1. Vulnerability Analysis and Intrusion Mitigation Systems for WiMAX Networks Yan Chen, Hai Zhou Northwestern Lab for Internet and Security Technology (LIST) Dept. of Electrical Engineering and Computer Science Northwestern University http://list.cs.northwestern.edu Motorola Liaisons Greg W. Cox, Z. Judy Fu, Phil Roberts, and Peter McCann Motorola Labs

2. The Current Threat Landscape and Countermeasures of WiMAX Networks WiMAX: next wireless phenomenon –Predicted multi-billion dollar industry WiMAX faces both Internet attacks and wireless network attacks –E.g., 6 new viruses, including Cabir and Skulls, with 30 variants targeting mobile devices Goal of this project: secure WiMAX networks Big security risks for WiMAX networks –No formal analysis about WiMAX security vulnerabilities –No intrusion detection/mitigation product/research tailored towards WiMAX networks

3. Security Challenges in WiMAX Networks In addition to sharing similar challenge of wired net –High speed traffic –Zero-day threats Wireless networks are more vulnerable –Open media Easy to sniff, spoof and inject packets –Open access Hotspots and potential large user population Attacking is more diverse –On media access (e.g., jamming), but easy to detect –On protocols (our focus)

4. Overall Approach and Achievement Adaptive Intrusion Detection and Mitigation for WiMAX Networks (WAIDM) Focus on the emerging threats: polymorphic zero-day worms and botnets –High-speed network monitoring and anomaly/intrusion detection –Polymorphic zero-day worm signature generation –Both designed, implemented and fully evaluated –All code are available for Motorola Vulnerability analysis and defense of WiMAX networks at various layers –IEEE 802.16e: MAC layer –Mobile IP v4/6: network layer –EAP layer (generalized to various wireless & cellular nets) –Finished for WiMAX, generalization ongoing

5. Overall Approach and Achievement II Twelve conference and two journal papers –Some more are under submission Two book chapters One patent filed

6. Outline Threat landscape and motivation Overall approach and achievement Accomplishment this year Error-message based DoS attacks of wireless networks and the defense

7. Accomplishments This Year Most achieved with close interaction with Motorola liaisons Automatic polymorphic worm signature generation systems for high-speed networks –Fast, noise tolerant w/ proved attack resilience –Resulted two joint papers with Motorola Labs “Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, published in to IEEE International Conference on Network Protocols (ICNP) 2007 (14% acceptance rate). –Patent filed through Motorola. “Method and Apparatus to Facilitate Generating Worm-Detection Signatures Using Data Packet Field Lengths”, U.S. Patent Application No. 11/985,760. Filed on Dec. 18, 2007. –A journal paper submitted to IEEE/ACM Trans. on Net.

8. Accomplishments on Publications Four conference, one journal papers and two book chapters –“Accurate and Efficient Traffic Monitoring Using Adaptive Non-linear Sampling Method", in the Proc. of IEEE INFOCOM, 2008 –“A Survey of Existing Botnet Defenses “, in the Proc. of IWSSE 2008. –“Honeynet-based Botnet Scan Traffic Analysis", invited book chapter for “Botnet Detection: Countering the Largest Security Threat”, Springer, 2007. –“Integrated Fault and Security Management”, invited book chapter for “Information Assurance: Dependability and Security in Networked Systems”, Morgan Kaufmann Publishers, 2007. –“Reversible Sketches: Enabling Monitoring and Analysis over High-speed Data Streams”, in ACM/IEEE Transaction on Networking, Volume 15, Issue 5, Oct. 2007. –“Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms”, in the Proc. of the 15th IEEE International Conference on Network Protocols (ICNP), 2007. –“Detecting Stealthy Spreaders Using Online Outdegree Histograms”, in the Proc. Of IEEE International Workshop on Quality of Service, 2007.

9. Students Involved PhD students: –Zhichun Li, Yao Zhao (both in their 4th years) –Lanjia Wang (visiting PhD students) MS students: –Sagar Vemuri (2 nd year) –Jiazhen Chen (1st year)

10. 10 Error-message Based DoS Attacks of Wireless Networks and the Defense

11. 11 Vulnerability and Attack Methodology Processing error messages imprudently –Error messages are in clear text before authentication –Messages are trusted without integrity check Attacking requirements –Sniffing: easy for wireless networks –Spoofing before authenticated Easy for wireless LANs & doable for cellular networks Basic attack ideas Spoof and inject error messages or wrong messages that trigger error messages to clients and/or servers. Maybe a known problem but largely ignored

12. 12 Outline Vulnerability and Attack Methodology Attack Case Studies –EAP protocols for wireless and cellular networks –Mobile IPv6 route optimization protocol (skipped) Countermeasures Conclusions

13. 13 EAP Authentication on Wireless Networks EAP-FASTPEAPEAP-TTLS EAP Over LAN (EAPOL) Extensible Authentication Protocol (EAP) EAP Layer Data Link Layer 802.11 WLAN EAP-TLS Authentication method layer TLS Authentication primitive GSM UMTS/ CDMA2000 EAP-AKAEAP-SIM Challenge/Response

14. 14 TLS Authentication Procedure TLS Handshake Protocol Client and server negotiate a stateful connection using a handshake procedure.

15. 15 DoS Attacks on TLS Authentication Sniff to get the client MAC address and IDs –Packet in clear text before authentication Send spoofed error messages –Before authentication is done, attacker spoofs an alert message of level ‘fatal‘, followed by a close notify alert. –Then the handshake protocol fails and needs to be tried again. Complete the DoS attack –The attacker repeats the previous steps to stop all the retries When this attack happens, WPA2,WPA or WEP are all in clear text.

16. 16 DoS Attacks on TLS: Illustration Sending Error Alert message of level Fatal Can either attack client or server

17. 17 DoS Attack on Challenge/Response over EAP-AKA Simple attack: Sending Error Rejection/ Notification message Client End Server End EAP-Request/Identity EAP-Response/Identity (NAI) AKA-Challenge (RAND, AUTN, MAC) AKA-Response (RES, MAC) EAP-Success AKA-Authentication-Reject AKA-Notification

18. 18 DoS Attack Experiment on a WiFi Network with PEAP Protocols Hardware –Wifi cards with Atheros chipsets (e.g., Proxim Orinoco Gold wireless adapter) –MADWifi driver Code implementation –Libraries Sniffing: Libpcap library Spoofing: Lorcon library –Attacking code About 1200 lines of C++ code in Ubuntu linux

19. 19 Field Test Results We conducted the EAP-TLS attack experiments at a Cafeteria. 7 mobile hosts and one Attacker We’ve successfully attacked all of them in one of the two channels

20. 20 Attack Efficiency Evaluation For example, when attack happens at the second point –Just need to send 156 bytes of message to screw the whole 1049 bytes authentication messages. Attack Point 1 Ratio by # of Messages25.00% [1/4] Ratio by Bytes15.89% [78/491 ] Attack Point 2 Ratio by # of Messages28.57% [2/7] Ratio by Bytes14.87% [156/1049]

21. 21 Scalability Evaluation by NS2 Simulations Vary the # of simultaneous sign-on clients up to 100 –All results are based on an average of 100 runs. Shows that the attacker is scalable: very few clients are able to authenticate successfully.

22. 22 NS-2 Simulation Results II Even better results when sending error messages more aggressively by reducing the CWMin parameter of the attacker –The back-off time of attacker is reduced.

23. 23 Outline Vulnerability and Attack Methodology Attack Case Studies –EAP protocols for wireless and cellular networks –Mobile IPv6 route optimization protocol (skipped) Countermeasures Conclusions

24. 24 Countermeasures Enhance the robustness of the authentication protocol for wireless access –Delay decision making process by waiting for a short time for a success message (if any) to arrive; and –Give preference to success messages than the error ones. –Implemented and successfully thwart EAP-TLS attacks

25. 25 Conclusions We have designed new methods to launch DoS attacks on security protocols using error messages. We found that any security protocol is vulnerable to such attacks as long as it supports a few error messages before the authentication step. We demonstrated the effect of these attacks on TLS and MIPv6 protocols. As far as we know, no authentication protocol currently is secure against such attacks. We suggest a few guidelines for the protocol designers and implementers to defend such attacks.

26. Backup Slides 26

27. 27 EAP and TLS Authentication Extensible Authentication Protocol (EAP) is a PPP extension –Provides support for additional authentication methods within PPP. Transport Layer Security (TLS) –Mutual authentication –Integrity-protected cipher suite negotiation –Key exchange Challenge/Response authentication with pre-shared keys –Pre-shared key (Ki) in SIM and AuC –Auc challenges mobile station with RAND –Both sides derive keys based on Ki and RAND

28. 28 Practical Experiment For the 33 different tries –All suffered an attack at Attack Point-1 –21% survive from the first attack but failed at the 2 nd Attack Point.

29. 29 Simulate one TLS-Server, one TLS-Attacker and range the TLS-Clients between 1 to a maximum of 100. –The number of clients authenticate to the TLS server simultaneously. –It’s extremely rare case Base Station was set up to interface between the wired and wireless networks. The duplex-link between the BS and the TLS- Server was of 100MBps with a 10ms delay.

30. 30 Case 2: Mobile IPv6 Routing-Optimization protocol

31. 31 Mobile IPv6 Mobile IPv6 is a protocol which allows nodes to remain reachable while moving around in the IPv6 Internet. –Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet. –IPv6 packets addressed to a mobile node's home address are transparently routed to its care-of address. –The protocol enables IPv6 nodes to cache the binding of a mobile node's home address with its care-of address, and to then send any packets destined for the mobile node directly to it at this care-of address

32. 32 Return Routability Procedure The procedure begins when the MN sends HoTI message to CN through HA and CoTI message directly to CN. Upon the receipt of the Binding Update, CN adds an entry for the MN in its Binding Cache and optionally sends Binding Acknowledgement. Once this happens, MN and CN will be capable of communicating over a direct route. –This way, the route between MN and CN is optimized.

33. 33 Once Return Routability happens, MN and CN will be capable of communicating over a direct route The route between MN and CN is optimized. Return Routability Procedure

34. 34 The Vulnerability Binding Error Vulnerability –Used to disable the Routing Optimization procedure. Binding Error message set Status to 2 (unrecognized MH Type value), Then the mobile node SHOULD cease the attempt to use route optimization. The Binding Error message is not protected. Bind Acknowledgement Vulnerability –The Bind Acknowledgement vulnerability affects the Return Routability procedure Binding Acknowledgement with status 136, 137 and 138 is used to indicate an error and not protected in any way Hence, it could be easily spoofed by an external entity

35. 35 Bind Error Vulnerability The Vulnerability

36. 36 Bind Acknowledgement Vulnerability The Vulnerability

37. 37 Experiment Environment

38. 38 Evaluation The MIPv6 Experiment is based on a LAN testbed. –Except the Mobile Node, all other components such as Home Agent and Correspondence Node are all connected via wired cable in the Northwestern network. We collected the data through 100 times experiment. Observed via the Wireshark running on the Mobile Node, for one successful attack, the time window is about 5ms in average and the Standard Deviation is 0.108ms for distribution The time consumed by computing the spoofed Error message is 0.0203ms in average. The closer the attack to the Mobile Node, the higher probability we get for launching a successful Error Message attack.

39. 39 PEAP Enhancement Original WPA supplicant v0.5.10 –Generate TLS ALERT on unexpected messages –Stop authentication on TLS ALERT Delayed response implementation –Drop unexpected message silently –Wait for 1 second when receiving TLS ALERT to allow multiple responses, and ignore TLS ALERT response if good responses are received. Verification – Redid the attack experiments and prove the effect of the countermeasures