Is there a way to detect if downstream clients are acting as access points?

Mark K Vallevand mvallevand at
Thu Sep 9 16:41:58 PDT 2021

Your 2c are very welcome.
You are correct.  This probably isn't a hostapd topic.  Detection of connected stations that are tethering is something we probably need to do.  We are casting about to see if there are any ideas.  I think it's a very unlikely situation.  But, we want to have just the connected station participate in our solution.  I think we have a way to block participation from other devices.

Mark K Vallevand 

Cats were once worshiped as gods. They have not forgotten this. 
- Terry Pratchett

----- Original Message -----
From: "Sergey Ryazanov" <ryazanov.s.a at>
To: "Mark Vallevand" <mvallevand at>
Cc: "hostap" <hostap at>
Sent: Thursday, September 9, 2021 6:17:08 PM
Subject: Re: Is there a way to detect if downstream clients are acting as access points?

Hello Mark,

On Tue, Sep 7, 2021 at 4:01 PM Mark K Vallevand <mvallevand at> wrote:
> I would like to prevent downstream tethering.
> Does anyone have any suggestions for doing that?

AFAIK hostapd does not support such functionality. Moreover, tethering
detection does not even sound like a hostapd related topic.

You could apply some heuristic to detect tethering. Off the top of my
head it is possible to monitor the radio channel looking for an AP
with a BSSID that is very similar to a client MAC address. Or you
could monitor client traffic for some anomalies: unusual TTL as an
indication of a packet routing on the client side, unusual destination
IP addresses like a desktop OS upgrade server request from a client
that pretends to be a phone, etc.

Just curious, why do you need to prevent tethering?

If this is a security measure, then an intruder most probably could
bypass all these heuristics. If this is some kind of an ISP policy, then
a mid-trained user could quickly bypass all these heuristics as well,
since most ISP tricks are already widely known. And since no perfect
detection method exists, then you will need to deal with
false-positive cases. Just my 2 cents.
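
The two heuristics suggested in the reply above (a BSSID very close to an associated station's MAC, and a TTL that indicates routing behind the station), as an added Python sketch that is not part of the original thread and is not hostapd code. The bit-distance and hop thresholds, the list of default TTLs, the function names and the sample data are all assumptions.

```python
# Added illustration: thresholds, defaults and sample data are assumptions.
INITIAL_TTLS = (64, 128, 255)  # common OS default TTLs (assumption)

def bit_distance(mac_a, mac_b):
    """Count differing bits between two 48-bit MAC addresses."""
    to_int = lambda m: int(m.replace(":", ""), 16)
    return bin(to_int(mac_a) ^ to_int(mac_b)).count("1")

def hops_behind(ttl):
    """Hops a packet travelled before the AP, assuming a common initial TTL."""
    initial = min(t for t in INITIAL_TTLS if t >= ttl)
    return initial - ttl

def tethering_suspects(stations, scanned_bssids, packets, max_bits=3, max_hops=2):
    """Return {station_mac: [reasons]} for stations matching either heuristic.

    stations:       MACs associated to our AP
    scanned_bssids: BSSIDs seen in a channel scan (our own AP excluded)
    packets:        (source_mac, ip_ttl) pairs captured on the AP's wireless side
    """
    suspects = {}
    for sta in stations:
        reasons = []
        for bssid in scanned_bssids:
            d = bit_distance(sta, bssid)
            if d <= max_bits:
                reasons.append(f"BSSID {bssid} differs by {d} bit(s)")
        # A directly attached host sends at its initial TTL; a slightly lower
        # value means something behind the station routed the packet first.
        routed = sorted({ttl for mac, ttl in packets
                         if mac == sta and 0 < hops_behind(ttl) <= max_hops})
        if routed:
            reasons.append(f"routed-looking TTLs {routed}")
        if reasons:
            suspects[sta] = reasons
    return suspects

# Constructed sample data (locally administered MACs, not from the thread).
STATIONS = ["02:00:00:aa:bb:10", "02:00:00:cc:dd:20", "02:00:00:ee:ff:30"]
SCANNED = ["02:00:00:aa:bb:11", "06:11:22:33:44:55"]
PACKETS = [("02:00:00:aa:bb:10", 64), ("02:00:00:cc:dd:20", 63),
           ("02:00:00:cc:dd:20", 64), ("02:00:00:ee:ff:30", 128),
           ("02:00:00:ee:ff:30", 1)]

if __name__ == "__main__":
    for mac, why in tethering_suspects(STATIONS, SCANNED, PACKETS).items():
        print(mac, "->", "; ".join(why))
```

The TTL 1 packet in the sample is left unflagged because low fixed TTLs are normal for link-local multicast; only values one or two below a common default are reported.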

