
DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots

Written By: Maxim Raya, Jean-Pierre Hubaux, Imad Aad, School of Computer and Communication Sciences

Presented By: Michael Kroll, University of South Carolina

2/21/2008

Overview: Introduction

Steady increase in hotspots

28,000 hotspots in 2004

Predicted 160,000 in 2007 but actually 180,000

Security and Billing = Focus on Authentication and Confidentiality in 802.11

802.11 only works if stations respect MAC protocol


Overview: Benefit of Misuse in MAC Layer

MAC-layer Greedy Behavior = Deliberate abuse of 802.11 MAC

Why abuse 802.11 MAC?

Significant bandwidth gain in medium

More efficient than network or transport layers

Hidden and independent from upper layers

Hard to detect by applications

Everything uses 802.11

Cheating on TCP fails against UDP


Overview: DOMINO Solution

Seamless integration into AP

Passive, no interference with normal functions

Compatible with existing networks

Compatible with future versions of 802.11

With some minor changes

Not theoretical, real experimental product


Overview: Outline

A. Related Work

B. System Model of Normal 802.11

C. Misbehavior Techniques

D. Methods to Measure Misbehavior

E. Function of DOMINO

F. Simulation Results

G. Implementation of DOMINO

H. Discussion


Related Work

Research on MAC-layer greedy is limited

Relatively new and unexplored

Kyasanur/Vaidya: Receiver assigns/sends backoff values in CTS/ACK

Not compatible with 802.11

Misbehaving receivers

Computational overhead and new frame fields

Only backlogged UDP, actual backoff larger than assigned = cheater success


Related Work

Konorski: Ad-hoc network using backoff from Game Theory

Different from 802.11 standard

IDS (AirDefense Guard) provides sensors to monitor

DOMINO can be extension of these


System Model of Normal 802.11: Review

What is DIFS?

What is SIFS?

What is Backoff?

What is NAV?

How do they relate?


System Model of Normal 802.11: Review Diagram


System Model of Normal 802.11: Backoff Setting

Chosen Backoff bounded by Contention Window (CW)

Backoff decreases as long as channel is idle

Backoff frozen when the channel is in use

Backoff = 0, send the frame

Collision = frame lost, increase CW and new backoff

If success next round, reset CW to minimum


Misbehavior Techniques: Concept of Greedy

MAC Greedy Behavior: Fail to follow procedures or change parameters defined by 802.11

Stations misbehave only for beneficial outcome for themselves

Assumption, don’t consider attacks of disruption (deauthentication, security attack)

Simpler and more efficient than other known methods


Misbehavior Techniques: 1. Scramble Frames

Scramble others’ frames to increase their CW

CTS: Cheater hears RTS destined somewhere = Intentionally transmit to collide

Expected CTS response lost, channel goes idle for backoff

ACK/Data: Cause CW of ACK destination (Data source) to double

Increases the backoff for longer channel idle


Misbehavior Techniques: 2. Manipulate 802.11 Parameters

Change existing 802.11 parameters

Idle Channel = Transmit after SIFS but before waiting DIFS

False increase NAV on sending RTS/Data

Choose smaller fixed CW than others

Shortening your Backoff to cheat


Methods to Measure Misbehavior: 1. Throughput

Measure Throughput on stations to find

Problems in Design

2 stations using different data rates/delays

VoIP vs. Streaming Video

UDP throughput affected by overhead, SNR, hardware, drivers, O/S

TCP coupled with 802.11 derogates on

TCP: CW, recovery, packet size, timeout

802.11: ACK, retry limit, backoff


Methods to Measure Misbehavior: 2. Backoff

Used in DOMINO, less dependent on factors

Problems in Design

Backoff idle period after DIFS is indistinguishable from delay of low packet source

Cheater gives impression of well-behaved

MAC header not enough data to get backoff

Some stations increase backoff in collision, some don’t

Hidden Terminal Problem

Sender thinks idle and sends, hidden node also sending, receiver sees collision


Function of DOMINO: Use of Backoff

Overcoming Backoff problems easier than Throughput

Estimate backoff by monitoring channel idle time

Several backoff solutions, not enough alone

Combine backoff solutions to catch most misbehavior


Function of DOMINO: DOMINO Code Structure

Collect traces in Monitoring Period and run algorithm

Increment cheater hit for K times before stopping

Prevent false positives


Function of DOMINO: 1. Scramble Frames

Must scramble lots of frames

# of retransmissions less than other stations

Repeated sequence number

Attacker never resetting while others are and repeating sequence


Function of DOMINO: 2. Shorter than DIFS

After an ACK is sent, stations should be idle for a DIFS (unless cheating)


Function of DOMINO: 3. Oversized NAV

Measure the actual duration of Data, ACK, and RTS/CTS

Advertised NAV more than actual indicates cheater
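
Tests 2 and 3 above, as an added example (not code from the slides or from DOMINO itself): a checker run over a constructed frame trace. The 802.11b timing constants, the 2 µs tolerance, the record layout and the trace are assumptions of this sketch.

```python
from collections import Counter

# Assumed timing: 802.11b DSSS values, in microseconds.
SIFS_US, SLOT_US = 10, 20
DIFS_US = SIFS_US + 2 * SLOT_US      # 50 us
TOLERANCE_US = 2                     # assumed allowance for measurement jitter

# Constructed trace: (station, frame type, start, airtime, advertised NAV).
# An honest Data frame advertises SIFS + ACK airtime = 10 + 112 = 122 us.
TRACE = [
    ("A",  "data", 0,    400, 122),
    ("AP", "ack",  410,  112, 0),
    ("B",  "data", 612,  400, 122),   # 90 us idle after the ACK
    ("AP", "ack",  1022, 112, 0),
    ("C",  "data", 1154, 400, 122),   # only 20 us idle after the ACK
    ("AP", "ack",  1564, 112, 0),
    ("D",  "data", 1776, 400, 900),   # NAV far longer than the exchange
    ("AP", "ack",  2186, 112, 0),
]

def check_trace(trace):
    """Return {station: Counter(violation -> count)} for tests 2 and 3."""
    hits = {}
    for i, (sta, kind, start, airtime, nav) in enumerate(trace):
        if kind != "data":
            continue
        # Test 2: idle time since the preceding ACK must be at least DIFS.
        if i > 0 and trace[i - 1][1] == "ack":
            prev_end = trace[i - 1][2] + trace[i - 1][3]
            if start - prev_end < DIFS_US - TOLERANCE_US:
                hits.setdefault(sta, Counter())["short_difs"] += 1
        # Test 3: advertised NAV versus the measured time from the end of
        # this frame to the end of the ACK that closes the exchange.
        if i + 1 < len(trace) and trace[i + 1][1] == "ack":
            measured = trace[i + 1][2] + trace[i + 1][3] - (start + airtime)
            if nav > measured + TOLERANCE_US:
                hits.setdefault(sta, Counter())["oversized_nav"] += 1
    return hits

if __name__ == "__main__":
    print(check_trace(TRACE))
```

A single hit is only a per-frame observation; the slides describe counting hits over monitoring periods before a station is treated as a cheater.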


Function of DOMINO: 4. Maximum Backoff

Find if backoff observed is less than some threshold

Small sample period = low threshold, simulations show CW/2 is best threshold

Cheater could give one sufficiently large backoff to throw off average


Function of DOMINO: 5. Actual Backoff

B_acnom = average backoff observed by AP

α_ac = Percent true/false positive (90% in simulations)

Picks up TCP frame delays, increases backoff and can disguise the cheater


Function of DOMINO: 6. Consecutive Backoff

Now can handle TCP sources (91% of network traffic)

Similar to Test 5, but B_conom = Backoff between consecutive non-interleaved transmissions


Function of DOMINO: Actual vs. Consecutive Backoff


Function of DOMINO: Review Structure Again

Collect traces in Monitoring Period and run algorithm

Increment cheater hit for K times before stopping

Prevent false positives


Simulation Results: Setup

Ns-2 with Monarch project extension

10 simulations, 110 seconds each, monitoring period every 10 seconds

Mimic fading effects of real channel with Shadowing Channel

Pr(d) power at distance d, d0 reference


Simulation Results: Setup

8 stations (one cheater) sending 500 bytes/packet at 200 packets/s

UDP sending CBR traffic

TCP sending FTP traffic

All stations 50 meters away

Problem in this?


Simulation Results: Misbehavior Coefficient

Misbehavior Coefficient: Amount of misbehavior based on size of backoff

M = 0, no misbehavior

M = 1, full misbehavior (no backoff used)


Simulation Results: Gains from Cheating

Why TCP harder to cheat?

TCP congestion control and rate of TCP ACKs


Simulation Results: Test to Detect Actual Backoff

UDP cheating caught

TCP failed because TCP congestion control being picked up

Result not shown since all on x-axis only


Simulation Results: Test to Detect Consecutive Backoff

TCP cheating caught

UDP failed as TCP did before

Result not shown since all on x-axis only


Simulation Results: Need to Stack Tests

Actual catches UDP but misses TCP

Consecutive catches TCP but misses UDP

Combining catches both
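
The stacking result above, together with the per-period structure and the K-hit counter from the code-structure slide, as an added example (not DOMINO's own code). The comparison rule "mean backoff below α times the nominal backoff", the nominal value 15.5 slots (assuming CWmin = 31), K = 3, the decay of the counter on a clean period and all sample values are assumptions of this sketch.

```python
from statistics import mean

ALPHA = 0.9      # tolerance factor; the slides quote 90% for the simulations
K = 3            # assumed number of hits needed before a station is flagged
NOMINAL = 15.5   # assumed nominal backoff in slots: mean of uniform 0..31

# Constructed samples for one monitoring period, shaped so that each cheater
# trips only one test, as in the simulation results on the slides.
PERIOD = {
    "honest":    {"actual": [14, 20, 9, 17, 16],  "consecutive": [15, 13, 18]},
    "udp_cheat": {"actual": [2, 4, 1, 3, 2],      "consecutive": []},
    "tcp_cheat": {"actual": [30, 41, 25, 38, 29], "consecutive": [1, 3, 2]},
}

def domino(periods, tests=("actual", "consecutive"),
           nominal=NOMINAL, alpha=ALPHA, k=K):
    """Run the chosen backoff tests once per monitoring period.

    Returns {station: tests that were failing when its counter reached k}.
    """
    counters, caught = {}, {}
    for period in periods:
        for sta, samples in period.items():
            # A test fails when the station's mean backoff is below
            # alpha * nominal; a test with no samples is skipped.
            failed = [t for t in tests
                      if samples[t] and mean(samples[t]) < alpha * nominal]
            count = counters.get(sta, 0)
            # Assumption of this sketch: a clean period decays the counter.
            count = count + 1 if failed else max(count - 1, 0)
            counters[sta] = count
            if count >= k and sta not in caught:
                caught[sta] = failed
    return caught

if __name__ == "__main__":
    print(domino([PERIOD] * 3))                      # both cheaters
    print(domino([PERIOD] * 3, tests=("actual",)))   # UDP cheater only
```

Running either test alone misses one of the two constructed cheaters, and a station that trips a test in isolated periods never reaches K.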


Implementation: Design

Proxim ORINOCO 11a/b/g Combo Card

MADWIFI driver (Linux)

Modify CW in registry of driver to cheat


Implementation: Ethereal

Measure Backoff Manually


Implementation: DOMINO in Use

Increasing coefficient (cheating) = Detection

Why allow leeway?

False detection, attacker not doing much harm


Implementation: Overhead and Location

DOMINO on AP (software or firmware upgrade)

Passive only, low overhead

500 bytes at 7 Mbps, 50 stations = 0.021% 200 MHz CPU (4 clock cycles)

Can do separate unit near AP (AirDefense Guard sensors)

Decide based on service requirements, available equipment, and infrastructure


Discussion Issues: Hidden Terminals

B transmitting to AP, A can’t see B and thinks idle

A decrementing its backoff looks smaller than should be, false detect

Increase threshold values to tolerate some legitimate misbehavior


Discussion Issues: Adaptive Cheating

Cheater knows DOMINO, switch methods during collection periods to throw off

Must guess monitoring period/thresholds (won’t know success until blocked)

Deliberate its collide two frames, fail Actual backoff and never hit Consecutive

Not beneficial to cheater (goal is to be greedy)


Discussion Issues: Monitoring Period

Monitoring Period needs to be large enough for fairness

802.11 binary exponential backoff unfair in short-term (false positives)

500 bytes at 7 Mbps, 50 stations, 10 second monitoring period = 350 backoff values per station


Conclusion: Advantages

What is so good about DOMINO?

DOMINO uses modular building of tests

Catch many cheating with various tests

Easy to build upon for future cheating

Low overhead (passive) or run separate

Extension to existing Intrusion Detection Systems


Conclusion: Potential Issues?

Issues not addressed in DOMINO?

Testing was just on FTP and CBR

Focus of tests were Actual and Consecutive Backoffs (only 2 out of 6 issues)

Stations organized perfectly around AP, not different ranges

No consideration for obstacles or interference