ICPADS2005-1 - PowerPoint PPT Presentation

1
Protecting IEEE 802.11 Wireless LANs against the
FCS False Blocking Attack
  • Shih-Tsung Liang and Ming-Yi Weng
  • Department of Mathematics Computer Science
    Education, Taipei Municipal Teachers College
  • Department of Computer Science and Information
    Engineering, Da-Yeh University

2
Outline
  • IEEE 802.11 Media Access Control
  • The FCS False Blocking Attack
  • FCS False Blocking Detection and Recovery
  • Numerical Results
  • Concluding Remarks

3
IEEE 802.11 Media Access Control
  • IEEE 802.11 DCF (Distributed Coordination
    Function)

[Figure: timing diagram labelled "DIFS" and "Medium is idle"; caption: to transmit a frame after a long period of idle medium]
4
IEEE 802.11 Media Access Control
  • On receiving an FCS error frame

  • to give high priority to the retransmission of
    FCS-error frames
  • In case of a faulty CRC module at the receiving
    site, the longer holdback can deter the
    malfunctioning station from transmitting error
    frames, and hence prevent the waste of bandwidth

[Figure: timing diagram labelled "EIFS" and "Medium is idle"; caption: to transmit a frame after a long period of idle medium]
5
IEEE 802.11 Media Access Control
  • After an error-free frame is received

[Figure: timing diagram labelled "DIFS" and "Medium is idle"; caption: to transmit a frame after a long period of idle medium]
6
The FCS False Blocking Attack
  • A station constantly transmits frames with FCS
    error

[Figure: the attacking station (DIFS) and other stations nearby (EIFS) contending for wireless bandwidth; the attacking station can get higher priority to transmit]
7
The FCS False Blocking Attack
  • Impact of the FCS False Blocking attack on
    network performance (traffic volume)

Scenario | Connection type | Transmission rate 1M | 2M | 5.5M | 11M
Without Attacks | FCS Attack Connection | 3079 | 4620 | 6625 | 8939
Without Attacks | All 5 Stream video connections | 32179 | 45522 | 61630 | 67139
Under an Attack | FCS Attack Connection | 3669 | 5275 | 8063 | 10381
Under an Attack | All 5 Stream video connections | 31684 | 44100 | 54507 | 62017

8
The FCS False Blocking Attack
  • Possible solutions?
  • How about identifying the attacking source?
  • The MAC address matching process may take much
    more time than FCS calculation
  • The identified MAC address may be a fake
  • FCS error frames still come from malicious
    attackers
  • Our approach
  • Does not identify the source
  • Frustrates the malicious behavior

9
FCS False Blocking Detection and Recovery
  • The ratio of error_frames to correct_frames

[Figure: error_frames/correct_frames plotted against no. of stream video connections]
10
FCS False Blocking Detection and Recovery
[Flowchart, Data Collection Phase: frame received → rcv_frame → FCS correct? (Y: correct_frame; N: error_frame) → rcv_frame > detection_count? (N: return; Y: proceed)]
11
FCS False Blocking Detection and Recovery
[Flowchart, Detection and Recovery Phase: FCS_error_flag = 0, set IFS to EIFS; FCS_error_flag = 1, do not set IFS to EIFS; error_frame = 0, correct_frame = 0, all_frame = 0; return]
12
Numerical Results
  • Simulation set up
  • Based on Network Simulator v2.27
  • Embed the proposed FCS False Blocking detection
    and recovery mechanism into the 802.11 MAC module
    of NS2.27 (C code implementation)
  • network topology
  • FCS error attack source
  • Constant bit rate
  • streaming video connections
  • 150Kbps/300Kbps

13
Numerical Results
  • Simulation parameter settings

No. of streaming video connections | FCS attacking rate | Transmission rate | Error threshold | Detection count | Simulation time
6 (300Kbps × 3, 150Kbps × 3) | 2Mbps | 2Mb | 0.03 | 2000 | 10 Minutes
10 (300Kbps × 5, 150Kbps × 5) | 2Mbps | 2Mb | 0.03 | 2000 | 10 Minutes
6 (300Kbps × 3, 150Kbps × 3) | 5.5Mbps | 5.5Mb | 0.03 | 5500 | 10 Minutes
10 (300Kbps × 5, 150Kbps × 5) | 5.5Mbps | 5.5Mb | 0.03 | 5500 | 10 Minutes
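
The detection and recovery logic of slides 10 and 11, written out with the error threshold and detection count from the table above. This is an added example, not the authors' NS2 code. It assumes the flag is raised when error_frame/correct_frame exceeds the threshold at the end of a window; on_frame, run_trace and the frame traces are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define ERROR_THRESHOLD 0.03   /* "Error threshold" from the slide-13 table */
#define DETECTION_COUNT 2000   /* "Detection count" for the 2 Mb rows */

enum ifs { IFS_DIFS, IFS_EIFS };

struct fcs_monitor {
    unsigned rcv_frame, correct_frame, error_frame;
    int fcs_error_flag;        /* 1: suspected attack, do not set IFS to EIFS */
};

/* Process one received frame and return the IFS the station applies next. */
enum ifs on_frame(struct fcs_monitor *m, bool fcs_ok)
{
    /* Data collection phase: count every frame by its FCS result. */
    m->rcv_frame++;
    if (fcs_ok) m->correct_frame++; else m->error_frame++;

    /* Detection phase, once per window. ASSUMPTION: the flag is raised when
       error_frame/correct_frame exceeds the threshold (written without a
       division so a window with no correct frames is handled). */
    if (m->rcv_frame > DETECTION_COUNT) {
        m->fcs_error_flag = m->error_frame > ERROR_THRESHOLD * m->correct_frame;
        m->rcv_frame = m->correct_frame = m->error_frame = 0;
    }
    /* Recovery: while flagged, an FCS error no longer forces the long EIFS. */
    if (fcs_ok || m->fcs_error_flag) return IFS_DIFS;
    return IFS_EIFS;
}

/* Constructed trace: every error_every-th frame (error_every > 0) has a bad
   FCS. Returns how many times the station was held back by EIFS. */
unsigned run_trace(struct fcs_monitor *m, unsigned frames, unsigned error_every)
{
    unsigned eifs = 0;
    for (unsigned i = 1; i <= frames; i++)
        if (on_frame(m, i % error_every != 0) == IFS_EIFS) eifs++;
    return eifs;
}

int main(void)
{
    struct fcs_monitor noisy = {0}, attacked = {0};
    printf("1%% errors:  EIFS used %u times\n", run_trace(&noisy, 6000, 100));
    printf("50%% errors: EIFS used %u times\n", run_trace(&attacked, 6000, 2));
    return 0;
}
```

With ordinary channel noise every FCS error still triggers EIFS; under a sustained stream of bad frames the station stops deferring after the first detection window and returns to EIFS once a clean window is observed.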
14
Numerical Results
Scenarios I, II
15
Numerical Results
Scenarios III, IV
16
Concluding Remarks
  • Identify a new pattern of 802.11 false blocking
    attacks: the FCS false blocking attack, in which
    the attacker continuously transmits data with
    erroneous FCS values
  • A corresponding detection and recovery mechanism is
    also proposed and has been shown to
    moderate the impact on wireless networks
    caused by FCS false blocking attacks
  • Under a single attacking source, the FCS False
    Blocking detection and recovery mechanism can,
    on average, increase the network throughput 5 to
    8

17
Thank you!!
Request for Comment
18
DCF
  • CSMA/CA
  • Error Recovery Mechanisms
  • DCF Access Procedure

19
CSMA/CA
  • Why doesn't CSMA/CD work?
  • The hidden terminal problem!

STA1
STA2
STA3
STA1 can communicate with only STA2. STA2 can
communicate with STA1 and STA3. STA3 can
communicate with only STA2. The frame from STA1
to STA2 can be corrupted by a transmission
initiated by STA3. The STA3 did not know the
ongoing transmission from STA1 to STA2
20
CSMA/CA
  • To cope with the hidden terminal problem
  • Medium reservation through the exchange of RTS
    and CTS frames prior to the actual data

RTS
CTS
STA2
STA3
STA1
Area cleared by RTS (Request To Send)
Area cleared by CTS (Clear To Send)
21
CSMA/CA
  • MAC-Level Acknowledgement
  • Wireless media are noisy and unreliable
  • The source needs to make sure the frame has been
    correctly received by the destination
  • If the source does not receive the ACK, the
    source will retransmit the frame

22
CSMA/CA
  • 4-way MAC frame exchange protocol

Source
Destination
RTS
Collision Protect!!
CTS
who protect me? (size is the key!!)
Data
ACK
23
CSMA/CA
  • More about 4-way handshake
  • RTS and CTS may be disabled by the
    dot11RTSThreshold attribute in the MIB
    (Management Information Base)
  • If frame length > dot11RTSThreshold
  • → 4-way frame exchange with RTS and CTS
  • If frame length ≤ dot11RTSThreshold
  • → frame exchange without RTS and CTS
  • The default dot11RTSThreshold is 128
  • In environments where STAs can hear each other, a
    higher dot11RTSThreshold can reduce the bandwidth
    consumption on RTS and CTS

24
CSMA/CA
  • Carrier Sense Mechanism
  • Physical carrier sense
  • Physical layer carrier sense
  • Similar to 802.3
  • Check for Medium status (Idle/Busy)
  • Virtual carrier sense
  • Mac layer carrier sense
  • Network Allocation Vector (NAV)
  • A countdown counter that records the amount of time
    remaining before the wireless channel is clear
  • (i.e., NAV = 0 → clear)

25
CSMA/CA
  • MAC control logic

[Flowchart nodes: Wait for frame to transmit; NAV = 0?; Flag = 0; Flag = 1; Check PHY; Medium Idle?; Collision?; Wait IFS; Still Idle?; Transmit Frame; Flag = 0?; Random Backoff Time]

Note: The period of time immediately following a
busy medium has the highest probability of a
collision occurring. Many stations may be waiting
for the medium to become idle and attempt to
transmit at the same time. Thus, whenever a
station senses a busy medium, a random backoff
time is used.
26
CSMA/CA
  • Random backoff time
  • Backoff time = Random() × aSlotTime
  • Random(): a uniformly distributed integer randomly
    selected from [0, CW], where CW is the contention
    window
  • For each unsuccessful frame transmission, CW
    doubles (from CWmin to CWmax)
  • CW ← 2 × CW + 1
  • Reduces the collision probability

PHY | CWmin | CWmax
FHSS | 15 | 1023
DSSS | 31 | 1023
IR | 63 | 1023
27
Error Recovery Mechanisms
  • Errors (interference, collision)
  • STA sends an RTS but does not receive the CTS
  • STA sends a data frame but does not receive the ACK
  • Retransmission with retry limit
  • shortRetryLimit: frame length ≤
    dot11RTSThreshold
  • longRetryLimit: frame length > dot11RTSThreshold

28
DCF Access procedure
  • Interframe space (IFS)
  • SIFS: Short InterFrame Space
  • Used for immediate response actions (e.g., ACK,
    CTS)
  • PIFS: PCF InterFrame Space
  • Used by the centralized controller in the PCF scheme when
    using polls
  • DIFS: DCF InterFrame Space
  • Used by the distributed coordination function (DCF)
    for asynchronous frame contention
  • EIFS: Extended InterFrame Space
  • Used by the DCF after indication of an erroneous
    frame (e.g., FCS error)
  • Reception of an error-free frame during the EIFS
    terminates the access using EIFS, and
    normal medium access (using DIFS) continues

shortest → longest
29
DCF Access procedure
  • Basic Access Method

30
DCF Access procedure
  • Example of backoff procedure

[Timing diagram: STA 1: backoff 12, 7, 3, then busy; STA 2: backoff 5, then busy; STA 3: DIFS, then busy; STA 4: backoff 9, 4, then busy]
  • After an MSDU arrives at the MAC, STA 3 senses the medium
    free for DIFS, so it initiates transmission
    immediately without a backoff interval
  • For STA 1, 2, and 4, their DIFS intervals are
    interrupted by STA 3. Thus, the backoff
    intervals for STA 1, 2, and 4 are generated
    randomly (e.g., 12, 5, and 9, respectively)
  • After transmission of STA 2, the remaining
    backoff interval of STA 1 is (12-5) = 7.
  • After transmission of STA 2, the remaining
    backoff interval of STA 4 is (9-5) = 4.
  • After transmission of STA 4, the remaining
    backoff interval of STA 1 is (7-4) = 3.

31
DCF Access procedure
  • Example of backoff procedure (continued)

[Timing diagram: STA 1: backoff 9, 4, then busy; STA 2: backoff 5, 20, 16, then busy; STA 3: DIFS, then busy; STA 4: backoff 5, 18, 14, then busy]
  • STA 3 senses the medium free for DIFS and initiates
    transmission immediately
  • For STA 1, 2, and 4, their DIFS intervals are
    interrupted by STA 3. Thus, the backoff
    intervals for STA 1, 2, and 4 are generated
    randomly (e.g., 9, 5, and 5, respectively)
  • Collision occurs between STA 2 and 4.
  • After the collision of STA 2 and 4, the remaining
    backoff interval of STA 1 is (9-5) = 4.
  • The backoff intervals for retransmission of STA
    2 and 4 are generated randomly (e.g., 20 and
    18, respectively). (tend to be larger than the initial
    attempt)
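
The backoff countdown from the two examples above (slides 30 and 31), together with the CW growth rule from slide 26, as an added example that is not part of the original presentation. The names contention_round and next_cw are hypothetical; array index k holds STA k+1, and the drawn backoff values are the ones given on the slides.

```c
#include <stdio.h>

#define IDLE (-1)   /* station has no frame waiting */

/* CW growth after an unsuccessful transmission: CW <- 2*CW + 1, capped at CWmax. */
int next_cw(int cw, int cw_max)
{
    int grown = 2 * cw + 1;
    return grown > cw_max ? cw_max : grown;
}

/* One contention round: the smallest backoff counter expires first; every other
   waiting station freezes and keeps its remainder. Stations that reach zero are
   marked IDLE. Returns how many expired together (1 = success, >1 = collision)
   and stores their indices in expired[]. */
int contention_round(int backoff[], int n, int expired[])
{
    int min = IDLE, count = 0;
    for (int i = 0; i < n; i++)
        if (backoff[i] != IDLE && (min == IDLE || backoff[i] < min))
            min = backoff[i];
    if (min == IDLE) return 0;          /* nobody is waiting */
    for (int i = 0; i < n; i++) {
        if (backoff[i] == IDLE) continue;
        backoff[i] -= min;
        if (backoff[i] == 0) { expired[count++] = i; backoff[i] = IDLE; }
    }
    return count;
}

int main(void)
{
    int sta[4] = {9, 5, IDLE, 5};   /* slide 31: STA 1, 2, 4 draw 9, 5, 5 */
    int expired[4], cw = 31;        /* DSSS CWmin from the slide-26 table */
    int k = contention_round(sta, 4, expired);
    printf("%d stations expired together, STA 1 has %d slots left\n", k, sta[0]);
    if (k > 1) {                    /* collision: grow CW, redraw (slide values) */
        cw = next_cw(cw, 1023);
        sta[1] = 20; sta[3] = 18;
    }
    k = contention_round(sta, 4, expired);
    printf("CW=%d, STA %d transmits, STA 2 and 4 keep %d and %d\n",
           cw, expired[0] + 1, sta[1], sta[3]);
    return 0;
}
```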