Slide 1: Detecting and Responding to Data Link Layer Attacks With Scapy
TJ OConnor, September 2011
GIAC (GSE, GSEC, GCFW, GCIA, GCIH, GCFA, GREM, GPEN, GWAPT, GCFE)
Slide 2: The Hotel Area Network Dilemma
• About 1 year ago, sitting in a hotel room in Washington D.C.
  – "Free" wireless Internet starts working intermittently
  – Users start complaining of Facebook posts they didn't make
• Fire up IDS toolkit
  – IDS doesn't see anything happening at Layer 3
  – IPS isn't seeing any attacks against the hotel either
• What's happening?
  – As incident responders, need the ability to quickly
Slide 3: CAM Table Exhaustion Attack
• The CAM table maps each switch port to the destination MAC addresses learned on it
• Flooding the switch with frames from forged source MACs overflows the table's memory; once the MAC-to-port bindings are gone the switch no longer knows where to deliver a frame and floods it out every port, so an attacker on any port sees traffic meant for others
[Figure: attacker frames with incrementing source MACs, ETH.SRC = AA:AA:AA:AA:AA:AA, AA:AA:AA:AA:AA:AB, AA:AA:AA:AA:AA:AC, AA:AA:AA:AA:AA:AD, AA:AA:AA:AA:AA:AE, ...]
Slide 4: CAM Table Exhaustion Attack

from scapy.all import sniff, Ether, IP
import datetime

interface = "eth0"
THRESH = 100          # new source MACs per second before alerting
hwList = []           # every source MAC seen since start
start = datetime.datetime.now()

def monitorPackets(p):
    if p.haslayer(IP):
        hwSrc = p.getlayer(Ether).src
        if hwSrc not in hwList:
            hwList.append(hwSrc)
            delta = datetime.datetime.now() - start
            # skip the first second so we never divide by zero
            if delta.seconds > 0 and (len(hwList) / delta.seconds) > THRESH:
                print("[*] - Detected CAM Table Attack.")

sniff(iface=interface, prn=monitorPackets)
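As an added example, not code from the deck: the same new-source-MAC check run offline over constructed Ethernet frames, parsed from raw bytes so neither Scapy nor a live interface is needed. It uses a sliding window rather than the count-since-start average above, because after a long quiet period that average is diluted and a short burst of forged MACs can stay under threshold. The frame builder, MAC values, timestamps and threshold are all invented for the demonstration.

```python
import struct
from collections import deque


def build_eth(src_mac, dst_mac="ff:ff:ff:ff:ff:ff", ethertype=0x0800):
    """Constructed 14-byte Ethernet II header (dst, src, EtherType); payload omitted."""
    dst = bytes.fromhex(dst_mac.replace(":", ""))
    src = bytes.fromhex(src_mac.replace(":", ""))
    return dst + src + struct.pack("!H", ethertype)


def src_mac_of(frame):
    """The source MAC is bytes 6..11 of an Ethernet II frame."""
    return ":".join("%02x" % b for b in frame[6:12])


class CamFloodDetector:
    """Alert when more than `thresh` never-before-seen source MACs arrive within
    any `window` seconds. A cumulative new-MACs/elapsed-seconds rate sinks after
    an hour of quiet, so only recent first-sightings are kept here."""

    def __init__(self, thresh=100, window=1.0):
        self.thresh = thresh
        self.window = window
        self.seen = set()          # every source MAC ever observed
        self.new_times = deque()   # timestamps of first sightings inside the window

    def observe(self, ts, frame):
        """Feed one (timestamp, frame); return True if the window is over threshold."""
        mac = src_mac_of(frame)
        if mac in self.seen:
            return False
        self.seen.add(mac)
        self.new_times.append(ts)
        while self.new_times and ts - self.new_times[0] > self.window:
            self.new_times.popleft()
        return len(self.new_times) > self.thresh


def replay(events, thresh=100, window=1.0):
    """Run the detector over (timestamp, frame) pairs; return the timestamps that alerted."""
    det = CamFloodDetector(thresh, window)
    return [ts for ts, frame in events if det.observe(ts, frame)]


def synth_flood(n, spacing, start_ts=0.0):
    """Constructed attacker traffic in the style of macof: n frames, each from a
    fresh locally administered source MAC, `spacing` seconds apart."""
    return [(start_ts + i * spacing,
             build_eth("02:00:00:%02x:%02x:%02x" % ((i >> 16) & 0xff, (i >> 8) & 0xff, i & 0xff)))
            for i in range(n)]


if __name__ == "__main__":
    burst = replay(synth_flood(300, 0.001))   # 300 new MACs in 0.3 s
    slow = replay(synth_flood(300, 1.0))      # 300 new MACs over 5 minutes
    print("%d alerts during the burst, %d during the slow trickle" % (len(burst), len(slow)))
```

The slow trickle never alerts because a window only ever holds two first-sightings; the burst alerts from the 101st new MAC onward, and it does so just as well when the burst starts an hour into the capture.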
Slide 5: ARP Spoofing
• ARP translates layer 3 (IP) addresses to layer 2 (MAC) addresses
• Clients maintain their own ARP tables of these logical-to-physical bindings
• But anyone can broadcast a gratuitous ARP, and client tables are updated with no authentication
[Figure: host C tells A "B's IP ADDR is located at HW ADDR for C" and tells B "A's IP ADDR is located at HW ADDR for C", placing itself between them]
Slide 6: ARP Spoofing

from scapy.all import sniff, ARP

interface = "eth0"
hwTable = {}          # IP address -> MAC address learned from ARP replies

def monitorPackets(p):
    global hwTable
    if p.haslayer(ARP) and p.getlayer(ARP).op == 2:   # op 2 = is-at (ARP reply)
        hwSrc = p.getlayer(ARP).hwsrc
        ipSrc = p.getlayer(ARP).psrc
        if ipSrc in hwTable:
            if hwSrc != hwTable[ipSrc]:
                print("[*] - Conflict for IP: " + ipSrc)
        hwTable[ipSrc] = hwSrc      # note: the conflicting MAC replaces the old binding

sniff(iface=interface, filter="arp", prn=monitorPackets)
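An added example, not the deck's code: ARP replies parsed straight from raw Ethernet bytes and checked against a table in which chosen entries (here the default gateway) are pinned. The pin matters because the script above overwrites hwTable with the attacker's MAC after printing the conflict, so further spoofed replies for that IP are silent until the real host announces itself again. Every frame, address and the gateway entry are constructed for the demonstration.

```python
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def _mac_str(b):
    return ":".join("%02x" % x for x in b)


def build_arp(op, sha, spa, tha, tpa):
    """Constructed Ethernet II + ARP frame (sample input, not captured traffic)."""
    dst = _mac_bytes("ff:ff:ff:ff:ff:ff" if op == ARP_REQUEST else tha)
    eth = dst + _mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
           + _mac_bytes(sha) + socket.inet_aton(spa)
           + _mac_bytes(tha) + socket.inet_aton(tpa))
    return eth + arp


def parse_arp(frame):
    """Return (op, sha, spa, tha, tpa), or None if not an Ethernet/IPv4 ARP frame.
    Offsets: EtherType at 12, opcode at 20, sender MAC/IP at 22/28, target MAC/IP at 32/38."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    return (op, _mac_str(frame[22:28]), socket.inet_ntoa(frame[28:32]),
            _mac_str(frame[32:38]), socket.inet_ntoa(frame[38:42]))


class ArpSpoofDetector:
    """Track IP-to-MAC bindings learned from ARP replies. Entries in `static`
    (e.g. the gateway) are pinned: a conflicting reply alerts but never replaces
    the binding, so a persistent spoofer keeps alerting instead of silencing the
    detector after its first overwrite."""

    def __init__(self, static=None):
        self.static = dict(static or {})
        self.table = dict(self.static)

    def observe(self, frame):
        """Feed one frame; return an alert string, or None."""
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return None
        _, sha, spa, _tha, _tpa = parsed
        known = self.table.get(spa)
        alert = None
        if known is not None and known != sha:
            kind = "pinned" if spa in self.static else "learned"
            alert = "conflict for %s: %s entry %s, reply claims %s" % (spa, kind, known, sha)
        if spa not in self.static:
            self.table[spa] = sha   # dynamic entries follow the latest reply, as a host would
        return alert


if __name__ == "__main__":
    det = ArpSpoofDetector(static={"10.0.0.1": "00:11:22:33:44:55"})
    spoof = build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "aa:bb:cc:dd:ee:01", "10.0.0.7")
    print(det.observe(spoof))
    print("gateway still bound to", det.table["10.0.0.1"])
```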
Slide 7: DHCP Starvation Attack
• Dynamic IP addresses are leased from a DHCP server after a request by a client. The lease allows the client to use the specified address for a period of time
• By sending 254 DHCP requests, each from a different spoofed client hardware address, a DHCP starvation attack empties the pool of a typical /24 scope and prevents any new clients from joining
[Figure: attacker sends DHCP Request, DHCP Request, DHCP Request, ... until no address remains available]
Slide 8: DHCP Starvation Attack

from scapy.all import sniff, BOOTP

interface = "eth0"
reqCnt = 0
ofrCnt = 0

def monitorPackets(p):
    global reqCnt, ofrCnt
    if p.haslayer(BOOTP):
        opCode = p.getlayer(BOOTP).op   # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
        if opCode == 1:
            reqCnt = reqCnt + 1
        elif opCode == 2:
            ofrCnt = ofrCnt + 1
        print("[*] - " + str(reqCnt) + " Requests.")
        print("[*] - " + str(ofrCnt) + " Offers.")

sniff(iface=interface, filter="udp and (port 67 or port 68)", prn=monitorPackets)
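An added example, not from the deck: rather than printing running request and offer totals, this counts how many distinct client hardware addresses have asked for a lease within a window and alerts once that exceeds the scope's pool size, which is the condition under which no legitimate client can be served. The BOOTP payloads are built and parsed from raw bytes using the RFC 951 fixed-header offsets; the MACs, pool size, window and traffic pattern are constructed for the demonstration.

```python
import struct
from collections import deque

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"
DHCPDISCOVER = 1


def build_bootp(op, chaddr, xid=0x1234, msg_type=DHCPDISCOVER):
    """Constructed DHCP payload (UDP body): the 236-byte BOOTP fixed header,
    the magic cookie, option 53 (DHCP message type) and the end option."""
    hw = bytes.fromhex(chaddr.replace(":", ""))
    fixed = (struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)   # op, htype, hlen, hops, xid, secs, flags
             + b"\x00" * 16                                         # ciaddr, yiaddr, siaddr, giaddr
             + hw.ljust(16, b"\x00")                                # chaddr (16 bytes, 6 used)
             + b"\x00" * 192)                                       # sname (64) + file (128)
    return fixed + DHCP_MAGIC + bytes([53, 1, msg_type, 255])


def parse_bootp(payload):
    """Return (op, chaddr) from the fixed header, or None if the payload is too short."""
    if len(payload) < 236:
        return None
    op, hlen = payload[0], payload[2]
    return op, ":".join("%02x" % b for b in payload[28:28 + hlen])


class DhcpStarvationDetector:
    """Track distinct client hardware addresses seen in BOOTREQUESTs within
    `window` seconds. More distinct requesters than the pool has addresses means
    starvation regardless of the packet rate."""

    def __init__(self, pool_size=254, window=60.0):
        self.pool_size = pool_size
        self.window = window
        self.requests = deque()   # (timestamp, chaddr) of recent BOOTREQUESTs
        self.replies = 0

    def observe(self, ts, payload):
        """Feed one DHCP payload; return True when distinct requesters exceed the pool."""
        parsed = parse_bootp(payload)
        if parsed is None:
            return False
        op, chaddr = parsed
        if op == BOOTREPLY:
            self.replies += 1
            return False
        self.requests.append((ts, chaddr))
        while self.requests and ts - self.requests[0][0] > self.window:
            self.requests.popleft()
        return len({c for _, c in self.requests}) > self.pool_size


def replay_discovers(n, spacing, distinct=True, pool_size=254):
    """Constructed traffic: n DISCOVERs `spacing` seconds apart, each from a fresh
    client MAC (or always the same one if distinct is False). Returns the alert count."""
    det = DhcpStarvationDetector(pool_size=pool_size)
    alerts = 0
    for i in range(n):
        mac = "02:00:00:00:%02x:%02x" % (i >> 8, i & 0xff) if distinct else "02:00:00:00:00:01"
        alerts += det.observe(i * spacing, build_bootp(BOOTREQUEST, mac, xid=i))
    return alerts


if __name__ == "__main__":
    print(replay_discovers(300, 0.01), "alerts: 300 spoofed clients in 3 s")
    print(replay_discovers(300, 0.01, distinct=False), "alerts: one impatient client retrying 300 times")
```

A single client retransmitting DISCOVERs never trips this check, which the raw request count on the slide cannot distinguish from a flood of forged clients.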
Slide 9: CTS/RTS Wireless Attack
• Request-to-send (RTS) and clear-to-send (CTS) are unencrypted, unauthenticated layer 2 control frames used to prevent wireless collisions
• A client wishing to send traffic transmits an RTS. If the medium is clear, the destination responds with a CTS, and everybody else who hears the CTS backs off for the duration it advertises
Slide 10: CTS/RTS Wireless Attack

from scapy.all import sniff, Dot11
import datetime

interface = "mon0"    # monitor-mode interface
THRESH = 100          # control frames per second before alerting
rtsCNT = 0
ctsCNT = 0
start = datetime.datetime.now()

def monitorPackets(p):
    global rtsCNT, ctsCNT
    if p.haslayer(Dot11):
        dot11 = p.getlayer(Dot11)
        secs = max((datetime.datetime.now() - start).seconds, 1)   # no divide-by-zero in the first second
        # RTS/CTS are control frames (type 1); checking the subtype alone would
        # also count management subtype 12, which is a deauthentication
        if dot11.type == 1 and dot11.subtype == 11:
            rtsCNT = rtsCNT + 1
            if (rtsCNT / secs) > THRESH:
                print("[*] - Detected RTS Flood.")
        elif dot11.type == 1 and dot11.subtype == 12:
            ctsCNT = ctsCNT + 1
            if (ctsCNT / secs) > THRESH:
                print("[*] - Detected CTS Flood.")

sniff(iface=interface, prn=monitorPackets)
Slide 11: Wireless Deauth Attack
• Clients authenticate themselves to access points prior to association with the network
• Authentication typically occurs over unencrypted layer 2 management frames
• De-authentication also occurs over unencrypted layer 2 management frames
• Tools such as the aircrack-ng suite (aireplay-ng) can spoof a de-authentication
Slide 12: Wireless Deauth Attack

from scapy.all import sniff, Dot11
import datetime

interface = "mon0"
THRESH = 10           # deauth frames per second before alerting
deauthCNT = 0
start = datetime.datetime.now()

def monitorPackets(p):
    global deauthCNT, start
    if p.haslayer(Dot11):
        frameType = p.getlayer(Dot11).type
        subtype = p.getlayer(Dot11).subtype
        if (frameType == 0) and (subtype == 12):   # management frame, deauthentication
            deauthCNT = deauthCNT + 1
            delta = datetime.datetime.now() - start
            rate = deauthCNT / max(delta.seconds, 1)
            if rate > THRESH:
                print("[*] - Detected Deauth Attack")
                print("[*] - Count: " + str(deauthCNT))
                deauthCNT = 0                       # reset the window after alerting
                start = datetime.datetime.now()

sniff(iface=interface, prn=monitorPackets)
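An added example serving both the CTS/RTS slides and the deauth slides; it is not code from the deck. It decodes the 802.11 Frame Control byte into type and subtype from raw frames, which makes the pitfall in the control-frame check concrete: CTS (type 1, subtype 12) and deauthentication (type 0, subtype 12) share a subtype and differ only in type. It then runs a per-sender sliding-window deauth counter keyed on addr2, the claimed transmitter. Frame layouts follow the standard header formats; the addresses, counts and thresholds are constructed for the demonstration.

```python
import struct
from collections import defaultdict, deque

MGMT, CTRL, DATA = 0, 1, 2
FRAME_NAMES = {(MGMT, 8): "beacon", (MGMT, 12): "deauth", (CTRL, 11): "rts", (CTRL, 12): "cts"}


def _mac_bytes(m):
    return bytes.fromhex(m.replace(":", ""))


def _mac_str(b):
    return ":".join("%02x" % x for x in b)


def frame_control(frame):
    """(type, subtype) from the first byte of the Frame Control field:
    bits 0-1 protocol version, bits 2-3 type, bits 4-7 subtype."""
    fc0 = frame[0]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF


def classify(frame):
    return FRAME_NAMES.get(frame_control(frame), "other")


def build_frame(ftype, subtype, addr1, addr2=None, reason=None):
    """Constructed 802.11 frame. Management frames carry addr1/addr2/addr3 plus a
    sequence control field (24-byte header); RTS carries RA and TA, CTS only RA.
    A deauthentication additionally carries a 2-byte reason code."""
    fc = bytes([(subtype << 4) | (ftype << 2), 0]) + struct.pack("<H", 0)   # FC, duration
    if ftype == MGMT:
        hdr = fc + _mac_bytes(addr1) + _mac_bytes(addr2) + _mac_bytes(addr2) + struct.pack("<H", 0)
        return hdr + (struct.pack("<H", reason) if reason is not None else b"")
    return fc + _mac_bytes(addr1) + (_mac_bytes(addr2) if addr2 else b"")


class DeauthDetector:
    """Per-sender deauthentication rate over a sliding window. addr2 (offset 10)
    is the claimed transmitter; in an attack it is the spoofed BSSID, so the alert
    names the access point being impersonated, not the attacker's radio."""

    def __init__(self, thresh=10, window=1.0):
        self.thresh, self.window = thresh, window
        self.times = defaultdict(deque)

    def observe(self, ts, frame):
        """Feed one (timestamp, frame); return the sender MAC when its rate exceeds thresh."""
        if classify(frame) != "deauth":
            return None
        sender = _mac_str(frame[10:16])
        q = self.times[sender]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        return sender if len(q) > self.thresh else None


def replay_deauths(n, spacing, bssid="02:ca:fe:00:00:01", victim="ff:ff:ff:ff:ff:ff"):
    """Constructed flood: n broadcast deauths claiming to come from `bssid`,
    `spacing` seconds apart. Returns one alert per frame that exceeded the rate."""
    det = DeauthDetector()
    # reason 7: class 3 frame received from a non-associated station
    frames = [build_frame(MGMT, 12, victim, bssid, reason=7) for _ in range(n)]
    return [a for a in (det.observe(i * spacing, f) for i, f in enumerate(frames)) if a]


if __name__ == "__main__":
    for f in (build_frame(CTRL, 12, "00:11:22:33:44:55"),
              build_frame(MGMT, 12, "00:11:22:33:44:55", "66:77:88:99:aa:bb", reason=7)):
        print("FC byte 0x%02x -> type/subtype %s -> %s" % (f[0], frame_control(f), classify(f)))
    print(len(replay_deauths(50, 0.01)), "alerts for 50 deauths in half a second")
```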
Slide 13: Fake Access Point Attack
• Wireless access points are advertised over an 802.11 beacon frame
• Clients use the information in the 802.11 beacon frame to connect to the wireless AP
• Anyone can broadcast an 802.11 beacon, impersonating a network
• Combined with tools like karmetasploit, an attacker can instantly attack a client that joins a fake AP
Slide 14: Fake Access Point Attack

from scapy.all import sniff, Dot11, Dot11Beacon, Dot11Elt

interface = "mon0"
THRESH = 3            # timestamp rollbacks for one BSSID before alerting
ssidDict = {}         # BSSID -> list of beacon timestamps seen
ssidCnt = {}          # BSSID -> number of times the timestamp went backwards

def monitorPackets(p):
    if p.haslayer(Dot11Beacon):                           # management frame, subtype 8
        ssid = p.getlayer(Dot11Elt).info
        bssid = p.getlayer(Dot11).addr2
        stamp = p.getlayer(Dot11Beacon).timestamp         # TSF timer, only increases on a real AP
        if bssid not in ssidDict:
            ssidDict[bssid] = []
            ssidCnt[bssid] = 0
        elif stamp < ssidDict[bssid][-1]:                  # compare with the previous beacon
            ssidCnt[bssid] = ssidCnt[bssid] + 1
            if ssidCnt[bssid] > THRESH:
                print("[*] - Detected fakeAP")
                print("[*] - SSID: " + str(ssid))
        ssidDict[bssid].append(stamp)

sniff(iface=interface, prn=monitorPackets)
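An added example, not the deck's code: the timestamp-rollback idea run offline over constructed beacon frames, parsed from raw bytes. A genuine access point's 64-bit TSF timer only increases, so when a second radio advertises the same BSSID the interleaved beacons make the value jump backwards repeatedly; the detector counts those rollbacks per BSSID and alerts past a threshold. The BSSID, SSID, timestamps and interleaving below are invented for the demonstration.

```python
import struct
from collections import defaultdict


def build_beacon(bssid, ssid, timestamp, interval=100):
    """Constructed beacon: 24-byte management header (FC byte 0x80 = type 0,
    subtype 8; addr1 broadcast, addr2 and addr3 the BSSID) followed by the TSF
    timestamp, beacon interval, capability field and an SSID element (tag 0)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    hdr = bytes([0x80, 0]) + struct.pack("<H", 0) + b"\xff" * 6 + mac + mac + struct.pack("<H", 0)
    body = struct.pack("<QHH", timestamp, interval, 0x0411) + bytes([0, len(ssid)]) + ssid.encode()
    return hdr + body


def parse_beacon(frame):
    """Return (bssid, ssid, timestamp), or None if the frame is not a beacon."""
    if len(frame) < 38 or frame[0] != 0x80:
        return None
    bssid = ":".join("%02x" % b for b in frame[16:22])   # addr3
    timestamp = struct.unpack("<Q", frame[24:32])[0]
    tag, length = frame[36], frame[37]
    ssid = frame[38:38 + length].decode(errors="replace") if tag == 0 else ""
    return bssid, ssid, timestamp


class FakeApDetector:
    """Count, per BSSID, how often a beacon's timestamp is lower than the previous
    beacon's. One rollback can be an AP reboot; repeated rollbacks mean two
    transmitters are sharing the BSSID."""

    def __init__(self, thresh=3):
        self.thresh = thresh
        self.last = {}                      # BSSID -> timestamp of the previous beacon
        self.rollbacks = defaultdict(int)   # BSSID -> rollbacks seen so far

    def observe(self, frame):
        """Feed one frame; return (bssid, ssid) when this beacon pushes the count over thresh."""
        parsed = parse_beacon(frame)
        if parsed is None:
            return None
        bssid, ssid, stamp = parsed
        prev = self.last.get(bssid)
        self.last[bssid] = stamp
        if prev is not None and stamp < prev:
            self.rollbacks[bssid] += 1
            if self.rollbacks[bssid] > self.thresh:
                return bssid, ssid
        return None


def interleave(a, b):
    """Merge two beacon streams alternately, as a sniffer hears two radios on one channel."""
    return [f for pair in zip(a, b) for f in pair]


def replay(frames, thresh=3):
    """Run the detector over a frame list; return the alerts it raised."""
    det = FakeApDetector(thresh)
    return [a for a in (det.observe(f) for f in frames) if a]


if __name__ == "__main__":
    real = [build_beacon("02:ca:fe:00:00:01", "HotelWiFi", 1000000 + i * 102400) for i in range(10)]
    fake = [build_beacon("02:ca:fe:00:00:01", "HotelWiFi", 5000 + i * 102400) for i in range(10)]
    print(len(replay(real)), "alerts from the genuine AP alone")
    print(len(replay(interleave(real, fake))), "alerts once an impostor shares the BSSID")
```

The rollback count is what distinguishes an impostor from a single AP that rebooted (one rollback, then monotonic again), which is why a threshold above one is kept.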
Slide 15: Conclusion
• Layer two attacks still present a threat to modern networks
• Typically these threats go unnoticed by intrusion detection systems
• Scapy and a little creativity can be used to automate detecting layer two attacks
• For more information, see "Detecting and Responding to Data Link Layer Attacks", published in the SANS GCIA Reading Room