Wireless Denial of Service
Attacks
NIS586 Final Project
Spring 2013 Websection
Steve Kaleta
04/10/2013
Wireless Systems
Wireless LANs
Mobility, easy setup, high bandwidth, industry standards, low cost, installed everywhere
Security
Integrity- data is reliably delivered with no corruption
Authentication- the user's identity is verified
Accounting- history of user logins and of what was modified by whom
Security Issues
Wireless systems are designed for high availability and easy access
Well-known standards and cheap equipment make them easy to attack
Wireless systems are vulnerable to DoS (denial of service) attacks, since such attacks are easy to implement
Wireless systems are open to man-in-the-middle attacks
Rogue wireless nodes- people plugging in nodes where they should not be located in order to reach the wired infrastructure or gain access to other networks
DoS Terms
Jamming efficiency
Energy
Jamming measurements
Packet send ratio- packets actually transmitted vs packets the sender tried to deliver but that were lost or jammed
Packet delivery ratio- packets received with a good CRC vs all packets received
Jamming to SNR- ratio of the jammer's energy to the signal energy at the receiving device
Packet send ratio
Packet send ratio- the efficiency of the jammer at blocking transmission of data at the transmitter end of the link
$$\mathrm{PSR} = \frac{m}{n} = \frac{\text{Packets sent}}{\text{Packets intended to be sent}}$$
Packet Delivery Ratio
Packet delivery ratio- the ratio of uncorrupted, usable traffic at the receiver end of the wireless link to all traffic received
$$\mathrm{PDR} = \frac{q}{m} = \frac{\text{Packets that pass CRC}}{\text{Packets received}}$$
Jamming to SNR
Jamming to SNR- the ratio of the jammer's energy to the signal energy at the receiving device. The equation shows which factors decrease the effectiveness of a jamming attack: increasing the transmitted power, increasing the antenna gain, and decreasing the distance from transmitter to receiver.
$$\frac{J}{R} = \frac{P_J \, G_{JR} \, G_{RJ} \, R_{tr}^2 \, L_r \, B_r}{P_t \, G_{tr} \, G_{rt} \, R_{JR}^2 \, L_J \, B_J}$$
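To make the equation concrete, here is an added example (not from the original slides) that evaluates J/R with the slide's symbol names and compares the three quick responses the slide lists. Every parameter value is constructed, and the J/R values are linear ratios, not dB.

```python
"""Added example: evaluate the jamming-to-signal ratio J/R from the slide's
equation and compare defender options. All parameter values are constructed."""
import math


def jamming_to_signal(P_J, G_JR, G_RJ, R_tr, L_r, B_r,
                      P_t, G_tr, G_rt, R_JR, L_J, B_J):
    """J/R = (P_J G_JR G_RJ R_tr^2 L_r B_r) / (P_t G_tr G_rt R_JR^2 L_J B_J).
    Linear (not dB) quantities; both distances in the same unit."""
    num = P_J * G_JR * G_RJ * R_tr ** 2 * L_r * B_r
    den = P_t * G_tr * G_rt * R_JR ** 2 * L_J * B_J
    return num / den


def to_db(ratio):
    """Convert a linear power ratio to dB."""
    return 10 * math.log10(ratio)


# Constructed baseline: 1 W jammer, 100 mW legitimate transmitter, unity gains,
# 200 m link, jammer 300 m from the receiver, equal bandwidth and loss terms.
BASELINE = dict(P_J=1.0, G_JR=1.0, G_RJ=1.0, R_tr=200.0, L_r=1.0, B_r=20e6,
                P_t=0.1, G_tr=1.0, G_rt=1.0, R_JR=300.0, L_J=1.0, B_J=20e6)


def compare_defenses(params=BASELINE):
    """Return J/R for the baseline and for the three responses the slide lists:
    more transmit power, more antenna gain, and a shorter link distance."""
    base = jamming_to_signal(**params)
    more_power = jamming_to_signal(**{**params, "P_t": params["P_t"] * 10})
    more_gain = jamming_to_signal(**{**params, "G_tr": params["G_tr"] * 2})
    shorter = jamming_to_signal(**{**params, "R_tr": params["R_tr"] / 2})
    return {"baseline": base, "10x_power": more_power,
            "2x_gain": more_gain, "half_distance": shorter}


if __name__ == "__main__":
    for name, jr in compare_defenses().items():
        print(f"{name:14s} J/R = {jr:8.3f} ({to_db(jr):6.1f} dB)")
```

Because the link distance enters squared, halving R_tr cuts J/R by a factor of four, while doubling antenna gain only halves it.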
Layer 1 Jamming models
Constant jammer- continuously sends randomly generated bits to corrupt data
Deceptive jammer- jams only in the gaps between traffic so that the channel appears to be in continuous use
Random jammer- jams at random times to lower the probability of the jammer being found
Reactive jammer- jams only when it senses traffic at the destination receiver
Intelligent jamming models
Intelligent jamming- focuses on the protocol layers above the physical layer, for instance the network, transport, or application layers, and requires more knowledge of how the protocol works
Jamming gain- ratio of a specific jammer algorithm's performance to that of a constant jammer
Targeted jamming- using a jammer to target specific access nodes
Low probability of detection- using a sensing strategy to attack the data instead of constantly transmitting
Intelligent 802.11 Jammers
CTS corruption- destroying the CTS packet
Ack corruption- corrupting the ACK frame at the MAC level
Data corruption- jams after counting down the DIFS time
Narrowband
DIFS- waits until the DIFS time expires, then jams the communication channel
Identity- disassociates a user from a node or deauthenticates a user from a node
Greedy behavior- transmitting at a shorter interval than other users
Wireless ad hoc- attacking the routing of data traffic
Intrusion detection
1. Signal strength- monitoring the average received signal strength
2. Carrier sensing- MAC layer monitoring of the channel before transmitting
3. Measuring PDR- gives a rough indication that data is being corrupted at the receiver
4. Consistency checks- signal consistency checks and location consistency checks
Wireless Intrusion detection system
The wireless network shares the following among neighbors:
Corrupted traffic data
Good traffic data
An event list of the above
A communications channel failure will lose data packets at random. A jamming attack will cause sequential packet losses.
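The detection ideas above (signal strength, PDR, the signal consistency check, and random versus sequential loss) combined into one detector, as an added example that is not part of the original slides. The per-frame traces and the RSSI, PDR and run-length thresholds are all constructed assumptions.

```python
"""Added example: jamming indicators computed from a constructed per-packet
trace. Each record is (rssi_dbm, crc_ok) for one received frame; crc_ok=0 is a
corrupted frame. Thresholds are assumptions, not values from the slides."""
from itertools import groupby

# Constructed traces. A weak link loses frames at random; a jammed link shows
# runs of consecutive CRC failures even though the received signal is strong.
WEAK_LINK = [(-85, ok) for ok in (1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,1,1)]
JAMMED = [(-45, ok) for ok in (1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0)]


def pdr(trace):
    """Packet delivery ratio: frames passing CRC / frames received."""
    return sum(1 for _, ok in trace if ok) / len(trace)


def longest_loss_run(trace):
    """Length of the longest run of consecutive corrupted frames."""
    runs = (len(list(g)) for ok, g in groupby(trace, key=lambda r: r[1]) if not ok)
    return max(runs, default=0)


def mean_rssi(trace):
    """Average received signal strength in dBm over the trace."""
    return sum(rssi for rssi, _ in trace) / len(trace)


def classify(trace, rssi_floor=-70, pdr_floor=0.8, run_limit=3):
    """Signal consistency check: a strong signal with low PDR and sequential
    losses points to jamming; a weak signal with scattered losses does not."""
    strong = mean_rssi(trace) >= rssi_floor
    low_pdr = pdr(trace) < pdr_floor
    sequential = longest_loss_run(trace) >= run_limit
    if strong and low_pdr and sequential:
        return "jamming"
    if low_pdr and not strong:
        return "poor link"
    return "normal"


if __name__ == "__main__":
    for name, trace in (("weak link", WEAK_LINK), ("jammed", JAMMED)):
        print(f"{name:9s} rssi={mean_rssi(trace):6.1f} dBm pdr={pdr(trace):.2f} "
              f"run={longest_loss_run(trace)} -> {classify(trace)}")
```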
Wireless Ad hoc IDS
Ad hoc networks share limited bandwidth, route data themselves, have changing network topologies, and have limited energy
A wireless ad hoc IDS uses SNMP with MIB agents at the nodes to send data back
An application uses a database to look for unusual data events that might indicate a jammer
Intrusion Prevention
Frequency hopping spread spectrum- assumes the jammer can't jam all frequencies or follow a random hop pattern. Nodes move to a non-jammed band.
Limitations: limited bands available, well-known hop sequence, possibly a narrow enough band for the jammer to cover
Intrusion prevention
Spatial retreats- move away from jamming devices
A mobile node could follow the boundary of the jammer's range to keep a communication channel open to neighboring nodes
Intrusion Prevention
Reservation based- reserve the transmission medium for M slots; nodes sense whether the channel is occupied every k slots, and if it is not, the access node cancels the CTS request by sending a CTSR packet.
When k << M, a jammer would have to jam continuously, which makes it inefficient and more easily identifiable.
Intrusion Prevention
Defense against layered attacks
Jammers look for packet sequences, interframe spaces, and relationships between protocol and packet size
One defense against network-layer attacks is to pad the control frames so that every control frame looks the same. The padding disguises them as regular traffic.
Another method is packet aggregation: multiplexing multiple frames into one frame to hide the information from the jammer
Intrusion Prevention
-Physical layer defenses against jamming
-Simple: directional antennas, cybermines, covert channels, wormholes, protocol mechanism hopping
Intrusion Prevention
Wormholes- channel diversity
Wired pair sensors- using wired nodes to bypass the jammed area
Frequency hopping pairs- using another pair of non-jammed frequencies
Uncoordinated channel hopping- communicating one packet at a time across very wide bands
Summary of DoS attacks
Potential applications or issues
Current applications would use the signal-to-jamming equation to provide quick methods to employ against jammers, such as shorter distances, increasing the gain of antennas,
Applying physical methods to keep rogue access nodes away from WLANs, such as secure areas or card access to buildings
Using methods to trick the jammer into using up its energy source so it can no longer attack the WLAN access nodes
Future directions
Cooperative jamming- using cooperative noise to reduce the jammer's effectiveness
Wireless link signatures to authenticate base stations and nodes
Changing protocols- changing protocols to make it harder for a jammer to know the most effective time to maximize its attack
Using encryption to make jamming harder to employ
Better error correcting codes to compensate for random bit error attacks
Summary
DoS can use a simple, unintelligent attack at layer 1, just transmitting wideband continuously, or more intelligent techniques.
DoS can use more sophisticated methods that attack at the network, transport, or application layers of a protocol.
Understanding the basic signal-to-jamming ratio gives you basic methods to overcome simple jammers.
More research is needed to provide countermeasures against existing jamming attacks.