Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks PowerPoint PPT Presentation

1
Vulnerability Analysis and Intrusion Mitigation
Systems for WiMAX Networks
  • Yan Chen, Hai Zhou
  • Northwestern Lab for Internet and Security
    Technology (LIST)
  • Dept. of Electrical Engineering and Computer
    Science
  • Northwestern University
  • http://list.cs.northwestern.edu

Motorola Liaisons: Greg W. Cox, Z. Judy Fu, Phil
Roberts, and Peter McCann (Motorola Labs)
2
The Current Threat Landscape and Countermeasures
of WiMAX Networks
  • WiMAX: the next wireless phenomenon
    • Predicted multi-billion dollar industry
  • WiMAX faces both Internet attacks and wireless
    network attacks
    • E.g., 6 new viruses, including Cabir and Skulls,
      with 30 variants targeting mobile devices
  • Goal of this project: secure WiMAX networks
  • Big security risks for WiMAX networks
    • No formal analysis of WiMAX security
      vulnerabilities
    • No intrusion detection/mitigation
      product/research tailored towards WiMAX networks

3
Security Challenges in WiMAX Networks
  • In addition to sharing similar challenges with
    wired networks
    • High-speed traffic
    • Zero-day threats
  • Wireless networks are more vulnerable
    • Open media
      • Easy to sniff, spoof and inject packets
    • Open access
      • Hotspots and a potentially large user population
  • Attacks are more diverse
    • On media access (e.g., jamming), but easy to
      detect
    • On protocols (our focus)

4
Overall Approach and Achievement
  • Adaptive Intrusion Detection and Mitigation for
    WiMAX Networks (WAIDM)
    • Focus on the emerging threats: polymorphic
      zero-day worms and botnets
    • High-speed network monitoring and
      anomaly/intrusion detection
    • Polymorphic zero-day worm signature generation
    • Both designed, implemented and fully evaluated
    • All code is available to Motorola
  • Vulnerability analysis and defense of WiMAX
    networks at various layers
    • IEEE 802.16e MAC layer
    • Mobile IP v4/v6 network layer
    • EAP layer (generalized to various wireless
      cellular networks)
    • Finished for WiMAX, generalization ongoing

5
Overall Approach and Achievement II
  • Twelve conference and two journal papers
  • Some more are under submission
  • Two book chapters
  • One patent filed

6
Outline
  • Threat landscape and motivation
  • Overall approach and achievement
  • Accomplishment this year
  • Error-message based DoS attacks of wireless
    networks and the defense

7
Accomplishments This Year
  • Most achieved through close interaction with
    Motorola liaisons
  • Automatic polymorphic worm signature generation
    systems for high-speed networks
    • Fast, noise-tolerant, with proven attack resilience
    • Resulted in two joint papers with Motorola Labs
      • Network-based and Attack-resilient Length
        Signature Generation for Zero-day Polymorphic
        Worms, published in the IEEE International
        Conference on Network Protocols (ICNP) 2007 (14%
        acceptance rate).
    • Patent filed through Motorola.
      • Method and Apparatus to Facilitate Generating
        Worm-Detection Signatures Using Data Packet Field
        Lengths, U.S. Patent Application No. 11/985,760.
        Filed on Dec. 18, 2007.
    • A journal paper submitted to IEEE/ACM Trans. on
      Net.

8
Accomplishments on Publications
  • Four conference papers, one journal paper and two
    book chapters
    • Accurate and Efficient Traffic Monitoring Using
      Adaptive Non-linear Sampling Method, in the
      Proc. of IEEE INFOCOM, 2008.
    • A Survey of Existing Botnet Defenses, in the
      Proc. of IWSSE 2008.
    • Honeynet-based Botnet Scan Traffic Analysis,
      invited book chapter for Botnet Detection:
      Countering the Largest Security Threat,
      Springer, 2007.
    • Integrated Fault and Security Management,
      invited book chapter for Information Assurance:
      Dependability and Security in Networked Systems,
      Morgan Kaufmann Publishers, 2007.
    • Reversible Sketches: Enabling Monitoring and
      Analysis over High-speed Data Streams, in
      ACM/IEEE Transactions on Networking, Volume 15,
      Issue 5, Oct. 2007.
    • Network-based and Attack-resilient Length
      Signature Generation for Zero-day Polymorphic
      Worms, in the Proc. of the 15th IEEE
      International Conference on Network Protocols
      (ICNP), 2007.
    • Detecting Stealthy Spreaders Using Online
      Outdegree Histograms, in the Proc. of IEEE
      International Workshop on Quality of Service,
      2007.

9
Students Involved
  • PhD students
    • Zhichun Li, Yao Zhao (both in their 4th year)
    • Lanjia Wang (visiting PhD student)
  • MS students
    • Sagar Vemuri (2nd year)
    • Jiazhen Chen (1st year)

10
Error-message Based DoS Attacks of Wireless
Networks and the Defense
11
Vulnerability and Attack Methodology
  • Error messages are processed imprudently
    • Error messages are in clear text before
      authentication
    • Messages are trusted without an integrity check
  • Attack requirements
    • Sniffing: easy on wireless networks
    • Spoofing before authentication completes
      • Easy on wireless LANs, doable on cellular
        networks
  • Basic attack idea
    • Spoof and inject error messages, or wrong messages
      that trigger error messages, to clients and/or
      servers.
  • Maybe a known problem, but largely ignored

12
Outline
  • Vulnerability and Attack Methodology
  • Attack Case Studies
  • EAP protocols for wireless and cellular networks
  • Mobile IPv6 route optimization protocol (skipped)
  • Countermeasures
  • Conclusions

13
EAP Authentication on Wireless Networks
[Figure: layered EAP authentication stack. Authentication primitives: Challenge/Response, TLS. Authentication method layer: EAP-FAST, PEAP, EAP-TTLS, EAP-AKA, EAP-SIM, EAP-TLS. EAP layer: Extensible Authentication Protocol (EAP). Data link layer: EAP over LAN (EAPOL) on 802.11 WLAN, GSM, UMTS/CDMA2000.]
14
TLS Authentication Procedure
TLS Handshake Protocol: the client and server
negotiate a stateful connection using a handshake
procedure.
15
DoS Attacks on TLS Authentication
  • Sniff to get the client MAC address and IDs
    • Packets are in clear text before authentication
  • Send spoofed error messages
    • Before authentication is done, the attacker spoofs
      an alert message of level fatal, followed by a
      close_notify alert.
    • Then the handshake protocol fails and needs to be
      tried again.
  • Complete the DoS attack
    • The attacker repeats the previous steps to stop
      all the retries
  • When this attack happens, WPA2, WPA and WEP are all
    in clear text.

16
DoS Attacks on TLS Illustration
  • Sending Error Alert message of level Fatal
  • Can either attack client or server

17
DoS Attack on Challenge/Response over EAP-AKA
[Figure: message exchange between the Server End and the Client End]
  Server -> Client: EAP-Request/Identity
  Client -> Server: EAP-Response/Identity (NAI)
  Server -> Client: AKA-Challenge (RAND, AUTN, MAC)
  Client -> Server: AKA-Response (RES, MAC)
  Server -> Client: EAP-Success
Simple attack: sending an Error Rejection/
Notification message
18
DoS Attack Experiment on a WiFi Network with PEAP
Protocols
  • Hardware
    • WiFi cards with Atheros chipsets (e.g., Proxim
      Orinoco Gold wireless adapter)
    • MADWifi driver
  • Code implementation
    • Libraries
      • Sniffing: libpcap library
      • Spoofing: Lorcon library
    • Attacking code
      • About 1200 lines of C code on Ubuntu Linux

19
Field Test Results
  • We conducted the EAP-TLS attack experiments at a
    cafeteria.
  • 7 mobile hosts and one attacker
  • We've successfully attacked all of them on one
    of the two channels

20
Attack Efficiency Evaluation
                           Attack Point 1      Attack Point 2
  Ratio by # of Messages   25.00%  (1/4)       28.57%  (2/7)
  Ratio by Bytes           15.89%  (78/491)    14.87%  (156/1049)
  • For example, when the attack happens at the second
    point
    • Only 156 bytes of attack messages are needed to
      disrupt the whole 1049-byte authentication
      exchange.

21
Scalability Evaluation by NS2 Simulations
  • Vary the # of simultaneous sign-on clients up to
    100
  • All results are based on an average of 100 runs.
  • Shows that the attack scales: very few
    clients are able to authenticate successfully.

22
NS-2 Simulation Results II
  • Even better results when sending error messages
    more aggressively by reducing the CWMin parameter
    of the attacker
    • The attacker's back-off time is reduced.

23
Outline
  • Vulnerability and Attack Methodology
  • Attack Case Studies
  • EAP protocols for wireless and cellular networks
  • Mobile IPv6 route optimization protocol (skipped)
  • Countermeasures
  • Conclusions

24
Countermeasures
  • Enhance the robustness of the authentication
    protocol for wireless access
    • Delay the decision-making process by waiting a
      short time for a success message (if any) to
      arrive, and
    • Give preference to success messages over the
      error ones.
  • Implemented and successfully thwarts EAP-TLS
    attacks

25
Conclusions
  • We have designed new methods to launch DoS
    attacks on security protocols using error
    messages.
  • We found that any security protocol is vulnerable
    to such attacks as long as it supports a few
    error messages before the authentication step.
  • We demonstrated the effect of these attacks on
    TLS and MIPv6 protocols.
  • As far as we know, no authentication protocol
    currently is secure against such attacks.
  • We suggest a few guidelines for protocol
    designers and implementers to defend against such
    attacks.

26
Backup Slides
27
EAP and TLS Authentication
  • Extensible Authentication Protocol (EAP) is a PPP
    extension
    • Provides support for additional authentication
      methods within PPP.
  • Transport Layer Security (TLS)
    • Mutual authentication
    • Integrity-protected cipher suite negotiation
    • Key exchange
  • Challenge/Response authentication with pre-shared
    keys
    • Pre-shared key (Ki) in SIM and AuC
    • AuC challenges the mobile station with RAND
    • Both sides derive keys based on Ki and RAND

28
Practical Experiment
  • For the 33 different tries:
    • All suffered an attack at Attack Point 1
    • 21 survived the first attack but failed at
      the 2nd Attack Point.

29
  • Simulate one TLS-Server, one TLS-Attacker and
    vary the number of TLS-Clients between 1 and a
    maximum of 100.
    • All of the clients authenticate to the TLS
      server simultaneously.
    • This is an extremely rare case.
  • A Base Station was set up to interface between the
    wired and wireless networks.
  • The duplex link between the BS and the TLS-Server
    was 100MBps with a 10ms delay.

30
Case 2 Mobile IPv6 Routing-Optimization
protocol
31
Mobile IPv6
  • Mobile IPv6 is a protocol which allows nodes to
    remain reachable while moving around in the IPv6
    Internet.
  • Each mobile node is always identified by its home
    address, regardless of its current point of
    attachment to the Internet.
  • IPv6 packets addressed to a mobile node's home
    address are transparently routed to its care-of
    address.
  • The protocol enables IPv6 nodes to cache the
    binding of a mobile node's home address with its
    care-of address, and to then send any packets
    destined for the mobile node directly to it at
    this care-of address.

32
Return Routability Procedure
  • The procedure begins when the MN sends a HoTI
    message to the CN through the HA and a CoTI message
    directly to the CN.
  • Upon receipt of the Binding Update, the CN adds
    an entry for the MN in its Binding Cache and
    optionally sends a Binding Acknowledgement.
  • Once this happens, the MN and CN will be capable of
    communicating over a direct route.
  • This way, the route between the MN and CN is
    optimized.

33
Return Routability Procedure
  • Once Return Routability happens, MN and CN will
    be capable of communicating over a direct route
  • The route between MN and CN is optimized.

34
The Vulnerability
  • Binding Error Vulnerability
    • Used to disable the Route Optimization
      procedure.
    • When a Binding Error message sets Status to 2
      (unrecognized MH Type value), the mobile
      node SHOULD cease the attempt to use route
      optimization.
    • The Binding Error message is not protected.
  • Binding Acknowledgement Vulnerability
    • The Binding Acknowledgement vulnerability affects
      the Return Routability procedure
    • A Binding Acknowledgement with status 136, 137 or
      138 is used to indicate an error and is not
      protected in any way
    • Hence, it could easily be spoofed by an external
      entity

35
The Vulnerability
  • Binding Error Vulnerability

36
The Vulnerability
  • Binding Acknowledgement Vulnerability

37
Experiment Environment
38
Evaluation
  • The MIPv6 experiment is based on a LAN testbed.
  • Except for the Mobile Node, all other components,
    such as the Home Agent and Correspondent Node, are
    connected via wired cable in the Northwestern
    network.
  • We collected the data over 100 experiment runs.
    Observed via Wireshark running on the Mobile Node,
    the time window for one successful attack is about
    5ms on average with a standard deviation of 0.108ms.
  • The time consumed by computing the spoofed Error
    message is 0.0203ms on average. The closer the
    attacker is to the Mobile Node, the higher the
    probability of launching a successful Error Message
    attack.

39
PEAP Enhancement
  • Original WPA supplicant v0.5.10
    • Generates a TLS ALERT on unexpected messages
    • Stops authentication on TLS ALERT
  • Delayed response implementation
    • Drop unexpected messages silently
    • Wait for 1 second after receiving a TLS ALERT to
      allow multiple responses, and ignore the TLS ALERT
      if good responses are received.
  • Verification
    • Redid the attack experiments and proved the
      effect of the countermeasures
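As an added illustration (not the authors' supplicant patch), the following Python models the delayed-decision policy from the Countermeasures and PEAP Enhancement slides against the original abort-on-alert behaviour; the message traces, the `Msg` type and the 1-second grace window are constructed for the example.

```python
# Added example: supplicant-side "delayed decision" on TLS alerts, modelled on
# the countermeasure described in the slides. Not the project's own code.
from dataclasses import dataclass

@dataclass
class Msg:
    t: float     # arrival time in seconds (constructed)
    kind: str    # "handshake", "alert_fatal", "close_notify", "success", "junk"

GRACE = 1.0      # slides: wait 1 s after a TLS ALERT before giving up

def naive_decision(trace):
    """Original behaviour: the first fatal alert aborts the handshake."""
    for m in sorted(trace, key=lambda m: m.t):
        if m.kind in ("alert_fatal", "close_notify"):
            return "failed"
        if m.kind == "success":
            return "authenticated"
    return "incomplete"

def delayed_decision(trace, grace=GRACE):
    """Countermeasure: on an alert keep listening for `grace` seconds and give
    preference to a success message that arrives within that window."""
    deadline = None
    for m in sorted(trace, key=lambda m: m.t):
        if deadline is not None and m.t > deadline:
            return "failed"          # window expired with no success: honour the alert
        if m.kind == "success":
            return "authenticated"   # success wins, even after an alert was seen
        if m.kind in ("alert_fatal", "close_notify") and deadline is None:
            deadline = m.t + grace   # open the window instead of aborting
        # "junk" (unexpected messages) is dropped silently, as in the patch
    return "failed" if deadline is not None else "incomplete"

# Constructed trace: a spoofed fatal alert and close_notify land 0.3 s before
# the genuine success message (the attack-point-2 situation in the slides).
ATTACKED = [Msg(0.0, "handshake"), Msg(0.8, "alert_fatal"),
            Msg(0.81, "close_notify"), Msg(0.9, "junk"), Msg(1.1, "success")]
# Constructed trace: a real server-side failure, no success ever arrives.
GENUINE_FAILURE = [Msg(0.0, "handshake"), Msg(0.8, "alert_fatal")]

if __name__ == "__main__":
    print("naive:", naive_decision(ATTACKED), "delayed:", delayed_decision(ATTACKED))
```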