CLASS: a Cross-Layer Attack, Subtle and Simple

Alaeddine El Fawal
Supervised by: I. Aad, M. Cagalj, J.-P. Hubaux

I. Motivation

Most of the traffic in wireless hot-spots is on the downlink. It consists mainly of HTTP and FTP sessions that rely on TCP connections. Consequently, the attacks mentioned in DOMINO [1] are not relevant anymore. Indeed, these misbehaving techniques give the cheater more priority to access the medium, either by reducing his contention window or by transmitting before DIFS. Therefore, he is able to improve his throughput on the uplink, whereas most of the traffic is downlink and the AP does not cheat, given that it belongs to the ISP. Furthermore, when the cheater jams other nodes' packets in order to increase their contention window, and these frames are transmitted by the AP, his gain will surely be negative: the AP retransmits the jammed frames, and all frames in the AP queue are delayed, including the cheater's frames.

We aim to find a new misbehaving method that applies to downlink traffic and guarantees higher throughput for the cheater. By cheating at the MAC level, a user is able to kill other TCP connections. Although the concept of attacking TCP connections is relatively old and was achieved by several tools like dsniff, these tools are easy to detect and fail in some cases, such as in the presence of IPsec. Our work resulted in a very efficient attack on the downlink as well as on the uplink. Furthermore, it is not easy to detect. This is the first attempt to kill TCP flows using MAC vulnerabilities.

II. Attack description

II.1 Simple scenario

Let us start with a simple case. Consider the scenario in Figure 1.

[Figure 1: Simple cheating scenario. Nodes shown: servers S and Sc on the Internet, the AP, and mobiles M and Mc running FTP.]
Besides the access point (AP), we have 2 active mobiles in the BSS, one of which is a cheating node. Denote by M and Mc the well-behaved and the cheater nodes respectively. M and Mc are downloading files, running FTP applications, from the servers S and Sc respectively. Therefore the uplink traffic consists of TCP ACKs. Instead of decreasing his contention window to get more priority, Mc reasons that if he can kill the TCP connections of M, he will access the medium without any competition. To this end, Mc jams frames forwarded to M (or sent from M, in which case they contain TCP ACKs) and sends a MAC ACK to the AP (to M) on behalf of M (AP). Consequently, the AP (M), which cannot detect the jamming while transmitting, decides that the frame was successfully transmitted, whereas this is not the case. Thus the TCP timer at S times out. If this timeout is repeated, S resets the connection or declares the destination unreachable.

II.2 General case

The cheater filters all frames based on ADDR1 and ADDR3 of the MAC header; if the frame does not belong to him, he jams it with a probability x. x = 1 means the cheater jams all other nodes' packets.

III. Benefits

In this way the cheater kills other TCP connections, thus the BSS load is reduced. Consequently, the competition to access the medium decreases, as does the probability of collision. Furthermore, the queuing time at the AP is reduced. This surely results in an increase of the cheater's throughput:
- because the loss probability is minimized (no drops at the AP);
- because delays are reduced (no queuing time and no retransmission at the MAC layer due to collision).

Note that jamming RTS or CTS frames does not achieve any benefit. One can notice that the cheater does not need to continuously jam packets, even with probability x. He may apply jamming periodically. So he has two parameters for this attack: x and the cheating period. Using these two parameters makes detection even more difficult.
IV. Simulation

To simulate this attack, we implemented it in ns-2.27. The cheater jams only data packets sent by the AP. Jamming is performed with probability x, which we set in the simulation script. The simulated scenario is the same as in Figure 1. Two mobile nodes, one of which is the cheater, are running FTP sessions with two servers on the downlink. The 2 mobiles work in DCF mode with the AP. The channel capacity is set to 1 Mbps. We used TCP NewReno with 1000-byte packets. Results are averaged over 5 simulations. To examine the impact of this attack, we distinguish between 2 cases:
1. Immediate jamming: the cheater starts jamming with probability x at the beginning of the well-behaved TCP connection.

[Figure 2: The cheater's and the well-behaved node's throughputs vs. the percentage of (immediate) jamming.]

In Figure 2, the cheater's and the well-behaved node's throughputs are drawn as a function of the jamming probability x. The results show the very harmful effect of the attack against TCP on the downlink. As soon as x = 35%, the cheater has the medium for himself.

2. Delayed jamming (after warm-up): in this case, the cheater lets the well-behaved node's connection warm up, and then he starts his attack. Clearly, this case is more challenging, and it shows the efficiency of this attack even after this delay.
[Figure 3: The cheater's and the well-behaved node's throughputs vs. the percentage of (delayed) jamming.]

Figure 3 shows that even though jamming started after a warm-up period, it is very harmful. When x reaches 40%, the cheater has the major share of the channel data rate.

V. The hidden node case

In spite of its efficiency, the attack fails in the presence of hidden nodes, the traditional WLAN problem. Consider the scenario in Figure 4, where a well-behaved node M hears the AP but not the cheater Mc, and vice versa. Without RTS/CTS, Mc tries to jam the AP frames that are forwarded to M, but M still receives the packets properly. When RTS/CTS is used, Mc hears the RTS but not the CTS, so he knows that he will gain nothing by jamming the data frame. Note that this problem can easily be overcome by increasing the cheater's power.

[Figure 4: Problem of hidden node. Nodes shown: M, AP, Mc.]
VI. Multiple cheaters

An intuitive result of multiple cheaters is network collapse. We can study this case using the same steps as in the paper "On cheating in CSMA/CA Ad Hoc networks" [2], but some modifications to the analytical model are needed, since it does not hold any more. One example is that, to determine an expression for node throughput, we have to use the TCP throughput expression as a function of the loss probability and the average RTT. Another problem is that, in order to carry out this study, we need to detect the cheating. The move of a player is now, instead of decreasing the contention window, changing the jamming probability x. The cheating period depends on the algorithm used in TCP.

VII. Detection

Existing DOMINO mechanisms do not apply to the proposed attack. At the MAC level, we encounter the following main problems:
- how to distinguish between jamming and collision;
- even when jamming is detected, the cheater is still unknown;
- for downlink jamming, neither jamming nor collision can be detected near the AP.

These problems make detection very difficult at the MAC layer. The strength of this attack resides in its transparency to the MAC and TCP layers. By modifying 802.11, we can find many ways to detect or avoid it, such as using NACKs, but this is practically unfeasible. The challenge is to detect the attack without modifying 802.11.

VIII. Conclusions

Briefly, this is the first attempt that combines 802.11 vulnerabilities to attack TCP connections. The attack is completely transparent to the TCP and MAC layers; jamming is considered a normal collision and the MAC ACK is not authenticated. Therefore the attack is not easy to detect. It is very efficient on the downlink as well as on the uplink. We should note that it is more harmful to TCP flows, which form an important fraction of Internet traffic, than to UDP ones. The attack was simulated using ns-2.27, and the results show its high efficiency.

References

[1] M. Raya, J.-P. Hubaux and I. Aad, "DOMINO: A system to detect greedy misbehavior in IEEE 802.11 hotspots," to appear in MobiSys 2004.
[2] M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux, "On cheating in CSMA/CA ad hoc networks," pending submission.
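Returning to the detection problem of Section VII: the attack is invisible at the MAC layer because a jammed frame is covered by a forged MAC ACK, but the AP also forwards the TCP stream, so it can observe whether a MAC-acknowledged segment is ever acknowledged at the TCP level on the uplink. The following is an added illustration of that cross-layer check at the AP, not code from the paper or its ns-2 implementation; the trace records, station labels, the 0.3 threshold and the 5-segment minimum are all constructed assumptions. It points at the victim station, not the cheater, which is exactly the limitation Section VII notes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One downlink TCP segment as seen by the AP (constructed record format)."""
    dst: str          # destination station label
    seq: int          # TCP sequence number carried in the frame
    mac_acked: bool   # the AP received an 802.11 ACK for this data frame
    tcp_acked: bool   # a cumulative TCP ACK covering seq later crossed the uplink


# Constructed sample trace, not output of the paper's ns-2 runs.
# Station M: every frame is MAC-acknowledged, yet 6 of 10 segments are never
# acknowledged by TCP, the signature of a forged MAC ACK after a jammed frame.
# Station Mc: one genuine collision (no MAC ACK, frame retried), all else fine.
TRACE = [
    Segment("M", 1000, True, True),  Segment("M", 2000, True, False),
    Segment("M", 3000, True, False), Segment("M", 4000, True, True),
    Segment("M", 5000, True, False), Segment("M", 6000, True, False),
    Segment("M", 7000, True, True),  Segment("M", 8000, True, False),
    Segment("M", 9000, True, False), Segment("M", 10000, True, True),
    Segment("Mc", 1000, True, True), Segment("Mc", 2000, False, False),
    Segment("Mc", 2000, True, True), Segment("Mc", 3000, True, True),
    Segment("Mc", 4000, True, True), Segment("Mc", 5000, True, True),
    Segment("Mc", 6000, True, True),
]


def silent_loss_ratio(trace, station):
    """Fraction of MAC-acknowledged segments to `station` that TCP never
    acknowledged. An honest collision leaves no MAC ACK and is retried by
    802.11, so it is excluded; a jammed frame hidden by a forged MAC ACK is
    dropped silently and shows up only in this ratio."""
    acked = [s for s in trace if s.dst == station and s.mac_acked]
    if not acked:
        return 0.0
    return sum(1 for s in acked if not s.tcp_acked) / len(acked)


def flag_victims(trace, threshold=0.3, min_segments=5):
    """Stations whose silent-loss ratio reaches `threshold` over at least
    `min_segments` MAC-acked segments (both values are assumed, not tuned).
    This names the victim, not the cheater, and a faulty or overloaded
    station can trip it too, so treat it as a trigger for closer inspection."""
    stations = sorted({s.dst for s in trace})
    return [st for st in stations
            if sum(1 for s in trace if s.dst == st and s.mac_acked) >= min_segments
            and silent_loss_ratio(trace, st) >= threshold]


if __name__ == "__main__":
    for st in sorted({s.dst for s in TRACE}):
        print(f"{st}: silent loss ratio = {silent_loss_ratio(TRACE, st):.2f}")
    print("stations to inspect:", flag_victims(TRACE))
```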