LDoS attack in ad-hoc network

Page 1

EEL6951 Project: Simulation of “LDoS Attack in Ad-hoc Network”
by Y. He et al.
By Paul Muri, Carlo Pascoe, and Brian Sapp
I. Introduction
Research Paper: “LDoS Attack in Ad-hoc Network” by Y. He et al.
Citation: Yanxiang He; Yi Han; Qiang Cao; Tao Liu; Libing Wu, "LDoS attack in ad-hoc
network," Wireless On-Demand Network Systems and Services, 2009. WONS 2009. Sixth
International Conference on , vol. 1, no., pp.251-257, 2-4 Feb. 2009 (7pages)
Abstract: LDoS (Low-rate Denial of Service) attack is periodic, stealthy, and with high
efficiency, which has become a great threat to the network security. Previous researches
about LDoS attack mainly focus on its impact on wired networks. However, our analysis
shows that such attack could also be launched in Ad-hoc network, and as a completely
distinct MAC layer protocol is adopted in this environment, the form and effect of the attack
could be different and need re-evaluation. This paper presents a study of LDoS attack in Ad-
hoc network: (1) We investigate the differences of attack form brought by the medium
reservation mechanism and CSMA/CA of 802.11b, and find that decreasing the period of
LDoS attack into a smaller time scale would achieve a higher attack efficiency; (2) We show
that the attack effect differs from that in wired networks, and the attacker’s location has an
impact on it; (3) We verify our findings by simulation experiments in ns-2; (4) Detection
and defense methods are explored to counter against such attack.
URL: http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=4801858&isnumber=4801825
Definition of Selected Topic
While previous research has gone into low-rate denial of service (LDoS) attacks on wired
networks, our paper addresses the analysis of this type of attack in an ad-hoc network. By
sending short bursts periodically, LDoS attacks exploit the Transmission Control Protocol
(TCP) congestion deficiencies. As a result, LDoS attacks could also be done in an ad-hoc
network. However, since an ad-hoc network has a different MAC layer protocol, the effect of
the attack will be different. First, the paper states that with a medium reservation

Page 2

mechanism and carrier sense multiple access with collision avoidance (CSMA/CA) in
802.11b, decreasing the period of LDoS attack into smaller time scales would result in a
more severe attack. Second, the paper shows that an attack effect is different from wired
network because attackers can be at different locations. The paper verifies this with
simulations. Last, the paper suggests detection and defense methods to counter an attack.
Our project will simulate an LDoS attack on wireless ad-hoc network. For ns-2 we are going
to use the dynamic source routing (dsr) protocol, and a standard 802.11 MAC protocol.
Specifically, the paper says CSMA/CA in 802.11b. We shall simulate and analyze the impact
of varying the attack period (T), burst duration (t), amplitude (R), contention window
minimum (CWmin), and location of attacker.
Paper’s Architecture
The paper’s network architecture shows four nodes. The nodes are labeled as 0, 1, 2, and 3.
Node 0 and 1, Node 1 and 2, Node 1 and 3 are all 200 meters apart. The carrier sense
distance of each node is 550 meters and the data transmission distance is 250 meters. The
paper uses a MAC layer 802.11b protocol, so the data transmission rate is 11 Mbps and the
route protocol is dsr. The legal sender is Node 0 which sends TCP packets to Node 2. Node 1
is a forwarding node. Node 3 is an attacker, which floods Node 1 with UDP packets. Node 1
forwards the UDP packets to Node 2. The attack causes a packet loss for the TCP packets.
Figure 1 shows the LDoS attack model in the paper while figure 2 shows the LDoS attack
model created in ns2 run on the network animator (nam) below.


Figure 1 LDoS attack model from the paper
Figure 2 LDoS attack model from ns2 simulation
shown in the NAM

Page 3

Paper’s Algorithm
The paper’s network algorithm considers the MAC layer’s uniqueness in an Ad-hoc network
simulation. The measurement algorithm is based on the variance of jitter and throughput of
request to send (RTS) frames. A TCP-targeted LDoS attack is launched by the attacker
sending short duration, high-rate burst at the time attack period (T), which causes all legal
TCP packets to be dropped. So, a good TCP sender will have to wait for the retransmission
timer to expire and multiply its retransmission timeout (RTO) by a constant known as q. q is
typically two and when q is two it is known as a binary exponential back-off. So, the
retransmission timeout equation would be RTO[K+1] = q × RTO [K]. So, the legal TCP
senders retransmit their lost packets at time T + RTO, which is the same time the attacker
sends a burst. The same occurs at T + 3*RTO, T + 7*RTO, T + 15*RTO, … , the attacker can
deny service to legal TCP flows even with a low rate or large period.

Figure 3 An example of a square-wave LDoS stream
II. Reference Paper’s Algorithm
Topologies
This paper presented an analysis of LDoS attacks in an Ad-hoc network through simulation
experiments in NS-2. The experiment is setup as follows. Three mobile nodes are
stationary in an Ad-hoc network with node 0 200m from node 1, node 1 200m from node 2,
and node 2 400m from node 0. Each node has a carrier sense distance of 550m and a data
transmission distance of 250m (defualt values). By use of the DSR protocol it is established
that node 1 can transmit to either 0 or 2, but nodes 0 and 2 can only communicate with each
other by forwarding packets through 1. Node 0, fully adhering to the 802.11b MAC protocol,

Page 4

begins sending an endless stream of tcp packets to node 2, through node 1, achieving some
throughput in Mb/s. An attacker node, positioned 200m from node 1 and 283m from nodes
0 and 2, begins transmitting udp packets to node 2, through node 1, while only loosely
following the 802.11b MAC protocol in a malicious attempt to disrupt the connection that
node 0 has established with node 2, the inevitable result being a reduction in the realized
throughput from node 0. A diagram of this setup can be seen in Figure 4 of the paper
(reproduced in Figure 1 of this report). The frequency, duration, and severity of these
attacks are variables in the experiment, with T defining the attack period, t defining the
attack duration, and R defining attack amplitude, the transmission rate of the udp packets
during an attack duration. The remainder of this section discusses how the authors vary
these attack parameters, along with contention window parameters, in order to fully assess
the effects of LDoS attacks on such an Ad-hoc network.
Attack period (T) Effects
The goal of a LDoS attack is to degrade the tcp performance of a valid connection; the effect
of such attacks is to minimize the throughput of a tcp connection by causing the dropping of
packets. Unlike the medium reservation mechanisms available in wired networks, the
wireless network under discussion here requires the exchange of rts and cts frames prior to
the actual data frame; unlike wired networks, LDoS attacks in this wireless network mostly
cause the dropping of rts and cts packets rather than data packets. In order to maximize the
number of packets dropped, the attack period should be chosen in order to minimize the
sender’s cwnd (ie T should be shorter than the recovery time of the sender’s cwnd which
gets decreased due to the last LDoS burst). The authors’ analysis shows that decreasing the
period of LDoS attacks into smaller time scales will achieve higher attack efficiency because
it will cause more frequent disruption of the channel and therefore more dropped packets.
Burst duration/Period and Amplitude Effect
In order to keep the low-rate characteristic of an LDoS attack the burst duration and attack
amplitude should be made large enough to cause the loss of tcp packets but as small as
possible to minimize the amount of attacker traffic. The authors propose that as the attack
burst duration moves closer to the attack period in a ratio of t/T, the attack efficiency
increases by reducing the normalized throughput (though not properly defined in the
paper, we assume to be the ratio of the throughput under attack to the throughput not

Page 5

under attack) but only to a limit of 0.5; as the ratio increases past 0.5, attack efficiency is not
increased significantly and the increased traffic does not conform to the low-rate
characteristic. The attack amplitude needs to be larger than the achieved throughput of the
tcp connections under attack so that it is high enough to overwhelm the legitimate tcp flows.
The authors’ analysis shows that increasing the attack amplitude improves attack efficiency,
but only to a point (when the attacker’s rate matches the achieved throughput of the tcp
connection) after which performance remains almost constant. Although the transmission
rate of this experiment can reach theoretically reach 11Mb/s according to 802.11b, in real
scenarios the actual throughput of a tcp connection is far below that value, so the amplitude
of a LDoS attack need not be even close to 11Mb/s (for this experiment the sweet spot is
shown to be 2Mb/s).
Simulation Experiments
The body of the paper is centered on four separate experiments that analyze the impact of
an LDoS attack on an Ad-hoc network. The experiments are titled as follows: Impact of
attack period and burst duration on attack Effect, Impact of attack amplitude on attack
effect, Impact of CWMin and CWMax on LDoS stream, and Impact of attacker’s location on
attack effect.
Impact of Attack Period and burst duration on attack Effect
In the set of experiments assessing impact of attack period and burst duration on attack
effect, the amplitude of the LDoS stream is held constant at 2Mb/s, the attack period is
varied from 0.05s to 2.0s, and the burst duration is proportional to the period using several
t/T constant values ranging from 0.1 to 0.5. It is observed that with the same proportion, as
the attack period decreases, the normalized throughput diminishes significantly as one
would expect given the analysis previously discussed. These experiments are extended
further to record the cwnd of the victim node under LDoS attacks for different periods and
burst durations. It is observed that when the period decreases from 2.0s to 0.5s, cwnd of
the victim node decreases as anticipated, but only to a point and even reverses as the period
further decreases to 0.05s. This phenomenon can be explained because if the burst duration
is too short, legal tcp packets won’t be dropped at every LDoS burst.