DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots
Written By: Maxim Raya, Jean-Pierre Hubaux, Imad Aad
School of Computer and Communication Sciences
Presented By: Michael Kroll
University of South Carolina
2/21/2008 2
Overview: Introduction
Steady increase in hotspots
  28,000 hotspots in 2004
  Predicted 160,000 in 2007 but actually 180,000
Security and Billing = Focus on Authentication and Confidentiality in 802.11
802.11 only works if stations respect MAC protocol
Overview: Benefit of Misuse in MAC Layer
MAC-layer Greedy Behavior = Deliberate abuse of 802.11 MAC
Why abuse 802.11 MAC?
  Significant bandwidth gain in medium
  More efficient than network or transport layers
  Hidden and independent from upper layers
Hard to detect by applications
  Everything uses 802.11
  Cheating on TCP fails against UDP
Overview: DOMINO Solution
Seamless integration into AP
  Passive, no interference with normal functions
Compatible with existing networks
Compatible with future versions of 802.11
  With some minor changes
Not theoretical, real experimental product
Overview: Outline
A. Related Work
B. System Model of Normal 802.11
C. Misbehavior Techniques
D. Methods to Measure Misbehavior
E. Function of DOMINO
F. Simulation Results
G. Implementation of DOMINO
H. Discussion
Related Work
Research on MAC-layer greedy behavior is limited
  Relatively new and unexplored
Kyasanur/Vaidya: Receiver assigns/sends backoff values in CTS/ACK
  Not compatible with 802.11
  Misbehaving receivers
  Computational overhead and new frame fields
  Only backlogged UDP, actual backoff larger than assigned = cheater success
Related Work
Konorski: Ad-hoc network using backoff from Game Theory
  Different from 802.11 standard
IDS (AirDefense Guard) provides sensors to monitor
  DOMINO can be extension of these
System Model of Normal 802.11: Review
What is DIFS?
What is SIFS?
What is Backoff?
What is NAV?
How do they relate?
System Model of Normal 802.11: Review Diagram
System Model of Normal 802.11: Backoff Setting
Chosen Backoff bounded by Contention Window (CW)
Backoff decreases as long as channel is idle
Backoff frozen when the channel is in use
Backoff = 0, send the frame
Collision = frame lost, increase CW and new backoff
If success next round, reset CW to minimum
Misbehavior Techniques: Concept of Greedy
MAC Greedy Behavior: Fail to follow procedures or change parameters defined by 802.11
Stations misbehave only for beneficial outcome for themselves
  Assumption, don’t consider attacks of disruption (deauthentication, security attack)
Simpler and more efficient than other known methods
Misbehavior Techniques: 1. Scramble Frames
Scramble others’ frames to increase their CW
CTS: Cheater hears RTS destined somewhere = Intentionally transmit to collide
  Expected CTS response lost, channel goes idle for backoff
ACK/Data: Cause CW of ACK destination (Data source) to double
  Increases the backoff for longer channel idle
Misbehavior Techniques: 2. Manipulate 802.11 Parameters
Change existing 802.11 parameters
  Idle Channel = Transmit after SIFS but before waiting DIFS
  False increase NAV on sending RTS/Data
  Choose smaller fixed CW than others
Shortening your Backoff to cheat
Methods to Measure Misbehavior: 1. Throughput
Measure Throughput on stations to find
Problems in Design
  2 stations using different data rates/delays
    VoIP vs. Streaming Video
  UDP throughput affected by overhead, SNR, hardware, drivers, O/S
  TCP coupled with 802.11 derogates on
    TCP: CW, recovery, packet size, timeout
    802.11: ACK, retry limit, backoff
Methods to Measure Misbehavior: 2. Backoff
Used in DOMINO, less dependent on factors
Problems in Design
  Backoff idle period after DIFS is indistinguishable from delay of low packet source
    Cheater gives impression of well-behaved
  MAC header not enough data to get backoff
    Some stations increase backoff in collision, some don’t
  Hidden Terminal Problem
    Sender thinks idle and sends, hidden node also sending, receiver sees collision
Function of DOMINO: Use of Backoff
Overcoming Backoff problems easier than Throughput
Estimate backoff by monitoring channel idle time
Several backoff solutions, not enough alone
  Combine backoff solutions to catch most misbehavior
Function of DOMINO: DOMINO Code Structure
Collect traces in Monitoring Period and run algorithm
Increment cheater hit for K times before stopping
  Prevent false positives
Function of DOMINO: 1. Scramble Frames
Must scramble lots of frames
  # of retransmissions less than other stations
Repeated sequence number
  Attacker never resetting while others are and repeating sequence
Function of DOMINO: 2. Shorter than DIFS
After an ACK is sent, stations should be idle for a DIFS (unless cheating)
Function of DOMINO: 3. Oversized NAV
Measure the actual duration of Data, ACK, and RTS/CTS
Advertised NAV more than actual indicates cheater
Function of DOMINO: 4. Maximum Backoff
Find if backoff observed is less than some threshold
  Small sample period = low threshold, simulations show CW/2 is best threshold
Cheater could give one sufficiently large backoff to throw off average
Function of DOMINO: 5. Actual Backoff
Bacnom = average backoff observed by AP
αac = Percent true/false positive (90% in simulations)
Picks up TCP frame delays, increases backoff and can disguise the cheater
Function of DOMINO: 6. Consecutive Backoff
Now can handle TCP sources (91% of network traffic)
Similar to Test 5, but Bconom = Backoff between consecutive non-interleaved transmissions
Function of DOMINO: Actual vs. Consecutive Backoff
Function of DOMINO: Review Structure Again
Collect traces in Monitoring Period and run algorithm
Increment cheater hit for K times before stopping
  Prevent false positives
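
The per-period check-and-count structure above, combined with tests 2, 3, 5 and 6 from the preceding slides, as an added Python example that is not from the presentation or from the DOMINO authors. Assumed here: the trace field names, the comparison form (observed average backoff below ALPHA times the nominal backoff, with the slide's 90% figure used as ALPHA), the NAV slack, K = 3, the counter decay, and the constructed sample traces.

```python
from collections import defaultdict
from statistics import mean

DIFS_US = 50      # 802.11b DIFS: SIFS (10 us) + 2 slots (20 us each)
ALPHA = 0.9       # assumed use of the slide's 90% figure as a tolerance factor
NAV_SLACK_US = 5  # assumed measurement tolerance for the NAV comparison
K = 3             # assumed number of failed periods before a station is flagged

def failed_tests(sta, nominal_backoff):
    """Names of the tests one station's traces fail in one monitoring period."""
    failed = []
    # Test 2: idle time after an ACK must be at least one DIFS.
    if any(idle < DIFS_US for idle in sta["idle_after_ack_us"]):
        failed.append("shorter_than_difs")
    # Test 3: advertised NAV must not exceed the measured exchange duration.
    if any(nav > real + NAV_SLACK_US for nav, real in sta["nav_vs_measured_us"]):
        failed.append("oversized_nav")
    # Tests 5 and 6: average backoff (in slots) against the nominal value.
    for name in ("actual_backoff", "consecutive_backoff"):
        samples = sta[name]
        if samples and mean(samples) < ALPHA * nominal_backoff:
            failed.append(name)
    return failed

class Monitor:
    """Per-station hit counter; a station is flagged after K failed periods."""
    def __init__(self, k=K):
        self.k, self.hits = k, defaultdict(int)

    def end_of_period(self, traces, nominal_backoff):
        flagged = []
        for mac, sta in traces.items():
            if failed_tests(sta, nominal_backoff):
                self.hits[mac] += 1
            elif self.hits[mac] > 0:
                self.hits[mac] -= 1  # assumed decay: one noisy period is forgiven
            if self.hits[mac] >= self.k:
                flagged.append(mac)
        return flagged

# Constructed traces: a well-behaved station (..0a) and one with a small fixed CW (..0b).
PERIOD = {
    "02:00:00:00:00:0a": {"idle_after_ack_us": [50, 70, 110],
                          "nav_vs_measured_us": [(314, 314)],
                          "actual_backoff": [3, 22, 14, 29, 9], "consecutive_backoff": [12, 20, 17]},
    "02:00:00:00:00:0b": {"idle_after_ack_us": [50, 50, 70],
                          "nav_vs_measured_us": [(314, 314)],
                          "actual_backoff": [1, 3, 0, 2, 3], "consecutive_backoff": [2, 1, 3]},
}

def run_demo(periods=4, nominal_backoff=15.5):
    """Replay the same constructed period; 15.5 slots is the mean of a CW of 31."""
    monitor = Monitor()
    return [monitor.end_of_period(PERIOD, nominal_backoff) for _ in range(periods)]
```

Requiring K failed periods is what keeps a single short-term unfair period from flagging a compliant station; the station with the small fixed CW is reported only from the third period on.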
Simulation Results: Setup
ns-2 with Monarch project extension
10 simulations, 110 seconds each, monitoring period every 10 seconds
Mimic fading effects of real channel with Shadowing Channel
  Pr(d) power at distance d, d0 reference
Simulation Results: Setup
8 stations (one cheater) sending 500 bytes/packet at 200 packets/s
  UDP sending CBR traffic
  TCP sending FTP traffic
All stations 50 meters away
  Problem in this?
Simulation Results: Misbehavior Coefficient
Misbehavior Coefficient: Amount of misbehavior based on size of backoff
  M = 0, no misbehavior
  M = 1, full misbehavior (no backoff used)
Simulation Results: Gains from Cheating
Why TCP harder to cheat?
  TCP congestion control and rate of TCP ACKs
Simulation Results: Test to Detect Actual Backoff
UDP cheating caught
TCP failed because TCP congestion control being picked up
  Result not shown since all on x-axis only
Simulation Results: Test to Detect Consecutive Backoff
TCP cheating caught
UDP failed as TCP did before
  Result not shown since all on x-axis only
Simulation Results: Need to Stack Tests
Actual catches UDP but misses TCP
Consecutive catches TCP but misses UDP
Combining catches both
Implementation: Design
Proxim ORINOCO 11a/b/g Combo Card
MADWIFI driver (Linux)
Modify CW in registry of driver to cheat
Implementation: Ethereal
Measure Backoff Manually
Implementation: DOMINO in Use
Increasing coefficient (cheating) = Detection
Why allow leeway?
  False detection, attacker not doing much harm
Implementation: Overhead and Location
DOMINO on AP (software or firmware upgrade)
  Passive only, low overhead
  500 bytes at 7 Mbps, 50 stations = 0.021% 200 MHz CPU (4 clock cycles)
Can do separate unit near AP (AirDefense Guard sensors)
Decide based on service requirements, available equipment, and infrastructure
Discussion Issues: Hidden Terminals
B transmitting to AP, A can’t see B and thinks idle
A decrementing its backoff looks smaller than should be, false detect
Increase threshold values to tolerate some legitimate misbehavior
Discussion Issues: Adaptive Cheating
Cheater knows DOMINO, switch methods during collection periods to throw off
  Must guess monitoring period/thresholds (won’t know success until blocked)
  Deliberately collide two of its frames, fail Actual backoff and never hit Consecutive
Not beneficial to cheater (goal is to be greedy)
Discussion Issues: Monitoring Period
Monitoring Period needs to be large enough for fairness
  802.11 binary exponential backoff unfair in short-term (false positives)
  500 bytes at 7 Mbps, 50 stations, 10 second monitoring period = 350 backoff values per station
Conclusion: Advantages
What is so good about DOMINO?
DOMINO uses modular building of tests
  Catch many cheating with various tests
  Easy to build upon for future cheating
Low overhead (passive) or run separate
Extension to existing Intrusion Detection Systems
Conclusion: Potential Issues?
Issues not addressed in DOMINO?
  Testing was just on FTP and CBR
  Focus of tests were Actual and Consecutive Backoffs (only 2 out of 6 issues)
  Stations organized perfectly around AP, not different ranges
  No consideration for obstacles or interference