Jamming Wireless Networks: Attack and Defense Strategies Wenyuan Xu, Ke Ma, Wade Trappe, Yanyong Zhang, WINLAB, Rutgers University IAB, Dec. 6 th, 2005
Roadmap Introduction and Motivation Jammer Models Four models Their effectiveness Detecting Jamming attacks Basic statistic + Consistency check Defenses strategy Channel surfing Spatial retreat Conclusions 2
Jammers Bob @#$%%$# Hello @& Hi Alice Mr. X Jamming style DoS Attack: Behavior that prevents other nodes from using the channel to communicate by occupying the channel that they are communicating on A jammer An entity who is purposefully trying to interfere with the physical transmission and reception of wireless communications. Is it hard to build a jammer? No! Haha Mr. X 3
Jammers Hardware Cell phone jammer unit: Intended for blocking all mobile phone types within designated indoor areas 'plug and play' unit Waveform Generator Tune frequency to what ever you want MAC-layer Jammer (our focus) Mica2 Motes (UC Berkeley) 8-bit CPU at 4MHz, 128KB flash, 4KB RAM 916.7MHz radio OS: TinyOS Disable the CSMA Keep sending out the preamble 4
Jammers Hardware Cell phone jammer unit: Intended for blocking all mobile phone types within designated indoor areas 'plug and play' unit Waveform Generator Tune frequency to what ever you want MAC-layer Jammer (our focus) Mica2 Motes (UC Berkeley) 8-bit CPU at 4MHz, 128KB flash, 4KB RAM 916.7MHz radio OS: TinyOS Disable the CSMA Keep sending out the preamble 5
Jammers Hardware Cell phone jammer unit: Intended for blocking all mobile phone types within designated indoor areas 'plug and play' unit Waveform Generator Tune frequency to what ever you want MAC-layer Jammer 802.11 laptop Mica2 Motes (UC Berkeley) 8-bit CPU at 4MHz, 128KB flash, 4KB RAM 916.7MHz radio OS: TinyOS Disable the CSMA Keep sending out the preamble 6
The Jammer Models and Their Effectiveness
Jammer Attack Models &F*(SDJFFD(*MC*(^%&^*&(%*)(*)_*^&*FS. Constant jammer: Continuously emits a radio signal Preamble CRC Payload Payload Payload Payload Payload Deceptive jammer: Constantly injects regular packets to the channel without any gap between consecutive packet transmissions A normal communicator will be deceived into the receive state 8
Jammer Attack Models &F*(SDJF ^F&*D( D*KC*I^ Random jammer: Alternates between sleeping and jamming Sleeping period: turn off the radio Jamming period: either a constant jammer or deceptive jammer Underling normal traffic Payload &F*(SDJ Payload ^%^*& Payload CD*(&FG Reactive jammer: Stays quiet when the channel is idle, starts transmitting a radio signal as soon as it senses activity on the channel. Targets the reception of a message 9
Detecting Jamming Attacks: Basic Statistics plus Consistency Checks
Basic Statistics P.1 Idea: Many measurement will be affected by the presence of a jammer Network devices can gather measurements during a time period prior to jamming and build a statistical model describing basic measurement in the network Measurement Signal strength Moving average Spectral discrimination Carrier sensing time Packet delivery ratio Experiment platform: Mica2 Motes Use RSSI ADC to measure the signal strength RSSI (dbm) -60-80 -100-60 -80-100 -60-80 -100-60 -80-100 -60-80 -100-60 -80 CBR MaxTraffic Constant Jammer Deceptive Jammer Reactive Jammer Random Jammer -100 0 200 400 600 800 1000 1200 1400 1600 sample sequence number 11
Basic Statistics P.2 Can basic statistics differentiate between jamming scenario from a normal scenario including congestion? Average Signal strength Spectral Discrimination Carrier sensing time Packet delivery ratio Constant Jammer Deceptive Jammer Random Jammer Reactive Jammer Differentiate jamming scenario from all network dynamics, e.g. congestion, hardware failure PDR is a relative good statistic, but cannot do hardware failure Consistency checks --- using Signal strength Normal scenarios: High signal strength a high PDR Low signal strength a low PDR Low PDR: Hardware failure or poor link quality low signal strength Jamming attack high signal strength 12
Jamming Detection with Consistency Checks Measure PDR(N) {N Є Neighbors} PDR(N) < PDRThresh? No Build a (PDR,SS) look-up table empirically Measure (PDR, SS) during a guaranteed time of non-interfered network. Divide the data into PDR bins, calculate the mean and variance for the data within each bin. Get the upper bound for the maximum SS that world have produced a particular PDR value during a normal case. Partition the (PDR, SS) plane into a jammedregion and a non-jammed region. Not Jammed PDR VS. SS Yes PDR(N) consistent with signal strength? Yes Jammed Region No SS(dBm) Jammed! PDR % 13
Defenses against Jamming Attacks: Channel Surfing and Spatial Retreat
Handling Jamming: Strategies What can you do when your channel is occupied? In wired network you can cut the link that causes the problem, but in wireless Make the building as resistant as possible to incoming radio signals? Find the jamming source and shoot it down? Battery drain defenses/attacks are not realistic! Protecting networks is a constant battle between the security expert and the clever adversary. Therefore, we take motivation from The Art of War by Sun Tze: He who cannot defeat his enemy should retreat. Retreat Strategies: Channel Surfing Spatial retreat 15
Channel Surfing Idea: If we are blocked at a particular channel, we can resume our communication by switching to a safe channel Inspired by frequency hopping techniques, but operates at the link layer in an on-demand fashion. Challenge Distributed computing Asynchrony, latency and scalability Jammer Jammer Node working in channel 1 Node working in channel 2 channel 1 channel 2 16
Channel Surfing Coordinated Channel Switching The entire network changes its channel to a new channel Spectral Multiplexing Jammed node switch channel Nodes on the boundary of a jammed region serve as relay nodes between different spectral zones Jammer Jammer Coordinated channel surfing Spectral Multiplexing Node working in channel 1 Node working in channel 2 Node working in both channel 1 & 2 channel 1 channel 2 17
Channel Surfing Coordinated Channel Switching The entire network changes its channel to a new channel Spectral Multiplexing Jammed node switch channel Nodes on the boundary of a jammed region serve as relay nodes between different spectral zones Jammer Jammer Coordinated channel surfing Spectral Multiplexing Node working in channel 1 Node working in channel 2 Node working in both channel 1 & 2 channel 1 channel 2 18
Spatial Retreat Targeted Networks Nodes in the network should have Mobility GPS or similar localization Idea: Nodes that are located within the jammed area move to safe regions. B A C X I E D H G F Escaping: Choose a random direction to evacuate from jammed area If no nodes are within its radio range, it moves along the boundary of the jammed area until it reconnects to the rest of the network. 19
Spatial Retreat Issues: A mobile adversary can move through the network The network can be partitioned After Escape Phase we need Reconstruction phase to repair the network Reconstruction phase Virtual force Model Forces only exist between neighboring sensors Forces are either repulsive or attractive Forces represent a need for sensors to move in order to improve system behavior virtual force is calculated based on its distance to all its neighboring sensors Direct its movement according to its force When all sensors stop moving, the spatial coverage of the whole network is maximized Borrowed from Ke Ma 20
Case Study : Spatial Retreats Borrowed from Ke Ma 21
Conclusion Due to the shared nature of the wireless medium, it is an easy feat for adversaries to perform a jamming-style denial of service against wireless networks We proposed to use consistency check based on PDR to detect jammers We have presented two different strategies to defend against the jamming style of DoS attacks Channel-surfing: changing the transmission frequency to a range where there is no interference from the adversary Spatial retreat: moving to a new location where there is no interference 22