Why ISPs shouldn't ban MAC addresses (shenglong.posterous.com)
27 points by Shenglong on Aug 3, 2011 | hide | past | favorite | 19 comments



Absolutely have to send a message to your network administrator, but can't find her? Target several local hosts (this works quicker with an IDS in the mix) with xmas packets, and place your message in the body. Send 'em once every five seconds or so, preferably in the afternoon when they should be awake. If that doesn't seem to get anyone's attention, start a rogue DHCP server which issues DHCPOFFERS with "Oy, why is 05:23:a3:bb:40 banned? --room 201" in the message field.

If they're worth their salt, the network admin will see it light up in their packet dump, and resolve any problems you're having. With fire.


"xmas UDP packets" does not compute... Xmas only has meaning in the context of TCP.


Whoops! Serves me right for sloppy editing.


What are xmas packets?


A packet with all options "lit up", like sending a TCP packet with SYN, FIN, PSH and URG all set.


PSH, URG, SYN, FIN, all set.
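The two replies above define a "xmas" packet by its TCP flag bits. The following is an added example, not code from any commenter, showing how an IDS-style check recognises that combination in a raw TCP header: it parses the flag byte, names the set bits, and labels the header as xmas, null, syn-fin or normal. The sample segments are constructed in the block with `build_segment` (checksum left at zero) purely as parser input; the function and label names are this example's own.

```python
import struct

# TCP flag bits, low to high, as they sit in byte 13 of the TCP header (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}
XMAS = FIN | PSH | URG  # the classic "lit up" combination; SYN may be set on top


def build_segment(flags: int, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed sample input: a minimal 20-byte TCP header carrying the given flags.
    The checksum is left at zero; this is a parser fixture, not something for a wire."""
    data_offset = 5 << 4  # five 32-bit words, no options
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_offset, flags, 8192, 0, 0)


def parse_tcp_flags(segment: bytes) -> int:
    """Return the flag byte of a raw TCP segment (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    return segment[13]


def flag_names(flags: int) -> list[str]:
    """Human-readable list of the flags that are set, in header bit order."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]


def classify(flags: int) -> str:
    """Label a flag combination the way an IDS signature would.

    'xmas'    : FIN, PSH and URG all set (SYN may be set as well)
    'null'    : no flags at all
    'syn-fin' : SYN together with FIN, which a normal stack never emits
    'normal'  : anything else
    """
    if (flags & XMAS) == XMAS:
        return "xmas"
    if flags == 0:
        return "null"
    if (flags & (SYN | FIN)) == (SYN | FIN):
        return "syn-fin"
    return "normal"


def scan(segments: list[bytes]) -> list[tuple[int, str, list[str]]]:
    """Run the classifier over captured segments; return (index, label, flags) for the odd ones."""
    alerts = []
    for i, seg in enumerate(segments):
        flags = parse_tcp_flags(seg)
        label = classify(flags)
        if label != "normal":
            alerts.append((i, label, flag_names(flags)))
    return alerts


if __name__ == "__main__":
    # Constructed capture: one ordinary SYN, one xmas header, one ACK, one null header.
    capture = [build_segment(SYN), build_segment(SYN | FIN | PSH | URG),
               build_segment(ACK), build_segment(0)]
    for idx, label, names in scan(capture):
        print(f"segment {idx}: {label} ({'|'.join(names) or 'no flags'})")
```

The check is deliberately a subset test rather than an equality test, so a header with SYN added on top of FIN/PSH/URG (the combination the replies describe) still matches the xmas signature; a real sensor would also record source, destination and the rate at which such headers arrive, since a single one is noise and a steady stream is the signal the comment above is counting on.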


Or security will show up and escort you off the campus for "hacking".

I've been places where I would expect that kind of response.


I think this article misses the point.

Yes, MAC addresses are not to be trusted. They can be easily changed. However, the corollary to "you shouldn't blacklist MAC addresses" is "you shouldn't whitelist them either." Great, you just threw out DHCP, and are going down the network access control blackhole. (802.1X supplicants for everybody!)

Most ISPs don't put multiple clients in a layer-2 domain; you can't trust it. So, most ISPs already don't trust MAC addresses, nor do they care.

On a college campus, things are different, and locking down the network can only go so far technologically. You need technical measures and good communication to cover 98% of the users (IDS, automatic quarantine systems, simple registration), accommodation for the 1.9% of technically inquisitive/advanced users (forums, workarounds for edge cases), and a big stick for the remaining 0.1%.

When I was at WWU, they ran a very liberal network. You could change your MAC address (as long as it wasn't taken from another user), you could run your own WiFi (as long as you took responsibility for it), you could run servers, and almost no protocol was banned (although it might be throttled.) But use someone else's credentials or interfere with the functioning of the network? Stick time.

Sounds like the problem at this school is bad communication, and not having a holistic network management system. Not surprising: they're both hard, and most schools don't invest the time with any serious effort.

... and don't get me started on the campuses that ban IRC.


That's a whole lotta words to say "Because they can easily be spoofed".


But it was a fun story, and you'll remember it better now, probably :)


Banning MAC addresses is a must for large universities (and probably any large network where you have frequent guests and do not have employer/employee power relations).

Yes you can change your MAC address. But this type of policy is in place in order to stop misconfigured machines or malware ridden machines from connecting to the network.


Still, at least it's an improvement on the system my university network imposed, which required pre-registration of your MAC address for your assigned room port. Any other MAC detected would immediately block the port at the switch level (and require a helpdesk call, and up to 3 days wait) to fix.

It taught me some useful things about the Linux system init process, and where to stick the MAC spoofing setup call though, so not a total loss.


Sure you can spoof MACs, but most people won't, so it's an easy solution that works for most incidents. No telling why you are getting banned over and over, but if it's for a legitimate reason that you're unaware of, you're certainly not going to be getting much understanding by the time an ops person has had to figure out what's going on and manually turn off the port.


Sounds like his system has been tripping an IDS and being flagged for malware. Changing the MAC address (which, in some environments, is a violation of the Acceptable Use Policy) will just result in the new MAC address being banned as well, if that is the case.


Years ago I worked for the ResNet team at Purdue University and some of the items in the story were similar. I can relate to the poster's pain but I've also been on the other side.

We had an entirely automated system to temporarily block users who exceeded their bandwidth limit. When that happened we brought down the port on the switch. If they moved to a different port we brought it down as well. If they had changed their MAC they would have to associate it with their username (using our home grown NAC) and then we would block them then.

As for support we had standard hours for a helpdesk staffed by students.
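The comment above describes quota enforcement that blocks a switch port, and a registration step that ties each MAC to a username so that swapping MACs does not reset the count. The following is an added example written for this thread, not Purdue's system or the commenter's code, that shows why the binding matters: usage accounted per MAC lets a user who changes MAC mid-semester stay under quota on every address, while accounting rolled up to the registered owner catches the same traffic. The flow records, MACs, usernames, port names and quota are all constructed here; the function names are this example's own.

```python
from collections import defaultdict
from dataclasses import dataclass

MB = 1_000_000


@dataclass(frozen=True)
class Flow:
    """One edge accounting record: which MAC moved how many bytes on which switch port."""
    mac: str
    port: str
    bytes_total: int


# Constructed NAC registration table (MAC -> username). Both of alice's MACs are
# registered because the NAC forces registration before the new MAC gets access.
REGISTRATIONS = {
    "00:11:22:aa:bb:01": "alice",
    "00:11:22:aa:bb:02": "alice",   # alice's second MAC after she changed it
    "00:11:22:aa:bb:04": "bob",
}

# Constructed accounting records for one day. 00:11:22:aa:bb:03 never registered.
FLOWS = [
    Flow("00:11:22:aa:bb:01", "gi1/0/7", 800 * MB),
    Flow("00:11:22:aa:bb:02", "gi1/0/7", 500 * MB),
    Flow("00:11:22:aa:bb:03", "gi1/0/9", 10 * MB),
    Flow("00:11:22:aa:bb:04", "gi1/0/12", 200 * MB),
]

QUOTA = 1000 * MB  # constructed daily limit

# Worst-case ordering for a port carrying several MACs: block beats register beats ok.
_SEVERITY = {"ok": 0, "register": 1, "block": 2}


def usage_per_mac(flows):
    """Naive accounting keyed on MAC alone."""
    usage = defaultdict(int)
    for f in flows:
        usage[f.mac] += f.bytes_total
    return dict(usage)


def over_quota_macs(flows, quota_bytes):
    """MACs a MAC-only policy would block; empty when the user split traffic across MACs."""
    return {mac for mac, used in usage_per_mac(flows).items() if used > quota_bytes}


def usage_per_user(flows, registrations):
    """Roll usage up to the registered owner; MACs the NAC has never seen land under None."""
    usage = defaultdict(int)
    for f in flows:
        usage[registrations.get(f.mac)] += f.bytes_total
    return dict(usage)


def enforcement_actions(flows, registrations, quota_bytes):
    """Return {port: action}: 'block' when the port's registered owner is over quota,
    'register' when an unregistered MAC shows up on it, 'ok' otherwise."""
    per_user = usage_per_user(flows, registrations)
    actions = {}
    for f in flows:
        owner = registrations.get(f.mac)
        if owner is None:
            action = "register"
        elif per_user[owner] > quota_bytes:
            action = "block"
        else:
            action = "ok"
        current = actions.get(f.port, "ok")
        if _SEVERITY[action] >= _SEVERITY[current]:
            actions[f.port] = action
    return actions


if __name__ == "__main__":
    print("MAC-only policy would block:", over_quota_macs(FLOWS, QUOTA) or "nobody")
    print("per-user usage (MB):", {u: b // MB for u, b in usage_per_user(FLOWS, REGISTRATIONS).items()})
    for port, action in enforcement_actions(FLOWS, REGISTRATIONS, QUOTA).items():
        print(f"{port}: {action}")
```

Run as-is, the MAC-only view reports nobody over quota, while the per-user view puts alice at 1300 MB and blocks gi1/0/7; the unregistered MAC on gi1/0/9 is sent to registration rather than silently counted, which is the step that makes the next MAC change visible too.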


Has the author, who appears to read HN and hopefully therefore this, considered that the reason for the apparently automatic ban might be malware on the machine?


Yes I have. However, I don't frequent any dangerous sites much, and my computer isn't terribly vulnerable. I've done full scans with MWB and AVG, and I've checked my data in/out rates.


Try hooking your computer up through a hub or something and use Wireshark on your traffic. You never know on a Windows box. I've had deeply rootkitted machines that didn't get picked up by any scans.

In any case, I'd recommend against changing your MAC address because when you do get a hold of the network admins they may be rather disgruntled that you're violating network policy (almost any university that registers MACs prohibits MAC spoofing, otherwise you could just use the MAC of somebody that you saw on a different subnet).


Have you considered escalating this past the engineers, and to the Dean of your school?

Alternatively, if you could find out his or her MAC address...



