Open as PDF
586 CHAPTER 26: ROGUE DETECTION AND COUNTERMEASURES
Decrypt errors—An excessive number of decrypt errors can indicate
that multiple clients are using the same MAC address. A device’s MAC
address is supposed to be unique. Multiple instances of the same
address can indicate that a rogue device is pretending to be a
legitimate device by spoofing its MAC address.
Fake AP—A rogue device sends beacon frames for randomly
generated SSIDs or BSSIDs. This type of attack can cause clients to
become confused by the presence of so many SSIDs and BSSIDs, and
thus interferes with the clients’ ability to connect to valid APs. This
type of attack can also interfere with RF Auto-Tuning when a MAP is
trying to adjust to its RF neighborhood.
SSID masquerade—A rogue device pretends to be a legitimate AP by
sending beacon frames for a valid SSID serviced by APs in your
network. Data from clients that associate with the rogue device can
be accessed by the hacker controlling the rogue device.
Spoofed AP—A rogue device pretends to be a 3Com MAP by sending
packets with the source MAC address of the 3Com MAP. Data from
clients that associate with the rogue device can be accessed by the
hacker controlling the rogue device.
MSS detects a spoofed AP attack based on the fingerprint of the spoofed
MAP. Packets from the real MAP have the correct signature, while
spoofed packets lack the signature. (See “Enabling MAP Signatures” on
Netstumbler and Wellenreiter are widely available applications that
hackers can use to gather information about the APs in your network,
including location, manufacturer, and encryption settings.
Wireless Bridge A wireless bridge can extend a wireless network outside the desired area.
For example, someone can place a wireless bridge near an exterior wall to
extend wireless coverage out into the parking lot, where a hacker could
then gain access to the network.
Ad-Hoc Network An ad-hoc network is established directly among wireless clients and
does not use the infrastructure network (a network using an AP). An
ad-hoc network might not be an intentionally malicious attack on the
network, but it does steal bandwidth from your infrastructure users.