
International Journal of Emerging Trends & Technology in Computer Science (IJETTCS)

Web Site: www.ijettcs.org Email: editor@ijettcs.org


Volume 3, Issue 6, November-December 2014

ISSN 2278-6856

SURVEY ON TYPES OF THREATS DUE TO RAP AND SOLUTIONS IN IEEE 802.11 WLAN
Mr. Ganesh B. Bandal¹, Prof. Vidya S. Dhamdhere²
¹ Research Scholar, G.H. Raisoni College of Engg. & Management, Wagholi, Pune
² Assistant Professor, G.H. Raisoni College of Engg. & Management, Wagholi, Pune

Abstract
According to Gartner research, 20% of IEEE 802.11 WLANs worldwide are currently vulnerable due to the deployment of Rogue Access Points. This paper identifies and summarizes all threats due to the deployment of Rogue Access Points and the possible solutions for detecting and preventing them in IEEE 802.11 wireless networks.

Keywords:- Wireless Local Area Network (WLAN), Rogue Access Point (RAP), IEEE 802.11.

1. INTRODUCTION
An IEEE 802.11 WLAN, specifically the infrastructure network, bridges a wireless network to a wired network through Wireless Access Points (WAPs). It is therefore necessary to configure the access point and all local wireless clients to use the same network. Unfortunately, because access points are low-cost and plug-and-play, an employee can bring in an unsecured access point, plug it into an available wired port and gain wireless access to the larger wired network. As a result, an attacker can gain access to an organization's sensitive information and gets an edge over the established security policies. The AP is not the only target: ordinary users with open access to the wireless network are targeted as well. On an open wireless network, an attacker can attack the whole wireless network infrastructure, including the clients connecting to the wireless access point. The attacker can apply different methodologies that take advantage of security flaws in the implementation of the IEEE 802.11 WLAN. These threats become more complicated as more and more innovative technologies become available and enable further network attack vectors. Network administrators must therefore maintain security against old and emerging threats, which depends largely on the deployment of firewalls, intrusion detection systems and other network defense tools. Detecting rogue APs is also one of the most important tasks for a network manager. This paper discusses all threats and security issues due to the deployment of Rogue Access Points (RAPs) in IEEE 802.11 WLANs and describes all possible solutions for detecting them. The last section gives the conclusion of the whole paper.

2. IEEE 802.11 STANDARD AND ROGUE APS

2.1 Components of IEEE 802.11
1) An Access Point
2) A wireless station
An Access Point (AP) acts as a bridge between wireless and wired networks. It is the base station giving access to several other wireless stations on the network. A wireless station is a computer with a Network Interface Card (NIC).


Fig. 2.1.1 Components of IEEE 802.11


2.2 Operational Modes Of IEEE 802.11
1) Infrastructure mode
2) Ad Hoc mode
In infrastructure mode, the wireless network has a set of wireless end stations and at least one AP that is connected to the wired network. It is used to extend the range of the wired LAN to wireless cells. Ad hoc mode is a set of wireless stations that communicate with each other without any connection to a wired network and without the use of an AP. The connected stations in an ad hoc network form an Independent Basic Service Set (IBSS).

Fig 2.2.1 Infrastructure Network



Fig 2.2.2 Ad-hoc Network (IBSS)


2.3 Rogue Access Point
Wireless technology still poses a threat to the security of the wired network. As demand for mobility increases, employees ask for wireless access, and if it is not provided they will install it themselves. Access points are inexpensive and easy to set up. When connected to the corporate wired network, rogue APs bypass firewalls and other security systems. They are configured with very weak security settings, which provide an easy entry point onto the network. Rogue access points can also be set up purposefully by an attacker to obtain unauthorized access to the network later, at his leisure.

Fig 2.3.1 Rogue Devices compromising wireless security

3. SECURITY THREATS DUE TO RAP IN IEEE 802.11 WLAN
Associations between APs and wireless stations in Wi-Fi are made by virtual wires, which are vulnerable to interference from surrounding devices such as cordless phones and other APs operating nearby. These virtual wires easily allow radio signals to take different paths to a destination: some radio signals head directly to the destination and some bounce back from obstacles. Thus, in an eavesdropping attack, the attacker can intercept the radio transmission away from the area where the network is available. With respect to network security, one of the problems to be considered is the installation of unauthorized or rogue APs [3]. Problems caused by rogue APs are currently very common. For wireless network users, accessing unsecured APs that are not protected by passwords may pose a threat. In a Denial of Service attack, an attacker can interrupt wireless communication by flooding the RF spectrum with excess noise or by flooding APs. In this type of attack, the attacker can provide a stronger signal than the targeted AP. Rogue Access Points between the client and the AP may fool the user. Once users are fooled into this association, the man-in-the-middle attack can intercept communication, read unencrypted information and obtain passwords. Even with the WEP encryption technique, the attacker can intercept and decrypt data. After MAC spoofing, an attacker can ensure that each fake management frame from his device has a unique fake MAC address. In this way, attackers simulate a network scenario in which many stations send requests to the AP. The authentication mechanism under 802.11 allows an AP to deauthenticate itself with the other entity. The deficiency is that the deauthentication message is not cryptographically protected, so any attacker may forge this message by impersonating the supplicant. In an impersonation attack, the attacker can establish an access point with the same SSID as the target network, and unsuspecting clients can connect to the attacker-controlled wireless network [9].

Fig. 3.1 AP Impersonation Attack

Deauthentication attacks are one of the most common DoS attacks. An attacker creates a DoS attack against an AP with the intention of making it unresponsive and forcing the clients to use the rogue AP. Evil twins are dummy APs that are intentionally deployed by adversaries to intercept sensitive data from associating wireless stations. In an evil twin attack, all transmitted packets can be logged and those without encryption can be analyzed afterwards. With encryption, expert attackers can read user information and distinguish users from one another by using fingerprinting techniques [2]. In this type of attack, an attacker deploys a phony access point in the network that pretends to be a legitimate AP by advertising that WLAN's name, i.e. its extended SSID. Sometimes the attacker inserts himself into the communication path and can then add, delete or modify data in transit. As IEEE 802.11 networks operate in the unlicensed 2.4 GHz and 5 GHz frequency bands, the attacker jams the WLAN frequency with a strong radio signal which renders access points
Nowadays, access points come with a built-in wireless traffic encryption technique. However, tools like the Aircrack-ng suite can be used by an attacker to break the security of a wireless network by monitoring wireless traffic. In the Café Latte
Attack, an attacker can recover a WEP key without being in the vicinity of the corporate wireless network by targeting isolated clients in public areas like airports [9]. In a distributed system, authorization is performed by an external firewall. However, the firewall is not aware of user identity, because it does not perform authentication. The firewall also does not perform encryption and decryption of user data, so it cannot be sure that data claiming to come from a user actually came from that user. This makes the external firewall unreliable for performing identity-based security [10].

Fig. 3.2 Distributed System Security

4. SOLUTIONS AGAINST THREATS DUE TO RAP IN IEEE 802.11 WLAN
Suppose a user attaches their own rogue access point and uses unauthorized wireless hosts with it. To quickly detect such unauthorized activity in real time, the incoming and outgoing traffic at a central gateway is passively monitored [2]. Multiple APs and mobile clients perform RF monitoring to help detect the presence of rogue wireless devices such as unauthorized APs. Each client is required to install special diagnostic software, and rogue APs are assumed to transmit beacon messages and respond to probe requests. In contrast, RAP does not inconvenience clients with additional software installs. Further, its detection ability is not based on the assumption that rogue APs will function properly [4].

Each node in a wireless network can be identified by its location information, which is hard to falsify and not reliant on cryptography. A cluster-based mechanism uses this location information to detect spoofing attacks in wireless networks. This method is capable of both detecting spoofing and determining the number of adversaries in the wireless network that are spoofing the same node identity. Experiments were conducted on two test beds, an 802.11 network and a ZigBee network, in two real office building environments. The method has a detection rate above 98% and determines the number of adversaries with a hit rate of over 90%.

AirSnare is a program for Windows that detects DHCP requests or unauthorized MAC addresses attempting to connect to an AP. The intrusion response consists of an alert to the administrator, and an optional message is sent to the intruder via Windows netmessage. AirSnare has a non-commercial license [5].

Enterprise rogue WLAN detection requires a scalable solution that combines the centralized management of wired-side scanners with the radio frequency analysis of wireless scanners. The AirDefense Services Platform provides this comprehensive solution with an innovative approach to WLAN security that includes a distributed architecture of remote sensors to monitor the airwaves for all WLAN activity and report to a centrally managed server appliance. The remote sensors are equivalent to wireless scanners and add 24x7 monitoring to provide 100% coverage against rogue WLANs the minute they are connected to the network or enter the coverage area. This approach to rogue WLAN detection is akin to the security of physical buildings in which video cameras are deployed at key locations for 24x7 monitoring. A central security station analyzes the incoming video for security risks. The video cameras reduce the need to walk through the building, just as the remote sensors of the AirDefense Services Platform replace the need for handheld manual wireless scanners [8].


Fig 4.1 AirDefense Service Deployment
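
The location-based spoofing detection described in Section 4 is illustrated by the following added example, which is not code from the paper or from the work it cites. It substitutes a simple distance-threshold (leader) clustering for the cited cluster-based method and assumes that location information arrives as one RSS reading per sensor; the MAC address, readings, radius and function names are constructed for illustration.

```python
import math

def cluster_rss(vectors, radius_db=8.0, min_size=3):
    """Greedy leader clustering of RSS vectors (one dBm reading per sensor)."""
    clusters = []                                  # each: [centroid, member_count]
    for v in vectors:
        best, best_d = None, radius_db
        for c in clusters:
            d = math.dist(v, c[0])
            if d <= best_d:                        # nearest centroid within radius
                best, best_d = c, d
        if best is None:
            clusters.append([list(v), 1])          # v starts a new cluster
        else:
            best[1] += 1                           # running-mean centroid update
            best[0] = [m + (x - m) / best[1] for m, x in zip(best[0], v)]
    # Clusters with very few members are treated as measurement noise.
    return [c for c in clusters if c[1] >= min_size]

def assess_identities(frames, radius_db=8.0):
    """frames: iterable of (mac, rss_vector); one cluster per physical transmitter."""
    by_mac = {}
    for mac, rss in frames:
        by_mac.setdefault(mac.lower(), []).append(rss)
    report = {}
    for mac, vectors in by_mac.items():
        k = len(cluster_rss(vectors, radius_db))
        # Assumption: the legitimate device is among the transmitters observed.
        report[mac] = {"transmitters": k, "spoofed": k > 1,
                       "adversaries": max(k - 1, 0)}
    return report

def constructed_frames(mac, positions, per_position=12):
    """Constructed sample: interleaved frames from each signal-space position."""
    noise = [(0, 1, -1), (2, -1, 0), (-1, 0, 2), (1, -2, 1)]   # dB, deterministic
    return [(mac, tuple(p + n for p, n in zip(pos, noise[i % 4])))
            for i in range(per_position) for pos in positions]

AP_MAC = "02:00:00:AA:BB:01"          # constructed address
GENUINE = (-42, -60, -71)             # dBm at sensors 1..3 (constructed)
INTRUDER = (-68, -45, -58)            # second device claiming the same MAC

if __name__ == "__main__":
    print(assess_identities(constructed_frames(AP_MAC, [GENUINE])))
    print(assess_identities(constructed_frames(AP_MAC, [GENUINE, INTRUDER])))
```

The radius has to be larger than the RSS spread of a single stationary device and smaller than the separation between devices, so it needs calibrating per site.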


In the user-oriented technique, users independently determine whether an AP is a RAP. These techniques can be used on laptops or mobiles. An administrator can use the clock skew of a wireless access point (WAP) as a fingerprint to identify RAPs. The technique calculates every AP's clock skew by collecting its beacons as well as probe messages. If a deployed AP's clock skew differs from the clock skews stored in the database, the AP is identified as a rogue AP. The software called Netstumbler is used for sending 802.11 probe requests to a broadcast address. Once these are received, all access points within signal range issue a probe response which contains the network configuration information, including SSID and encryption key. In an agent-based intrusion detection system for RAPs, each agent is equipped with network cards to act as a sniffer and returns an information packet about new APs to the server. The server compares it with the information on authorized APs, which has been stored by hand, to determine whether it is a rogue AP [11]. The link verification and neighbour discovery technique monitors the traffic coming into and going out of neighbouring APs to detect a malicious AP. After a Rogue Access Point is detected, the location of the rogue device can be tracked using signal strength. This also protects against further threats.
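
The clock-skew fingerprint described above can be computed as in the following added example, which is not code from the paper or the cited work. It assumes each beacon is logged as a pair of sensor receive time and the beacon's timestamp field, both in microseconds, and uses an ordinary least-squares fit; the BSSID, skew values, tolerance and function names are constructed for illustration.

```python
from statistics import mean

BEACON_INTERVAL_US = 102_400   # typical beacon interval: 100 TU of 1024 us

def clock_skew_ppm(samples):
    """Least-squares slope of (AP clock - sensor clock) over sensor time, in ppm.

    samples: list of (rx_time_us, beacon_timestamp_us) pairs for one BSSID.
    """
    if len(samples) < 2:
        raise ValueError("need at least two beacons")
    rx0, ts0 = samples[0]
    x = [rx - rx0 for rx, _ in samples]                   # elapsed sensor time
    y = [(ts - ts0) - (rx - rx0) for rx, ts in samples]   # accumulated offset
    mx, my = mean(x), mean(y)
    sxx = sum((xi - mx) ** 2 for xi in x)
    if sxx == 0:
        raise ValueError("all beacons share one receive time")
    sxy = sum((xi - mx) * (yi - my) for xi, yi in zip(x, y))
    return sxy / sxx * 1e6

def classify_ap(bssid, samples, skew_db, tolerance_ppm=2.0):
    """Compare the measured skew with the stored fingerprint for this BSSID."""
    measured = clock_skew_ppm(samples)
    key = bssid.lower()
    if key not in skew_db:
        return "unknown", measured
    if abs(measured - skew_db[key]) > tolerance_ppm:
        return "rogue", measured       # known BSSID, different oscillator
    return "authorized", measured

def synth_beacons(skew_ppm, count=200, ts_start=5_000_000):
    """Constructed capture: beacons from an AP whose clock drifts by skew_ppm."""
    jitter = [0, 3, -2, 1, -3, 2]      # deterministic receive jitter in us
    out = []
    for i in range(count):
        rx = i * BEACON_INTERVAL_US + jitter[i % len(jitter)]
        ts = ts_start + round(i * BEACON_INTERVAL_US * (1 + skew_ppm * 1e-6))
        out.append((rx, ts))
    return out

SKEW_DB = {"02:00:00:aa:bb:01": 18.0}  # constructed fingerprint database (ppm)

if __name__ == "__main__":
    for label, skew in (("genuine AP", 18.0), ("spoofed BSSID", -7.5)):
        verdict, ppm = classify_ap("02:00:00:aa:bb:01", synth_beacons(skew), SKEW_DB)
        print(f"{label}: {verdict} ({ppm:+.2f} ppm)")
```

Because the fingerprint comes from the transmitter's oscillator rather than from any field the sender chooses, copying the SSID and BSSID of an authorized AP does not reproduce it.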

5. CONCLUSION
In this paper, we surveyed various types of attacks as well as solutions against the deployment of Rogue Access Points in IEEE 802.11 Wireless LANs. Due to the continuous growth of wireless communication in IEEE 802.11 WLANs, there is great scope for finding solutions against the threats due to the deployment of RAPs in IEEE 802.11 WLANs.


AUTHOR
Mr. Ganesh B. Bandal. Research Scholar, G.H. Raisoni College of Engg. & Management, Wagholi, Pune.

Prof. Vidya S. Dhamdhere. Assistant Professor, G.H. Raisoni College of Engg. & Management, Wagholi, Pune. She has completed M.E. (CSE) and is pursuing a Ph.D. She is associated with IEEE international conferences as a reviewer and program committee member and has published more than nine papers. Her current research interests are remote sensor networks and network security.

References
[1] Sandip Patil, "A Survey on Malicious Access Point Detection Methods for Wireless LAN", International Journal of Computer Sciences and Engineering, Volume-2, Issue-3, E-ISSN: 2347-2693, pp. 22-25, March 2014.
[2] Guangzhi Qu, "RAPiD: An Indirect Rogue Access Points Detection System", 978-1-4244-93289/10/$26.00, 2010 IEEE.
[3] Ibrahim Halil Saruhan, "Detecting and Preventing Rogue Devices on the Network", SANS Institute.
[4] Prof. Pranit S. Thakur, "Review on RAP: Protecting Wi-Fi Networks from Rogue Access Points", 1st International Conference on Recent Trends in Engineering & Technology, ISSN: 2277-9477, Mar 2012.
[5] Prof. S. B. Vanjale, International Journal of Engineering Science & Technology, Vol-4, No-2, Feb 2012, ISSN: 0975-5462.
[6] Wen Chuan Hsieh, Chi Chun Lo, Jing Chi Lee, "The Implementation of a Proactive Wireless Intrusion Detection System", IEEE, 2004.
[7] Kaixing Wu, Wei Zhang and Wenzeng Zhu, "A Study on the Application of Intrusion Detection Technology to WLAN", 978-1-61284-486-2/11/$26.00, 2011 IEEE.
[8] Motorola, "Tired of Rogues? Solutions for detecting and eliminating Rogue Wireless Networks", White Paper, October 2011.
[9] Brad Antoniewicz, "802.11 Attacks", White Paper.
[10] Aruba Networks, "Building global security policy for Wireless LANs", White Paper.
[11] Kangsuk Chae, Jiawei Shao, Souhwan Jung, "A Scheme of Detection and Prevention Rogue AP using Comparison Security Condition of AP", International Conference on Advances in Computer Science and Electronics Engineering, ISBN: 978-981-07-14031_647, 2012.
