Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks
Asier Martínez, U. Zurutuza, R. Uribeetxeberria, M. Fernández, J. Lizarraga, A. Serna
Ares 2008 International Conference, March 4th-7th, Technical University of Catalonia
Jan 07, 2016
Overview
1. Introduction: 802.11 attacks; problem description and proposal for solution
2. Proposed detection method; experimental results; comparison against Snort-Wireless
3. Conclusions and further work
Introduction
Computer Security research group of Mondragon University:
• Security in embedded systems
• Audit and evaluation mechanisms
• Intrusion detection & Honeypots
Sakontek Security I+D+i:
• RFID, Bluetooth, Wi-Fi, WiMAX security
• Intrusion detection/prevention, Snort contributions
Business and innovation centre:
802.11 attacks
802.11 Complexity
• 802.11 is complex: it has 31 frame types, while Ethernet has only one.
• Three principal types of frames:
  • Administration
  • Management
  • Data
• Management frames are critical for the correct operation of the network
• Management frames don't have any protection against impersonation attacks
802.11 Attacks
• DoS flood attacks (Probe Req. flood, Auth Req. flood, EAPOL-Start, etc.)
• Radio jamming
• Hijacking attacks (Airpwn)
• Cryptographic attacks (WEP, WPA, ...)
• Other DoS attacks (Power Saving, 802.11i, CTS/RTS, Deauth, ...)
• Driver flaw exploitation
• ...
98% of attacks are based on frame spoofing.
How can we detect those spoofed frames?
Problem description and solution proposal
Anomalies in the 802.11 protocol or network
• Sequence number
• Excessive number of some type of frames
• Frame reinjections
• ...
Anomalies in the behavior of the clients
• OS fingerprinting
• Signal monitoring
• Supported rates in connection
• Driver fingerprinting
• ...
The best way to detect falsification is in the firmware of the stations (AP, client).
What if we want offline processing of an attack, i.e. forensic analysis? Then we need external monitoring techniques.
A lot of current hardware doesn't have this functionality, and the rest only detects specific frames.
Proposed detection method
802.11 Beacon based attacks
• 802.11i DoS attacks
• Synchronization attacks
• False information attacks
• Driver flaw exploitation
We can be hacked with only the Wi-Fi network card activated, without being connected to any network!
• The proposed method detects beacon frames that have been spoofed in an infrastructure 802.11 network
• The detection method is based on monitoring the time intervals between beacon frames
• We define a variable called Delta, which represents the time gap between two consecutive beacon frames: Delta = (b2 timestamp – b1 timestamp)
802.11 Beacon frames
• They are transmitted at regular intervals specified in the "Beacon Interval" field, which is configured in the AP.
• Their transmission will be delayed under high traffic.
• If a spoofed beacon is sent, we can detect a smaller time between beacon frames (Delta).
• We can identify each spoofed frame individually.
Scenario configuration
• To measure the beacon interval, the MACTime field of the Prism headers has been used because it is more precise
• The AP was configured with a beacon interval of 102.4 ms
• The sensor must be near the AP to detect all beacon frames
• Senao 802.11g cards with a WRT54G router (Cisco Aironet 1200 also tested)
Because beacon frames will be delayed, the network was tested with low and high traffic.
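The Delta check described in the two slides above, written out as an added Python example; this is not code from the paper or from the authors' Snort-Wireless preprocessor. It assumes MACTime values in microseconds (as the Prism header provides), the 102.4 ms beacon interval of the test scenario, a placeholder BSSID and a constructed capture with one congestion-delayed beacon and two injected beacons. Two design choices are mine: the reference clock only advances on beacons accepted as legitimate, which is what lets each spoofed frame be flagged individually, and the threshold is expressed as a fraction of the configured interval so the same sweep can be used to see how tolerance affects false positives.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Beacon interval configured on the AP in the paper's test scenario: 102.4 ms (100 TU).
BEACON_INTERVAL_US = 102_400


@dataclass
class Beacon:
    """One captured beacon frame, reduced to the fields the detector needs."""
    mactime_us: int        # MACTime from the Prism header, in microseconds
    bssid: str             # BSSID the beacon claims to come from
    spoofed: bool = False  # ground truth; only set for the constructed sample


def detect_spoofed_beacons(beacons: List[Beacon],
                           interval_us: int = BEACON_INTERVAL_US,
                           tolerance: float = 0.5) -> List[Tuple[int, int]]:
    """Return (index, delta_us) for every beacon that arrives too early.

    Delta is measured against the last beacon *accepted as legitimate* for the
    same BSSID, so a flagged frame does not move the reference clock and the
    legitimate beacon that follows it is not flagged as well. Only small
    deltas are anomalous: congestion delays a beacon (delta > interval); it
    never makes one early.
    """
    threshold_us = round(interval_us * tolerance)
    last_accepted: Dict[str, int] = {}
    flagged: List[Tuple[int, int]] = []
    for i, b in enumerate(beacons):
        ref = last_accepted.get(b.bssid)
        if ref is not None:
            delta = b.mactime_us - ref
            if delta < threshold_us:
                flagged.append((i, delta))
                continue  # keep the reference at the last good beacon
        last_accepted[b.bssid] = b.mactime_us
    return flagged


def threshold_sweep(beacons: List[Beacon], tolerances: List[float],
                    interval_us: int = BEACON_INTERVAL_US) -> List[Tuple[float, int, int]]:
    """Count true and false positives per tolerance (the points an ROC curve
    is built from), using the ground-truth flag on each beacon."""
    results = []
    for tol in tolerances:
        hits = {i for i, _ in detect_spoofed_beacons(beacons, interval_us, tol)}
        tp = sum(1 for i in hits if beacons[i].spoofed)
        results.append((tol, tp, len(hits) - tp))
    return results


def constructed_capture() -> List[Beacon]:
    """Constructed sample capture (not real data): six legitimate beacons, the
    third delayed 8 ms by congestion, plus two spoofed beacons injected
    between legitimate ones."""
    ap = "00:11:22:33:44:55"  # placeholder BSSID
    legit_times = [0, 102_400, 204_800 + 8_000, 307_200, 409_600, 512_000]
    legit = [Beacon(t, ap) for t in legit_times]
    spoofs = [Beacon(250_000, ap, spoofed=True), Beacon(340_000, ap, spoofed=True)]
    return sorted(legit + spoofs, key=lambda b: b.mactime_us)


if __name__ == "__main__":
    capture = constructed_capture()
    for idx, delta in detect_spoofed_beacons(capture):
        print(f"beacon #{idx} at {capture[idx].mactime_us} us: delta {delta} us, flagged")
    for tol, tp, fp in threshold_sweep(capture, [0.3, 0.5, 0.95]):
        print(f"tolerance {tol}: {tp} detected, {fp} false positives")
```

With the default tolerance of half an interval both injected beacons are flagged and nothing else is. The sweep shows the two ways a badly chosen threshold fails on this capture: at 0.3 both injected beacons pass, and at 0.95 the beacon following the congestion-delayed one is flagged because its delta is shorter than the interval, which is exactly the false-positive source the high-traffic scenario has to deal with.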
Tools used
• Tcpdump for traffic capture
• Modified Snort-Wireless with a preprocessor that measures beacon intervals and sends alerts using the proposed detection method
• Scapy injection framework
• Wireshark Wi-Fi injection patch created for the paper
Experimental results
Figure: Scenario I, low traffic. Time between beacon frames in a network in normal operation with low traffic; the variation is insignificant.
Figure: Scenario I, low traffic. Time between beacon frames under attack; here the variation increased.
Figure: Scenario II, high traffic. Time between beacon frames in a network in normal operation with high traffic.
Figure: Scenario II, high traffic. Time between beacon frames under attack.
Comparison against Snort-Wireless
• The threshold based technique used by Snort-Wireless is prone to false positives
• Snort-Wireless is outdated in some aspects, but it was chosen instead of other commercial tools because those are black boxes and it is impossible to analyze the techniques they use
• Snort-Wireless uses the sequence number analysis technique to detect false frame attacks
Figure: Snort-Wireless and the proposed method compared in Scenario I (low traffic) and Scenario II (high traffic).
How to evade the detection
Synchronize false beacons
• When a legitimate beacon is delayed, an attacker can try to inject a false beacon
Cons
• This is very difficult because the main reason for the delay is the congestion of the network
• Usually unpredictable, but it may depend on the hardware
• It's very difficult to achieve the necessary precision with standard hardware
• Attacks usually need a few false frames in a short period of time
Synchronize with interference
• An attacker can create interference to the legitimate beacon, and then inject the false frame
Cons
• Requires highly specialised hardware and correct synchronisation with the legitimate frame that is being interfered with
Conclusions and Further Work
Figure: ROC curve of the detection method in the worst case, with high traffic.
• The proposed detection method does not generate any false positives if a correct detection threshold is established
• Results clearly show that spoofed beacon frames can be detected by measuring the intervals between beacon frames
• As well as being effective, the technique's implementation is very simple and it is a passive measurement with minimum hardware requirements
• The times between frames can be measured and thus the very same technique can be used in the future to detect the anomalous behavior provoked by other attacks
Thank You