Wireless LAN MAC Spoof Detection
The exponential growth in the deployment of IEEE 802.11-based wireless LANs (WLANs) in enterprises and homes makes WLAN an attractive target for attackers. It is also well known that the IEEE 802.11 standard has certain vulnerabilities due to flaws in its MAC protocol design. One such vulnerability is that an attacker can easily spoof another node's MAC address, resulting in DoS or access control violations. Some spoofing-based attacks are as follows:
- DoS attacks by spoofing deauthentication/disassociation or power saving frames. (See the Bellardo and Savage paper below for the theory, and attack tools such as void11 for an implementation.)
- Spoofing as legitimate APs or stations. (See attack tools such as Airsnarf and WEPWedgie.)
Spoofing is possible because the IEEE 802.11 standard does not provide per-frame source authentication; it could be effectively prevented if proper authentication were added to the standard. Unfortunately, there is no plan for such a standard modification to support link-layer source authentication that covers both management and control frames. Even if it becomes available in the future, it cannot protect the large installed base of legacy WLAN devices.
The key idea of this project is to leverage the sequence number field in the link-layer header of IEEE 802.11 frames without modifying STAs, APs, or the MAC protocol. If an intrusion detection system keeps track of the latest sequence number of each wireless node, then to impersonate a node an attacker needs to spoof not only the source address but also its corresponding sequence number. If the sequence number of a spoofed frame is equal to or smaller than the corresponding node's current sequence number, the spoofed frame is considered a retransmitted frame and thus has to have the same content as the authentic frame with the same sequence number. This means that the spoofed frame cannot possibly do any harm, as it is just a duplicate. If a spoofed frame's sequence number is larger than the corresponding node's current sequence number, some subsequent authentic frame will have the same sequence number as this spoofed frame and eventually expose the spoofing.
Though the idea is simple, implementing it in the real world is challenging because of the following issues:
- The sequence number wraps around after 4 K (the field is 12 bits wide).
- Frames can be lost, duplicated, or delivered out of order.
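The following is an added illustration of the sequence-number tracking idea described above, written for this page and not the detection algorithm from the Guo and Chiueh paper or any of the products listed below. It keeps the latest sequence number per source MAC, computes gaps modulo 4096 so the 12-bit wrap-around is handled, treats frames at or behind the current sequence number as retransmissions whose content must match what was seen before, and tentatively accepts frames that jump ahead so that a later authentic frame carrying the same sequence number exposes the spoof. The thresholds (`MAX_FORWARD_GAP`, `HISTORY`) and the frame layout are assumptions chosen for the example; the sample frames are constructed.

```python
import hashlib
from collections import OrderedDict

SEQ_MODULUS = 4096      # the 802.11 sequence number field is 12 bits, so it wraps at 4096
MAX_FORWARD_GAP = 64    # assumed: how many lost frames we tolerate before a jump looks suspicious
HISTORY = 256           # assumed: recent frames remembered per station for retransmission checks


def forward_gap(prev: int, cur: int) -> int:
    """Distance from prev to cur moving forward through the 12-bit space.

    A small result means cur is slightly ahead of prev (normal progress, even
    across the 4095 -> 0 wrap); a result close to 4096 means cur is slightly
    behind prev (a retransmission or reordered frame).
    """
    return (cur - prev) % SEQ_MODULUS


class SpoofDetector:
    """Per-source-MAC sequence number tracker (illustrative, not the paper's code)."""

    def __init__(self) -> None:
        self.last_seq: dict[str, int] = {}                       # src MAC -> latest accepted seq
        self.history: dict[str, OrderedDict[int, str]] = {}      # src MAC -> seq -> body digest

    def _remember(self, hist: "OrderedDict[int, str]", seq: int, digest: str) -> None:
        hist[seq] = digest
        hist.move_to_end(seq)
        while len(hist) > HISTORY:
            hist.popitem(last=False)

    def observe(self, src: str, seq: int, body: bytes) -> str:
        """Classify one frame (source MAC, sequence number, frame body) and return a verdict."""
        digest = hashlib.sha256(body).hexdigest()
        hist = self.history.setdefault(src, OrderedDict())

        if src not in self.last_seq:
            self.last_seq[src] = seq
            self._remember(hist, seq, digest)
            return "new-station"

        gap = forward_gap(self.last_seq[src], seq)

        if gap == 0 or gap > SEQ_MODULUS - HISTORY:
            # Equal to or behind the current seq: a legitimate frame here can only be
            # a retransmission or a late frame, so its content must match what we saw.
            known = hist.get(seq)
            if known is None:
                return "out-of-order"          # late frame we never recorded; cannot judge
            if known == digest:
                return "retransmit"            # duplicate of an authentic frame, harmless
            return "SPOOF:content-mismatch"    # same seq, different body: spoof exposed

        # Ahead of the current seq: accept it (tentatively) and advance the tracker.
        verdict = "SUSPECT:large-gap" if gap > MAX_FORWARD_GAP else "ok"
        self.last_seq[src] = seq
        self._remember(hist, seq, digest)
        return verdict


def demo() -> list:
    """Constructed frame trace: a station wraps from 4095 to 0, then an attacker
    forges a frame with a sequence number ahead of the station; the station's own
    frame with that number later exposes the spoof."""
    det = SpoofDetector()
    trace = [
        ("00:11:22:33:44:55", 4094, b"data-a"),
        ("00:11:22:33:44:55", 4095, b"data-b"),
        ("00:11:22:33:44:55", 0, b"data-c"),        # wrap-around, still in order
        ("00:11:22:33:44:55", 0, b"data-c"),        # retransmission of the same frame
        ("00:11:22:33:44:55", 40, b"deauth-forged"),  # forged frame jumps ahead
        ("00:11:22:33:44:55", 1, b"data-d"),        # authentic traffic continues behind
        ("00:11:22:33:44:55", 40, b"data-e"),       # authentic seq 40 collides with the forgery
    ]
    return [det.observe(*frame) for frame in trace]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The demo trace shows the two behaviours the text relies on: the wrap from 4095 to 0 is not flagged, and the forged frame that jumps ahead is only exposed when the authentic frame with the same sequence number arrives, which is why the approach can catch the spoofing activity without catching every spoofed frame.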
The contribution of this project is that it designs and evaluates a detailed algorithm for sequence number-based spoofing detection. In real-world tests, the false positive rate of the proposed algorithm is zero, and the false negative rate is close to zero. In the worst case, the proposed algorithm can still detect a spoofing activity, even though it then detects only some but not all spoofed frames. Although several commercial systems claim that they can also detect spoofing, the details and effectiveness of their detection mechanisms are largely unknown. We thus believe this paper will help shed light on how spoof detection can be done and on its empirical effectiveness.
- Fanglu Guo and Tzi-cker Chiueh, "Sequence Number-Based MAC Address Spoof Detection," in Proceedings of the 8th International Symposium on Recent Advances in Intrusion Detection (RAID 2005), September 2005.
- J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions," in Proceedings of the USENIX Security Symposium.
- Joshua Wright, "Detecting Wireless LAN MAC Address Spoofing," http://home.jwu.edu/jwright/papers/wlan-mac-spoof.pdf
- Industry products