Q

Hunting down the source of a wireless attack

A wireless intrusion prevention system (WIPS) can notify you in the event of an attack on the wireless attack, but might only give an approximate location of the attacker. Wireless expert Lisa Phifer gives advice on some tools to track down the source of a denial of service attack on the WLAN.

Question: I am looking for a tool which would help in physically locating a denial of service (DoS) attacker of a Wireless LAN. I do have a wireless intrusion prevention system (WIPS) which is constantly alerting me to the attack, but need some info on what tool I would use to try and locate the device(s).
Your WIPS should depict the approximate location of the attacker on a floorplan, or at least tell you the sensors/APs closest to the attacker. Given that as a starting point, you'll need to try to find the device by listening to RF that location.

• If the "attacker" happens to be a Wi-Fi AP or Ad Hoc node causing co-channel interference, you can hear it with just about any Wi-Fi discovery tool (aka "stumbler"). See my list of Wireless Security Tools. For example, a good free tool for mapping APs is HeatMapper.

• If the attacker is a Wi-Fi client, you'll need something that can enter RFMON mode and listen to other Wi-Fi traffic, not just AP or Ad Hoc beacons. Some free examples include Airodump-ng, Kismet, or Wireshark, running on Linux or (with an AirPCap adapter) on Windows. Commercial WLAN analyzers can also capture client traffic.

• If the attacker is a non-Wi-Fi device, you'll need a mobile RF spectrum analyzer with a "find" capability. That's commercial product territory right now, but one good example is MetaGeek Wi-Spy. ,

Note that the "attacker" must be active when you're searching. This might seem obvious but it can pose a real challenge – especially for DoS attacks that turn out to be transient RF interference. Look at both historical data gathered by your WIPS and real-time observations from sensors and APs. You might be able to use a WIPS "watch" to trigger a sensor-based remote packet capture the next time the attacker is heard. WIPS event history may suggest the best time of day to find the attacker active. Finally, some new enterprise APs provide on-board spectrum analysis – this investment could prove worthwhile if your "DoS attacks" are really chronic RF interference problems.

This was first published in August 2010

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close