Doctoral School
ICI
Course Project
Self Organized Networks
CLASS : a Cross-Layer Attack,
Subtle and Simple
Alaeddine EL-FAWAL
LCA: Laboratory for Computer Communications and Applications
February 6th, 2004
OUTLINE
Facts and Objectives
Related Work
Motivation for our Proposal
Our Attack
Simulation
Detection
Perspectives
Conclusions
Facts & Objectives
Facts:
Hotspots anywhere
24,000 world-wide soon
100 so far in Switzerland
Given the limited bandwidth:
Attacks are beneficial!! (gain in bandwidth and money)
At the network layer: well discussed in the literature
What about the MAC layer? Rarely discussed
MAC layer protocol: 802.11
Objectives:
Find vulnerabilities in 802.11.
Protect 802.11.
We are concerned with rational behavior (a cheater that deviates only when it gains).
Facts & Objectives
Misbehavior scenario
[Figure: a cheater sharing the channel with well-behaved nodes]
Related Work
Existing Attacks (rational cheater)
Mainly based on manipulating the backoff time / DIFS:
Decreasing backoff / DIFS → increasing priority
A cheater can:
Change his own parameters:
Reduce the contention window.
Transmit before DIFS expires.
...
→ increases the cheater's priority
Act directly against other nodes:
Selectively scramble others' packets.
Others will increase their contention windows.
→ decreases other nodes' priorities
Related Work
Existing Solutions
1 - Proposed by Kyasanur and Vaidya:
Concept: the receiver assigns backoff values to the sender
Detection: compare expected and observed backoffs
Correction: assign a penalty to the cheater
Drawbacks:
Modification of IEEE 802.11
The receiver can control the sender
Handles only one traffic pattern
Handles only one type of misbehavior
Related Work
Existing Solutions
2 - DOMINO solutions:
1. Station sends before DIFS:
• Easily detectable after a few packets
2. CTS/ACK scrambling:
• Detectable using the number of retransmissions
3. Manipulated backoff: more subtle
• Detection metrics
a) Throughput and delay? NO, because they are:
Traffic dependent
Subject to many factors
b) Backoff? YES, but:
Cannot be distinguished if the sender has large delays
Collisions lead to confusing situations
Motivation for our Proposal
The Above Attacks
The above attacks are on the uplink (cheater → AP).
Realistic traffic:
Downlink (AP → nodes)
AP belongs to the ISP: trusted node.
The above attacks are not relevant anymore.
Furthermore:
90% of traffic is TCP (HTTP, FTP, ...)
To kill TCP connections: network layer attacks (e.g. dsniff's tcpkill)
BUT
They fail in presence of authentication (IPsec).
Motivation for our Proposal
Our Proposal
An efficient, smart attack against TCP on the downlink.
At the MAC layer.
First attack that combines 802.11 and TCP vulnerabilities.
Transparent to TCP and MAC:
Hard to detect.
Efficient even when IPsec is used (the attack never touches packet contents).
Our Attack
Uses the following 802.11 vulnerability:
MAC frame header:
The acknowledging station simply copies the transmitter address (here the AP) into the ACK's receiver address.
MAC-ACK:
No authentication, no source address: any station can send the ACK the AP expects.
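Added example (not from the original slides and not the author's ns-2 code): constructing, in Python, the downlink data frame and the 14-byte MAC-ACK the AP expects for it, to show that the ACK carries only the copied transmitter address and a CRC-32 FCS, so the cheater can produce a bit-identical ACK after jamming the frame. Addresses, payload and sequence number are constructed for the example.

```python
"""802.11 MAC-ACK forgery: the ACK has a receiver address (RA) only,
copied from Address 2 (TA) of the acknowledged frame, and no
authentication.  Constructed addresses, not real ones."""
import struct
import zlib

AP_ADDR = bytes.fromhex("0011223344aa")      # constructed BSSID / transmitter
VICTIM_ADDR = bytes.fromhex("00aabbccddee")  # constructed well-behaved node

FC_DATA_FROMDS = b"\x08\x02"  # type=data, subtype=0, flags: FromDS=1
FC_ACK = b"\xd4\x00"          # type=control (01), subtype=ACK (1101)


def fcs(frame_without_fcs: bytes) -> bytes:
    """802.11 FCS: CRC-32 over header and body, sent little-endian."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def build_downlink_data(dst: bytes, payload: bytes, seq: int, duration: int = 0) -> bytes:
    """AP -> station data frame: Address1=RA (dst), Address2=TA (AP), Address3=SA (AP)."""
    hdr = (FC_DATA_FROMDS + struct.pack("<H", duration)
           + dst + AP_ADDR + AP_ADDR + struct.pack("<H", seq << 4))
    body = hdr + payload
    return body + fcs(body)


def parse_data_header(frame: bytes) -> dict:
    """The fields the attack cares about: RA, TA and whether the FCS checks."""
    return {
        "fc": frame[0:2],
        "ra": frame[4:10],
        "ta": frame[10:16],
        "fcs_ok": fcs(frame[:-4]) == frame[-4:],
    }


def build_ack(ta_of_acked_frame: bytes, duration: int = 0) -> bytes:
    """ACK = FC(2) + Duration(2) + RA(6) + FCS(4).  Nothing identifies the sender."""
    body = FC_ACK + struct.pack("<H", duration) + ta_of_acked_frame
    return body + fcs(body)


def forge_ack_for(frame: bytes) -> bytes:
    """What the cheater does after jamming the frame: ACK it on the victim's behalf."""
    return build_ack(parse_data_header(frame)["ta"])


def ap_would_accept(ack: bytes, expected_ta: bytes) -> bool:
    """The AP's entire check: it is an ACK, RA is my address, FCS is right."""
    return (len(ack) == 14 and ack[0:2] == FC_ACK
            and ack[4:10] == expected_ta and fcs(ack[:-4]) == ack[-4:])


if __name__ == "__main__":
    frame = build_downlink_data(VICTIM_ADDR, b"TCP segment to victim", seq=7)
    genuine = build_ack(parse_data_header(frame)["ta"])  # what the victim would send
    forged = forge_ack_for(frame)                          # what the cheater sends
    print("ACK length:", len(forged), "bytes; identical to genuine ACK:", genuine == forged)
    print("AP accepts forged ACK:", ap_would_accept(forged, AP_ADDR))
```

Note that the victim's address never appears in the ACK at all: the AP has no field it could check against its queue, which is exactly why the frame is dequeued as delivered.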
Our Attack
Attack Description
Simple scenario:
[Figure: TCP connections from servers S and Sc across the Internet, through the AP queue (well-behaved node's packets, cheater's packets), to M and Mc over the wireless channel]
The cheater jams the well-behaved node's TCP packet and sends a MAC-ACK to the AP in its place.
TCP packet is lost.
AP knows nothing about this loss.
It dequeues the frame (no retransmission).
TCP decreases its window.
Repeated losses kill the TCP connection.
Our Attack
Attack Description
General case:
Jam all TCP packets or TCP-ACKs that don't belong to the cheater.
Send a MAC-ACK to the transmitter (so it dequeues the frame).
Probability of jamming: X (X = 1: jamming all other nodes' packets)
Cheater's benefits:
Killing TCP connections reduces the load at the AP and on the wireless channel.
Decreasing delay (no retransmissions due to collisions).
Minimizing loss probability (no drops at the AP).
Result: the cheater's throughput increases.
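Added example (not the ns-2 implementation used in these slides): a toy round-based Python model of the downlink scenario with jamming probability X, to show why the cheater gains. The TCP model (cwnd grows by 1 per round without loss and is halved on loss), the AP capacity per round and the max-min split of that capacity are assumptions for illustration, not figures from the simulation.

```python
"""Toy model of the downlink attack: two TCP flows share an AP, the
cheater jams the victim's frames with probability X and forges the
MAC-ACK, so the AP never retransmits and the victim's TCP sees a loss.
All parameters are constructed for illustration."""
import random


def max_min_share(demand: dict, capacity: int) -> dict:
    """Max-min fair split of the AP's per-round capacity between two flows:
    the smaller demand is served first, the rest goes to the other flow."""
    small, big = sorted(demand, key=demand.get)
    share_small = min(demand[small], capacity // 2)
    share_big = min(demand[big], capacity - share_small)
    return {small: share_small, big: share_big}


def simulate(jam_prob: float, rounds: int = 200, capacity: int = 40, seed: int = 1) -> dict:
    """Run `rounds` RTT-like rounds; return delivered frames, jammed count, final cwnd."""
    rng = random.Random(seed)
    cwnd = {"victim": 1, "cheater": 1}
    delivered = {"victim": 0, "cheater": 0}
    jammed_total = 0
    for _ in range(rounds):
        sent = max_min_share(cwnd, capacity)
        for flow in cwnd:
            # Demand above the AP's share is dropped at the AP queue: a normal loss.
            loss = cwnd[flow] > sent[flow]
            got = sent[flow]
            if flow == "victim":
                # Each frame the AP transmits to the victim is jammed with prob. X.
                # The forged MAC-ACK means the AP counts it as delivered: no MAC retry,
                # so every jammed frame reaches TCP as a loss.
                jammed = sum(1 for _ in range(sent[flow]) if rng.random() < jam_prob)
                got -= jammed
                jammed_total += jammed
                loss = loss or jammed > 0
            delivered[flow] += got
            cwnd[flow] = max(1, cwnd[flow] // 2) if loss else cwnd[flow] + 1
    return {"delivered": delivered, "jammed": jammed_total, "final_cwnd": dict(cwnd)}


if __name__ == "__main__":
    for x in (0.0, 0.25, 0.5, 1.0):
        r = simulate(x)
        print(f"X={x:.2f}  victim={r['delivered']['victim']:5d}  "
              f"cheater={r['delivered']['cheater']:5d}  jammed={r['jammed']}")
```

With X = 0 the two flows are symmetric and split the AP evenly; as X grows the victim's window stays pinned near 1 and the capacity it no longer uses is what the cheater collects, which is the "reducing load at the AP" benefit above.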
Simulation
Simulator:
Implementation of the attack in ns-2.27.
To remain completely transparent, only TCP traffic is jammed (control packets are spared).
Results are averaged over 5 simulations.
Simulation
Simulated scenario:
[Figure: FTP connections from S and Sc across the Internet, through the AP, to M and Mc over 802.11 DCF]
TCP traffic on the downlink (FTP connections).
Channel capacity: 1 Mbps
TCP packet size: 1000 bytes
2 cases:
Immediate jamming.
Delayed jamming (after a warm-up period).
Simulation
Immediate jamming:
[Result plot not recoverable from the text]
Simulation
Delayed jamming (warm-up period):
[Result plot not recoverable from the text]
Detection
Problems:
How to distinguish between jamming and collision?
Even if jamming is detected, the cheater remains unknown.
Downlink jamming is not detectable near the AP:
The AP's signal strength is larger than the jamming signal strength near the AP,
so placing sensors near the AP is useless.
This attack is completely transparent to MAC and TCP.
Existing DOMINO procedures cannot detect it.
Perspectives
To make detection more difficult, the cheater may use On/Off jamming periods.
Multiple cheaters:
The network collapses.
Need a Pareto-optimal point.
Applying game theory: the move is to change the jamming probability.
BUT: we need to detect the attack first.
To avoid this attack:
Without modifying 802.11:
Here is the challenge!!
Modifying 802.11:
NACK.
Authentication.
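Added example (not from the slides; 802.11 has no such frame): one form the "Authentication" option above could take, written in Python. It assumes each station shares a pairwise key with the AP (for instance derived at association), and that the ACK carries the acknowledged frame's sequence number plus a truncated HMAC over (RA, acknowledging station, sequence number). The cheater can still jam, but without the victim's key its ACK is rejected, so the AP keeps the frame queued and retransmits. Keys and addresses are constructed.

```python
"""Authenticated MAC-ACK (hypothetical 802.11 modification, not the standard).
ACK = RA(6) + STA(6) + seq(2) + truncated HMAC-SHA256 over those fields.
Keys and addresses are constructed for the example."""
import hashlib
import hmac
import os
import struct

AP_ADDR = bytes.fromhex("0011223344aa")       # constructed AP address
VICTIM_ADDR = bytes.fromhex("00aabbccddee")   # constructed well-behaved node
CHEATER_ADDR = bytes.fromhex("00deadbeef01")  # constructed cheater
TAG_LEN = 8


def ack_tag(key: bytes, ra: bytes, sta: bytes, seq: int) -> bytes:
    """Binds the ACK to the AP, the acknowledging station and the frame's sequence number."""
    msg = ra + sta + struct.pack("<H", seq)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def build_auth_ack(key: bytes, ra: bytes, sta: bytes, seq: int) -> bytes:
    return ra + sta + struct.pack("<H", seq) + ack_tag(key, ra, sta, seq)


class AccessPoint:
    def __init__(self):
        self.keys = {}     # station address -> pairwise key (assumed set up at association)
        self.pending = {}  # (dst, seq) -> payload still awaiting an ACK

    def associate(self, sta: bytes) -> bytes:
        self.keys[sta] = os.urandom(16)
        return self.keys[sta]

    def send(self, dst: bytes, seq: int, payload: bytes) -> None:
        self.pending[(dst, seq)] = payload

    def receive_ack(self, ack: bytes) -> bool:
        """Accept only an ACK for a queued frame whose tag verifies under that
        station's key.  On failure the frame stays queued for retransmission."""
        ra, sta = ack[0:6], ack[6:12]
        seq = struct.unpack("<H", ack[12:14])[0]
        tag = ack[14:14 + TAG_LEN]
        key = self.keys.get(sta)
        if ra != AP_ADDR or key is None or (sta, seq) not in self.pending:
            return False
        if not hmac.compare_digest(tag, ack_tag(key, ra, sta, seq)):
            return False  # forged (wrong key) or corrupted
        del self.pending[(sta, seq)]  # also rejects replays of an already-used ACK
        return True


def demo() -> tuple:
    """Returns (forged ACK accepted?, frame still queued after forgery?, genuine ACK accepted?)."""
    ap = AccessPoint()
    victim_key = ap.associate(VICTIM_ADDR)
    cheater_key = ap.associate(CHEATER_ADDR)
    ap.send(VICTIM_ADDR, 7, b"TCP segment to victim")
    # The cheater jams the frame, then tries to ACK it on the victim's behalf.
    # It can claim the victim's address but only has its own key.
    forged = build_auth_ack(cheater_key, AP_ADDR, VICTIM_ADDR, 7)
    forged_ok = ap.receive_ack(forged)
    still_queued = (VICTIM_ADDR, 7) in ap.pending
    genuine_ok = ap.receive_ack(build_auth_ack(victim_key, AP_ADDR, VICTIM_ADDR, 7))
    return forged_ok, still_queued, genuine_ok


if __name__ == "__main__":
    print("forged accepted, still queued, genuine accepted:", demo())
```

The cost is an extra 16 bytes and one HMAC per ACK within the SIFS budget, which is why the slides list this under modifying 802.11 rather than as a deployable fix.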
Conclusions
First attack that combines 802.11 and TCP vulnerabilities.
Completely transparent:
Jamming looks like a collision.
MAC-ACK is not authenticated.
Very efficient on the downlink as well as on the uplink.
More harmful to TCP flows than to UDP flows.