Detecting MAC Spoofing Attacks in 802.11 Networks through Fingerprinting on the MAC Layer

Idland, Christer

January 2011

In order to provide hassle-free connection options many wireless local area network (WLAN) providers choose to have their networks completely open. In other words there is no password required in order to connect. Such open configurations do not provide any security features on the wireless medium, but are often implemented with other solutions as captive portals. A captive portal forces a Hypertext Transfer Protocol (HTTP) client to see a certain webpage, usually for authentication purposes. All other packets are blocked. Once authenticated, the client's medium access control (MAC) address is whitelisted and he will have access to the Internet.The MAC spoofing attack is easy to perform in open networks, see Appendix A. This attack can have severe consequences as the attacker masquerades as a legitimate client, potentially getting the victim caught for crime done by the attacker. The preferred way to handle these attacks has been through detection, as it can be done on the server side without complicating anything for the user. Effective and reliable detection techniques for plain and QoS enabled 802.11 networks exists [1,5]. However, no good solution exists to detect attacks when the legitimate client is no longer connected. The two main scenarios are the session hijacking attack, where the attacker forces the victim offline, and the wait-for-availability attack where the attacker waits until the legitimate client leaves the network.An algorithm based on MAC layer fingerprinting was developed to detect the class of attacks where attacker and victim are not connected simultaneously. A fingerprint is based on the behavior of a station (STA), and each STA's behavior varies due to implementation differences of the 802.11 protocol. Experiments in a real network was performed with 11 different STAs in order to determine the fingerprints. The results show that on average 2.82 of the 8 fingerprinting properties were different when comparing two fingerprints.The fingerprinting algorithm developed is capable of passively creating a fingerprint of wireless STAs without specialized equipment in realistic network conditions. Fingerprints from different STAs are unique with high probability, even when there are little data available. In addition, the technique used is accurate, fast, and requires no pre-computed databases. The algorithm used in combination with the IDS developed by Idland [1] is now able to detect all of the five different MAC spoofing attacks described in Section 2.6.2.

ntnudaim:6260

MTKOM kommunikasjonsteknologi

Informasjonssikkerhet