Title: ICPADS20051
1Protecting IEEE 802.11 Wireless LANs against the
FCS False Blocking Attack
- Shih-Tsung Liang and Ming-Yi Weng
- Department of Mathematics Computer Science
Education, Taipei Municipal Teachers College - Department of Computer Science and Information
Engineering, Da-Yeh University
2Outline
- IEEE 802.11 Media Access Control
- The FCS False Blocking Attack
- FCS False Blocking Detection and Recovery
- Numerical Results
- Concluding Remarks
3IEEE 802.11 Media Access Control
- IEEE 802.11 DCF (Distributed Coordination
Function)
DIFS
Medium is idle
to transmit a frame after long period of idle
medium
4IEEE 802.11 Media Access Control
- On receiving an FCS error frame
EIFS
Medium is idle
- to give high priority to the retransmission of
FCS-error frames - In case of the false CRC module in the receiving
site, the longer holdback can deter the
malfunctioning station from transmitting error
frames, and hence prevent the waste of bandwidth
to transmit a frame after long period of idle
medium
5IEEE 802.11 Media Access Control
- After an error-free frame being received
DIFS
Medium is idle
to transmit a frame after long period of idle
medium
6The FCS False Blocking Attack
- A station constantly transmits frames with FCS
error
Attacking station
(DIFS)
Wireless bandwidth
the attacking station can get higher priority to
transmit
Contending
Other stations nearby
(EIFS)
7The FCS False Blocking Attack
- Impact of the FCS False Blocking attack on
network performance (traffic volume)
-
8The FCS False Blocking Attack
- Possible solutions?
- How about to identify the attacking source?
- The MAC address matching process may take much
more time than FCS calculation - The identified MAC address may be a fake
- FCS error frames still coming from malicious
attackers - Our approach
- Does not identify the source
- Frustrates the malicious behavior
9FCS False Blocking Detection and Recovery
- The ratio of error_frames to correct_frames
error_frames/correct_frames
no. of stream video connections
10FCS False Blocking Detection and Recovery
frame received
rcv_frame
FCS correct?
Y
N
Data Collection Phase
correct_frame
error_frame
rcv_framegtdetection_count?
N
return
Y
11FCS False Blocking Detection and Recovery
N
Y
N
Y
Y
Detection and Recovery Phase
FCS_error_flag0 Set IFS to EIFS
N
FCS_error_flag1 Not Set IFS to EIFS
error_frame0 correct_frame0 all_frame0
return
12Numerical Results
- Simulation set up
- Based on Network Simulator v2.27
- Embed the proposed FCS False Blocking detection
and recovery mechanism into the 802.11 MAC module
of NS2.27 (C code implementation) - network topology
- FCS error attack source
- Constant bit rate
- streaming video connections
- 150Kbps/300Kbps
13Numerical Results
- Simulation parameter settings
14Numerical Results
Scenarios I, II
15Numerical Results
Scenarios III, IV
16Concluding Remarks
- Identify a new pattern of 802.11 false blocking
attacksthe FCS false blocking attack, in which
the attacker continuously transmits data with
erroneous FCS values - Corresponding detection and recovery mechanism is
also proposed and has shown to be able to
moderate the impacts to the wireless networks
caused by FCS false blocking attacks - Under a single attacking source, the FCS False
Blocking detection and recovery mechanism can
averagely increase the network throughput 5 to
8
17Thank you!!
Request for Comment
18DCF
- CSMA/CA
- Error Recovery Mechanisms
- DCF Access Procedure
19CSMA/CA
- Why CSMA/CD doesnt work?
- The hidden terminal problem!
STA1
STA2
STA3
STA1 can communicate with only STA2. STA2 can
communicate with STA1 and STA3. STA3 can
communicate with only STA2. The frame from STA1
to STA2 can be corrupted by a transmission
initiated by STA3. The STA3 did not know the
ongoing transmission from STA1 to STA2
20CSMA/CA
- To cope with the hidden terminal problem
- Medium reservation through the exchange of RTS
and CTS frames prior to the actual data
RTS
CTS
STA2
STA3
STA1
Area cleared by RTS (Request To Send)
Area cleared by CTS (Clear To Send)
21CSMA/CA
- MAC-Level Acknowledgement
- Wireless media are noisy and unreliable
- The source needs to make sure the frame has been
correctly received by the destination - If the source does not receive the ACK, the
source will retransmit the frame
22CSMA/CA
- 4-way MAC frame exchange protocol
Source
Destination
RTS
Collision Protect!!
CTS
who protect me? (size is the key!!)
Data
ACK
23CSMA/CA
- More about 4-way handshake
- RTS and CTS may be disabled by the
dot11RTSThreshold attribute in the MIB
(Management Information Base) - If frame length gt dot11RTSThreshold
- ? 4-way frame exchange with RTS and CTS
- If frame length dot11RTSThreshold
- ? frame exchange without RTS and CTS
- The default dot11RTSThreshold is 128
- In environments STAs can hear from each other, a
higher dot11RTSThreshold can reduce the bandwidth
consumption on RTS and CTS
24CSMA/CA
- Carrier Sense Mechanism
- Physical carrier sense
- Physical layer carrier sense
- Similar to 802.3
- Check for Medium status (Idle/Busy)
- Virtual carrier sense
- Mac layer carrier sense
- Network Allocation Vector (NAV)
- A countdown counter to record the amount of time
remains before wireless channel clear - (i.e. NAV0?clear)
-
25CSMA/CA
Wait for frame to transmit
NAV0 ?
Flag0
Flag1
Note The period of time immediately following a
busy medium is the highest probability of
collision ccurring. Many stations may be waiting
for the medium to become idle and attempt to
transmit at the same time. Thus whenever the
station sensing a busy medium, a random backoff
time is used.
Check PHY
N
Medium Idle?
Collision ?
Y
N
Y
Wait IFS
Still Idle ?
Transmit Frame
Flag0 ?
N
Y
Y
N
Random Backoff Time
26CSMA/CA
- Random backoff time
- Backoff timeRandom()aSlotTime
- Random() a uniform distributed integer randomly
selected from 0,CW, where CW is contention
window - For each unsuccessful frame transmission, CW
doubles (from CWmin to CWmax) - CW ? 2 CW1
- Reduces the collision probability
27Error Recovery Mechanisms
- Errors (interference, collision)
- STA sends an RTS but not receive the CTS
- STA sends a data frame but not receive the ACK
- Retransmission with retry limit
- shortRetryLimit frame length
dot11RTSThreshold - longRetryLimit frame length gt dot11RTSThreshold
28DCF Access procedure
- Interframe space (IFS)
- SIFS Short InterFrame Space
- Used for immediate response actions (e.g., ACK,
CTS) - PIFS PCF InterFrame Space
- Used by centralized controller in PCF scheme when
using polls - DIFS DCF InterFrame Space
- Used by distribution coordination function (DCF)
for asynchronous frames contention - EIFS Extended InterFrame Space
- Used by the DCF after indication of the erroneous
frame (e.g., FCS error) - Reception of an error-free frame during the EIFS
causes the access using EIFS is terminated and
normal medium access (using DIFS) continues
shortest
longest
29DCF Access procedure
30DCF Access procedure
- Example of backoff procedure
DIFS
DIFS
DIFS
backoff12
backoff7
backoff3
busy
STA 1
backoff5
busy
STA 2
DIFS
busy
STA 3
backoff9
backoff4
busy
STA 4
- After MSDU arriving at MAC, STA 3 senses medium
free for DIFS, so it initiates transmission - immediately without backoff interval
- For STA 1,2, and 4, their DIFS intervals are
interrupted by STA 3. Thus, the backoff - Intervals for STA 1, 2, and 4, are generated
randomly (e.g., 12, 5, and 9, respectively) - After transmission of STA 2, the remaining
backoff interval of STA 1 is (12-5) 7. - After transmission of STA 2, the remaining
backoff interval of STA 4 is (9-5) 4. - After transmission of STA 4, the remaining
backoff interval of STA1 is (7-4) 3.
31DCF Access procedure
- Example of backoff procedure (continue)
DIFS
DIFS
DIFS
backoff9
backoff4
busy
STA 1
backoff5
backoff20
backoff16
busy
STA 2
DIFS
busy
STA 3
backoff5
backoff18
backoff14
busy
busy
STA 4
- STA 3 senses medium free for DIFS and initiates
transmission immediately - For STA 1,2, and 4, their DIFS intervals are
interrupted by STA 3. Thus, the backoff - Intervals for station 1, 2, and 4, are generated
randomly (e.g., 9, 5, and 5, respectively) - Collision occurs between STA 2 and 4.
- After the collision of STA 2 and 4, the remaining
backoff interval of station 1 is (9-5) 4. - The backoff Intervals for retransmission of STA
2, and 4, are generated randomly (e.g., 20 and
18, respectively). (tend to be larger the initial
attempt)