Community discussions

MUM Europe 2020
 
cleaver
just joined
Topic Author
Posts: 7
Joined: Tue Apr 15, 2014 2:39 pm

Bridge filter rules against ARP poisoning attack

Fri Dec 12, 2014 11:19 am

Hello guys!
I'm running a Mikrotik with RouterOS 6.23 as a wireless access point with the following setup (only the relevant parts included):
....

/interface bridge
add mtu=1500 name=bridge-wifi

....

/interface vlan
add comment=wifi interface=ether2-master-local l2mtu=1594 name=vlan556 vlan-id=556

....

/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors frequency=auto l2mtu=2290 mode=ap-bridge security-profile=rds ssid=***** \
    wireless-protocol=802.11

....

/interface bridge port
add bridge=bridge-wifi interface=vlan556
add bridge=bridge-wifi interface=wlan1

....
The vlan556 interface is an uplink to an Internet router and the wifi interface wlan1 is bridged to it via the "bridge-wifi" bridge.

A colleague of mine, who is registered with the wifi network, tried an ARP poisoning attack and was successful. Here's a capture of his traffic showing what he's doing. Note that our gateway is at 00:25:90:a6:91:bb with IP address 192.168.14.254 and the attacker is at 88:32:9b:43:78:4d. The attacker's real IP address is 192.168.14.53, but he's trying to present himself as the gateway (192.168.14.254) to the rest of the network.

Here's what's going on:
....

[#]	[time]		[source]		[destination]		[proto]		[info]
3	0.608126	00:25:90:a6:91:bb	88:32:9b:43:78:4d	ARP	56	Who has 192.168.14.53?  Tell 192.168.14.254 (duplicate use of 192.168.14.254 detected!)
4	0.672405	88:32:9b:43:78:4d	00:25:90:a6:91:bb	ARP	42	192.168.14.53 is at 88:32:9b:43:78:4d (duplicate use of 192.168.14.254 detected!)
5	0.998377	88:32:9b:43:78:4d	00:24:d7:13:99:b4	ARP	42	192.168.14.254 is at 88:32:9b:43:78:4d
7	2.002016	88:32:9b:43:78:4d	00:24:d7:13:99:b4	ARP	42	192.168.14.254 is at 88:32:9b:43:78:4d

....

149	22.322581	bc:3b:af:68:79:4b	88:32:9b:43:78:4d	ARP	56	Who has 192.168.14.254?  Tell 192.168.14.74
152	22.329028	88:32:9b:43:78:4d	bc:3b:af:68:79:4b	ARP	42	192.168.14.254 is at 88:32:9b:43:78:4d

....

546	34.014066	88:32:9b:43:78:4d	ff:ff:ff:ff:ff:ff	ARP	42	Who has 192.168.14.16?  Tell 192.168.14.53
547	34.014118	88:32:9b:43:78:4d	ff:ff:ff:ff:ff:ff	ARP	42	Who has 192.168.14.17?  Tell 192.168.14.53

....
As you see the attacker 88:32:9b:43:78:4d, whos real IP address is ..14.53, sends fake ARP replies, claiming that he is the gateway - 192.168.14.254 is at 88:32:9b:43:78:4d, fooling the rest of the hosts into sending their traffic to him.

I've tried to prevent this attack by inserting bridge filter rules (/interface bridge filter) which drop the malicious ARP replies, but I wasn't successful.
I need a filter rule on the bridge which drops any ARP reply which states that 192.168.14.254 is at something other than 00:25:90:a6:91:bb, which is the MAC address of the genuine gateway.
This way fake packets like this one
5	0.998377	88:32:9b:43:78:4d	00:24:d7:13:99:b4	ARP	42	192.168.14.254 is at 88:32:9b:43:78:4d
coming from malicious machines would get dropped and the attackers wouldn't be able to present themselves as the gateway.
In other words, I want to accept ARP replies for 192.168.14.254 only if they come from the MAC of the gateway itself.

Is such a thing possible? If yes, what would the filter rules look like?


Big thanks!

Regards,
Stoycho Ganev
 
User avatar
gabrielpike
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Thu Apr 17, 2014 4:17 pm

Re: Bridge filter rules against ARP poisoning attack

Fri Dec 12, 2014 4:55 pm

If you are handing out DHCP from your router you could add-arp=yes under the server chain. Like this:

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=yes disabled=no \
interface=LAN lease-time=3d name=dhcp1
Gabriel Pike
MTCNA
 
cleaver
just joined
Topic Author
Posts: 7
Joined: Tue Apr 15, 2014 2:39 pm

Re: Bridge filter rules against ARP poisoning attack

Sat Dec 13, 2014 5:43 pm

There is no DHCP service running. It's only a wireless AP bridge.
The DHCP is on a different machine, which is not a RouterOS.
 
User avatar
gabrielpike
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Thu Apr 17, 2014 4:17 pm

Re: Bridge filter rules against ARP poisoning attack

Mon Dec 15, 2014 4:22 pm

My suggestion then would be to make a static arp cache entry on your hosts if you want to prevent a MITM attack then. Or maybe run some type of script to do this from your DHCP server. As I said the answer would be simple if the mikrotik was doing the work. I have done this on many public connections for businesses.
Gabriel Pike
MTCNA

Who is online

Users browsing this forum: comredperu, jerryd, MSN [Bot] and 48 guests