Detection of Rogue Access Points

Jonathan Rogers quantumfoam at gmail.com
Sun Oct 14 21:34:11 UTC 2012


I should probably mention that we do not have any legitimate wireless
devices at these locations. I realize that this complicates matters.

The most recent one we found was found exactly like Joe suggested; we were
looking at an ARP table for other reasons and found suspicious things
(smartphones).

--JR

On Sun, Oct 14, 2012 at 5:30 PM, Tom Morris <blueneon at gmail.com> wrote:

> I have used the wigle app as a scanning and direction finding tool.. it
> works OK. Not automated really as you'd have to walk and watch the screen
> but it works.
>
> I once walked into a glass wall inside a building while searching for a
> rogue AP... FOMP!!!!
> On Oct 14, 2012 5:02 PM, "Jonathan Rogers" <quantumfoam at gmail.com> wrote:
>
>> Gentlemen,
>>
>> An issue has come up in my organization recently with rogue access points.
>> So far it has manifested itself two ways:
>>
>> 1. A WAP that was set up specifically to be transparent and provided
>> unprotected wireless access to our network.
>>
>> 2. A consumer-grade wireless router that was plugged in and "just worked"
>> because it got an address from DHCP and then handed out addresses on its
>> own little network.
>>
>> These are at remote sites that are on their own subnets (10.100.x.0/24;
>> about 130 of them so far). Each site has a decent Cisco router at the
>> demarc that we control. The edge is relatively low-quality managed layer 2
>> switches that we could turn off ports on if we needed to, but we have to
>> know where to look, first.
>>
>> I'm looking for innovative ideas on how to find such a rogue device,
>> ideally as soon as it is plugged in to the network. With situation #2 we
>> may be able to detect NAT going on that should not be there. Situation #1
>> is much more difficult, although I've seen some research material on how
>> frames that originate from 802.11 networks look different from regular
>> ethernet frames. Installation of an advanced monitoring device at each site
>> is not really practical, but we may be able to run some software on a
>> Windows PC in each office. One idea put forth was checking for NTP traffic
>> that was not going to our authorized NTP server, but NTP isn't necessarily
>> turned on by default, especially on consumer-grade hardware.
>>
>> Any ideas?
>>
>> Thank you for your time,
>>
>> Jonathan Rogers
>>
>
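As an added illustration of the ARP-table approach mentioned in this thread (this is example code, not something posted by any participant): a small script that parses Cisco `show ip arp` output for one site, then flags entries whose MAC is new since a saved baseline or whose OUI is not one of the vendors the organisation actually deploys. The sample ARP output, the OUI allowlist and the baseline MACs are all constructed for the example.

```python
import re

# Constructed sample of Cisco IOS "show ip arp" output for one remote site
# (hypothetical addresses and MACs, not taken from the thread).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.100.7.1              -   0011.2233.0001  ARPA   GigabitEthernet0/0
Internet  10.100.7.20            12   0011.2233.0a20  ARPA   GigabitEthernet0/0
Internet  10.100.7.21             3   0011.2233.0a21  ARPA   GigabitEthernet0/0
Internet  10.100.7.88             0   aabb.ccdd.ee88  ARPA   GigabitEthernet0/0
Internet  10.100.7.150            1   f00d.beef.0150  ARPA   GigabitEthernet0/0
"""

# Constructed allowlist of OUIs (first three bytes of the MAC) belonging to
# hardware the organisation deploys: PCs, printers, the site router. Hypothetical.
KNOWN_OUIS = {"00:11:22"}

# Constructed per-site baseline of MACs recorded on a previous run.
BASELINE = {"00:11:22:33:00:01", "00:11:22:33:0a:20", "00:11:22:33:0a:21"}

ARP_LINE = re.compile(
    r"^Internet\s+(\S+)\s+(\S+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA",
    re.IGNORECASE,
)


def normalize_mac(cisco_mac):
    """Convert Cisco dotted form (0011.2233.4455) to 00:11:22:33:44:55."""
    digits = cisco_mac.replace(".", "").lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text):
    """Return a list of (ip, mac) tuples from show ip arp output."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), normalize_mac(m.group(3))))
    return entries


def find_suspects(entries, known_ouis, baseline):
    """Flag MACs that are new since the baseline and/or carry an unknown vendor OUI."""
    suspects = []
    for ip, mac in entries:
        reasons = []
        if mac not in baseline:
            reasons.append("new since baseline")
        if mac[:8] not in known_ouis:  # first three octets are the OUI
            reasons.append("unknown OUI")
        if reasons:
            suspects.append((ip, mac, reasons))
    return suspects
```

Run periodically against each site's router, the "new since baseline" list is what to review first; the OUI check is only as good as the allowlist, so a device that spoofs or shares a known vendor prefix will not be caught by it.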