Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks. Asier Martínez, U. Zurutuza, R. Uribeetxeberria, M. Fernández, J. Lizarraga, A. Serna. Ares 2008 International Conference, March 4th-7th, Technical University of Catalonia.

Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks

Jan 07, 2016


Skyler

Transcript
Page 1: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks

Asier Martínez, U. Zurutuza, R. Uribeetxeberria, M. Fernández, J. Lizarraga, A. Serna

Ares 2008 International Conference, March 4th-7th, Technical University of Catalonia

Page 2: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Overview

1. Introduction
• 802.11 attacks
• Problem description and proposal for solution

2. Proposed detection method
• Experimental results
• Comparison against Snort-Wireless

3. Conclusions and Further Work

Page 3: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Introduction

Computer Security research group of Mondragon University:
• Security in embedded systems
• Audit and evaluation mechanisms
• Intrusion detection & Honeypots

Page 4: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Introduction

Sakontek Security I+D+i:
• RFID, Bluetooth, Wi-Fi, Wimax Security
• Intrusion detection/prevention, Snort contributions

Business and innovation centre:

Page 5: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Introduction: 802.11 attacks

802.11 Complexity
• 802.11 is complex: it has 31 frame types, Ethernet only type.
• Three principal types of frames:
  • Administration
  • Management
  • Data

Management frames
• Management frames are critical for the correct operation of the network
• They don't have any protection against impersonation attacks

Page 6: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Introduction: 802.11 attacks

802.11 Attacks
• DoS flood attacks (Probe Req. Flood, Auth Req. Flood, EAPOL-Start, etc.)
• Radio jamming
• Hijacking attacks (Airpwn)
• Cryptographic attacks (WEP, WPA, …)
• Other DoS attacks (Power Saving, 802.11i, CTS/RTS, Deauth, …)
• Driver flaw exploitation
• …

98% of attacks are based on frame spoofing.

How can we detect those spoofed frames?

Page 7: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Introduction: Problem description and solution proposal

Anomalies in the 802.11 protocol or network
• Sequence number
• Excessive number of some type of frames
• Frame reinjections
• …

Anomalies in the behavior of the clients
• OS fingerprinting
• Signal monitoring
• Supported rates in connection
• Driver fingerprinting
• …

The best way to detect falsification is in the firmware of the stations (AP, client). A lot of current hardware doesn't have this functionality, and other hardware only detects specific frames.

What if we want offline processing of an attack, i.e. forensic analysis? We need external monitoring techniques.

Page 8: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Proposed detection method

802.11 beacon-based attacks
• 802.11i DoS attacks
• Synchronization attacks
• False information attacks
• Driver flaw exploitation

We can be hacked with only the Wi-Fi network card activated, without being connected to any network!

• The proposed method detects beacon frames that have been spoofed in an infrastructure 802.11 network
• The detection method is based on monitoring the time intervals between beacon frames
• We define a variable called Delta, which represents the time gap between two consecutive beacon frames:

Delta = b2timestamp – b1timestamp

Page 9: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Proposed detection method

802.11 Beacon frames
• They are transmitted at regular intervals, specified in the "Beacon Interval" field, which is configured in the AP
• The transmission will be delayed because of high traffic
• If a spoofed beacon is sent, we can detect a smaller time between beacon frames (Delta)
• We can identify each spoofed frame individually

Page 10: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Proposed detection method

Scenario configuration
• To measure the beacon interval, the MACTime field of the Prism headers has been used because it is more precise
• The AP was configured with a beacon interval of 102.4 ms
• The sensor must be near the AP to detect all beacon frames
• Senao 802.11g cards with a WRT54G router (Cisco Aironet 1200 also tested)

Because the beacon frame will be delayed, the network was tested with low and high traffic.
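The Delta check described on these slides, as an added example that is not code from the presentation or from the authors' Snort-Wireless preprocessor: it flags beacons that arrive too soon after the last accepted beacon. The capture, the microsecond unit for MACTime, both thresholds and the rule that a flagged frame does not move the reference are assumptions of this example; only the 102.4 ms interval comes from the slide.

```python
# Added example: Delta-based beacon spoof detection on a constructed capture.
BEACON_INTERVAL_US = 102_400  # 102.4 ms beacon interval from the slide

# Constructed sample for one BSSID: (MACTime in microseconds, ground truth).
# Legitimate beacons sit on the 102.4 ms grid; two are delayed by traffic
# (+3 ms and +20 ms), so the next legitimate Delta is shorter than nominal.
CAPTURE = [
    (0, "legit"), (102_400, "legit"), (150_000, "spoofed"),
    (207_800, "legit"), (307_200, "legit"), (330_000, "spoofed"),
    (429_600, "legit"), (512_000, "legit"), (560_000, "spoofed"),
    (614_400, "legit"),
]

def detect_spoofed(beacons, threshold_us):
    """Return indexes of beacons whose Delta is below threshold_us.

    Delta is measured against the last beacon that was NOT flagged, so the
    legitimate beacon following a spoofed one is not flagged as well.
    Assumes the first frame seen is legitimate and input is time-sorted.
    """
    flagged, ref = [], None
    for i, (mactime, _truth) in enumerate(beacons):
        if ref is not None and mactime - ref < threshold_us:
            flagged.append(i)      # too early to be the AP's next beacon
            continue               # keep the old reference
        ref = mactime
    return flagged

def score(beacons, threshold_us):
    """Return (true_positives, false_positives) against the ground truth."""
    flagged = detect_spoofed(beacons, threshold_us)
    tp = sum(1 for i in flagged if beacons[i][1] == "spoofed")
    return tp, len(flagged) - tp

# 70% of the interval sits below the shortest legitimate Delta (82.4 ms).
GOOD_THRESHOLD_US = BEACON_INTERVAL_US * 7 // 10
# 90% is too tight for the high-traffic case and misfires.
TIGHT_THRESHOLD_US = BEACON_INTERVAL_US * 9 // 10

if __name__ == "__main__":
    for thr in (GOOD_THRESHOLD_US, TIGHT_THRESHOLD_US):
        print(thr, detect_spoofed(CAPTURE, thr), score(CAPTURE, thr))
```

With the tight threshold, a legitimate beacon that follows a congestion-delayed one is flagged, and the misplaced reference then lets a spoofed frame through, which is why the threshold has to be set from the high-traffic case.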

Page 11: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Proposed detection method

Tools used
• Tcpdump for traffic capture
• Modified Snort-Wireless with a preprocessor that measures the intervals and sends alerts using the proposed detection method
• Scapy injection framework
• Wireshark WiFi injection patch created for the paper

Page 12: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Experimental results

Scenario I, low traffic

Time between beacon frames in a normally operating network with low traffic: the variation is insignificant.

Page 13: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Experimental results

Scenario I, low traffic

Time between beacon frames under attack: here the variation increased.

Page 14: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Experimental results

Scenario II, high traffic

Time between beacon frames in a normally operating network with high traffic.

Page 15: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Experimental results

Scenario II, high traffic

Time between beacon frames under attack.

Page 16: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Comparison against Snort-Wireless

• The threshold-based technique used by Snort-Wireless is prone to false positives
• Snort-Wireless is outdated in some aspects, but it was chosen instead of commercial tools because those are a black box and it is impossible to analyze the techniques they use
• Snort-Wireless uses the sequence number analysis technique to detect false frame attacks

[Figures: Snort-Wireless and the proposed method, Scenario I (low traffic) and Scenario II (high traffic)]

Page 17: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

How to evade the detection

Synchronize false beacons
• When the legitimate beacon is delayed, an attacker can try to inject a false beacon

Cons
• This is very difficult because the main reason for the delay is the congestion of the network
• The delay is usually unpredictable, but it may depend on the hardware
• It's very difficult to achieve the necessary precision with standard hardware
• Attacks usually need a few false frames in a short period of time

Synchronize with interference
• The attacker can create interference with the legitimate beacon and then inject a false frame

Cons
• Requires highly specialised hardware and correct synchronisation with the legitimate frame that we try to interfere with

Page 18: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Conclusions and Further Work

• ROC curve of the detection method in the worst case, with high traffic
• The proposed detection method does not generate any false positives if the correct detection threshold is established
• Results clearly show that spoofed beacon frames can be detected by measuring the intervals between beacon frames

Page 19: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Conclusions and Further Work

• As well as being effective, the technique is very simple to implement, and it is a passive measurement with minimum hardware requirements
• The times between frames can be measured, and thus the very same techniques can be used in the future to detect the anomalous behavior provoked by other attacks

Page 20: Beacon Frame Spoofing Attack Detection  in IEEE 802.11 Networks

Conclusions and Further Work

Thank You