Detecting Wireless LAN MAC Address Spoofing

3894 Words8 Pages

Detecting Wireless LAN MAC Address Spoofing

Abstract

An attacker wishing to disrupt a wireless network has a wide arsenal available to them. Many of these tools rely on using a faked MAC address, masquerading as an authorized wireless access point or as an authorized client. Using these tools, an attacker can launch denial of service attacks, bypass access control mechanisms, or falsely advertise services to wireless clients.

This presents unique opportunities for attacks against wireless networks that are difficult to detect, since the attacker can present himself as an authorized client by using an altered MAC address. As nearly all wireless NICs permit changing their MAC address to an arbitrary value – through vendor-supplied drivers, open-source drivers or various application programming frameworks – it is trivial for an attacker to wreak havoc on a target wireless LAN.

This paper describes some of the techniques attackers utilize to disrupt wireless networks through MAC address spoofing, demonstrated with captured traffic that was generated by the AirJack, FakeAP and Wellenreiter tools. Through the analysis of these traces, the author identifies techniques that can be employed to detect applications that are using spoofed MAC addresses. With this information, wireless equipment manufacturers could implement anomaly-based intrusion detection systems capable of identifying MAC address spoofing to alert administrators of attacks against their networks.

Introduction

MAC addresses have long been used as the singularly unique layer 2 network identifier in LANs. Through controlled, organizationally unique identifiers (OUI) allocated to hardware manufacturers, MAC addresses are globally unique ...

... middle of paper ...

... Network administrators and intrusion analysts need to be aware of the risks associated with 802.11 network deployment, and the techniques that can be used to identify malicious client activity.

Works Cited

AirJack. “Advanced 802.11 Attack Tools.” URL: http://802.11ninja.net/ (12 Nov 2002).

FakeAP. “Black Alchemy Weapons Lab.” URL: http://www.blackalchemy.to/project/fakeap/ (19 Dec 2002).

IEEE. “IEEE OUI and Company_id Assignments.” URL: http://standards.ieee.org/regauth/oui/oui.txt (13 Nov 2002).

Malinen, Jouni. “Host AP driver for Intersil Prism2/2.5/3.” File: README.prism2, URL: http://hostap.epitest.fi/ (13 Nov 2002).

Schiffman, Mike. “Radiate 802.11b frame handling.” URL: http://www.packetfactory.net/projects/radiate/ (13 Nov 2002).

Wellenreiter. “Wireless LAN Discovery and Auditing Tool” URL: http://www.remote-exploit.org/ (19 Dec 2002).

More about Detecting Wireless LAN MAC Address Spoofing

Open Document