Yan Chen - PowerPoint PPT Presentation

Description:

Intrusion Detection and Forensics for Self-defending Wireless Networks Yan Chen Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and ...

Slides: 46
Provided by: Yao83
Transcript and Presenter's Notes

1
Intrusion Detection and Forensics for
Self-defending Wireless Networks
  • Yan Chen
  • Lab for Internet and Security Technology (LIST)
  • Dept. of Electrical Engineering and Computer
    Science
  • Northwestern University
  • http://list.cs.northwestern.edu

2
Security Challenges in GIG Wireless Networks
  • Wireless networks share the challenges of wired networks:
    • High-speed traffic (e.g., WiMAX)
    • Zero-day threats
    • Lack of quality information for situation-aware analysis: attack
      target/strategy, attacker (botnet) size, etc.
  • Wireless networks are more vulnerable
    • Open medium: easy to sniff, spoof and inject packets
    • Open access: hotspots and a potentially large user population
  • Attacks are more diverse
    • On media access (e.g., jamming), but these are easy to detect
    • On protocols (our focus)

3
Self-Defending Wireless Networks
  • Network-based adaptive intrusion detection and mitigation systems for
    emerging threats
    • Polymorphic zero-day worm signature generation (done)
    • Automated analysis of large-scale botnet probing events for
      situation-aware information (ongoing)
  • Proactive vulnerability analysis and defense of wireless network
    protocols at various layers
    • WiMAX IEEE 802.16e MAC layer (done)
    • Mobile IPv4/IPv6 network layer (done)
    • Authentication layer (generalized to various wireless cellular
      networks, ongoing)

4
Outline
  • Overall approach and achievement
  • Accomplishment this year
  • Highlight: error-message based DoS attacks on wireless networks and
    their defense

5
Accomplishments on Publications
  • Four conference papers, one journal paper and two book chapters
    • "Accurate and Efficient Traffic Monitoring Using Adaptive Non-linear
      Sampling Method", in Proc. of IEEE INFOCOM, 2008.
    • "A Survey of Existing Botnet Defenses", in Proc. of IEEE IWSSE, 2008.
    • "Honeynet-based Botnet Scan Traffic Analysis", invited book chapter
      for Botnet Detection: Countering the Largest Security Threat,
      Springer, 2007.
    • "Integrated Fault and Security Management", invited book chapter for
      Information Assurance: Dependability and Security in Networked
      Systems, Morgan Kaufmann Publishers, 2007.
    • "Reversible Sketches: Enabling Monitoring and Analysis over High-speed
      Data Streams", in IEEE/ACM Transactions on Networking, Volume 15,
      Issue 5, Oct. 2007.
    • "Network-based and Attack-resilient Length Signature Generation for
      Zero-day Polymorphic Worms", in Proc. of IEEE ICNP, 2007.
    • "Detecting Stealthy Spreaders Using Online Outdegree Histograms", in
      Proc. of the IEEE International Workshop on Quality of Service
      (IWQoS), 2007.
  • Collaborative publication with Dr. Keesook Han from AFRL
    • Resulted from joint research on botnets.
    • Obtained binary/source from Dr. Han.
    • Plan to use the testbed developed at AFRL.

6
Accomplishments This Year
  • Automatic zero-day polymorphic worm signature generation system for
    high-speed networks
    • Fast and noise tolerant, with proven attack resilience
    • Published at the IEEE International Conference on Network Protocols
      (ICNP) 2007 (14% acceptance rate).
    • A patent filed through Motorola.
    • Potential technology transfer through Motorola.

7
Limitations of Exploit Based Signatures
[Diagram: an exploit-based signature (labelled "Signature 10.01") filters
traffic between the Internet and our network; a polymorphic variant of the
worm is not matched by it.]
Polymorphism! Polymorphic worms might not have exact exploit-based
signatures.
8
Vulnerability Signatures
[Diagram: vulnerability-signature traffic filtering between the Internet
and our network; every variant that exercises the vulnerability is
blocked.]
  • Use protocol semantics to express the vulnerability
  • Works for all the worms which target the same vulnerability

9
Accomplishments This Year II
  • Automating Analysis of Large-Scale Botnet Probing Events
    • What scanning strategy does the probing employ?
    • Is this an attack that specifically targets the site, or is the site
      only incidentally probed as part of a larger attack?
  • Leverage a honeynet for bot probe detection
    • Ten /24 honeynets from LBNL, five running honeyd, the others dark.

10
Approaches
  • Statistical testing of scan properties: trend, uniformity,
    coordination, and use of pre-generated hit lists.
  • Two approaches for extrapolating global properties from the local view
    • Use IPID and ephemeral port continuity
    • Use probe interarrival times
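The two tests on this slide, worked through on constructed data. This is an added example, not code from the slides or from the LIST group. The "IPID continuity" extrapolation rests on one assumption, stated here and not on the slide: the scanning host stamps every packet it sends with a single global 16-bit IP ID counter that increments by one per packet (true of classic Windows stacks, not of stacks that use per-destination or random IP IDs), so the IP ID gap between two consecutive probes that reached the honeynet counts the packets the scanner sent elsewhere in between. The uniformity test is a chi-square test of the per-/24 hit counts against a uniform split. The honeynet prefixes, both probe lists and the 5% chi-square critical values are embedded inline.

```python
"""Extrapolate the global scope of a scan from a honeynet's local view and
test the scan for uniformity. Added example; all probe records below are
constructed, not captured traffic."""
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

IPID_MODULUS = 1 << 16
# A gap this large between consecutive sightings is far more likely a random
# or per-destination IP ID than a real burst of probes: refuse to extrapolate.
MAX_CREDIBLE_GAP = 32768

# Chi-square critical values at the 5% level, keyed by degrees of freedom.
CHI2_95 = {1: 3.841, 2: 5.991, 3: 7.815, 4: 9.488, 9: 16.919}

# Constructed: the slide's honeynet has ten /24s; four are used here.
HONEYNET_PREFIXES = ["10.1.0", "10.1.1", "10.1.2", "10.1.3"]

# Constructed probes from one scanning source: (seconds, ip_id, destination).
PROBES: List[Tuple[float, int, str]] = [
    (0.0, 65500, "10.1.0.7"),
    (0.5, 65530, "10.1.3.200"),
    (1.0, 24, "10.1.1.42"),       # the 16-bit counter wrapped past 65535
    (1.5, 58, "10.1.2.9"),
    (2.0, 90, "10.1.0.250"),
    (2.5, 122, "10.1.1.13"),
    (3.0, 150, "10.1.3.66"),
    (3.5, 180, "10.1.0.101"),
    (4.0, 210, "10.1.2.77"),
    (4.5, 240, "10.1.1.190"),
]
# Constructed: a source that hammers one /24, as a hit-list scan would.
HITLIST_DESTS = ["10.1.0.%d" % i for i in range(1, 10)] + ["10.1.1.5"]


def ipid_gap(prev: int, cur: int) -> int:
    """Packets sent between two sightings, allowing for 16-bit wraparound."""
    return (cur - prev) % IPID_MODULUS


def extrapolate_global(ipids: Sequence[int]) -> Optional[Dict[str, float]]:
    """Estimate the total packets the source sent during our observation
    window. Returns None when the sequence does not look like a global
    per-packet counter (a repeated ID or an implausibly large jump)."""
    if len(ipids) < 2:
        return None
    gaps = [ipid_gap(a, b) for a, b in zip(ipids, ipids[1:])]
    if any(g == 0 or g > MAX_CREDIBLE_GAP for g in gaps):
        return None
    global_estimate = sum(gaps) + 1           # +1 counts the first probe itself
    local = len(ipids)
    return {"local": local, "global_estimate": global_estimate,
            "ratio": global_estimate / local}


def prefix24(ip: str) -> str:
    return ip.rsplit(".", 1)[0]


def chi2_uniformity(dests: Sequence[str], prefixes: Sequence[str]) -> float:
    """Chi-square statistic of probe counts per /24 against a uniform split."""
    counts = Counter(prefix24(d) for d in dests)
    expected = len(dests) / len(prefixes)
    return sum((counts.get(p, 0) - expected) ** 2 / expected for p in prefixes)


def is_uniform(stat: float, df: int) -> bool:
    """True when uniformity cannot be rejected at the 5% level."""
    return stat <= CHI2_95[df]


def analyse(probes=PROBES, prefixes=HONEYNET_PREFIXES) -> Dict[str, object]:
    ipids = [p[1] for p in probes]
    dests = [p[2] for p in probes]
    stat = chi2_uniformity(dests, prefixes)
    return {"scope": extrapolate_global(ipids), "chi2": stat,
            "uniform": is_uniform(stat, len(prefixes) - 1)}


if __name__ == "__main__":
    print(analyse())
    print("hit-list source uniform?",
          is_uniform(chi2_uniformity(HITLIST_DESTS, HONEYNET_PREFIXES), 3))
```

On the constructed source the ten local sightings imply roughly 277 packets sent in total, a global/local ratio near 28, and a chi-square of 0.4 over four /24s, so the scan is consistent with uniform random targeting; the hit-list source fails the same test. The `MAX_CREDIBLE_GAP` guard is the check a practitioner wants before trusting the ratio: a source whose IP IDs jump by tens of thousands between sightings is not running a global counter, and extrapolating from it produces a scope that is pure noise.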

11
Extrapolated Properties and Results
  • Evaluated with 12 months of LBNL traces (220 GB)
    • 49% uniform random scans
    • 40% hit-list scans, the majority of them (94%) also uniform
  • Cross-validation with the DShield dataset
    • Largest global alert repository
    • All extrapolated scopes agree within a factor of 1.5

12
Error-message Based DoS Attacks of Wireless
Networks and the Defense
13
Vulnerability and Attack Methodology
  • Error messages are processed imprudently
    • Error messages are in clear text before authentication
    • Messages are trusted without an integrity check
  • Attack requirements
    • Sniffing: easy on wireless networks
    • Spoofing before authentication completes: easy on wireless LANs,
      doable on cellular networks
  • Basic attack idea
    • Spoof and inject error messages, or wrong messages that trigger error
      messages, towards clients and/or servers.
  • Maybe a known problem, but largely ignored

14
Outline
  • Vulnerability and Attack Methodology
  • Attack Case Studies
  • EAP protocols for wireless and cellular networks
  • Mobile IPv6 route optimization protocol (skipped)
  • Countermeasures
  • Conclusions

15
EAP Authentication on Wireless Networks
Challenge/Response
TLS
Authentication primitive
EAP-FAST
PEAP
EAP-TTLS
EAP-AKA
EAP-SIM
EAP-TLS
Authentication method layer
Extensible Authentication Protocol (EAP)
EAP Layer
EAP Over LAN (EAPOL)
802.11 WLAN
GSM
UMTS/ CDMA2000
Data Link Layer
16
TLS Authentication Procedure
TLS Handshake Protocol: the client and server negotiate a stateful
connection using a handshake procedure.
17
DoS Attacks on TLS Authentication
  • Sniff to get the client MAC address and identities
    • Packets are in clear text before authentication
  • Send spoofed error messages
    • Before authentication is done, the attacker spoofs an alert message
      of level fatal, followed by a close_notify alert.
    • The handshake then fails and has to be tried again.
  • Complete the DoS attack
    • The attacker repeats the previous steps to stop all the retries.
  • While this attack happens the exchange is in clear text whether the
    network uses WPA2, WPA or WEP: link-layer keys are only derived after
    authentication completes.

18
DoS Attacks on TLS Illustration
  • Sending an error alert message of level fatal
  • Can attack either the client or the server

19
DoS Attack on Challenge/Response over EAP-AKA
  Server End                          Client End
  EAP-Request/Identity            ->
                                  <-  EAP-Response/Identity (NAI)
  AKA-Challenge (RAND, AUTN, MAC) ->
                                  <-  AKA-Response (RES, MAC)
  EAP-Success                     ->
Simple attack: send a spoofed error (AKA rejection/notification) message.
20
DoS Attack Experiment on a WiFi Network with PEAP
Protocols
  • Hardware
    • WiFi cards with Atheros chipsets (e.g., Proxim Orinoco Gold wireless
      adapter)
    • MADWifi driver
  • Code implementation
    • Libraries
      • Sniffing: libpcap
      • Spoofing: Lorcon
    • Attack code
      • About 1200 lines of C code on Ubuntu Linux

21
Field Test Results
  • We conducted the EAP-TLS attack experiments at a cafeteria.
  • 7 mobile hosts and one attacker
  • We successfully attacked all of them on one of the two channels

22
Attack Efficiency Evaluation
                            Attack Point 1       Attack Point 2
  Ratio by # of messages    25.00% (1/4)         28.57% (2/7)
  Ratio by bytes            15.89% (78/491)      14.87% (156/1049)
  • For example, when the attack happens at the second point, the attacker
    only needs to send 156 bytes of messages to wreck the whole 1049 bytes
    of authentication messages.

23
Scalability Evaluation by NS2 Simulations
  • Vary the number of simultaneous sign-on clients up to 100
  • All results are averaged over 100 runs.
  • Shows that the attack scales: very few clients are able to
    authenticate successfully.

24
NS-2 Simulation Results II
  • Even better results when sending error messages more aggressively by
    reducing the attacker's CWMin parameter
    • The attacker's back-off time is reduced.

25
Outline
  • Vulnerability and Attack Methodology
  • Attack Case Studies
  • EAP protocols for wireless and cellular networks
  • Mobile IPv6 route optimization protocol (skipped)
  • Countermeasures
  • Conclusions

26
Countermeasures
  • Enhance the robustness of the authentication protocol for wireless
    access
    • Delay the decision: wait a short time for a success message (if any)
      to arrive, and
    • Give preference to success messages over error messages.
  • Implemented; successfully thwarts the EAP-TLS attacks

27
Conclusions
  • We have designed new methods to launch DoS attacks on security
    protocols using error messages.
  • We found that any security protocol is vulnerable to such attacks as
    long as it accepts a few error messages before the authentication step.
  • As far as we know, no authentication protocol currently is secure
    against such attacks.
  • We demonstrated the effect of these attacks on the TLS and MIPv6
    protocols.
  • We suggest a few guidelines for protocol designers and implementers to
    defend against such attacks.

28
Intrusion Detection and Forensics for Self-defending Wireless Networks
Yan Chen, Northwestern University

Objective
  • Proactively secure wireless networks via searching unknown protocol
    vulnerabilities.
  • Automatically detect and filter zero-day polymorphic worms.
  • Accurate network-based intrusion detection and prevention.

Scientific/Technical Approach
  • Vulnerability analysis of various wireless network protocols.
  • Complete protocol vulnerability search and defense.
  • Network-based automatic signature generation for polymorphic worms.
  • Efficient matching with a large vulnerability signature ruleset.

Accomplishments
  • Find error-message based attacks and propose defense schemes.
  • Design and implement length-based signature generation for zero-day
    polymorphic worms.

Challenges
  • Various and complicated network protocols.
  • Large number of vulnerability signatures and high-speed traffic volume.
29
Backup Slides
30
The Spread of Sapphire/Slammer Worms
31
The Current Threat Landscape of Wireless Networks
  • Wireless networks, crucial for the GIG, face both Internet attacks and
    their own unique attacks
    • Viruses/worms: e.g., 6 new viruses, including Cabir and Skulls, with
      30 variants targeting mobile devices
    • Botnets: the underground army of the Internet, now emerging for
      wireless networks
  • Big security risks for wireless networks
    • Few formal analyses of wireless network protocol vulnerabilities
    • Existing (wireless) IDSes only focus on known attacks
      • Ineffective against unknown attacks or polymorphic worms
    • Little work on attack forensics
      • E.g., how to identify the command-and-control (C&C) channel of a
        botnet?

32
Evaluation Methodology
  • Fully implemented and deployed to sniff a campus router hosting
    university Web servers and several labs.
  • Runs on a P4 3.8 GHz single-core PC with 4 GB memory.
  • Much smaller memory usage: e.g., for HTTP, 791 vulnerability signatures
    derived from 941 Snort rules
    • DFA: 5.29 GB vs. NetShield: 1.08 MB

33
EAP and TLS Authentication
  • Extensible Authentication Protocol (EAP) is a PPP extension
    • Provides support for additional authentication methods within PPP.
  • Transport Layer Security (TLS)
    • Mutual authentication
    • Integrity-protected cipher suite negotiation
    • Key exchange
  • Challenge/Response authentication with pre-shared keys
    • Pre-shared key (Ki) stored in the SIM and at the AuC
    • The AuC challenges the mobile station with RAND
    • Both sides derive keys from Ki and RAND

34
Practical Experiment
  • Over the 33 different tries
    • All were attacked at Attack Point 1
    • 21 survived the first attack but failed at the 2nd Attack Point.

35
  • Simulate one TLS server, one TLS attacker and vary the number of TLS
    clients between 1 and a maximum of 100.
  • The clients authenticate to the TLS server simultaneously.
    • An extremely rare case in practice
  • A base station was set up to interface between the wired and wireless
    networks.
  • The duplex link between the BS and the TLS server was 100 Mbps with a
    10 ms delay.

36
Case 2: Mobile IPv6 Route Optimization Protocol
37
Mobile IPv6
  • Mobile IPv6 is a protocol which allows nodes to
    remain reachable while moving around in the IPv6
    Internet.
  • Each mobile node is always identified by its home
    address, regardless of its current point of
    attachment to the Internet.
  • IPv6 packets addressed to a mobile node's home
    address are transparently routed to its care-of
    address.
  • The protocol enables IPv6 nodes to cache the
    binding of a mobile node's home address with its
    care-of address, and to then send any packets
    destined for the mobile node directly to it at
    this care-of address

38
Return Routability Procedure
  • The procedure begins when the MN sends a HoTI message to the CN
    through the HA and a CoTI message directly to the CN.
  • The CN answers with a HoT (via the HA) and a CoT (directly); the MN
    combines the two keygen tokens into the binding management key that
    authenticates its Binding Update to the CN.
  • Upon receipt of the Binding Update, the CN adds an entry for the MN to
    its Binding Cache and optionally sends a Binding Acknowledgement.
  • Once this happens, the MN and CN are able to communicate over a direct
    route.
  • This way, the route between the MN and CN is optimized.

39
Return Routability Procedure
  • Once Return Routability happens, MN and CN will
    be capable of communicating over a direct route
  • The route between MN and CN is optimized.

40
The Vulnerability
  • Binding Error vulnerability
    • Used to disable the route optimization procedure.
    • A Binding Error message with Status set to 2 (unrecognized MH Type
      value) tells the mobile node that it SHOULD cease attempting to use
      route optimization.
    • The Binding Error message is not protected.
  • Binding Acknowledgement vulnerability
    • Affects the Return Routability procedure.
    • A Binding Acknowledgement with status 136, 137 or 138 indicates an
      error (expired nonce indices) and is not protected in any way.
    • Hence, it can easily be spoofed by an external entity.
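A parser that picks out exactly the two message kinds this slide calls out, so a monitor on the mobile node's link (or a Wireshark follow-up) can flag them. This is an added example, not code from the slides or their testbed. It follows the RFC 3775 Mobility Header layout (MH type 6 = Binding Acknowledgement, 7 = Binding Error, mobility option type 5 = Binding Authorization Data, status 136/137/138 = expired nonce index errors); the messages it builds are constructed, the home address is all zeros, and the checksum is neither computed nor verified because that needs the IPv6 pseudo-header, which is outside this example.

```python
"""Classify Mobile IPv6 Mobility Header messages and flag the error
messages that carry no authorization data. Added example; the packets built
here are constructed, not captured."""
import struct
from typing import Dict, List, Optional, Tuple

IPPROTO_NONE = 59                       # Payload Proto of a final Mobility Header
MH_BU, MH_BA, MH_BE = 5, 6, 7
MH_NAMES = {0: "BRR", 1: "HoTI", 2: "CoTI", 3: "HoT", 4: "CoT",
            MH_BU: "BU", MH_BA: "BA", MH_BE: "BE"}
FIXED_DATA_LEN = {MH_BU: 6, MH_BA: 6, MH_BE: 18}   # bytes before the options
OPT_PAD1, OPT_PADN, OPT_NONCE_INDICES, OPT_AUTH_DATA = 0, 1, 4, 5
# BA status values the slide calls out: RFC 3775 sends these without a
# Binding Authorization Data option because the nonces needed are gone.
BA_NONCE_ERRORS = {136, 137, 138}
BE_STATUS = {1: "Unknown binding for Home Address destination option",
             2: "Unrecognized MH Type value"}


def _pad_to_8(body: bytes) -> bytes:
    """Append Pad1/PadN so the Mobility Header is a multiple of 8 octets."""
    rem = (-len(body)) % 8
    if rem == 0:
        return body
    if rem == 1:
        return body + bytes([OPT_PAD1])
    return body + bytes([OPT_PADN, rem - 2]) + b"\x00" * (rem - 2)


def mobility_header(mh_type: int, data: bytes, options: bytes = b"") -> bytes:
    # Payload Proto, Header Len (patched below), MH Type, Reserved, Checksum
    fixed = bytes([IPPROTO_NONE, 0, mh_type, 0]) + b"\x00\x00"
    body = _pad_to_8(fixed + data + options)
    hdr_len = len(body) // 8 - 1          # RFC 3775: length in 8-octet units, minus 1
    return body[:1] + bytes([hdr_len]) + body[2:]


def binding_error(status: int, home_addr: bytes) -> bytes:
    if len(home_addr) != 16:
        raise ValueError("home address must be 16 bytes")
    return mobility_header(MH_BE, bytes([status, 0]) + home_addr)


def binding_ack(status: int, seq: int, lifetime: int,
                auth: Optional[bytes] = None) -> bytes:
    data = bytes([status, 0]) + struct.pack(">HH", seq, lifetime)
    opts = b"" if auth is None else bytes([OPT_AUTH_DATA, len(auth)]) + auth
    return mobility_header(MH_BA, data, opts)


def parse_options(raw: bytes) -> List[Tuple[int, bytes]]:
    opts, i = [], 0
    while i < len(raw):
        t = raw[i]
        if t == OPT_PAD1:
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated mobility option")
        n = raw[i + 1]
        if i + 2 + n > len(raw):
            raise ValueError("mobility option overruns header")
        opts.append((t, raw[i + 2:i + 2 + n]))
        i += 2 + n
    return opts


def classify(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 8:
        raise ValueError("short Mobility Header")
    proto, hdr_len, mh_type, _res, _csum = struct.unpack(">BBBBH", pkt[:6])
    if proto != IPPROTO_NONE or len(pkt) != (hdr_len + 1) * 8:
        raise ValueError("bad Mobility Header framing")
    data_len = FIXED_DATA_LEN.get(mh_type, 0)
    data = pkt[6:6 + data_len]
    opts = parse_options(pkt[6 + data_len:])
    has_auth = any(t == OPT_AUTH_DATA for t, _ in opts)
    status = data[0] if mh_type in (MH_BA, MH_BE) else None
    # The slide's point: a BE is never protected, and a BA with 136/137/138
    # carries no authorization data, so either can be forged by anyone who
    # can sniff the addresses involved.
    spoofable = (mh_type == MH_BE or
                 (mh_type == MH_BA and status in BA_NONCE_ERRORS and not has_auth))
    return {"type": MH_NAMES.get(mh_type, "unknown"), "status": status,
            "has_auth": has_auth, "spoofable_error": spoofable,
            "hdr_len": hdr_len,
            "reason": BE_STATUS.get(status, "") if mh_type == MH_BE else ""}


if __name__ == "__main__":
    for pkt in (binding_error(2, bytes(16)), binding_ack(138, 7, 0),
                binding_ack(0, 7, 420, auth=bytes(12))):
        print(classify(pkt))
```

The flag is deliberately named `spoofable_error` rather than "spoofed": a BA with status 0 and an authorization option is only as trustworthy as the MAC it carries, which this code does not verify (that needs Kbm from the return routability run), and a BE from the genuine correspondent looks identical to a forged one. What the flag gives a mobile node or monitor is the list of messages on which tearing down route optimization should wait for corroboration, which is the countermeasure the slides propose for the EAP case.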

41
The Vulnerability
  • Bind Error Vulnerability

42
The Vulnerability
  • Bind Acknowledgement Vulnerability

43
Experiment Environment
44
Evaluation
  • The MIPv6 experiment is based on a LAN testbed.
  • Except for the Mobile Node, all other components, such as the Home
    Agent and Correspondent Node, are connected via wired cable in the
    Northwestern network.
  • We collected data over 100 experiment runs. Observed with Wireshark
    running on the Mobile Node, the time window for one successful attack
    is about 5 ms on average with a standard deviation of 0.108 ms.
  • The time consumed computing the spoofed error message is 0.0203 ms on
    average. The closer the attacker is to the Mobile Node, the higher the
    probability of launching a successful error-message attack.

45
PEAP Enhancement
  • Original wpa_supplicant v0.5.10
    • Generates a TLS alert on unexpected messages
    • Stops authentication on a TLS alert
  • Delayed-response implementation
    • Drop unexpected messages silently
    • On receiving a TLS alert, wait 1 second to allow multiple responses,
      and ignore the TLS alert if good responses are received.
  • Verification
    • Redid the attack experiments and confirmed the effect of the
      countermeasures
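The attack of slide 17 and the delayed-decision countermeasure of slides 26 and 45, side by side on a simulated clock. This is an added example, not the slides' attack tool (which was C on Lorcon and libpcap) nor the patched wpa_supplicant: it models only the supplicant's TLS side as a state machine driven by TLS records. Assumptions not stated on the slides: the spoofed fatal alert uses description 40 (handshake_failure), handshake bodies are elided to their 4-byte message header, and the original supplicant's own outgoing alerts are not modelled. Both timelines are constructed.

```python
"""Error-message DoS on a TLS-based EAP handshake, with the abort-on-alert
supplicant beside the delayed-decision one. Added example; the timelines
below are constructed, not captured traffic."""
import struct
from typing import List, Optional, Tuple

TLS_ALERT, TLS_HANDSHAKE = 21, 22
ALERT_WARNING, ALERT_FATAL = 1, 2
CLOSE_NOTIFY, HANDSHAKE_FAILURE = 0, 40          # 40 is an assumed choice
HS_SERVER_HELLO, HS_CERTIFICATE, HS_SERVER_HELLO_DONE, HS_FINISHED = 2, 11, 14, 20


def tls_record(content_type: int, payload: bytes) -> bytes:
    """TLS 1.0 record: type(1) version(2) length(2) payload."""
    return bytes([content_type, 3, 1]) + struct.pack(">H", len(payload)) + payload


def tls_alert(level: int, description: int) -> bytes:
    """An alert is 7 bytes on the wire; nothing before key derivation
    authenticates who sent it."""
    return tls_record(TLS_ALERT, bytes([level, description]))


def handshake_msg(hs_type: int) -> bytes:
    """Handshake record carrying only the message header (body elided)."""
    return tls_record(TLS_HANDSHAKE, bytes([hs_type, 0, 0, 0]))


def parse_record(buf: bytes) -> Tuple[int, bytes]:
    if len(buf) < 5:
        raise ValueError("short TLS record")
    ctype, _major, _minor, length = struct.unpack(">BBBH", buf[:5])
    if len(buf) != 5 + length:
        raise ValueError("TLS record length mismatch")
    return ctype, buf[5:]


class Supplicant:
    """hardened=False: abort on the first fatal or close_notify alert.
    hardened=True:  park the alert for `grace` seconds; a later good
    handshake record cancels it, otherwise it takes effect on expiry."""

    def __init__(self, hardened: bool, grace: float = 1.0):
        self.hardened, self.grace = hardened, grace
        self.state = "handshake"                   # -> "success" | "failed"
        self.alert_seen_at: Optional[float] = None

    def on_record(self, now: float, raw: bytes) -> None:
        if self.state != "handshake":
            return
        ctype, body = parse_record(raw)
        if ctype == TLS_ALERT:
            if body[0] == ALERT_FATAL or body[1] == CLOSE_NOTIFY:
                if not self.hardened:
                    self.state = "failed"
                elif self.alert_seen_at is None:
                    self.alert_seen_at = now
        elif ctype == TLS_HANDSHAKE:
            self.alert_seen_at = None              # the peer is evidently still talking
            if body[0] == HS_FINISHED:
                self.state = "success"
        # other content types: dropped silently

    def tick(self, now: float) -> None:
        if (self.state == "handshake" and self.alert_seen_at is not None
                and now - self.alert_seen_at >= self.grace):
            self.state = "failed"


Timeline = List[Tuple[float, str, bytes]]         # (seconds, sender, record)

ATTACK_TIMELINE: Timeline = [
    (0.00, "server", handshake_msg(HS_SERVER_HELLO)),
    (0.05, "attacker", tls_alert(ALERT_FATAL, HANDSHAKE_FAILURE)),   # spoofed
    (0.06, "attacker", tls_alert(ALERT_WARNING, CLOSE_NOTIFY)),      # spoofed
    (0.10, "server", handshake_msg(HS_CERTIFICATE)),
    (0.11, "server", handshake_msg(HS_SERVER_HELLO_DONE)),
    (0.60, "server", handshake_msg(HS_FINISHED)),
]
GENUINE_FAILURE_TIMELINE: Timeline = [
    (0.00, "server", handshake_msg(HS_SERVER_HELLO)),
    (0.05, "server", tls_alert(ALERT_FATAL, HANDSHAKE_FAILURE)),
]


def run(timeline: Timeline, hardened: bool, grace: float = 1.0) -> str:
    """Feed a timeline to a supplicant and return its final state. The sender
    label is for the reader only: the supplicant cannot tell them apart."""
    s = Supplicant(hardened, grace)
    now = 0.0
    for now, _sender, raw in timeline:
        s.tick(now)
        s.on_record(now, raw)
    s.tick(now + 2 * grace)                        # let any parked alert expire
    return s.state


if __name__ == "__main__":
    for name, tl in (("spoofed alerts", ATTACK_TIMELINE),
                     ("genuine failure", GENUINE_FAILURE_TIMELINE)):
        print(name, "original:", run(tl, False), "hardened:", run(tl, True))
```

Under the spoofed timeline the original supplicant is dead at t=0.05 and the hardened one completes at t=0.60, because the Certificate record at t=0.10 arrives inside the 1-second window and cancels the parked alert; under the genuine failure both end up failed, the hardened one only after the window expires. That delay is the price of the defence, and the window also does nothing against an attacker who can keep the server's frames off the air, which is why slide 27 still calls every protocol that accepts pre-authentication error messages vulnerable.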