On 3/26/07, Chad Mano <chad.mano@usu.edu> wrote:
Hello,
Typically it is unreliable to identify a Rogue AP based on some type of
filtering or scanning because it is relatively easy to spoof header
information and probe responses. I developed a method that relies on the
timing characteristics of wireless communication, something that is not
simple to spoof. This assumes an active TCP session between the suspect and
some server and that the AP is not acting as a proxy, but the actual
end-point for communication is the wireless laptop or other host.
To give a general overview, the method tracks the round-trip-time (RTT) of
sequence and acknowledgement numbers in TCP packets. Existing TCP traffic
is utilized, which makes it unnecessary for the monitor to actually
communicate directly with the suspect host/device.
Very cool. I'm sure that the details are not trivial, but it sounds
like it would generally work.
On the downside, if one is monitoring the network this much, then one
is likely to pick up malicious activity from Rogue Access already. My
intent was that detection on the LAN was not possible through probing
alone. I apologize if I did not make that clear.
On the upside, this technique is probably useful for detecting any
type of unauthorized remote access, such as SSL VPNs, modems, illicit
tunnels over VoIP, or RFC 1149 so long as a proxy is not used.
--
Eric Hacker, CISSP
aptronym (AP-troh-NIM) noun
A name that is especially suited to the profession of its owner
I _can_ leave well enough alone, but my criteria for well enough is
pretty darn high.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
