AmrSubZero
just joined
Topic Author
Posts: 17
Joined: Tue Dec 02, 2014 3:29 pm
Location: Egypt

Assign static IPs from ARP not DHCP Leases to stop MAC Cloning

Sun May 02, 2021 5:36 am

Good day!

I've been struggling with people who steal internet using MAC-address spoofing/cloning, since anybody can change his device's MAC address to that of any of my clients on the network and get access to the internet, and I won't know about him if I don't check the hostname change on DHCP-Server/Leases.

After lots of tries, I ended up setting my LAN interface ARP to "reply-only", which doesn't give internet access if the MAC/IP isn't added to the ARP table.


ARP list (screenshot):

I've always been making static IPs for the clients to be able to limit their bandwidth etc. from IP/DHCP-Server/Leases, and that's how the attackers succeed in getting internet access once they change their MAC to any of the clients': they take the same IP, since every MAC is listed in Leases with a static IP.

But then I removed all the static leases, assuming the ARP list I set would keep the clients' IPs static,
so once a client connects, a "Dynamic" lease is generated, not a "Static" one.
If an attacker clones the MAC, he gets a different IP and has no internet access, because I only give access to the ARP item's MAC and IP .. if they don't match, no internet access is given.

Up to this part everything works, and MAC cloning doesn't work, as I've tested and explained above. But here's the problem: as I said .. I assumed the ARP list would make the IPs static for each client.
That didn't happen; my phone and PC can randomly take any free IP address. So if the IP changes for a client, I cannot limit his bandwidth using Simple Queues (target IP & max-limit).

If there's a way to make the IP static for my clients without creating a static lease for each one, MAC cloning will not work, because the idea is to force the attacker to get a new IP different from the client IP that is listed in the ARP list. Then he will not have internet access, since the ARP item has to match the MAC & IP.

Right now I'm setting static lease IPs for clients .. temporarily, hoping someone can help with this issue.

Sorry for taking long.
Thanks!
Last edited by AmrSubZero on Mon May 03, 2021 7:37 pm, edited 1 time in total.
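The setup described in the post above, written out as RouterOS CLI commands. This is an added example, not configuration from the thread; the bridge name "bridge-lan", the DHCP server name "dhcp-lan", the 192.168.88.0/24 range and the MAC address are constructed sample values.

```routeros
# Added example: the ARP reply-only + static lease + bypassed binding + queue setup
# from the post, for one constructed client (MAC AA:BB:CC:00:00:10, IP 192.168.88.10).

# 1. The LAN interface answers ARP only for entries already in its ARP table, so a
#    host whose MAC/IP pair is not listed gets no ARP replies from the router.
/interface bridge set bridge-lan arp=reply-only

# 2. Static ARP entry: this MAC is reachable only at this IP.
/ip arp add interface=bridge-lan address=192.168.88.10 mac-address=AA:BB:CC:00:00:10 comment="client-10"

# 3. Static DHCP lease so the client always receives the IP named in the ARP entry.
#    Without it the lease is dynamic and the IP can change, which breaks the queue below.
#    As the post notes, this step also means a device presenting the same MAC is handed
#    the same lease and therefore matches the ARP entry; the MAC remains the only identity.
/ip dhcp-server lease add server=dhcp-lan address=192.168.88.10 mac-address=AA:BB:CC:00:00:10 comment="client-10"

# 4. Hotspot binding of type bypassed: no login page for this MAC/IP pair.
/ip hotspot ip-binding add mac-address=AA:BB:CC:00:00:10 address=192.168.88.10 type=bypassed comment="client-10"

# 5. Bandwidth limit keyed on the (now stable) IP; limits are upload/download.
/queue simple add name="client-10" target=192.168.88.10/32 max-limit=2M/8M
```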
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Assign static IP's from ARP not DHCP Leases

Sun May 02, 2021 12:24 pm

This kind of trick will never work completely, and it will always be possible to work around it when your clients are clever enough.
When you want better possibilities to check things, you will have to use 802.1x or PPPoE and use a RADIUS server to authenticate the clients, preferably with a certificate.
 
joegoldman
Forum Veteran
Posts: 766
Joined: Mon May 27, 2013 2:05 am

Re: Assign static IP's from ARP not DHCP Leases

Sun May 02, 2021 2:15 pm

Another option is port security, depending on what switching you are using, where you restrict the MAC down to the physical port on the switch, so they'd need to spoof and repatch/move desks.
 
AmrSubZero
just joined
Topic Author
Posts: 17
Joined: Tue Dec 02, 2014 3:29 pm
Location: Egypt

Re: Assign static IP's from ARP not DHCP Leases

Mon May 03, 2021 7:29 pm

pe1chl wrote:
> This kind of trick will never work completely, and it will always be possible to work around it when your clients are clever enough.
> When you want better possibilities to check things, you will have to use 802.1x or PPPoE and use a RADIUS server to authenticate the clients, preferably with a certificate.

I don't require authentication for my clients; they are "bypassed" in IP Bindings and limited by Queues. I don't think PPPoE with RADIUS (usermanager) will allow me to do the same.
So there's no way to achieve the thing I asked for on such a powerful system like MikroTik? That's sad .. like 15+ years and there's no fix for MAC cloning/spoofing on Hotspot.
Last edited by AmrSubZero on Mon May 03, 2021 7:36 pm, edited 1 time in total.
 
AmrSubZero
just joined
Topic Author
Posts: 17
Joined: Tue Dec 02, 2014 3:29 pm
Location: Egypt

Re: Assign static IP's from ARP not DHCP Leases

Mon May 03, 2021 7:33 pm

joegoldman wrote:
> Another option is port security, depending on what switching you are using, where you restrict the MAC down to the physical port on the switch, so they'd need to spoof and repatch/move desks.

I have no idea what you are talking about, but I guess you mean configuring switches or routers rather than MikroTik configuration. I have lots of switches & repeaters/routers; I can't configure them one by one to only allow certain MACs. That would be a pain, if I understood you correctly.
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Assign static IP's from ARP not DHCP Leases

Mon May 03, 2021 8:12 pm

AmrSubZero wrote:
> So there's no way to achieve the thing I asked for on such a powerful system like MikroTik? That's sad .. like 15+ years and there's no fix for MAC cloning/spoofing on Hotspot.

This is not related to MikroTik; it is just a property of using the MAC as identifier and users that are not cooperative.
Solutions exist: 802.1x (dot1x) and PPPoE, with a capable RADIUS server of course (FreeRADIUS, maybe RouterOS v7 usermanager).
But you seem to not want to use them.
 
AmrSubZero
just joined
Topic Author
Posts: 17
Joined: Tue Dec 02, 2014 3:29 pm
Location: Egypt

Re: Assign static IP's from ARP not DHCP Leases

Wed May 05, 2021 1:47 am

pe1chl wrote:
> Solutions exist: 802.1x (dot1x) and PPPoE, with a capable RADIUS server of course (FreeRADIUS, maybe RouterOS v7 usermanager).

My setup doesn't require user authentication (user/pass); all my clients have an IP Binding of type "Bypassed", so they have access to the internet once they connect to the network.
PCs and phones, and I limit their bandwidth using Simple Queues by Target IP, and for the queues to always work for the target IPs, I'm setting static IPs for clients using DHCP Leases.

I tried to use PPPoE with RADIUS with Usermanager, but I couldn't achieve the same scenario as I explained.
E.g. I couldn't make clients "Bypassed" by MAC address so they don't have to enter a username & password to use the internet.

Also for PPPoE the mobile users have to set up a VPN to connect with PPPoE to my network. I can tell that my clients aren't clever enough to do that; they always want to auto-connect to the WiFi network and have access to the internet immediately without going through any settings.

So can I achieve the same Hotspot scenario I'm using with PPPoE / Usermanager? Or maybe any other service that allows me to do that?

If not, I think I would need to stick with the current settings and accept the situation with the MAC cloning people.

Thanks!
 
pe1chl
Forum Guru
Posts: 10186
Joined: Mon Jun 08, 2015 12:09 pm

Re: Assign static IP's from ARP not DHCP Leases

Wed May 05, 2021 11:16 am

pe1chl wrote:
> Solutions exist: 802.1x (dot1x) and PPPoE, with a capable RADIUS server of course (FreeRADIUS, maybe RouterOS v7 usermanager).

AmrSubZero wrote:
> My setup doesn't require user authentication (user/pass)

That is where you go wrong! You say you have a problem with people stealing your internet, yet you do not require your users to identify themselves.
You will never be able to solve that problem. Either your users are honest and play by your rules, and you do not require authentication etc.,
or your users are thieves and you need to make sure you are talking to genuine users.
(And even then username/password probably will not work either, because they will pass that on to others.)

AmrSubZero wrote:
> I think I would need to stick with the current settings and accept the situation with the MAC cloning people.

That is right. Either you make things secure or you accept abuse.
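If the MAC-based setup is kept as-is, the one sign the original post mentions (a lease's hostname changing for a known MAC) can at least be checked automatically. This is an added example, not anything from the thread or from MikroTik; it assumes the expected hostname is recorded in each static lease's comment as "host:<name>", and the script and scheduler names are constructed.

```routeros
# Added example: scheduled check that logs a warning when a lease's reported host-name
# differs from the name recorded in its comment ("host:<expected>").
# This only notices careless cloning; as the replies above say, the MAC itself
# remains spoofable, so treat this as an alert, not a control.
/system script add name=lease-hostname-check source={
    :foreach l in=[/ip dhcp-server lease find where comment~"^host:"] do={
        :local c [/ip dhcp-server lease get $l comment];
        :local expected [:pick $c 5 [:len $c]];
        :local seen [/ip dhcp-server lease get $l host-name];
        # skip leases with no active client (empty host-name)
        :if (([:len $seen] > 0) && ($seen != $expected)) do={
            :log warning ("DHCP lease " . [/ip dhcp-server lease get $l address] . " mac " . [/ip dhcp-server lease get $l mac-address] . " hostname changed: expected " . $expected . " got " . $seen);
        }
    }
}

# Run the check every five minutes.
/system scheduler add name=lease-hostname-check interval=5m on-event=lease-hostname-check
```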
