Understanding and Mitigating the Impact of

RF Interference on 802.11 Networks

Ramakrishna Gummadi∗ David Wetherall†‡ Ben Greenstein† Srinivasan Seshan§
∗ USC † Intel Research ‡ University of Washington § CMU

Abstract (IEEE 802.15.4) embedded devices, 2.4GHz RFID tags, and pro-
We study the impact on 802.11 networks of RF interference from prietary devices such as the ANT radios [4], Chipcon 2.4GHz RF
devices such as Zigbee and cordless phones that increasingly crowd transceivers [9] and Cypress “WirelessUSB” peripherals [31].
the 2.4GHz ISM band, and from devices such as wireless cam- Although the use of unlicensed bands does not require coordina-
era jammers and non-compliant 802.11 devices that seek to disrupt tion between the deployers of devices, not all forms of device be-
802.11 operation. Our experiments show that commodity 802.11 havior is permitted. To promote coexistence, devices must meet a
equipment is surprisingly vulnerable to certain patterns of weak or number of FCC regulations that limit transmission power and force
narrow-band interference. This enables us to disrupt a link with an transmitters to spread their signals. Wireless technologies often
interfering signal whose power is 1000 times weaker than the vic- have mechanisms in their MAC and PHY layers that go beyond the
tim’s 802.11 signals, or to shut down a multiple AP, multiple chan- basic FCC/ITU rules to improve coexistence. For example, 802.11
nel managed network at a location with a single radio interferer. uses carrier sense to detect and defer to 802.11 and other transmit-
We identify several factors that lead to these vulnerabilities, rang- ters. Similarly, Bluetooth adaptively hops frequencies to decrease
ing from MAC layer driver implementation strategies to PHY layer interference on 802.11 [7]. However, unlicensed band coexistence
radio frequency implementation strategies. Our results further show and additional precautions have not prevented a range of interfer-
that these factors are not overcome by simply changing 802.11 op- ence problems across the n2 combinations of wireless technologies
erational parameters (such as CCA threshold, rate and packet size) that may interact. In fact, there are reports of interference between
with the exception of frequency shifts. This leads us to explore rapid technologies that are specifically designed to coexist (e.g., 802.11
channel hopping as a strategy to withstand RF interference. We pro- and Bluetooth [29]). Moreover, mechanisms for politely accommo-
totype a channel hopping design using PRISM NICs, and find that dating other transmitters, such as carrier sense in 802.11, can make
it can sustain throughput at levels of RF interference well above technologies more susceptible to interference from other devices.
that needed to disrupt unmodified links, and at a reasonable cost in Our goal is to explore the impact of interference on 802.11 links
terms of switching overheads. and to develop techniques that make 802.11 more resistant to inter-
Categories and Subject Descriptors: ference. To develop an understanding of the key factors, we subject
C.4 [Performance of Systems]: Measurement Techniques; C.2.1 an 802.11 network consisting of a single AP and a single nearby
[Computer-Communication Networks]: Network Architecture client to commonly available RF sources and measure the effect
and Design on client/AP performance. Since 802.11 already uses many mecha-
General Terms: Experimentation, Measurement, Performance, nisms to mitigate noise and interference, it is natural to ask whether
Security 802.11 links are already as robust to interference as can reason-
Keywords: 802.11, RF Interference, SINR, Jamming, Channel ably be expected. These mechanisms include: 1) a MAC protocol
hopping that avoids collisions; 2) lower transmission rates that accommo-
date lower signal-to-interference-plus-noise (SINR) ratios; 3) sig-
1 Introduction nal spreading that tolerates narrow-band fading and interference;
Our reliance on wireless communications such as 802.11 is increas- and 4) PHY layer coding for error correction. However, we are
ing. Wireless technology is now used as an alternative to wired net- aware of little published work that we can use to answer this ques-
works in enterprises [12], to enable mobility in safety critical set- tion because past studies consider RF sources that follow 802.11
tings like hospitals, and to provide city-wide Internet access [10]. protocols in either the same or adjacent channels [17, 19, 21, 22].
In each of these cases, high network availability is desirable. Un- We consider both selfish interferers such as Zigbee nodes and cord-
fortunately, by their nature, wireless transmissions are vulnera- less phones that co-exist in the unlicensed band and run their own
ble to RF (Radio Frequency) interference from various sources. protocol for their own benefit, and malicious interferers such as
This weakness is a growing problem for technologies that oper- wireless jammers [30] that actively seek to deny service to other
ate in unlicensed frequency bands, as these bands are becoming nodes to achieve their own ends.
more crowded over time [3]. 802.11b/g networks which use the Our experimental results confirm anecdotal evidence that a range
2.4GHz band now compete with a wide range of wireless devices of selfish and malicious interferers (802.11 waveforms, Zigbee, a
that includes 2.4GHz cordless phones, Bluetooth headsets, Zigbee wireless camera jammer, a cordless phone) cause 802.11 perfor-
∗ Work done while the author was at Intel Research Seattle. This
mance to degrade much more significantly than expected from sim-
ple SINR considerations. Surprisingly, we find that even highly at-
material is based in part upon work supported by the National Science
Foundation under Grant No. 0520192. tenuated signals from malicious devices can cause severe losses at
the receiver. We identify a number of properties of a typical NIC
Permission to make digital or hard copies of all or part of this work for (Network Interface Card) implementation of the 802.11 PHY and
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
MAC layers that is to blame for this poor performance. This leads
bear this notice and the full citation on the first page. To copy otherwise, to us to extend the classic SINR model of successful packet transmis-
republish, to post on servers or to redistribute to lists, requires prior specific sions to account for these effects.
permission and/or a fee. This extended model helps us to understand the performance
SIGCOMM’07, August 27–31, 2007, Kyoto, Japan. degradations that we observe, as well as predict the utility of other
Copyright 2007 ACM 978-1-59593-713-1/07/0008 . . . $5.00. strategies; we check these predictions experimentally to build confi-
dence in our model. In particular, the model shows why some likely SYNC SFD SIGNAL SERVICE LENGTH CRC
interference mitigation techniques are of little help because of re- MAC
(128 bits) (16 bits) (8 bits) (8 bits) (16 bits) (16 bits)
ceiver path limitations. For example, high sender transmit power,
large channel bandwidth compared to a narrow-band interferer, Energy Detection, PHY Header PHY Duration PHY Header
Frame
Verification,
high receiver selectivity, and multi-antenna and spatial diversity Timing Recovery Detection Estimation Verification Beaconing,
etc.
techniques used in the new 802.11n do not gracefully tolerate inter-
ference. It also highlights that existing 802.11 implementations are PLCP Preamble PLCP Header PSDU
able to tolerate interference when it is modestly off the center of the (144 bits) (48 bits) (2304 bytes max)
frequency channel that they are using, e.g., when it is in an adjacent
channel even though this adjacent channel is not orthogonal. This PPDU
(PLCP Protocol Data Unit)
is a surprising and useful result because there are only three non-
overlapping (i.e., orthogonal) channels in the 2.4GHz band, while
there are eleven overlapping channels. Figure 1—802.11 PHY encapsulation and its usage at the receiver.
Motivated by these observations, we design a channel hopping
scheme and evaluate its ability to withstand interference. Our goal is
that performance degrades gracefully and slowly with increasingly
large levels of interference. We use commodity (PRISM) chipsets If the CCA module declares the medium to be free, the packet is
to prototype our design. In it, clients and the AP switch to a pseudo- sent. If it is busy, the transmitter defers the transmission for a ran-
random channel rapidly (250µ s channel switching latency), and dom number of 20µ s slots selected between 1 and the Contention
occupy it for a short period (10ms dwell period) before switching Window (CW), and repeats the CCA procedure. The CW is dou-
again. This makes it difficult for both selfish and malicious devices bled with successive deferrals, up to a maximum of 127 slots; the
to jam a link for an extended period. This is because they must packet is sent if this maximum is reached regardless of whether the
first find the channel that the link is using at a given time (or jam medium is busy. The CW is reset to a minimum value after a trans-
all channels, which is considerably more expensive). We find the mission.
overhead of channel hopping to be acceptably small, and the im- Receivers send an ACK packet within a fixed time limit to ac-
provement in performance under interference to be large. Without knowledge the receipt of a non-broadcast data packet that passes
hopping, the effect of a single interferer is catastrophic. With hop- the CRC check for data integrity. If the transmitter does not receive
ping, even three interferers jamming all three orthogonal channels an ACK, it considers the packet (or its ACK) lost. It then retransmits
cannot degrade performance to low levels. the packet by re-inserting it at the front of the transmission queue
In this paper, we make three contributions. First, we quantify and treating it as a new packet. Retransmission can be repeated up
the extent and magnitude of 802.11’s vulnerability to interference, to seven times, after which the packet is dropped. Optionally, nodes
and relate the causes of such vulnerability to design limitations in can precede data packets with a RTS/CTS exchange to reduce the
commodity NICs. Second, we extend the SINR model to capture likelihood of interference by hidden terminals, but most implemen-
these limitations, and quantify how our extended version can be tations choose not to do so in practice because the costs outweigh
used to predict the high interference degradation with even weak the benefits.
and narrow-band interferers seen in practice. We also use the model The 802.11 MAC also defines management packets, the most
to show that changing 802.11 operational parameters would be in- relevant here being beacons and probes. An AP periodically (∼
effective at mitigating this degradation, while channel hopping can 100ms) broadcasts beacons to assist clients with association, roam-
be helpful. Third, we implement and evaluate a rapid channel hop- ing, synchronization, power-saving and other tasks. Beacons carry
ping scheme that can withstand even multiple strong interferers in a an 8-octet timestamp field so that the client’s NIC can synchronize
realistic setting, at a reasonable cost in terms of channel switching its clock with the AP to meet the timing constraints of the 802.11
overheads. MAC. Probe packets are sent by a client to discover APs.
The rest of the paper is organized as follows. We briefly review
802.11 in the next section, then describe our experimental setup in Reception at a node can be explained in terms of the PLCP
Section 3. We describe our experiments to gauge the effects of in- (Physical Layer Convergence Protocol) headers that encapsulate
terference in Section 4, and extend the SINR model to capture these packets (shown in Figure 1). Processing steps are shown as ovals.
effects in Section 5. Our channel hopping solution is developed in To begin, a preamble of a SYNC bit-pattern triggers the energy de-
Section 6. We then consider related work in Section 7 and conclude tection circuitry that alerts the receiver to an incoming transmis-
in Section 8. sion. This bit-pattern is also used to extract symbol timing. It is
always transmitted at 1Mbps. 802.11b/g uses either a long pream-
ble that transmits the PLCP header (Figure 1) at 1Mbps or a short
2 802.11 Background preamble that transmits the PLCP header at 2Mbps, regardless of
We briefly review 802.11b/g as it is relevant to our work. 802.11 the transmit speed of the MAC frame itself. A long preamble is
nodes follow a contention-based CSMA/CA MAC defined by the shown in the figure. The Start Frame Delimiter (SFD) is a specific
IEEE standard. Normally, the 802.11 radio is in receive mode. 16-bit pattern (0x07cf with long preambles) that signifies the start
When a node has a packet to send, it enters the transmit mode and of PLCP data. In the PLCP header, the LENGTH field contains the
waits for a certain time period to make sure the medium is free packet length, which is used with bit rate information in the SER-
(CSMA). It uses a Clear Channel Assessment (CCA) module that VICE field to determine the overall duration of the packet. To com-
may be configured in several modes to make this determination. In plete the PLCP processing, the receiver computes a CRC over the
Mode 1, the transmitter declares the medium busy if it detects any header. It generates a physical-layer error if the header is corrupted.
signal energy above the Energy Detect (ED) threshold. In mode 2, The MAC frame follows and it includes a separate CRC over the
it declares a busy medium if it detects any valid 802.11-modulated MAC contents. The receiver generates a separate MAC-layer error
signal. In mode 3, a busy medium is declared only when a valid if the MAC is corrupted. In Section 4, we study how interference
802.11-modulated signal that exceeds the ED threshold is detected. can disrupt the processing of these PHY and MAC functions.
Normally, mode 2 is used.
 E Wired Endpoint Interferer Power(dBm) BW(MHz) Range(m)
AP
I Interferer. Three types: PRISM 2.5 [−20, 20] 22 ∼30
UDP/TCP traffic
between client/wired a) Unattenuated PRISM interferer 2.4GHz jammer 30 1, FH ∼20
C
endpoint through AP b) Attenuated PRISM interferer CC2420 (Zigbee) [−24, 0] 5 ∼6
Client Cordless phone 20 0.003, FH ∼2

c) Zigbee interferer Table 1—Interferers and their characteristics.

Figure 2—Experimental setup with three interferers. (PRISM-based interferer and video camera jammer) and two self-
ish devices (a Zigbee sensor node and a Panasonic cordless phone).
To understand degradation effects (Section 4), we use the cheap and
An 802.11b/g transmission occurs on one of 11 overlapping ubiquitous PRISM 802.11 NICs with custom software, and Zigbee
channels in the 2.4GHz North American ISM band; the band is nodes as interferers. Our Zigbee nodes are sensor motes equipped
wide enough for three orthogonal channels. On a given channel, with Chipcon CC2420 radios [8], which implement the Zigbee-
802.11 offers a large choice of rates and modulations that trade off PHY and parts of the Zigbee-MAC in hardware. To evaluate our
performance for interference tolerance. 802.11b rates are 1Mbps mitigation strategies (Section 6), we also use a wireless video cam-
(Differential Binary Phase Shift Keying, DBPSK), 2Mbps (Differ- era jammer [30] and a cordless phone.
ential Quadrature Phase Shift Keying, DQPSK), 5.5Mbps (Com- In Table 1, the power column gives the power output by an in-
plementary Code Keying, CCK), and 11Mbps (CCK). The 1 and terferer’s radio before antenna gain. To control the transmit power
2Mbps rates use Direct Sequence Spread Spectrum (DSSS) to of the PRISM interferer over a wide range (40dB, or a factor of
spread their signals across the entire 22MHz channel bandwidth and 10,000), we use hardware attenuators. For Zigbee, we change the
increase noise immunity. The spreading sequence, the 11-bit Barker power levels in software. In the BW (Bandwidth) column, FH
code, has low auto-correlation to tolerate multipath conditions, and means the device frequency hops the entire 2.4–2.4835GHz band.
gives a processing gain of 10.4dB. CCK in the 5.5 and 11Mbps rates The range column in Table 1 shows the approximate range we found
handles both modulation and spreading. 802.11g, like 802.11a, uses the interferer to be highly effective (i.e., severely impacted TCP
Orthogonal Frequency Division Multiplexing (OFDM) for modula- transfers between the wired endpoint and the client in Figure 2).
tion. 52 tightly-spaced (0.3125MHz apart) orthogonal sub-carriers, The PRISM interferer is a Linux desktop with PRISM PCI NICs,
of which 48 are for data, carry data at various rates ranging from as shown in Figure 2, with custom software. We chose it because the
54Mbps down to 6Mbps depending on channel conditions. PRISM firmware provides a low-level interface that can generate
arbitrary 802.11-modulated continuous 16-bit patterns as the MAC
data. Such RF patterns are valid modulated 802.11 signals, but not
3 Experimental Setup valid 802.11 PLCP or MAC units. We use a user-level program to
For our experiments, we use a simple network setup (Figure 2) that generate and count the duration of these interference patterns; they
consists of an AP, client, and selfish or malicious interferer. This is cannot be measured externally using packet sniffers because snif-
to clearly expose low-level interference effects. We ran experiments fers typically only decode frames with valid MAC data.
with PRISM, Atheros and Intel NICs as described below to ensure The Zigbee interferer outputs 128-byte packets, without any
that we do not focus on implementation deficiencies that are easily transmission control. The wireless camera jammer is a commer-
corrected. cially available device that uses frequency hopping to block all
Client and AP. The client is a Linux laptop equipped with 802.11b/g channels. The cordless phone is a Panasonic brand com-
802.11 NICs from Intersil (802.11b), as well as Atheros and In- modity device.
tel (802.11a/b/g), in PCMCIA and mini-PCI formats. The AP is a For our experiments in Section 4 and Section 5, we place the in-
Linux laptop with either an Intersil PRISM 2.5 in 802.11b mode terferer to ensure that its signals at the AP and client are more atten-
(using the HostAP driver) or an Atheros AR5006X in 802.11b/g uated than the AP to client signals at all times. We verified this by
mode (using the MadWifi driver). The Intel NIC for the client is measuring the signal and noise (which includes interference) pow-
PRO/Wireless 3945ABG using the ipw3945 driver. The majority of ers at the AP and client. This is to avoid overstating the effects of
current 802.11 NICs belong to one of these three architectures, and interference. The output power of the client and the AP varied from
all implement the 802.11 PHY in hardware, and at least the time- 18–25dBm depending on the NIC, and the output power of the unat-
critical parts of the 802.11 MAC in firmware. tenuated interferer was 18dBm. In our experiments, the measured
During our early experiments, we found that a NIC is highly sen- path loss between the client and the AP varied between 32–37dB,
sitive to beacon losses at the client. During beacon loss periods, a and between the interferer and the client or AP varied between 39–
NIC rapidly begins looking for other APs to associate with and is 46dB. This is because the client and the AP are physically closer
prone to lock-ups under high loss. We mask these effects to ob- to each other than the interferer, and have a direct line-of-sight to
serve other interference effects by disabling beacon transmission each other to mitigate small-scale path loss considerations such as
at the AP and manually assigning the MAC address of the AP on multipath and fading. However, to evaluate our channel hopping
the client. Also, there are some timing dependencies in the 802.11 design in Section 6, we use a more realistic setup with multiple,
protocol, and the required clock synchronization across nodes is non-line-of-sight clients and multiple interferers whose signals can
handled by the timestamps within the beacons. In our interference be stronger than the AP and client.
measurement experiments, we ensured no adverse effects due to Tests and Metrics. The tests were conducted in a lab that is part of
these dependencies. Note that the channel hopping technique that a 30mx30m office floor. There were other 802.11 networks nearby,
we propose in Section 6 employs beaconing. but we ran our experiments when there was little external traffic.
Interferers. We use four qualitatively different sources of interfer- Each test consists of the client doing a one-way UDP or a TCP
ence in our experiments (Table 1). We use two malicious devices transfer of several megabytes between itself and a wired source or
 10000 1200
sink E through the AP, as shown in Figure 2. The packet size is
1500 bytes, and we provisioned enough socket buffers at the end

Latency (microseconds)
1000
hosts and enough forwarding buffer at the AP so that there were no 1000

Throughput (kbps)
packet losses inside the nodes themselves.
800
We measure overall performance in terms of throughput and la- 100 Throughput
tency. For each test, we measure kernel-level end-to-end packet
600
transmissions and receptions at one-second intervals. To investigate
performance effects, we also collect many low-level 802.11 statis- 10
400
tics at the AP and the client, such as the number of PLCP reception Latency
errors, PHY CRC errors, MAC CRC errors, etc. 1
200

4 Causes and Effects of Interference 0.1 0

This section presents the results of our interference experiments, −∞ -20 -12 -2 8 12 15 20
and shows how design choices made in commodity NICs explain PRISM Interferer Power (dBm)
our results. We categorize our results into three main classes: lim-
itations related to timing recovery, limitations related to dynamic Figure 4—Throughput and latency vs. interferer power caused by in-
range selection, and limitations related to PLCP header process- terference affecting timing recovery.
ing. Each of these limitations leads to high packet loss and, conse-
quently, low throughput.
We test with NICs from different vendors (PRISM, Atheros and
Intel depending on the test) to check that these effects are not im- AP flow and PRISM NICs; Atheros results are qualitatively simi-
plementation artifacts. We report results mainly for the PRISM NIC lar. Throughput is on a log-scale. It includes 95% confidence inter-
due to space limitations. We also test with 802.11g and 802.11n to vals across at least 10 experimental runs, but they are generally too
check that that these effects are not 802.11b PHY artifacts that can small to see as they are all within 5% of the actual values. Latency
be overcome with modulation schemes that have different receiver is measured as the time that the transmitter handles each packet,
parameters for the processing chain. Finally, we show that if the in- before sending or dropping it.
terferer is modestly away from the center frequency of an 802.11 The graph shows that, as the interference increases beyond
channel even though it is within the receive band (e.g., separated 12dBm (or 16mW1 ), the receiver fails to lock onto any packet, and
by 5MHz or more, as are two adjacent 802.11 channels), then the the throughput drops to zero. For comparison, the AP and client
interference is significantly less damaging. transmissions are at roughly 20dBm output power, and between
physically closer devices, and so are expected to be significantly
4.1 Timing Recovery Interference higher than this level of interference. Latency increases with loss
as expected, because the transmitter retries each lost packet up to
Sender clock extraction is done in the Timing Recovery module
seven times, and the carrier sense mechanism during each trans-
in Figure 3. If this module fails to lock onto the sender’s clock,
mission or retransmission attempt potentially causes transmission
the receiver will sense energy, but not recognize it as valid modu-
backoffs due to the interferer. This increases the average latency of
lated SYNC bits. Synchronization begins when the receiver detects
a transmitted or a lost packet. Surprisingly, the plot shows that even
the SYNC bit pattern of 128 scrambled 1s (long-preamble) or 56
small amounts of interference cause significant loss (e.g., −20dBm,
scrambled 0s (short-preamble). They are always sent at 1Mbps re-
or 0.01mW interferer power reduces throughput by a factor of four)
gardless of the data rate for the rest of the packet. As shown in Fig-
even though the SINR is high. We investigate the reasons for this
ure 3, the transmitter scrambles the PLCP preamble that includes
sensitivity to attenuated interference in the next subsection.
the SYNC bits to remove DC-bias (in the Scrambler module in Fig-
ure 3), modulates them using DBPSK modulation (in the Modu- We also found that higher layer effects can exacerbate lower
lator module), and spreads them (in the Barker Spreader module). layer ones. Specifically, clients disconnect from their APs under
At the receiver, the RF signal is digitized into 6-bit samples (in the moderate packet loss. This is because the MAC firmware of NICs
Analog-to-Digial Converter or ADC module), and these samples like PRISM and Intel is especially sensitive to three or more con-
are processed to recover the sender’s clock so that the rest of the secutive beacon losses. This allowed us to use a single radio inter-
receiver components can work on aligned signal samples. ferer to disconnect clients associated with different APs operating
We consider the impact of a PRISM interferer that emits a con- on multiple channels. We simply cycled through all 11 channels
tinuous all 1s pattern, which directly interferes with the receiver’s and emitted interference briefly on each channel. In one experi-
Timing Recovery module. This pattern is scrambled, modulated, ment, we made the PRISM interferer switch channels rapidly us-
and spread by the interferer’s NIC in the same way that the trans- ing a low-level PHY interface, while continuously emitting the all
mitter’s SYNC bits are. Since the interferer’s clock and the trans- 1s interference pattern. There were six APs belonging to a single
mitter’s clock are unsynchronized, the Timing Recovery module at managed network, each listening on a different channel. The APs
the receiver cannot lock onto the transmitter’s clock. The receiver were spread around an office floor that was 30m long and 30m wide.
therefore only records energy detection events, but does not detect Interference caused all clients in the office, who were connected to
any packet transmissions. Thus, packets sent by the transmitter are different APs, to disconnect from their APs within a short period
lost at the receiver, and we verified this packet loss through the low- (less than 5s), and remain disconnected. This is because they could
level NIC hardware counter for PLCP errors, which records a high not reliably receive beacons from any AP, even though a client was
count of PHY detection errors. We also experimented with an all within transmission range of several APs on average.
0s pattern to interfere with devices that use short preambles, with
substantially similar results. 1 The
relationship between dBm and milliwatts is:
We plot the throughput and latency for UDP traffic under this P = 10(x/10) mW, where P is power in mW and x is in dBm.
interference pattern in Figure 4. This graph is for a single client to
 PHY MAC
To RF Amplifiers
PLCP Preamble, Data Scrambled To AGC
Header Samples PLCP RF
BasebandADC Timing Barker
or Signal Demodulator Descrambler Data
Data 6-bit Recovery Correlator (includes
Scrambler Modulator
samples Preamble Detector/ beacons)
CCA Barker Header CRC-16 Checker
Spreader
Transmitter Receiver

Figure 3—The PHY processing chains at the transmitter and the receiver. The components in the receiver vulnerable to interference are shown in
italics.

10000 900
4.2 Dynamic Range Limitation
800

Latency (microseconds)
Receivers need to decode packets over a very large range of sig- Zigbee Throughput
1000
nal strengths: the strongest signals are typically around −10dBm,

Throughput (kbps)
700
while weak signals can be −70dBm or less, a range of 60dB, or a 600
factor of 106 . To work over this range, the receiver normalizes these 100 PRISM Throughput
500
signals internally into a fixed range. The fixed range is designed so
that, after taking the average background noise into account, the 400
10
Analog-to-Digital Converter (the ADC module in Figure 3) can PRISM Latency 300
make the best use of the fixed-width bits that are available to rep-
resent the digital samples of the signal. In PRISMs, these samples 1 200

are 6-bit wide and linearly spaced, representing 64 different volt- 100
Zigbee Latency
age levels [16]. An automatic gain control unit (the AGC module in
0.1 0
Figure 3) samples these voltage levels during the PLCP preamble −∞ -20 -12 -2 0 8 12 15 20
processing, and controls the gain of the RF and the IF amplifiers so
that the signal samples can occupy the entire ADC range. Interferer Power (dBm)
For cost and complexity reasons, there are two limitations of
such a design in commodity NICs such as from Intersil and Intel Figure 5—Throughput and latency vs. interferer power caused by in-
that we find lead to significant interference effects: terference affecting dynamic range selection.

• The AGC is fairly simple in practice, checking to see if the sig-

nal voltage level, during the time it is sampling the SYNC bits,
is greater than a certain voltage threshold. If so, the signal is These random patterns interfere with the dynamic range selection
considered strong, and the AGC asks the RF amplifier to sub- because the receiver can not calibrate the signal power or the noise
tract a large (∼30dB) gain from the incoming signals [16]. This floor correctly with such rapid on-off patterns. This means when
causes the RF amplifier to operate in a low-gain mode, whose such an interference is added to a strong signal that has been atten-
output signal power is lower than if the amplifier was operating uated, it can cause the signal samples at the output of the ADC to
in a high-gain mode. In the low-gain mode, the amplifier has a overflow, as described above. Similarly, when the random interfer-
high noise figure [15], which means that the output signal has ence pattern is removed from a strong signal that has been attenu-
its SINR diminished by as much as 30dB before accounting for ated, it can cause underflow of signal samples, because the receiver
the interference power. Such coarse-grained gain selection of the had estimated a high noise floor while decoding the preamble that
RF amplifier is present is present in other chipsets as well [8]. had this interference added to it. Thus, the net effect of such inter-
We use this lowered SINR number in Section 5 to numerically ference patterns is to cause CRC errors either in the PLCP header
illustrate how the SINR model predicts interference effects. or, if the PLCP header is received correctly, in the data payload.
This leads to packet corruption, which, in turn, leads to high packet
• Gain control and dynamic range selection are only done once loss.
per packet, during the PLCP preamble processing (i.e., just be- These random patterns can be emitted by both malicious interfer-
fore the PLCP header is about to be processed). This means that ers, such as our PRISM-based jammer, and selfish interferers, such
if interference is introduced after the gain control is done, the as Zigbee nodes that transmit sensor data in rapid bursts. While
6-bit signal voltage levels that are output at the ADC are not ad- these patterns can also cause some timing recovery failures, as with
justed to cope with this interference, and can overflow. Similarly, a continuous all 1s pattern, their main effect is to cause packet losses
if interference is removed after gain control, these voltage levels under weaker interference conditions.
of the signal can underflow. We show the performance impact in Figure 5 for the same setup
This range selection process can be undermined by both attenu- as previously. We plot the throughput (on a log-scale) and latency
ated and narrow-band interferers. We consider an interference pat- for two interferers that output random patterns in bursts. The output
tern consisting of a random 16-bit pattern, which is turned on for a range of the Zigbee radio is restricted to [−24, 0]dBm. It can be seen
short period (5ms), and then switched off for another short period from the throughput graphs that even a small amount of interference
(1ms). This process is then repeated with another random pattern. is effective at causing heavy losses. We verified that the through-
 10000 900
put drop is due to packet losses induced due to the AGC and not
due to effects such as CCA-induced transmission backoffs, which 800

Latency (microseconds)
ultimately succeed during the off-period of the interferer both by 1000

Throughput (kbps)
700
recording the low-level PLCP reception and MAC CRC error coun-
600
ters, and by calculating the throughput possible if there were no
100
losses due to interference but only delays due to CCA-backoffs. Throughput 500
Here, we see a large number of MAC CRC errors in addition to
400
PLCP reception errors, unlike the timing recovery interference in 10
Section 4.1, where we mainly observe only PLCP reception er- Latency
300

rors. Further, these interference patterns are effective with both self- 200
1
ish and malicious interferers, because such interference artificially
100
lowers the working SINR rather than relying on any property that
is specific to 802.11. For this same reason, the PRISM interferer 0.1 0
does not cause the link throughput to drop to zero at power lev- −∞ -20 -12 0 8 12 15 20

els above 12dBm, unlike timing recovery interference (Figure 4). Interferer Power (dBm)
Link latency increases with interferer power and is slightly higher
with the PRISM interferer than with the Zigbee interferer. This is Figure 6—Throughput and latency vs. interferer power caused by in-
because PRISM also induces CCA backoffs in Mode 2 (the default terference affecting header processing.
mode in most NICs) because it outputs modulated 802.11b energy.
While the link fares marginally better under Zigbee interference
than under PRISM interference, we were surprised to find that a and the Timing Recovery module can therefore become synchro-
non-802.11 narrow-band interferer could be so effective in practice, nized to the interferer.
especially because Zigbee channels are slightly (2MHz or more) We plot the link throughput and latency under a PRISM inter-
offset from 802.11 channels. We found that the cause to be the ferer that generates continuous long-preamble SFD patterns in Fig-
non-linearity in receiver sensitivity. The sensitivity of the receiver’s ure 6 with the same setup as previously. Once again, the impact of
RF amplifier drops off non-linearly as the frequency separation be- interference is substantial for even attenuated interferers. We ver-
tween the interferer and the center frequency of the 802.11 channel ified that this throughput drop is actually due to interference dur-
to which the amplifier is currently tuned increases. This drop-off is ing PLCP header processing by examining the error counters for
small near the center frequencies (for example, at 2MHz, the inter- PHY CRC, PLCP reception, and MAC CRC. The packet loss and
ference attenuation is around 10dB in the PRISM receivers), but throughput drop was mainly due to PHY CRC errors at the receiver.
increases non-linearly as the frequency separation increases (the To interfere with devices that use short preambles, we also exper-
interference attenuation increases to around 30dB at 5MHz in the imented with the short-preamble SFD pattern, with qualitatively
PRISM receivers). This weights signal energy close to the center similar results.
frequency disproportionately higher than energy in the receive band
but away from the center. 4.4 Impact of Interference on 802.11g/n
While many of the components in the receiver path in Figure 3 are
4.3 Header Processing Interference present in 802.11g and 802.11n, these new standards are different
We also discovered that we could cause loss by interfering with enough from 802.11b to question whether interference can decrease
the mechanism that starts packet processing at the receiver. To do their link throughputs drastically as well. 802.11g does not use the
this, we continuously transmit the modulated 16-bit data value used Barker Correlator module, and the Demodulator module is quite
by the Start Frame Delimiter (SFD) field (Figure 1) in the PLCP different because it uses OFDM. Similarly, the new 802.11n stan-
preamble. This field signals to the receiver that the PLCP header dard applies spatial coding techniques, which use multiple trans-
is about to be sent. The receiver is expected to have initialized its mitter and receiver antennas.
processing chain (i.e., ensured that the AGC, the Barker Correlator, To tackle this question and establish the impact of interference,
the Demodulator and the Descrambler modules are ready) by this we subject transmissions from these new cards to the interference
time. The SYNC bits are designed to allow receivers sufficient time pattern used in Section 4.2. Recall, a PRISM interferer emitted a
to do so. This means that, in practice, receivers are ready for the random data pattern in bursts, which prevented receivers from cali-
SFD pattern before it arrives. If the receiver’s Preamble Detector brating the signal power and the noise floor correctly. For 802.11g,
module in Figure 3 sees the SFD pattern from the interferer before we used Atheros NICs at the client and the AP in 802.11g-only
it sees it from the transmitter, it starts processing the header before mode, and for 802.11n, we used a D-Link DWA645 NIC and a D-
the actual header from the transmitter arrives at the receiver. This Link DIR635 AP that implement the 802.11n draft standard.
means that it assembles the header fields such as LENGTH and CRC In Figure 7, we plot the throughput and latency of UDP traf-
(Figure 1) from the wrong samples. Consequently, the CRC that the fic sent over 802.11g and 802.11n links. Even though these links
Header CRC-16 Checker module computes over such samples will have high throughputs in the absence of interference, even small
not match what the receiver thinks is the CRC of the PLCP header. amounts of interference still cause substantial performance degra-
This results in the PHY header checksum error (a condition which is dation. These new protocols share the same types of receiver limi-
explicitly detectable on NICs based on the Atheros, Intersil PRISM, tations, such as limited dynamic range selection and non-linear re-
and Intel chips). ceiver sensitivity.
Surprisingly, this interference pattern works even when the in-
terferer’s clock and the transmitter’s clock are not synchronized, 4.5 Impact of Frequency Separation
and even when the transmitter is stronger than the interferer. This is We now examine the impact of interference as the interferer is pro-
because of the AGC gain limitations described in Section 4.2: the gressively displaced from the center frequency of the transmitter
AGC module drops the transmitter’s signal by as much as 30dB, and the receiver. We expect interference to be mitigated for two
 100000 900
linearity. As we pointed out in Section 4.2, these limitations allow
800 weak and narrow-band interferers to be surprisingly effective.

Latency (microseconds)
10000 802.11n Throughput
The standard SINR model is widely used in simulators such as
Throughput (kbps)

700
Qualnet and ns-2 to model the performance of wireless receivers.
1000 600
802.11g Throughput The basic idea is to compute the difference between the signal
500 power and the combined power of interference and noise at the re-
100 ceiver. This SINR value is used to compute the bit-error rate, which
400
is, in turn, used to calculate whether the receiver successfully re-
10 802.11g Latency 300 ceives a packet. The results of such simulations are reported to be in
200 good agreement with real-world experiments [20]. But this simple
802.11n Latency
1 SINR model does not predict the severe interference degradation
100
that we see because it does not account for limitations of commod-
0.1 0 ity NICs. For example, the SINR model predicts that packets will
−∞ -20 -12 0 8 12 15 20 be received with high probability when the signal power at the re-
Interferer Power (dBm) ceiver is at least 10dB greater than the interference power, yet we
observe high loss.
Figure 7—Throughput and latency vs. interferer power for 802.11g/n. To model these effects, we begin with the theoretical SINR
model and extend it to include the limitations of real NICs that
our experiments in Section 4 found to be significant. Using this
10000
15MHz Separation extended model, we then predict the effects of changing 802.11 pa-
rameters such as bit rates, packet sizes, and modulation techniques.
1000 10MHz Separation We experimentally confirm our predictions that such changes will
Throughput (kbps)

5MHz Separation not mitigate interference degradation, while moving to an adjacent

Same Channel
channel will tolerate interference.
100

5.1 Extending the SINR Model

10 The standard SINR equation for each bit of a packet x that the re-
ceiver receives at time t is:
S(x,t)
1 SINR(x,t) = (1)
I(x,t) + Nenv

0.1 Interference I(.) is sum of all undesirable signals S(y,t) (both ex-
−∞ -20 -12 0 8 12 15 20 ternal interferers and self-interference due to multipath) that arrive
Interferer Power (dBm) at the receiver at time t:
I(x,t) = ∑ S(y,t) (2)
Figure 8—Throughput and latency vs. interferer power with frequency y6=x
separation.
We can ignore multipath in our line-of-sight setup, so I(.) is sim-
ply the instantaneous interferer power.
The noise term in Equation 1 has several components, but is
main reasons: the sensitivity of the RF amplifiers at the receiver mainly the channel and antenna noise. It is Gaussian in nature,
falls off with frequency separation and the RF filters in the receiver and can be approximated as Nenv = kT B, where k is the Boltz-
remove interference power on frequencies that do not overlap the mann constant, T is the receiver temperature, and B is the signal
receiver’s frequencies. bandwidth. At room temperature, for 22MHz 802.11b or 20MHz
We move a PRISM interferer to adjacent 802.11 channels that 802.11g, Nenv is about -100dBm. For the 1Mbps rate (the slowest
overlap the client and AP transmissions (i.e., these adjacent chan- possible), we can then calculate using standard formulas that we
nels are not orthogonal). Figure 8 shows the impact of this fre- need a signal-to-interference ratio of at least 10dB above this noise
quency separation on link throughput. At 5MHz separation, the link threshold of −100dBm in order to achieve a Bit Error Ratio (BER)
throughput remains high (over 1Mbps) for all interferer output pow- of 10−6 (which roughly corresponds to a 1% packet loss with 1000-
ers. At 10MHz separation, the link throughput is at least ∼33% byte packets).
of the interference-free throughput, and at 15MHz separation, it is Accounting for processing gain. We need an SINR of at least 10dB
more than ∼50%. This tolerance to interference suggests that chan- to decode 802.11b signals correctly. Barker coding provides an ad-
nel hopping may be an effective remedy in mitigating interference. dition 10.4dB processing gain for packets sent at 1 or 2Mbps, and
We explore this idea in Section 6. for PLCP headers of packets sent at 5.5 or 11Mbps. This means,
theoretically, a signal can be −0.4dB weaker than an interferer, and
still be received with only a 1% packet error rate. So far, we assume
5 Modeling Interference Effects an ideal receiver and 1Mbps data rate, but this sets the lower bound
This section presents a quantitative model for the interference ef- on SINR.
fects we see, and uses it to explain why we see degraded per- Accounting for the AGC Behavior. As described in Section 4.2,
formance even with attenuated and narrow-band interferers. Our the receiver’s Automatic Gain Control module can cause the SINR
model is an extension of the Signal to Interference plus Noise Ratio of the signal to be degraded by as much as 30dB when the AGC
(SINR) model, and takes into account two important receiver lim- uses a low-gain mode at the RF amplifier, so that the signal stays
itations found in commodity NIC designs, namely, dynamic range within the receiver’s processing range. It does this if the received
selection limitation due to the AGC, and receiver sensitivity non- signal power exceeds a threshold Smax , a NIC-dependent constant.
This is around −25dBm for the PRISM 2.5 NICs. This dynamic
range limitation can thus lead to a loss of up to 30dB SINR at the
demodulator. Thus, the SINR to the demodulator, SINR(x,t), is ac-
tually: (
SINR(x,t) − 30dB, if S(x,t) > Smax
SINR(x,t) = (3)
SINR(x,t), if S(x,t) ≤ Smax
Our model substitutes this equation into Equation 1. Since the
SINR margin is −0.4dB with Barker coding, after this attenuation,
the signal can not be demodulated unless the signal is now 29.6dB
greater than the interferer. We will refer to this 29.6dB SINR re-
quirement in the next section, where we apply this extended SINR
model.
SINR
Accounting for Non-linearity in Receiver Sensitivity. As de-
scribed in Section 4.2, the receiver’s amplifiers attenuate interfer-
ence that is concentrated away from the center frequency of the se-
Figure 9—BER vs. SINR for 802.11b rates.
lected 802.11 channel. However, this attenuation is not linear, and
increases with the frequency separation between the receiver and
the interferer. Thus, to accurately account for the impact of inter-
ference which is centered at a different frequency than the receiver, even weak interferers. We will refer to this 7dB SINR shortfall with
we need to integrate the interference power in Equation 2 with the attenuated PRISMs below.
receiver sensitivity over the entire frequency range [ f 1, f 2] that the Narrow-band Zigbee. Zigbee channels are separated from each
receiver and the interferer overlap. Formally, I(x,t) in Equation 2 is other by 5MHz starting at 2.400GHz, and each channel occupies
now: a 5MHz bandwidth. By design, the center frequencies of Zigbee
Zf 2 and 802.11 are therefore always offset by at least 2MHz. The
I(x,t) = ∑ R( f )S(y,t)d f (4) PRISM data sheet indicates that the receiver sensitivity at 2MHz
y6=x f 1 offset is 10dB below center frequency [25]. We measured the Zig-
bee interference power at −35dBm. This gives us an SINR of
where the receiver’s sensitivity at frequency f is R( f ).
−18−(−35)+10 = 27dB. Since this is below the required SINR of
We do not actually need to compute this weighted integral accu-
29.6dB, the Zigbee narrow-band interferer also causes heavy losses
rately, but can approximate it with the receiver sensitivity table from
in this case.
the data sheets of a particular receiver. For example, for PRISMs
Adjacent-channel PRISM. An immediately adjacent 802.11 chan-
this sensitivity is about −10dB at 2MHz, and about −30dB at
nel is 5MHz away from the center frequency of another 802.11
5MHz, and This means that SINR effectively increases by 10dB
channel. This leads to three effects: the receiver sensitivity at 5MHz
if the interferer is displaced by 2MHz, and by 30dB if the displace-
drops by more than 30dB; the interferer does not incur the Barker
ment is 5MHz [15].
processing gain this time because the Barker correlator in the re-
5.2 Applying the Model ceiver does not correlate the interferer signal due to this 5MHz fre-
quency offset; and some interferer power is filtered by the receiver
We can use this model to explain the effects we found in Sec-
filters. Concretely, we measured a noise power of −57dBm (after
tion 4 and to predict the effects of strategies that might be used
filtering) for the same attenuated PRISM. This means the SINR is
to more gracefully tolerate interference. Specifically, we revisit the
now at least −18 − (−57) + 30 = 69dB, which is much larger than
effects of an attenuated PRISM interferer, a normal (unattenuated)
the required SINR of 29.6dB, and sufficient for even higher rate
Zigbee interferer, and a normal PRISM interferer on an adjacent-
802.11 modulations, even after relaxing the ideal receiver assump-
channel to build confidence in our model. We then predict and ex-
tion (which typically incurs a 10dB penalty).
perimentally confirm the effect of varying 802.11 parameters such
Changing Packet Sizes. We use the 7dB SINR requirement from
as packet sizes, rates and modulations, and coding gain. These are
the attenuated PRISM interferer example above. If we were to re-
all plausible strategies for tolerating interference: small-size (100-
duce packet size by a factor of 15 (from 1500 bytes to 100 bytes),
byte) packets might be lost less often than normal-size (1500-byte)
we can see from Figure 9 that our SINR requirements drop by no
packets; low rates may be more robust than higher ones; and some
more than 4dB for any modulation going from a BER of 10−5 to
modulation schemes such as BPSK, QPSK, and OFDM benefit 10−5
from Forward Error Correction (FEC) coding to better withstand 15 (for example, the 1Mbps rate intersects the horizontal BER
−5
bit-errors in received packets. Unfortunately, none of these param- line of 10−5 at ∼ 1dB SINR, and the BER line of 1015 at ∼ −1.5dB
eter changes are predicted or found to be effective! This leads us SINR, for an SINR drop of ∼ 2.5dB). Since we have an SINR short-
to the strategy of shifting frequencies that we explore as channel fall of 7dB even with a 1Mbps modulation, we will still be short by
hopping in the next section. 7 − 4 = 3dB. Thus, we can expect that changing packet sizes will
As an aid to explain interference degradation seen in Section 4 not help much, as is indeed the case in practice (Figure 10). Note
and to make predictions about 802.11 parameters, we plot BER vs. that the x-axis in Figure 10 is the interference power emitted by the
SINR for all 802.11b modulations (Figure 9). interference, and the measured path loss between the interferer and
Attenuated PRISM. In one experiment, we measured a signal the client or AP in these experiments varied between 39–46dB, as
power of −18dBm and an attenuated PRISM interference (noise) described in Section 3. We once again see that the link throughput
power of −51dBm. Since the PRISM interferer also uses the same decreases dramatically for all 802.11 parameters, including for 100-
Barker code, it also incurs a processing gain. This means the SINR byte packets, when even small amounts of interference are intro-
in this case is −18 − (−51 + 10.4) = 22.6dB, which is less than the duced. Note that, in practice, the performance of UDP with small-
required SINR of 29.6dB. This explains the heavy losses seen with size packets is worse than with large-size packets (the plot in the
 10000
strategies of existing NICs. This design is motivated by our experi-
ments that show the frequency separation of the receiver and inter-
1000 ferer by 5MHz or more mitigates the effects of interference substan-
1Mbps
tially (Section 4), while other software techniques such as changing
Throughput (kbps)

100
11Mbps,PBCC packet sizes, rates, modulations, CCA thresholds and modes, and
100-byte packets@11Mbps
11Mbps adding FEC are ineffective (Section 5).
11Mbps,CCA Mode 1 Our goal is for a single radio link to withstand RF interfer-
10

5.5Mbps,PBCC
ence from a greater number of attackers with comparable radio re-
2Mbps
5.5Mbps
sources, e.g., commodity NICs. Of course, even a hopping design
1 can be jammed by sending interference on all channels at all times,
but this is a more powerful and expensive attack. However, we find
0.1
hopping to be more effective than might be expected. For exam-
−∞
(No interference)
-20 -12 -2 8 12 15 20 ple, three interferers on all orthogonal channels do not shut down
PRISM Interferer Power (dBm)
a channel hopping link. This is because hopping to adjacent (but
Figure 10—Throughput vs. interference with various packet sizes, overlapping) channels provides a good measure of protection. The
rates, and modulations. effectiveness of hopping also increases with the number of available
channels.
Our scheme lies in-between fine-grained hopping, e.g., per short
figure with the 11Mbps rate), because more packets induce extra packet in Bluetooth, and coarse-grained hopping, e.g., only occa-
CCA delays, without reducing packet losses significantly. sionally for balancing spectrum usage with 802.11h. We use a chan-
Changing Rates and Modulations. We consider whether chang- nel dwell time measured in milliseconds. This both avoids tight
ing the modulation schemes and rates may help. At the 1Mbps timing constraints that complicate high-rate implementation and
and 2Mbps rates, the UDP sender uses the DBPSK and DQPSK provides robustness against agile interferers that may overwhelm
modulations, while the PRISM interferer uses DBPSK. This causes mostly stationary channel assignments. It is also practical as the
Barker gains for both. One question is whether rates that do not use vast majority of commodity NICs in use today provide the ability
Barker modulations, such as the 5.5Mbps and the 11Mbps CCK to change channels in software at a moderate rate. We describe it
modulations, can improve performance by not causing Barker gain as rapid hopping in comparison to current 802.11 channel changes
for the interferer. To predict this situation, we look at Figure 9. If that typically occur only in response to failures.
we use 5.5Mbps CCK, Figure 9 shows that we need an additional
7dB SINR over 1Mbps DBPSK (the 5.5Mbps and the 1Mbps rate 6.1 Design and Implementation
curves intersect the horizontal BER line of 10−5 at around 7dB and
0dB respectively). Since our SINR shortfall with 1Mbps DBSK is Our design has two main goals. First, it must be efficient and with-
7dB, we are still short by 7 + 7 − 10.4 = 4.4dB, and, so, CCK mod- stand even malicious interferers. As a result, it must balance the
ulations should not help, as confirmed in practice in Figure 10. channel dwell period, during which it can actively use a channel un-
Adding FEC. Finally, we consider whether FEC techniques such til discovered by an interferer, with the overhead of channel switch-
as convolution coding can help. PBCC (Packet Binary Convolution ing latency. Second, to be practical we should be able to implement
Coding) is one such coding that can be used with BPSK (5.5Mbps it on commodity NICs without changing their MAC or PHY.
PBCC) or QPSK (11Mbps PBCC) modulation, and adds 4dB cod- Hopping Design. The combination of these two considerations
ing gain to these modulations [1]. It is supported in many NICs, leads us to use a dwell time of 10ms. The hardware-imposed chan-
such as Intel. In the attenuated PRISM example, we showed that nel switching latency of PRISM NICs is 250µ s and it is less than
the required SINR is 29.6dB, while the available SINR with BPSK 500µ s for Intel NICs. In our implementation with PRISM NICs, a
modulation is only 22.6dB (it is lower with QPSK). Thus, even 10ms dwell time is long enough to result in a reasonably low 2.5%
adding 4dB to BPSK modulation will not cover the 7dB SINR gap, overhead when hopping. It is also short enough to cause compara-
and we can still expect high losses and low throughput, as we in- ble radios to spend a reasonable fraction of the dwell time search-
deed confirmed in practice for both 5.5Mbps and 11Mbps PBCC ing the 11 channels for the one that is in use, especially when re-
rates in Figure 10. ceive/transmit turnaround times are considered. Further, during pe-
Changing CCA Thresholds and Modes. It is apparent from our riods of interference, a node will defer packet transmission by up
SINR model that changes to the CCA modes or thresholds will also to 2.5ms due to carrier sense (for a contention window of 127 slots
not be effective. This is because they change behavior only at the with a slot duration of 20µ s). Since the dwell time is only 10ms,
transmitter, while we predict and observe losses at the receiver. and since each packet is retried up to 7 times, these lengthy defer-
Figure 10 confirms that changing the CCA mode to 1, with the rals will ensure that packet loss is minimized during dwell periods
CCA deferral threshold set high, has little effect on link throughput. when there is heavy interference.
Thus, the high CCA threshold decreases the number of deferrals To ensure resistance to attackers, only legitimate users should
per packet, without substantially affecting the link throughput. Ad- know the channel hopping sequence. We accomplish this by us-
ditionally, we observed that altering CCA thresholds at only some ing an MD5 hash chain to decide the next channel in the hopping
clients caused unfairness in throughputs by up to 40%, while alter- sequence. Starting with an initial seed, we repeatedly hash the cur-
ing them at all clients essentially disabled the CSMA mechanism, rent value, extract the lower four bits, and use them to determine
leading to poor overall throughput. the next channel: if their value is between 1 and 11, we use the
value as the channel number; and if not, we discard the bits and
try the next value in the hash chain. The resulting sequence will be
6 Rapid Channel Hopping pseudo-random and cryptographically strong. All legitimate nodes
In this section, we describe a rapid channel hopping (CH) technique can compute this chain as long as the nodes agree on a value in the
designed to tolerate interference well given the implementation hash chain at some point. Assuming that the interferer is outside
the network, the network can use WEP or WPA based encryption We implement our adversary with the same PRISM NIC. Un-
to securely exchange this hopping information. fortunately, current PRISMs cannot sense the medium for several
To minimize implementation issues, we try to avoid global syn- milliseconds after launching an interference pattern because of RF
chronization and changes to 802.11 control messages or MAC be- settling time issues. To discount this artifact, we give each PRISM
havior that are not backwards-compatible. In normal operating con- NIC access to an oracle. Once an interferer has selected a random
ditions, the AP does not perform channel hopping. However, as channel, it queries the oracle whether the channel is being used.
soon as the AP detects link degradation, it creates a MD5 seed The oracle replies with a yes/no answer within 1ms. We chose a
and starts hopping. As a result, all clients immediately become dis- 1ms delay because it is the minimum RF turn-around time between
connected. The reaction to this disconnection in current implemen- continuous-wave interference and sensing that we found on devices
tations is that each client begins scanning all channels for an AP ranging from 802.11 NICs to Zigbee to Bluetooth.
from the network. Eventually (in a few seconds), each client syn-
chronizes with the hopping AP on some channel by successfully 6.2 Evaluation
transmitting a probe request and receiving a probe reply. Thus, this Setup and Baseline Performance. Our experimental setup consists
synchronization is a one-time cost for a client. The probe reply con- of an AP (AP), three clients (C1–C3), and three PRISM interferers
tains the AP’s current encrypted MD5 value in the “Information (P1–P3) that are all suspended from the roof of a large office floor
Elements” section (this section is designed to be extensible). To building. The clients, the interferers and the AP are StrongARM-
further simplify our implementation, we do not provide any special based embedded Linux boards [28]. UDP and TCP transfers oc-
error handling during channel switching. The 802.11 MAC works cur between AP and C1. We use clients C2–C3 in order to ensure
unchanged within a dwell period. During channel switching, the rendezvous works with multiple clients during CH, and to verify
MAC on the NIC can be made to not transmit packets. The receiver we obtain qualitatively similar results using them instead of C1.
is likely on the same channel as the transmitter before and after There are also three ground-level interferers in the form of a cord-
channel switching, but our implementation does not guarantee this less phone, a Zigbee sensor mote, and a video camera jammer.
because channel switching is triggered by the driver and not directly
Our PRISM NICs only supports 802.11b. We observe a link
by the NIC. We rely on 802.11’s built-in retransmission facility to
throughput of 4.4Mbit/s from AP to C1 during unidirectional UDP
handle any missed transmissions. An interesting question is what
transfers (1500-byte packets) with no channel hopping. With chan-
happens when the interference is mostly localized at the client and
nel hopping but without interference, this throughput degrades to
not at the AP. Theoretically, the client could trigger the above pro-
3.6Mbit/s. This throughput difference is attributable to the fact that
cedure at the AP, but we have not implemented it.
our implementation does not prevent the NIC from transmitting
Adversary Design. We assume that an adversary able to cause three packets immediately before, during, and immediately after switch-
successive beacon losses can disconnect clients for all practical pur- ing channels. We believe that this issue can be addressed in a future
poses, as we saw in Section 4.1. One strategy to inflict this damage implementation. These are the baseline numbers we use to measure
is for the interferer to randomly pick a channel, blindly disrupt it for degradation between AP and C1.
a short period, and repeat; if the attacker were to remain stationary Single Interferer. We first measure the performance of CH with
on a channel, the 802.11 network can avoid the jammed channel a single PRISM interferer P1. Figure 11 shows the impact that in-
by using 802.11h-like extensions.This behavior generates a large creasing the transmission power of a single PRISM interferer has on
amount of interference because it gives the malicious interferer the the throughput between the AP and a client. We control the power
highest duty cycle it can achieve across all channels. However, the of the PRISM interferer in software from 0dBm to 20dBm. For the
1
interferer only has a probability of 11 of successful jamming at a CH lines, both the network and the interferer hop channels. We
given time because there are 11 802.11b/g channels. If we assume show the link performance using UDP and TCP traffic (TCP con-
a simple model in which beacons are transmitted every 100ms (the nections stalled and throughput dropped to zero without CH). Note
default in most APs), and that APs jitter these beacon transmissions that throughput is shown on a log-scale. The plot also contains 95%
by up to 10ms (being the channel dwell time), then the probability confidence intervals for all data points, all of which are within 6%
of three successive beacon losses is less than 0.1%. of the values of the data points (they are once again too small to see
A better strategy that we explore is for the adversary to target the clearly because the throughput scale is logarithmic). With CH, UDP
active channel used by the network. It does this by randomly pick- throughput in the presence of a 0dBm interferer is 3Mbps, which is
ing a channel and listening for transmissions, and repeating until about 68% of the baseline interference-free channel and 83% of an
the active channel is found. The cost of this targeting is that the interference-free channel that uses CH. This is two orders of mag-
adversary incurs an additional delay to listen on the channel and nitude better performance than a network that does not channel-hop
switch from receive to transmit mode, during which time is it not under interference. TCP, which is more susceptible to interference-
generating interference. related delays and losses, obtains throughput of about 70% of UDP
Implementation. We implemented a rapid channel hopping proto- under interference. This illustrates that CH enables both TCP and
type using PRISM NICs. We use the low-level PHY interface de- UDP performance to gracefully degrade as interference increases.
scribed in Section 4.1 in order to switch channels. We modified To obtain a deeper understanding of how CH reacts to interfer-
the hostap driver to switch channels every 10ms. Our implemen- ence, we measured the transmission behavior and latencies of pack-
tation uses only one NIC at the AP, and is therefore susceptible to ets. For each interferer power level, Figure 12 plots the percentage
lost packets when clients are not on the same channel as the AP. of packets that were successfully transmitted in the first try, those
This may result from unsynchronized channel hopping due to clock that needed a single retry, those that needed multiple retries, and
drift. It is possible to eliminate this problem by using two NICs at those that were discarded, and, therefore, lost. The plot also shows
the AP, one of which listens to the old channel while the other uses the average packet latency across all transmissions for each power
the new channel. We do not change any 802.11 parameters, such as level. Note that the average loss rate is small, less than 4% even
CCA thresholds, since our measurements (Section 5.2) show that with heavy interference. This rate is less than the channel over-
1
such changes are not particularly helpful and that they can lead to lap probability between the interferer and the network (= 11 ) be-
adverse side-effects such as unfairness. cause the transmitter’s MAC defers transmitting a packet for some
 1800 450
10000

CH, UDP Traffic 1600

Latency 400

Latency (microseconds)
1400 350
1000

Throughput (kbps)
CH, TCP Traffic 1200 300
Throughput (kbps)

100
1000 Throughput 250

800 200

10
No CH, UDP Traffic 600 150

400 100

1 200 50

0 0
One PRISM Two PRISMs Three PRISMs Three PRISMs, Three PRISMs, Three PRISMs,
camera jammer jammer, Zigbee camera jammer,
0.1 Zigbee, cordless
0 5 10 15 20 phone

PRISM Interferer Power (dBm) Unattenuated Interferers

Figure 13—Throughput and latency vs. interference with CH.

Figure 11—Throughput vs. interferer power with and without CH.

100% 250 We show the throughputs and latencies for each configuration
Losses
Multiple retransmits in Figure 13. Throughput is plotted linearly this time. We can see
Fraction of Transmissions by Type

that, even with heavy interference, the UDP link throughput stays
80% 200
above 600kbps. It drops almost linearly with the number of PRISM
Single retransmits

Average Latency

Latency interferers, and more gradually as we add other interferers. The

(microseconds)

60% 150
more gradual decrease is because these interferers are narrow-band.
So, unless the interferer happens to fall squarely within the cur-
rent channel, we can use the channel during the entire dwell period,
40% 100 without delays or losses. We also measured throughput under TCP
No retransmits

and it is 20%–40% worse than under UDP. In addition, the PRISM

interferers impact the TCP transfers more heavily due their abil-
20% 50
ity to create higher latencies and losses than the other interferers.
The average packet latency across every transmitted packet is also
0% 0 shown in Figure 13. It also follows a similar trend as the throughput
0 4 8 12 16 20
curve and reaches a maximum value of about 400µ s. We measured
PRISM Interferer Power (dBm) the loss rates in each case and found them to be under 5%. This loss
rate is not much different from the single interferer scenario shown
Figure 12—Transmission types and average latency vs. interferer in Figure 12. This is because rapid channel hopping quickly finds
power with CH. time slots during which there is light interference, and because de-
ferrals and link-local retransmits retain a packet until such a usable
time slot can be found. These results show that CH can withstand
large amounts of interference well and ensure graceful degradation.
time when the interferer is active, and because there can be up to
7 retransmits per packet. The average latency is under 200µ s in all 7 Related Work
cases, and increases gradually as the interferer power increases. La- There are three main bodies of relevant prior work. The first cat-
tency increases mainly because of deferrals and losses during those egory deals with RF interference and jamming, the second with
dwell periods that it encounters the hopping interferer. As can be Denial-of-Service (DoS) in 802.11, and the third with channel hop-
seen from the graph, increasing power causes a few less packets ping. We consider each below.
to reach successfully on the first try. However, these transmit er- RF interference and jamming. RF interference is a classical prob-
rors are largely recovered by a single retransmission, and hence, lem in signal processing, and much prior literature on theoretical
the slight increase in packets requiring a single retry. Note that the and simulation studies of narrow-band jamming on 802.11 mod-
percentage of packets that need multiple retransmissions remains ulations exists [18, 24]. While they highlight specific vulnerabili-
fairly constant across the interferer power. ties with particular modulation schemes, they mainly consider the
Multiple Interferers. Next, we measure the performance of CH by demodulator performance in isolation. In this paper, we show that
increasing the number of interferers. We launch up to three unat- commodity NICs are vulnerable to interference at several additional
tenuated PRISM interferers, P1–P3, whose transmit powers are the points in the receiver processing path.
same as the 802.11 network, and who coordinate their interference Spread spectrum techniques such as DSSS and FH can inher-
schedules so that they do not overlap—the optimal strategy for ently withstand jamming [27]. DSSS is better at withstanding wide-
three transmitters. These interferers can therefore occupy all three band interference, while FH is better at withstanding narrow-band
802.11b/g orthogonal channels at least part of the time. We should or pulse jamming, which can be caused by selfish devices such as
note that 11 interferers could occupy all channels simultaneously. Zigbees. Also, while 802.11b uses DSSS, it uses the same spread-
However, this requires more hardware and we do not consider it ing code on all 802.11b devices, which renders it ineffective against
here. We also add other interferers to the PRISMs, in descending other DSSS interferers, such as malicious PRISM devices. Thus,
order of their interference capability: a video camera jammer, a Zig- adding CH, which is a form of FH, to 802.11b/g can significantly
bee sensor node, and a cordless phone. mitigate both selfish and malicious interference.
 The 802.11 standard includes several task groups [26] for mini- plicable. We plan to extend our work to other wireless technologies
mizing interference and ensuring interoperability among 802.11 de- and consider hardware and other low level changes in the future.
vices, and between 802.11 and specific non-802.11 devices such as References
military radars. For example, 802.11f specifies how multiple APs
[1] A brief tutorial on the PHY and MAC layers of the IEEE
of the same network can coordinate to support client hand-offs and 802.11b Standard, http://tinyurl.com/2d6f48.
roaming, and 802.11h specifies channel energy measurement tech- [2] A comparison of frequency hopping and direct sequence spread
niques in order to detect and avoid military radar interference in spectrum modulation for IEEE 802.11 applications at 2.4 GHz,
the 5GHz band. Unfortunately, 802.11 currently does not include http://www.sss-mag.com/pdf/ds-v-fh.pdf.
protocol-level coexistence with non-802.11 protocols beyond the [3] A. Akella, G. Judd, S. Seshan, and P. Steenkiste. Self
basic CSMA/CA mechanism. As we saw, this is insufficient to han- management in chaotic wireless deployments. In MobiCom ’05.
[4] ANT personal area networks,
dle selfish and malicious devices.
http://www.thisisant.com/.
802.11 DoS. Several researchers have highlighted 802.11’s vulner- [5] P. Bahl, R. Chandra, and J. Dunagan. SSCH: slotted seeded
abilities against DoS attacks. Bellardo et al. [6] show how one channel hopping for capacity improvement in IEEE 802.11
can launch DoS attacks against 802.11’s management and media- ad-hoc wireless networks. In MobiCom ’04.
access protocols, and Ferreri et al. [13] describe DoS attacks against [6] J. Bellardo and S. Savage. 802.11 denial-of-service attacks: Real
an AP’s association and authentication mechanisms. Such attacks vulnerabilities and practical solutions. In Usenix Security 2003.
purely target the MAC layer, while our focus is largely on PHY [7] Bluetooth coexistence with 802.11,
http://tinyurl.com/2grndv.
layer interference. Glass et al. [14] describe a DoS attack on both [8] CC2420 Data Sheet, http://tinyurl.com/ytut3k.
the MAC and the PHY layers. At the MAC layer, they use tech- [9] CC2500 Data Sheet, http://tinyurl.com/7xfhm.
niques similar to those in [6], and at the PHY layer, they intro- [10] Citywide wireless broadband projects around the world,
duce interference to study CCA deferrals at the transmitter. Simi- http://www.muniwireless.com/.
larly, Wullems et al. [11] also study CCA deferrals. In contrast, we [11] Denial of Service Vulnerability in IEEE 802.11 Wireless
mainly consider losses at the receiver because these losses are the Devices, http://tinyurl.com/26x94r.
key contributors to severe degradation seen in practice. [12] J. Eriksson, S. Agarwal, P. Bahl, and J. Padhye. Feasibility study
of mesh networks for all-wireless offices. In MobiSys 2006.
Channel Hopping. Recently, Navda et al. [23] propose a rapid [13] F. Ferreri, M. Bernaschi, and L. Valcamonici. Access points
channel hopping scheme to combat jamming in the 802.11a band. vulnerabilities to DoS attacks in 802.11 networks. In WCNC
Since the 802.11a channels are non-overlapping, they do not con- 2004.
sider channel hopping within overlapping channels. Also, a recent [14] S. Glass and V. Muthukkumarasamy. 802.11 DCF denial of
system design, called SSCH [5], uses channel hopping to improve service vulnerabilities. In 3rd Australian Computer, Network &
the capacity of multi-hop ad hoc networks. SSCH uses channel hop- Information Forensics Conference.
ping to prevent interference between simultaneous transmissions at [15] HFA3683A RF Front-End Data Sheet,
http://tinyurl.com/24yxml.
adjacent nodes. SSCH proposes a slot time of 10ms but does not [16] HFA3863 Baseband Processor Data Sheet,
include an implementation for rapidly switching slots. Similarly, http://tinyurl.com/22tkwt.
Mishra et al. [21] explore the use of channel hopping to improve [17] K. Jain, J. Padhye, V. N. Padmanabhan, and L. Qiu. Impact of
the fairness and performance of overlapping 802.11 network de- interference on multi-hop wireless network performance. In
ployments. Their system, called MAXchop, uses slow channel hop- MobiCom ’03.
ping rate of around one second per hop, and, thus, does not address [18] T. Karhima, A. Silvennoinen, M. Hall, and S.-G. Haggman.
malicious interference. Finally, while the original 802.11 standard IEEE 802.11b/g wlan tolerance to jamming. In MILCOM 2004.
[19] M. Kodialam and T. Nandagopal. Characterizing achievable
allowed both FH and DSSS, FH alone is not used in the 802.11b rates in multi-hop wireless networks: the joint routing and
and later standards because of the difficulty of scaling pure FH to scheduling problem. In MobiCom ’03.
high data capacities and LAN-size physical networks while staying [20] M. Lacage and T. Henderson. Yet Another Network Simulator.
within the FCC regulations [2]. Our rapid channel hopping is used In WNS2’06: Proc. of the 2006 workshop on ns-2.
in conjunction with DSSS. [21] A. Mishra, V. Shrivastava, D. Agrawal, S. Banerjee, and
S. Ganguly. Distributed channel management in uncoordinated
wireless environments. In MobiCom’06, .
8 Conclusions [22] A. Mishra, V. Shrivastava, S. Banerjee, and W. Arbaugh.
The experiments we report in this paper show that relatively small Partially overlapped channels not considered harmful. In
amounts of RF interference from devices that share the ISM band SIGMETRICS ’06, .
[23] V. Navda, A. Bohra, S. Ganguly, R. Izmailov, and D. Rubenstein.
but are not 802.11 compliant can result in substantial performance Using channel hopping to increase 802.11 resilience to jamming
problems for commodity 802.11 NICs. We found several under- attacks. In IEEE Infocom Minisymposium, May 2007.
lying causes for these problems that allow even attenuated and [24] J. Park, D. kim, C. Kang, and D. Hong. Effect of partial band
narrow-band interferers to be highly effective. By incorporating jamming on ofdm-based wlan in 802.11g. In ICASSP 2003.
these causes into an extended SINR model, we were able to predict [25] PRISM Driver Programmer’s Manual,
and experimentally confirm that changing 802.11 operational pa- http://tinyurl.com/yrqh27.
rameters (e.g., CCA threshold, rates) is not effective at withstand- [26] Quick guide to IEEE 802.11 WG activities,
http://tinyurl.com/ypojvc.
ing interference compared to moving to a different channel, even [27] T. Rappaport. Wireless Communications: Principles and
if it overlaps the interference. We then designed and implemented Practice. Prentice Hall PTR.
a rapid channel hopping scheme (10ms dwell time per channel) [28] The Stargate platform, http://tinyurl.com/2bld2v.
that greatly improves the interference tolerance of commodity NICs [29] Wii interference with 802.11,
with low overhead in terms of throughput. While our findings can http://tinyurl.com/y4gyvv.
only hold for the 802.11b/g NICs that we measured, we believe that [30] Wireless camera jammer for privacy,
the performance vulnerabilities of commodity NICs at much lower http://tinyurl.com/2esyv4.
[31] WirelessUSB from Cypress Semiconductors,
levels of interference than expected and the measures that are and http://tinyurl.com/ywjo8s.
are not effective at withstanding interference are more widely ap-