Wireless Intrusion Detection & Response ECE 4006 Group 2: Seng Ooh Toh Varun Kanotra Nitin Namjoshi Yu-Xi Lim

Contents Project Description & Demo Competitors & Market Building Blocks & Project Timeline Challenges, Risks and Difficulty Level Product Testing Hardware and Software Requirements

Project Description

What is the product? An access point which can detect intruders and take counter measures Detection of Netstumbler Blocking / Jamming Netstumbler without affecting network performance Product will be open source and will integrate several available technologies

Project Demo Several computers on a wireless network Wireless network intruder using Netstumbler Three Phases Network setup Netstumbler and intrusion Intrusion detection and counter measures

Phase I – Network Setup 2-3 Linux machines setup with an access point to form a b network Data (packets) routed from linux machines to each other through AP Access point monitor used to detect source and destination of packets passing through the access point

Phase II – Intrusion Intrusion detection and jamming turned off Netstumbler used to access information on the wireless network Netstumbler captured packet information shown

Phase III – Intrusion Detection & Counter Measures Netstumbler packet detection Blocking of Netstumbler packets, RF jamming or fake AP barrage Data rate on wireless network measured w/ and w/o counter measures

User Interface Focus on proving the concept Open source allows end users to develop UI according to their needs Basic text-based user interface for testing, debugging and demo

Competitors & Market

Competitors Fake AP – Product developed by Black Alchemy. Used for flooding the wireless network with false AP beacon packets. Netstumbler gets overwhelmed with thousands of access points. Open Source, supported by linux.

Competitors (contd.) Air Defense – Enterprise/Military wireless intrusion detection system. Sold as a complete system which includes AirDefense sensors, server appliance. Does not take action against intruder, just monitors the network, and informs the administrator of any suspicious activity.

Price Fake AP is a freeware. Available at: keap/fake-ap.html keap/fake-ap.html AirDefense system costs between $19,000 to $25,000.

Our Product No product in the market today combines both Intrusion detection and response. Our product shall be freely available. This makes product unique and attractive to potential users.

Building Blocks Setup – Installing network cards on two linux machines, installing HostAP drivers, installing wireless sniffers, packet sniffer libraries. Detect NetStumbler – recognize netstumbler signature, UI design for reporting malicious activity.

Building Blocks (contd.) Counter-measures – - Logging event information (MAC, time, physical location) - Sending bogus AP information. - DoS Port to Open AP – combine detection and countermeasure and run it on an AP.

Building Blocks (contd.) OpenAP PC interface – write a TCP sockets client-server program. Allow network administrator to remotely configure and acquire information from Access Point.

Projected Timeline 12 weeks to complete.

Task Assignments

Challenges, Risks and Difficulty Level

Initial Setup – Challenges and Difficulty Lack of resources for experimental drivers Recompilation of kernel and other support packages Compatibility and interoperability of hardware

Initial Setup - Risk Project could be severely delayed if we are plagued with compatibility issues Incompatible hardware might require extra expenses to get different cards

Wardriving Detection – Challenges and Difficulty Limited storage memory Libpcap vs. low-level syscalls Development of algorithm for heuristic Wardriving detection

Wardriving Detection – Risks Inability to differentiate between Wardriver and legitimate client renders module useless Forced to resort to low-level syscalls without availability of experimental driver documentation

Countermeasure – Challenges and Difficulty Limited storage memory Countermeasures without affecting normal network performance Discovering new denial-of-service attacks attains Wardriving client

Porting to Access Point Different development framework Inaccessibility of access point Limited debug tools

Product Testing

Stage 1 : Wardriver Detection Reliable Wardriver detection Does not pick up legitimate traffic from a variety of wireless cards Logging

Stage 2 : Countermeasure Executed in parallel with Stage 1 Sufficiently confuses Wardriver Disables Wardriver Does not affect normal network traffic

Stage 3 : Access Point Remote deployment Durability (uptime) Status monitored remotely

Hardware and Software Requirements

Hardware Required 2x Linksys Wireless PC Card 1x Orinoco Gold Wireless Card 2x PCI-PC Card adapter USR 2450 Access Point Pretec 4MB Linear Mapped Card

Software Required Host AP Open AP Net Stumbler Ethereal Other scanners Other sniffers

Parts Designed and Adapted

Parts Adapted or Reused Host AP Open AP Fake AP

Parts Designed Intrusion detection algorithm Integration on Host AP Integration on Open AP