Survey of RTS-CTS Attacks in Wireless Network - IEEE Xplore

2014 Fourth International Conference on Communication Systems and Network Technologies

Survey of RTS/CTS attacks in Wireless network

Supriya S. Sawwashere
Computer Science and Engineering, G. H. Raisoni College of Engineering, Nagpur (Maharashtra), India

Sonali U. Nimbhorkar
Department of Computer Science and Engineering, G. H. Raisoni College of Engineering, Nagpur (Maharashtra), India

Abstract— A DoS (Denial-of-Service) attack is used to keep requesting users waiting for machine or network resources. The attack mainly attempts to temporarily suspend the services of a server connected to the Internet. Low-rate DoS attacks are a new type of DoS attack that cannot be detected easily, since the attack traffic is sent at low volume. Different methods exist to handle high-rate DoS attacks, but these methods cannot be used to catch or detect low-rate attacks. The RTS/CTS attack is a new type of low-rate DoS attack. The RTS/CTS (Request to Send / Clear to Send) mechanism is a reservation scheme used in wireless networks. It is used to minimize frame collisions caused by the hidden node problem. Attacker nodes modify the duration field value of RTS packets to reserve the channel for additional time. Since well-behaved nodes will respond to an RTS with a CTS, an attacker could exploit authenticated nodes to send CTS packets with a manipulated duration field value, beyond what the attacker could do by itself. This results in a decrease in network performance and an increase in transmission delay.

Keywords — Denial-of-Service, Low Rate attacks, RTS/CTS attacks, NAV.

I. INTRODUCTION

The wireless networking protocol specifies a common MAC (media access control) layer, which provides a variety of functions that support the operation of wireless LANs. Wireless communication works in two modes: Infrastructure mode and Ad-hoc mode. In Infrastructure mode, channel allocation between the nodes is controlled by a centralized node called the access point (AP) [1]. In Ad-hoc mode, there is no designated centralized node, and the channel allocation process is distributed among the nodes. In wireless networking, the hidden terminal problem arises when a node is visible from a wireless AP but not from the other nodes communicating with that AP. This creates problems in media access control (MAC). A simple and elegant solution to the hidden terminal problem is to use Request to Send/Clear to Send (RTS/CTS) frames. The RTS/CTS mechanism is a handshaking mechanism that reserves the channel for a specific duration before the actual data transfer starts. This mechanism generally works in infrastructure mode. Figure 1 shows the use of RTS and CTS with the Network Allocation Vector (NAV) value set. The frame formats for RTS and CTS are shown in Figure 2 and Figure 3 respectively.

[Figure 1: timing diagram along a time axis. Labels: Source (RTS, Data), Destination (CTS, ACK), Other stations (NAV(RTS) = 3*SIFS + Data + ACK, NAV(CTS) = RTS - (CTS + SIFS)), SIFS and DIFS intervals, defer access, backoffs.]

Figure 1. RTS/CTS Communication with NAV

978-1-4799-3070-8/14 $31.00 © 2014 IEEE DOI 10.1109/CSNT.2014.158

Figure 2. RTS Frame. Fields (size in bytes): Frame control (2) | Duration (2) | Receiver Address (6) | Transmitter Address (6) | FCS (6)

Figure 3. CTS Frame. Fields (size in bytes): Frame control (2) | Duration (2) | Receiver Address (6) | FCS (4)

After waiting for the Distributed Inter Frame Space (DIFS), the sender issues an RTS packet. The RTS packet contains the duration of the whole data transmission: this field specifies the time interval required to transmit the whole data frame and the acknowledgement related to it. Every node in the network that receives this RTS frame sets its NAV in accordance with the duration field as follows.

NAV(RTS) = 3*SIFS + Data + ACK

The NAV specifies the earliest point in time at which the stations can request access to the resources again. The receiver, on receiving the RTS frame, waits for the Short Interframe Space (SIFS) time and then replies with a CTS packet to inform its neighbors. This CTS packet also contains the duration field. After receiving the packet from the receiver, the neighbor stations adjust their NAV.

NAV(CTS) = RTS - (CTS + SIFS)

Other nodes within range are thus informed to wait for more time before accessing the medium. The sender node cannot proceed with the transmission until it receives the CTS packet. Basically, this mechanism reserves the medium for one sender exclusively. Therefore it is called a virtual reservation scheme [8].

II. RELATED WORK

RTS/CTS is a handshaking mechanism that reserves the channel for a specific duration before the actual data transfer starts. DoS attacks often try to disrupt the network by attacking RTS/CTS frames.

PMD Nagarjun et al. [1] studied the RTS/CTS attack, which exploits the medium reservation mechanism of 802.11 networks through the duration field. They proposed variants of RTS/CTS attacks in wireless networks and also created an application that can set up a test bed environment for the attacks, perform RTS/CTS attacks and generate suitable graphs to analyze the attack's behavior.

John Bellardo et al. [2] provided an experimental analysis of 802.11-specific attacks: their practicality, their efficiency and potential low-overhead implementation changes to mitigate the underlying vulnerabilities.

Dazhi Chen et al. [3] proposed a NAV validation scheme to eliminate vulnerabilities and to successfully defend against a Denial of Service (DoS) attack based on virtual jamming. They investigated other consequences of these vulnerabilities and provided solutions through analytical and simulation methods.

Bo Chen et al. [4] proposed a method of identifying the vulnerabilities posed by the 802.11 DCF mechanism and investigated the effectiveness of DoS attacks targeting the 802.11 DCF. They proved that the jamming signal generated by an 802.11b network card based on the DSSS physical layer will stop 802.11b mode and 802.11b/g multi-mode networks.

Mi Kyung et al. [5] focus on the effects of greedy receivers in fixed-rate environments. Rate adaptation introduces strong interactions with several misbehaviors. The damage of faking ACKs may be reduced under auto-rate, since without correct feedback the transmitter may not choose the best modulation scheme and may cause performance degradation; on the other hand, the damage of spoofing ACKs can increase with auto-rate. With ACK spoofing, the sender may not be able to select a good data rate and may incur significant performance degradation, which may benefit the greedy receiver.

Abderrezak Rachedi et al. [6] studied some new hidden vulnerabilities in IEEE 802.11 and the possible attacks that could exploit them. These vulnerabilities at the MAC layer are analyzed, such as the false CTS and false packet validation attacks, which exploit a vulnerability in the format of the CTS and ACK packets. The negative impacts of these attacks on the network are illustrated by analytical, simulation and experimental results.

Xiaocheng Zou et al. [7] observed that in wireless networks the MAC layer has many vulnerabilities and can suffer from different types of attacks. They investigated fabricated CTS attacks on the MAC scheme in wireless LANs. In this attack, an attacker sends fabricated CTS packets with large NAV values to falsely claim the use of the shared channel. They also proposed AIS to mitigate the impact of such jamming attacks. With the help of two-hop neighborhood information, nodes can distinguish legitimate CTS packets from fabricated ones by observing the target address on the CTS packet.

K. Sugantha et al. [8] proposed a statistical method to detect misbehavior due to the NAV attack. They found that a more serious vulnerability arises from the virtual carrier sense mechanism used to mitigate collisions from hidden terminals. An attacker may exploit this feature by inserting a larger duration field, preventing legitimate users from getting access to the channel. The misbehaving nodes set the duration value of the RTS packets to reserve the channel for additional time. Since well-behaved nodes will typically respond to an RTS with a CTS, an attacker could exploit legitimate nodes to propagate CTS packets with a manipulated duration field beyond what the attack could do by itself.

Changwang Zhang et al. [9] proposed an effective and efficient approach to detect and filter TCP-targeted LDDoS attacks based on a novel metric, the Congestion Participation Rate (CPR). The CPR-based approach can achieve per-flow-level detection of LDDoS attacks. They analytically expressed the upper bound of the average CPR for normal TCP flows and the lower bound of the average CPR for LDDoS flows, using several network parameters that are directly measurable.

Hsueh-Wen Tseng et al. [10] proposed a scheme that detects the addresses of hidden devices based on overlapped signals in the PHY layer; the dubious addresses are then checked by the HDP address verification procedure performed in the MAC layer. The verified hidden devices are allocated to different sub-periods for transmission. The proposed cross-layer scheme significantly reduces the chance of the hidden device problem.

Lin Dai et al. [11] presented a stability, throughput and delay analysis of buffered IEEE 802.11 DCF networks. It revealed that an IEEE 802.11 DCF network has two steady-state points. The network operates at the desired stable point if it is unsaturated, and a stable throughput can always be achieved at that point. If it becomes saturated, it shifts to the undesired stable point, and a stable throughput can be achieved if and only if the backoff parameters are properly selected from their corresponding stable regions.

Minho Kim et al. [12] proposed a novel HD mechanism that is simple to implement using new features of the IEEE 802.11n system, does not need modifications to the IEEE 802.11n standard, and detects hidden nodes well in a practical network environment in which frames can be lost due to any combination of collisions, hidden nodes and channel impairments.

Kyung Jae Kim et al. [13] proposed OSA protocols for single-channel and multi-channel cognitive radio networks with one control channel and several licensed channels, where a slot is divided into a contention phase and a transmission phase. A slot is divided into a reporting phase, a contention phase and a transmission phase. The reporting phase finds the channels left idle by PUs, and the contention phase selects the SU that will send packets in the data transmission phase. One SU is selected by CSMA/CA with the RTS/CTS mechanism on the control channel, and that SU is allowed to occupy all of the remaining part of the control channel and all idle channels during the current slot.

Tian TIAN et al. [14] studied interference avoidance based on a multi-frequency RTS/CTS CR scheme. They also derived a closed form of the interference avoidance criterion based on the scheme and analyzed the impact of radio propagation.

Ha Cheol Lee [15] analyzed the effect of RTS/CTS frames on network performance in the ad hoc-based mobile LAN. The work specifically described the role of the RTS and CTS frames in avoiding the hidden node problem usually induced by node mobility in a wireless LAN.

III. VARIOUS RTS/CTS ATTACKS, THEIR EFFECTS ON NETWORK PERFORMANCE AND COUNTERMEASURES

| Types of RTS/CTS attacks | Features | Effects on network performance | Countermeasures |
|---|---|---|---|
| Deauthentication attack | Highly effective | Immediately halts the packet transfer | Authenticate management frames and drop the invalid requests |
| Virtual carrier sense attack | Theoretically vulnerable, harder to defend | Blocks the channel completely for the duration of the attack | Place a limit on duration values accepted by nodes |
| Spurious RTS/CTS attack | Effective when misbehaving node is mobile | Falsely blocks the nodes | Discard the frame if reservation time is not equal to fixed constant |
| NAV attack | Easily detected | Virtual jamming | NAV validation scheme |
| Physical layer attack | Generates the narrow band jamming signal | Blocks the network traffic | Use of modulation changing |
| MAC layer attack | Difficult to detect, generates the arbitrary frames | Stops the network functioning | Use network sniffers |
| Increasing NAV | Allows greedy receivers to silence all nearby nodes | Causes the damage regardless of using RTS/CTS frame | Ignore the inflated NAV and replace with expected NAV |
| Spoofing ACKs | Works when greedy receiver is TCP and link is lossy | Causes the packet losses and unnecessary retransmission | Use a cross-layer approach to detect greedy receiver |
| Sending false ACKs | The traffic to greedy receiver is carried by non-TCP connections | Modifies MAC layer ACKs transmission under corrupted/lost packets | Estimate the loss rate by using active probing |

Table 1. Different types of RTS/CTS attacks with their performance and Countermeasures
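The following is an added example, not code from the paper, of two countermeasures listed in Table 1: placing a limit on the duration values a node accepts, and replacing an inflated NAV with the expected one using the paper's relations NAV(RTS) = 3*SIFS + Data + ACK and NAV(CTS) = RTS - (CTS + SIFS). The timing constants, the NavValidator class, the helper names and the sample frames are assumptions constructed for illustration.

```python
import struct

# Assumed timing values in microseconds (802.11b, 1 Mb/s, long preamble); not from the paper.
SIFS_US, CTS_US, ACK_US, MAX_DATA_US = 10, 304, 304, 18_960
# Largest legitimate reservation, using the paper's NAV(RTS) = 3*SIFS + Data + ACK.
MAX_RTS_NAV_US = 3 * SIFS_US + MAX_DATA_US + ACK_US
RTS, CTS = 11, 12  # control-frame subtypes carried in the Frame Control field


def parse_ctrl(frame: bytes):
    """Return (subtype, duration_us, ra, ta) for an RTS or CTS frame, else None."""
    if len(frame) < 10:
        return None
    fc, dur = struct.unpack_from("<HH", frame)  # Frame Control, Duration (little-endian)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 1 or subtype not in (RTS, CTS):
        return None
    if subtype == RTS and len(frame) < 16:
        return None
    ta = frame[10:16] if subtype == RTS else None  # a CTS carries no transmitter address
    return subtype, dur, frame[4:10], ta


class NavValidator:
    """Bounds the NAV a station applies instead of trusting the Duration field."""

    def __init__(self, max_rts_nav=MAX_RTS_NAV_US):
        self.max_rts_nav = max_rts_nav
        self.pending = {}  # RTS transmitter address -> NAV accepted for that RTS

    def accept(self, frame: bytes):
        """Return (nav_to_apply_us, verdict) for one received frame."""
        parsed = parse_ctrl(frame)
        if parsed is None:
            return 0, "ignored"
        subtype, dur, ra, ta = parsed
        if subtype == RTS:
            nav = min(dur, self.max_rts_nav)  # limit on accepted duration values
            self.pending[ta] = nav
            return nav, "ok" if nav == dur else "rts-clamped"
        # A CTS is addressed to the station that sent the RTS, so look it up by RA.
        # If that RTS was not heard (hidden sender), fall back to the global limit.
        rts_nav = self.pending.pop(ra, self.max_rts_nav)
        expected = max(rts_nav - (CTS_US + SIFS_US), 0)  # NAV(CTS) = RTS - (CTS + SIFS)
        return (dur, "ok") if dur <= expected else (expected, "cts-inflated")


# Builders for constructed sample frames (FCS omitted; addresses are made up).
def build_rts(dur, ra, ta):
    return struct.pack("<HH", 0x00B4, dur) + ra + ta


def build_cts(dur, ra):
    return struct.pack("<HH", 0x00C4, dur) + ra
```

Because the CTS bound is derived from the already-clamped RTS value, a well-behaved responder that echoes an inflated RTS duration no longer extends the reservation for its neighbors. A deployed version would also expire stale entries in `pending`.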

IV. CONCLUSION

The RTS/CTS mechanism minimizes the frame collisions caused by hidden nodes in the network. An attack on these frames is a type of low-rate Denial of Service attack and is called an RTS/CTS attack. The attacker nodes in the network keep the channel engaged for additional time by changing the duration field value of the RTS frame. Since legitimate users will respond to an RTS request by sending a CTS frame as a reply, an attacker could exploit legitimate nodes to disseminate CTS frames with a manipulated duration field, which causes the attack automatically. An attack on RTS/CTS frames can affect the network throughput and the transmission delay and increase congestion in the network. Table 1 illustrates different forms of RTS/CTS attacks, their effects on network performance and the countermeasures against them. These types of attacks on RTS/CTS frames can be identified and removed in order to improve the performance efficiency and throughput of the network. Detecting and nullifying the effects of DoS attacks on RTS/CTS frames in wireless communication helps to establish a highly secure network that maintains the authenticity of data, and to build a reliable and very efficient network. A node synchronization mechanism can be added to the RTS/CTS frame transmission in order to detect the attacker nodes. The attacker nodes detected by the mechanism can be blocked from all further transmissions.

V. REFERENCES

[1] PMD Nagarjun, V. Anil Kumar, Ch Aswani Kumar, Ahkshaey Ravi, "Simulation and Analysis of RTS/CTS DoS Attack Variants in 802.11 Networks", IEEE Proceedings of the 2013 International Conference on Pattern Recognition, Informatics and Mobile Engineering (PRIME), February 21-22.

[2] J. Bellardo and S. Savage, "802.11 Denial-of-Service attacks: Real vulnerabilities and practical solutions," 12th USENIX Security Symposium, Washington D.C., USA, vol. 12, pp. 2-2, Aug. 2003.

[3] Dazhi Chen, Jing Deng and K. Varshney Pramod, "Protecting wireless networks against a Denial of Service attack based on Virtual jamming," MobiCom 2003, CA, USA, Sept. 2003, unpublished.

[4] Bo Chen, Muthukkumarasamy and Vallipuram, "Denial of Service attacks against 802.11 DCF," IADIS International Conference: Applied Computing, pp. 552-556, 2006.

[5] Mi Kyung Han and Lili Qiu, "Greedy receivers in IEEE 802.11 Hotspots: impacts and Detection," Dependable and Secure Computing, vol. 7, pp. 410-423, 2010.

[6] Abderrezak Rachedi and Abderrahim Benslimane, "Smart Attacks based on Control Packets Vulnerabilities with IEEE 802.11 MAC," The International Wireless Communications and Mobile Computing Conference (IWCMC'2008), Crete Island, Greece (2008).

[7] Xiaocheng Zou and Jing Deng, "Detection of Fabricated CTS Packet Attacks in Wireless LANs", Institute for Computer Sciences, Social Informatics and Telecommunications Engineering LNICST, pp. 75–85, 2011.

[8] K. Sugantha and S. Shanmugavel, "A statistical approach to detect NAV attack at MAC layer," International Workshop on Wireless Ad-hoc Networks, London, UK, 2005.

[9] Changwang Zhang, Zhiping Cai, Weifeng Chen, Xiapu Luo and Jianping Yin, "Flow level detection and filtering of low-rate DDoS", Computer Networks 56 (2012) 3417–3431.

[10] Hsueh-Wen Tseng, Shan-Chi Yang, Ping-Cheng Yeh, and Ai-Chun Pang, "A Cross-Layer Scheme for Solving Hidden Device Problem in IEEE 802.15.4 Wireless Sensor Networks", IEEE Sensors Journal, Vol. 11, No. 2, February 2011.

[11] Lin Dai and Xinghua Sun, "A Unified Analysis Of IEEE 802.11 DCF Networks: Stability, Throughput, And Delay", IEEE Transactions On Mobile Computing, Vol. 12, No. 8, August 2013.

[12] Minho Kim and Chong-Ho Choi, "Hidden-Node Detection in IEEE 802.11n Wireless LANs", IEEE Transactions On Vehicular Technology, Vol. 62, No. 6, July 2013.

[13] Kyung Jae Kim, Kyung Sup Kwak, and Bong Dae Choi, "Performance Analysis of Opportunistic Spectrum Access Protocol for Multi-Channel Cognitive Radio Networks"

[14] Tian TIAN, Hisato IWAI, Hideichi SASAOKA, "Statistical Analysis of Interference Avoidance based on Multi-Frequency RTS/CTS Cognitive Radio", 2011 6th International ICST Conference on Cognitive Radio Oriented Wireless Networks and Communications (CROWNCOM).

[15] Ha Cheol Lee, "The Effect of RTS/CTS Frames on the Performance of Ad Hoc-Based Mobile LAN", 2010 Third International Conference on Advances in Mesh Networks, IEEE.