
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCNS.2020.2999452, IEEE Transactions on Control of Network Systems

Cascading Attacks on Wi-Fi Networks: Theory and Experiments

Liangxiao Xin, Member, IEEE, David Starobinski, Senior Member, IEEE, and Guevara Noubir, Senior Member, IEEE

L. Xin, and D. Starobinski are with the Division of Systems Engineering, Boston University, Boston, MA 02215 USA (e-mail: xlx@bu.edu; staro@bu.edu).
G. Noubir is with the Khoury College of Computer and Information Science, Northeastern University, Boston, MA 02115 USA (e-mail: noubir@ccs.neu.edu).

2325-5870 (c) 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Auckland University of Technology. Downloaded on June 07,2020 at 03:53:04 UTC from IEEE Xplore. Restrictions apply.

Abstract—We unveil the existence of a vulnerability in Wi-Fi (802.11) networks, which allows an adversary to remotely launch a Denial-of-Service (DoS) attack that propagates both in time and space. This vulnerability stems from a coupling effect induced by hidden nodes. Cascading DoS attacks can congest an entire network and do not require the adversary to violate any protocol. We demonstrate the feasibility of such attacks through experiments with real Wi-Fi cards, theoretical analysis, and ns-3 simulations. The experiment shows that an attacker can cause the throughput of a node outside its communication range to vanish. To gain insight into the root-causes of the attack, we model the network as a dynamical system and analyze its limiting behavior and stability. The model predicts that a phase transition (and hence a cascading attack) is possible in linear networks when the retry limit parameter of Wi-Fi is greater or equal to 7, and also characterizes the phase transition region in terms of the system parameters.

I. INTRODUCTION

Wi-Fi (IEEE 802.11) is a technology widely used to access the Internet. Wi-Fi connectivity is provided by a variety of organizations operating over a shared RF spectrum. These include schools, libraries, companies, towns and governments, as well as ISP hotspots and residential wireless routers. Wi-Fi traffic is also rapidly rising due to increased offloading by cellular operators [1]. The importance of Wi-Fi networks and the need to strengthen their resilience to intentional and non-intentional interference have been recognized by companies, such as Cisco [2].

Wi-Fi networks rely on simple, distributed mechanisms to arbitrate access to the shared spectrum and optimize performance. Such mechanisms include carrier sensing multiple access (CSMA), exponential back-offs, and bit rate adaptation. The behavior of these mechanisms in isolated single-hop networks has been extensively studied and is generally well-understood (see, e.g., [3]). However, due to interference coupling, these mechanisms result in complex interactions in multi-hop settings, as CSMA cannot prevent collisions caused by hidden nodes (cf. Section III for more details about the hidden node problem). As a consequence, different networks do not always evolve independently, even if they are located far away.

To understand the consequence of such interactions, suppose that some node $A_0$ increases the rate at which it generates packets, and transmits these packets in accordance with the IEEE 802.11 protocol. These transmissions may cause packet collisions at a node, say node $B_1$, concurrently receiving packets from another node, say node $A_1$. Node $A_1$ may be unable to hear transmissions by node $A_0$ due to the hidden node problem. As a result, node $A_1$ keeps retransmitting packets which collide with the packets sent by node $A_0$. These retransmissions by node $A_1$ may in turn affect the ability of other nodes in the network to successfully communicate, thus causing this phenomenon to propagate. We note that the total number of packet retransmissions (including the original transmission) cannot exceed the so-called retry limit, after which a packet must be dropped. We will show in the sequel that the retry limit plays a major role in sustaining the propagation effect.

An optional mechanism, called request-to-send and clear-to-send (or RTS/CTS), has been designed to combat the hidden node problem. However, this mechanism increases overhead and latency especially at high bit rates. Since the cost of the RTS/CTS exchange usually does not justify its benefits, it is commonly disabled [4], [5]. Indeed, most manufacturers of Wi-Fi cards disable RTS/CTS by default and discourage changing this setting as explicitly stated in [6]–[9]. Therefore, most Wi-Fi systems today operate without RTS/CTS.

The coupling phenomenon induced by interferences creates multi-hop dependencies, which an adversary can take advantage of to launch a widespread network attack from a single location. We refer to such an attack as a cascading Denial-of-Service (DoS) attack. Cascading DoS attacks are especially dangerous because they affect the entire network and do not require the adversary to violate any protocol (i.e., the attacks are protocol-compliant).

The contributions of this paper are as follows. First, we unveil the existence of a vulnerability in the IEEE 802.11 standard, which allows an attacker to launch protocol-compliant cascading DoS attacks. In contrast to existing jamming attacks, the attacker does not need to be in the vicinity of the victims.

Second, we introduce a new dynamic system model that sheds light into the network behavior under attack. The model shows the existence of a phase transition. When the packet generation rate of the attacker is lower than the phase transition point, it has vanishing effect on the rest of the network. However, once the packet generation rate exceeds the phase transition point, the network becomes entirely congested.

The theoretical model shows that the sequence of node utilizations always converges to a fixed point (the utilization of a node is defined as the fraction of time during which the
node transmits). We characterize the different types of fixed points (stable and unstable) and show that a phase transition is associated with the existence of an unstable fixed point. The model explicitly predicts for which values of the retry limit a phase transition (and hence a cascading attack) can occur. In particular, we show that a phase transition can occur for the default value of the retry limit in Wi-Fi, which is 7.

Finally, we concretely demonstrate the attack through experiments on a testbed composed of nodes equipped with real Wi-Fi cards and provide simulation results obtained with the ns-3 simulator that corroborate the theoretical results in various network topologies.

The rest of the paper is organized as follows. In Section II, we discuss related work. In Section III, we provide brief background on Wi-Fi and hidden nodes, and introduce the network model and attack scenario. Section IV presents our theoretical analysis. We present experimental and simulation results that verify the findings in Section V. Section VI concludes the paper.

An earlier version of this paper appeared in the proceedings of the IEEE Conference on Communications and Network Security (CNS 2016) [10]. This journal version significantly expands the theoretical analysis, including detailed proofs and new results on stability analysis and heterogeneous traffic load, which can be found in Section IV. Moreover, new simulation results for networks based on a realistic indoor building model and ring networks are presented in Section V.

II. RELATED WORK

In general, the main goal of a DoS attack is to make communication impossible for legitimate users. Within the context of wireless networks, a simple and popular means to launch a DoS attack is to jam the network with high power transmissions of random bits, hence creating interferences and congestion. Jamming at the physical layer, together with anti-jamming countermeasures, have been extensively studied (cf. [11] for a monograph on this subject).

More recently, several works have developed and demonstrated smart jamming attacks. These attacks exploit protocol vulnerabilities across various layers in the stack to achieve high jamming gain and energy efficiency, and a low probability of detection [12]. For instance, [13] shows that the energy consumption of a smart jamming attack can be four orders of magnitude lower than continuous jamming. However, both conventional and smart jamming attacks are usually non-protocol compliant. Moreover, they require physical proximity. These limitations can be used to identify and locate the jammer.

In contrast, in this work we show how a protocol-compliant DoS attack can be remotely launched by exploiting coupling due to hidden nodes in Wi-Fi. Rate adaptation algorithms further amplify this attack due to their inability to distinguish between collisions, interferences, and poor channels. One potential mitigation is to design a rate adaptation algorithm whose behaviour is based on the observed interference patterns [14], [15]. However, to the best of our knowledge, none of these rate adaptation algorithms are used in practice. Our work is based on Minstrel [16], which is the most recent, popular, and robust rate adaptation algorithm for Linux systems.

The attacks that we are investigating bear similarity to cascading failures in power transmission systems [17], [18]. When one of the nodes in the system fails, it shifts its load to adjacent nodes. These nodes in turn can be overloaded and shift their load further. This phenomenon has also been studied in wireless networks. For instance, [19], [20] model wireless networks as a random geometric graph topology generated by a Poisson point process. They use percolation theory to show that the redistribution of load induces a phase transition in the network connectivity. However, the cascading phenomenon that we investigate in this paper is different from cascading failure studied in those works. In our work, the exogenous generation of traffic at each node is independent. That is, a node will not shift its load to other nodes. The amount of traffic measured on the channel increases due to packet retransmissions caused by packet collisions, rather than due to traffic redistribution.

The work in [21] shows that interference coupling can affect the stability of multi-hop networks. In the case of a greedy source, a three-hop network is stable while a four-hop network becomes unstable. In contrast, in our work, the path of each packet consists of a single hop. Thus, network instability is not due to multi-hop communication in our case.

The work in [22] shows that local coupling due to interferences can have global effects on wireless networks. Thus, it proposes a queuing-theoretic analysis and approximation to predict the probability of a packet collision in a multi-hop network with hidden nodes. It shows that the sequence of the packet collision probabilities in a linear network converges to a fixed point.

Our paper differs in several aspects. First, it considers an adversarial context, and shows how interference-induced coupling can be exploited to cause denial of service. Second, to our knowledge, it is the first work to demonstrate the existence of such coupling on real commodity hardware. Finally, our analytical model is original and captures the impact of the retry limit and traffic parameters. A key result is that a cascading attack can be launched for the default value of the retry limit in Wi-Fi, a result validated by the experiments and simulations.

III. BACKGROUND AND MODEL

A. IEEE 802.11 Back-off Mechanism

The IEEE 802.11 standard uses the CSMA/CA mechanism to control access to the transmission medium and avoid collisions. After a packet is sent, a node waits for a short interframe slots (SIFS) period to receive an acknowledgment (ACK). Whenever the channel becomes idle, the node waits for a distributed interframe space (DIFS > SIFS) period and a random backoff before contending for the channel. The random backoff consists of a random number of backoff slots, which depends on the so-called contention window. Specifically, at the $r \ge 1$ retransmission attempt (retry count), the contention window $CW_r$ is given by

$$CW_r = \begin{cases} 2^{r-1}(CW_1 + 1) - 1 & CW_r < CW_{\max}, \\ CW_{\max} & \text{otherwise.} \end{cases} \tag{1}$$


Fig. 1. Classical hidden node problem. The transmitter and the hidden node cannot sense each other. The collision happens when they transmit simultaneously. [Figure: a transmitter (Tx), a receiver (Rx) and a hidden node.]

The number of backoff slots is chosen uniformly at random in the interval $[0, CW_r]$. For IEEE 802.11b, the initial contention window size is $CW_1 = 31$, the maximum contention window size is $CW_{\max} = 1023$, and the duration of a backoff slot is 20 µs. Note that the case $r = 1$ corresponds to the initial packet transmission attempt.

B. The Hidden Node Problem

A typical instance of the hidden node problem is illustrated in Figure 1. The figure shows three nodes: a transmitter, a receiver and a hidden node. The dashed circle represents the transmission range of the node. Since the transmitter and the hidden node cannot sense each other, a collision happens when both of them transmit packets at the same time.

A packet collision triggers a retransmission. In IEEE 802.11, there is an upper limit on the number of retransmissions that a packet can incur, called retry limit and denoted by $R$ (the default value is $R = 7$). If the retry count $r$ of a packet exceeds the retry limit, the packet is dropped, the retry count is reset to $r = 1$, and a new packet transmission can start. The channel utilization of a node increases with the probability of a packet collision. In the worst case, the utilization can be $R$ times larger than in the absence of packet collisions. Therefore, the access channel of a node can easily be saturated if it is forced to retransmit packets.

C. Network Model

The network model considered in this paper is shown in Figure 2. This configuration could arise over different time and space in more complex network topologies. We consider $N + 1$ pairs of nodes. Each node $A_i$ ($i = 0, 1, 2, \ldots, N$) transmits packets to node $B_i$. The dashed circle represents the range of transmission. Node $B_{i+1}$ can receive packets from both node $A_i$ and node $A_{i+1}$. However, node $A_i$ and node $A_{i+1}$ cannot hear each other. That is, node $A_i$ is a hidden node with respect to node $A_{i+1}$ (and vice-versa). A packet collision happens at node $B_{i+1}$ when packet transmissions by node $A_i$ and $A_{i+1}$ overlap.

In general, the linear topology considered here represents a propagation path used by an attack. It is possible for an attack to be launched in a more general network as long as such a propagation path exists. We show a concrete example in our simulations in Section V-C.

Fig. 2. Topology of the network. Node $A_i$ transmits packets to node $B_i$. Node $A_i$ is a hidden node with respect to $A_{i+1}$. [Figure: linear chain of nodes $B_0$, $A_0$, $B_1$, $A_1$, ..., $B_i$, $A_i$, $B_{i+1}$, $A_{i+1}$; legend: $B_i$ receiver, $A_i$ transmitter.]

We assume that all the nodes communicate over the same channel. Note that there are only three non-overlapping channels in the 2.4 GHz band. Hence, it is common that several nodes use the same channel over time and space in crowded areas. For instance, in a dense Wi-Fi network, each cell has multiple neighboring cells. Since there are only three non-overlapping channels, some neighboring cells will necessarily share the same channel (i.e., there could be other pairs of nodes using different channels which are not shown in Figure 2).

D. Attack Scenario

Our goal is to investigate how node $A_0$ can trigger a cascading DoS attack, resulting in a congestion collapse over the entire network. We start by increasing the packet generation rate at node $A_0$. Node $A_0$ transmits packets over its channel, in compliance with the IEEE 802.11 standard. The transmissions by node $A_0$ cause packet collisions at node $B_1$. These collisions require node $A_1$ to retransmit packets. The increased amount of packet transmissions and retransmissions by node $A_1$ impact node $A_2$ and so forth. If this effect keeps propagating and amplifying, then the result is a network-wide denial of service, which we refer to as a cascading Denial of Service (DoS) attack. Because this attack is protocol-compliant, it is difficult to detect or trace back to the initiator.

E. Impact of exponential back-off

When a hidden node retransmits its packets, it must back off after each retransmission, which leaves the channel idle for a certain period of time. The duration of the backoff period is generally too short to allow for a successful transmission. Indeed, a packet transmission is successful only if

1) The size of the contention window of the hidden node is longer than the packet transmission time.
2) The transmitter starts and ends its transmission entirely during the backoff period of the hidden node.

At 1 Mb/s, the transmission time of a 1500-byte packet lasts 12 ms. This is longer than the contention window as long as $CW_r < CW_{\max} = 1023$. Hence, by Eq. (1), a transmission cannot be successful during the backoff period preceding the $r < 6$ retransmission attempt by a hidden node. Note that in the attack scenarios considered in this paper, each transmitter is a hidden node (i.e., it does not hear the transmissions of other nodes). Hence, the backoff counter keeps counting down and never freezes.


At the $r \ge 6$ retransmission attempt by a hidden node $A_i$, $CW_r = CW_{\max} = 1023$. Node $A_i$ backs off for $n$ slots, where $n$ is an integer between 0 and 1023 that is picked uniformly at random (i.e., with probability 1/1024). Since the length of a backoff slot is 20 µs, the backoff delay is $0.02n$ ms. Without loss of generality, assume that node $A_i$ starts backing off at time $t = 0$ and ends its backoff at time $t = 0.02n$ (all the time units are in milliseconds). Node $A_i$ then starts a packet transmission, which ends at time $t = 0.02n + 0.12$.

Node $A_{i+1}$ can transmit a packet successfully only if it starts its transmission during the time interval $[0, 0.02n - 12]$. This requires $n > 600$. Assuming that the starting time of the packet transmission by node $A_{i+1}$ is uniformly distributed in the time interval $[0, 0.02n + 12]$, the probability that a packet is successfully transmitted by node $A_{i+1}$ is

$$\sum_{n=600}^{1023} \frac{1}{1024} \cdot \frac{0.02n - 12}{0.02n + 12} = 0.059.$$

Thus, the likelihood of a successful packet transmission is low, a result validated by the experimental and simulation results of Section V.

IV. ANALYSIS

In this section, we develop an analytical model that provides insight into the network behavior under attack. Specifically, our goals are to explain why and under what conditions an attacker can congest a remote node and cause its throughput to vanish, and to shed light into the roles played by the retry limit $R$ and the traffic load at the different nodes.

A. Model

We consider the linear topology shown in Figure 2. Packet generations at each node $A_i$ form a Poisson process with rate $\lambda_i$. The packet size is fixed and the duration of each packet transmission attempt is $T$ (we assume a fixed bit rate). A transmission by node $A_{i+1}$ is successful only if it does not overlap with any transmission by (hidden) node $A_i$.

If a packet collides, it is retransmitted until either it is successfully received or the retry count reaches the limit $R$. Let $1 \le r_i \le R$ represent the mean retry count at node $A_i$. Note that the initial packet transmission is included in that count. Then, the mean service time of a packet at node $A_i$ is $r_i T$. To keep the analysis tractable, timing details of Wi-Fi, such as DIFS, SIFS, and back-off inter-frame spacing are ignored. Therefore the upper limit of the utilization equals 1 in our analysis.

We denote the utilization of node $A_i$ by $0 \le u_i \le 1$, where $u_i$ represents the fraction of time node $A_i$ transmits. If $u_i = 1$, node $A_i$ is congested and transmits continuously. Otherwise, node $A_i$ is uncongested and transmits packets at rate $r_i \lambda$. Therefore, the utilization of node $A_i$ for all $i \ge 0$ is

$$u_i = \min\{r_i \lambda_i T, 1\}. \tag{2}$$

Note that there is no retransmission at node $A_0$ and $r_0 = 1$.

Our model represents a special case of interacting queues, which are notoriously difficult to analyze [23]. To make the analysis tractable, we assume that:

1) Packet transmissions and retransmissions at each uncongested node $A_i$ form a Poisson process with rate $r_i \lambda$.
2) The probability that a packet transmitted by node $A_i$ collides is independent of previous attempts. This probability is denoted $p_i$.

Our model is similar to the “random-look” model used by Kleinrock and Tobagi in their analysis of (single hop) random access networks [24] (see also Ch. 4 of [25]). We stress that besides these assumptions, the rest of our analysis is exact. Note that the experiments and simulations shown in Section IV do not incorporate the simplifications used to make the analysis tractable, yet they produce the same effects.

B. Iterative analysis of the utilization

Our goal is to find the utilization at each node $i \ge 0$ and in the limit as $i \to \infty$. We consider the same scenario as in our simulations, whereby node $A_0$ (the attacker) varies its traffic load

$$\rho_0 \triangleq \lambda_0 T, \tag{3}$$

while all other nodes $A_i$ ($i \ge 1$) have the same traffic load

$$\rho \triangleq \lambda_i T, \tag{4}$$

where $0 < \rho < 1$. We aim to understand if and how changes in the value of $\rho_0$ affect the utilization of nodes that are located far away as a function of the parameters $\rho$ and $R$.

First, we get the utilization at node $A_0$:

$$u_0 = \min\{\rho_0, 1\}. \tag{5}$$

We next develop an iterative procedure to derive $u_{i+1}$ from $u_i$. From (2) and (4),

$$u_{i+1} = \min\{r_{i+1} \rho, 1\}. \tag{6}$$

We first relate $r_{i+1}$ to $p_{i+1}$, the probability that a packet transmitted by node $A_{i+1}$ collides. Based on Assumption 2, the probability that a packet is successfully received after $1 \le r \le R$ attempts is $(1 - p_{i+1})(p_{i+1})^{r-1}$ while the probability that a packet fails to be received after $R$ attempts is $(p_{i+1})^R$. Hence, the mean retry count at node $A_{i+1}$ is

$$\begin{aligned} r_{i+1} &= \sum_{r=1}^{R} r \cdot (1 - p_{i+1}) \cdot (p_{i+1})^{r-1} + R \cdot (p_{i+1})^R \\ &= \sum_{r=1}^{R} (p_{i+1})^{r-1}. \end{aligned} \tag{7}$$

We next relate $p_{i+1}$ to $u_i$. First, suppose $u_i < 1$ (i.e., node $A_i$ is uncongested). Assume that node $A_{i+1}$ starts a packet transmission (or retransmission) at some arbitrary time $t = t_0$. We compute $p_{i+1}$ by conditioning on whether or not node $A_i$ is transmitting at time $t_0$. Note that due to the Poisson Arrivals See Time Averages (PASTA) property, the transmission state of node $A_i$ at time $t = t_0$ is the same as at any random point of time.

If node $A_i$ transmits at time $t_0$, which occurs with probability $u_i$, then the packet transmitted by node $A_{i+1}$ collides with probability 1. If node $A_i$ does not transmit at time $t_0$, which occurs with probability $1 - u_i$, then a collision
occurs only if node $A_i$ starts a transmission during the interval $[t_0, t_0 + T]$. Since the packet inter-arrival time on the channel is exponentially distributed with mean $r_i T$, such an event occurs with probability

$$(1 - e^{-r_i \lambda_i T}) = (1 - e^{-u_i}), \tag{8}$$

based on Assumption 1. Therefore, the unconditional probability that a packet transmitted by node $A_{i+1}$ collides is

$$\begin{aligned} p_{i+1} &= 1 \cdot u_i + (1 - e^{-u_i}) \cdot (1 - u_i) \\ &= 1 - e^{-u_i}(1 - u_i). \end{aligned} \tag{9}$$

Next, suppose $u_i = 1$ (i.e., node $A_i$ is congested). In that case, all the transmissions by node $A_{i+1}$ collide and $p_{i+1} = 1$. We note that (9) still provides the correct result.

Putting (6), (7), and (9) together, we obtain

$$u_{i+1} = \min\left\{ \rho \sum_{r=1}^{R} \left(1 - e^{-u_i}(1 - u_i)\right)^{r-1},\ 1 \right\}. \tag{10}$$

C. Limiting behaviour of the utilization

We next analyze the limiting behaviour of the iteration given by (10). The sequence $(u_i)_{i=0}^{\infty}$ corresponds to a discrete non-linear dynamical system [26]. Such systems are generally complex as they may converge to a point, to a cycle (i.e., they exhibit periodic behaviour), or not converge at all (i.e., they exhibit chaotic behaviour).

The main result of this section is to show that the sequence $(u_i)_{i=0}^{\infty}$ always converges to a point. However, the limit depends on the initial utilization $u_0$.

To simplify notation, we define the function

$$f(u_i) \triangleq \rho \sum_{r=1}^{R} \left(1 - e^{-u_i}(1 - u_i)\right)^{r-1}. \tag{11}$$

We then rewrite (10) as follows:

$$u_{i+1} = \min\{f(u_i), 1\}. \tag{12}$$

We say that $\omega \in [0, 1]$ is a fixed point of (12) if

$$\omega = \min\{f(\omega), 1\}. \tag{13}$$

Suppose (13) has $K$ different fixed points (Theorem 2 in the sequel will show that $K \ge 1$). We denote by $\Omega$ the ordered set of all the fixed points of (13). That is,

$$\Omega \triangleq \{\omega_1, \ldots, \omega_k, \ldots, \omega_K\}, \tag{14}$$

where $\omega_1 < \ldots < \omega_k < \ldots < \omega_K$.

We are next going to show that for any $u_0 \in [0, 1]$, the limit of the sequence $(u_i)_{i=0}^{\infty}$ is one of the elements in $\Omega$. To prove this result, we will use the following lemma.

Lemma 1: Let $u, u' \in (\omega_k, \omega_{k+1})$, where $k \in \{1, \ldots, K - 1\}$. If $f(u) > u$, then $f(u') > u'$. If $f(u) < u$, then $f(u') < u'$.

Proof: The proof goes by contradiction. Let $u, u' \in (\omega_k, \omega_{k+1})$. Suppose $f(u) > u$ and $f(u') < u'$. Since $f$ is continuous in $(\omega_k, \omega_{k+1})$, then by the intermediate-value theorem there exists a point $u''$ between $u$ and $u'$ such that $f(u'') = u''$. Thus, $u''$ is a fixed point of (13). This contradicts the fact that no fixed point exists between $\omega_k$ and $\omega_{k+1}$.

We now present the main result of this section.

Theorem 1:
1) Let $u_0 \in (\omega_k, \omega_{k+1})$, where $k \in \{1, \ldots, K - 1\}$. If $f(u_0) > u_0$, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_{k+1}$. If $f(u_0) < u_0$, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_k$.
2) If $u_0 \in [0, \omega_1)$, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_1$.
3) If $\omega_K < 1$ and $u_0 \in (\omega_K, 1]$, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_K$.

Proof:
1) Let $\omega_k < u_0 < \omega_{k+1}$, where $k \in \{1, \ldots, K - 1\}$. Since $p_i \in (0, 1)$, the function $f$ is continuous and monotonically increasing. Therefore, $f(\omega_k) < f(u_0) < f(\omega_{k+1})$. Hence, according to (12) and (13), we get

$$\omega_k \le u_1 \le \omega_{k+1}. \tag{15}$$

Now, suppose $u_1 = f(u_0) > u_0$. If $u_1 = \omega_{k+1}$, then the result is proven. If $u_1 < \omega_{k+1}$, then by Lemma 1 and Equation (15), we have $u_2 = f(u_1) > u_1$. Applying the same argument inductively, either there exists some value $M \ge 2$ such that $u_i = \omega_{k+1}$ for all $i \ge M$, or the sequence $(u_i)_{i=0}^{\infty}$ is monotonically increasing and upper bounded by $\omega_{k+1}$. According to the monotone convergence theorem, the sequence converges. Since there is no other fixed point between $u_0$ and $\omega_{k+1}$ and $f$ is continuous, the sequence $(u_i)_{i=0}^{\infty}$ must converge to $\omega_{k+1}$. The case $u_1 = f(u_0) < u_0$ is handled similarly.
2) Similar to Lemma 1, one can show that if there exists $u \in [0, \omega_1)$ such that $f(u) > u$, then $f(u_0) > u_0$ for all $u_0 \in [0, \omega_1)$. Since $f(0) = \rho > 0$, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_1$.
3) This is handled similarly to case 2.

In summary, the existence of fixed points is determined by the utilization of all the nodes except the attacking node. The fixed points can be computed by solving (13). Once the fixed points are known, Theorem 1 provides the ranges of utilization of the attacking node $u_0$ for which the sequence converges to each fixed point.

D. Phase transition analysis

In the previous section, we showed that the limit of the sequence of node utilizations $(u_i)_{i=0}^{\infty}$ must be one of the fixed points in the set $\Omega$. A phase transition represents a situation where a small change of $u_0$ leads to an abrupt change of the limit. Specifically, we focus on the case when the limit jumps to 1. Formally:

Definition 1 (Network congestion): A network is said to be congested if $(u_i)_{i=0}^{\infty}$ converges to 1. Else, the network is said to be uncongested.

Definition 2 (Phase transition): A network experiences a phase transition if there exists a fixed point $\omega \in \Omega$, such that if $u_0 < \omega$ the network is uncongested, and if $u_0 > \omega$ the network is congested. We refer to $\omega$ as the phase transition point.

We note that a phase transition can possibly occur only if $\omega_K = 1$, since otherwise the network is never congested, irrespective of $u_0$.
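The iteration (12), the fixed-point set of (13)-(14) and the phase transition point of Definition 2 can be explored numerically. The following Python sketch is an added example, not code from the paper or its authors; the function names, the grid-plus-bisection root search and the sample load ρ = 0.15 are assumptions of this example.

```python
import math


def collision_prob(u):
    """Eq. (9): collision probability at A_{i+1} when hidden node A_i has utilization u."""
    return 1.0 - math.exp(-u) * (1.0 - u)


def f(u, rho, R):
    """Eq. (11): load rho times the mean retry count sum_{r=1..R} p^(r-1) of Eq. (7)."""
    p = collision_prob(u)
    return rho * sum(p ** (r - 1) for r in range(1, R + 1))


def step(u, rho, R):
    """Eq. (12): utilization of the next node in the chain."""
    return min(f(u, rho, R), 1.0)


def limit_utilization(u0, rho, R, max_hops=100_000, tol=1e-12):
    """Iterate Eq. (12) from the attacker's utilization u0 until the sequence settles."""
    u = min(max(u0, 0.0), 1.0)
    for _ in range(max_hops):
        nxt = step(u, rho, R)
        if abs(nxt - u) < tol:
            return nxt
        u = nxt
    return u


def fixed_points(rho, R, grid=2000):
    """Ordered set Omega of Eq. (14): solutions of w = min{f(w), 1} on [0, 1]."""
    def g(w):
        return step(w, rho, R) - w

    roots = []
    for k in range(grid):
        a, b = k / grid, (k + 1) / grid
        ga, gb = g(a), g(b)
        if ga == 0.0:                 # exact hit on a grid point below 1
            roots.append(a)
        elif ga * gb < 0:             # sign change: refine by bisection
            for _ in range(60):
                m = 0.5 * (a + b)
                if g(a) * g(m) <= 0:
                    b = m
                else:
                    a = m
            roots.append(0.5 * (a + b))
    if step(1.0, rho, R) == 1.0:      # w = 1 is a fixed point whenever f(1) = R*rho >= 1
        roots.append(1.0)
    return roots


def phase_transition_point(rho, R):
    """Definition 2: largest fixed point below 1 when w = 1 is also a fixed point, else None."""
    omega = fixed_points(rho, R)
    if len(omega) >= 2 and omega[-1] == 1.0:
        return omega[-2]
    return None


if __name__ == "__main__":
    rho = 0.15  # constructed sample load for the non-attacking nodes
    for R in (4, 7):
        omega = fixed_points(rho, R)
        print(f"R={R}: fixed points {[round(w, 4) for w in omega]}, "
              f"phase transition point {phase_transition_point(rho, R)}")
        for u0 in (0.1, 0.5, 0.9, 1.0):
            print(f"    u0={u0:.1f} -> limit utilization {limit_utilization(u0, rho, R):.4f}")
```
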


A network must fall in one of the following three regimes:

1) The network is uncongested for all $u_0 \in [0, 1]$.
2) The network is congested for all $u_0 \in [0, 1]$.
3) A phase transition occurs.

Our goal in the following is to determine what regime prevails under different network parameters.

For this purpose, we investigate the existence and properties of solutions of (13). First, we investigate the case $\omega = 1$.

Lemma 2: If $\rho > 1/R$, then
1) $\omega_K = 1$.
2) If $K = 1$, then for all $u_0 \in [0, \omega_K]$ the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_K$.
3) If $K \geq 2$, then for all $u_0 \in (\omega_{K-1}, \omega_K]$ the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_K$.

Proof:
1) Let $\rho \geq 1/R$. We compute the RHS of (13) at $\omega = 1$ and obtain $\min\{f(1), 1\} = \min\{R\rho, 1\} = 1$, which proves that a fixed point indeed exists at $\omega = 1$.
2) If $\rho > 1/R$, then $f(1) = R\rho > 1$. Since $f(1) > 1$, then for all $u_0 \in (0, \omega_K)$, we have $f(u_0) > u_0$, based on an argument similar to Lemma 1, and the sequence $(u_i)_{i=0}^{\infty}$ converges to 1, following an argument similar to Theorem 1.
3) This is handled similarly to Part 2.

Lemma 2 indicates that the sequence $(u_i)_{i=0}^{\infty}$ can converge to 1 (depending on $u_0$), if $\rho > 1/R$. Besides this special case, (13) can be rewritten

$$f(\omega) = \omega. \tag{16}$$

We look for solutions of (16) that belong to the interval $[0, 1]$. Each such solution is an element of $\Omega$.

Equation (16) is difficult to work with because it contains two unknown variables, $\rho$ and $R$. To circumvent this difficulty, we introduce the function

$$h_R(\omega) \triangleq \frac{\rho\,\omega}{f(\omega)} = \frac{\omega}{\sum_{r=1}^{R} \left(1 - e^{-\omega}(1 - \omega)\right)^{r-1}}. \tag{17}$$

For each value of $\rho$, the solutions of (16) must satisfy

$$h_R(\omega) = \rho. \tag{18}$$

We denote the maximum of $h_R(\omega)$ by

$$h_R^{\max} \triangleq \max_{0 \leq \omega \leq 1} h_R(\omega).$$

The following theorem establishes the prevailing network regimes for different parameters.

Theorem 2:
1) If $\rho < 1/R$, then the network is uncongested for all $u_0 \in [0, 1]$.
2) If $h_R^{\max} > 1/R$ and $1/R < \rho < h_R^{\max}$, then a phase transition occurs and the phase transition point is $\omega_{K-1}$.
3) If $\rho > h_R^{\max}$, then the network is congested for all $u_0 \in [0, 1]$.

Proof:
1) If $\rho < 1/R$, then $R\rho < 1$ and the utilization of each node is always less than 1. Hence, for any $u_0 \in [0, 1]$, the network is always uncongested. Note that since $h_R(0) = 0$, $h_R(1) = 1/R$, and $h_R$ is continuous, (18) must have at least one solution (i.e., at least one fixed point exists).
2) Let $\rho \in (1/R, h_R^{\max})$. We know that $h_R(0) = 0$ and $h_R(1) = 1/R$. Since the function $h_R$ is continuous, (18) must have at least one solution (i.e., at least one fixed point strictly smaller than 1 exists). Also, because $\rho > 1/R$, a fixed point at $\omega = 1$ exists (i.e., $\omega_K = 1$), by Part 1 of Lemma 2. Thus, there are $K \geq 2$ fixed points. By Part 3 of Lemma 2, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_K$ for all $u_0 \in (\omega_{K-1}, \omega_K]$. Moreover, by Theorem 1, the limit of the sequence $(u_i)_{i=0}^{\infty}$ is no larger than $\omega_{K-1}$ for all $u_0 \leq \omega_{K-1}$. Hence, a phase transition exists at $\omega_{K-1}$.
3) If $\rho > h_R^{\max}$, then (16) has no solution. Moreover, since $\rho > h_R^{\max} \geq h_R(1) = 1/R$, we get $\rho > 1/R$. By Parts 1 and 2 of Lemma 2, the sequence $(u_i)_{i=0}^{\infty}$ converges to 1 for any $u_0 \in [0, 1]$, and the network is always congested.

Theorem 2 establishes whether the network is always uncongested, is susceptible to a phase transition, or is always congested, depending on the network parameters. We illustrate this theorem for different values of $R$ and $\rho$, using Figure 3.

[Figure 3: three panels, (a) $R = 4$, (b) $R = 7$, (c) $R = 10$, each plotting $h_R(\omega)$ as load $\rho$ versus $\omega$, with the Congested, Phase Transition and Uncongested regions marked.]

Fig. 3. Illustration of the different network regimes for different values of $R$. For each value of $\rho$, the fixed points are the solutions of $h_R(\omega) = \rho$. In addition, the fixed point $\omega = 1$ always exists when $\rho > 1/R$. A phase transition region exists if the maximum of $h_R(\omega)$, $h_R^{\max}$, is strictly greater than $h_R(1) = 1/R$.

First, consider $R = 4$ as shown in Figure 3(a). Since $h_R^{\max} = 1/R = 0.25$, there exists no traffic load $\rho$ for which a phase transition exists. Either the network is always uncongested (for $\rho < 1/R$), or it is always congested (for $\rho > 1/R$).

Next, consider $R = 7$ as shown in Figure 3(b). There, $h_R^{\max} = 0.166 > 1/R = 0.143$. Hence, a phase transition occurs if $\rho \in (0.143, 0.166)$. For instance, consider the case $\rho = 0.15$. Then, the equation $h_R(\omega) = \rho$ has two solutions. Including the fixed point $\omega = 1$ (since $\rho > 1/R$), the set $\Omega$ has $K = 3$ fixed points: $\{\omega_1 = 0.265, \omega_2 = 0.777, \omega_3 = 1\}$. Hence, by Theorem 2, the network is uncongested if $u_0 < 0.777$, and congested if $u_0 > 0.777$.

The case $R = 10$ also has a phase transition region, as shown in Figure 3(c). Furthermore, the size of this region is larger since $(1/R, h_R^{\max}) = (0.1, 0.162)$.

E. Sufficient condition for phase transition

In the previous section, we showed that a phase transition exists in the region $1/R < \rho < h_R^{\max}$, if $h_R^{\max} > 1/R$.
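The regime test of Theorem 2 and the Figure 3 numbers can be checked numerically for any retry limit and load. The Python sketch below is an added example, not code from the paper; it assumes that (13) is the iteration $u_{i+1} = \min\{f(u_i), 1\}$ with $f(\omega) = \rho \sum_{r=1}^{R} (1 - e^{-\omega}(1-\omega))^{r-1}$, as implied by (17), and all function names are ours.

```python
import math

def gamma(omega, R):
    """Denominator of (17): sum_{r=1}^{R} (1 - e^{-omega}(1 - omega))^(r-1)."""
    q = 1.0 - math.exp(-omega) * (1.0 - omega)
    return sum(q ** k for k in range(R))

def h(omega, R):
    """h_R(omega) of (17)."""
    return omega / gamma(omega, R)

def f(omega, R, rho):
    """f(omega) = rho * omega / h_R(omega), the map whose fixed points solve (16)."""
    return rho * gamma(omega, R)

def h_max(R, n=2000):
    """Maximum of h_R over [0, 1], estimated on a uniform grid (includes omega = 1)."""
    return max(h(i / n, R) for i in range(n + 1))

def regime(R, rho):
    """Classify (R, rho) according to the three cases of Theorem 2."""
    lo, hi = 1.0 / R, h_max(R)
    if rho < lo:
        return "uncongested"
    if lo < rho < hi:
        return "phase transition"
    if rho > hi:
        return "congested"
    return "boundary"  # rho equal to 1/R or h_max: not covered by Theorem 2

def fixed_points(R, rho, n=2000, tol=1e-10):
    """Solutions of h_R(omega) = rho in [0, 1], plus omega = 1 when rho > 1/R."""
    g = lambda w: h(w, R) - rho
    roots = []
    for i in range(n):
        a, b = i / n, (i + 1) / n
        ga, gb = g(a), g(b)
        if (ga < 0) != (gb < 0):          # sign change: bisect inside [a, b]
            while b - a > tol:
                m = 0.5 * (a + b)
                if (g(m) < 0) == (ga < 0):
                    a = m
                else:
                    b = m
            roots.append(0.5 * (a + b))
    if rho > 1.0 / R:                     # special fixed point of Lemma 2
        roots.append(1.0)
    return roots

def limit(R, rho, u0, steps=2000):
    """Iterate the assumed form of (13), u <- min(f(u), 1), starting from u0."""
    u = u0
    for _ in range(steps):
        u = min(f(u, R, rho), 1.0)
    return u

if __name__ == "__main__":
    for R in (4, 7, 10):
        print(R, round(1.0 / R, 3), round(h_max(R), 3))
    print(regime(7, 0.15), [round(w, 3) for w in fixed_points(7, 0.15)])
    print(limit(7, 0.15, 0.70), limit(7, 0.15, 0.80))
```

Running `regime` over the retry limits and loads of a deployment shows which configurations sit inside the interval $(1/R, h_R^{\max})$, where the utilization of the first node decides whether the rest of the chain is congested.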


In this section, we derive an explicit lower bound on $h_R^{\max}$, which provides a simple condition for the existence of a phase transition. First, we establish a relationship between the derivatives of $h_R(\omega)$ for different values of $R$, but a given value of $\omega$. The proof of the following lemma can be found in [27].

Lemma 3: For $\omega \in [0, 1]$, if there exists $R^* \geq 1$ such that $h'_{R^*}(\omega) \leq 0$, then $h'_R(\omega) \leq 0$ for all $R > R^*$.

Next, consider the function $h_R(\omega)$ as $R \to \infty$:

$$h_\infty(\omega) = \left(1 - \left(1 - e^{-\omega}(1 - \omega)\right)\right)\omega = e^{-\omega}(1 - \omega)\,\omega, \tag{19}$$

and its derivative

$$h'_\infty(\omega) = e^{-\omega}(1 - 3\omega + \omega^2). \tag{20}$$

The next corollary is the logical transposition of Lemma 3.

Corollary 1: If $h'_\infty(\omega) \geq 0$, then $h'_R(\omega) \geq 0$ for all $R \geq 1$.

The following lemma establishes that the function $h_R(\omega)$ is always strictly increasing in the interval $[0, \bar{\omega})$, where

$$\bar{\omega} \triangleq \frac{3 - \sqrt{5}}{2}. \tag{21}$$

Lemma 4: Let $0 \leq \omega < \bar{\omega}$. Then, $h'_R(\omega) > 0$, for all $R \geq 1$.

Proof: Let the function $h_\infty(\omega)$ and its derivative $h'_\infty(\omega)$ be defined as in (19) and (20), respectively. Since $e^{-\omega}$ is always positive, $h'_\infty(\omega)$ has the same sign as $(1 - 3\omega + \omega^2)$. The unique root of $(1 - 3\omega + \omega^2) = 0$ for $\omega \in [0, 1]$ is $\bar{\omega}$ as defined in (21).

Thus, $(1 - 3\omega + \omega^2)$ is positive when $0 \leq \omega < \bar{\omega}$, and so is $h'_\infty(\omega)$. By Corollary 1, $h'_R(\omega) > 0$ for $0 \leq \omega < \bar{\omega}$ and for all $R \geq 1$.

The consequence of Lemma 4 is that for all $R \geq 1$,

$$h_R^{\max} \geq h_R(\bar{\omega}). \tag{22}$$

This equation provides a lower bound on $h_R^{\max}$ that can easily be computed. We then obtain the following sufficient condition for the existence of phase transition.

Lemma 5: Let $\bar{\omega}$ be defined as in (21) and suppose $h_R(\bar{\omega}) > 1/R$. Then, a phase transition is guaranteed to exist for any $\rho \in (1/R, h_R(\bar{\omega}))$.

Proof: From Theorem 2, we know that a phase transition exists if $1/R < \rho < h_R^{\max}$. By (22) and the assumption that $h_R(\bar{\omega}) > 1/R$, the proof follows.

The next theorem establishes an even more explicit lower bound on $h_R^{\max}$.

Theorem 3: Let $h_\infty(\omega)$ and $\bar{\omega}$ be defined as in (19) and (21), respectively. Then, $h_R^{\max} \geq h_\infty(\bar{\omega}) \simeq 0.161$.

Proof: By (17),

$$h_R(\bar{\omega}) = \frac{\bar{\omega}}{\sum_{r=1}^{R} \left(1 - e^{-\bar{\omega}}(1 - \bar{\omega})\right)^{r-1}} > \frac{\bar{\omega}}{\sum_{r=1}^{\infty} \left(1 - e^{-\bar{\omega}}(1 - \bar{\omega})\right)^{r-1}} = h_\infty(\bar{\omega}). \tag{23}$$

Thus, by (22) and (23), $h_R^{\max} > h_\infty(\bar{\omega}) \simeq 0.161$. Note that this bound is asymptotically tight as $R \to \infty$ since $h_\infty^{\max} = h_\infty(\bar{\omega})$.

From Theorems 2 and 3, it follows that a phase transition exists if $1/R < 0.161$. Hence:

Corollary 2: A phase transition is guaranteed to exist for $R \geq 7$ and $\rho \in [1/R, 0.161]$.

We note that the lower bound on $h_R^{\max}$ is quite tight. For instance, $h_7^{\max} = 0.166$. Moreover, $h_R^{\max}$ decreases with $R$ (this follows from (17), since for any $\omega \in [0, 1]$ the denominator increases as $R$ gets larger).

F. Stability of fixed points

In this subsection, we use stability theory to shed further light into the limiting behaviour of the sequence $(u_i)_{i=0}^{\infty}$. Specifically, the sequence $(u_i)_{i=0}^{\infty}$ converges to stable fixed points of $\Omega$ and diverges from unstable fixed points of $\Omega$. We will show that the stability of the fixed points of (16) is determined by the sign of $h'_R(\omega)$ at those points.

Informally, a fixed point $\omega$ is stable (or an attractor), if there exists a domain containing $\omega$, such that if $u_0$ belongs to that domain, then $(u_i)_{i=0}^{\infty}$ converges to $\omega$.

Definition 3 (Stability of a fixed point): Let $u_0 \in [0, 1]$. A fixed point $\omega \in \Omega$ is stable if there exists $\epsilon > 0$ such that if $|u_0 - \omega| < \epsilon$, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega$. It is unstable if for all $u_0 \neq \omega$ the sequence $(u_i)_{i=0}^{\infty}$ does not converge to $\omega$.

Recall that according to Lemma 2, a special fixed point of (13) exists at $\omega = 1$, if $\rho > 1/R$. According to Definition 3, this fixed point is stable. Besides this special case, the rest of the fixed points satisfy Equation (16). To establish the stability of those fixed points, we will employ the following proposition.

Proposition 1 ([26]): Suppose that a continuously differentiable function $f$ has a fixed point $\omega$. Then, $\omega$ is stable if $|f'(\omega)| < 1$ and unstable if $|f'(\omega)| > 1$.

The next theorem provides a criterion to establish the stability of a fixed point $\omega \in \Omega$ with respect to the function $h_R(\omega)$.

Theorem 4: Consider a fixed point $\omega \in \Omega$, where $\omega < 1$. Then $\omega$ is stable if $h'_R(\omega) > 0$ and unstable if $h'_R(\omega) < 0$.

Proof: Let $\omega \in \Omega$. The derivative of $h_R(\omega)$ with respect to $\omega$ is

$$h'_R(\omega) = \frac{1}{\Gamma(\omega)} - \frac{\omega}{(\Gamma(\omega))^2} \cdot \Gamma'(\omega) > 0, \tag{24}$$

where

$$\Gamma(\omega) \triangleq \sum_{r=1}^{R} \left(1 - e^{-\omega}(1 - \omega)\right)^{r-1} = \frac{f(\omega)}{\rho}. \tag{25}$$

If one can show that (24) implies $|f'(\omega)| < 1$, then according to Proposition 1, the fixed point $\omega$ is stable. We multiply both sides of (24) by $(\Gamma(\omega))^2$ and obtain

$$\Gamma(\omega) - \omega\,\Gamma'(\omega) > 0. \tag{26}$$

Using (25) and (16), we can rearrange (26) as follows:

$$\Gamma'(\omega) < \frac{\Gamma(\omega)}{\omega} = \frac{f(\omega)}{\rho\,\omega} = \frac{1}{\rho}. \tag{27}$$

From (25) and (27), we get

$$f'(\omega) = \rho\,\Gamma'(\omega) < 1.$$


Since $f(\omega)$ is monotonically increasing with $\omega$, for $\omega \in [0, 1]$, we conclude

$$0 < f'(\omega) < 1.$$

Hence, by Proposition 1, $\omega$ is a stable fixed point. Similarly, $h'_R(\omega) < 0$ implies $f'(\omega) > 1$, which means that $\omega$ is unstable.

Theorem 4 provides a stability analysis of the fixed points and helps determine the limit of the sequence $(u_i)_{i=0}^{\infty}$. Consider, for instance, the example shown in Figure 4 with parameters $R = 10$ and $\rho = 0.13$. Under these parameters,

$$\Omega = \{\omega_1, \omega_2, \omega_3\} = \{0.2, 0.7, 1\}.$$

The fixed points $\omega_1$ and $\omega_2$ are the solutions of $h_R(\omega) = \rho$. According to Theorem 4, $\omega_1$ is stable and $\omega_2$ is unstable. The fixed point $\omega_3 = 1$ exists and is stable, since $\rho > 1/R$.

According to Theorem 2, $\omega_2$ is a phase transition point. Hence, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_1$ if $u_0 < \omega_2$ and the network is uncongested. If $u_0 > \omega_2$, the sequence converges to $\omega_3$ and the network is congested.

[Figure 4: plot of $h_R(\omega)$ as load $\rho$ versus $\omega$, marking $h_R^{\max}$, $1/R$, the phase transition region, and the stable and unstable fixed points $\omega_1$, $\omega_2$, $\omega_3$.]

Fig. 4. Stability of fixed points with $R = 10$. Given a load $\rho = 0.13$ (dashed line), $\Omega$ contains three fixed points: $\omega_1 = 0.2$, $\omega_2 = 0.7$ and $\omega_3 = 1$. The fixed point $\omega_1$ is stable because $h'_R(\omega_1) > 0$ and $\omega_2$ is unstable because $h'_R(\omega_2) < 0$. The fixed point $\omega_3 = 1$ exists and is stable because $\rho > 1/R$. Therefore, the sequence $(u_i)_{i=0}^{\infty}$ converges to $\omega_1$ if $u_0 < \omega_2$, and to $\omega_3$ if $u_0 > \omega_2$.

G. Heterogeneous traffic load

In previous subsections, we assumed that node $A_0$ varies its traffic load $\rho_0$, but all other nodes $A_i$ ($i \geq 1$) have the same traffic load $\rho$. We now relax this assumption and assume that nodes $A_i$ ($i \geq 1$) have different traffic loads $\rho_i = \lambda_i T$. We next prove that a phase transition still occurs, as long as all the traffic loads fall in the appropriate range.

Theorem 5: Suppose $h_R^{\max} > 1/R$. If $\rho_i \in (1/R, h_R^{\max})$ for all $i \geq 1$, then a phase transition occurs.

Proof: Let $\rho_{\max} = \max_{i \geq 1} \rho_i$ and $\rho_{\min} = \min_{i \geq 1} \rho_i$. According to Theorem 2, the network is uncongested when $\rho_0 = 0$ and the load at each node $A_i$ is $\rho_{\max} < h_R^{\max}$. Hence, the network must remain uncongested when the load at each node $A_i$ is smaller than $\rho_{\max}$.

Similarly, the network is congested when $\rho_0 = 1$ and the load at each node $A_i$ is $\rho_{\min} > 1/R$. Hence, it must remain congested when the load at each node $A_i$ is larger than $\rho_{\min}$. Thus, a phase transition occurs when $1/R < \rho_i < h_R^{\max}$ for all $i \geq 1$.

This result shows that phase transitions are also possible in linear networks with heterogeneous traffic loads.

V. EXPERIMENTS AND SIMULATIONS

A. Experiments

We demonstrate the practical feasibility of launching cascading DoS attacks through experiments on a testbed composed of six nodes. The testbed configuration is shown in Figure 5. We establish an IEEE 802.11n ad hoc network consisting of three pairs of nodes. Each node consists of a PC and a TP-LINK TL-WN722N Wireless USB Adapter. We use RF cables and splitters to link the nodes, isolate them from external traffic, and obtain reproducible results.

[Figure 5: nodes $A_0$, $A_1$, $A_2$ and $B_0$, $B_1$, $B_2$ linked through splitters and RF attenuators (70 dB and 60 dB).]

Fig. 5. Experimental testbed.

We place 70 dB attenuators on links between node $A_i$ and $B_i$ ($i \in \{0, 1, 2\}$), and 60 dB attenuators on links between nodes $A_i$ and $B_{i+1}$. The difference in the signal attenuation of different links ensures that a packet loss occurs if a hidden node transmits. In practice, such a situation may occur if nodes $A_i$ and $B_{i+1}$ communicate without obstacles, while node $A_i$ and $B_i$ are separated by an office wall [28].

The transmission power of each node is set to 0 dBm. We use iPerf [29] to generate UDP data streams and to measure the throughput achieved on each node. The length of a packet is the default IP packet size of 1500 bytes.

Figure 6 demonstrates the cascading DoS attack on the experimental testbed. At first, the packet generation rates of nodes $A_0$, $A_1$ and $A_2$ are set to 400 Kb/s. We observe that the throughput of all the nodes remains in the vicinity of 400 Kb/s during the first 300 seconds. After 300 seconds, $A_0$ starts transmitting packets at 1 Mb/s. As a result, the throughput of nodes $A_1$ and $A_2$ suddenly vanishes. Once node $A_0$ resumes transmitting at 400 Kb/s, the throughput of node $A_1$ and node $A_2$ recovers.

Note that if the values of the attenuators are set equal, some packets transmitted at the lowest bit rate (i.e., 1 Mb/s) may be successfully received, even if the packets overlap. The analysis of this scenario is more complicated but simulations show that even in this case, cascading attacks are feasible [27, Ch. 4].


[Figure 6: throughput (Kb/s) versus time (second) for nodes $A_0$, $A_1$ and $A_2$.]

Fig. 6. Throughput performance measurements in testbed. When node $A_0$ starts increasing its packet generation rate, the throughput of nodes $A_1$ and $A_2$ vanishes.

B. Simulation results for linear topologies

We next compare the results of the analysis of Section IV with ns-3 simulations, for different settings of the retry limit $R$ and load $\rho$. For the simulations, we consider an ad hoc network composed of 41 pairs of nodes.

1) Region of phase transition: To check whether a phase transition exists for a given $R$, we run simulations both for $\rho_0 = 0$ and $\rho_0 = 1$. If the node utilizations in the limit (i.e., for node $A_{40}$) are the same in both cases, then we assume that there is no phase transition. If the limits are different, then a phase transition exists.

Figure 7 indicates that the existence of a phase transition is related to the retry limit, as predicted by our analysis. For the case $R = 4$, there is no phase transition, while a phase transition occurs in the cases $R = 7$ and $R = 10$. In fact, we observed no phase transition in our simulations for any $R \leq 6$.

[Figure 7: utilization at node $A_{40}$ versus load $\rho$ at node $A_i$ ($i \geq 1$), for $R = 4$, $R = 7$ and $R = 10$, each with $\rho_0 = 1$ and $\rho_0 = 0$.]

Fig. 7. Simulation of the limiting behaviour of the node utilization in a network of 41 pairs of nodes. For $R = 4$, the limit is the same when $\rho_0 = 0$ and $\rho_0 = 1$, hence no phase transition is observed. However, for $R = 7$ and $R = 10$, the limits are different, hence showing the existence of a region of load $\rho$ in which a phase transition occurs.

The analysis also reasonably approximates the phase transition region. For $R = 7$, the simulations show that a phase transition exists if $\rho \in (0.12, 0.16)$, while the analysis predicts $\rho \in (0.14, 0.17)$. For $R = 10$, the simulation results are $\rho \in (0.08, 0.14)$ while the analysis predicts $\rho \in (0.10, 0.16)$. We note that the size of the phase transition region increases with $R$, as predicted by the analysis.

2) Heterogeneous traffic load: We next show the feasibility of a cascading DoS attack in a network where the traffic load at different nodes is heterogeneous, in line with the analysis of Section IV-G. Specifically, the traffic load $\rho_i$ at each node $A_i$ ($i \geq 1$) is a continuous random variable that is uniformly distributed between 0.11 and 0.15.

[Figure 8: utilization at node $A_i$ versus node index $i$, for $\rho_0 = 0.1$, $0.5$, $0.6$ and $0.9$.]

Fig. 8. Simulation with heterogeneous traffic load in a network with 41 pairs of nodes. The traffic loads of nodes $A_i$ ($i \geq 1$) are uniformly distributed between 0.11 and 0.15. For $R = 7$, when the load $\rho_0$ changes from 0.5 to 0.6, the limiting behavior of the sequence of node utilizations differs, thus indicating the occurrence of phase transition.

Figure 8 shows the simulation results for retry limit $R = 7$. When $\rho_0$, the load of node $A_0$, is below 0.5, the network is uncongested and the utilizations of nodes $A_i$ oscillate around 0.35 as $i$ gets large. Note that the sequence does not converge to a fixed value due to the different traffic loads at the different nodes. However, when $\rho_0$ exceeds 0.6, the sequence of node utilizations converges to its upper limit, implying that the network is congested. We note that the convergence to steady-state is pretty fast, i.e., it is reached after about 10 nodes.

C. Simulation results for other topologies

We next investigate cascading attacks in other topologies, specifically a realistic three-dimensional indoor topology and a ring topology.

1) 3D indoor building model: In this section, we use the ns-3 HybridBuildingsPropagationLossModel library [30] to demonstrate the feasibility of cascading DoS attacks in a 3D indoor scenario. Models in this library realistically characterize the propagation loss across different spectrum bands (i.e., ranging from 200 MHz to 2.6 GHz), different environments (i.e., urban, suburban, open areas), and different node positions with respect to buildings (i.e., indoor,


outdoor and hybrid). The building models take into account the penetration losses of the walls and floors, based on the type of buildings (i.e., residential, office, and commercial).

In our simulations, we consider a 20-floor office building with six rooms in each floor, as shown in Figure 9. We assume that five pairs of Wi-Fi nodes $(A_i, B_i)$ are active in the building, where node $A_i$ transmits packets to node $B_i$ ($i = 0, 1, 2, 3, 4$). The bit rate is set to 1 Mb/s, the retry limit to $R = 7$, and the frequency to 2.4 GHz. The generation rate of UDP packets at nodes $A_i$, $i \geq 1$, is $\lambda_i = 8.125$ pkts/s. Packets are 2000 bytes long.

[Figure 9: (a) top view, x (m) versus y (m); (b) side view, y (m) versus z (m), showing the positions of nodes $A_0$ to $A_4$ and $B_0$ to $B_4$.]

Fig. 9. Office building model. The building has 20 floors (z-axis) and 6 rooms in each floor (x and y axes).

We turn on and off transmissions at node $A_0$ to observe how it impacts the throughput of other nodes. Simulation results are shown in Figure 10. When node $A_0$ does not transmit, the throughput of node $A_4$ is 0.13 Mb/s and it incurs no packet loss. However, when node $A_0$ starts transmitting, the throughput of node $A_4$ collapses. The throughput of node $A_4$ recovers only after node $A_0$ stops transmitting.

[Figure 10: throughput (Mb/s) of node $A_4$ versus time (second), with the interval in which node $A_0$ transmits marked.]

Fig. 10. Simulation results using ns-3 building model. When node $A_0$ transmits, the throughput of remote node $A_4$ collapses.

2) Ring topology: We next investigate cascading DoS attacks in a ring topology with 41 pairs of nodes, as shown in Figure 11. In our previous results for linear topologies, the effect of an attack disappears once the attacker reduces its packet generation rate. However, the effect of an attack in a ring topology can last for a long period of time after the attack stops.

[Figure 11: ring of transmitters $A_i$ and receivers $B_i$.]

Fig. 11. Ring topology under cascading DoS attack. The dashed circle represents the transmission range of the transmitter.

This result is illustrated in Figure 12. During the first 100 seconds, all the nodes $A_i$ ($i = 0, 1, \ldots$) generate packets at 0.5 Mb/s. At time $t = 300$ s, node $A_0$ increases its packet generation rate to 11 Mb/s. As a result, the throughput of all nodes vanishes. Yet, unlike results in linear topologies, the throughput of the nodes does not recover after node $A_0$ reduces its packet generation rate back to 0.5 Mb/s. The cyclic nature of the topology reinforces the attack even after the trigger stops.

[Figure 12: throughput (Mb/s) of nodes $A_{20}$ and $A_{40}$ versus time (second), with the time at which node $A_0$ increases its packet generation rate marked.]

Fig. 12. Simulation results under a ring topology. When the packet generation rate of node $A_0$ increases, the throughput of nodes $A_{20}$ and $A_{40}$ vanishes. This effect continues even when the packet generation rate of node $A_0$ decreases.

VI. CONCLUSION

We describe a new type of DoS attacks against Wi-Fi networks, called cascading DoS attacks. The attack exploits


a coupling vulnerability due to hidden nodes. The attack propagates beyond the starting location, lasts for long periods of time, and forces the network to operate at its lowest bit rate. The attack can be started remotely and without violating the IEEE 802.11 standard, making it difficult to trace back. We demonstrate the feasibility of such attacks through experiments on a testbed of nodes equipped with off-the-shelf Wi-Fi cards. The experiments show that change in the traffic load of the attacker can lead to a phase transition of a remote node, from uncongested to congested states.

To provide insight into this phenomenon, we propose a new dynamical system model to characterize the sequence of node utilizations, and analyze the limiting behavior of this sequence. We show that the sequence always converges to stable fixed points while an unstable fixed point represents a phase transition point. Based on the system parameters, we identify when the system remains always uncongested, congested, or experiences a phase transition caused by a DoS cascading attack.

The analysis predicts that a phase transition occurs for $R \geq 7$ in a linear network topology and provides a simple and explicit estimate of traffic load at each node under which a phase transition occurs (i.e., $\rho_i \in (1/R, 0.161)$ for all $i \geq 1$). The network is always congested when the traffic load is above the phase transition regime and always uncongested when the traffic load is below the phase transition regime. We also generalize our results to heterogeneous traffic load scenarios.

The theoretical results are corroborated with simulations and experiments. In terms of accuracy, our model is accurate in predicting that the throughput vanishes during cascading attacks (as shown by the real network experiments) as well as predicting the values of the retry parameter $R$ for which cascading attacks are feasible. Notably, cascading attacks are feasible for the default value $R = 7$ used in IEEE 802.11. The analysis is also accurate in predicting the size of the phase transition region which increases with $R$. However, the analysis is less accurate in pinpointing the exact boundaries of the phase transition region (which is about 20% off). We defer the refinement of this particular aspect of the analysis to future work, as it would likely require a more complicated model.

Exploiting the coupling vulnerability in different network configurations represents an interesting area for future work. Experience in the security field indeed teaches that once a vulnerability is identified, more potent attacks are subsequently discovered (consider, for instance, the history of attacks on WEP [31] and MD5 [32]). In particular, it is possible that interactions between different wireless protocols that use the same spectrum (e.g., Wi-Fi, Bluetooth, and Zigbee [33]) could create a similar security issue.

Several approaches are possible to mitigate cascading DoS attacks. First, one could enable the RTS/CTS exchange, although this solution has several drawbacks, including major performance degradation under normal network operations, as mentioned in the introduction. Devising a scheme that triggers RTS/CTS under certain circumstances (e.g., multiple consecutive packet losses) could be an interesting area for future research. The second approach is to lower the retry limit. However, this could also negatively impact performance. Other approaches worth investigating include shortening packet duration [27, Ch. 5], dynamic channel selection [34], and full-duplex radios [35].

ACKNOWLEDGMENTS

This research was supported in part by the U.S. National Science Foundation under grants CNS-1409453, CNS-1908087, and DGE-1661532.

REFERENCES

[1] K. Lee, J. Lee, Y. Yi, I. Rhee, and S. Chong, “Mobile data offloading: how much can WiFi deliver?” in Proceedings of the 6th International Conference on emerging Networking EXperiments and Technologies (CoNEXT). ACM, 2010, p. 26.
[2] Cisco, “Cisco cleanair technology,” http://www.cisco.com/c/en/us/solutions/enterprise-networks/cleanair-technology/index.html.
[3] G. Bianchi, “Performance analysis of the IEEE 802.11 distributed coordination function,” IEEE Journal on Selected Areas in Communication, vol. 18, no. 3, pp. 535–547, 2000.
[4] A. Forouzan Behrouz, Data Communication and Networking. 3rd/4th Edition, Tata McGraw, 2004.
[5] M. Gast, 802.11 wireless networks: the definitive guide. O’Reilly Media, Inc., 2005.
[6] http://documentation.netgear.com/WPN824EXT/enu/202-10310-02/WPN824EXT_UG-4-6.html.
[7] http://www.tp-link.us/support/download-center.
[8] http://ui.linksys.com/WAG300N/1.01.01/help/h_AdvWSettings.htm.
[9] http://support.dlink.com/emulators/dir855/Advanced.html.
[10] L. Xin, D. Starobinski, and G. Noubir, “Cascading denial of service attacks on Wi-Fi networks,” in Communications and Network Security (CNS), 2016 IEEE Conference.
[11] R. Poisel, Modern communications jamming principles and techniques. Artech House Publishers, 2011.
[12] K. Pelechrinis, M. Iliofotou, and S. V. Krishnamurthy, “Denial of service attacks in wireless networks: The case of jammers,” Communications Surveys & Tutorials, IEEE, vol. 13, no. 2, pp. 245–257, 2011.
[13] G. Lin and G. Noubir, “On link layer denial of service in data wireless LANs,” Wireless Communications and Mobile Computing, vol. 5, no. 3, pp. 273–284, 2005.
[14] C. Chen, H. Luo, E. Seo, N. H. Vaidya, and X. Wang, “Rate-adaptive framing for interfered wireless networks,” in INFOCOM 2007. 26th IEEE International Conference on Computer Communications. IEEE.
[15] S. Rayanchu, A. Mishra, D. Agrawal, S. Saha, and S. Banerjee, “Diagnosing wireless packet losses in 802.11: Separating collision from weak signal,” in INFOCOM 2008. The 27th Conference on Computer Communications. IEEE.
[16] “Minstrel madwifi documentation,” http://linuxwireless.org/en/developers/Documentation/mac80211/RateControl/minstrel.
[17] R. Kinney, P. Crucitti, R. Albert, and V. Latora, “Modeling cascading failures in the North American power grid,” The European Physical Journal B-Condensed Matter and Complex Systems, vol. 46, no. 1, pp. 101–107, 2005.
[18] S. Soltan, D. Mazauric, and G. Zussman, “Cascading failures in power grids: analysis and algorithms,” in Proceedings of the 5th international conference on Future energy systems. ACM, 2014, pp. 195–206.
[19] M. Haenggi, J. G. Andrews, F. Baccelli, O. Dousse, and M. Franceschetti, “Stochastic geometry and random graphs for the analysis and design of wireless networks,” Selected Areas in Communications, IEEE Journal on, vol. 27, no. 7, pp. 1029–1046, 2009.
[20] Z. Kong and E. M. Yeh, “Wireless network resilience to degree-dependent and cascading node failures,” in Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks, 2009. WiOPT 2009. 7th International Symposium on. IEEE, 2009.
[21] A. Aziz, D. Starobinski, and P. Thiran, “Understanding and tackling the root causes of instability in wireless mesh networks,” IEEE/ACM Transactions on Networking, vol. 19, no. 4, pp. 1178–1193, 2011.
[22] S. Ray, D. Starobinski, and J. B. Carruthers, “Performance of wireless networks with hidden nodes: a queuing-theoretic analysis,” Computer Communications, vol. 28, no. 10, pp. 1179–1192, 2005.


[23] B. Rong and A. Ephremides, “Protocol-level cooperation in wireless networks: Stable throughput and delay analysis,” in Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks, 2009. WiOPT 2009. 7th International Symposium on. IEEE, 2009.
[24] L. Kleinrock, F. Tobagi et al., “Packet switching in radio channels: Part I–carrier sense multiple-access modes and their throughput-delay characteristics,” Communications, IEEE Transactions on, vol. 23, no. 12, pp. 1400–1416, 1975.
[25] D. Bertsekas and R. Gallager, “Data networks. 1992,” PrenticeHall, Englewood Cliffs, NJ, 1992.
[26] S. Lynch, Dynamical systems with applications using MATLAB. Springer, 2004.
[27] L. Xin, “Cascading attacks in Wi-Fi networks: demonstration and counter-measures,” Ph.D. dissertation, Boston University, 2018, https://open.bu.edu/handle/2144/32678.
[28] J. C. Stein, “Indoor radio WLAN performance part II: Range performance in a dense office environment,” Intersil Corporation, vol. 2401, 1998.
[29] “iperf 2 user documentation,” http://iperf.fr/iperf-doc.php.
[30] https://www.nsnam.org/doxygen/classns3_1_1_hybrid_buildings_propagation_loss_model.html#details.
[31] E. Tews, R.-P. Weinmann, and A. Pyshkin, “Breaking 104 bit WEP in less than 60 seconds,” in Information Security Applications. Springer, 2007, pp. 188–202.
[32] J. Black, M. Cochran, and T. Highland, “A study of the MD5 attacks: Insights and improvements,” in Fast Software Encryption. Springer, 2006, pp. 262–277.

Liangxiao Xin received his B.E. degree in Control Science and Engineering (2012) from Zhejiang University, Zhejiang, China. In 2014 and 2018, he received his M.E. degree and Ph.D degree in Systems Engineering from Boston University, respectively. In 2016, he received best paper award at IEEE CNS 2016 conference. Currently, he is working on IEEE 802.11 standardization.

David Starobinski is a Professor of Electrical and Computer Engineering, Systems Engineering, and Computer Science at Boston University. He received his Ph.D. in Electrical Engineering from the Technion - Israel Institute of Technology, in 1999. He was a visiting post-doctoral researcher in the EECS department at UC Berkeley (1999-2000), an invited Professor at EPFL (2007-2008), and a Faculty Fellow at the U.S. DoT Volpe National Transportation Systems Center (2014-2019). Dr. Starobinski received a CAREER award from the U.S. National Science Foundation (2002), an Early Career Principal Investigator (ECPI)
[33] W. Wang, S. He, L. Sun, T. Jiang, and Q. Zhang, “Cross-technology award from the U.S. Department of Energy (2004), the 2010 BU ECE Faculty
communications for heterogeneous iot devices through artificial doppler Teaching Award, and best paper awards at the WiOpt 2010 and IEEE CNS
shifts,” IEEE Transactions on Wireless Communications, vol. 18, no. 2, 2016 conferences. He is on the Editorial Board of the IEEE Open Journal
pp. 796–806, 2018. of the Communications Society and was on the Editorial Boards of the
[34] D. J. Leith and P. Clifford, “A self-managed distributed channel selection IEEE Transactions on Information Forensics and Security and the IEEE/ACM
algorithm for wlans,” in 2006 4th International Symposium on Modeling Transactions on Networking. His research interests are in cybersecurity,
and Optimization in Mobile, Ad Hoc and Wireless Networks. IEEE, wireless networking, and network economics.
2006, pp. 1–9.
[35] D. Bharadia, E. McMilin, and S. Katti, “Full duplex radios,” in ACM
SIGCOMM Computer Communication Review, vol. 43, no. 4. ACM,
2013, pp. 375–386.

Guevara Noubir is a professor in the College of Computer and Information Science at Northeastern University. His research focuses on privacy and security in networked systems. Professor Noubir received a PhD in computer science from Ecole Polytechnique Fédérale de Lausanne, and an MS degree (Engineering Diploma) from Ecole Nationale d’Informatique et Mathématiques Appliquées de Grenoble. Dr. Noubir received the US NSF CAREER Award in 2005, Google Faculty Research Award on Privacy in 2016, best paper awards at ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) 2011, and 2018 (and runner-up best paper in 2013), and the IEEE Conference on Communications and Network Security best paper in 2017. He chaired the technical program committee of several security conferences including the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec) in 2015, IEEE Conference on Communications and Network Security 2015. He serve(d) on the editorial boards of ACM Transactions on Privacy and Security, IEEE Transactions on Mobile Computing, Elsevier Journal on Computer Networks, and IEEE Transactions on Information Forensics and Security.
