Hotspot Authentication Issues
Rogue access points detection and blocking
WIDS and WIPS
Wireless Honeypots Architecture
CASE STUDY – Honey Net
Hot spot architecture: captive
Hot spots are dedicated Wi-Fi networks, usually deployed in
airports and railway stations, that give users the opportunity to
connect to the Internet or their Intranet. This kind of network
access was first deployed by providers in areas where the users
The hot spot architecture is based on “captive portal”
technology. Access control and authentication are performed by
the captive portal. The main strength of this technology is
ergonomics, as there is no impact on the client's computer
Captive Portal Overview
A captive portal is a router or gateway host that will not allow
traffic to pass until a user has authenticated himself.
In a captive portal environment, a client device acquires an
Internet Protocol (IP) address using Dynamic Host Configuration
Protocol (DHCP) and any web request from the client device is
redirected to the captive portal.
The captive portal presents a web page; the user authenticates
himself on that page, possibly paying an access fee; the portal then
stops redirecting that client's traffic, so the client can access
the rest of the Internet.
A captive portal is composed of:
• a dynamic rules based firewall.
• a Web server.
• an authentication framework and database.
• (optionally) a billing framework.
When a computer associates with the “Open” Wi-Fi access point,
it first negotiates a DHCP lease. The wireless client is then
redirected to the Web server whenever it tries to reach the
Internet (opening its browser and requesting www.joe.com). The
captive portal thus redirects the connection to an HTTPS Web
server so that the client can authenticate the Web server using
public-key cryptography and the Transport Layer Security (TLS)
protocol. The page presented is the provider's portal page, to
which the user is redirected until he succeeds in authenticating
to the hot spot.
2) Authorization. When the user authenticates himself to the
captive portal (by providing a valid username/password or a valid
token), the authentication framework will then authorize the user
to communicate with the Internet by dynamically configuring the
rule set applied on the firewall. Most captive portals rely only on
the IP address to authorize the user on the firewall, while some
also use the MAC address in order to prevent address spoofing
attacks.
3) Connection. When the firewall has configured the new rule set
for the authenticated user, the template security policy (applied by
the provider) is enforced and basically the user now has access to
4) Disconnection. The user may be able to close the connection to
the captive portal by sending a logoff through a specific Web page
on the captive portal. Also, most hot spot architectures use
other techniques to detect whether the user has left the architecture
(e.g. by sending ARP probes or observing DHCP renewal).
Hot spot providers are usually aware of the common issues regarding
security. As these issues are related to access control and lack of
attack detection in common hot spot architectures, this section will
discuss possible improvements that aim at raising the overall
difficulty of performing such attacks.
Access control improvements
A simple but effective improvement is to detect the user's operating
system and correlate it with the MAC/IP address. The assertion
is that most attackers will use Unix-based operating systems,
unlike legitimate users, who will rely on Microsoft Windows-based
operating systems. Thus, if the same IP address shows two
different operating system fingerprints at the same moment, an IP
spoofing attack is possible: this is simple but effective in practice, as
today it is hard to perfectly mimic another operating system's TCP/IP
Device discovering improvements
One requirement for overcoming billing issues is to detect
whenever the customer leaves the hot spot in order to stop the
billing mechanism and to reconfigure the dynamic firewall to
redirect the IP address to the captive portal. This is necessary to
reduce the window of opportunity for the attacker. To detect that a
customer leaves the architecture, several options are possible:
logoff window, MAC address lookup in ARP tables of network
switches, ARP probes, ICMP probes, DHCP renewal, etc.
When a user is authenticated to the Captive Portal, a logoff window
is accessible and can be triggered. This logoff window is useful for:
giving the customer the opportunity to manually stop the billing
whenever he clicks on this window;
periodically sending information to the captive portal in order to
tell that the customer is still active;
these probes are usually sent securely over SSL/TLS.
If the captive portal does not receive the customer probes then it
will consider that he has left the hot spot and thus will shut down
the current authorization linked to the authenticated user.
In this case, the captive portal retrieves information from DHCP
As DHCP leases are usually short timed, if the legitimate user
leaves the architecture and does not renew his DHCP lease, then
the captive portal will de-authenticate the legitimate user.
The attacker must then mimic the DHCP renewal process in
order to bypass this mechanism.
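The captive portal flow above (IP/MAC binding at authorization, the OS-fingerprint correlation from the access control improvements, and de-authorization when the logoff-window probe or DHCP renewal stops) as one added, runnable model. This is illustrative code written for this page, not a real portal implementation; the addresses, timeouts and fingerprint labels are constructed.

```python
"""Model of a captive portal's dynamic authorization table (added example, not
the page's own code). Sessions are bound to IP + MAC + OS fingerprint, and are
dropped when the TLS keepalive probe or the DHCP renewal stops arriving.
Addresses, timeouts and fingerprint labels below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

KEEPALIVE_TIMEOUT = 120.0   # assumed: seconds without a logoff-window probe
DHCP_LEASE = 300.0          # assumed: short lease; no renewal means the client left


@dataclass
class Session:
    ip: str
    mac: str
    os_fingerprint: str      # label from passive TCP/IP stack fingerprinting
    user: str
    last_probe: float        # time of the last keepalive sent by the logoff window
    lease_expires: float     # end of the current DHCP lease


@dataclass
class CaptivePortal:
    sessions: Dict[str, Session] = field(default_factory=dict)   # keyed by IP
    alerts: List[str] = field(default_factory=list)

    def authorize(self, ip, mac, os_fp, user, now):
        """Successful login on the HTTPS portal page: open the firewall rule for
        this IP *and* MAC, and remember which OS the client stack looked like."""
        self.sessions[ip] = Session(ip, mac, os_fp, user, now, now + DHCP_LEASE)

    def is_allowed(self, ip, mac, os_fp):
        """Firewall decision for traffic from (ip, mac) whose stack fingerprints
        as os_fp. False means 'redirect to the portal'. A second OS fingerprint
        on an IP that is already authorized is the spoofing indicator."""
        s = self.sessions.get(ip)
        if s is None:
            return False
        if s.mac != mac:
            self.alerts.append(f"{ip}: MAC {mac} differs from bound {s.mac}")
            return False
        if s.os_fingerprint != os_fp:
            self.alerts.append(f"{ip}: OS {os_fp} seen while session is {s.os_fingerprint}")
            return False
        return True

    def keepalive(self, ip, now):
        """Periodic probe from the authenticated user's logoff window."""
        s = self.sessions.get(ip)
        if s is not None:
            s.last_probe = now

    def dhcp_renew(self, ip, mac, now):
        """Lease renewal observed on the DHCP server; only counts for the bound MAC."""
        s = self.sessions.get(ip)
        if s is not None and s.mac == mac:
            s.lease_expires = now + DHCP_LEASE

    def logoff(self, ip):
        """Explicit logoff through the portal page; returns True if a session ended."""
        return self.sessions.pop(ip, None) is not None

    def expire(self, now):
        """Device-discovery step: drop sessions whose probes or lease have lapsed,
        which shrinks the window in which the address could be reused."""
        gone = [ip for ip, s in self.sessions.items()
                if now - s.last_probe > KEEPALIVE_TIMEOUT or now > s.lease_expires]
        for ip in gone:
            del self.sessions[ip]
        return gone


def demo():
    """Constructed scenario: a Windows client logs in; traffic with the same IP
    but another MAC, then the same MAC but a Linux fingerprint, is refused;
    once the client stops probing, the authorization is withdrawn."""
    portal = CaptivePortal()
    portal.authorize("10.1.0.23", "aa:bb:cc:00:00:01", "windows", "alice", now=0.0)
    legit = portal.is_allowed("10.1.0.23", "aa:bb:cc:00:00:01", "windows")
    other_mac = portal.is_allowed("10.1.0.23", "aa:bb:cc:00:00:99", "windows")
    other_os = portal.is_allowed("10.1.0.23", "aa:bb:cc:00:00:01", "linux")
    portal.keepalive("10.1.0.23", now=60.0)
    still_there = portal.expire(now=100.0)       # 40 s since last probe: kept
    gone = portal.expire(now=200.0)              # 140 s since last probe: dropped
    return legit, other_mac, other_os, len(portal.alerts), still_there, gone
```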
ROGUE ACCESS POINT DETECTION
Rogue detection is a two step process starting with
discovering the presence of an Access Point in the network
and then proceeding to identify whether it is a rogue or not.
Some of the very commonly used techniques for AP
Using wired side inputs
RF scanning: Most WLAN IDS vendors follow this
technique. Re-purposed access points that only do packet
capture and analysis (a.k.a. RF sensors) are plugged in all
over the wired network. These sensors will quickly detect
any wireless device operating in the area and can alert the
AP Scanning: A few Access Point vendors provide the
functionality of detecting neighbouring Access Points. If you
deploy such Access Points in your WLAN, they will
automatically discover APs operating in the nearby area and
expose the data through their web interface as well as their MIBs.
Wired Side Inputs: Most network management software uses
this technique to discover Access Points. This software uses
multiple protocols to detect devices connected to the LAN,
including SNMP, Telnet, CDP (Cisco Discovery Protocol,
specific to Cisco devices), etc. This approach is very reliable
and proven, as it can detect an AP anywhere in the LAN
irrespective of its physical location. Moreover, wireless NMSs
can not only discover the AP but also constantly monitor it for
health and availability.
Once an AP is discovered, the next step is to identify whether
it is a rogue or not. One way to do this is to use a preconfigured
authorized list of APs. Any newly detected AP that falls
outside the authorized list would be tagged rogue. Some of
the different ways in which IT managers can populate the
authorized list are:
Authorized MAC: IT administrators can import ACL settings to
Wi-Fi Manager or type in the MAC address of authorized Access
Points in the network. This enables the rogue detection tool to alert
WLAN administrators whenever AP with a different MAC is
Authorized SSIDs: Enterprises would in most cases standardize
on the authorized SSIDs that need to be used. These SSIDs can be
fed to the rogue detection tool so that it alerts WLAN
administrators whenever an AP with a different SSID is detected.
Authorized Radio Media Type: Enterprises sometimes
standardize on 802.11 a, b or g Access Points. This enables
the rogue detection tool to alert WLAN administrators
whenever an AP with a different radio media type is detected.
Authorized Channel: Sometimes enterprises may want
their APs to operate on selected channels. This enables the
rogue detection tool to alert WLAN administrators
whenever an AP operating on a different channel is detected.
ROGUE AP BLOCKING
Once a rogue AP is discovered, the next immediate step is to
block the AP from the network so that the authorized clients
don't associate with it. There are two ways of blocking the
1. Tit for tat: Launch a Denial-of-Service (DoS) attack on the
rogue AP so that it denies wireless service to any new client.
2. Pull it out of the network: Either the WLAN administrator
can manually locate the AP and pull it physically off the LAN,
or block the switch port to which the AP is connected.
Launching a DoS attack on the rogue AP
Most Wireless IDS vendors follow this practice. This is a kind of
using offence for defence. Once a rogue AP is detected, the
WLAN administrator can use the sensor to launch a DoS attack
on it by sending numerous disassociation packets.
Blocking the switch port
Wireless network management software offers this functionality.
Once the rogue AP is detected, the software will look for the rogue
AP's MAC address in all the switches connected to the LAN. The
port at which the MAC is connected can then be blocked for any
LAN traffic. This is a very effective technique.
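The authorized-list classification (MAC, SSID, radio media type, channel) and the switch-port lookup used for blocking, as one added example written for this page rather than taken from any product. The baseline, scan results and switch MAC tables are constructed; a real NMS would collect the MAC tables from the switches over SNMP.

```python
"""Rogue AP identification against a preconfigured authorized list, followed by
locating the wired port to block (added example, not the page's own code).
The baseline, the scan results and the switch MAC tables are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ObservedAP:
    bssid: str      # MAC address of the AP's radio, as seen in beacons
    ssid: str
    media: str      # radio media type: "a", "b" or "g"
    channel: int


@dataclass
class AuthorizedList:
    macs: Set[str]
    ssids: Set[str]
    media_types: Set[str]
    channels: Set[int]


def classify(ap: ObservedAP, allowed: AuthorizedList) -> List[str]:
    """Return every allow-list criterion the AP violates; an empty list means
    authorized. All four checks run so the alert explains *why* it is rogue."""
    reasons = []
    if ap.bssid.lower() not in allowed.macs:
        reasons.append("unknown MAC")
    if ap.ssid not in allowed.ssids:
        reasons.append("unauthorized SSID")
    if ap.media not in allowed.media_types:
        reasons.append("unauthorized radio media type")
    if ap.channel not in allowed.channels:
        reasons.append("unauthorized channel")
    return reasons


def rogue_report(observed, allowed) -> Dict[str, List[str]]:
    """Map each BSSID failing at least one check to its reasons."""
    report = {}
    for ap in observed:
        reasons = classify(ap, allowed)
        if reasons:
            report[ap.bssid] = reasons
    return report


def locate_port(mac: str, mac_tables: Dict[str, Dict[str, str]]) -> Optional[Tuple[str, str]]:
    """Search every switch's MAC table for the AP's address and return
    (switch, port), the port the administrator would then shut down.
    Caveat: an AP's Ethernet MAC often differs from its BSSID by a small
    offset, so a None result does not prove the AP is not on the LAN."""
    mac = mac.lower()
    for switch, table in mac_tables.items():
        for learned_mac, port in table.items():
            if learned_mac.lower() == mac:
                return switch, port
    return None


# Constructed corporate baseline
ALLOWED = AuthorizedList(
    macs={"00:11:22:33:44:01", "00:11:22:33:44:02"},
    ssids={"corp-wifi"},
    media_types={"a", "g"},
    channels={1, 6, 11, 36, 40},
)

# Constructed scan: two sanctioned APs, a rogue broadcasting the corporate SSID
# and an unmanaged home router on an unusual channel
SCAN = [
    ObservedAP("00:11:22:33:44:01", "corp-wifi", "g", 6),
    ObservedAP("00:11:22:33:44:02", "corp-wifi", "a", 36),
    ObservedAP("de:ad:be:ef:00:01", "corp-wifi", "g", 6),
    ObservedAP("de:ad:be:ef:00:02", "homenet", "b", 3),
]

# Constructed MAC tables as an NMS would collect them: switch -> {mac: port}
MAC_TABLES = {
    "sw-floor1": {"00:11:22:33:44:01": "Gi1/0/1", "aa:bb:cc:dd:ee:10": "Gi1/0/7"},
    "sw-floor2": {"de:ad:be:ef:00:02": "Gi1/0/12", "00:11:22:33:44:02": "Gi1/0/2"},
}


def demo():
    """Classify the scan, then find where each rogue is plugged in (if visible)."""
    report = rogue_report(SCAN, ALLOWED)
    ports = {bssid: locate_port(bssid, MAC_TABLES) for bssid in report}
    return report, ports
```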
Wireless intrusion detection systems
In order to protect our network we need to ensure that we know:
where all access points reside on our network
what actions to take to close down any unauthorised access points
that do not conform to the company security standards
what wireless users are connected to our network
what unencrypted data is being accessed and exchanged by those
To do this we must monitor our air space using a Wireless
Intrusion Detection System.
What is a WIDS?
For an enterprise to protect itself from abuse of its information, it
must monitor the events occurring in its computer system or
network and analyze them for signs of intrusion. To do this, the
enterprise must install an Intrusion Detection System (IDS).
The first thing to clarify here is that an IDS is not a firewall! Firewalls are
designed to be outward looking and to limit access between networks
in order to prevent an intrusion from happening. IDSs watch the wired and
wireless network from the inside and report or alarm depending on
how they evaluate the network traffic they see. They continually
monitor for access points to the network and are able, in some cases, to
compare the security controls defined on the access point
with pre-defined company security standards and either reset or
close down any non-conforming APs they find.
FIREWALL VS IDS
A firewall cannot detect security breaches associated with
traffic that does not pass through it. Only an IDS is aware of
traffic in the internal network.
Not all access to the Internet occurs through the firewall.
A firewall does not inspect the content of the permitted traffic.
A firewall is likely to be attacked more often than an IDS.
A firewall is usually helpless against tunneling attacks.
An IDS is capable of monitoring messages from other pieces of
Misuse IDS, or signature-based detection as it is sometimes
known, looks for network attack sequences or events that match a
predefined pattern (or signature). This method is only as good as the
signatures provided to it, however, and relies on regular signature
updates to keep up with known attacks. The advantage of this
method is that there are few false alarms, or false positives, when
attacks are detected.
Anomaly detection, on the other hand, relies on the administrator to
define normal traffic behaviour on the network – things like typical
packet size, for example. The sensors then monitor the network for
deviations from this normal behaviour and alert when anomalies are
discovered. This method can produce a number of false alarms, and
the systems rely heavily on being 'trained' in what is normal
network traffic and what is not.
In a network-based IDS, or NIDS, the traffic flowing through a
network is analysed. A NIDS is able to detect malicious packets that
are designed to be overlooked by a firewall's filtering rules. It
analyses traffic at all seven layers of the OSI model.
In a host-based system, or HIDS, the IDS examines the activity on
each individual computer and system-specific settings such as
software calls, local security policy, local log audits, and more. This
is done by installing a software client on the host which, again, will
detect known attack patterns, but only against the host that the client
is installed on.
Passive IDS or Reactive IDS: the passive IDS detects suspicious
network traffic, logs the information and signals an alert. A reactive
IDS responds to the suspicious traffic by logging off a user or
closing down an AP.
Wireless Intrusion Detection Systems
Wireless intrusion detection systems monitor a WLAN
using a mixture of hardware and software called intrusion
detection sensors. The sensor sits on the 802.11 network and
examines all network traffic. To help make this decision,
some detailed analysis must first be carried out on the site of the
What kind of building or location is it? Steel framed or
wooden? (A steel framed building will limit the wireless
Are there areas of the site that have to be kept segregated? (In a
built up area there will be mixed businesses, or it may be that a
payroll department may want to be segregated in a large
company for example.)
What MAC addresses are in use? (This list can be used as a
baseline for comparison)
What authorised Access Points already exist? (Again, this list
can be used as a baseline for future comparisons)
Based on this information, and on information gathered
from sniffing the wireless network using open source
software such as Kismet, we can easily build up a picture of
what our WLAN looks like – where our APs are located, who
uses them, from where, how strong the radio signals are
and how strong the radio signals need to be.
Ways to connect sensors to the network:
Once we have our sensors on the network, the APs' signal
strength can be calibrated or blocked to ensure appropriate
coverage, the network traffic can be analysed and, if we have
decided on a misuse type of IDS, compared against a
signature file for attack patterns and known
vulnerabilities. If an attack pattern is detected, the sensor can
send an alert to either a central console, a member of staff
or a managed security service provider for appropriate
response and action.
IDS Security analysts who can interpret the alerts and make
sense of the output
IDS Software Programmers to program the correlation tools
IDS Database Administrators
To be effective, IDS must be run online, in real time. Offline,
or after-the-event IDS, is useful as an audit trail but will not
prevent an attack from taking place. Real-time IDS needs to be
able to stream data across a network from sensors to a central
point where it can be stored and analysed, sometimes known
as a correlation server. This 'additional' network traffic
running concurrently can significantly impact network
performance, so sufficient bandwidth is a prerequisite.
Intrusion detection systems should now be very effective with respect
to false positives and false negatives. As is the case for any intrusion
detection system, false positives are a serious issue that can
prevent the technology from being effective.
If a high rate of false positives is observed, then the confidence in
intrusion detection techniques will decrease drastically and its
alarms will be deactivated or deleted.
The intrusion detection system must evoke confidence in the
network administrators who will be in charge of operating these
systems; if this is not the case, in practice the intrusion detection
systems alarms will be ignored and the architecture will be
Wireless IDS can be deployed in one of two ways.
In a decentralized environment each WIDS operates
independently, logging and alerting on its own. In addition,
this also means each WIDS has to be administered
independently. In a large network this can quickly become
overwhelming and inefficient, and therefore is not
recommended for networks with more than one or two access
The idea behind a centralized WIDS is that sensors are
deployed that relate information back to one central point.
This one point would send alerts and log events as well as
serve as a single point of administration for all sensors.
Another advantage to a centralized approach is that sensors
can collaborate with one another in order to detect a wider
range of events with more accuracy. In this approach there are
also three main ways in which sensors can be deployed.
The first is by using existing access points (AP). Some
access points on the market are able to simultaneously
function as an AP and WIDS sensor. This option has the
potential to be less expensive than the others however there
is a downside. Using the AP for both functions will reduce
the performance, potentially creating a “bottle neck” on the
The second option is to deploy “dumb” sensors. These
devices simply relay all information to the central server
and rely on the server to detect all events. While
inexpensive, all information is sent back to a central point
causing an impact in the performance of the wired network
and creating a single point of failure at the server.
c. The third option is the use of intelligent sensors. These
devices actively monitor and analyze wireless traffic,
identify attack patterns and rogue devices, and look
for deviations from the norm. They then report these events
back to the central server and allow an administrator to
These architectures schematically need to:
listen to the wireless network, which is quite easy thanks to a wireless
network card in “monitor” mode;
analyze the wireless traffic captures, using either a static
signature rule set or anomaly detection algorithms (for example, to
detect MAC spoofing); these components are the code of the intrusion
transmit the events to a central collector;
aggregate events to reduce the overall number of events stored in the
correlate events in order to reduce the number of events and also to
enrich the semantics of these events (typically, a large number of
de-authentications during a certain timeslot is likely to be a denial-of-service attack);
detect if rogue access points are interfering (neighbours), legitimate
enrich the events database to provide the network administrator
with precise alerts;
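The aggregation and correlation steps listed above (many de-authentications in one timeslot become a single denial-of-service event) together with an anomaly check for MAC spoofing, as an added example written for this page, not code from any WIDS product. The frames, the timeslot length and the threshold are constructed.

```python
"""WIDS event aggregation and correlation over 802.11 management frames (added
example, not the page's code). Many deauthentication frames in one timeslot
collapse into a single 'deauth flood' event, and sequence-number discontinuities
for one transmitter address flag probable MAC spoofing. Frames are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

SLOT_SECONDS = 10       # assumed correlation timeslot
DEAUTH_THRESHOLD = 20   # assumed: more deauths than this per slot is a flood
SEQ_MODULO = 4096       # 802.11 sequence numbers are 12 bits wide


@dataclass(frozen=True)
class Frame:
    ts: float       # capture time in seconds
    subtype: str    # "deauth", "data", "beacon", ...
    src: str        # transmitter address
    bssid: str
    seq: int        # sequence number from the sequence-control field


def aggregate_deauths(frames) -> Dict[Tuple[str, int], int]:
    """Aggregation step: count deauth frames per (bssid, timeslot)."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in frames:
        if f.subtype == "deauth":
            counts[(f.bssid, int(f.ts // SLOT_SECONDS))] += 1
    return dict(counts)


def correlate_floods(frames) -> List[dict]:
    """Correlation step: a slot above threshold becomes one enriched event
    instead of dozens of raw deauth alerts."""
    events = []
    for (bssid, slot), n in sorted(aggregate_deauths(frames).items()):
        if n > DEAUTH_THRESHOLD:
            events.append({"type": "deauth-flood", "bssid": bssid,
                           "slot_start": slot * SLOT_SECONDS, "count": n})
    return events


def seq_anomalies(frames, tolerance: int = 8) -> List[str]:
    """Anomaly check for MAC spoofing. One radio's sequence numbers increase by
    one per frame (wrapping at 4096); a second device using the same address
    brings its own counter, so the number steps backwards by more than a small
    reordering tolerance. Large forward gaps are ignored: a channel-hopping
    sensor legitimately misses frames."""
    last: Dict[str, int] = {}
    flagged = []
    for f in frames:
        prev = last.get(f.src)
        if prev is not None:
            back = (prev - f.seq) % SEQ_MODULO   # how far backwards the counter moved
            if tolerance < back < SEQ_MODULO // 2:
                flagged.append(f"{f.src} at t={f.ts}: seq {f.seq} after {prev}")
        last[f.src] = f.seq
    return flagged


def constructed_frames() -> List[Frame]:
    """A client sending data, one frame with its address but a foreign counter,
    two ordinary deauths from the AP, then a burst of 30 forged deauths that
    also restart the AP's sequence counter."""
    ap, client = "00:11:22:33:44:01", "02:00:00:00:00:aa"
    frames = [Frame(0.0, "data", client, ap, 100), Frame(1.0, "data", client, ap, 101),
              Frame(2.0, "data", client, ap, 102), Frame(2.5, "data", client, ap, 7),
              Frame(3.0, "data", client, ap, 103),
              Frame(5.0, "deauth", ap, ap, 500), Frame(5.5, "deauth", ap, ap, 501)]
    frames += [Frame(12.0 + i * 0.1, "deauth", ap, ap, 1 + i) for i in range(30)]
    return frames


def demo():
    frames = constructed_frames()
    return correlate_floods(frames), seq_anomalies(frames)
```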
Wireless intrusion prevention systems
Intrusion detection has a serious drawback: it only provides
detection. Intrusion prevention tries to mitigate the identified risks
by using techniques to prevent the attacks from being effective.
Today, most wireless intrusion detection vendors provide means to
achieve prevention. For example, it could be interesting to prevent
legitimate clients from connecting to a rogue access point
If the detection system is able to detect a rogue access point
interconnected with internal networks, it represents a serious threat
for the company. However, as a detection system, nothing can be
done beyond sending alarms to security operators so that they
manually mitigate the issue. During the reaction period, malicious
activities may occur and will not be prevented by anyone. This is
one of the reasons why wireless intrusion prevention systems were
designed: to prevent the exploitation of wireless security issues.
A typical wireless intrusion prevention system consists of:
wireless sensors – used to monitor and analyze activity;
management server – receives information from the sensors
and performs analysis;
database server – used to store event information generated
by sensors and management servers;
console – the interface for users and administrators.
In a wireless intrusion prevention system, a normal sensor cannot
monitor all the traffic on a band (which consists of more channels)
simultaneously and can monitor only a single channel at a time; to
cover multiple channels, it uses a technique called channel
scanning, which involves monitoring each channel a few times per
To reduce or avoid this limitation, there are specialized sensors that
use several radio modules and can monitor several channels at the
Intrusion prevention systems detect incidents using mainly
signature-based detection, anomaly-based detection and stateful
protocol analysis.
Signature-based detection involves comparing signatures
against observed events in order to identify possible
incidents; this method is very effective in the detection of
known threats but does not provide good results in detecting
previously unknown threats.
Anomaly-based detection involves creating 'normal'
activity patterns and comparing the observed events against
these patterns. The intrusion detection/prevention system has
an initial training phase, in which the system learns the
normal behaviour and creates profiles, which are used as a
base for comparison.
A static profile is determined in the training phase and remains
unchanged, whereas a dynamic profile is constantly adjusted as
additional events are observed.
Stateful protocol analysis: It is the process of comparing
predetermined profiles of generally accepted definitions of
general protocol activity for each protocol state against
observed events to identify deviations
The main types of events which can be detected by wireless
intrusion prevention systems are:
unauthorized WLANs and WLAN devices (rogue APs,
unauthorized stations, unauthorized WLANs);
poorly secured WLAN devices (misconfigurations, use of weak
WLAN protocols and implementations);
unusual usage patterns (using anomaly-based detection);
the use of wireless network scanners (obviously only active
scanners can be detected);
Denial of Service (DoS) attacks (flooding, jamming);
impersonation and man-in-the-middle attacks.
The prevention capabilities refer to wireless actions (such as
terminating the connections between a rogue or misconfigured
station and an authorized AP by sending disassociation
messages to the endpoints) and wired actions (such as
blocking a switch port on which a particular station or AP is
Another feature contained in most wireless intrusion
prevention systems is tracking the location of the threat, by
using triangulation (estimation of the approximate distance
from multiple sensors by the strength of the threat's signal
received by each sensor, and calculation of the physical
location based on this information).
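The triangulation step described above carried through in code, as an added example written for this page (not any vendor's implementation): an assumed log-distance path-loss model turns each sensor's received signal strength into a distance, and the distances from three or more sensors are combined by least squares. The sensor coordinates, path-loss exponent and reference power are constructed and would need per-site calibration in practice.

```python
"""Locating a wireless threat from the signal strength several sensors receive
(added example, not the page's code). Distances come from an assumed
log-distance path-loss model; positions from least-squares trilateration."""
import math
from typing import Sequence, Tuple

Point = Tuple[float, float]

RSSI_AT_1M = -40.0   # assumed reference power (dBm) one metre from the transmitter
PATH_LOSS_N = 3.0    # assumed indoor path-loss exponent


def rssi_to_distance(rssi: float, rssi_1m=RSSI_AT_1M, n=PATH_LOSS_N) -> float:
    """Invert RSSI(d) = rssi_1m - 10 n log10(d). In practice n and rssi_1m must
    be calibrated per site; errors of a few dB translate into metres."""
    return 10 ** ((rssi_1m - rssi) / (10 * n))


def trilaterate(sensors: Sequence[Point], distances: Sequence[float]) -> Point:
    """Least-squares solution of (x-xi)^2 + (y-yi)^2 = di^2 for three or more
    sensors. Subtracting the first sensor's equation from each other one gives
    linear rows a*x + b*y = c, solved through the 2x2 normal equations."""
    if len(sensors) < 3 or len(sensors) != len(distances):
        raise ValueError("need at least three sensors with one distance each")
    (x1, y1), d1 = sensors[0], distances[0]
    rows = []
    for (xi, yi), di in zip(sensors[1:], distances[1:]):
        a = 2 * (xi - x1)
        b = 2 * (yi - y1)
        c = d1 ** 2 - di ** 2 - x1 ** 2 + xi ** 2 - y1 ** 2 + yi ** 2
        rows.append((a, b, c))
    saa = sum(a * a for a, _, _ in rows)
    sab = sum(a * b for a, b, _ in rows)
    sbb = sum(b * b for _, b, _ in rows)
    sac = sum(a * c for a, _, c in rows)
    sbc = sum(b * c for _, b, c in rows)
    det = saa * sbb - sab * sab
    if abs(det) < 1e-9:
        raise ValueError("sensors are collinear; no unique 2-D position")
    x = (sac * sbb - sab * sbc) / det
    y = (saa * sbc - sab * sac) / det
    return x, y


def locate(sensors: Sequence[Point], rssis: Sequence[float]) -> Point:
    """WIPS location feature: RSSI reports from several sensors -> (x, y)."""
    return trilaterate(sensors, [rssi_to_distance(r) for r in rssis])


def simulated_rssi(target: Point, sensor: Point, noise_db: float = 0.0) -> float:
    """Constructed measurement generator using the same path-loss model."""
    d = math.dist(target, sensor)
    return RSSI_AT_1M - 10 * PATH_LOSS_N * math.log10(d) + noise_db


def demo():
    """Four constructed sensors at the corners of a 20 m square and a threat at
    (6, 9) m; exact readings locate it exactly, noisy ones only approximately."""
    sensors = [(0.0, 0.0), (20.0, 0.0), (0.0, 20.0), (20.0, 20.0)]
    exact = locate(sensors, [simulated_rssi((6.0, 9.0), s) for s in sensors])
    noise = [2.0, -1.5, 1.0, -2.0]   # constructed dB errors, one per sensor
    noisy = locate(sensors, [simulated_rssi((6.0, 9.0), s, n) for s, n in zip(sensors, noise)])
    return exact, noisy
```

A few dB of measurement error already moves the estimate by metres, which is why the feature reports an approximate location rather than an exact one.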
After tracking the IP address of intruders, our next objective
is to find the geolocation of the intruders. IP-to-geolocation
tracking is the technique of determining a user's geographic
latitude and longitude and, by inference, city, region and nation, by
comparing the user's public Internet IP address with the known
locations of other electronically neighbouring servers and
routers. An IDS can detect the intrusion and we can find the IP
address of intruders, but merely having an IP address does not
tell us from which place the attack was generated.
Advantage of Geolocation Tracking:
Tracking the intruder's IP address and plotting the trace on a
geographical map gives a clear picture of whether the attack
is distributed and initiated from multiple countries or
initiated from one specific country or region. This
information may be vital for the organization
to take any further action or precautionary measures.
The overall system (Figure 2) works on IDS alert analysis.
Each alert generated by the IDS is passed to the IDS alert log
report. All the alerts from the IDS log report are further analyzed
to track the intruder's source IP address. Once the
correct source IP address of the intruder is confirmed, it is
passed to the API which maps the source IP address on
We have implemented the system using Snort and the Google API for
geolocation mapping of intruders. Snort is the well-known open source
IDS software which detects intrusion events. Snort logs this report in an
alert file. The intruder's IP address is analyzed and traced back. The
traced IP address is passed to the Google Geolocation API, which enables a
web application to:
Obtain the user's current position, using the getCurrentPosition
Watch the user's position as it changes over time, using the
Quickly and cheaply obtain the user's last known position, using
the lastPosition property
The Geolocation API provides the best estimate of the user's
position using a number of sources (called location providers).
These providers may be onboard (GPS, for example) or server-based
(a network location provider). The getCurrentPosition
and watchPosition methods support an optional parameter of
type PositionOptions which lets you specify which location
providers to use.
The geolocation of intruders is obtained by tracking their IP
addresses using databases that map Internet IP
addresses to geographic locations. Google uses MaxMind's
database for mapping IP addresses to a geographical location.
They claim it is 99% accurate. What is in the fine print is that
it is 99% accurate in determining the country, but pinpointing
the exact position is still a challenging issue which needs to be
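The alert-analysis pipeline described above (Snort alert file, source IP extraction, IP-to-location lookup, distributed-or-not summary) as an added, runnable example written for this page; it is not the authors' implementation. The alert lines are constructed in Snort's "fast" alert format, a small prefix-to-country table stands in for a MaxMind-style database, and sources inside the hot spot LAN are reported separately because they cannot be geolocated.

```python
"""From Snort alerts to an intruder geolocation summary (added example, not the
page's code). The alert lines are constructed in Snort's 'fast' alert format,
and a small prefix -> country table stands in for the MaxMind-style database."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Hot spot / internal LAN ranges (assumed): local stations, not geolocatable
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for an IP-to-location database (documentation ranges)
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): "Country A",
    ipaddress.ip_network("203.0.113.0/24"): "Country B",
}

# Constructed alert lines: two external sources, one internal, one unparsable
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] CONSTRUCTED ssh brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 198.51.100.7:51234 -> 10.0.0.5:22",
    "01/15-10:23:47.000001  [**] [1:1000001:1] CONSTRUCTED ssh brute force [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
    "{TCP} 198.51.100.7:51235 -> 10.0.0.5:22",
    "01/15-10:24:02.500000  [**] [1:1000002:1] CONSTRUCTED icmp sweep [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] "
    "{ICMP} 203.0.113.9 -> 10.0.0.5",
    "01/15-10:25:10.000000  [**] [1:1000003:1] CONSTRUCTED portal probe [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 10.1.0.23:40000 -> 10.0.0.1:443",
    "this line is noise that the parser must skip",
]


def parse_alerts(lines) -> List[Dict[str, str]]:
    """Extract the fields of each well-formed fast-format alert; skip the rest."""
    return [m.groupdict() for m in map(ALERT_RE.match, lines) if m]


def lookup_country(ip: str) -> Optional[str]:
    """Prefix lookup in the constructed database; None if the IP is unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_DB.items():
        if addr in net:
            return country
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def geolocate_sources(lines) -> Dict[str, object]:
    """Count alerts per external source IP, map each to a country and say
    whether the activity looks distributed (more than one known country)."""
    per_ip = Counter(a["src"] for a in parse_alerts(lines))
    external = {ip: n for ip, n in per_ip.items() if not is_internal(ip)}
    internal = {ip: n for ip, n in per_ip.items() if is_internal(ip)}
    by_country: Counter = Counter()
    for ip, n in external.items():
        by_country[lookup_country(ip) or "unknown"] += n
    return {
        "external": external,
        "internal": internal,
        "by_country": dict(by_country),
        "distributed": len([c for c in by_country if c != "unknown"]) > 1,
    }


def demo():
    return geolocate_sources(SAMPLE_ALERTS)
```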
A honeypot is a deception trap, designed to entice an attacker into
attempting to compromise the information systems.
Honeypots are typically virtual machines, designed to emulate real
A honeypot works by fooling attackers into believing it is a legitimate
system; they attack the system without knowing that they are being
When an attacker attempts to compromise a honeypot, attack-related
information, such as the IP address of the attacker, is collected.
This activity by the attacker provides valuable information for the
analysis of attacking techniques, allowing system administrators to “trace
back” to the source of the attack if required.
CLASSIFICATION OF HONEYPOTS
Low-interaction Honeypots:
Low-interaction honeypots work by emulating certain
services and operating systems and have limited interaction.
The attacker's activities are limited to the level of emulation
provided by the honeypot. For example, an emulated FTP
service listening on a particular port may only emulate an
FTP login, or it may further support a variety of additional
The advantages of low-interaction honeypots are that they are
simple and easy to deploy and maintain. In addition, the
limited emulation available and/or allowed on low-interaction
honeypots reduces the potential risks brought about by using
them in the field. However, with low-interaction honeypots,
only limited information can be obtained, and it is possible
that experienced attackers will easily recognise a honeypot
when they come across one.
A façade is a software emulation of a target service or
application that provides a false image of a target host. When
a façade is probed or attacked, it gathers information about the
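The emulated-FTP-login façade described above, as an added low-interaction example written for this page (not the page's or any honeypot project's code): it answers the login dialogue, never lets anyone in, and records every command and credential tried. The banner text and the unprivileged port 2121 are assumptions.

```python
"""Low-interaction honeypot façade that emulates only an FTP login dialogue
(added example, not the page's code). It never grants access: every PASS is
rejected, and every command and credential the peer sends is logged."""
import socketserver
import time
from typing import List, Tuple

BANNER = "220 FTP service ready"   # constructed banner; no real FTP server exists
MAX_ATTEMPTS = 3                   # assumed: close after this many failed logins


class FtpFacade:
    """Protocol state machine for one session, kept free of sockets so it can
    be tested. USER, PASS and QUIT are the whole emulated surface; anything
    else gets a pre-login refusal, which is what a real server would answer."""

    def __init__(self, peer: str, clock=time.time):
        self.peer = peer
        self.clock = clock
        self.user = None
        self.attempts = 0
        self.closed = False
        self.log: List[Tuple[float, str, str]] = []   # (time, peer, event)

    def _record(self, event: str) -> None:
        self.log.append((self.clock(), self.peer, event))

    def handle_line(self, raw: str) -> str:
        verb, _, arg = raw.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        self._record(f"cmd {verb}")
        if verb == "USER":
            self.user = arg
            return f"331 Password required for {arg}"
        if verb == "PASS":
            self.attempts += 1
            self._record(f"login attempt user={self.user!r} pass={arg!r}")
            if self.attempts >= MAX_ATTEMPTS:
                self.closed = True
                return "421 Too many failed logins, closing control connection"
            return "530 Login incorrect"
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye"
        if verb in ("SYST", "FEAT", "PWD", "CWD", "LIST", "RETR", "STOR"):
            return "530 Please login with USER and PASS"
        return "500 Unknown command"


class FacadeHandler(socketserver.StreamRequestHandler):
    """One TCP connection: send the banner, answer line by line, dump the log."""

    def handle(self):
        facade = FtpFacade(self.client_address[0])
        self.wfile.write((BANNER + "\r\n").encode())
        while not facade.closed:
            raw = self.rfile.readline()
            if not raw:
                break
            reply = facade.handle_line(raw.decode("latin-1", "replace"))
            self.wfile.write((reply + "\r\n").encode())
        for ts, peer, event in facade.log:   # a real deployment would write to syslog
            print(f"{ts:.0f} {peer} {event}")


def serve(bind=("0.0.0.0", 2121)):
    """Run the façade on an unprivileged port (assumed); redirect port 21 to it
    on the honeypot host if the trap should answer on the standard port."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(bind, FacadeHandler) as srv:
        srv.serve_forever()


def demo():
    """Constructed session: a probe tries admin/secret, lists, then quits."""
    f = FtpFacade("198.51.100.7", clock=lambda: 0.0)
    replies = [f.handle_line(c) for c in ("USER admin\r\n", "pass secret\r\n",
                                          "LIST\r\n", "QUIT\r\n")]
    return replies, f.closed, f.log


if __name__ == "__main__":
    serve()
```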
High-interaction Honeypots:
High-interaction honeypots are more complex, as they involve real
operating systems and applications. For example, a real FTP server
will be built if the aim is to collect information about attacks on a
particular FTP server or service
By giving attackers real systems to interact with, no restrictions are
imposed on attack behaviour, and this allows administrators to
capture extensive details about the full extent of an attacker's
However, it is not impossible that attackers might take over a high-interaction
honeypot system and use it as a stepping-stone to attack
other systems within the organisation. Therefore, sufficient
protection measures need to be implemented accordingly.
In the worst case, the network connection to the honeypot may need
to be disconnected to prevent attackers from further penetrating the
network and machines beyond the honeypot system itself
Example: Sacrificial Lambs
A sacrificial lamb is a system intentionally left vulnerable to
attack. The administrator will examine the honeypot
periodically to determine if it has been compromised, and if
so, what was done to it.
Additional data, such as a detailed trace of commands sent to
the honeypot, can be collected by a network sniffer deployed
near the honeypot.
However, the honeypots themselves are “live” and thus
present a possible jumping-off point for an attacker.
Additional deployment considerations must be made in order
to isolate and control the honeypot, such as by means of
firewalls or other network control devices, or by completely
disconnecting the honeypot from the internal network.
HONEYPOT DEPLOYMENT STRATEGIES
Install honeypots alongside regular production servers. The
honeypot will likely need to mirror some real data and
services from the production servers in order to attract
attackers. The security of the honeypot can be loosened
slightly so as to increase its chance of being compromised.
The honeypot can then collect attack-related information.
However, if a successful attack takes place on the honeypot
within the network, that compromised honeypot machine
might be used to scan for other potential targets in the
This is the main drawback of installing honeypots within
the production system. In other honeypot deployment
methods, (some of which are outlined below) this would not
happen, as the whole honeynet can itself be a fictitious
Pair each server with a honeypot, and direct suspicious
traffic destined for the server to the honeypot. For instance,
traffic at TCP port 80 can be directed to a web server IP
address as normal, while all other traffic to the web server
will be directed towards the honeypot. To camouflage the
honeypot, a certain amount of data, such as the website
contents of a web server, may need to be replicated on the
Build a honeynet, which is a network of honeypots that
imitate and replicate an actual or fictitious network. This will
appear to attackers as if many different types of applications
are available on several different platforms. A honeynet
offers an early warning system against attacks and provides
an excellent way to analyse and understand an attacker's
intention, by looking at what kind of machines and services
have been attacked, and what type of attacks have been
A CASE STUDY
Distributed Honeynet System
Collection of Malware/Bot Sample
Detection of Bot
Finding and Detecting Latest Attack trend
Development of DHS
Distributed Collection System
Development of malware collection mechanism
Development of client-server architecture based
dynamically configurable honeynet nodes.
Development of integrated WEB based framework for
managing, controlling and visualizing DHS.
DHS analysis system
Applied a supervised learning algorithm for developing a
classification mechanism to segregate bots based on
native API calls.
System for botnet detection from honeynet data
(freezing the scope and restricting to IRC and HTTP
C&C server detection).
Collection System : Malware Collection framework
To get the entire spectrum of malware, hybrid honeypots were
used. A combination of high-interaction and low-interaction
honeypots was configured. Another parameter that was
considered is scalability. To avoid detection, an IP switching
technique was used.
The following solution was developed for autonomous
spreading malware binaries which propagate by exploiting
known and unknown vulnerabilities.
Dynamic Malware Analysis for Bot segregation
Bot detection using native API call sequence mining
Bot detection using the system's persistence behavior
Behavior in terms of system state changes & network
behavior rather than pattern of system calls.
Bot detection using Bothunter tool.
802.11-based wireless honeypots are a low-cost option to
observe potential malicious uses of open wireless access
points. This is quite different from WIDS, but, it is considered
as an additional source of information regarding attacks from
the wireless side.
Even if honeypots – especially wireless honeypots – are not
widely deployed and are much more dedicated to research,
these technologies are valuable whenever you want to
evaluate the real risks you are facing. The main drawback is
related to manpower for deploying and operating the
However, honeypots do have their drawbacks. Because they
only track and capture activity that directly interacts with
them, they cannot detect attacks against other systems in the
network. Furthermore, deploying honeypots without enough
planning and consideration may introduce more risks to an
existing network, because honeypots are designed to be
exploited, and there is always a risk of them being taken over
by attackers, using them as a stepping-stone to gain entry to
other systems within the network. This is perhaps the most
controversial drawback of honeypots.