DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots
Written By: Maxim Raya, Jean-Pierre Hubaux, Imad Aad, School of Computer and Communication Sciences
Presented By: Michael Kroll, University of South Carolina
Jan 07, 2016
2/21/2008 2
Overview: Introduction
Steady increase in hotspots
  28,000 hotspots in 2004
  Predicted 160,000 in 2007 but actually 180,000
Security and Billing = Focus on Authentication and Confidentiality in 802.11
802.11 only works if stations respect MAC protocol

Overview: Benefit of Misuse in MAC Layer
MAC-layer Greedy Behavior = Deliberate abuse of 802.11 MAC
Why abuse 802.11 MAC?
  Significant bandwidth gain in medium
  More efficient than network or transport layers
  Hidden and independent from upper layers
Hard to detect by applications
  Everything uses 802.11
Cheating on TCP fails against UDP

Overview: DOMINO Solution
Seamless integration into AP
  Passive, no interference with normal functions
Compatible with existing networks
Compatible with future versions of 802.11
  With some minor changes
Not theoretical, real experimental product

Overview: Outline
A. Related Work
B. System Model of Normal 802.11
C. Misbehavior Techniques
D. Methods to Measure Misbehavior
E. Function of DOMINO
F. Simulation Results
G. Implementation of DOMINO
H. Discussion

Related Work
Research on MAC-layer greedy behavior is limited
  Relatively new and unexplored
Kyasanur/Vaidya: Receiver assigns/sends backoff values in CTS/ACK
  Not compatible with 802.11
  Misbehaving receivers
  Computational overhead and new frame fields
  Only backlogged UDP, actual backoff larger than assigned = cheater success

Related Work
Konorski: Ad-hoc network using backoff from Game Theory
  Different from 802.11 standard
IDS (AirDefense Guard) provides sensors to monitor
  DOMINO can be extension of these

System Model of Normal 802.11: Review
What is DIFS?
What is SIFS?
What is Backoff?
What is NAV?
How do they relate?

System Model of Normal 802.11: Review Diagram

System Model of Normal 802.11: Backoff Setting
Chosen Backoff bounded by Contention Window (CW)
Backoff decreases as long as channel is idle
Backoff frozen when the channel is in use
Backoff = 0, send the frame
Collision = frame lost, increase CW and new backoff
If success next round, reset CW to minimum

Misbehavior Techniques: Concept of Greedy
MAC Greedy Behavior: Fail to follow procedures or change parameters defined by 802.11
Stations misbehave only for beneficial outcome for themselves
  Assumption, don’t consider attacks of disruption (deauthentication, security attack)
Simpler and more efficient than other known methods

Misbehavior Techniques: 1. Scramble Frames
Scramble others’ frames to increase their CW
CTS: Cheater hears RTS destined somewhere = Intentionally transmit to collide
  Expected CTS response lost, channel goes idle for backoff
ACK/Data: Cause CW of ACK destination (Data source) to double
  Increases the backoff for longer channel idle

Misbehavior Techniques: 2. Manipulate 802.11 Parameters
Change existing 802.11 parameters
Idle Channel = Transmit after SIFS but before waiting DIFS
False increase NAV on sending RTS/Data
Choose smaller fixed CW than others
  Shortening your Backoff to cheat

Methods to Measure Misbehavior: 1. Throughput
Measure Throughput on stations to find
Problems in Design
  2 stations using different data rates/delays
    VoIP vs. Streaming Video
  UDP throughput affected by overhead, SNR, hardware, drivers, O/S
  TCP coupled with 802.11 derogates on
    TCP: CW, recovery, packet size, timeout
    802.11: ACK, retry limit, backoff

Methods to Measure Misbehavior: 2. Backoff
Used in DOMINO, less dependent on factors
Problems in Design
  Backoff idle period after DIFS is indistinguishable from delay of low packet source
    Cheater gives impression of well-behaved
  MAC header not enough data to get backoff
  Some stations increase backoff in collision, some don’t
  Hidden Terminal Problem
    Sender thinks idle and sends, hidden node also sending, receiver sees collision

Function of DOMINO: Use of Backoff
Overcoming Backoff problems easier than Throughput
Estimate backoff by monitoring channel idle time
Several backoff solutions, not enough alone
  Combine backoff solutions to catch most misbehavior

Function of DOMINO: DOMINO Code Structure
Collect traces in Monitoring Period and run algorithm
Increment cheater hit for K times before stopping
  Prevent false positives

Function of DOMINO: 1. Scramble Frames
Must scramble lots of frames
  # of retransmissions less than other stations
Repeated sequence number
  Attacker never resetting while others are and repeating sequence

Function of DOMINO: 2. Shorter than DIFS
After an ACK is sent, stations should be idle for a DIFS (unless cheating)

Function of DOMINO: 3. Oversized NAV
Measure the actual duration of Data, ACK, and RTS/CTS
Advertised NAV more than actual indicates cheater
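
Tests 2 and 3 run over a constructed frame trace, as an added example that is not from the slides or the DOMINO authors. The timing constants are the 802.11b DSSS values; the record layout, the tolerance and the station names are assumptions.

```python
SIFS_US, SLOT_US = 10, 20            # 802.11b DSSS timing
DIFS_US = SIFS_US + 2 * SLOT_US      # 50 us
NAV_TOLERANCE_US = 5                 # assumed measurement slack

# Constructed trace: (station, kind, start_us, end_us, advertised_nav_us)
TRACE = [
    ("sta_a", "data", 0,    1000, 314),
    ("ap",    "ack",  1010, 1314, 0),
    ("sta_b", "data", 1434, 2434, 314),    # idle 120 us, NAV matches
    ("ap",    "ack",  2444, 2748, 0),
    ("sta_c", "data", 2768, 3768, 2000),   # idle 20 us, NAV inflated
    ("ap",    "ack",  3778, 4082, 0),
]

def check_trace(trace):
    """Return (station, test, microseconds) findings for tests 2 and 3."""
    findings = []
    for i, (sta, kind, start, end, nav) in enumerate(trace):
        if kind != "data":
            continue  # only frames that open a new exchange are checked
        # Test 2: after an ACK the medium must stay idle for at least DIFS.
        if i > 0 and trace[i - 1][1] == "ack":
            idle = start - trace[i - 1][3]
            if idle < DIFS_US:
                findings.append((sta, "short_difs", idle))
        # Test 3: compare advertised NAV with the time the exchange really
        # took, measured from the end of Data to the end of the captured ACK.
        if i + 1 < len(trace) and trace[i + 1][1] == "ack":
            actual = trace[i + 1][3] - end
            if nav > actual + NAV_TOLERANCE_US:
                findings.append((sta, "oversized_nav", nav - actual))
    return findings

if __name__ == "__main__":
    for finding in check_trace(TRACE):
        print(finding)
```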

Function of DOMINO: 4. Maximum Backoff
Find if backoff observed is less than some threshold
  Small sample period = low threshold, simulations show CW/2 is best threshold
Cheater could give one sufficiently large backoff to throw off average

Function of DOMINO: 5. Actual Backoff
B_acnom = average backoff observed by AP
α_ac = Percent true/false positive (90% in simulations)
Picks up TCP frame delays, increases backoff and can disguise the cheater
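
The Actual Backoff test feeding the K-hit counter from the code-structure slide, as an added example over constructed backoff samples (not from the slides or the DOMINO authors). The comparison "mean backoff < α_ac × B_acnom", the value K = 3, the counter decay on a clean period and the station names are assumptions.

```python
from statistics import mean

ALPHA_AC = 0.9  # slide: 90% in simulations
K = 3           # assumed; the slides name K but give no value

# Constructed backoff samples (in slots) per monitoring period, per station.
AP_REF = [14, 17, 15, 16, 13, 15]  # mean 15, used as B_acnom
PERIODS = [
    {"ap": AP_REF, "sta_honest": [16, 12, 18, 14], "sta_greedy": [3, 5, 2, 6]},
    {"ap": AP_REF, "sta_honest": [9, 13, 11, 15],  "sta_greedy": [4, 3, 5, 4]},
    {"ap": AP_REF, "sta_honest": [15, 17, 13, 19], "sta_greedy": [2, 6, 4, 4]},
    {"ap": AP_REF, "sta_honest": [14, 16, 15, 15], "sta_greedy": [5, 3, 3, 5]},
]

def actual_backoff_hit(samples, b_acnom, alpha=ALPHA_AC):
    """Assumed test form: mean observed backoff below alpha * nominal."""
    return bool(samples) and mean(samples) < alpha * b_acnom

def monitor(periods, k=K):
    """Return {station: 1-based period in which its hit counter reached k}."""
    cheat_count, flagged = {}, {}
    for n, period in enumerate(periods, start=1):
        b_acnom = mean(period["ap"])  # slide: average backoff observed by AP
        for sta, samples in period.items():
            if sta == "ap" or sta in flagged:
                continue
            if actual_backoff_hit(samples, b_acnom):
                cheat_count[sta] = cheat_count.get(sta, 0) + 1
            else:
                # Assumed decay: a clean period lowers the counter again.
                cheat_count[sta] = max(0, cheat_count.get(sta, 0) - 1)
            if cheat_count[sta] >= k:
                flagged[sta] = n
    return flagged

if __name__ == "__main__":
    print(monitor(PERIODS))
```

With k=1 the honest station's single short-backoff period is enough to flag it, which is the false positive the K threshold is there to absorb.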

Function of DOMINO: 6. Consecutive Backoff
Now can handle TCP sources (91% of network traffic)
Similar to Test 5, but B_conom = Backoff between consecutive non-interleaved transmissions

Function of DOMINO: Actual vs. Consecutive Backoff

Function of DOMINO: Review Structure Again
Collect traces in Monitoring Period and run algorithm
Increment cheater hit for K times before stopping
  Prevent false positives

Simulation Results: Setup
ns-2 with Monarch project extension
10 simulations, 110 seconds each, monitoring period every 10 seconds
Mimic fading effects of real channel with Shadowing Channel
  Pr(d) power at distance d, d0 reference

Simulation Results: Setup
8 stations (one cheater) sending 500 bytes/packet at 200 packets/s
  UDP sending CBR traffic
  TCP sending FTP traffic
All stations 50 meters away
Problem in this?

Simulation Results: Misbehavior Coefficient
Misbehavior Coefficient: Amount of misbehavior based on size of backoff
  M = 0, no misbehavior
  M = 1, full misbehavior (no backoff used)

Simulation Results: Gains from Cheating
Why TCP harder to cheat?
  TCP congestion control and rate of TCP ACKs

Simulation Results: Test to Detect Actual Backoff
UDP cheating caught
TCP failed because TCP congestion control being picked up
  Result not shown since all on x-axis only

Simulation Results: Test to Detect Consecutive Backoff
TCP cheating caught
UDP failed as TCP did before
  Result not shown since all on x-axis only

Simulation Results: Need to Stack Tests
Actual catches UDP but misses TCP
Consecutive catches TCP but misses UDP
Combining catches both

Implementation: Design
Proxim ORINOCO 11a/b/g Combo Card
MADWIFI driver (Linux)
Modify CW in registry of driver to cheat

Implementation: Ethereal
Measure Backoff Manually

Implementation: DOMINO in Use
Increasing coefficient (cheating) = Detection
Why allow leeway?
  False detection, attacker not doing much harm

Implementation: Overhead and Location
DOMINO on AP (software or firmware upgrade)
  Passive only, low overhead
  500 bytes at 7 Mbps, 50 stations = 0.021% 200 MHz CPU (4 clock cycles)
Can do separate unit near AP (AirDefense Guard sensors)
Decide based on service requirements, available equipment, and infrastructure

Discussion Issues: Hidden Terminals
B transmitting to AP, A can’t see B and thinks idle
A decrementing its backoff looks smaller than should be, false detect
Increase threshold values to tolerate some legitimate misbehavior

Discussion Issues: Adaptive Cheating
Cheater knows DOMINO, switch methods during collection periods to throw off
  Must guess monitoring period/thresholds (won’t know success until blocked)
  Deliberately collide two frames, fail Actual backoff and never hit Consecutive
  Not beneficial to cheater (goal is to be greedy)

Discussion Issues: Monitoring Period
Monitoring Period needs to be large enough for fairness
  802.11 binary exponential backoff unfair in short-term (false positives)
  500 bytes at 7 Mbps, 50 stations, 10 second monitoring period = 350 backoff values per station

Conclusion: Advantages
What is so good about DOMINO?
DOMINO uses modular building of tests
  Catch many kinds of cheating with various tests
  Easy to build upon for future cheating
Low overhead (passive) or run separate
Extension to existing Intrusion Detection Systems

Conclusion: Potential Issues?
Issues not addressed in DOMINO?
  Testing was just on FTP and CBR
  Focus of tests was on Actual and Consecutive Backoffs (only 2 out of 6 issues)
  Stations organized perfectly around AP, not different ranges
  No consideration for obstacles or interference