loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

How can Drop - sharing internet program

Wed Feb 03, 2016 6:45 pm

Hello everyone,
How can I drop internet-sharing programs?
I tried several methods to drop these applications on Windows but couldn't drop them.
I need to drop (Connectify Hotspot Pro, Connectify Dispatch, mHotspot, Maryfi, Connectify Hotspot).
If anyone has an idea how to stop (drop) all these programs, please write a good method for doing it.
Regards
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

How can Drop - sharing internet program

Wed Feb 03, 2016 7:18 pm

> Write great method...

OK. First of all you need to know how to distinguish their traffic from the rest. Can you? If yes then you can drop it.

Unfortunately I haven't noticed any problems caused by these programs in my network so I cannot advise how to distinguish their traffic.
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How can Drop - sharing internet program

Wed Feb 03, 2016 9:56 pm

In a word - you really can't do it.

How can you tell by inspecting packets, the difference between packets generated by an application on the "sharing" host, vs packets generated by applications running on devices behind the sharing device? There may be subtle clues in the payload, but this is well beyond the scope of ROS.

You could just charge more money and not care if your users decide to split the cost of an account amongst themselves......
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Wed Feb 03, 2016 10:14 pm

That's it. Sell the better service and do not block anything.
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re: How can Drop - sharing internet program

Thu Feb 04, 2016 10:40 pm

> Write great method...
>
> OK. First of all you need to know how to distinguish their traffic from the rest. Can you? If yes then you can drop it.
>
> Unfortunately I haven't noticed any problems caused by these programs in my network so I cannot advise how to distinguish their traffic.

I am working in a company and my boss told me to drop these programs because they share the internet, so I need to drop them.
 
jarda
Forum Guru
Posts: 7604
Joined: Mon Oct 22, 2012 4:46 pm

Thu Feb 04, 2016 10:46 pm

Ok. In your situation I would just install the programs, catch the traffic, find the signs of it and then drop according to it.
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re: How can Drop - sharing internet program

Thu Feb 04, 2016 10:49 pm

> In a word - you really can't do it.
>
> How can you tell by inspecting packets, the difference between packets generated by an application on the "sharing" host, vs packets generated by applications running on devices behind the sharing device? There may be subtle clues in the payload, but this is well beyond the scope of ROS.
>
> You could just charge more money and not care if your users decide to split the cost of an account amongst themselves......

I am working in a company and my boss told me to drop these programs because they share the internet, so I need to drop them.

I was reading before I added a new post here.
In version 5.0 and below, you can change the TTL to 1 and all internet sharing can be stopped, but in version 6.0 and up the programs can't be stopped.
Note: if you create a PPPoE server and work on one session, all programs can be dropped! Only on a PPPoE server!!! Why can't the programs be dropped if a PPPoE server is not created?

You can see below how to change the TTL to 1.

[two screenshots attached to the post, not available]

Thanks
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How can Drop - sharing internet program

Thu Feb 04, 2016 11:45 pm

Changing the TTL is still an option in my router, which is running the bleeding-edge 6.34.1

You could do a sniffer capture on the LAN interface to confirm that the outbound TTL values are indeed being set to 1.

If they are being set to 1, then the client's sharing devices are incrementing the TTL again, or ignoring the TTL.
If you can set it to 1, then they can set it back up to 255 if they want.

Since this is a business, it's easy:
If someone's sharing the Internet behind some device, then fire them.
 
kiaunel
Member Candidate
Posts: 211
Joined: Mon Jul 21, 2014 7:59 pm
Location: Romania

Thu Feb 04, 2016 11:56 pm

Try to limit connections or packets. For sure you can see a difference between a normal client and those who are sharing. This will not stop them from sharing but for sure will cause them problems :). Some years ago I was changing the TTL to 1 and luckily they did not know to increment it again.

Sent from my Lenovo K50-t5 using Tapatalk
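The two posts above rest on one observation: a packet that has already been forwarded by a hotspot or NAT host arrives at the router with its TTL decremented once, so sharing shows up as TTL values like 63 or 127 instead of the 64 or 128 an operating system starts with, and sending packets back with TTL 1 makes the sharing host discard them on the next hop. The script below is an added example written for this page, not code from the thread or from RouterOS. It assumes a LAN-side capture has been reduced to "source IP, observed TTL" pairs (the sample lines are constructed), that the common initial TTLs are 64, 128 and 255, and it carries the caveat ZeroByte gives: a sharing host that rewrites the TTL defeats both the block and this detector.

```python
"""TTL-based spotting of NAT sharing on a LAN, as discussed in this thread.

Added example (not from the forum posts): a router-side or capture-side
check of the idea that packets from a device behind a second NAT arrive
with a TTL that has already been decremented once, e.g. 63 or 127 instead
of the 64 or 128 an operating system normally starts with. The capture
lines are constructed for illustration.
"""
from collections import defaultdict

# Initial TTLs used by the common operating systems: 64 (Linux, Android,
# macOS, iOS), 128 (Windows), 255 (some network equipment).
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed LAN-side capture: "<source ip> <observed ttl>" per packet.
SAMPLE_CAPTURE = [
    "10.0.0.11 128",  # Windows client talking directly to the router
    "10.0.0.11 128",
    "10.0.0.12 64",   # Linux/Android client talking directly to the router
    "10.0.0.13 128",  # sharing host's own Windows traffic
    "10.0.0.13 63",   # a phone (initial 64) behind that host's hotspot: decremented once
    "10.0.0.13 127",  # a Windows laptop (initial 128) behind the same hotspot
]


def initial_ttl_and_hops(ttl):
    """Map an observed TTL to (assumed initial TTL, hops already traversed)."""
    if not 0 <= ttl <= 255:
        raise ValueError(f"TTL {ttl} is outside 0..255")
    for initial in COMMON_INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise AssertionError("unreachable: 255 covers every valid TTL")


def parse_capture_line(line):
    """Parse one constructed capture line into (source_ip, ttl)."""
    src, ttl = line.split()
    return src, int(ttl)


def classify_clients(lines):
    """Return {source_ip: 'direct' | 'suspected-nat'}.

    A client is 'direct' when every packet it sends reaches the router with
    zero hops consumed. Any packet showing one or more consumed hops means
    something forwarded (and decremented) it before it reached the router:
    the signature of a hotspot or NAT behind that client address.
    """
    hops_seen = defaultdict(set)
    for line in lines:
        src, ttl = parse_capture_line(line)
        hops_seen[src].add(initial_ttl_and_hops(ttl)[1])
    return {
        src: "direct" if hops == {0} else "suspected-nat"
        for src, hops in hops_seen.items()
    }


def ttl_survives_nat(ttl_set_by_router, nat_hops):
    """Why the 'set TTL to 1' trick works: the router sends packets to the
    LAN with TTL 1, the sharing host decrements it to 0 when forwarding and
    must discard it, so devices behind that host never get replies. Returns
    whether a packet leaving the router with the given TTL still has TTL > 0
    after nat_hops forwarding steps. A sharing host that rewrites the TTL
    (as the thread notes it can) defeats this, and then the detector above
    cannot see the extra hop either.
    """
    return ttl_set_by_router - nat_hops > 0


if __name__ == "__main__":
    for src, verdict in sorted(classify_clients(SAMPLE_CAPTURE).items()):
        print(src, verdict)
```

In practice the input would come from the RouterOS packet sniffer or a Wireshark export of the LAN interface, which is exactly the capture ZeroByte suggests for confirming what TTL values actually leave and arrive. The check only sees hop counts, so a client whose packets all carry the expected initial TTL is not proven honest, only not caught.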
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re: How can Drop - sharing internet program

Tue Feb 09, 2016 6:04 pm

> Changing the TTL is still an option in my router, which is running the bleeding-edge 6.34.1
>
> You could do a sniffer capture on the LAN interface to confirm that the outbound TTL values are indeed being set to 1.
>
> If they are being set to 1, then the client's sharing devices are incrementing the TTL again, or ignoring the TTL.
> If you can set it to 1, then they can set it back up to 255 if they want.
>
> Since this is a business, it's easy:
> If someone's sharing the Internet behind some device, then fire them.

Thank you for the support.
I will try what you suggested; if anything about dropping turns out to be true, I will tell you here.
Do you have an idea how to drop the "Netcut" program?
Netcut discovers all users' MAC addresses and IPs. If you have a method to drop it,
please comment.

Regards
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re:

Tue Feb 09, 2016 6:05 pm

> Try to limit connections or packets. For sure you can see a difference between a normal client and those who are sharing. This will not stop them from sharing but for sure will cause them problems :). Some years ago I was changing the TTL to 1 and luckily they did not know to increment it again.
>
> Sent from my Lenovo K50-t5 using Tapatalk

Thank you for the support.
Do you have an idea how to drop the "Netcut" program?
Netcut discovers all users' MAC addresses and IPs. If you have a method to drop it,
please comment.

Regards
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How can Drop - sharing internet program

Tue Feb 09, 2016 6:09 pm

Dropping things like netcut requires access port security, which Mikrotik doesn't really have.
The mainstream net vendors like Cisco, Dell, Juniper, etc have features like DHCPguard, RA guard (if you're doing IPv6), MAC guard, etc - all of these things are required for stopping such things, because these types of attacks don't go through the router at all.
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re: How can Drop - sharing internet program

Tue Feb 09, 2016 6:14 pm

> Dropping things like netcut requires access port security, which Mikrotik doesn't really have.
> The mainstream net vendors like Cisco, Dell, Juniper, etc have features like DHCPguard, RA guard (if you're doing IPv6), MAC guard, etc - all of these things are required for stopping such things, because these types of attacks don't go through the router at all.

I was reading some posts here.

His subject as well as the comments:
As I noted in the comments, with "arp" enabled and "DHCP = reply-only"
(1. Make firewall rules to drop ICMP unless you really need it (then make it available only for certain hosts)
2. Make static ARP entries with arp=reply-only)
Netcut is blocked,
so that when the program runs, it reads only the same user's own entry.
What is your reply?
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How can Drop - sharing internet program

Tue Feb 09, 2016 8:57 pm

Not really.... netcut lets users do things like arp poisoning and such - the router can't stop this kind of traffic because this traffic doesn't even go through the router at all. It's strictly client to client.

arp = reply-only coupled with DHCP server creating dynamic ARP table entries is a way to force clients to use DHCP, as they won't gain internet access without first using DHCP, but they can still interfere with the other LAN stations, or just put a static IP and use it to talk to the other stations.

Think about it - if I put a static IP on a computer and plugged into the LAN without DHCP, then the router will not ever find my MAC address because it never sends arp requests - it only adds ARP entries for dhcp clients. However, if I sent a ping to some other LAN host, my computer is going to send an ARP request for the other computer, which will reply to my ARP request with a direct unicast reply - the ethernet switch is going to forward the frame to my computer because it knows where my MAC address is. The other computer will of course ARP for me as well, which is another broadcast - and that broadcast will be forwarded to all LAN hosts, including mine. My computer will reply unicast to the requester - so the switch will forward that as well. The router has nothing to do with this.
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re: How can Drop - sharing internet program

Tue Feb 09, 2016 11:19 pm

> Not really.... netcut lets users do things like arp poisoning and such - the router can't stop this kind of traffic because this traffic doesn't even go through the router at all. It's strictly client to client.
>
> arp = reply-only coupled with DHCP server creating dynamic ARP table entries is a way to force clients to use DHCP, as they won't gain internet access without first using DHCP, but they can still interfere with the other LAN stations, or just put a static IP and use it to talk to the other stations.
>
> Think about it - if I put a static IP on a computer and plugged into the LAN without DHCP, then the router will not ever find my MAC address because it never sends arp requests - it only adds ARP entries for dhcp clients. However, if I sent a ping to some other LAN host, my computer is going to send an ARP request for the other computer, which will reply to my ARP request with a direct unicast reply - the ethernet switch is going to forward the frame to my computer because it knows where my MAC address is. The other computer will of course ARP for me as well, which is another broadcast - and that broadcast will be forwarded to all LAN hosts, including mine. My computer will reply unicast to the requester - so the switch will forward that as well. The router has nothing to do with this.

When searching the internet I found more than one method.

Method 1
ether1 has the address 2.2.2.2/24, and you add a new address on the same interface:
IP > Addresses > Add
for example
address: 1.1.1.1/24
netmask
interface: lan (the LAN that goes to the customers)
Step 2
go to IP > DHCP Server > Networks, double click,
change the gateway to the new one (1.1.1.1), apply, OK
Step 3
Netcut now does not work, because the DHCP server has changed the gateway and Netcut can no longer read the users' IP and MAC addresses.

Method 2
Same as method 1, but
in IP > DHCP Server > Networks, double click,
change only netmask: 32, apply, OK
Finally Netcut is dropped.

Method 3
I found this:
/ip firewall filter
add action=accept chain=input comment="NETCUT BLOCK" disabled=no dst-port=\
0-65535 protocol=tcp src-address=61.213.183.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 \
protocol=tcp src-address=67.195.134.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 \
protocol=tcp src-address=68.142.233.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 \
protocol=tcp src-address=68.180.217.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 \
protocol=tcp src-address=203.84.204.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 \
protocol=tcp src-address=69.63.176.0/24
add action=accept chain=input comment="" disabled=no dst-port=0-65535 \
protocol=tcp src-address=69.63.181.0/24

Which of these methods is true?
Note: if I create a PPPoE server, in your opinion is Netcut dropped? Because a PPPoE server includes two connections with different IP addresses.

Thank you for your reply.
Regards
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How can Drop - sharing internet program

Wed Feb 10, 2016 1:51 am

pppoe eliminates arp poisoning attacks and rogue/malicious dhcp because your router only forward packets in pppoe tunnels.
Of course, someone could put a pppoe server on the LAN if they're motivated.....

Again... you can put all of the rules you like into your router, but it will not block client-to-client attacks.

Only a switch or bridge can isolate clients from each other.
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re: How can Drop - sharing internet program

Thu Feb 11, 2016 11:12 pm

> pppoe eliminates arp poisoning attacks and rogue/malicious dhcp because your router only forward packets in pppoe tunnels.
> Of course, someone could put a pppoe server on the LAN if they're motivated.....
>
> Again... you can put all of the rules you like into your router, but it will not block client-to-client attacks.
>
> Only a switch or bridge can isolate clients from each other.

Thank you.
Before reading your reply here,
I applied a method while using a PPPoE server:
I changed the netmask in DHCP > Networks > Netmask,
setting the netmask to 32; after that Netcut was dropped.
Below you can see a picture (note: the picture was taken from a Google search).
[two images, not available]

After that I tried this method.

My question for you: what is the benefit of the netmask here?
[attachment: dhcp-32-subnet111.png, not available]
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: How can Drop - sharing internet program

Fri Feb 12, 2016 12:53 am

PPPoE does not use DHCP. PPP assigns the IP addresses of the clients using IPCP, so it can use /32 addresses.

Assigning a /32 to clients' ethernet adapters (when they're not using PPPoE) would probably break their connectivity - I haven't tried this in the lab or anything, but I think I'll experiment just to see what happens - obviously this is going to vary based on the clients' operating systems.

To answer your question, I've never used that netmask field - I don't see much use in sending a different netmask to the clients than is actually in use on the network, or from the netmask that defines the range (/24 in your example)

In any case, netcut packets do not travel through the router - only through the switch.
Therefore only the switch can truly stop Netcut from doing the ARP poisoning attack.
[attachment: netcut.png, not available]
Of course, if the Mikrotik is being used as a switch, then you can filter ARP replies in the bridge filter rules, or you could choose "redirect to CPU" as an action in the switch menu if using a hardware switch. If you have even one external switch, then that switch must also drop/filter/redirect the ARP protocol, or else any host on that switch can netcut any other host connected to the same switch in the same VLAN.
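ZeroByte's two points, in the Feb 9 post (client-to-client ARP never crosses the router) and just above (only a switch, bridge filter or redirect-to-CPU can see those replies), are what "access port security" on other vendors implements as ARP inspection: compare each ARP reply against the IP-to-MAC bindings the DHCP server handed out. The script below is an added example written for this page, not code from the thread or a RouterOS feature. It assumes the trusted bindings are exported from the DHCP lease table (the same data RouterOS turns into dynamic ARP entries under arp=reply-only), and that ARP frames seen on the switch or bridge have been reduced to one constructed line each; the addresses and MACs are made up.

```python
"""ARP-reply consistency check against trusted DHCP bindings.

Added example (not from the forum posts): the thread's point is that
client-to-client ARP never crosses the router, so the check below is the
kind of inspection a switch feature (dynamic ARP inspection) or a capture
host on the same switch would run. The trusted bindings are assumed to come
from the DHCP lease table, the data RouterOS uses for dynamic ARP entries
under arp=reply-only; the ARP lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed trusted bindings, as a DHCP server would know them.
TRUSTED_BINDINGS = {
    "10.0.0.1": "aa:bb:cc:00:00:01",   # gateway
    "10.0.0.11": "aa:bb:cc:00:00:11",
    "10.0.0.12": "aa:bb:cc:00:00:12",
}

# Constructed ARP observations, one per line:
# "<request|reply> <sender ip> <sender mac> <target ip>"
SAMPLE_ARP = [
    "request 10.0.0.11 aa:bb:cc:00:00:11 10.0.0.1",  # normal who-has for the gateway
    "reply 10.0.0.1 aa:bb:cc:00:00:01 10.0.0.11",    # genuine gateway reply
    "reply 10.0.0.1 aa:bb:cc:00:00:12 10.0.0.11",    # 10.0.0.12's MAC claiming the gateway IP
    "reply 10.0.0.11 aa:bb:cc:00:00:12 10.0.0.1",    # same MAC claiming the victim's IP towards the gateway
    "reply 10.0.0.50 aa:bb:cc:00:00:50 10.0.0.11",   # IP with no lease: not judged here
]


@dataclass(frozen=True)
class ArpAlert:
    ip: str            # IP the reply claims to own
    claimed_mac: str   # MAC the reply says owns it
    expected_mac: str  # MAC the DHCP binding says owns it
    target_ip: str     # station the false reply was sent to


def parse_arp_line(line):
    """Parse one constructed observation into a dict of its four fields."""
    kind, sender_ip, sender_mac, target_ip = line.split()
    if kind not in ("request", "reply"):
        raise ValueError(f"unknown ARP operation {kind!r}")
    return {"kind": kind, "sender_ip": sender_ip,
            "sender_mac": sender_mac.lower(), "target_ip": target_ip}


def inspect_arp(lines, bindings):
    """Return an ArpAlert for every reply whose sender MAC contradicts the
    trusted binding for the sender IP. Requests are not judged (a host may
    legitimately ask for any IP) and IPs without a lease are skipped: a
    static-IP host is a policy question, not evidence of poisoning.
    """
    alerts = []
    for line in lines:
        rec = parse_arp_line(line)
        if rec["kind"] != "reply":
            continue
        expected = bindings.get(rec["sender_ip"])
        if expected is None or expected == rec["sender_mac"]:
            continue
        alerts.append(ArpAlert(rec["sender_ip"], rec["sender_mac"],
                               expected, rec["target_ip"]))
    return alerts


def suspects_by_mac(alerts):
    """Count contradictory replies per claiming MAC: the station sending
    them is the one to isolate at its switch port."""
    return Counter(alert.claimed_mac for alert in alerts)


if __name__ == "__main__":
    found = inspect_arp(SAMPLE_ARP, TRUSTED_BINDINGS)
    for alert in found:
        print(alert)
    print(dict(suspects_by_mac(found)))
```

The check only works where the ARP frames can be seen, which is the whole point of the posts above: on a router-only setup they never arrive, and on a MikroTik acting as the switch the bridge filter or redirect-to-CPU path is what puts them in front of logic like this. Any external switch between the clients needs its own equivalent, as ZeroByte notes.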
 
loveman
Member, Topic Author
Posts: 327
Joined: Tue Mar 10, 2015 9:32 pm

Re: How can Drop - sharing internet program

Wed Feb 17, 2016 8:54 pm

> PPPoE does not use DHCP. PPP assigns the IP addresses of the clients using IPCP, so it can use /32 addresses.
>
> Assigning a /32 to clients' ethernet adapters (when they're not using PPPoE) would probably break their connectivity - I haven't tried this in the lab or anything, but I think I'll experiment just to see what happens - obviously this is going to vary based on the clients' operating systems.
>
> To answer your question, I've never used that netmask field - I don't see much use in sending a different netmask to the clients than is actually in use on the network, or from the netmask that defines the range (/24 in your example)
>
> In any case, netcut packets do not travel through the router - only through the switch.
> Therefore only the switch can truly stop Netcut from doing the ARP poisoning attack.
> [attachment: netcut.png, not available]
> Of course, if the Mikrotik is being used as a switch, then you can filter ARP replies in the bridge filter rules, or you could choose "redirect to CPU" as an action in the switch menu if using a hardware switch. If you have even one external switch, then that switch must also drop/filter/redirect the ARP protocol, or else any host on that switch can netcut any other host connected to the same switch in the same VLAN.

Thank you for your help.
