Skip to main content

Detection of Spoofed MAC Addresses in 802.11 Wireless Networks

  • Conference paper

Part of the Communications in Computer and Information Science book series (CCIS,volume 23)

Abstract

Medium Access Control (MAC) address spoofing is considered as an important first step in a hacker’s attempt to launch a variety of attacks on 802.11 wireless networks. Unfortunately, MAC address spoofing is hard to detect. Most current spoofing detection systems mainly use the sequence number (SN) tracking technique, which has drawbacks. Firstly, it may lead to an increase in the number of false positives. Secondly, such techniques cannot be used in systems with wireless cards that do not follow standard 802.11 sequence number patterns. Thirdly, attackers can forge sequence numbers, thereby causing the attacks to go undetected. We present a new architecture called WISE GUARD (Wireless Security Guard) for detection of MAC address spoofing on 802.11 wireless LANs. It integrates three detection techniques – SN tracking, Operating System (OS) fingerprinting & tracking and Received Signal Strength (RSS) fingerprinting & tracking. It also includes the fingerprinting of Access Point (AP) parameters as an extension to the OS fingerprinting for detection of AP address spoofing. We have implemented WISE GUARD on a test bed using off-the-shelf wireless devices and open source drivers. Experimental results show that the new design enhances the detection effectiveness and reduces the number of false positives in comparison with current approaches.

Keywords

  • 802.11 wireless networks
  • MAC address spoofing
  • intrusion detection system
  • sequence number tracking
  • operating system fingerprinting
  • access point parameters

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. IEEE Wireless LAN Standards (accessed March 2007), http://standards.ieee.org/

  2. Ethereal – network protocol analyzer (accessed March 2007), http://www.ethereal.com

  3. Netstumbler (accessed March 2007), http://www.netstumbler.com

  4. Kismet (accessed March 2007), http://www.kismetwireless.net

  5. Airsnort (accessed March 2007), http://airsnort.shmoo.com

  6. Wright, J.: Detecting Wireless LAN MAC Address Spoofing (January 2003, site accessed March 2007) (2003), http://home.jwu.edu/wright/papers.htm

  7. Haidong, X., Brustoloni, J., Mitrou, N., Kontovasilis, K., Rouskas, G., Iliadis, I., Merakos, L.: Detecting and blocking unauthorized access in Wi-Fi networks. In: Proceedings of the International Networking Conference, May 2004, pp. 795–806 (2004)

    Google Scholar 

  8. Arkin, O.: ICMP Usage in Scanning, Sys-Security Group Publication (accessed March 2007) (July 2000), http://www.sys-security.com/archive/papers/ICMP_Scanning_v1.0.pdf

  9. Zalewski, M.: Passive OS fingerprinting tool (accessed March 2007), http://www.networkintrusion.co.uk/osfp.htm

  10. Bahl, P., Padmanabhan, V.N.: Radar: An in-building rf-based user location and tracking system. In: Proceedings of the IEEE Infocom 2000, Tel-Aviv, Israel, vol. 2, pp. 775–784 (March 2000)

    Google Scholar 

  11. A Practical Approach to Identifying and Tracking Unauthorized 802.11 cards and Access Points, White Paper, Interlink Networks, Inc. (April 2002)

    Google Scholar 

  12. Bardwell, J.: WiFi Radio Characteristics and the Cost of WLAN implementation. White Paper, Connect802 (accessed March 2007), http://www.connect802.com/white_papers.htm

  13. Airopeek (accessed March 2007), http://www.wildpackets.com/

  14. Snort-Wireless (accessed March 2007), http://snort-wireless.org

  15. WiFi Scanner (accessed March 2007), http://wifiscanner.sourceforge.net

  16. Air Defense Enterprise (accessed March 2007), http://www.airdefense.net

  17. Aruba Networks (accessed March 2007), http://www.arubanetworks.com

  18. Bahl, P., Padmanabhan, V.N., Balachandran, A.: A Software System for Locating Mobile Users: Design, Evaluation, and Lessons. MSR-TR-2000-12 (accessed March 2007) (Febuary 2000), http://citeseer.ist.psu.edu/bahl00software.html

  19. Malinen, J., et al.: Host AP driver for Intersil Prism2/2.5/3, hostapd, and WPA Supplicant (accessed March 2007), http://hostap.epitest.fi/

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tao, K., Li, J., Sampalli, S. (2008). Detection of Spoofed MAC Addresses in 802.11 Wireless Networks. In: Filipe, J., Obaidat, M.S. (eds) E-business and Telecommunications. ICETE 2007. Communications in Computer and Information Science, vol 23. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-88653-2_15

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-88653-2_15

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-88652-5

  • Online ISBN: 978-3-540-88653-2

  • eBook Packages: Computer ScienceComputer Science (R0)