-3

In my network, many people spoof MAC addresses. They get the MAC addresses of online users by scanning the network or the IP address range, and using Wireshark they easily get any MAC address. So how do I prevent users from scanning the IP address range, or how do I hide the IP and MAC addresses of my network's customers? I think preventing MAC spoofing is impossible on an open network, so I just want to prevent the bad guys from scanning the IP addresses and getting the MAC addresses of the online users.

Note: my network is an open network; no security key is needed to connect, and I don't want to change it to WPA2 or anything else. Users need to log in to the hotspot login page to access the Internet (but bad guys change their MAC to an already logged-in customer's MAC and get it for free).

Network details (brief): MikroTik router, Ubiquiti

DFrenzy
  • You can't prevent this without adding some security to the wireless network. – Michael Hampton Sep 18 '15 at 03:01
  • No, there should be some way to protect it. – DFrenzy Sep 18 '15 at 03:44
  • I agree with Michael, and I would add that if they do not have the WPA key they need an AirPcap adapter to be able to scan with Wireshark without authentication. Not something everyone has. – yagmoth555 Sep 18 '15 at 03:48
  • @DFrenzy in what sense are you using the word "should"? As a wish, or a statement of fact? – womble Sep 18 '15 at 03:49
  • Oh yes, another way exists: limit the signal strength and be sure your walls block the signal. After that, watch everyone... – yagmoth555 Sep 18 '15 at 03:50
  • If for some reason (?) you don't want to use any of the existing security solutions (basically encrypted communications), you could modify the OpenWrt source and hack the server to your needs, then install customized Wi-Fi clients... A lot of work ahead! (OpenWrt is rather easily customizable; clients may be harder.) – Déjà vu Sep 18 '15 at 03:57

1 Answer

It's impossible to prevent a MAC-spoofing attack on a completely open Wi-Fi network. However, it's relatively easy to detect the attack: both the attacker and the victim whose MAC address is being spoofed will have trouble using the network, as each computer will send TCP resets for connections the other has initiated. Thus the person whose MAC address was cloned begins having mysterious "trouble with the Internet" and either calls technical support, or gives up and tries again later. The latter is what the attacker wants, as it leaves him free to use the network once the other person is gone.

Again, you cannot prevent this attack on an open network, and while you can attempt to limit it by making legitimate users log in again every half hour or so, this is a great inconvenience to legitimate users, and not much inconvenience to the attacker, who can just wait for the legitimate user to log in again, or go clone someone else's MAC address. So this is not practical.

I have set up paid Wi-Fi networks, and I use a two-network design:

  • One SSID is an open network, which can only connect to a (secure) web server where users can create new accounts and make payments.
  • The other SSID is secured with WPA2-Enterprise and users log in to this network with their chosen username and password to access the Internet.

This requires a RADIUS server, which isn't too hard to set up, and the design completely prevents people from sniffing the network at all. The RADIUS server can also be configured to allow only one device at a time to use any given account credentials, which deters account sharing. On the WPA2-Enterprise network, everything is encrypted and the attacker cannot decrypt anything from other users, as he can with WPA2-Personal if he knows the shared passphrase. And on the open network, only one single HTTPS web site is accessible, which also can't be sniffed, and MAC spoofing is pointless on that network.

The only downside to this design is that it requires a one-time configuration in advance for older computers running Windows 7 or earlier operating systems, but this takes only a minute to do.

Michael Hampton
  • The only way to prevent MAC spoofing on a layer 2 network is to prevent each client from seeing the others. This is beyond the control and scope of ANY layer 3 device; this must happen at the edge of the network. Get access points that support client isolation, get managed switches that support port isolation. Is this a solution? Note that this does not prevent them from changing their MAC address at will; it just prevents them from scanning the network and finding out other people's MAC addresses in the hope of getting on with another client's MAC address. – DFrenzy Sep 18 '15 at 05:05
  • AP client isolation doesn't help you if the network is open, because everything can be sniffed right off the air in monitor mode by any attacker in radio range. – Michael Hampton Sep 18 '15 at 05:09
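Added example, not part of Michael Hampton's answer and not a feature of the MikroTik or Ubiquiti gear in the question: a small Python detector for the "TCP resets" symptom the answer describes, run over constructed sample segments. It assumes the hotspot gateway can see each station's TCP segments together with the frame's source MAC (a pcap from the LAN-side interface would do), and it relies on the RFC 793 behaviour that a host receiving a segment for a connection it has no socket for answers with a bare RST (no ACK flag), whereas an orderly close is a FIN and an application abort is RST+ACK. When two radios share one MAC, the shared MAC therefore starts bare-RSTing flows that the same MAC set up moments earlier. The MAC addresses, IP addresses, timestamps and the alert threshold are all made up for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as the hotspot gateway's LAN interface sees it."""
    ts: float              # capture time in seconds
    src_mac: str           # Ethernet source address of the frame
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: FrozenSet[str]  # any of "SYN", "ACK", "FIN", "RST", "PSH"
    from_station: bool     # True when the frame came in from the wireless side


FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def flow_key(seg: Segment) -> FlowKey:
    """Direction-independent 4-tuple, so both sides of a flow share a key."""
    a, b = (seg.src_ip, seg.src_port), (seg.dst_ip, seg.dst_port)
    return (a, b) if a <= b else (b, a)


class CloneDetector:
    """Flags a station MAC that keeps sending bare RSTs on flows it opened itself."""

    def __init__(self, window: float = 60.0, threshold: int = 3) -> None:
        self.window = window                    # seconds of RST history per MAC
        self.threshold = threshold              # bare RSTs within window -> alert
        self.owner: Dict[FlowKey, str] = {}     # flow -> MAC that sent the SYN
        self.established: Set[FlowKey] = set()  # flows the owning station ACKed
        self.orphan_rsts: Dict[str, Deque[float]] = defaultdict(deque)
        self.alerts: List[Tuple[str, float]] = []

    def feed(self, seg: Segment) -> Optional[str]:
        """Consume one segment; return the MAC if this segment flags it."""
        if not seg.from_station:
            return None  # only the stations' own behaviour is examined
        k, f = flow_key(seg), seg.flags
        if "SYN" in f and "ACK" not in f:
            self.owner[k] = seg.src_mac         # new connection from this MAC
            return None
        if "FIN" in f or ("RST" in f and "ACK" in f):
            self.established.discard(k)         # orderly close or normal abort
            self.owner.pop(k, None)
            return None
        if "RST" not in f:
            if k in self.owner and "ACK" in f:
                self.established.add(k)         # handshake ACK or later data
            return None
        # Bare RST (RFC 793 3.4) from the station on a flow the same MAC established.
        if k in self.established and self.owner.get(k) == seg.src_mac:
            self.established.discard(k)         # the flow is now dead for both radios
            self.owner.pop(k, None)
            q = self.orphan_rsts[seg.src_mac]
            q.append(seg.ts)
            while q and seg.ts - q[0] > self.window:
                q.popleft()
            if len(q) >= self.threshold:
                q.clear()                       # one alert per burst
                self.alerts.append((seg.src_mac, seg.ts))
                return seg.src_mac
        return None


def detect(segments: List[Segment], window: float = 60.0, threshold: int = 3) -> List[str]:
    """Run the detector over a segment list; return flagged MACs in alert order."""
    det = CloneDetector(window, threshold)
    for seg in sorted(segments, key=lambda s: s.ts):
        det.feed(seg)
    return [mac for mac, _ in det.alerts]


def sample_segments() -> List[Segment]:
    """Constructed traffic (not a capture): a victim, an unrelated station, and a clone."""
    F = frozenset
    victim, other, gw = "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "00:11:22:33:44:55"
    srv = "93.184.216.34"
    segs: List[Segment] = []
    for i, port in enumerate((50000, 50001, 50002)):   # victim opens three HTTPS flows
        t = 100.0 + i
        segs += [
            Segment(t, victim, "10.0.0.15", port, srv, 443, F({"SYN"}), True),
            Segment(t + 0.1, gw, srv, 443, "10.0.0.15", port, F({"SYN", "ACK"}), False),
            Segment(t + 0.2, victim, "10.0.0.15", port, srv, 443, F({"ACK"}), True),
            Segment(t + 0.3, victim, "10.0.0.15", port, srv, 443, F({"PSH", "ACK"}), True),
        ]
    # Unrelated station: one orderly close and one application abort (RST+ACK).
    for port, last in ((40000, F({"FIN", "ACK"})), (40001, F({"RST", "ACK"}))):
        t = 105.0 + (port - 40000)
        segs += [
            Segment(t, other, "10.0.0.16", port, srv, 443, F({"SYN"}), True),
            Segment(t + 0.2, other, "10.0.0.16", port, srv, 443, F({"ACK"}), True),
            Segment(t + 0.5, other, "10.0.0.16", port, srv, 443, last, True),
        ]
    # Clone of the victim's MAC: no socket for the server's replies, so it answers
    # each of the victim's flows with a bare RST within a few seconds.
    for i, port in enumerate((50000, 50001, 50002)):
        segs.append(Segment(120.0 + i, victim, "10.0.0.15", port, srv, 443, F({"RST"}), True))
    return segs


if __name__ == "__main__":
    print("flagged MACs:", detect(sample_segments()))  # ['aa:bb:cc:dd:ee:01']
```

Feeding real traffic means converting each packet from a capture on the gateway's LAN interface into a `Segment`; the detector then only tells you that a MAC is being shared, not which of the two radios is the attacker, which is exactly the answer's point that you detect rather than prevent. The threshold and window need tuning per site, since a single bare RST also occurs after a station reboots mid-connection. If monitor-mode captures are available, a backwards jump in the 802.11 sequence number for one MAC is an independent signal for the same condition.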