Self Organized Networks Doctoral School ICI Course Project Self Organized Networks CLASS : a Cross-Layer Attack, Subtle and Simple Alaeddine EL-FAWAL LCA : Laboratory for computer Communications and Applications February 6th, 2004

OUTLINE Facts and Objectives Related Work Motivation for our Proposal Simulation Detection Perspectives Conclusions Our Attack

Facts & Objectives Facts : Objectives : Hotspots anywhere 24,000 world-wide soon 100 so far in Switzerland Given the limited bandwidth: Attacks are benificial!! (Gain in banwidth and money ) At the network layer : (well discussed in the literature) What about MAC layer ? (Rarely discussed) MAC layer protocol : 802.11 Objectives : Find vulnerabilities in 802.11. Protect 802.11. We are concerned in rational behavior.

Facts & Objectives Misbehavior scenario Well-behaved node Cheater

OUTLINE Related Work Facts and Objectives Motivation for our Proposal Our Attack Simulation Detection Perspectives Conclusions

Existing Attacks : (Rational Cheater) Related Work Existing Attacks : (Rational Cheater) Specially based on manipulating backoff time /DIFS: Decreasing Backoff / DIFS  Increasing Priority A cheater can: Change his own Parameters : Reduce Contention Windows. Transmit before DIFS ... increase cheater´s priority Act directly against other nodes : Selectively scramble others´ Pkts . Others will increase their Contention Windows. decrease other nodes´ priorities

Related Work Existing Solutions 1 - Proposed by Kyasanur and Vaidya : Concept: the receiver assigns backoff values to the sender Detection: compare expected and observed backoffs Correction: assign penalty to the cheater Drawbacks: Modification of IEEE 802.11 The receiver can control the sender Only one traffic pattern Only one type of misbehavior

Related Work Existing Solutions 2 – DOMINO Solutions : Station sends before DIFS: Easily detectable after few packets CTS/ACK scrambling: Detectable using the number of retransmissions Manipulated backoff: more subtle Detection metrics Throughput and delay ? NO because: Traffic dependent Subject to many factors Backoff ? YES but: Cannot be distinguished if the sender has large delays Collisions lead to confusing situations

Motivation for our Proposal OUTLINE Facts and Objectives Related Work Motivation for our Proposal Our Attack Simulation Detection Perspectives Conclusions

Motivation for our Proposal The Above Attacks The Above Attacks are Uplink (Cheater  AP) Realistic traffic Downlink AP belongs to ISP : Trusted Node. The above Attacks are not relevant anymore Furthermore 90% of traffic : TCP (http, FTP, ...) To kill TCP connections : network layer Attacks (dsniff) BUT Fail in presence of Authentication (IPsec)

Motivation for our Proposal Efficient Smart Attack against TCP on the downlink. At the MAC Layer. First Attack that combines 802.11 and TCP Vulnerabilities Transparent to TCP and MAC: Hard to detect. Efficient even when using IPsec

OUTLINE Facts and Objectives Related Work Motivation for our Proposal Our Attack Simulation Detection Perspectives Conclusions

Our Attack Uses the following 802.11 vulnerability : MAC Frame Header Copying of transmitter address (AP) MAC-ACK No Authentication, No source Address

Our Attack Attack Description Simple Scenario : Sc S Mc M INTERNET Well-behaved node‘s Pkts AP Queue Cheater‘s Pkts MAC-ACK TCP AP TCP TCP Pkt is lost. AP knows nothing about this loss. It dequeues the frame. (No retransmissions) TCP decreases its window. Repeated loss  killed TCP connection

Result: increasing the cheater’s Throughput Our Attack Attack Description General Case : Jam all TCP Pkts or TCP-ACKs that don´t belong to the cheater. Send MAC-ACK to the transmiter. Prob. of jamming : X (X=1, jamming all other nodes‘ Pkts) Cheater´s Benefits : Killing TCP Connections  reducing load at AP & Wireless Channel. Decreasing Delay (No retransmission due to collision) Minimizing Loss Prob. (No Drop at AP) Result: increasing the cheater’s Throughput

OUTLINE Facts and Objectives Related Work Motivation for our Proposal Our Attack Simulation Detection Perspectives Conclusions

Simulation Simulator : Implementation of the attacks in ns-2.27. To be completely transparent, only TCP traffic is jammed (ctrl. Pkts. are saved) Results are averaged over 5 simulations.

Simulation Simulated Scenario : DCF Mc M INTERNET AP FTP DCF TCP traffic on the downlink (FTP connections). Channel capacity : 1Mbps TCP Pkt size : 1000 Bytes 2 cases : Immediate jamming. Delayed jamming (after a warmup period).

Simulation Immediate Jamming :

Simulation Delayed Jamming (warmup period):

OUTLINE Facts and Objectives Related Work Motivation for our Proposal Our Attack Simulation Detection Perspectives Conclusions

This attack is completely Detection Problems : How to distinguish between jamming & collision. Even if jamming is detected, the cheater remains unknown. Downlink jamming is not detectable near the AP. AP signal strength is larger than the jamming signal strength near the AP. Placing sensors near the AP is useless. Existing DOMINO procedures cannot detect it This attack is completely Transparent to MAC and TCP.

OUTLINE Facts and Objectives Related Work Motivation for our Proposal Our Attack Simulation Detection Perspectives Conclusions

Perspectives To make detection more difficult, the cheater may use On/Off jamming periods. Multiple cheaters. Network collapses. Pareto-optimal point. Applying game theory: the move is to change the jamming prob. BUT: We need to detect the attack. To avoid this attack: Without modifying 802.11. Here is the challenge!! Modifying 802.11. NACK. Authentication.

OUTLINE Facts and Objectives Related Work Motivation for our Proposal Our Attack Simulation Detection Perspectives Conclusions

Conclusions First attack that combines 802.11 & TCP vulnerabilities. Completely transparent: Jamming = collision. MAC-ACK is not authenticated. Very efficient on the downlink as well as on the uplink. More harmful to TCP than UDP flows.

MERCI DE VOTRE ATTENTION