410 likes | 604 Views
DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots. Written By: Maxim Raya, Jean-Pierre Hubaux, Imad Aad School of Computer and Communication Sciences Presented By: Michael Kroll University of South Carolina. Overview Introduction. Steady increase in hotspots
E N D
DOMINO: A System to Detect Greedy Behavior in IEEE 802.11 Hotspots Written By: Maxim Raya, Jean-Pierre Hubaux, Imad Aad School of Computer and Communication Sciences Presented By: Michael Kroll University of South Carolina
OverviewIntroduction • Steady increase in hotspots • 28,000 hotspots in 2004 • Predicted 160,000 in 2007 but actually 180,000 • Security and Billing = Focus on Authentication and Confidentiality in 802.11 • 802.11 only works if stations respect MAC protocol
OverviewBenefit of Misuse in MAC Layer • Mac-layer Greedy Behavior = Deliberate abuse of 802.11 MAC • Why abuse 802.11 MAC? • Significant bandwidth gain in medium • More efficient than network or transport layers • Hidden and independent from upper layers • Hard to detect my applications • Everything uses 802.11 • Cheating on TCP fails against UDP
OverviewDOMINO Solution • Seamless integration into AP • Passive, no interference with normal functions • Compatible with existing networks • Compatible with future versions of 802.11 • With some minor changes • Not theoretical, real experimental product
OverviewOutline • Related Work • System Model of Normal 802.11 • Misbehavior Techniques • Methods to Measure Misbehavior • Function of DOMINO • Simulation Results • Implementation of DOMINO • Discussion
Related Work • Research on MAC-layer greedy is limited • Relatively new and unexplored • Kyasanur/Vaidya: Receiver assigns/sends backoff values in CTS/ACK • Not compatible with 802.11 • Misbehaving receivers • Computational overhead and new frame fields • Only backlogged UDP, actual backoff larger than assigned = cheater success
Related Work • Konorski: Ad-hoc network using backoff from Game Theory • Different from 802.11 standard • IDS (AirDefense Guard) provides sensors to monitor • DOMINO can be extension of these
System Model of Normal 802.11 Review • What is DIFS? • What is SIFS? • What is Backoff? • What is NAV? • How do they relate?
System Model of Normal 802.11 Backoff Setting • Chosen Backoff bounded by Contention Window (CW) • Backoff decreases as long as channel is idle • Backoff frozen when the channel is in use • Backoff = 0, send the frame • Collision = frame lost, increase CW and new backoff • If success next round, reset CW to minimum
Misbehavior TechniquesConcept of Greedy • MAC Greedy Behavior: Fail to follow procedures or change parameters defined by 802.11 • Stations misbehave only for beneficial outcome for themselves • Assumption, don’t consider attacks of disruption (deauthentication, security attack) • Simpler and more efficient than other known methods
Misbehavior Techniques1. Scramble Frames • Scramble others’ frames to increase their CW • CTS: Cheater hears RTS destined somewhere = Intentionally transmit to collide • Expected CTS response lost, channel goes idle for backoff • ACK/Data: Cause CW of ACK destination (Data source) to double • Increases the backoff for longer channel idle
Misbehavior Techniques2. Manipulate 802.11 Parameters • Change existing 802.11 parameters • Idle Channel = Transmit after SIFS but before waiting DIFS • False increase NAV on sending RTS/Data • Choose smaller fixed CW than others • Shorting your Backoff to cheat
Methods to Measure Misbehavior1. Throughput • Measure Throughput on stations to find • Problems in Design • 2 stations using different data rates/delays • VoIP vs. Streaming Video • UDP throughput affected by overhead, SNR, hardware, drivers, O/S • TCP coupled with 802.11 derogates on • TCP: CW, recovery, packet size, timeout • 802.11: ACK, retry limit, backoff
Methods to Measure Misbehavior2. Backoff • Used in DOMINO, less dependant on factors • Problems in Design • Backoff idle period after DIFS is indistinguishable from delay of low packet source • Cheater give impression of well-behaved • MAC header not enough data to get backoff • Some stations increase backoff in collision, some don’t • Hidden Terminal Problem • Sender thinks idle and sends, hidden node also sending, receiver sees collision
Function of DOMINOUse of Backoff • Overcoming Backoff problems easier than Throughput • Estimate backoff by monitoring channel idle time • Several backoff solutions, not enough alone • Combine backoff solutions to catch most misbehavior
Function of DOMINODOMINO Code Structure • Collect traces in Monitoring Period and run algorithm • Increment cheater hit for K times before stopping • Prevent false positives
Function of DOMINO 1. Scramble Frames • Must scramble lots of frames • # of retransmissions less than other stations • Repeated sequence number • Attacker never resetting while others are and repeating sequence
Function of DOMINO 2. Shorter than DIFS • After an ACK is sent, stations should be idle for a DIFS (unless cheating)
Function of DOMINO 3. Oversized NAV • Measure the actual duration of Data, ACK, and RTS/CTS • Advertized NAV more than actual indicates cheater
Function of DOMINO 4. Maximum Backoff • Find if backoff observed is less than some threshold • Small sample period = low threshold, simulations show CW/2 is best threshold • Cheater could give one sufficiently large backoff to throw off average
Function of DOMINO 5. Actual Backoff • Bacnom = average backoff observed by AP • Αac = Percent true/false positive (90% in simulations) • Picks up TCP frame delays, increases backoff and can disguise the cheater
Function of DOMINO 6. Consecutive Backoff • Now can handle TCP sources (91% of network traffic) • Similar to Test 5, but Bconom = Backoff between consecutive non-interleaved transmissions
Function of DOMINOReview Structure Again • Collect traces in Monitoring Period and run algorithm • Increment cheater hit for K times before stopping • Prevent false positives
Simulation ResultsSetup • Ns-2 with Monarch project extension • 10 simulations, 110 seconds each, monitoring period every 10 seconds • Mimic fading effects of real channel with Shadowing Channel • Pr(d) power at distance d, d0 reference
Simulation ResultsSetup • 8 stations (one cheater) sending 500 bytes/packet at 200 packets/s • UDP sending CBR traffic • TCP sending FTP traffic • All stations 50 meters away • Problem in this?
Simulation ResultsMisbehavior Coefficent • Misbehavior Coefficeint: Amount of misbehavior based on size of backoff • M = 0, no misbehavior • M = 1, full misbhavior (no backoff used)
Simulation ResultsGains from Cheating • Why TCP harder to cheat? • TCP congestion control and rate of TCP ACKs
Simulation ResultsTest to Detect Actual Backoff • UDP cheating caught • TCP failed because TCP congestion control being picked up • Result not shown since all on x-axis only
Simulation ResultsTest to Detect Consecutive Backoff • TCP cheating caught • UDP failed as TCP did before • Result not shown since all on x-axis only
Simulation ResultsNeed to Stack Tests • Actual catches UDP but misses TCP • Consecutive catches TCP but misses UDP • Combining catches both
ImplementationDesign • Proxim ORINOCO 11a/b/g Combo Card • MADWIFI driver (Linux) • Modify CW in registry of driver to cheat
ImplementationDOMINO in Use • Increasing coefficient (cheating) = Detection • Why allow leeway? • False detection, attacker not doing much harm
ImplementationOverhead and Location • DOMINO on AP (software or firmeware upgrade) • Passive only, low overhead • 500 bytes at 7mbps, 50 stations = 0.021% 200mhz CPU (4 clock cycles) • Can do separate unit near AP (AirDefense Guard sensors) • Decide based on service requirements, available equipment, and infrastructure
Discussion IssuesHidden Terminals • B transmitting to AP, A can’t see B and thinks idle • A decrementing its backoff looks smaller than should be, false detect • Increase threshold values to tolerate some legitimate misbehavior
Discussion IssuesAdaptive Cheating • Cheater knows DOMINO, switch methods during collection periods to throw off • Must guess monitoring period/thresholds (won’t know success until blocked) • Deliberate its collide two frames, fail Actual backoff and never hit Consecutive • Not beneficial to cheater (goal is to be greedy)
Discussion IssuesMonitoring Period • Monitoring Period needs to be large enough for fairness • 802.11 binary exponential backoff unfair in short-term (false positives) • 500 bytes at 7mbps, 50 stations, 10 second monitoring period = 350 backoff values per station
ConclusionAdvantages • What is so good about DOMINO? • DOMINO uses modular building of tests • Catch many cheating with various tests • Easy to build upon for future cheating • Low overhead (passive) or run separate • Extension to existing Intrusion Detection Systems
ConclusionPotential Issues? • Issues not addressed in DOMINO? • Testing was just on FTP and CBR • Focus of tests were Actual and Consecutive Backoffs (only 2 out of 6 issues) • Stations organized perfectly around AP, not different ranges • No consideration for obstacles or interference