How to prevent users from scanning the network

DFrenzy asked:

In my network, many people spoof MAC addresses. They get the MAC addresses of online users by scanning the network or the IP address range, and using Wireshark they easily get any MAC address.
So how do I prevent users from scanning the IP addresses, or how do I hide the IP and MAC addresses of my network customers?
I think preventing MAC spoofing is impossible in an open network, so I just want to prevent the bad guys from scanning the IP addresses and getting the MAC addresses of the online users.

Note:
My network is an open network; no security key is needed to connect to it, and I don’t want to change it to WPA2 or anything else.
Users need to log in to the hotspot login page to access the internet (but bad guys change their MAC to an already logged-in customer’s MAC and get it for free).

Network details (brief):
MikroTik router,
Ubiquiti

My answer:


It’s impossible to prevent a MAC-spoofing attack on a completely open Wi-Fi network. However, it’s relatively easy to detect the attack: both the attacker and the victim whose MAC address is being spoofed will have trouble using the network, as each computer will send TCP resets for connections the other has initiated. Thus the person whose MAC address was cloned begins having mysterious “trouble with the Internet” and either calls technical support, or gives up and tries again later. The latter is what the attacker wants, as it leaves him free to use the network once the other person is gone.
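The symptom just described can be turned into a detection rule at the gateway: a client MAC that answers a server’s SYN-ACK with a RST, for a flow that same MAC opened with a SYN a moment earlier, is behaving like two hosts sharing one identity. The following is an added example (not part of the original answer) run over constructed frame summaries; the MAC and IP addresses, the gateway MAC and the tuple layout are all assumptions for illustration.

```python
from collections import defaultdict

SYN, ACK, RST = 0x02, 0x10, 0x04

# Constructed frame summaries as seen at the gateway (not real captures):
# (time, src_mac, src_ip, sport, dst_ip, dport, tcp_flags). GW = gateway MAC.
GW = "aa:bb:cc:dd:ee:ff"
FRAMES = [
    # Legitimate owner of 00:11:22:33:44:55 completes a handshake normally.
    (0.0, "00:11:22:33:44:55", "10.0.0.23", 50000, "93.184.216.34", 443, SYN),
    (0.1, GW, "93.184.216.34", 443, "10.0.0.23", 50000, SYN | ACK),
    (0.1, "00:11:22:33:44:55", "10.0.0.23", 50000, "93.184.216.34", 443, ACK),
    # Cloned MAC: the owner opens a connection, but the second host using the
    # same MAC/IP has no such socket and answers the SYN-ACK with a RST.
    (5.0, "00:11:22:33:44:55", "10.0.0.23", 50001, "93.184.216.34", 443, SYN),
    (5.1, GW, "93.184.216.34", 443, "10.0.0.23", 50001, SYN | ACK),
    (5.1, "00:11:22:33:44:55", "10.0.0.23", 50001, "93.184.216.34", 443, RST),
    (6.0, "00:11:22:33:44:55", "10.0.0.23", 50002, "93.184.216.34", 443, SYN),
    (6.1, GW, "93.184.216.34", 443, "10.0.0.23", 50002, SYN | ACK),
    (6.1, "00:11:22:33:44:55", "10.0.0.23", 50002, "93.184.216.34", 443, RST),
]

def resets_after_synack(frames):
    """Count, per client MAC, RSTs that answer a SYN-ACK for a flow the
    same MAC itself opened with a SYN (the symptom described in the answer)."""
    state = {}  # (client_ip, client_port, server_ip, server_port) -> "syn" | "synack"
    counts = defaultdict(int)
    for _ts, mac, sip, sport, dip, dport, flags in frames:
        if flags & SYN and not flags & ACK:             # client opens a flow
            state[(sip, sport, dip, dport)] = "syn"
        elif flags & SYN and flags & ACK:               # server answers the SYN
            flow = (dip, dport, sip, sport)
            if state.get(flow) == "syn":
                state[flow] = "synack"
        elif flags & RST:                               # client tears it down
            if state.pop((sip, sport, dip, dport), None) == "synack":
                counts[mac] += 1
        elif flags & ACK:                               # handshake completed normally
            state.pop((sip, sport, dip, dport), None)
    return dict(counts)

def suspected_clones(frames, threshold=2):
    """MACs whose RST-after-SYN-ACK count reaches the threshold."""
    return sorted(m for m, n in resets_after_synack(frames).items() if n >= threshold)

if __name__ == "__main__":
    print(suspected_clones(FRAMES))
```

A single reset can be an ordinary aborted connection, so the threshold (and, on a real link, a time window) keeps one stray RST from paging the help desk.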

Again, you cannot prevent this attack on an open network, and while you can attempt to limit it by making legitimate users log in again every half hour or so, this is a great inconvenience to legitimate users and not much inconvenience to the attacker, who can just wait for the legitimate user to log in again, or go clone someone else’s MAC address. So this is not practical.


I have set up paid Wi-Fi networks, and I use a two-network design:

  • One SSID is an open network, which can only connect to a (secure) web server where users can create new accounts and make payments.
  • The other SSID is secured with WPA2-Enterprise and users log in to this network with their chosen username and password to access the Internet.

This requires a RADIUS server, which isn’t too hard to set up, and the design completely prevents people from sniffing the network at all. The RADIUS server can also be configured to allow only one device at a time to use any given account credentials, which deters account sharing. On the WPA2-Enterprise network, everything is encrypted and the attacker cannot decrypt anything from other users, as he can with WPA2-Personal if he knows the shared passphrase. And on the open network, only a single HTTPS web site is accessible, which also can’t be sniffed, and MAC spoofing is pointless on that network.

The only downside to this design is that it requires a one-time configuration in advance for older computers running Windows 7 or earlier operating systems, but this takes only a minute to do.


View the full question and answer on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.