Vulnerability assessment of ad hoc networks to MAC layer misbehavior

Lei Guang*,† and Chadi Assi
Concordia Institute for Information System Engineering, Concordia University, Montréal, Québec, Canada H3G 1M8

Summary

This paper describes a new vulnerability for the IEEE 802.11 protocol and studies its impact on degrading the performance of ad hoc networks. A host that exploits this new simple, but practical, vulnerability could cause devastating effects on the proper operation of the network protocols and hence severely degrade the performance. In this work, a misbehaving node fully cooperates by forwarding packets for other nodes and completely adheres to the proper selection of backoff intervals; however, it maliciously forces the forwarding operation to fail in order to either disrupt the route discovery process or to cause damage to existing flows routed through that node. As a result, the medium around the misbehaving node will be less congested and hence the node will obtain increased, unfair access to the channel. We use network simulations to show that such malicious misbehaviors have a devastating effect on network performance and disrupt protocol functioning. Hence, extensions to existing detection systems are required to mitigate the effects of these new vulnerabilities.

Copyright © 2006 John Wiley & Sons, Ltd.

KEY WORDS: ad hoc networks; MAC; routing; security; performance evaluation

WIRELESS COMMUNICATIONS AND MOBILE COMPUTING
Wirel. Commun. Mob. Comput. 2006; 6:1–13
Published online in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/wcm.391

*Correspondence to: Lei Guang, Concordia Institute for Information System Engineering, Concordia University, 1455 de Maisonneuve Blvd. Ouest, Montréal, Québec, Canada H3G 1M8.
†E-mail: l [email protected]
Contract/grant sponsor: Natural Science and Engineering Council of Canada (NSERC).

1. Introduction

Security in mobile ad hoc networks (MANETs) has attracted growing interest in recent years. In ad hoc networks, where mobile nodes communicate with each other through multi-hop wireless links, the corresponding routing and medium access control protocols were designed under the assumption that all hosts would obey the protocol specifications. However, in such an open and dynamic environment, misbehaving hosts could compromise the network functionality by attacking the physical layer, the MAC layer, or the network layer. Accordingly, these adversaries may have devastating effects on the performance of the network by degrading the end-to-end throughput [2], increasing the unfairness by starving multi-hop flows [3], indefinitely increasing delays, depleting channel capacity, and preventing access to the wireless channel [4–6].

Host misbehavior in MANET can be classified into two categories, namely selfish misbehavior [4] and malicious misbehavior [3]. Selfish hosts typically misbehave to improve their own performance; this includes hosts that refuse to forward packets on behalf of other hosts in order to conserve energy, or hosts that manipulate the backoff selection to obtain larger throughput [4]. For example, IEEE 802.11 requires hosts competing for the channel to wait for a backoff interval before any transmission. A selfish host may choose to wait for a smaller backoff interval, thereby increasing its chance of accessing the channel and hence reducing the throughput share received by well-behaved users. The authors of Reference [4] showed that such selfish misbehavior can seriously degrade the performance of the network and accordingly they proposed some modifications for the protocol (e.g., by allowing the receiver to assign backoff values rather than the sender) to detect and penalize misbehaving nodes. Similarly, the authors of Reference [5] addressed the same problem and proposed a system, DOMINO, to detect greedy misbehavior, such as backoff attacks based on manipulations of the IEEE 802.11 DCF mode.

Alternatively, malicious misbehavior aims primarily at disrupting the normal operation of the network; this, for example, includes colluding adversaries that continuously send data to each other in order to deplete the channel capacity in their vicinity (i.e., causing a denial of service attack, DoS) and hence prevent other legitimate users from communicating [6]. Another example of malicious misbehavior is JellyFish [3]; JellyFish (JF) is a protocol-compliant DoS attack, which targets closed-loop flows (such as TCP) that are responsive to network conditions (e.g., delays and loss). Although JF conforms to all routing and forwarding operations, it is capable of reducing the goodput of all traversing flows to near zero while dropping zero or a very small fraction of packets.

Another area that has also attracted considerable research attention is that of securing routing protocols; in particular, the security of the routing establishment mechanism, the protection of routing information and the security of packet forwarding [8,9]. In this work, however, we assume a secure routing protocol and rather focus on new and practical media access vulnerabilities and show their impact on successfully disrupting some of the network services. In this paper, we identify new vulnerabilities in the IEEE 802.11 MAC protocol and we show that a misbehaving host can successfully disrupt the routing discovery mechanism by forcing some flows to be routed through longer routes away from the adversary. We also show that a flow routed through a misbehaving node can easily be disrupted. A misbehaving host could act either as a malicious receiver or as a malicious transmitter while fully cooperating in receiving/forwarding data packets from the network layer. Unlike the backoff manipulation attack, where a node attempts to gain an extra share of the medium bandwidth, this attack is malicious, and schemes previously devised for preventing [6,14] or detecting [4,5] selfish hosts cannot be used to counter this misbehavior. Moreover, since this vulnerability is rooted in the access layer and aims at disrupting the routing discovery mechanism, systems like watchdog and path rater [15] are inefficient in detecting these malicious attacks.

The rest of the paper is organized as follows. In Section 2, we present an introduction to the IEEE 802.11 MAC protocol. In Section 3, we summarize some work directly related to this paper. New media access vulnerabilities are presented in Section 4 and Section 5 presents some case studies. In Section 6, we study the performance of MANET under these new categories of attacks and in Section 7 we conclude the paper.

2. Overview of IEEE 802.11

The IEEE 802.11 standard defines two basic access methods [1]: (1) a fully distributed mechanism called the distributed coordination function (DCF), which allows contention access to the wireless medium; (2) a centralized mechanism called the point coordination function (PCF), which requires centralized access points. DCF is the basic MAC layer access method for ad hoc networks. It is also known as carrier sense multiple access with collision avoidance (CSMA/CA). CSMA/CA is designed to reduce collisions when multiple nodes access the shared medium. Carrier sensing is performed by both physical and virtual sensing mechanisms. There are two communication options in DCF: (1) four-way handshaking, that is, RTS-CTS-DATA-ACK, which is suitable for long frame data transmission (as shown in Figure 1); (2) two-way handshaking, that is, DATA-ACK, which is suitable for short frame data transmission. In this work, we use the four-way handshaking version of 802.11.

Fig. 1. RTS/CTS/DATA/ACK handshaking in DCF mode.

A node with packets to transmit first senses the medium. If the medium is idle for at least a DCF interframe space (DIFS), it will immediately request the channel by sending a short control frame, request to send (RTS), to the receiver node. If the receiver correctly receives the RTS, it will reply with a short control frame, clear to send (CTS). Once the sender receives the CTS, it will start to transfer DATA. After the successful reception of DATA, the receiver sends an ACK to the sender. The exchange of RTS/CTS prior to the actual data transmission reduces the high collision probability by distributing the medium reservation information and solves the hidden terminal problem [7]. The RTS/CTS contains a duration field indicating the time (in microseconds) after the end of the present frame transmission that the channel will be reserved to complete the data or management frame transmission. Any node within the transmission range of either the sending node or the receiving node that hears the RTS/CTS exchange will learn about the medium reservation and adjust its network allocation vector (NAV), which indicates the amount of time that the node should defer.

Collisions will mostly happen when the current node completes its transmission and multiple nodes are waiting to contend for the channel. Thus each node with data to transmit will generate a random backoff number from the range [0, CW] for an additional deferring time after the channel is idle for a DIFS time, where CW is the contention window size maintained by each node. The backoff counter is decremented as long as the channel is sensed idle, stopped when a transmission is detected on the channel, and restarted when the channel is sensed idle again for more than a DIFS. Once the backoff counter reaches zero, the sending node will reserve the channel by exchanging RTS/CTS as described above. If a node sends an RTS but does not receive a CTS within a certain time, the node will defer by doubling its CW size and choosing a random value from the new range, and will retransmit the RTS a limited number of times. If the number of RTS retries exceeds the station short retry count (SSRC), the sending node will drop the DATA packet and inform the network layer of a link breakage. Alternatively, if the ACK is not received within a certain time, the sending node will retransmit the DATA packet a limited number of times (i.e., SSRC for a short frame DATA, or station long retry limit SLRC for a long frame DATA).

3. Related Work

IEEE 802.11 DCF was originally designed for one-hop ad hoc networks and not for multi-hop networks; it is designed under the assumption that all the participating nodes are well behaved. One problem with IEEE 802.11 is the capture effect [18]; that is, even when all the nodes are well behaved, a node with heavy load traffic tends to capture the channel by continuously sending packets, which causes a host with light load traffic to continuously back off and therefore have less chance to capture the channel. With the implementation of the MAC protocol in software rather than hardware or firmware in network access cards, it is easy for a selfish or greedy node to modify the protocol [5,14]. Simple changes of several protocol parameters in one or a set of nodes can have devastating effects on the overall network performance, which could lead to DoS. While a well-behaved node strictly obeys the pre-defined protocol operation, the misbehaving nodes may deviate from the standard more or less to cause an unfairness problem. This misbehavior may be hard to distinguish; a misbehaving node may keep on sending packets in order to reduce the chance of another node with light load to transmit. Moreover, a node may send a large amount of packets to a specific victim (or to other nodes with the victim being a forwarding node), thus draining out the energy of the victim. Two nodes may also collude with each other to establish a flow with continuous data transmission, which can deplete the channel capacity in their vicinity [6].

A selfish node may adjust its backoff mechanism in different ways to access the channel with higher probability. One way is to choose a small backoff value rather than a valid random number generated by the backoff algorithm, for example, using the range [0, CW/2] rather than [0, CW] or always generating a small random value regardless of the range. In the presence of a collision, busy medium or retry, the selfish node will have more chance to win the channel than other nodes. A selfish node may also set a longer time duration than the actual transmission time in its RTS/CTS. Those nodes that overhear the exchange will have to adjust their NAV accordingly and consequently defer for a longer time before transmission. Or it can even adjust the DIFS or short interframe space (SIFS) time (by selecting smaller values) to further exacerbate the unfairness.

Currently, several techniques have been proposed to mitigate the impact of backoff manipulation by selfish hosts [4,5]. For example, the authors of Reference [5] presented a detection system called DOMINO that does not require any modification to the MAC protocol and they presented several procedures for detecting misbehaviors that aim at altering protocol parameters (e.g., shorter than DIFS, oversized NAV, and backoff manipulation). On the other hand, the authors of Reference [4] proposed modifications to 802.11 for facilitating the detection of misbehaving nodes. Here, the receiver (e.g., a trusted access point) assigns backoff values to the sender and monitors the sender for any potential misbehavior; in case of misbehavior, the receiver penalizes the sender by increasing its backoff values for the next transmissions. If the sender deviates repeatedly (more than a threshold in a fixed sliding window), then it is considered as misbehaving and appropriate measures are taken by the sender in order to isolate the host. One drawback, however, of this approach in ad hoc networks (as opposed to infrastructure-based wireless networks) is that hosts may not be trusted and hence a receiver itself may misbehave by assigning different backoff values to different senders (colluding attack) or by overhearing neighboring transmissions and selecting appropriate backoff values to cause collisions. The authors of Reference [14] highlighted these issues and proposed extensions for the detection system of Reference [4] under the assumption that at least one of the parties involved is honest. Their approach follows that of Reference [4] wherein the receiver assigns a backoff value for the sender; however, both sender and receiver will exchange some additional commitment information to ensure complete randomness and to verify that none of the hosts is misbehaving prior to the assignment. Any detected misbehavior (whether from the receiver or the sender) is reported to a reputation management system.

Backoff manipulation attacks could result in serious performance degradation (both in infrastructure-based as well as ad hoc networks), and accordingly most recent research efforts have focused on detecting and preventing these misbehaviors. However, other 802.11 MAC vulnerabilities have been largely neglected although they can cause severe harm to the correct operation of the network. We will explore some additional vulnerabilities in the next section that allow a hard-to-detect host to maliciously misbehave in order to disrupt some of the network services.

4. Problem Statement

The medium access control protocol (IEEE 802.11) is designed under the assumption that all nodes will comply with the protocol specifications in order to achieve successful operation. In Section 3, we showed that hosts could misbehave simply to achieve a better share of the wireless channel by continuously selecting small backoff values upon contention. Similarly, a compromised node that selectively drops RTS/DATA packets from other nodes could force a sender to continuously back off and retransmit beyond the allowed retry times (e.g., RTS can be retried for a maximum SSRC while DATA can be retried for a maximum SLRC); ultimately the sender will declare a link breakage to the network layer and the routing protocol will trigger its route maintenance to establish new routes and reroute the affected flows [10]. This malicious attack, if successful, could cause severe performance degradation by disrupting the route discovery process of routing schemes such as AODV and DSR. Schemes developed for mitigating similar effects (e.g., nodes that agree to forward packets but fail to do so) such as watchdog and path rater [15] could be used to detect these malicious nodes and isolate them. In the following we present one similar attack that is, however, not straightforward to detect with schemes such as watchdog.

Recall that in order to prioritize access to the wireless medium, DCF defines three time windows (SIFS, DIFS, and EIFS); only the first two are important for the purpose of our discussion. Prior to the transmission of any frame, a node must observe a quiet medium for one of the defined window periods. The SIFS is used for frames sent as part of a pre-existing frame exchange (e.g., CTS or ACK frames sent in response to previously transmitted RTS or DATA frames). DIFS is used for nodes wishing to initiate a new frame exchange; after the channel is sensed idle for a DIFS time, a node waits for an additional backoff time after which the frame is transmitted. To completely manipulate the channel, a node could transmit a signal after a short SIFS [11,16] and to achieve a notable increase in the bandwidth a node could transmit after SIFS but before DIFS when the channel is idle [6]. What happens, however, when a node transmits after a larger SIFS value rather than a shorter one? To answer this question, one needs to take a closer look at the functionality of DCF, namely the CTS procedure and the ACK procedure [1]. When a particular host transmits an RTS, it also computes a duration field (RTS field, $rf$) that is transmitted in the RTS frame:

$$rf = sifs + T_{CTS} + sifs + T_{DATA} + sifs + T_{ACK} \qquad (1)$$

where $T_{CTS}$, $T_{DATA}$, $T_{ACK}$ are the transmission times of the CTS, DATA, and ACK frames, respectively. This duration field is used by other nodes in the vicinity of the sender to adjust their NAV value. The sender also computes a CTS timeout ($TO_{CTS}$), a time during which the sender expects a CTS response from the receiver host:

$$TO_{CTS} = T_{RTS} + 2\delta + sifs + T_{CTS} \qquad (2)$$

where $\delta$ is the maximum propagation delay. If the timer expires before the arrival of a CTS packet, then the sender‡ infers that either interference caused the RTS to be lost, or the receiver has its NAV value set (i.e., the medium around the receiver is busy). In either case, the transmission of the RTS is deemed failed and the sender will invoke its backoff procedure and schedule a retransmission of a new RTS frame. On the other hand, when a host receives an RTS, it shall wait for a SIFS period and transmit a CTS frame only if the NAV at the receiving station indicates that the medium is idle. A duration field (CTS field, $cf$) is also computed and transmitted along with the CTS frame:

$$cf = rf - sifs - T_{CTS} \qquad (3)$$

‡ In a single handshaking process, a node will play two different roles, that is, transmitter or receiver. To avoid confusion in the following sections, we use sender (receiver) to refer to the source (destination) of a MAC DATA frame. Moreover, Tx refers to a station transmitting any MAC frame, that is, RTS/CTS/DATA/ACK. Rx refers to a station receiving any MAC frame.

This duration field is used by all stations in the vicinity of the receiver to adjust their NAV accordingly. The recognition of a valid CTS frame sent by the recipient of the RTS shall be interpreted as a successful response permitting the frame sequence to continue. In this case, the sender will send a DATA frame, after waiting for a SIFS period, along with a duration field (DATA field, $df$):

$$df = T_{ACK} + sifs \qquad (4)$$

The sender will also compute an ACK timeout interval ($TO_{ACK}$), after which, if no ACK is received from the receiver, the sender concludes that the DATA frame transmission failed and subsequently invokes the backoff procedure and schedules retransmission of DATA.

$$TO_{ACK} = T_{DATA} + 2\delta + sifs + T_{ACK} \qquad (5)$$

Note that, as mentioned earlier, IEEE 802.11 allows only for a limited number of retries for the transmission of both the RTS and DATA frames. In order to misbehave, a node needs only to alter the value of SIFS. Rather than selecting a small value (which will result in a selfish attack as mentioned earlier [4,10]), a node could select a larger value for SIFS ($sifs^{*}$, larger than the nominal value, $sifs$, plus 10% of one slot time [1]) and hence force a sender to time out every time it transmits either an RTS frame or a DATA frame. After successive unsuccessful retransmissions, the sender will drop the data packet and report a link breakage to the network layer. Here, detection systems like watchdog§ will fail to detect this malicious misbehavior since the malicious node (receiver) is sending CTS or ACK frames; however, they arrive after their corresponding timeout timers at the sender expire. Malicious nodes of this category aim primarily at preventing the route discovery process from discovering routes through them, therefore forcing packets of other hosts to go through non-optimal routes. As a result, such a node will conserve its battery power by refusing to forward packets of no direct interest to the node. Moreover, since flows are forced away, such a malicious node can access the medium with less contention and hence achieves a larger throughput share of the wireless channel without modifying its backoff interval.

§ We assume that a watchdog system is capable of monitoring the link layer communication.
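The late-response behaviour described above (CTS or ACK frames that are sent, but only after the timers of Equations (2) and (5) have expired) can be caught by checking response timing rather than response presence. The following Python code is an added example, not code from the paper or from any detection system it cites; the PHY constants, the retry limit of 7, the decision thresholds and the sample observations are assumptions constructed for illustration.

```python
"""Flag neighbours whose CTS/ACK frames are sent, but too late for Eq. (2)/(5)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed values; replace them with those of the PHY actually in use.
SIFS_US = 10.0          # nominal sifs
MAX_PROP_US = 2.0       # delta, the maximum propagation delay
SHORT_RETRY_LIMIT = 7   # assumed retry limit for RTS (SSRC in the text)


@dataclass(frozen=True)
class Exchange:
    responder: str                       # neighbour expected to answer
    kind: str                            # "CTS" or "ACK"
    request_end_us: float                # end of our own RTS/DATA transmission
    response_start_us: Optional[float]   # start of CTS/ACK reception, None if never heard


def allowed_gap_us(sifs=SIFS_US, delta=MAX_PROP_US):
    """Largest request-end to response-start gap the timers tolerate.

    Eq. (2) and (5) have the form TO = T_request + 2*delta + sifs + T_response,
    so the response has to start within sifs + 2*delta of the request end.
    """
    return sifs + 2 * delta


def classify(ex, sifs=SIFS_US, delta=MAX_PROP_US):
    """Return 'missing', 'on_time' or 'late' for one observed exchange."""
    if ex.response_start_us is None:
        return "missing"
    gap = ex.response_start_us - ex.request_end_us
    return "on_time" if gap <= allowed_gap_us(sifs, delta) else "late"


def assess(exchanges, min_samples=4, ratio=0.75, retry_limit=SHORT_RETRY_LIMIT):
    """Per-neighbour verdict. A 'late-responder' answers almost every request
    (so a presence-only watchdog sees cooperation) but misses the deadline."""
    outcomes = defaultdict(list)
    for ex in sorted(exchanges, key=lambda e: e.request_end_us):
        outcomes[ex.responder].append(classify(ex))

    report = {}
    for node, seq in outcomes.items():
        late, missing = seq.count("late"), seq.count("missing")
        run = longest = 0
        for outcome in seq:                      # longest run of failed handshakes
            run = run + 1 if outcome != "on_time" else 0
            longest = max(longest, run)
        if len(seq) >= min_samples and late / len(seq) >= ratio:
            verdict = "late-responder"
        elif len(seq) >= min_samples and missing / len(seq) >= ratio:
            verdict = "silent"
        else:
            verdict = "ok"
        report[node] = {
            "verdict": verdict,
            "late": late,
            "missing": missing,
            # enough consecutive failures for the MAC to report a link breakage
            "link_break_expected": longest >= retry_limit,
        }
    return report


def _constructed_sample():
    """Constructed observations: M answers 25 us late, D is normal, X is silent."""
    obs, t = [], 0.0
    for gap in (25.0,) * 7:
        t += 1000.0
        obs.append(Exchange("M", "CTS", t, t + gap))
    for gap in (11.0, 12.0, 10.5, 13.0):
        t += 1000.0
        obs.append(Exchange("D", "CTS", t, t + gap))
    for _ in range(4):
        t += 1000.0
        obs.append(Exchange("X", "CTS", t, None))
    return obs


SAMPLE = _constructed_sample()

if __name__ == "__main__":
    for node, result in assess(SAMPLE).items():
        print(node, result)
```

The "late-responder" verdict is the case a presence-only monitor misses: every request is answered, yet each answer lands after the sender's timer, so the run of failed handshakes reaches the retry limit.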

5. Case Study

We use a simple topology with three fixed nodes to show the impact of this type of MAC layer misbehavior. As shown in Figure 2, there exists a data flow from Node S to Node D, where S and D stand for the source and the destination, respectively. Node M is the only intermediate node of the flow S → D. All the nodes are completely identical, that is, they have the same transmission range, carrier sense range, transmission power, etc. The routing protocol used here is AODV [12,13]. A flow is first established when node M is well behaved; later, however, it commences its misbehavior to disrupt the existing flow. We consider the following four cases:

Fig. 2. SIFS* < SIFS. (a) SIFS* < SIFS, route breakage; (b) SIFS* < SIFS, failed route discovery.

5.1. $sifs^{*} < sifs$: A Misbehaved Node Chooses a Smaller $sifs^{*}$

5.1.1. Route breakage process (Figure 2(a))

Assume that a flow already exists between nodes S and D routed through node M.

(a) M is the sender and D is the receiver. When node M successfully receives a data packet from node S, it should forward the packet to node D. M will first send an RTS frame and set its Tx status to send RTS¶ [1]; it will also calculate a timeout interval for this RTS as shown in the previous section (see Equation (2)). Since $sifs^{*}$ is smaller than the actual $sifs$, the computed timeout is $TO^{*}_{CTS} < TO_{CTS}$. When node D receives this RTS, it will send back a CTS frame after a $sifs$ period only if the medium is idle. Now, M will not receive the CTS frame during the timeout interval (since $TO^{*}_{CTS} < TO_{CTS}$) and hence it shall conclude that the RTS transmission has failed and reschedule its transmission after a corresponding backoff (to successfully follow the operation of the protocol). This same procedure proceeds and after a limited number of retries, node M will drop the DATA packet; the network layer infers that the link is broken and a route maintenance procedure of AODV is triggered to reroute the affected flow. Similarly, if the attack occurs during the DATA/ACK handshaking process, the DATA will be retransmitted up to the limited retry times until ultimately the link will be declared broken. Note, however, that a necessary condition for a route breakage is that $(sifs - sifs^{*})$ is not very small (e.g., at least 2 µs). That is because $TO^{*}_{CTS}$ is computed based on the maximum propagation delay $\delta$, whereas the actual propagation delay between M and D is at most $\delta$. Hence, although $TO^{*}_{CTS} \le TO_{CTS}$, the sender (M) may still receive the CTS before it times out if $(sifs - sifs^{*})$ is very small, and accordingly there will be no route breakage. In other words, a small variation of $sifs^{*}$ can be absorbed by $TO^{*}_{CTS}$, which is computed according to $\delta$.

¶ This indicates the medium around the Tx is busy.

(b) S is the sender and M is the receiver. When S sends an RTS to M, M will wait for a $sifs^{*}$ and send back a CTS. Since $sifs^{*}$ is smaller than the default $sifs$, the CTS message will arrive during the $TO_{CTS}$ period at the sender. Hence, the handshake will succeed and there will be no route breakage. Note that some implementations of 802.11 [17] allow the receiver, upon sending a CTS, to compute a timeout for receiving the DATA from the sender, $TO_{DATA}$, so that it does not keep on waiting for DATA:

$$TO_{DATA} = T_{CTS} + 2\delta + sifs + T_{DATA} \qquad (6)$$

Since $T_{DATA}$ is unknown at the receiver, the receiver will use the $rf$ value (as advertised by the sender, Equation (1)) to compute:

$$T_{DATA} = rf - (sifs + T_{CTS} + sifs + sifs + T_{ACK}) \qquad (7)$$

Note that since the receiver is computing Equations (6) and (7), the same value of $sifs$ will be used; hence,

$$TO_{DATA} = T_{CTS} + 2\delta - 2 \times sifs + rf + T_{ACK} \qquad (8)$$

Accordingly, if the receiver M selects a $sifs^{*} \le sifs$, then $TO^{*}_{DATA} \ge TO_{DATA}$. That means the receiver has an extended timeout and therefore DATA sent by S will be received by M.
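The two roles analysed in 5.1.1 can be checked numerically with Equations (1), (2), (6) and (7), which also shows how much deviation the CTS timer absorbs before a link breakage appears. This Python model is an added example, not the authors' simulation code; the frame durations, delays and retry limit are constructed values, and it assumes that timers run from the start of the RTS and that the CTS must be fully received before the timer expires.

```python
"""Timing model for 5.1.1: node M uses sifs* < sifs (all times in microseconds)."""

# Constructed values for illustration; they are not taken from the paper.
SIFS = 10.0      # nominal sifs used by well-behaved nodes
DELTA = 2.0      # delta: maximum propagation delay assumed by the timers
T_RTS, T_CTS, T_ACK, T_DATA = 352.0, 304.0, 304.0, 2352.0
RETRY_LIMIT = 7  # assumed RTS retry limit (SSRC in the text)


def rts_duration_field(sifs):
    """Equation (1): rf advertised in the RTS."""
    return sifs + T_CTS + sifs + T_DATA + sifs + T_ACK


def cts_timeout(own_sifs):
    """Equation (2), evaluated with the sender's own sifs value."""
    return T_RTS + 2 * DELTA + own_sifs + T_CTS


def cts_received_at(peer_sifs, actual_delay):
    """End of CTS reception, counted from the start of the RTS.

    The RTS needs actual_delay to reach the peer, the peer waits peer_sifs,
    and the CTS needs actual_delay again to come back (modelling assumption).
    """
    return T_RTS + actual_delay + peer_sifs + T_CTS + actual_delay


def absorbed_deviation(actual_delay):
    """Largest (sifs - sifs*) for which the CTS still beats the timer."""
    return 2 * (DELTA - actual_delay)


def forward_as_sender(own_sifs, actual_delay, peer_sifs=SIFS):
    """Case (a): M sends an RTS to D.

    Every retry meets the same timing, so either the first attempt succeeds
    or the retry limit is exhausted and a link breakage is reported.
    """
    if cts_received_at(peer_sifs, actual_delay) <= cts_timeout(own_sifs):
        return {"attempts": 1, "link_break": False}
    return {"attempts": RETRY_LIMIT, "link_break": True}


def data_timeout(own_sifs, rf):
    """Equations (6) and (7): the receiver recovers T_DATA from rf using its
    own sifs value, then derives how long it waits for the DATA frame."""
    t_data = rf - (own_sifs + T_CTS + own_sifs + own_sifs + T_ACK)
    return T_CTS + 2 * DELTA + own_sifs + t_data


if __name__ == "__main__":
    for sifs_star in (10.0, 8.0, 6.0):
        print("sender role, sifs* =", sifs_star, forward_as_sender(sifs_star, 0.5))
    rf = rts_duration_field(SIFS)
    print("receiver role, TO_DATA nominal:", data_timeout(SIFS, rf))
    print("receiver role, TO*_DATA with sifs* = 6:", data_timeout(6.0, rf))
```

With an actual delay of 0.5 µs the model absorbs a deviation of up to 3 µs in the sender role, while in the receiver role a smaller value only lengthens the DATA timeout by twice the deviation.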

5.2.2. Route discovery failure process (Figure 3(b))

EC

TE

This attack aims at disrupting the route discovery process. The source node initiates a route discovery by broadcasting a route request (RREQ) control packet. Node M will receive the packet (note, the sender broadcasts the packet, hence no handshaking with M is taking place and as a result node M receives the RREQ packet) and broadcast the RREQ further to its neighbors (D in this case). Node D unicasts a route reply (RREP) packet over the reverse path (D-M-S). Since node D initiates the handshake with node M, and node D has a sifs > sifs∗ , the RREP will be accepted by node M. Node M further unicasts the RREP to node S by initiating a four-way handshake. Here, the transmission of the RREP packet will fail because the source node (i.e., M) will timeout and reach its retry limit until eventually the RREP packet is dropped at node M. Ultimately, the RREP packet will never reach the source node S and hence no data transmission is allowed over this single route. Note that if multiple routes exist between nodes S and D, then the flow will be routed over a longer path (in case S-M-D is the shortest), which could lead to performance degradation (e.g., additional end to end delays, increased routing overhead). Summary 1. When sifs∗ < sifs, the attack is effective only when M is a Rx and sifs − sifs∗ ≥ δ.

appropriate backoff period) to M and schedules accordingly a CTS timeout. When node M receives the RTS frame, if the channel is free it will send back a CTS after waiting for a sifs∗ period. Since sifs∗ is larger than sifs, the CTS will arrive at the source S upon the expiration of the CTS timeout timer (we assume that sifs∗ − sifs is sufficiently large). When S does not receive CTS within the appropriate CTS timeout period, it will set its transmitter status to idle and schedule a new retransmission of RTS after increasing its backoff interval. Thus, when the CTS sent by M arrives at S, it will be simply dropped because the transmitter status is idle (i.e., indicating that no RTS was transmitted). After several retransmissions of RTS, the data packet from S to M will be dropped and the network layer will be notified by the MAC layer of a link breakage along the route. However, when node M is a misbehaved transmitter, the handshake between M and the receiver will succeed since the TO∗CTS ≥ TOCTS (i.e., M has enough time to receive the CTS from D) or alternatively the receiver will have larger TODATA (i.e., enough time for D to receive DATA from M).

D

5.1.2. Route discovery failure process (Figure 2(b))

5.2. sifs∗ > sifs: A Misbehaved Node Chooses a Larger sifs∗

Route breakage process (Figure 3(a))

R

5.2.1.

N

C

O

R

We consider, as before, the same flow exists between nodes S and D and routed through node M. We first consider the case of a malicious receiver M. When source S has a packet to send to D, it will start by sending an RTS frame (after waiting for a DIFS and

U

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

7

Fig. 3. SIFS∗ > SIFS. (a) SIFS∗ > SIFS, route breakage; (b) SIFS∗ > SIFS, failed route discovery. Copyright © 2006 John Wiley & Sons, Ltd.

Similar to case 5.1.2, when source S initiates a route discovery, it broadcasts a RREQ to its neighbors (M in this case); M in turn broadcasts the RREQ to its neighbors (D in this case). When node D receives the broadcasted RREQ, it unicasts a RREP back to the source S over the collected route (D-M-S). For this reason, D sends an RTS frame to node M. This transmission will fail since node M will wait for a period sifs∗ > sifs to transmit its CTS frame (if the medium is idle) and accordingly the CTS arrives at node D after the timeout. After a limited number of unsuccessful retries, node D will eventually drop the RREP packet and the route discovery process is disrupted (unless there is an alternate route from S to D that does not traverse node M). Here, note that node M successfully cooperates in the forward discovery process; however, it then succeeds in hiding itself in order to force the data flow to be routed away, which otherwise would have been routed through the shortest path traversing by M (in case the shortest path is S-M-D). Additionally, node D will do no further actions after dropping the packet. Since node M is cooperative in forwarding downstream routing packets, it completely renders detection systems like watchdog ineffective. Summary 2. When sifs∗ > sifs, the attack is effective only when M is a Tx and sifs∗ − sifs ≥ δ. Wirel. Commum. Mob. Comput. 2006; 6:1–13

57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112

As mentioned earlier, this malicious behavior aims at (1) disrupting the route discovery process and (2) interrupting the crossing flows and forcing packets to be rerouted around the malicious nodes. In addition, this category of misbehavior relies on modifying the timeout operation of the IEEE 802.11 protocol by failing to follow communication procedures or changing predefined parameters in the standard. An example is that a misbehaved Rx can transmit CTS after DIFS/EIFS instead of SIFS without any change of the standard parameters. We will refer to this attack throughout the paper as the TimeOut (TO) attack. Figures 4 and 5 illustrate all the variations of the TO attack.

Fig. 4. Misbehaved Tx.

Fig. 5. Misbehaved Rx.

6. Simulation Results and Analysis

6.1. Simulation Setup

In order to study the impacts of MAC layer misbehavior on the overall network performance, in this section we use the ns-2 simulator with the CMU Monarch project multi-hop wireless extension [17] to perform an extensive set of simulation experiments.

Simulation Metrics: the performance metrics used in our assessment are the packet delivery ratio, the average packet delay, the normalized routing load, and the number of packets forwarded by misbehaved nodes:

• Packet Delivery Ratio: ratio of the data packets successfully delivered to the destination to those generated by the source.
• Average Packet Delay: average end-to-end delay for each successfully delivered data packet, which includes all the possible delays caused by route buffering, MAC interface queue, and retransmission delays.
• Normalized Routing Load: the number of routing packets used for each successfully delivered data packet.

Misbehavior Model: we compare the performance of the network under two categories of MAC misbehavior:

• TO Attack (TimeOut): a MN chooses a sifs∗ value of 13 µs, where the nominal sifs value is 10 µs.
• BO Attack (BackOff): a MN manipulates its backoff selection. Recall that under normal operation, a host with data to transmit selects a random backoff value from the range [0, CW], where CW is the contention window size maintained by each host. To simulate a BO attack, a node sets CWmin = 3 and CWmax = 127 to always ensure the selection of a smaller backoff than well-behaved nodes.

Simulation Scenario: the traffic class is CBR (UDP) with data packet size of 512 bytes; the data rate for
each CBR flow is 8 packets/s. The routing protocol under consideration is AODV. Every node has a 64-packet sending buffer, which buffers packets waiting for a valid route to be established, and a 50-packet interface queue, which buffers all packets to be sent at the link layer. The channel bit rate is 2 Mbps, the total simulation time is 200 s and the results are averaged over 10 simulation runs. We use a randomly generated network topology with 50 nodes. For simplicity, the position of each node is fixed; every node has a transmission range of 250 m and a carrier sense range of 550 m. There is a total of 10 flows in the network. These 10 flows start incrementally within 50 s according to a uniform distribution. Under both attacks, TO and BO, all nodes are initially well behaved; soon after establishing the flows (e.g., after 50 s), some percentage of the nodes will misbehave in order to disrupt the network services.

6.2. Results and Discussions

Fig. 6. Packet delivery ratio versus percent of misbehaving nodes.

Fig. 7. Average packet delays versus percent of misbehaving nodes.

Fig. 8. Normalized routing load versus percent of misbehaving nodes.

We start by first comparing the network performance under both attacks. Figures 6, 7, and 8 show the packet delivery ratio, the average packet delay, and the normalized routing load in the network for different percentages of misbehaving nodes. Clearly, the impact of TO is more devastating than BO; that is because a host in the former case can either disrupt the route discovery process (e.g., force a flow to be routed through another path, possibly longer, if the malicious host is an intermediate node along the shortest path) or can disrupt an ongoing communication, and hence force the routing protocol to discover or select a new route for the flow. However, as the percentage of MN (malicious nodes) increases, more flows will be broken and hence there will be more attempts to reroute them. Clearly, the possibility that some of these flows will not find a functioning route (i.e., a route that does not contain any MN) increases as the percentage of MN increases. This yields a reduction in the packet delivery ratio (almost a 50% reduction as the percentage of MN increases beyond 20% under TO). On the other hand, the impact of BO is less serious on the network performance, as shown in Figure 6. Unlike TO, where a node can totally disrupt the communication and prevent packets from reaching their destinations, a SN (selfish node) in this category manipulates its backoff to increase only its share of the bandwidth rather than completely obstructing the packet forwarding procedure. This attack, however, may have an impact on flows that are routed in the vicinity of the SN. These flows either will obtain a smaller
share of the bandwidth or may be totally disrupted (if no access is obtained to the channel) and accordingly will be routed through alternate paths. The latter case is likely to happen only if the SN has a flow or is forwarding one at very high data rates. When a flow is disrupted, the route discovery process will find an alternate route, possibly through the selfish node(s) since it (they) can forward RREQ packets faster than other nodes. Accordingly, as Figure 6 shows, the packet delivery ratio is only slightly impacted as the percent of SN increases.

As explained above, under TO, after the flows are disrupted the routing protocol attempts to find alternate routes for these flows; the route discovery will fail due to the existence of other malicious nodes along the possible routes. This is further explained by the results obtained in Figure 7. The figure shows that when 10% of the nodes are malicious, some flows are broken and rerouted through longer routes (or are not even capable of finding a new route). As this percentage increases, longer paths will be blocked and hence the average packet delay decreases. Only a few flows with short routes are admitted/allowed in the network. Alternatively, the network under BO shows consistent and low packet delays; that is because route breakage is less likely to occur (note the relatively low data rates that are used in our simulation||) and the flows follow the same routes throughout the simulations. Similarly, Figure 8 confirms our observations; the normalized routing load in the network under TO is much higher than that under BO. This suggests that more routes are broken and hence more route repairs and route discoveries are triggered.

|| The same behavior is also obtained at higher data rates.

Fig. 9. Data packets forwarded by the misbehaving nodes.

Figure 9 shows the number of packets forwarded by a set of 25 nodes (out of the 50 nodes in the network) during the total simulation time. When the percentage of misbehaving nodes is 50%, these 25 nodes are all malicious (or selfish); when the percentage is 10%, 5 nodes out of these selected 25 are misbehaving. First, from the simulation we notice that after the attack starts (i.e., after 50 s), all flows routed through malicious nodes (MNs) will be disrupted (for the reasons we explained in Section 5) and hence those flows will be forced to find alternate, longer, routes away from the misbehaving nodes. Therefore, the malicious nodes will not forward any additional packets after 50 s. The figure shows that when the percentage of malicious nodes is 20% of the total number of nodes, the number of packets forwarded by the nodes (25 nodes) is almost 9000 packets less. This suggests that TO is very effective in disrupting ongoing communications and degrading the network performance.

Fig. 10. Number of packets forwarded by the selfish node.

Alternatively, and unlike TO, selfish nodes in BO will attract traffic rather than forcing flows away. That is because, when a node initiates a route discovery, RREQ packets will be forwarded more quickly by a SN than by a normal node. Hence, a RREQ traversing one (or more) SN will arrive at the destination earlier and accordingly a flow is more likely to be routed through one (or more) SN. Figure 9 shows the number of packets forwarded by the 25 selected nodes. Contrary to TO, here as the %SN increases in the network, the number of packets forwarded increases. Figure 10 presents the amount of packets forwarded only by the selfish nodes and compares it with the scenario where these same nodes behave normally. The figure shows that selfish nodes
always forward more packets when they misbehave. Additionally, as the percentage of selfish nodes increases in the network, the additional amount of packets forwarded by these nodes increases since more flows will traverse them (see the increase in the difference between the bars before and after attack in Figure 10 as SN% increases). Further increasing the SN% will cause a drop in this difference (i.e., fewer additional packets are forwarded by selfish nodes) since only a few flows will be diverted from routes without SNs to routes with SNs.

Next, we study the effects that different sifs∗ values may have on the network performance. We consider that 20% of the nodes in the network are malicious nodes and we vary the sifs∗ value between 0 and 20 µs. We measure the number of additional packets forwarded by the 10 malicious nodes and we present the results in Figure 11. The figure shows similar effects for the two cases (sifs∗ < sifs and sifs∗ > sifs), as explained in Section 5. In both of these cases, a MN can disrupt either the route discovery or the ongoing transmission of crossing flows. The number of packets forwarded by malicious nodes is around 1500 packets (i.e., 3500 packets less than the normal case, i.e., 9 µs ≤ sifs ≤ 11 µs); note that these packets are forwarded before the attack takes place (i.e., before 50 s).

Fig. 11. Packets forwarded versus different sifs values.

Fig. 12. Average Throughput under different attacks.

Next we consider the case where the misbehaving node (SN or MN) has traffic of its own to send into the network and we quantify the gain achieved by that node. In order to be more effective, the MN selects a larger sifs∗ for crossing flows and uses the nominal sifs value for its local traffic. In other words, the MN will try to disrupt any crossing flows that are of no direct interest to the node, whereas it will behave normally for its own traffic. This will ensure a better share of the channel bandwidth without any backoff manipulation. A hybrid attack could also be implemented where a misbehaving node selects a small backoff (i.e., selfish attack) with the nominal sifs value for its own traffic and chooses a larger sifs∗ for crossing traffic (i.e., malicious attack). We study the effects of these misbehaviors on a 4 × 4 grid network with 8 CBR flows, each of 0.4 Mbps data rate. Only one misbehaving node is chosen at the center of the grid and the sifs∗ value is set to 13 µs. For the backoff attack, the misbehaving node chooses a CWmin = 3 and a CWmax = 127 for its own traffic. Figure 12 shows the throughput of the misbehaving flow (f).
Clearly, under normal operation (i.e., sifs∗ = sifs = 10 µs, and CWmin = 31), a throughput of 125 Kbps is achieved by flow f (as shown in Figure 12). However, when the node manipulates its backoff (e.g., CWmin = 3) a large throughput of 350 Kbps is achieved. Alternatively, when the node acts maliciously (i.e., only changes its sifs) then a throughput of almost 200 Kbps can be achieved and finally for the hybrid attack a throughput of 350 Kbps is obtained. Here, when a node acts selfishly it will continuously transmit data by refusing to backoff and hence the sole objective of the node is to unfairly increase its access to the channel at the expense of well-behaved nodes. Other nodes in the vicinity of the selfish node will contend for transmission but continuously backoff and ultimately fail to transmit. On the other hand, in the malicious attack the objective is to force flows away from the misbehaving node by either disrupting the route discovery or by prohibiting the forwarding of cross-traffic. The motive for the MN could be to conserve its own energy (i.e., greedy behavior) by refusing to forward data packets of no direct interest to itself. As a result, flows will be routed or rerouted around the MN. This means less congestion in the medium close to the malicious node and hence less contention for the channel. Accordingly a notable increase in the throughput for flow f is achieved, as our simulation results show. A similar discussion is valid for the hybrid attack as well. Note that, as mentioned in Section 3, recent research studies have proposed systems for detecting backoff manipulation attacks. Therefore, it is not in the best interest of a node to misbehave by changing its backoff since it could be detected and isolated from the network. However, those same detection systems fail to counter the malicious attack studied here. As a result, the node will obtain a larger throughput (as shown in Figure 12) and conserve more of its energy. For this reason, new detection methods are required to limit or mitigate the effects of these misbehaviors.

Finally, the number of packets that are forwarded (i.e., cross-traffic) by the malicious node is shown in Figure 13. The figure shows that under the normal case, the node forwards around 4500 packets (a similar result is also obtained with the selfish attack). However, when the node starts misbehaving maliciously (after 50 s from the beginning of the simulation) all the crossing flows are disrupted and a total of only 1600 packets is forwarded by the MN. Note that these 1600 packets are forwarded before the malicious attack starts, that is, in the first 50 s of the simulation time. The same results are obtained for the hybrid attack.

Fig. 13. Number of packets forwarded by the misbehaving node under different attacks.

7. Conclusions

In this paper we quantified the impacts of two categories of MAC misbehavior on the ad hoc network performance. A host exploiting the IEEE 802.11 timeout mechanisms will completely cooperate in forwarding data packets but maliciously forces the forwarding operation to fail. This attack mainly targets the route discovery process in order to cause packets to be routed through longer routes and consume more network resources. Moreover, the attack also targets crossing flows by disrupting their communication and forcing the routing protocol to reroute packets around the misbehaved node. Detection and prevention
systems previously designed to deal with MAC layer misbehaviors (e.g., backoff manipulation) or network layer misbehaviors, such as Watchdog, are incapable of detecting or preventing this attack. The effects of these new attacks are devastating; simulation experiments have shown a 50% decrease in the network throughput as well as increased average packet delays. The performance of the network under this malicious attack is compared to that under another selfish attack wherein a node manipulates its backoff, and our results have shown that the malicious attack has more severe consequences.

References

1. IEEE 802.11 wireless LAN media access control (MAC) and physical layer (PHY) specifications. 1999.
2. Gupta V, Krishnamurthy S, Faloutsos M. Denial of service attacks at the MAC layer in wireless ad hoc networks. In Proceedings of MILCOM, October 7–10, 2002.
3. Aad I, Hubaux J-P, Knightly EW. Denial of service resilience in ad hoc networks. In MobiCom'04: Proceedings of the 10th annual international conference on Mobile computing and networking, Philadelphia, PA, USA, September, 2004. DOI: 10.1145/1023720.1023741; 202–215.
4. Kyasanur P, Vaidya N. Selfish MAC layer misbehavior in wireless networks. IEEE Transactions on Mobile Computing 2005; 4(5): 502–516, DOI: 10.1109/TMC.2005.71.
5. Raya M, Hubaux JP, Aad I. Domino: a system to detect greedy behavior in IEEE 802.11 hotspots. In MobiSys'04: Proceedings of the 2nd international conference on Mobile systems, applications, and services, Boston, MA, USA, June, 2004. DOI: 10.1145/990064.990077; 84–97.
6. Zhou Y, Wu D, Nettles S. Analyzing and preventing MAC-layer denial of service attacks for stock 802.11 systems. In IEEE/ACM First International Workshop on Broadband Wireless Services and Applications (BroadWISE'04), San José, CA, USA, October, 2004.
7. Tobagi FA, Kleinrock L. Packet switching in radio channels: the hidden terminal problem in carrier sense multiple access models and the busy tone solution. IEEE Transactions on Communications 1975; 23(12): 1417–1433.
8. Hu YC, Perrig A, Johnson DB. Ariadne: a secure on-demand routing protocol for ad hoc networks. In MobiCom'02: Proceedings of the 8th annual international conference on Mobile computing and networking, Atlanta, Georgia, USA, 2002. DOI: 10.1145/570645.570648; 12–23.
9. Papadimitratos P, Haas Z. Secure routing for mobile ad hoc networks. In CNDS'02: Proceedings of SCS Communication Networks and Distributed Systems Modeling and Simulation Conference, San Antonio, Texas, USA, January, 2002.
10. Guang L, Assi C. Vulnerabilities of ad hoc network routing protocols to MAC misbehavior. In WiMob'05: Proceedings of IEEE International Conference on Wireless And Mobile Computing, Networking And Communications, Montréal, Québec, Canada, August, 2005; 146–153.
11. Guang L, Assi C. On the resiliency of mobile ad hoc networks to MAC layer misbehavior. In PE-WASUN'05: Proceedings of the 2nd ACM international workshop on Performance evaluation of wireless ad hoc, sensor, and ubiquitous networks, Montréal, Québec, Canada, October, 2005. DOI: 10.1145/1089803.1089981; 160–167.
12. Perkins CE, Belding-Royer EM, Chakeres ID. Ad hoc on-demand distance vector (AODV) routing. IETF Internet Draft, draft-perkins-manet-aodvbis-01.txt, January 2004.
13. Maltz DA, Broch J, Jetcheva J, Johnson DB. Packet switching in radio channels: the effects of on-demand behavior in routing protocols for ad hoc networks. IEEE Journal on Selected Areas in Communications 1999; 17(8): 1439–1453.
14. Cárdenas A, Radosavac S, Baras JS. Detection and prevention of MAC layer misbehavior for ad hoc networks. In SASN'04: Proceedings of ACM Workshop on Security of Ad Hoc and Sensor Networks, Washington, DC, USA, October 2004. DOI: 10.1145/1029102.1029107.
15. Marti S, Giuli TJ, Lai K, Baker M. Mitigating routing misbehavior in mobile ad hoc networks. In MobiCom '00: Proceedings of the 6th annual international conference on Mobile computing and networking, Boston, MA, USA, 2000. DOI: 10.1145/345910.345955; 255–265.
16. Bellardo J, Savage S. 802.11 denial-of-service attacks: real vulnerabilities and practical solutions. In USENIX'03: Proceedings of 12th USENIX Security Symposium, Washington, DC, August, 2003; 15–28.
17. Fall K, Varadhan K. NS notes and documentation. Technical report, UC Berkeley, LBL, USC/ISI. In Xerox PARC, 2002.
18. Weinmiller J, Woesner H, Wolisz A. Modeling, analysis, and simulation of computer and telecommunication systems. In MASCOTS'96: Proceedings of the Fourth International Workshop on Modeling, Analysis, and Simulation of Computer and Telecommunication Systems, February, 1996. DOI: 10.1109/MASCOT.1996.501018; 200–206.

Authors' Biographies

Lei Guang received the B.Eng degree in automatic control from Nanjing University of Science and Technology, Nanjing, China, in 2002 and the M.A.Sc degree in electrical engineering from Concordia University, Montréal, Canada in 2005. At present, he is pursuing his Ph.D at Concordia University. His current research interests include wireless networking, mobile systems, and wireless network security.

Chadi M. Assi received the B.S. degree in engineering from the Lebanese University, Beirut, Lebanon, in 1997 and his Ph.D. from the Graduate Center, City University of New York, New York, in April 2003. He was a visiting researcher at Nokia Research Center, Boston, MA, from September 2002 to August 2003, working on quality-of-service in optical access networks. He joined the Concordia Institute for Information Systems Engineering (CIISE), Concordia University, Montréal, QC, Canada, in August 2003 as an assistant professor. Dr. Assi received the Mina Rees Dissertation Award from the City University of New York in August 2002 for his research on wavelength-division-multiplexing optical networks. His current research interests are in the areas of provisioning and restoration of optical networks, wireless and ad hoc networks, and quality of service.
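The four metrics defined in Section 6.1 (packet delivery ratio, average packet delay, normalized routing load, packets forwarded by selected nodes), computed from a trace as an added example; this is not the authors' post-processing code. It assumes the classic ns-2 wireless trace column layout, and the trace lines, node numbers and function names are constructed for illustration.

```python
"""Section 6.1 metrics computed from an ns-2 wireless trace (added example)."""

# Constructed sample, not output from the paper's runs. Assumed layout is the
# classic ns-2 wireless trace: event, time, _node_, layer, reason, packet uid,
# packet type, size; the MAC/IP header fields that normally follow are left
# out because the parser ignores them. Node 1 plays a relay on the S(0)-D(2)
# route that forwards nothing once it misbehaves at t = 50 s; node 3 is the
# detour used afterwards.
SAMPLE_TRACE = """\
s 9.900000 _0_ RTR --- 0 AODV 48
f 9.902000 _1_ RTR --- 0 AODV 48
s 9.905000 _2_ RTR --- 1 AODV 44
f 9.907000 _1_ RTR --- 1 AODV 44
s 10.000000 _0_ AGT --- 2 cbr 512
f 10.004000 _1_ RTR --- 2 cbr 532
r 10.008000 _2_ AGT --- 2 cbr 532
s 10.125000 _0_ AGT --- 3 cbr 512
f 10.129000 _1_ RTR --- 3 cbr 532
r 10.135000 _2_ AGT --- 3 cbr 532
s 60.000000 _0_ AGT --- 4 cbr 512
D 60.050000 _0_ RTR CBK 4 cbr 532
s 60.060000 _0_ RTR --- 5 AODV 48
f 60.062000 _3_ RTR --- 5 AODV 48
s 60.070000 _2_ RTR --- 6 AODV 44
f 60.072000 _3_ RTR --- 6 AODV 44
s 60.125000 _0_ AGT --- 7 cbr 512
f 60.130000 _3_ RTR --- 7 cbr 532
r 60.137000 _2_ AGT --- 7 cbr 532
"""


def parse(trace):
    """Yield (event, time, node, layer, uid, ptype); skip malformed lines."""
    for line in trace.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] not in ("s", "r", "f", "D"):
            continue
        try:
            yield f[0], float(f[1]), int(f[2].strip("_")), f[3], int(f[5]), f[6]
        except ValueError:
            continue  # truncated or corrupted record


def metrics(trace, data_type="cbr", routing_type="AODV"):
    """Return packet delivery ratio, average delay (s), normalized routing load."""
    sent, recv = {}, {}
    routing = 0
    for ev, t, _node, layer, uid, ptype in parse(trace):
        if ptype == data_type and layer == "AGT":
            if ev == "s":
                sent.setdefault(uid, t)      # generated by the source
            elif ev == "r" and uid in sent:
                recv.setdefault(uid, t)      # delivered to the destination
        elif ptype == routing_type and layer == "RTR" and ev in ("s", "f"):
            routing += 1                     # convention: every hop counts
    delivered = len(recv)
    delays = [recv[u] - sent[u] for u in recv]
    return {
        "pdr": delivered / len(sent) if sent else 0.0,
        "avg_delay": sum(delays) / delivered if delivered else None,
        "nrl": routing / delivered if delivered else None,
    }


def forwarded(trace, nodes, t_from=0.0, t_to=float("inf"), data_type="cbr"):
    """Count data packets forwarded by each node in [t_from, t_to)."""
    counts = {n: 0 for n in nodes}
    for ev, t, node, layer, _uid, ptype in parse(trace):
        if (ev == "f" and layer == "RTR" and ptype == data_type
                and node in counts and t_from <= t < t_to):
            counts[node] += 1
    return counts


if __name__ == "__main__":
    print(metrics(SAMPLE_TRACE))
    print("before 50 s:", forwarded(SAMPLE_TRACE, [1, 3], 0.0, 50.0))
    print("after 50 s: ", forwarded(SAMPLE_TRACE, [1, 3], 50.0))
```

Splitting the forwarded count at the attack start time reproduces the observation behind Figures 9 and 13: a relay that misbehaves under TO shows no forwarded data packets after 50 s.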


for immediate release - California State Parks
Feb 13, 2013 - Campers waiting to make summer reservations at the popular Silver Strand ... All site fees will be increased by $15.00 to defray the cost of.