NationStates Jolt Archive


Hey, Mods, Can't IP Ban Someone? Try This:

Kaukolastan
03-12-2003, 07:20
Try banning the MAC address. It's the address of the actual network card, and unless we have a truly proficient computer whiz, it'll find him.
Oglethorpia
03-12-2003, 07:21
OOC:

Would that seriously work?

I'm sure if you could do it; most forum software and website admins would have already incorporated it into their most popularly used programs and scripts.

It must be something new, since when I modded some forums a few months back we could only ban based on IP.
SalusaSecondus
03-12-2003, 07:22
This is much easier said than done. It is something that I've been toying with, though. Don't expect it for a long time, though.

http://www.weirdozone.0catch.com/projects/nationstates/salusasecondus/salusasecondus2.jpg
SalusaSecondus
Tech Modling
PGP: 0x0604DF3E
03-12-2003, 07:25
It can be done, actually, and fairly easily. Just put the server behind a switch (which operates on the same layer of networking as a MAC address) and have it filter out unwanted MAC addresses. This can be defeated by changing your NIC or modem, but who wants to spend more than $20 to get a new one of those every few minutes?
Kaukolastan
03-12-2003, 07:26
I'm sure a router is in front of the server, therefore you can program the router to deny requests from any given MAC address, IP address, and can even block given networks using an IP mask on the blocked IP address. This does take some knowledge of the router you use, but say it was a Linksys router, you can do this on the setup "web page."
03-12-2003, 07:29
I'm sure a router is in front of the server, therefore you can program the router to deny requests from any given MAC address, IP address, and can even block given networks using an IP mask on the blocked IP address. This does take some knowledge of the router you use, but say it was a Linksys router, you can do this on the setup "web page."

You can use a router, but switches are easier to work with on layer 2 IMO. Both kinds of blocking, layer 2 and 3, are powerful. I wouldn't be surprised if the IP bans of NS are done via a router.
03-12-2003, 07:29
Try banning the MAC address. It's the address of the actual network card, and unless we have a truly proficient computer whiz, it'll find him.

This won't work in all cases either. Many routers (including the cheap Linksys one I have) allow you to set a custom MAC address.
[violet]
03-12-2003, 07:31
Do browsers transmit MAC addresses? I didn't think this was something a remote server could tell.
Kaukolastan
03-12-2003, 07:32
In the encapsulation of the packet the internal MAC of the computer that sent it is included, whereas the router's MAC is not. Basically, it sees the computer. If you IP banned with your concept, entire networks would be blocked.
Naleth
03-12-2003, 07:32
But I would think only violet, if anyone, has access to that router. Also, MAC addresses are old. Really old. It's just that they aren't used much because they tell you absolutely nothing about the computer on the other end (except what company made their NIC).
03-12-2003, 07:33
This won't work in all cases either. Many routers (including the cheap Linksys one I have) allow you to set a custom MAC address.

MAC addresses are burned onto the card. Without exception. That's like saying you purchased a computer without a BIOS. Perhaps you're thinking of IP addresses.

The reason MAC addys are burned onto the hardware is to limit confusion about what machine is which. IPs can change, but MACs can't. Routers refer to both MACs and IPs when making forwarding decisions.

Edit: Violet, you can get the MAC address of an IP by accessing the MAC address table on the router. I think there might be something like ping for MACs, too, but since it's been three years since my networking classes, I'm a little fuzzy.
Kaukolastan
03-12-2003, 07:34
Do browsers transmit MAC addresses? I didn't think this was something a remote server could tell.
The server could tell, but it would be highly complicated. Routers would tell easily.
SalusaSecondus
03-12-2003, 07:34
I've been scanning security forums, and the consensus is basically that this doesn't work.
Kaukolastan
03-12-2003, 07:36
Just a quick OT post:
I'm talking to Violet and SalusaSecondus in the same post!
*happy post dance*

On Topic: A buddy is breaking out the Sysqo code now.
03-12-2003, 07:37
I've been scanning security forums, and the consensus is basically that this doesn't work.

Huh. Have you been able to determine why? I mean, have you seen a routing tech go on a spiel about it or something that you could repost here?
Naleth
03-12-2003, 07:37
This won't work in all cases either. Many routers (including the cheap Linksys one I have) allow you to set a custom MAC address.

MAC addresses are burned onto the card. Without exception. That's like saying you purchased a computer without a BIOS. Perhaps you're thinking of IP addresses.

The reason MAC addys are burned onto the hardware is to limit confusion about what machine is which. IPs can change, but MACs can't. Routers refer to both MACs and IPs when making forwarding decisions.

Edit: Violet, you can get the MAC address of an IP by accessing the MAC address table on the router. I think there might be something like ping for MACs, too, but since it's been three years since my networking classes, I'm a little fuzzy.
But a router can pretend it has a different MAC by changing the packet before it sends it.
03-12-2003, 07:39
But a router can pretend it has a different MAC by changing the packet before it sends it.

Yes, but that goes against every standardization code I've ever seen on the subject of MACs. It'd be hard to do, and it's probably proprietary. I doubt it would work correctly on a multibrand network.
03-12-2003, 07:40
This won't work in all cases either. Many routers (including the cheap Linksys one I have) allow you to set a custom MAC address.

MAC addresses are burned onto the card. Without exception. That's like saying you purchased a computer without a BIOS. Perhaps you're thinking of IP addresses.

The reason MAC addys are burned onto the hardware is to limit confusion about what machine is which. IPs can change, but MACs can't. Routers refer to both MACs and IPs when making forwarding decisions.

Edit: Violet, you can get the MAC address of an IP by accessing the MAC address table on the router. I think there might be something like ping for MACs, too, but since it's been three years since my networking classes, I'm a little fuzzy.

I'm not confusing it with IP address. I have enough experience with basic networking to know the difference. I think I am just misinterpreting the meaning of a config page on my router. The title of the page is "MAC Address Clone", and the description is "In this page, you can change the WAN MAC address of this router."

Do you have any idea what this is?
Naleth
03-12-2003, 07:40
But a router can pretend it has a different MAC by changing the packet before it sends it.

Yes, but that goes against every standardization code I've ever seen on the subject of MACs. It'd be hard to do, and it's probably proprietary. I doubt it would work correctly on a multibrand network.
My little D-Link here can do it just fine (although since this is a 1-computer network ATM, it's acting more like a hardware firewall than a router). It may break the rules, but it can be done with relative ease.
03-12-2003, 07:41
I'm not confusing it with IP address. I have enough experience with basic networking to know the difference. I think I am just misinterpreting the meaning of a config page on my router. The title of the page is "MAC Address Clone", and the description is "In this page, you can change the WAN MAC address of this router."

Do you have any idea what this is?

Not a clue. I've never seen anything like that before, not even on my own Linksys.
Naleth
03-12-2003, 07:44
I'm not confusing it with IP address. I have enough experience with basic networking to know the difference. I think I am just misinterpreting the meaning of a config page on my router. The title of the page is "MAC Address Clone", and the description is "In this page, you can change the WAN MAC address of this router."

Do you have any idea what this is?

Not a clue. I've never seen anything like that before, not even on my own Linksys.
It's a setting to change the MAC address given out by the router...

The reason it's there is because some ISPs check the MAC address of computers before they give them a DHCP address. Well, if you get a new router then it will have a new MAC. Problem. Solution: the router pretends to have the old MAC address, so you can continue to use the same DHCP server without interrupting your internet access to get your ISP to add the new MAC to the list of allowed DHCP clients.
Karmabaijan
03-12-2003, 07:45
I just did that tonight with my new router. Any data to the outside gets tagged with whatever MAC you clone into the router.
03-12-2003, 07:46
It's a setting to change the MAC address given out by the router...

The reason it's there is because some ISPs check the MAC address of computers before they give them a DHCP address. Well, if you get a new router then it will have a new MAC. Problem. Solution: the router pretends to have the old MAC address, so you can continue to use the same DHCP server without interrupting your internet access to get your ISP to add the new MAC to the list of allowed DHCP clients.

That still doesn't change the MAC address of the computer from which the packets are being sent, though, just the MAC addy of the router through which the packets are being sent.
Karmabaijan
03-12-2003, 07:47
The router rebroadcasts the internal data it receives to the outside world as its own, though. The router's IP and the MAC set into it. This is how you are able to trick an ISP into seeing only one network connection, and share it amongst many systems.
03-12-2003, 07:49
Huh. Oh well, I guess. Like I said, my classes were some time ago. Must be a relatively recent development.
Allison blair
03-12-2003, 07:50
You can change the MAC address given out by a router and by an internal NIC, however it is extremely difficult. On a router it is easy, but that does not matter; in order for a computer to read a packet sent by a computer, it must have either its IP or MAC address. One can be converted to the other by RIP or IGRP router commands. Therefore, if someone posts, you have their IP; you RIP and get their MAC, then you can go to your Cisco router using... please see this site, the code is posted at the bottom to block a MAC.
http://isp-lists.isp-planet.com/isp-wireless/0104/msg03452.html
Naleth
03-12-2003, 07:52
Huh. Oh well, I guess. Like I said, my classes were some time ago. Must be a relatively recent development.
It's called NAT (Network Address Translation) routing. Works pretty well, until you start trying to use it with UDP-based programs (games, for example, get screwed up sometimes).
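As an added example that is not part of the original thread, here is a small Python model of the point the thread converges on: the server only ever sees the MAC address of the last router in front of it, so a MAC ban applied at the server (the layer-2 filtering described in the switch/router posts above) cannot match a remote user's NIC, while an IP ban with a mask can. The model also shows what the "MAC Address Clone" setting and NAT forwarding described by Naleth and Karmabaijan do to a frame on its way out. Everything in it is constructed for the demonstration: all MAC and IP addresses are made up, the frame builder emits a minimal Ethernet II + IPv4 header with no checksum or TTL handling, and each `forward()` call stands in for one router hop of a path that in reality has many.

```python
# Added example, not from the original thread. A toy model of one packet's
# trip from a LAN host, through a home NAT router with a cloned WAN MAC, to a
# web server that tries to ban by MAC address and by IP address with a mask.
# Every address here is made up for the demonstration.
import ipaddress
import struct
from typing import Optional

ETHERTYPE_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, payload=b"GET / HTTP/1.0\r\n\r\n"):
    """Ethernet II header + minimal IPv4 header (no options, checksum left 0)."""
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
        ipaddress.IPv4Address(src_ip).packed,
        ipaddress.IPv4Address(dst_ip).packed,
    )
    eth_hdr = mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Pull the layer-2 and layer-3 source/destination out of a raw frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                  # IPv4 header length in bytes
    src_ip, dst_ip = struct.unpack("!4s4s", frame[26:34])
    return {
        "src_mac": mac_str(src_mac), "dst_mac": mac_str(dst_mac),
        "src_ip": str(ipaddress.IPv4Address(src_ip)),
        "dst_ip": str(ipaddress.IPv4Address(dst_ip)),
        "payload": frame[14 + ihl:],
    }


def forward(frame, out_mac, next_hop_mac, new_src_ip=None):
    """One router hop. The Ethernet header is discarded and rebuilt for the next
    link, so the previous sender's MAC never survives a hop. A NAT router also
    rewrites the private source IP to its public one (new_src_ip)."""
    p = parse_frame(frame)
    return build_frame(out_mac, next_hop_mac, new_src_ip or p["src_ip"], p["dst_ip"], p["payload"])


def ban_reason(frame, banned_macs, banned_nets) -> Optional[str]:
    """Server-side filter: a layer-2 deny list plus a layer-3 deny list with masks."""
    p = parse_frame(frame)
    if p["src_mac"] in banned_macs:
        return f"mac {p['src_mac']}"
    ip = ipaddress.IPv4Address(p["src_ip"])
    for net in banned_nets:
        if ip in net:
            return f"ip {ip} in {net}"
    return None


def simulate() -> dict:
    host_mac = "00:11:22:33:44:55"        # the NIC the mods would like to ban (made up)
    router_lan_mac = "00:aa:bb:cc:dd:01"
    cloned_wan_mac = "00:de:ad:be:ef:00"  # value entered on the "MAC Address Clone" page
    isp_mac = "00:99:88:77:66:55"         # ISP's first-hop router
    server_gw_mac = "00:55:66:77:88:99"   # the router directly in front of the server
    server_nic_mac = "00:01:02:03:04:05"
    public_ip, server_ip = "198.51.100.77", "203.0.113.10"

    lan = build_frame(host_mac, router_lan_mac, "192.168.1.23", server_ip)
    wan = forward(lan, cloned_wan_mac, isp_mac, new_src_ip=public_ip)   # NAT hop
    last = forward(wan, server_gw_mac, server_nic_mac)                   # final hop
    # Real paths have many more hops; each rewrites the Ethernet header the same way.

    return {
        "mac_seen_on_lan": parse_frame(lan)["src_mac"],
        "mac_seen_by_isp": parse_frame(wan)["src_mac"],
        "mac_seen_by_server": parse_frame(last)["src_mac"],
        "ip_seen_by_server": parse_frame(last)["src_ip"],
        # Banning the host's NIC MAC, or even the cloned WAN MAC, matches nothing here.
        "ban_host_mac": ban_reason(last, {host_mac, cloned_wan_mac}, []),
        # A layer-3 ban with a mask does match (and, as noted in the thread, a wide
        # mask takes a whole network with it).
        "ban_by_ip_mask": ban_reason(last, set(), [ipaddress.ip_network("198.51.100.0/24")]),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key:20} {value}")
```

Running it shows the host's MAC only on the LAN segment, the cloned WAN MAC only at the ISP's first hop, and the server's own gateway MAC at the server, which is why a MAC deny list in front of the server catches the gateway rather than the user. The only place a MAC filter on a switch or router bites is the link the offending NIC is actually plugged into.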
Allison blair
03-12-2003, 07:52
Anyway, the problem is people using non-broadband and using a modem with a non-static IP, and modem users don't have routers often, so you can get their MAC with ease.
Guanyu
03-12-2003, 07:55
But a router can pretend it has a different MAC by changing the packet before it sends it.

Yes, but that goes against every standardization code I've ever seen on the subject of MACs. It'd be hard to do, and it's probably proprietary. I doubt it would work correctly on a multibrand network.
My little D-Link here can do it just fine (although since this is a 1computer network ATM, it's acting more like a hardware firewall then a router). It may break the rules, but it can be done with relative ease.

Yeah, this isn't at all hard to do. It was considered a while back on some of the "1337" forums but they discarded it because anyone who knows enough to get around the IP ban generally knows enough to do this as well. On a forum I modded on about two to three months ago, they were just instituting this when I left, and a friend of mine later told me that they had abandoned it altogether because it was more work than it was worth, as anyone with Google or a few hacker friends/net student friends could learn how to get around it.

EDIT: This mainly applies to broadband users.
Allison blair
03-12-2003, 08:00
Amen.
possible but too much hassle
and would only block out Modem users.
[violet]
03-12-2003, 10:40
I actually don't have access to the router anyway. Just this box.
Kaukolastan
03-12-2003, 10:43
Oh well. It was an idea.