The Modeling and Comparison of Wireless NetworkDenial of Service Attacks

Martin EianDepartment of Telematics

Norwegian University of Science andTechnology (NTNU)Trondheim, Norway

martin.eian@item.ntnu.no

Stig F. MjølsnesDepartment of Telematics

Norwegian University of Science andTechnology (NTNU)Trondheim, Norway

stig.mjolsnes@item.ntnu.no

ABSTRACTMobile handhelds with wireless access are used innumerous safety critical applications. The wirelessnetwork protocols in use are vulnerable to a widearray of denial of service attacks. We propose a for-mal method for modeling semantic denial of serviceattacks against wireless network protocols. We thenuse our proposed model to find a new deadlock vul-nerability in IEEE 802.11. The history of publisheddenial of service attacks against wireless protocolsindicates that formal methods can contribute to theconstruction of robust protocols.

1. INTRODUCTIONThe use of mobile handhelds in safety critical ap-

plications is increasing. Such devices are used in lifecritical medical systems, intelligent transport sys-tems (ITS), emergency communications and alarmsystems. Furthermore, the current trend is to usestandard commercial off the shelf (COTS) equip-ment and protocols in safety critical applications.Such safety critical applications require that thewireless networks used for communication by themobile handhelds are available when needed.

The availability of a wireless network can be dis-rupted by denial of service (DoS) attacks. An ad-versary mounting a DoS attack on a wireless net-work used in safety critical applications could causeinjury or death, as well as significant material dam-

age.We divide wireless network DoS attacks into four

categories: Jamming attacks, flooding attacks, se-mantic attacks and implementation specific attacks.Jamming attacks are mounted by transmitting noisein the radio frequencies used by the wireless net-work. Flooding attacks exhaust resources by send-ing a large amount of messages to a protocol par-ticipant. Semantic attacks exploit protocol weak-nesses by transmitting valid protocol messages withforged message fields. One example of a semanticattack is the deauthentication attack against IEEE802.11 networks [1]. Finally, implementation spe-cific attacks target implementation vulnerabilitiesin specific hardware or software. This category ofattacks includes transmitting invalid protocol mes-sages, since a correct implementation should dis-card all invalid messages. Implementation specificattacks are not related to the protocol design andwill not be considered further in this paper.

The link layer protocols used in current wirelessnetworks are vulnerable to semantic DoS attacks.Vulnerable protocols are used in 802.11 wireless lo-cal area networks (WLANs) [1, 2, 11, 3], 802.16broadband networks [4], and GSM and UMTS mo-bile networks [10]. Due to functionality, perfor-mance or cost requirements, certain signaling mes-sages used by these protocols are not integrity pro-tected. One obvious solution to this problem is tointegrity protect every message. However, a wire-less network needs to exchange signaling messages,e.g. signal strength measurements, before it startsthe authentication and key agreement (AKA) pro-cedure. These initial signaling messages cannot beprotected using the keys derived from the AKA pro-cedure. Furthermore, small battery powered de-vices might not have the resources to verify theintegrity of every message. The integrity protec-tion of time critical signaling messages in wireless

1

networks might limit the usable bandwidth. Thefunctionality of the wireless network might even de-pend on the use of unprotected messages, e.g. anetwork that has to provide service to clients thatdo not support any security mechanisms. As a con-sequence, these link layer protocols only protect asubset of all protocol messages. Any unprotectedmessage could potentially be used by an adversaryto disrupt the wireless network. Even the securitymechanisms in the long term evolution (LTE) fourthgeneration (4G) mobile networks only protect a sub-set of the protocol messages [20].

A significant research effort has been invested inmaking network protocols more robust against jam-ming and flooding attacks. The research results areformal methods, models, tools and design princi-ples to aid protocol designers [18, 16, 19, 21, 22,13, 12]. The research effort on semantic DoS attackdetection and prevention has been of a more infor-mal nature. A multitude of semantic DoS attackshave been discovered in existing wireless protocols,practical attacks have been demonstrated, and adhoc countermeasures have been proposed [1, 2, 11,3]. The fact that new semantic vulnerabilities areroutinely being discovered in proposed and opera-tive protocols indicates that it is difficult to avoidprotocol vulnerabilities. To improve the robustnessof wireless networks used in safety critical applica-tions, we need to verify that an adversary cannot ex-ploit unprotected protocol messages to disrupt theservice provided by the protocol.

Narayana et. al. proposed a formal model forevaluating semantic DoS attacks in 2006 [17]. Tothe best of our knowledge, this is the only pro-posed model of semantic DoS attacks in the litera-ture prior to our work. Narayana et. al. use thetemporal logic of actions (TLA+) to model the pro-tocol and adversary, and to specify the model prop-erties. They then apply the TLA+ model checker(TLC) to find DoS vulnerabilities. They define aDoS attack as a situation where the protocol partic-ipants cannot reach their final state. Our proposedmodel has three major contributions compared totheir model. First, we propose a cost model. Thecost model provides an objective quantification ofthe severity of the protocol vulnerabilities. Second,our model is able to detect scenarios where partic-ipants reach their final state, and are then desyn-chronized by a new attack. This kind of attack willnot be detected in the model proposed by Narayanaet. al., since the participants in this case are able toreach their final state. Third, we demonstrate the

Initiator Adversary Responder

Figure 1: Protocol model with initiator andresponder. The adversary is modeled as thenetwork. The adversary can read, replayor forge every unprotected protocol message.The adversary cannot delete or intercept (i.e.read and delete) protocol messages.

usefulness of our model through the detection andexperimental validation of a previously unknowndeadlock vulnerability in the 802.11 standard.

In this paper we propose a formal method andmodel for evaluating wireless network protocol vul-nerabilities to semantic DoS attacks. We analyzethe adversary goals to find an appropriate quantifi-cation of the adversary cost. We then quantify thethe protocol participant cost, and propose an attackefficiency definition. Finally, we use our model todiscover a new deadlock vulnerability in the IEEE802.11 family of standards. The proposed formalmethod is not protocol specific, it can be used toanalyze any wireless protocol.

Our work complements the research efforts to makewireless networks more robust against jamming andflooding attacks. A network must be robust againstall categories of DoS attacks. If one category of at-tacks is not addressed, then an adversary may stillbe able to disrupt the network.

The rest of this paper is structured as follows:Section 2 presents the formal protocol model andadversary model. Section 3 presents the cost model.Section 4 presents our model of IEEE 802.11 andSection 5 presents the experimental results. Finally,Section 6 gives the conclusions.

2. PROTOCOL AND ADVERSARY MODELWe model a two party protocol P as illustrated in

Figure 1. The protocol participants are the initiatorI and responder R.

Each participant has a set of local protocol states.We model I and R as deterministic finite statetransducers defined by the 7-tuples

I = (Σ,SI , sI0 , δI , ωI , γP ,FI)

R = (Σ,SR, sR0 , δR, ωR, γR,FR)

where:

• ε is the empty string

• Σ = {σ|σ is a protocol message} ∪ {ε}

2

• SI = {sI |sI is a protocol initiator state}

• SR = {sR|sR is a protocol responder state}

• sI0 ∈ SI is the protocol initiator initial state

• sR0 ∈ SR is the protocol responder initial state

• δI : SI × Σ→ SI is the initiator state transi-tion function

• δR : SR × Σ→ SR is the responder state tran-sition function

• ωI : SI × Σ→ Σ is the initiator output func-tion

• ωR : SR × Σ→ Σ is the responder output func-tion

• γI : SI × Σ→ R+is the initiator cost function

• γR : SR × Σ→ R+is the responder cost func-tion

• FI ⊆ SI = {sI |sI ∈ SI and P provides service}

• FR ⊆ SR = {sR|sR ∈ SR and P provides service}

The service provided by a protocol depends on theprotocol’s purpose. One common service is the trans-port of higher layer user data. The protocol P isin a state (sI , sR) where it provides service when(sI , sR) ∈ (FI × FR).

We model an adversaryA who can read, replay orforge every unprotected protocol message σA ∈ ΣA.The adversary cannot delete or intercept (i.e. readand delete) messages. These capabilities correspondto a real world adversary who utilizes commercialoff the shelf hardware and software. An example ofsuch an adversary is someone with an 802.11 net-work interface card with driver support for monitormode and frame injection. When not attacking, theadversary simply forwards all messages between Iand R. We model the attack behavior of the adver-sary as a nondeterministic finite state transducerdefined by the 7-tuple

A = (ΣA,SA, sA0 , δA, ωA, γA,FA)

where:

• ΣA ⊆ Σ = {σA|σA ∈ Σ and A can forgeσA} ∪ {ε}

• SA = {sA|sA is an adversary state}

• sA0 ∈ SA is the adversary initial state

• δA : SA → P(SA) is the adversary state tran-sition function

• ωA : SA → ΣA × ΣA is the adversary outputfunction

• γA : SA → R+is the adversary cost function

• FA ⊆ SA = {sA|sA ∈ SA and A has finished attack}

The function ωA outputs a pair of messages. Thefirst message is transmitted to I, and the secondmessage to R. If the output is (ε, ε), then no mes-sages are transmitted. The adversary mounts anattack by transmitting one or more messages σA.A successful attack triggers a transition from a pro-tocol state (sI , sR) ∈ (FI × FR) to a protocol state(sI , sR) /∈ (FI × FR). We limit the number of mes-sages that the adversary can transmit. Once thislimit is reached, the adversary transitions to a statesA ∈ FA .

3. COST MODELThe model presented in Section 2 can be used

without a cost model to find deadlock vulnerabili-ties in a protocol. However, we have to define a costmodel to find other semantic DoS vulnerabilitiesthat do not cause a deadlock, since a protocol mightbe vulnerable to highly efficient attacks that causetemporary disruption. First, we define four addi-tional functions. The function τm : Σ→ R+, withτm(ε) = 0, represents the transmission time of a pro-tocol message σ. The function τo : Σ→ R+, withτo(ε) = 0, represents the protocol overhead time ofa message σ, e.g. waiting for a time slot before mes-sage transmission. Finally, we define the functions:

τ(σ) = τm(σ) + τo(σ)

τmsum(σ1, σ2) = τm(σ1) + τm(σ2)

We assume that the adversary seeks to maximizenetwork disruption and minimize the probability ofbeing located. The adversary has to be in physicalproximity of a wireless network in order to mountan attack. Location determination methods suchas triangulation or trilateration can be used by thenetwork operator to determine the physical locationof the adversary. If an adversary is located, thenan ongoing attack can be stopped and the adver-sary can be apprehended. The precision of locationdetermination depends on the number of measure-ments. The longer an adversary transmits a wirelesssignal, the higher the probability of being located.An adversary would thus limit his transmission timeto a minimum to avoid being located.

The time spent transmitting a signal is also stronglycorrelated with energy consumption. If an adver-

3

sary can mount an attack by very infrequent trans-missions, then he could use a battery powered de-vice to cause long term disruption of the network.Such long lived, low power devices are referred toas “cyber mines” [18]. The ability to use “cybermines” reduces the risk to the adversary, since heno longer has to be physically present when the at-tack is mounted.

The adversary constraints are thus location de-termination time and energy usage. We proposethat the transmission time of the messages used forthe attack, measured in seconds, is the most ap-propriate quantification of the adversary cost ΓA.Formally, we first define γA as follows:

γA(sA) =τmsum(ωA(sA))

We define the adversary cost ΓA as the cumula-tive output of γA, with ΓA = 0 in the initial statesA0 . A more sophisticated adversary model couldinclude the computational cost of constructing amessage or breaking certain cryptographic primi-tives as part of the cost function γA. We do notinclude these costs in our model, since we modelan adversary that only transmits unprotected mes-sages. The energy costs of computation are thusinsignificant compared to the energy costs of trans-mission.

A wireless network provides one or more services.A DoS attack causes a time period where service isnot provided. In our model, this is represented bythe time spent in protocol states (sI , sR) /∈ (FI × FR).We propose to use this time period, measured in sec-onds, to quantify the protocol cost ΓP . Formally,we first define γI and γR as follows:

γI(sI , σ) =

0 if sI ∈ FI andδ(sI , σ) ∈ FI

τ(ω(sI , σ)) if sI /∈ FI

τ(ω(sI , σ)) if sI ∈ FI andδ(sI , σ) /∈ FI

γR(sR, σ) =

0 if sR ∈ FR andδ(sR, σ) ∈ FR

τ(ω(sR, σ)) if sR /∈ FR

τ(ω(sR, σ)) if sR ∈ FR andδ(sR, σ) /∈ FR

We then define ΓI as the cumulative output of γI ,with ΓI = 0 in the initial state sI0 . Next, we defineΓR as the cumulative output of γR, with ΓR = 0in the initial state sR0 . Finally, we define ΓP =ΓI + ΓR.

We compare the cumulative cost functions ΓA

and ΓP to a physical layer jamming attack as anillustration. In a constant jamming attack, the ad-versary transmits noise in the radio frequencies usedby the wireless network. As long as the adversaryis transmitting, the protocol does not provide ser-vice. Once the adversary stops transmitting, theprotocol immediately provides service again. In ourmodel, ΓA represents the time spent transmittingby the adversary and ΓP represents the time periodwhere the protocol does not provide service. Thus,an equivalent semantic attack would have ΓA = ΓP .

To achieve his goals, an adversary would try tofind attacks where ΓP � ΓA. Such attacks couldbe considered as an amplifier for the adversary. Anattack where ΓP = 2ΓA is twice as efficient as aconstant jamming attack, i.e. it has an amplifica-tion of 2. We define this amplification as the attackefficiency E:

E =ΓP

ΓA

The adversary’s goal is thus to find an attack withthe highest possible attack efficiency E. A semanticattack with E > 1 could be considered a protocolweakness. However, it is up to the protocol designerto decide the acceptable attack efficiency threshold.

Note that the cost model can be replaced by mod-ifying the cost functions of the protocol and adver-sary models. Our proposed cost model is simple,which makes it easy to implement and model check.A more sophisticated cost model might give morerealistic results. The tradeoff between realism andpracticality in the cost model is one possible avenueof future work.

4. MODELING IEEE 802.11We validate the usefulness of our proposed model

by model checking IEEE 802.11 [9]. IEEE 802.11is a family of standards for wireless local area net-works (WLANs). The standard specifies the WLANmedium access control (MAC) and physical (PHY)layers. The 802.11 specification is unclear on sev-eral points, which require interpretation. We usethe open source hostapd [14] and wpa supplicant[15] implementations of 802.11 as a guideline forhow to interpret ambiguities. We model a subset ofthe IEEE 802.11 MAC layer with the 802.11i [8] and802.11h [7] amendments. The cost parameters arebased on the 802.11g [6] PHY layer with a 54 Mbit/stransfer speed. We use the Promela language to im-plement the model and the SPIN model checker tofind protocol vulnerabilities [5]. Our model consistsof three entities: An access point (AP), a station(STA) and an adversary. The AP acts as the re-

4

sponder R and the STA acts as the initiator I. Theentities are modeled as Promela processes. The cu-mulative cost functions ΓA and ΓP are global vari-ables that are incremented during state transitions.The network is modeled as two asynchronous mes-sage channels in Promela, one in each direction.The STA initiates a connection setup whenever it isin state sI0 .

Once the AP and STA have performed the 802.11authentication, association and key agreement pro-cedures, they alternately send and receive data frames.We model (sI , sR) ∈ (FI × FR) as the state wherethe STA receives a valid data frame from the APand then transmits a data frame to the AP. Onemajor challenge of using the proposed cost basedmodel is how to avoid an infinite state space. If theprotocol participants enter an infinite loop throughprotocol states (sI , sR) /∈ (FI × FR), then ΓP , andthus the state space, will keep increasing. We solvethis by letting only one of the participants initiatethe transfer of data frames once the protocol tran-sitions from a state (sI , sR) /∈ (FI × FR) to a state(sI , sR) ∈ (FI × FR). While in (sI , sR) ∈ (FI × FR)the participants only transmit a data frame oncethey receive a data frame. If an attack causes adesynchronization of the participants, then the 802.11resynchronization mechanisms will enable the APand STA to resume communication. If, however,the resynchronization mechanisms fail, then the modelwill deadlock. This property makes checking forprotocol deadlock vulnerabilities simple, since SPINhas a built-in test for deadlocks.

Having implemented the model in Promela, wethen need to specify the properties to be checked.We use linear temporal logic (LTL) for this purpose.The LTL formula used for checking the cost basedmodel is:

�((ΓA = 0) ∨ (ΓP

ΓA< T ))

The parameter T specifies the attack efficiencythreshold. The most efficient published DoS attackagainst 802.11 is the quiet attack from [11].

5. EXPERIMENTAL RESULTSWe first set the threshold to the efficiency of the

quiet attack to verify that the attack is found bythe model checker. The result is that SPIN findsthe quiet attack. We then proceed to set the thresh-old to slightly more than the efficiency of the quietattack to see if a more efficient attack exists. Theresult is negative, the quiet attack is the most effi-cient attack against 802.11 in our model. We thengradually lower the threshold in order to find other

less efficient attacks. The results are that the modelchecker is able to find the previously known seman-tic DoS attacks against 802.11, but we do not findany new attacks.

We then proceed to check for deadlocks. The re-sult is that SPIN finds a new deadlock vulnerabilityin 802.11i. The adversary transmits a valid 802.11Open System authentication request from the STAto the AP while the protocol participants are ina state (sI , sR) ∈ (FI × FR). The AP deletes its802.11i security association with the STA, but staysin 802.11 State 3. All data frames from the STA tothe AP are dropped, since they are encrypted andintegrity protected with a key that the AP no longerhas access to. The AP cannot transmit any dataframes to the STA, since it is unable to sign andencrypt them. The 802.11 resynchronization mech-anisms are not triggered since both the AP and theSTA are in 802.11 State 3.

We proceed to experimentally validate the vul-nerability. We set up an 802.11 network using awireless router with the hostapd software as theAP and a laptop computer with the wpa supplicantsoftware as the STA. The adversary causes a pro-tocol deadlock by transmitting a single authentica-tion request frame. In practice, the STA is ableto recover after approximately 7 minutes due to aninternal timeout. This timeout is not specified inthe 802.11 standard, however, so there is no guar-antee that other implementations would be able torecover. Even with this ability to recover, the at-tack is far more efficient than any published DoSattacks against 802.11. The author of hostapd andwpa supplicant has been notified about the vulner-ability.

6. CONCLUSIONSThe history of published attacks against existing

wireless protocols shows that the design of robustprotocols could greatly benefit from formal analy-sis tools. We have proposed a formal method formodeling semantic DoS attacks against wireless net-works and shown how the model can be used todiscover protocol vulnerabilities. By this, we havefound a new deadlock vulnerability in 802.11 andexperimentally validated it. Our proposed modelcan facilitate the design of robust protocols by dis-covering vulnerabilities during the design process.

7. REFERENCES[1] Bellardo, J., and Savage, S. 802.11

denial-of-service attacks: Real vulnerabilitiesand practical solutions. In Proceedings of the

5

12th USENIX Security Symposium (Berkeley,CA, USA, 2003), USENIX Association.

[2] Eian, M. Fragility of the robust securitynetwork: 802.11 denial of service. InProceedings of the 7th InternationalConference on Applied Cryptography andNetwork Security (2009), vol. 5536 of LectureNotes in Computer Science, Springer-Verlag,pp. 400–416.

[3] Eian, M. A practical cryptographic denial ofservice attack against 802.11i TKIP andCCMP. In Proceedings of the NinthInternational Conference on Cryptology AndNetwork Security (2010), vol. 6467 of LectureNotes in Computer Science, Springer-Verlag,pp. 62–75.

[4] Han, T., Zhang, N., Liu, K., Tang, B.,and Liu, Y. Analysis of mobile WiMAXsecurity: Vulnerabilities and solutions. InMobile Ad Hoc and Sensor Systems, 2008.MASS 2008. 5th IEEE InternationalConference on (2008), pp. 828 –833.

[5] Holzmann, G. Spin model checker, the:primer and reference manual, first ed.Addison-Wesley Professional, 2003.

[6] IEEE. IEEE Std 802.11g-2003. New York,NY, USA, 2003.

[7] IEEE. IEEE Std 802.11h-2003, IEEE802.11-1999 Amendment 5: Spectrum andTransmit Power Management Extensions inthe 5 GHz band in Europe. New York, NY,USA, 2003.

[8] IEEE. IEEE Std 802.11i-2004, IEEE802.11-1999 Amendment 6: Medium AccessControl (MAC) Security Enhancements. NewYork, NY, USA, 2004.

[9] IEEE. IEEE Std 802.11-2007, IEEE Standardfor Information technology –Telecommunications and informationexchange between systems – Local andmetropolitan area networks – Specificrequirements Part 11: Wireless LAN MediumAccess Control (MAC) and Physical Layer(PHY) Specifications. New York, NY, USA,2007.

[10] Kambourakis, G., Kolias, C., Gritzalis,S., and Hyuk-Park, J. Signaling-orientedDoS attacks in UMTS networks. In Advancesin Information Security and Assurance,vol. 5576 of Lecture Notes in ComputerScience. Springer-Verlag, 2009, pp. 280–289.

[11] Konings, B., Schaub, F., Kargl, F., andDietzel, S. Channel switch and quiet attack:

New DoS attacks exploiting the 802.11standard. In LCN 2009: Proceedings of theIEEE 34th Conference on Local ComputerNetworks (2009), pp. 14–21.

[12] Lafrance, S., and Mullins, J. Usingadmissible interference to detect denial ofservice vulnerabilities. In Sixth InternationalWorkshop in Formal Methods. ElectronicWorkshops in Computing (eWiC) by BritishComputer Society (BCS) (2003), pp. 1–19.

[13] Mahimkar, A., and Shmatikov, V.Game-based analysis of denial-of-serviceprevention protocols. In Proceedings of the18th IEEE workshop on Computer SecurityFoundations (Washington, DC, USA, 2005),IEEE Computer Society, pp. 287–301.

[14] Malinen, J. hostapd: IEEE 802.11 AP,IEEE 802.1X / WPA / WPA2 / EAP /RADIUS Authenticator, 2011.http://hostap.epitest.fi/hostapd.

[15] Malinen, J. Linux WPA/WPA2/IEEE802.1X Supplicant, 2011.http://hostap.epitest.fi/wpa supplicant.

[16] Meadows, C. A formal framework andevaluation method for network denial ofservice. IEEE Computer Security FoundationsWorkshop 00 (1999), 4.

[17] Narayana, P., Chen, R., Zhao, Y.,Chen, Y., Fu, Z., and Zhou, H. Automaticvulnerability checking of IEEE 802.16WiMAX protocols through TLA+. In SecureNetwork Protocols, 2006. 2nd IEEE Workshopon (2006), pp. 44 –49.

[18] Pelechrinis, K., Iliofotou, M., andKrishnamurthy, V. Denial of serviceattacks in wireless networks: The case ofjammers. Communications Surveys Tutorials,IEEE PP, 99 (2010), 1 –13.

[19] Ramachandran, V. AnalyzingDoS-resistance of protocols using a cost-basedframework. Tech. rep., Yale University, 2002.

[20] Sankaran, C. Network access security innext-generation 3GPP systems: A tutorial.Communications Magazine, IEEE 47, 2(2009), 84 –91.

[21] Smith, J. Denial of Service: Prevention,Modelling and Detection. Brisbane, Australia,2007. PhD Thesis, Queensland University ofTechnology.

[22] Tritilanunt, S. Protocol engineering forprotection against denial-of-service attacks.Brisbane, Australia, 2009. PhD Thesis,Queensland University of Technology.

6