Plugin Idea - Mac Address Banning

Discussion in 'Bukkit Discussion' started by ghost0001, Jul 6, 2011.

Thread Status:
Not open for further replies.
  1. Offline

    ghost0001

    First off, is this possible? I can get mac address from packet sniffing with wireshark. However, there currently is no banning system for MAC addresses. So, if possible, would a dev want to pick this up?
     
    Nytewarrior and blutherz like this.
  2. Offline

    tcvs

    wut u mean because the server already comes with a ip banner and normal banner through the console
     
  3. Offline

    Gnatz

    It would be very interesting, because IP banning fails if the banned person changes the IP address - ie when switching their router off and on. With MAC address blocking you could make sure that people using a specific network interface do not come to your server ever again, no matter what IP or username they use.

    I for one would install and use such a plugin.
     
    blutherz likes this.
  4. Offline

    Don Redhorse

    this will only work in a local network as normally only the mac of the next hop is including in a package IIRC.. but I would need to look that up again... old memories of network trace reading... shudder...
     
  5. Offline

    tcvs

    does banning the user name not work
     
  6. Offline

    ghost0001

    i beg to differ, because with layer 2, unlike layer 1(physical), your MAC address is attached to every packet your PC sends/receives. I have sniffed networks before and if you check your packets, they always are addressed to you via IP and MAC. If you would ban a user's MAC then that PC would be banned. Sooner or later, that user would run out of computers. I need to see how these IP based banning plugins work. I dont write java, but I do program Cisco routers and switches.
     
  7. Offline

    bassfader

    But only if he doesn't know how to spoof the MAC of his network card, which is fairly simple...
     
  8. Offline

    ghost0001

    true you are, just like an IP it is spoofable. Most users don't know how to do that. As for the idea of this plugin, all they would think is that their IP was banned. Currently I am using Easy Bans. I like it, but this little pest I have has changed his third octet about five times. So i have banned five subnets. I dont want to ban more than i need to, because this would keep other users out from the world.

    EDIT:
    I have my PC in the DMZ of my router. Effectively making the internet my LAN
     
  9. Offline

    RawCode

    you cant.

    on login client report only it's name and IP, if you have online mode also handshake, no mac adress is reported.

    also ever if you provide modded client, simple plugin will be able to overwrite it's content.
     
  10. Offline

    ghost0001

    i know in the packets we see MAC addresses...is there no way to pick up on this at all?
     
  11. Offline

    Takel

    You 'program Cisco routers and switches' but you don't recall that the MAC address is used for link to link communications and thus is subject to being changed whenever the frame needs to travel across subnets?
     
    4am likes this.
  12. Offline

    4am

    That and no, Bukkit exposes no API for deep packet inspection. You'd have to hack straight into the net.minecraft code and that breaks/changes every version.
     
  13. you will ban your gateway, nice idea.

    this will only works with lan connected clients, as mac address dont spread over the internet.
     
  14. Correct. MAC addresses are for local links only. Usually only point to point.
     
  15. Offline

    4am

    Also, as a FYI: With IPv6, MAC address are part of the IP, therefore banning an IPv6 address will ban the whole machine. Of course, that'll have to wait until IPv6 becomes standard (which, really, should have happened years ago)
     
    Sukasa likes this.
  16. Offline

    ghost0001

    agreed on IPv6, as for my cisco skills, still developing. got ton of work. but i could have sworn i saw mac address target in the packets i was looking in. oh well, this was just an idea. i appreciate the input you all gave. I guess I'll need a more in depth program outside of minecraft to handle connections.

    as for this:

    You 'program Cisco routers and switches' but you don't recall that the MAC address is used for link to link communications and thus is subject to being changed whenever the frame needs to travel across subnets?​


    I suffer from CRS sometimes and have difficulties remembering crap before my coffee, so yes, i have issues.​
     
  17. Yes, MAC address is part of the packet header. It just isn't helpful outside of the local loop.
     
  18. Offline

    ghost0001

    ya know, packets are encap'ed with the mac address of all devices between the start and the finish. so why not? i guess bukkit wont handle it, bc it only has an API to handle IP's. But maybe later they can support MAC banning. Your right, but look deeper into a packet. There you will find the source...
     
  19. It shouldn't have the MAC address of every hop. That doesn't even make sense considering there is a single source and single destination field.
     
  20. Offline

    Kaosvf

  21. Offline

    4am

    I'm not sure if TCP/IP allows for extra data fields to be sent along with the packet; also, underlying protocols may include the information as part of the datagram. However, this is at best unreliable, and not really likely enough to occur to make this feasable. Good thought, though; unfortunately we still have only IP/player name to go by.
     
  22. Offline

    ghost0001

    well, ok, so maybe not on the packet...but couldnt we negotiate a handshake within bukkit to get a mac address from the client? i am thinking along the lines like ospf in routers, but maybe bukkit could request from the client a mac address of the player's pc. this might be far fetched, but when ipv6 finally gets implemented, we wont have to worry too much about how to ban.

    -- A bit of background as to why i even thought of this:
    A user came to my server one day and after a week of playing he was banned due to breaking my server rules more than once. he continued to change his IP*(not mac) via his DSL connection. So after unsuccessfully banning individual ip's i got fed up and hoped that someone in the community could have figured out a mac ban. i found easy ban and so far i have blocked five class C addresses. yup, you read right, 5 X 255 ip's. All because he has changed his third octet five times. he hasn't been heard of since, but i wanted something a bit more permanent. anyhoo, it was just a thought, and i appreciate all the input. but since bukkit does not support this, and probably never will, it will just stay a good idea.

    on another note, will minecraft/bukkit support IPv6?
     
  23. You could make a feature request in Spout to add something like this.

    As for IPv6, it already supports it.
     
  24. Offline

    draeath

    Erm, your MAC address disappears when you cross a gateway. Period. The most you would be able to do is ban your gateway, instantly preventing anyone from another subnet (read: anyone not on your local LAN from playing.

    Want to argue? Don't make me pull out my credentials and HUUUGE book that explains every. single. freakin'. subprotocol.
     
    Vhab likes this.
  25. Offline

    ghost0001

    yeah yeah, I'm reading that now...did a ping of my gateway and compared it to a few packets to further destinations(i'm not ccnp, ccna, or ccie certed. but i freaking work with this crap daily out here in iraq.). alright, i accept defeat. but the question remains, can we ask for it somehow. like a verification handshake. client connects then the server asks for the physical address in some type of message. server then checks the mac that was sent in a message and verifies it to a ban/whitelist. is this possible? if so, what would we need? i saw spout, but i was thinking of something that didn't require a client mod.
     
  26. Offline

    Celeixen

    I am pretty positive this isn't possible because wouldn't you just be reading the mac address of the router/modem. Also the reason they made white-list's is for over-protective admins like yourself (no offence, just sounds that way).
    Unless you are expecting a visit from team AVO or AMG i don't think you will require that level of protection.
     
  27. Offline

    SwearWord

    Sigh so much false information in this thread. Real life != movies.

    IP Spoofing = not possible. If by spoofing you mean using a proxy, then yes it's possible.

    MAC Address is changeable. Very easily changeable, no efforts are even taken to stop it. The reason behind it is because they don't matter. They don't survive past your modem.

    Why do you need such complicated banning. Ban their name and boom they're gone. Oh wait, unless you're running a cracked server. Then ban them based on geography.
     
    Vhab likes this.
  28. Offline

    JD DeGaetano

    I know this posted back in August, but how does one ban based on geography?
     
  29. Offline

    iPhysX

    @JD DeGaetano You can create a plugin with the Bukkit API, using a GeoIP library.
     
Thread Status:
Not open for further replies.

Share This Page