An incomplete list of the ways around MAC address blocking

August 8, 2011

In an earlier entry I wrote that there were plenty of ways for someone with a banned MAC address to get back on your network. Since some people may doubt that, today I feel like running down some of those ways to emphasize how weak MAC-based blocking is.

The straightforward workaround is to change your MAC address to some new random one you made up (often you can just vary the last octet of the MAC address slightly), then register your 'new' machine for network access. This works best in environments with an automated registration portal.

The next option is to skip the whole registration process by borrowing someone else's MAC address, ideally the MAC address of a machine that itself is not currently on the network. This usually requires some advance planning to acquire the MAC addresses of other machines, but has the obvious advantage of working even if you can't register new machines.

The more extreme option is to skip straight to what you actually care about, which is getting the DHCP server to give you an IP address. Well, who needs a DHCP server? After all, if you know the IP address range and other routing information, you can just give yourself an IP address without bothering the DHCP server. (You probably want to give yourself a different IP address than you used to be using.)

It's quite difficult to stop the first two attacks without side effects. In fact I think it's close to impossible to reliably block MAC address impersonation if you allow machines to roam from port to port. It's possible to block the third attack but it requires that your DHCP server and your network firewall talk to each other, so that the firewall only passes specific IP addresses that the DHCP server has given out.
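One way to express that DHCP-to-firewall coupling, as an added example that is not from the original post: the firewall's allowlist is derived from the DHCP server's active leases, and traffic from in-pool addresses that were never leased (or whose lease has expired) is flagged. The lease export format, the addresses and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample data (documentation address ranges, locally administered MACs).
POOL = ip_network("192.0.2.0/24")          # range the DHCP server manages
NOW = datetime(2011, 8, 8, 12, 0, tzinfo=timezone.utc)
LEASES = [  # (ip, mac, lease expiry) as exported by a hypothetical DHCP server
    ("192.0.2.10", "02:00:00:aa:bb:01", "2011-08-08T18:00:00+00:00"),
    ("192.0.2.11", "02:00:00:aa:bb:02", "2011-08-08T09:00:00+00:00"),  # expired
]
OBSERVED = [  # (ip, mac) pairs seen at the firewall, e.g. from its ARP table
    ("192.0.2.10", "02:00:00:AA:BB:01"),    # matches an active lease
    ("192.0.2.11", "02:00:00:aa:bb:02"),    # still using an expired lease
    ("192.0.2.50", "02:00:00:aa:bb:03"),    # self-assigned, never leased
    ("192.0.2.10", "02:00:00:aa:bb:09"),    # leased IP, different MAC
    ("198.51.100.7", "02:00:00:aa:bb:04"),  # outside the managed pool
]

def active_leases(leases, now):
    """Return {ip: mac} for leases that have not expired at `now`."""
    return {ip: mac.lower() for ip, mac, expiry in leases
            if datetime.fromisoformat(expiry) > now}

def firewall_allowlist(leases, now):
    """Source IPs the firewall should pass: only currently leased ones."""
    return sorted(active_leases(leases, now), key=ip_address)

def audit(observed, leases, pool, now):
    """Flag in-pool hosts whose IP the DHCP server did not hand to them.

    This only closes the self-assigned-IP path. MAC impersonation of a
    machine with an active lease is not detected here.
    """
    allowed = active_leases(leases, now)
    findings = []
    for ip, mac in observed:
        if ip_address(ip) not in pool:
            continue                      # not ours to judge
        leased_mac = allowed.get(ip)
        if leased_mac is None:
            findings.append((ip, mac.lower(), "no-active-lease"))
        elif leased_mac != mac.lower():
            findings.append((ip, mac.lower(), "mac-mismatch"))
    return findings

if __name__ == "__main__":
    print("allow:", firewall_allowlist(LEASES, NOW))
    for finding in audit(OBSERVED, LEASES, POOL, NOW):
        print("flag:", *finding)
```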

All of this leads to the larger point, which is that both MAC addresses and IP addresses are only a very weak form of access control. They will keep ordinary people out, but they're not going to stop someone who knows what they're doing. If you need strong network access restrictions, you need strong authentication either of machines, via mechanisms such as IPsec, or of users, via mechanisms such as VPNs.

(This is nothing new to networking people, of course.)

Comments on this page:

From at 2011-08-08 11:30:57:

A friend who sets up municipal networks makes heavy use of EAP (IIRC 802.1X / PEAP) and tells me it has eliminated all "rogue" devices on their networks. If you need more than access control, IPsec or SSL VPN is probably the way to go. This is my favorite approach as it moves crypto closer to L7 which is almost always a good thing.

As you have pointed out, MAC addresses are far too easy to manipulate to use them for access control. I've always found it humorous that various "Wireless Security Best Practices" found online suggest you do things like use MAC access control, static IPs instead of DHCP, and disable SSID broadcast. These are all worthless practices and only hinder usability.

Written on 08 August 2011.

Last modified: Mon Aug 8 00:48:45 2011