Upload
others
View
8
Download
0
Embed Size (px)
Citation preview
Jamming Wireless Networks: Attack and Defense Strategies
Wenyuan Xu, Ke Ma, Wade Trappe, Yanyong Zhang,WINLAB, Rutgers University
IAB, Dec. 6th, 2005
2
Roadmap Introduction and Motivation
Jammer Models– Four models– Their effectiveness
Detecting Jamming attacks– Basic statistic + Consistency check
Defenses strategy– Channel surfing– Spatial retreat
Conclusions
3
Jammers
Jamming style DoS Attack:– Behavior that prevents other nodes from using the
channel to communicate by occupying the channel that they are communicating on
A jammer– An entity who is purposefully trying to interfere with
the physical transmission and reception of wireless communications.
Is it hard to build a jammer?
Mr. X
No! Haha…
Bob Alice
Hello … Hi …@#$%%$#
@&…
Mr. X
4
Jammers – Hardware Cell phone jammer unit:– Intended for blocking all mobile phone
types within designated indoor areas – 'plug and play' unit
Waveform GeneratorTune frequency to what ever you want
MAC-layer Jammer (our focus)Mica2 Motes (UC Berkeley)
8-bit CPU at 4MHz,128KB flash, 4KB RAM916.7MHz radioOS: TinyOS
Disable the CSMAKeep sending out the preamble
5
Jammers – Hardware Cell phone jammer unit:– Intended for blocking all mobile phone
types within designated indoor areas – 'plug and play' unit
Waveform Generator– Tune frequency to what ever you want
MAC-layer Jammer (our focus)Mica2 Motes (UC Berkeley)
8-bit CPU at 4MHz,128KB flash, 4KB RAM916.7MHz radioOS: TinyOS
Disable the CSMAKeep sending out the preamble
6
Jammers – Hardware Cell phone jammer unit:– Intended for blocking all mobile phone
types within designated indoor areas – 'plug and play' unit
Waveform Generator– Tune frequency to what ever you want
MAC-layer Jammer– 802.11 laptop – Mica2 Motes (UC Berkeley)
8-bit CPU at 4MHz,128KB flash, 4KB RAM916.7MHz radioOS: TinyOS
– Disable the CSMA– Keep sending out the preamble
The Jammer Models and Their Effectiveness
8
Jammer Attack Models
Constant jammer:– Continuously emits a radio signal
Deceptive jammer:– Constantly injects regular packets to the channel without any gap
between consecutive packet transmissions– A normal communicator will be deceived into the receive state
&F*(SDJFFD(*MC*(^%&^*&(%*)(*)_*^&*FS…….
Payload …
Preamble CRC
PayloadPayload Payload Payload
9
Jammer Attack Models
Random jammer:– Alternates between sleeping and jamming
Sleeping period: turn off the radioJamming period: either a constant jammer or deceptive jammer
Reactive jammer:– Stays quiet when the channel is idle, starts transmitting a
radio signal as soon as it senses activity on the channel.– Targets the reception of a message
&F*(SDJF ^F&*D( D*KC*I^ …
…
Underling normal traffic
&F*(SDJ
Payload
^%^*&
Payload
CD*(&FG
Payload
Detecting Jamming Attacks: Basic Statistics plus Consistency Checks
11
-100
-80
-60CBR
-100
-80
-60MaxTraffic
-100
-80
-60Constant Jammer
-100
-80
-60
R
SS
I (dB
m)
Deceptive Jammer
-100
-80
-60Reactive Jammer
0 200 400 600 800 1000 1200 1400 1600-100
-80
-60
sample sequence number
Random Jammer
Basic Statistics P.1Idea:– Many measurement will be affected by the presence of a jammer– Network devices can gather measurements during a time period
prior to jamming and build a statistical model describing basic measurement in the network
Measurement– Signal strength
Moving averageSpectral discrimination
– Carrier sensing time– Packet delivery ratio
Experiment platform:– Mica2 Motes– Use RSSI ADC to
measure the signal strength
12
Basic Statistics P.2Can basic statistics differentiate between jamming scenario from a normal scenario including congestion?
Differentiate jamming scenario from all network dynamics, e.g. congestion, hardware failure – PDR is a relative good statistic, but cannot do hardware failure– Consistency checks --- using Signal strength
Normal scenarios: – High signal strength a high PDR – Low signal strength a low PDR
Low PDR:– Hardware failure or poor link quality low signal strength– Jamming attack high signal strength
Signal strength
Average Spectral Discrimination
Constant Jammer
Deceptive Jammer
Random Jammer
Reactive Jammer
Carrier sensing time
Packet delivery ratio
13
Jammed Region
PDR %
PDR VS. SS
SS
(dB
m)
Jamming Detection with Consistency Checks
Measure PDR(N){N Є Neighbors}
PDR(N) < PDRThresh ? Not Jammed
Jammed!
No
Yes
PDR(N) consistent with signal strength?
Yes
No
Build a (PDR,SS) look-up table empirically– Measure (PDR, SS) during a guaranteed time of
non-interfered network.– Divide the data into PDR bins, calculate the mean
and variance for the data within each bin.– Get the upper bound for the maximum SS that
world have produced a particular PDR value during a normal case.
– Partition the (PDR, SS) plane into a jammed-region and a non-jammed region.
Defenses against Jamming Attacks: Channel Surfing and Spatial Retreat
15
Handling Jamming: StrategiesWhat can you do when your channel is occupied?– In wired network you can cut the link that causes the problem, but
in wireless…– Make the building as resistant as possible to incoming radio signals?– Find the jamming source and shoot it down?– Battery drain defenses/attacks are not realistic!
Protecting networks is a constant battle between the security expert and the clever adversary.
Therefore, we take motivation from “The Art of War” by Sun Tze:– He who cannot defeat his enemy should retreat.
Retreat Strategies:– Channel Surfing– Spatial retreat
16
Channel SurfingIdea:– If we are blocked at a particular channel, we can resume
our communication by switching to a “safe” channel– Inspired by frequency hopping techniques, but operates at
the link layer in an on-demand fashion.Challenge– Distributed computing– Asynchrony, latency and scalability
Jammer Jammer
Node working in channel 1
Node working in channel 2
channel 1
channel 2
17
Channel SurfingCoordinated Channel Switching– The entire network changes its channel to a new channel
Spectral Multiplexing– Jammed node switch channel– Nodes on the boundary of a jammed region serve as relay nodes between
different spectral zones
Jammer
Coordinated channel surfing
Jammer
Spectral Multiplexing
Node working in channel 1
Node working in channel 2
Node working in both channel 1 & 2
channel 1
channel 2
18
Channel SurfingCoordinated Channel Switching– The entire network changes its channel to a new channel
Spectral Multiplexing– Jammed node switch channel– Nodes on the boundary of a jammed region serve as relay nodes between
different spectral zones
Jammer
Coordinated channel surfing
Jammer
Spectral Multiplexing
Node working in channel 1
Node working in channel 2
Node working in both channel 1 & 2
channel 1
channel 2
19
X
Spatial RetreatTargeted Networks—Nodes in the network should have– Mobility– GPS or similar localization
Idea:– Nodes that are located within the
jammed area move to “safe”regions.
Escaping:– Choose a random direction to
evacuate from jammed area– If no nodes are within its radio
range, it moves along the boundary of the jammed area until it reconnects to the rest of the network.
A E
C D
IGH
F
B
20
Spatial RetreatIssues:– A mobile adversary can move through the network– The network can be partitioned– After Escape Phase we need Reconstruction phase to repair the network
Reconstruction phase—Virtual force Model– “Forces” only exist between neighboring sensors– Forces are either repulsive or attractive– Forces represent a need for sensors to move in order to improve system
behavior– virtual force is calculated based on its distance to all its neighboring sensors– Direct its movement according to its force– When all sensors stop moving, the spatial coverage of the whole network is
maximized
Borrowed from Ke Ma
21
Case Study : Spatial Retreats
Borrowed from Ke Ma
22
ConclusionDue to the shared nature of the wireless medium, it is an easy feat for adversaries to perform a jamming-style denial of service against wireless networks
We proposed to use consistency check based on PDR to detect jammers
We have presented two different strategies to defend against the jamming style of DoS attacks– Channel-surfing: changing the transmission frequency to a
range where there is no interference from the adversary– Spatial retreat: moving to a new location where there is no
interference