
5.1.2 Vulnerabilities of DCF

Many recent works [11,12,13,93,94,95,96,97,98] have shown that current IEEE 802.11 systems are vulnerable to MAC layer misbehavior, either because of the control frame format or because of the DCF technique itself. The DCF technique defined for the MAC layer of IEEE 802.11 does not enforce any control of channel access: it relies on the cooperative behavior of all participating nodes and is therefore very vulnerable to misbehavior and malicious attacks². Malicious behavior is further facilitated by the RTS/CTS handshake mechanism. Indeed, many attacks have been discovered that target the access scheme of the MAC layer in IEEE 802.11 systems.

In this section, we describe briefly some of the most powerful attacking strategies on the MAC layer in WLANs.

5.1.2.1 Backoff Manipulation Attack

In order to ensure fair access to the channel, DCF assumes that all nodes obey the contention mechanism and choose a backoff value uniformly at random in the interval [0, CW−1].

However, a misbehaving node can simply always choose a small backoff value.

Consider for example the widely used naive attacker model, a generic attacker model used to inspect the resilience of a MAC layer access scheme to different levels of misbehavior. A naive attacker chooses a random backoff in the interval [0, γ(CW−1)], where (1−γ) is the misbehaving coefficient: γ = 1 corresponds to a well-behaved node and γ = 0 to a node that never backs off.

The effect of such a misbehavior is shown in Fig. 5.3 for a network of 6 nodes of which 1 is misbehaving (see Section 5.2.3.1 for the simulation parameters). We observe that as the misbehaving coefficient increases, the throughput of the attacker (or misbehaving node) increases whereas the throughput of a well-behaved node decreases dramatically.

We also define an aggressive attacker as an attacker who knows all protocol parameters and uses the optimal strategy to obtain the maximum share of the channel. In the case of DCF, the aggressive strategy consists of always choosing a zero backoff value, which corresponds to a misbehaving coefficient (1−γ) equal to 1 in Fig. 5.3. In this case, the attacker gets full access to the channel while the legitimate nodes suffer a Denial-of-Service attack.
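The naive and aggressive attackers above can be reproduced with a small slotted model of DCF contention. The following Python script is an added example written for this section, not simulation code from the thesis (the thesis uses the parameters of Section 5.2.3.1, which are not given here): the contention window values CW_MIN = 32 and CW_MAX = 1024 are assumed, node 0 is the attacker drawing its backoff from [0, γ(CW−1)], and the remaining nodes follow DCF with binary exponential backoff. The share of successful transmissions per node plays the role of the throughput in Fig. 5.3.

```python
import random

# Assumed DCF parameters (802.11b-style contention window), not taken from the thesis.
CW_MIN = 32
CW_MAX = 1024


def simulate_dcf(n_nodes=6, gamma=1.0, n_slots=100_000, seed=1):
    """Slotted model of DCF contention.

    Every node draws a backoff in [0, CW-1] and counts idle slots down to zero,
    then transmits. A lone transmitter succeeds and resets CW to CW_MIN; a
    collision doubles CW (up to CW_MAX) for every node involved. Node 0 is the
    naive attacker: it draws from [0, gamma*(CW-1)], so (1 - gamma) is the
    misbehaving coefficient of the text (gamma = 1: honest, gamma = 0: never backs off).
    Returns the number of successful transmissions per node.
    """
    rng = random.Random(seed)
    cw = [CW_MIN] * n_nodes

    def draw(i):
        upper = cw[i] - 1
        if i == 0:                      # the attacker shrinks its contention window
            upper = int(gamma * upper)
        return rng.randint(0, upper)

    backoff = [draw(i) for i in range(n_nodes)]
    success = [0] * n_nodes
    for _ in range(n_slots):
        ready = [i for i in range(n_nodes) if backoff[i] == 0]
        if not ready:                   # idle slot: everybody counts down
            for i in range(n_nodes):
                backoff[i] -= 1
            continue
        if len(ready) == 1:             # exactly one transmitter: success
            winner = ready[0]
            success[winner] += 1
            cw[winner] = CW_MIN
        else:                           # collision: binary exponential backoff
            for i in ready:
                cw[i] = min(cw[i] * 2, CW_MAX)
        for i in ready:                 # transmitters (re)draw their backoff
            backoff[i] = draw(i)
    return success


def throughput_share(success):
    """Fraction of all successful transmissions obtained by each node."""
    total = sum(success)
    return [s / total for s in success]


if __name__ == "__main__":
    for gamma in (1.0, 0.5, 0.2, 0.0):
        share = throughput_share(simulate_dcf(gamma=gamma))
        print(f"misbehaving coefficient {1 - gamma:.1f}: attacker {share[0]:.2f}, "
              f"honest node {share[1]:.2f}")
```

With γ = 1 all six nodes obtain roughly one sixth of the channel; with γ = 0 the attacker is ready in every slot, the honest nodes never see an idle slot to count down, and every one of their rare transmissions collides with the attacker, which is exactly the denial of service described above.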

Considering its serious impact, we investigate in this dissertation mechanisms to thwart or avoid this kind of MAC layer misbehavior.

² We do not differentiate, in this thesis, between a malicious node (attacker) whose goal is to disrupt communication and a selfish node applying the same technique in order to obtain a higher share of the channel.

76 Chapter 5. Advanced and Secure Medium Access

Figure 5.3: Impact of misbehaving on the throughput distribution. (Plot: throughput in Mbps, 0 to 6, versus misbehaving coefficient, 0 to 1, for the misbehaving client and a normal client.)

5.1.2.2 Shorter DIFS/EIFS

The DCF scheme requires each node to physically sense the radio channel for a duration of DIFS before entering the backoff state. However, a selfish node can simply manipulate this parameter and wait for a shorter DIFS to obtain prioritized access to the channel. The DOMINO framework [94] proposes a simple test based on monitoring the idle period after each ACK and detecting any station that transmits before the required DIFS has elapsed. However, such a solution requires precise timing synchronization at the monitoring station.

Moreover, DCF requires each node to defer for a duration equal to the Extended Inter-Frame Space (EIFS) after a sensed collision or an undecodable frame. A selfish node can likewise choose to defer for a shorter period. This can be detected with a similar test.

5.1.2.3 Duration Inflation Attack

Control frames such as RTS, CTS and ACK frames carry a duration field which announces for how long the medium will remain busy for the rest of the exchange (for an RTS: the CTS, data and ACK frames and the SIFS gaps between them). This field is 16 bits long and its maximum NAV value is 32767 µs. Nodes overhearing any of these frames set their Network Allocation Vector (NAV) and defer their transmissions for that duration. An attacker can set a large duration value in its RTS frame and thereby reserve the channel for the maximum allowed duration even when sending a short data frame or without sending any data at all³. All stations receiving these frames set their NAV to the announced value and enter the deferring state. This type of virtual jamming attack is called the duration inflation attack or oversized NAV [94, 98]. It can be detected at the AP by comparing the actual duration of a transmission with the duration values announced in the RTS and DATA frame headers, as proposed in the DOMINO detection system [94].
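The two DOMINO tests mentioned in this section and in Section 5.1.2.2 (the idle-period test for a shortened DIFS and the comparison of announced against actual duration for NAV inflation) can be run by a passive monitor over a timestamped frame trace. The Python below is an added example for this chapter, not code from DOMINO [94] or from the thesis; the trace is constructed by hand with 802.11b timing assumptions (SIFS 10 µs, slot 20 µs, DIFS 50 µs, 1 Mbit/s control frames, a 1500-byte data frame at 11 Mbit/s), and the 5 µs jitter allowance is an assumption about the monitor's timestamp accuracy. The Duration/ID decoding (bit 15 set means the field is not a NAV value) follows the standard's field layout.

```python
from dataclasses import dataclass

# Timing constants for 802.11b DCF (assumed values, in microseconds).
SIFS_US = 10
SLOT_US = 20
DIFS_US = SIFS_US + 2 * SLOT_US        # 50 us
JITTER_US = 5                          # timestamp slack granted by the monitor (assumption)


@dataclass
class Frame:
    kind: str        # "RTS", "CTS", "DATA" or "ACK"
    src: str         # transmitter; CTS/ACK carry no address, the monitor attributes them to the responder
    start: int       # time (us) at which the monitor saw the frame begin
    end: int         # time (us) at which the frame ended on the air
    duration: int    # raw 16-bit Duration/ID field as carried in the header


def nav_value(duration_field):
    """Decode Duration/ID: bit 15 clear -> NAV reservation in us (0..32767), bit 15 set -> not a NAV value."""
    if duration_field & 0x8000:
        return None
    return duration_field & 0x7FFF


def short_difs_test(trace):
    """Idle-period test: after an ACK ends, the medium must stay idle for at least DIFS
    before anybody starts a new exchange. Returns (station, idle_us) for violators."""
    offenders = []
    for prev, nxt in zip(trace, trace[1:]):
        if prev.kind == "ACK" and nxt.kind in ("RTS", "DATA"):
            idle = nxt.start - prev.end
            if idle < DIFS_US - JITTER_US:
                offenders.append((nxt.src, idle))
    return offenders


def nav_inflation_test(trace):
    """NAV test: the duration announced in an RTS or DATA frame must not exceed the time
    actually used until the end of the ACK that closes the exchange.
    Returns (station, frame kind, announced_us, actual_us) for violators."""
    offenders = []
    for i, f in enumerate(trace):
        if f.kind not in ("RTS", "DATA"):
            continue
        announced = nav_value(f.duration)
        if announced is None:
            continue
        ack = next((g for g in trace[i + 1:] if g.kind == "ACK"), None)
        if ack is None:
            continue
        actual = ack.end - f.end
        if announced > actual + JITTER_US:
            offenders.append((f.src, f.kind, announced, actual))
    return offenders


# Constructed trace (times in us). Control frames take 304 us, the data frame 1283 us.
TRACE = [
    # exchange 1: STA-A, honest RTS/CTS reservation (RTS NAV = 3*SIFS + CTS + DATA + ACK)
    Frame("RTS",  "STA-A", 1000, 1352, 1921),
    Frame("CTS",  "AP",    1362, 1666, 1607),
    Frame("DATA", "STA-A", 1676, 2959, 314),
    Frame("ACK",  "AP",    2969, 3273, 0),
    # exchange 2: STA-M starts only 30 us after the ACK although DIFS is 50 us
    Frame("DATA", "STA-M", 3303, 4586, 314),
    Frame("ACK",  "AP",    4596, 4900, 0),
    # exchange 3: STA-B waits DIFS + 3 slots but inflates its RTS duration to the maximum
    Frame("RTS",  "STA-B", 5010, 5362, 32767),
    Frame("CTS",  "AP",    5372, 5676, 32453),
    Frame("DATA", "STA-B", 5686, 6969, 314),
    Frame("ACK",  "AP",    6979, 7283, 0),
]

if __name__ == "__main__":
    print("short DIFS:", short_difs_test(TRACE))
    print("NAV inflation:", nav_inflation_test(TRACE))
```

The monitor flags STA-M for the idle-period violation and STA-B for announcing 32767 µs while its exchange occupied 1921 µs; STA-A passes both tests. Note that the CTS relayed by the AP carries the inflated value as well, which is why the test is applied to the initiating RTS and DATA frames rather than to the responses.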

5.1.2.4 Jamming Attack

Jamming has always been considered a serious problem at the physical layer of wireless communications. Yet, this attack is further facilitated by the RTS/CTS handshake mechanism of the MAC layer. In this case, an attacker does not need to continuously jam the wireless spectrum and deplete its own power; it only needs to jam the control frames of the RTS/CTS handshake to disrupt the network. The most effective way to perform such an attack is to jam the ACK frames.

In fact, all data frames must be acknowledged at the MAC layer before being cleared from the transmission queue. Since the ACK follows the data frame after exactly one SIFS, and its length follows from the data frame's duration field (NAV(DATA) minus SIFS), the attacker can easily compute the exact time at which the ACK is sent. When the ACK is successfully jammed, the sender has to retransmit the data frame even though the receiver has already received it correctly. This attack, called the Jamming ACK (JACK) attack [99], can be used by malicious nodes to drain the battery of victim nodes.

Since mitigating such an attack, as any jamming attack, requires methods for detection of the sources of jamming and isolation of the jamming node, we do not consider this type of attack in this dissertation.

5.1.2.5 Virtual Jamming Based on False CTS/ACK

The authors of [92] investigated further hidden vulnerabilities in the control frame formats. They pointed out that CTS and ACK frames carry neither the address of the sender nor any other authentication, as can be observed in Fig. 5.2. The main reason for this is the minimization of frame sizes. However, it enables a malicious node to perform virtual jamming on neighboring nodes using forged CTS or ACK frames.

The authors propose cryptographic and non-cryptographic solutions to this problem. The main idea for thwarting this kind of attack is to authenticate the CTS and ACK frames and to ensure their integrity, as proposed in [92].
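To make the idea of an authenticated CTS concrete, the following Python is an added illustration for this section and is not the scheme of [92] nor code from the thesis. It assumes a pairwise key shared between the two stations, a 4-byte nonce added to the RTS that the CTS must echo (so that a recorded CTS cannot be replayed against a later RTS), and a 4-byte truncated HMAC-SHA256 tag appended to the CTS. Frame layouts are simplified (one kind byte, a little-endian duration field, 6-byte addresses) and do not follow the exact 802.11 header format.

```python
import hmac
import hashlib
import os
import struct

TAG_LEN = 4              # bytes of HMAC kept per control frame (assumption: small tag to limit frame growth)
CTS_DEFER_US = 314       # SIFS + CTS airtime at 1 Mbit/s (assumed timing), subtracted when deriving the CTS NAV
KIND_RTS, KIND_CTS = 0x00, 0x01


def make_rts(ra, ta, duration):
    """Initiator builds an RTS: kind | duration | RA | TA | fresh 4-byte nonce (nonce field is an assumption)."""
    nonce = os.urandom(4)
    return bytes([KIND_RTS]) + struct.pack("<H", duration) + ra + ta + nonce


def parse_rts(frame):
    if len(frame) != 1 + 2 + 6 + 6 + 4 or frame[0] != KIND_RTS:
        raise ValueError("not an RTS")
    duration = struct.unpack("<H", frame[1:3])[0]
    return duration, frame[3:9], frame[9:15], frame[15:19]


def tag(key, body):
    """Truncated HMAC-SHA256 over the complete control-frame body."""
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def make_cts(key, rts):
    """Responder builds CTS: kind | duration derived from the RTS | RA = RTS transmitter | echoed nonce | tag."""
    rts_duration, _ra, ta, nonce = parse_rts(rts)
    duration = max(rts_duration - CTS_DEFER_US, 0)
    body = bytes([KIND_CTS]) + struct.pack("<H", duration) + ta + nonce
    return body + tag(key, body)


def verify_cts(key, cts, rts):
    """Initiator accepts a CTS only if it answers its own RTS (RA and nonce match) and the tag verifies.
    Any change to the duration field invalidates the tag, so a relayed-but-inflated CTS is rejected too."""
    _rts_duration, _ra, ta, nonce = parse_rts(rts)
    if len(cts) != 1 + 2 + 6 + 4 + TAG_LEN or cts[0] != KIND_CTS:
        return False
    body, got = cts[:-TAG_LEN], cts[-TAG_LEN:]
    if body[3:9] != ta or body[9:13] != nonce:
        return False
    return hmac.compare_digest(got, tag(key, body))


def cts_duration(cts):
    return struct.unpack("<H", cts[1:3])[0]


if __name__ == "__main__":
    key = os.urandom(16)                                   # pairwise key, assumed to be established beforehand
    ra, ta = bytes.fromhex("00c0ca000001"), bytes.fromhex("00c0ca000002")
    rts = make_rts(ra, ta, 1921)
    cts = make_cts(key, rts)
    print("genuine CTS accepted:", verify_cts(key, cts, rts))
    print("forged CTS accepted:", verify_cts(key, make_cts(b"attacker-key", rts), rts))
```

The cost is 8 extra bytes per handshake (nonce plus tag), which is precisely the frame-size overhead that the original CTS and ACK formats avoid; a 4-byte tag also leaves a 2^-32 guessing chance per forged frame, so the truncation length has to be chosen against the attacker's frame rate. The same construction applies to the ACK, with the data frame's sequence number in place of the RTS nonce.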

³ This refers to virtual jamming based on false RTS frames.
