Change search
ReferencesLink to record
Permanent link

Direct link
Detecting MAC Spoofing Attacks in 802.11 Networks through Fingerprinting on the MAC Layer
Norwegian University of Science and Technology, Faculty of Information Technology, Mathematics and Electrical Engineering, Department of Telematics.
2011 (English)MasteroppgaveStudent thesis
Abstract [en]

In order to provide hassle-free connection options many wireless local area network (WLAN) providers choose to have their networks completely open. In other words there is no password required in order to connect. Such open configurations do not provide any security features on the wireless medium, but are often implemented with other solutions as captive portals. A captive portal forces a Hypertext Transfer Protocol (HTTP) client to see a certain webpage, usually for authentication purposes. All other packets are blocked. Once authenticated, the client's medium access control (MAC) address is whitelisted and he will have access to the Internet. The MAC spoofing attack is easy to perform in open networks, see Appendix A. This attack can have severe consequences as the attacker masquerades as a legitimate client, potentially getting the victim caught for crime done by the attacker. The preferred way to handle these attacks has been through detection, as it can be done on the server side without complicating anything for the user. Effective and reliable detection techniques for plain and QoS enabled 802.11 networks exists [1,5]. However, no good solution exists to detect attacks when the legitimate client is no longer connected. The two main scenarios are the session hijacking attack, where the attacker forces the victim offline, and the wait-for-availability attack where the attacker waits until the legitimate client leaves the network. An algorithm based on MAC layer fingerprinting was developed to detect the class of attacks where attacker and victim are not connected simultaneously. A fingerprint is based on the behavior of a station (STA), and each STA's behavior varies due to implementation differences of the 802.11 protocol. Experiments in a real network was performed with 11 different STAs in order to determine the fingerprints. The results show that on average 2.82 of the 8 fingerprinting properties were different when comparing two fingerprints. The fingerprinting algorithm developed is capable of passively creating a fingerprint of wireless STAs without specialized equipment in realistic network conditions. Fingerprints from different STAs are unique with high probability, even when there are little data available. In addition, the technique used is accurate, fast, and requires no pre-computed databases. The algorithm used in combination with the IDS developed by Idland [1] is now able to detect all of the five different MAC spoofing attacks described in Section 2.6.2.

Place, publisher, year, edition, pages
Institutt for telematikk , 2011. , 118 p.
Keyword [no]
ntnudaim:6260, MTKOM kommunikasjonsteknologi, Informasjonssikkerhet
URN: urn:nbn:no:ntnu:diva-14093Local ID: ntnudaim:6260OAI: diva2:446135
Available from: 2011-10-06 Created: 2011-10-06

Open Access in DiVA

fulltext(1863 kB)855 downloads
File information
File name FULLTEXT01.pdfFile size 1863 kBChecksum SHA-512
Type fulltextMimetype application/pdf
cover(47 kB)25 downloads
File information
File name COVER01.pdfFile size 47 kBChecksum SHA-512
Type coverMimetype application/pdf

By organisation
Department of Telematics

Search outside of DiVA

GoogleGoogle Scholar
Total: 855 downloads
The number of downloads is the sum of all downloads of full texts. It may include eg previous versions that are now no longer available

Total: 113 hits
ReferencesLink to record
Permanent link

Direct link