
Benny Bing

"Emerging Technologies in Wireless LANs: Theory, Design, and Deployment"


Using this method of signature analysis, a WIDS system could easily identify this
attack, while likely mitigating false-positive events. This highlights the major benefit of
signature analysis: it requires few resources to identify an attack, and
signatures can be developed rapidly.
Unfortunately, while signature analysis is useful for identifying attacks where
the adversary is using an unmodified attack tool, a cautious attacker may succeed in
evading detection with simple modifications to the attack tool. Figures 7.24 and 7.25 show
the original source and a minor modification to ChopChop, respectively.
481 // prepare the dmac
482 randomMAC(dmac);
483 if (smac) dmac[0]=0; // unicast
484 else dmac[0] = 0xff; // multicast
485 dmac[1] = dmac[1] & 0x7f; // not ff:ff:ff:ff:ff:ff
Figure 7.24: Source code excerpt from chopchop.c, original.
481 // prepare the dmac
482 randomMAC(dmac);
483 if (smac) dmac[0]=0; // unicast
484 else dmac[0] |= 0x10; // multicast
485 dmac[1] = dmac[1] & 0x7f; // not ff:ff:ff:ff:ff:ff
Figure 7.25: Source code excerpt from chopchop.c, modified.
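An added example (not from the book and not part of chopchop.c) of a destination-address signature of the kind the two figures imply, run against frames shaped like each variant to show why the match is brittle. The signature rule, the function names and the sample addresses are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed destination addresses (not captured traffic). */
const uint8_t DA_ORIG[6]  = {0xff, 0x3a, 0x91, 0x07, 0xc4, 0x5e}; /* Fig. 7.24 style */
const uint8_t DA_MOD[6]   = {0x5e, 0x3a, 0x91, 0x07, 0xc4, 0x5e}; /* Fig. 7.25 style */
const uint8_t DA_BCAST[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; /* normal broadcast */

/* Destination address of an 802.11 data frame, or NULL if not applicable.
 * DA is Address 1 (offset 4) when ToDS=0 and Address 3 (offset 16) when ToDS=1. */
const uint8_t *dot11_data_da(const uint8_t *f, size_t len)
{
    if (len < 24) return NULL;                   /* need a full 3-address header */
    if (((f[0] >> 2) & 0x3) != 2) return NULL;   /* frame type 2 = data */
    return (f[1] & 0x01) ? f + 16 : f + 4;       /* ToDS flag selects the field */
}

/* Assumed signature: DA starts with 0xff but is not ff:ff:ff:ff:ff:ff. */
bool sig_ff_nonbroadcast(const uint8_t *f, size_t len)
{
    const uint8_t *da = dot11_data_da(f, len);
    return da && da[0] == 0xff && memcmp(da, DA_BCAST, 6) != 0;
}

/* Wrap a DA in a constructed ToDS data-frame header and test the signature. */
bool sig_on_da(const uint8_t da[6])
{
    uint8_t f[24] = {0};
    f[0] = 0x08;             /* protocol version 0, type data, subtype 0 */
    f[1] = 0x41;             /* flags: ToDS | Protected */
    memcpy(f + 16, da, 6);   /* ToDS=1, FromDS=0: Address 3 carries the DA */
    return sig_ff_nonbroadcast(f, sizeof f);
}

int main(void)
{
    printf("original:  %s\n", sig_on_da(DA_ORIG)  ? "alert" : "no match");
    printf("modified:  %s\n", sig_on_da(DA_MOD)   ? "alert" : "no match");
    printf("broadcast: %s\n", sig_on_da(DA_BCAST) ? "alert" : "no match");
    return 0;
}
```

The rule keys on a single constant octet written by the tool, so a one-line source change removes the match while ordinary broadcast traffic is still correctly ignored.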
In Figure 7.24, line 484 sets the first octet of the destination MAC address to 0xff,
causing the frame to be recognized as multicast traffic, as we observed in the Wireshark
capture displayed in Figure 7.

