HT201155: AirPort Base Station: ISP provisioning may prevent Internet connection via broadband (cable or DSL)

wjmjr

Q: MITM attack

How does one exclude a certain IP from connecting? Is the only way to reset the password? Thanks

MacBook Pro, iOS 8.3

Posted on May 17, 2015 6:30 AM


  • Bob Timmons, Level 10 (105,086 points), Wireless
    May 17, 2015 6:46 AM in response to wjmjr

    If you are using an AirPort base station, the other way is to use Timed Access in AirPort Utility to set up a No Access rule for the wireless device that you do not want to allow to connect. 

     

    To do this though, you need to have what is called the MAC Address or WiFi Address of the device that will be denied access. An example of what a rule might look like for a device named Excluded Device is pictured below. All other devices would have Unlimited access.

     

    [Screenshot omitted: Timed Access rule showing "Excluded Device" set to No Access]

     

    Changing the password would be the faster and simpler way to do what you want, but if for some reason you did not want to change the password, then setting up a rule to not allow access to the device would be the only other option.

  • wjmjr, Level 1 (0 points)
    May 17, 2015 7:03 AM in response to Bob Timmons

    Bob,

    Thank you for the prompt response.

    I do not wish to change the password.

    So, creating an "Excluded Device" would be good, but the attack is coming from a MAC address of ff:ff:ff:ff:ff:ff:ff:ff but an IP of 192.168.0.255.

    The AirPort software will not accept that MAC address and I cannot find how to do it through an IP address.

    Any further good suggestions?

    Thanks.

    Jack

  • Bob Timmons, Level 10 (105,086 points), Wireless
    May 17, 2015 7:21 AM in response to wjmjr

    The AirPort software will not accept that MAC address

    The AirPort software assumes that you will be using a standard MAC Address of 12 characters.  Your example has 16, so that is not going to work on the current software.

     

    I cannot find how to do it through an IP address.

    Sorry, but this is not possible.

  • wjmjr, Level 1 (0 points)
    May 17, 2015 7:27 AM in response to Bob Timmons

    My mistake about 16 rather than 12. Anyway all pairs are "ff".

    Thanks for your help.

    Jack

    P.S. Anyone with other thoughts??

  • jjkraw, Level 2 (336 points), Apple TV
    May 17, 2015 7:45 AM in response to wjmjr

    Mind if I back up a few steps to understand the problem better?

     

    How did you determine that an attack was happening and diagnose it to that particular MAC address and IP address? The reason that AirPort Utility won't let you enter that address is that it isn't valid as a source MAC address (it is a broadcast address).

     

    Have you determined what device is doing this? If you have security on the network, I assume you have some control over who and what connects.

  • Bob Timmons, Level 10 (105,086 points), Wireless
    May 17, 2015 7:48 AM in response to wjmjr

    All pairs are "ff"

     

    Sorry, I am confused. You mean that they are lower case letters, or something else?  Are you sure that this is a MAC Address?  Sometimes the MAC address is different for Ethernet than it is for wireless. You have to have the wireless address, since Timed Access only works on wireless devices.

     

    Write down the actual MAC Address of the device that you see. Then, change the letters to another letter and numbers to another number, so we'll have no idea of what that actual MAC Address might be.

     

    Post back with that address.

  • jjkraw, Level 2 (336 points), Apple TV
    May 17, 2015 8:31 AM in response to Bob Timmons

    All pairs are "ff"

     

    Sorry, I am confused.

     

    My interpretation was that each octet in the MAC address was "ff", therefore: ff:ff:ff:ff:ff:ff.

     

    But I'm wondering if that is the destination MAC (and IP, 192.168.0.255) rather than the source. That would make sense, as it would be a subnet broadcast for 192.168.0/24. Hence my request to back up a step and see where these values actually came from.

  • Bob Timmons, Level 10 (105,086 points), Wireless
    May 17, 2015 8:40 AM in response to jjkraw

    There is virtually zero chance that a MAC address would be ff:ff:ff:ff:ff:ff.   A typical address would look something like f2:b3:a4:22:d1:c3

     

    What device do you want to not allow to connect to the wireless network?   Is it a Mac?  A mobile device like an iPhone or iPad?

  • wjmjr, Level 1 (0 points)
    May 17, 2015 9:07 AM in response to Bob Timmons

    Here's what I get from a network "guard": (192.168.0.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]

    I have no idea what is generating this, but it is getting into my gateway and I am frequently receiving notices of an "MITM" attack.

    All other IPs or MACs are in order and I can match with devices I control.

    Thanks again.

  • jjkraw, Level 2 (336 points), Apple TV
    May 17, 2015 9:14 AM in response to wjmjr

    On what device is this network guard running?

     

    Those are very likely the destination addresses, not the source. You'd need some way to see the rest of the packet to determine the sender.
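
    The points made in the last few replies (that ff:ff:ff:ff:ff:ff is the Ethernet broadcast address, that 192.168.0.255 is the directed broadcast for 192.168.0/24, and that the sender of such a packet can only be found in the source fields of the frame) can be checked mechanically. The following is an added example, not code from this thread or from Apple. It assumes the "guard" line is in the macOS/BSD `arp -a` format quoted above and that the LAN is 192.168.0.0/24; the Ethernet frame it builds is constructed, with a made-up source MAC and IP, purely to show where the sender's address lives.

```python
"""Classify an `arp -a` entry and recover both ends of a broadcast frame.

Added example; not from the thread or from Apple. Assumes macOS/BSD
`arp -a` output and a 192.168.0.0/24 LAN; the frame below is constructed.
"""
import ipaddress
import re
import struct

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"

# macOS `arp -a` prints octets without leading zeros ("0:1e:c2:..."), so
# accept one or two hex digits per octet and normalise afterwards.
ARP_LINE_RE = re.compile(
    r"^(?:(?P<host>\S+)\s+)?\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"(?P<mac>[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}|\(incomplete\))"
    r"\s+on\s+(?P<iface>\S+)"
)


def normalize_mac(mac: str) -> str:
    """Zero-pad and lowercase: '0:1E:c2:a:b:c' -> '00:1e:c2:0a:0b:0c'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def classify_mac(mac: str) -> str:
    """'broadcast' (all ff), 'multicast' (I/G bit of first octet set) or 'unicast'."""
    mac = normalize_mac(mac)
    if mac == BROADCAST_MAC:
        return "broadcast"
    return "multicast" if int(mac[:2], 16) & 0x01 else "unicast"


def parse_arp_line(line: str, iface_network: str) -> dict:
    """Parse one `arp -a` line and decide whether it names a single device."""
    m = ARP_LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised arp line: {line!r}")
    ip = ipaddress.ip_address(m["ip"])
    net = ipaddress.ip_network(iface_network, strict=False)
    raw = m["mac"]
    kind = "incomplete" if raw == "(incomplete)" else classify_mac(raw)
    return {
        "ip": str(ip),
        "mac": None if kind == "incomplete" else normalize_mac(raw),
        "iface": m["iface"],
        "mac_kind": kind,
        "is_subnet_broadcast": ip == net.broadcast_address,
        # Broadcast/multicast entries address every receiver on the segment;
        # only a unicast MAC identifies one device that a MAC filter could deny.
        "blockable_device": kind == "unicast",
    }


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(o, 16) for o in normalize_mac(mac).split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum; returns 0 for a header whose checksum is valid."""
    s = sum(struct.unpack("!10H", header))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def build_broadcast_frame(src_mac: str, src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 + UDP frame sent to the subnet broadcast."""
    eth = mac_to_bytes(BROADCAST_MAC) + mac_to_bytes(src_mac) + b"\x08\x00"
    udp = struct.pack("!HHHH", 1900, 1900, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src_ip).packed,
                     ipaddress.ip_address(dst_ip).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]  # fill checksum
    return eth + ip + udp


def frame_endpoints(frame: bytes) -> dict:
    """Pull both ends out of a frame: the guard reported only the destination."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ip = frame[14:34]
    if ipv4_checksum(ip) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {
        "dst_mac": bytes_to_mac(frame[:6]),
        "src_mac": bytes_to_mac(frame[6:12]),
        "src_ip": str(ipaddress.ip_address(ip[12:16])),
        "dst_ip": str(ipaddress.ip_address(ip[16:20])),
    }


if __name__ == "__main__":
    guard_line = "(192.168.0.255) at ff:ff:ff:ff:ff:ff on en1 ifscope [ethernet]"
    print(parse_arp_line(guard_line, "192.168.0.0/24"))
    frame = build_broadcast_frame("a4:5e:60:11:22:33", "192.168.0.12", "192.168.0.255", b"M-SEARCH")
    print(frame_endpoints(frame))
```

    Run against the guard line from the thread, `parse_arp_line` reports `mac_kind` "broadcast", `is_subnet_broadcast` True and `blockable_device` False, which is exactly why AirPort Utility rejects the address: it is not a device. `frame_endpoints` on the constructed frame shows the destination pair the guard printed next to the unicast source MAC and IP that a packet capture (for example, tcpdump with `ether dst ff:ff:ff:ff:ff:ff`) would reveal and that a MAC-based rule could actually target.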

  • Bob Timmons, Level 10 (105,086 points), Wireless (marked Helpful)
    May 17, 2015 9:17 AM in response to wjmjr

    [Ethernet]

     

    This is an Ethernet connection according to the info that you supplied.

     

    Timed Access only works on a wireless connection.  Changing the wireless network password will have no effect on a device that is connecting to the network using Ethernet.

     

    Sorry, but there are no controls on an AirPort router to limit connections of Ethernet devices other than physically checking the connections.

  • jjkraw, Level 2 (336 points), Apple TV
    May 17, 2015 9:31 AM in response to Bob Timmons

    It came in on an Ethernet connection to whatever device is generating the message. But that doesn't mean the source is necessarily wired. If this is a broadcast packet as it looks to be, a copy will go to all wired and wireless devices on the network.

     

    I think we need to know a bit more about your topology. Do you have an Apple device for a router or something else? Where does the Airport device (if any) fit into the picture?