
Attack?

Posted: Fri Jul 06, 2012 2:36 am
by CyB3RMX
Hi there,

First off, I know there are a few workarounds to this problem, like adding security on the network, but I want to know if this is any kind of attack.

I have a 21m tower on the highway. It has 2 R52 radios on a 532A RouterBOARD, works great but lately, it has hotspot and a PPPoE server running, hotspot so people nearby can connect (there's a gas station 100m away). I have on each R52 a 90 degree sector antenna at 2.4GHz. The problem is that lately I have like 200 clients connected, at least 200 MAC addresses, because none of them tries to get an IP from the hotspot, it's just connected, but the sectors are set to a 4km radius. The problem here is that the clients connected with a CPE use a router and PPPoE, but when there's a lot of MACs registered the bandwidth slows down like crazy. If I do a speedtest I get 200k at most! If I put all unknown MACs in the access list and remove them from auth and forward, I get my bandwidth again.

To show you how serious this is: all these MACs were copied to my ACL this week. The thing is that the tower is on a 4 lane highway and there's NOTHING but the trees and a couple of houses at the beach (2 -> 4km). Any idea if this could be an attack? I'm almost sure it is, but how?

This is my access list of all the "intruders" connected to this AP:

http://pastebin.com/3F0QKtf1

Re: Attack?

Posted: Fri Jul 06, 2012 2:42 am
by CyB3RMX
Or any way I can make a wildcard? I have only Ubnt and Mikrotik CPE, so the MAC addresses all start with 00:15:6D -> 00:0c:42 -> 00:27:22 ... so the others aren't mine.

I know you may be thinking, why don't you put WPA2 or something; that's because I have this AP almost 80 mi from here and it's a lot of work to go around to all the customers to make this change. First I want to try whether there's any way to do it from here.

Thanks in advance.

Re: Attack?

Posted: Fri Jul 06, 2012 5:12 pm
by 0ldman
You could use the access list to drop anyone with weak signal, but that would likely be a ton of work compared to just enabling encryption.

Best bet is to encrypt it. There is a reason that would be the first bit of advice.

An easy way to reconfigure the encryption remotely is to set up a virtual AP as a slave to the main, bridge it to the main, same SSID with encryption enabled. Go into each client, configure encryption and then they should connect to the VAP. Once everyone has been migrated, change the encryption on the main AP and remove the VAP.
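
The triage discussed in the posts above (own CPE by OUI prefix versus everything else, plus a weak-signal cut-off), as an added example that is not from any poster in this thread. The three OUI prefixes are the ones CyB3RMX lists; the sample rows, the -85 dBm threshold and all function names are assumptions.

```python
import re
from collections import Counter

# OUI prefixes the thread gives for the operator's own Ubnt/MikroTik CPE.
KNOWN_CPE_OUIS = {"00:15:6D", "00:0C:42", "00:27:22"}
WEAK_SIGNAL_DBM = -85  # assumed cut-off; the thread reports strangers at -85 to -94
MAC_RE = re.compile(r"(?:[0-9A-F]{2}:){5}[0-9A-F]{2}")


def oui(mac):
    """Return the first three octets of a MAC, normalised to AA:BB:CC."""
    norm = mac.strip().replace("-", ":").upper()
    if not MAC_RE.fullmatch(norm):
        raise ValueError(f"not a MAC address: {mac!r}")
    return norm[:8]


def triage(rows):
    """Split (mac, signal_dbm) rows into own CPE, weak strangers, strong strangers."""
    result = {"cpe": [], "weak_unknown": [], "strong_unknown": []}
    for mac, signal in rows:
        if oui(mac) in KNOWN_CPE_OUIS:
            bucket = "cpe"
        elif signal <= WEAK_SIGNAL_DBM:
            bucket = "weak_unknown"
        else:
            bucket = "strong_unknown"
        result[bucket].append(mac.upper())
    return result


def unknown_oui_counts(rows):
    """Count non-CPE stations per OUI, to show whether one prefix dominates."""
    prefixes = (oui(mac) for mac, _ in rows)
    return Counter(p for p in prefixes if p not in KNOWN_CPE_OUIS)


# Constructed sample rows (MAC, signal in dBm); not taken from the thread's pastebin.
SAMPLE = [
    ("00:15:6d:aa:bb:01", -62), ("00:0C:42:10:20:30", -70),
    ("00:27:22:01:02:03", -68), ("00:00:00:12:34:56", -91),
    ("00:00:00:ab:cd:ef", -88), ("02:aa:00:11:22:33", -93),
    ("02:bb:00:44:55:66", -60),
]

if __name__ == "__main__":
    for bucket, macs in triage(SAMPLE).items():
        print(f"{bucket}: {len(macs)} {macs}")
    print(unknown_oui_counts(SAMPLE).most_common())
```

MAC addresses are set by the client, so the OUI match only sorts the registration table for review; the explicit allow-list and encryption suggested in this thread are what actually keep unknown stations from associating.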

Re: Attack?

Posted: Fri Jul 06, 2012 8:30 pm
by CyB3RMX
> You could use the access list to drop anyone with weak signal, but that would likely be a ton of work compared to just enabling encryption.
>
> Best bet is to encrypt it. There is a reason that would be the first bit of advice.
>
> An easy way to reconfigure the encryption remotely is to set up a virtual AP as a slave to the main, bridge it to the main, same SSID with encryption enabled. Go into each client, configure encryption and then they should connect to the VAP. Once everyone has been migrated, change the encryption on the main AP and remove the VAP.

Thanks, I'm going to do that, but the thing is: is this an attack of some kind? Because I don't get how there can be over 200 MACs registered in an area which is alone, only forest, the highway and 2 km inside the beach, and I can see connected devices like "samsung mobile, nokia, intel, etc.", all with -85 to -94. How can there be 200 devices connected? That's my "trauma", hehe!

Thanks!

Re: Attack?

Posted: Sat Jul 07, 2012 6:05 pm
by 0ldman
Sounds like everyone driving by that has a cell phone or a laptop hits it.

Re: Attack?

Posted: Sat Jul 14, 2012 8:21 pm
by CyB3RMX
> Sounds like everyone driving by that has a cell phone or a laptop hits it.

I'm not really sure about that, because all the clients are registered and stay, as if there's a crowd near the AP. Anyway, I'm migrating this cell to 5GHz with NV2, so this problem will soon be solved.

thanks

Re: Attack?

Posted: Fri Aug 10, 2012 6:32 pm
by CyB3RMX
I'm pretty sure now this is an attack. Yesterday I found these MACs in my reg table and please, this MAC 00:00:00 belongs to 80's Xerox devices.

Re: Attack?

Posted: Fri Aug 10, 2012 7:39 pm
by CyB3RMX
Today I got another 80's Xerox connecting to my AP?!

Re: Attack?

Posted: Tue Aug 14, 2012 6:01 pm
by CyB3RMX
I just can't believe no one can answer anything, I found this weird... anyway, thanks again.

:?

Re: Attack?

Posted: Tue Aug 14, 2012 10:31 pm
by djdrastic
Sounds perhaps like a CAM table attack? I don't know if it's possible on the Mikrotik, but on the Cisco switches I've used we used to enable Port Security to limit the number of MACs that can associate to a single port.

Re: Attack?

Posted: Tue Aug 14, 2012 11:12 pm
by 0ldman
I am very interested, however I don't have much advice aside from encryption and disabling default authenticate. All of the CPE would have to be expressly allowed in the access list.

Re: Attack?

Posted: Wed Aug 15, 2012 6:40 pm
by CyB3RMX
This was one of my first pieces of equipment. It's running 802.11b 200mW PRISM cards, but given the number of clients in that area I didn't pay it much attention. Now that area is growing, so in the same POP there is a 5GHz sector with NV2 + Nstreme, encrypted and with the SSID hidden. So I'm migrating all my clients to this sector.

The idea of this whole post is to know what kind of attack it is. Have you ever seen it? That's what I don't understand: the clients connect, but they don't connect all at once; 1 MAC appears every 20 mins approx., all of them with low signal. But the number keeps growing, and by the time you see it the AP can't handle so many connections and starts dropping the real clients (this is faster because it is 802.11b). I repeat, I know it's really old infrastructure, but the point is the whole scenario. I am kind of worried because if this is a kind of attack, it's possible to do it to a hotel hotspot, for example, that uses the same scheme: open WiFi with a hotspot controller.

Regards

Re: Attack?

Posted: Fri Nov 16, 2012 6:12 pm
by CyB3RMX
> Sounds perhaps like a CAM table attack? I don't know if it's possible on the Mikrotik, but on the Cisco switches I've used we used to enable Port Security to limit the number of MACs that can associate to a single port.

On wireless?

Re: Attack?

Posted: Fri Nov 16, 2012 8:50 pm
by log

Re: Attack?

Posted: Sat Nov 17, 2012 9:37 pm
by sabbirahasan
Create an access list, put your customers in the access list, and disable default authenticate and default forward.

Re: Attack?

Posted: Fri Mar 15, 2013 6:39 pm
by CyB3RMX
This is what I was looking for... thanks. I'm pretty sure that was it.

The problem stopped. I migrated everything to an 802.11n based system + NV2 on 5GHz, so it's more secure than the last one.

Re: Attack?

Posted: Sat Mar 16, 2013 4:58 am
by PCNetworks
Encryption is the solution really...
I had a situation kind of like this where I notified all of my clients in an area which was going to be affected by the changes I had to make.

What I elected to do however was to upgrade from WEP to WPA2.
So what I did after notifying clients was to log into each client device remotely under your present configuration, reconfigure the encryption type and key within the CPE and save the settings.
Once completed with the setting mods to all clients in the area, I just switched to the new encryption at the AP. Voilà, it was done and assholes couldn't crack into the connection wirelessly.

I hope this is of some help to you