Plugin Idea - Mac Address Banning

First off, is this possible? I can get mac address from packet sniffing with wireshark. However, there currently is no banning system for MAC addresses. So, if possible, would a dev want to pick this up?

 

wut u mean because the server already comes with a ip banner and normal banner through the console

 

It would be very interesting, because IP banning fails if the banned person changes the IP address - ie when switching their router off and on. With MAC address blocking you could make sure that people using a specific network interface do not come to your server ever again, no matter what IP or username they use.

I for one would install and use such a plugin.

 

+1

 

this will only work in a local network as normally only the mac of the next hop is including in a package IIRC.. but I would need to look that up again... old memories of network trace reading... shudder...

 

does banning the user name not work

 

i beg to differ, because with layer 2, unlike layer 1(physical), your MAC address is attached to every packet your PC sends/receives. I have sniffed networks before and if you check your packets, they always are addressed to you via IP and MAC. If you would ban a user's MAC then that PC would be banned. Sooner or later, that user would run out of computers. I need to see how these IP based banning plugins work. I dont write java, but I do program Cisco routers and switches.

 

But only if he doesn't know how to spoof the MAC of his network card, which is fairly simple...

 

true you are, just like an IP it is spoofable. Most users don't know how to do that. As for the idea of this plugin, all they would think is that their IP was banned. Currently I am using Easy Bans. I like it, but this little pest I have has changed his third octet about five times. So i have banned five subnets. I dont want to ban more than i need to, because this would keep other users out from the world.

EDIT:
I have my PC in the DMZ of my router. Effectively making the internet my LAN

 

you cant.

on login client report only it's name and IP, if you have online mode also handshake, no mac adress is reported.

also ever if you provide modded client, simple plugin will be able to overwrite it's content.

 

i know in the packets we see MAC addresses...is there no way to pick up on this at all?

 

You 'program Cisco routers and switches' but you don't recall that the MAC address is used for link to link communications and thus is subject to being changed whenever the frame needs to travel across subnets?

 

That and no, Bukkit exposes no API for deep packet inspection. You'd have to hack straight into the net.minecraft code and that breaks/changes every version.

 

you will ban your gateway, nice idea.

this will only works with lan connected clients, as mac address dont spread over the internet.

 

Correct. MAC addresses are for local links only. Usually only point to point.

 

Also, as a FYI: With IPv6, MAC address are part of the IP, therefore banning an IPv6 address will ban the whole machine. Of course, that'll have to wait until IPv6 becomes standard (which, really, should have happened years ago)

 

agreed on IPv6, as for my cisco skills, still developing. got ton of work. but i could have sworn i saw mac address target in the packets i was looking in. oh well, this was just an idea. i appreciate the input you all gave. I guess I'll need a more in depth program outside of minecraft to handle connections.

as for this:

You 'program Cisco routers and switches' but you don't recall that the MAC address is used for link to link communications and thus is subject to being changed whenever the frame needs to travel across subnets?​

​

​

I suffer from CRS sometimes and have difficulties remembering crap before my coffee, so yes, i have issues.​

 

Yes, MAC address is part of the packet header. It just isn't helpful outside of the local loop.

 

ya know, packets are encap'ed with the mac address of all devices between the start and the finish. so why not? i guess bukkit wont handle it, bc it only has an API to handle IP's. But maybe later they can support MAC banning. Your right, but look deeper into a packet. There you will find the source...

 

It shouldn't have the MAC address of every hop. That doesn't even make sense considering there is a single source and single destination field.

 

+1

 

I'm not sure if TCP/IP allows for extra data fields to be sent along with the packet; also, underlying protocols may include the information as part of the datagram. However, this is at best unreliable, and not really likely enough to occur to make this feasable. Good thought, though; unfortunately we still have only IP/player name to go by.

 

well, ok, so maybe not on the packet...but couldnt we negotiate a handshake within bukkit to get a mac address from the client? i am thinking along the lines like ospf in routers, but maybe bukkit could request from the client a mac address of the player's pc. this might be far fetched, but when ipv6 finally gets implemented, we wont have to worry too much about how to ban.

-- A bit of background as to why i even thought of this:
A user came to my server one day and after a week of playing he was banned due to breaking my server rules more than once. he continued to change his IP*(not mac) via his DSL connection. So after unsuccessfully banning individual ip's i got fed up and hoped that someone in the community could have figured out a mac ban. i found easy ban and so far i have blocked five class C addresses. yup, you read right, 5 X 255 ip's. All because he has changed his third octet five times. he hasn't been heard of since, but i wanted something a bit more permanent. anyhoo, it was just a thought, and i appreciate all the input. but since bukkit does not support this, and probably never will, it will just stay a good idea.

on another note, will minecraft/bukkit support IPv6?

 

You could make a feature request in Spout to add something like this.

As for IPv6, it already supports it.

 

Erm, your MAC address disappears when you cross a gateway. Period. The most you would be able to do is ban your gateway, instantly preventing anyone from another subnet (read: anyone not on your local LAN from playing.

Want to argue? Don't make me pull out my credentials and HUUUGE book that explains every. single. freakin'. subprotocol.

 

yeah yeah, I'm reading that now...did a ping of my gateway and compared it to a few packets to further destinations(i'm not ccnp, ccna, or ccie certed. but i freaking work with this crap daily out here in iraq.). alright, i accept defeat. but the question remains, can we ask for it somehow. like a verification handshake. client connects then the server asks for the physical address in some type of message. server then checks the mac that was sent in a message and verifies it to a ban/whitelist. is this possible? if so, what would we need? i saw spout, but i was thinking of something that didn't require a client mod.

 

I am pretty positive this isn't possible because wouldn't you just be reading the mac address of the router/modem. Also the reason they made white-list's is for over-protective admins like yourself (no offence, just sounds that way).
Unless you are expecting a visit from team AVO or AMG i don't think you will require that level of protection.

 

Sigh so much false information in this thread. Real life != movies.

IP Spoofing = not possible. If by spoofing you mean using a proxy, then yes it's possible.

MAC Address is changeable. Very easily changeable, no efforts are even taken to stop it. The reason behind it is because they don't matter. They don't survive past your modem.

Why do you need such complicated banning. Ban their name and boom they're gone. Oh wait, unless you're running a cracked server. Then ban them based on geography.

 

I know this posted back in August, but how does one ban based on geography?

 

@JD DeGaetano You can create a plugin with the Bukkit API, using a GeoIP library.