Cascading Attacks On Wi-Fi Networks: Theory and Experiments
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCNS.2020.2999452, IEEE Transactions on Control of Network Systems
Abstract—We unveil the existence of a vulnerability in Wi-Fi (802.11) networks, which allows an adversary to remotely launch a Denial-of-Service (DoS) attack that propagates both in time and space. This vulnerability stems from a coupling effect induced by hidden nodes. Cascading DoS attacks can congest an entire network and do not require the adversary to violate any protocol. We demonstrate the feasibility of such attacks through experiments with real Wi-Fi cards, theoretical analysis, and ns-3 simulations. The experiment shows that an attacker can cause the throughput of a node outside its communication range to vanish. To gain insight into the root-causes of the attack, we model the network as a dynamical system and analyze its limiting behavior and stability. The model predicts that a phase transition (and hence a cascading attack) is possible in linear networks when the retry limit parameter of Wi-Fi is greater or equal to 7, and also characterizes the phase transition region in terms of the system parameters.

L. Xin, and D. Starobinski are with the Division of Systems Engineering, Boston University, Boston, MA 02215 USA (e-mail: xlx@bu.edu; staro@bu.edu).
G. Noubir is with the Khoury College of Computer and Information Science, Northeastern University, Boston, MA 02115 USA (e-mail: noubir@ccs.neu.edu).
2325-5870 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

Wi-Fi (IEEE 802.11) is a technology widely used to access the Internet. Wi-Fi connectivity is provided by a variety of organizations operating over a shared RF spectrum. These include schools, libraries, companies, towns and governments, as well as ISP hotspots and residential wireless routers. Wi-Fi traffic is also rapidly rising due to increased offloading by cellular operators [1]. The importance of Wi-Fi networks and the need to strengthen their resilience to intentional and non-intentional interference have been recognized by companies, such as Cisco [2].

Wi-Fi networks rely on simple, distributed mechanisms to arbitrate access to the shared spectrum and optimize performance. Such mechanisms include carrier sensing multiple access (CSMA), exponential back-offs, and bit rate adaptation. The behavior of these mechanisms in isolated single-hop networks has been extensively studied and is generally well-understood (see, e.g., [3]). However, due to interference coupling, these mechanisms result in complex interactions in multi-hop settings, as CSMA cannot prevent collisions caused by hidden nodes (cf. Section III for more details about the hidden node problem). As a consequence, different networks do not always evolve independently, even if they are located far away.

To understand the consequence of such interactions, suppose that some node $A_0$ increases the rate at which it generates packets, and transmits these packets in accordance with the IEEE 802.11 protocol. These transmissions may cause packet collisions at a node, say node $B_1$, concurrently receiving packets from another node, say node $A_1$. Node $A_1$ may be unable to hear transmissions by node $A_0$ due to the hidden node problem. As a result, node $A_1$ keeps retransmitting packets which collide with the packets sent by node $A_0$. These retransmissions by node $A_1$ may in turn affect the ability of other nodes in the network to successfully communicate, thus causing this phenomenon to propagate. We note that the total number of packet retransmissions (including the original transmission) cannot exceed the so-called retry limit, after which a packet must be dropped. We will show in the sequel that the retry limit plays a major role in sustaining the propagation effect.

An optional mechanism, called request-to-send and clear-to-send (or RTS/CTS), has been designed to combat the hidden node problem. However, this mechanism increases overhead and latency especially at high bit rates. Since the cost of the RTS/CTS exchange usually does not justify its benefits, it is commonly disabled [4], [5]. Indeed, most manufacturers of Wi-Fi cards disable RTS/CTS by default and discourage changing this setting as explicitly stated in [6]–[9]. Therefore, most Wi-Fi systems today operate without RTS/CTS.

The coupling phenomenon induced by interferences creates multi-hop dependencies, which an adversary can take advantage of to launch a widespread network attack from a single location. We refer to such an attack as a cascading Denial-of-Service (DoS) attack. Cascading DoS attacks are especially dangerous because they affect the entire network and do not require the adversary to violate any protocol (i.e., the attacks are protocol-compliant).

The contributions of this paper are as follows. First, we unveil the existence of a vulnerability in the IEEE 802.11 standard, which allows an attacker to launch protocol-compliant cascading DoS attacks. In contrast to existing jamming attacks, the attacker does not need to be in the vicinity of the victims.

Second, we introduce a new dynamic system model that sheds light into the network behavior under attack. The model shows the existence of a phase transition. When the packet generation rate of the attacker is lower than the phase transition point, it has vanishing effect on the rest of the network. However, once the packet generation rate exceeds the phase transition point, the network becomes entirely congested.

The theoretical model shows that the sequence of node utilizations always converges to a fixed point (the utilization of a node is defined as the fraction of time during which the
node transmits). We characterize the different types of fixed points (stable and unstable) and show that a phase transition is associated with the existence of an unstable fixed point. The model explicitly predicts for which values of the retry limit a phase transition (and hence a cascading attack) can occur. In particular, we show that a phase transition can occur for the default value of the retry limit in Wi-Fi, which is 7.

Finally, we concretely demonstrate the attack through experiments on a testbed composed of nodes equipped with real Wi-Fi cards and provide simulation results obtained with the ns-3 simulator that corroborate the theoretical results in various network topologies.

The rest of the paper is organized as follows. In Section II, we discuss related work. In Section III, we provide brief background on Wi-Fi and hidden nodes, and introduce the network model and attack scenario. Section IV presents our theoretical analysis. We present experimental and simulation results that verify the findings in Section V. Section VI concludes the paper.

An earlier version of this paper appeared in the proceedings of the IEEE Conference on Communications and Network Security (CNS 2016) [10]. This journal version significantly expands the theoretical analysis, including detailed proofs and new results on stability analysis and heterogeneous traffic load, which can be found in Section IV. Moreover, new simulation results for networks based on a realistic indoor building model and ring networks are presented in Section V.

II. RELATED WORK

In general, the main goal of a DoS attack is to make communication impossible for legitimate users. Within the context of wireless networks, a simple and popular means to launch a DoS attack is to jam the network with high power transmissions of random bits, hence creating interferences and congestion. Jamming at the physical layer, together with anti-jamming countermeasures, has been extensively studied (cf. [11] for a monograph on this subject).

More recently, several works have developed and demonstrated smart jamming attacks. These attacks exploit protocol vulnerabilities across various layers in the stack to achieve high jamming gain and energy efficiency, and a low probability of detection [12]. For instance, [13] shows that the energy consumption of a smart jamming attack can be four orders of magnitude lower than continuous jamming. However, both conventional and smart jamming attacks are usually non-protocol compliant. Moreover, they require physical proximity. These limitations can be used to identify and locate the jammer.

In contrast, in this work we show how a protocol-compliant DoS attack can be remotely launched by exploiting coupling due to hidden nodes in Wi-Fi. Rate adaptation algorithms further amplify this attack due to their inability to distinguish between collisions, interferences, and poor channels. One potential mitigation is to design a rate adaptation algorithm whose behaviour is based on the observed interference patterns [14], [15]. However, to the best of our knowledge, none of these rate adaptation algorithms are used in practice. Our work is based on Minstrel [16], which is the most recent, popular, and robust rate adaptation algorithm for Linux systems.

The attacks that we are investigating bear similarity to cascading failures in power transmission systems [17], [18]. When one of the nodes in the system fails, it shifts its load to adjacent nodes. These nodes in turn can be overloaded and shift their load further. This phenomenon has also been studied in wireless networks. For instance, [19], [20] model wireless networks as a random geometric graph topology generated by a Poisson point process. They use percolation theory to show that the redistribution of load induces a phase transition in the network connectivity. However, the cascading phenomenon that we investigate in this paper is different from cascading failure studied in those works. In our work, the exogenous generation of traffic at each node is independent. That is, a node will not shift its load to other nodes. The amount of traffic measured on the channel increases due to packet retransmissions caused by packet collisions, rather than due to traffic redistribution.

The work in [21] shows that interference coupling can affect the stability of multi-hop networks. In the case of a greedy source, a three-hop network is stable while a four-hop network becomes unstable. In contrast, in our work, the path of each packet consists of a single-hop. Thus, network instability is not due to multi-hop communication in our case.

The work in [22] shows that local coupling due to interferences can have global effects on wireless networks. Thus, it proposes a queuing-theoretic analysis and approximation to predict the probability of a packet collision in a multi-hop network with hidden nodes. It shows that the sequence of the packet collision probabilities in a linear network converges to a fixed point.

Our paper differs in several aspects. First, it considers an adversarial context, and shows how interference-induced coupling can be exploited to cause denial of service. Second, to our knowledge, it is the first work to demonstrate the existence of such coupling on real commodity hardware. Finally, our analytical model is original and captures the impact of the retry limit and traffic parameters. A key result is that a cascading attack can be launched for the default value of the retry limit in Wi-Fi, a result validated by the experiments and simulations.

III. BACKGROUND AND MODEL

A. IEEE 802.11 Back-off Mechanism

The IEEE 802.11 standard uses the CSMA/CA mechanism to control access to the transmission medium and avoid collisions. After a packet is sent, a node waits for a short interframe space (SIFS) period to receive an acknowledgment (ACK). Whenever the channel becomes idle, the node waits for a distributed interframe space (DIFS > SIFS) period and a random backoff before contending for the channel. The random backoff consists of a random number of backoff slots, which depends on the so-called contention window. Specifically, at the $r \geq 1$ retransmission attempt (retry count), the contention window $CW_r$ is given by

$$CW_r = \begin{cases} 2^{r-1}(CW_1 + 1) - 1 & CW_r < CW_{\max}, \\ CW_{\max} & \text{otherwise.} \end{cases} \tag{1}$$
At the $r \geq 6$ retransmission attempt by a hidden node $A_i$, $CW_r = CW_{\max} = 1023$. Node $A_i$ backs off for $n$ slots, where $n$ is an integer between 0 and 1023 that is picked uniformly at random (i.e., with probability 1/1024). Since the length of a backoff slot is 20 µs, the backoff delay is $0.02n$ ms. Without loss of generality, assume that node $A_i$ starts backing off at time $t = 0$ and ends its backoff at time $t = 0.02n$ (all the time units are in milliseconds). Node $A_i$ then starts a packet transmission, which ends at time $t = 0.02n + 0.12$.

Node $A_{i+1}$ can transmit a packet successfully only if it starts its transmission during the time interval $[0, 0.02n - 12]$. This requires $n > 600$. Assuming that the starting time of the packet transmission by node $A_{i+1}$ is uniformly distributed in the time interval $[0, 0.02n + 12]$, the probability that a packet is successfully transmitted by node $A_{i+1}$ is

$$\sum_{n=600}^{1023} \frac{1}{1024} \cdot \frac{0.02n - 12}{0.02n + 12} = 0.059.$$

Thus, the likelihood of a successful packet transmission is low, a result validated by the experimental and simulation results of Section V.

IV. ANALYSIS

In this section, we develop an analytical model that provides insight into the network behavior under attack. Specifically, our goals are to explain why and under what conditions an attacker can congest a remote node and cause its throughput to vanish, and to shed light into the roles played by the retry limit $R$ and the traffic load at the different nodes.

A. Model

We consider the linear topology shown in Figure 2. Packet generations at each node $A_i$ form a Poisson process with rate $\lambda_i$. The packet size is fixed and the duration of each packet transmission attempt is $T$ (we assume a fixed bit rate). A transmission by node $A_{i+1}$ is successful only if it does not overlap with any transmission by (hidden) node $A_i$.

If a packet collides, it is retransmitted until either it is successfully received or the retry count reaches the limit $R$. Let $1 \leq r_i \leq R$ represent the mean retry count at node $A_i$. Note that the initial packet transmission is included in that count. Then, the mean service time of a packet at node $A_i$ is $r_i T$. To keep the analysis tractable, timing details of Wi-Fi, such as DIFS, SIFS, and back-off inter-frame spacing are ignored. Therefore the upper limit of the utilization equals 1 in our analysis.

We denote the utilization of node $A_i$ by $0 \leq u_i \leq 1$, where $u_i$ represents the fraction of time node $A_i$ transmits. If $u_i = 1$, node $A_i$ is congested and transmits continuously. Otherwise, node $A_i$ is uncongested and transmits packets at rate $r_i \lambda$. Therefore, the utilization of node $A_i$ for all $i \geq 0$ is

$$u_i = \min\{r_i \lambda_i T, 1\}. \tag{2}$$

Note that there is no retransmission at node $A_0$ and $r_0 = 1$.

Our model represents a special case of interacting queues, which are notoriously difficult to analyze [23]. To make the analysis tractable, we assume that:

1) Packet transmissions and retransmissions at each uncongested node $A_i$ form a Poisson process with rate $r_i \lambda$.
2) The probability that a packet transmitted by node $A_i$ collides is independent of previous attempts. This probability is denoted $p_i$.

Our model is similar to the “random-look” model used by Kleinrock and Tobagi in their analysis of (single hop) random access networks [24] (see also Ch. 4 of [25]). We stress that beside these assumptions, the rest of our analysis is exact. Note that the experiments and simulations shown in Section IV do not incorporate the simplifications used to make the analysis tractable, yet they produce the same effects.

B. Iterative analysis of the utilization

Our goal is to find the utilization at each node $i \geq 0$ and in the limit as $i \to \infty$. We consider the same scenario as in our simulations, whereby node $A_0$ (the attacker) varies its traffic load

$$\rho_0 \triangleq \lambda_0 T, \tag{3}$$

while all other nodes $A_i$ ($i \geq 1$) have the same traffic load

$$\rho \triangleq \lambda_i T, \tag{4}$$

where $0 < \rho < 1$. We aim to understand if and how changes in the value of $\rho_0$ affect the utilization of nodes that are located far away as a function of the parameters $\rho$ and $R$.

First, we get the utilization at node $A_0$:

$$u_0 = \min\{\rho_0, 1\}. \tag{5}$$

We next develop an iterative procedure to derive $u_{i+1}$ from $u_i$. From (2) and (4),

$$u_{i+1} = \min\{r_{i+1} \rho, 1\}. \tag{6}$$

We first relate $r_{i+1}$ to $p_{i+1}$, the probability that a packet transmitted by node $A_{i+1}$ collides. Based on Assumption 2, the probability that a packet is successfully received after $1 \leq r \leq R$ attempts is $(1 - p_{i+1})(p_{i+1})^{r-1}$ while the probability that a packet fails to be received after $R$ attempts is $(p_{i+1})^R$. Hence, the mean retry count at node $A_{i+1}$ is

$$r_{i+1} = \sum_{r=1}^{R} r \cdot (1 - p_{i+1}) \cdot (p_{i+1})^{r-1} + R \cdot (p_{i+1})^{R} = \sum_{r=1}^{R} (p_{i+1})^{r-1}. \tag{7}$$

We next relate $p_{i+1}$ to $u_i$. First, suppose $u_i < 1$ (i.e., node $A_i$ is uncongested). Assume that node $A_{i+1}$ starts a packet transmission (or retransmission) at some arbitrary time $t = t_0$. We compute $p_{i+1}$ by conditioning on whether or not node $A_i$ is transmitting at time $t_0$. Note that due to the Poisson Arrivals See Time Averages (PASTA) property, the transmission state of node $A_i$ at time $t = t_0$ is the same as at any random point of time.

If node $A_i$ transmits at time $t_0$, which occurs with probability $u_i$, then the packet transmitted by node $A_{i+1}$ collides with probability 1. If node $A_i$ does not transmit at time $t_0$, which occurs with probability $1 - u_i$, then a collision
occurs only if node $A_i$ starts a transmission during the interval $[t_0, t_0 + T]$. Since the packet inter-arrival time on the channel is exponentially distributed with mean $r_i T$, such an event occurs with probability

We now present the main result of this section.

Theorem 1:
1) Let $u_0 \in (\omega_k, \omega_{k+1})$, where $k \in \{1, \ldots, K-1\}$. If $f(u_0) > u_0$, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_{k+1}$.
Our goal in the following is to determine what regime prevails under different network parameters.

For this purpose, we investigate the existence and properties of solutions of (13). First, we investigate the case $\omega = 1$.

[Figure residue: three panels plotting $h_R(\omega)$ (vertical axis: load $\rho$) against $\omega$, each with a region marked "Uncongested".]
In this section, we derive an explicit lower bound on $h_R^{\max}$, which provides a simple condition for the existence of a phase transition. First, we establish a relationship between the derivatives of $h_R(\omega)$ for different values of $R$, but a given value of $\omega$. The proof of the following lemma can be found in [27].

Lemma 3: For $\omega \in [0, 1]$, if there exists $R^* \geq 1$ such that $h'_{R^*}(\omega) \leq 0$, then $h'_R(\omega) \leq 0$ for all $R > R^*$.

Next, consider the function $h_R(\omega)$ as $R \to \infty$:

$$h_\infty(\omega) = \left(1 - \left(1 - e^{-\omega}(1 - \omega)\right)\right)\omega = e^{-\omega}(1 - \omega)\omega, \tag{19}$$

and its derivative

$$h'_\infty(\omega) = e^{-\omega}(1 - 3\omega + \omega^2). \tag{20}$$

The next corollary is the logical transposition of Lemma 3.

Corollary 1: If $h'_\infty(\omega) \geq 0$, then $h'_R(\omega) \geq 0$ for all $R \geq 1$.

The following lemma establishes that the function $h_R(\omega)$ is always strictly increasing in the interval $[0, \bar{\omega})$, where

$$\bar{\omega} \triangleq \frac{3 - \sqrt{5}}{2}. \tag{21}$$

Lemma 4: Let $0 \leq \omega < \bar{\omega}$. Then, $h'_R(\omega) > 0$, for all $R \geq 1$.

Proof: Let the function $h_\infty(\omega)$ and its derivative $h'_\infty(\omega)$ be defined as in (19) and (20), respectively. Since $e^{-\omega}$ is always positive, $h'_\infty(\omega)$ has the same sign as $(1 - 3\omega + \omega^2)$. The unique root of $(1 - 3\omega + \omega^2) = 0$ for $\omega \in [0, 1]$ is $\bar{\omega}$ as defined in (21). Thus, $(1 - 3\omega + \omega^2)$ is positive when $0 \leq \omega < \bar{\omega}$, and so is $h'_\infty(\omega)$. By Corollary 1, $h'_R(\omega) > 0$ for $0 \leq \omega < \bar{\omega}$ and for all $R \geq 1$.

The consequence of Lemma 4 is that for all $R \geq 1$,

$$h_R^{\max} \geq h_R(\bar{\omega}). \tag{22}$$

This equation provides a lower bound on $h_R^{\max}$ that can easily be computed. We then obtain the following sufficient condition for the existence of phase transition.

Lemma 5: Let $\bar{\omega}$ be defined as in (21) and suppose $h_R(\bar{\omega}) > 1/R$. Then, a phase transition is guaranteed to exist for any $\rho \in (1/R, h_R(\bar{\omega}))$.

Proof: From Theorem 2, we know that a phase transition exists if $1/R < \rho < h_R^{\max}$. By (22) and the assumption that $h_R(\bar{\omega}) > 1/R$, the proof follows.

The next theorem establishes an even more explicit lower bound on $h_R^{\max}$.

Theorem 3: Let $h_\infty(\omega)$ and $\bar{\omega}$ be defined as in (19) and (21), respectively. Then, $h_R^{\max} \geq h_\infty(\bar{\omega}) \simeq 0.161$.

Proof: By (17),

$$h_R(\bar{\omega}) = \frac{\bar{\omega}}{\sum_{r=1}^{R} \left(1 - e^{-\bar{\omega}}(1 - \bar{\omega})\right)^{r-1}} > \frac{\bar{\omega}}{\sum_{r=1}^{\infty} \left(1 - e^{-\bar{\omega}}(1 - \bar{\omega})\right)^{r-1}} = h_\infty(\bar{\omega}). \tag{23}$$

Thus, by (22) and (23), $h_R^{\max} > h_\infty(\bar{\omega}) \simeq 0.161$. Note that this bound is asymptotically tight as $R \to \infty$ since $h_\infty^{\max} = h_\infty(\bar{\omega})$.

From Theorems 2 and 3, it follows that a phase transition exists if $1/R < 0.161$. Hence:

Corollary 2: A phase transition is guaranteed to exist for $R \geq 7$ and $\rho \in [1/R, 0.161]$.

We note that the lower bound on $h_R^{\max}$ is quite tight. For instance, $h_7^{\max} = 0.166$. Moreover, $h_R^{\max}$ decreases with $R$ (this follows from (17), since for any $\omega \in [0, 1]$ the denominator increases as $R$ gets larger).

F. Stability of fixed points

In this subsection, we use stability theory to shed further light into the limiting behaviour of the sequence $(u_i)_{i=0}^{\infty}$. Specifically, the sequence $(u_i)_{i=0}^{\infty}$ converges to stable fixed points of $\Omega$ and diverges from unstable fixed points of $\Omega$. We will show that the stability of the fixed points of (16) is determined by the sign of $h'_R(\omega)$ at those points.

Informally, a fixed point $\omega$ is stable (or an attractor), if there exists a domain containing $\omega$, such that if $u_0$ belongs to that domain, then $(u_i)_{i=0}^{\infty}$ converges to $\omega$.

Definition 3 (Stability of a fixed point): Let $u_0 \in [0, 1]$. A fixed point $\omega \in \Omega$ is stable if there exists > 0 such that if $|u_0 - \omega| <$ , the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega$. It is unstable if for all $u_0 \neq \omega$ the sequence $(u_i)_{i=0}^{\infty}$ does not converge to $\omega$.

Recall that according to Lemma 2, a special fixed point of (13) exists at $\omega = 1$, if $\rho > 1/R$. According to Definition 3, this fixed point is stable. Besides this special case, the rest of the fixed points satisfy Equation (16). To establish the stability of those fixed points, we will employ the following proposition.

Proposition 1 ([26]): Suppose that a continuously differentiable function $f$ has a fixed point $\omega$. Then, $\omega$ is stable if $|f'(\omega)| < 1$ and unstable if $|f'(\omega)| > 1$.

The next theorem provides a criterion to establish the stability of a fixed point $\omega \in \Omega$ with respect to the function $h_R(\omega)$.

Theorem 4: Consider a fixed point $\omega \in \Omega$, where $\omega < 1$. Then $\omega$ is stable if $h'_R(\omega) > 0$ and unstable if $h'_R(\omega) < 0$.

Proof: Let $\omega \in \Omega$. The derivative of $h_R(\omega)$ with respect to $\omega$ is

$$h'_R(\omega) = \frac{1}{\Gamma(\omega)} - \frac{\omega}{(\Gamma(\omega))^2} \cdot \Gamma'(\omega) > 0, \tag{24}$$

where

$$\Gamma(\omega) \triangleq \sum_{r=1}^{R} \left(1 - e^{-\omega}(1 - \omega)\right)^{r-1} = \frac{f(\omega)}{\rho}. \tag{25}$$

If one can show that (24) implies $|f'(\omega)| < 1$, then according to Proposition 1, the fixed point $\omega$ is stable. We multiply both sides of (24) by $(\Gamma(\omega))^2$ and obtain

$$\Gamma(\omega) - \omega \Gamma'(\omega) > 0. \tag{26}$$

Using (25) and (16), we can rearrange (26) as follows:

$$\Gamma'(\omega) < \frac{\Gamma(\omega)}{\omega} = \frac{f(\omega)}{\rho \omega} = \frac{1}{\rho}. \tag{27}$$

From (25) and (27), we get

$$f'(\omega) = \rho \Gamma'(\omega) < 1.$$
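[Figure 4 plot residue: $h_R(\omega)$ and $h_R^{\max}$ plotted against $\omega$; vertical axis: load $\rho$.]

Fig. 4. Stability of fixed points with $R = 10$. Given a load $\rho = 0.13$ (dash line), $\Omega$ contains three fixed points: $\omega_1 = 0.2$, $\omega_2 = 0.7$ and $\omega_3 = 1$. The fixed point $\omega_1$ is stable because $h'_R(\omega_1) > 0$ and $\omega_2$ is unstable because $h'_R(\omega_2) < 0$. The fixed point $\omega_3 = 1$ exists and is stable because $\rho > 1/R$. Therefore, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_1$ if $u_0 < \omega_2$, and to $\omega_3$ if $u_0 > \omega_2$.

[Figure 5 diagram labels: nodes $A_0$, $A_1$, $A_2$ and $B_0$, $B_1$, $B_2$; splitter; RF attenuator.]

Fig. 5. Experimental testbed.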
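
The fixed-point analysis above can be reproduced numerically. The following Python sketch is an added example, not code from the paper: it iterates the recursion (6)-(7), taking the collision probability $1 - e^{-\omega}(1 - \omega)$ from the form of $\Gamma(\omega)$ in (25), and checks the phase-transition condition $1/R < \rho < h_R^{\max}$ for the retry limits discussed on this page. The function names and the grid search used for $h_R^{\max}$ are assumptions of this example.

```python
import math

W_BAR = (3 - math.sqrt(5)) / 2  # omega-bar from (21)


def collision_prob(u):
    """Collision probability seen by the next hop, 1 - e^{-u}(1 - u), read off (25)."""
    return 1.0 - math.exp(-u) * (1.0 - u)


def gamma(omega, R):
    """Gamma(omega) of (25): the mean retry count of (7), sum over r = 1..R of p^(r-1)."""
    p = collision_prob(omega)
    return sum(p ** (r - 1) for r in range(1, R + 1))


def f(u, rho, R):
    """One hop of the recursion (6): u_{i+1} = min{rho * Gamma(u_i), 1}."""
    return min(rho * gamma(u, R), 1.0)


def h(omega, R):
    """h_R(omega) = omega / Gamma(omega); fixed points below 1 satisfy rho = h_R(omega)."""
    return omega / gamma(omega, R)


def h_inf(omega):
    """Limit of h_R as R grows, equation (19)."""
    return math.exp(-omega) * (1.0 - omega) * omega


def h_max(R, steps=2000):
    """Largest h_R on a uniform grid over [0, 1) (grid search is an assumption here)."""
    return max(h(k / steps, R) for k in range(steps))


def has_phase_transition(rho, R):
    """Condition quoted from Theorem 2 in the proof of Lemma 5: 1/R < rho < h_R^max."""
    return 1.0 / R < rho < h_max(R)


def unstable_fixed_point(rho, R, steps=2000):
    """Fixed point where h_R crosses rho downwards (h'_R < 0, unstable by Theorem 4)."""
    for k in range(1, steps):
        lo, hi = (k - 1) / steps, k / steps
        if h(lo, R) >= rho > h(hi, R):
            for _ in range(60):  # bisection inside the bracketing grid cell
                mid = (lo + hi) / 2.0
                if h(mid, R) >= rho:
                    lo = mid
                else:
                    hi = mid
            return (lo + hi) / 2.0
    return None  # h_R never falls through rho: no unstable fixed point


def limit_utilization(u0, rho, R, hops=500):
    """Utilization far down the chain when node A_0 has utilization u0, via (5)-(6)."""
    u = min(u0, 1.0)
    for _ in range(hops):
        u = f(u, rho, R)
    return u


if __name__ == "__main__":
    print("h_inf(w_bar) = %.4f" % h_inf(W_BAR))
    for R in (4, 7, 10):
        print("R=%2d  1/R=%.4f  h_max=%.4f" % (R, 1.0 / R, h_max(R)))
    # Setting of Fig. 4: R = 10, rho = 0.13
    w2 = unstable_fixed_point(0.13, 10)
    print("unstable fixed point: %.4f" % w2)
    print("limit below it: %.4f" % limit_utilization(w2 - 0.05, 0.13, 10))
    print("limit above it: %.4f" % limit_utilization(w2 + 0.05, 0.13, 10))
```
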
[Figure 6 plot residue: throughput (Kb/s) versus time (second) for nodes $A_0$, $A_1$ and $A_2$.]

Fig. 6. Throughput performance measurements in testbed. When node $A_0$ starts increasing its packet generation rate, the throughput of nodes $A_1$ and $A_2$ vanishes.

[Figure 7 plot residue: utilization at node $A_{40}$ versus load $\rho$ at node $A_i$ ($i \geq 1$), for $R = 4$, $R = 7$ and $R = 10$, each with $\rho_0 = 1$ and $\rho_0 = 0$.]

Fig. 7. Simulation of the limiting behaviour of the node utilization in a network of 41 pairs of nodes. For $R = 4$, the limit is the same when $\rho_0 = 0$ and $\rho_0 = 1$, hence no phase transition is observed. However, for $R = 7$ and $R = 10$, the limits are different, hence showing the existence of a region of load $\rho$ in which a phase transition occurs.

for node $A_{40}$) is the same in both cases, then we assume that there is no phase transition. If the limits are different, then a phase transition exists.

Figure 7 indicates that the existence of a phase transition
outdoor and hybrid). The building models take into account the penetration losses of the walls and floors, based on the type of buildings (i.e., residential, office, and commercial).

In our simulations, we consider a 20-floor office building with six rooms in each floor, as shown in Figure 9. We assume that five pairs of Wi-Fi nodes $(A_i, B_i)$ are active in the building, where node $A_i$ transmits packets to node $B_i$ ($i = 0, 1, 2, 3, 4$). The bit rate is set to 1 Mb/s, the retry limit to $R = 7$, and the frequency to 2.4 GHz. The generation rate of UDP packets at nodes $A_i$, $i \geq 1$, is $\lambda_i = 8.125$ pkts/s. Packets are 2000 bytes long.

[Figure 9 residue: positions of nodes $A_0$ to $A_4$ and $B_0$ to $B_4$ in the building, axes y (m) and z (m); panel (b) Side view.]

Fig. 9. Office building model. The building has 20 floors (z-axis) and 6 rooms in each floor (x and y axes).

We turn on and off transmissions at node $A_0$ to observe how it impacts the throughput of other nodes. Simulation results are shown in Figure 10. When node $A_0$ does not transmit, the throughput of node $A_4$ is 0.13 Mb/s and it incurs no packet loss. However, when node $A_0$ starts transmitting, the throughput of node $A_4$ collapses. The throughput of node $A_4$ recovers only after node $A_0$ stops transmitting.

[Plot residue: throughput (Mb/s) of node $A_4$, with the annotation "Node A0 transmits".]

2) Ring topology: We next investigate cascading DoS attacks in a ring topology with 41 pairs of nodes, as shown in Figure 11. In our previous results for linear topologies, the effect of an attack disappears once the attacker reduces its packet generation rate. However, the effect of an attack in a ring topology can last for a long period of time after the attack stops.

[Figure 11 diagram legend: $B_i$ receiver, $A_i$ transmitter.]

Fig. 11. Ring topology under cascading DoS attack. The dash circle represents the transmission range of the transmitter.

This result is illustrated in Figure 12. During the first 100 seconds, all the nodes $A_i$ ($i = 0, 1, \ldots$) generate packets at 0.5 Mb/s. At time $t = 300$ s, node $A_0$ increases its packet generation rate to 11 Mb/s. As a result, the throughput of all nodes vanishes. Yet, unlike results in linear topologies, the throughput of the nodes does not recover after node $A_0$ reduces its packet generation rate back to 0.5 Mb/s. The cyclic nature of the topology reinforces the attack even after the trigger stops.

[Figure 12 plot residue: throughput (Mb/s) versus time (second) for nodes $A_{20}$ and $A_{40}$, with the annotation "Node A0 increases packet generation rate".]

Fig. 12. Simulation results under a ring topology. When the packet generation rate of node $A_0$ increases, the throughput of nodes $A_{20}$ and $A_{40}$ vanishes. This effect continues even when the packet generation rate of node $A_0$ decreases.

VI. CONCLUSION

We describe a new type of DoS attack against Wi-Fi networks, called cascading DoS attacks. The attack exploits
a coupling vulnerability due to hidden nodes. The attack propagates beyond the starting location, lasts for long periods of time, and forces the network to operate at its lowest bit rate. The attack can be started remotely and without violating the IEEE 802.11 standard, making it difficult to trace back. We demonstrate the feasibility of such attacks through experiments on a testbed of nodes equipped with off-the-shelf Wi-Fi cards. The experiments show that a change in the traffic load of the attacker can lead to a phase transition of a remote node, from uncongested to congested states.

To provide insight into this phenomenon, we propose a new dynamical system model to characterize the sequence of node utilizations, and analyze the limiting behavior of this sequence. We show that the sequence always converges to stable fixed points while an unstable fixed point represents a phase transition point. Based on the system parameters, we identify when the system remains always uncongested, congested, or experiences a phase transition caused by a DoS cascading attack.

The analysis predicts that a phase transition occurs for R ≥ 7 in a linear network topology and provides a simple and explicit estimate of traffic load at each node under which a phase transition occurs (i.e., ρi ∈ (1/R, 0.161) for all i ≥ 1). The network is always congested when the traffic load is above the phase transition regime and always uncongested when the traffic load is below the phase transition regime. We also generalize our results to heterogeneous traffic load scenarios.

The theoretical results are corroborated with simulations and experiments. In terms of accuracy, our model is accurate in predicting that the throughput vanishes during cascading attacks (as shown by the real network experiments) as well as predicting the values of the retry parameter R for which cascading attacks are feasible. Notably, cascading attacks are feasible for the default value R = 7 used in IEEE 802.11. The analysis is also accurate in predicting the size of the phase transition region which increases with R. However, the analysis is less accurate in pinpointing the exact boundaries of the phase transition region (which is about 20% off). We defer the refinement of this particular aspect of the analysis to future work, as it would likely require a more complicated model.

Exploiting the coupling vulnerability in different network configurations represents an interesting area for future work. Experience in the security field indeed teaches that once a vulnerability is identified, more potent attacks are subsequently discovered (consider, for instance, the history of attacks on WEP [31] and MD5 [32]). In particular, it is possible that interactions between different wireless protocols that use the same spectrum (e.g., Wi-Fi, Bluetooth, and Zigbee [33]) could create a similar security issue.

Several approaches are possible to mitigate cascading DoS attacks. First, one could enable the RTS/CTS exchange, although this solution has several drawbacks, including major performance degradation under normal network operations, as mentioned in the introduction. Devising a scheme that triggers RTS/CTS under certain circumstances (e.g., multiple consecutive packet losses) could be an interesting area for future research. The second approach is to lower the retry limit. However, this could also negatively impact performance. Other approaches worth investigating include shortening packet duration [27, Ch. 5], dynamic channel selection [34], and full-duplex radios [35].

ACKNOWLEDGMENTS

This research was supported in part by the U.S. National Science Foundation under grants CNS-1409453, CNS-1908087, and DGE-1661532.

REFERENCES

[1] K. Lee, J. Lee, Y. Yi, I. Rhee, and S. Chong, “Mobile data offloading: how much can WiFi deliver?” in Proceedings of the 6th International Conference on emerging Networking EXperiments and Technologies (CoNEXT). ACM, 2010, p. 26.
[2] Cisco, “Cisco cleanair technology,” http://www.cisco.com/c/en/us/solutions/enterprise-networks/cleanair-technology/index.html.
[3] G. Bianchi, “Performance analysis of the IEEE 802.11 distributed coordination function,” IEEE Journal on Selected Areas in Communication, vol. 18, no. 3, pp. 535–547, 2000.
[4] A. Forouzan Behrouz, Data Communication and Networking. 3rd/4th Edition, Tata McGraw, 2004.
[5] M. Gast, 802.11 wireless networks: the definitive guide. O’Reilly Media, Inc., 2005.
[6] http://documentation.netgear.com/WPN824EXT/enu/202-10310-02/WPN824EXT_UG-4-6.html.
[7] http://www.tp-link.us/support/download-center.
[8] http://ui.linksys.com/WAG300N/1.01.01/help/h_AdvWSettings.htm.
[9] http://support.dlink.com/emulators/dir855/Advanced.html.
[10] L. Xin, D. Starobinski, and G. Noubir, “Cascading denial of service attacks on Wi-Fi networks,” in Communications and Network Security (CNS), 2016 IEEE Conference.
[11] R. Poisel, Modern communications jamming principles and techniques. Artech House Publishers, 2011.
[12] K. Pelechrinis, M. Iliofotou, and S. V. Krishnamurthy, “Denial of service attacks in wireless networks: The case of jammers,” Communications Surveys & Tutorials, IEEE, vol. 13, no. 2, pp. 245–257, 2011.
[13] G. Lin and G. Noubir, “On link layer denial of service in data wireless LANs,” Wireless Communications and Mobile Computing, vol. 5, no. 3, pp. 273–284, 2005.
[14] C. Chen, H. Luo, E. Seo, N. H. Vaidya, and X. Wang, “Rate-adaptive framing for interfered wireless networks,” in INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE.
[15] S. Rayanchu, A. Mishra, D. Agrawal, S. Saha, and S. Banerjee, “Diagnosing wireless packet losses in 802.11: Separating collision from weak signal,” in INFOCOM 2008. The 27th Conference on Computer Communications. IEEE.
[16] “Minstrel madwifi documentation,” http://linuxwireless.org/en/developers/Documentation/mac80211/RateControl/minstrel.
[17] R. Kinney, P. Crucitti, R. Albert, and V. Latora, “Modeling cascading failures in the north american power grid,” The European Physical Journal B-Condensed Matter and Complex Systems, vol. 46, no. 1, pp. 101–107, 2005.
[18] S. Soltan, D. Mazauric, and G. Zussman, “Cascading failures in power grids: analysis and algorithms,” in Proceedings of the 5th international conference on Future energy systems. ACM, 2014, pp. 195–206.
[19] M. Haenggi, J. G. Andrews, F. Baccelli, O. Dousse, and M. Franceschetti, “Stochastic geometry and random graphs for the analysis and design of wireless networks,” Selected Areas in Communications, IEEE Journal on, vol. 27, no. 7, pp. 1029–1046, 2009.
[20] Z. Kong and E. M. Yeh, “Wireless network resilience to degree-dependent and cascading node failures,” in Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks, 2009. WiOPT 2009. 7th International Symposium on. IEEE, 2009.
[21] A. Aziz, D. Starobinski, and P. Thiran, “Understanding and tackling the root causes of instability in wireless mesh networks,” IEEE/ACM Transactions on Networking, vol. 19, no. 4, pp. 1178–1193, 2011.
[22] S. Ray, D. Starobinski, and J. B. Carruthers, “Performance of wireless networks with hidden nodes: a queuing-theoretic analysis,” Computer Communications, vol. 28, no. 10, pp. 1179–1192, 2005.
[23] B. Rong and A. Ephremides, “Protocol-level cooperation in wireless networks: Stable throughput and delay analysis,” in Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks, 2009. WiOPT 2009. 7th International Symposium on. IEEE, 2009.
[24] L. Kleinrock, F. Tobagi et al., “Packet switching in radio channels: Part I–carrier sense multiple-access modes and their throughput-delay characteristics,” Communications, IEEE Transactions on, vol. 23, no. 12, pp. 1400–1416, 1975.
[25] D. Bertsekas and R. Gallager, “Data networks. 1992,” Prentice Hall, Englewood Cliffs, NJ, 1992.
[26] S. Lynch, Dynamical systems with applications using MATLAB. Springer, 2004.
[27] L. Xin, “Cascading attacks in Wi-Fi networks: demonstration and counter-measures,” Ph.D. dissertation, Boston University, 2018, https://open.bu.edu/handle/2144/32678.
[28] J. C. Stein, “Indoor radio WLAN performance part II: Range performance in a dense office environment,” Intersil Corporation, vol. 2401, 1998.
[29] “iperf 2 user documentation,” http://iperf.fr/iperf-doc.php.
[30] https://www.nsnam.org/doxygen/classns3_1_1_hybrid_buildings_propagation_loss_model.html#details.
[31] E. Tews, R.-P. Weinmann, and A. Pyshkin, “Breaking 104 bit WEP in less than 60 seconds,” in Information Security Applications. Springer, 2007, pp. 188–202.
[32] J. Black, M. Cochran, and T. Highland, “A study of the MD5 attacks: Insights and improvements,” in Fast Software Encryption. Springer, 2006, pp. 262–277.
[33] W. Wang, S. He, L. Sun, T. Jiang, and Q. Zhang, “Cross-technology communications for heterogeneous iot devices through artificial doppler shifts,” IEEE Transactions on Wireless Communications, vol. 18, no. 2, pp. 796–806, 2018.
[34] D. J. Leith and P. Clifford, “A self-managed distributed channel selection algorithm for wlans,” in 2006 4th International Symposium on Modeling and Optimization in Mobile, Ad Hoc and Wireless Networks. IEEE, 2006, pp. 1–9.
[35] D. Bharadia, E. McMilin, and S. Katti, “Full duplex radios,” in ACM SIGCOMM Computer Communication Review, vol. 43, no. 4. ACM, 2013, pp. 375–386.

Liangxiao Xin received his B.E. degree in Control Science and Engineering (2012) from Zhejiang University, Zhejiang, China. In 2014 and 2018, he received his M.E. degree and Ph.D degree in Systems Engineering from Boston University, respectively. In 2016, he received best paper award at IEEE CNS 2016 conference. Currently, he is working on IEEE 802.11 standardization.

David Starobinski is a Professor of Electrical and Computer Engineering, Systems Engineering, and Computer Science at Boston University. He received his Ph.D. in Electrical Engineering from the Technion - Israel Institute of Technology, in 1999. He was a visiting post-doctoral researcher in the EECS department at UC Berkeley (1999-2000), an invited Professor at EPFL (2007-2008), and a Faculty Fellow at the U.S. DoT Volpe National Transportation Systems Center (2014-2019). Dr. Starobinski received a CAREER award from the U.S. National Science Foundation (2002), an Early Career Principal Investigator (ECPI) award from the U.S. Department of Energy (2004), the 2010 BU ECE Faculty Teaching Award, and best paper awards at the WiOpt 2010 and IEEE CNS 2016 conferences. He is on the Editorial Board of the IEEE Open Journal of the Communications Society and was on the Editorial Boards of the IEEE Transactions on Information Forensics and Security and the IEEE/ACM Transactions on Networking. His research interests are in cybersecurity, wireless networking, and network economics.
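
The conclusion names, as an area for future research, a scheme that triggers RTS/CTS after multiple consecutive packet losses. The following is an added example of such a trigger, not code from the paper or its authors; the class name, both thresholds and the ACK trace are assumptions made for illustration, and only the retry limit R = 7 comes from the text. It does not model how RTS/CTS changes the outcomes, only when the trigger would switch.

```python
from dataclasses import dataclass


@dataclass
class RtsTrigger:
    """Hypothetical per-link controller: enable RTS/CTS after a run of
    unacknowledged transmissions, disable it again after a run of ACKs."""
    loss_threshold: int = 3      # assumed value; must stay below R
    success_threshold: int = 20  # assumed hysteresis before switching off
    retry_limit: int = 7         # R = 7, the retry limit the page simulates
    use_rts: bool = False
    _losses: int = 0
    _successes: int = 0

    def __post_init__(self):
        # The trigger has to fire before the packet hits the retry limit,
        # otherwise the packet is dropped without RTS/CTS ever being tried.
        if not 0 < self.loss_threshold < self.retry_limit:
            raise ValueError("loss_threshold must be between 1 and R-1")

    def on_attempt(self, acked: bool) -> bool:
        """Record one transmission outcome and return whether the next
        transmission should be preceded by an RTS/CTS exchange."""
        if acked:
            self._successes += 1
            self._losses = 0
            if self.use_rts and self._successes >= self.success_threshold:
                self.use_rts = False   # link looks healthy, drop the overhead
        else:
            self._losses += 1
            self._successes = 0
            if self._losses >= self.loss_threshold:
                self.use_rts = True    # consecutive losses: suspect hidden node
        return self.use_rts


def replay(trace, **kwargs):
    """Replay ACK outcomes; return the RTS/CTS decision in force before
    each transmission (the first entry is the initial state)."""
    ctl = RtsTrigger(**kwargs)
    decisions = []
    for acked in trace:
        decisions.append(ctl.use_rts)
        ctl.on_attempt(acked)
    return decisions


# Constructed trace: 5 ACKs, 4 losses (hidden node active), then 25 ACKs.
TRACE = [True] * 5 + [False] * 4 + [True] * 25
```

On the constructed trace, RTS/CTS is first in force for the fourth consecutive loss and stays on for the 20 acknowledged transmissions that follow, which is the overhead the hysteresis threshold trades against switching back too early.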