Why ISPs Shouldn't Ban MAC Addresses

I'm very fed up with the University of Toronto, and its terrible network management. Last Saturday, I was cut off from the internet at about 11:00 PM for no apparent reason. I hadn't touched any cables (I'm hooked up by a cord), and the other people in this suite had perfectly working internet. I sighed heavily, scooped some ice cream, and proceeded to diagnose the problem.

The little connectivity symbol on my startbar was acting strange. Once in a while it would appear normal:

But sometimes, a yellow exclamation mark would appear, signaling that something was wrong. After running a diagnostic test, Windows 7 told me my configurations were correct, but it couldn't connect to the primary DNS. I tried disabling and re-enabling, jiggling my cord, and even ran a bunch of ipconfig commands in the hope it would be fixed. No luck. Here's what it would look like:

Ok - I had three ideas:

  1. My ethernet card was broken
  2. My ethernet cord or socket was really broken
  3. My MAC address had been banned off the network without notice

Let me rewind. I'm currently living at the University of Toronto for the summer for an internship - I don't actually go here. My $600/month under a 4 month contract is supposed to include internet service, and I have been very careful not to violate any of their sensible rules. I say sensible, because I'm pretty sure a failing law student drew up their contracts. I point you to one of many issues with the Occupancy Agreement, for example:


14. The Resident will not keep any firearm, fireworks, weapon, explosive, animal, fish, reptile, insect, bird in the Room, Suite or Residence


Read it carefully - multiple problems should jump out at you. This is a completely insensible request, and every suite in the entire building is in violation. So once again, I obey all the sensible requests.

To test whether my ethernet card was broken, I tried a wifi connection, and also connected my computer to my friend's computer through the same ethernet cord. I then connected my computer to my friend's wall socket. This tested both #1 and #2, and showed me that for sure, I had been banned.

But why? I didn't get a knock on the door, a message, or even an email. Okay, network administrators are sensible people - I'm going to go talk to them. If they're up banning me at 11:00 at night, they should probably be awake, right? Wrong. My suite mate told me that apparently (I can't confirm this) this university has software that flags individuals. Then, apparently there is a delay between flagging and banning. This means that once you've been flagged, you will be banned at some random time in the future. I really hope this is not true... but evidence thus far corroborates the theory.

I went downstairs and I was told that the technicians "do not have a set schedule". Furthermore, I was told I could not contact them directly, and that I could fill out a form and they would find me "when they have time." However, being a long weekend, that might not be until Tuesday. I was about to have a verbal scuffle at this point with the desk staff, but realized they couldn't do anything about poor policy. I asked for a contact number, made them aware of my situation, and went upstairs to sleep.

The next day, a technician comes to my door and tells me he can't do anything to help me. Yes, he came to my door to tell me this. He further assured me that he would find out what was going on, and at least let me know by Tuesday. He couldn't even find out why I had been banned, and blamed it on the "central network" - and his tone suggested it was some sort of omnipotent power. He further suggested that I may have been banned in error, and that I should find alternative ways to access the internet.

Good point, technician! I might have been banned in error. I went back to my computer, and decided to just get myself online, because it's not like they intended to ban me - right? 

Good thing Microsoft smartened up and made it easy to spoof your MAC Address in Windows 7. I didn't even have to do any tinkering. So there it was, I changed my MAC Address and what do you know? This happens:

This is the standard page, telling you to authenticate yourself. I just used the same information I signed up with originally, and it worked. Had they banned my records, I could easily have written a script to brute force every room-birthday combination. Of course I didn't, because I wouldn't want to do anything bad. They hadn't banned my room, so it must have been a mistake. I ran a security check, and bam:

I was back online! I could hang out with all your wonderful people again:


Subsequently, I have been banned again yesterday, and just now again about 50 minutes ago. The funny thing is, I figured maybe I had broken one of their rules... so I did a test. Between when I was first banned and now, the only things I have done are:

  • Visit HN and read articles
  • Use Wikipedia
  • Check my Gmail
  • Use Facebook / Twitter / LAL / G+ / MSN / Skype / GTalk
  • Google random things here and there

No video streaming, no downloads, not even YouTube. It's almost Thursday, and no one has gotten back to me yet. I know this isn't a big technical accomplishment, but it's a great illustration of outdated techniques and poor implementation/service. At the very least, it's a semi-funny story to read (I hope). 

13 responses
Maybe you didn't break any rules the first time around, but I'm pretty sure spoofing your MAC address will get them mighty angry at you.
You actually read articles on a website with "HACKER" in the title tag? Then you circumvented the security system to get around your ban?

These are dangerous times, comrade. You'll be lucky if you don't end up in prison for this.

Might have been visiting HN, since the word "hack" appears. Yes, some people are this stupid. Happened to me in high school, so I just ROT-13ed everything through a proxy.
Maybe your computer is on a zombie network
I agree that it's probably either visiting HN or your computer is infected with something or other. Probably the first one, which is ridiculously stupid. What if you're a computer science student writing a paper on malicious hacks?
I guess it must be HN. I've checked for all sorts of malware, and I've even been monitoring my incoming/outgoing data.
It's not well documented, but www.noc.utoronto.ca/ has (under the 'Security' section) a list of blocked hosts on the University network. At the moment it is showing two Innis Residence IPs blocked on August 3rd for what it claims is 'Bethany botnet Command&Control connections'.

To the best of my knowledge, both the identification and the blocking are done more or less automatically by an IPS appliance located in the central networking systems. We have seen this trigger for hosts on our networks on what we are relatively certain was false positives, but we've also seen it trigger on real infected hosts. If you have a hub and a second machine you have access to, I would strongly suggest doing some traffic monitoring from that second machine; if this is you, you may be surprised by what you find and how it differs from what you see on your own machine.

(Despite the domain in my home page URL, I work in the Department of Computer Science.)

It can be a lot of things really.

- Sometimes a bad routing table combined with both wired and wireless connection results in a multicast storm.
- You have a DHCP service running (you are using a router perhaps?)
- You are sending out packets without proper CRC values (packet errors)
- You have a broken driver/netcard that sends out malformed packets.

Sniff your own data and see if you are sending out garbage. Try to get them to explain why you are getting banned (might be an automated system).
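The four causes listed above, plus the botnet command-and-control case Chris raised, each leave a distinct signature in a capture taken from a second machine. The triage script below is an added example (not this commenter's code, and not from the post); it assumes the capture has been reduced to a constructed list of per-frame records (time, source MAC, destination IP, protocol, source port, destination port, checksum OK) and runs one check per suspected cause, with the beacon check going beyond the list in the comment.

```python
import ipaddress
from collections import defaultdict

# Constructed sample capture: (time_s, src_mac, dst_ip, proto, sport, dport, cksum_ok),
# standing in for frames seen from a second machine on a hub beside the suspect host.
MY_MAC = "aa:bb:cc:dd:ee:01"   # placeholder MAC of the host under suspicion
FRAMES = [
    (0.00, MY_MAC, "93.184.216.34", "tcp", 51234, 443, True),    # ordinary HTTPS
    (0.10, MY_MAC, "255.255.255.255", "udp", 67, 68, True),      # DHCP offer FROM our host
    (0.20, MY_MAC, "224.0.0.251", "udp", 5353, 5353, False),     # mDNS, bad checksum
    (0.25, MY_MAC, "224.0.0.251", "udp", 5353, 5353, True),
    (0.30, MY_MAC, "224.0.0.251", "udp", 5353, 5353, True),
    (0.40, "00:11:22:33:44:55", "224.0.0.251", "udp", 5353, 5353, False),  # not ours
    (1.00, MY_MAC, "203.0.113.7", "tcp", 51240, 6667, True),     # same host, same port,
    (31.0, MY_MAC, "203.0.113.7", "tcp", 51241, 6667, True),     # every ~30 s: a
    (61.0, MY_MAC, "203.0.113.7", "tcp", 51242, 6667, True),     # beacon-like pattern
    (91.0, MY_MAC, "203.0.113.7", "tcp", 51243, 6667, True),
]

def outbound(frames, mac):
    return [f for f in frames if f[1] == mac]

def rogue_dhcp_server(frames, mac):
    # A client never sends from UDP port 67; only a DHCP server does.
    return [f for f in outbound(frames, mac) if f[3] == "udp" and f[4] == 67]

def peak_bcast_rate(frames, mac, window=1.0):
    # Highest count of broadcast/multicast frames we sent within any window (storm check).
    times = sorted(f[0] for f in outbound(frames, mac)
                   if f[2] == "255.255.255.255" or ipaddress.ip_address(f[2]).is_multicast)
    return max((sum(1 for t in times if 0 <= t - t0 <= window) for t0 in times), default=0)

def bad_checksums(frames, mac):
    # Frames from us that the capture tool flagged as checksum errors (bad driver/NIC).
    return sum(1 for f in outbound(frames, mac) if not f[6])

def beacon_candidates(frames, mac, min_hits=4, jitter=2.0):
    # Destinations we reconnect to at near-constant intervals (C&C-style beaconing).
    by_dst = defaultdict(list)
    for f in outbound(frames, mac):
        by_dst[(f[2], f[5])].append(f[0])
    hits = []
    for (ip, port), ts in by_dst.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_hits and max(gaps) - min(gaps) <= jitter:
            hits.append((ip, port, round(sum(gaps) / len(gaps), 1)))
    return hits
```

On the constructed sample every check fires except for the other station's frames, which are ignored because only traffic sourced from MY_MAC is examined.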

Chris - thanks for the link. I've just scanned with AVG, Malwarebytes, and S&D, and I can't find anything. I'm almost positive it's not me.
Like the other commenters said, it's probably because you're visiting Hacker News -- a site with "hacker" in the title. I suggest using a VPN (if the network hasn't blocked it) or a proxy, or just visiting HN on your mobile phone/tablet using 3G.
I'm pretty confident that browsing Hacker News is not what has triggered the blocking. Among other things this is a university environment, not a company, and these blocking systems are not run by idiots. There would be a very large revolt in any university community at such ham-handed blocking, in part because of, well, Hacker News itself.
It's because you didn't get rid of those roaches man. No insects mean NO INSECTS. That stuff revokes your internet connection man.