Whitepaper - Detecting Wireless LAN MAC Address Spoofing

From: Joshua Wright (Joshua.Wrightat_private)
Date: Wed Jan 22 2003 - 05:42:28 PST


    I recently completed a white paper that demonstrates some techniques
    that can be used for detecting spoofed MAC addresses on 802.11
    networks.  In this paper I identify tactics that can be used to
    identify the use of the Wellenreiter, FakeAP and AirJack tools
    through anomaly analysis.  Here is the abstract:
    
    "An attacker wishing to disrupt a wireless network has a wide arsenal
    available to them.  Many of these tools rely on using a faked MAC
    address, masquerading as an authorized wireless access point or as an
    authorized client.  Using these tools, an attacker can launch denial
    of service attacks, bypass access control mechanisms, or falsely
    advertise services to wireless clients.
    
    This presents unique opportunities for attacks against wireless
    networks that are difficult to detect, since the attacker can present
    himself as an authorized client by using an altered MAC address.  As
    nearly all wireless NICs permit changing their MAC address to an
    arbitrary value - through vendor-supplied drivers, open-source
    drivers or various application programming frameworks - it is trivial
    for an attacker to wreak havoc on a target wireless LAN.
    
    This paper describes some of the techniques attackers utilize to
    disrupt wireless networks through MAC address spoofing, demonstrated
    with captured traffic that was generated by the AirJack, FakeAP and
    Wellenreiter tools.  Through the analysis of these traces, the author
    identifies techniques that can be employed to detect applications
    that are using spoofed MAC addresses.  With this information,
    wireless equipment manufacturers could implement anomaly-based
    intrusion detection systems capable of identifying MAC address
    spoofing to alert administrators of attacks against their networks."
    
    http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf
    
    Please reply with comments off-list and I will post a summary.
    
    Thanks.
    
    - -Joshua Wright
    Team Leader, Networks and Systems
    Johnson & Wales University
    Joshua.Wrightat_private 
    http://home.jwu.edu/jwright/
    
    pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    
    
    
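One concrete instance of the anomaly analysis the abstract describes, as an added example that is not code from the paper or the post: a legitimate 802.11 station increments the 12-bit sequence number in each frame it sends, so two transmitters sharing one source MAC show up as a counter that jumps around. The frame tuples, MAC addresses, and the 64-frame tolerance are constructed here for illustration.

```python
from collections import defaultdict

SEQ_MOD = 4096          # the 802.11 sequence number is a 12-bit counter
MAX_FORWARD_GAP = 64    # assumed tolerance for frames the sensor missed

def seq_gap(prev, cur):
    """Forward distance from prev to cur on the wrapping 12-bit counter."""
    return (cur - prev) % SEQ_MOD

def detect_seq_anomalies(frames, max_gap=MAX_FORWARD_GAP):
    """frames: iterable of (frame_no, src_mac, seq_num) taken from a capture.
    Returns a list of (frame_no, src_mac, prev_seq, seq_num) anomalies."""
    last_seq = {}
    alerts = []
    for frame_no, src, seq in frames:
        if src in last_seq:
            gap = seq_gap(last_seq[src], seq)
            # gap 0: retransmission of the same frame, expected
            # small positive gap: normal progression, allowing for missed frames
            # large gap (a backward step wraps to near 4095, so it counts too):
            #   a second transmitter is using this source address
            if gap > max_gap:
                alerts.append((frame_no, src, last_seq[src], seq))
        last_seq[src] = seq
    return alerts

def suspicious_macs(frames, min_alerts=2):
    """Source addresses with repeated anomalies, to damp one-off capture loss."""
    counts = defaultdict(int)
    for _, src, _, _ in detect_seq_anomalies(frames):
        counts[src] += 1
    return sorted(mac for mac, n in counts.items() if n >= min_alerts)

# Constructed sample capture (not from the paper): the real AP 00:11:22:33:44:55
# counts 100, 101, ...; a second radio using the same MAC counts from 3000.
SAMPLE_FRAMES = [
    (1, "00:11:22:33:44:55", 100),
    (2, "00:11:22:33:44:55", 101),
    (3, "aa:bb:cc:dd:ee:01", 7),
    (4, "00:11:22:33:44:55", 3000),   # second transmitter
    (5, "00:11:22:33:44:55", 102),    # real AP again
    (6, "aa:bb:cc:dd:ee:01", 8),
    (7, "00:11:22:33:44:55", 3001),   # second transmitter
    (8, "00:11:22:33:44:55", 3001),   # retransmission, not an anomaly
    (9, "00:11:22:33:44:55", 103),    # real AP
]

if __name__ == "__main__":
    for frame_no, src, prev, seq in detect_seq_anomalies(SAMPLE_FRAMES):
        print(f"frame {frame_no}: {src} sequence jumped {prev} -> {seq}")
    print("suspicious:", suspicious_macs(SAMPLE_FRAMES))
```

A real sensor would feed this from monitor-mode captures and pair it with the other per-tool fingerprints the paper discusses; the counter check alone cannot tell which transmitter is the impostor, only that more than one exists.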
    This archive was generated by hypermail 2b30 : Wed Jan 22 2003 - 13:51:36 PST