Hidden Terminal based Attack, Diagnosis and Detection

1
Hidden Terminal based Attack, Diagnosis and
Detection

• Yao Zhao, Leo Zhao, Yan Chen

Lab for Internet Security Tech, Northwestern
Univ.
2
Outline

• Motivation
• Background on Hidden Terminal Problem
• Hidden Terminal based DoS attacks in WLAN
• Current Work on Diagnosis and Detection

3
Motivation

• Hidden terminal problem is usually studied in
  wireless ad hoc networks
• Hidden terminal problem for WLAN
• HT exists in large WLAN
• Limited channels only 3 out of 11 channels are
  orthogonal to each other
• To cover a large hotspot, hidden terminal
  problems may occur because of the deployment of
  APs
• Easy to launch DoS attack to WLAN

4
Outline

• Motivation
• Background on Hidden Terminal Problem
• Hidden Terminal based DoS attacks in WLAN
• Current Work on Diagnosis and Detection

5
Whats Hidden Terminal Problem

• S sends a packet to D
• H doesnt know D is receiving packet and
  broadcast a packet to another node during Ss
  sending
• Two packets are collided at D

S
D
H
6
Mitigation of HT Problem

• RTS-CTS-DATA-ACK procedure
• NAV is included in RTS and CTS

S
D
H
7
Problem of RTS-CTS

• WLAN doesnt enable RTS-CTS by default
• RTS and CTS are overhead
• In single AP scenario, no HT at all since every
  clients only communicate with the AP
• RTS-CTS cannot totally solve HT problem
• A packet may not be correctly received if theres
  interference whose strength is much weaker than
  the packet (1/10)

8
HT Problem Still Exists

• CTS cant be received by H
• H can send P to interfere with DATA

S
D
H
P
9
Outline

• Motivation
• Background on Hidden Terminal Problem
• Hidden Terminal based DoS attacks in WLAN
• Current Work on Diagnosis and Detection

10
HT Problem in WLAN

• Hard to deploy WLAN to avoid HT
• No global deployment in some environments

3
2
2
B
A
1
1
3
3
2
11
Example of HT in WLAN
12
HT based DoS

• Use two laptops in ad hoc mode
• Simple no extra hardware or change of MAC needed
• Powerful
• Stealthy

13
Powerful Attack Cover Range (1)

• Pda, a4 (usually 2ltalt4)
• Packet cant be received correctly if interfering
  packets power gt 1/10 power of the packet

14
Powerful Attack Cover Range (2)

• AP as sender
• Receivers in shaded area suffer HT problem

15
Conclusion on HT Based Attack

• Powerful
• About ½ of the coverage of an AP is affected by
  HT
• Stealthy
• The victim cannot receive packets from HT
• The packets from HT are legal packets
• Several factors have the same symptoms low
  signals but normal noises
• Long distance between AP and clients
• Hidden terminal
• Phone/Microwave/Bluetooth interference

16
Current Work on Diagnosis

• Preliminary ideas
• Pre-define the coverage area
• Strategic walk from different directions

17
QA

• Thanks!

18
Future Works

• Identify the reason of low throughput
• Long distance between AP and clients
• HT problem
• Phone/Microwave interference
• Locate the HT
• The victim cannot receive packets from HT
• Triangulation approach may not work in indoor
  environment