IDS mailing list archives

Re: Wired detection of rogue access points


From: Chad Mano <chad.mano () usu edu>
Date: Mon, 26 Mar 2007 11:15:20 -0600

Hello,

Typically it is unreliable to identify a Rogue AP based on some type of
filtering or scanning because it is relatively easy to spoof header
information and probe responses.  I developed a method that relies on the
timing characteristics of wireless communication, something that is not
simple to spoof.  This assumes an active TCP session between the suspect and
some server and that the AP is not acting as a proxy, but the actual
end-point for communication is the wireless laptop or other host.

To give a general overview, the method tracks the round-trip-time (RTT) of
sequence and acknowledgement numbers in TCP packets.  Existing TCP traffic
is utilized, which makes it unnecessary for the monitor to actually
communicate directly with the suspect host/device.  A timestamp is created
when a TCP packet destined for the host is identified by some monitoring
point (such as a managed switch or router somewhere in the LAN).  When a
corresponding TCP packet (ACK) is observed the RTT is calculated.  In a
switched wired environment (LAN) the delays are assumed to be short and
consistent relative to a wireless environment.  This is due to the protocols
and physical makeup of the wireless medium (half-duplex, IFS delays, random
exponential backoff, etc.).  In reality it is the inconsistency of the
timing that really singles out wireless connections.  With enough RTT values
the standard deviation can be calculated, which measures the inconsistency.

There are a lot more details, but this is the general idea.  The biggest
problem in taking a timing-based approach deals with packet sizes and which
sizes give you what you need in terms of timing analysis and which just add
extra noise.  I currently have a paper under review that presents the
complete solution, so I'm not able to post it or send it out right now.

Chad

-- 
Chad D. Mano
Assistant Professor
Department of Computer Science
Utah State University
Logan, Utah 84322-4205
(435)797-0959 (office)
(435)797-3265 (fax)
chad.mano () usu edu
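A sketch of the passive RTT-variance heuristic described above, added here as an example; it is not Chad's code or the method from his paper. The monitor trace, host addresses and the 1 ms jitter threshold are constructed assumptions, and the packet-size selection he mentions is not addressed.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed monitor trace: (timestamp_s, src, dst, seq, ack, payload_len).
# 10.0.0.5 is a server; 10.0.0.20 is a wired host; 10.0.0.30 is the suspect
# host assumed to sit behind a wireless hop. All values are made up.
TRACE = [
    (0.0000, "10.0.0.5", "10.0.0.20", 1000, 1, 100),
    (0.0003, "10.0.0.20", "10.0.0.5", 1, 1100, 0),
    (0.0000, "10.0.0.5", "10.0.0.30", 5000, 1, 100),
    (0.0020, "10.0.0.30", "10.0.0.5", 1, 5100, 0),
    (0.0100, "10.0.0.5", "10.0.0.20", 1100, 1, 100),
    (0.0104, "10.0.0.20", "10.0.0.5", 1, 1200, 0),
    (0.0100, "10.0.0.5", "10.0.0.30", 5100, 1, 100),
    (0.0200, "10.0.0.5", "10.0.0.20", 1200, 1, 100),
    (0.0203, "10.0.0.20", "10.0.0.5", 1, 1300, 0),
    (0.0250, "10.0.0.30", "10.0.0.5", 1, 5200, 0),
    (0.0300, "10.0.0.5", "10.0.0.20", 1300, 1, 100),
    (0.0301, "10.0.0.5", "10.0.0.20", 1400, 1, 100),
    (0.0300, "10.0.0.5", "10.0.0.30", 5200, 1, 100),
    (0.0305, "10.0.0.20", "10.0.0.5", 1, 1500, 0),  # cumulative ACK for 2 segments
    (0.0340, "10.0.0.30", "10.0.0.5", 1, 5300, 0),
]


def rtt_samples_ms(packets):
    """Per host, RTT (ms) from a data segment sent to it until its ACK covers it.
    Only existing traffic is used; the monitor never talks to the host."""
    pending = defaultdict(dict)  # host -> {expected ack number: send timestamp}
    rtts = defaultdict(list)
    for ts, src, dst, seq, ack, plen in packets:
        if plen:  # data toward dst: an ACK of seq+plen from dst closes the sample
            pending[dst][seq + plen] = ts  # a retransmission overwrites (Karn-style)
        covered = [a for a in pending[src] if a <= ack]
        if covered:
            # A cumulative ACK is triggered by the newest segment it covers.
            rtts[src].append((ts - pending[src][max(covered)]) * 1000.0)
            for a in covered:
                del pending[src][a]
    return dict(rtts)


def rtt_jitter_ms(samples):
    """Population standard deviation of the RTT samples; None if too few."""
    return pstdev(samples) if len(samples) >= 2 else None


def suspect_wireless(packets, jitter_threshold_ms=1.0):
    """Flag hosts whose RTT jitter exceeds the (assumed) threshold for a switched LAN."""
    return {host: (sd := rtt_jitter_ms(s)) is not None and sd > jitter_threshold_ms
            for host, s in rtt_samples_ms(packets).items()}
```

Delayed ACKs and retransmissions inflate individual samples, so a real deployment needs more samples and filtering than this sketch applies.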




On 3/26/07 10:33 AM, "krymson () gmail com" <krymson () gmail com> wrote:

Now, I'm not necessarily disagreeing with you on your other points, so don't
jump on top of me...but if you have multiple WAPs set up with WDS, you may be
able to see WAP-to-WAP traffic on the LAN side (this becomes the wireless
backbone) as the WAPs attempt to share information. I've not been able to
verify this myself, but maybe someone else here can either verify or inform me
of my mistaken assumption. :)

Will this detect the lame CFO plugging in a SOHO WAP in his office to get on
the network from his couch closer to the window? Nope...


<- snip ->
For each of you that thinks they have a way to detect a wireless
access point using only the LAN, please demonstrate how you would
detect this.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intr
o_sfw 
to learn more.
------------------------------------------------------------------------
