There was a problem where I work the other day: a mobile device was flooding one of our ADSL connections, using all of the available bandwidth. We needed to block the device from flooding our guest wifi. This connection is used primarily for the guest wifi, which is provided purely as a connection to the Internet. This post assumes that you have a router built on a Linux machine where you run your own firewall, rather than the modem/router box provided by your ISP.
Not knowing what the device was meant we could not determine why, or what, it was transmitting. It could have been infected with malware, or it could simply have been a rogue app pushing all of the device owner's data to a location not of their choosing. To find out which device was causing the problem we went through the following steps. First we needed to check that the device was in fact on the guest wifi. If it was, that takes the pressure off, as it cannot connect to our LAN and disrupt other systems.
Let's install a couple of network tools. On Debian and Ubuntu the arp command comes from the net-tools package.
sudo apt-get update
sudo apt-get install iptraf net-tools
To isolate the network card that is receiving the data from the rogue device, start iptraf (sudo iptraf). Use the IP traffic monitor option and monitor all interfaces to start with. This will show which network interface is carrying the bandwidth.
A brutal way of testing your analysis that one particular interface is causing the problem is to bring down that interface, say eth2. I said it was brutal 🙂
sudo ifdown eth2
At this point the high load on the ADSL connection should drop off. Remember to bring the interface back up again.
sudo ifup eth2
We can then start iptraf again, this time on that interface only. This will show a smaller number of IP connections and you should be able to identify the IP address of the offending device; let's say it is 10.2.200.5. As we use DHCP on the guest wifi we cannot block the device by IP address, because the address it is given can change from one lease to the next. We need to block the device by its MAC address, which does not change when the lease does. To find the MAC address for the device we can use the following arp command, where -i is the interface connected to the device and -n shows the IP address rather than the host name.
sudo arp -i eth2 -n
After running the arp command you will be shown a list of devices that are connected to the network interface. It should look something like this:
Address                  HWtype  HWaddress           Flags Mask            Iface
10.2.200.5               ether   XX:XX:XX:XX:XX:XX   C                     eth2
Now we have the MAC address we can use iptables to DROP all of the packets on the INPUT chain and on the FORWARD chain for that MAC address. The mac match looks at the source MAC address of each incoming frame, so it only works on the router interface the device is directly connected to, and the rules must come before any rule that would ACCEPT the traffic. Add them to the beginning of your firewall script, flush all the tables and rerun your rules (on a live ruleset, use -I instead of -A so they are inserted at the top of each chain). After a few seconds your network traffic will drop off, as the device will no longer be able to send or receive packets.
iptables -A INPUT -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
iptables -A FORWARD -m mac --mac-source XX:XX:XX:XX:XX:XX -j DROP
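The lookup-and-block steps above, as an added example script that is not part of the original post: it parses arp output for the IP, validates the MAC so a stale or "(incomplete)" entry never becomes a rule, and generates the DROP rules with -I so they sit at the top of each chain. The arp output, addresses and interface name below are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: resolve the MAC address behind an
# IP from "arp -i <iface> -n" output and generate the iptables DROP rules.
# Rules are only printed unless APPLY=1 is set; sample data below is constructed.

# Print the MAC for <ip> from <arp_output>; prints nothing if the entry is
# missing or "(incomplete)", so a stale address never becomes a rule.
mac_for_ip() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        $1 == ip && $2 == "ether" { print tolower($3); exit }'
}

# Accept only a well-formed aa:bb:cc:dd:ee:ff address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Emit DROP rules for INPUT and FORWARD. "-I <chain> 1" inserts at the top of
# the chain, so an earlier ACCEPT rule cannot let the traffic through.
block_rules() {
    printf 'iptables -I INPUT 1 -m mac --mac-source %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD 1 -m mac --mac-source %s -j DROP\n' "$1"
}

# Block the device currently holding <ip> on <iface> (run as root on the router).
block_ip_on_iface() {
    mac=$(mac_for_ip "$1" "$(arp -i "$2" -n)")
    if ! is_mac "$mac"; then
        echo "no complete ARP entry for $1 on $2" >&2
        return 1
    fi
    block_rules "$mac"
    [ "${APPLY:-0}" = 1 ] && block_rules "$mac" | sh
    return 0
}

# Constructed arp output (MACs from the IANA documentation range) for a dry run.
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
10.2.200.5               ether   00:00:5e:00:53:01   C                     eth2
10.2.200.7                       (incomplete)                              eth2
10.2.200.1               ether   00:00:5e:00:53:fe   C                     eth2'

# Dry run against the sample: prints the two rules for 10.2.200.5.
mac=$(mac_for_ip 10.2.200.5 "$SAMPLE_ARP")
is_mac "$mac" && block_rules "$mac"
```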
Finding the owner of the device was really simple: we waited to see who started complaining that there was no guest wifi. 🙂
So there you have it: the steps to find and block a device from flooding our guest wifi.