I'm running a Mikrotik with RouterOS 6.23 as a wireless access point with the following setup (only the relevant parts included):
    ....
    /interface bridge
    add mtu=1500 name=bridge-wifi
    ....
    /interface vlan
    add comment=wifi interface=ether2-master-local l2mtu=1594 name=vlan556 vlan-id=556
    ....
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors frequency=auto l2mtu=2290 mode=ap-bridge security-profile=rds ssid=***** \
        wireless-protocol=802.11
    ....
    /interface bridge port
    add bridge=bridge-wifi interface=vlan556
    add bridge=bridge-wifi interface=wlan1
    ....
A colleague of mine, who is registered with the wifi network, tried an ARP poisoning attack and was successful. Here's a capture of his traffic showing what he's doing. Note that our gateway is at 00:25:90:a6:91:bb with IP address 192.168.14.254 and the attacker is at 88:32:9b:43:78:4d. The attacker's real IP address is 192.168.14.53, but he's trying to present himself as the gateway (192.168.14.254) to the rest of the network.
Here's what's going on:
    ....
    [#] [time] [source] [destination] [proto] [len] [info]
    3 0.608126 00:25:90:a6:91:bb 88:32:9b:43:78:4d ARP 56 Who has 192.168.14.53? Tell 192.168.14.254 (duplicate use of 192.168.14.254 detected!)
    4 0.672405 88:32:9b:43:78:4d 00:25:90:a6:91:bb ARP 42 192.168.14.53 is at 88:32:9b:43:78:4d (duplicate use of 192.168.14.254 detected!)
    5 0.998377 88:32:9b:43:78:4d 00:24:d7:13:99:b4 ARP 42 192.168.14.254 is at 88:32:9b:43:78:4d
    7 2.002016 88:32:9b:43:78:4d 00:24:d7:13:99:b4 ARP 42 192.168.14.254 is at 88:32:9b:43:78:4d
    ....
    149 22.322581 bc:3b:af:68:79:4b 88:32:9b:43:78:4d ARP 56 Who has 192.168.14.254? Tell 192.168.14.74
    152 22.329028 88:32:9b:43:78:4d bc:3b:af:68:79:4b ARP 42 192.168.14.254 is at 88:32:9b:43:78:4d
    ....
    546 34.014066 88:32:9b:43:78:4d ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.14.16? Tell 192.168.14.53
    547 34.014118 88:32:9b:43:78:4d ff:ff:ff:ff:ff:ff ARP 42 Who has 192.168.14.17? Tell 192.168.14.53
    ....
I've tried to prevent this attack by inserting bridge filter rules (/interface bridge filter) which drop the malicious ARP replies, but I wasn't successful.
I need a filter rule on the bridge which drops any ARP reply which states that 192.168.14.254 is at something other than 00:25:90:a6:91:bb, which is the MAC address of the genuine gateway.
This way fake packets like this one
    5 0.998377 88:32:9b:43:78:4d 00:24:d7:13:99:b4 ARP 42 192.168.14.254 is at 88:32:9b:43:78:4d
In other words, I want to accept ARP replies for 192.168.14.254 only if they come from the MAC of the gateway itself.
Is such a thing possible? If yes, what would the filter rules look like?
Big thanks!
Regards,
Stoycho Ganev
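As an added example (not part of the post above, and not a RouterOS rule), the following Python script applies the same check the poster wants from the bridge filter, but to a capture: it parses lines in the layout quoted above and flags every ARP reply that binds the gateway IP 192.168.14.254 to a MAC other than 00:25:90:a6:91:bb. The trusted binding is taken from the post; frame 200 in the sample is a constructed legitimate reply added to show that genuine gateway replies pass.

```python
import re
from typing import Dict, List, Tuple

# Known-good IP -> MAC bindings (values taken from the post).
TRUSTED = {"192.168.14.254": "00:25:90:a6:91:bb"}

# Matches the capture layout quoted in the post:
# [#] [time] [src MAC] [dst MAC] ARP [len] "<ip> is at <mac>"; trailing annotations are ignored.
REPLY_RE = re.compile(
    r"^(?P<frame>\d+)\s+(?P<time>[\d.]+)\s+(?P<eth_src>\S+)\s+(?P<eth_dst>\S+)\s+"
    r"ARP\s+\d+\s+(?P<ip>[\d.]+) is at (?P<mac>[0-9a-fA-F:]{17})"
)

def find_spoofed_replies(capture: str, trusted: Dict[str, str]) -> List[Tuple[int, str, str, str]]:
    """Return (frame, ip, claimed_mac, eth_src) for every ARP reply that binds a
    trusted IP to a MAC other than its trusted one. ARP requests and replies for
    IPs not in `trusted` are ignored."""
    hits = []
    for line in capture.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            continue  # not an ARP reply line
        ip, mac = m["ip"], m["mac"].lower()
        expected = trusted.get(ip)
        if expected is not None and mac != expected.lower():
            hits.append((int(m["frame"]), ip, mac, m["eth_src"].lower()))
    return hits

# Sample input: frames 3-152 are copied from the post's capture; frame 200 is a
# constructed legitimate reply from the real gateway, added to show it is accepted.
SAMPLE = """\
3 0.608126 00:25:90:a6:91:bb 88:32:9b:43:78:4d ARP 56 Who has 192.168.14.53? Tell 192.168.14.254 (duplicate use of 192.168.14.254 detected!)
4 0.672405 88:32:9b:43:78:4d 00:25:90:a6:91:bb ARP 42 192.168.14.53 is at 88:32:9b:43:78:4d (duplicate use of 192.168.14.254 detected!)
5 0.998377 88:32:9b:43:78:4d 00:24:d7:13:99:b4 ARP 42 192.168.14.254 is at 88:32:9b:43:78:4d
7 2.002016 88:32:9b:43:78:4d 00:24:d7:13:99:b4 ARP 42 192.168.14.254 is at 88:32:9b:43:78:4d
149 22.322581 bc:3b:af:68:79:4b 88:32:9b:43:78:4d ARP 56 Who has 192.168.14.254? Tell 192.168.14.74
152 22.329028 88:32:9b:43:78:4d bc:3b:af:68:79:4b ARP 42 192.168.14.254 is at 88:32:9b:43:78:4d
200 40.000000 00:25:90:a6:91:bb bc:3b:af:68:79:4b ARP 42 192.168.14.254 is at 00:25:90:a6:91:bb
"""

if __name__ == "__main__":
    for frame, ip, mac, src in find_spoofed_replies(SAMPLE, TRUSTED):
        print(f"frame {frame}: {ip} falsely claimed at {mac} (sent by {src})")
```

Run against the sample it reports frames 5, 7 and 152, which are exactly the replies the poster wants the bridge to drop.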