spoofing Hot Spot Mac Address

Hello All,

I have a problem where my hot spot users scan the network and get the
mac address of my access points and put it on their own PCs causing the
whole network to go down. I have done some reading but there seems to
be no explicit resolution of this problem. Any Idea's?

There's no real way to prevent this. This, however, should be seen as a
malicious attack. I'd take the following action:

1) Find out what MAC was online immediately prior to going offline. (If
you're not doing RADIUS authentication, you should)

2) Block that MAC.

3) Someone will call if they are having a problem.

Chris

"(E-Mail Removed)" <(E-Mail Removed)> hath wroth:

>I have a problem where my hot spot users scan the network and get the
>mac address of my access points and put it on their own PCs causing the
>whole network to go down. I have done some reading but there seems to
>be no explicit resolution of this problem. Any Idea's?

Nope. Someone is probably trying to do a "man in the middle" attack
and is doing it rather badly. They're trying to poison the ARP cache
in the router, without affecting the routers normal operation. By
also spoofing the MAC address of the router, they've goofed badly. It
can also be a badly written ARP flood tool designed to crack WEP
systems. Even if you're not running WEP, some clueless idiot might be
running the tool.

If you sniff the traffic, you'll probably see a flood of ARP
broadcasts and/or replies. Grab the source MAC address as that's your
culprit. It might also be spoofed, but this attack sounds like the
perpetrator is clueless. You might be able to identify the maker of
the wireless device from the MAC address. See:
http://www.coffer.com/mac_find/

To do a successful "man in the middle" attack, the perpetrator would
also need to be in range of both your access point and their intended
victims, which means they're probably very close to the hot spot. If
your unspecified model access points have any monitoring
capeabilities, you should check the signal strength of the source MAC
address to get a rough idea of their location.

Meanwhile, you should setup "AP isolation" or "client isolation" (same
thing) in your unspecified model hot spot access points. It will
prevent clients from seeing each other via your access points. It
will not prevent such attacks, but will ruin a large series of other
possible attacks.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

The main issue is that someone is trying to stop my hot spot network by
simply causing a mac address conflict with the access point. from what
I gather from the above replies, this is unavoidable but can be cured
by blocking the mac address of the attacker each time he tries to do
that.
I have a different plan in mind to avoid such attacks and I would like
your opinions on it. I intend on reserving a /30 subnet for each
client, that way the client cannot get to the access points mac or IP
address. would that work?

"(E-Mail Removed)" <(E-Mail Removed)> hath wroth:

>The main issue is that someone is trying to stop my hot spot network by
>simply causing a mac address conflict with the access point. from what
>I gather from the above replies, this is unavoidable but can be cured
>by blocking the mac address of the attacker each time he tries to do
>that.

That's correct. With a duplicate MAC address, the client has no way
to distinguish between the real access point and a fake access point.

>I have a different plan in mind to avoid such attacks and I would like
>your opinions on it. I intend on reserving a /30 subnet for each
>client, that way the client cannot get to the access points mac or IP
>address. would that work?

I don't see how that would help. Having a mess of IP addresses all
piled onto the one MAC address for the access point isn't going to do
anything. This problem needs to be solved on the MAC level.

You have not described any of your existing hardware or topology, so I
can't offer any specific advice. I'm very suspicious of your theory
that someone is maliciously attacking your system. I've heard such
DoS stories before and invariably find that there is some obscure
misconfiguration or setup issue causing the problem. One of my hot
spot customers had someone explain how they could "take over" a hot
spot with various hacker tools. From that point on, every problem
they had with the wireless was presumed to be a hacker attack. When
someone accidentally unplugged and ethernet cable, the failure was
initially presumed to be a hacker attack.

I also have a guess as to what's happening. Do you have two wireless
routers in series as in double NAT? If so, did you "clone" the MAC
address of one router with the other?

If you want any further help, please disclose exactly how you
determined that you're being attacked and some clues as to your
hardware and setup.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

It is a DLINK access point with a Mikrotik hot spot server. The idea is
very simple. just change your PCs MAC address to that of the access
point's and the network is dead. I have tried it my self. It is not
someone trying to hack into the network or do a MIM attack. It is just
someone to stop the network. is there any way around this?

It is a DLINK access point with a Mikrotik hot spot server. The idea is
very simple. just change your PCs MAC address to that of the access
point's and the network is dead. I have tried it my self. It is not
someone trying to hack into the network or do a MIM attack. It is just
someone to stop the network. is there any way around this?

It is a DLINK access point with a Mikrotik hot spot server. The idea is
very simple. just change your PCs MAC address to that of the access
point's and the network is dead. I have tried it my self. It is not
someone trying to hack into the network or do a MIM attack. It is just
someone to stop the network. is there any way around this?

"(E-Mail Removed)" <(E-Mail Removed)> hath wroth:

>It is a DLINK access point with a Mikrotik hot spot server. The idea is
>very simple. just change your PCs MAC address to that of the access
>point's and the network is dead. I have tried it my self. It is not
>someone trying to hack into the network or do a MIM attack. It is just
>someone to stop the network. is there any way around this?

No way to stop it that I know about. The MAC addresses are exposed to
the world and are not encrypted. Therefore, encryption and IP layer
tinkering will do nothing. You could possibly change your unspecified
model DLink access point MAC address, or just try a different access
point, but that's not a permanent fix.

Again, I suggest you verify that you are really being attacked and
that you are not dealing with a configuration problem. Setup a
wireless sniffer that will sniff clients (Kismet) as well as AP's.
Make sure you can see the attackers packets. Then, just power off
your access point. If the attackers packets, (SSID broadcasts,
retransmissions, etc) with your source MAC address, are still there,
you are being attacked. If not, your hot spot is broken or
misconfigured.

There's also the option of finding the culprit. Reduce your access
point signal stength (antenna attenuator) to force the attacker to
raise theirs. Then, go transmitter hunting with a directional dish
antenna.

Your unwillingness to provide system specifics and persue
configuration issues, makes me very suspicious. Are you sure it is
you that is being attacked, or are you planning to attack a hot spot?

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

LOL, not at all. I am not an attacker. I'm just to too involved with
the configuration. a friend of mine has the network and is facing that
problem. I just did the test with him. I will try to get the details
from him. you think getting another access point might solve the issue?

On Dec 14, 7:53 pm, Jeff Liebermann <j...@comix.santa-cruz.ca.us>
wrote:
> "mustafa.bad...@gmail.com" <mustafa.bad...@gmail.com> hath wroth:
>
> >It is a DLINK access point with a Mikrotik hot spot server. The idea is
> >very simple. just change your PCs MAC address to that of the access
> >point's and the network is dead. I have tried it my self. It is not
> >someone trying to hack into the network or do a MIM attack. It is just
> >someone to stop the network. is there any way around this?No way to stop it that I know about. The MAC addresses are exposed to
> the world and are not encrypted. Therefore, encryption and IP layer
> tinkering will do nothing. You could possibly change your unspecified
> model DLink access point MAC address, or just try a different access
> point, but that's not a permanent fix.
>
> Again, I suggest you verify that you are really being attacked and
> that you are not dealing with a configuration problem. Setup a
> wireless sniffer that will sniff clients (Kismet) as well as AP's.
> Make sure you can see the attackers packets. Then, just power off
> your access point. If the attackers packets, (SSID broadcasts,
> retransmissions, etc) with your source MAC address, are still there,
> you are being attacked. If not, your hot spot is broken or
> misconfigured.
>
> There's also the option of finding the culprit. Reduce your access
> point signal stength (antenna attenuator) to force the attacker to
> raise theirs. Then, go transmitter hunting with a directional dish
> antenna.
>
> Your unwillingness to provide system specifics and persue
> configuration issues, makes me very suspicious. Are you sure it is
> you that is being attacked, or are you planning to attack a hot spot?
>
> --
> Jeff Liebermann j...@comix.santa-cruz.ca.us
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558