IDS mailing list archives
Re: Wired detection of rogue access points
From: "Eric Hacker" <focus () erichacker com>
Date: Mon, 26 Mar 2007 15:20:31 -0400
On 3/26/07, Chad Mano <chad.mano () usu edu> wrote:
Hello, Typically it is unreliable to identify a Rogue AP based on some type of filtering or scanning because it is relatively easy to spoof header information and probe responses. I developed a method that relies on the timing characteristics of wireless communication, something that is not simple to spoof. This assumes an active TCP session between the suspect and some server and that the AP is not acting as a proxy, but the actual end-point for communication is the wireless laptop or other host. To give a general overview, the method tracks the round-trip-time (RTT) of sequence and acknowledgement numbers in TCP packets. Existing TCP traffic is utilized, which makes it unnecessary for the monitor to actually communicate directly with the suspect host/device.
Very cool. I'm sure that the details are not trivial, but it sounds like it would generally work. On the downside, if one is monitoring the network this much, then one is likely to pick up malicious activity from Rogue Access already. My intent was that detection on the LAN was not possible through probing alone. I apologize if I did not make that clear. On the upside, this technique is probably useful for detecting any type of unauthorized remote access, such as SSL VPNs, modems, illicit tunnels over VoIP, or RFC 1149 so long as a proxy is not used. -- Eric Hacker, CISSP aptronym (AP-troh-NIM) noun A name that is especially suited to the profession of its owner I _can_ leave well enough alone, but my criteria for well enough is pretty darn high. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- RE: Wired detection of rogue access points, (continued)
- RE: Wired detection of rogue access points Gabbard, Gregory (Mar 26)
- RE: Wired detection of rogue access points Adam Graham (Mar 26)
- Re: Wired detection of rogue access points tim_holman (Mar 27)
- Message not available
- Re: Wired detection of rogue access points Adam Crosby (Mar 27)
- Re: Wired detection of rogue access points Hari Sekhon (Mar 22)
- RE: Wired detection of rogue access points Waters, Chris (Mar 22)
- Re: Wired detection of rogue access points Chad Mano (Mar 26)
- Re: Wired detection of rogue access points Eric Hacker (Mar 26)
- Re: Wired detection of rogue access points tim_holman (Mar 29)
- RE: Wired detection of rogue access points Adam Graham (Mar 29)
- Re: Wired detection of rogue access points Eric Hacker (Mar 30)
- RE: Wired detection of rogue access points Adam Graham (Mar 30)