IEEE 802.11g,n Multi-Network Jamming Attacks - A Cognitive Radio Based Approach, by Sudarshan Prasad


ABSTRACT
PRASAD, SUDARSHAN. IEEE 802.11g,n Multi-Network Jamming Attacks - A Cognitive Radio Based Approach. (Under the direction of Dr. David Thuente.)
Wireless networks are susceptible to jamming attacks, which can severely reduce network throughput. In our research, we study the behavior and performance of 802.11g and 802.11n networks under hybrid jamming attacks in which a cognitive radio is configured as the jammer. With characteristics such as fast channel switching, quick response time and software reconfigurability, cognitive radios can be used not only to improve spectrum sharing management but also to act as effective jammers. We use OPNET v16.0 and v16.1 to present various scenarios of cognitive radio based jamming attacks and their effect on throughput. We use a single cognitive radio to jam three networks simultaneously in an energy-efficient manner and also to defeat any channel-change protocol by which a targeted network might try to escape the jamming. With respect to 802.11g, we attack the OFDM channels of the 2.4 GHz band directly, using the fast channel switching capability of the cognitive radio. The jammer sequentially senses traffic on each of the networks without being part of any of them. We show how the cognitive radio can dynamically adjust its attack to the traffic on each network. We evaluate the performance of the three networks individually and together under intelligent and reactive jamming. We also consider three 802.11n networks and show how cognitive radio based jamming attacks can be deployed in the 5 GHz band. The cognitive radio uses its dynamic power adaptability to adjust its transmission power depending on the jammer's baseband frequency. We show how the cognitive radio jammer can be used to attack adjacent orthogonal channels in the 5 GHz band. Overall, we present the results of the jamming attacks at the MAC and physical layers.

IEEE 802.11g,n Multi-Network Jamming Attacks - A Cognitive Radio Based Approach by Sudarshan Prasad A thesis submitted to the Graduate Faculty of North Carolina State University in partial fulfillment of the requirements for the Degree of Master of Science Computer Science Raleigh, North Carolina 2012 APPROVED BY: Dr. Khaled Harfoush Dr. Mihail Sichitiu Dr. David Thuente Chair of Advisory Committee

DEDICATION To my parents, grandparents, brother and all my friends.

BIOGRAPHY Sudarshan Prasad was born in Coimbatore, India. He graduated from Anna University in 2006 with a Bachelor's degree in Computer Science (first class with distinction). After graduation, he joined Sasken Communications Technologies Ltd in Chennai, India. With three years (2006 to 2009) of experience in performance optimization and mobile platforms, and with the zeal to pursue a Master's in Computer Science, he joined North Carolina State University in fall 2009. While working towards his degree, he worked as a Graduate Technical Intern in the Mobile Wireless Group at Intel Corporation for 9 months between June 2010 and August 2011.

ACKNOWLEDGEMENTS I would like to thank my advisor Dr. David Thuente. His guidance has really helped me throughout my research. His willingness to help me with patience and interest has motivated me all along my Master's program. I am thankful for all his time, ideas, and contributions provided in this research. It was really a wonderful and stimulating experience to have him as an advisor. I admire his depth of knowledge and his personal qualities and I am grateful for the opportunity to work with him. I am thankful and honored to have both Dr. Khaled Harfoush and Dr. Mihail Sichitiu on my thesis committee. I am grateful to my wonderful parents Dr. G.K. Prasad and Anusuya Prasad, who have always motivated and encouraged me. Their love and affection have been a moral support for me. My younger brother Anirudh has also been a great support. I would like to thank my friends for all the help and advice they have provided me. My friends Krishna and Vivek have been a great source of knowledge and support. We had a very good experience during our semesters along with lots of fun. Their help and support will always be remembered. Thank you guys! Vikram, Narayanan, Dinesh and Sethu have also helped me in various ways. I would also like to thank Sagar and Mithun for their valuable inputs and help provided during my research.

TABLE OF CONTENTS
List of Tables ... vii
List of Figures ... viii
Chapter 1 Introduction ... 1
  1.1 Motivation ... 2
  1.2 Thesis Organization ... 3
Chapter 2 Overview of 802.11g, 802.11n and Cognitive Radio ... 4
  2.1 Overview of OFDM ... 5
  2.2 The Extended-Rate PHY (ERP) - 802.11g ... 6
    2.2.1 802.11g Physical Layer Components ... 7
    2.2.2 802.11g MAC Layer ... 8
    2.2.3 Operational Modes and Protection Mechanisms ... 10
  2.3 IEEE 802.11n ... 12
    2.3.1 Modifications and Enhancements in PHY Layer ... 13
    2.3.2 Modifications and Enhancements in MAC Layer ... 15
    2.3.3 Operational Modes and Protection Mechanisms ... 16
  2.4 Overview of Cognitive Radio ... 17
Chapter 3 Related Work ... 19
  3.1 Classification of Jammers ... 19
  3.2 Classification of Jamming Attacks ... 21
  3.3 Overview of Jamming Attacks in 802.11g and 802.11n ... 22
Chapter 4 802.11g Jamming Attacks using Cognitive Radio ... 26
  4.1 Simulation and Jamming Models ... 26
  4.2 Periodic and Exponential Multi-Network Jamming ... 33
  4.3 Reactive and Intelligent Multi-Network Jamming ... 39
Chapter 5 Jamming Attacks and Effects in 802.11n ... 44
  5.1 Simulation and Jamming Models ... 44
  5.2 Periodic and Exponential Multi-Network Jamming ... 52
Chapter 6 Conclusion and Future Work ... 62
References ... 64
Appendices ... 67
  Appendix A Code Snippet - Exponential and Periodic Jamming ... 68
    A.1 Jammer Process Model ... 68
    A.2 Jammer Code Module ... 69
  Appendix B Code Snippet - Reactive and Intelligent Jamming ... 71
    B.1 Jammer Process Model ... 71
    B.2 Jammer Code Module ... 71

LIST OF TABLES
Table 2.1 MAC layer parameters of 802.11g ... 9
Table 2.2 Comparison of operational modes ... 12
Table 2.3 MAC layer parameters of 802.11n ... 16
Table 4.1 Timings of transmitting a 1500 byte packet in a pure g network ... 32
Table 4.2 Average throughput at different data rates ... 40
Table 4.3 Jamming efficiency - varying packet sizes with interarrival time of exp(0.02) seconds ... 41
Table 5.1 Overview of different scenarios in 802.11n ... 49

LIST OF FIGURES
Figure 2.1 The basic CSMA/CA in 802.11b/g networks ... 8
Figure 2.2 CTS-to-Self protection mechanism ... 11
Figure 2.3 802.11n Channel Bonding ... 14
Figure 4.1 Base scenario model with jammer ... 27
Figure 4.2 Channel allocation for three networks ... 27
Figure 4.3 OPNET node model for wireless workstation ... 28
Figure 4.4 Attributes of wireless workstation ... 28
Figure 4.5 Traffic generation parameters of a wireless workstation ... 29
Figure 4.6 Baseline throughput total for three networks with no jamming ... 30
Figure 4.7 Attributes of jammer ... 30
Figure 4.8 Constant and exponential periodic jamming ... 34
Figure 4.9 Instantaneous - exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds ... 35
Figure 4.10 Average - exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds ... 36
Figure 4.11 Confidence interval 95%: instantaneous throughput for exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds. The black line represents the confidence intervals ... 36
Figure 4.12 Confidence interval 95%: average throughput for exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds. The black line represents the confidence intervals ... 37
Figure 4.13 Exponential jamming at different data rates ... 37
Figure 4.14 Exponential jamming - varying offered packet sizes (constant total offered load) ... 38
Figure 4.15 Exponential jamming - varying packet sizes (constant arrival rate) ... 39
Figure 4.16 Reactive jamming - three networks with different loads ... 42
Figure 5.1 Single 802.11n network ... 45
Figure 5.2 802.11n node attributes ... 46
Figure 5.3 802.11n high throughput parameters ... 46
Figure 5.4 Baseline average throughput of single 802.11n network without jammer ... 47
Figure 5.5 Jammer attributes ... 48
Figure 5.6 Average throughput - baseline and under jamming conditions at 5 GHz ... 50
Figure 5.7 Jammer attacking edge of two adjacent OFDM channels ... 50
Figure 5.8 Average throughput - jammer attacking edge of a 5 GHz channel with 20 µW ... 51
Figure 5.9 Base scenario with 3 networks in a single cell ... 52
Figure 5.10 Jamming attacks in channels 36, 40 and 44 with 10 µW ... 54
Figure 5.11 Jamming attack in channel 36 with 100 µW ... 55
Figure 5.12 Average throughput - periodic exponential jamming attack ... 56
Figure 5.13 Average throughput - exponential jamming attack at edges of adjacent channels ... 57
Figure 5.14 Average throughput - exponential jamming attack at edges of adjacent channels with higher power ... 57
Figure 5.15 Average throughput - exponential jamming attack at the center of channel 36 and at the edge of channels 40 and 44 ... 58
Figure 5.16 Average throughput - exponential jamming attack with dynamic power adjustment ... 59
Figure 5.17 Average throughput - exponential jamming attack on smaller sized packets with dynamic power adjustment ... 60
Figure A.1 Jammer Process Model ... 68
Figure B.1 Jammer Process Model ... 72

Chapter 1 Introduction
Wireless networks are ubiquitous, as they facilitate easy communication and data transfer between mobile users as well as fixed resources. In contrast to wired networks, wireless networks provide a dynamic environment in which devices can roam during data transfers. 802.11b/g/n certified devices are in extensive use, as they provide high data rates and expanded range; many business organizations, homes, hospitals and emergency services rely on wireless networks. Because wireless signals are broadcast, these networks carry significant security risks that have no counterpart in wired networks, including a plethora of Denial of Service (DoS) attacks. Wireless networks therefore require diligent management in their deployment, which includes avoiding the adjacent-channel and co-channel interference frequently caused by nearby 802.11 networks. Apart from these types of interference, wireless networks may suffer a significant loss in throughput if non-802.11 devices transmit in the same frequency band; microwave ovens and cordless phones are common examples. Depending on the severity of the interference and the intensity of the offered load, collisions occur in the wireless medium and trigger the 802.11 backoff algorithms. While interference in the wireless medium can be unintentional, there are cases where signals are transmitted deliberately to cause purposeful interference. For our study, we define jamming as any activity that seeks to deny service to legitimate users by generating signals, noise, or fake or legitimate packets so as to disrupt service. The device that transmits jamming pulses, signals and packets to disrupt the service is known as a jammer.

Depending on the jammer, the loss of network service, including the loss of data packets, can range from minimal to severe. In this study, we present effective and efficient jamming techniques that can considerably degrade network throughput. We present jamming attacks on 802.11g and 802.11n, with the latter gaining popularity in the market [26].
1.1 Motivation
There are various jamming techniques that degrade the performance of a network and thereby reduce its overall throughput. Various jamming attacks have been studied in the past, both at the physical layer and at the MAC layer; for example, [26] focuses on threats against the 802.11 MAC layer. Physical layer jamming attacks have also been studied and proven to be effective. Primarily, these jamming attacks dealt with a single network, and the research on jamming concentrated on DSSS, i.e. on 802.11b devices. From an attacker's perspective, previous work includes building an effective and efficient jammer: one that manages its energy use efficiently while providing strong Denial of Service (DoS). Another important characteristic of a jammer is its ability to remain hard to detect in the wireless network. Our study primarily focuses on attacking multiple wireless networks simultaneously. We consider 802.11g devices as they have gained popularity and provide higher data rates and better range in the 2.4 GHz band than 802.11b devices. Also, 802.11g devices use Orthogonal Frequency Division Multiplexing (OFDM), so jamming 802.11g networks allows us to analyze the effects of jamming when OFDM is used at the physical layer. To provide an effective and efficient jammer, we use cognitive radio capabilities in our jamming strategy. In the following chapters, we provide an overview of 802.11g, 802.11n and cognitive radio concepts, a background study, and our jamming attacks.
In parallel with the jamming attacks on 802.11g networks just outlined, we carry out jamming attacks on multiple 802.11n networks, which are known to provide better range and throughput than 802.11g or 802.11b devices. Moreover, 802.11n devices can work in both the 2.4 GHz and 5 GHz bands. We study jamming attacks on 802.11n in the 5 GHz band and present the results.

1.2 Thesis Organization
The rest of this thesis is organized as follows. Chapter 2 presents an overview of 802.11g, 802.11n and cognitive radios. Chapter 3 provides background work with respect to jamming attacks in 802.11g and 802.11n networks. Chapter 4 and Chapter 5 present our jamming attacks on 802.11g and 802.11n networks respectively. Chapter 6 concludes this thesis and discusses possible future work.

Chapter 2 Overview of 802.11g, 802.11n and Cognitive Radio
Prior to the introduction of the IEEE 802.11g standard, the most widely used wireless standard was 802.11b, which offered considerable speed and range for wireless users in the 2.4 GHz band. Like 802.11b, 802.11g also uses the 2.4 GHz band. Since the 2.4 GHz band is shared by most wireless devices, interference is a common problem. In this band 11 channels are available (in the US regulatory domain), and both 802.11b and 802.11g are effectively limited to the three non-overlapping channels (1, 6 and 11) if adjacent-channel interference is to be avoided. Direct Sequence Spread Spectrum (DSSS) with Complementary Code Keying (CCK) was the modulation technology used in 802.11b for the 5.5 Mbps and 11 Mbps rates; this is referred to as High Rate DSSS (HR-DSSS). 802.11a was another option for wireless users. Unlike 802.11b/g, 802.11a works in the 5 GHz band. Though 802.11a provided higher data rates, its range was shorter than that of 802.11b. 802.11a uses Orthogonal Frequency Division Multiplexing (OFDM), which increases data throughput by using multiple subcarriers in parallel and multiplexing data over the set of subcarriers [6]. Other advantages of OFDM are lower vulnerability to interference and resistance to the negative effects of multipath. The following subsection provides a brief overview of OFDM technology.

2.1 Overview of OFDM
A typical method of communication is a single carrier system, where information is modulated onto a single carrier by adjusting its frequency, phase or amplitude [13]. Information consists of bits, and a group of bits transmitted together is known as a symbol. Such a system is vulnerable to loss of information from noise and signal reflections, and when the bandwidth used by a single carrier system is increased, its susceptibility to interference from other continuous signal sources increases as well. Frequency division multiplexing (FDM) was introduced to improve on the single carrier system. FDM extends single carrier modulation by using multiple subcarriers within the same channel; the total data rate to be sent in the channel is divided between the various subcarriers [13]. FDM is less vulnerable to noise and signal reflections, but it requires a guard band between modulated subcarriers to prevent the spectrum of one subcarrier from interfering with another. These guard bands lower the system's effective information rate when compared to a single carrier system with similar modulation [13]. Like FDM, OFDM subdivides a large frequency channel into a number of subchannels, which are used to transmit data in parallel to achieve higher throughput. In OFDM, a single transmission is encoded across multiple subcarriers, each of which carries part of the information to the destination, and the subcarriers are orthogonal. In simple terms, the subcarrier frequencies are selected so that at each subcarrier's center frequency all other subcarriers contribute nothing to the overall waveform [6]. In 802.11a/g, a 20 MHz channel carries 52 active subcarriers spaced 312.5 kHz apart, occupying 16.25 MHz: 48 subcarriers carry data and 4 serve as pilot signals.
These pilot signals are used for synchronization and supervisory purposes. With orthogonal subcarriers, high spectral efficiency is achieved and the complete frequency band is utilized. For a given bandwidth, spectral efficiency refers to how effectively the physical layer technology uses that bandwidth; high spectral efficiency thus means effective use of the subcarriers within the channel to transmit the information. Because the subcarriers are orthogonal, no guard bands are required between them, which gives higher throughput than FDM-based systems. Subcarriers in OFDM use different frequencies and are packed closely into an operating channel. Small shifts of the subcarriers off their grid, for example from oscillator offset or from multipath delay spread, destroy the orthogonality and cause interference between carriers known as inter-carrier interference (ICI) [6]. To protect against the multipath contribution, a guard time (the cyclic prefix) is inserted before each OFDM symbol. The guard time is a trade-off between interference and throughput: a longer guard time reduces interference but lowers the throughput of the system, while a shorter guard time increases throughput but also increases susceptibility to interference. Another advantage of OFDM is its greater resistance to narrowband interference, which is caused by a radio frequency signal transmitting within a narrow portion of the working channel and can corrupt data packets. The resistance comes from forward error correction: convolutional coding is performed in OFDM, and the 802.11 standard defines convolutional coding as the error-correction method to be used with its OFDM PHY [5]. Since a narrowband interferer affects only a few subcarriers, the coded bits lost on those subcarriers can be recovered from the bits carried on the rest. OFDM uses Binary Phase Shift Keying (BPSK) and Quadrature Phase Shift Keying (QPSK) for the lower OFDM data rates and 16-QAM and 64-QAM for the higher ones; Quadrature Amplitude Modulation (QAM) is a hybrid of phase and amplitude modulation [5]. Subcarriers are thus modulated with BPSK, QPSK, 16-QAM or 64-QAM and coded with convolutional codes at a rate that depends on the data rate.
2.2 The Extended-Rate PHY (ERP) - 802.11g
802.11a devices cannot communicate with 802.11b and legacy (802.11) devices for two reasons: 1) 802.11a uses OFDM, a different physical-layer technology from the DSSS spread spectrum of 802.11b, and 2) 802.11a works only in the 5 GHz band and not in the 2.4 GHz band. Since most wireless devices are used in the 2.4 GHz band, 802.11g was introduced as a bridge between 802.11b and 802.11a.
802.11g works in the 2.4 GHz band and also uses OFDM to gain higher throughput and greater resistance to interference. The main goal of 802.11g was to improve on the 802.11b physical layer by providing higher data rates while maintaining backwards compatibility with legacy 802.11 (DSSS only) and 802.11b (HR-DSSS) radios. We provide an overview of 802.11g in the following subsections.
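The following Python script is an added illustration of the OFDM properties described in Section 2.1 above; it is not code from the thesis or from OPNET. It builds one 802.11a/g-style OFDM symbol on the 52 active subcarriers (48 data subcarriers at the standard positions, 4 pilots at ±7 and ±21, a 16-sample cyclic prefix as the guard time) and then shows three things: a two-tap multipath echo shorter than the guard time causes no leakage between subcarriers once each subcarrier is equalized; a jamming tone placed exactly on one subcarrier corrupts only that subcarrier, which is the case convolutional coding is meant to repair; and a tone placed between two subcarrier frequencies leaks into many of them. QPSK mapping, the absence of coding and the hand-written DFT are simplifications chosen for this example, and every input is constructed inline.

```python
"""OFDM subcarrier orthogonality, guard interval and narrowband jamming.

Added example, not code from the thesis or from OPNET.  One 802.11a/g-style
OFDM symbol (64-point FFT, 52 active subcarriers: 48 data + 4 pilots,
16-sample cyclic prefix) is passed through a two-tap multipath channel
and/or a jamming tone, and the subcarriers that lost bits are reported.
QPSK mapping and the absence of convolutional coding are simplifications.
"""
import cmath
import math
import random

N_FFT, CP_LEN = 64, 16                # 64 bins at 312.5 kHz; 0.8 us cyclic prefix per 4 us symbol
PILOTS = (-21, -7, 7, 21)             # pilot positions of the 802.11a/g OFDM PHY
DATA = [k for k in range(-26, 27) if k != 0 and k not in PILOTS]   # 48 data subcarriers
BITS_PER_SYMBOL = 2 * len(DATA)       # QPSK: 96 uncoded bits per OFDM symbol


def dft(x, inverse=False):
    """Plain O(n^2) DFT so the example needs no numpy."""
    n, sign = len(x), (1 if inverse else -1)
    out = [sum(x[m] * cmath.exp(sign * 2j * math.pi * k * m / n) for m in range(n))
           for k in range(n)]
    return [v / n for v in out] if inverse else out


def qpsk(b0, b1):
    return complex(1 - 2 * b0, 1 - 2 * b1) / math.sqrt(2)


def modulate(bits):
    """Map 96 bits onto the data subcarriers, IFFT, prepend the cyclic prefix."""
    assert len(bits) == BITS_PER_SYMBOL
    freq = [0j] * N_FFT
    for i, k in enumerate(DATA):
        freq[k % N_FFT] = qpsk(bits[2 * i], bits[2 * i + 1])
    for k in PILOTS:
        freq[k % N_FFT] = 1 + 0j               # pilots: known BPSK symbols
    body = dft(freq, inverse=True)
    return body[-CP_LEN:] + body               # 80 samples: CP + 64-sample body


def multipath(samples, taps):
    """taps = [(delay_in_samples, complex_gain), ...]; delays must be <= CP_LEN."""
    return [sum(g * samples[n - d] for d, g in taps if n >= d) for n in range(len(samples))]


def add_tone(samples, k_tone, amp):
    """Jamming tone at (possibly fractional) subcarrier offset k_tone."""
    return [s + amp * cmath.exp(2j * math.pi * k_tone * n / N_FFT)
            for n, s in enumerate(samples)]


def demodulate(samples, taps=((0, 1 + 0j),)):
    """Drop the CP, FFT, one-tap equalise with the known channel, hard-decide QPSK."""
    freq = dft(samples[CP_LEN:CP_LEN + N_FFT])
    bits = []
    for k in DATA:
        h = sum(g * cmath.exp(-2j * math.pi * k * d / N_FFT) for d, g in taps)
        s = freq[k % N_FFT] / h
        bits += [int(s.real < 0), int(s.imag < 0)]
    return bits


def bad_subcarriers(bits, taps=((0, 1 + 0j),), k_tone=None, amp=0.0):
    """Set of data subcarriers whose bits were received in error."""
    rx = multipath(modulate(bits), taps)
    if k_tone is not None:
        rx = add_tone(rx, k_tone, amp)
    got = demodulate(rx, taps)
    return {DATA[i // 2] for i in range(BITS_PER_SYMBOL) if got[i] != bits[i]}


def tone_leakage(k_tone, amp):
    """|FFT| of a pure jamming tone over one 64-sample window, per bin."""
    tone = add_tone([0j] * (CP_LEN + N_FFT), k_tone, amp)
    return [abs(v) for v in dft(tone[CP_LEN:])]


if __name__ == "__main__":
    rng = random.Random(7)                      # constructed random payload bits
    bits = [rng.randint(0, 1) for _ in range(BITS_PER_SYMBOL)]
    print("multipath within CP, no jammer:", bad_subcarriers(bits, [(0, 1), (5, 0.4j)]))
    print("tone on subcarrier 5:", bad_subcarriers([0] * BITS_PER_SYMBOL, k_tone=5, amp=-3))
    leak = tone_leakage(5.5, 3)
    print("bins hit by an off-grid tone (> 2x tone amplitude):", sum(1 for v in leak if v > 6))
```

The on-grid tone lands entirely in one FFT bin because, over the 64-sample window, it is orthogonal to every other subcarrier; the half-bin-offset tone has no such property and spreads across roughly a third of the bins, which is the mechanism behind attacking a channel edge rather than its center.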

2.2.1 802.11g Physical Layer Components
Unlike 802.11b, which uses only direct-sequence spread spectrum (DSSS), 802.11g uses DSSS, OFDM, or both in the 2.4 GHz band and provides data rates up to 54 Mbps. 802.11g defines four physical layers, called Extended Rate PHYs (ERP), to make use of DSSS and OFDM: ERP-DSSS/CCK, ERP-OFDM, ERP-PBCC and DSSS-OFDM. Any two wireless stations communicate through one of these four.
1. ERP-DSSS/CCK is backwards compatible with the original DSSS specification and with CCK modulation.
2. ERP-OFDM is the primary mode of 802.11g and supports the same rates as 802.11a: 6, 9, 12, 18, 24, 36, 48 and 54 Mbps [6]. Both ERP-DSSS/CCK and ERP-OFDM are mandatory modes for 802.11g radios.
3. ERP-PBCC is an optional mode. It extends the Packet Binary Convolutional Coding (PBCC) option of 802.11b and provides data rates of 22 Mbps and 33 Mbps [6]. This option is not widely used in the market.
4. DSSS-OFDM is a mixed-mode scheme in which the header of a packet is encoded using DSSS and the payload using OFDM. This mode is also optional and not widely used.
802.11g uses the same channel structure and frequency band (2.4 GHz) as 802.11b; its OFDM signal occupies 16.25 MHz of each channel. Since 802.11g devices share the 2.4 GHz channel structure, they are likewise limited to three non-overlapping channels. The 802.11g physical layer was designed to maintain backwards compatibility with 802.11b radios, which allows g and b nodes to coexist in the same environment. The original 802.11 standard's underlying physical technology was DSSS at 1 Mbps and 2 Mbps; 802.11b devices added CCK modulation in their physical layer, providing the higher data rates of 5.5 Mbps and 11 Mbps. The 802.11g physical layer was therefore designed to hear transmissions from both 802.11b and legacy (802.11) devices.

2.2.2 802.11g MAC Layer
The basic Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) mechanism is shown in Figure 2.1. A station that wants to transmit a frame senses the medium (using the Clear Channel Assessment (CCA) of the PHY layer); if the medium has been idle for at least a DIFS interval, the station is allowed to transmit its frame. If the medium is busy, the station must wait until the medium has been idle for a DIFS interval before contending for a transmission opportunity. The period in which a station contends with other stations for transmission opportunities is known as the contention phase.
Figure 2.1: The basic CSMA/CA in 802.11b/g networks
When the medium is sensed busy, every station chooses a random backoff of between zero and CW slots, where CW is the current contention window, and must wait that many idle slots before attempting to access the channel. This further delays access to the shared medium. If a station does not gain access on its first attempt, it freezes its backoff timer and waits for the channel to become idle again. Once the channel has been idle for DIFS, the station resumes its backoff timer, and when the timer expires the station transmits. If a collision occurs, the station doubles its contention window (binary exponential backoff) and starts a new backoff.
The basic CSMA/CA mechanism cannot solve the hidden terminal problem, so the RTS (Request to Send) and CTS (Clear to Send) exchange is used for that purpose. The problem arises when a station STA A can receive from two other stations, STA B and STA C, but those two stations cannot receive each other [26]. If both sense the channel idle and send to STA A at the same time, the frames collide at the receiver STA A. After waiting for DIFS (plus a random backoff if the medium was busy), the sender issues an RTS frame. The RTS names the intended receiver and carries the duration of the whole data transmission, i.e. the time needed to transmit the data frame and its acknowledgment. Every node that receives the RTS sets its Network Allocation Vector (NAV) according to the duration field; the NAV gives the earliest point in time at which the station may try to access the medium again. After a successful RTS, the receiver sends a CTS after a SIFS interval (SIFS < DIFS). After the CTS has been received, DATA and ACK follow, again separated by SIFS [26].
Although the basic CSMA/CA mechanism is the same in 802.11g and 802.11b, some parameters differ, such as the maximum MAC frame length and the preamble duration. Table 2.1 summarizes the 802.11g MAC layer parameters. Note that if a network consists only of 802.11g devices, all of them use a slot time of 9 µs, which is shorter than the 20 µs slot time of 802.11b devices; this is one of the reasons for the higher throughput of 802.11g. The following subsection describes how 802.11g and 802.11/802.11b devices can coexist.
Table 2.1: MAC layer parameters of 802.11g
Parameter                            Value
Maximum MAC frame length             4095 bytes
Slot time (g only / with 802.11b)    9 µs / 20 µs
SIFS (g only / with 802.11b)         10 µs / 28 µs
Contention window size               15-1023 slots
Preamble duration                    20 µs
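The timings of this section, and the cost of the 802.11b-compatible protection frames introduced in Section 2.2.3, can be put into numbers with the following Python model. It is an added example, not code from the thesis: SIFS, slot times, contention window and preamble come from Table 2.1 and the 1 Mbps protection frames from Section 2.2.3, while the 4 µs OFDM symbol with 16 SERVICE and 6 tail bits, the absence of the 2.4 GHz signal extension, the 192 µs DSSS long preamble plus PLCP header, an ACK sent at the data rate and a 1536-byte data MPDU are assumptions of the example.

```python
"""Airtime of one 802.11g DCF frame exchange with and without 802.11b protection.

Added example, not code from the thesis. Table 2.1 values: SIFS 10 us, slot 9 us
(g only) or 20 us (with 802.11b), CW 15..1023, 20 us OFDM preamble. Assumed:
4 us OFDM symbols carrying 16 SERVICE + 6 tail bits per frame, no signal
extension, 192 us DSSS long preamble/PLCP header, ACK at the data rate.
"""
import math

SIFS_US = 10
SLOT_G_ONLY_US, SLOT_WITH_B_US = 9, 20
CW_MIN, CW_MAX = 15, 1023
OFDM_PREAMBLE_US, OFDM_SYMBOL_US = 20, 4
DSSS_PREAMBLE_US = 192
RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14


def difs_us(slot_us):
    # DCF: DIFS = SIFS + 2 slot times, so the b-compatible slot also stretches DIFS
    return SIFS_US + 2 * slot_us


def ofdm_airtime_us(mpdu_bytes, rate_mbps):
    """ERP-OFDM frame duration: preamble plus a whole number of OFDM symbols."""
    bits = 16 + 8 * mpdu_bytes + 6
    bits_per_symbol = rate_mbps * OFDM_SYMBOL_US
    return OFDM_PREAMBLE_US + OFDM_SYMBOL_US * math.ceil(bits / bits_per_symbol)


def dsss_airtime_us(mpdu_bytes, rate_mbps=1):
    """Legacy DSSS frame duration; at 1 Mbps every byte costs 8 us on the air."""
    return DSSS_PREAMBLE_US + 8 * mpdu_bytes // rate_mbps


def contention_window(retry):
    # binary exponential backoff: CW doubles after each collision, capped at CW_MAX
    return min((CW_MIN + 1) << retry, CW_MAX + 1) - 1


def mean_backoff_us(retry, slot_us):
    # the backoff counter is uniform in [0, CW], so CW/2 slots on average
    return contention_window(retry) / 2 * slot_us


def nav_duration_us(protection, mpdu_bytes, rate_mbps):
    """Duration field of the reservation frame: everything that still follows it,
    up to and including the ACK. This is the value other stations load into their NAV."""
    rest = (SIFS_US + ofdm_airtime_us(mpdu_bytes, rate_mbps)
            + SIFS_US + ofdm_airtime_us(ACK_BYTES, rate_mbps))
    if protection == "cts":        # CTS-to-self: the CTS itself is the reservation
        return rest
    if protection == "rtscts":     # RTS must also cover the CTS reply
        return SIFS_US + dsss_airtime_us(CTS_BYTES) + rest
    raise ValueError(protection)


def update_nav(nav_expiry_us, now_us, duration_us):
    # a station only ever extends its NAV; a shorter duration never shortens it
    return max(nav_expiry_us, now_us + duration_us)


def exchange_airtime_us(mpdu_bytes, rate_mbps, slot_us, protection=None, retry=0):
    """Medium time from the end of the previous exchange to the end of the ACK."""
    t = difs_us(slot_us) + mean_backoff_us(retry, slot_us)
    if protection == "cts":
        t += dsss_airtime_us(CTS_BYTES) + SIFS_US
    elif protection == "rtscts":
        t += dsss_airtime_us(RTS_BYTES) + SIFS_US + dsss_airtime_us(CTS_BYTES) + SIFS_US
    elif protection is not None:
        raise ValueError(protection)
    return t + ofdm_airtime_us(mpdu_bytes, rate_mbps) + SIFS_US + ofdm_airtime_us(ACK_BYTES, rate_mbps)


def goodput_mbps(payload_bytes, airtime_us):
    return 8 * payload_bytes / airtime_us


if __name__ == "__main__":
    mpdu, payload, rate = 1536, 1500, 54      # assumed frame sizes
    cases = [("pure g, no protection", SLOT_G_ONLY_US, None),
             ("mixed, CTS-to-self", SLOT_WITH_B_US, "cts"),
             ("mixed, RTS/CTS", SLOT_WITH_B_US, "rtscts")]
    for name, slot, prot in cases:
        air = exchange_airtime_us(mpdu, rate, slot, prot)
        print(f"{name:24s} {air:7.1f} us/frame  {goodput_mbps(payload, air):5.1f} Mbit/s")
```

With these assumptions a 1536-byte frame at 54 Mbps costs 377.5 µs per exchange in a pure g network (about 31.8 Mbit/s of goodput), 796 µs with CTS-to-Self in a mixed network (about 15.1 Mbit/s) and 1158 µs with RTS/CTS (about 10.4 Mbit/s): the 1 Mbps protection frames, not the data rate, dominate the airtime, which is why Section 2.2.3 notes that coexistence degrades aggregate throughput even with protection enabled.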

2.2.3 Operational Modes and Protection Mechanisms
With the introduction of the 802.11g standard and its backwards compatibility, there are three modes of operation for communication among the nodes of a wireless network: pure b mode, pure g mode and mixed mode.
1. Pure b mode: The network consists only of 802.11b devices, which transmit data packets at the maximum data rate of 11 Mbps or at 5.5, 2 or 1 Mbps. An 802.11g access point (AP) can be operated in this mode, in which case only 802.11b devices can associate and send data packets. The physical layer technologies used in this mode are DSSS, HR-DSSS and ERP-DSSS/CCK.
2. Pure g mode: The network consists only of 802.11g devices. On a g node or a g AP, ERP-OFDM is enabled and the other technologies (DSSS, HR-DSSS and ERP-DSSS/CCK) are disabled, so only 802.11g devices can associate with an AP in pure g mode. Because all nodes are 802.11g devices, this mode is also known as g-only mode, and it achieves the highest throughput of the three modes.
3. Mixed mode: Both 802.11b and 802.11g devices coexist in a single network. This is the most widely used mode: a mixed-mode 802.11g AP accepts associations from both 802.11b and 802.11g devices, so both ERP-DSSS/CCK and ERP-OFDM are enabled. Because two different technologies (DSSS and OFDM) share the medium, a proper coordination mechanism is required. This mechanism is known as the protection mechanism and is explained in the following paragraphs. Even with the protection mechanism enabled, the coexistence of b and g devices degrades the aggregate throughput.
Although 802.11g devices are backwards compatible with 802.11b devices, they use a different modulation scheme, and problems still arise in a mixed-mode environment where both b and g devices exist. In such an environment, 802.11b devices must be made aware of ongoing 802.11g transmissions. Without a proper mechanism, an 802.11b device, which cannot decode an OFDM frame, may transmit during an 802.11g transmission and cause a collision on the medium.
To avoid this problem there are two protection mechanisms: RTS/CTS protection and CTS-to-Self protection. RTS/CTS protection uses the standard RTS and CTS frame exchange of the IEEE 802.11 standard. The mechanism works as follows. In a mixed-mode environment, when an 802.11g device needs to transmit data to another 802.11g device, it first sends either a CTS-to-Self frame or an RTS/CTS exchange at a data rate (1 Mbps) and with a modulation scheme that 802.11b devices can decode. The surrounding 802.11b and 802.11g devices that hear these frames update their NAV timers with the duration value carried in the CTS-to-Self or RTS/CTS frames. Once the medium has been reserved this way, the source 802.11g device transmits its data frame to the other 802.11g device using OFDM modulation.
Figure 2.2: CTS-to-Self protection mechanism
In CTS-to-Self mode, the source sends a CTS frame whose receiver address is its own MAC address. The duration value in this CTS frame lets the other nodes set their NAV timers, thus protecting the 802.11g frames that follow. Figure 2.2 [6] gives an overview of the CTS-to-Self protection mechanism. One advantage of CTS-to-Self is that it uses a single, smaller frame for protection. Thus, CTS-to-Self yields a better

throughput compared to RTS/CTS. Table 2.2 summarizes the three operational modes and compares them.
Table 2.2: Comparison of operational modes
                       Pure b                         Pure g                              Mixed
Technology             DSSS, HR-DSSS, ERP-DSSS/CCK    ERP-OFDM                            ERP-DSSS/CCK, ERP-OFDM
Devices allowed        Only 802.11b                   Only 802.11g                        Both 802.11b and 802.11g
Data rates             1, 2, 5.5, 11 Mbps             6, 9, 12, 18, 24, 36, 48, 54 Mbps   1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps
Protection mechanism   No                             No                                  Yes
The protection mechanism is enabled in three situations:
1. A legacy 802.11 device or an 802.11b (HR-DSSS) device associates with an 802.11g AP.
2. Nearby 802.11b clients or an 802.11b AP transmit beacons regularly. When the 802.11g AP hears these beacons, it enables the protection mechanism in its BSS.
3. A nearby 802.11g AP has enabled the protection mechanism and advertises this in its beacons. Another 802.11g AP that hears these beacons enables the protection mechanism in its own BSS as well.
2.3 IEEE 802.11n
The IEEE 802.11n standard was developed to provide higher throughput, better range, better reliability and greater performance than 802.11a/b/g. To achieve this, 802.11n enhances both its physical layer and its MAC layer. 802.11n consists of more efficient

methods to increase the throughput of a wireless network. Enhancements such as channel bonding, Multiple Input/Multiple Output (MIMO) and improved OFDM raise the data rate to as much as 600 Mbps. Moreover, 802.11n supports operation in both the 2.4 GHz and 5 GHz bands, which gives flexibility in designing and deploying wireless networks. Another major advantage is its backwards compatibility with 802.11a, 802.11b and 802.11g devices. As in 802.11g, protection mechanisms are used in 802.11n so that 802.11n and legacy devices can coexist in a BSS. The following subsections give a brief overview of the features and enhancements of the 802.11n standard.
2.3.1 Modifications and Enhancements in PHY Layer
At the physical layer, 802.11n builds on the same OFDM technology as 802.11a and 802.11g, with an enhanced OFDM that increases both reliability and data throughput. The PHY layer enhancements of the IEEE 802.11n standard are the following.
1. MIMO: This feature, introduced in 802.11n, uses multiple antennas at both ends of a link so that several signals can be transmitted and received over the same channel at the same time. An 802.11n device is described as M x N, where M is the number of transmit antennas and N the number of receive antennas; for example, 2 x 3 denotes a device with 2 transmit antennas and 3 receive antennas. More transmit and receive antennas allow higher data throughput.
2. Spatial Multiplexing: This feature is an application of MIMO. Spatial multiplexing transmits several spatial streams, each carrying a distinct stream of data, over the available antennas; both transmitter and receiver must be MIMO capable. Throughput increases substantially with the number of spatial streams: in simple terms, if an 802.11n node A sends data to another 802.11n node B using two spatial streams, the throughput is effectively doubled compared to a single spatial stream. The IEEE 802.11n standard allows a maximum of four spatial streams per transmission.

3. Channel Bonding: This is a major enhancement of 802.11n. Previously, 802.11b and 802.11g allowed nodes to use only 20 MHz channels. In 802.11n the channel bandwidth can also be 40 MHz: two adjacent 20 MHz channels are combined into a single 40 MHz channel. A 40 MHz channel contains more subcarriers that can carry data to the destination, so throughput increases noticeably compared to a 20 MHz channel, and it increases further when channel bonding is combined with spatial streams. Figure 2.3 shows channel bonding of channels 36 and 40 in the 5 GHz band.
Figure 2.3: 802.11n Channel Bonding
4. Improved OFDM: In OFDM, the data is carried as a sequence of OFDM symbols on a set of subcarriers [5]. A guard interval is inserted between consecutive OFDM symbols to reduce inter-symbol interference. Guard intervals are overhead during data transmission, so throughput is higher when this overhead is small. 802.11n can use a short guard interval of 400 ns instead of the 800 ns guard interval of 802.11a and 802.11g.
With respect to frequency bands and channel availability, the 2.4 GHz band has three non-overlapping 20 MHz channels, while the 5 GHz band has 23 non-overlapping 20 MHz channels. For channel bonding, only one non-overlapping 40 MHz channel is available in the 2.4 GHz band, whereas the 5 GHz band offers 12 such channels.
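The channel counts above follow from the geometry of the channels, which the following Python helper computes. It is an added example, not code from the thesis: the centre-frequency mapping (2407 + 5 x channel MHz for 2.4 GHz channels 1 to 13, 2484 MHz for channel 14, 5000 + 5 x channel MHz in 5 GHz) is the standard one, but the channel lists, the convention that the secondary channel of a bonded pair lies above the primary, and the half-open overlap test are assumptions of the example. It also reports which channels a jammer of a given centre frequency and bandwidth overlaps, which is the quantity behind the adjacent-channel and channel-bonding results discussed in Chapter 3.

```python
"""Channel geometry for 20 MHz and bonded 40 MHz 802.11 channels.

Added example, not code from the thesis. The channel lists are the example's own
assumptions: which channels are legal differs by regulatory domain.
"""

CH_24GHZ = list(range(1, 12))                         # assumption: FCC domain, channels 1..11
CH_5GHZ = [36, 40, 44, 48, 149, 153, 157, 161, 165]   # assumption: UNII-1 and UNII-3 only


def center_mhz(ch):
    if 1 <= ch <= 13:
        return 2407 + 5 * ch
    if ch == 14:
        return 2484
    if 36 <= ch <= 165:
        return 5000 + 5 * ch
    raise ValueError(f"unknown channel {ch}")


def span(center, width_mhz):
    return (center - width_mhz / 2, center + width_mhz / 2)


def overlaps(a, b):
    # edges that merely touch do not count as overlap
    return max(a[0], b[0]) < min(a[1], b[1])


def bonded_pairs(channels):
    """(primary, secondary) pairs 20 MHz (four channel numbers) apart. In 2.4 GHz any
    channel may pair with the one above it; in 5 GHz only the pairs the standard
    defines (36+40, 44+48, ..., 149+153, 157+161) are valid."""
    present = set(channels)
    pairs = []
    for c in channels:
        if c + 4 not in present:
            continue
        if c >= 36:
            base = 149 if c >= 149 else 36
            if (c - base) % 8:
                continue
        pairs.append((c, c + 4))
    return pairs


def bonded_span(primary):
    # the 40 MHz channel is centred midway between primary and secondary
    return span(center_mhz(primary) + 10, 40)


def max_disjoint(spans):
    """Greedy interval scheduling by right edge: a maximum set of disjoint spans."""
    chosen = []
    for s in sorted(spans, key=lambda s: s[1]):
        if not chosen or not overlaps(chosen[-1], s):
            chosen.append(s)
    return chosen


def non_overlapping_20(channels, width_mhz=20):
    chosen = max_disjoint([span(center_mhz(c), width_mhz) for c in channels])
    return [c for c in channels if span(center_mhz(c), width_mhz) in chosen]


def non_overlapping_40(channels):
    pairs = bonded_pairs(channels)
    chosen = max_disjoint([bonded_span(p) for p, _ in pairs])
    return [pair for pair in pairs if bonded_span(pair[0]) in chosen]


def affected_channels(jam_center_mhz, jam_width_mhz, channels, width_mhz=20):
    """20 MHz channels that a jammer of the given centre and bandwidth overlaps."""
    jam = span(jam_center_mhz, jam_width_mhz)
    return [c for c in channels if overlaps(jam, span(center_mhz(c), width_mhz))]


def jammer_hits_bonded(jam_center_mhz, jam_width_mhz, primary):
    return overlaps(span(jam_center_mhz, jam_width_mhz), bonded_span(primary))


if __name__ == "__main__":
    print("2.4 GHz, 22 MHz DSSS mask:", non_overlapping_20(CH_24GHZ, 22))
    print("2.4 GHz, 20 MHz OFDM, ch 1-13:", non_overlapping_20(list(range(1, 14))))
    print("2.4 GHz 40 MHz channels:", non_overlapping_40(CH_24GHZ))
    print("5 GHz 40 MHz channels:", non_overlapping_40(CH_5GHZ))
    print("20 MHz jammer on ch 6 hits:", affected_channels(2437, 20, CH_24GHZ, 22))
    print("jammer on ch 40 vs 20 MHz ch 36:", affected_channels(5200, 20, [36]))
    print("jammer on ch 40 vs bonded 36+40:", jammer_hits_bonded(5200, 20, 36))
```

With the 22 MHz DSSS/CCK mask the familiar channels 1, 6 and 11 come out, which is the three-channel limit of a mixed b/g network; with a pure 20 MHz OFDM spacing and channel 13 available, four channels (1, 5, 9, 13) would fit. A 20 MHz jammer centred on channel 6 overlaps every channel from 2 to 10, and a jammer on channel 40, which is orthogonal to a 20 MHz channel 36, lands inside the bonded 36+40 channel: bonding removes the orthogonality that a 20 MHz network could still rely on.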

2.3.2 Modifications and Enhancements in MAC Layer
We have seen that the PHY layer enhancements increase throughput and reliability. To sustain effective throughput gains, however, 802.11n also needs MAC layer enhancements that complement the PHY layer features. The MAC layer enhancements in 802.11n are the following:
1. Frame Aggregation: With 802.11b/g devices, the maximum payload size is 2304 bytes. Frame aggregation reduces the MAC layer overhead significantly by combining multiple frames into one before transmission. It can be done in either of two ways:
(a) MAC Service Data Unit Aggregation (A-MSDU): The upper-layer information carried in the body of an 802.11 data frame is called an MSDU [5]. When multiple MSDUs are combined into a single frame and transmitted together, MAC overhead such as medium contention and interframe spacing is reduced considerably.
(b) MAC Protocol Data Unit Aggregation (A-MPDU): An 802.11 frame including its MAC header, body and trailer forms an MPDU. As with MSDUs, multiple MPDUs can be combined into a single transmission. Every MPDU within an A-MPDU is addressed to the same receiver. A-MPDU improves network throughput by reducing MAC overhead; the maximum A-MPDU size in 802.11n is 64 KB.
2. Block Acknowledgement: In 802.11b and 802.11g, every data packet (other than multicast/broadcast) sent by a source node is acknowledged with an ACK frame from the destination node. As the number of acknowledged unicast frames grows, the MAC overhead grows with it and throughput drops significantly. To reduce this overhead, 802.11n uses block acknowledgement, in which the receiver acknowledges a whole block of unicast frames with a single Block ACK frame whose bitmap marks which frames of the block were received.
3. Reduced Interframe Spacing (RIFS): Wireless nodes leave a Short Interframe Space (SIFS) between transmissions, for example between an ACK frame and the next transmission. 802.11b/g use a SIFS of 10 µs in the 2.4 GHz band and 802.11a a SIFS of 16 µs in the 5 GHz band. 802.11n adds RIFS, a 2 µs gap that can replace SIFS between consecutive frames sent by the same transmitter. Using RIFS reduces the overhead of a transmission burst and yields better throughput. Table 2.3 summarizes the 802.11n MAC layer parameters.
Table 2.3: MAC layer parameters of 802.11n
Parameter                   Value
Maximum MAC frame length    8191 bytes
Slot time                   9 µs
SIFS                        16 µs
RIFS                        2 µs
Contention window size      15-1023 slots
Preamble duration           16 µs
2.3.3 Operational Modes and Protection Mechanisms
To maintain backwards compatibility with 802.11b/g, an 802.11n access point signals the current protection mode to the other 802.11n clients; one of four protection modes is set in the BSS depending on the devices associated with the AP. The four modes are:
1. Greenfield Mode: All nodes are HT 802.11n devices, so high throughput is achieved and no protection mechanism is required.
2. Non-Member Protection Mode: All stations in the BSS are HT stations. Protection is enabled only because a non-HT client or a non-HT AP that is not a member of the BSS has been heard [5].
3. 20 MHz Protection Mode: All stations in the BSS are HT 802.11n stations, associated with an AP that can operate in either 20 MHz

or 40 MHz (20/40 MHz) channels. If an 802.11n client that can only operate in a 20 MHz channel associates with a 20/40 MHz AP, protection must be enabled [5].
4. Mixed Mode: This is the most common mode of operation. Here, 802.11b (HR-DSSS), 802.11g (ERP-OFDM) and HT 802.11n clients associate with an HT 802.11n AP. Because different PHY technologies share the same environment, the protection mechanism is enabled.
In these modes the protection mechanism used is CTS-to-Self, RTS/CTS or Dual-CTS. Dual-CTS protection was introduced in 802.11n for use with space-time block coding (STBC): the AP sends two CTS frames, one in STBC format and one in non-STBC format, either in response to an RTS or as CTS-to-Self, so that stations of both kinds set their NAV. The protection mode of a BSS changes dynamically as clients associate with and leave the AP.
2.4 Overview of Cognitive Radio
A cognitive radio (CR) is an intelligent system designed mainly for efficient use of dynamically available spectrum. In the definition of [8], a cognitive radio is an intelligent wireless communication system that is aware of its surrounding environment (i.e., outside world), and uses the methodology of understanding-by-building to learn from the environment and adapt its internal states to statistical variations in the incoming RF stimuli by making corresponding changes in certain operating parameters in real time.
Channels in the frequency spectrum are licensed to particular users, known as primary users; other, unlicensed users of the spectrum are known as secondary users. CR technology overcomes spectrum shortage by enabling secondary (unlicensed) wireless devices to communicate without interfering with the primary users [25]. CR technology is thus designed for dynamic spectrum allocation: CRs share the wireless channel with the licensed users in an opportunistic way [4]. To provide dynamic spectrum allocation, cognitive radios require spectrum sensing and rapid channel switching capabilities.
[4] summarizes the capabilities of CRs as follows:
1. Spectrum Sensing: This is an important capability of a cognitive radio. A CR senses the spectrum and finds channels available for secondary users.
2. Location Identification: A cognitive radio determines the location of other transmitters and then selects appropriate parameters, such as the transmit power required and the frequencies allowed at its location.
3. Network Discovery: CRs are capable of network discovery in order to access the resources that are reachable.
4. Fast Switching Capability: CRs switch between channels with less delay than an 802.11 radio.
Other advantages of CRs are dynamic frequency selection, adaptive modulation depending on the interoperability of the system in use, adaptive power control and dynamic switching between power levels. All of these features make the CR an ideal candidate for a robust jamming device. Moreover, cognitive radios are aware of the surrounding networks and of the load generated in each of them.

Chapter 3 Related Work
In this chapter, we present the classification and characteristics of a jammer and review some of the research literature on jamming attacks in wireless networks, with emphasis on jamming attacks against 802.11g and 802.11n networks.
3.1 Classification of Jammers
A jammer is a malicious node that transmits radio signals which interfere with the legitimate signals in a wireless network. A jammer can be a simple device that emits jamming signals to disrupt communication, or a device that emits radio signals with some intelligence (discussed later in this section). Henceforth, we refer to the radio signals emitted by jammers as jamming pulses. Jammers can be classified into four basic categories [17].
Constant jammer: A constant jammer transmits jamming pulses continuously. An important aspect of the constant jammer is that it does not adhere to the 802.11 MAC protocol: it starts transmitting jamming pulses without waiting for the medium to become free. Data packets in transit are corrupted when the jamming starts, and as long as the pulses continue the medium appears busy to the legitimate nodes. Since a constant jammer transmits continuously, its energy consumption is high, which is considered its major drawback.

Deceptive jammer: This jammer resembles a constant jammer in that both transmit jamming pulses continuously, but the pulses of a deceptive jammer are not random. A deceptive jammer emits regular or fabricated packets that look identical to data packets sent by a legitimate wireless node. As a result, all nodes in the wireless medium defer their transmissions, since they sense the medium to be busy. Because the jamming pulses take the form of regular packets, the probability of detection is lower than for a constant jammer. Like a constant jammer, a deceptive jammer consumes considerable energy and is not energy efficient.
Random jammer: Unlike constant and deceptive jammers, a random jammer does not transmit jamming pulses continuously. It transmits a jamming pulse for a certain time (the pulse duration) and then sleeps for a certain time (the silence duration). By varying the pulse duration, the silence duration or both, a random jammer varies its jamming strategy. Its energy consumption depends on the lengths of the pulse and silence durations.
Reactive jammer: None of the jammers above considers whether the wireless medium is busy; a constant jammer, for example, transmits regardless of the data packets in the medium. A reactive jammer transmits a jamming pulse only after sensing that the medium is busy: it listens for regular data packets and transmits a jamming pulse as soon as it finds the medium busy, so that the data packet may be corrupted and the overall throughput of the network degraded. Because of its reactive nature, its energy consumption depends on the amount of traffic it senses and jams. There are other types of reactive jammers; for example, some react to particular protocol events rather than merely to the busy status of the medium.
With the above types of jammer, different jamming techniques can be carried out. [15] classifies jamming techniques as follows:
1. Spot Jamming: The attacker targets a specific frequency and transmits jamming pulses at its full power.
2. Sweep Jamming: The attacker sweeps across all the frequencies in the band to disrupt communication.
3. Barrage Jamming: A range of frequencies is jammed at

the same time.
4. Deceptive Jamming: Jamming is performed on a single frequency or on a range of frequencies with the attacker in a deceptive mode (i.e. the attacker is difficult to detect).
3.2 Classification of Jamming Attacks
Jamming attacks can be classified [10], [17] as follows:
1. PHY layer attacks: In PHY layer jamming attacks, jamming signals are transmitted in the same channel the nodes use for communication. The interference significantly reduces the signal-to-noise ratio (SNR) and thereby degrades the performance of the network. [28] highlights PHY layer jamming attacks in which a constant jammer sends jamming pulses on a particular frequency without following any MAC layer protocol. Reactive jamming is also used in PHY layer attacks. [2] describes several PHY layer jamming attacks, namely continuous low-power jamming, bursty high-power jamming and busy jamming, and for each of them calculates and compares the total energy consumed by the jammer. Energy consumption is an important factor in jamming attacks, since a jammer that conserves energy can keep disrupting communication in the network for longer.
2. MAC layer attacks: These attacks target the protocols of the 802.11 MAC layer, for example the association and disassociation of a node with an AP, or power management. In deauthentication and disassociation attacks, the attacker spoofs deauthentication and disassociation frames and denies a single wireless station its association with the AP. [3] focuses on MAC layer attacks such as disassociation and deauthentication attacks. All wireless nodes must associate (after authentication) with an AP in the BSS before data communication. In a disassociation attack, the attacker exploits the association process by spoofing a disassociation frame after a successful

association process. This disassociates the node from the AP and leads to a link failure. Similarly, once a node has authenticated with an AP, an attacker can spoof a deauthentication frame and deny it association with the AP. Another attack of this type is the power-saving attack [3], in which the attacker spoofs messages related to the power conservation functionality of a node.
3. Intelligent attacks: Here, the jammer continuously listens to the medium and transmits jamming pulses with knowledge of the protocol [2]. The jammer is able to analyze the type of packet (control or data) and jam accordingly. [26] presents intelligent jamming attacks that are more efficient in terms of the jammer's power consumption and have a lower probability of detection. The intelligent jamming attacks of [26] target specific aspects of the protocol: RTS/CTS jamming, ACK jamming, data corruption jamming and DIFS wait jamming. The goals of intelligent jamming [17] are maximized jamming gain, targeted jamming and a reduced probability of detection.
4. Greedy behavior attacks: In this type of attack, one or more nodes behave selfishly in order to obtain a higher throughput in the network. For example, a selfish node may ignore the backoff mechanism of the 802.11 CSMA/CA protocol and thereby gain an unfair advantage, increasing its own performance at the cost of the other nodes. [27] describes jamming vulnerabilities in 802.11e caused by misbehaving (greedy) nodes in the network. [11] and [12] also give example scenarios of selfish nodes that try to obtain higher throughput than the other nodes in the network.
3.3 Overview of Jamming Attacks in 802.11g and 802.11n
As discussed earlier, intelligent jamming attacks target specific aspects of the protocol such as RTS/CTS, ACK, data corruption jamming and DIFS wait jamming. [26] presents intelligent attacks on 802.11b that apply directly to 802.11g networks. With these intelligent jamming attacks, [26] achieves maximized jamming gain, targeted jamming and a reduced probability of detection.
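The energy and detectability trade-off between the jammer types of Section 3.1 can be made concrete with a small slot-level simulation. The following Python model is an added example, not code from the thesis or from [17] or [26]; the traffic schedule is constructed, time is slotted, a legitimate station defers (as CSMA/CA would) in any slot in which the jammer is on and transmits in the next free slot, a frame is lost if the jammer is on in any slot it occupies, and the reactive jammer senses the medium with one slot of delay. The random jammer uses fixed pulse and silence lengths so that the run is reproducible.

```python
"""Slot-level model of constant, random (pulsed) and reactive jammers against
CSMA traffic, comparing the disruption they cause with the energy they spend.

Added example, not code from the thesis; the traffic schedule is constructed.
"efficiency" is frames disrupted per slot of jammer transmission, i.e. the
jamming gain per unit of energy discussed in Section 3.1.
"""


class NoJammer:
    def decide(self, t, medium_busy):
        return False


class ConstantJammer:
    """Always on; ignores the MAC entirely."""
    def decide(self, t, medium_busy):
        return True


class PulsedJammer:
    """Random jammer with fixed pulse and silence lengths. A real one draws them
    from a distribution; fixed lengths keep the run reproducible."""
    def __init__(self, pulse, silence):
        self.pulse, self.period = pulse, pulse + silence

    def decide(self, t, medium_busy):
        return t % self.period < self.pulse


class ReactiveJammer:
    """Transmits only while it senses a legitimate frame in the air (one slot late)."""
    def decide(self, t, medium_busy):
        return medium_busy


def make_schedule(count, period, length, offset=0):
    """Constructed traffic: `count` frames of `length` slots, one every `period` slots."""
    return [(offset + k * period, length) for k in range(count)]


def simulate(schedule, jammer, horizon):
    queue = sorted(schedule)            # frames waiting to be sent: (earliest_slot, length)
    stats = {"delivered": 0, "corrupted": 0, "blocked": 0, "jam_slots": 0}
    in_flight = None                    # [end_slot, hit_by_jammer]
    medium_busy = False                 # what the jammer heard in the previous slot
    for t in range(horizon):
        jam = jammer.decide(t, medium_busy)
        stats["jam_slots"] += int(jam)
        # CSMA/CA: start the next frame only in a slot where the jammer is silent
        if in_flight is None and queue and queue[0][0] <= t and not jam:
            _, length = queue.pop(0)
            in_flight = [t + length, False]
        if in_flight is not None:
            if jam:
                in_flight[1] = True     # any overlap with a jamming pulse corrupts the frame
            medium_busy = True
            if t + 1 == in_flight[0]:
                stats["corrupted" if in_flight[1] else "delivered"] += 1
                in_flight = None
        else:
            medium_busy = False
    # frames never sent (still deferring) plus any frame cut off by the horizon
    stats["blocked"] = len(queue) + (1 if in_flight is not None else 0)
    stats["disrupted"] = stats["corrupted"] + stats["blocked"]
    stats["efficiency"] = stats["disrupted"] / stats["jam_slots"] if stats["jam_slots"] else 0.0
    return stats


if __name__ == "__main__":
    traffic = make_schedule(count=10, period=10, length=4)
    for name, jammer in [("none", NoJammer()), ("constant", ConstantJammer()),
                         ("pulsed 2/5", PulsedJammer(2, 5)), ("reactive", ReactiveJammer())]:
        s = simulate(traffic, jammer, horizon=100)
        print(f"{name:11s} delivered={s['delivered']:2d} corrupted={s['corrupted']:2d} "
              f"blocked={s['blocked']:2d} jam_slots={s['jam_slots']:3d} efficiency={s['efficiency']:.3f}")
```

On the constructed schedule of ten 4-slot frames in 100 slots, the constant jammer blocks all ten frames but is on for all 100 slots (0.10 frames per jamming slot), the pulsed jammer corrupts four frames for 30 slots of transmission (about 0.13) while six frames still get through, and the reactive jammer corrupts all ten frames while transmitting for only 40 slots (0.25): the reactive strategy both disrupts the most and transmits the least, which is the property that makes it hard to detect and the reason the intelligent attacks of [26] build on it.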

[7] focuses on the effects of interference in wireless networks. For 802.11g, [7] shows that although 802.11g networks provide high data throughput, even a small amount of interference in the channel degrades their performance considerably. In [9], the usability of 802.11b/g WLANs under jamming is analyzed theoretically; [9] shows that when an 802.11g system is exposed to single-carrier jamming, its performance depends strongly on the jamming frequency. [18] emphasizes that the effect of jamming depends on the number of orthogonal channels available and on the frequency separation between them: depending on these two factors, a jammer on one channel causes interference not only in that channel but also in the adjacent one. In [18], experiments were conducted on 802.11a and 802.11g networks and the impact of jamming on performance was studied. 802.11g networks showed less degradation than 802.11a networks, because the orthogonal channels of 802.11g (in the 2.4 GHz band) had a larger channel separation than the orthogonal channels of 802.11a (in the 5 GHz band).
A general approach to launching jamming attacks with cognitive radios on multiple channels of a wireless network was presented in [22]. The authors examine the number of channels or users blocked by simple constant and periodic jamming attacks on TCP traffic while varying the channel switching delay, the jamming packet size and the number of users on the channel. We look at this in more detail and incorporate our approach in Chapter 4.
With respect to 802.11n, [19] details the effects of jamming on 802.11n networks. Indoor 802.11 testbeds are used to study the impact of a jammer that resides on a channel orthogonal to the one used by the legitimate nodes, and the behaviour of 802.11b/g/n networks under this jamming condition is analyzed. The results suggest that 802.11n is more vulnerable than 802.11b or 802.11g networks. Their observation for 802.11n is that a jammer on an adjacent orthogonal channel affects the transmission of data packets on a link. With channel bonding in 802.11n, the impact of the jammer is increased further, because channel bonding starts to eliminate orthogonality. Their results indicate that frequency hopping would not be a feasible mitigation for jamming attacks on 802.11n networks with channel bonding: bonding leaves fewer channels to hop to, and the jammer affects legitimate communication from an adjacent orthogonal channel. Other types of 802.11n DoS attacks are presented in [10]. In [10], DoS attacks are

performed by targeting the management frames. In 802.11n, management frames such as beacon frames and action frames are not encrypted on the medium and are therefore susceptible to DoS attacks. Two new MAC layer attacks that exploit weaknesses of the 802.11n standard are called the quiet attack and the channel switch attack. A node can send channel switch announcement frames to all other nodes when a channel measurement reveals that the channel in use needs to be switched. The announcement frame carries the new channel number and a time limit within which the channel change must take place. An attacker spoofs this frame, either with an invalid channel number to switch to or with a large time limit, in which case the nodes remain silent for that period until they switch channels. [10] also presents two further MAC layer attacks on 802.11n: the DELBA attack and the ATIM attack.
The DELBA attack exploits the block acknowledgement mechanism introduced in 802.11n. The sender sends an add block acknowledgement (ADDBA) request that specifies the buffer size and the starting sequence number of the data stream [10]. The receiver answers with an ADDBA response and may adapt the buffer size to its capabilities. The sender then sends multiple data packets and requests a block ACK from the receiver. In the teardown phase, the sender sends a delete block acknowledgement (DELBA) message, which ends the block acknowledgement session and frees the buffers of sender and receiver. The authors of [10] propose forging the DELBA message: by impersonating the sender of an established block acknowledgement session, an attacker terminates the session prematurely, which frees the allocated resources and also drops all packets received so far.
Wireless nodes sleep to conserve battery power. An announcement traffic indication message (ATIM) indicates whether data is to be sent to a node after it wakes up from the sleep state. In the ATIM attack, an adversary forges ATIM messages to force all or specific stations to stay awake permanently.
[24] provides experimental studies on 802.11n. Its primary focus is to present the 802.11n physical and MAC layer features and study their effectiveness in different situations, such as adjacent channel interference and the presence of an 802.11g node. 802.11n links are degraded in the presence of 802.11g nodes. Also, although a 40 MHz channel increases throughput, [24] presents scenarios in which interference within the 40 MHz channel significantly degrades the throughput.
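The block acknowledgement mechanism of Section 2.3.2 and the forged-DELBA teardown of [10] described above can be traced with the following Python model of a receiver. It is an added example, not code from the thesis or from [10]: frames are reduced to the fields the exchange needs (a source address as a plain string, 12-bit sequence numbers, a 64-bit compressed Block ACK bitmap), and the ADDBA/BAR/DELBA frames are represented as dictionaries rather than real 802.11 action and control frames.

```python
"""Block Ack session between a sender and a receiver, and the forged-DELBA
teardown of [10]. Added example, not code from the thesis. Frames are reduced
to the fields the exchange needs; real frames also carry a TID, dialog tokens
and a timeout."""
from dataclasses import dataclass, field
from typing import Optional

SEQ_MOD = 4096        # sequence numbers are 12 bits
BITMAP_BITS = 64      # the compressed BlockAck bitmap covers 64 MPDUs


@dataclass
class BlockAckReceiver:
    addr: str
    peer: Optional[str] = None
    buffer_size: int = 0
    ssn: int = 0                                   # start of the receive window
    reorder: set = field(default_factory=set)      # received, not yet released
    released: list = field(default_factory=list)   # passed to the upper layer
    active: bool = False

    def on_addba_request(self, src, buffer_size, ssn):
        """ADDBA Request carries the sender's buffer size and starting sequence
        number; the receiver may shrink the buffer to what it can hold."""
        self.peer, self.ssn = src, ssn
        self.buffer_size = min(buffer_size, BITMAP_BITS)
        self.reorder.clear()
        self.active = True
        return {"type": "ADDBA-Response", "status": 0, "buffer_size": self.buffer_size}

    def on_ampdu(self, src, seqs):
        """One A-MPDU: every MPDU carries its own sequence number. MPDUs outside
        the receive window are dropped; the rest wait in the reorder buffer."""
        if not self.active or src != self.peer:
            return False
        for s in seqs:
            if (s - self.ssn) % SEQ_MOD < self.buffer_size:
                self.reorder.add(s % SEQ_MOD)
        return True

    def on_bar(self, src, ssn):
        """Block Ack Request -> BlockAck: bit i set means MPDU ssn+i was received."""
        if not self.active or src != self.peer:
            return None
        bitmap = 0
        for s in self.reorder:
            offset = (s - ssn) % SEQ_MOD
            if offset < BITMAP_BITS:
                bitmap |= 1 << offset
        return {"type": "BlockAck", "ssn": ssn, "bitmap": bitmap}

    def release_in_order(self):
        """Hand contiguous MPDUs from ssn upwards to the upper layer."""
        while self.ssn in self.reorder:
            self.reorder.remove(self.ssn)
            self.released.append(self.ssn)
            self.ssn = (self.ssn + 1) % SEQ_MOD
        return list(self.released)

    def on_delba(self, src):
        """DELBA is an unprotected action frame: the only check a receiver can make
        is that the source address matches the session peer, and that address is
        exactly what an attacker spoofs. Returns how many buffered MPDUs were lost."""
        if not self.active or src != self.peer:
            return None
        dropped = len(self.reorder)
        self.reorder.clear()
        self.active, self.peer = False, None
        return dropped


def missing_from_blockack(sent_seqs, blockack):
    """Sender side: MPDUs whose bit is clear must be retransmitted."""
    return [s for s in sent_seqs
            if not (blockack["bitmap"] >> ((s - blockack["ssn"]) % SEQ_MOD)) & 1]


if __name__ == "__main__":
    rx = BlockAckReceiver("ap")
    print(rx.on_addba_request("sta1", buffer_size=64, ssn=0))
    rx.on_ampdu("sta1", [0, 1, 2, 4, 6, 7])            # MPDUs 3 and 5 lost on the air
    ba = rx.on_bar("sta1", 0)
    print(f"BlockAck bitmap {ba['bitmap']:#x}, retransmit {missing_from_blockack(range(8), ba)}")
    rx.on_ampdu("sta1", [3, 5])
    print("released in order:", rx.release_in_order())
    rx.on_ampdu("sta1", [8, 10, 11])                   # 9 lost, three MPDUs held for reordering
    print("forged DELBA from 'sta1' dropped", rx.on_delba("sta1"), "buffered MPDUs")
    print("later A-MPDU accepted into session:", rx.on_ampdu("sta1", [9]))
```

The receiver cannot tell the forged DELBA from a genuine one: the frame is accepted on the strength of its source address alone, the three MPDUs waiting in the reorder buffer are discarded, and subsequent aggregates from the real sender are no longer handled as part of a block acknowledgement session.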

[23] focuses on how narrowband interference can be mitigated via multi-antenna techniques at the receiver. Here, jamming pulses are transmitted in a particular channel to study the effects of jamming. Nodes in this channel use multi-antenna techniques to increase the throughput. [23] shows that multi-antenna techniques can be used to reject narrow band jammers. It is possible to sustain a high throughput communications link in the presence of a narrowband interference source. The authors of [14] study how an intelligent adversary can disrupt MIMO communication by targeting the channel estimation procedure. MIMO systems require channel state information (CSI). [14] analyzes the vulnerabilities associated with jamming the CSI estimation procedure. CSI refers to known channel properties of a communication link. This information describes how a signal propagates from the transmitter to the receiver and represents the combined effect of, for example, scattering, fading, and power decay with distance. By attacking only the CSI, the jammer remains fairly covert and power conservative as the jammer only needs to operate during a small fraction of user transmission time. Our approach is different from [14] because, the authors jam the CSI, which is jamming before any data packets are in the medium. In our case, we intelligently jam the packets in the medium by dynamically adjusting jamming activity using a cognitive radio. For a DoS attack directed towards the wireless client, [21] focused on monitoring the effective throughput and stability of 802.11n and 802.11g. The DoS attack under consideration is packet flooding [PHY layer]. This cannot be classified as a MAC layer attack as there is no exploitation of control or management frames. Although this is a less-intrusive DoS attack method, [21] focuses on the effectiveness of MIMO architecture against DoS attacks. [21] compares the impact of DoS attack on throughput for 802.11n and 802.11g networks. 
[7] highlights the effects of interference in 802.11b/g/n networks. With respect to 802.11n, small amounts of interference can cause significant performance degradation of the network. In [16], an anti-jamming system has been developed for 802.11 networks. [16] shows that, although 802.11n uses MIMO, 802.11n links present the same vulnerabilities as 802.11g links in the presence of a jammer. This is because 802.11n still employs CSMA/CA, and as a result the jamming signals can render the medium busy for a MIMO node as well.

Chapter 4
802.11g Jamming Attacks using Cognitive Radio

We have implemented jamming scenarios for 802.11g using a model of a cognitive radio as a jammer [20]. We provide the simulation setup along with different jamming scenarios and evaluate their results. We have used the OPNET v16 and v16.1 modeler for network simulation. The following sections provide the initial jamming model, a description of each 802.11g jamming scenario, and their results.

4.1 Simulation and Jamming Models

We have used the 802.11 wireless LAN model from OPNET v16. For our simulation study, we extended the wireless LAN model from [1] but with the network and transport layers removed. Including the network and transport layers would exaggerate the effects of the jamming attack, and hence we have not used them in our simulations. We have heavily modified this OPNET model for our simulation study. To study the effects of jamming on network throughput, we used the scenario shown in Figure 4.1. For our simulation, we have three separate networks, each consisting of 12 wireless nodes and an AP. The AP relays messages between the twelve nodes on one network and is shown to be a bottleneck. Each node in the network sends data packets randomly to the other eleven nodes through the AP. The three networks are essentially independent but use channels 1, 6, and 11 of the 802.11g spectrum respectively. Figure 4.2 provides an overview of the base setup with respect to the channel usage by the three networks.

Figure 4.1: Base scenario model with jammer
Figure 4.2: Channel allocation for three networks

In OPNET, a wireless node model uses a source and a sink module to simulate the higher layers (IP, TCP, Application, etc.). Our source model generates packets sent to random destination addresses. The packets received at the destination nodes are discarded at the sink module [26]. The OPNET node model for a wireless workstation is given in Figure 4.3. Figure 4.4 shows the wireless attributes such as channel number, data rate, etc. of a wireless station node. We see that all the stations are configured with ERP 802.11g as their physical characteristics. We set the data rate to 18 Mbps but also consider other data rates in our simulations, which are shown later in this chapter.

Figure 4.3: OPNET node model for wireless workstation
Figure 4.4: Attributes of wireless workstation

In our scenarios, we assume all three networks to be pure g networks. Thus, there are no 802.11b stations in any of the networks. If 802.11b devices are present, the jamming becomes significantly more effective. The majority of the simulations will be carried out for the BSS only. Early results will show that both the CTS-to-Self and the RTS/CTS cases have very impaired throughput, and moderate jamming makes the final throughput for these cases essentially zero. Hence, the primary setup consists of pure g devices with both the CTS-to-Self and RTS/CTS options not set. All nodes follow the standard CSMA/CA mechanism. The traffic generation parameters of a wireless station node are shown in Figure 4.5. The packet size is a constant 1500 bytes with a packet interarrival time of exp(0.02) seconds. These traffic generation parameters are used for all nodes in all three networks. All packets are sent to the AP and then relayed to a random node. We can easily see that this load saturates the network. The offered load for each network of 12 nodes is: (1500 + 28 header) * 50 pkts/sec * 8 bits/byte * 12 nodes = 7.33 Mbps. Since this offered load must be sent to the AP and the AP must relay it to the destination node, the net offered load becomes nearly 15 Mbps. Many of the scenarios considered use the nominal 802.11g rate of 18 Mbps. We measure the throughput for any of the networks to be just over 2 Mbps and over 6 Mbps for the sum of the three networks, as given in Figure 4.6. As we mentioned earlier, all the packets are sent to the AP and then the AP sends these packets to the destination nodes. Thus, the AP is a bottleneck and the overall throughput of each network is nearly halved. Figure 4.6 provides a baseline throughput without the jammer. It should be noted that the baseline throughput with protection mechanisms is lower due to the overhead of CTS-to-Self and RTS/CTS frames.

Figure 4.5: Traffic generation parameters of a wireless workstation
Figure 4.6: Baseline throughput total for three networks with no jamming

For our simulations, we have modified the single band jammer from OPNET v16. Figure 4.7 shows the attributes of the single band jammer. This jammer module is modified such that jamming packets are transmitted separately and at different times on the three orthogonal channels. The center frequencies of channel 1, channel 6 and channel 11 are 2412 MHz, 2437 MHz and 2462 MHz respectively. Using our jammer, we attack the center of these channels with a narrow jammer bandwidth of 1/10th of the total channel bandwidth (20000 kHz). Thus, the base frequency of the jammer is set to 2411 MHz for channel 1 with a jammer bandwidth of 2000 kHz. The jammer is designed such that it switches to 2436 MHz (for channel 6), again with a jammer bandwidth of 2000 kHz, then to 2461 MHz (for channel 11), and then back to channel 1. This cycle of channel switching continues until the end of the simulation. The power of the jammer is set to 0.001 W. During our study, we also varied the jammer bandwidth in each of the channels. We varied the jammer bandwidth from 1000 kHz to 20000 kHz and found that the effect on throughput remains the same for different jammer bandwidth values at a constant power of 0.001 W.

Figure 4.7: Attributes of jammer

In the following sections, we provide two types of multi-network jamming: 1) periodic and exponential multi-network jamming and 2) reactive and intelligent multi-network jamming. We have assumed that our cognitive radio based jammer has a channel switching delay of 400 µs. This is based on the fast switching capability of the cognitive radio [22].

Thus, with a jammer packet delay of 100 µs within the channel and an additional 400 µs of channel switching delay, periodic jamming takes 500 µs per channel, measured from the jamming on the previous channel. We show by analysis that periodic jamming (500 µs per channel) of 1500 B packets (which require 747 µs for a complete transmission) should reduce the throughput to approximately 25% of the original throughput. With 802.11g networks, the basic timing parameters are:

1. 802.11g SIFS = 10 µs.
2. 802.11g fast slot time = 9 µs. This fast slot time is used only in a pure g network without any 802.11b devices.
3. 802.11g DIFS = 2 x Slot time + SIFS.
4. As mentioned earlier, 802.11g transmissions consist of a series of symbols. At 18 Mbps, each symbol encodes 72 bits. Thus, for a packet size of 1500 bytes along with a header of 36 bytes, a total of 12288 bits can be encoded in 170 symbols. The transmission time of each symbol is 4 µs.
5. Each packet requires a 20 µs header before transmission to synchronize the receiver. Also, at the end of each packet, 6 µs is added as a signal extension to provide backwards compatibility.

Each network receives a jamming signal on average every 1500 µs. For example, the jammer initially attacks channel 1 and takes on average 1500 µs to come back to channel 1 to attack this network again. The complete transmission time for a packet of size 1500 B is provided in Table 4.1. Because of the additional collisions generated, the expected reduction in throughput should be even more than that caused by the jamming alone. Our results in the following sections provide a reasonable verification of this analysis. Thus, with 747 µs as the total time for transmitting a 1500 B packet and a jamming pulse transmitted on each network on average every 1500 µs, an approximate probability is given by

P(Jammer packet hitting a 1500 B pkt in transmission) = 747 µs / 1500 µs = 0.498

Table 4.1: Timings of transmitting a 1500 byte packet in pure g network
  Data    Time     Details
  DIFS    28 µs    (2*9) + 10
  Data    709 µs   20 + (4 * 170) + 6
  SIFS    10 µs    SIFS for 802.11g = 10 µs
  Total   747 µs   28 + 709 + 10

The actual jamming can occur prior to the data being sent, and hence the total time during which the jamming has an effect will be slightly less than the 747 µs. However, 677 µs is attributed to the transmission of the packet itself. Thus,

P(1500 B pkt in transmission not hit by jamming packet) = 1 - P(Jammer packet hitting a 1500 B pkt in transmission) = 0.502

Since packets are transmitted from a source node to the AP and then from the AP to the destination node,

P(Successful transmission of 1500 B packet) = P(Successful transmission of 1500 B packet from source to AP) x P(Successful transmission of 1500 B packet from AP to destination) = 0.502 x 0.502 = 0.25

Thus, periodic jamming (500 µs per channel) of 1500 B packets should reduce the throughput to approximately 25% of the original throughput.
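The airtime and hit-probability analysis above, carried through in code as an added example (this is not the thesis's OPNET model or any of its appendix code): it computes per-frame airtime from the timing parameters listed in this section, the probability that a pulse arriving once per jammer period lands inside a frame, and the two-hop success probability through the AP, and generalizes the calculation to the other ERP-OFDM data rates and packet sizes used later in this chapter. The function names, the ceil() rounding of the symbol count (the thesis rounds to 170 symbols and 747 µs; ceil gives 171 symbols and 748 µs), and the simplification that ACK airtime and collisions are ignored, as in the thesis's own estimate, are my assumptions.

```python
"""Airtime and jamming-hit model for pure-g (ERP-OFDM) 802.11g frames.

Added example reproducing the Section 4.1 analysis; not the thesis's OPNET code.
Assumptions (mine): ACK airtime and collisions are ignored, the symbol count is
rounded up as the PHY pads it, and a jamming pulse is a point event arriving
once per JAMMER_PERIOD_US, uniformly in time.
"""
import math

# Timing parameters as listed in the text (pure-g network, fast slot time).
SIFS_US = 10
SLOT_US = 9
DIFS_US = 2 * SLOT_US + SIFS_US      # 28 us
PLCP_HEADER_US = 20                  # preamble + header before the data symbols
SIGNAL_EXTENSION_US = 6              # trailing extension for backwards compatibility
SYMBOL_US = 4
MAC_HEADER_BYTES = 36                # header size the thesis counts towards airtime


def bits_per_symbol(rate_mbps):
    """ERP-OFDM encodes rate * 4 us bits per 4 us symbol (18 Mbps -> 72 bits)."""
    return rate_mbps * SYMBOL_US


def data_symbols(payload_bytes, rate_mbps):
    """Number of OFDM symbols for payload + MAC header, rounded up (assumption)."""
    total_bits = (payload_bytes + MAC_HEADER_BYTES) * 8
    return math.ceil(total_bits / bits_per_symbol(rate_mbps))


def frame_airtime_us(payload_bytes, rate_mbps):
    """DIFS + (PLCP header + data symbols + signal extension) + SIFS, in us.

    For 1500 B at 18 Mbps the thesis tabulates 747 us with 170 symbols;
    rounding up gives 171 symbols and 748 us.
    """
    data_us = (PLCP_HEADER_US
               + SYMBOL_US * data_symbols(payload_bytes, rate_mbps)
               + SIGNAL_EXTENSION_US)
    return DIFS_US + data_us + SIFS_US


def p_hit(payload_bytes, rate_mbps, jammer_period_us):
    """Probability that one pulse per period lands inside the frame (capped at 1)."""
    return min(1.0, frame_airtime_us(payload_bytes, rate_mbps) / jammer_period_us)


def p_end_to_end_success(payload_bytes, rate_mbps, jammer_period_us):
    """Source -> AP and AP -> destination must both survive (independent hits)."""
    survive_one_hop = 1.0 - p_hit(payload_bytes, rate_mbps, jammer_period_us)
    return survive_one_hop * survive_one_hop


def degradation_table(rates=(6, 9, 12, 18, 24, 36, 48, 54),
                      sizes=(1500, 1000, 500, 200),
                      jammer_period_us=1500):
    """Expected fraction of baseline throughput retained, keyed by (rate, size)."""
    return {(r, s): round(p_end_to_end_success(s, r, jammer_period_us), 3)
            for r in rates for s in sizes}


if __name__ == "__main__":
    print("1500 B @ 18 Mbps airtime:", frame_airtime_us(1500, 18), "us")
    print("P(hit) :", round(p_hit(1500, 18, 1500), 3))
    print("P(success, two hops):", round(p_end_to_end_success(1500, 18, 1500), 3))
    for key, frac in sorted(degradation_table().items()):
        print(f"rate {key[0]:2d} Mbps, {key[1]:4d} B payload -> {frac:.3f} of baseline")
```

The model captures timing only: it predicts that large frames at low rates are the most exposed (which matches the packet-size results later in this chapter), but it cannot reproduce the 54 Mbps collapse in Figure 4.13, which the thesis attributes to the higher SNR requirement of that modulation. On the defensive side, this is the kind of quick bound a network owner can use to estimate how much throughput a given narrowband interferer with a known pulse period would cost a BSS.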

4.2 Periodic and Exponential Multi-Network Jamming

In this section, we provide simulation results for periodic and exponential jamming attacks. For all attacks presented here, the jammer is not required to be a part of the targeted network but needs to be able to sense transmission energy in the appropriate frequency. For these attacks, a short jamming pulse is transmitted that causes interference or makes the network appear busy. We label the networks running on channels 1, 6, and 11 as N1, N2, and N3 respectively. The CR acts as a jammer sending a short pulse (8 bits) on N1, then switches to N2 and then to N3 to complete one cycle. As mentioned earlier, we have assumed the switching delay between networks to be 400 µs based on the fast switching capability of a CR. This is incorporated in the modified version of our jammer module. The jammer starts transmitting packets five seconds after the start of the simulation. A general algorithm for periodic and exponential jamming is provided in Algorithm 1. Appendix A provides the jammer code module modifications required for periodic and exponential jamming. Our first jamming scenario consists of periodic jamming attacks with constant and exponential delays after the jammer switches to the new network. We consider two values, a) 100 µs and b) 400 µs, for each case of constant delay and exponential delay. This value is set in the Jammer Packet Interarrival Time attribute of the jammer. Along with the jammer packet interarrival time, we also add the channel switch time. Thus, the simulation was done with 100 µs and 400 µs plus the 400 µs channel switch time as the time between jamming transmissions. The effect of the periodic jamming attack with constant and exponential delay is shown in Figure 4.8. Constant delay is significantly more effective than exponential delay in reducing the network throughput.

Figure 4.8: Constant and exponential periodic jamming

Algorithm 1: Periodic and Exponential Jamming
Data: Jammer attributes: base frequency, bandwidth, etc.
  Set base frequency to 2411            /* Set the base frequency (MHz) to ch 1 */
  Set bandwidth to 2000                 /* Set the narrow jammer bandwidth (kHz) */
  Set channel switch delay to 400       /* Set CR channel switch delay (µs) */
  while simulation duration not expired do
      sendjammingpkt()                  /* Sends jamming packet in ch 1 */
      wait for channel switch delay
      Add 25 to base frequency          /* Switch to center frequency of ch 6 */
      sendjammingpkt()                  /* Sends jamming packet in ch 6 */
      wait for channel switch delay
      Add 25 to base frequency          /* Switch to center frequency of ch 11 */
      sendjammingpkt()                  /* Sends jamming packet in ch 11 */
      wait for channel switch delay
      switch to channel 1               /* Switch to center frequency of ch 1 */
  end
  Check for network throughput at the end of simulation

However, periodic jamming with constant intervals would be easily detected, and the nodes could adjust their transmission patterns to evade the jammer and optimize throughput. Thus, all scenarios after Figure 4.8 are conducted with exponential jammer delays.

802.11g devices can communicate at the distinct data rates of 6, 9, 12, 18, 24, 36, 48 and 54 Mbps. In this scenario, we show the effects of our jamming attack and the degradation in throughput at five of these data rates. This simulation uses the base scenario with all nodes generating 1500 byte packets with an interarrival time of exp(0.02) seconds. All the jamming scenarios in this section were run for 10 iterations with different random seeds. Figure 4.9 shows 10 iterations with different random seeds for exponential jamming at 18 Mbps. We have shown a snapshot from the OPNET simulation to present the results with better clarity. While Figure 4.9 shows the instantaneous throughput result, Figure 4.10 shows the average throughput result for the same scenario. With 10 iterations, Figure 4.11 and Figure 4.12 present the 95% confidence interval for exponential jamming at 18 Mbps for instantaneous and average throughput respectively.

Figure 4.9: Instantaneous - exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds.
Figure 4.10: Average - exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds.
Figure 4.11: 95% confidence interval - instantaneous throughput for exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds. The black line represents the confidence intervals.
Figure 4.12: 95% confidence interval - average throughput for exponential jamming at 18 Mbps with 10 iterations. Each color represents one of the 10 iterations with different random seeds. The black line represents the confidence intervals.

Signal-to-Noise Ratio (SNR) is a critical factor when data is transferred at different data rates. This is because the data rates use different underlying modulation techniques. A greater SNR is required for the more efficient modulation techniques (QAM-64), whereas less efficient modulation techniques such as BPSK tolerate a lower SNR and are therefore more resilient to channel noise. Figure 4.13 shows exponential jamming with a total of 500 µs delay at different data rates. We have again provided a snapshot result from the OPNET simulation, which presents the results with more clarity. It can be seen that at 54 Mbps there is a significant reduction in the aggregate throughput of all three networks. This is because networks with data rates of 54 Mbps have higher SNR requirements than networks with lower data rates. Also, at 54 Mbps and 36 Mbps, the throughput is degraded due to the transmission power (0.005 W) of the g nodes. With 36 Mbps and 54 Mbps, if we increase the 802.11g nodes' transmission power from 0.005 W to 0.05 W, then the throughput under jamming conditions improves to 5.5 Mbps from 0.5 Mbps.

Figure 4.13: Exponential jamming at different data rates

In the previous scenario with different data rates, all nodes generate 1500 byte packets with an interarrival time of exp(0.02) seconds. The jammer generates packets (8 bits) with exp(100) µs of additional delay. Thus, each network is effectively jammed on a distributed iteration period of 1500 µs that consists of a fixed 1200 µs and then an Erlang distribution with mean 300 µs (i.e. 1200 µs + (3 * Exponential(100) µs)). We use the same interarrival time in the following simulations unless otherwise specified.

We next varied the offered packet sizes generated by the wireless nodes in the three networks but with a constant bps load, and thus the interarrival times were changed accordingly. The packets generated were of sizes 1500 bytes, 1000 bytes, 500 bytes and 200 bytes. It is to be noted that all nodes in the scenario generate the same packet size in each of the four cases. It can be seen in Figure 4.14 that with larger packet sizes exponential jamming is very effective, but it is less effective when the packet sizes are smaller. For example, with packet sizes of 1500 bytes and 1000 bytes there is a significant throughput reduction when compared to the reduction for packet sizes of 500 bytes and 200 bytes. The base throughput for each case is purposefully omitted to provide more clarity in the results but can easily be extrapolated from the first five seconds. This scenario has all three networks fully loaded. As would be expected, without jamming, when the packets are larger the throughput is greater, and when the packets are smaller (200 bytes) the throughput is diminished.

Figure 4.14: Exponential Jamming - Varying offered packet sizes (constant total offered load)

Figure 4.15: Exponential Jamming - Varying packet sizes (constant arrival rate)

The next scenario varies the packet sizes as above but keeps a constant interarrival rate. In this case, we go from heavily loaded to lightly loaded networks. Specifically, we study the effect of exponential jamming attacks while varying the packet sizes as 1500 bytes, 750 bytes, 375 bytes and 187 bytes and keeping the interarrival time at exp(0.02) seconds. Again, all nodes in the scenario generate the same packet size. Figure 4.15 clearly shows that for smaller packets the effect of the exponential jamming attack is minimal. This is because, with the jammer iteration period of 1500 µs, many smaller packets are transmitted successfully. To jam the above scenario successfully and to increase the effectiveness of the CR jammer, reactive and intelligent jamming attacks are introduced in the next section.

4.3 Reactive and Intelligent Multi-Network Jamming

Though periodic and exponential jamming attacks significantly reduced the combined throughput of the three networks, the CR based jammer can be used more effectively and efficiently, both in terms of decreasing throughput and in terms of its power requirements. Reactive and intelligent jamming attacks not only lower the power consumption of the CR jammer, but also increase the effectiveness of the jamming attack.

Table 4.2: Average throughput at different data rates
  Data rate   Exponential Jamming                  Reactive Jamming
  (Mbps)      Avg throughput   Jamming signals     Avg throughput   Jamming signals
              (bps)            sent                (bps)            sent
  6           676,852          50,665              39,183           5,953
  12          1,273,907        50,012              34,893           10,359
  18          980,200          49,975              183,673          14,684
  36          155,304          50,444              25,593           31,880
  54          262,040          50,114              46,530           43,099

In this type of attack, the CR jammer dynamically adapts its jamming activity to the traffic on any of the three networks. The CR must monitor the activity on each network for a fixed time before it can intelligently jam. We can jam to minimize the total throughput of the three networks, or attack one network very strongly while still reducing the throughput on the other two to, perhaps, 50% of the original throughput. Appendix B provides the jammer code module modifications required for reactive and intelligent jamming. Also, in reactive intelligent jamming, we do not jam any transmissions that have already suffered a collision with another 802.11g message. To study the jamming effectiveness, we consider the scenario used in Figure 4.13 and apply reactive intelligent jamming attacks to it. In this scenario, we find the average throughput for different data rates under the jamming attack. We vary the data rate and study the throughput degradation for different capacities (6, 12, 18, 36 and 54 Mbps). Also, all nodes transmit 1500 byte packets with an interarrival time of exp(0.02) seconds. Table 4.2 provides the average throughput at each of the data rates during the time of jamming. The CR jammer spends a maximum time of 200 µs in each of the networks to sense whether the medium is busy or not. If the medium is busy during this time, the CR jammer sends jamming noise for a duration of eight bits and switches to the next network. If the medium is not busy within the maximum wait time, the jammer does not transmit but just moves to the next network. This cycle is carried out throughout the simulation. All experiments in this section are run for a duration of 10 seconds, during which the CR jammer starts its transmission at 5 seconds. The limited duration of the simulation was due to OPNET's running time. It can be seen from Table 4.2 that reactive jamming is efficient and effective compared to exponential jamming, since the throughput is reduced by a factor of 4 to 30 and fewer jamming transmissions were needed.

In Figure 4.15 we saw that exponential jamming was not very effective for lightly loaded networks with small packets. We now apply reactive intelligent jamming to this scenario to show how effective and efficient this jamming technique is. The jammer spends 200 µs in each of the networks to sense whether the medium is busy or not before moving on to the next network. Table 4.3 provides a comparison of the average throughput for exponential jamming and reactive jamming for different packet sizes (1500 B, 500 B, 375 B and 187 B) with a constant interarrival time of exp(0.02) seconds. This clearly shows that reactive jamming has a significant effect on lightly loaded networks with smaller packet sizes. The reason for this effect is that the CR jammer waits for the medium to be busy and then transmits jamming signals. This way, it ensures that the smaller data packet is hit, rather than randomly hitting only larger data packets. Since the CR jammer monitors the network for the medium to be busy, reactive and intelligent jamming does not transmit except when it is destroying an uncollided data packet or its ACK.

Table 4.3: Jamming Efficiency - Varying packet sizes with interarrival time of exp(0.02) seconds
  Pkt size   Avg. throughput (bps)
  (Bytes)    Exponential Jamming   Reactive Jamming
  1,500      980,200               183,673
  500        1,574,488             98,847
  375        1,323,177             114,520
  187        773,986               104,620

We now consider very lightly loaded networks (20% of the load of Table 4.3). All nodes generate packets every exp(0.1) seconds. Nodes belonging to N1, N2 and N3 generate packets of 1500 bytes, 375 bytes, and 187 bytes respectively. Figure 4.16 presents the results. Since each network has a different load, the CR monitors and dynamically adjusts the time spent in each network to sense the medium before switching to the next network. The maximum jammer time spent in each network depends on the importance of DoS for that network. For example, to affect a lightly loaded network N2, we would spend more time waiting for a data packet/ACK in that network before moving on to the next network. The jammer can easily target one network and obtain complete DoS for that network. However, to successfully jam three networks simultaneously, the CR jammer needs to adjust the resources it allocates to each network. In Figure 4.16, the CR jammer potentially spends 500 µs, 1500 µs and 2000 µs in N1, N2 and N3 respectively. As soon as the jammer senses a non-colliding transmission in that network, it jams and moves to the next network. Thus, it can be seen that with this combination of packet size and jammer time in network, N1 still achieves the greatest percentage of jamming. A general algorithm for reactive and intelligent multi-network jamming is provided in Algorithm 2.

Figure 4.16: Reactive Jamming - Three networks with different loads

Algorithm 2: Reactive and Intelligent Multi-Network Jamming
Data: Jammer attributes: base frequency, bandwidth, etc.
  Set base frequency to 2411            /* Set the base frequency (MHz) to ch 1 */
  Set bandwidth to 2000                 /* Set the narrow jammer bandwidth (kHz) */
  Set channel switch delay to 400       /* Set CR channel switch delay (µs) */
  Set busy wait time to 200             /* Wait time for busy status in the medium (µs) */
  while simulation duration not expired do
      SenseAndJam(channel 1)            /* Sense and jam in ch 1 */
      wait for channel switch delay
      Add 25 to base frequency          /* Switch to center frequency of ch 6 */
      SenseAndJam(channel 6)            /* Sense and jam in ch 6 */
      wait for channel switch delay
      Add 25 to base frequency          /* Switch to center frequency of ch 11 */
      SenseAndJam(channel 11)           /* Sense and jam in ch 11 */
      wait for channel switch delay
      switch back to channel 1          /* Switch to center frequency of ch 1 */
  end
  Check for network throughput at the end of simulation

Function SenseAndJam(ChannelNumber)
  while busy wait time not expired do
      if medium is busy then
          sendjammingpkt()              /* Sends jamming packet in ChannelNumber */
          exit loop
      else
          continue checking for busy status
      end
  end

Chapter 5
Jamming Attacks and Effects in 802.11n

In this chapter, we study jamming attacks in an 802.11n network. First, we provide a single 802.11n network without any jammer and study the throughput under different conditions, such as a) nodes working in the 2.4 GHz band, b) nodes working in the 5 GHz band, c) the introduction of a legacy 802.11g node, etc. With some of these base scenarios, we introduce a jammer into the 802.11n network and study the throughput degradation. Similar to 802.11g multi-network jamming, we provide an 802.11n multi-network jamming attack using a cognitive radio as the jammer. In this chapter, we provide a different style of jamming attack with three 802.11n networks working in the 5 GHz band. We have used OPNET v16.1 for the 802.11n simulations. The following section provides the initial jamming model, a description of the 802.11n jamming scenarios, and their results.

5.1 Simulation and Jamming Models

We have used the 802.11 wireless LAN model from OPNET v16.1. Similar to our simulation study in 802.11g, we have removed the network and transport layers from the wireless node model. The effects of jamming attacks would be increased if we included the network and transport layers, and hence we have not used them in our simulations. For our initial study on the effects of jamming on network throughput, we used the scenario shown in Figure 5.1.

Figure 5.1: Single 802.11n network

Our primary scenario consists of a single 802.11n network with 12 wireless nodes and an AP. All the nodes in our base scenario use IEEE 802.11n. We provide the base throughput with nodes running in both the 2.4 GHz and 5 GHz bands. Similar to our 802.11g simulations, the AP relays messages between these twelve nodes and is a bottleneck. Also, data packets are sent randomly from each of the nodes to all other nodes in the network. As mentioned earlier in chapter 4, our wireless node model uses source and sink modules to eliminate the higher layers (IP, TCP, Application, etc.). Our source model generates packets sent to random destination addresses. The packets received at the destination nodes are discarded at the sink module [26]. The wireless node model was shown in Figure 4.3 and is not repeated here. 802.11n differs from 802.11g in its physical node attributes. Figure 5.2 shows the wireless attributes such as channel number, data rate, etc. of a wireless station node. We see that all the stations are configured with HT PHY 5 GHz (802.11n) physical characteristics. We set the data rate to 19.5 Mbps in all our simulations unless otherwise specified. As mentioned in chapter 2, 802.11n provides the capability to achieve high throughput by varying some of its parameters such as guard interval, spatial streams, etc. These parameters are provided in the 802.11n node's attributes. Figure 5.3 shows these high throughput parameters. The number of spatial streams can be 1, 2, 3 or 4. As explained in chapter 2, higher throughput can be achieved by using more spatial streams. The guard interval can be either 800 ns (regular) or 400 ns. The shorter guard interval increases the overall network throughput.

Figure 5.2: 802.11n node attributes
Figure 5.3: 802.11n high throughput parameters

In our scenarios, we assume our network to be a pure n network. Thus there are no 802.11a/b/g stations in the network, and we have therefore disabled RTS/CTS and CTS-to-Self protection, as there are no legacy devices in the network. Inclusion of a legacy device (802.11a/b/g) degrades the overall network throughput and causes jamming to be more effective. In our primary scenario, we show that both CTS-to-Self and RTS/CTS give lower throughput than the case where both protection mechanisms are disabled. All the nodes follow the standard CSMA/CA mechanism. The traffic generation parameters of an 802.11n wireless station node are the same as the 802.11g nodes' traffic parameters used in chapter 4. The traffic generation parameters were shown in Figure 4.5 and are not repeated here. The packet size is a constant 1500 bytes with a packet interarrival time of exp(0.02) seconds. These traffic generation parameters are set for all the nodes in the network. Also, in all the scenarios, the 802.11n nodes use 400 ns as the guard interval and a single spatial stream for transmitting data packets unless otherwise specified. We can calculate the offered load for this base network to be: (1500 + 28 header) * 50 pkts/sec * 8 bits/byte * 12 nodes = 7.33 Mbps. In all our scenarios, the AP is a bottleneck, as all the packets are sent to the AP and then the AP sends these packets to the destination nodes. Figure 5.4a provides a baseline throughput without the jammer for a pure n network. Here all the nodes use channel 1 of the 2.4 GHz band for communication. We measure the throughput for a single pure n network to be around 6.5 Mbps. Figure 5.4a also shows the throughput of the network when an 802.11b legacy device is present in the network. We can see that the throughput is significantly degraded when a b legacy device is present.

Figure 5.4: Baseline average throughput of single 802.11n network without jammer. (a): at 2.4 GHz with b device; (b): at 2.4 GHz with g device

Figure 5.4b provides the throughput when a g legacy device is present in the network. In both scenarios, protection mechanisms such as RTS/CTS and CTS-to-Self are used to improve the overall network throughput. When g devices co-exist with n devices, both g and n devices use OFDM for communication, with data rates of 18 Mbps and 19.5 Mbps respectively. Since both g and n devices use OFDM for communication, the throughput of the network is not severely degraded. But when b devices and n devices co-exist in a network, b devices use DSSS for communication with a data rate of 11 Mbps and n devices use OFDM with a data rate of 19.5 Mbps. For successful communication between an n device and a b device, a data rate of 11 Mbps is used. Thus, the overall throughput is degraded. This is similar to networks with g and b devices. Again, g and b devices use OFDM and DSSS respectively for communication. For communication between a g device and a b device, the data rate of 11 Mbps is used, and thus throughput is considerably degraded. By comparing Figure 5.4a and Figure 5.4b, we can see that an 802.11n network with a g legacy device provides a higher throughput than an 802.11n network with a b legacy device.

With 802.11n, similar to the 802.11g scenarios, initial jamming scenarios were run in the 2.4 GHz band. The throughput degradation was similar to the results obtained in the 802.11g scenarios. Since 802.11n allows nodes to operate in the 5 GHz band, we perform our jamming attacks with scenarios in the 5 GHz band unless otherwise mentioned specifically. Our primary scenario is a single 802.11n network. We use the single band jammer from OPNET v16.1. Figure 5.5 provides the attributes of the single band jammer attacking channel 36 in the 5 GHz band. The jammer base band frequency is set to 5179 MHz. In the case of the 2.4 GHz band, the jammer's base band frequency would be set to 2411 MHz (for channel 1). Again, we attack the center of these channels with a narrow jammer bandwidth (1/10 of the total channel bandwidth) of 2000 kHz. The jammer generates packets (8 bits) with a delay of exp(100) µs plus 400 µs of additional delay. The power of the jammer is set to 10 µW.

Figure 5.5: Jammer attributes

Table 5.1 provides an overview of the different scenarios considered in 802.11n and the transmission powers of the jammer. Table 5.1 can be referenced for all the jamming scenarios we have considered for 802.11n.

Table 5.1: Overview of different scenarios in 802.11n

Figure   Jamming frequency                                                          Transmission power
5.6      Center of ch 36                                                            10 µW
5.8      Edge of ch 36 and 40                                                       10 µW and 20 µW
5.10     Center of 1) ch 36  2) ch 40  3) ch 44                                     10 µW
5.11     Center of 1) ch 36  2) ch 40  3) ch 44                                     100 µW
5.12     Exp jamming at center of ch 36, 40, 44                                     10 µW
5.13     Exp jamming at edge of ch 36 and 40, and then at edge of ch 40 and 44      10 µW
5.14     Exp jamming at edge of ch 36 and 40, and then at edge of ch 40 and 44      10 µW and 20 µW
5.15     Exp jamming at center of ch 36, then at edge of ch 40 and 44               10 µW and 20 µW
5.16     Exp jamming at center of ch 36, and then at edge of ch 40 and 44           10 µW at center and 50 µW at the edge
5.17     Exp jamming (500 B pkt) at center of ch 36, then at edge of ch 40 and 44   10 µW at center and 50 µW at the edge

Figure 5.6 provides a baseline throughput of a single pure n network in the 5 GHz band without the jammer. Here all the nodes use channel 36 of the 5 GHz band. We measure the throughput for this network to be just over 6 Mbps. With the jammer parameters for the 5 GHz band, Figure 5.6 also shows the degradation of throughput in the jammer's presence. All scenarios after Figure 5.6 are conducted in the 5 GHz band.

We again consider our single pure n network in channel 36 of the 5 GHz band. We have already seen in the previous scenario that the throughput of the network decreases when the jammer attacks the center of the working channel. In the 5 GHz band, there are 23 orthogonal channels adjacent to each other. All these orthogonal channels have 20 MHz bandwidth. Since these orthogonal channels are adjacent to each other, we study the overall network throughput degradation when the jammer attacks the edge of two adjacent channels. Figure 5.7 shows the jammer's baseband frequency and the edge of two adjacent channels. In this case, the jammer's base band frequency is set to 5189 MHz with 2000 kHz of jammer bandwidth.

Figure 5.6: Average Throughput - Baseline and under jamming conditions at 5 GHz

Figure 5.7: Jammer attacking edge of two adjacent OFDM channels

In this simulation, we set the jammer power to 10 µW and then carry out the jamming attack at the edge of two adjacent channels. Overall network throughput degrades when the jammer attacks the edge of channels 36 and 40. From Figure 5.8, we can see that the throughput degradation is significantly higher when the center frequency of the channel is jammed. Next, we increased the jammer power level to 20 µW and carried out the jamming attack at the edge of two adjacent channels. From Figure 5.8, we can see that with higher power (20 µW) at the edge of the channel, the degradation of throughput is similar to a jamming attack at the center of the channel with power set to 10 µW. When we jam with lower power at the edge of the channel, interference across the whole bandwidth of the channel is modest, and thus the throughput of the network is marginally higher compared to jamming with higher power at the edge of the channel. With higher power, interference across the channel is higher, thus lowering the throughput significantly.

Figure 5.8: Average Throughput - Jammer attacking edge of a 5 GHz channel with 20 µW

During our study, we conducted the above experiment with two networks (one using channel 36 and the other using channel 40) and found that by attacking the edge of two adjacent channels (channel 36 and channel 40) with 20 µW of power, we degrade not only the throughput of the network in channel 36 but also the throughput of the network in channel 40. In the following section, we use this result for our multi-network jamming attack.

5.2 Periodic and Exponential Multi-Network Jamming

In this section, we provide simulation results for periodic and exponential jamming attacks in 802.11n. As with the periodic and exponential multi-network jamming attacks in 802.11g networks, the jammer is not required to be a part of the network, but must be able to sense transmission energy in the appropriate frequency. To study the effects of jamming on network throughput, we have used the scenario shown in Figure 5.9.

Figure 5.9: Base scenario with 3 networks in a single cell

In the 802.11n multi-network attacks, we have three separate networks, each consisting of 12 nodes and a corresponding AP. In order to provide a simple multi-network scenario, all three networks are present in a single cell. This is necessary in order to provide nearly identical distances from the single jammer. These three networks are independent and use channels 36, 40 and 44 of the 5 GHz spectrum respectively. We label the networks running on channels 36, 40 and 44 as N1, N2 and N3 respectively. Under the Unlicensed National Information Infrastructure (U-NII) rules, the 5 GHz channels are grouped as U-NII low, U-NII middle and U-NII upper. Channels 36, 40, 44 and 48 come under U-NII low. The channels are numbered 36, 40, 44 and 48 (and not 36, 37, 38, 39 etc.), but each of these channels is 20 MHz wide. To provide consistency with our scenarios in 802.11g, we have used three networks on the three channels 36, 40 and 44 in 802.11n. Each of these networks uses the same traffic generation parameters and node attribute settings discussed in our primary single network study (section 5.1). We assume all the nodes to be 802.11n, and thus there are no legacy devices in the network. Figure 5.2 and Figure 4.5 should be referenced for the node attribute settings and traffic generation parameters respectively. The packet size is a constant 1500 bytes with a packet interarrival time of exp(0.02) seconds. These traffic generation parameters are set for all the nodes in the network. Also, the 802.11n nodes use 400 ns as the guard interval and a single spatial stream for transmitting data packets. Again, within each network the AP is a bottleneck, as all the packets are sent to the AP and the AP then forwards them to the destination nodes. The base throughput of these three networks is just over 6 Mbps; it is not shown in a separate figure but is shown along with our first jamming scenario.

Our first jamming scenario consists of a simple jamming attack without the use of a CR as the jammer. Thus, a simple single band jammer is used here. Throughput degradation is studied in the following three cases, where the jammer's baseband frequency is set to a) 5179 MHz (center of channel 36), b) 5199 MHz (center of channel 40) and c) 5219 MHz (center of channel 44). The transmission power of the jammer is 10 µW. Figure 5.10 shows the throughput for the above three cases along with the base throughput. It can be seen that the throughput degradation in each of the cases is similar and also not very significant, because jamming at the center of channel 36 affects the throughput only in channel 36 and not in channels 40 and 44.
Similarly, jamming at the center of channel 40 affects the throughput only in channel 40 and not in channels 36 and 44. Though channel 36 and channel 40 are adjacent to each other, jamming either one of the channels does not affect the other adjacent channel, since these two channels are orthogonal to each other.

Similar to the previous scenario, we again study the throughput degradation in the following three cases, where the jammer's baseband frequency is set to a) 5179 MHz (center of channel 36), b) 5199 MHz (center of channel 40) and c) 5219 MHz (center of channel 44). The jamming transmission power is increased by a factor of 10 compared to the previous scenario and is set to 100 µW. Figure 5.11 shows the effect on throughput in channel 36. Throughput degradation in channels 40 and 44 was similar to channel 36 and thus is not shown in Figure 5.11.

Figure 5.10: Jamming attacks in channels 36, 40 and 44 with 10 µW

It can be seen that the throughput degradation under the higher jamming power (100 µW) is similar to the throughput degradation with a jamming power of 10 µW. Also, the throughput is not significantly degraded, because jamming at the center of channel 36 affects the throughput only in channel 36 and not in channels 40 and 44. Similarly, jamming at the center of channel 40 affects the throughput only in channel 40 and not in channels 36 and 44. Though channel 36 and channel 40 are adjacent to each other, jamming at a higher power in either one of the channels does not affect the other adjacent channel, since these two channels are orthogonal to each other. In the following scenarios, we use a CR as a jammer to decrease the throughput more effectively.

Next, the CR acts as a jammer sending a short pulse (8 bits) on N1, then switches to N2 and then switches to N3 to complete one cycle. We have used the same modified jammer used in section 4.2. The center frequencies of channel 36, channel 40 and channel 44 are 5180 MHz, 5200 MHz and 5220 MHz respectively. Using our jammer, we attack the center of these channels with a narrow jammer bandwidth of 1/10th of the total channel bandwidth (20000 kHz). Thus, the base frequency of the jammer is set to 5179 MHz for channel 36 with a jammer bandwidth of 2000 kHz. The jammer is designed such that it switches to 5199 MHz (for channel 40), again with a jammer bandwidth of 2000 kHz, then to 5219 MHz (for channel 44), and then back to channel 36. This cycle of channel switching continues until the end of the simulation. The power of the jammer is set to 10 µW.

Figure 5.11: Jamming attack in channel 36 with 100 µW

Based on the CR jammer, our jamming scenario consists of periodic jamming attacks with exponential delays after the jammer switches to the new network. The effect of the periodic jamming attack with exponential delay is shown in Figure 5.12. We consider 100 µs of exponential delay in our scenarios. This value is set in the Jammer Packet Interarrival Time attribute of the jammer. Along with the jammer packet interarrival time, we also add the channel switch time. Thus, the simulation was done with 100 µs plus the 400 µs channel switch time as the time between jamming transmissions.

At the end of section 5.1, we discussed jamming attacks at the edge of two adjacent orthogonal channels. By attacking the edge of two adjacent channels, throughput is degraded in both adjacent channels. We use this concept in our multi-network jamming attack. The CR jammer is modified to switch between the edges of the adjacent channels rather than between the centers of these channels. That is, considering channels 36, 40 and 44, the CR acts as a jammer sending a short pulse (8 bits) on the edge of channel 36 and channel 40, and then switches to the edge of channel 40 and channel 44 to complete one cycle. We label the edge of channel 36 and channel 40 and the edge of channel 40 and channel 44 as E1 and E2 respectively. Thus, the base frequency of the jammer is set to 5189 MHz for E1 with a jammer bandwidth of 2000 kHz. The jammer is designed such that it switches to 5209 MHz (for E2), again with a jammer bandwidth of 2000 kHz, and then back to E1. This cycle of switching continues until the end of the simulation. The power of the jammer is set to 10 µW (the same as in the previous scenario).

Figure 5.12: Average throughput - Periodic exponential jamming attack

Figure 5.13 provides the degraded throughput when the CR jammer attacks E1 and E2. We can see that when we attack the center of each channel, the throughput is lower than the throughput achieved while jamming at E1 and E2. A jamming attack at the center of a channel has more effect than jamming at the edge of a channel. However, when the CR jammer attacks E1 and E2, significant additional throughput degradation is achieved by increasing the jammer's transmission power. This is discussed in the following scenarios.

In our next scenario, the CR jammer attacks the edge of two orthogonal adjacent channels with a higher jammer transmission power. The jammer's power is set to 20 µW. We can see from Figure 5.14 that the throughput is degraded significantly more than under the periodic exponential jamming attack at the center of each channel. Since the CR jammer switches only between the edges of the channels, the number of channel hops is smaller compared to the periodic exponential jamming at the center of the channels (three hops). This increases the frequency with which each network is attacked.

Figure 5.13: Average Throughput - Exponential jamming attack at edges of adjacent channels

Figure 5.14: Average Throughput - Exponential jamming attack at edges of adjacent channels with higher power

Our next scenario consists of the CR jammer sending a short pulse of 8 bits on N1 and then switching to E2 to complete one cycle. Thus, we attack the center of channel 36 and then switch to the edge of channel 40 and channel 44. For this scenario, we use two values of jammer transmission power: a) 10 µW and b) 20 µW. The throughput degradation is shown in Figure 5.15. In this scenario, since we attack the center of channel 36 and only the edge of channels 40 and 44, the throughput is significantly degraded for channel 36 when compared to the throughput degradation of channels 40 and 44. We now use the higher jammer transmission power of 20 µW to study the throughput degradation for the previous scenario. The CR jammer with the higher power attacks the center of channel 36 and then switches to the edge of channel 40 and channel 44, as in the 10 µW case. From Figure 5.15, it can be seen that attacking the center of a channel and the edge of two adjacent channels with marginally higher jammer transmission power yields significant throughput degradation compared to exponential jamming at the centers of the three channels.

Figure 5.15: Average Throughput - Exponential jamming attack at the center of channel 36 and at the edge of channels 40 and 44

In our simulation tests, we also increased the jammer's transmission power to 100 µW and found that throughput degrades significantly by attacking the center of channel 36 and the edges of channels 40 and 44. Also, with the CR's capability of sensing the traffic in each of the networks, a CR jammer can dynamically adjust its jamming frequency depending on the traffic in each network.

Next, we use a jamming cycle similar to the previous scenario, where the CR jammer attacks by sending a short pulse of 8 bits on N1 and then switches to E2 to complete one cycle. The jammer is capable of modifying its transmission power before transmitting the jamming pulse. Using this capability, we have modified the CR jammer such that, when the jammer attacks the center of channel 36, it adjusts its power to 10 µW (enough power to attack the center of a channel), and when the jammer attacks E2, it adjusts its power to 50 µW (enough power to attack the edge of two adjacent channels). Figure 5.16 shows the throughput degradation for this type of attack. It can be seen that there is significant throughput degradation compared to the exponential jamming attack on the centers of the three channels. As in the previous scenario, the CR jammer can dynamically adjust its jamming frequency depending on the traffic in each network and also adjust its transmission power accordingly.

Figure 5.16: Average Throughput - Exponential jamming attack with dynamic power adjustment

In our final scenario, we consider the same scenario as shown above, but all the nodes in the networks send data packets of 500 B in size instead of 1500 B. The interarrival time of the packets is exp(0.02) µs. Here we study the effect of throughput degradation on smaller sized packets. As in the previous scenario, we have modified the CR jammer such that, when the jammer attacks the center of channel 36, it adjusts its power to 10 µW, and when the jammer attacks E2, it adjusts its power to 20 µW. Figure 5.17 shows the throughput degradation for smaller sized packets. We can see that there is significant throughput degradation when the CR jammer attacks the center of channel 36 and the edge of channels 40 and 44. The throughput degradation is more severe for the smaller sized packets when the CR jammer attacks the networks by switching between N1 and E1 (two channel hops) rather than attacking the center of each channel (three channel hops). The probability of jamming the smaller sized packets is higher when the CR jammer attacks the center of a channel and the edge of two adjacent channels. Thus, this jamming attack using a CR as the jammer is effective.

Figure 5.17: Average Throughput - Exponential jamming attack on smaller sized packets with dynamic power adjustment

In our research, we have considered jamming attacks on 802.11g and 802.11n networks. From our study, we have seen that the overall network throughput degrades significantly when a CR is used as a jammer. With respect to 802.11g, we studied exponential jamming attacks on three 802.11g networks in the 2.4 GHz band. These three networks use the orthogonal channels 1, 6 and 11. With respect to 802.11n, we studied exponential jamming attacks on three 802.11n networks in the 5 GHz band. Comparing jamming attacks in 802.11g and 802.11n networks (with the same load and exponential jamming at the center of three channels), the throughput degradation is severe in both cases. In 802.11g, periodic jamming reduces the base throughput (sum of all three networks) of 6.2 Mbps to 1.5 Mbps. With respect to 802.11n, periodic jamming with three networks reduces the throughput from 6.5 Mbps to 1.3 Mbps. The throughput degradation in 802.11g and 802.11n is almost the same, as both use OFDM for data communication. In 802.11n, there are adjacent non-overlapping channels in the 5 GHz band, which allows us to attack pairs of channels simultaneously by transmitting jamming pulses at the intersection of two channels. This type of attack is not suitable in 802.11g, as the non-overlapping channels are not adjacent to each other. With a doubling of the transmission power of the jammer targeting the intersections of two channels, the throughput degradation in 802.11n networks was significant and more effective than the exponential jamming attacks on the three channels separately. The next chapter concludes our research work and provides possible future work in this area.
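The frequency bookkeeping behind the center-versus-edge results in this chapter, as an added illustration in Python that is not part of the thesis or of its OPNET models. It maps channel numbers to 20 MHz channels with the IEEE 802.11 numbering rule (centre = 5000 + 5N MHz in the 5 GHz band, 2407 + 5N MHz for 2.4 GHz channels 1 to 13) and reports which channels a narrowband emitter, described as the thesis describes its jammer attributes (a base or "min frequency" plus a bandwidth), actually overlaps. The channel numbers, the 2 MHz emitter width and the 5179/5189 MHz base frequencies come from the text; the 2.4 GHz input placed midway between channels 1 and 6 is a constructed value. The helper generalises beyond the thesis's three channels to any channel number following that rule. For a network operator, the same check answers the site-survey question of which neighbouring channels a narrowband interferer seen on a spectrum analyser will reach.

```python
"""Which 20 MHz Wi-Fi channels does a narrowband emitter overlap?

Added example (not thesis or OPNET code). Channel centres follow the
802.11 rule f_c = 2407 + 5*N MHz (2.4 GHz, N = 1..13) and
f_c = 5000 + 5*N MHz (5 GHz, N >= 36); every channel is modelled as
20 MHz wide, which is the thesis's setting.
"""
from dataclasses import dataclass
from typing import List

CHANNEL_WIDTH_MHZ = 20.0


@dataclass(frozen=True)
class Channel:
    number: int
    center_mhz: float

    @property
    def low_mhz(self) -> float:
        return self.center_mhz - CHANNEL_WIDTH_MHZ / 2

    @property
    def high_mhz(self) -> float:
        return self.center_mhz + CHANNEL_WIDTH_MHZ / 2


def channel(number: int) -> Channel:
    """Map an 802.11 channel number to its 20 MHz channel."""
    if 1 <= number <= 13:
        return Channel(number, 2407.0 + 5 * number)
    if number >= 36:
        return Channel(number, 5000.0 + 5 * number)
    raise ValueError(f"unsupported channel number {number}")


def adjacent(a: Channel, b: Channel) -> bool:
    """True when the two channels share a boundary frequency (no gap between them)."""
    return a.high_mhz == b.low_mhz or b.high_mhz == a.low_mhz


def overlap_mhz(emit_low: float, emit_high: float, ch: Channel) -> float:
    """Width of the frequency range common to the emitter and the channel (0 if none)."""
    return max(0.0, min(emit_high, ch.high_mhz) - max(emit_low, ch.low_mhz))


def affected_channels(base_mhz: float, bandwidth_mhz: float,
                      candidates: List[Channel]) -> List[int]:
    """Channel numbers that receive any energy from an emitter occupying
    [base_mhz, base_mhz + bandwidth_mhz]."""
    high = base_mhz + bandwidth_mhz
    return [ch.number for ch in candidates if overlap_mhz(base_mhz, high, ch) > 0]


def base_for_center(target_mhz: float, bandwidth_mhz: float) -> float:
    """Base ("min frequency") that centres an emitter of the given bandwidth on
    target_mhz; this is how 5180 MHz (ch 36) becomes a 5179 MHz base for 2 MHz."""
    return target_mhz - bandwidth_mhz / 2


if __name__ == "__main__":
    unii_low = [channel(n) for n in (36, 40, 44, 48)]
    # 2 MHz emitter centred on ch 36: only ch 36 sees it.
    print(affected_channels(base_for_center(5180, 2), 2, unii_low))
    # 2 MHz emitter straddling the 5190 MHz boundary: ch 36 and ch 40 both see it.
    print(affected_channels(base_for_center(5190, 2), 2, unii_low))
    # Constructed 2.4 GHz input midway between ch 1 (ends 2422) and ch 6 (starts 2427):
    # neither channel is touched, because 1/6/11 are separated by a gap.
    print(affected_channels(base_for_center(2424.5, 2), 2, [channel(n) for n in (1, 6, 11)]))
```

The adjacency test is what separates the two bands in the thesis's comparison: `adjacent(channel(36), channel(40))` is true, while `adjacent(channel(1), channel(6))` is false because 2422 MHz and 2427 MHz do not meet, so a 2 MHz emitter can only ever straddle two channels in the 5 GHz U-NII block.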

Chapter 6 Conclusion and Future Work

We have shown that CR jamming with exponential or constant delays can be very effective in simultaneously attacking three 802.11g networks that are moderately and heavily loaded. The jammer that periodically visits each network is able to make the networks increase collisions among their nodes. This reduced throughput until the jammer was able to return and again create additional collisions. We then showed that we could mount an effective and efficient attack that works well for three lightly loaded as well as moderately and heavily loaded networks. The key is to jam only when the packets have not collided and when there is a clear data or ACK frame. This is easy to implement if there is only one network, but it is challenging to accomplish for three networks at the same time with only one jammer. The capabilities of the CR are important aspects of the reactive intelligent jammer. The improved efficiency (energy and number of times activated) of the reactive jammer over the periodic jammer is an important result of the current work that needs further study for its optimization. This would involve more analysis of collisions and of how cognitive radio jammers are effective in lightly loaded network scenarios.

With respect to 802.11n, we have performed sufficient jamming attacks to show how 802.11n networks perform under jamming. We have considered the 5 GHz band and shown how adjacent orthogonal channels can be attacked using a CR jammer. As a part of jamming attacks in 802.11n networks, jamming attacks in the 2.4 GHz band should be done in parallel to those done in 2.4 GHz for 802.11g. In the future, we would like to perform reactive and intelligent jamming attacks in 802.11n. Also, with a newer version of OPNET, we plan to perform our jamming attacks on channels with 40 MHz bandwidth in 5 GHz. We also plan to perform an analysis of collisions and consider 802.11n networks with different traffic conditions. Spatial streams are an important part of 802.11n for reliable transmissions. We plan to study the effects of spatial streams on our jamming results. Finally, we will perform some of these scenarios for a broad group of transmission speeds below and beyond 19.5 Mbps.


APPENDICES

Appendix A Code Snippet - Exponential and Periodic Jamming

A.1 Jammer Process Model

The jammer process model consists of three transition states: a) init, b) generate and c) stop. The init state is the first state of the process model and consists of initialization of the required variables such as the jammer's bandwidth, frequency etc. The generate state generates the jammer packets. The stop state is the end state of the process model. Figure A.1 provides the jammer process model.

Figure A.1: Jammer Process Model

A.2 Jammer Code Module

Given below is the code snippet from the init state of the jammer.

/*-----------------------------------------------------------------*/
/* Declare the state variables */

// Provides the number of channel switches
int num_intervals;
// Provides the frequency interval between each channel switch
int freq_interval;
// Provides a counter to find the next channel
int freq_slot;
// Provides the transmission frequency to be used by the jammer
// (double, since the "min frequency" channel attribute is a double)
double freq_tx;

/* Object ids and channel attributes used below (OPNET Objid type) */
Objid my_tx_objid;
Objid tx_comp_attr_objid;
Objid my_txch_objid;
double freq_base;
double bandwidth;

/* Initialize the variables */
num_intervals = 3;
freq_interval = 25;   /* 25 MHz: the spacing of 2.4 GHz channels 1, 6 and 11 */
freq_slot = 0;
freq_tx = 0;

/* Determine the object id of the transmitter being used. */
my_tx_objid = op_topo_assoc (own_id, OPC_TOPO_ASSOC_OUT, OPC_OBJMTYPE_MODULE, 0);
if (my_tx_objid == OPC_OBJID_INVALID)
    printf ("\n Unable to get object ID of transmitter: is one attached? \n");

/* Get the compound attribute tx id */
tx_comp_attr_objid = op_topo_child (my_tx_objid, OPC_OBJTYPE_COMP, 0);

/* Get the object id of the transmitter's channel. */
my_txch_objid = op_topo_child (tx_comp_attr_objid, OPC_OBJTYPE_RA_TX_CH, 0);
if (my_txch_objid == OPC_OBJID_INVALID)
    printf ("\n Unable to get object ID of transmitter channel. \n");

/* Get the minimum frequency and bandwidth of the jammer */
if (op_ima_obj_attr_get (my_txch_objid, "min frequency", &freq_base) == OPC_COMPCODE_FAILURE ||
    op_ima_obj_attr_get (my_txch_objid, "bandwidth", &bandwidth) == OPC_COMPCODE_FAILURE)
    {
    printf ("\n Unable to get frequency range from attributes \n");
    }
/*-----------------------------------------------------------------*/

Given below is the code snippet for switching the channel before each transmission.

/* Compute the frequency of transmission */
freq_tx = freq_base + freq_slot * freq_interval;

/* Advance the frequency slot for the next transmission. */
freq_slot = (freq_slot + 1) % num_intervals;

/* Assign the selected frequency to the transmitter channel */
if (op_ima_obj_attr_set (my_txch_objid, "min frequency", freq_tx) == OPC_COMPCODE_FAILURE)
    {
    printf ("\n Error in setting frequency");
    }

Appendix B Code Snippet - Reactive and Intelligent Jamming

B.1 Jammer Process Model

For reactive and intelligent jamming, the process model for the jammer has been modified to sense the medium before the jamming packet is transmitted in that particular channel. This modified jammer process model consists of four transition states: a) init, b) detect busy, c) generate and d) stop. The init state is the first state of the process model and consists of initialization of the required variables such as the jammer's bandwidth, frequency etc. The detect busy state senses whether the channel is busy at that particular time. If the channel is busy, then the generate state is invoked. The generate state generates the jammer packets. The stop state is the end state of the process model. Figure B.1 provides the jammer process model for reactive and intelligent jamming.

B.2 Jammer Code Module

The init state of the reactive jammer is the same as the init state of the periodic jammer. Also, the code snippet for switching the channel before the transmission of each jamming pulse remains the same. Thus, the code snippets in Appendix A are applicable here without any modifications. Given below is the code snippet for sensing the medium for busy status. A busy status indicates that packets are being transmitted in the channel.

Figure B.1: Jammer Process Model

/*---------------------------------------------------------*/
/* These changes are made in the function block of the wlan process model. */

/* Global variables */
// Variable to indicate whether channel 1 is busy or not
int CH1_BUSY_RCV;
// Variable to indicate whether channel 6 is busy or not
int CH6_BUSY_RCV;
// Variable to indicate whether channel 11 is busy or not
int CH11_BUSY_RCV;

/* Check whether the receiver is busy; this indicates whether the medium is busy or not */
if (!wlan_flags->collision && wlan_flags->receiver_busy)
    {
    wlan_flags->collision = OPC_TRUE;