# Cascading DoS Attacks on Wi-Fi Networks

posted by Liangxiao Xin (xlx@bu.edu)

##### Outline:

#### About cascading DoS attack

A cascading DoS attack exploits a coupling vulnerability due to hidden nodes. The attack propagates beyond the starting location, lasts for long periods of time, and forces the network to operate at its lowest bit rate. The attack can be started remotely and without violating the IEEE 802.11 standard, making it difficult to trace back.

Figure 1 serves to illustrate this phenomenon at a high level. Suppose that an attacker increases the rate at which it generates packets, and transmits these packets in accordance with the IEEE 802.11 protocol. These transmissions may cause packet collisions at nodes concurrently receiving packets from other sources. Due to the infamous hidden node problem, which is hard to avoid in wireless networks, transmitters may be unable to hear transmission by other nodes, even when using CSMA, and hence keep retransmitting packets until they reach the so-called retry limit of the back-off procedure. These retransmissions affect other neighbours and may propagate.

#### Feasibility of the attack

##### Network model

The network model considered in this paper is shown in Figure 2. We consider pairs of nodes. Each node () transmits packets to node . The dashed circle represents the range of transmission. Node can receive packets from both node and node . However, node and node cannot hear each other. That is, node is a hidden node with respect to node (and viceversa). A packet collision happens at node when packet transmissions by node and overlap.##### Attack goal

Our goal is to investigate how node can trigger a cascading DoS attack, resulting in a congestion collapse over the entire network. We start by increasing the packet generation rate at node . Node transmits packets over its channel, in compliance with the IEEE 802.11 standard. The transmissions by node cause packet collisions at node . These collisions require node to retransmit packets. The increased amount of packet transmissions and retransmissions by node impact node and so forth. If this effect keeps propagating and amplifying, then the result is a network-wide denial of service, which we refer to as a cascading Denial of Service (DoS) attack. Because this attack is protocol-compliant, it is difficult to detect or trace back to the initiator. We note that the topology studied here could arise over different time and space in more complex network configurations.

##### Experimental result

We set up an experimental testbed composed of six nodes. The testbed configuration is shown in Figure 3. We establish an IEEE 802.11n ad hoc network consisting of three pairs of nodes. Each node consists of a PC and a TP-LINK TLMN722N Wireless USB Adapter. We use RF cables and splitters to link the nodes, isolate them from external traffic, and obtain reproducible results. We place 70 dB attenuators on links between node and (), and 60 dB attenuators on links between nodes and . The difference in the signal attenuation of different links insures that a packet loss occurs if a hidden node transmits. The transmission power of each node is set to 0 dBm. We use iPerf to generate UDP data streams and to measure the throughput achieved on each node. The length of a packet is the default IP packet size of 1500 bytes.

Figure 4 demonstrates the cascading DoS attack on the experimental testbed. At first, the packet generation rates of nodes , and are set to 400 Kb/s. We observe that the throughput of all the nodes remains in the vicinity of 400 Kb/s during the first 300 seconds. After 300 seconds, starts transmitting packets at 1 Mb/s. As a result, the throughput of nodes and suddenly vanishes. Once node resumes transmitting at 400 Kb/s, the throughput of node and node recovers.

##### Simulation result

In order to gain a better insight into the attack in large-scale networks, we resort to ns-3.22 simulations, a state-of-the-art simulator which includes high-fidelity wireless libraries. We show the occurrence of cascading DoS attacks in ad hoc networks with fixed bit rate. We describe the occurrence of a cascading DoS attack in an ad hoc network with fixed bit rate. We consider a linear topology consisting of 40 pairs of nodes (i.e. a sequence of 40 hidden nodes), as shown in Figure 2. We fix the bit rate to 1 Mb/s and the retry limit to . We set up a Wi-Fi network using the standard IEEE 802.11 library in ns-3. At each node , , UDP packets arrive at rate pkts/s. The packet generation rate at node , , varies from 1.25 to 61.25 pkts/s. The size of each packet is 2000 bytes. Each node has the same transmission power (40 mW). We set the propagation loss between node and to 80 dB and the propagation loss between node and to 70 dB. We run each simulation five times for 1,000 seconds, and average out the results. The source code is available on Github. The**(exogenous) load**at each node is denoted , where represents the duration of each packet transmission attempt (0.016 second in our case). The

**utilization**of a node , denoted , is defined as the fraction of time the node is busy transmitting bits on the channel. Figures 5 and 6 depict the utilization , , and as a function of , the load at node . The utilization of node , , increases smoothly until it reaches its upper limit. However, the utilization of nodes and remains low until reaches a certain threshold around , at which point and suddenly jump to a high value. This sudden jump corresponds to a phase transition, and the critical threshold represents the phase transition point.

##### Analysis

We develop an analytical model that provides insight into the network behaviour observed in the simulations and experiments. Specifically, our goal is to explain why and under what conditions the phase transition occurs, and shed light into the roles played by the retry limit R and the traffic load at the different nodes.**Notations:**- : utilization of node
- : (exogenous) load of node (
- : retry limit
- : average retry count at node
- : exogenous packet arrival rate

**Assumptions:**- Packet transmissions and retransmissions at each uncongested node A_i form a Poisson process with rate .
- The probability that a packet transmitted by node A_i collides is independent of previous attempts.
**Iterative analysis of the utilization:**Our goal is to find the utilization at each node and in the limit as . We consider the same scenario as in our simulations, whereby node (the attacker) varies its traffic load

while all other nodes () have the same traffic load

where . We aim to understand if and how changes in the value of affect the utilization of nodes that are located far away as a function of the parameters and . We develop an iterative procedure to derive from .

, (1)

where

.

**Limiting behavior of the utilization:**We next analyze the limiting behaviour of the iteration given by (1). The sequence corresponds to a discrete non-linear dynamical system. We say that is a fixed point of (1) if

, (2)

The limit of the sequence is always one of fixed points in (2).

**Phase transition analysis:**A network is said to be congested if converges to 1. Else, the network is said to be uncongested. A network experiences a

**phase transition**if there exists a fixed point , such that if the network is uncongested, and if the network is congested. We refer to as the phase transition point.We introduce the function

. (3)

For each value of , the fixed point must satisfy

.

We denote the maximum of by

(4)

A network must fall in one of the following three regimes for different parameters.

**Theorem**If , then the network is uncongested for all .

If and , then a phase transition occurs.

If , then the network is congested for all .

**Example**We illustrate the theorem above at . As shown in Figure , we observe a phase transition region, whose size is .

Our model represents a special case of interacting queues, which are notoriously difficult to analyze. To make the analysis tractable, we assume that

The above assumptions are similar to the “random-look” model used by Kleinrock and Tobagi in their analysis of (single hop) random access networks. We stress that beside these assumptions, the rest of our analysis is exact.

#### Conclusion

#### Reference

Liangxiao Xin, David Starobinski, and Guevara Noubir, “Cascading DoS Attacks on Wi-Fi Networks,”*IEEE CNS 2016,*Philadelphia, PA, October 2016. pdf code (Best paper award)