CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Attack?

Fri Jul 06, 2012 2:36 am

Hi there,

First off, I know there are a few workarounds to this problem, like adding security on the network, but I want to know if this is any kind of attack.

I have a 21m tower on the highway. It has 2 R52 radios on a 532A RouterBoard, works great but lately, it has a hotspot and a PPPoE server running, the hotspot so people nearby can connect (there's a gas station 100m away). I have on each R52 a 90 degree sector antenna at 2.4GHz. The problem is that lately I have like 200 clients connected, at least 200 MAC addresses, because none of them tries to get an IP from the hotspot, they are just connected, but the sectors are set to a 4km radius. The problem here is that the clients connected with a CPE use a router and PPPoE, but when there are a lot of MACs registered the bandwidth slows down like crazy. If I do a speedtest I get 200k at most! If I put all unknown MACs in the access list and remove them from auth and forward, I get my bandwidth again.

To show you how serious this is: all these MACs were copied to my ACL this week. The thing is that the tower is on a 4 lane highway and there's NOTHING but the trees and a couple of houses at the beach (2 -> 4km). Any idea if this could be an attack? I'm almost sure it is, but how?

This is my access list of all the "intruders" connected to this AP:

http://pastebin.com/3F0QKtf1
Have a great day!
Certified: MTCNA - MTCWE - MTCRE
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Fri Jul 06, 2012 2:42 am

Or is there any way I can make a wildcard? I have only Ubnt and Mikrotik CPE, so the MAC addresses all start with 00:15:6D -> 00:0c:42 -> 00:27:22 ... so the others aren't mine.

I know you may be thinking, why don't you put WPA2 or something? That's because I have this AP almost 80 mi from here and it's a lot of work to go to all the customers to make this change. First I want to try if there's any way to do it from here.

thanks in advance.
 
0ldman
Forum Guru
Posts: 1465
Joined: Thu Jul 27, 2006 5:01 am

Re: Attack?

Fri Jul 06, 2012 5:12 pm

You could use the access list to drop anyone with weak signal, but that would likely be a ton of work compared to just enabling encryption.

Best bet is to encrypt it. There is a reason that would be the first bit of advice.

An easy way to reconfigure the encryption remotely is to set up a virtual AP as a slave to the main, bridge it to the main, same SSID with encryption enabled. Go into each client, configure encryption and then they should connect to the VAP. Once everyone has been migrated, change the encryption on the main AP and remove the VAP.
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Fri Jul 06, 2012 8:30 pm

0ldman wrote:
"You could use the access list to drop anyone with weak signal, but that would likely be a ton of work compared to just enabling encryption.

"Best bet is to encrypt it. There is a reason that would be the first bit of advice.

"An easy way to reconfigure the encryption remotely is to set up a virtual AP as a slave to the main, bridge it to the main, same SSID with encryption enabled. Go into each client, configure encryption and then they should connect to the VAP. Once everyone has been migrated, change the encryption on the main AP and remove the VAP."

Thanks, I'm going to do that, but the thing is... is this an attack of some kind? Because I don't get how there can be over 200 MACs registered in an area which is alone, only forest, the highway and 2 km inside the beach, and I can see connected devices like "samsung mobile, nokia, intel, etc.." all with -85 to -94... How can there be 200 devices connected? That's my "trauma", hehe!

Thanks!
 
0ldman
Forum Guru
Posts: 1465
Joined: Thu Jul 27, 2006 5:01 am

Re: Attack?

Sat Jul 07, 2012 6:05 pm

Sounds like everyone driving by that has a cell phone or a laptop hits it.
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Sat Jul 14, 2012 8:21 pm

0ldman wrote:
"Sounds like everyone driving by that has a cell phone or a laptop hits it."

I'm not pretty sure about that, because all the clients are registered and stand like there's a crowd near the AP. Anyway, I'm migrating this cell to 5GHz with NV2, so this problem will soon be solved.

thanks
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Fri Aug 10, 2012 6:32 pm

I'm pretty sure now this is an attack. Yesterday I found these MACs on my reg table and please, this MAC 00:00:00 belongs to 80's Xerox devices.
Last edited by CyB3RMX on Fri Aug 10, 2012 7:42 pm, edited 1 time in total.
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Fri Aug 10, 2012 7:39 pm

Today I got another 80's Xerox connecting to my AP?!
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Tue Aug 14, 2012 6:01 pm

I just can't believe no one can answer anything, I found this weird... Anyway, thanks again.

:?
 
djdrastic
Member
Posts: 321
Joined: Wed Aug 01, 2012 2:14 pm

Re: Attack?

Tue Aug 14, 2012 10:31 pm

Sounds perhaps like a CAM table attack? I don't know if it's possible on the Mikrotik, but on the Cisco switches I've used we used to enable Port Security to limit the amount of MACs that can associate to a single port.
 
0ldman
Forum Guru
Posts: 1465
Joined: Thu Jul 27, 2006 5:01 am

Re: Attack?

Tue Aug 14, 2012 11:12 pm

I am very interested, however I don't have much advice aside from encryption, disable default authenticate. All of the CPE would have to be expressly allowed in the access list.
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Wed Aug 15, 2012 6:40 pm

This was one of my first pieces of equipment. It's running 802.11b 200mW PRISM cards, but for the amount of clients in that area I didn't pay it much attention. Now that area is growing, so in the same POP there is a 5GHz sector with NV2 + nStreme encrypted and with the SSID hidden. So I'm migrating all my clients to this sector.

The idea of this whole post is to know what kind of attack it is. Have you ever seen it? That's what I don't understand: the clients connect, but they won't connect all at once, 1 MAC appears every 20 mins approx., all of them with low signal. But the number keeps growing, and at the time you see it the AP can't handle too many connections and starts dropping the real clients (this is faster because it is 802.11b). I repeat, I know it's really old infrastructure, but the point is the whole scenario. I am kind of worried because if this is a kind of attack, it's possible to do it to a hotel hotspot for example, that uses the same schema: open wifi with a hotspot controller.

Regards
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Fri Nov 16, 2012 6:12 pm

djdrastic wrote:
"Sounds perhaps like a CAM Table attack ? I don't know if it's possible on the Mikrotik but on the Cisco switches I've used we used to enable Port Security to limit the amount of macs that can associate to a single port."

On wireless?
 
log
Member Candidate
Posts: 105
Joined: Fri May 28, 2010 11:37 am

Re: Attack?

Fri Nov 16, 2012 8:50 pm

 
sabbirahasan
just joined
Posts: 5
Joined: Fri Aug 12, 2011 9:00 pm

Re: Attack?

Sat Nov 17, 2012 9:37 pm

Create an access list, put your customers in the access list, and disable the default authenticate and default forward.
 
CyB3RMX
Member Candidate
Topic Author
Posts: 141
Joined: Thu May 26, 2011 7:08 am

Re: Attack?

Fri Mar 15, 2013 6:39 pm

This is what I was looking for... thanks. I'm pretty sure that was it.

The problem stopped. I migrated everything to an 802.11n based system + NV2 on 5GHz, so it's more secure than the last one.
 
PCNetworks
newbie
Posts: 35
Joined: Tue Feb 19, 2013 7:57 am
Location: California

Re: Attack?

Sat Mar 16, 2013 4:58 am

Encryption is the solution really...
I had a situation kind of like this where I notified all of my clients in an area which was going to be affected by the changes I had to make.

What I elected to do however was to upgrade from WEP to WPA2.
So what I did after notifying clients was to log into each client device remotely under your present configuration, reconfigure the encryption type and key within the CPE and save the settings.
Once completed with the setting mods to all clients in the area, I just switched to the new encryption at the AP. Voilà, it was done and assholes couldn't crack into the connection wirelessly.

I hope this is of some help to you
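
Added example, not code from any poster in this thread: a Python sketch of the access-list approach discussed above, splitting a registration table by the three OUI prefixes the topic author names as his own CPE and building the RouterOS access-list entries plus the default-authenticate/default-forward change. The sample table is constructed, and the interface name `wlan1` is an assumption.

```python
import re

# OUI prefixes the topic author names as his own CPE (from the thread).
OWN_OUIS = {"00:15:6D", "00:0C:42", "00:27:22"}
MAC_RE = re.compile(r"^(?:[0-9A-F]{2}:){5}[0-9A-F]{2}$")

# Constructed sample registration table: (MAC, signal in dBm). Not real data.
SAMPLE_REG_TABLE = [
    ("00:15:6d:aa:10:01", -62),
    ("00-0C-42-BB-20-02", -70),
    ("00:27:22:cc:30:03", -88),
    ("00:00:00:12:34:56", -91),
    ("5c:0a:5b:01:02:03", -93),
    ("not-a-mac", -90),
]

def normalize(mac):
    """Return the MAC as upper-case colon-separated text, or None if malformed."""
    mac = mac.strip().upper().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def triage(reg_table):
    """Split registration-table rows into own-OUI, unknown-OUI and malformed."""
    result = {"allow": [], "unknown": [], "invalid": []}
    for raw, signal in reg_table:
        mac = normalize(raw)
        if mac is None:
            result["invalid"].append(raw)
        elif mac[:8] in OWN_OUIS:
            result["allow"].append((mac, signal))
        else:
            result["unknown"].append((mac, signal))
    return result

def allowlist_commands(allow, interface="wlan1"):
    """Build RouterOS lines: one allow entry per CPE, then deny by default.
    The interface name is an assumption; adjust to the real wireless interface."""
    cmds = [
        f"/interface wireless access-list add interface={interface} "
        f"mac-address={mac} authentication=yes forwarding=yes"
        for mac, _ in sorted(allow)
    ]
    cmds.append(f"/interface wireless set {interface} "
                "default-authentication=no default-forwarding=no")
    return cmds

if __name__ == "__main__":
    groups = triage(SAMPLE_REG_TABLE)
    print("\n".join(allowlist_commands(groups["allow"])))
    print("unknown:", groups["unknown"], "invalid:", groups["invalid"])
```

An OUI match only sorts the table; a MAC address is set by the client, so the per-CPE allow entries and the encryption recommended in the thread remain the actual controls.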
