evading and detecting wireless ids systems

David Maynor recently caught some attention by being critical of how Airtight protects a wireless network from rogue APs (and clients). I’ll let the link speak for itself on that, as well as the Airtight CTO’s take in the comments section of a post on Andrew Hay’s site (and Mike Rothman’s, for that matter).

What I found even more intriguing was the link to a 2005 paper from Joshua Wright discussing the flaws and details of the methods wireless IDS/IPS products use to contain rogue wireless clients. Joshua Wright has an amazing ability in his papers to write very clearly and plainly, making the information easy to follow, and while the paper comes in at only 17 pages, I thought I would paraphrase his key points a bit in this post.

  • Wireless IDS detect and then try to disassociate/deauthenticate (deauth from here on) rogue clients.
  • Some send deauth frames only to the client; some also send them to the access point the client is associated with.
  • Some just vomit out deauth frames; others time them more carefully so they respond efficiently.
  • The deauth mechanism is not set in stone, meaning implementation of frames can be done many ways. This combined with the various features means an attacker can detect and fingerprint a wireless IDS to better attack/evade it.
  • Detection/fingerprinting can be done via sequence number anomalies in the frames. Some vendors use fixed sequence numbers, and sometimes the sequence numbers in the wireless IDS frames visibly differ from those in the real AP’s frames.
  • Detection/fingerprinting can be done via disconnect notice bit anomalies.
  • Detection/fingerprinting can be done by watching access point traffic in relation to deauth frames. If an AP really did issue a deauth, it wouldn’t overlap that with association or other frames to the same client. If an IDS issued the deauth, the AP’s own frames may overlap with it, giving the IDS away.
  • Detection can be done by comparing the signal strength of deauth frames and normal frames. Deauths arriving at a different signal strength can give away the IDS’s presence.
  • An attacker can sometimes slip data into a network between deauths that are spaced too far apart. Some vendors make this spacing configurable, or simply leave more time between deauths so as not to further saturate the wireless medium.
  • An attacker can modify his wireless drivers to ignore deauth frames, so that if an IDS sends deauths only to the client and not to the AP, the connection is never torn down because the client takes no action.
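
The same tells that fingerprint an IDS are the ones a defender should audit in their own deployment: if the WIPS’s containment frames stand out from the AP’s genuine traffic, the containment can be recognised and evaded. The analyzer below is an added example, not code from this post or from Wright’s paper. It takes a constructed list of frame records (the fields are assumptions standing in for what a capture tool would export) and applies four of the checks summarised above: sequence numbers out of step with the AP’s genuine frames, deauth signal strength differing from the AP’s baseline, the AP continuing to talk to a client it supposedly just deauthed, and deauths spaced far enough apart to leave a usable gap. The thresholds are illustrative assumptions.

```python
"""Offline check of deauth frames against an AP's genuine traffic (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEQ_MOD = 4096  # 802.11 sequence numbers are 12 bits wide


@dataclass
class Frame:
    ts: float      # capture timestamp in seconds (assumed field)
    src: str       # transmitter address; the BSSID for AP-originated frames
    dst: str       # receiver address
    subtype: str   # 'beacon', 'data', 'assoc_resp', 'deauth', ...
    seq: int       # 12-bit sequence number
    rssi: int      # received signal strength in dBm


def seq_distance(prev: int, cur: int) -> int:
    """Forward distance from prev to cur, wrapping at 4096."""
    return (cur - prev) % SEQ_MOD


def analyze(frames: List[Frame], seq_window: int = 16, rssi_tolerance: int = 10,
            overlap_window: float = 1.0, max_gap: float = 2.0) -> List[Tuple[str, float, str]]:
    """Return (kind, timestamp, message) findings for deauths that look injected.

    Thresholds are illustrative; tune them against a capture of your own AP.
    """
    findings: List[Tuple[str, float, str]] = []
    last_seq: Dict[str, int] = {}                 # src -> seq of last genuine frame
    rssi_hist: Dict[str, List[int]] = {}          # src -> RSSI of genuine frames
    last_deauth: Dict[str, float] = {}            # src -> ts of last deauth
    pending: Dict[Tuple[str, str], float] = {}    # (src, dst) -> ts of deauth awaiting follow-up

    for f in sorted(frames, key=lambda x: x.ts):
        key = (f.src, f.dst)
        if f.subtype != "deauth":
            # A real AP does not keep sending to a client it just deauthed.
            if key in pending and f.ts - pending[key] <= overlap_window:
                findings.append(("overlap", f.ts,
                                 f"{f.src} sent {f.subtype} to {f.dst} {f.ts - pending[key]:.2f}s after deauthing it"))
                del pending[key]
            last_seq[f.src] = f.seq
            rssi_hist.setdefault(f.src, []).append(f.rssi)
            continue

        # Check 1: sequence number should continue the sender's genuine counter.
        if f.src in last_seq:
            d = seq_distance(last_seq[f.src], f.seq)
            if d == 0 or d > seq_window:
                findings.append(("seq", f.ts,
                                 f"deauth seq {f.seq} out of step with last genuine seq {last_seq[f.src]}"))

        # Check 2: a deauth from the AP should arrive at roughly the AP's signal strength.
        hist = rssi_hist.get(f.src)
        if hist:
            baseline = sum(hist) / len(hist)
            if abs(f.rssi - baseline) > rssi_tolerance:
                findings.append(("rssi", f.ts,
                                 f"deauth rssi {f.rssi} dBm vs baseline {baseline:.1f} dBm for {f.src}"))

        # Check 3: containment deauths spaced too far apart leave a usable window.
        if f.src in last_deauth and f.ts - last_deauth[f.src] > max_gap:
            findings.append(("gap", f.ts,
                             f"{f.ts - last_deauth[f.src]:.2f}s since previous deauth from {f.src}"))

        last_deauth[f.src] = f.ts
        pending[key] = f.ts
    return findings


def summarize(findings: List[Tuple[str, float, str]]) -> Dict[str, int]:
    """Count findings by kind."""
    return dict(Counter(kind for kind, _, _ in findings))


# Constructed sample capture: one AP, one client, two injected deauths and one genuine one.
AP, CLIENT = "02:00:00:00:aa:01", "02:00:00:00:cc:01"
SAMPLE = [
    Frame(0.00, AP, "ff:ff:ff:ff:ff:ff", "beacon", 100, -45),
    Frame(0.10, AP, CLIENT, "data", 101, -44),
    Frame(0.15, CLIENT, AP, "data", 40, -50),
    Frame(0.20, AP, CLIENT, "data", 102, -46),
    Frame(0.30, AP, CLIENT, "deauth", 7, -72),    # injected: seq jump, wrong RSSI
    Frame(0.35, AP, CLIENT, "data", 103, -45),    # AP keeps talking: overlap
    Frame(3.30, AP, CLIENT, "deauth", 9, -71),    # injected: seq, RSSI, 3.0s gap
    Frame(5.00, AP, CLIENT, "deauth", 104, -45),  # genuine: continues counter, matches RSSI
]

if __name__ == "__main__":
    for kind, ts, msg in analyze(SAMPLE):
        print(f"{ts:6.2f}  {kind:8s} {msg}")
    print(summarize(analyze(SAMPLE)))
```

On the sample the two injected deauths produce sequence, signal-strength and overlap or gap findings, while the genuine deauth at 5.00s produces none. Run the same checks over a capture of your own WIPS performing containment: any finding that fires consistently is a fingerprint the product is leaking.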

Check the paper for more details, including patching madwifi drivers to ignore deauths.