Title: Diapositiva 1
1Beacon Frame Spoofing Attack Detection in IEEE
802.11 Networks
Asier Martínez, U. Zurutuza, R. Uribeetxeberria,
M. Fernández, J. Lizarraga, A. Serna
2Introduction
Overview
- Introduction
- 802.11 attacks
- Problem description and proposal for solution
1
2
- Proposed detection method
- Experimental results
- Comparison against Snort-Wireless
-
-
-
-
3
Conclusions and Further Work
3Introduction
Introduction
Computer Security research group of Mondragon
University
- Security in embedded systems
- Audit and evaluation mechanisms
- Intrusion detection Honeypots
4Introduction
Introduction
Business and innovation centre
5Introduction
802.11 attacks
802.11 Complexity
They dont have any protection against
impersonation attacks
- 802.11 is complex it have 31 frame types,
Ethernet only type. - Three principal type of frames
- Administration
- Management
- Data
Management frames
- Management frames are critical for the correct
operation of the network
6Introduction
802.11 attacks
802.11 Attacks
- DoS Flood attacks, ( Probe Req. Flood, Auth Req.
Flood, EAPOL-Start, etc) - Radio Jamming
- Hijacking attacks ( Airpwn )
- Cryptographic Attacks ( WEP, WPA )
- Other DoS Attacks ( Power Saving, 802.11i,
CTS/RTS, Deauth ) - Driver Flaw exploitation
-
98 of attacks are based on frame spoofing
How can we detect those spoofed frames?
7Introduction
Problem description and solution proposal
The best way to detect falsification is in the
stations (AP, Client) firmware
Anomalies in behavior of the clients
- OS fingerprinting
- Signal monitoring
- Supported rates in connection
- Driver fingerprinting
What if we want offline processing of an attack?
i.e Forensic Analysis We need external monitoring
techniques
Anomalies in 802.11 protocol or network
- Sequence Number
- Excessive number of some type of frames
- Frame reinyections
-
Lot of actual hardware dont have this
functionality, and another only detects specific
frames
8Introduction
Proposed detection method
- The method proposed detects beacon frames that
have been spoofed in an infraestructure 802.11
network - The detection method is based on the monitoring
of time intervals between beacon frames - We define variable called Delta, which represent
the time gap between two consecutive beacon
frames Delta ( b2timestamp b1timestamp )
9Introduction
Proposed detection method
802.11 Beacon frames
- They are transmitted in regular intervals called
specified in Beacon Interval field, it is
configured in the AP. - The transmission will be delayed because hight
traffic - If spoofed beacon is sended, we can detect
smaller time between beacon frames ( Delta ) - We can identify each spoofed frame individually
10Introduction
Proposed detection method
Scenario configuration
- To measure the beacon interval MACTime field of
Prism headers has been used because is more
precise - The AP was configured with an beacon interval of
102.4ms - The Sensor must be near of the AP to detect all
Beacon frames - Senao 802.11g cards with WRT54G router, ( Cisco
Aironet 1200 also tested )
Because the beacon frame will be delayed, the
network was tested with low and high traffic
11Introduction
Proposed detection method
Tools used
- Tcpdump for traffic capture
- Modified Snort-Wireless with a preprocessor to
measure and send alert with proposed detection
method - Scapy injection framework
- Wireshark WiFi injection patch created for the
paper
12Introduction
Experimental results
Scenario I, low traffic
Time between beacon frames in normal operation
network with low traffic, the variation is
insignificant
13Introduction
Experimental results
Scenario I, low traffic
Time between beacon frames under attack, here the
variation was increased
14Introduction
Experimental results
Scenario II, high traffic
Time between beacon frames in normal operation
network with high traffic
15Introduction
Experimental results
Scenario II, high traffic
Time between beacon frames under attack
16Introduction
Comparison against Snort-Wireless
Snort-Wireless
- Threshold based technique used by Snort-Wireless
is prone to false positives - Snort-Wireless is outdated in some aspects, but
choosing Snort-Wireless instead of other
commercial tools was due to the fact that they
are a black box and it is impossible to analyze
the techniques they use - Uses the sequence number analysis technique to
detect false frame attacks
17Introduction
How evade the detection
Synchronize false beacons
Synchronize with interference
- When legimit beacon is delayed, an attacker can
try to inject false beacon
- Attacker can create an interference to the
legimit Beacon, and then inject false frame
Cons
- This is very difficult because the main reason
for the delay is the congestion of the network - Usually unpredictable, but it may depends on the
hardware - Its very difficult to achieve the necessary
precision with standard hardware - Attacks usually needs a few false frames in short
period of time
Cons
- Require a highly specialised hardware and a
correct synchronisation with the legitimate frame
that we try to interfere with
18Introduction
Conclusions and Further Work
Conclusions and further work
- ROC curve of the detection method in worst case
with hight traffic - The proposed detection method does not generate
any false positive if correct detection threshold
is established - Results clearly show that spoofed beacon frames
can be detected measuring the intervals between
beacon frames
19Introduction
Conclusions and Further Work
Conclusions and further work
- As well as being effective , technique
implementation is very simple an it is passive
measurement with minimum hardware requirements - The times between frames can be measured and
thus, the very same techniques can be used in the
future to detect the anomalous behavior provoked
by other attacks
20Introduction
Conclusions and Further Work
Thank You
?