IDS mailing list archives
Re: Wired detection of rogue access points
From: Chad Mano <chad.mano () usu edu>
Date: Mon, 26 Mar 2007 11:15:20 -0600
Hello,

Typically it is unreliable to identify a Rogue AP based on some type of filtering or scanning because it is relatively easy to spoof header information and probe responses. I developed a method that relies on the timing characteristics of wireless communication, something that is not simple to spoof. This assumes an active TCP session between the suspect and some server and that the AP is not acting as a proxy, but the actual end-point for communication is the wireless laptop or other host.

To give a general overview, the method tracks the round-trip time (RTT) of sequence and acknowledgement numbers in TCP packets. Existing TCP traffic is utilized, which makes it unnecessary for the monitor to actually communicate directly with the suspect host/device. A timestamp is created when a TCP packet destined for the host is identified by some monitoring point (such as a managed switch or router somewhere in the LAN). When a corresponding TCP packet (ACK) is observed the RTT is calculated.

In a switched wired environment (LAN) the delays are assumed to be short and consistent relative to a wireless environment. This is due to the protocols and physical makeup of the wireless medium (half-duplex, IFS delays, random exponential backoff, etc.). In reality it is the inconsistency of the timing that really singles out wireless connections. With enough RTT values the standard deviation can be calculated, which measures the inconsistency.

There are a lot more details, but this is the general idea. The biggest problem in taking a timing-based approach deals with packet sizes and which sizes give you what you need in terms of timing analysis and which just add extra noise. I currently have a paper under review that presents the complete solution, so I'm not able to post it or send it out right now.

Chad

--
Chad D. Mano
Assistant Professor
Department of Computer Science
Utah State University
Logan, Utah 84322-4205
(435)797-0959 (office)
(435)797-3265 (fax)
chad.mano () usu edu

On 3/26/07 10:33 AM, "krymson () gmail com" <krymson () gmail com> wrote:
> Now, I'm not necessarily disagreeing with you on your other points, so don't jump on top of me... but if you have multiple WAPs set up with WDS, you may be able to see WAP-to-WAP traffic on the LAN side (this becomes the wireless backbone) as the WAPs attempt to share information. I've not been able to verify this myself, but maybe someone else here can either verify or inform me of my mistaken assumption. :)
>
> Will this detect the lame CFO plugging in a SOHO WAP in his office to get on the network from his couch closer to the window? Nope...
>
> <- snip ->
>
> For each of you that thinks they have a way to detect a wireless access point using only the LAN, please demonstrate how you would detect this.

------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
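The RTT-jitter technique Chad outlines above, worked through as an added example; this is not code from the post or from his paper. It assumes a monitoring point that sees both directions of the server-to-host TCP session, pairs each data segment with the first ACK that covers it (ack >= seq + payload), and flags a host whose RTT standard deviation exceeds a threshold. The packet capture, the addresses, the 2 ms jitter threshold and the minimum-payload filter are all constructed assumptions for the demonstration; a real deployment would calibrate them against known wired hosts.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp (seconds) at the monitoring point
    src: str
    dst: str
    seq: int         # TCP sequence number
    ack: int         # TCP acknowledgement number
    payload: int     # TCP payload length in bytes
    ack_flag: bool   # ACK bit set


SERVER = "10.0.0.5"   # constructed: the wired server end of the TCP sessions


def measure_rtts(packets, server=SERVER, min_payload=0):
    """Pair each data segment the server sends toward a host with the first ACK
    from that host that covers it (ack >= seq + payload). Returns
    {host: [rtt_seconds, ...]}. min_payload drops small segments, since the
    post notes that segment size decides which samples are useful; the cut-off
    value is an assumption, not something the post specifies."""
    pending = defaultdict(list)   # host -> [(expected_ack, send_ts), ...]
    rtts = defaultdict(list)
    for p in sorted(packets, key=lambda pk: pk.ts):
        if p.src == server and p.payload > 0 and p.payload >= min_payload:
            pending[p.dst].append((p.seq + p.payload, p.ts))
        elif p.dst == server and p.ack_flag and pending[p.src]:
            covered = [(exp, ts) for exp, ts in pending[p.src] if exp <= p.ack]
            if covered:
                # A cumulative ACK may cover several segments; time it against
                # the most recently sent one so each ACK yields one sample.
                _, send_ts = max(covered, key=lambda e: e[1])
                rtts[p.src].append(p.ts - send_ts)
                pending[p.src] = [e for e in pending[p.src] if e[0] > p.ack]
    return dict(rtts)


def classify_hosts(rtts, jitter_threshold=0.002, min_samples=5):
    """Return {host: (mean_rtt, rtt_stdev, verdict)}. Hosts whose RTT standard
    deviation exceeds jitter_threshold (seconds; an assumed value) are flagged
    as 'likely wireless'; hosts with too few samples get no verdict."""
    result = {}
    for host, samples in rtts.items():
        if len(samples) < min_samples:
            result[host] = (None, None, "insufficient samples")
            continue
        sd = pstdev(samples)
        verdict = "likely wireless" if sd > jitter_threshold else "consistent with wired"
        result[host] = (mean(samples), sd, verdict)
    return result


def build_sample_capture():
    """Constructed capture: the server sends six 1448-byte segments to each
    host 50 ms apart and each host ACKs after a per-segment delay. The wired
    host's delays are tight; the wireless host's delays swing widely."""
    delays = {
        "10.0.0.20": [0.0004, 0.0005, 0.0004, 0.0005, 0.0006, 0.0005],  # wired
        "10.0.0.30": [0.0020, 0.0150, 0.0040, 0.0300, 0.0060, 0.0110],  # wireless
    }
    packets = []
    for host, host_delays in delays.items():
        seq = 1000
        for i, d in enumerate(host_delays):
            t = 0.05 * i
            packets.append(Packet(t, SERVER, host, seq, 5000, 1448, True))
            packets.append(Packet(t + d, host, SERVER, 5000, seq + 1448, 0, True))
            seq += 1448
    return packets


if __name__ == "__main__":
    report = classify_hosts(measure_rtts(build_sample_capture(), min_payload=1000))
    for host, (avg, sd, verdict) in report.items():
        print(f"{host}: mean={avg:.5f}s stdev={sd:.5f}s -> {verdict}")
```

The standard deviation, not the mean, drives the verdict: the wireless host's average RTT is only about 11 ms, but its samples scatter over more than an order of magnitude, which is exactly the inconsistency the post points to. Passive pairing means the monitor never sends a packet to the suspect, so a device that spoofs headers or probe responses gains nothing against it.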