Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

IP scanner blocker

Mon Jan 01, 2007 2:17 am

Is it possible to add a small IP scanner blocker tool to MikroTik?

For the case that you need to block someone who's trying to steal authenticated MAC addresses from the network, to disable his MAC address.


thanks
 
mneumark (Member)
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Mon Jan 01, 2007 6:26 am

You can do something like this... Just modify it a little.

http://wiki.mikrotik.com/wiki/Drop_port_scanners
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Tue Jan 02, 2007 6:54 pm

I'm not quite sure how to modify it for an IP scanner instead of a port scanner.
Thanks
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Wed Jan 03, 2007 10:16 am

What's an IP scanner? I assume that it's something that makes one connection per IP to check if it's alive. How would you know on the router that this one connection is bad?
 
mneumark (Member)
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Wed Jan 03, 2007 10:43 am

I think what he means is when someone is scanning, let's say, a /24. What you will want to do is limit the amount of TCP connections on a forward rule in the firewall. The problem is you would have to figure out the speed and amount of connections.
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Wed Jan 03, 2007 10:46 am

Someone inside your network that is scanning something on the outside? Only like this.

Not someone scanning your network from the inside, that's impossible.

For the first case - yes, limiting the number of connections would work. Set it to 20 and your users should not suffer (if they are not heavy torrenters).
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Wed Jan 03, 2007 7:02 pm

I think you did not get what I meant.
An IP scanner basically tries to scan an IP range (let's say 10.1.1.0/24) for alive nodes.
If the hacker can scan the network and find alive nodes, then he can clone a MAC address and blend into the network as one.

But if we can detect who's scanning the network, we can prevent that.

thanks
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Jan 04, 2007 8:25 am

And how can you detect what a person is doing on his PC? Imagine someone throwing tennis balls at random people. You will get hit once, and you will never know that he is doing the same to the others as well. The router can't do anything if this scan does not go THROUGH it. It is just pinging random machines.
 
mneumark (Member)
Posts: 370
Joined: Thu Jun 08, 2006 7:20 am
Location: Escalon, CA

Thu Jan 04, 2007 9:36 am

Hellbound,

The only way it's possible to block this is to set up a firewall rule where it detects so many packets per second, just like the port scanning wiki shows, and have it add their IP address to a blocked firewall rule.

Normis is right, you can't distinguish between a real ping and an IP scan. The only way I see it possible is to detect the amount of pings from a src within so many seconds.
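One concrete way to build the rate-based detection mneumark describes (count echo requests per source inside a short window, then flag the source), written as an added example rather than anything posted in the thread or shipped by MikroTik. It assumes RouterOS v6-era firewall syntax (the exact form of `dst-limit`, `icmp-options` and the bridge `use-ip-firewall` setting differs between versions, so check your router's manual), a constructed client range of 10.5.50.0/24 behind a bridge interface named `hs-bridge`, and thresholds of 5 echo requests per second with a burst of 10, chosen here for illustration only.

```routeros
# Added example (not from the thread or MikroTik). Assumed: RouterOS v6-era
# syntax, clients on bridge "hs-bridge" in 10.5.50.0/24 (constructed range),
# threshold 5 echo requests per second, burst 10, counted per source address.

# Client-to-client traffic on a bridge only reaches the IP firewall when the
# bridge hands IP packets to it; otherwise the forward chain sees nothing
# (normis's point about scans that do not go THROUGH the router).
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# 1. Anything already flagged as a scanner is dropped before any accept rule.
add chain=forward src-address-list=ip_scanners action=drop \
    comment="drop flagged IP scanners"

# 2. Echo requests from one source that stay within the budget pass through.
#    dst-limit counts per source address and forgets a source after 10 s idle.
add chain=forward protocol=icmp icmp-options=8:0 src-address=10.5.50.0/24 \
    dst-limit=5/1s,10,src-address/10s action=accept \
    comment="ping rate within limit"

# 3. Any echo request beyond that budget means one client is pinging many
#    hosts in a short window: log it (log does not stop rule processing) and
#    flag the source for an hour so rule 1 drops it from now on.
add chain=forward protocol=icmp icmp-options=8:0 src-address=10.5.50.0/24 \
    action=log log-prefix="ip-scan:" comment="log suspected IP sweep"
add chain=forward protocol=icmp icmp-options=8:0 src-address=10.5.50.0/24 \
    action=add-src-to-address-list address-list=ip_scanners \
    address-list-timeout=1h comment="flag suspected IP sweep"
```

Rule order is what makes this work: the accept rule absorbs normal pinging, and only the overflow reaches the log and flag rules. The trade-off normis raises still applies: a client that simply pings one host very fast is flagged exactly like a sweep, so the threshold has to be tuned from real traffic (watch the `ip-scan:` log entries before turning on the drop rule). ARP-based sweeps never enter the IP firewall at all and would need rules under `/interface bridge filter` instead, which this example does not cover.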
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Jan 04, 2007 1:00 pm

I believe it is possible to detect if any user sends any locally destined packet to more than three different addresses and block the user instantly, no matter what protocol is used, as long as it is destined to a local address.


thanks
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Jan 04, 2007 1:11 pm

How can a router know that the user has sent some packets to other computers previously? The connection doesn't go through the router, so it's not possible to track anything.
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Jan 04, 2007 2:34 pm

normis wrote:
How can a router know that the user has sent some packets to other computers previously? The connection doesn't go through the router, so it's not possible to track anything.

If you assign your IPs in blocks of two instead of a block of 255 IP addresses, all IP packets have to pass through the router.

On the other hand, we don't need to pass them through the router; we just isolate users either on wireless or managed switches. Then we make a transparent bridge with the MikroTik bridge option.

Everything will pass through that bridge; we enable connection tracking and packets will be analyzed before their delivery.

Is it difficult?

thanks for the reply
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Jan 04, 2007 2:39 pm

If you make them go through the router, then make the connection limit rule as suggested earlier. There is no other way to do this, only as already mentioned above in this thread.
 
janisk (MikroTik Support)
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Thu Jan 04, 2007 2:43 pm

And if I want to play an online game with 10 other users? Like CS:S or Hearts? :roll:
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Jan 04, 2007 2:47 pm

janisk wrote:
And if I want to play an online game with 10 other users? Like CS:S or Hearts? :roll:

Well, IP scanners usually work on the ARP or ICMP protocol; you don't need to block users who are communicating with friends through other protocols.

On the other hand, most IP scanners work through a sequence; for instance, try AngryIPScanner, which is one of them that I tried. It simply tries to send packets from 10.1.1.1 to 10.1.1.255. You can block that user when it reaches 10.1.1.15 and report it to the network admin, so we can find the culprit.

Also I have not seen any game that scans the network for alive IP addresses.

It may not be a 100% secure network, but we can block average hackers who usually use public tools to clone MAC addresses simply by adding a registry entry in Windows.
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Jan 04, 2007 2:55 pm

All network games do that. They look for open servers nearby when you click the `join` button or something. Also the same for many other programs. Just try to monitor one of the scans and see what the person is using; then block only the type of traffic that is the scan. The best method of course is to go and beat up the offender.
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Jan 04, 2007 3:06 pm

normis wrote:
All network games do that. They look for open servers nearby when you click the `join` button or something. Also the same for many other programs. Just try to monitor one of the scans and see what the person is using. The best method of course is to go and beat up the offender.

Thanks for the prompt reply again,

Have you ever seen a thief show his ID to a CCTV camera before he steals something?

A person who is already authenticated and has his user record in the system won't attempt to hack the network.

A person who is not authenticated will attempt to hack the network. A hacker will always use an anonymous identity. This rule does not have to be applied to authenticated users who are logged in and have a true identity.

Once you're in, then you're clean, but if you're outside and you're trying to call names to create your fake ID to get into the house, then this tool comes in.

And what you mentioned is of course for a LAN connection, where it sends a broadcast packet, and of course not in every single game. Every game has Internet and LAN options; you can simply force users to use the Internet option instead of the LAN option to create a server (which is also up to the individual network admin to decide).

But this is just an IP Scanner Detector, so we know who's trying to play a game or who's trying to clone a MAC address by stealing MAC addresses on the network. At least we can log network activities, especially if it will also be added as a log option.

It is up to the admin to decide to block it or not... At least we will have a list of people who are playing a game, so we can find out whether they really played their game or they went off the hook and cloned a MAC address.

But truly, if this is not the solution, what is the solution to find someone who is attempting to hack a cable or wireless network?

I say it again, it is up to the individuals to decide what policy to apply after that.
 
stephenpatrick (Forum Veteran)
Posts: 702
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK

Fri Jan 05, 2007 2:16 pm

I'm not an expert on this topic but:

At home I have a Netgear ADSL router. On one config page it has a couple of check-boxes for "DOS prevention" and "port-scan-detect".
I.e. if nasty people out on the net are trying to break in or take down the network by DOS, it takes some action, presumably ignoring the requests.
I doubt the algorithm is terribly sophisticated, and there are no options to tweak it, but it exists.
I wonder if there should be some features like this on the "wish list" for MT?

... hope that was relevant ...

Regards
 
janisk (MikroTik Support)
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Jan 05, 2007 2:31 pm

Check out WebBox, there are basic options for protection.
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Jan 05, 2007 2:33 pm

Stephen, you are again talking about port scan. That we have. Hellbound wants to detect when somebody scans a range of IPs by means of (most likely) a single ping to each address. What I'm saying is that it is not possible to tell whether somebody just pings, or actually does it for evil purposes.
 
janisk (MikroTik Support)
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Fri Jan 05, 2007 2:37 pm

As Hellbound wrote before - one packet of any protocol to a range of IP addresses.
 
stephenpatrick (Forum Veteran)
Posts: 702
Joined: Fri Aug 20, 2004 12:26 pm
Location: UK

Fri Jan 05, 2007 2:52 pm

Oops, looks like I was commenting somewhat ignorantly!
... thanks for educating me, people ...
But ways of spotting other types of scans do sound useful.
I'll watch this thread with interest -
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Fri Jan 05, 2007 3:03 pm

normis wrote:
Stephen, you are again talking about port scan. That we have. Hellbound wants to detect when somebody scans a range of IPs by means of (most likely) a single ping to each address. What I'm saying is that it is not possible to tell whether somebody just pings, or actually does it for evil purposes.

Give me a reason why somebody, whoever that is, who is not subscribed to my service or does not have my prepaid card for the hotspot, has to be able to do networking in my network, LAN gaming, etc.
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Jan 05, 2007 3:10 pm

Drop pings that are not from your hotspot IP range :) First find out if those are pings that they use.
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Fri Jan 05, 2007 3:43 pm

normis wrote:
Drop pings that are not from your hotspot IP range :) First find out if those are pings that they use.

That is a good idea.
But I don't think that covers logging in a full-featured way of inspecting the network.
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Jan 05, 2007 3:44 pm

OK, drop everything except port 80 to your hotspot router (so that unauthenticated users can go and log in).
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Fri Jan 05, 2007 3:48 pm

normis wrote:
OK, drop everything except port 80 to your hotspot router (so that unauthenticated users can go and log in).

Right, that will solve the security before authentication.
But how to keep a log of this scanning after authentication?

Thanks again,
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Jan 05, 2007 3:49 pm

You mean that the offender will actually log in, and then scan again? That's a tough one ...
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Fri Jan 05, 2007 4:09 pm

normis wrote:
You mean that the offender will actually log in, and then scan again? That's a tough one ...

But that's possible; we just want to be able to track network activities for suspicious traffic.

For instance, it is a tough task to detect cold or warm weapons at an airport checkpoint and it is not a 100% assured detector, but they still install something.
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Jan 05, 2007 4:12 pm

To summarize what we've already discussed, this should be a very secure system:

1. drops everything from non-hotspot users, except what is needed to login
2. drops everything, except what the hotspot users need (if they are basic users then HTTP, HTTPS, FTP and maybe something else could be left on - but a DROP rule after that)
3. enable port scan detection as mentioned above
4. limit connections per IP to a reasonable amount (10-20 for home users is enough)
5. use torch to monitor traffic, use connection tables to see what happens in real time
6. use the Dude to monitor traffic on links, overloaded machines, quickly take action
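The six points above written out as RouterOS firewall rules. This is an added example, not a configuration from the thread or from MikroTik, and it rests on assumptions: a bridge interface named `hs-bridge` carrying the hotspot clients, the constructed client range 10.5.50.0/24, and that logged-in hotspot users are placed in the address list `hs-auth` (done here through the hotspot user profile's address-list option, an assumption about the profile settings available on your version). The hotspot feature also inserts its own dynamic rules for the login redirect; these static rules sit beside them and only illustrate the policy. The `psd` values are the ones from the "Drop port scanners" wiki page linked earlier in the thread; points 5 and 6 are observation tools rather than rules and appear only as comments.

```routeros
# Added example (not from the thread or MikroTik). Assumed: bridge "hs-bridge",
# constructed client range 10.5.50.0/24, logged-in hotspot users placed in
# address list "hs-auth" by their user profile (version-dependent option).

/ip hotspot user profile
set [find name=default] address-list=hs-auth

/ip firewall filter
# Point 3: port-scan detection with the psd matcher from the wiki page
# (21 points within 3 s, low ports weigh 3, high ports weigh 1).
add chain=forward protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=2w comment="detect TCP port scanners"
add chain=forward src-address-list=port_scanners action=drop \
    comment="drop detected port scanners"

# Point 1: clients not yet logged in may reach only the router's login page
# and DNS; everything else from them, to the router or through it, is dropped.
add chain=input in-interface=hs-bridge src-address-list=!hs-auth \
    protocol=tcp dst-port=80,443 action=accept comment="hotspot login page"
add chain=input in-interface=hs-bridge src-address-list=!hs-auth \
    protocol=udp dst-port=53 action=accept comment="DNS for the captive portal"
add chain=input in-interface=hs-bridge src-address-list=!hs-auth \
    action=drop comment="unauthenticated: nothing else to the router"
add chain=forward in-interface=hs-bridge src-address-list=!hs-auth \
    action=drop comment="unauthenticated: nothing through the router"

# Point 4: refuse new TCP connections once a client IP (/32) already has 20.
add chain=forward in-interface=hs-bridge src-address-list=hs-auth \
    protocol=tcp connection-state=new connection-limit=20,32 action=drop \
    comment="more than 20 TCP connections from one client"

# Point 2: allow what basic users need, then log and drop the rest.
add chain=forward in-interface=hs-bridge src-address-list=hs-auth \
    protocol=tcp dst-port=80,443,21 action=accept comment="HTTP, HTTPS, FTP"
add chain=forward in-interface=hs-bridge src-address-list=hs-auth \
    protocol=udp dst-port=53 action=accept comment="DNS"
add chain=forward in-interface=hs-bridge src-address-list=hs-auth \
    action=log log-prefix="hs-drop:" comment="log anything else"
add chain=forward in-interface=hs-bridge src-address-list=hs-auth \
    action=drop comment="drop anything else"

# Points 5 and 6 are monitoring, not rules: /tool torch on hs-bridge and
# /ip firewall connection print show live traffic; the Dude watches the links.
```

The order of the blocks is deliberate: the scanner drop and the unauthenticated drops come before any accept, so a flagged or not-yet-logged-in client never matches the permissive rules further down. The `hs-drop:` log line is what answers Hellbound's question about keeping a record after login: anything a logged-in user sends that is not on the allowed list shows up in the log with its source address before it is dropped, so repeated entries from one client across many destinations are visible without any special scanner detector. The connection limit is the one number in the list to tune per site, as the following posts note.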
 
Hellbound (Long time Member, Topic Author)
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Fri Jan 05, 2007 4:15 pm

normis wrote:
To summarize what we've already discussed, this should be a very secure system:

1. drops everything from non-hotspot users, except what is needed to login
2. drops everything, except what the hotspot users need (if they are basic users then HTTP, HTTPS, FTP and maybe something else could be left on - but a DROP rule after that)
3. enable port scan detection as mentioned above
4. limit connections per IP to a reasonable amount (10-20 for home users is enough)
5. use torch to monitor traffic, use connection tables to see what happens in real time
6. use the Dude to monitor traffic on links, overloaded machines, quickly take action

I agree with you except number 4.
 
normis (MikroTik Support)
Posts: 26381
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Fri Jan 05, 2007 4:22 pm

Of course set it to whatever you like, it depends on what your users do. For internet cafés that's reasonable. For torrent users and Skype'rs - of course too low.
