1

My teen son and I are playing a hacking game. I've installed an WiFi router with parental controls, MAC filtering, VPN, etc. I block Internet for him, he tries to break out of the cage (for now I'm only blocking in a way that I myself know how to break).

Eventually it was time to use MAC filtering. After some days he figured out how to do MAC spoofing. The thing is, my router has a "device information" page for each connected device, and it somehow knows that this happened. It shows the attacker device under same entry, and all known MAC addresses from that attacker. Here's the output (addresses are examples only):

Name:                           Attacker's Computer
Manufacturer:   
Model:  
OS:                             Windows

IP Address (Wireless)-1:        192.168.1.175
IPv6 Address (Wireless)-1:      --
MAC Address:                    00:11:22:33:44:55

IP Address (Offline)-2:         --
IPv6 Address (Offline)-2:       --
MAC Address:                    11:22:33:44:55:66

IP Address (Offline)-3:         --
IPv6 Address (Offline)-3:       --
MAC Address:                    22:33:44:55:66:77

The addresses 00:11:22:33:44:55 and 11:22:33:44:55:66 are spoofed. The manufacturer's address is 22:33:44:55:66:77.

How can my router know this? Which protocol feature is it using to detect that traffic comes from the same computer that was using the old MAC? If it helps, the router in question is a Linksys WRT1200AC.

Improve this question

2 Answers 2

Reset to default
3

He probably spoofed his MAC, but didn't change his IP using the new MAC, so they show together in your status screen.

You may need to install a proxy if you really want to limit access. If the proxy is the only machine that can get to the internet, then you force it to be used. The proxy can then have per-user authentication with whitelists, blacklists, and time-of-day limitations per-user.

Your other option is to blacklist ALL MAC addresses, then whitelist the ones you do want to have internet access.

Improve this answer
2
  • 1
    If he wasn't using a static IP and spoofed his MAC, ultimately his interface would need to be reset, thus requesting a new IP from the DHCP.
    – Hydranix
    Commented Jan 28, 2016 at 6:55
  • Resetting interface to change it's mac address ? What a revolutionary news !
    – drookie
    Commented Jan 28, 2016 at 14:22
1

There are many ways to detect a spoofed wireless MAC address. One of which is to use the clients signal strength. This works effectively for stationary clients.

Another method is to compare the physical characteristics of the client's transceiver.

... physical layer information is inherent to radio characteristics and the physical environment, making it much harder to forge and it may be used to differentiate devices. Hall et al. uses the frequency-domain patterns of the transient portion of radiofrequency (RF) signals, as a fingerprint, to uniquely identify a transceiver. Source

The source of the quoted also contains a bit more information about MAC spoofing detection.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .