Community discussions

 
freesyrian14
just joined
Topic Author
Posts: 9
Joined: Sat Aug 19, 2017 2:16 am

How to stop ma scanners

Sat Aug 19, 2017 2:26 am

I have a router board rb100ah x2 as a server and using usermanager but i have a big problem that hackers are using some programs like netcut for windows and eznetsan for android to hack my network bypassing my hotspot to get free internet. the way they use that they connect to any of my access points and run theses programs which give them all the clients devices mac addresses then they change their mac to the client mac and by that they get free internet.
Can,t mikrotik find a way to protect the clients mac to be shown to anybody like that easily ??????
Please help
 
libyatik
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Wed Jun 28, 2017 4:31 am

Re: How to stop ma scanners

Sat Aug 19, 2017 4:16 am

detect netcut users
/ip firewall layer7-protocol
add name=detect regexp="^.+(arcai.com|netCut)"
/ip firewall mangle
add action=add-src-to-address-list address-list=netcutuser address-list-timeout=3d chain=prerouting layer7-protocol=detect
and ban their macs on dhcp and bridge firewall with a script
review this analysis
viewtopic.php?f=2&t=124038&p=610839#p610839
 
pe1chl
Forum Guru
Forum Guru
Posts: 5832
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to stop ma scanners

Sat Aug 19, 2017 12:02 pm

Can,t mikrotik find a way to protect the clients mac to be shown to anybody like that easily ??????
Please help
It is not possible to avoid that. The router has no way to know if the paying user is connecting with their MAC, or someone who copied that MAC.
When you have a prevalence of foul people in your neighborhood, it really is not possible to run a paid WiFi system this way.
The crooks will always be able to either hijack your system to use it for free, or to deny access to the paying users forcing you to give up your business.
 
libyatik
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Wed Jun 28, 2017 4:31 am

Re: How to stop ma scanners

Sat Aug 19, 2017 2:42 pm

deal with the root reason which is network arp sweeps and icmp scans to reveal the connected macs
if you blocked the scan process then you solve the root of this problem,
 
pe1chl
Forum Guru
Forum Guru
Posts: 5832
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to stop ma scanners

Sat Aug 19, 2017 5:01 pm

Sorry libyatik you lack the basic understanding of the problem and your solution is not a solution.
Banning MAC addresses is going to lock out your paying users alongside with the attackers.... NOT a solution.
 
libyatik
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Wed Jun 28, 2017 4:31 am

Re: How to stop ma scanners

Sat Aug 19, 2017 11:49 pm

Sorry libyatik you lack the basic understanding of the problem and your solution is not a solution.
Banning MAC addresses is going to lock out your paying users alongside with the attackers.... NOT a solution.
the ban process is for scanners not network legit users (firewall filter) and its not a permanent ban rather than a traffic block
 
freesyrian14
just joined
Topic Author
Posts: 9
Joined: Sat Aug 19, 2017 2:16 am

Re: How to stop ma scanners

Sun Aug 20, 2017 12:33 am

deal with the root reason which is network arp sweeps and icmp scans to reveal the connected macs
if you blocked the scan process then you solve the root of this problem,
I don't understand why mikrotik doesn't have client isolation where every client cannot see other clients information
 
pe1chl
Forum Guru
Forum Guru
Posts: 5832
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to stop ma scanners

Sun Aug 20, 2017 12:35 am

There is no way to tell the difference between legitimate users and users spoofing MAC addresses of legitimate users,
same for IP addresses. Scanning MAC addresses of legitimate users can be done passively, no way to tell that someone is doing that.
 
freesyrian14
just joined
Topic Author
Posts: 9
Joined: Sat Aug 19, 2017 2:16 am

Re: How to stop ma scanners

Sun Aug 20, 2017 12:43 am

There is no way to tell the difference between legitimate users and users spoofing MAC addresses of legitimate users,
same for IP addresses. Scanning MAC addresses of legitimate users can be done passively, no way to tell that someone is doing that.
the question here is why should it must be that easy to discover the clients mac addresses by hackers so that they can copy them ????????
there must be away that we could hide them from everybody
 
pe1chl
Forum Guru
Forum Guru
Posts: 5832
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to stop ma scanners

Sun Aug 20, 2017 12:56 am

It is so because it is defined that way in the 802.11 WiFi standard which was not designed to handle foul users.
The MAC addresses are always sent in the clear even when the data itself is encrypted...

When you use encryption it is somewhat more difficult for foul users to take over the bandwidth bought by paying users,
but they can still disconnect the paying users and leave them without service.

When you want to use an open "hotspot" setup without WPA2 key and everybody log on to a portal page, the system
is essentially wide open to abusers and other foul play.
When you have a "closed" system with fixed users connecting to an access point, at least implement WPA2 encryption
so the sessions are not so easy to take over. But they still can be disconnected.
 
freesyrian14
just joined
Topic Author
Posts: 9
Joined: Sat Aug 19, 2017 2:16 am

Re: How to stop ma scanners

Sun Aug 20, 2017 1:00 am

It is so because it is defined that way in the 802.11 WiFi standard which was not designed to handle foul users.
The MAC addresses are always sent in the clear even when the data itself is encrypted...

When you use encryption it is somewhat more difficult for foul users to take over the bandwidth bought by paying users,
but they can still disconnect the paying users and leave them without service.

When you want to use an open "hotspot" setup without WPA2 key and everybody log on to a portal page, the system
is essentially wide open to abusers and other foul play.
When you have a "closed" system with fixed users connecting to an access point, at least implement WPA2 encryption
so the sessions are not so easy to take over. But they still can be disconnected.
so do you advice me to stop searching for a solution ? and can firewall filters do something or not ? and the last question shouldn't mikrotik update their system to make it more secure for hotspot ??
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: How to stop ma scanners

Sun Aug 20, 2017 1:01 am

the question here is why should it must be that easy to discover the clients mac addresses by hackers so that they can copy them ????????
there must be away that we could hide them from everybody
That's how an open system is supposed to work: Open. And there is no way to hide them as long the system is open.
It is your choice to keep it open, and there is nothing you can do against it, unless you close it.
And you can wait for 1000 updates, open systems will remain open and anyone could sniff them.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.
 
freesyrian14
just joined
Topic Author
Posts: 9
Joined: Sat Aug 19, 2017 2:16 am

Re: How to stop ma scanners

Sun Aug 20, 2017 1:18 am

the question here is why should it must be that easy to discover the clients mac addresses by hackers so that they can copy them ????????
there must be away that we could hide them from everybody
That's how an open system is supposed to work: Open. And there is no way to hide them as long the system is open.
It is your choice to keep it open, and there is nothing you can do against it, unless you close it.
And you can wait for 1000 updates, open systems will remain open and anyone could sniff them.
so what is the purpose of hotspot if anyone can hack it man ????? hotspot should close what you call an open system.
 
libyatik
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Wed Jun 28, 2017 4:31 am

Re: How to stop ma scanners

Sun Aug 20, 2017 1:47 am

There is no way to tell the difference between legitimate users and users spoofing MAC addresses of legitimate users,
same for IP addresses. Scanning MAC addresses of legitimate users can be done passively, no way to tell that someone is doing that.
the filter works before the spoof happens
a hacker must scan a network to collect macs here is where the prevention acts (!=packets sniffing)
 
User avatar
k6ccc
Member
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: How to stop ma scanners

Sun Aug 20, 2017 6:15 am

a hacker must scan a network to collect macs here is where the prevention acts (!=packets sniffing)
Nope. All you have to do is receive. If you never transmit, there is no way to detect it.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
pe1chl
Forum Guru
Forum Guru
Posts: 5832
Joined: Mon Jun 08, 2015 12:09 pm

Re: How to stop ma scanners

Sun Aug 20, 2017 9:56 am

so what is the purpose of hotspot if anyone can hack it man ????? hotspot should close what you call an open system.
Hotspot works fine in an environment where the users are honest.
Normally in a small room e.g. a restaurant you can use it to allow the visitors to use internet.
When you put the accesspoint on the roof and have the entire neighborhood use it via outdoor WiFi, hotspot is really not
the way to do it, because there is more chance that you have hackers. You can use 802.1x authentication with username/password
which will put encryption on the links (WPA2-EAP with MSCHAPv2) but it is not really secure either. The determined hackers
will be able to hack it anyway. at least to the point where they can disconnect your paying users. Taking over the connection
is more difficult but it is possible.
 
libyatik
Frequent Visitor
Frequent Visitor
Posts: 53
Joined: Wed Jun 28, 2017 4:31 am

Re: How to stop ma scanners

Sun Aug 20, 2017 5:24 pm

a hacker must scan a network to collect macs here is where the prevention acts (!=packets sniffing)
Nope. All you have to do is receive. If you never transmit, there is no way to detect it.
that statement holds true in traffic sniffing not network scans where its all request and response
 
User avatar
docmarius
Forum Guru
Forum Guru
Posts: 1219
Joined: Sat Nov 06, 2010 12:04 pm
Location: Timisoara, Romania
Contact:

Re: How to stop ma scanners

Sun Aug 20, 2017 5:40 pm

You have to understand that radio waves are not selectively addressed and can be received by anyone in the range of that AP, and there is no way around this. Everyone can sniff an AP's full traffic, no matter what (and some time the client's traffic, too, but this is not relevant in this discussion).
As long as a data packet is transmitted, there is no way to shield it so that it is not to be received by an arbitrary in range receiver.
so what is the purpose of hotspot if anyone can hack it man ????? hotspot should close what you call an open system.
The purpose of a hotspot is to allow an open access with minimal management overhead. If you want privacy and security, use encryption.
BTW, no one stops you to run a hotspot over an encrypted access, and to hand out access keys to your legitimate users.
Or switch over to some other encrypted solution with an per user password management.
...
that statement holds true in traffic sniffing not network scans where its all request and response
You do not need to connect anywhere find out the users MAC addresses. Sniffing the unencrypted WiFi traffic is sufficient. You can even find the user's WEP key just by sniffing. WPA2 seems still secure towards this approach.
Torturing CCR1009-7G-1C-1S+, RB450G, RB750GL, RB951G-2HnD, RB960PGS, RB260GSP, OmniTIK 5HnD and NetMetal 922UAGS-5HPacD + R11e-5HnD in my home network.

Who is online

Users browsing this forum: No registered users and 80 guests