IDS mailing list archives

Re: Wired detection of rogue access points

From: "Eric Hacker" <focus () erichacker com>
Date: Mon, 26 Mar 2007 15:20:31 -0400

On 3/26/07, Chad Mano <chad.mano () usu edu> wrote:

Hello,

Typically it is unreliable to identify a Rogue AP based on some type of
filtering or scanning because it is relatively easy to spoof header
information and probe responses.  I developed a method that relies on the
timing characteristics of wireless communication, something that is not
simple to spoof.  This assumes an active TCP session between the suspect and
some server and that the AP is not acting as a proxy, but the actual
end-point for communication is the wireless laptop or other host.

To give a general overview, the method tracks the round-trip-time (RTT) of
sequence and acknowledgement numbers in TCP packets.  Existing TCP traffic
is utilized, which makes it unnecessary for the monitor to actually
communicate directly with the suspect host/device.


Very cool. I'm sure that the details are not trivial, but it sounds
like it would generally work.

On the downside, if one is monitoring the network this much, then one
is likely to pick up malicious activity from Rogue Access already. My
intent was that detection on the LAN was not possible through probing
alone. I apologize if I did not make that clear.

On the upside, this technique is probably useful for detecting any
type of unauthorized remote access, such as SSL VPNs, modems, illicit
tunnels over VoIP, or RFC 1149 so long as a proxy is not used.

--
Eric Hacker, CISSP

aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner

I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?

Find out quickly and easily by testing itwith real-world attacks from CORE IMPACT.Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfwto learn more.

------------------------------------------------------------------------

Current thread:

RE: Wired detection of rogue access points, (continued)
- - - RE: Wired detection of rogue access points Gabbard, Gregory (Mar 26)
    - RE: Wired detection of rogue access points Adam Graham (Mar 26)
    - Re: Wired detection of rogue access points tim_holman (Mar 27)
    - Message not available
    - Re: Wired detection of rogue access points Adam Crosby (Mar 27)
- Re: Wired detection of rogue access points krymson (Mar 19)
- Re: Wired detection of rogue access points Chris Waters (Mar 21)
  - Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
    - RE: Wired detection of rogue access points Waters, Chris (Mar 22)
- Re: Wired detection of rogue access points krymson (Mar 26)
  - Re: Wired detection of rogue access points Chad Mano (Mar 26)
    - Re: Wired detection of rogue access points Eric Hacker (Mar 26)
- Re: Wired detection of rogue access points jay.tomas (Mar 27)
- Re: Wired detection of rogue access points Adam Powers (Mar 29)
  - Re: Wired detection of rogue access points tim_holman (Mar 29)
  - RE: Wired detection of rogue access points Adam Graham (Mar 29)
    - Re: Wired detection of rogue access points Eric Hacker (Mar 30)
  - RE: Wired detection of rogue access points Adam Graham (Mar 30)