Wireless Network Security Spring 2012

Similar documents
Wireless Network Security Spring 2013

Wireless Network Security Spring 2014

Wireless Network Security Spring 2015

Wireless Network Security Spring 2011

DOMINO: A System to Detect Greedy Behavior in IEEE Hotspots

Mohammad Hossein Manshaei

Mohamed Khedr.

CSE 461: Wireless Networks

Lecture 16: QoS and "

Unit 7 Media Access Control (MAC)

MAC in /20/06

Wireless Networks (MAC)

CS 348: Computer Networks. - WiFi (contd.); 16 th Aug Instructor: Sridhar Iyer IIT Bombay

Wireless Networks (MAC) Kate Ching-Ju Lin ( 林靖茹 ) Academia Sinica

MAC. Fall Data Communications II 1

Wireless Local Area Networks (WLANs) Part I

CSC344 Wireless and Mobile Computing. Department of Computer Science COMSATS Institute of Information Technology

Logical Link Control (LLC) Medium Access Control (MAC)

Attacks on WLAN Alessandro Redondi

Medium Access Control. MAC protocols: design goals, challenges, contention-based and contention-free protocols

Local Area Networks NETW 901

CMPE 257: Wireless and Mobile Networking

Introduction to Wireless Networking CS 490WN/ECE 401WN Winter Lecture 4: Wireless LANs and IEEE Part II

Outline / Wireless Networks and Applications Lecture 9: Wireless LANs Aloha and 802 Wireless. Regular Ethernet CSMA/CD

Wireless LANs. ITS 413 Internet Technologies and Applications

Mobile & Wireless Networking. Lecture 7: Wireless LAN

CSCD 433 Network Programming Fall Lecture 7 Ethernet and Wireless

Remarks On Per-flow Differentiation In IEEE

ICE 1332/0715 Mobile Computing (Summer, 2008)

IEEE Medium Access Control. Medium Access Control

standard. Acknowledgement: Slides borrowed from Richard Y. Yale

CS263: Wireless Communications and Sensor Networks

Final Exam: Mobile Networking (Part II of the course Réseaux et mobilité )

ECE442 Communications Lecture 3. Wireless Local Area Networks

Topics for Today. More on Ethernet. Wireless LANs Readings. Topology and Wiring Switched Ethernet Fast Ethernet Gigabit Ethernet. 4.3 to 4.

CSE 6811 Ashikur Rahman

Rahman 1. Application

Performance anomaly of b

Overview : Computer Networking. Spectrum Use Comments. Spectrum Allocation in US Link layer challenges and WiFi WiFi

Chapter 6 Wireless and Mobile Networks. Csci 4211 David H.C. Du

Multiple Access Links and Protocols

Introduction to IEEE

Medium Access Control (MAC) Protocols for Ad hoc Wireless Networks -IV

High Performance Distributed Coordination Function for Wireless LANs

The MAC layer in wireless networks

Wireless Local Area Network (IEEE )

Wireless Networking & Mobile Computing

Computer Networks. Wireless LANs

Lesson 2-3: The IEEE x MAC Layer

Mohammad Hossein Manshaei 1393

Lecture 24: CSE 123: Computer Networks Stefan Savage. HW4 due NOW

IEEE , Token Rings. 10/11/06 CS/ECE UIUC, Fall

Data Communications. Data Link Layer Protocols Wireless LANs

IEEE MAC Sublayer (Based on IEEE )

4.3 IEEE Physical Layer IEEE IEEE b IEEE a IEEE g IEEE n IEEE 802.

Announcements / Wireless Networks and Applications Lecture 9: Wireless LANs Wireless. Regular Ethernet CSMA/CD.

Wireless Network Security Spring 2011

Department of Electrical and Computer Systems Engineering

Figure.2. Hidden & Exposed node problem

Lecture 25: CSE 123: Computer Networks Alex C. Snoeren. HW4 due NOW

Computer Communication III

The MAC layer in wireless networks

Resource sharing optimality in WiFi infrastructure networks

Media Access Control in Ad Hoc Networks

ICE 1332/0715 Mobile Computing (Summer, 2008)

Nomadic Communications WLAN MAC Fundamentals

Medium Access Control Sublayer

Outline. CS5984 Mobile Computing. IEEE 802 Architecture 1/7. IEEE 802 Architecture 2/7. IEEE 802 Architecture 3/7. Dr. Ayman Abdel-Hamid, CS5984

WiFi Networks: IEEE b Wireless LANs. Carey Williamson Department of Computer Science University of Calgary Winter 2018

Wireless Communications

A Study of Jamming Attacks in IEEE Networks. Deepak Nadig Anantha

Advanced Computer Networks WLAN

Data and Computer Communications. Chapter 13 Wireless LANs

AIMAC: An Auction-Inspired MAC Protocol

CMPE 257: Wireless and Mobile Networking

Telecommunication Protocols Laboratory Course. Lecture 2

Wireless Network and Mobility

Embedded Internet and the Internet of Things WS 12/13

Fairness in the IEEE network. Shun Y. Cheung

Wireless MACs: MACAW/802.11

Announcements: Assignment 4 due now Lab 4 due next Tuesday Assignment 5 posted, due next Thursday

ECEN 5032 Data Networks Medium Access Control Sublayer

DOMINO: A System to Detect Greedy Behavior in IEEE Hotspots

CS/ECE 439: Wireless Networking. MAC Layer Road to Wireless

Mobile Communications Chapter 7: Wireless LANs

Cross-layer attacks in wireless ad hoc networks 1

Multi-Channel MAC for Ad Hoc Networks: Handling Multi-Channel Hidden Terminals Using A Single Transceiver

15-441: Computer Networking. Wireless Networking

Page 1. Outline : Wireless Networks Lecture 11: MAC. Standardization of Wireless Networks. History. Frequency Bands

B. Bellalta Mobile Communication Networks

E-BEB Algorithm to Improve Quality of Service on Wireless Ad-Hoc Networks

Wireless Local Area Networks (WLANs)) and Wireless Sensor Networks (WSNs) Computer Networks: Wireless Networks 1

Chapter 6 Medium Access Control Protocols and Local Area Networks

Wireless Challenges : Computer Networking. Overview. Routing to Mobile Nodes. Lecture 25: Wireless Networking

Caveat. Much of security-related stuff is mostly beyond my expertise. So coverage of this topic is very limited

Medium Access Control. IEEE , Token Rings. CSMA/CD in WLANs? Ethernet MAC Algorithm. MACA Solution for Hidden Terminal Problem

Performance analysis of Internet applications over an adaptive IEEE MAC architecture

Enhancing the DCF mechanism in noisy environment

Transmission Control Protocol over Wireless LAN

Efficient Power MAC Protocol in Ad-hoc Network s

Transcription:

Wireless Network Security 14-814 Spring 2012 Patrick Tague Class #10 MAC Layer Misbehavior

Announcements I'll be in Pittsburgh Feb 28-29 If you or your project team would like to meet, email me to schedule a time If you haven't signed up for a survey, please do so soon. Available: 3/1, 3/6, 3/8, and 3/27 TBD dates in April if you have a suitable topic

MAC Layer Misbehavior Theme: offensive techniques for protocol misbehavior at the MAC layer and detection of such behaviors in 802.11 networks Papers: Čagalj et al., On Cheating in CSMA/CA Ad Hoc Networks, EPFL-IC Tech. Report IC/2004/27 (similar to version from INFOCOM 2005). Raya et al., DOMINO: Detecting MAC Layer Greedy Behavior in IEEE 802.11 Hotspots, IEEE Trans. Mobile Computing, v. 5, n. 12, Dec. 2006. Broustis et al., FIJI: Fighting Implicit Jamming in 802.11 WLANs, SecureComm 2009.

IEEE 802.11 Infrastructure mode Many stations share an AP connected to Internet Distributed coordination function (DCF) Point control functions (PCF) Rarely used due to inefficiency, vague standard specification, and lack of interoperability support Ad hoc mode Multi-hop, no infrastructure, no Internet Never really picked up commercially Mesh mode (using 802.11s) Potential...on the horizon

802.11 MAC Responsibilities of the MAC layer Logical responsibilities Addressing Fragmentation Error detection, correction, and management Timing responsibilities Channel management Link flow control Collision avoidance Today, we focus on timing-based vulnerabilities

CSMA Carrier Sense Multiple Access Listen to the channel before transmitting If channel is quiet, transmit After a short delay (DIFS = DCF Inter-Frame Spacing) If channel is busy: Wait until it's quiet for a DIFS period Wait for random backoff period Send if still quiet Wait for ACK or retransmit using random backoff

DCF Operation using CSMA Sender 1 DIFS Data Receiver SIFS ACK Sender 2 NAV DIFS time

Random Backoff Reduce the chance of collisions Each device must wait a random duration depending on past contention use contention window CW If medium is busy: Wait for DIFS period Set backoff counter randomly in CW Transmit after counter time expires After failed retransmissions: Increase CW exponentially 2 n -1 from CW min to CW max, e.g., 7 15 31

Collision Avoidance Attempt to make channel reservation to avoid collisions by other senders Request to Send (RTS) Before transmitting data, sender transmits RTS Clear to Send (CTS) Receiver transmits CTS to tell sender to proceed RTS and CTS uses shorter IFS (SIFS < DIFS) to give priority over data packets RTS CTS CTS S1 R S2

RTS/CTS Usage S1 R1 DIFS Backoff RTS SIFS CTS SIFS Data SIFS ACK S2 R2 NAV DIFS Backoff Data SIFS ACK time RTS/CTS is not required S1-R1 use RTS/CTS, S2-R2 do not

MAC Layer Misbehavior 802.11 DCF works well under the assumption that everyone plays nicely together However, selfish and malicious nodes are free to arbitrarily break the rules

MAC Jamming DCF structure and behavior gives advantages to jamming attackers Jamming after RTS (and SIFS period) blocks CTS (prevents data flow) and occupies channel (prevents other senders from using it) Low duty-cycle attack order-of-magnitude efficiency gain S1 R1 DIFS RTS SIFS CTS DIFS Backoff Backoff RTS SIFS CTS J

MAC Blocking DCF structure and behavior gives advantages to other DoS attackers RTS/CTS flooding - repeated sending of RTS/CTS exchanges while other senders obey the rules Modified/zero backoff allows attacker to win M DIFS RTS SIFS CTS DIFS RTS SIFS CTS S1 NAV S2 NAV

MAC Greed w/ Jamming Greedy/malicious sources can block or collide with other sources, causing their sending rates to decrease Gives more opportunity to greedy source S1 R1 DIFS Backoff RTS SIFS CTS Lost CTS increase CW more BW for MS/MR MS MR DIFS Backoff Data SIFS ACK

MAC Greed w/ Parameters Greedy/malicious sources can manipulate protocol parameters for unfair resource usage S1 R1 DIFS Backoff = 7 DIFS Backoff = 4 Data SIFS ACK MS MR DIFS Backoff = 3 Data SIFS ACK Artificially low/non-random backoff high success rate more BW for MS/MR

Cheating in CSMA/CA [Čagalj et al., 2004] CSMA/CA was designed with the assumption that the nodes would play by the rules MAC cheaters deliberately fail to follow the IEEE 802.11 protocol, in particular in terms of the contention window size and backoff

N tx-rx pairs in a single collision domain, using 802.11, C of N are cheaters with control of MAC layer parameters Cheaters want to maximize avg. throughput r i As a game: System Game Model Each player (cheater) adjusts its contention window size W i to maximize utility U i = r i Players react to changes of remaining N-C users who play by the rules Authors analyze relationships between throughput and contention window sizes

Single Static Cheater First case: a single cheater with a fixed strategy (i.e. makes a decision and sticks with it) A single cheater gets best throughput at W i =1 In fact, W i =1 is the Nash Equilibrium for the static game with C=1

Multiple Static Cheaters Second case: many cheaters with fixed strategy 2.1 Cheaters don't know about each other 2.2 Cheaters are aware of cheater v. cheater competition in forming strategies Window size W i =1 is no longer optimal

Dynamic Cheating Game In the dynamic game, cheaters can change their strategy in response to other players (including other cheaters) A penalty is enforced on the utility function, so cheaters converge to the optimal operating point Cooperative cheaters can inflict the penalty on non-cooperative cheaters by jamming their packets

Distributed/Adaptive Cheating Cheaters can observe actual throughput and jamming to adapt contention window size Cheaters are forced to cooperate or get lower throughput due to penalization from other cheaters

Detecting Greedy Behavior [Raya et al., 2006] Detection Of greedy behavior in the Mac layer of Ieee 802.11 public NetwOrks (DOMINO) Software installed at/near the access point that can detect and identify greedy players No changes to software of benign players

DOMINO Architecture

Behavior Tests The DOMINO-enabled AP performs a number of behavioral tests as a decision-making basis Scrambled / re-transmitted frames Shorter than DIFS Oversized NAV Observed back-off Consecutive back-off

UDP vs. TCP Traffic Impact of misbehavior varies for different types of target traffic Disparity between cheater and benign users is higher in UDP case

UDP vs. TCP Detection Traffic type also has significant impact on detection capabilities of DOMINO Actual back-off test in UDP vs. Consecutive back-off test in TCP TCP congestion control causes additional timing-related behaviors that can cause detection error

Further Discussions in Paper The DOMINO paper talks about a lot of different types of misbehavior Jamming attacks, timing misbehavior, etc. Design of a deployable system Lots of design parameters to choose Analysis of numerous types of misbehavior Incorporation of security mechanisms, quality of service, wireless error scenarios (e.g., hidden terminal)

Fairness in 802.11 802.11 incorporates various fairness mechanisms Provides fairness regardless of connection quality Allows low-quality connections to occupy the medium for much longer than high-quality connections

Implicit Jamming in 802.11 [Broustis et al., 2009] 802.11 has a built-in fairness mechanism that basically allows all users to get the same longterm throughput A clever attacker can take advantage of this property to deny service to others by jamming a single user Degradation of the single user effectively starves the other users Jamming an end node is not necessarily observable by the AP, so detection is much harder

Implicit Jamming Low-power jammer attacks a single nearby node, degrades throughput for every user using the same AP

Mitigating Implicit Jamming FIJI: anti-jamming mitigation of the implicit jamming attack Goal 1: ensure that nodes not under attack are not indirectly affected by the attack Goal 2: ensure that the maximum amount of traffic is delivered to the node under attack, given that the node is under attack Both goals rely on explicit detection of the jamming attack

FIJI Detection Component Detection module Since FIJI is run/managed entirely at the AP, detection must also take place there; not typical jamming attack detection Standard jamming detection mechanisms (e.g., using RSSI+PDR) don't apply, need other metrics Instead, look for changes in transmission delay Very large increment in measured transaction time indicates the node is under attack

FIJI Traffic Component Adjust the traffic patterns to all clients based on detection events Trivial solution: don't send any data to jammed clients, but this is unfair and could lead to big problems if any detection errors occur Accept traffic degradation to attacked node, but keep traffic patterns constant for other nodes Two approaches to deal with the attacked node: Adjust the data packet size: shorter packet fragments are more likely to get through Adjust the data rate: send to the jammed nodes less often

FIJI Evaluation

Summary Discussed three papers that discuss MAC layer cheating, attacks, and detection Game theoretic modeling of rational cheating Čagalj et al., On Cheating in CSMA/CA Ad Hoc Networks, EPFL-IC Tech. Report IC/2004/27 (~INFOCOM 2005). Detecting misbehavior with tests Raya et al., DOMINO: Detecting MAC Layer Greedy Behavior in IEEE 802.11 Hotspots, IEEE Trans. Mobile Computing, v. 5, n. 12, Dec. 2006. Implicit jamming leveraging 802.11 fairness Broustis et al., FIJI: Fighting Implicit Jamming in 802.11 WLANs, SecureComm 2009.

Next Time Feb 23: Distributed addressing Addressing challenges in distributed networks Attacks on address auto-configuration protocols Secure address auto-configuration

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback