Sequence Number-Based MAC Address Spoof Detection

  • Conference paper
Recent Advances in Intrusion Detection (RAID 2005)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3858)

Abstract

The exponential growth in the deployment of IEEE 802.11-based wireless LANs (WLANs) in enterprises and homes makes WLANs an attractive target for attackers. Attacks that exploit vulnerabilities at the IP layer or above can be readily addressed by intrusion detection systems designed for wired networks. However, attacks exploiting link-layer protocol vulnerabilities require a different set of intrusion detection mechanisms. Most link-layer attacks in WLANs are denial-of-service attacks and work by spoofing either access points (APs) or wireless stations. Spoofing is possible because the IEEE 802.11 standard does not provide per-frame source authentication, but it can be effectively prevented if proper authentication is added to the standard. Unfortunately, it is unlikely that commercial WLANs will support link-layer source authentication that covers both management and control frames in the near future. Even if it becomes available in next-generation WLAN equipment, it cannot protect the large installed base of legacy WLAN devices. This paper proposes an algorithm to detect spoofing by leveraging the sequence number field in the link-layer header of IEEE 802.11 frames, and demonstrates how it can detect various kinds of spoofing without modifying the APs or wireless stations. The false positive rate of the proposed algorithm is zero, and the false negative rate is close to zero. In the worst case, the proposed algorithm can detect a spoofing activity, even though it can only detect some but not all spoofed frames.
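
A minimal sketch of the kind of sequence-number check the abstract refers to, added here as an illustration; it is not the paper's algorithm or the authors' code. The gap threshold `MAX_GAP`, the helper names and the sample trace are assumptions constructed for this example.

```python
import struct
from collections import namedtuple

SEQ_MODULUS = 4096  # Sequence Number is a 12-bit field
MAX_GAP = 3         # assumed tolerance for frames the monitor failed to capture
Frame = namedtuple("Frame", "src seq frag retry")
Alert = namedtuple("Alert", "src prev seq gap")

def parse_frame(raw):
    """Pull transmitter address and Sequence Control out of an 802.11 MAC header."""
    if len(raw) < 24 or (raw[0] >> 2) & 0x3 not in (0, 2):
        return None  # too short, or not a management/data frame (no sequence number)
    (seq_ctl,) = struct.unpack_from("<H", raw, 22)  # little-endian, bytes 22-23
    return Frame(raw[10:16].hex(":"), seq_ctl >> 4, seq_ctl & 0xF, bool(raw[1] & 0x08))

class SeqMonitor:
    def __init__(self, max_gap=MAX_GAP):
        self.max_gap, self.last = max_gap, {}

    def observe(self, f):
        prev, self.last[f.src] = self.last.get(f.src), f.seq
        if prev is None:
            return None
        gap = (f.seq - prev) % SEQ_MODULUS  # modular, so 4095 -> 0 is a gap of 1
        if gap == 0 and (f.retry or f.frag > 0):
            return None  # retransmission or a later fragment of the same frame
        if 1 <= gap <= self.max_gap:
            return None  # in order, allowing for a few missed frames
        return Alert(f.src, prev, f.seq, gap)

def build_frame(src, seq, retry=False, ftype=2):
    """Constructed 24-byte header for the demo; not captured traffic."""
    fc = bytes([ftype << 2, 0x08 if retry else 0])
    addr = bytes.fromhex(src.replace(":", ""))
    return fc + b"\x00\x00" + b"\xff" * 6 + addr + b"\xff" * 6 + struct.pack("<H", seq << 4)

def run_demo():
    sta = "02:00:00:00:00:01"  # constructed, locally administered address
    trace = [(4094, False), (4095, False), (0, False), (1, False), (1, True),
             (2210, False), (2, False), (3, False)]  # 2210: a second transmitter
    mon, alerts = SeqMonitor(), []
    for seq, retry in trace:
        alert = mon.observe(parse_frame(build_frame(sta, seq, retry)))
        if alert:
            alerts.append(alert)
    return alerts

if __name__ == "__main__":
    print(*run_demo(), sep="\n")
```

The wrap from 4095 to 0 and the retransmitted frame raise no alert; the frame from the second transmitter and the legitimate frame that follows it both do, because each breaks the other's sequence.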

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Guo, F., Chiueh, Tc. (2006). Sequence Number-Based MAC Address Spoof Detection. In: Valdes, A., Zamboni, D. (eds) Recent Advances in Intrusion Detection. RAID 2005. Lecture Notes in Computer Science, vol 3858. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11663812_16

  • DOI: https://doi.org/10.1007/11663812_16

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-31778-4

  • Online ISBN: 978-3-540-31779-1

  • eBook Packages: Computer Science, Computer Science (R0)
