
Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks


Presentation Transcript


  1. Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks. Asier Martínez, U. Zurutuza, R. Uribeetxeberria, M. Fernández, J. Lizarraga, A. Serna. Ares 2008 International Conference, March 4th-7th, Technical University of Catalonia

  2. Overview
     1 Introduction
     • Introduction
     • 802.11 attacks
     • Problem description and proposal for solution
     2 Proposed detection method
     • Experimental results
     • Comparison against Snort-Wireless
     3 Conclusions and Further Work

  3. Introduction
     Computer Security research group of Mondragon University:
     • Security in embedded systems
     • Audit and evaluation mechanisms
     • Intrusion detection & Honeypots

  4. Introduction
     Business and innovation centre: Sakontek Security I+D+i:
     • RFID, Bluetooth, Wi-Fi, Wimax Security
     • Intrusion detection/prevention, Snort contributions

  5. 802.11 attacks: 802.11 Complexity
     • They don't have any protection against impersonation attacks
     • 802.11 is complex: it has 31 frame types, Ethernet only type.
     • Three principal types of frames:
       • Administration
       • Management
       • Data
     Management frames
     • Management frames are critical for the correct operation of the network

  6. 802.11 attacks: 802.11 Attacks
     • DoS Flood attacks (Probe Req. Flood, Auth Req. Flood, EAPOL-Start, etc.)
     • Radio Jamming
     • Hijacking attacks (Airpwn)
     • Cryptographic Attacks (WEP, WPA, …)
     • Other DoS Attacks (Power Saving, 802.11i, CTS/RTS, Deauth, …)
     • Driver Flaw exploitation
     • …
     98% of attacks are based on frame spoofing. How can we detect those spoofed frames?

  7. Problem description and solution proposal
     The best way to detect falsification is in the stations' (AP, Client) firmware.
     Anomalies in behavior of the clients
     • OS fingerprinting
     • Signal monitoring
     • Supported rates in connection
     • Driver fingerprinting
     • …
     What if we want offline processing of an attack, i.e. Forensic Analysis? We need external monitoring techniques.
     Anomalies in 802.11 protocol or network
     • Sequence Number
     • Excessive number of some type of frames
     • Frame reinjections
     • …
     A lot of current hardware doesn't have this functionality, and other hardware only detects specific frames.

  8. Proposed detection method
     • The proposed method detects beacon frames that have been spoofed in an infrastructure 802.11 network
     • The detection method is based on monitoring the time intervals between beacon frames
     • We define a variable called Delta, which represents the time gap between two consecutive beacon frames
     Delta = ( b2timestamp – b1timestamp )
     802.11 Beacon based attacks
     • 802.11i DoS attacks
     • Synchronization attacks
     • False Information attacks
     • Driver Flaw exploitation
     We can be hacked only with the Wi-Fi network card activated, without being connected to any network!

  9. Proposed detection method: 802.11 Beacon frames
     • They are transmitted at regular intervals specified in the “Beacon Interval” field, which is configured in the AP.
     • The transmission will be delayed because of high traffic
     • If a spoofed beacon is sent, we can detect a smaller time between beacon frames (Delta)
     • We can identify each spoofed frame individually

  10. Proposed detection method: Scenario configuration
     • To measure the beacon interval, the MACTime field of the Prism headers has been used because it is more precise
     • The AP was configured with a beacon interval of 102.4 ms
     • The sensor must be near the AP to detect all beacon frames
     • Senao 802.11g cards with WRT54G router (Cisco Aironet 1200 also tested)
     Because the beacon frame will be delayed, the network was tested with low and high traffic.

  11. Proposed detection method: Tools used
     • Tcpdump for traffic capture
     • Modified Snort-Wireless with a preprocessor to measure and send alert with proposed detection method
     • Scapy injection framework
     • Wireshark WiFi injection patch created for the paper

  12. Experimental results: Scenario I, low traffic
     [Figure: time between beacon frames in a normally operating network with low traffic; the variation is insignificant]

  13. Experimental results: Scenario I, low traffic
     [Figure: time between beacon frames under attack; here the variation was increased]

  14. Experimental results: Scenario II, high traffic
     [Figure: time between beacon frames in a normally operating network with high traffic]

  15. Experimental results: Scenario II, high traffic
     [Figure: time between beacon frames under attack]

  16. Comparison against Snort-Wireless: Snort-Wireless
     • Threshold based technique used by Snort-Wireless is prone to false positives
     • Snort-Wireless is outdated in some aspects, but choosing Snort-Wireless instead of other commercial tools was due to the fact that they are a black box and it is impossible to analyze the techniques they use
     • Uses the sequence number analysis technique to detect false frame attacks
     [Figure: Snort-Wireless vs. proposed method, for Scenario I (low traffic) and Scenario II (high traffic)]

  17. How to evade the detection
     Synchronize false beacons
     • When the legitimate beacon is delayed, an attacker can try to inject a false beacon
     Cons
     • This is very difficult because the main reason for the delay is the congestion of the network
     • Usually unpredictable, but it may depend on the hardware
     • It's very difficult to achieve the necessary precision with standard hardware
     • Attacks usually need a few false frames in a short period of time
     Synchronize with interference
     • The attacker can create interference with the legitimate beacon, and then inject a false frame
     Cons
     • Requires highly specialised hardware and correct synchronisation with the legitimate frame that we try to interfere with

  18. Conclusions and Further Work
     [Figure: ROC curve of the detection method in the worst case, with high traffic]
     • The proposed detection method does not generate any false positives if the correct detection threshold is established
     • Results clearly show that spoofed beacon frames can be detected by measuring the intervals between beacon frames

  19. Conclusions and Further Work
     • As well as being effective, the technique is very simple to implement, and it is a passive measurement with minimum hardware requirements
     • The times between frames can be measured, and thus the very same techniques can be used in the future to detect the anomalous behavior provoked by other attacks

  20. Conclusions and Further Work: Thank You ?
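
The Delta check from slides 8 to 10, sketched as an added example (not the authors' Snort-Wireless preprocessor). Assumptions: beacons arrive as (BSSID, MACTime) pairs in capture order, MACTime is a 32-bit microsecond counter, the 0.75 threshold ratio is illustrative, and the BSSIDs and timestamps are constructed.

```python
MACTIME_MOD = 2 ** 32          # assumption: 32-bit MACTime counter, in microseconds
BEACON_INTERVAL_US = 102_400   # 102.4 ms, the interval configured on the AP in the slides

def detect_spoofed_beacons(frames, interval_us=BEACON_INTERVAL_US, min_ratio=0.75):
    """Flag beacons whose Delta to the last accepted beacon is too small.

    frames: iterable of (bssid, mactime_us) in capture order.
    Returns a list of (bssid, mactime_us, delta_us), one entry per suspect frame.
    min_ratio is an assumed tuning knob: it must stay low enough that a
    legitimate beacon following a traffic-delayed one is not flagged.
    """
    threshold = min_ratio * interval_us
    last_accepted = {}          # per-BSSID reference timestamp
    alerts = []
    for bssid, mactime in frames:
        prev = last_accepted.get(bssid)
        if prev is not None:
            # Modular subtraction survives a wrap of the 32-bit counter.
            delta = (mactime - prev) % MACTIME_MOD
            if delta < threshold:
                # Too early to be the AP's next beacon: report it and keep
                # the reference on the last accepted frame, so each extra
                # frame in a burst is reported individually.
                alerts.append((bssid, mactime, delta))
                continue
        # First beacon seen, on-time beacon, or delayed beacon (Delta larger
        # than the interval): all accepted as the new reference.
        last_accepted[bssid] = mactime
    return alerts

# Constructed capture: AP_A gets two injected beacons (230000, 250000) and one
# legitimate beacon delayed by traffic (424600); AP_B is untouched.
AP_A, AP_B = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_FRAMES = [
    (AP_A, 0), (AP_B, 10_000), (AP_A, 102_400), (AP_B, 112_400),
    (AP_A, 204_800), (AP_B, 214_800), (AP_A, 230_000), (AP_A, 250_000),
    (AP_A, 307_200), (AP_B, 317_200), (AP_A, 424_600), (AP_A, 512_000),
]

if __name__ == "__main__":
    for bssid, mactime, delta in detect_spoofed_beacons(SAMPLE_FRAMES):
        print(f"ALERT {bssid} mactime={mactime} delta={delta / 1000:.1f} ms")
```

The beacon after the delayed one has a Delta of 87.4 ms, which is why the threshold cannot sit right at the configured interval; the ROC curve on slide 18 is where that trade-off shows up.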
