Block MAC Headers from known hacked devices
-
I am trying to block MAC addresses from known Chinese devices that hackers use as bots. I want to make sure I am doing it correctly. Under Captive Portal, I have created a list of blocked MAC headers like this 08:ed:ed:00:00:00/24. Is this the correct format to block all MAC's that start with 08:ed:ed?
-
So known hacked devices all change their mac to start with 08:ed:ed? That is pretty stupid thing to do for these hackers..
That mac is
Zhejiang Dahua Technology Co., Ltd.Why would normally they make like video camera's be on your captive portal or try and join your network in the first place?
Normally people don't carry around video cameras ;) So are their cameras in your area that use your network? While I could understand blocking known device types via the mac address - this seems kind of specific and bit tinfoil hatish to be worried about that specific mac.
-
Research Internet outage of October 2016. That wasn’t the only one. There are 3 major companies that are known to be used by hackers frequently. I have about a hundred MAC filters to create. I am also using an IP database to create a blacklist to block traffic as well.
-
Not saying camera's don't get hacked... What I am saying is you have these cameras on your network? People don't normally carry camera's around to join a network that uses a captive portal.. Captive portals are normally used for your guest.. Say a phone or a tablet or laptop.
A captive portal is used to allow access to your network.. How would hacked cameras be joining your network in the first place?
I think maybe you should do a bit more research on how these bot networks are leveraged.. And sure if you had any sort of video cameras on your network I would isolate them to their own vlan.. And limit their access to the rest of your network.
I am just not seeing a valid use case for blocking this mac on a captive port, on how a captive portal is leveraged. Simple place to block mac address, using vendor specific would just be your dhcp server.. Not the captive portal. To access a captive portal - normally users have to auth. Say with a token you give them or password you give them..
Are you saying anything can just join your network via no auth?
How exactly are using this captive portal? Are you running a internet cafe or provide access in a place of business, a hotel, a bar, etc.. Just not clear on how some hacked video camera would possible have access to join your wifi in the first place ;) Are you worried about the guy next doors video cameras accessing your wifi via zero auth and just allowed in from a wide open captive portal?
-
I've one of these :
for years now.It's a DVR, not a camera - and cameras are hooked up to it the old fashioned way : coax.
This device has merited it's place in my LAN : it does nothing out of the ordinary.
Btw : Captive portals are untrusted networks by default.
Devices connected to it should even be able to communicate among themselves = network isolation. -
Different Mac.. Then what he wants to block..
Yeah that company makes video surveillance stuff.. They are big into it.. Just not seeing how that sort of hardware moves about and joins some captive portal network. Which I agree shouldn't be doing anything but talking to the internet.
Just curious the use case of blocking companies from talking to your captive portal - because the devices they make are known members of bot nets.. The reason why is users expose them to the internet.. Which really should of never been done in the first place.
There are hundreds of hundreds makes of cameras that use bad firmware that could be exploited. You going to block them all by mac.. I still don't get how cameras that someone puts up on their wall to watch their mailman deliver their mail everyday is going to end up trying to join your network.
-
I think there may be a minor misunderstanding.
The IoT hacks that are used in the various attacks are devices that are compromised where they sit. The victim does not see the MAC of the device, they see the MAC of the nearest router. Should a hacker decide to attack your network directly, the attack is more likely to come from a more capable device, like a laptop which would have an unpredictable MAC (I would change the MAC if that is what stopped me) and they would have to be in range of your WiFi or in the building to plug in.
If you are worried about your network being used to perform an attack limit who can connect through the captive portal with some version of validation. My company requires an employee to register guests. Or limit the bandwidth available if it is more open. Certainly do not allow guests to see each other or your production network.
If your data is worth someone showing up to take it, you should have a professional security assessment done because it is worth more than the assessment to protect it.
-
@andyrh said in Block MAC Headers from known hacked devices:
I think there may be a minor misunderstanding.
Concur.. I just do not see how blocking camera makers mac addresses has any valid use case on a captive portal..
Now if you wanted to stop iphone users from using your network via captive portal - ok, maybe you hate iphone users ;) I just don't see how some video camera having been hacked or not is going to be trying to access your network via a captive portal. Which normal would have to auth in some fashion anyway.. How would this bad camera have the info to auth with in the first place?
Most of these devices have no way to auth to a captive portal in the first place, and for them to use a network that is behind a captive portal, their mac addresses would have to be whitelisted so they do not have to auth to this captive portal.
I would be happy to help the user validate his syntax correct.. But without some more info - I don't see the point of doing what he is asking to do at all.. And wanting help him from going down some rabbit hole blocking this and that and the other thing that serves no real purpose.
-
It appears I am using the wrong methodology to block external traffic. I am already blocking all external IP traffic from problematic countries. I wanted to also block all traffic from inside the US from devices known to be used by hackers. I have already tuned my wireless network to be invisible 10' outside my home. If you are within that perimeter my security system has already alerted me to your presence. Is there a way to block external IP packets from specific manufacturers devices?
-
@thisislivin said in Block MAC Headers from known hacked devices:
Is there a way to block external IP packets from specific manufacturers devices?
Not with mac addresses that is for sure - mac addresses are only layer 2. So unless the devices were directly connected to your wan L2 network..
-
Thanks for helping a Pfsense newbie.
-
@thisislivin said in Block MAC Headers from known hacked devices:
Pfsense newbie.
As we are all learning every day, So I guess we all are.
But you can shift from "think you know" to "know you know" just by looking at something like this :
It starts with a wire, 8 conductors .... easy.
By the end, you know what 'networks" are, what and IP address is, and a MAC address.
