Wireless Intrusion Detection & Response

ECE 4006 Group 2:Seng Ooh TohVarun KanotraNitin Namjoshi

Yu-Xi Lim

Contents Project Description & Demo Competitors & Market Building Blocks & Project Timeline Challenges, Risks and Difficulty Level Product Testing Hardware and Software

Requirements

Project Description

What is the product? An access point which can detect

intruders and take counter measures Detection of Netstumbler Blocking / Jamming Netstumbler without

affecting network performance Product will be open source and will

integrate several available technologies

Project Demo Several computers on a wireless

network Wireless network intruder using

Netstumbler Three Phases

Network setup Netstumbler and intrusion Intrusion detection and counter

measures

Phase I – Network Setup 2-3 Linux machines setup with an

access point to form a 802.11b network

Data (packets) routed from linux machines to each other through AP

Access point monitor used to detect source and destination of packets passing through the access point

Phase II – Intrusion Intrusion detection and jamming

turned off Netstumbler used to access

information on the wireless network

Netstumbler captured packet information shown

Phase III – Intrusion Detection & Counter Measures Netstumbler packet detection Blocking of Netstumbler packets,

RF jamming or fake AP barrage Data rate on wireless network

measured w/ and w/o counter measures

User Interface Focus on proving the concept Open source allows end users to

develop UI according to their needs

Basic text-based user interface for testing, debugging and demo

Competitors & Market

Competitors Fake AP – Product developed by

Black Alchemy. Used for flooding the wireless

network with false AP beacon packets.

Netstumbler gets overwhelmed with thousands of access points.

Open Source, supported by linux.

Competitors (contd.) Air Defense – Enterprise/Military

wireless intrusion detection system. Sold as a complete system which

includes AirDefense sensors, server appliance.

Does not take action against intruder, just monitors the network, and informs the administrator of any suspicious activity.

Price Fake AP is a freeware. Available

at: http://www.blackalchemy.to/Projects/fakeap/fake-ap.html

AirDefense system costs between $19,000 to $25,000.

Our Product No product in the market today

combines both Intrusion detection and response.

Our product shall be freely available.

This makes product unique and attractive to potential users.

Building Blocks Setup – Installing network cards on

two linux machines, installing HostAP drivers, installing wireless sniffers, packet sniffer libraries.

Detect NetStumbler – recognize netstumbler signature, UI design for reporting malicious activity.

Building Blocks (contd.) Counter-measures – - Logging event information (MAC, time,

physical location)- Sending bogus AP information.- DoS

Port to Open AP – combine detection and countermeasure and run it on an AP.

Building Blocks (contd.) OpenAP PC interface – write a TCP

sockets client-server program.

Allow network administrator to remotely configure and acquire information from Access Point.

Projected Timeline 12 weeks to complete.

Task Assignments

Challenges, Risks and Difficulty Level

Initial Setup – Challenges and Difficulty Lack of resources for experimental

drivers Recompilation of kernel and other

support packages Compatibility and interoperability

of hardware

Initial Setup - Risk Project could be severely delayed

if we are plagued with compatibility issues

Incompatible hardware might require extra expenses to get different cards

Wardriving Detection – Challenges and Difficulty Limited storage memory Libpcap vs. low-level syscalls Development of algorithm for

heuristic Wardriving detection

Wardriving Detection – Risks Inability to differentiate between

Wardriver and legitimate client renders module useless

Forced to resort to low-level syscalls without availability of experimental driver documentation

Countermeasure – Challenges and Difficulty Limited storage memory Countermeasures without affecting

normal network performance Discovering new denial-of-service

attacks attains Wardriving client

Porting to Access Point Different development framework Inaccessibility of access point Limited debug tools

Product Testing

Stage 1 : Wardriver Detection Reliable Wardriver detection Does not pick up legitimate traffic

from a variety of wireless cards Logging

Stage 2 : Countermeasure Executed in parallel with Stage 1 Sufficiently confuses Wardriver Disables Wardriver Does not affect normal network

traffic

Stage 3 : Access Point Remote deployment Durability (uptime) Status monitored remotely

Hardware and Software Requirements

Hardware Required 2x Linksys Wireless PC Card 1x Orinoco Gold Wireless Card 2x PCI-PC Card adapter USR 2450 Access Point Pretec 4MB Linear Mapped Card

Software Required Host AP Open AP Net Stumbler Ethereal Other scanners Other sniffers

Parts Designed and Adapted

Parts Adapted or Reused Host AP Open AP Fake AP

Parts Designed Intrusion detection algorithm Integration on Host AP Integration on Open AP