1
Beacon Frame Spoofing Attack Detection in IEEE 802.11 Networks
Asier Martínez, U. Zurutuza, R. Uribeetxeberria, M. Fernández, J. Lizarraga, A. Serna
2
Introduction
Overview
1.
  • Introduction
  • 802.11 attacks
  • Problem description and proposal for solution
2.
  • Proposed detection method
  • Experimental results
  • Comparison against Snort-Wireless
3. Conclusions and Further Work
3
Introduction
Computer Security research group of Mondragon University
  • Security in embedded systems
  • Audit and evaluation mechanisms
  • Intrusion detection, honeypots

4
Introduction
Business and innovation centre
5
802.11 attacks
802.11 Complexity
  • 802.11 is complex: it has 31 frame types, while Ethernet has only one.
  • Three principal types of frames:
    • Administration
    • Management
    • Data

Management frames
  • Management frames are critical for the correct operation of the network
  • They don't have any protection against impersonation attacks

6
802.11 attacks
802.11 Attacks
  • DoS flood attacks (Probe Req. Flood, Auth Req. Flood, EAPOL-Start, etc.)
  • Radio jamming
  • Hijacking attacks (Airpwn)
  • Cryptographic attacks (WEP, WPA)
  • Other DoS attacks (Power Saving, 802.11i, CTS/RTS, Deauth)
  • Driver flaw exploitation

98% of attacks are based on frame spoofing.
How can we detect those spoofed frames?
7
Problem description and solution proposal
The best way to detect falsification is in the firmware of the stations (AP, client).
Anomalies in the behavior of the clients
  • OS fingerprinting
  • Signal monitoring
  • Supported rates in connection
  • Driver fingerprinting

What if we want offline processing of an attack, i.e. forensic analysis? We need external monitoring techniques.
Anomalies in the 802.11 protocol or network
  • Sequence number
  • Excessive number of some types of frames
  • Frame reinjections

A lot of current hardware doesn't have this functionality, and other hardware only detects specific frames.
8
Proposed detection method
  • The proposed method detects beacon frames that have been spoofed in an infrastructure 802.11 network
  • The detection method is based on monitoring the time intervals between beacon frames
  • We define a variable called Delta, which represents the time gap between two consecutive beacon frames: Delta = (b2timestamp - b1timestamp)

9
Proposed detection method
802.11 Beacon frames
  • They are transmitted at regular intervals, specified in the Beacon Interval field, which is configured in the AP.
  • The transmission will be delayed because of high traffic
  • If a spoofed beacon is sent, we can detect a smaller time between beacon frames (Delta)
  • We can identify each spoofed frame individually

10
Proposed detection method
Scenario configuration
  • To measure the beacon interval, the MACTime field of the Prism headers has been used because it is more precise
  • The AP was configured with a beacon interval of 102.4 ms
  • The sensor must be near the AP to detect all beacon frames
  • Senao 802.11g cards with a WRT54G router (Cisco Aironet 1200 also tested)

Because beacon frames will be delayed, the network was tested with low and high traffic.
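An added example, not code from the presentation or from the authors' Snort-Wireless preprocessor: a minimal Python version of the Delta check over captured beacon records, using the 102.4 ms interval and MACTime timestamps from the slides. The 32-bit microsecond MACTime counter, the threshold values and the BSSIDs in the constructed capture are assumptions.

```python
from collections import namedtuple

# One captured beacon: MACTime (microseconds) and the BSSID it claims to come from.
Beacon = namedtuple("Beacon", "mactime_us bssid")

BEACON_INTERVAL_US = 102_400   # 102.4 ms, the AP setting given on the slides
MACTIME_MODULUS = 2 ** 32      # assumption: MACTime is a 32-bit microsecond counter


def find_short_deltas(beacons, threshold_us):
    """Return (index, bssid, delta_us) for each beacon that arrives less than
    threshold_us after the previous beacon carrying the same BSSID."""
    last_seen = {}
    alerts = []
    for index, beacon in enumerate(beacons):
        previous = last_seen.get(beacon.bssid)
        if previous is not None:
            # Modular subtraction keeps Delta correct when the counter wraps.
            delta = (beacon.mactime_us - previous) % MACTIME_MODULUS
            if delta < threshold_us:
                alerts.append((index, beacon.bssid, delta))
        last_seen[beacon.bssid] = beacon.mactime_us
    return alerts


def build_sample_capture():
    """Constructed capture: two APs, one beacon delayed 3 ms by traffic,
    one extra beacon at offset 347,200 us, and a counter wrap in the middle."""
    ap, neighbour = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # made-up BSSIDs
    start = MACTIME_MODULUS - 250_000
    offsets = [
        (0, ap), (50_000, neighbour), (102_400, ap), (152_400, neighbour),
        (207_800, ap),            # due at 204,800 us, delayed by traffic
        (254_800, neighbour), (307_200, ap),
        (347_200, ap),            # extra beacon, 40 ms after the real one
        (357_200, neighbour), (409_600, ap), (459_600, neighbour), (512_000, ap),
    ]
    return [Beacon((start + off) % MACTIME_MODULUS, bssid) for off, bssid in offsets]


if __name__ == "__main__":
    capture = build_sample_capture()
    # Threshold at 90% of the interval (an assumed value, to be tuned per network).
    for index, bssid, delta in find_short_deltas(capture, 0.9 * BEACON_INTERVAL_US):
        print(f"frame {index} {bssid}: Delta {delta / 1000:.1f} ms")
```

At the 90% threshold the single extra beacon produces two short Deltas (40.0 ms and 62.4 ms), because the next genuine beacon still arrives on schedule; the 3 ms traffic delay and the interleaved second AP produce none.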
11
Proposed detection method
Tools used
  • Tcpdump for traffic capture
  • Modified Snort-Wireless with a preprocessor to measure and send alerts with the proposed detection method
  • Scapy injection framework
  • Wireshark WiFi injection patch created for the paper

12
Experimental results
Scenario I, low traffic
Time between beacon frames during normal network operation with low traffic; the variation is insignificant.
13
Experimental results
Scenario I, low traffic
Time between beacon frames under attack; here the variation increased.
14
Experimental results
Scenario II, high traffic
Time between beacon frames during normal network operation with high traffic
15
Experimental results
Scenario II, high traffic
Time between beacon frames under attack
16
Comparison against Snort-Wireless
Snort-Wireless
  • The threshold-based technique used by Snort-Wireless is prone to false positives
  • Snort-Wireless is outdated in some aspects, but it was chosen over commercial tools because they are black boxes and it is impossible to analyze the techniques they use
  • It uses the sequence number analysis technique to detect false frame attacks

17
How to evade the detection
Synchronize false beacons
  • When a legitimate beacon is delayed, an attacker can try to inject a false beacon

Cons
  • This is very difficult because the main reason for the delay is the congestion of the network
  • Usually unpredictable, but it may depend on the hardware
  • It's very difficult to achieve the necessary precision with standard hardware
  • Attacks usually need a few false frames in a short period of time

Synchronize with interference
  • An attacker can create interference with the legitimate beacon, and then inject a false frame

Cons
  • Requires highly specialised hardware and correct synchronisation with the legitimate frame that we try to interfere with

18
Conclusions and Further Work
Conclusions and further work
  • ROC curve of the detection method in the worst case with high traffic
  • The proposed detection method does not generate any false positives if a correct detection threshold is established
  • Results clearly show that spoofed beacon frames can be detected by measuring the intervals between beacon frames

19
Conclusions and Further Work
Conclusions and further work
  • As well as being effective, the technique is very simple to implement, and it is a passive measurement with minimum hardware requirements
  • The times between frames can be measured and thus the very same techniques can be used in the future to detect the anomalous behavior provoked by other attacks

20
Conclusions and Further Work
Thank You
?