
DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots

DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots. Written By: Maxim Raya, Jean-Pierre Hubaux, Imad Aad School of Computer and Communication Sciences Presented By: Michael Kroll University of South Carolina. Overview Introduction. Steady increase in hotspots


Presentation Transcript


  1. DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots Written By: Maxim Raya, Jean-Pierre Hubaux, Imad Aad School of Computer and Communication Sciences Presented By: Michael Kroll University of South Carolina

  2. Overview: Introduction • Steady increase in hotspots • 28,000 hotspots in 2004 • Predicted 160,000 in 2007 but actually 180,000 • Security and Billing = Focus on Authentication and Confidentiality in 802.11 • 802.11 only works if stations respect MAC protocol

  3. Overview: Benefit of Misuse in MAC Layer • MAC-layer Greedy Behavior = Deliberate abuse of 802.11 MAC • Why abuse 802.11 MAC? • Significant bandwidth gain in medium • More efficient than network or transport layers • Hidden and independent from upper layers • Hard to detect by applications • Everything uses 802.11 • Cheating on TCP fails against UDP

  4. Overview: DOMINO Solution • Seamless integration into AP • Passive, no interference with normal functions • Compatible with existing networks • Compatible with future versions of 802.11 • With some minor changes • Not theoretical, real experimental product

  5. Overview: Outline • Related Work • System Model of Normal 802.11 • Misbehavior Techniques • Methods to Measure Misbehavior • Function of DOMINO • Simulation Results • Implementation of DOMINO • Discussion

  6. Related Work • Research on MAC-layer greedy is limited • Relatively new and unexplored • Kyasanur/Vaidya: Receiver assigns/sends backoff values in CTS/ACK • Not compatible with 802.11 • Misbehaving receivers • Computational overhead and new frame fields • Only backlogged UDP, actual backoff larger than assigned = cheater success

  7. Related Work • Konorski: Ad-hoc network using backoff from Game Theory • Different from 802.11 standard • IDS (AirDefense Guard) provides sensors to monitor • DOMINO can be extension of these

  8. System Model of Normal 802.11 Review • What is DIFS? • What is SIFS? • What is Backoff? • What is NAV? • How do they relate?

  9. System Model of Normal 802.11: Review Diagram

  10. System Model of Normal 802.11 Backoff Setting • Chosen Backoff bounded by Contention Window (CW) • Backoff decreases as long as channel is idle • Backoff frozen when the channel is in use • Backoff = 0, send the frame • Collision = frame lost, increase CW and new backoff • If success next round, reset CW to minimum

  11. Misbehavior Techniques: Concept of Greedy • MAC Greedy Behavior: Fail to follow procedures or change parameters defined by 802.11 • Stations misbehave only for beneficial outcome for themselves • Assumption, don’t consider attacks of disruption (deauthentication, security attack) • Simpler and more efficient than other known methods

  12. Misbehavior Techniques: 1. Scramble Frames • Scramble others’ frames to increase their CW • CTS: Cheater hears RTS destined somewhere = Intentionally transmit to collide • Expected CTS response lost, channel goes idle for backoff • ACK/Data: Cause CW of ACK destination (Data source) to double • Increases the backoff for longer channel idle

  13. Misbehavior Techniques: 2. Manipulate 802.11 Parameters • Change existing 802.11 parameters • Idle Channel = Transmit after SIFS but before waiting DIFS • Falsely increase NAV on sending RTS/Data • Choose smaller fixed CW than others • Shortening your backoff to cheat

  14. Methods to Measure Misbehavior: 1. Throughput • Measure Throughput on stations to find • Problems in Design • 2 stations using different data rates/delays • VoIP vs. Streaming Video • UDP throughput affected by overhead, SNR, hardware, drivers, O/S • TCP coupled with 802.11 derogates on • TCP: CW, recovery, packet size, timeout • 802.11: ACK, retry limit, backoff

  15. Methods to Measure Misbehavior: 2. Backoff • Used in DOMINO, less dependent on factors • Problems in Design • Backoff idle period after DIFS is indistinguishable from delay of low packet source • Cheater gives impression of being well-behaved • MAC header does not carry enough data to get backoff • Some stations increase backoff in collision, some don’t • Hidden Terminal Problem • Sender thinks idle and sends, hidden node also sending, receiver sees collision

  16. Function of DOMINO: Use of Backoff • Overcoming Backoff problems easier than Throughput • Estimate backoff by monitoring channel idle time • Several backoff solutions, not enough alone • Combine backoff solutions to catch most misbehavior

  17. Function of DOMINO: DOMINO Code Structure • Collect traces in Monitoring Period and run algorithm • Increment cheater hit for K times before stopping • Prevent false positives

  18. Function of DOMINO 1. Scramble Frames • Must scramble lots of frames • # of retransmissions less than other stations • Repeated sequence number • Attacker never resetting while others are and repeating sequence

  19. Function of DOMINO 2. Shorter than DIFS • After an ACK is sent, stations should be idle for a DIFS (unless cheating)

  20. Function of DOMINO 3. Oversized NAV • Measure the actual duration of Data, ACK, and RTS/CTS • Advertised NAV more than actual indicates cheater

  21. Function of DOMINO 4. Maximum Backoff • Find if backoff observed is less than some threshold • Small sample period = low threshold, simulations show CW/2 is best threshold • Cheater could give one sufficiently large backoff to throw off average

  22. Function of DOMINO 5. Actual Backoff • B_acnom = average backoff observed by AP • α_ac = Percent true/false positive (90% in simulations) • Picks up TCP frame delays, increases backoff and can disguise the cheater

  23. Function of DOMINO 6. Consecutive Backoff • Now can handle TCP sources (91% of network traffic) • Similar to Test 5, but B_conom = Backoff between consecutive non-interleaved transmissions

  24. Function of DOMINO Actual vs. Consecutive Backoff

  25. Function of DOMINO: Review Structure Again • Collect traces in Monitoring Period and run algorithm • Increment cheater hit for K times before stopping • Prevent false positives

  26. Simulation Results: Setup • ns-2 with Monarch project extension • 10 simulations, 110 seconds each, monitoring period every 10 seconds • Mimic fading effects of real channel with Shadowing Channel • Pr(d) power at distance d, d0 reference

  27. Simulation Results: Setup • 8 stations (one cheater) sending 500 bytes/packet at 200 packets/s • UDP sending CBR traffic • TCP sending FTP traffic • All stations 50 meters away • Problem in this?

  28. Simulation Results: Misbehavior Coefficient • Misbehavior Coefficient: Amount of misbehavior based on size of backoff • M = 0, no misbehavior • M = 1, full misbehavior (no backoff used)

  29. Simulation Results: Gains from Cheating • Why is TCP harder to cheat? • TCP congestion control and rate of TCP ACKs

  30. Simulation Results: Test to Detect Actual Backoff • UDP cheating caught • TCP failed because TCP congestion control being picked up • Result not shown since all on x-axis only

  31. Simulation Results: Test to Detect Consecutive Backoff • TCP cheating caught • UDP failed as TCP did before • Result not shown since all on x-axis only

  32. Simulation Results: Need to Stack Tests • Actual catches UDP but misses TCP • Consecutive catches TCP but misses UDP • Combining catches both

  33. Implementation: Design • Proxim ORINOCO 11a/b/g Combo Card • MADWIFI driver (Linux) • Modify CW in registry of driver to cheat

  34. Implementation Ethereal Measure Backoff Manually

  35. Implementation: DOMINO in Use • Increasing coefficient (cheating) = Detection • Why allow leeway? • False detection, attacker not doing much harm

  36. Implementation: Overhead and Location • DOMINO on AP (software or firmware upgrade) • Passive only, low overhead • 500 bytes at 7 Mbps, 50 stations = 0.021% of a 200 MHz CPU (4 clock cycles) • Can run as a separate unit near AP (AirDefense Guard sensors) • Decide based on service requirements, available equipment, and infrastructure

  37. Discussion Issues: Hidden Terminals • B transmitting to AP, A can’t see B and thinks idle • A keeps decrementing its backoff, so it looks smaller than it should be: false detection • Increase threshold values to tolerate some legitimate misbehavior

  38. Discussion Issues: Adaptive Cheating • Cheater knows DOMINO, switches methods during collection periods to throw it off • Must guess monitoring period/thresholds (won’t know success until blocked) • Deliberately collide two frames, fail Actual backoff and never hit Consecutive • Not beneficial to cheater (goal is to be greedy)

  39. Discussion Issues: Monitoring Period • Monitoring Period needs to be large enough for fairness • 802.11 binary exponential backoff unfair in short-term (false positives) • 500 bytes at 7 Mbps, 50 stations, 10 second monitoring period = 350 backoff values per station

  40. Conclusion: Advantages • What is so good about DOMINO? • DOMINO uses modular building of tests • Catches many kinds of cheating with various tests • Easy to build upon for future cheating • Low overhead (passive) or run separate • Extension to existing Intrusion Detection Systems

  41. Conclusion: Potential Issues? • Issues not addressed in DOMINO? • Testing was just on FTP and CBR • Focus of tests were Actual and Consecutive Backoffs (only 2 out of 6 issues) • Stations organized perfectly around AP, not different ranges • No consideration for obstacles or interference
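
The structure reviewed on slides 17 to 25 (collect traces per monitoring period, run the tests, count hits up to K), sketched as an added example that is not code from the DOMINO authors or the presentation. It covers four of the six tests (shorter than DIFS, oversized NAV, maximum backoff, actual backoff); the trace format, station names, `K = 3`, `CW_MIN = 31`, the 50 µs DIFS and the nominal backoff of 15.0 are assumptions.

```python
from statistics import mean

ALPHA_AC = 0.90  # tolerance from the slides (90% in simulations)
CW_MIN = 31      # assumed contention window in slots (802.11b CWmin)
DIFS_US = 50     # assumed DIFS in microseconds (802.11b)
K = 3            # assumed number of hits before a station is reported

def run_tests(obs, nominal_backoff):
    """Names of the tests one station fails in one monitoring period."""
    failed = []
    if any(idle < DIFS_US for idle in obs["idle_after_ack_us"]):
        failed.append("shorter_than_difs")
    if any(advertised > actual for advertised, actual in obs["nav_us"]):
        failed.append("oversized_nav")
    if max(obs["backoffs"]) < CW_MIN / 2:
        failed.append("maximum_backoff")
    if mean(obs["backoffs"]) < ALPHA_AC * nominal_backoff:
        failed.append("actual_backoff")
    return failed

def detect(periods, nominal_backoff, k=K):
    """Count one hit per period with any failed test; report at k hits."""
    hits = {}
    for period in periods:
        for station, obs in period.items():
            if run_tests(obs, nominal_backoff):
                hits[station] = hits.get(station, 0) + 1
    return sorted(s for s, n in hits.items() if n >= k)

def trace(backoffs):
    # Constructed observation: compliant DIFS wait and NAV, given backoffs (slots).
    return {"backoffs": backoffs, "idle_after_ack_us": [50, 62], "nav_us": [(300, 300)]}

# Constructed traces for three monitoring periods. sta_b is merely unlucky in
# period 1; sta_c inserts one large backoff per period to pass the maximum test.
SAMPLE_PERIODS = [
    {"sta_a": trace([12, 25, 7, 30, 16]), "sta_b": trace([3, 9, 14, 6, 11]),
     "sta_c": trace([2, 3, 1, 20, 2])},
    {"sta_a": trace([20, 5, 28, 14, 17]), "sta_b": trace([18, 22, 9, 27, 13]),
     "sta_c": trace([1, 2, 19, 3, 2])},
    {"sta_a": trace([9, 31, 15, 22, 11]), "sta_b": trace([16, 8, 24, 19, 12]),
     "sta_c": trace([2, 1, 3, 18, 1])},
]
NOMINAL_BACKOFF = 15.0  # constructed value for the AP's own average backoff

if __name__ == "__main__":
    print(detect(SAMPLE_PERIODS, NOMINAL_BACKOFF))
```

With these traces the unlucky station collects a single hit and is not reported, while the station that pads its samples with one large backoff passes the maximum test but fails the averaged one in every period.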
