<%BANNER%>

Jamming and Anti-Jamming in Ieee 802.11 Wireless Lans

Permanent Link: http://ufdc.ufl.edu/UFE0024678/00001

Material Information

Title: Jamming and Anti-Jamming in Ieee 802.11 Wireless Lans
Physical Description: 1 online resource (53 p.)
Language: english
Creator: Chinta, Raviteja
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2009

Subjects

Subjects / Keywords: ad, anti, jamming, mac, markov, network, wlan
Electrical and Computer Engineering -- Dissertations, Academic -- UF
Genre: Electrical and Computer Engineering thesis, M.S.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: In wireless local area networks (WLANs) that use the Distributed Coordinated Function (DCF) of the IEEE 802.11 MAC protocol, a collision may occur when two or more devices transmit simultaneously. When a collision results in failed reception of a packet, the stations involved increase their backoff window which decreases the probability of transmission. A jammer trying to disrupt the communications can take advantage of this behavior to reduce the throughput of the system significantly with little energy expense. In this thesis, this behavior of the stations is analyzed by deriving the expressions for throughput and jammer's power expenditure as a function of probability of jamming. These results are experimentally verified with the help of a jammer built in the lab. Under the standard DCF, the jammer's power expenditure decreases with an increase in jamming probability beyond a threshold. A simple modification to the standard DCF can make jamming more power expensive for the jammer. A detection scheme is proposed to detect the presence of a jammer and its performance characteristics are determined.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Raviteja Chinta.
Thesis: Thesis (M.S.)--University of Florida, 2009.
Local: Adviser: Wong, Tan F.
Local: Co-adviser: Shea, John M.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2009
System ID: UFE0024678:00001

Permanent Link: http://ufdc.ufl.edu/UFE0024678/00001

Material Information

Title: Jamming and Anti-Jamming in Ieee 802.11 Wireless Lans
Physical Description: 1 online resource (53 p.)
Language: english
Creator: Chinta, Raviteja
Publisher: University of Florida
Place of Publication: Gainesville, Fla.
Publication Date: 2009

Subjects

Subjects / Keywords: ad, anti, jamming, mac, markov, network, wlan
Electrical and Computer Engineering -- Dissertations, Academic -- UF
Genre: Electrical and Computer Engineering thesis, M.S.
bibliography   ( marcgt )
theses   ( marcgt )
government publication (state, provincial, terriorial, dependent)   ( marcgt )
born-digital   ( sobekcm )
Electronic Thesis or Dissertation

Notes

Abstract: In wireless local area networks (WLANs) that use the Distributed Coordinated Function (DCF) of the IEEE 802.11 MAC protocol, a collision may occur when two or more devices transmit simultaneously. When a collision results in failed reception of a packet, the stations involved increase their backoff window which decreases the probability of transmission. A jammer trying to disrupt the communications can take advantage of this behavior to reduce the throughput of the system significantly with little energy expense. In this thesis, this behavior of the stations is analyzed by deriving the expressions for throughput and jammer's power expenditure as a function of probability of jamming. These results are experimentally verified with the help of a jammer built in the lab. Under the standard DCF, the jammer's power expenditure decreases with an increase in jamming probability beyond a threshold. A simple modification to the standard DCF can make jamming more power expensive for the jammer. A detection scheme is proposed to detect the presence of a jammer and its performance characteristics are determined.
General Note: In the series University of Florida Digital Collections.
General Note: Includes vita.
Bibliography: Includes bibliographical references.
Source of Description: Description based on online resource; title from PDF title page.
Source of Description: This bibliographic record is available under the Creative Commons CC0 public domain dedication. The University of Florida Libraries, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law.
Statement of Responsibility: by Raviteja Chinta.
Thesis: Thesis (M.S.)--University of Florida, 2009.
Local: Adviser: Wong, Tan F.
Local: Co-adviser: Shea, John M.

Record Information

Source Institution: UFRGP
Rights Management: Applicable rights reserved.
Classification: lcc - LD1780 2009
System ID: UFE0024678:00001


This item has the following downloads:


Full Text

PAGE 1

1

PAGE 2

2

PAGE 3

3

PAGE 4

IsincerelythankDr.SheaandDr.Wongforgivingmethisopportunitytoworkonthetestbed,forallthesupportandencouragement,fortheirexcellentadvice,forinvestingtheirtimeinthisproject,fortheirpatienceandtolerenceandforeverythingelse.IthankallmyWINGmates:Sien,Kareem,Eric,Gaurav,ManishandByong,Ryan,TD,DDinnoparticularorder.Ithankmyparentsfortheirsupportandencouragement,withoutwhichthiswouldn'tbepossible.IthankGodaboveall. 4

PAGE 5

page ACKNOWLEDGMENTS ................................. 4 LISTOFTABLES ..................................... 7 LISTOFFIGURES .................................... 8 ABSTRACT ........................................ 9 CHAPTER 1INTRODUCTION .................................. 10 1.1JamminginWirelessLANs .......................... 10 1.2AntiJamming .................................. 11 1.3OrganizationofThesis ............................. 12 2ANIMPLEMENTATIONOFJAMMERONTESTBED ............. 13 2.1HardwareandSoftwareConguration ..................... 14 2.2TheAth5kDriver ................................ 14 2.2.1Ath5kTransmitChain ......................... 15 2.2.2TransmitTasklet ............................ 16 2.3JammerModule ................................. 16 2.3.1jammerInterface ............................. 16 2.3.2tx pktsInterface ............................ 18 2.4FileDescription ................................. 20 2.4.1jamming.c 20 2.4.2base jammer.c 22 2.5ManipulatedRegisters ............................. 22 3ANALYSISOFJAMMERANDJAMMINGATTACKS ............. 24 3.1MarkovChain(Markovian)ModelforDCF .................. 24 3.2Throughput ................................... 27 3.3NumericalandExperimentalResults ..................... 28 3.4DesignofJammer ................................ 30 3.4.1PowerExpenditureofJammer ..................... 31 3.4.2ImpactonThroughput ......................... 32 4ANALYSISOFANANTI-JAMMINGSCHEME ................. 34 4.1DetectionofJamming ............................. 34 4.2DCFModication ................................ 36 5

PAGE 6

...................... 43 5.1Conclusions ................................... 43 5.2FutureWork ................................... 43 APPENDIX:SOURCECODE .............................. 47 REFERENCES ....................................... 51 BIOGRAPHICALSKETCH ................................ 53 6

PAGE 7

Table page 2-1Tablelistingtheregistersthathavebeenmodied ................. 23 3-1Listofallsystemparametersusedinexperiments ................. 25 7

PAGE 8

Figure page 2-1EectoftwotypesofjammersonWLANs. ..................... 13 2-2Jammeroperationinaowchart. .......................... 17 2-3Asnapshotofjammingwithprobability1. ..................... 19 2-4Asnapshotofjammingwithprobabilityof0:9. .................. 19 2-5Tendatapacketstransmittedusingtx pktsinterface. ............... 21 2-6Asnapshotoftenpacketssentfromtx pktsinterfacegettingjammed. ..... 21 3-1Anexampleofbasicaccessmechanism. ....................... 24 3-2StandardDCF. .................................... 25 3-3CalculationofTcandTs. .............................. 28 3-4Packetfailureprobabilityvsjammingprobability. ................. 29 3-5Theoreticalvsexperimentalthroughputresultsforframesizeof512B. ..... 30 3-6Energyexpenditureforjammerversusprobabilityofpacketfailure. ....... 32 3-7Choiceofjammingprobabilityvsenergyconstraint. ................ 33 4-1ReceiverOperatingCharacteristicofthedetector ................. 37 4-2ModiedDCF ..................................... 38 4-3EnergyexpenditureofJammerw/andw/ocollisiondetection,standardandmodiedDCFfor3,10,20,50stations ........................ 40 4-4ThroughputcomparisonofstandardandmodiedDCFofsystemwith3,10,20,50stations ..................................... 41 4-5pcvs.N ........................................ 42 4-6vs.P ......................................... 42 5-13statetransitiondiagram .............................. 44 8

PAGE 9

Inwirelesslocalareanetworks(WLANs)thatusetheDistributedCoordinatedFunction(DCF)oftheIEEE802.11MACprotocol,acollisionmayoccurwhentwoormoredevicestransmitsimultaneously.Whenacollisionresultsinfailedreceptionofapacket,thestationsinvolvedincreasetheirbackowindowwhichdecreasestheprobabilityoftransmission.Ajammertryingtodisruptthecommunicationscantakeadvantageofthisbehaviortoreducethethroughputofthesystemsignicantlywithlittleenergyexpense.Inthisthesis,thisbehaviorofthestationsisanalyzedbyderivingtheexpressionsforthroughputandjammer'spowerexpenditureasafunctionofprobabilityofjamming.Theseresultsareexperimentallyveriedwiththehelpofajammerbuiltinthelab.UnderthestandardDCF,thejammer'spowerexpendituredecreaseswithanincreaseinjammingprobabilitybeyondathreshold.AsimplemodicationtothestandardDCFcanmakejammingmorepowerexpensiveforthejammer.Adetectionschemeisproposedtodetectthepresenceofajammeranditsperformancecharacteristicsaredetermined. 9

PAGE 10

Advancementsincomputationalpowerandsilicontechnologieshavemademobile/portabledevicesubiquitous.Mostofthesedevicessupportwirelessinterfaces,andavastmajorityprimarilycommunicatethroughwirelessmedia.Wirelesscommunicationsarehighlysusceptibletointerferenceandhencearevulnerabletojammingattacks.UnlicensedbandsareusedforalargenumberofapplicationsincludingtheextremelypopularIEEE802.11-basedwirelesslocalareanetworks(WLANs).Tofacilitateanecientmediumaccess,anumberofMediumAccessControl(MAC)protocolsareputforward[ 1 2 ]ofwhichCarrierSenseMultipleAccess/CollisionAvoidance(CSMA/CA)iswidelyimplementedandisincludedinIEEE802.11WLANstandards.Reference[ 2 ]describesCSMAindetail. Foreectivecommunication,onlyonetransmissioncanoccuratanygivenpointintimeinagivenarea.Theeventofsimultaneoustransmissionsiscalleda\collision",wheretheintendedreceiversfailtodecodethemessage.Forthisreason,CSMArequiressensingifthechannelisidlebeforeatransmittercantransmit.Apacketisassumedtobelostincollisionwhenthetransmitterdoesn'treceiveanacknowledgement(ACK)fromthereceiver(exception:broadcastmessages).Thereisnootherwaytodetectacollisionunderthisprotocol. 3 ].Atthephysical(PHY)layer,interferencedegradesthesignal-to-noiseratioandcouldmakethecommunicationimpossible.Atthemediumaccesscontrol(MAC)layer,collisionscanbeinducedtomakethecontentionwindowlargeandmakethestationstransmitlessoften.Atthenetworkandtransportlayers,injectingerroneouspackets,destroyingroutingcontrolpackets,forcingTCPmultiplicativedecreasetokeepthecongestionwindowsmallandjammingTCPACKaresomeofthenumerouswaystojam. 10

PAGE 11

4 5 ]describevarioustypesofjammerslikeconstantjammer,periodicjammer,randomjammer,reactivejammerandsoon.Thefocusofthisthesisisreactivejamming;i.e.,jamminginresponsetopackettransmission.Bycorruptingeverypacketbeingtransmitted,theeectivetransferrateisalsozero,butcomparedtothetrivialcase,thisismorepowerecient.Bylearningtheprotocolbeingused,ecientschemescanbedesignedforthesameeect.Forexample,inthecasewhereACKsareneededtoconveyasuccessfultransmission,theACKisabottleneck.Comparedtothedatabeingsent,theACKframeisveryshortandisneededtoindicatesuccessfulreceptionofapacket.CorruptingtheACKframewouldbesucienttocausetheentiretransmissiontobetreatedasafailure.Thetransmittermightthenattempttosendthepacketagain.Thismeansthatwithoutevencorruptingallpackets,andwithverylittlepower,WLANcommunicationscanbedisruptedveryeasilyifthejammerissmartenough. 4 ]describesfewmethodstodetectjammingbasedonaveragesignalstrength,signalstrengthspectraldiscrimination,carriersensetime,packetdeliveryratioandconsistencychecks.InChapter 4 ,adetection 11

PAGE 12

3 Classicaljammingconsistsofinjectinganinterferingsignalthatcorruptsthedesiredsignalatthereceiver.Resistancetojammingistraditionallyachievedbytuningvariousparameterssuchastransmissionpower,directionalantennasandreceivercommunicationbandwidth.Byincreasingthetransmissionpowerlevel,thesignal-to-interferenceratiocanbeincreased,butisnotaveryecienttechnique.Themostcommonlyusedanti-jammingtechniqueisspreadspectrum,inwhichasignalisspreadacrossaverylargefrequencybandwiththehelpofaspreadingsequence,typicallyapseudo-randomnoise.Ifthespreadingsequenceisunknowntothejammer,thistechniqueachievesasignal-to-noiseratioimprovementofG,whereGisthespreadinggain.Existinganti-jammingsystemsrelyonextensiveuseofphysicallayertechniques,suchasspreadspectrumtechniques,andonacombinationoferror-correctioncodesandinterleavers[ 6 ]. 2 describesthejammerasbuiltinthelabindetail.Thehardwareandsoftwareusedforimplementingthejammerisexplained.Chapter 3 describesamathematicalmodeltomodelthebehaviorofstandardWLANstationsinthepresenceofajammer.TheMACprotocolateachstationismodeledusingaMarkovchain,andexpressionsforthroughputandpowerexpenditureofthejammerarederived.Theoreticalandexperimentalresultsarecompared.Chapter 4 discussesananti-jammingschememotivatedbythepowerexpenditurecurveofthejammerfromChapter 3 .Italsodescribesaschemetodetectthepresenceofjamming.Chapter 5 mentionsamoregeneralizedproblemofdesigningajammer. 12

PAGE 13

Ingeneral,ajammerisadevicethatcausesintentionalinterferencetoanycommunication.HerewefocusonjammersforIEEE802.11-basedWLANs.TostudytheeectsofjammingonIEEE802.11-basedWLANs,ajammerisbuiltusingregularWLANhardwarethattransmitsapacketinresponsetoanongoingtransmission.SimultaneoustransmissionsresultinatransmissionfailureintheseWLANs.Thisisonetypeofjammerofthemanypossible.Anaiveapproachistotransmitcontinuouslyintheoperatingfrequencyband.Thismakesthestationsdefertheirtransmissions,astheyneedtosensethatthechannelisidlebeforetheyproceedwithtransmission,asseeninFigure 2-1 .Ananalogcordlesswhichoperatesin2.4GHzfrequencybandisusedtooverwhelmchannel1. BPhoneswitchedON CTestbedjammerinactive DJammeractive EectoftwotypesofjammersonWLANs. 13

PAGE 14

2-1A and 2-1B showtheusualtraconchannel1withthecordlessphoneswitchedOFFandONrespectively.Figures 2-1C and 2-1D show10packetstransmittedusingtx pktsinterfaceandjammedusingjammerinterfaceofthejammermoduledescribedinSection 2.3 7 8 ].OpensourcedriverssuchasMadwiandAth5k[ 9 10 ]supportAtherosAR5414chipsets,ofwhichAth5kdoesnotneedtheBinaryHardwareAbstractionLayer(HAL)tofunction.TheHALactslikeaninterfacebetweenthehardwareanddriver.AsAth5kdoesnotdependonHAL,on-chipregisterscanbedirectlyaccessedusingthedriver.MoredetailsaregiveninAth5kinSection 2.2 11 ].ItfeaturestheproprietarySuperAGandAtherosXReXtendedRangetechnologies.Reference[ 12 13 ]statesthatSuperAGis1.5to2timesfasterbyutilizingdualchannelstodoubledatarates.AtheroseXtendedRangetechnologyenablesthecardtodoubleitsrangebyenhancingitsreceiversensitivityand\XRmodesupport"[ 11 14 ]. 10 ].Reference[ 15 ]hasgooddocumentationonath5k-installing,conguringandsupportonDebian.CurrentlyAth5kisinaconstantstateofdevelopmentwithvaryinglevelsofsupportforchipsetsdependingontheirage.Currentlystationmode,adhocmodeand 14

PAGE 15

16 ]. TherearetwoveryimportantstructuresusedbyAth5kwhicharecentraltothefunctioningofthejammerandAth5k.Theyareath5k softc(sc)andath5k hw(ah).Bothscandahhavepointerstoeachotherandpointerstotheieee80211structures.Thesestructureshavebeenmodiedslightlybyaddingafewentriestopassinformationfromthedrivermoduletothejammermoduleandviceversa.Formoreinformation,base.h,hasanelementbyelementdescriptionofsc,andhw.chasdetailsofah. TheentirefunctioningofAth5kisnotnecessaryhereandonlythetransmitchainisdescribed. txistherstfunctiontoreceivethepacket.Itprocessespacketbypacket,andeverypacketislinkedtoabuerthatispulledfromapreallocatedlistofbuers.Onceallthebuersareused,thepacketisdropped,andthehigherlayerqueueisrequestedtohalt.Thebuerisreturnedtothelistwhenthepackettransmissionisdone.Apointertothesebuersisavailableintheath5k softcstructure.Allchangestothelistaredonewithlockstopreventsimultaneousaccesstothelist. Aftersettingupthedescriptor(a4-bytewordcontainingthecontrolinformationforthepacket),thepacketistransferredtothecardbyenablingthequeueinath5k hw tx start().Thisisaccomplishedbywriting0x1totheTXE(transmitenable)register(address:0x0840),toalocationcorrespondingtothequeuenumber.Thedescriptorissetupusingthecontrolinformationpassedfromthehigherlayercontainedintheieee80211 tx controlstructure.Itcontainsinformationsuchastransmitrate,retrylimit,antennanumber,queuenumber,etc. 15

PAGE 16

tasklet tx())isthenscheduledbytheinterrupthandlertoclearthepacketfromthememoryandreturnthebuertothelist.Italsocollectsvariousparametersrelevanttothepacket,liketheretrycount,descriptorstatus(rate,timestamp,ACKsignalstrength)etc. PHY CURRENT RSSI0x9C1C.Itisan8-bitregisteranditscontentsarein2'scomplementformat.Whenthevalueofthisregistergoesaboveacertainthreshold,itimmediatelytriggersthetransmissionofapacket,causingacollision.Totransmitpackets,theuserhastocalltheprocinterfacetx pktsandinputthenumberofpacketsandpacketlength.Moredetailsaregiveninthefollowingsections. jam.sh,whichtakescareoftheorderofinputsintotheprocinterface. AsshowninFigure 2-2 ,thejammerconstructsitsownpacketandreleasesitintoitstransmitchain.Thepacketiscreatedwhentheusercallsthejamming readfunctionthroughtheprocinterface.Thepacketpassesthroughvariousfunctions,whichsetupthe 16

PAGE 17

Jammeroperationinaowchart. necessaryparametersforthetransmission,andisheldupatthelastfunction,go jam.ThisfunctionraisesthevalueofNAVtimer,usedforVCS(VirtualCarrierSensing),toHIGHandpreventsthepacketfrombeingtransmittedevenwhenthequeueisenabled.BasedontheRSSIlevel,asexplainedabove,thevalueofNAVispulledLOWwhichallowsthecardtosendthepacket.Oncethisisdone,wewaitforthepackettransmissiontoendandwriteHIGHtoNAVtimer,writetothedescriptorregisterandenablethequeueandwaitforanotherriseinRSSIlevel.Tojamwithagivenprobability,arandombyteisgeneratedusingget random bytesandactionistakenaccordingly.Thisnumberof1byteisuniformlydistributedbetween0and255.Thejammerisseparatefromtheath5k 17

PAGE 18

Thecardsenseswhetherthechannelisidleanddoesnottransmitwhenthechannelisbusy.Tomeetourpurpose,weneedtheopposite.Wetriedvariousapproaches(raisingsensitivitythreshold,raisingnoiseoor,etc)tooverridethefunctionalityofcarrier-sensingbutwerenotsuccessful.FinallytheExtendedRange(XR)mode,anAtherosproprietarymode,enabledustotransmitpacketsevenwhenthechannelisbusy.However,thecardseemstolistenforthedurationofpacketheaderandthendecidetotransmitbasedonthetypeofpacket.Datapacketsareallowedtobe\stomped",i.e.,thecardtransmitsiftheon-goingpacketisadatapacket.However,ACKs,whicharegivenhigherprioritycannotbestompedoratleastwehavenotguredoutawaytodoit.Thisisalldonebywritingdierentvaluestotheregisters.MoredetailsaregiveninSection 2.5 .Toensurethequickestresponse,theInterframeSpacing(IFS)registersaresetto'0'. Figure 2-3 isacapturefromthechannelmonitorshowingthejammingofpackets.ItisaplotofthechannelRSSIrelativetothenoiseoorvs.time,asseenbythemonitor.Therisingedgesrepresentthebeginningsofdatapackets.Weguessthatthecardatthejammerthenreadsthepacketheader,determinesthepackettype,andthendecideswhethertotransmit.HigherprioritypacketssuchasACKpacketsaresparedfromstomping.Theuncoloredportionisduetothepresenceofthejammer'spacket,whichmakesthemonitorrecordajumpintheRSSIandrecognizeitasanotherpacket.Theabsenceofanacknowledgment(ACK)packetisanindicationthatthedatapacketiscorrupted.Thenextpacketisaretry.Figure 2-3 isasnapshotofjammingwithprobability1.In 2-4 ,thejammingprobabilityis0:9. pktsInterface 18

PAGE 19

Asnapshotofjammingwithprobability1. Figure2-4. Asnapshotofjammingwithprobabilityof0:9. 19

PAGE 20

tx control,whichcontainsthenecessarycontrolinformationforthedrivertouse.Thisstructurecontainstheinformationsuchasthemaximumallowableretries,rateandvariousagsforthedrivertosetupthetransmitdescriptor.Twotimestampsaretaken,oncebeforetransmittingtherstpacketandonceafterthelastpackettogetanestimateofthetotaltimetakenforthestationtotransmittherequestednumberofpackets.Afterthetransmissionofapacket,ath5k tasklet txisscheduled,whichthencollectsthedatasuchastheACKsignalstrength,numberofretriesincurred,andifthepacketisafailure,amongmanyothers.Todistinguishthepackettransmittedbytheinterfacefromaregularpacket,0xABiswrittentothe50thlocationinthepacket.Thestatisticscollectedfromthisprocinterfaceareusedtocalculatethethroughput. Figure 2-5 showstenpacketsbeingtransmittedusingthetx pktsinterface.Boththedatapacketsandacknowledgementpacketscanbeseen.ACKfollowseverydataframe.Figure 2-6 showstheeectofjammingonthistransmission.Thejammingprobabilityusedis0:5.RetriescanbeseenwheneverACKisabsentfollowingthedataframe.Forexample,thersttwodatatransmissionshaveACKsimmediatelyfollowingthem.Thethirddatatransmissionisnotsuccessfuluntilthefthattempt. jam: PHY CURRENT RSSIregister 20

PAGE 21

Tendatapacketstransmittedusingtx pktsinterface. Figure2-6. Asnapshotoftenpacketssentfromtx pktsinterfacegettingjammed. 21

PAGE 22

hw reg read(),andiftheRSSIvalueiswithintherangespecied,0x0iswrittentoAR5K NAVregister,triggeringapackettransmission.Afterthis,itwaitsforthetransmissiontoendandthenwrites0xFFFFFFFFtotheNAVregister,anaddresstodescriptorregister,andenablesthehardwarequeue.SincethevalueoftheNAVregisterissettoHIGH,thepacketisnotsentyet,andthejammerwaitsforanotherriseinRSSI.AlowerRSSIthresholdissettoavoidthecircumstanceswhenchannelnoisemaybemistakenlyidentiedforapackettransmissionandtojamstationsthatareonlycloseinproximity(jamonlylaptopsinthelab).Timeelapsedismeasuredusingthedo.gettimeofday()systemfunction. write:Thisfunctionisaprocinterfacefunctionthatreadsparametersfromtheuser.ParameterssuchaslowerRSSIthreshold,higherRSSIthreshold,jammeractivetime,jammingpacketlengthandjammingprobabilitycanbechangedwiththisfunction. read:Thisfunctioninitiatesthejammer.Itconstructsthepacketandthenpassesintothetransmitchainwithinthejammermodule. ath5k *:Allthefunctionswhosenamestartswithjammer ath5karefunctionsfromAth5k'stransmitchaincopiedintothisleandslightlymodied. jammer.c jammer.cisresponsibleforthecreationofthejammermodule.Itcontainsthehanet initandhanet exitfunctionswhichareinitandexitfunctionsofthejammermodule.Thesefunctionscalltheappropriatefunctionstocreateandremovetheprocinterfacerespectively. Thelebase jammer.histheheaderle. ABORTbitwhich,whensetto1,abortsreceivingapacketandproceedstotransmit.Bitsmaskedwith0xFF0000settheRSSIthresholdforstomping;i.e.,thepacketswhose 22

PAGE 23

Tablelistingtheregistersthathavebeenmodied AddressValuewrittenDescription RSSIisabovethethresholdarenotstomped.Itissetto0x7F,whichisthehighest2'scomplement8-bitvalue. 23

PAGE 24

TounderstandtheeectofjammingonIEEE802.11-basedWLANs,weneedtounderstandthebehaviorofthesedevicesundercollisions.Todecreasetheprobabilityofcollisions,the802.11standardprovidestheDCF(DistributedCoordinatedFunction),whichusesaformofexponentialbacko.Essentially,itdecreasestheprobabilitythatastationtransmitsapacketinresponsetothenumberofcollisionsthatthepacketincurs.Section 3.1 modelsandanalyzesastandardWLANstation,thesystemthroughputisfoundinSection 3.2 andjammer'senergyexpenditureisanalyzedinSection 3.4.1 17 ].AsshowninFigure 3-1 ,whenapacketarrivesatastationfortransmission,itrstneedstosensethatthechannelisidleforatleastatimeequaltoDistributedInter-FrameSpace(DIFS),whichistypically50s[ 18 ].Afterthis,acountdowntimer(backocounter)ischoosenasauniformrandomvariableon(0;W01)andiscounteddowntozero.W0isthecontentionwindowsizeoftherstbackostate.ThebackocounterstopswhenthestationsensesabusychannelandresumesaftersensinganidlechannelforatleastadurationofDIFS.ThestationspendsatimeequaltoaSlotTime,typically20s[ 18 ],ineachstate,bi;k;k6=0untilitreachesbi;0.Whenthebackocounterreacheszero(k=0),itsendsapacket.Ifthedestinationreceivesthepacketcorrectly,itwaitsforatimeequaltoShortInter-FrameSpace(SIFS),whichistypically Anexampleofbasicaccessmechanism. 24

PAGE 25

StandardDCF. 10s[ 18 ].Apacketisconsideredafailurewhenthesourcestationdoesnotreceiveanacknowledgement(ACK).Shouldthepacketfail,thestationincreasesitscontentionwindowsizetoW1andchoosesanumberuniformlybetween(0;W11)andrepeatstheaboveprocessbyincreasingitswindowsizewithsubsequentfailures.Whenexponentialbackoisused,Wi=2iW0.Whenastationreachesthelastbackostate,itstaysinthatstateuntilthepacketissuccessfulorthemaximumallowednumberoftransmissionsisreached,inwhichcasethepacketisdropped.Whenthepacketissuccessful,DCFreturnstothezerobackostate. Table3-1. Listofallsystemparametersusedinexperiments ParameterValue slottime20sSIFS10sDIFSSIFS+2slottimeMACframesize512bytesstationtransmissionrate11MbpsPHYheaderduration192sJammerpktlength128bytesJammertransmissionrate1Mbps ThisbehaviorcanbemodeledusingaMarkovchain,asillustratedinFigure 3-2 .Thismodelassumesthatthenumberofretransmissionsallowedforeachpacketisinnite 25

PAGE 26

Wibi0: 2=1b00=2

PAGE 27

(3{1) 27

PAGE 28

Thethroughputofthesystemcannowbedenedas =SEp whereEpistheaveragepacketlengthinslots;Tc;Tsistheaveragetime(inslots)requiredduetoafailedandsuccessfultransmission.TcandTsarecalculatedfromgure 3-3 CalculationofTcandTs. 2 explainsindetailaboutthejammerbuiltinthelab,whichisusedingeneratingtheexperimentaldata.Inthissubsectiontheoreticalandexperimentalresultsarecompared.Table 3-1 listsalltheparametersusedfortheexperimentsandtheplotsofthetheoreticalresultsobtainedfromtheMarkovianmodelinSections 3.1 and 3.2 .Figure 3-4 showstheconditionalpacketfailureprobabilitygiventhatapacketistransmitted,whichisgivenby( 3{1 ).Toobtaintheexperimentalresults,vestationsareused.Oneforjamming,threefortransmittingupto500uniquepacketseachandtosimulatesaturationcondition(innitepacketsinqueue),andthefthstationisusedasasinkforallthepackets;i.e.,itservesasthedestinationforallthepacketstransmittedbytheabovesaidthreestations.Acountofpacketfailuresandtotalnumberpacketstransmittedareobtained(moredetailsinChapter 2 )fromthetx pktsinterface.Experimentally,the 28

PAGE 29

#totalpacketsand (3{3) experimental=#successesEp(ins) Totaltime(ins): Itcanbeobservedthatforjammingprobabilityof0,thepacketfailureprobabilityisaround0:1,whichisapproximatelytheregularcollisionprobabilityundersaturationconditions.Theexperimentalresultsmatchwellwiththenumericalresultswhichindicatesthattheparametersusedinthetheoreticalmodel(andgiveninTable 3-1 )matchthoseusedbytheAtheroschips. Packetfailureprobabilityvsjammingprobability. Figure 3-5 comparesexperimentalandtheoreticalthroughputresultsforthecaseofthreestationswhenthetransmittedframesizeis512bytes.Forplottingtheoreticalresults,Ep,Ts,andTcarecalculatedasin( 3{7 ).Asexplainedabove,upto500packetsweretransmittedfromeachstation,simulatingsaturationcondition(again,moredetails 29

PAGE 30

2 ).Twotimestampsaretakenfromeachstationtodeterminethestartandendoftheactiveperiod,whichareusedincalculatingthethroughput.Experimentalthroughputisestimatedasin( 3{3 ). slottime (3{5) slottime (3{6) Pfjammerpktduration+pc slottime: Theoreticalvsexperimentalthroughputresultsforframesizeof512B. Asexpected,atjammingprobability(Q)of1,thethroughputreacheszeroasPfisequalto1andincreasesasQdecreases.ExperimentalresultsmatchwellwiththeoreticalresultsindicatingthattheMarkovianmodelchosenisaccurate. 30

PAGE 31

minQsubjecttoCC0: Ifweassumethatjammercandetectacollision,Ctakesthefollowingform,whereQistheconditionalprobabilitythatjammerjamsgiventhatthecurrentpacketisnotafailure:C=Pr[onlyonenodetransmits]Q=N(1)N1Q: 3-6 isaplotofthejammer'senergyexpenditureforbothcases.Thehorizontalaxisisthepacketfailureprobability,andtheverticalaxisistheenergyexpenditureofjammerforthethreenodescase.Wecanseethattheenergyexpenditurewithcollisiondetectionissmallerthanwithoutcollisiondetectionforagivenpacketfailureprobability. FromFigures 3-6 and 3-4 ,theenergyexpendedbyjammerincreasesandthendecreaseswithjammingprobability.ThejammerforcestheDCFtousethemaximumcontentionwindow,whichdecreasesthetransmissionprobabilityandhencedelaysgetlongerbetweensubsequenttransmissions.Thisreducesthenumberoftransmissionsfor 31

PAGE 32

Energyexpenditureforjammerversusprobabilityofpacketfailure. thejammerinagivendurationoftime,andhencethepowerconsumptionforjammerdecreaseswithincreaseinQ. 3-5 ,weseethatthethroughputisamonotonouslydecreasingfunctioninjammingprobability(Q)andreaches0whenQreaches1.ThepowerexpenditurefromFigure 3-6 increasesanddecreaseswithpacketfailureprobabilityandhencejammingprobability. FromFigure 3-7 ,ifC0>C(1),whereC(1)isthevalueofCatQ=1,thenthechoiceofQisalwaysgoingtobe1becausethehigherthejammingprobability,thelowertheenergyexpenditureandthelowerthethroughput.Onchoosingjammingprobabilityof1,thejammerforcestheDCFtousemaximumcontentionwindowandincreasesthedelaysbetweensubsequenttransmissions.Thisreducesthenumberoftransmissionsforjammerinagivendurationoftimeandhencehelpsreducejammer'spowerconsumption.Only 32

PAGE 33

Choiceofjammingprobabilityvsenergyconstraint. whenC0
PAGE 34

ThevulnerabilityofIEEE802.11-basedWLANstojammingattacksisinherentinitsprotocol,andtheshared-accessnatureoftheprotocolparticularlymaketheseattackseective.Collisionscausedbyjammingarenotdistinguishedfromregularcollisions.Todetectthepresenceofjamming,weneedtoknowthestatisticsthatareavailablethatcanbeusedinthedetectionprocess.BasedonthemathematicalmodelintroducedinChapter 3 ,wetrytodeterminethepresenceofjammingbyobservingthestatetransitionsintheDCFoveracertainnumberofpackettransmissions. FromFigure 3-6 andthediscussioninSection 3.4.1 ,thestandardDCFmakesitfavorableforthejammertoreducethethroughputtozero.Asthejammingprobabilityincreases,thestationsarepushedintothebackostatethatusesthelargestcontentionwindowsize.Thisreducesthetransmissionprobabilityofeachstationandreducesthenumberoftransmissionsforthejammer.Whenitchoosesthejammingprobabilityof1,everypacketislostincollision,andhencethethroughputreducestozero.InthischapterwemodifytheDCFsothatthepowerexpenditureofthejammerincreaseswithanincreaseinjammingprobability. 3-2 andtriestodetectthepresenceofjammimgbyobtainingthestate.isavectorwhoseelementsarenbi;0,thenumberofvisitstostatebi;0.=[nb0;0nb1;0nbm;0] Theproblemofdetectingjamminginthepresenceofnormalcollisionsisacompositehypothesistestingproblem,andonepopularwaytosolvethisisageneralizedlikelihood 34

PAGE 35

19 20 ].ThetwohypothesisH0andH1areH0:nojamming)Q=0H1:jamming)0
PAGE 36

4-1 showstheROC(ReceiverOperatingCharacteristic)ofthedetector,whichcharacterizesitsperformance.ThehorizontalaxisisplottedinlogscaleduetotheextremelysmallvaluesofPFA.Itcanbeseenthatthedetectordoesaverygoodjobindetectingjamming.ForQ=0:25andPD=0:9,PFAisapproximately0:01.ThechoiceofthresholdisbasedonthisROC.Forexample,iftheminimumQthatneedstobedetectedis0.25,thenischosenfromthecorrespondingcurvebyxingeitherPDorPFA. 3-2 ,reducestheprobabilitythatastationtransmitswithanincreaseinthenumberofcollisionsapacketincurs.Thisisactuallyfavorabletothejammer.AsseeninFigure 3-6 ,theamountofenergyajammerhastoexpendrstincreaseswiththeprobabilityofjammingandthendecreases.Thismeansthatthejammercansavemoreenergybyjammingwithhigherprobability.Figure 4-2 showsourproposedmodicationtoDCF.Itisaimedatincreasingtheprobabilityoftransmittingastheprobabilityofjammingincreases,whichrequiresajammertotransmitmorepacketsandthusburningitsenergyasafasterrate.Whenthe 36

PAGE 37

ReceiverOperatingCharacteristicofthedetector jammingdevicesarehighlypowerconstrained,theygetexhaustedquicklyandthenormalWLANoperationresumesimmediately. Byworkingthroughequationssimilarto 3{1 ,itcanbeshownthatb00=2 2iW+1)P+P3 1Pq:b10=Pb00;b30=P3

PAGE 38

ModiedDCF Theprobabilitythatastationtransmits()andtheprobabilityofacollision(pc)giventhatastationtransmitsareequalto=6Xi=0bi0;pc=1(1)N1: 3{10 )andwithoutcollisiondetectionfrom( 3{9 ).Figure 4-3 showstheincreaseinjammer'spowerexpenditurewithmodiedDCFforq=1.InFigure 4-3A ,jammingwithandwithoutcollisiondetectionexpendalmostthesameamountofaveragepoweranditincreasestoaveryhighvalueforourmodied 38

PAGE 39

4-3D collisiondetectingjammerexpendsmuchlesspowerwhenthemodiedDCFisused.Thisisduetothefactthatcollisionsaccountformostofthetransmissionswhenthenumberofstationsisincreasedto50foracontentionwindowsize(W)of32.However,forthecaseofajammerwithoutcollisiondetection,thepowerexpenditureisstillveryhigh.HencetheproposedDCFwouldworkverywellifthejammerdoesnotusecollisiondetectionorthenumberofstationsissmall. Figure 4-4 showsthethroughputcalculatedusing( 3{2 )usingthesamesystemparametersfromTable 3-1 .Figure 4-4A showsamarginalimprovementinthroughputbyusingthemodiedDCF.HoweverFigure 4-4D showsdegradationinthroughputbyusingthemodiedDCFwhenthenumberofstationsisincreasedto50.Thisisduetothehigherincrease(fromgure 4-5 )inpcwhenmodiedDCFisused.Theaimhereistogetridofthejammerassoonaspossiblebyexpendingitsenergyatahigherrateandrestorenormaloperation.Sinceajammertypicallyuseshighertransmitpowerthanastationandtransmitsjammingsignalinresponsetotransmissionsfromanyofthestations,ithashigherenergyrequirementthanthestations,whichmakestheproposedschemeeective. Figure 4-5 comparestheincreaseinprobabilityofcollisionwithincreaseinNforbothstandardandmodiedDCF.ItcanbeobservedthatpcformodiedDCFreaches1fasterthanthestandardDCF.ThisisduetothefactthatstationstransmitmoreofteninthecaseofmodiedDCFcomparedtostandardDCF.FromFigure 4-6 itcanbeseenthatpcdecreasesandthenincreaseswithP.ThisisduetothenatureofthemodiedDCF{thebackowindowincreasesanddecreases. 39

PAGE 40

B10stations C20stations D50stations EnergyexpenditureofJammerw/andw/ocollisiondetection,standardandmodiedDCFfor3,10,20,50stations

PAGE 41

B10stations C20stations D50stations ThroughputcomparisonofstandardandmodiedDCFofsystemwith3,10,20,50stations

PAGE 42

42

PAGE 43

3.4.1 .UsingregularWLANhardwareandfreelyavailableopensourcesoftware,wehavedemonstratedthatbuildingthistypeofjammerisnotdicultandveriedthepredictedeectofjammingonaWLANusingaMarkovianmodelfortheDCF. Asacountermeasure,wehaveproposedasimplemodicationtoDCFthatmakesthestationstransmitmoreoftenwithanincreaseinjammingprobability.Thisexhaustsajammer'senergyatafasterrateandwillbeeectivewithjammersthatareenergyconstrained.Thisisparticularlytruewithsmalljammingdeviceswithlittlebatteriesthatareeasytodeployacrossnetwork.Byburningthebatteriesofthesedevicesquickly,thenetworkgetsrestoredtoitsnormaloperation. 5-1 showsthetransitiondiagramwhichissimilartoFigure 3-2 exceptthattheprobabilitythatapacketfailsisdierentforeachbackostateintheformercase. FromFigure 5-1 ,thefollowingequationscanbewritten. 43

PAGE 44

3statetransitiondiagram Wibi0: ,Pf,Psdenedin 3.1 takethefollowingform,=b00+b10+b20=(1+P0+P0P1

PAGE 45

3.1 )byPi=pc+(1pc)Qi; SandF,theprobabilityofasuccessfultransmissionandfailureare =SEp 3.2 Theaveragepowerexpenditureofthejammeris 3.4.1 ,wewantto minQiwithCC0 45

PAGE 46

Thisisanoptimizationprobleminvolvingalargenumberofvariableswhengeneralizedtotanynumberofbackostatesandhencesolvingforaclosedformexpressionwasfoundtobedicult.Itmightbeapproachednumericallywiththeuseofanecientalgorithmtondtheglobalminimumin( 5{1 ),butworkstillneedstobedone. 46

PAGE 47

Thego jamfunction,foundinnet/jamming/jamming.c,isthecorefunctionofthejammingprocedure.Itdependsonotherstructures,functionsandvariablesthatarenotdenedinthisappendix. jam(structath5k hwah) attempt startednn"); bufbf=ah>jam ah bf; pktstart,timestamp pktend,inter pkt time; entering sec,time entering usec; ah queue; gettimeofday(×tamp); time entering sec=timestamp.tv sec; time entering usec=timestamp.tv usec; rssi; descds=bf>desc; hw tx statustx status; tx status=&ds>ud.ds tx5212.tx stat; end wait; registers once(ah,queue);

PAGE 48

hw reg write(ah,bf>daddr,AR5K QUEUE TXDP(queue)); AR5K REG WRITE Q(ah,AR5K QCU TXE,queue); ath5k hw reg write(ah,0xFFFFFFFF,AR5K AR5212 NAV); timer=0; printk("time now=%dnt time enter=%dnt Jamming time= %dnn", timestamp.tv sec,time entering sec,JAMMING TIME); u8toss; JAMMED PKT COUNTER=0; PKT COUNTER=0; sectime entering secJAMMING RSSI THRESHOLD LOWER&&inst rssi10) inst rssi=ath5k hw reg read(ah,AR5K PHY CURRENT RSSI); rssi<20)//waitforack rssi=ath5k hw reg read(ah,AR5K PHY CURRENT RSSI); rssi>10)//waitforacktoend rssi=ath5k hw reg read(ah,AR5K PHY CURRENT RSSI);

PAGE 49

hw reg write(ah,0x7F0010,AR5K XRSTOMP); ENABLE) ath5k hw reg write(ah,0x0,AR5K AR5212 NAV); //ravitejac:Makethehwreadyfortransmittinganotherpacket //Iguesssettingupthedescriptorissufficient pkt time.tv sec=timestamp pktstart.tv sectimestamp pktend.tv sec; inter pkt time.tv usec=timestamp pktstart.tv usectimestamp pktend.tv usec; printk("RSSI chased = %dnt toss=%dnt JAM PKTS = %ld", inst rssi,toss,JAMMED PKT COUNTER); ENABLE) end wait=5000; pkt timer=0; status>tx status 1&AR5K DESC TX STATUS1 DONE)==0)&&(tx end wait>0)) end wait; udelay(1); ath5k hw reg write(ah,0x0,AR5K AR5212 NAV); pkt timer++; status>tx status 1=0; gettimeofday(×tamp pktend);

PAGE 50

hw reg write(ah,bf>daddr,AR5K QUEUE TXDP(queue));//settinguptransmitdescriptordesc REG WRITE Q(ah,AR5K QCU TXE,queue); JAMMED PKT COUNTER++; hw reg write(ah,0xFFFFFFFF,AR5K AR5212 NAV); do gettimeofday(×tamp); jammer>jamming enable=0; ah>ah jammer>jamming hijack=0; reset registers once(ah,queue); printk("nt/nnJamming attempt endednnnt/nn");

PAGE 51

[1] T.S.Rappaport,WirelessCommunicationsPriciplesandPractice.PrenticeHallPTR,1996. [2] A.Leon-GarciaandI.Widjaja,CommunicationNetworks,FundamentalConceptsandKeyArchitectures.McGraw-Hill,2000. [3] A.D.WoodandJ.A.Stankovic,\Denialofserviceinsensornetworks,"IEEEJournalonSelectedAreasInCommunications,vol.35,pp.54{62,2002. [4] W.Xu,W.Trappe,Y.Zhang,andT.Wood,\Thefeasibilityoflaunchinganddetectingjammingattacksinwirelessnetworks,"inProceedingsofthe6thACMInternationalSymposiumonMobileAdHocNetworkingandComputing,2005,pp.46{57. [5] D.J.TheunteandM.Acharya,\Intelligentjamminginwirelessnetworkswithapplicationsto802.11bandothernetworks,"inProceedingsofthe25thIEEECommunicationSocietyMilitaryCommunicationsConference(MILCOM2006),vol.7,2006. [6] G.LinandG.Noubir,\Onlinklayerdenialofserviceindatawirelesslans,"WirelessCommunicationsandMobileComputing,vol.5,pp.273{284,2004. [7] \Kernelv2.6,"TheLinuxKernelArchivesv2.6,updated2009;citedMarch252009.[Online].Available: http://www.kernel.org/pub/linux/kernel/v2.6 [8] \Debian\etch"releaseinformation,"DebianOperatingSystemWebsite,updatedApril152009;citedApril222009.[Online].Available: http://debian.org/releases/etch [9] \Themadwiproject,"MadwiProjectWebsite,updated2009;citedMarch252009.[Online].Available: http://madwi-project.org [10] \Ath5k,"LinuxWirelesswiki,updated2009;citedMarch252009.[Online].Available: http://wireless.kernel.org/en/users/Drivers/ath5k [11] \Atherosproductbulletin,"Atheroswebsite,updated2009;citedMarch202009.[Online].Available: http://www.atheros.com/pt/AR5006XS.htm [12] \SuperG,"AtherosWebsite,updated2009;citedMarch252009.[Online].Available: http://www.super-g.com/performance.html [13] \SuperG:Maximizingwirelessperformance,"WhitepaperonSuperG,updatedMarch2004;citedMarch272009.[Online].Available: http://www.super-g.com/collateral/atheros superg whitepaper.pdf [14] \WhitepaperonAtheroseXtendedRangeXRtechnologygoingthedistance,"AtheroseXtendedRangeXRtechnology,updatedApril2004;citedMarch272009.[Online].Available: www.atheros.com/pt/whitepapers/atheros XR whitepaper.pdf 51

PAGE 52

\Wikientryforath5k,"Debianwiki,updatedMarch212009;citedMarch252009.[Online].Available: http://wiki.debian.org/ath5k [16] \Featuresofath5k,"LinuxWirelesswiki,updated2009;citedMarch252009.[Online].Available: http://wireless.kernel.org/en/users/Drivers/ath5k#features [17] G.Bianchi,\Performanceanalysisoftheieee802.11distributedcoordinationfunction,"IEEEJournalOnSelectedAreasInCommunications,vol.18,pp.535{547,2000. [18] \IEEE802.11-2007standard,,"TheIEEEstandardsassociation,updatedJune2007;citedFeb252009.[Online].Available: http://standards.ieee.org/getieee802/download/802.11-2007.pdf [19] H.L.V.Trees,Detection,EstimationandModulationTheory,Part1.JohnWileyandSons,Inc.,2001. [20] S.M.Kay,FundamentalsofStatisticalSignalProcessing,DetectionTheory,VolumeII.PrenticeHallPTR,1998. 52

PAGE 53

RaviTejaisanMSstudentinelectricalengineeringatUniversityofFlorida(2007-2009).Hereceivedhisbachelor'sdegreeinelectronicsandcommunicationengineeringfromInternational(formerlyIndian)InstituteofInformationTechnology,Hyderabadin2007.Hisinterestsareinthebroadeldofcommunicationsandsignalprocessing. 53