I'm running a Mikrotik with RouterOS 6.23 as a wireless access point with the following setup (only the relevant parts included):
The vlan556 interface is an uplink to an Internet router and the wifi interface wlan1 is bridged to it via the "bridge-wifi" bridge.
....
/interface bridge
add mtu=1500 name=bridge-wifi
....
/interface vlan
add comment=wifi interface=ether2-master-local l2mtu=1594 name=vlan556 vlan-id=556
....
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no \
    distance=indoors frequency=auto l2mtu=2290 mode=ap-bridge security-profile=rds ssid=***** \
    wireless-protocol=802.11
....
/interface bridge port
add bridge=bridge-wifi interface=vlan556
add bridge=bridge-wifi interface=wlan1
....
A colleague of mine, who is registered with the wifi network, tried an ARP poisoning attack and was successful. Here's a capture of his traffic showing what he's doing. Note that our gateway is at 00:25:90:a6:91:bb with IP address 192.168.14.254 and the attacker is at 88:32:9b:43:78:4d. The attacker's real IP address is 192.168.14.53, but he's trying to present himself as the gateway (192.168.14.254) to the rest of the network.
Here's what's going on:
As you can see, the attacker 88:32:9b:43:78:4d, whose real IP address is 192.168.14.53, sends fake ARP replies claiming that he is the gateway ("192.168.14.254 is at 88:32:9b:43:78:4d"), fooling the rest of the hosts into sending their traffic to him.
....
[#]   [time]     [source]           [destination]      [proto] [len] [info]
3     0.608126   00:25:90:a6:91:bb  88:32:9b:43:78:4d  ARP     56    Who has 192.168.14.53? Tell 192.168.14.254 (duplicate use of 192.168.14.254 detected!)
4     0.672405   88:32:9b:43:78:4d  00:25:90:a6:91:bb  ARP     42    192.168.14.53 is at 88:32:9b:43:78:4d (duplicate use of 192.168.14.254 detected!)
5     0.998377   88:32:9b:43:78:4d  00:24:d7:13:99:b4  ARP     42    192.168.14.254 is at 88:32:9b:43:78:4d
7     2.002016   88:32:9b:43:78:4d  00:24:d7:13:99:b4  ARP     42    192.168.14.254 is at 88:32:9b:43:78:4d
....
149   22.322581  bc:3b:af:68:79:4b  88:32:9b:43:78:4d  ARP     56    Who has 192.168.14.254? Tell 192.168.14.74
152   22.329028  88:32:9b:43:78:4d  bc:3b:af:68:79:4b  ARP     42    192.168.14.254 is at 88:32:9b:43:78:4d
....
546   34.014066  88:32:9b:43:78:4d  ff:ff:ff:ff:ff:ff  ARP     42    Who has 192.168.14.16? Tell 192.168.14.53
547   34.014118  88:32:9b:43:78:4d  ff:ff:ff:ff:ff:ff  ARP     42    Who has 192.168.14.17? Tell 192.168.14.53
....
I've tried to prevent this attack by inserting bridge filter rules (/interface bridge filter) which drop the malicious ARP replies, but I wasn't successful.
I need a filter rule on the bridge which drops any ARP reply which states that 192.168.14.254 is at something other than 00:25:90:a6:91:bb, which is the MAC address of the genuine gateway.
This way, fake packets like this one:

5     0.998377   88:32:9b:43:78:4d  00:24:d7:13:99:b4  ARP     42    192.168.14.254 is at 88:32:9b:43:78:4d

coming from malicious machines would get dropped, and attackers wouldn't be able to present themselves as the gateway.
In other words, I want to accept ARP replies for 192.168.14.254 only if they come from the MAC of the gateway itself.
Is such a thing possible? If yes, what would the filter rules look like?
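The following is an added example of what such bridge filter rules could look like; it is not part of the original question and not a configuration the poster has tested. It reuses the names and addresses from the post (bridge-wifi, wlan1, gateway 192.168.14.254 at 00:25:90:a6:91:bb) and the RouterOS 6 bridge filter match parameters (mac-protocol, arp-src-address, arp-src-mac-address, src-mac-address, in-interface). Two things are assumptions to verify on RouterOS 6.23: that the "!" prefix negates a MAC match in bridge filters as it does in the IP firewall, and that setting default-forwarding=no on wlan1 is what makes client-to-client wireless frames pass through the bridge instead of being forwarded inside the wireless driver.

```routeros
# Added example, not from the original post. Names, IPs and MACs are taken
# from the post; "!" negation and the default-forwarding behaviour are
# assumptions to verify on the target RouterOS version.

# 1. Make wireless client-to-client frames traverse the bridge at all.
#    With default-forwarding=yes (the default) the wireless driver forwards
#    frames between wlan1 clients itself, and a bridge filter never sees
#    them, which is one reason a correct-looking rule can appear not to work.
/interface wireless set [ find default-name=wlan1 ] default-forwarding=no

/interface bridge filter

# 2. Drop any ARP frame entering from wlan1 whose ARP sender IP is the
#    gateway but whose ARP sender MAC is not the gateway's MAC. This matches
#    on the ARP payload, not only the Ethernet header, because the two can
#    be forged independently. No opcode restriction on purpose: ARP requests
#    carry the same sender fields and also update neighbour caches.
add chain=forward in-interface=wlan1 mac-protocol=arp \
    arp-src-address=192.168.14.254 \
    arp-src-mac-address=!00:25:90:A6:91:BB \
    action=drop comment="drop ARP claiming gateway IP with a foreign sender MAC"

# 3. Same check on the Ethernet source MAC, so a frame that copies the
#    gateway MAC into the ARP payload but is transmitted from another NIC
#    is dropped as well.
add chain=forward in-interface=wlan1 mac-protocol=arp \
    arp-src-address=192.168.14.254 \
    src-mac-address=!00:25:90:A6:91:BB/FF:FF:FF:FF:FF:FF \
    action=drop comment="drop ARP claiming gateway IP from a foreign source MAC"

# 4. Simpler alternative: the gateway sits behind vlan556, so no ARP
#    originating on wlan1 should ever carry the gateway IP as sender.
#    Enable this instead of rules 2 and 3 if that assumption holds.
add chain=forward in-interface=wlan1 mac-protocol=arp \
    arp-src-address=192.168.14.254 \
    action=drop disabled=yes comment="alternative: no gateway ARP may originate on wlan1"
```

The in-interface=wlan1 match leaves the genuine gateway's replies untouched, since those enter the bridge from vlan556. In the capture above, frames 5, 7 and 152 would match rules 2 and 3 (sender IP 192.168.14.254, sender MAC 88:32:9b:43:78:4d), while frames 546 and 547 would pass, because their sender IP is the attacker's own 192.168.14.53. Checking the rule counters in /interface bridge filter print stats after the colleague repeats the test is the quickest way to confirm the frames are actually reaching the bridge.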