Can my network administrator know that I am using a virtual router to access the internet on my unauthorised devices?

52

10

I am a university student, and my university's network administrator uses MAC addresses (1 MAC address / student) to authorise access to the internet. The students regularly use virtual routing software to create a hotspot to connect to their other devices (MAC spoofing is one possible workaround, but spoofing on a handheld device, for example, an Android device, requires root access, which itself is a pain to gain).

Recently, the administrator directed all the students to refrain from using hotspots, otherwise he will punish those who don't comply (by removing the student's MAC address from the authorised MACs database, I suppose). I have a strong feeling that he is just plain bluffing.

My query is, is it at all possible for the administrator to know that a device is using virtual routing to connect to other unauthorised devices?

Note: I tried searching for resources online, for example, how exactly the virtual routers do their networking, but I couldn't find any substantial information. I would appreciate it if someone could even just point me to some resources which would be of use to me.

Tanmay Garg

Posted 2016-09-15T07:27:36.647

Reputation: 631

Answers

41

Yes, your use of a wireless hotspot can be identified using a wireless intrusion prevention system.

The primary purpose of a WIPS is to prevent unauthorized network access to local area networks and other information assets by wireless devices. These systems are typically implemented as an overlay to an existing Wireless LAN infrastructure, although they may be deployed standalone to enforce no-wireless policies within an organization. Some advanced wireless infrastructures have integrated WIPS capabilities.

vembutech

Posted 2016-09-15T07:27:36.647

Reputation: 5 693

17

They won't know via the MAC address, but will be able to find the unauthorized wifi point. At my last job we got a map of all wifi points, authorized and non-authorized, accurate to usually a room. We didn't restrict people to one MAC address, that is too limiting, we just didn't want rogue wifi points. Students would complain to housing, dean, administration and anyone if we tried to restrict them. We found the average student had 3-5 devices on our wifi in dorms and 2 for non-dorm. (Phone, tablet, laptop, xbox, playstation, etc.) – MikeP – 2016-09-15T18:52:58.660

7

Depending on the other devices you want to use, the solution may just be to bridge the legitimate connection from your machine to one or more networking cables and plug into those. Those wouldn't be found short of a physical inspection of the room. – SeldomNeedy – 2016-09-15T20:22:49.297

2

One of the easy ways to detect connection sharing is the examination of TTL values in IP packets originating from the device. There are lists of default TTL values for various operating systems and devices. If a system detects a TTL of (default-1, e.g. 127 when 128 appears in the list of defaults and 127 does not) it can be pretty sure that the packet came from a device on a shared connection. Some 3G mobile providers use that trick as well. – xmp125a – 2016-09-16T13:06:56.310

3

WIPS is detection of ANY access points within radio range. An AP without access to the network (or any network) would be detected just as well and drive the admin crazy. – Agent_L – 2016-09-16T14:48:18.590

2

@xmp125a He can make his computer set the same TTL on all outgoing packets, such as using iptables. – v7d8dpo4 – 2016-09-16T16:17:13.150

Does it mean he can safely use multiple devices if they're connected via ethernet cables or via Wi-Fi in a metal box connected to ground? – v7d8dpo4 – 2016-09-16T16:21:14.793

1

@v7d8dpo4 I did not mean to instruct him how to hack his way in, just making him aware that he may be identified quite easily by the administrator. My advice is: talk to the admin and ask nicely for authorization for using more devices. – xmp125a – 2016-09-17T14:16:45.880

1

@xmp125a: If you're going to do what OP is talking about after being told not to by a BOFH, you really need to be using a VPN for all your traffic, in which case they're not going to be able to examine your TTLs. – R.. GitHub STOP HELPING ICE – 2016-09-18T20:44:36.953

38

Besides physically running around and detecting hotspots via WLAN traffic ("warwalking"?), or maybe using the existing router to detect them, traffic patterns can also be a giveaway - your hotspot has a different signature than your device.

Instead of working against your sysadmin (which is a PITA for both sides), talk to him. I don't know why they have the "one MAC per student rule", maybe they can relax it a bit? Say, "two or three MACs per student". Not much more trouble to administrate.

I don't know how the political side of the student representation works at your uni, but often students can voice their interests in some way. Yes, this is slower than just setting up a hotspot, but also more effective.

dirkt

Posted 2016-09-15T07:27:36.647

Reputation: 11 627

3

Existing access points [not routers] do in fact have such detection features – especially the ones that come with a central controller, like UniFi, show a list of all 'rogue' APs detected anywhere in the building. – user1686 – 2016-09-15T08:23:08.697

3

As for multiple MACs, maybe they just don't want the extra work (having to add each and every student's MAC address to the routers' whitelists is sure annoying). Maybe eventually they'll figure out that they can do password logins instead. – user1686 – 2016-09-15T08:42:31.197

1

Hey, thanks for the answer! And nice idea, I sure will contact the student association head :) @grawity, nice suggestion I will discuss this with the admin :) – Tanmay Garg – 2016-09-15T08:46:01.073

17

@grawity Even better, they could become part of something like eduroam so that they have a password login that works in other universities around the world too. – Bakuriu – 2016-09-15T15:30:50.177

Enterprise wifi software (Cisco makes one) can provide an actual map of all authorized and unauthorized devices and their locations. Easy to find. – MikeP – 2016-09-15T18:53:45.010

20

I used to work as a network administrator's assistant for a college. It sounds like a generational difference issue or the school's network can't handle more than 1 device for each student, staff member, etc. Probably every student has more devices than the policy allows.

The short answer is YES they can detect unauthorized access. NO, don't do it. I routinely revoked access for network violations (file sharing, illegal software, viruses, porn in the computer labs, etc). Many of those students had to leave school, because college is quite difficult without computer access. The students are exposing the network to risk. What if someone's unauthorized device passed a virus that wiped your doctoral research and thesis? If you think it's a joke now, try it at a job and see what happens.

Work with the network administrator, student government, administration, etc. to get additional wireless access for "your other devices" that don't NEED to be on the school's network and/or in common areas (like the free wifi in most coffee shops). This prevents load on the "actual" school network, and still gives you the internet access you want.

Jon Milliken

Posted 2016-09-15T07:27:36.647

Reputation: 301

16

This sounds more like pushing responsibility to the student by offering a deliberately crippled ISP service. – March Ho – 2016-09-15T17:18:02.330

@MarchHo A university isn't an ISP and the network access they're providing is far from crippled. – Lilienthal – 2016-09-15T17:25:36.170

10

Every Starbucks seems to be able to manage any "risk" posed by allowing any device to connect to the network just fine, and a university can't? – Random832 – 2016-09-15T18:08:25.470

20

University is essentially an ISP. Simply consider the network as 'hostile' or 'unsecure'. Never mix 'secure' network stuff with any student, staff, or employee system. It is a BYOD(s) world at school and at work. – MikeP – 2016-09-15T18:55:25.557

21

"What if someone's unauthorized device passed a virus that wiped your doctoral research and thesis?" What if an authorized device did the same thing? If anything, unauthorized mobile devices are probably a lower risk to the network than the authorized computers, as they're generally less susceptible to viruses/malware. – duskwuff -inactive- – 2016-09-15T21:58:07.933

7

"If you think it's a joke now, try it at a job and see what happens." SO MUCH THIS. Students put so much effort into trying to bypass these rules, and so little into trying to understand them and trying to get used to them. Then they go into industry and are surprised when they discover how the working world works. Well, shock horror, we did try to train you... but, kids, you weren't interested. – Lightness Races with Monica – 2016-09-15T23:58:23.907

11

"What if someone's unauthorized device passed a virus that wiped your doctoral research and thesis?" <<< so it would be ok if it were an authorised computer? How does limiting MAC addresses have any bearing on this? If the network is vulnerable to attack that is the administrator's responsibility. If a company has a BYOD policy, they (should) have the infrastructure to manage devices that are infected etc. It is not a difficult (or expensive) task to create a secure network for insecure devices. - Risking someone's thesis as a result of this would be purely incompetent. – Michael B – 2016-09-16T09:25:56.860

2

@LightnessRacesinOrbit in the real world decent companies don't have quite so many arbitrary rules to work around – JamesRyan – 2016-09-16T11:17:13.847

@JamesRyan: You must work for a very lax company. You are fortunate! – Lightness Races with Monica – 2016-09-16T12:34:12.730

7

I can think of a handful of ways to detect this kind of behaviour in a network. The restriction is not a great one when really what they should do is limit connections by port rather than MAC, but it's their network and their rules even if it does create an easy (targeted) denial of service attack if you were to spoof someone else's MAC address.

Taking https://networkengineering.stackexchange.com/questions/123/how-do-you-prevent-rogue-wireless-access-points-on-a-network as a starting point it seems pretty clear that any decent wireless infrastructure would be able to detect rogue hotspots (even a dd-wrt box can do a wireless survey to see what else is around.)

Since the admins control the traffic, IDS tools like Snort can also be brought to bear and would give you away pretty quickly if the admins were keen to find people who weren't compliant. Some protocols don't even hide that they're operating through NAT (RFC7239 has http headers like X-Forwarded-For specifically for use by web proxies.) RFC2821 advises SMTP clients to send an optional identifier though it's not mandatory.

The only way you could really hide something like that is to have the device which connects to their network send everything out to a VPN or system like TOR, which in itself would raise some attention in your direction.

While not exactly the same situation as they don't seem to have the same restrictions, the University of Cambridge's security team do frown upon the use of NAT in their network as seen in Firewalls and Network Address Translation policy and provide some background on their reasoning.

TL;DR - If you want to use more devices then you need to go through the system and student representation to address the issues you're facing, because if your admins want to catch you then they will.

James Snell

Posted 2016-09-15T07:27:36.647

Reputation: 348

1

+1 for the VPN comment! Definitely an easy way to hide all the traffic.

I doubt it would raise attention... just tell the admin it's for work or something. I.e. you're connecting to a work VPN and aren't allowed to divulge any information other than that. lol – maplemale – 2016-09-16T17:41:11.570

@maplemale - I very much suspect any sysadmin who cares about the number of mac addresses in use would absolutely care about finding tor/vpn traffic. – James Snell – 2016-09-27T17:12:03.343

I don't understand how one would even know if a private VPN is in use? I can see how a public VPN could be detected and blocked via a known list of IPs. But, unless the sysadmin is looking for the protocol identified at the packet level (unlikely he has that sophisticated of a firewall), how could one tell you're even using a VPN?

And second, why would they care? Seems likely VPNs are used all over the network by staff and students regularly for legitimate reasons. Attempting to block VPN traffic seems like a slippery slope. Like, how many students are you preventing from having side jobs? – maplemale – 2016-09-27T18:48:09.500

@maplemale - I could catch someone doing that on my network and it's not that advanced. The rest sounds like a good question for you to search for here and ask if you can't find the answer. Personally if I were admin there I'd have things to say about someone punching a hole through my firewall(s) to who only knows where; especially in a university given the interest of state-sponsored hackers in attacking research facilities. I'd at very least want to have a fairly in-depth 'chat' about what is happening, after I'd disconnected you... – James Snell – 2016-09-27T21:13:00.233

If it's "not that advanced", why not explain? "The rest" was more of a statement than a question. – maplemale – 2016-09-27T22:03:30.950

Such an explanation is off-topic for this question and these comments have headed beyond feedback and clarification. You've asked about catching someone on a VPN, which needs to be a separate question as it is unrelated to sharing a MAC address between devices and the potential for being discovered. Odds are your question has been asked already. – James Snell – 2016-09-28T14:20:54.457

5

My network utilizes a system that has detectors spaced throughout the buildings, and if a rogue SSID shows up it will actually triangulate the location of the device. The system isn't cheap, but good Lord, it's probably more cost effective in the long run if you add up time spent manually managing MAC addresses; that has to be an administrative nightmare. Of all the ways to lock down a system, I really can't think of a worse way of doing it.

As others have said, work with the admins, don't try to beat them. With available technology these days, you don't even need a good network admin to catch you. Try to change policies, see if exceptions are allowed, etc. You'll be better off in the end.

DroolTwist

Posted 2016-09-15T07:27:36.647

Reputation: 51

What if you hide the SSID? Also, SSID scanning is not feasible, as it could as well be a 4G router or phone set to tethering, not necessarily being connected to the local network. – TJJ – 2019-05-22T09:37:30.887

So, if a user activates tethering on his phone, or buys a 4G router, it will show up... – TJJ – 2019-05-22T09:50:33.207

3

As others have said, it's possible for the admins to detect rogue wireless hotspots. But it's also possible to detect unauthorized devices through deep packet inspection. Mobile phone companies can use deep packet inspection to detect unauthorized tethering. You can read about it at https://android.stackexchange.com/questions/47819/how-can-phone-companies-detect-tethering-incl-wifi-hotspot. If Windows-generated packets and Linux-generated packets are both coming from your MAC address at the same time, it's likely you have more than one device attached.

On the other hand, deep packet inspection is expensive, and the admins might not have the budget to implement it. Or they might simply be unwilling to go to that level of effort to catch cheaters. But you don't know that for sure. It's probably best to talk to the admins and see if you can work out something.

Jonathan

Posted 2016-09-15T07:27:36.647

Reputation: 291
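The two passive signals mentioned in this thread (xmp125a's TTL-decrement check and the mixed-OS observation in the answer above) can be combined into one per-MAC check. The script below is an added illustration, not code from any of the posters; it runs over constructed flow records (MAC, observed IP TTL, HTTP User-Agent) as a sensor on the same L2 segment would see them, and it uses only the well-known initial TTL defaults of 64, 128 and 255.

```python
"""Added example: flag an authorised MAC that looks like it is fronting a
shared (NAT'd) connection. Sample records below are constructed."""
from collections import defaultdict

# Common initial TTLs: 64 (Linux/Android/macOS/iOS), 128 (Windows), 255 (network gear).
DEFAULT_TTLS = (64, 128, 255)

# Constructed records: (src_mac, observed_ttl, user_agent) captured on the access segment.
SAMPLE_FLOWS = [
    ("aa:bb:cc:00:00:01", 128, "Mozilla/5.0 (Windows NT 10.0)"),        # laptop itself
    ("aa:bb:cc:00:00:01", 127, "Mozilla/5.0 (Windows NT 10.0)"),        # one hop behind it
    ("aa:bb:cc:00:00:01", 63,  "Mozilla/5.0 (Linux; Android 6.0)"),     # phone via hotspot
    ("aa:bb:cc:00:00:02", 64,  "curl/7.47.0"),                          # plain Linux host
]

def initial_ttl(observed):
    """Round an observed TTL up to the nearest well-known default, or None if above 255."""
    return next((d for d in DEFAULT_TTLS if observed <= d), None)

def hop_count(observed):
    """Hops already crossed: 0 for a host attached directly to the sensed segment."""
    base = initial_ttl(observed)
    return None if base is None else base - observed

def os_family(user_agent):
    """Coarse OS guess from the User-Agent string; 'unknown' never counts as a conflict."""
    if "Windows" in user_agent:
        return "Windows"
    if "Android" in user_agent or "Linux" in user_agent:
        return "Linux/Android"
    return "unknown"

def analyse(flows):
    """Return {mac: [finding, ...]}; an empty list means nothing suspicious for that MAC."""
    seen = defaultdict(lambda: {"hops": set(), "os": set()})
    for mac, ttl, ua in flows:
        hops = hop_count(ttl)
        if hops is not None:
            seen[mac]["hops"].add(hops)
        seen[mac]["os"].add(os_family(ua))
    findings = {}
    for mac, obs in seen.items():
        notes = []
        # A directly attached host arrives at hop 0; hop >= 1 means something on the
        # student's side routed the packet (i.e. a software router / NAT in the path).
        if any(h >= 1 for h in obs["hops"]):
            notes.append("ttl-decremented: traffic routed through an extra hop")
        families = obs["os"] - {"unknown"}
        if len(families) > 1:
            notes.append("mixed-os: " + ", ".join(sorted(families)))
        findings[mac] = notes
    return findings

if __name__ == "__main__":
    for mac, notes in analyse(SAMPLE_FLOWS).items():
        print(mac, notes or "ok")
```

The TTL test only holds when the sensor sits on the same segment as the authorised device (a sensor behind a campus router would see every host one hop further away), and a host that rewrites its outgoing TTL, as noted in the comments, defeats it; the OS-mix signal survives that but is only as reliable as the User-Agent strings.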

1

As mentioned above the answer is yes. A WiFi hotspot (an AP) is very visible. For example a hotspot sends a periodic beacon with the MAC address. Packet inspection (TCP headers, TTL), inspection of timing/latency, how the node responds to packet loss, what sites it visits (Windows Update or Play Store), HTTP headers generated by the browsers can point to the use of routing software and multiple devices. The systems are not cheap, but they exist.

Your options are:

  • Use non-wireless solutions and pray that deep packet inspection is not available to your admin and she is not running a simple script which checks the visited software update sites.
  • Reduce the transmission power on all devices to the absolute minimum.
  • Make sure that you are not using device-specific browsers/software packages. For example, the same MAC will not use IE and the Android web browser.

Larytet

Posted 2016-09-15T07:27:36.647

Reputation: 121