Hello guys!
I'm running a Mikrotik with RouterOS 6.23 as a wireless access point with the following setup (only the relevant parts included): The vlan556 interface is an uplink to an Internet router and the wifi interface wlan1 is bridged to it via the "bridge-wifi" bridge.

A colleague of mine, who is registered with the wifi network, tried an ARP poisoning attack and was successful. Here's a capture of his traffic showing what he's doing. Note that our gateway is at 00:25:90:a6:91:bb with IP address 192.168.14.254 and the attacker is at 88:32:9b:43:78:4d. The attacker's real IP address is 192.168.14.53, but he's trying to present himself as the gateway (192.168.14.254) to the rest of the network.

Here's what's going on:
As you see the attacker 88:32:9b:43:78:4d, whos real IP address is ..14.53, sends fake ARP replies, claiming that he is the gateway - 192.168.14.254 is at 88:32:9b:43:78:4d, fooling the rest of the hosts into sending their traffic to him.

I've tried to prevent this attack by inserting bridge filter rules (/interface bridge filter) which drop the malicious ARP replies, but I wasn't successful.
I need a filter rule on the bridge which drops any ARP reply which states that 192.168.14.254 is at something other than 00:25:90:a6:91:bb, which is the MAC address of the genuine gateway.
This way fake packets like this one coming from malicious machines would get dropped and the attackers wouldn't be able to present themselves as the gateway.
In other words, I want to accept ARP replies for 192.168.14.254 only if they come from the MAC of the gateway itself.

Is such a thing possible? If yes, what would the filter rules look like?


Big thanks!

Regards,
Stoycho Ganev

If you are handing out DHCP from your router you could add-arp=yes under the server chain. Like this:

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 authoritative=yes disabled=no \
interface=LAN lease-time=3d name=dhcp1

There is no DHCP service running. It's only a wireless AP bridge.
The DHCP is on a different machine, which is not a RouterOS.

My suggestion then would be to make a static arp cache entry on your hosts if you want to prevent a MITM attack then. Or maybe run some type of script to do this from your DHCP server. As I said the answer would be simple if the mikrotik was doing the work. I have done this on many public connections for businesses.