Hidden Terminal based Attack, Diagnosis and Detection

Yao Zhao, Leo Zhao, Yan Chen

Lab for Internet & Security Tech, Northwestern Univ.

Outline

• Motivation

• Background on Hidden Terminal Problem

• Hidden Terminal based DoS attacks in WLAN

• Current Work on Diagnosis and Detection

Motivation

• Hidden terminal problem is usually studied in wireless ad hoc networks

• Hidden terminal problem for WLAN– HT exists in large WLAN

• Limited channels: only 3 out of 11 channels are orthogonal to each other

• To cover a large hotspot, hidden terminal problems may occur because of the deployment of APs

– Easy to launch DoS attack to WLAN

Outline

• Motivation

• Background on Hidden Terminal Problem

• Hidden Terminal based DoS attacks in WLAN

• Current Work on Diagnosis and Detection

What’s Hidden Terminal Problem

S D H

• S sends a packet to D

• H doesn’t know D is receiving packet and broadcast a packet to another node during S’s sending

• Two packets are collided at D

Mitigation of HT Problem• RTS-CTS-DATA-ACK procedure• NAV is included in RTS and CTS

S D HRTSCTS CTSDATAACK

Problem of RTS-CTS

• WLAN doesn’t enable RTS-CTS by default– RTS and CTS are overhead– In single AP scenario, no HT at all since

every clients only communicate with the AP

• RTS-CTS cannot totally solve HT problem– A packet may not be correctly received

if there’s interference whose strength is much weaker than the packet (1/10)

HT Problem Still Exists• CTS can’t be received by H• H can send P to interfere with DATA

S D HRTSCTS CTSDATA P

Interference

Outline

• Motivation

• Background on Hidden Terminal Problem

• Hidden Terminal based DoS attacks in WLAN

• Current Work on Diagnosis and Detection

• Hard to deploy WLAN to avoid HT

• No global deployment in some environments

HT Problem in WLAN

12

3

3

2

2

3

1A B

Example of HT in WLAN

HT based DoS• Use two laptops in ad hoc mode• Simple: no extra hardware or change of MAC

needed• Powerful• Stealthy

Powerful Attack: Cover Range (1)

• P~dα, α=4 (usually 2<α<4)• Packet can’t be received correctly if interferin

g packets’ power > 1/10 power of the packet

AP H1

0.56

Powerful Attack: Cover Range (2)

• AP as sender• Receivers in shaded area suffer HT

problem

AP H

x 1.78x

Conclusion on HT Based Attack

• Powerful– About ½ of the coverage of an AP is

affected by HT

• Stealthy– The victim cannot receive packets from HT– The packets from HT are legal packets– Several factors have the same symptoms:

low signals but normal noises• Long distance between AP and clients• Hidden terminal• Phone/Microwave/Bluetooth interference

Current Work on Diagnosis

• Preliminary ideas:– Pre-define the coverage area– Strategic walk from different directions

V H

Q&A

Thanks!

Future Works

• Identify the reason of low throughput – Long distance between AP and clients– HT problem– Phone/Microwave interference

• Locate the HT– The victim cannot receive packets from

HT– Triangulation approach may not work in

indoor environment