Wireless Network Monitoring

1
Wireless Network Monitoring

• Plan B Project
• Sandeep P Karanth
• Advisor Prof. Anand Tripathi

2
Outline

• Introduction
• Overview of Konark
• IEEE 802.11 Wireless LANs
• Potential Threats to a Wireless LAN
• Modes of Operation
• Detection Logic
• Conclusions and Future work

3
Introduction

• Network Monitoring issues
• Large Networks
• Heterogeneous components
• Distributed monitoring
• Centralized event-viewing and control
• Quick Response to alerts
• Response against attackers/intruders
• Response against misconfigurations/failures
• Robust and Secure system

4
Konark Overview

• Mobile-Agent based network monitoring
• Object capable of migration
• first-class objects altered remotely
• Programming framework Ajanta
• Script based detection techniques
• tedious to install, debug and modify
• coarse-grained protection

5
Konark Overview (Contd..)

• Goals
• Dynamically Extensible
• Addition of new monitoring components
• Modification of existing monitoring policies
• Integration of tools
• Active Monitoring
• Modification of policies in response to events
• Online Monitoring
• Event monitoring in real-time

6
Konark Overview (Contd..)

• Goals (contd..)
• Resilience by diverse monitoring sources
• Secure
• System itself has to be secure
• Robust
• Automated recovery of failed system components
• Scalable
• Acceptable System Performance

7
Konark Overview (Contd..)

• Publish-Subscribe network monitoring system
• Monitoring agents equipped with detectors
• Publisher-subscriber relationship is dynamic
• Event model for information flow
• Automated agent and detector recovery
• Uses self-monitoring schemes
• Authenticated inter-agent communication (RMI)
• Challenge-response protocol

8
Konark Overview (Contd..)
9
IEEE 802.11 Wireless LAN

• IEEE 802.11 operates at PHY and MAC
• Operating modes
• Infrastructure
• Ad hoc
• Carrier Sense Multiple Access (CSMA)
• Collision Avoidance (CA)
• Binary Exponential Back-off algorithm

10
IEEE 802.11 Wireless LAN (contd..)

• Terminology
• Access Point (AP)
• Service Set Identifier (SSID)
• Basic Service Set (BSS)
• Independent BSS (IBSS) Adhoc network
• Extended Service Set (ESS) APs having same
  SSID
• Distribution System (DS) connects APs
• Wired Equivalent Privacy (WEP)

11
IEEE 802.11 Wireless LAN (contd..)

• Generic 802.11 frame format

12
IEEE 802.11 Wireless LAN (contd..)

• Generic Management frame

13
IEEE 802.11 Wireless LAN (contd..)

• Association Process

14
IEEE 802.11 Wireless LAN (contd..)

• Frame types
• Beacon Frame AP advertisement
• Probe Request / Response
• Reassociation Request / Response
• Authentication
• Open Authentication (MAC ACLs used)
• Shared Key authentication

15
Potential Threats and Management Issues

• MAC Address Spoofing
• Attacker impersonates a legitimate client
• Attacker fakes as a legitimate AP (Fake AP)
• Attacker sends spoofed
  deauthenticate/disassociate frames
• Denial-Of-Service Attacks
• Authenticate/Associate message floods on AP
• RTS frame floods

16
Potential Threats and Management issues (contd..)

• Network Misconfigurations / Failures
• AP failure
• Unauthorized or Rogue APs
• May not conform to security policies
• Policy Conformance
• Acceptable signal strengths
• Acceptable data rate
• Correct SSIDs
• Attack Tools macchanger, FakeAP, LibRadiate

17
Design Goals

• Monitoring Objectives
• Attack Detection and response
• Unauthorized use detection and response
• Component failure detection
• Service Provisioning Objectives
• User tracking service Pervasive applications

18
Modes of Monitoring System Operation

• Mode 1
• Notebooks/PCs executing a monitoring daemon
• Statically placed
• Strategically placed to get entire network
  coverage
• Mode 2
• A PDA/handheld running a monitoring daemon

19
Modes of Monitoring System Operation(Contd)

• Mode 2 (contd..)
• Campus walk taken by wireless security auditor
• Mode 3
• Access Points log information to a syslog file
• Syslog file analyzed for event generation

20
Modes of Monitoring System Operation(Contd)
21
Detection Logic and Response

• Sequence number Analysis
• Each frame has a 12-bit sequence number
• Put in by the firmware
• Range of sequence numbers 0 - 4095
• Sequence numbers of 2 stations are not likely to
  be the same
• Fake and legitimate station will have
  out-of-order sequence numbers

22
Detection Logic and Response (contd..)

• Sequence number analysis (contd..)
• Packet capturing software and dump analyzer used
  to analyze
• Dump analyzer slower than capturing software
  (packets captured are dropped)
• Only 1 in 10 beacon frames analyzed to account
  for slow analysis
• Threshold of 20 chosen for difference in seq. no.
  for the same source

23
Detection Logic and Response (contd..)

• Sequence number analysis (contd..)
• Detection Capabilities
• Faking client detection
• Fake AP detection
• Forced disassociation/deauthentication
• Fails if unauthorized user connects in a
  disjoint time frame
• Likely time policy
• Inform users when they connect

24
Detection Logic and Response (contd..)

• Sequence number analysis (contd..)
• Fails if unauthorized user connects to another
  BSS in an ESS
• Konark monitoring agents perform distributed
  correlations to detect this
• Correlation of events among AP logs helps us
  detect this

25
Detection Logic and Response (contd..)

• Packet counting and analysis
• Packets sent to an AP are recorded
• Many packets in a small adjustable interval
  indicate a DOS attack
• AP logs also examined to detect such attacks

26
Detection Logic and Response (contd..)

• Misconfiguration/Failure detection
• Missing beacons imply AP failure
• Beacons may be disabled in an AP (policy)
• Ping every AP with a probe request
• Extraneous beacons/ frames with unknown BSSID
  implies Rogue APs
• Network baseline fed to the daemon at startup
• Repeated associations, DHCP denials or unknown
  frame transmittals imply brute force attacks or
  client misconfiguration

27
Detection Logic and Response (contd..)
28
Experimental Setup

• Experiments conducted on the EECS building
  wireless LAN (802.11b)
• Cisco Access Points (Aironet 340/350 series)
• Notebook PCs running Linux used to conduct
  experiments
• Cisco 340/350 wireless cards used for wireless
  connectivity

29
Experimental Setup (contd..)

• Packet capturing software used Kismet
  (Development version 2.8.1)
• Dump analyzer Ethereal

Named pipe
Pipe
Kismet
Ethereal
Monitoring Daemon
Capture packets
Decode packets
Analyze decoded packets
30
Experimental Setup

• About 90-95 of the frames observed are IEEE
  802.11 management frames
• Beacon frames form 90 of the management frames
• Beacon interval is 0.1024 seconds

31
Experimental Setup

• Mon May 26 153100 2003 Deauthentication
  SrcAddr004096479913 DestAddr004096334c
  8c BSSID004096479913
• Mon May 26 153100 2003 Deauthentication
  SrcAddr004096479913 DestAddr004096334c
  8c BSSID004096479913
• Mon May 26 153100 2003 Authentication
  SrcAddr004096334c8c DestAddr00409647e6
  ec BSSID00409647e6ec
• Mon May 26 153101 2003 Sequence number
  mismatch SrcAddr00409641d401
  DetailsUnauthorized Client suspected
• Mon May 26 153101 2003 Reassociation Request
  SrcAddr004096334c8c DestAddr00409647e6
  ec BSSID00409647e6ec
• Mon May 26 153104 2003 Sequence number
  mismatch SrcAddr 00409641d401
  DetailsUnauthorized Client suspected

32
Conclusions

• A MAC layer monitoring tool is required
• A proof-of-concept monitoring tool is
  implemented
• Such tools can be easily integrated with
  existing monitoring systems (Konark)

33
Future Directions

• Cost efficient ways of monitoring MAC layer need
  to be determined
• Efficient methodologies for building intrusion
  detection systems for thin clients are required
• Ajanta agents need to be customized to run on
  handhelds and wearable computers