|< Day Day Up >|
Categorizing Suspicious Events on WLANs
Once a sufficient number of network behavior statistics are gathered, a proper wireless IDS can start looking for the suspicious events indicating the possibility of malicious attack. These events might be manifested as the presence of certain frame types, frequency of frame transmission, frame structure and sequence number abnormalities, traffic flow deviations, and unexpected frequency use. Let's categorize the events a quality wireless IDS should be able to detect and issue a warning for.
1 RF/Physical Layer Events
These events can indicate connectivity or networking problems, severe network misconfiguration, rogue device placement, intentional jamming, and Layer 1 and Layer 2 man-in-the-middle attacks.
2 Management/Control Frames Events
These events can indicate network misconfigurations and connectivity problems, strong RF interference, wardrivers using active scanning tools in the area, MAC address spoofing on the WLAN, unsolicited clients connected to the WLAN, attempts to guess or brute-force a closed ESSID, or more advanced attackers mangling control and management frames to launch Layer 2 man-in-the-middle or DoS attacks.
3 802.1x/EAP Frames Events
These events can indicate attempts to bypass the 802.1x authentication scheme, including clever rogue 802.1x device placement and access brute-forcing or advanced DoS attacks to disable the authentication mechanisms. Of course, the malformed 802.1x frames can result from strong RF interference and other Layer 1 problems.
4 WEP-Related Events
These events can indicate severe network security misconfigurations, insecure legacy equipment in use, users violating the security policy, rogue wireless device placement, or use of traffic injecting tools (WEPwedgie, reinj) by advanced crackers.
5 General Connectivity/Traffic Flow Events
These events should prompt a future investigation to find the exact causes of the problem detected. An intelligent IDS inference engine should be able to link these problems to the different categories of events, thus partially automating the investigation problems.
6 Miscellaneous Events
These events can indicate successful or unsuccessful cracker attacks, a host with misconfigured security settings, attempts to access and reconfigure the deployed access points, the use of traffic injecting tools, advanced DoS attacks against 802.11i-enabled hosts, or attempts to overwhelm the AP buffers with large numbers of connections from the wired or wireless side. Again, any cases of frame or packet corruption can be attributed to physical layer problems, such as interference and low signal strength.
We hope that after studying the Attack chapters you can easily recognize many of the telltale attack signs from the preceding event list. For example, frames with frequently changed MAC addresses and ESSIDs are a good indication of someone using a FakeAP. Alternatively, there is a way to brute-force closed ESSIDs using two client PCMCIA cards and Wellenreiter. We did not describe it in the Attack section because we have never tried it, and using essid_jack or dinject is far more efficient and saves resources. Such a brute-forcing attack generates frames with changing ESSIDs and MAC addresses (Wellenreiter's way to obscure the attacker's card vendor and identity). Frequent probe requests might indicate someone using Netstumbler or Ministumbler, and hosts suddenly changing their operation channel can flag out a possible man-in-the-middle attack.
Many of the events outlined can be a result of user misbehavior rather than a planned malicious attack. Users can plug in unsolicited wireless devices or use interference-creating appliances (Bluetooth, wireless cameras, cordless phones). They can connect to the AP without enabling WEP/TKIP if the AP permits it (a big mistake on the administrator's side) or miss/avoid firmware upgrades it ("if it works, don't fix it"), thus making your 802.11i-based security deployment efforts useless. Any system or network administrator knows how unruly and obnoxious some users can be.
|< Day Day Up >|