WO2014114099A1 - Method and system for preventing rogue access points in wireless local area network - Google Patents


Info

Publication number: WO2014114099A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2013/083675
Other languages: French (fr), Chinese (zh)
Inventors: 彭永超, 熊杰, 唐建国
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W 12/12 Detection or prevention of fraud
    • H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
    • H04W 12/122 Counter-measures against attacks; Protection against rogue devices

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method and system for preventing a rogue access point in a wireless local area network.
  • WLAN: Wireless Local Area Network.
  • BSS: Basic Service Set.
  • The devices that make up a BSS are called stations (STA); the 802.11 standard defines two networking modes, infrastructure mode (Infrastructure BSS) and independent mode (Independent BSS, IBSS).
  • In an Infrastructure BSS there is one STA that has both an interface to the wireless LAN and an interface to the wired network; it is the access point (AP).
  • An IBSS, also called an ad hoc network, has no access point; the STAs connect to one another and communicate directly.
  • An attacker can set up an AP at very low cost (just a wireless network card), place it in a hotspot such as a coffee shop, and give it a name similar to or identical with a legal wireless network name, for example one beginning with ChinaNet- or CMCC-.
  • The attacker may also use a man-in-the-middle setup: two wireless network cards are installed in one computer, one configured in AP mode to provide a fake access service and the other configured in STA mode and connected to a legal AP, and the two cards are bridged.
  • A STA connected to such a rogue AP can still access the Internet normally, but all packets it sends and receives are intercepted, and the attacker can analyse a great deal of the user's information.
  • The detection method in general use is based on the MAC address of the AP.
  • The controller maintains a list of legal AP MAC addresses through static configuration or dynamic learning, and designates several legal APs to perform scanning operations periodically.
  • The scan result, including the MAC address and channel number of each neighbour AP, is reported to the controller; the controller compares it with the legal AP list, and an AP whose MAC address is not in the list is judged to be a rogue AP.
  • The present invention is directed to a method and a system for preventing a rogue access point in a wireless local area network, so as to at least solve the problem in the related art that a rogue AP which modifies its MAC address to the MAC address of a legal AP in order to gain illegal access cannot be prevented.
  • A method for preventing a rogue access point in a wireless local area network comprises: an AC controls one or more monitoring ends to send a detection packet to all APs, and the AC notifies the legal APs in advance through a secure channel not to respond after receiving the detection packet; the AC determines the rogue APs among all APs from the responses received by the monitoring ends, and controls the monitoring ends to send an attack packet to the rogue AP.
  • The step of controlling the monitoring end to send an attack packet to the rogue AP after the AC has determined the rogue AP includes: after determining the rogue AP, the AC randomly constructs multiple fake STA addresses and passes them to the monitoring end through the secure channel; if the rogue AP is impersonating the STA address of a legal AP, the fake STA addresses are also passed through the secure channel to the legal AP being impersonated; the AC controls the monitoring end to use the fake STA addresses to forge a plurality of fake STAs that send attack packets to the rogue AP; the impersonated legal AP ignores the attack packets after receiving them.
  • The monitoring end is a monitoring STA or a monitoring AP designated by the AC; when the monitoring end is a monitoring AP, the monitoring AP masquerades as a STA to send the detection packet to all APs, the MAC address it masquerades with being randomly constructed by the AC; when the monitoring end is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the AC.
  • The types of the detection packet include: a probe request and/or an association request.
  • The types of the attack packet include: an authentication request and/or an association request.
  • The present invention also provides a system for preventing a rogue access point in a wireless local area network, including an AC and a monitoring end.
  • The AC is configured to control one or more monitoring ends to send detection packets to all APs, to notify the legal APs in advance through the secure channel not to respond after receiving the detection packet, to determine the rogue APs among all APs from the responses received by the monitoring end, and to control the monitoring end to send an attack packet to the rogue AP.
  • The monitoring end is configured to send the detection packet to all APs as instructed by the AC, to forward the responses it receives to the AC, and to send the attack packet to the rogue AP as instructed by the AC.
  • Preferably, the AC is configured to control one or more monitoring ends to send detection packets to all APs, to notify all legal APs in advance through the secure channel not to respond after receiving the detection packet, to determine the rogue APs among all APs from the responses received by the monitoring end, and, after determining a rogue AP, to randomly construct a plurality of fake STA addresses and pass them to the monitoring end through the secure channel; if the rogue AP is impersonating the STA address of a legal AP, the fake STA addresses are also passed through the secure channel to the impersonated legal AP, and the AC controls the monitoring end to use the fake STA addresses to forge multiple fake STAs that send attack packets to the rogue AP.
  • Preferably, the monitoring end is configured to send the detection packet to all APs as instructed by the AC, to forward the responses it receives to the AC, and, as instructed by the AC, to send attack packets to the rogue AP using the multiple fake STA addresses randomly constructed by the AC.
  • The present invention provides a method and a system for preventing a rogue access point in a wireless local area network.
  • The access point controller controls the monitoring end to send a detection packet to all APs; a legal AP does not respond after receiving the detection packet, whereas a rogue AP responds; the access point controller determines the rogue AP from the response sent by the rogue AP and received by the monitoring end, and controls the monitoring end to send an attack packet to the rogue AP so that the rogue AP cannot work normally.
  • The method is simple and easy to implement.
  • FIG. 1 is a flowchart of the method for preventing a rogue access point in a wireless local area network according to Embodiment 1 of the present invention.
  • FIG. 2 is a flowchart of the method by which a legal AP detects and attacks a rogue AP according to Embodiment 1 of the present invention.
  • The method and system for preventing a rogue access point in a wireless local area network involve stations (STA), access points (AP) and an access point controller (AC).
  • STA: Station.
  • AC: Access Point Controller.
  • Embodiment 1: this embodiment of the present invention provides a method for preventing a rogue access point in a wireless local area network. Referring to FIG. 1, the method includes the following.
  • The monitoring end in this embodiment is a monitoring STA or a monitoring AP designated by the AC.
  • The monitoring AP masquerades as a STA to send the detection packet to all APs, the MAC address it masquerades with being randomly constructed by the AC.
  • The detection packet in this embodiment includes: a detection period, a probe request and/or an association request, and the channels to be scanned.
  • S102: The rogue AP responds after receiving the detection packet; because it does not know that this is a detection packet, it answers it.
  • S103: The AC determines, from the response sent by the rogue AP, that this AP is a rogue AP.
  • The AC then controls the monitoring end to send an attack packet to the rogue AP so that the rogue AP cannot work normally.
  • The attack packet includes: the MAC address of the rogue AP, a probe request and/or an association request, and the attack duration.
  • This step may include: after the AC determines the rogue AP, it randomly constructs a plurality of fake STA addresses and passes them to the monitoring end through the secure channel; if the rogue access point is impersonating the STA address of a legal access point, the fake STA addresses are also passed through the secure channel to the impersonated legal access point; the AC controls the monitoring end to use the fake STA addresses to forge multiple fake STAs that send attack packets to the rogue access point.
  • This embodiment of the present invention further provides a method for a legal AP to detect and attack a rogue AP.
  • The method may include: when the function of preventing rogue APs is enabled, the AC first selects several legal APs as monitoring APs; the coverage of these monitoring APs should together cover the entire wireless network.
  • The following example assumes three legal APs, AP1 to AP3, with the AC selecting AP1 as the monitoring AP. AP4 is assumed to be a rogue AP that has set its own MAC address to be the same as that of AP2.
  • S201: The AC randomly constructs several fake STA addresses and passes them to all legal APs through a secure channel.
  • S202: The AC issues a start-detection command to AP1, requesting it to begin the rogue AP detection process.
  • The detection command includes: a detection period, the type of the detection packet (probe request and/or association request, etc.), and the channels to be scanned.
  • AP1 periodically constructs a detection packet whose source address is a fake STA address and sends it by broadcast or unicast (a probe request may be broadcast; an association request can only be unicast).
  • AP2 and AP3 already know that this is a fake STA and do not respond.
  • AP4 does not know, sends a response, and thereby exposes itself.
  • The AC can confirm further. For example, if the source address of the response packet is the address of a legal AP, the AC can ask that legal AP through the secure channel to confirm whether it sent the response. In addition, rules can be configured on the AC to ignore certain responses; for example, if the wireless network name carried in the response is not the carrier's, the response is ignored. After the AC confirms that a rogue AP has been detected, the following steps can be performed to attack the rogue AP so that STAs cannot connect to it.
  • The AC randomly constructs a plurality of fake STA addresses and passes them through the secure channel to the monitoring AP, here AP1. If the rogue AP has set its address to be the same as that of a legal AP, the AC also passes the fake STA addresses to the impersonated legal AP, here AP2.
  • S207: The AC sends an attack command to AP1, requesting it to attack the rogue AP.
  • The attack command includes parameters such as the MAC address of the rogue AP, the type of the attack packet (authentication request and/or association request, etc.), and the attack duration.
  • AP1 begins attacking the rogue AP, AP4, forging a number of STAs that send attack packets to it.
  • The number of STAs allowed to connect to an AP is limited; once the resources on AP4 are occupied by fake STAs, other normal STAs cannot connect to it.
  • This embodiment of the present invention further provides a method for a STA to detect and attack a rogue AP. The method may include: a number of monitoring STAs are deployed within the coverage of the wireless local area network, and they perform the detection and block the operation of rogue APs. Using monitoring STAs reduces the impact on the normal operation of the legal APs.
  • S301: The monitoring STA establishes a secure channel with a legal AP through WPA/WPA2 key negotiation.
  • The AC determines that the station that has come online is a monitoring STA and sends it a command containing a fake STA address; the AC also sends the forged STA address to each legal AP through the secure channel.
  • The AC sends a detection command to the monitoring STA, requesting it to start the detection process; the detection command includes: a detection period, the type of the detection packet (probe request and/or association request, etc.), and the channels to be scanned.
  • The monitoring STA changes its own address to the forged address and sends detection packets as required. Because the legal APs already know that this is a fake address, they do not respond; the rogue AP does not know, responds, and exposes itself.
  • The monitoring STA changes its address back to its real address, re-associates with the corresponding AP, and reports the detection result to the AC.
  • The AC may send a message to the legal AP that the rogue AP is impersonating for further confirmation.
  • S307: After confirming the rogue AP, the AC randomly constructs a plurality of fake STA addresses and passes them through the secure channel to the monitoring STA and to the impersonated legal AP, here AP2.
  • The AC sends an attack command to the monitoring STA, requesting it to attack the rogue AP.
  • The attack command includes: the MAC address of the rogue AP, the type of the attack packet (authentication request and/or association request, etc.), and the attack duration.
  • The monitoring STA begins attacking the rogue AP, AP4, using the fake addresses to send attack packets to it.
  • The number of STAs allowed to connect to an AP is limited; when the resources on AP4 are occupied by fake STAs, other normal STAs cannot connect to it, and the rogue AP no longer works properly.
  • Because AP4 has set its address to be the same as AP2's, AP2 also receives the attack packets; since the AC has already told AP2 the fake STA addresses, the wireless driver on AP2 can discard those packets directly, and AP2 is little affected.
  • Embodiment 2: this embodiment of the present invention provides a system for preventing a rogue access point in a wireless local area network. The system includes an access point controller configured to control one or more monitoring ends to send detection packets to all access points, to notify all legal access points in advance through the secure channel not to respond after receiving the detection packet, to determine the rogue access point among all access points from the responses received by the monitoring end, and, after determining the rogue access point, to randomly construct a plurality of fake STA addresses and pass them to the monitoring end through the secure channel.
  • If the rogue access point is impersonating a legal access point, the fake STA addresses are also passed through the secure channel to the impersonated legal access point, and the monitoring end uses the fake STA addresses to forge multiple fake STAs that send attack packets to the rogue access point.
  • The monitoring end is configured to send the detection packet to all access points as instructed by the access point controller, to forward the responses it receives to the access point controller, and, as instructed by the access point controller, to send attack packets to the rogue access point using the plurality of fake STA addresses randomly constructed by the access point controller.
  • The monitoring end in this embodiment is a monitoring STA or a monitoring AP designated by the AC; when it is a monitoring AP, the monitoring AP masquerades as a STA to send the detection packet to all APs, with the masquerade MAC address randomly constructed by the AC; when it is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the AC.
  • The detection packet in this embodiment includes: a detection period, a probe request and/or an association request, and the channels to be scanned.
  • The attack packet in this embodiment includes: the MAC address of the rogue AP, an authentication request and/or an association request, and the attack duration.
  • The embodiments of the present invention provide a method and system for preventing a rogue access point in a wireless local area network with the following beneficial effects: the access point controller controls the monitoring end to send a detection packet to all APs; the legal APs do not respond to it, whereas the rogue AP responds after receiving it; the access point controller determines, from the response of the rogue AP received by the monitoring end, which AP is rogue; and the monitoring end sends attack packets to the rogue AP so that it cannot work normally. The method is simple and easy to implement.
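The following Python simulation is an added illustration of the detection half of the procedure above; it is not code from the patent or from its assignee. It models the AC handing randomly constructed fake STA addresses to the legal APs over a secure channel (an in-memory set here), a monitoring STA that masquerades as one of those addresses to broadcast a probe request, legal APs that drop frames from known fake addresses in the driver, a rogue AP that has cloned AP2's MAC address and therefore answers, the AC's confirmation step (asking the legal AP whether it sent the response) and its SSID ignore rule. It also includes the background-art MAC-list check to show why that check alone misses the clone. The class names, MAC addresses and SSIDs are constructed assumptions; the attack step is not modelled.

```python
# Added, constructed simulation of the fake-STA probe detection described above; not code
# from the patent or its assignee. MACs, SSIDs, class names and the in-memory "secure
# channel" are assumptions. Only the detection steps are modelled, not the attack step.
import secrets
from dataclasses import dataclass


def random_mac() -> str:
    """Random locally administered unicast MAC, the kind the AC hands out as a fake STA address."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE  # set the local bit, clear the multicast bit
    return ":".join(f"{x:02x}" for x in b)


@dataclass(frozen=True)
class ProbeRequest:
    src: str  # address the monitoring end masquerades as
    dst: str = "ff:ff:ff:ff:ff:ff"  # probe requests may be broadcast


@dataclass(frozen=True)
class ProbeResponse:
    src: str  # BSSID of the answering AP
    dst: str
    ssid: str


class LegalAP:
    """AP under the AC's control; learns the fake STA addresses over the secure channel."""

    def __init__(self, name, mac, ssid):
        self.name, self.mac, self.ssid = name, mac, ssid
        self.fake_sta_addrs = set()
        self.sent = []  # lets the AC ask "did you send this response?"

    def secure_channel_notify(self, fake_addrs):
        self.fake_sta_addrs.update(fake_addrs)

    def on_probe_request(self, req):
        if req.src in self.fake_sta_addrs:  # known detection traffic: drop it in the driver
            return None
        resp = ProbeResponse(self.mac, req.src, self.ssid)
        self.sent.append(resp)
        return resp

    def confirm_sent(self, resp):
        return resp in self.sent


class RogueAP:
    """AP outside the AC's control; may have cloned a legal BSSID and SSID from beacons."""

    def __init__(self, mac, ssid):
        self.mac, self.ssid = mac, ssid

    def on_probe_request(self, req):
        return ProbeResponse(self.mac, req.src, self.ssid)  # knows nothing, so it answers


class MonitoringSTA:
    """Monitoring end: takes a fake address, probes, then restores its real address."""

    def __init__(self, real_mac):
        self.real_mac = self.addr = real_mac

    def probe(self, fake_addr, aps_in_range):
        self.addr = fake_addr
        try:
            req = ProbeRequest(src=self.addr)
            return [r for r in (ap.on_probe_request(req) for ap in aps_in_range) if r]
        finally:
            self.addr = self.real_mac  # re-associate under the real address afterwards


class AC:
    def __init__(self, legal_aps, carrier_ssids, n_fake=4):
        self.legal_aps = {ap.mac: ap for ap in legal_aps}
        self.carrier_ssids = set(carrier_ssids)
        self.fake_sta_addrs = [random_mac() for _ in range(n_fake)]
        for ap in legal_aps:  # secure channel: legal APs must not answer these addresses
            ap.secure_channel_notify(self.fake_sta_addrs)

    def legacy_mac_list_check(self, scanned_bssids):
        """Background-art method: flags only BSSIDs absent from the legal list."""
        return sorted(m for m in set(scanned_bssids) if m not in self.legal_aps)

    def detect(self, monitor, aps_in_range):
        """Probe with a fake STA address and classify every AP that answers."""
        findings = []
        for resp in monitor.probe(self.fake_sta_addrs[0], aps_in_range):
            legal = self.legal_aps.get(resp.src)
            if resp.ssid not in self.carrier_ssids:
                findings.append((resp.src, "ignored: not a carrier SSID"))
            elif legal is None:
                findings.append((resp.src, "rogue: unknown BSSID"))
            elif legal.confirm_sent(resp):  # asked over the secure channel
                findings.append((resp.src, "legal"))
            else:  # a legal BSSID answered, but that legal AP did not send it
                findings.append((resp.src, f"rogue: clone of {legal.name}"))
        return findings


def demo():
    """Three legal APs, a rogue clone of AP2 and an unrelated cafe AP (all constructed)."""
    ap1 = LegalAP("AP1", "02:00:00:00:00:01", "ChinaNet")
    ap2 = LegalAP("AP2", "02:00:00:00:00:02", "ChinaNet")
    ap3 = LegalAP("AP3", "02:00:00:00:00:03", "ChinaNet")
    ap4 = RogueAP(ap2.mac, "ChinaNet")  # cloned AP2's BSSID and SSID
    cafe = RogueAP("02:00:00:00:00:99", "CafeGuest")  # third-party AP, not the carrier's
    ac = AC([ap1, ap2, ap3], carrier_ssids={"ChinaNet"})
    monitor = MonitoringSTA("02:00:00:00:00:aa")
    in_range = [ap1, ap2, ap3, ap4, cafe]
    legacy = ac.legacy_mac_list_check([ap.mac for ap in in_range])
    return legacy, ac.detect(monitor, in_range), monitor.addr
```

Calling demo() returns three things: the MAC-list result, which flags only the cafe AP and misses AP4 because AP4 carries AP2's address; the probe findings, in which the response from AP2's BSSID is marked as a rogue clone because AP2 denies having sent it over the secure channel, while the cafe response is ignored by the SSID rule; and the monitoring STA's address, restored to its real value once the probe round is over.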

Abstract

Disclosed in the present invention are a method and system for preventing rogue access points in a wireless local area network. The method comprises: an access point controller controlling one or a plurality of monitor terminals to send a detection message to all access points, and the access point controller giving an advance notice through a secure channel that legal access points do not respond after receiving the detection message; and the access point controller determining the rogue access points in all the access points through the responses received by the monitor terminals, and controlling the monitor terminals to send an attack message to the rogue access points. The method is simple and easy to implement, and effectively solves the problem that the MAC (Media Access Control) address of a rogue AP (Access Point) is modified as the MAC address of a legal AP for illegal access.

Description

Method and system for preventing rogue access points in a wireless local area network

TECHNICAL FIELD

The present invention relates to the field of communications technologies, and in particular to a method and system for preventing rogue access points in a wireless local area network.

BACKGROUND

Wireless local area network (WLAN) technology is built on the 802.11 standard established by the IEEE. That standard calls a wireless LAN a basic service set (BSS); the devices that make up a BSS are called stations (STA), and two networking modes are defined: infrastructure mode (Infrastructure BSS) and independent mode (Independent BSS). In an Infrastructure BSS, one STA has both an interface to the wireless LAN and an interface to the wired network; it is called the access point (AP). All other STAs connect to the AP, and communication between a STA and the wired network, as well as communication between STAs, is relayed through the AP. An IBSS, also called an ad hoc network, has no AP; the STAs are peers that connect to one another and communicate directly. Most real deployments use infrastructure mode.

Because WLAN signals travel over the air, a WLAN faces more security threats than a wired LAN. One of the larger threats is the rogue AP. An attacker can set up an AP at very low cost (a single wireless network card is enough), place it in a hotspot area such as a coffee shop, give it a name similar to or identical with a legal wireless network name, for example one beginning with ChinaNet- or CMCC-, lure users into connecting to it, and present a fake login page to capture the user's account name and password. To be more convincing, the attacker may mount a man-in-the-middle attack: two wireless network cards are installed in the attacker's computer, one configured in AP mode to provide the fake access service and the other configured in STA mode and connected to a legal AP, with the two cards bridged. A STA that connects to the rogue AP can then still reach the Internet normally, but every packet it sends and receives is intercepted, and the attacker can extract a great deal of the user's information from that traffic.

To defend against rogue APs, one must first be able to detect them. The detection method in common use is based on the MAC address of the AP: the controller maintains a list of legal AP MAC addresses, built by static configuration or dynamic learning, and designates several legal APs to perform periodic scans; each legal AP reports its scan results, including the MAC address and channel number of every neighbouring AP, to the controller; the controller compares the scan results with the legal AP list, and any AP whose MAC address is not in the list is judged to be a rogue AP. However, because the wireless environment is open, a rogue AP can simply listen to beacon frames, learn the MAC address and other parameters of a legal AP, and change its own MAC address and other parameters to match, at which point the detection method above fails. A new method is therefore needed to handle this situation.

SUMMARY OF THE INVENTION

In view of the above analysis, the present invention aims to provide a method and system for preventing rogue access points in a wireless local area network, so as to at least solve the problem in the related art that a rogue AP which modifies its MAC address to the MAC address of a legal AP in order to gain illegal access cannot be prevented.

The object of the present invention is achieved mainly through the following technical solutions.

A method for preventing rogue access points in a wireless local area network comprises: an AC controls one or more monitoring ends to send a detection packet to all APs, and the AC notifies the legal APs in advance through a secure channel not to respond after receiving the detection packet; the AC determines the rogue APs among all APs from the responses received by the monitoring ends, and controls the monitoring ends to send an attack packet to the rogue AP.

Preferably, the step of controlling the monitoring end to send an attack packet to the rogue AP after the AC has determined the rogue AP includes: after determining the rogue AP, the AC randomly constructs a plurality of fake STA addresses and passes them to the monitoring end through the secure channel; if the rogue AP is impersonating the STA address of a legal AP, the fake STA addresses are also passed through the secure channel to the legal AP being impersonated; the AC controls the monitoring end to use the fake STA addresses to forge a plurality of fake STAs that send attack packets to the rogue AP; the impersonated legal AP ignores the attack packets after receiving them.

Preferably, the monitoring end is a monitoring STA or a monitoring AP designated by the AC; when the monitoring end is a monitoring AP, the monitoring AP masquerades as a STA to send the detection packet to all APs, the MAC address it masquerades with being randomly constructed by the AC; when the monitoring end is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the AC.

Preferably, the types of the detection packet include a probe request and/or an association request.

Preferably, the types of the attack packet include an authentication request and/or an association request.

The present invention also provides a system for preventing rogue access points in a wireless local area network, comprising: an AC, configured to control one or more monitoring ends to send a detection packet to all APs, to notify the legal APs in advance through a secure channel not to respond after receiving the detection packet, to determine the rogue APs among all APs from the responses received by the monitoring end, and to control the monitoring end to send an attack packet to the rogue AP; and the monitoring end, configured to send the detection packet to all APs as instructed by the AC, to forward the responses it receives to the AC, and to send the attack packet to the rogue AP as instructed by the AC.

Preferably, the AC is configured to control one or more monitoring ends to send detection packets to all APs, to notify all legal APs in advance through the secure channel not to respond after receiving the detection packet, to determine the rogue APs among all APs from the responses received by the monitoring end, and, after determining a rogue AP, to randomly construct a plurality of fake STA addresses and pass them to the monitoring end through the secure channel; if the rogue AP is impersonating the STA address of a legal AP, the fake STA addresses are also passed through the secure channel to the impersonated legal AP, and the AC controls the monitoring end to use the fake STA addresses to forge a plurality of fake STAs that send attack packets to the rogue AP. The monitoring end is configured to send the detection packet to all APs as instructed by the AC, to forward the responses it receives to the AC, and, as instructed by the AC, to send attack packets to the rogue AP using the plurality of fake STA addresses randomly constructed by the AC.

Preferably, the monitoring end is a monitoring STA or a monitoring AP designated by the AC; when the monitoring end is a monitoring AP, the monitoring AP masquerades as a STA to send the detection packet to all APs, the MAC address it masquerades with being randomly constructed by the AC; when the monitoring end is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the AC.

Preferably, the types of the detection packet include a probe request and/or an association request.

Preferably, the types of the attack packet include an authentication request and/or an association request.

The beneficial effects of the present invention are as follows. The invention provides a method and system for preventing rogue access points in a wireless local area network: the access point controller controls the monitoring end to send a detection packet to all APs; a legal AP does not respond after receiving the detection packet, whereas a rogue AP responds after receiving it; the access point controller determines the rogue AP from the response sent by the rogue AP and received by the monitoring end, and controls the monitoring end to send attack packets to the rogue AP so that the rogue AP cannot work normally. The method is simple and easy to implement, and effectively solves the problem that a rogue AP modifies its MAC address to the MAC address of a legal AP in order to gain illegal access.

Other features and advantages of the invention will be set forth in the description that follows, and in part will be apparent from the description or may be learned by practising the invention. The objects and other advantages of the invention may be realised and attained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart of the method for preventing rogue access points in a wireless local area network according to Embodiment 1 of the present invention;

FIG. 2 is a flowchart of the method by which a legal AP detects and attacks a rogue AP according to Embodiment 1 of the present invention;

FIG. 3 is a flowchart of the method by which a STA detects and attacks a rogue AP according to Embodiment 1 of the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

Preferred embodiments of the present invention are described below with reference to the accompanying drawings, which form part of this application and, together with the embodiments, serve to explain the principles of the invention. For the sake of clarity and brevity, detailed descriptions of known functions and structures in the devices described herein are omitted where they might obscure the subject matter of the invention.

The method and system for preventing rogue access points in a wireless local area network provided by the present invention involve stations (STA), access points (AP) and an access point controller (AC).

Embodiment 1

This embodiment of the present invention provides a method for preventing rogue access points in a wireless local area network. Referring to FIG. 1, the method includes:
S101. The access point controller controls one or more monitors to send detection frames to all APs, and the AC notifies all legitimate APs in advance, over a secure channel, that they need not respond after receiving a detection frame.

The secure channel in this embodiment is a secure channel established between each legitimate AP and the AC, and between a STA and the AC. A legitimate AP and the AC are usually connected over the wired network and interact using the CAPWAP protocol (see RFC 5415), which requires the encrypted communication channel between AP and AC to be established on the basis of a pre-shared key or a certificate. A rogue AP is generally not connected to the AC over the wired network at all, and even if it were, it holds no pre-shared key or certificate and so cannot establish the encrypted channel; a secure channel therefore exists only between a legitimate AP and the AC. If the monitor is a STA, the frames exchanged between that STA and the legitimate AP over the wireless channel also need protection; the legitimate AP and the STA can establish a secure wireless channel through WPA/WPA2 key negotiation.

The monitor in this embodiment is a monitoring STA or a monitoring AP designated by the AC.

When the monitor is a monitoring AP, the monitoring AP disguises itself as a STA to send detection frames to all APs, the MAC address it uses as a STA being randomly constructed by the AC; when the monitor is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the AC.

In this embodiment the detection message carries: the detection period, the probe request and/or association request to be sent, and the channels to be scanned.
S102. The rogue AP responds after receiving the detection frame. Because the rogue AP does not know that this is a detection frame, it answers it as it would any probe or association request.
S103. The AC determines which AP is a rogue AP from the response sent by the rogue AP and received by the monitor.
S104. After determining the rogue AP, the AC controls the monitor to send attack frames to the rogue AP so that the rogue AP cannot operate normally.

The attack message carries: the MAC address of the rogue AP, the authentication request and/or association request to be sent, and the attack duration.

This step may include: after the AC determines the rogue AP, it randomly constructs a plurality of fake STA addresses and passes them to the monitor over the secure channel; if the rogue access point has impersonated the address of a legitimate access point, it also passes the fake STA addresses over the secure channel to the legitimate access point being impersonated; the AC controls the monitor to pose as a plurality of fake STAs using those fake STA addresses and send attack frames to the rogue AP so that the rogue AP cannot operate normally; the legitimate AP impersonated by the rogue AP ignores the attack frames after receiving them, so it is not affected by them.

As shown in FIG. 2, this embodiment also provides a method in which a legitimate AP performs the detection and attack of a rogue AP. The method may include: when the rogue-AP prevention function is enabled, the AC first selects a number of legitimate APs as monitoring APs; the combined coverage of these monitoring APs should cover the entire wireless network.

To simplify the description, the following example assumes three legitimate APs, AP1 to AP3, with the AC selecting AP1 as the monitoring AP, and assumes that AP4 is a rogue AP that has set its MAC address to the same value as AP2's.
S201. The AC randomly constructs a number of fake STA addresses and passes them to all legitimate APs over the secure channel.

S202. The AC issues a start-detection command to AP1, requiring it to begin the rogue-AP detection process. The detection command includes: the detection period, the type of detection frame (probe request and/or association request, etc.), and the channels to be scanned.
S203. As instructed, AP1 periodically constructs detection frames whose source address is one of the fake STA addresses and sends them by broadcast or unicast (a probe request may be broadcast; an association request can only be unicast). AP2 and AP3 already know that this is a fake STA and do not respond. AP4 does not know, sends a response, and thereby exposes itself.
S204. If AP1 receives a response, it reports it to the AC.
S205. To reduce false positives, the AC may perform further confirmation. For example, if the source address of the response is the address of some legitimate AP, the AC can ask that legitimate AP over the secure channel to confirm whether it really sent the response. In addition, rules can be configured on the AC to ignore certain responses; for example, a response carrying a wireless network name that does not belong to this operator is ignored.

Once the AC has confirmed that a rogue AP has been detected, the following steps may be performed to attack the rogue AP and prevent STAs from connecting to it.
S206. The AC randomly constructs a large number of fake STA addresses and passes them over the secure channel to the monitoring AP, here AP1. If the rogue AP has set its address to that of a legitimate AP, the AC also passes the fake STA addresses to the impersonated legitimate AP, here AP2.

S207. The AC issues an attack command to AP1, requiring it to attack the rogue AP. The attack command includes the MAC address of the rogue AP, the type of attack frame (authentication request and/or association request, etc.), the attack duration and similar parameters.
S208. AP1 begins attacking the rogue AP, AP4, posing as many STAs and sending attack frames to it. The number of STAs an AP can accept is generally limited; once AP4's resources are all occupied by fake STAs, normal STAs can no longer connect to it, which is exactly the intended result.
S209. Because AP4 has set its address to the same value as AP2's, AP2 also receives the attack frames. Since the AC has already told AP2 the fake STA addresses, AP2's wireless driver can simply drop these frames, and AP2 is affected very little.

As shown in FIG. 3, this embodiment also provides a method in which a STA performs the detection and attack of a rogue AP. The method may include: a number of monitoring STAs are deployed within the coverage of the wireless local area network, and they carry out the detection and blocking of rogue APs. Using monitoring STAs reduces the impact on the normal operation of the legitimate APs.
S301. The monitoring STA associates with a legitimate AP using its real address and establishes a secure channel with the legitimate AP by WPA/WPA2 key negotiation or a similar means;
S302. The AC determines that the device that has come online is a monitoring STA and sends it a command containing the STA address it is to fake; at the same time the AC delivers the forged STA address to each legitimate AP over the secure channel;
S303. The AC issues a detection command to the monitoring STA, requiring it to begin the detection process. The detection command includes: the detection period, the type of detection frame (probe request and/or association request, etc.), and the channels to be scanned;
S304. As instructed, the monitoring STA changes its address to the forged address and sends detection frames. Since the legitimate APs already know that this is a forged address, they do not respond; a rogue AP does not know, responds, and thereby exposes itself;
S305. After the detection process ends, the monitoring STA changes its address back to its real address, re-associates with a legitimate AP and reports the detection result to the AC;
S306. To reduce false positives, the AC may send a message to the legitimate AP impersonated by the rogue AP for further confirmation;

S307. After confirming the rogue AP, the AC randomly constructs a large number of fake STA addresses and passes them over the secure channel to the monitoring STA and to the impersonated legitimate AP, here AP2;
S308. The AC issues a start-attack command to the monitoring STA, requiring it to attack the rogue AP. The attack command includes: the MAC address of the rogue AP, the type of attack frame (authentication request and/or association request, etc.), and the attack duration;
S309. The monitoring STA begins attacking the rogue AP, AP4, sending attack frames to AP4 from the fake addresses. The number of STAs an AP can accept is generally limited; once AP4's resources are all occupied by fake STAs, other normal STAs cannot connect to it, so the rogue AP cannot operate normally.
S310. Because AP4 has set its address to the same value as AP2's, AP2 also receives the attack frames. Since the AC has already told AP2 the fake STA addresses, AP2's wireless driver can simply drop these frames, and AP2 is affected very little.
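The exchange of FIG. 2 (S201 to S209) as a runnable model, added here as an example; it is the editor's code, not the patent's. Frames are Python dicts passed through an in-memory Air object rather than injected on a radio, the AC's secure channel is a direct method call on a legitimate AP object (the rogue has no such object binding and never learns the fake addresses), and the topology (AP1 to AP3 legitimate, AP4 cloning AP2's BSSID, an unrelated "CoffeeShop" AP to exercise the S205 SSID rule, all MAC addresses and SSIDs made up) is constructed for the example. The rogue is assumed to admit clients up to a fixed table size and to refuse further ones with 802.11 status code 17; the FIG. 3 flow differs only in the monitor being a STA that swaps its own address, the controller logic being the same.

```python
import random

BROADCAST = "ff:ff:ff:ff:ff:ff"
STATUS_SUCCESS, STATUS_AP_FULL = 0, 17   # 17: AP unable to handle additional associated STAs

def random_sta_mac(rng):   # fake STA address as the AC constructs it: unicast, locally administered
    octets = [(rng.randrange(256) & 0xFE) | 0x02] + [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in octets)

class Air:
    """Toy medium: a frame reaches every AP except its sender; a unicast frame reaches every AP
    whose BSSID equals DA, so a rogue that cloned AP2's BSSID also hears AP2's traffic (S209)."""
    def __init__(self):
        self.aps = []

    def send(self, frame, sender=None):
        hit = [ap for ap in self.aps if ap is not sender and frame["da"] in (BROADCAST, ap.bssid)]
        return [r for r in (ap.receive(frame) for ap in hit) if r is not None]

class AccessPoint:
    def __init__(self, name, bssid, ssid, air, max_clients=32):
        self.name, self.bssid, self.ssid, self.air, self.max_clients = name, bssid, ssid, air, max_clients
        self.known_fake, self.responded_to, self.clients = set(), set(), set()
        air.aps.append(self)

    # Secure channel from the AC (CAPWAP in the patent). The rogue has none, so it never learns the list.
    def learn_fake_addresses(self, addrs):
        self.known_fake.update(addrs)

    def confirm_sent_response(self, sta):     # S205: the AC asks "did you really answer this STA?"
        return sta in self.responded_to

    def receive(self, frame):
        sa = frame["sa"]
        if sa in self.known_fake:             # S203 / S209: a legitimate AP stays silent and drops it
            return None
        if frame["sub"] == "probe_req":
            self.responded_to.add(sa)
            return {"sub": "probe_resp", "bssid": self.bssid, "da": sa, "ssid": self.ssid}
        if frame["sub"] == "assoc_req":
            full = sa not in self.clients and len(self.clients) >= self.max_clients
            if not full:
                self.clients.add(sa)
            return {"sub": "assoc_resp", "bssid": self.bssid, "da": sa,
                    "status": STATUS_AP_FULL if full else STATUS_SUCCESS}

    def probe(self, fake_sa):                 # monitor role, S203: broadcast probe from a fake STA address
        return self.air.send({"sub": "probe_req", "sa": fake_sa, "da": BROADCAST}, sender=self)

    def flood(self, bssid, fakes, ssid):      # monitor role, S208: association request per fake STA
        accepted = 0
        for fa in fakes:
            replies = self.air.send({"sub": "assoc_req", "sa": fa, "da": bssid, "ssid": ssid}, sender=self)
            accepted += sum(r["status"] == STATUS_SUCCESS for r in replies)
        return accepted

class Controller:
    def __init__(self, legit_aps, our_ssids, seed=1):
        self.legit, self.our_ssids, self.rng = legit_aps, set(our_ssids), random.Random(seed)
        self.by_bssid = {ap.bssid: ap for ap in legit_aps}

    def detect(self, monitor, n_probes=4):
        fakes = [random_sta_mac(self.rng) for _ in range(n_probes)]
        for ap in self.legit:                 # S201: legitimate APs learn the fake addresses first
            ap.learn_fake_addresses(fakes)
        rogues = {}
        for fa in fakes:                      # S202-S204: probe, collect responses
            for resp in monitor.probe(fa):
                if resp["ssid"] not in self.our_ssids:              # S205 rule: foreign SSID, ignore
                    continue
                spoofed = self.by_bssid.get(resp["bssid"])
                if spoofed and spoofed.confirm_sent_response(fa):   # S205: genuinely ours, ignore
                    continue
                rogues[resp["bssid"]] = {"bssid": resp["bssid"], "ssid": resp["ssid"],
                                         "spoofs": spoofed.name if spoofed else None}
        return list(rogues.values())

    def contain(self, monitor, rogue, n_fake=64):
        fakes = [random_sta_mac(self.rng) for _ in range(n_fake)]
        monitor.learn_fake_addresses(fakes)   # S206: the monitor and, if there is one, ...
        spoofed = self.by_bssid.get(rogue["bssid"])
        if spoofed:
            spoofed.learn_fake_addresses(fakes)   # ... the impersonated AP receive the list
        return monitor.flood(rogue["bssid"], fakes, rogue["ssid"])   # S207-S208

def scenario():
    air = Air()   # constructed topology: AP1-AP3 legitimate, AP4 clones AP2's BSSID, one neighbour
    ap1 = AccessPoint("AP1", "00:11:22:33:44:01", "corp", air)          # chosen as monitor
    ap2 = AccessPoint("AP2", "00:11:22:33:44:02", "corp", air)
    ap3 = AccessPoint("AP3", "00:11:22:33:44:03", "corp", air)
    ap4 = AccessPoint("AP4", ap2.bssid, "corp", air, max_clients=32)    # the rogue
    AccessPoint("cafe", "66:77:88:99:aa:bb", "CoffeeShop", air)          # unrelated neighbour
    ac = Controller([ap1, ap2, ap3], our_ssids={"corp"})
    found = ac.detect(ap1)
    accepted = ac.contain(ap1, found[0]) if found else 0
    # S209: a real STA now tries AP2's BSSID; AP2 answers, the saturated rogue refuses
    real = air.send({"sub": "assoc_req", "sa": "a4:5e:60:aa:bb:cc", "da": ap2.bssid, "ssid": "corp"})
    return {"found": found, "accepted_by_rogue": accepted, "rogue_clients": len(ap4.clients),
            "ap2_clients": len(ap2.clients), "real_sta_statuses": sorted(r["status"] for r in real)}
```

`scenario()` returns the single rogue found (AP2's BSSID, flagged as spoofing AP2), the 32 fake associations the rogue accepted out of 64 attempted, and the outcome for a real STA afterwards: AP2 admits it (status 0) while the full rogue refuses (status 17), so AP2's client table holds only the real STA. The model makes the same assumptions the description does: the rogue answers detection frames and bounds its client table; a rogue that does neither is not caught by this step, which is why S205 keeps the confirmation rules.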
Embodiment 2

This embodiment of the present invention provides a system for preventing rogue access points in a wireless local area network, the system comprising:

an access point controller, configured to control one or more monitors to send detection frames to all access points, to notify all legitimate access points in advance over a secure channel that they are not to respond after receiving a detection frame, to determine the rogue access points among all access points from the responses received by the monitors, to randomly construct a plurality of fake STA addresses once a rogue access point has been determined and pass them to the monitor over the secure channel, and, if the rogue access point has impersonated the address of a legitimate access point, also to pass the fake STA addresses over the secure channel to the legitimate access point being impersonated, and to control the monitor to pose as a plurality of fake STAs using the fake STA addresses and send attack frames to the rogue access point;

a monitor, configured to send detection frames to all access points as instructed by the access point controller, to forward the received responses to the access point controller, and, as instructed by the access point controller, to send attack frames to the rogue access point using the plurality of fake STA addresses randomly constructed by the access point controller.

The monitor in this embodiment is a monitoring STA or a monitoring AP designated by the AC. When the monitor is a monitoring AP, the monitoring AP disguises itself as a STA to send detection frames to all APs, the MAC address it uses as a STA being randomly constructed by the AC; when the monitor is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the AC.

In this embodiment the detection message carries: the detection period, the probe request and/or association request to be sent, and the channels to be scanned.

In this embodiment the attack message carries: the MAC address of the rogue AP, the authentication request and/or association request to be sent, and the attack duration.

In summary, the embodiments of the present invention provide a method and system for preventing rogue access points in a wireless local area network. The access point controller controls the monitor to send detection frames to all APs; a legitimate AP does not respond after receiving a detection frame, whereas a rogue AP responds after receiving it; the access point controller determines which AP is a rogue AP from the response sent by the rogue AP and received by the monitor and, after determining the rogue AP, controls the monitor to send attack frames to the rogue AP so that the rogue AP cannot operate normally. The method is simple and easy to implement, and it effectively solves the problem of a rogue AP changing its MAC address to that of a legitimate AP in order to gain unauthorized access.

INDUSTRIAL APPLICABILITY

As described above, the method and system for preventing rogue access points in a wireless local area network provided by the embodiments of the present invention have the following beneficial effects: the access point controller controls the monitor to send detection frames to all APs; a legitimate AP does not respond after receiving a detection frame, whereas a rogue AP responds after receiving it; the access point controller determines the rogue AP from the response sent by the rogue AP and received by the monitor, and controls the monitor to send attack frames to the rogue AP so that the rogue AP cannot operate normally. The method is simple and easy to implement.

The above are merely preferred specific embodiments of the present invention, but the scope of protection of the present invention is not limited thereto; any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of the claims.
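Embodiment 2 names the detection frame types (probe request and/or association request) and attack frame types (authentication request and/or association request) but does not show what they look like on the wire. The following is an added example by the editor, not code from the patent: it builds those 802.11 management frames from a fake STA address using only `struct` (IEEE 802.11 MAC header and information-element layout, no scapy), parses the probe response a rogue would return, and applies the S205 checks on the AC side. The `ap_confirms_sent` callback standing in for the secure-channel query to a legitimate AP, and every MAC address and SSID used, are assumptions for the example.

```python
import struct

TYPE_MGMT = 0
SUBTYPE_ASSOC_REQ, SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_AUTH = 0x0, 0x4, 0x5, 0xB
BROADCAST = b"\xff" * 6
EID_SSID, EID_RATES = 0, 1
RATES_B = bytes([0x82, 0x84, 0x8B, 0x96])   # 1, 2, 5.5, 11 Mbit/s, flagged basic
CAPABILITY = 0x0411                          # ESS, privacy, short slot time


def mgmt_header(subtype, da, sa, bssid, seq=0):
    """24-byte 802.11 MAC header: frame control, duration, addr1 (DA), addr2 (SA), addr3 (BSSID), seq."""
    fc = (TYPE_MGMT << 2) | (subtype << 4)    # b0-1 version, b2-3 type, b4-7 subtype
    return struct.pack("<HH6s6s6sH", fc, 0, da, sa, bssid, seq << 4)


def ie(eid, body):
    """Information element: element ID, length, body."""
    return struct.pack("BB", eid, len(body)) + body


def probe_request(sa, ssid=b""):
    """Detection frame of S101/S203. DA and BSSID are broadcast, so a wildcard probe may be broadcast."""
    return mgmt_header(SUBTYPE_PROBE_REQ, BROADCAST, sa, BROADCAST) + ie(EID_SSID, ssid) + ie(EID_RATES, RATES_B)


def association_request(sa, bssid, ssid):
    """Detection or attack frame; addressed to one BSSID, so it can only be unicast (S203)."""
    fixed = struct.pack("<HH", CAPABILITY, 10)   # capability info, listen interval
    return mgmt_header(SUBTYPE_ASSOC_REQ, bssid, sa, bssid) + fixed + ie(EID_SSID, ssid) + ie(EID_RATES, RATES_B)


def authentication_request(sa, bssid):
    """Attack frame: Open System authentication, transaction sequence 1, status 0."""
    return mgmt_header(SUBTYPE_AUTH, bssid, sa, bssid) + struct.pack("<HHH", 0, 1, 0)


def probe_response(da, bssid, ssid, beacon_interval=100):
    """What an AP (legitimate or rogue) answers with; used here to construct input for the parser."""
    fixed = struct.pack("<QHH", 0, beacon_interval, CAPABILITY)   # timestamp, beacon interval, capability
    return mgmt_header(SUBTYPE_PROBE_RESP, da, bssid, bssid) + fixed + ie(EID_SSID, ssid) + ie(EID_RATES, RATES_B)


def parse_probe_response(frame):
    """Return DA, BSSID and SSID of a probe response; raise if the frame is something else."""
    fc, _dur, da, _sa, bssid, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    if (fc >> 2) & 0x3 != TYPE_MGMT or (fc >> 4) & 0xF != SUBTYPE_PROBE_RESP:
        raise ValueError("not a probe response")
    off, ssid = 24 + 12, None                 # skip the header and the 12 fixed bytes
    while off + 2 <= len(frame):              # walk the information elements
        eid, ln = frame[off], frame[off + 1]
        if eid == EID_SSID:
            ssid = frame[off + 2:off + 2 + ln]
        off += 2 + ln
    return {"da": da, "bssid": bssid, "ssid": ssid}


def classify_response(resp, legit_bssids, our_ssids, ap_confirms_sent):
    """AC-side S205 checks. `ap_confirms_sent(bssid, sta)` stands in for the secure-channel
    query asking the legitimate AP with that BSSID whether it really answered that STA address."""
    if resp["ssid"] not in our_ssids:
        return "ignored: foreign SSID"
    if resp["bssid"] in legit_bssids:
        if ap_confirms_sent(resp["bssid"], resp["da"]):
            return "legitimate"
        return "rogue: spoofing legitimate BSSID"
    return "rogue: unknown BSSID"
```

The byte that matters for the "legitimate APs stay silent" rule is addr2 (bytes 10 to 15) of the detection frame: that is the source address the AC distributed in advance, and it is the field a legitimate AP's driver compares against its list before deciding whether to answer. A probe response copies that address into addr1, which is why `classify_response` passes `resp["da"]` to the confirmation query.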

Claims

1. A method for preventing rogue access points in a wireless local area network, comprising:

an access point controller controlling one or more monitors to send detection frames to all access points, the access point controller having notified the legitimate access points in advance, over a secure channel, that they are not to respond after receiving a detection frame;

the access point controller determining, from the responses received by the monitors, the rogue access points among all access points, and controlling the monitors to send attack frames to the rogue access point.

2. The method according to claim 1, wherein the step of the access point controller, after determining the rogue access point, controlling the monitor to send attack frames to the rogue access point comprises:

after determining the rogue access point, the access point controller randomly constructing a plurality of fake STA addresses and passing the fake STA addresses to the monitor over the secure channel, and, if the rogue access point has impersonated the address of a legitimate access point, also passing the fake STA addresses over the secure channel to the legitimate access point being impersonated;

the access point controller controlling the monitor to pose as a plurality of fake STAs using the fake STA addresses and send attack frames to the rogue access point;

the legitimate access point impersonated by the rogue access point ignoring the attack frames after receiving them.

3. The method according to claim 1 or 2, wherein the monitor is a monitoring STA or a monitoring access point designated by the access point controller;

when the monitor is a monitoring access point, the monitoring access point disguises itself as a STA to send detection frames to all access points, the MAC address it uses as a STA being randomly constructed by the access point controller;

when the monitor is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the access point controller.

4. The method according to claim 1 or 2, wherein the type of the detection frame comprises a probe request and/or an association request.

5. The method according to claim 1 or 2, wherein the type of the attack frame comprises an authentication request and/or an association request.

6. A system for preventing rogue access points in a wireless local area network, comprising:

an access point controller, configured to control one or more monitors to send detection frames to all access points, to notify the legitimate access points in advance over a secure channel that they are not to respond after receiving a detection frame, to determine the rogue access points among all access points from the responses received by the monitors, and to control the monitors to send attack frames to the rogue access point;

the monitor, configured to send detection frames to all access points as instructed by the access point controller, to forward the received responses to the access point controller, and to send attack frames to the rogue access point as instructed by the access point controller.

7. The system according to claim 6, wherein

the access point controller is configured to control one or more monitors to send detection frames to all access points, to notify all legitimate access points in advance over the secure channel that they are not to respond after receiving a detection frame, to determine the rogue access points among all access points from the responses received by the monitors, to randomly construct a plurality of fake STA addresses once a rogue access point has been determined and pass the fake STA addresses to the monitor over the secure channel, and, if the rogue access point has impersonated the address of a legitimate access point, also to pass the fake STA addresses over the secure channel to the legitimate access point being impersonated, and to control the monitor to pose as a plurality of fake STAs using the fake STA addresses and send attack frames to the rogue access point;

the monitor is configured to send detection frames to all access points as instructed by the access point controller, to forward the received responses to the access point controller, and, as instructed by the access point controller, to send attack frames to the rogue access point using the plurality of fake STA addresses randomly constructed by the access point controller.

8. The system according to claim 6 or 7, wherein the monitor is a monitoring STA or a monitoring access point designated by the access point controller;

when the monitor is a monitoring access point, the monitoring access point disguises itself as a STA to send detection frames to all access points, the MAC address it uses as a STA being randomly constructed by the access point controller;

when the monitor is a monitoring STA, the MAC address of the monitoring STA is randomly constructed by the access point controller.

9. The system according to claim 6 or 7, wherein the type of the detection frame comprises a probe request and/or an association request.

10. The system according to claim 6 or 7, wherein the type of the attack frame comprises an authentication request and/or an association request.
PCT/CN2013/083675 2013-01-24 2013-09-17 Method and system for preventing rogue access points in wireless local area network WO2014114099A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310027099.X 2013-01-24
CN201310027099XA CN103067922A (en) 2013-01-24 2013-01-24 Method and system for preventing illegal access point in wireless local area network

Publications (1)

Publication Number Publication Date
WO2014114099A1 true WO2014114099A1 (en) 2014-07-31

Family

ID=48110348

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/083675 WO2014114099A1 (en) 2013-01-24 2013-09-17 Method and system for preventing rogue access points in wireless local area network

Country Status (2)

Country Link
CN (1) CN103067922A (en)
WO (1) WO2014114099A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200107198A1 * 2017-03-29 2020-04-02 The Johns Hopkins University SYSTEM AND METHOD FOR SMALL UNMANNED AERIAL SYSTEMS (sUAS) DEFENSE
US11601812B2 * 2017-03-29 2023-03-07 The Johns Hopkins University System and method for small unmanned aerial systems (sUAS) defense
CN108768671A * 2018-06-28 2018-11-06 新华三技术有限公司 access point control method and device

Families Citing this family (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067922A (en) * 2013-01-24 2013-04-24 中兴通讯股份有限公司 Method and system for preventing illegal access point in wireless local area network
CN103391546B (en) * 2013-07-12 2017-03-15 杭州华三通信技术有限公司 A kind of wireless attack detection and defence installation and its method
US9578458B2 (en) * 2013-07-19 2017-02-21 Intel Corporation Identification of rogue access points
CN103561405A (en) * 2013-10-23 2014-02-05 杭州华三通信技术有限公司 Method and device for countering Rogue AP
CN104703181A (en) * 2013-12-09 2015-06-10 重庆重邮信科通信技术有限公司 Access node authentication method and terminal
CN104253817A (en) * 2014-09-25 2014-12-31 大连梯耐德网络技术有限公司 FPGA (field programmable gate array)-based network behavior attack method and FPGA-based network behavior attack device
CN104270366B (en) * 2014-09-30 2017-09-29 北京金山安全软件有限公司 method and device for detecting karma attack
CN105162768B (en) * 2015-07-31 2018-12-07 腾讯科技(深圳)有限公司 The method and device of detection fishing Wi-Fi Hotspot
CN105208562A (en) * 2015-08-26 2015-12-30 盾宇(上海)信息科技有限公司 Active base station fraud prevention method based on client computer and system thereof
CN105262734A (en) * 2015-09-23 2016-01-20 周超 Secure router having hacker attack prevention function
CN105657706A (en) * 2015-10-30 2016-06-08 东莞酷派软件技术有限公司 Access method, related device and access apparatus
CN106899538B (en) * 2015-12-17 2020-04-14 中国电信股份有限公司 Access point inspection method and system, trusted access point and cloud server
CN106211161B (en) * 2016-06-23 2021-04-02 新华三技术有限公司 Equipment countercheck method and device
CN106102068A (en) * 2016-08-23 2016-11-09 大连网月科技股份有限公司 A kind of illegal wireless access point detection and attack method and device
CN106131845A (en) * 2016-08-23 2016-11-16 大连网月科技股份有限公司 A kind of illegal wireless access-point attacks method and device
CN106454843B (en) * 2016-11-14 2020-12-22 金华市智甄通信设备有限公司 Method and system for inhibiting illegal AP in wireless local area network, and wireless AP
CN108235322B (en) * 2017-12-28 2021-06-29 新华三技术有限公司 Reverse control method and device for wireless equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2006073642A2 (en) * 2005-01-05 2006-07-13 Cisco Technology, Inc. Network infrastructure validation of network management frames
CN1996893A (en) * 2006-12-25 2007-07-11 杭州华为三康技术有限公司 Method, device and system for monitoring illegal access point in the wireless LAN
US20070180244A1 (en) * 2001-07-27 2007-08-02 Halasz David E Rogue access point detection
CN103067922A (en) * 2013-01-24 2013-04-24 中兴通讯股份有限公司 Method and system for preventing illegal access point in wireless local area network

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7224678B2 (en) * 2002-08-12 2007-05-29 Harris Corporation Wireless local or metropolitan area network with intrusion detection features and related methods
CN102227114B (en) * 2010-07-23 2017-06-16 卡巴斯基实验室封闭式股份公司 System and method for detecting spam bots by inspecting data transmissions
CN102014378B (en) * 2010-11-29 2014-04-02 北京星网锐捷网络技术有限公司 Method and system for detecting rogue access point device and access point device

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200107198A1 (en) * 2017-03-29 2020-04-02 The Johns Hopkins University SYSTEM AND METHOD FOR SMALL UNMANNED AERIAL SYSTEMS (sUAS) DEFENSE
US11601812B2 (en) * 2017-03-29 2023-03-07 The Johns Hopkins University System and method for small unmanned aerial systems (sUAS) defense
CN108768671A (en) * 2018-06-28 2018-11-06 新华三技术有限公司 access point control method and device

Also Published As

Publication number Publication date
CN103067922A (en) 2013-04-24

Similar Documents

Publication Publication Date Title
WO2014114099A1 (en) Method and system for preventing rogue access points in wireless local area network
US9603021B2 (en) Rogue access point detection
US8904177B2 (en) Authentication for a multi-tier wireless home mesh network
US7216365B2 (en) Automated sniffer apparatus and method for wireless local area network security
US9003527B2 (en) Automated method and system for monitoring local area computer networks for unauthorized wireless access
US20090016529A1 (en) Method and system for prevention of unauthorized communication over 802.11w and related wireless protocols
JP7455220B2 (en) Wireless intrusion prevention system, wireless network system including the same, and method of operating the wireless network system
EP2023571A1 (en) Method and system for wireless communications characterized by IEEE 802.11W and related protocols
US9794119B2 (en) Method and system for preventing the propagation of ad-hoc networks
WO2014182836A1 (en) System and method for indicating a service set identifier
TWI242650B (en) Wireless local or metropolitan area network with intrusion detection features and related methods
US10659370B2 (en) Wireless local area network (WLAN) node, a wireless device, and methods therein
JP7079994B1 (en) Intrusion blocking method for unauthorized wireless terminals using WIPS sensor and WIPS sensor
CN113708951A (en) Method and system for realizing automatic network distribution of intelligent terminal equipment
WO2015042917A1 (en) Wireless secure access method, apparatus and system
Vartak et al. An experimental evaluation of over-the-air (ota) wireless intrusion prevention techniques
KR102627393B1 (en) Method and apparatus for preventing wireless intrusion
CN113473471A (en) Method for blocking wireless mobile terminal from accessing illegal AP
Lu et al. Exploration on SA Query Mechanism in IEEE 802.11w
Jaiaree The security aspects of wireless local area network (WLAN)
Naik et al. Protection of Control Frames in Wireless Network.
JP2004349885A (en) Wireless network system, wireless terminal, and base station

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13873066; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13873066; Country of ref document: EP; Kind code of ref document: A1)