MAC spoofing

Dave Rudisill
      12-01-2005, 03:20 PM
MAC filtering is dismissed as a security measure because MAC addresses
can be spoofed.

If there are two devices sharing a MAC address, won't they get the same
IP address from the DHCP server? In my experience, when there are two
devices with the same IP address on a network, neither of them work.

--
Dave Rudisill
 
Derek Broughton
      12-01-2005, 06:01 PM
Dave Rudisill wrote:

> MAC filtering is dismissed as a security measure because MAC addresses
> can be spoofed.
>
> If there are two devices sharing a MAC address, won't they get the same
> IP address from the DHCP server? In my experience, when there are two
> devices with the same IP address on a network, neither of them work.
>

Absolutely true. So if you rely on MAC filtering for security, it's either
having no effect at all (anybody spoofing your MAC is using it while you
aren't) or it's preventing you, too, from accessing your network. Not a
very useful situation :-)
--
derek
 
Dave Rudisill
      12-01-2005, 07:52 PM
>Derek Broughton wrote:

>Dave Rudisill wrote:
>
>> MAC filtering is dismissed as a security measure because MAC addresses
>> can be spoofed.
>>
>> If there are two devices sharing a MAC address, won't they get the same
>> IP address from the DHCP server? In my experience, when there are two
>> devices with the same IP address on a network, neither of them work.
>>

>Absolutely true. So if you rely on MAC filtering for security, it's either
>having no effect at all (anybody spoofing your MAC is using it while you
>aren't) or it's preventing you, too, from accessing your network. Not a
>very useful situation :-)


My query was really directed to why it ISN'T a useful security tool, as
long as your WiFi network is turned off when you aren't using it. If you
rely on MAC filtering, you would immediately know when someone spoofs
your address, since you lose connectivity, and the intruder doesn't get
any connectivity either, no?

--
DD
 
Rob
      12-01-2005, 08:22 PM
Dave Rudisill wrote:
Snip
>
> My query was really directed to why it ISN'T a useful security tool, as
> long as your WiFi network is turned off when you aren't using it. If you
> rely on MAC filtering, you would immediately know when someone spoofs
> your address, since you lose connectivity, and the intruder doesn't get
> any connectivity either, no?
>


Networks tend to have more than one computer connected and tend not to
be switched off when a single computer is. A hacker could wait until a
computer is no longer apparent on his "sniffer" (he will have logged all
MAC addresses for that network), spoof that MAC address and access the
network. If he just wanted to be bolshy he could operate at the same time
as the normal user and deny the service; that could be inconvenient for
some users.
 
David WE Roberts
      12-01-2005, 09:43 PM
On Thu, 01 Dec 2005 08:20:48 -0800, Dave Rudisill wrote:

> MAC filtering is dismissed as a security measure because MAC addresses
> can be spoofed.
>
> If there are two devices sharing a MAC address, won't they get the same
> IP address from the DHCP server? In my experience, when there are two
> devices with the same IP address on a network, neither of them work.


MAC filtering can be a useful tool - it prevents non-spoofers accessing
your network, and raises the general level of security.

However because there are attacks which can get round this security
measure (MAC spoofing) it is unwise to rely on this as your only defence.

Likewise WEP can be broken by a determined attacker with the right
software and enough data to analyse. This does not mean that you should
not use it; just that you should be aware that it is not foolproof.

For a home network 128 bit WEP combined with MAC filtering should keep
most attackers off your network, especially if your traffic levels are
reasonably low.

Unless you are a particularly attractive target (but why?) you are
probably safe in the main.

Virtually all security measures can be nullified if the attacker is
determined enough and has sufficient resources.
You have to measure the likely threat against the level (and cost) of the
security measures.

Given the number of wireless networks around with no security at all, why
would someone pick on you especially?

Cheers

Dave R
 
David Taylor
      12-02-2005, 10:31 AM
> For a home network 128 bit WEP combined with MAC filtering should keep
> most attackers off your network, especially if your traffic levels are
> reasonably low.


Yes, it will keep the accidental connectors off, but forget about the
traffic levels being low. A deauth attack followed by a sniff and ARP
replay injection soon sorts that lack of traffic.

> Unless you are a particularly attractive target (but why?) you are
> probably safe in the main.


A target can be as simple as the fact that it's WEP, next door to a
bored teenager.

> Given the number of wireless networks around with no security at all, why
> would someone pick on you especially?


Precisely, other than my comment above.

David.
 
Derek Broughton
      12-02-2005, 12:54 PM
Rob wrote:

> Dave Rudisill wrote:
> Snip
>>
>> My query was really directed to why it ISN'T a useful security tool, as
>> long as your WiFi network is turned off when you aren't using it. If you
>> rely on MAC filtering, you would immediately know when someone spoofs
>> your address, since you lose connectivity, and the intruder doesn't get
>> any connectivity either, no?
>>

>
> Networks tend to have more than one computer connected and tend not to
> be switched off when a single computer is.


What he said. I expect most wireless networks are on 24/7. Half of mine is
(the base router down the road is always on, the WDS router in my home
isn't).

MAC filtering is a useful _tool_, just not a lot of use for security. If
your wireless network gets switched off when not in use, _that's_ a better
security system than most people have. You can't hack a system that's not
turned on!
--
derek
 
Eric
      12-06-2005, 06:54 PM
"Dave Rudisill" wrote in message ...
> MAC filtering is dismissed as a security measure because MAC addresses
> can be spoofed.


It seems silly to dismiss using MAC filtering entirely simply because it can
be spoofed. It's another layer, why not use it?

> If there are two devices sharing a MAC address, won't they get the same
> IP address from the DHCP server? In my experience, when there are two
> devices with the same IP address on a network, neither of them work.


I've experimented with spoofing MACs, just to see the behavior of my DLink
stuff. The DHCP servers wouldn't even assign an IP to a connecting device
with the same MAC of a device already connected. Behavior probably varies
from manufacturer to manufacturer. Play and see what your stuff does.

In the typical home environment, I think some people are way too paranoid
that someone is "hiding in their bushes, waiting for the moment for a MAC/IP
to become available."
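An added example, not part of any post in this thread: since two devices sharing a MAC end up on the same DHCP lease, the DHCP server log is one place a defender can spot the overlap. The sketch below flags a MAC that presents different client hostnames within a short window; the log layout (ISC dhcpd-style DHCPACK lines with ISO timestamps), the sample lines, and the name `find_shared_macs` are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in an assumed dhcpd-style format (not real logs).
SAMPLE_LOG = """\
2005-12-01T08:00:02 dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55 (daves-laptop) via eth0
2005-12-01T08:05:40 dhcpd: DHCPACK on 192.168.1.11 to 00:aa:bb:cc:dd:ee (printer) via eth0
2005-12-01T12:00:03 dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55 (daves-laptop) via eth0
2005-12-01T12:01:17 dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55 (unknown-box) via eth0
2005-12-01T12:01:50 dhcpd: DHCPACK on 192.168.1.10 to 00:11:22:33:44:55 (daves-laptop) via eth0
"""

ACK_RE = re.compile(
    r"^(?P<ts>\S+) dhcpd: DHCPACK on (?P<ip>[\d.]+) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: \((?P<host>[^)]*)\))? via \S+$",
    re.IGNORECASE,
)

def find_shared_macs(log_text, window=timedelta(minutes=10)):
    """Return one alert each time a MAC changes hostname within `window`."""
    last_seen = {}  # mac -> (timestamp, hostname) of the previous DHCPACK
    alerts = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line.strip())
        if not m or not m["host"]:
            continue  # not a DHCPACK line, or the client sent no hostname
        ts = datetime.fromisoformat(m["ts"])
        mac, host = m["mac"].lower(), m["host"].lower()
        prev = last_seen.get(mac)
        # Same MAC, different hostname, close together in time: two devices
        # are probably taking turns renewing the same lease.
        if prev and prev[1] != host and ts - prev[0] <= window:
            alerts.append({
                "mac": mac,
                "ip": m["ip"],
                "time": m["ts"],
                "hostnames": sorted({prev[1], host}),
            })
        last_seen[mac] = (ts, host)
    return alerts

if __name__ == "__main__":
    for alert in find_shared_macs(SAMPLE_LOG):
        print(alert)
```

The hostname is supplied by the client, so this is a heuristic that catches careless reuse of a MAC rather than proof that no sharing is happening.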



 
John Navas
      12-07-2005, 05:01 AM
[POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]

On Tue, 06 Dec 2005 19:54:14 GMT, "Eric" wrote:

>"Dave Rudisill" wrote in message ...
>> MAC filtering is dismissed as a security measure because MAC addresses
>> can be spoofed.

>
>It seems silly to dismiss using MAC filtering entirely simply because it can
>be spoofed. It's another layer, why not use it?


Because (a) it's trivial to spoof and (b) it gives a false sense of security.

--
Best regards, SEE THE FAQ FOR ALT.INTERNET.WIRELESS AT
John Navas <http://en.wikibooks.org/wiki/FAQ_for_alt.internet.wireless>
 
Eric
      12-07-2005, 04:16 PM
"John Navas" wrote in message ...
> [POSTED TO alt.internet.wireless - REPLY ON USENET PLEASE]
>
> "Eric" wrote:
>
> >"Dave Rudisill" wrote in message ...
> >> MAC filtering is dismissed as a security measure because MAC addresses
> >> can be spoofed.

> >
> >It seems silly to dismiss using MAC filtering entirely simply because it can
> >be spoofed. It's another layer, why not use it?
>
> Because (a) it's trivial to spoof and (b) it gives a false sense of security.

Perhaps, but it is still another (albeit, thin) layer of security, so why
not use it?

I lock my car's doors, even though if someone wants to break in they will
most likely just bust a window out.




 