Conventional Wireless Local Area Network (WLAN) techniques are typically flexible to implement and convenient to deploy. However, often due to the openness of the transmission media and inadequate security, WLAN faces threats from various kinds of attacks. One type of attack is an attack by a rogue Access Point (AP), which may be defined as an AP that has not been authorized and/or lacks the appropriate credentials to operate on a WLAN. In this type of attack, when a legal (or authorized) user connects to a rogue AP, a malicious user may obtain information of the legal user via the rogue AP.
Features of the present disclosure are illustrated by way of example and not limited in the following figure(s), in which like numerals indicate like elements, in which:
For simplicity and illustrative purposes, the present disclosure is described by referring to examples. It will be readily apparent however, that the present disclosure may be practiced without limitation to these specific details. In other instances, some methods and structures have not been described in detail so as not to unnecessarily obscure the present disclosure. As used herein, the term “includes” means includes but not limited to, the term “including” means including but not limited to. The term “based on” means based at least in part on. In addition, the terms “a” and “an” are intended to denote at least one of a particular element.
In order to avoid potential security risks and provide normal services to wireless users, conventional techniques for preventing clients from accessing rogue APs in a wireless network usually include the scanning of wireless channels periodically by a detecting AP and determining whether there is a rogue AP based on certain filtering conditions. If it is determined that there is a rogue AP, the detecting AP simulates the rogue AP to transmit a large amount of deassociation packets to clients to force the clients to be deassociated from the rogue AP. However, the clients will associate with the rogue AP again within a relatively short period of time. Thus, continuous transmission of the deassociation packets is required to keep the clients from continuing to associate with the rogue AP. The continuous transmission of the deassociation packets, however, occupies a great amount of radio resources and disrupts normal services to users associated with the rogue AP.
In contrast, disclosed herein is a method for preventing clients from accessing a rogue AP in a wireless network, so as to avoid potential security risks caused by the rogue AP and provide normal services to wireless users. Particularly, the method may include determining, by a detecting AP, whether there is a rogue AP in the wireless network. In response to a determination that there is a rogue AP in the wireless network, the detecting AP may obtain a wireless channel of the rogue AP. In addition, the detecting AP may transmit, on the wireless channel of the rogue AP, a channel switch instruction to a client associated with the rogue AP by simulating an identity of the rogue AP to instruct the client to switch to a designated new channel.
Compared with conventional systems, in examples of the present disclosure, if a detecting AP detects the presence of a rogue AP in the wireless network, the detecting AP may simulate the identity of the rogue AP to transmit a channel switch instruction to the client associated with the rogue AP to instruct the client to switch to the designated new channel, so as to remove the association between the client and the rogue AP and further provide a normal service for the user of the client.
According to an example, in the method disclosed herein, a determination may be made by a detecting AP as to whether there is a rogue AP in the wireless network. A “detecting AP” is an AP which is able to detect a rogue AP. In response to a determination that there is a rogue AP, the detecting AP may transmit a channel switch instruction to the client associated with the rogue AP by simulating the identity of the rogue AP. The channel switch instruction may instruct the client to switch to the designated new channel, so as to remove the association between the client and the rogue AP. In addition, in order to prevent the client from associating with the rogue AP again, the detecting AP may simulate the identity of the rogue AP to broadcast Beacon packets on the designated new channel to instruct wireless clients that previously associated with the rogue AP to associate with the detecting AP. The client may be a Wi-Fi terminal such as a laptop computer, a tablet computer, a cell phone, etc.
At block 101, the detecting AP may determine whether a rogue AP is in the wireless network. In response to the detecting AP detecting a rogue AP in the wireless network, block 102 may be performed; otherwise, block 101 may be repeated. In one regard, block 101 may be a scanning operation of wireless channels.
In particular, according to an example, the detecting AP may determine whether a rogue AP is in the WLAN through periodic scanning of wireless channels over multiple iterations of block 101. In addition, the detecting AP may determine whether a rogue AP is in the WLAN through monitoring measures such as channel listening. In any regard, the detecting AP may determine the existence of a rogue AP according to a certain filtering condition. The determination process and the configuration of the filtering condition may be similar to those in conventional systems and are therefore not described in detail herein.
It should be noted that the detecting AP may be a legal AP, e.g., an authorized AP in the wireless network, which is responsible for practical data forwarding services or may be a legal AP that is dedicated for the detection of rogue APs. In addition or alternatively, the detecting AP may be a detecting module inside a legal AP.
At block 102, following the detection of a rogue AP in the wireless network, the detecting AP may obtain the wireless channel of the rogue AP. In addition, the detecting AP may further obtain Basic Service Set Identifier (BSSID) information of the rogue AP and a list of users associated with the rogue AP (i.e., a wireless user list), and may save the above information. The BSSID information includes a MAC address of the rogue AP.
At block 103, the detecting AP may transmit, on the wireless channel of the rogue AP, a channel switch instruction to a client associated with the rogue AP by simulating an identity of the rogue AP to instruct the client to switch to a designated new channel.
At block 103, the detecting AP may determine all of the clients associated with the rogue AP according to the wireless user list obtained at block 102, and may transmit the channel switch instruction to all of the determined clients.
Through implementation of blocks 101-103, when a detecting AP determines that a rogue AP is in the wireless network, the detecting AP may transmit a channel switch instruction to the client associated with the rogue AP by simulating the identity of the rogue AP to instruct the client to switch to a designated new channel. As such, the association between the client and the rogue AP may be removed and the client may be prevented from associating with the rogue AP again on the wireless channel of the rogue AP.
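Blocks 101 through 103 describe a procedure: scan, apply a filtering condition, record the rogue AP's channel, BSSID and wireless user list, and pick the designated new channel for its clients. The following Python is an added example of those steps as pure functions over scan results; it is not code from the disclosure. The filtering condition (an AP advertising one of the deployment's managed SSIDs from a BSSID that was not deployed), the `ScanEntry` and `RogueRecord` types, the `containment_plan` function and the sample scan entries are all assumptions constructed for illustration. No frames are transmitted; the output is the record block 102 would save plus the channel block 103 would designate.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanEntry:
    """One AP heard during a channel scan (the sample entries below are constructed)."""
    bssid: str
    ssid: str
    channel: int
    clients: tuple = ()   # stations observed exchanging data frames with this BSSID


@dataclass(frozen=True)
class RogueRecord:
    """What block 102 saves: the rogue's BSSID (MAC), its channel and its wireless user list."""
    bssid: str
    channel: int
    wireless_user_list: tuple


def is_rogue(entry, authorized_bssids, managed_ssids):
    """Filtering condition (assumed; the disclosure leaves it to the deployment):
    an AP advertising one of our managed SSIDs from a BSSID we did not deploy.
    Unknown BSSIDs advertising other SSIDs are treated as neighbours, not rogues."""
    return entry.bssid.lower() not in authorized_bssids and entry.ssid in managed_ssids


def find_rogues(scan, authorized_bssids, managed_ssids):
    """Blocks 101-102: classify every scan result and record each rogue AP found."""
    auth = {b.lower() for b in authorized_bssids}
    ssids = set(managed_ssids)
    return [RogueRecord(e.bssid.lower(), e.channel,
                        tuple(sorted(m.lower() for m in e.clients)))
            for e in scan if is_rogue(e, auth, ssids)]


def designated_new_channel(rogue_channel, serviceable_channels):
    """Block 103: choose the channel the detecting AP will serve after the switch,
    i.e. any channel it can operate on other than the rogue AP's own channel."""
    for ch in serviceable_channels:
        if ch != rogue_channel:
            return ch
    raise ValueError("no serviceable channel differs from the rogue channel %d" % rogue_channel)


# Constructed sample scan: one authorized AP, one neighbour, one rogue cloning our SSID.
AUTHORIZED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
MANAGED_SSIDS = {"corp-wifi"}
SAMPLE_SCAN = [
    ScanEntry("00:11:22:33:44:01", "corp-wifi", 6, ("aa:bb:cc:00:00:01",)),
    ScanEntry("66:77:88:99:aa:bb", "cafe-guest", 11),
    ScanEntry("DE:AD:BE:EF:00:01", "corp-wifi", 1, ("aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03")),
]


def containment_plan(scan=SAMPLE_SCAN, serviceable=(1, 6, 11)):
    """For each rogue found, the record to save and the channel its clients are directed to."""
    return [(record, designated_new_channel(record.channel, serviceable))
            for record in find_rogues(scan, AUTHORIZED_BSSIDS, MANAGED_SSIDS)]


if __name__ == "__main__":
    for record, new_channel in containment_plan():
        print(record, "-> designated new channel", new_channel)
```

The wireless user list is what block 103 iterates over, so the record keeps it per rogue BSSID; the neighbour AP on channel 11 is deliberately left out of the plan, since the filtering condition only flags APs that impersonate a managed SSID.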
In addition, after block 103, in order to further avoid security risks brought on by the rogue AP and to reduce the probability that the client associates with the rogue AP again, the method may further include a procedure of instructing the client to associate with the detecting AP. This procedure is shown in
In
At block 304, the detecting AP may switch to the designated new channel and may broadcast a beacon packet on the designated new channel by simulating the identity of the rogue AP. The detecting AP may thus instruct the wireless client, which is associated with the rogue AP, to associate with the detecting AP.
After the client switches to the designated new channel, the client is not to transmit an association request on its own initiative. Therefore, in order to cause the client to associate with the detecting AP, the detecting AP may transmit a beacon packet on the designated new channel by simulating the identity of the rogue AP and may respond to a probe request of the user by simulating the rogue AP. After receiving the beacon packet broadcasted by the detecting AP on the designated new channel, the client establishes an association with the detecting AP. In one regard, therefore, because the client does not transmit an association request on its own initiative, the client may be prevented from associating with the rogue AP again after switching to the designated new channel. After switching to the designated new channel, the client may also receive beacon packets transmitted by other legal APs and may establish associations with the other legal APs. The client may also establish an association with another rogue AP on the designated new channel. If the client associates with a rogue AP again, the detecting AP may continue to transmit the channel switch instruction to the client by simulating the identity of the rogue AP to direct the client to another designated new channel.
After the association between the wireless client and the detecting AP is established, the wireless client may perform data packet transmission and receipt operations via the detecting AP and may enter into a normal operating procedure.
As such, the problems of the conventional method for preventing clients from accessing the rogue AP in a wireless network may be resolved, namely that deassociation packets must be transmitted continuously to keep the client from associating with the rogue AP again after it has been deassociated, that this continuous transmission requires a large amount of radio resources, and that it prevents services from being provided to the user.
The determining unit 401 may determine whether a rogue AP is in the wireless network. In particular, the determining unit 401 may determine whether a rogue AP is in the wireless network by periodically scanning wireless channels in the wireless network. In addition, the detecting AP may also determine whether a rogue AP is in the wireless network through implementation of monitoring measures such as channel listening. The detecting AP may determine the existence of the rogue AP according to a conventional filtering condition.
The recording unit 402 may record the wireless channel of the rogue AP if the determining unit 401 determines that a rogue AP is in the wireless network. In particular, the recording unit 402 may record the BSSID information of the rogue AP and a list of wireless users associated with the rogue AP (i.e., a wireless user list). The BSSID information includes a MAC address of the rogue AP.
The switch indicating unit 403 may transmit, on the wireless channel of the rogue AP, a channel switch instruction to each client associated with the rogue AP by simulating the identity of the rogue AP according to the wireless channel recorded by the recording unit 402. The channel switch instruction may instruct the client associated with the rogue AP to switch to a designated new channel.
The switch indicating unit 403 may determine the client associated with the rogue AP according to the wireless user list recorded by the recording unit 402, so as to transmit the channel switch instruction to the client. The switch indicating unit 403 may simulate the rogue AP by using the MAC address of the rogue AP as a source MAC address of the channel switch instruction. The channel switch instruction may include an index of the designated new channel and time for switching to the designated new channel. In the channel switch instruction as shown in
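The channel switch instruction described above carries the index of the designated new channel and the time at which to switch. In IEEE 802.11 this is the Channel Switch Announcement element (Element ID 37, length 3: Channel Switch Mode, New Channel Number, Channel Switch Count, the count being the number of beacon intervals until the switch). The following Python is an added example, not code from the disclosure, that encodes and decodes that element and adds a monitoring check: a detecting AP that records the switches it has instructed can tell its own planned announcements apart from any other announcement heard on the air. The `audit_csa` function, its `planned_switches` mapping and the sample beacon body are assumptions constructed for illustration.

```python
import struct

# IEEE 802.11 Channel Switch Announcement element layout:
#   Element ID (37) | Length (3) | Channel Switch Mode | New Channel Number | Channel Switch Count
CSA_ELEMENT_ID = 37
CSA_BODY_LEN = 3
CSA_MODE_NO_RESTRICTION = 0   # stations may keep transmitting until the switch
CSA_MODE_STOP_TX = 1          # stations stop transmitting until the switch completes


def encode_csa_element(new_channel, switch_count, mode=CSA_MODE_STOP_TX):
    """Build the element as carried in a Beacon body. switch_count is the number of
    beacon intervals (TBTTs) until the switch; 0 means switch any time after receipt."""
    if mode not in (CSA_MODE_NO_RESTRICTION, CSA_MODE_STOP_TX):
        raise ValueError("invalid channel switch mode %r" % mode)
    if not 1 <= new_channel <= 255 or not 0 <= switch_count <= 255:
        raise ValueError("channel must be 1..255 and count 0..255")
    return struct.pack("BBBBB", CSA_ELEMENT_ID, CSA_BODY_LEN, mode, new_channel, switch_count)


def iter_elements(body):
    """Walk the Element ID / Length / Data TLV sequence of a management frame body,
    rejecting truncated elements instead of silently reading past the end."""
    off = 0
    while off < len(body):
        if off + 2 > len(body):
            raise ValueError("truncated element header at offset %d" % off)
        eid, length = body[off], body[off + 1]
        data = body[off + 2:off + 2 + length]
        if len(data) != length:
            raise ValueError("element %d truncated at offset %d" % (eid, off))
        yield eid, data
        off += 2 + length


def parse_csa(body):
    """Return the decoded CSA element from a frame body, or None if there is none."""
    for eid, data in iter_elements(body):
        if eid == CSA_ELEMENT_ID:
            if len(data) != CSA_BODY_LEN:
                raise ValueError("CSA element has length %d, expected 3" % len(data))
            mode, new_channel, count = data
            return {"mode": mode, "new_channel": new_channel, "switch_count": count}
    return None


def audit_csa(body, bssid, planned_switches):
    """Monitoring check (assumed design): a CSA heard from `bssid` is 'planned' only if
    the detecting AP instructed that BSSID's clients to move to that channel;
    any other announcement is reported as 'unexpected' for the operator to review."""
    csa = parse_csa(body)
    if csa is None:
        return "none"
    planned = planned_switches.get(bssid.lower())
    return "planned" if planned == csa["new_channel"] else "unexpected"


# Constructed beacon body: SSID element (ID 0), DS Parameter Set (ID 3, current channel 1),
# then a CSA directing clients to channel 6 after three beacon intervals.
SAMPLE_BODY = bytes([0, 9]) + b"corp-wifi" + bytes([3, 1, 1]) + encode_csa_element(6, 3)
PLANNED_SWITCHES = {"de:ad:be:ef:00:01": 6}   # rogue BSSID -> designated new channel

if __name__ == "__main__":
    print(parse_csa(SAMPLE_BODY))
    print(audit_csa(SAMPLE_BODY, "DE:AD:BE:EF:00:01", PLANNED_SWITCHES))
```

The source MAC used to simulate the rogue AP lives in the 802.11 frame header, not in this element, which is why `audit_csa` takes the BSSID separately; the element itself only says where and when to switch.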
According to the above, when the detecting AP detects that a rogue AP is in the wireless network, the detecting AP may transmit a channel switch instruction to the client associated with the rogue AP by simulating the identity of the rogue AP. The channel switch instruction is to instruct the client to switch to a designated new channel, which removes the association between the client and the rogue AP and prevents the client from associating with the rogue AP again on the wireless channel of the rogue AP.
In addition, in order to further eliminate security risks brought on by the rogue AP and to reduce the probability that the client associates with the rogue AP again, the detecting AP may further instruct the client to associate with the detecting AP.
As shown in
The packet broadcasting unit 504 may broadcast a beacon packet on the designated new channel by simulating the identity of the rogue AP to instruct the wireless client, which is associated with the rogue AP, to associate with the detecting AP.
After the client switches to the designated new channel, the client is not to transmit an association request on its own initiative. Therefore, in order to cause the client to associate with the detecting AP, the detecting AP may transmit a beacon packet on the designated new channel by simulating the identity of the rogue AP and may respond to a probe request of the user by simulating the identity of the rogue AP. After receiving the beacon packet broadcasted by the detecting AP on the designated new channel, the client establishes an association with the detecting AP. In one regard, therefore, because the client does not transmit an association request on its own initiative, the client may be prevented from associating with the rogue AP again after switching to the designated new channel. After switching to the designated new channel, the client may also receive beacon packets transmitted by other legal APs and may establish associations with the other legal APs. The client may also establish an association with another rogue AP on the designated new channel. If the client associates with a rogue AP again, the detecting AP may continue to transmit the channel switch instruction to the client by simulating the identity of the rogue AP to direct the client to another designated new channel.
After the association between the wireless client and the detecting AP is established, the wireless client may perform data packet transmission and receipt operations through the detecting AP and may enter into a normal operating procedure. As such, the problems of the conventional method for preventing clients from accessing the rogue AP in a wireless network may be resolved, namely that deassociation packets must be transmitted continuously to keep the client from associating with the rogue AP again after it has been deassociated, that this continuous transmission requires a large amount of radio resources, and that it prevents services from being provided to the user.
The above examples may be implemented by hardware, software, firmware, or a combination thereof. For example, the various methods, processes, and functional modules described herein may be implemented by a processor (the term processor is to be interpreted broadly to include a CPU, processing module, ASIC, logic module, or programmable gate array, etc.). The processes, methods, and functional modules may all be performed by a single processor or split between several processors; reference in this disclosure or the claims to a ‘processor’ should thus be interpreted to mean ‘one or more processors’. The processes, methods and functional modules may be implemented as machine readable instructions executable by one or more processors, hardware logic circuitry of the one or more processors or a combination thereof. Further, the examples disclosed herein may be implemented in the form of a software product. The computer software product may be stored in a non-transitory computer readable storage medium and may include a plurality of instructions for making a computer device (which may be a personal computer, a server or a network device, such as a router, switch, access point, etc.) implement the method recited in the examples of the present disclosure.
What has been described and illustrated herein is an example of the disclosure along with some of its variations. The terms, descriptions and figures used herein are set forth by way of illustration. Many variations are possible within the spirit and scope of the disclosure, which is intended to be defined by the following claims and their equivalents.
| Number | Date | Country | Kind |
|---|---|---|---|
| 201210556408.8 | Dec 2012 | CN | national |

| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/CN2013/085448 | 10/18/2013 | WO | 00 |