CLASS : a Cross-Layer Attack, Subtle and Simple


Alaeddine El Fawal
Supervised by: I. Aad, M. Cagalj, J.-P. Hubaux

I. Motivation:

Most of the traffic in wireless hot-spots is on the downlink. It consists mainly of HTTP and FTP sessions that rely on TCP connections. Consequently, the attacks mentioned in DOMINO [1] are no longer relevant. Those misbehaving techniques give the cheater higher priority in accessing the medium, either by reducing his contention window or by transmitting before DIFS. He can therefore improve his throughput on the uplink, whereas most of the traffic is on the downlink, and the AP does not cheat, given that it belongs to the ISP. Furthermore, when the cheater jams other nodes' packets in order to increase their contention window, if these frames are transmitted by the AP, his gain will surely be negative, since the AP will retransmit the jammed frames and all frames in the AP queue are delayed, including the cheater's frames.

We aim to find a new misbehaving method that applies to downlink traffic and guarantees higher throughput for the cheater. By cheating at the MAC level, a user is able to kill other TCP connections. Although the concept of attacking TCP connections is relatively old and was achieved by several tools such as dsniff, these tools are easy to detect and fail in some cases, such as in the presence of IPsec. Our work resulted in a very efficient attack on the downlink as well as on the uplink. Furthermore, it is not easy to detect. This will be the first attempt to kill TCP flows using MAC vulnerabilities.

II. Attack description:

II.1 Simple scenario:

Let us start with a simple case. Consider the scenario in Figure 1:

Figure 1: Simple cheating scenario. (Diagram labels: Sc, Mc, S, M, AP, Internet, FTP.)

Besides the access point (AP), we have 2 active mobiles in the BSS, one of which is a cheating node. Denote by M and Mc the well-behaved and the cheater nodes respectively. M and Mc are downloading files, running FTP applications, from the servers S and Sc respectively. Therefore the uplink traffic consists of TCP ACKs. Instead of decreasing his contention window to get more priority, Mc reasons that if he can kill the TCP connections of M, he will access the medium without any competition. To this end, Mc jams frames forwarded to M (or sent from M, in which case they contain TCP ACKs) and sends a MAC ACK to the AP (to M) on behalf of M (the AP). Consequently, the AP (M), which cannot detect the jamming while transmitting, decides that the frame was successfully transmitted, whereas it was not. Thus the TCP timer at S times out. If this timeout is repeated, S will reset the connection or declare the destination unreachable.

II.2 General Case:

The cheater filters all frames based on ADDR1 and ADDR3 of the MAC header; if a frame does not belong to him, he jams it with a probability x. x = 1 means the cheater jams all other nodes' packets.

III. Benefits:

In this way the cheater kills other TCP connections, thus the BSS load is reduced. Consequently, the competition to access the medium decreases, as does the probability of collision. Furthermore, the queuing time at the AP is reduced. This surely results in an increase of the cheater's throughput:

- Because of minimizing the loss probability (no drops at the AP)
- Because of reduced delays (no queuing time and no retransmission at MAC layer due to collision).

Note that jamming RTS or CTS frames does not achieve any benefit. One can notice that the cheater does not need to continuously jam packets, even with probability x. He may apply jamming periodically. So he has two parameters for this attack: x and the cheating period. Using these two parameters makes detection even more difficult.
IV. Simulation:

To simulate this attack, we implemented it in ns-2.27. The cheater jams only data packets sent by the AP. Jamming is done with probability x, which we set in the simulation script. The simulated scenario is the same as in Figure 1. Two mobile nodes, one of which is the cheater, are running FTP sessions with two servers on the downlink. The 2 mobiles work in DCF mode with the AP. The channel capacity is set to 1 Mbps. We used TCP NewReno with 1000-Byte packets. Results are averaged over 5 simulations. To examine the impact of this attack, we distinguish between 2 cases:

1. Immediate jamming: the cheater starts jamming with probability x at the beginning of the well-behaved TCP connection.

Figure 2: The cheater and the well-behaved nodes' throughputs vs. the percentage of (immediate) jamming.

In Figure 2, the cheater's and the well-behaved node's throughputs are drawn as a function of the jamming probability x. The results show the very harmful effect of the attack against TCP on the downlink. As soon as x = 35%, the cheater has the medium for his.

2. Delayed jamming (after warm-up): In this case, the cheater lets the well-behaved node's connection warm up, and then he starts his attack. Clearly, this case is more challenging, and it shows the efficiency of this attack even after this delay.

Figure 3: The cheater and the well-behaved nodes' throughputs vs. the percentage of (delayed) jamming.

Figure 3 shows that even though jamming started after a warm-up period, it is very harmful. When x reaches 40%, the cheater has the major share of the channel data rate.

V. The hidden node case:

In spite of its efficiency, the attack will fail in the presence of hidden nodes, the traditional WLAN problem. Consider the scenario in Figure 4, where a well-behaved node M hears the AP but not the cheater Mc, and vice versa. Without using RTS/CTS, Mc tries to jam the AP frames that are forwarded to M, but M still receives the packets properly. When using RTS/CTS, Mc hears the RTS but not the CTS, so he knows that he will gain nothing by jamming the data frame. Note that this problem can easily be overcome by increasing the cheater's power.

Figure 4: Problem of hidden node. (Diagram labels: M, AP, Mc.)

VI. Multiple cheaters:

An intuitive result of multiple cheaters is network collapse. We can study this case using the same steps as in the paper "On cheating in CSMA/CA ad hoc networks" [2], but we have to make some modifications to the analytical model, which does not hold any more. One example is that, to determine an expression for node throughput, we have to use the TCP throughput expression as a function of the loss probability and the average RTT. Another problem is that we need, in order to carry out this study, to detect the cheating. The move of a player is now, instead of decreasing the contention window, changing the probability of jamming x. The cheating period depends on the algorithm used in TCP.

VII. Detection:

Existing DOMINO mechanisms are not relevant to the proposed attack. At the MAC level, we encounter the following main problems:

- How to distinguish between jamming and collision.
- Even when jamming is detected, the cheater is still unknown.
- With downlink jamming, neither jamming nor collision can be detected near the AP.

These problems make detection too difficult at the MAC layer. The strength of this attack resides in its transparency to the MAC and TCP layers. By modifying 802.11, we can find many ways to detect or avoid it, such as using NACK, but this is practically infeasible. The challenge is to detect the attack without modifying 802.11.

VIII. Conclusions:

Briefly, this is the first attempt that combines 802.11 vulnerabilities to attack TCP connections. The attack is completely transparent to the TCP and MAC layers; jamming is considered a normal collision and the MAC ACK is not authenticated. Therefore the attack is not easy to detect. It is very efficient on the downlink as well as on the uplink. We should note that it is more harmful to TCP flows, which form an important fraction of Internet traffic, than to UDP ones. The attack is simulated using ns-2.27, and the results show its high efficiency.

References

[1] M. Raya, J.-P. Hubaux and I. Aad, "DOMINO: A system to detect greedy misbehavior in IEEE 802.11 hotspots", to appear in MobiSys 2004.
[2] M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux, "On cheating in CSMA/CA ad hoc networks", pending submission.
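
Added example, not part of the original paper and not the authors' detection method: section VII leaves detection without modifying 802.11 as an open challenge, and section II.1 says the AP records a jammed frame as delivered while S times out and resends. The Python below checks for that mismatch at the AP by counting MAC-ACKed TCP segments that the wired side sends again. The record format, addresses, thresholds and the assumption that TCP sequence numbers are visible at the AP (no IPsec) are constructed for illustration.

```python
from collections import defaultdict

M = "02:00:00:00:00:0a"   # constructed address for a well-behaved station
B = "02:00:00:00:00:0b"   # constructed address for a second station

# Constructed AP-side records, one per downlink TCP data frame handed to the
# MAC layer: (time_s, dst_mac, tcp_seq, mac_acked). Not real capture data.
SAMPLE = [
    (0.00, M, 1000, True), (0.01, M, 2000, True),
    (0.02, M, 3000, True), (0.03, M, 4000, True),
    (1.20, M, 2000, True),   # server timed out and resent a MAC-ACKed segment
    (1.21, M, 3000, True),
    (3.60, M, 3000, True),   # second timeout for the same segment
    (0.00, B, 500, True),
    (0.02, B, 1500, False),  # ordinary collision: no MAC ACK came back
    (0.03, B, 1500, True),   # MAC retry succeeded, not a TCP retransmission
    (0.04, B, 2500, True), (0.05, B, 3500, True),
]

def acked_but_resent(records, min_segments=4, threshold=0.25):
    """Map dst_mac -> share of MAC-ACKed segments that the wired side sent again.

    A MAC ACK normally means the station received the frame, so the TCP sender
    should rarely have to resend it. A high share marks a flow whose MAC ACKs
    cannot be trusted; it does not say which node produced them.
    """
    acked = defaultdict(set)    # dst -> sequence numbers seen MAC-ACKed
    resent = defaultdict(set)   # dst -> MAC-ACKed sequence numbers seen again
    for _, dst, seq, mac_acked in sorted(records):
        if seq in acked[dst]:
            resent[dst].add(seq)
        if mac_acked:
            acked[dst].add(seq)
    flagged = {}
    for dst, seqs in acked.items():
        if len(seqs) < min_segments:
            continue            # too few segments to judge this flow
        ratio = len(resent[dst]) / len(seqs)
        if ratio >= threshold:
            flagged[dst] = round(ratio, 2)
    return flagged

if __name__ == "__main__":
    print(acked_but_resent(SAMPLE))
```

Ordinary TCP retransmissions, such as those caused by loss on the wired path, also raise this share, so the threshold has to be calibrated against a baseline for the hot-spot.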