Rogue clients are malicious wireless client devices that
either try to gain illegitimate access to your WLAN or try
to disrupt normal wireless service by launching attacks. There
are numerous ready-to-launch wireless attack tools freely
available on the net. Many of them are open source and work
well with most wireless client cards. This turns any
curious mind into a professional hacker in minutes. Many do it
simply for the pleasure of being able to disturb someone remotely.
All these developments force WLAN administrators to take a
second look at any wireless client that is misbehaving.
Rogue Client Detection Technique 1: Look for abnormal
behavior
Some of the behaviors (of the mobile client) that could potentially
spell danger are:
1) Client sending frames with prolonged duration
When a client sends frames with a prolonged duration, other
clients in the network have to wait until the specified duration
elapses before they can use the RF medium. If the client
continuously sends frames with such a high duration, it can
prevent other clients from using the RF medium, and they
remain unassociated forever.
How does a duration attack work?
WLAN devices perform virtual carrier sensing prior
to using the RF medium. Carrier sense minimizes the
likelihood of two devices transmitting simultaneously.
Wireless nodes reserve the right to use the radio channel
for the duration specified in the frame. A general 802.11
frame format would look similar to what is shown below.

Figure 6: General format of 802.11
packet
The duration value in the frame indicates the duration
in milliseconds for which the channel is reserved. The
Network Allocation Vector (NAV) stores this duration
information and is tracked for every node. The basic
rule is that a node can transmit only when its NAV reaches
zero, in other words when no one has reserved the channel
at that time. Attackers take advantage of the NAV. An
attacker can send frames with huge duration values.
This forces other nodes in range to wait until
the value reaches zero. If the attacker succeeds
in sending continuous packets with huge durations,
it prevents other nodes from operating for a long time,
thereby denying service.

Figure 7: Rogue client launching
a duration attack on WLAN
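One way a monitoring sensor could flag the duration abuse described above is sketched below. This is an added example, not code from WiFi Manager. It assumes each frame is a raw 802.11 MAC header with any capture header already stripped; the threshold, repeat count, helper names and sample frames are all constructed for illustration.

```python
import struct
from collections import Counter

DURATION_LIMIT = 20000  # assumed site policy: raw Duration values above this are suspect
MIN_FRAMES = 3          # assumed: alert only on repeated frames from one sender
NO_TA = "unknown (CTS/ACK carries no transmitter address)"

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_header(frame: bytes):
    """Return (duration, sender) from a raw 802.11 MAC header, or None to skip it."""
    if len(frame) < 10:                         # FC(2) + Duration/ID(2) + Addr1(6)
        return None
    fc, dur = struct.unpack_from("<HH", frame)  # both fields are little-endian
    if dur & 0x8000:                            # bit 15 set: not a NAV duration (e.g. PS-Poll AID)
        return None
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype == 1 and subtype in (12, 13):      # CTS / ACK: receiver address only
        return dur, NO_TA
    if len(frame) < 16:                         # Addr2 (transmitter) missing: truncated
        return None
    return dur, mac(frame[10:16])

def find_duration_abusers(frames, limit=DURATION_LIMIT, min_frames=MIN_FRAMES):
    """Map sender -> count of frames whose Duration exceeds the limit, if repeated."""
    hits = Counter()
    for frame in frames:
        parsed = parse_header(frame)
        if parsed and parsed[0] > limit:
            hits[parsed[1]] += 1
    return {sender: n for sender, n in hits.items() if n >= min_frames}

def build(fc: int, dur: int, *addrs: str) -> bytes:
    """Construct a header-only test frame (constructed sample data, not a capture)."""
    return struct.pack("<HH", fc, dur) + b"".join(bytes.fromhex(a.replace(":", "")) for a in addrs)

AP, GOOD, ROGUE = "02:00:00:00:00:01", "02:00:00:00:00:10", "02:00:00:00:00:66"
SAMPLE = (
    [build(0x0008, 44, AP, GOOD, AP)] * 5      # ordinary data frames, small duration
    + [build(0x00B4, 32767, AP, ROGUE)] * 4    # RTS frames reserving the maximum value
    + [build(0x00A4, 0xC001, AP, GOOD)]        # PS-Poll: field holds an AID, ignored
    + [build(0x00C4, 30000, AP)]               # single CTS, below the repeat count
)

if __name__ == "__main__":
    for sender, count in find_duration_abusers(SAMPLE).items():
        print(f"ALERT duration abuse: {sender} sent {count} frames above {DURATION_LIMIT}")
```

CTS and ACK frames carry no transmitter address, so a sensor can count them but has to locate the sender by other means, such as signal strength.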
2) Unassociated client sending packets
A client can decide not to connect to the Access Point but
still send out wireless packets (mostly broadcasts and
association/authentication requests). Typically, this behavior
can be attributed to malicious clients or attackers who want
to gain knowledge of your wireless network. When normal
authentication procedures deny access to such attackers, they
choose to inject forged packets into the wireless network
while staying unconnected.
3) Device probing for any SSID
Access points, if not configured properly, allow clients to
connect with any SSID. This is a vulnerability
that the WLAN administrator should identify and stop beforehand.
If a client tries to connect using any SSID, it
is most probably a rogue client.
Rogue Client Detection Technique 2: Look for unauthorized
clients
Rogue clients can also be detected by pre-configuring the
authorized list of clients in the network. Some of the different
ways in which IT managers can populate this authorized list
are:
Authorized MAC: WLAN administrators can import
the list of authorized clients' MAC addresses into WiFi
Manager. This enables WiFi Manager to trigger an alarm whenever
it sees a client with a different MAC address.
Authorized SSIDs: WLAN administrators can import
the list of authorized SSIDs into WiFi Manager. This enables
WiFi Manager to alert the administrators whenever a client
tries to associate with the WLAN using a different SSID.
Authorized vendor: If an enterprise standardizes
on a vendor for client adapters, then WLAN administrators can
configure WiFi Manager to trigger an alarm if it sees adapters
from a different vendor.