Yan Chen Lab for Internet and Security Technology (LIST)

Date post: 08-Jun-2015
Page 1: Yan Chen Lab for Internet and Security Technology (LIST)

Yan Chen
Lab for Internet and Security Technology (LIST)
Dept. of Electrical Engineering and Computer Science, Northwestern University
http://list.cs.northwestern.edu

Intrusion Detection and Forensics for Self-defending Wireless Networks

Page 2: Yan Chen Lab for Internet and Security Technology (LIST)

Security Challenges in GIG Wireless Networks

• In addition to sharing similar challenges with wired networks:
  – High-speed traffic (e.g., WiMAX)
  – Zero-day threats
  – Lack of quality info for situation-aware analysis: attack target/strategy, attacker (botnet) size, etc.
• Wireless networks are more vulnerable
  – Open media
    • Easy to sniff, spoof and inject packets
  – Open access
    • Hotspots and a potentially large user population
• Attacks are more diverse
  – On media access (e.g., jamming), but easy to detect
  – On protocols (our focus)

Page 3: Yan Chen Lab for Internet and Security Technology (LIST)

Self-Defending Wireless Networks

• Network-based adaptive intrusion detection and mitigation systems for emerging threats
  – Polymorphic zero-day worm signature generation (done)
  – Automated analysis of large-scale botnet probing events for situation-aware info (ongoing)
• Proactive vulnerability analysis and defense of wireless network protocols at various layers
  – WiMAX IEEE 802.16e: MAC layer (done)
  – Mobile IP v4/6: network layer (done)
  – Authentication layer (generalized to various wireless & cellular networks, ongoing)

Page 4: Yan Chen Lab for Internet and Security Technology (LIST)

Outline

• Overall approach and achievements
• Accomplishments this year
• Highlight: error-message based DoS attacks on wireless networks and the defense

Page 5: Yan Chen Lab for Internet and Security Technology (LIST)

Accomplishments on Publications
Four conference papers, one journal paper and two book chapters:

– "Accurate and Efficient Traffic Monitoring Using Adaptive Non-linear Sampling Method", in the Proc. of IEEE INFOCOM, 2008.
– "A Survey of Existing Botnet Defenses", in the Proc. of IEEE IWSSE, 2008.
– "Honeynet-based Botnet Scan Traffic Analysis", invited book chapter for "Botnet Detection: Countering the Largest Security Threat", Springer, 2007.
– "Integrated Fault and Security Management", invited book chapter for "Information Assurance: Dependability and Security in Networked Systems", Morgan Kaufmann Publishers, 2007.
– "Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams", in ACM/IEEE Transactions on Networking, Volume 15, Issue 5, Oct. 2007.
– "Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms", in the Proc. of the IEEE ICNP, 2007.
– "Detecting Stealthy Spreaders Using Online Outdegree Histograms", in the Proc. of the IEEE International Workshop on Quality of Service, 2007.

• Collaborated publication with Dr. Keesook Han from AFRL
  – Resulted from joint research on botnets
  – Obtained binary/source from Dr. Han
  – Plan to use the testbed developed at AFRL

Page 6: Yan Chen Lab for Internet and Security Technology (LIST)

Accomplishments This Year
• Automatic zero-day polymorphic worm signature generation systems for high-speed networks
  – Fast, noise tolerant, with proved attack resilience
  – Published in IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate)
  – A patent filed through Motorola
  – Potential technology transfer through Motorola

[Figure: system architecture. Traffic from a network tap passes a known-attack filter and a protocol classifier (UDP 1434, TCP 137, TCP 80, TCP 53, TCP 25, ...), then a flow classifier that separates a normal traffic pool (fed by a normal traffic reservoir) from a suspicious traffic pool; the core algorithms generate the signatures. The system is real time and policy driven.]

Page 7: Yan Chen Lab for Internet and Security Technology (LIST)

Limitations of Exploit Based Signatures

[Figure: traffic filtering between the Internet and our network with the exploit-based signature "10.*01"; polymorphic variants of the same worm (bit patterns such as 1010101, 10111101, 11111100, 00010111) are not all matched by it.]

Polymorphic worms might not have exact exploit-based signatures. Polymorphism!

Page 8: Yan Chen Lab for Internet and Security Technology (LIST)

Vulnerability Signatures

• Use protocol semantics to express the vulnerability
• Works for all the worms which target the same vulnerability

[Figure: vulnerability-signature traffic filtering between the Internet and our network; every worm variant that targets the same vulnerability is blocked.]

Page 9: Yan Chen Lab for Internet and Security Technology (LIST)

Accomplishments This Year II
Automating Analysis of Large-Scale Botnet Probing Events

• What scanning strategies does the probing employ?
• Is this an attack that specifically targets the site, or is the site only incidentally probed as part of a larger attack?
• Leverage a honeynet for bot probe detection
  – Ten /24 honeynets from LBNL, five running honeyd, the others dark

Page 10: Yan Chen Lab for Internet and Security Technology (LIST)

Approaches
• Statistical testing of scan properties: trend, uniformity, coordination, and use of pre-generated "hit lists"
• Two approaches for global property extrapolation
  – Use IPID and ephemeral port # continuity
  – Use probe inter-arrival times
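The uniformity and hit-list tests and the IPID-based scope extrapolation, as an added example that is not part of the original slides or of the LIST lab's code. It assumes a deliberately simplified model: the honeynet is ten /24 blocks indexed 0..2559 with the first five responsive (honeyd) and the rest dark, uniformity is a chi-square test over the per-/24 probe counts, the hit-list heuristic is the share of probes that hit responsive addresses, and the scanning source increments its IP ID once per packet sent, so the gaps between consecutive IP IDs we observe count the packets it sent elsewhere. All probe records and IP ID sequences are constructed; the function names are assumptions.

```python
from typing import Dict, List

# Honeynet model following the slides (constructed): ten /24 blocks, the
# first five running honeyd (responsive), the other five dark. Addresses
# are indexed 0..2559 within the honeynet.
BLOCK = 256
N_BLOCKS = 10
HONEYNET_SIZE = N_BLOCKS * BLOCK
LIVE = set(range(5 * BLOCK))
# Chi-square critical value for 9 degrees of freedom (10 blocks) at p = 0.05.
CHI2_CRIT_DF9 = 16.919


def chi_square_uniformity(dsts: List[int]) -> float:
    """Chi-square statistic of the per-/24 probe counts against a uniform
    spread over the ten blocks (0.0 means perfectly even)."""
    counts = [0] * N_BLOCKS
    for d in dsts:
        counts[d // BLOCK] += 1
    expected = len(dsts) / N_BLOCKS
    return sum((c - expected) ** 2 / expected for c in counts)


def is_uniform(dsts: List[int]) -> bool:
    """Uniformity test: keep the uniform hypothesis below the critical value."""
    return chi_square_uniformity(dsts) < CHI2_CRIT_DF9


def live_fraction(dsts: List[int]) -> float:
    """Share of probes aimed at responsive (honeyd) addresses. A uniform random
    scan lands near 0.5 here; a scan driven by a pre-generated hit list of
    hosts that answered earlier lands near 1.0."""
    return sum(1 for d in dsts if d in LIVE) / len(dsts)


def uses_hit_list(dsts: List[int], threshold: float = 0.9) -> bool:
    return live_fraction(dsts) >= threshold


def extrapolate_scope(ipids: List[int]) -> float:
    """Global scope estimate from IP ID continuity (assumed simplified model).
    If the source increments its IP ID once per packet, the gaps between the
    IDs of consecutive probes we saw count the packets sent elsewhere in
    between. For a uniform scan the honeynet receives a share of the probes
    proportional to its size, so scope ~= total_sent * H / seen. The 16-bit
    counter may wrap, hence the modulo."""
    total_sent = 1 + sum((b - a) % 65536 for a, b in zip(ipids, ipids[1:]))
    return total_sent * HONEYNET_SIZE / len(ipids)


def summarize_event(dsts: List[int], ipids: List[int]) -> Dict[str, object]:
    """Per-event summary in the spirit of the slide's property extraction."""
    return {
        "probes_seen": len(dsts),
        "uniform": is_uniform(dsts),
        "hit_list": uses_hit_list(dsts),
        "estimated_scope": extrapolate_scope(ipids),
    }


# Constructed probe events. UNIFORM_DSTS: every honeynet address probed once.
# HITLIST_DSTS: only the addresses that answered earlier are probed.
# The IP ID sequences are constructed too; the second one wraps past 65535.
UNIFORM_DSTS = list(range(HONEYNET_SIZE))
HITLIST_DSTS = list(range(5 * BLOCK))
IPIDS_STEADY = [1000, 1040, 1080, 1120]
IPIDS_WRAP = [65500, 20]

if __name__ == "__main__":
    print(summarize_event(UNIFORM_DSTS, IPIDS_STEADY))
    print(summarize_event(HITLIST_DSTS, IPIDS_WRAP))
```

The two tests are independent: a hit-list scan can still be uniform over the addresses it actually targets, which is why the slides report most hit-list scans as also uniform; this toy only measures uniformity over the whole honeynet. The extrapolation is only meaningful for sources with a sequential IP ID counter, so a real analysis would first check that the observed IDs are monotone and closely spaced.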

Page 11: Yan Chen Lab for Internet and Security Technology (LIST)

Extrapolated Properties and Results
• Evaluated with 12-month LBNL traces (220GB)
  – 49% uniform random scans
  – 40% hit-list scans, the majority of them (94%) also uniform
• Cross-validation with the DShield dataset
  – Largest global alert repository
  – All extrapolated scopes within a factor of 1.5

Page 12: Yan Chen Lab for Internet and Security Technology (LIST)

Error-message Based DoS Attacks of Wireless Networks and the Defense

Page 13: Yan Chen Lab for Internet and Security Technology (LIST)

Vulnerability and Attack Methodology
• Processing error messages imprudently
  – Error messages are in clear text before authentication
  – Messages are trusted without an integrity check
• Attacking requirements
  – Sniffing: easy for wireless networks
  – Spoofing before authentication
    • Easy for wireless LANs and doable for cellular networks
• Basic attack idea: spoof and inject error messages, or wrong messages that trigger error messages, to clients and/or servers
• Maybe a known problem, but largely ignored

Page 14: Yan Chen Lab for Internet and Security Technology (LIST)

Outline
• Vulnerability and Attack Methodology
• Attack Case Studies
  – EAP protocols for wireless and cellular networks
  – Mobile IPv6 route optimization protocol (skipped)
• Countermeasures
• Conclusions

Page 15: Yan Chen Lab for Internet and Security Technology (LIST)

EAP Authentication on Wireless Networks

[Figure: EAP protocol stack]
  Authentication method layer: EAP-FAST, PEAP, EAP-TTLS, EAP-TLS (WLAN side); EAP-AKA, EAP-SIM (cellular side)
  Authentication primitive: TLS (WLAN side); Challenge/Response (cellular side)
  EAP layer: Extensible Authentication Protocol (EAP)
  Data link layer: EAP over LAN (EAPOL) on 802.11 WLAN; GSM, UMTS/CDMA2000

Page 16: Yan Chen Lab for Internet and Security Technology (LIST)

TLS Authentication Procedure

TLS Handshake Protocol: the client and server negotiate a stateful connection using a handshake procedure.

[Figure: message sequence between client end and server end]
  Server → Client: Hello Request
  Client → Server: Client Hello
  Server → Client: Server Hello, Server Certificate, Key-exchange message, Server Hello Done
  Client → Server: Client Key-exchange message, Change Cipher Spec, TLS Finished
  Server → Client: Change Cipher Spec, TLS Finished
  Encrypted conversation over TLS

Page 17: Yan Chen Lab for Internet and Security Technology (LIST)

DoS Attacks on TLS Authentication
• Sniff to get the client MAC address and IDs
  – Packets are in clear text before authentication
• Send spoofed error messages
  – Before authentication is done, the attacker spoofs an alert message of level 'fatal', followed by a close_notify alert
  – Then the handshake protocol fails and needs to be tried again
• Complete the DoS attack
  – The attacker repeats the previous steps to stop all the retries
• When this attack happens, WPA2, WPA or WEP are all still in clear text (no keys have been derived yet)

Page 18: Yan Chen Lab for Internet and Security Technology (LIST)

DoS Attacks on TLS: Illustration
• Sending an Error Alert message of level Fatal
• Can attack either the client or the server

[Figure: TLS handshake between client end and server end with an attacker injecting an Error Message at two points. Messages in order: Hello Request, Client Hello, Server Hello, Server Certificate, Server Key-exchange message, Certificate Request, Server Hello Done, Certificate, Client Key-exchange message, Certificate Verify, Finished. Attack Point-1 and Attack Point-2 mark where the spoofed Error Message is injected.]

Page 19: Yan Chen Lab for Internet and Security Technology (LIST)

DoS Attack on Challenge/Response over EAP-AKA

Simple attack: sending an Error Rejection / Notification message

[Figure: message sequence between client end and server end]
  Server → Client: EAP-Request/Identity
  Client → Server: EAP-Response/Identity (NAI)
  Server → Client: AKA-Challenge (RAND, AUTN, MAC)
  Client → Server: AKA-Response (RES, MAC)
  Server → Client: EAP-Success
  Injected error messages: AKA-Authentication-Reject, AKA-Notification

Page 20: Yan Chen Lab for Internet and Security Technology (LIST)

DoS Attack Experiment on a WiFi Network with PEAP Protocols
• Hardware
  – WiFi cards with Atheros chipsets (e.g., Proxim Orinoco Gold wireless adapter)
  – MADWifi driver
• Code implementation
  – Libraries
    • Sniffing: libpcap library
    • Spoofing: Lorcon library
  – Attacking code
    • About 1200 lines of C++ code on Ubuntu Linux

Page 21: Yan Chen Lab for Internet and Security Technology (LIST)

Field Test Results
We conducted the EAP-TLS attack experiments at a cafeteria.
• 7 mobile hosts and one attacker
• We successfully attacked all of them in one of the two channels

Page 22: Yan Chen Lab for Internet and Security Technology (LIST)

Attack Efficiency Evaluation
• For example, when the attack happens at the second point
  – The attacker just needs to send 156 bytes of messages to disrupt the whole 1049 bytes of authentication messages

                          Attack Point 1       Attack Point 2
  Ratio by # of Messages  25.00% [1/4]         28.57% [2/7]
  Ratio by Bytes          15.89% [78/491]      14.87% [156/1049]

Page 23: Yan Chen Lab for Internet and Security Technology (LIST)

Scalability Evaluation by NS2 Simulations
• Vary the # of simultaneous sign-on clients up to 100
  – All results are based on an average of 100 runs
• Shows that the attack is scalable: very few clients are able to authenticate successfully

Page 24: Yan Chen Lab for Internet and Security Technology (LIST)

NS-2 Simulation Results II
• Even better results when sending error messages more aggressively by reducing the CWMin parameter of the attacker
  – The back-off time of the attacker is reduced

Page 25: Yan Chen Lab for Internet and Security Technology (LIST)

Outline
• Vulnerability and Attack Methodology
• Attack Case Studies
  – EAP protocols for wireless and cellular networks
  – Mobile IPv6 route optimization protocol (skipped)
• Countermeasures
• Conclusions

Page 26: Yan Chen Lab for Internet and Security Technology (LIST)

Countermeasures
• Enhance the robustness of the authentication protocol for wireless access
  – Delay the decision-making process by waiting a short time for a success message (if any) to arrive; and
  – Give preference to success messages over error ones
  – Implemented and successfully thwarts EAP-TLS attacks

Page 27: Yan Chen Lab for Internet and Security Technology (LIST)

Conclusions
• We have designed new methods to launch DoS attacks on security protocols using error messages.
• We found that any security protocol is vulnerable to such attacks as long as it supports a few error messages before the authentication step.
• As far as we know, no authentication protocol currently is secure against such attacks.
• We demonstrated the effect of these attacks on the TLS and MIPv6 protocols.
• We suggest a few guidelines for protocol designers and implementers to defend against such attacks.

Page 28: Yan Chen Lab for Internet and Security Technology (LIST)

Intrusion Detection and Forensics for Self-defending Wireless Networks
Yan Chen, Northwestern University

Objective
• Proactively secure wireless networks via searching for unknown protocol vulnerabilities.
• Automatically detect and filter zero-day polymorphic worms.
• Accurate network-based intrusion detection and prevention.

Scientific/Technical Approach
• Complete protocol vulnerability search and defense
• Network-based automatic signature generation for polymorphic worms
• Efficient matching with a large vulnerability signature ruleset

Accomplishments
• Find error-message based attacks and propose defense schemes.
• Design & implement length-based signature generation for zero-day polymorphic worms.

Challenges
• Various and complicated network protocols
• Large number of vulnerability signatures and high-speed traffic volume.

[Figure: EAP protocol stack (EAP-FAST, PEAP, EAP-TTLS, EAP-TLS over TLS; EAP-AKA, EAP-SIM over Challenge/Response; EAP over LAN (EAPOL) on 802.11 WLAN; GSM, UMTS/CDMA2000). Caption: Vulnerability analysis of various wireless network protocols.]

Page 29: Yan Chen Lab for Internet and Security Technology (LIST)

Backup Slides


Page 30: Yan Chen Lab for Internet and Security Technology (LIST)

The Spread of Sapphire/Slammer Worms

Page 31: Yan Chen Lab for Internet and Security Technology (LIST)

The Current Threat Landscape of Wireless Networks

• Wireless networks, crucial for the GIG, face both Internet attacks and their own unique attacks
  – Viruses/worms: e.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices
  – Botnets: the underground army of the Internet, emerging for wireless networks
• Big security risks for wireless networks
  – Few formal analyses of wireless network protocol vulnerabilities
  – Existing (wireless) IDSes only focus on existing attacks
    • Ineffective for unknown attacks or polymorphic worms
  – Little work on attack forensics
    • E.g., how to identify the command-and-control (C&C) channel of botnets?

Page 32: Yan Chen Lab for Internet and Security Technology (LIST)

Evaluation Methodology
• Fully implemented and deployed to sniff a campus router hosting university Web servers and several labs.
• Run on a P4 3.8GHz single-core PC with 4GB memory.
• Much smaller memory usage. E.g., 791 HTTP vulnerability signatures from 941 Snort rules: DFA 5.29 GB vs. NetShield 1.08MB

Page 33: Yan Chen Lab for Internet and Security Technology (LIST)

EAP and TLS Authentication
• Extensible Authentication Protocol (EAP) is a PPP extension
  – Provides support for additional authentication methods within PPP
• Transport Layer Security (TLS)
  – Mutual authentication
  – Integrity-protected cipher suite negotiation
  – Key exchange
• Challenge/Response authentication with pre-shared keys
  – Pre-shared key (Ki) in the SIM and the AuC
  – The AuC challenges the mobile station with RAND
  – Both sides derive keys based on Ki and RAND

Page 34: Yan Chen Lab for Internet and Security Technology (LIST)

Practical Experiment
• For the 33 different tries
  – All suffered an attack at Attack Point-1
  – 21% survived the first attack but failed at the 2nd Attack Point

[Chart: EAP-TLS Attack Practical Experiment. Attack Point-1: 79%; Attack Point-2: 21%]

Page 35: Yan Chen Lab for Internet and Security Technology (LIST)

• Simulate one TLS-Server, one TLS-Attacker and vary the TLS-Clients between 1 and a maximum of 100.
  – The number of clients authenticating to the TLS server simultaneously
  – It is an extremely rare case
• A Base Station was set up to interface between the wired and wireless networks.
• The duplex link between the BS and the TLS-Server was 100MBps with a 10ms delay.

Page 36: Yan Chen Lab for Internet and Security Technology (LIST)

Case 2: Mobile IPv6 Routing-Optimization protocol

Page 37: Yan Chen Lab for Internet and Security Technology (LIST)

Mobile IPv6
• Mobile IPv6 is a protocol which allows nodes to remain reachable while moving around in the IPv6 Internet.
  – Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet.
  – IPv6 packets addressed to a mobile node's home address are transparently routed to its care-of address.
  – The protocol enables IPv6 nodes to cache the binding of a mobile node's home address with its care-of address, and to then send any packets destined for the mobile node directly to it at this care-of address.

Page 38: Yan Chen Lab for Internet and Security Technology (LIST)

Return Routability Procedure
• The procedure begins when the MN sends a HoTI message to the CN through the HA and a CoTI message directly to the CN.
• Upon receipt of the Binding Update, the CN adds an entry for the MN in its Binding Cache and optionally sends a Binding Acknowledgement.
• Once this happens, the MN and CN will be capable of communicating over a direct route.
  – This way, the route between the MN and CN is optimized.

Page 39: Yan Chen Lab for Internet and Security Technology (LIST)

Return Routability Procedure
• Once Return Routability happens, the MN and CN will be capable of communicating over a direct route
• The route between the MN and CN is optimized.

Page 40: Yan Chen Lab for Internet and Security Technology (LIST)

The Vulnerability
• Binding Error Vulnerability
  – Used to disable the Route Optimization procedure
  – A Binding Error message with Status set to 2 (unrecognized MH Type value): then the mobile node SHOULD cease the attempt to use route optimization
  – The Binding Error message is not protected
• Binding Acknowledgement Vulnerability
  – The Binding Acknowledgement vulnerability affects the Return Routability procedure
  – A Binding Acknowledgement with status 136, 137 or 138 is used to indicate an error and is not protected in any way
  – Hence, it could easily be spoofed by an external entity
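A parser for the two unprotected message types named on this slide, added here as an example that is not part of the original slides or of the lab's code. It decodes the Mobility Header layout of RFC 3775 (Binding Acknowledgement, MH Type 6; Binding Error, MH Type 7) and applies a defensive policy in the spirit of the countermeasures presented later in the deck: an error-class message that carries no Binding Authorization Data option is deferred rather than acted on immediately, so a single spoofed Binding Error or BA with status 136 to 138 cannot by itself tear down route optimization. The packets are constructed, the checksum is left at zero, the authenticator bytes are placeholders, and the names `parse_mobility_header` and `ro_policy` are assumptions.

```python
import ipaddress
import struct
from typing import Dict, List, Tuple

# Mobility Header MH Type values (RFC 3775).
MH_TYPES = {0: "BRR", 1: "HoTI", 2: "CoTI", 3: "HoT", 4: "CoT",
            5: "BU", 6: "BA", 7: "BE"}
OPT_PADN = 1
OPT_BINDING_AUTH_DATA = 5   # carries the authenticator derived from Kbm


def parse_mobility_options(data: bytes) -> List[Tuple[int, bytes]]:
    """Parse the TLV mobility options that follow a BA's fixed fields."""
    opts, i = [], 0
    while i < len(data):
        t = data[i]
        if t == 0:                      # Pad1 has no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated mobility option")
        ln = data[i + 1]
        body = data[i + 2:i + 2 + ln]
        if len(body) != ln:
            raise ValueError("truncated mobility option body")
        opts.append((t, body))
        i += 2 + ln
    return opts


def parse_mobility_header(pkt: bytes) -> Dict[str, object]:
    """Decode a Mobility Header and report whether it is an error-class
    message and whether it carries any integrity protection at all."""
    if len(pkt) < 8:
        raise ValueError("mobility header too short")
    _proto, hlen, mh_type, _res, _csum = struct.unpack("!BBBBH", pkt[:6])
    total = (hlen + 1) * 8              # Header Len excludes the first 8 octets
    if len(pkt) < total:
        raise ValueError("truncated mobility header")
    body = pkt[6:total]
    info: Dict[str, object] = {"type": MH_TYPES.get(mh_type, mh_type)}
    if mh_type == 6:                    # Binding Acknowledgement
        status, _flags, seq, lifetime = struct.unpack("!BBHH", body[:6])
        opts = parse_mobility_options(body[6:])
        info.update(status=status, seq=seq, lifetime=lifetime,
                    error=status >= 128,
                    protected=any(t == OPT_BINDING_AUTH_DATA for t, _ in opts))
    elif mh_type == 7:                  # Binding Error: Status, Reserved, Home Address
        info.update(status=body[0], home_address=body[2:18].hex(),
                    error=True, protected=False)
    else:
        info.update(error=False, protected=None)
    return info


def ro_policy(info: Dict[str, object]) -> str:
    """Defensive policy (assumed): an unprotected error-class message must not
    on its own make the mobile node abandon route optimization; defer it
    until a protected message confirms the failure. Presence of the option
    only means the authenticator can be checked; verifying it needs Kbm."""
    if info.get("error") and not info.get("protected"):
        return "defer"
    return "accept"


def _mh(hlen: int, mh_type: int, payload: bytes) -> bytes:
    # Payload Proto 59 (no next header); checksum 0 (real one needs the pseudo-header).
    return struct.pack("!BBBBH", 59, hlen, mh_type, 0, 0) + payload


# Constructed packets: a home address from the testbed slide, zero authenticator.
HOME_ADDR = ipaddress.IPv6Address("2001:106:2700::4").packed
BE_STATUS2 = _mh(2, 7, bytes([2, 0]) + HOME_ADDR)                     # 24 bytes
BA_EXPIRED_NONCES = _mh(1, 6, struct.pack("!BBHH", 138, 0, 1, 0)
                        + bytes([OPT_PADN, 2, 0, 0]))                 # 16 bytes
BA_ACCEPTED = _mh(3, 6, struct.pack("!BBHH", 0, 0, 1, 300)
                  + bytes([OPT_BINDING_AUTH_DATA, 12]) + bytes(12)
                  + bytes([OPT_PADN, 4]) + bytes(4))                   # 32 bytes

if __name__ == "__main__":
    for name, pkt in [("BE status 2", BE_STATUS2),
                      ("BA status 138", BA_EXPIRED_NONCES),
                      ("BA accepted", BA_ACCEPTED)]:
        info = parse_mobility_header(pkt)
        print(name, info, "->", ro_policy(info))
```

The length checks matter as much as the classification: a Header Len that overruns the buffer, or an option whose length runs past the end, is the kind of malformed input a mobile node's stack sees from an external spoofer and should reject before it ever reaches binding-cache logic.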

Page 41: Yan Chen Lab for Internet and Security Technology (LIST)

The Vulnerability
• Binding Error Vulnerability

[Figure: message sequence among Mobile Node, Home Agent, Correspondent Node and Attacker. Start Return Routability: HoTI (MN → HA → CN), CoTI (MN → CN), HoT (CN → HA → MN), CoT (CN → MN); Binding Update (MN → CN, sniffed by the attacker); Spoofed Binding Error by the attacker; the genuine Binding Ack is silently discarded; Return Routability is retarded.]

Page 42: Yan Chen Lab for Internet and Security Technology (LIST)

The Vulnerability
• Binding Acknowledgement Vulnerability

[Figure: message sequence among Mobile Node, Home Agent, Correspondent Node and Attacker. Start Return Routability: HoTI (MN → HA → CN), CoTI (MN → CN), HoT (CN → HA → MN), CoT (CN → MN); Binding Update (MN → CN, sniffed by the attacker); Spoofed Binding Ack by the attacker; the genuine Binding Ack is silently discarded; Return Routability is retarded.]

Page 43: Yan Chen Lab for Internet and Security Technology (LIST)

Experiment Environment

[Figure: logical testbed topology. HA / Router, Access Router, CN / Router and MN (each with an ETH interface) interconnected by GRE tunnels. Addresses shown: 2001:106:2300::1, 2001:106:2300::2, 2001:106:2100::1, 2001:106:2100::2, 2001:106:2200::1, 2001:106:2200::2, 2001:106:2700::2, 2001:106:2700::4, 2001:106:1100::1, 2001:106:1100::2]

Notes:
- All are Linux boxes with one physical wired interface.
- The diagram shows the logical network connection. Physically, all are connected to each other through an IPv4 LAN.
- HA and AR run radvd on ETH interfaces with addresses 2700::2 and 1100::1 respectively.
- MN movement is simulated by bringing the ETH interface up, once in the home network and once in the foreign network.

Page 44: Yan Chen Lab for Internet and Security Technology (LIST)

Evaluation
• The MIPv6 experiment is based on a LAN testbed.
  – Except for the Mobile Node, all other components such as the Home Agent and Correspondent Node are connected via wired cable in the Northwestern network.
• We collected the data through 100 experiment runs. Observed via Wireshark running on the Mobile Node, for one successful attack the time window is about 5ms on average and the standard deviation of the distribution is 0.108ms.
• The time consumed by computing the spoofed Error message is 0.0203ms on average. The closer the attacker is to the Mobile Node, the higher the probability of launching a successful Error Message attack.

Page 45: Yan Chen Lab for Internet and Security Technology (LIST)

PEAP Enhancement
• Original WPA supplicant v0.5.10
  – Generates a TLS ALERT on unexpected messages
  – Stops authentication on a TLS ALERT
• Delayed response implementation
  – Drop unexpected messages silently
  – Wait for 1 second when receiving a TLS ALERT to allow multiple responses, and ignore the TLS ALERT response if good responses are received
• Verification
  – Redid the attack experiments and proved the effect of the countermeasures
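The delayed-response behaviour described on this slide and on the Countermeasures slide, as an added example that is not part of the original slides or of the wpa_supplicant code. It simulates the supplicant's reaction to a timeline of incoming records under the two policies: the original one (abort on any TLS alert, and send an alert and abort on an unexpected record) and the enhanced one (drop unexpected records silently, open a grace window on an alert, and prefer a good record that arrives inside the window). Timelines, the `Msg` record, the 1 s window default and the function names are constructed assumptions; the record kinds are abstracted to `handshake`, `alert` and `success`.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Msg:
    """One incoming record in the simulation (constructed).
    kind: 'handshake' (TLS handshake record), 'alert' (TLS alert of level
    fatal, close_notify included) or 'success' (EAP-Success).
    expected: True when it is the record the handshake state machine is
    waiting for; False models an unexpected or injected record."""
    t: float
    kind: str
    expected: bool = True


def original_supplicant(timeline: List[Msg]) -> str:
    """Unmodified behaviour as described on the slide: stop on any TLS alert,
    and emit an alert and stop on an unexpected record."""
    for m in timeline:
        if m.kind == "alert":
            return "FAILED"            # trusts the (possibly spoofed) alert
        if not m.expected:
            return "FAILED"            # sends its own alert and aborts
        if m.kind == "success":
            return "AUTHENTICATED"
    return "INCOMPLETE"


def delayed_supplicant(timeline: List[Msg], window: float = 1.0) -> str:
    """Delayed-response variant: unexpected records are dropped silently, an
    alert opens a grace window instead of aborting, and a good record that
    arrives inside the window cancels the alert (success beats error)."""
    alert_at: Optional[float] = None
    for m in timeline:
        if alert_at is not None and m.t - alert_at > window:
            return "FAILED"            # window expired, nothing good arrived
        if m.kind == "alert":
            if alert_at is None:
                alert_at = m.t         # remember the first alert only
            continue
        if not m.expected:
            continue                   # drop silently, no alert of our own
        alert_at = None                # good record: prefer it over the alert
        if m.kind == "success":
            return "AUTHENTICATED"
    return "FAILED" if alert_at is not None else "INCOMPLETE"


# Constructed timelines (seconds).
# SPOOFED: a fatal alert and a close_notify are injected 50 ms into the
# handshake while the genuine server records keep arriving.
SPOOFED = [Msg(0.00, "handshake"), Msg(0.05, "alert"), Msg(0.06, "alert"),
           Msg(0.20, "handshake"), Msg(0.40, "handshake"), Msg(0.60, "success")]
# GENUINE_ABORT: the server really rejected us; nothing follows the alert.
GENUINE_ABORT = [Msg(0.00, "handshake"), Msg(0.05, "alert")]
# INJECTED_GARBAGE: an unexpected record is injected mid-handshake.
INJECTED_GARBAGE = [Msg(0.00, "handshake"), Msg(0.10, "handshake", expected=False),
                    Msg(0.30, "handshake"), Msg(0.50, "success")]
# LATE: after a spoofed alert the real server stays silent longer than the window.
LATE = [Msg(0.00, "handshake"), Msg(0.05, "alert"),
        Msg(1.50, "handshake"), Msg(1.60, "success")]

if __name__ == "__main__":
    for name, tl in [("spoofed", SPOOFED), ("genuine abort", GENUINE_ABORT),
                     ("injected garbage", INJECTED_GARBAGE), ("late", LATE)]:
        print(f"{name:17s} original={original_supplicant(tl):13s} "
              f"delayed={delayed_supplicant(tl)}")
```

The LATE timeline shows the trade-off the slide's 1 second window makes: the grace period must be longer than the server's worst-case response time, otherwise a genuine slow reply is lost, but every extra second of waiting on a real rejection is a second the client stays in an unauthenticated state.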

