My teen son and I are playing a hacking game. I've installed an WiFi router with parental controls, MAC filtering, VPN, etc. I block Internet for him, he tries to break out of the cage (for now I'm only blocking in a way that I myself know how to break).
Eventually it was time to use MAC filtering. After some days he figured out how to do MAC spoofing. The thing is, my router has a "device information" page for each connected device, and it somehow knows that this happened. It shows the attacker device under same entry, and all known MAC addresses from that attacker. Here's the output (addresses are examples only):
Name: Attacker's Computer
Manufacturer:
Model:
OS: Windows
IP Address (Wireless)-1: 192.168.1.175
IPv6 Address (Wireless)-1: --
MAC Address: 00:11:22:33:44:55
IP Address (Offline)-2: --
IPv6 Address (Offline)-2: --
MAC Address: 11:22:33:44:55:66
IP Address (Offline)-3: --
IPv6 Address (Offline)-3: --
MAC Address: 22:33:44:55:66:77
The addresses 00:11:22:33:44:55 and 11:22:33:44:55:66 are spoofed. The manufacturer's address is 22:33:44:55:66:77.
How can my router know this? Which protocol feature is it using to detect that traffic comes from the same computer that was using the old MAC? If it helps, the router in question is a Linksys WRT1200AC.