Is there a way to detect if downstream clients are acting as access points?

Sergey Ryazanov ryazanov.s.a at gmail.com
Thu Sep 9 16:17:08 PDT 2021


Hello Mark,

On Tue, Sep 7, 2021 at 4:01 PM Mark K Vallevand <mvallevand at q.com> wrote:
> I would like to prevent downstream tethering.
> Does anyone have any suggestions for doing that?

AFAIK hostapd does not support such functionality. Moreover, tethering
detection does not even sound like a hostapd-related topic.

You could apply some heuristics to detect tethering. Off the top of my
head it is possible to monitor the radio channel looking for an AP
with a BSSID that is very similar to a client MAC address. Or you
could monitor client traffic for some anomalies: unusual TTL as an
indication of packet routing on the client side, unusual destination
IP addresses like a desktop OS upgrade server request from a client
that pretends to be a phone, etc.

Just curious, why do you need to prevent tethering?

If this is a security measure, then an intruder most probably could
bypass all these heuristics. If this is some kind of an ISP policy, then
a mid-trained user could quickly bypass all these heuristics as well,
since most ISP tricks are already widely known. And since no perfect
detection method exists, you will need to deal with
false-positive cases. Just my 2 cents.

-- 
Sergey
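
The first two heuristics mentioned in the message above (an AP whose BSSID is very close to a client MAC, and a TTL that sits just below a common initial value), sketched as an added example that is not part of the original post or of hostapd. The function names, the `max_delta` and `max_hops` thresholds and the sample data are assumptions made for illustration.

```python
# Added example: all names, thresholds and sample data are constructed.
COMMON_INITIAL_TTLS = (64, 128, 255)   # typical OS defaults
LOCAL_BIT = 0x02 << 40                 # locally-administered bit of a 48-bit MAC

def mac_to_int(mac):
    return int(mac.replace(":", "").replace("-", ""), 16)

def bssid_resembles_client(bssid, client_mac, max_delta=8):
    """True if the BSSID equals the client MAC once the locally-administered
    bit is ignored, or lies within max_delta of it (assumed threshold)."""
    b = mac_to_int(bssid) & ~LOCAL_BIT
    c = mac_to_int(client_mac) & ~LOCAL_BIT
    return abs(b - c) <= max_delta

def ttl_suggests_routing(ttl, max_hops=2):
    """True if ttl sits 1..max_hops below a common initial TTL, i.e. the
    packet was probably forwarded by the client rather than originated."""
    return any(0 < init - ttl <= max_hops for init in COMMON_INITIAL_TTLS)

def score_clients(clients, seen_bssids, packets):
    """clients: associated station MACs; seen_bssids: BSSIDs from a scan;
    packets: (source MAC, IP TTL) pairs seen from stations.
    Returns {mac: [(reason, evidence), ...]} for stations with any hit."""
    findings = {}
    for mac in clients:
        reasons = []
        near = [b for b in seen_bssids if bssid_resembles_client(b, mac)]
        if near:
            reasons.append(("similar_bssid", near))
        ttls = sorted({t for src, t in packets
                       if src.lower() == mac.lower() and ttl_suggests_routing(t)})
        if ttls:
            reasons.append(("decremented_ttl", ttls))
        if reasons:
            findings[mac] = reasons
    return findings

# Constructed sample input
SAMPLE_CLIENTS = ["a4:5e:60:12:34:56", "3c:22:fb:aa:bb:cc"]
SAMPLE_BSSIDS = ["a6:5e:60:12:34:57", "00:11:22:33:44:55"]
SAMPLE_PACKETS = [("a4:5e:60:12:34:56", 64), ("a4:5e:60:12:34:56", 127),
                  ("3c:22:fb:aa:bb:cc", 64), ("3c:22:fb:aa:bb:cc", 128)]

if __name__ == "__main__":
    for mac, reasons in score_clients(SAMPLE_CLIENTS, SAMPLE_BSSIDS,
                                      SAMPLE_PACKETS).items():
        print(mac, reasons)
```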


