Jamming Wireless Networks: Attack and Defense Strategies Wenyuan Xu, Ke Ma, Wade Trappe, Yanyong Zhang, WINLAB, Rutgers University Network/Computer Security.

Jamming Wireless Networks: Attack and Defense

Strategies

Wenyuan Xu, Ke Ma, Wade Trappe, Yanyong Zhang,WINLAB, Rutgers University

Network/Computer Security WorkshopMay 16th, 2006

2

Roadmap Introduction and Motivation

Jammer Models– Four models– Their effectiveness

Detecting Jamming attacks– Basic statistic + Consistency check

Defenses strategy– Channel surfing– Spatial retreat

Conclusions

3

Jammers

Jamming style DoS Attack: – Behavior that prevents other nodes from using the

channel to communicate by occupying the channel that they are communicating on

A jammer – An entity who is purposefully trying to interfere with

the physical transmission and reception of wireless communications.

Is it hard to build a jammer?

Mr. X

No! Haha…

Bob Alice

Hello … Hi …

@#$%%$#@&

…

Mr. X

4

Jammers – Hardware Cell phone jammer unit:

– Intended for blocking all mobile phone types within designated indoor areas

– 'plug and play' unit

Waveform GeneratorTune frequency to what ever you want

MAC-layer Jammer (our focus)Mica2 Motes (UC Berkeley)

8-bit CPU at 4MHz,128KB flash, 4KB RAM916.7MHz radioOS: TinyOS

Disable the CSMAKeep sending out the preamble

5

Jammers – Hardware Cell phone jammer unit:

– Intended for blocking all mobile phone types within designated indoor areas

– 'plug and play' unit

Waveform Generator– Tune frequency to what ever you want

MAC-layer Jammer (our focus)Mica2 Motes (UC Berkeley)

8-bit CPU at 4MHz,128KB flash, 4KB RAM916.7MHz radioOS: TinyOS

Disable the CSMAKeep sending out the preamble

6

Jammers – Hardware Cell phone jammer unit:

– Intended for blocking all mobile phone types within designated indoor areas

– 'plug and play' unit

Waveform Generator– Tune frequency to what ever you want

MAC-layer Jammer– 802.11 laptop – Mica2 Motes (UC Berkeley)

8-bit CPU at 4MHz, 128KB flash, 4KB RAM 916.7MHz radio OS: TinyOS

– Disable the CSMA– Keep sending out the preamble

The Jammer Models and Their Effectiveness

8

Jammer Attack Models

Constant jammer:– Continuously emits a radio signal

Deceptive jammer:– Constantly injects regular packets to the channel without any gap

between consecutive packet transmissions– A normal communicator will be deceived into the receive state

&F*(SDJFFD(*MC*(^%&^*&(%*)(*)_*^&*FS…….

Payload …

Preamble CRC

PayloadPayload Payload Payload

9

Jammer Attack Models

Random jammer:– Alternates between sleeping and jamming

Sleeping period: turn off the radio Jamming period: either a constant jammer or deceptive jammer

Reactive jammer:– Stays quiet when the channel is idle, starts transmitting a

radio signal as soon as it senses activity on the channel.– Targets the reception of a message

&F*(SDJF ^F&*D( D*KC*I^ …

…

Underling normal traffic

&F*(SDJ

Payload

^%^*&

Payload

CD*(&FG

Payload

Detecting Jamming Attacks: Basic Statistics plus Consistency Checks

11

-100

-80

-60CBR

-100

-80

-60MaxTraffic

-100

-80

-60Constant Jammer

-100

-80

-60

R

SS

I (dB

m)

Deceptive Jammer

-100

-80

-60Reactive Jammer

0 200 400 600 800 1000 1200 1400 1600-100

-80

-60

sample sequence number

Random Jammer

Basic Statistics P.1

Idea:– Many measurement will be affected by the presence of a jammer– Network devices can gather measurements during a time period

prior to jamming and build a statistical model describing basic measurement in the network

Measurement– Signal strength

Moving average Spectral discrimination

– Carrier sensing time– Packet delivery ratio

Experiment platform:– Mica2 Motes– Use RSSI ADC to measure the signal strength

12

Basic Statistics P.2

Can basic statistics differentiate between jamming scenario from a normal scenario including congestion?

Differentiate jamming scenario from all network dynamics, e.g. congestion, hardware failure

– PDR is a relative good statistic, but cannot do hardware failure– Consistency checks --- using Signal strength

Normal scenarios: – High signal strength a high PDR – Low signal strength a low PDR

Low PDR:– Hardware failure or poor link quality low signal strength– Jamming attack high signal strength

Signal strength Carrier sensing time

Packet delivery ratio

Average Spectral Discrimination

Constant Jammer

Deceptive Jammer

Random Jammer

Reactive Jammer

13

Jammed Region

PDR %

PDR VS. SS

SS

(dB

m)

Jamming Detection with Consistency Checks

Measure PDR(N){N Є Neighbors}

PDR(N) < PDRThresh ? Not Jammed

Jammed!

No

Yes

PDR(N) consistent with signal strength?

Yes

No

Build a (PDR,SS) look-up table empirically– Measure (PDR, SS) during a guaranteed time of

non-interfered network.– Divide the data into PDR bins, calculate the mean

and variance for the data within each bin.– Get the upper bound for the maximum SS that

world have produced a particular PDR value during a normal case.

– Partition the (PDR, SS) plane into a jammed-region and a non-jammed region.

Defenses against Jamming Attacks: Channel Surfing and Spatial Retreat

15

Handling Jamming: Strategies

What can you do when your channel is occupied?– In wired network you can cut the link that causes the problem, but

in wireless…– Make the building as resistant as possible to incoming radio signals?– Find the jamming source and shoot it down?– Battery drain defenses/attacks are not realistic!

Protecting networks is a constant battle between the security expert and the clever adversary.

Therefore, we take motivation from “The Art of War” by Sun Tze:

– He who cannot defeat his enemy should retreat.

Retreat Strategies:– Channel Surfing– Spatial retreat

16

Channel Surfing Idea:

– If we are blocked at a particular channel, we can resume our communication by switching to a “safe” channel

– Inspired by frequency hopping techniques, but operates at the link layer in an on-demand fashion.

Challenge– Distributed computing, scheduling– Asynchrony, latency and scalability

Jammer Jammer

Node working in channel 1

Node working in channel 2

channel 1

channel 2

17

Channel Surfing Coordinated Channel Switching

– The entire network changes its channel to a new channel

Spectral Multiplexing– Jammed node switch channel– Nodes on the boundary of a jammed region serve as relay nodes between

different spectral zones

Jammer

Coordinated channel surfing

Jammer

Spectral Multiplexing Node working in channel 1

Node working in channel 2

Node working in both channel 1 & 2

channel 1

channel 2

18

Channel Surfing Coordinated Channel Switching

– The entire network changes its channel to a new channel

Spectral Multiplexing– Jammed node switch channel– Nodes on the boundary of a jammed region serve as relay nodes between

different spectral zones

Jammer

Coordinated channel surfing

Jammer

Spectral Multiplexing Node working in channel 1

Node working in channel 2

Node working in both channel 1 & 2

channel 1

channel 2

19

Channel Surfing – Experiment Verification

Setup:– 30 Mica2 motes (916MHz) – Indoor environment– Data rate: 1 packet/10sec– Routing: shortest path routing– Jammer: Constant jammer

Metrics:– Ability to repair network => latency required to restore connectivity– Protocol overhead => # of channel switch

20

Channel Surfing- results Coordinated channel switching

– Broadcast-assistant switching– Switching latency: 232.9 seconds– Maximum number of channel switches among all nodes: 3

Spectral Multiplexing– Synchronous & asynchronous spectral multiplexing – The network work can resume its connectivity within comparable amount

of time

21

X

Spatial Retreat Targeted Networks—Nodes in

the network should have– Mobility– GPS or similar localization

Idea:– Nodes that are located within the

jammed area move to “safe” regions.

Escaping:– Choose a random direction to

evacuate from jammed area– If no nodes are within its radio

range, it moves along the boundary of the jammed area until it reconnects to the rest of the network.

A E

C D

IGH

F

B

22

Spatial Retreat Issues:

– A mobile adversary can move through the network– The network can be partitioned– After Escape Phase we need Reconstruction phase to repair the network

Reconstruction phase—Virtual force Model– “Forces” only exist between neighboring sensors– Forces are either repulsive or attractive– Forces represent a need for sensors to move in order to improve system

behavior– virtual force is calculated based on its distance to all its neighboring sensors– Direct its movement according to its force– When all sensors stop moving, the spatial coverage of the whole network is

maximized

Borrowed from Ke Ma

23

Case Study : Spatial Retreats

Borrowed from Ke Ma

24

Conclusion Due to the shared nature of the wireless medium, it is an

easy feat for adversaries to perform a jamming-style denial of service against wireless networks

We proposed to use consistency check based on PDR to detect jammers

We have presented two different strategies to defend against the jamming style of DoS attacks

– Channel-surfing: changing the transmission frequency to a range where there is no interference from the adversary

– Spatial retreat: moving to a new location where there is no interference