
International Journal of Emerging Technology and Advanced Engineering

Website: www.ijetae.com (ISSN 2250-2459,ISO 9001:2008 Certified Journal, Volume 4, Issue 3, March 2014)

A Simulation Study of Collusion and Network Partition Denial of Service Attack in IEEE 802.11 and FAIRMAC Protocol

Ankit Rajpal¹, Preeti², P.K. Hazra³

¹,² Department of Computer Science, Deen Dayal Upadhyaya College, University of Delhi, Delhi, India
³ Department of Computer Science, University of Delhi, Delhi, India

Abstract— In this paper, we simulated Collusion and Network Partition DoS attacks using GloMoSim (GLObal MObile information system SIMulator). A network of 36 nodes in a grid pattern was chosen. Throughput analysis with and without DoS attack was carried out for a varying number of nodes. The importance of fairness in the MAC layer is also justified through the results obtained.

Keywords: DoS, Collusion, Partition, MAC, Simulation, GloMoSim, FAIRMAC.

I. INTRODUCTION

Denial of Service is a constant concern in the world of networking. By DoS attack, we mean any effort to “prevent or impair the legitimate use of computer or network resources,” interrupting or delaying services which can cause a node or an entire network to become unavailable [1]. The industry standard for handling DoS attacks includes a three-step process of protection, detection and reaction. Protection, however, is the best defense because if a system is not protected, or a network is not prepared, then detection is more difficult and reaction can be more costly. There is no way to completely harden a network against DoS attacks, but the best way to minimize the damage is to put in as many measures to prevent attacks or mitigate the effect as feasible balanced against resource availability and cost [2].

DoS can occur at any of the seven layers of the OSI model. For an ad hoc network, DoS attacks at layer 1, the physical layer, generally involve jamming to disrupt the signal. The best defense against such an attack, spread spectrum, is the default standard within most wireless protocols. Attacks at the data link layer generally focus on overflowing a node’s buffer, affecting its ability to receive and forward packets. The network layer, the third layer of the OSI model, is where routing and the Internet Protocol (IP) exist and where a large number of attacks are aimed. Any disruption of routing within an ad hoc network can isolate any or all nodes.

The majority of DoS attacks occur within layer 4, targeted against the TCP and UDP protocols, impacting Layer 5 which relies on these protocols to maintain sessions. Layer 6 and 7 are prone to application-specific DoS attacks.

More specifically, we investigated attacks at the medium access control layer. An attacker causes congestion in the network by either generating an excessive amount of traffic by itself, or by having other nodes generate excessive amounts of traffic. In wireless networks, DoS attacks are difficult to prevent and protect against. They can cause a severe degradation of network performance in terms of the achieved throughput and latency. We investigate the vulnerabilities of the IEEE 802.11 MAC protocol [3, 4] that make DoS attacks easy. To gain an understanding of how fairness may prevent some of the DoS attacks, we emulate a perfectly Fair MAC (FAIRMAC) protocol. We simulate various scenarios to understand the local and global effects of various types of DoS attacks with both the IEEE 802.11 MAC protocol and with FAIRMAC, and discuss possible solutions to overcome or alleviate these effects. Our results show that the extent to which the performance of a wireless network or a service degrades under DoS depends on many factors, such as the location of malicious nodes, their traffic patterns, and the fairness provided in sharing the network resources.

Now let us examine how the hidden-terminal problem causes short-term unfairness. Consider the situation (in Fig 1) that the CWs at nodes A and C are very small e.g. 31 (A and C are hidden from each other).

Fig 1

In particular, one of the two nodes (let us say, node A) may select a small back-off time from its CW, while the other node (i.e. C) selects a large value. Once the Frame Exchange Sequence (FES) from A to B is completed, node A resets its CW and backs-off before initiating another FES. However, the remaining back-off timer at node C may be large compared to the back-off timer at node A, which is drawn from the range [0,CWmin]. In that case, nodes A and B may exchange several more FESs before node C’s back-off timer reduces to zero. Whenever the back-off timer at node C reduces to zero, node C contends for the medium. However, as the CW at node A is equal to CWmin, the contention is most likely to result in a collision. After the collision, node A doubles its CW from CWmin whereas node C doubles its CW from a larger value (at least 63). Therefore, the CW at node C is greater than that at A, and node A is more likely to get control of the medium again. This is obviously unfair for node C since A has already transmitted several packets while C is starved during this period. Moreover, this process (i.e. several packet transmissions by node A, followed by collisions, and then packet transmissions by node A again) may repeat several times, leading to starvation at node C for a long period (compared to the time needed for a FES).

We should note that the short-term unfairness problem is also known as “capture” in Ethernet. However, the main reason for capture in Ethernet is the deficiency of the BEB algorithm when the number of contending stations is very large. Moreover, the capture phenomenon scarcely occurs in an Ethernet when there are only two contending stations. On the contrary, in an IEEE 802.11 wireless network, the capture phenomenon poses a severe problem even in the scenario with just two contending stations (e.g. in the hidden-terminal scenario). Clearly, in addition to the deficiency of the BEB, the freezing mechanism of the back-off timer and the hidden-terminal problem itself (which is rooted in wireless networks) cause unfairness.
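The two-node hidden-terminal case described above can be reproduced with a small slotted simulation. This is an added illustration, not code from the paper or from GloMoSim; the collision window `vulnerable`, the CWmax value of 1023 and all function names are assumptions of the sketch.

```python
import random

CW_MIN, CW_MAX = 31, 1023  # contention-window bounds in slots (CW_MAX assumed)

def simulate_hidden_pair(n_fes, vulnerable=10, seed=1):
    """Winners ('A' or 'C') of n_fes successful frame exchange sequences.

    Simplified model: A and C cannot hear each other, so their frames collide
    at B when both back-off timers expire within `vulnerable` slots; the
    loser's timer stays frozen while the winner completes its FES.
    """
    rng = random.Random(seed)
    cw = {"A": CW_MIN, "C": CW_MIN}
    bo = {n: rng.randint(0, cw[n]) for n in cw}
    winners = []
    while len(winners) < n_fes:
        if abs(bo["A"] - bo["C"]) < vulnerable:
            for n in cw:  # collision: binary exponential back-off on both
                cw[n] = min(2 * cw[n] + 1, CW_MAX)
                bo[n] = rng.randint(0, cw[n])
            continue
        win, lose = ("A", "C") if bo["A"] < bo["C"] else ("C", "A")
        bo[lose] -= bo[win]               # residual timer carried over
        cw[win] = CW_MIN                  # winner resets its CW ...
        bo[win] = rng.randint(0, CW_MIN)  # ... and draws from [0, CWmin]
        winners.append(win)
    return winners

def jain(counts):
    """Jain fairness index: 1.0 is an equal share, 1/n is total capture."""
    total, sq = sum(counts), sum(c * c for c in counts)
    return 1.0 if sq == 0 else total * total / (len(counts) * sq)

def windowed_fairness(winners, window):
    """Jain index of each consecutive, non-overlapping window of FESs."""
    return [jain([winners[i:i + window].count("A"),
                  winners[i:i + window].count("C")])
            for i in range(0, len(winners) - window + 1, window)]

def longest_run(winners):
    """Length of the longest streak of FESs won by the same node."""
    best = run = 0
    prev = None
    for w in winners:
        run = run + 1 if w == prev else 1
        best, prev = max(best, run), w
    return best

if __name__ == "__main__":
    seq = simulate_hidden_pair(20000)
    short = windowed_fairness(seq, 10)
    print("long-term Jain index :", jain([seq.count("A"), seq.count("C")]))
    print("worst 10-FES window  :", min(short))
    print("longest capture run  :", longest_run(seq))
```

Comparing the index over short windows with the index over the whole run separates short-term capture from long-term share, which is the distinction the paragraph above draws.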

Vikram et al. [5] provided an analysis of the IEEE 802.11 and FAIRMAC protocols for a single node up to eight nodes. Here we have simulated a larger version with varying topology for neighborhood attacks with zero to thirty five nodes.

II. TYPES OF DOS ATTACKS

In wireless networks DoS attacks could be mainly classified into two types, those that are at the routing layer and those that are at the MAC layer.

Attacks at the routing layer could consist of the following:

(a) The malicious node participates in a route but simply drops a certain number of the data packets. This causes the quality of the connections to deteriorate and has further ramifications on performance if TCP is the transport layer protocol that is used.

(b) The malicious node transmits falsified route updates. The effects could lead to frequent route failures, thereby deteriorating performance.

(c) The malicious node could potentially replay stale updates. This might again lead to false routes and degradation in performance.

(d) Reduce the TTL (time-to-live) field in the IP header so that the packet never reaches the destination.

Notice that all of the above could lead to congestion due to data that is either retransmitted or transmitted on erroneous routes only to be dropped at a later time. We can make use of the promiscuous mode, wherein a node overhears the transmissions of its neighbors and infers whether their behavior and responses are normal. However, this overhearing may be very much dependent upon other transmissions in the vicinity and the MAC protocol in use. It has been proved that if end-to-end authentication is enforced, attacks by independent malicious nodes of types (b) and (c) may be thwarted. An attack of type (a) may be handled by assigning confidence levels to nodes, and using routes that provide the highest level of confidence. Of course, multiple paths might have to be maintained. An attack of type (d) may be thwarted simply by making it mandatory that a relay node ensures that the TTL field is set to a value greater than the hop count to the intended destination. If nodes collude, the authentication mechanisms fail and it is an open problem to provide protection against such routing attacks.

At the MAC layer the following attacks can be attempted:

• Since we assume that there is a single channel that is reused, keeping the channel busy in the vicinity of a node leads to a denial of service attack at that node.

• By using a particular node to continually relay spurious data, the battery life of that node may be drained.

However, if nodes collude and one of the nodes is the sending node and the other is the destination, MAC layer attacks are very much feasible.

A. Collusion Attack

The objective of this attack is to show that two colluding nodes can attack a server even when they are not in the neighborhood of the node hosting the server.

B. Network Partition Attack

The objective of this experiment is to show that it is possible for 2 colluding nodes to launch a DoS attack so as to separate a set of nodes from the rest of the network.

III. IMPLEMENTATION DETAILS

We quantify and evaluate attacks at the MAC layer. We have used GLOMOSIM [5] for our simulations. Mobility and randomness of the topology complicate the analysis and therefore have not been studied in this work.

We test various attack scenarios for a static 6 x 6 grid topology, consisting of 36 nodes. Each node is separated from its neighbor by 350 meters. The transmission range of each node is fixed at 376m. The simulation settings in config.in are shown in Fig. 2, the meaning of each node is shown in Fig. 3 and the placement of nodes is shown in Fig. 4.

Fig 2

Fig 3

Fig 4

The metric for quantifying the effects of DoS attacks is the achieved throughput as seen by 8 clients from a particular server. The clients are placed at the corners (nodes 0, 5, 30 and 35) and mid-way (nodes 2, 12, 17 and 32) along the edges of the grid. The server (node 20) is placed approximately at the center of the grid. The nodes R1 and R2 in the figure represent nodes that route data through the server.

We use FTP application clients in GLOMOSIM for the TCP connections. Each client sends 10 packets of variable size to the server by establishing a TCP connection with it. The simulation time is 900 seconds. The attack is simulated as a Constant Bit Rate (CBR) application client using UDP. The rate at which the attacker sends data is different for various attacks that we have simulated. We have extended GLOMOSIM to include a perfectly fair MAC protocol (FAIRMAC) by implementing and using the facility of post backoff.

Fig 5

The static routes were defined in the routes.in file as shown in Fig. 5.

Fig 6

The simulation results reveal the fairness problem in IEEE 802.11, which refers to the severe throughput degradation of some nodes due to their unfavorable locations in the network and the commonly used binary exponential backoff (BEB) algorithm that always favors the node that last succeeds.

IV. RESULTS AND ANALYSIS

A. Attack 1: Collusion attack

The objective of this attack is to show that two colluding nodes can attack a server even when they are not in the neighborhood of the node hosting the server. In the above grid pattern, Nodes R1 and R2 establish a UDP session; the server node S is on the route from R1 to R2. In particular, for our experiment, a neighbor of 12 sends data through the server node S to a neighbor of node 17 (the path length is 4 hops in a 6x6 grid).

Fig 7

Fig 8

We observed the following (See Fig 7, 8):

• With the attacker sending data using the IEEE 802.11 MAC, the throughput is reduced for most nodes.

• The decrease in the throughput for node 17 (near the attacking sender) and the corresponding increase in throughput for node 12 (near the attacking receiver) indicates that the attacker’s strategy of sending data at a high rate may lead to localized congestion and the attacking flow does not harm the whole network.

We noticed that it was possible for nodes R1 and R2 to attack the server, even when the source and destination of attacking flow were many hops away from the server.

Importantly, if nodes R1 and R2 were colluding nodes, they would have been able to authenticate themselves. Thus any end-to-end authentication scheme fails in preventing such an attack. However, such a scheme is still desirable because in its absence a malicious node can assume a false identity and convince a node to send a large volume of data to any location in the network. Such attacks can be mitigated in environments where it is possible to determine the legitimacy of a particular communication from its source-destination pair. We should note here the importance of routing information in this attack. R1 and R2 need to place themselves in such a way that S is on the path between them. Otherwise, they will need to manipulate the routing information so as to convince other nodes to route through S. In mobile environments routing information may be changing. Thus, it is more difficult for malicious nodes to launch a DoS attack on a specific node that is at a large distance from them.

B. Attack 2: Network partition attack

The objective of this experiment is to show that it is possible for 2 colluding nodes to launch a DoS attack so as to separate a set of nodes from the rest of the network. These nodes P1 and P2 (in the above grid diagram) establish UDP session(s) with each other in order to create a partition in the network by preventing data transfer between nodes that are on the opposite sides of their flow(s). We present simulation results for unidirectional and bi-directional flows. The results are as follows:

1) Attack using unidirectional traffic stream:

Fig 9

Fig 10

2) Attack using bidirectional traffic stream:

Fig 11

Fig 12

We observed the following (See Fig 9-12):

• When the IEEE 802.11 MAC is used, it is difficult for attacking nodes to create a partition by unidirectional streams on long paths.

• With the FAIRMAC, all of the attacks simulated affect the nodes 0, 2, and 5. This is due to the formation of long queues at the nodes along the attack path, leading to a partition of the network.

It is possible for malicious nodes to partition the network. The effectiveness of the partition depends on factors like traffic patterns generated by the attacking node, number of hops on the path traversed by the malicious flow and topology of the network.

V. CONCLUSION

The results of collusion attack show that the attacker’s strategy to collude and attack the server leads to localized congestion in the vicinity of the attackers (colluding partners).

The partition attacks aimed at creating a partition of the network, and were used to study the effectiveness of a unidirectional data stream and that of a bidirectional data stream in bringing about such a partition.

We saw that it was difficult for the attacking nodes to create a partition of the network using unidirectional data streams, but not so using bidirectional streams. We observed a denial of service (as indicated by their negligible throughput) to the nodes 0, 2, and 5 in each case. The impact of the bidirectional stream is more pronounced.

REFERENCES

[1] L. Zhou and Z. Haas, "Securing ad hoc networks," IEEE Network, 13(6):24-30, November/December 1999.

[2] Y. Zhang and W. Lee, "Intrusion detection in wireless ad hoc networks," ACM MOBICOM, 2000.

[3] B. P. Crow, I. Widjaja, J. G. Kim, and P. T. Sakai, "IEEE 802.11 wireless local area networks," IEEE Commun. Mag., pp. 116-126, 1997.

[4] H. AhleHagh, WR. Michalson and D. Finkel, "Statistical Characteristics of Wireless Network Traffic and Its Impact on Ad Hoc Network Performance," in Proceedings of the 2003 Applied Telecommunication Symposium, 2003.

[5] Vikram Gupta, Srikanth Krishnamurthy and Michalis Faloutsos, "Denial of Service Attacks at the MAC Layer in Wireless Ad Hoc Networks," Proceedings of MILCOM Conference, 2002.
