Xiuzhen Cheng cheng@gwu
Xiuzhen Cheng
Csci 388 Wireless and Mobile Security – MAC Layer Misbehavior, DoS

Outline
802.11 MAC Management
802.11 DoS Attacks: Discussion and More
Break (5 minutes)
802.11 MAC Layer Misbehavior Detection and Handling
Discussion on DOMINO

IEEE 802.11 MAC Packet Structure
• Packet Type: Management (00), Control (01), and Data (10)
• Subtype: in Control – RTS, CTS, ACK, etc.
• MAC frames can be transmitted between mobile stations, between mobile stations and an AP, and between APs over a DS

Frame fields (length in bytes):
Frame Control (2) | Duration ID (2) | Address 1 (6) | Address 2 (6) | Address 3 (6) | Sequence Control (2) | Address 4 (6) | Data (0-2312) | CRC (4)

Frame Control subfields:
Protocol version | Type | Subtype | To DS | From DS | More Frag | Retry | Power Mgmt | More Data | WEP | Order

Address Interpretation

| To DS | From DS | Addr 1 | Addr 2 | Addr 3 | Addr 4 |
|-------|---------|--------|--------|--------|--------|
| 0     | 0       | DA     | SA     | BSSID  |        |
| 0     | 1       | DA     | BSSID  | SA     |        |
| 1     | 0       | BSSID  | SA     | DA     |        |
| 1     | 1       | RA     | TA     | DA     | SA     |
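
An added example (not from the original slides): a Python decoder for the header layout and the To DS / From DS address table above. The two sample frames are constructed, and the function and constant names are this example's own.

```python
import struct

TYPES = {0: "management", 1: "control", 2: "data"}

# (To DS, From DS) -> meaning of Address 1..4, copied from the table above.
ADDRESS_ROLES = {
    (0, 0): ("DA", "SA", "BSSID", None),
    (0, 1): ("DA", "BSSID", "SA", None),
    (1, 0): ("BSSID", "SA", "DA", None),
    (1, 1): ("RA", "TA", "DA", "SA"),
}

# Frame Control flag bits 8..15, in the order listed on the slide.
FLAGS = ("to_ds", "from_ds", "more_frag", "retry",
         "power_mgmt", "more_data", "wep", "order")


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> dict:
    """Decode the MAC header of a management or data frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte three-address header")
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype = (fc >> 2) & 0x3
    if ftype not in (0, 2):
        # Control frames (RTS, CTS, ACK) use shorter headers; not handled here.
        raise ValueError(f"unsupported frame type {ftype}")
    flags = {name: (fc >> (8 + i)) & 1 for i, name in enumerate(FLAGS)}
    roles = ADDRESS_ROLES[(flags["to_ds"], flags["from_ds"])]
    if roles[3] is not None and len(frame) < 30:
        raise ValueError("To DS = From DS = 1 but Address 4 is missing")
    (seq_ctrl,) = struct.unpack_from("<H", frame, 22)
    raw = (frame[4:10], frame[10:16], frame[16:22], frame[24:30])
    return {
        "version": fc & 0x3,
        "type": TYPES[ftype],
        "subtype": (fc >> 4) & 0xF,
        "flags": flags,
        "duration": duration,
        "addresses": {r: fmt_mac(a) for r, a in zip(roles, raw) if r},
        "fragment": seq_ctrl & 0xF,
        "sequence": seq_ctrl >> 4,
    }


# Constructed sample headers (locally administered addresses, not captures).
DATA_TO_AP = bytes.fromhex(
    "0801" "2c00"      # Frame Control: data, To DS = 1; Duration = 44
    "020000000001"     # Address 1 = BSSID
    "020000000002"     # Address 2 = SA
    "020000000003"     # Address 3 = DA
    "5000"             # Sequence Control: sequence 5, fragment 0
)
DEAUTH = bytes.fromhex(
    "c000" "0000"      # Frame Control: management, subtype 12 (deauthentication)
    "020000000002"     # Address 1 = DA
    "020000000001"     # Address 2 = SA (nothing in the header authenticates it)
    "020000000001"     # Address 3 = BSSID
    "6000"             # Sequence Control: sequence 6, fragment 0
)

if __name__ == "__main__":
    for name, frame in (("data", DATA_TO_AP), ("deauth", DEAUTH)):
        print(name, parse_header(frame))
```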

MAC Synchronization
In an infrastructure network:
• The AP is responsible for generating beacons, which contain a valid time stamp
• If the channel is in use, defer beacon transmission until it is free

MAC Synchronization – (cont.)
Ad hoc network:
• Every station is responsible for generating its beacon
• All stations compete for transmission of the beacon using a standard backoff algorithm
• All others adjust their times according to the winning station

Power Management
Power states for a STA:
• awake – fully powered
• doze – low power, cannot transmit/receive
PM in Infrastructure Networks:
• When entering doze mode, STAs inform the AP
• AP buffers frames for STAs in doze mode
• AP sends beacons periodically
  • beacon contains time stamp + Traffic Indication Map (TIM)
• STA wakes up to get the beacon (check TIM)
  • if traffic is pending, stay awake until transmission is complete

Power Management – (cont.)
PM in Ad-hoc Networks:
• ATIM window
  • traffic for stations in doze mode is announced during the ATIM window
  • all stations are awake during the ATIM window
• Both ATIMs and DATA are acknowledged and use the standard backoff algorithm

What is a DoS Attack?
• Denying genuine users a particular service
• In our context, preventing transmission of data to/from stations

Vulnerabilities in 802.11
Two kinds of vulnerabilities:
• Identity vulnerabilities
• MAC vulnerabilities

Identity Vulnerabilities
• Arise because of the implicit trust placed in the source address
• No verification of source's identity
• Causes 2 kinds of attacks:
  • Deauthentication and Disassociation attacks
  • Power saving mode attack

Deauthentication and Disassociation Attack
Authentication Mechanism:
• Client sends authentication request to AP
• AP sends back response
• Client then sends association request
• AP responds accordingly
Problem:
• Explicit message for deauthentication is sent in the clear, without being authenticated by keying material. This message can be spoofed

Deauthentication and Disassociation Attack
• The spoofed deauthentication message causes the communication between client and AP to be suspended. Hence, the attacker has achieved DoS
• Client must reauthenticate to resume communication
• Attacker should be careful to spoof the deauthentication message only when a successful authentication has taken place
• A similar attack can be carried out by spoofing the disassociation message, since that message is also sent in the clear
• From the attacker's perspective, the disassociation attack is less effective than the deauthentication attack

Power Saving Mode Attack (1)
Power Conservation Mechanism:
• Client enters sleep mode intermittently
• AP buffers data during that time
• Either the client awakens and sends a poll message to the AP for pending data, or the AP broadcasts a periodic Traffic Indication Map (TIM) message conveying availability of pending data
• AP delivers data and clears its buffer
Problem:
• Attacker can spoof either the poll message or the TIM message, as these are sent unauthenticated
• For the same reason, attackers can spoof the TSF packet to push nodes out of synchronization

Power Saving Mode Attack (2)
Big problem:
• Other management messages can also be spoofed, thereby making these attacks more effective
Solution:
• Simply encrypt these messages like the data messages, using WEP. Works?

MAC Vulnerabilities
• Arise because of the collision avoidance mechanism of the 802.11 MAC layer
  • Carrier sense is done in two layers
• Cause two kinds of attacks:
  • Time window attack
  • Virtual carrier sense attack

Time Window attack
• 802.11 MAC defines time windows to prioritize access to the channel
• Two time windows: Short interframe space (SIFS) for an existing frame exchange and Distributed interframe space (DIFS) for a new frame exchange, with SIFS < DIFS
• Every STA has to wait at least SIFS before transmitting
• Therefore, the attacker can completely monopolize the channel by sending a signal before the end of every SIFS interval
• However, there is a problem with the attack:
  • Resource intensive – since SIFS is 28 µs (802.11b), the attacker will have to send a signal approx. 37,000 times per second

Virtual Carrier Sense Attack
Carrier Sensing Mechanism:
• To prevent collisions, a station sends a short Request-to-Send (RTS) message
• RTS contains a Duration field specifying the time for which the sender requires the channel
• Receiver responds with Confirm-to-Send (CTS) if it is ready to receive data
• CTS contains the updated Duration field
• Other stations within range set their Network Allocation Vector (NAV) such that they do not transmit for the time specified in the Duration field
• Duration field is present in all 802.11 frames, so any frame can be used to carry out this attack

Virtual Carrier Sense Attack
Problems:
• The attacker can set the Duration field to high values (maximum 32767), preventing channel access to others
• Assuming the attacker sets the maximum value, he has to transmit only 30 times per second; therefore, it is easy for the attacker
• Attacking with RTS is more efficient, since a well-behaved receiver will always reply to it!

Practical Perspective
• DoS attacks are theoretically possible, but what about actual practice?
• Bad news! It is feasible to carry out these attacks with commodity hardware with little tweaking
  • Management frames necessary to exploit the identity attacks can be generated
  • Exploit the AUX port for carrier sense attacks
Deauthentication attack - Empirical Results

Deauthentication attack – Proposed Solutions
Solution 1: Authenticate management frames
But there are two problems with this solution:
• Not feasible using a software upgrade
• A standardized authentication framework is required, which can take time
• Not feasible to upgrade all STAs across all networks
Solution 2: Defer deauthentication
• Manipulate the firmware to delay deauthentication after receiving the message. If the AP receives a data message after this, then the deauth request was spoofed
Advantages of solution 2:
• Low overhead
• Modification only limited to the APs, which is feasible
More potential attacks introduced?
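
One way to model Solution 2 on the AP side, as an added Python example that is not from the slides or the paper. The 5-second deferral, the event names and the station labels are assumptions chosen for illustration, and both traces are constructed.

```python
class DeferringAP:
    """AP that queues a deauthentication instead of applying it immediately."""

    def __init__(self, defer_seconds):
        self.defer_seconds = defer_seconds   # assumed value, not from the slides
        self.associated = set()
        self.pending = {}    # station -> time at which the queued deauth applies
        self.spoofed = []    # (time, station) for deauths judged to be spoofed

    def _apply_expired(self, now):
        # A queued deauth takes effect once its deferral period has passed.
        for sta, deadline in list(self.pending.items()):
            if now >= deadline:
                del self.pending[sta]
                self.associated.discard(sta)

    def handle(self, now, kind, sta=None):
        """Process one event; return True if `sta` is associated afterwards."""
        self._apply_expired(now)
        if kind == "assoc":
            self.associated.add(sta)
        elif kind == "deauth" and sta in self.associated:
            # Do not act yet: remember when the request would take effect.
            self.pending.setdefault(sta, now + self.defer_seconds)
        elif kind == "data" and sta in self.associated and sta in self.pending:
            # Data after a deauth request: per the slide, the request was
            # spoofed, so drop it and keep the association.
            del self.pending[sta]
            self.spoofed.append((now, sta))
        # kind == "tick" only advances time.
        return sta in self.associated


def replay(events, defer_seconds=5.0):
    ap = DeferringAP(defer_seconds)
    for now, kind, sta in events:
        ap.handle(now, kind, sta)
    return sorted(ap.associated), ap.spoofed


# Constructed traces: (time in seconds, event, station).
SPOOFED_TRACE = [
    (0.0, "assoc", "sta-a"),
    (1.0, "deauth", "sta-a"),   # forged request carrying sta-a's address
    (1.2, "data", "sta-a"),     # the real client keeps sending
    (9.0, "tick", None),
]
GENUINE_TRACE = [
    (0.0, "assoc", "sta-b"),
    (1.0, "deauth", "sta-b"),   # client really leaves and goes quiet
    (9.0, "tick", None),
]

if __name__ == "__main__":
    print(replay(SPOOFED_TRACE))   # association kept, one spoof recorded
    print(replay(GENUINE_TRACE))   # association removed after the deferral
```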
Solution 2 – Empirical Results
Virtual carrier sense attack – Empirical Results

Virtual carrier sense attack – Proposed Solution
• Put a cap on the value of the maximum duration on received frames
• If a station receives a frame with a duration of more than the cap value, truncate the duration to the cap value
Solution to Virtual CS attack – Empirical Results

Virtual carrier sense attack – Proposed Solution
• Put a cap on the value of the maximum duration on received frames
• If a station receives a frame with a duration of more than the cap value, truncate the duration to the cap value
• Can be further improved by selectively adhering to the specified duration value in:
  • Data and ACK frames – These frames will have a high duration value only if they are part of a fragmented packet exchange. Since fragmentation is almost never used, the duration specified in these frames can be ignored
  • RTS frame – A station that receives an RTS frame will also receive the data frame. The 802.11 standard specifies the exact times for the subsequent CTS and data frames. So the duration value of the RTS is respected until the following data frame is received/not received
  • CTS frame – Either the observed CTS is unsolicited or the observing node is a hidden terminal. If this CTS is addressed to a valid in-range station, the valid station can nullify it by sending a zero duration null function frame. If this CTS is addressed to an out-of-range station, one foolproof defense is to introduce authenticated CTS frames, containing a cryptographically signed copy of the preceding RTS. But there are overhead and feasibility issues with this
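
The duration cap and the Data/ACK and RTS rules above, as an added Python example that is not from the slides. The 3000 µs cap, the 500 µs wait for the data frame after an RTS, and both traces are constructed; CTS frames are only capped here, and frames are not matched by address.

```python
class HardenedNav:
    """NAV bookkeeping with a duration cap and per-frame-type rules."""

    def __init__(self, cap_us, rts_data_timeout_us):
        self.cap_us = cap_us
        self.rts_data_timeout_us = rts_data_timeout_us
        self.nav_until = 0        # reservation from CTS (and other) frames
        self.rts_nav_until = 0    # provisional reservation made by an RTS
        self.rts_deadline = None  # time by which the data frame must follow
        self.truncated = 0        # how many durations exceeded the cap

    def _capped(self, duration_us):
        if duration_us > self.cap_us:
            self.truncated += 1
            return self.cap_us
        return duration_us

    def _expire_rts(self, now):
        # No data frame followed the RTS in time: release its reservation.
        if self.rts_deadline is not None and now >= self.rts_deadline:
            self.rts_nav_until = 0
            self.rts_deadline = None

    def on_frame(self, now, ftype, duration_us):
        self._expire_rts(now)
        if ftype == "DATA":
            # The announced exchange is happening; keep the RTS reservation
            # but ignore the Duration carried by the data frame itself.
            self.rts_deadline = None
        elif ftype == "ACK":
            pass  # Duration in ACK frames is ignored
        elif ftype == "RTS":
            self.rts_nav_until = max(self.rts_nav_until,
                                     now + self._capped(duration_us))
            self.rts_deadline = now + self.rts_data_timeout_us
        else:
            self.nav_until = max(self.nav_until,
                                 now + self._capped(duration_us))

    def free_at(self, now):
        self._expire_rts(now)
        return max(now, self.nav_until, self.rts_nav_until)


def honor_all(trace):
    """Baseline station: believes every Duration field it hears."""
    return max(t + d for t, _, d in trace)


def hardened(trace, cap_us=3000, rts_data_timeout_us=500):
    nav = HardenedNav(cap_us, rts_data_timeout_us)
    for t, ftype, d in trace:
        nav.on_frame(t, ftype, d)
    return nav.free_at(trace[-1][0]), nav.truncated


# Constructed traces: (time in µs, frame type, Duration field in µs).
INFLATED_TRACE = [(0, "RTS", 32767), (1000, "CTS", 32767), (2000, "ACK", 32767)]
NORMAL_TRACE = [(0, "RTS", 1500), (400, "DATA", 1100), (1400, "ACK", 0)]

if __name__ == "__main__":
    for name, trace in (("inflated", INFLATED_TRACE), ("normal", NORMAL_TRACE)):
        print(name, "baseline:", honor_all(trace), "hardened:", hardened(trace))
```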

Conclusions
• 802.11 WLANs suffer from many vulnerabilities threatening the availability of service
• Secure and extended authentication mechanisms can help
• Changes to the MAC layer protocol are also required; may track and punish malicious nodes

Take a Break
Will study the detection and handling of MAC layer misbehavior by P. Kyasanur and N.H. Vaidya.
P. Kyasanur and N.H. Vaidya, Detection and Handling of MAC Layer Misbehavior in Wireless Networks, in Dependable Systems and Networks, June 2003.
Will discuss the detection of greedy behavior in 802.11 hotspots after the break.
1. M. Raya, J. P. Hubaux, and I. Aad, DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots, Proceedings of the Second International Conference on Mobile Systems, Applications, and Services, Boston, June 2004

Paper 1
P. Kyasanur and N.H. Vaidya, Detection and Handling of MAC Layer Misbehavior in Wireless Networks, in Dependable Systems and Networks, June 2003.

Problem Definition
[Figure: an Infrastructure-based Network (nodes A and B, Access Point, wireless channel) and an Ad hoc Network (nodes C and D)]
Nodes may violate Medium Access Control rules

IEEE 802.11 overview
• Distributed Coordination Function (DCF) – mandatory
  • Widely used for channel access
• DCF is a Carrier Sense Multiple Access / Collision Avoidance (CSMA/CA) protocol

CSMA/CA
• Carrier sense
  • Don't transmit when channel is busy
• Collision avoidance
  • Defer transmission for a random time after the channel goes idle

Backoff Example
• Choose backoff value B in range [0,CW]; CW is the Contention Window
• Count down backoff by 1 every idle slot
[Figure: wait/transmit timeline for stations S1 and S2 with CW=31. Labels: B1=15, B2=25; B1=0, B2=10; B1=20, B2=10]

Data Transmission
• Reserve channel with RTS/CTS exchange
[Figure: Sender S (B=10) and Receiver R exchange RTS, CTS, DATA and ACK. Node labels: S, B, A, R]

Possible Misbehavior
• Backoff selected from different distribution
  • Select a small constant backoff always
[Figure: wait/transmit timeline of a misbehaving node (B1 = 1, then B1 = 1) and a well-behaved node (B2 = 20, then B2 = 19)]

Goals of proposed scheme
• Diagnose node misbehavior
  • Catch misbehaving nodes
• Discourage misbehavior with MAC layer scheme
  • Punish misbehaving nodes

Related work at other layers
Many proposals for securing network layer:
• Designing protocols resilient to misbehavior [Savage99, Nisan99, Buttyan01]
• Explicitly detect and penalize misbehavior [Marti00, Zhang00, Buchegger02, Hu02]

Related work at MAC Layer
• Game-theoretic solutions proposed for selfish misbehavior at MAC layer [Konorski01, MacKenzie01, Konorski02]
• Game-theoretic approach
  + Protocols resilient to misbehavior
  - Assumptions not always valid
  - Performance may not be good

Solution Approaches
• Misbehaving node can gain more bandwidth
  • Use payment schemes, charging per packet
• Misbehaving node can achieve lower delay
  • Send burst of packets ignoring MAC rules
  • Average delay is less with same cost
• Payment based schemes not sufficient

Proposed Approach
• Receivers detect sender misbehavior
  • Assume receivers are well-behaved (can be relaxed)
• Receiver does not know exact backoff value chosen by sender
• Wireless channel introduces uncertainties
[Figure labels: Wireless channel, Access Point, A]

Use long-term statistics
• Observe backoffs chosen by sender over multiple packets
• Backoff values not from expected distribution → misbehavior
• Selecting right observation interval difficult

Alternate Approach
• Receiver provides backoff values to sender
  • Send in current transmission backoff value for next transmission
• Receiver can then accurately observe sender behavior
• Uncertainty of sender's backoff eliminated

Modifications to 802.11
1. R provides backoff B to S in ACK and/or in DATA; B selected from [0,CWmin]
2. S uses B for backoff
[Figure: Sender S and Receiver R exchange RTS, CTS, DATA and ACK(B); S waits backoff B before its next RTS]
Protocol steps
1. Detect deviations: Receiver observes one transmission from the sender
2. Penalize deviations: Penalty is added, if the sender appears to have deviated
3. Diagnose misbehavior: Based on last W observations, diagnose misbehavior
Detecting deviations
Receiver counts number of idle slots Bobsr
Condition for detecting deviations:
Bobsr < B 0 < <= 1
[Figure: Sender S and Receiver R; after ACK(B), R observes backoff Bobsr before the next RTS]

Penalizing Misbehavior
When Bobsr < B, penalty P added
P proportional to B – Bobsr
[Figure: Sender S and Receiver R; after ACK(B), the actual backoff before RTS (observed as Bobsr) is less than B; after CTS and DATA, R replies with ACK(B+P). Total backoff assigned = B + P]

Penalty Scheme issues
With penalty, sender has to misbehave more for the same throughput gain
Misbehaving sender has two options:
• Ignore assigned penalty → easier to detect
• Follow assigned penalty → no throughput gain

Diagnosing Misbehavior
• Total deviation for last W packets used
  • Deviation per packet is B – Bobsr
If total deviation > THRESH then sender is designated as misbehaving
Higher layers/ administrator can be informed of misbehavior
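
The receiver side of the three protocol steps, as an added Python example rather than the authors' code. It assumes the detection condition is Bobsr < alpha × B with 0 < alpha <= 1 (the factor's symbol is missing from the slide text) and that a sender with misbehavior percentage PM waits (100 − PM)% of its assigned backoff; alpha, W, THRESH, the penalty factor and the base backoffs are constructed values.

```python
from collections import deque


class Receiver:
    """Receiver R: assigns backoffs, checks each transmission, keeps W deviations."""

    def __init__(self, alpha, window, thresh, penalty_factor):
        self.alpha = alpha                      # tolerance factor (assumed symbol)
        self.thresh = thresh                    # THRESH on total deviation
        self.penalty_factor = penalty_factor    # P = penalty_factor * (B - Bobsr)
        self.deviations = deque(maxlen=window)  # B - Bobsr for the last W packets
        self.penalty = 0
        self.expected = 0

    def assign(self, base_backoff):
        """Backoff carried in the ACK: B plus any penalty P from the last packet."""
        self.expected = base_backoff + self.penalty
        return self.expected

    def observe(self, b_obsr):
        """Record the idle slots counted before the RTS; True means diagnosed."""
        deviation = self.expected - b_obsr
        self.deviations.append(deviation)
        if b_obsr < self.alpha * self.expected:
            # Step 2: the sender appears to have deviated, so add a penalty.
            self.penalty = round(self.penalty_factor * deviation)
        else:
            self.penalty = 0
        # Step 3: total deviation over the last W packets against THRESH.
        return sum(self.deviations) > self.thresh


def simulate(pm_percent, bases, alpha=0.8, window=4, thresh=30,
             penalty_factor=1.0):
    """Run one sender against the receiver; pm_percent = 0 is well-behaved."""
    rx = Receiver(alpha, window, thresh, penalty_factor)
    assigned, diagnosed_at = [], None
    for packet_no, base in enumerate(bases, start=1):
        total = rx.assign(base)
        assigned.append(total)
        waited = total * (100 - pm_percent) // 100   # assumed sender model
        if rx.observe(waited) and diagnosed_at is None:
            diagnosed_at = packet_no
    return {"assigned": assigned, "diagnosed_at": diagnosed_at}


# Constructed base backoffs standing in for the receiver's draws from [0, CWmin].
BASES = [12, 20, 7, 25, 16, 9, 30, 14]

if __name__ == "__main__":
    print("PM = 0% :", simulate(0, BASES))
    print("PM = 50%:", simulate(50, BASES))
```

With these constructed values, the sender that waits half of every assigned backoff sees its assigned backoff grow through penalties and is diagnosed on the fourth packet; the well-behaved sender is never penalized.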
Simulation Results
Using ns-2 simulator
Misbehavior modeled by parameter – “Percentage of Misbehavior (PM)”
• PM = 0% → well-behaved
• Larger PM → greater misbehavior
Results for one receiver, multiple senders with single misbehaving sender
Simulation Setup
Misbehaving Node

Results – Diagnosis Accuracy
[Plot: Correct Diagnosis and Misdiagnosis. x-axis: Percentage of Misbehavior (of misbehaving node); y-axis: Percentage]

Misbehaving node throughput
[Plot: 802.11 and Proposed Scheme, with "Avg. with penalty" and "Avg. with 802.11". x-axis: Percentage of Misbehavior; y-axis: Throughput (Kbps per node)]

Throughput – no misbehavior
[Plot: Proposed Scheme and 802.11. x-axis: Number of sender nodes (1 to 64); y-axis: Throughput (Kbps per node)]

Simulation Observations
• Diagnosis accuracy is high
  • Diagnosis accuracy depends on channel conditions
  • Persistent misbehavior detected with high accuracy
• Adding penalty negates throughput advantage
  • Can discourage misbehavior
Additional details in paper
Mechanisms to address protocol response after packet collisions
Extensions for catching certain receiver misbehavior
Preliminary ideas for addressing collusion

Conclusion
• MAC layer misbehavior can severely affect throughput of well-behaved nodes
• We present simple modifications to IEEE 802.11 to detect/penalize misbehavior
• Open issues:
  • Collusion detection
  • Integrate diagnosis scheme with higher layers

Paper 2
M. Raya, J. P. Hubaux, and I. Aad, DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots, Proceedings of the Second International Conference on Mobile Systems, Applications, and Services, Boston, June 2004
Question
Well-behaved node Well-behaved node
The access point is trusted
The MAC layer is fair: if users have similar needs, they obtain a similar share of the bandwidth
How do we prevent greedy behavior at the MAC layer in WiFi hotspots?
Question
Well-behaved node Cheater
The access point is trusted
Preventing greedy behavior at the MAC layer in WiFi hotspots

IEEE 802.11 MAC – Brief reminder
• IEEE 802.11 is the MAC protocol used in WiFi
• By default, it is the one used in wireless multi-hop networks
Greedy Behavior 1/4: Oversized NAV
Greedy Behavior 2/4: Transmit before DIFS
Greedy Behavior 3/4: Scramble others’ frames
Greedy Behavior 4/4: Pick a shorter backoff
Implementation of this cheating technique: 3 lines of code!

Misbehavior Metrics
Throughput
• Depending on applications
• Affected by many factors
• Affected by the performance of higher layers
Backoff
• Not perfect but relatively easier to compute
• Backoff time and the waiting time of a low rate source can't be distinguished
• Hard to compute sender's backoff
• Hidden terminal problem

Proposed solution: DOMINO
• DOMINO: System for Detection Of greedy behaviour in the MAC layer of WiFi public NetwOrks (Raya, Hubaux, Aad, Mobisys 2004)
• Idea: monitor the traffic and detect deviations by comparing average values of observed users
• Detection tests: statistical comparison of the observed protocol behaviour
• Features:
  • Full standard compliance
  • Needs to be implemented only at the Access Point
  • Simple and efficient
• The operator decides the amount of evidence required before taking action (e.g. in order to prevent false positives)
• Other solution: Kyasanur + Vaidya, DSN 2003 (but not protocol compliant)

Detection Tests of DOMINO

| Cheating method | Detection test |
|-----------------|----------------|
| Frame scrambling | Number of retransmissions |
| Oversized NAV | Comparison of the declared and actual NAV values |
| Transmission before DIFS | Comparison of the idle time after the last ACK with DIFS |
| Backoff manipulation | Maximum backoff: the maximum should be close to CWmin - 1; Actual backoff; Consecutive backoff |

Simulation of cheating and detection
• Cheating technique: backoff manipulation
• Traffic:
  • Constant Bit Rate / UDP traffic
  • FTP / TCP traffic
• Misbehavior coefficient (m): cheater chooses its backoff as (1 - m) x CWmin
• Simulation environment: ns-2
[Figure label: Cheater]

Simulation results
• Each point corresponds to 100 simulations
• Confidence intervals: 95%

Implementation of the demo prototype
Equipment
• Adapters based on the Atheros AR5212 chipset
• MADWIFI driver
Misbehavior: backoff
• Overwrite the values CWmin and CWmax (in driver)
Monitoring
• The driver in MONITOR mode
• prism2 frame header
[Figure labels: AP, DOMINO, Cheater, Well-behaved]

Conclusion
• There exist greedy techniques against hotspots
• Some of these techniques are straightforward
• Authors have proposed, implemented and patented a simple solution, DOMINO, to prevent them (http://domino.epfl.ch)
• The same problem in self-organized wireless systems is still unsolved. Can it be solved?
  • Game-theoretic study: M. Cagalj, S. Ganeriwal, I. Aad and J.-P. Hubaux, "On Cheating in CSMA/CA Networks", Technical report No. IC/2004/27, July 2004
• Many problems still need to be solved in this field
Questions
The measurements of actual backoff and consecutive backoff by the AP are not clearly addressed in the paper (to me ^_^). Who can give a better explanation?
Why does consecutive backoff not work with UDP traffic?
Further exploration is encouraged in this topic.

Homeworks