 
asdgmae2
just joined
Topic Author
Posts: 5
Joined: Thu Jul 06, 2023 8:02 pm

gateway spoof

Thu Jul 06, 2023 8:08 pm

Hello,

Within the same VLAN, there are several /24 subnets. The gateways are configured on the MikroTik device, but I'm experiencing a problem. There is a malicious user who sets up a virtual router on their own server and assigns the gateway address to themselves, redirecting all traffic to their server.

How can I prevent this?
 
martinclaro
Frequent Visitor
Posts: 95
Joined: Sat Sep 28, 2013 6:08 am
Location: Buenos Aires, Argentina

Re: gateway spoof

Thu Jul 06, 2023 8:45 pm

Hi @asdgmae2, the solution would depend on how your network architecture is (other routers, switches, etc).

Generally speaking, it could be tackled by enabling dhcp-snooping, trusted ports and denying arp-learning on switch ports that are untrusted.

Additionally, in your case, in RouterOS set the `arp=reply-only` at vlan level setting, and `add-arp=yes` at dhcp-server level.

I'm assuming you have enabled DHCP server for address assignment.

Again, network architecture diagram and `/export hide-sensitive` would be necessary to bring a more detailed solution path.
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: gateway spoof

Thu Jul 06, 2023 9:12 pm

most effective place to prevent this issue is on access network (switches, access-points, OLT, DSLAM, CMTS etc)
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: gateway spoof

Fri Jul 07, 2023 1:01 pm

@asdgmae2,

> There is a malicious user who sets up a virtual router on their own server and assigns the gateway address to themselves, redirecting all traffic to their server.

if your network is office network,
then you should lock down all the workers station from any system modification.

if your network is a service provider environment,
then you should start to think about changing your subscribers access method.

hope this helps.
 
asdgmae2
just joined
Topic Author
Posts: 5
Joined: Thu Jul 06, 2023 8:02 pm

Re: gateway spoof

Fri Jul 07, 2023 8:41 pm

> Hi @asdgmae2, the solution would depend on how your network architecture is (other routers, switches, etc).
>
> Generally speaking, it could be tackled by enabling dhcp-snooping, trusted ports and denying arp-learning on switch ports that are untrusted.
>
> Additionally, in your case, in RouterOS set the `arp=reply-only` at vlan level setting, and `add-arp=yes` at dhcp-server level.
>
> I'm assuming you have enabled DHCP server for address assignment.
>
> Again, network architecture diagram and `/export hide-sensitive` would be necessary to bring a more detailed solution path.

I'm not using DHCP; IP addresses are assigned manually, but I'm involved in server leasing, and the management of the leased servers belongs to the customers. Each server is allocated one IP address, so I'm running only one VLAN. How can I solve this using a different method?
 
asdgmae2
just joined
Topic Author
Posts: 5
Joined: Thu Jul 06, 2023 8:02 pm

Re: gateway spoof

Fri Jul 07, 2023 8:43 pm

> most effective place to prevent this issue is on access network (switches, access-points, OLT, DSLAM, CMTS etc)

I am using a MikroTik router followed by a Juniper switch. How can I solve this?
 
asdgmae2
just joined
Topic Author
Posts: 5
Joined: Thu Jul 06, 2023 8:02 pm

Re: gateway spoof

Fri Jul 07, 2023 8:44 pm

> @asdgmae2,
>
> > There is a malicious user who sets up a virtual router on their own server and assigns the gateway address to themselves, redirecting all traffic to their server.
>
> if your network is office network,
> then you should lock down all the workers station from any system modification.
>
> if your network is a service provider environment,
> then you should start to think about changing your subscribers access method.
>
> hope this helps.

I am involved in server leasing, where each server is allocated one IP address. I prevent IP spoofing by using the "Make Static" method, but the IP addresses are not listed in the gateway's ARP table.
 
wiseroute
Member
Posts: 352
Joined: Sun Feb 05, 2023 11:06 am

Re: gateway spoof

Sat Jul 08, 2023 4:00 am

> I'm not using DHCP; IP addresses are assigned manually, but I'm involved in server leasing, and the management of the leased servers belongs to the customers. Each server is allocated one IP address, so I'm running only one VLAN. How can I solve this using a different method?

1. are you in some kind of rack rental environment? datacenter?

2. if yes, then it (customer gateway spoofing) hardly/has little effect to draw traffic or getting more bandwidth because the amount of interface bandwidth available is obvious.

3. you can try to use separate vlan for the customers, so they don't talk to each other.

4. you can try to implement switch port mac security. limit by 1 macaddr per port.

5. or you can try to use separate pppoe profile and separate pppoe server for each customer.

hope this helps
 
chechito
Forum Guru
Posts: 3007
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: gateway spoof

Sat Jul 08, 2023 7:35 am

> > most effective place to prevent this issue is on access network (switches, access-points, OLT, DSLAM, CMTS etc)
>
> I am using a MikroTik router followed by a Juniper switch. How can I solve this?

find out what security features that switch provides, then you can choose which strategy to properly isolate customers between them just to start, you must see that infrastructure as an untrusted zone
 
LdB
Member Candidate
Posts: 145
Joined: Thu May 20, 2021 4:23 pm

Re: gateway spoof

Wed Jul 12, 2023 6:26 pm

Get the MAC address of the machine pretending to be the gateway
a simple "arp -a" on the command terminal on windows will show it

example

```
arp -a

Interface: 192.168.1.35 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           24-5a-4c-d5-87-d6     dynamic
  192.168.1.106         b0-e4-d5-ab-7f-87     dynamic
  192.168.1.167         c8-9e-43-c5-6e-3d     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
```


Block or filter the MAC address on all the other machines, routers and switches

Wait for the idiot to complain he can't access anything
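
Added example, not part of LdB's post: a Python check that automates the `arp -a` lookup described above by comparing the cached gateway MAC against a known-good value and listing other IPs that share the observed MAC. The sample table is constructed, and the known-good MAC (assumed here to be the one shown for 192.168.1.1 in the post) would in practice be read from the router's own interface.

```python
import re

# One data row of Windows `arp -a` output: IP, dash-separated MAC, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"((?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2})\s+(dynamic|static)\s*$"
)
BROADCAST = "ff-ff-ff-ff-ff-ff"

def parse_arp_table(text):
    """Return [(ip, mac, type)] from `arp -a` text; MACs are lower-cased."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((m.group(1), m.group(2).lower(), m.group(3)))
    return rows

def check_gateway(text, gateway_ip, expected_mac):
    """Compare the cached gateway MAC with the known-good one.

    same_mac_ips lists other IPs resolving to the observed MAC: the likely
    real address of whichever host is answering ARP for the gateway.
    """
    rows = parse_arp_table(text)
    expected = expected_mac.lower().replace(":", "-")
    observed = next((mac for ip, mac, _ in rows if ip == gateway_ip), None)
    if observed is None:  # gateway not in the cache: nothing to compare
        return {"observed": None, "spoofed": False, "same_mac_ips": []}
    others = [ip for ip, mac, _ in rows
              if mac == observed and ip != gateway_ip and mac != BROADCAST]
    return {"observed": observed,
            "spoofed": observed != expected,
            "same_mac_ips": others}

# Constructed sample: the gateway entry carries the MAC of host .106.
SAMPLE = """\
Interface: 192.168.1.35 --- 0xc
  Internet Address      Physical Address      Type
  192.168.1.1           b0-e4-d5-ab-7f-87     dynamic
  192.168.1.106         b0-e4-d5-ab-7f-87     dynamic
  192.168.1.167         c8-9e-43-c5-6e-3d     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

if __name__ == "__main__":
    # Assumption: 24:5a:4c:d5:87:d6 is the router's real MAC.
    print(check_gateway(SAMPLE, "192.168.1.1", "24:5a:4c:d5:87:d6"))
```

Run from a monitoring host in the same VLAN, a `spoofed` result with a non-empty `same_mac_ips` points at the server whose switch port should be investigated.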
 
asdgmae2
just joined
Topic Author
Posts: 5
Joined: Thu Jul 06, 2023 8:02 pm

Re: gateway spoof

Mon Mar 18, 2024 5:00 pm

> Get the MAC address of the machine pretending to be the gateway
> a simple "arp -a" on the command terminal on windows will show it
>
> example
>
> ```
> arp -a
>
> Interface: 192.168.1.35 --- 0xc
>   Internet Address      Physical Address      Type
>   192.168.1.1           24-5a-4c-d5-87-d6     dynamic
>   192.168.1.106         b0-e4-d5-ab-7f-87     dynamic
>   192.168.1.167         c8-9e-43-c5-6e-3d     dynamic
>   192.168.1.255         ff-ff-ff-ff-ff-ff     static
> ```
>
> Block or filter the MAC address on all the other machines, routers and switches
>
> Wait for the idiot to complain he can't access anything

Hello,

This is a solution, but the real solution would be to prevent him from doing this.
Because when you do this, dozens of customers lose access.
 
arifworldnet2
just joined
Posts: 6
Joined: Sat Oct 10, 2020 9:06 pm

Re: gateway spoof

Mon Mar 18, 2024 6:37 pm

Try using DHCP snooping and dynamic ARP inspection on your switches. Also, consider port security to limit MAC addresses per port.
 
anav
Forum Guru
Posts: 19450
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: gateway spoof

Mon Mar 18, 2024 7:44 pm

Proper config of the router.
It would appear the hacker is not getting into your router but manipulating the traffic reaching his router.
The fact that other traffic can reach his device is indicative of a leaky setup.

Post your config

/export file=anynameyouwish ( minus public IP address info, any keys, router serial number, any long dhcp lists etc.......)
