nicopretorius
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

/32 subnet mask to prevent arp spoofing

Mon Mar 09, 2009 8:37 am

I have managed to "solve" a problem that we experienced with a hacker that "stole" our clients' sessions with hacker tools such as Netcut. I combined various methods and also used tips from various posts in the forums to finally get to a configuration that works well for us so far except for one problem that I'll detail later in this post. Below the detail of what I have done:

1. Enabled AP isolation on all AP's
2. Allow only 1 mac-address per IP in the hotspot
3. Added firewall rules to prevent traffic between devices on the same interface (i.e. hotspot)
4. Changed ARP to reply-only on hotspot interface. However, importantly you need to change the default ARP setting for DHCP scope to dynamic (add dynamic ARP entry) otherwise clients experience problems.
5. Set the netmask to /32 on the DHCP scope. The hotspot interface address remains 10.5.50.1/24, but the netmask provided to DHCP clients is 255.255.255.255. The result is that hotspot clients are treated like Point to Point links and as such are no longer affected by arp poisoning.

The above has stopped the hacker problem and all clients work 100% except for my Nokia E71. The E71 is on the latest firmware release. If I try to access the Internet I get the error: "Gateway no reply". The moment I change my subnet mask to the default /24 the Nokia works 100%. The problem is therefore that the Nokia does not seem to "understand" the /32 netmask. Does anybody have any suggestions to resolve this problem?
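As an added illustration (not configuration posted in the thread), the five steps above expressed as RouterOS CLI commands. The interface name wlan1, the DHCP server name dhcp1 and the choice of `addresses-per-mac` as the setting behind "1 mac-address per IP" are the editor's assumptions; the subnet 10.5.50.0/24 and gateway 10.5.50.1 come from the post.

```routeros
# Added example: RouterOS commands for the five steps in the post above.
# Assumed names: wlan1 (hotspot interface), dhcp1 (DHCP server).
# Check each command against the RouterOS version you actually run.

# 1. AP isolation: the AP no longer bridges frames between wireless clients.
/interface wireless set wlan1 default-forwarding=no

# 2. One IP address per MAC on the hotspot server (assumed to be the
#    setting the post refers to as "1 mac-address per IP").
/ip hotspot set [find interface=wlan1] addresses-per-mac=1

# 3. Drop client-to-client traffic that would be forwarded back out the
#    same interface it came in on.
/ip firewall filter add chain=forward in-interface=wlan1 out-interface=wlan1 \
    action=drop comment="no client-to-client forwarding on hotspot"

# 4. Router answers ARP only for entries it already holds, so the DHCP
#    server must insert the lease's ARP entry itself (add-arp=yes);
#    without add-arp=yes clients cannot reach the gateway at all.
/interface wireless set wlan1 arp=reply-only
/ip dhcp-server set dhcp1 add-arp=yes

# 5. Hand out a /32 mask: the interface keeps 10.5.50.1/24, but each
#    client sees itself as a point-to-point host and sends every packet
#    to the gateway instead of resolving neighbours with ARP.
/ip dhcp-server network set [find address="10.5.50.0/24"] netmask=32 gateway=10.5.50.1
```

Step 4 is the one that breaks connectivity when applied alone: with `arp=reply-only` the router never learns a client's MAC from ARP, so every reachable client must already have an ARP entry, which is exactly what `add-arp=yes` provides for DHCP leases. Step 5 moves the trust decision from the clients' ARP caches to the router's lease-backed ARP table, which is why poisoning between clients stops working; the cost is that a DHCP client that rejects a /32 mask (the Nokia problem in the post) loses its gateway.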
 
nicopretorius
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: /32 subnet mask to prevent arp spoofing

Thu Mar 12, 2009 11:51 pm

Although the detail as per my previous post stopped Netcut, the hacker has found something else and somehow still manages to de-assign the IP address of active DHCP clients and in some cases hijack their sessions. He changes his IP address so often and so quickly that I'm almost certain he does this programmatically, i.e. he has a program that scrolls through a database of mac-address/ip-address combinations until he manages to hijack one of them.

In many cases the active client is logged out by the mac-address=1 setting, but this does not happen in all cases. What makes the "catching" process extremely difficult is the fact that this person always hides behind a valid customer's address.

The only indication at this stage that something is "wrong" is that the ip-address of a logged-in hotspot client is de-assigned while the client is still active in the list of hotspot clients.

Any ideas how to stop this hacker would be welcome.
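The one visible symptom described above, a session still listed as active whose IP address is no longer held by its DHCP lease, can be turned into a log alert. The following RouterOS script is an added example, not something posted in the thread; it assumes the hotspot and DHCP server share the same address space and is meant to be run from /system scheduler every minute or so.

```routeros
# Added example: flag hotspot sessions whose address is not backed by a
# DHCP lease for the same MAC. Everything here runs on the router; no
# names from the thread are needed beyond the default hotspot/DHCP tables.
:foreach s in=[/ip hotspot active find] do={
    :local addr [/ip hotspot active get $s address]
    :local mac  [/ip hotspot active get $s mac-address]
    :local user [/ip hotspot active get $s user]

    # Leases that bind this exact address to this exact MAC.
    :local leases [/ip dhcp-server lease find address=$addr mac-address=$mac]

    :if ([:len $leases] = 0) do={
        # Either the lease was released/expired while the session stayed
        # up, or a different MAC now holds the address: both are the
        # "de-assigned while still active" condition from the post.
        :log warning ("hotspot: active session for " . $user . " at " . $addr . \
            " (" . $mac . ") has no matching DHCP lease")
    }
}
```

Logging the user name as well as the address/MAC pair is what makes the record useful later: it ties each anomaly to the account under which it happened, which is the evidence the thread says is hard to collect because the attacker always sits behind a legitimate customer's address.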
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: /32 subnet mask to prevent arp spoofing

Fri Mar 13, 2009 12:35 am

use wpa2. on the non secure hotspot just post the WPA2 key for them to connect to your secure AP. ? maybe ...
 
nicopretorius
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: /32 subnet mask to prevent arp spoofing

Fri Mar 13, 2009 6:48 am

That is an option. However, unfortunately this person will also obtain this information if he logs in with a "valid username".

We have been successful in identifying and tracking one of these usernames and are currently using it to gather information for a criminal investigation that has been started. However, the real identity of this person is still unknown and if he purchases/uses another username that we have not identified as a suspect one we're back to square one.

It is unbelievable the lengths to which this person will go to steal internet access and he simply does not stop. Another idea I had was to enable users to create a clientless VPN connection (authentication with radius) via a webpage once logged in by the hotspot and then to somehow automatically log the user out if this connection drops. Thus far I have not been successful in identifying a suitable web component that one can utilize to create a PPTP or other VPN connection to the local hotspot gateway.
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: /32 subnet mask to prevent arp spoofing

Mon Mar 16, 2009 8:05 am

[...]

It is unbelievable the lengths to which this person will go to steal internet access and he simply does not stop. Another idea I had was to enable users to create a clientless VPN connection (authentication with radius) via a webpage once logged in by the hotspot and then to somehow automatically log the user out if this connection drops. Thus far I have not been successful in identifying a suitable web component that one can utilize to create a PPTP or other VPN connection to the local hotspot gateway.
Perhaps this can help you figure something out:
http://www.cs.sjsu.edu/faculty/stamp/st ... report.pdf
Last edited by rmichael on Mon Mar 16, 2009 8:03 pm, edited 1 time in total.
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia

Re: /32 subnet mask to prevent arp spoofing

Mon Mar 16, 2009 4:16 pm

The solution of applying WPA2 to the network would also not work in a location where the hotspot was running across a LAN network.
 
nicopretorius
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: /32 subnet mask to prevent arp spoofing

Tue Mar 17, 2009 9:41 pm

Thank you rmichael for a very valuable article. I also got hold of the following article which also has some valuable suggestions:
http://www.cs.pitt.edu/~jcb/slides/net2004.ppt

However, in order to implement these we would need the help of Mikrotik. I cannot see how this can be implemented otherwise.

Any response from Mikrotik on this?
 
normis
MikroTik Support
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: /32 subnet mask to prevent arp spoofing

Wed Mar 18, 2009 8:39 am

by the way, this is a very nice video about advanced wireless security:
http://www.tiktube.com/?video=199
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: /32 subnet mask to prevent arp spoofing

Sat Mar 21, 2009 8:50 pm

by the way, this is a very nice video about advanced wireless security:
http://www.tiktube.com/?video=199
Normis,
thank you for your response. This video however does not cover hotspot security issues. One major difference is that we don't have access to client computers the way the OLPC project does. Can mikrotik suggest a specific ROS feature (or configuration) that will stop MAC spoofing?

Michael
 
nicopretorius
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: /32 subnet mask to prevent arp spoofing

Sun Mar 22, 2009 12:55 am

I have been told that apparently Chilispot prevents "session-hijacking" by utilising a session-ID. I'm sure Mikrotik should be able to implement something similar?
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: /32 subnet mask to prevent arp spoofing

Tue May 05, 2009 9:41 am

I have been told that apparently Chilispot prevents "session-hijacking" by utilising a session-ID. I'm sure Mikrotik should be able to implement something similar?
fyi, I just came across zeroshell net services. It implements its own captive portal and session-ID connection tracking. It seems worth checking out.

http://www.zeroshell.net/eng/captiveportaldetails/

cheers.
 
falcon
just joined
Posts: 24
Joined: Wed Oct 14, 2009 7:41 am

Re: /32 subnet mask to prevent arp spoofing

Fri Oct 16, 2009 11:26 am

hi all
for your nokia e71
you can make a new DHCP just for you
and make the
address pool to: static only
and make a static ip for yourself
and there is another way
you can put any manual ip in your nokia e71
and set address pool to none in the
hotspot user profile that your account works in
i hope i helped
i need something from you and that is:
the rule that you used in firewall to stop mac spoofing
and how to make the arp of the dhcp
and there is something else you can do in dhcp to stop mac spoofing and netcut with what you made
in DHCP change the gateway to any ip of any other range like 1.1.1.1

cheers
 
normis
MikroTik Support
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: /32 subnet mask to prevent arp spoofing

Fri Oct 16, 2009 11:29 am

RouterOS already supports 'session hijacking' in v4

Management Frame protection:
http://wiki.mikrotik.com/wiki/Wireless_ ... S.2FCTS.29
 
falcon
just joined
Posts: 24
Joined: Wed Oct 14, 2009 7:41 am

Re: /32 subnet mask to prevent arp spoofing

Fri Oct 16, 2009 11:48 am

hi again
for your problem about:
user:
is logged in
and hotspot page asking him to log in
the reason is
maybe the user lost his connection without logging out
maybe he changed the ip or disabled and enabled his device
maybe he unplugged his cable and put it again
and the solution is:
make the:
keep alive timeout a short time like 2 minutes 00:02:00 as default if you changed it
and when he completes 2 minutes without a connection the hotspot will log him out and he can log in again
 
rmichael
Forum Veteran
Posts: 718
Joined: Sun Mar 08, 2009 11:00 pm

Re: /32 subnet mask to prevent arp spoofing

Sun Oct 18, 2009 9:07 pm

Management frame protection

Used for: Deauthentication attack prevention, MAC address cloning issue.
Thank You!
 
nicopretorius
Frequent Visitor
Topic Author
Posts: 77
Joined: Mon Nov 15, 2004 9:49 am

Re: /32 subnet mask to prevent arp spoofing

Sun Oct 18, 2009 11:20 pm

Hi Normis, how would you know whether the client device has support for Management Frame protection? Also this will not solve the problem for non wireless clients and any client that does not support the Management Frame Protection.

The only way we were able to prevent the hacker from stealing the sessions was by implementing a WPA2 solution. This is not ideal, simply because it is more difficult for end users to connect and use the service and many end users then simply stop using the service because they find it is too "difficult, cumbersome or complex".

The "session protection" therefore needs to be implemented in the Hotspot to prevent the "mac spoofing" or "session hijacking".
 
normis
MikroTik Support
Posts: 26822
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: /32 subnet mask to prevent arp spoofing

Mon Oct 19, 2009 11:44 am

this is only for RouterOS->RouterOS
