Wireless networks are meant for transferring information of any kind between two or more points that are not physically connected. Wireless networks are vulnerable to various kinds of attacks because of its shared medium. There is need to deal with numerous security issues. Attackers with a transceiver can be able to hinder wireless transmission, insert unwanted messages, or jam messages of high importance. Jamming can be considered as one of a fundamental way of degrading network performance. In the simplest form of jamming, the adversary corrupts the content of the original message by transmitting radio frequency signals in the network or by blocking the message so that it cannot reach to the intended receiver. Radio interference attacks cannot be easily addressed by conventional security methods. An adversary can simply disregard the medium access protocol and continually transmit on Wireless networks.
Typically, jamming can be done in two forms. One is external threat model in which jammer will not be the part of the network. Another one is internal threat model in which jammer will be part of the network.
Jamming makes use of intentional radio interferences to harm wireless communications by keeping communicating medium busy, causing a transmitter to back-off whenever it senses busy wireless medium or corrupted signal received at receivers. Jamming mostly targets attacks at the physical layer but sometimes cross-layer attacks are possible too. In this section, we elaborate on various types of jammers and the placement of jammers to maximize the jammed area.
Types of jammers
Jammers are malicious wireless nodes planted by an attacker to cause intentional interference in a wireless network. Depending upon the attack strategy, a jammer can either have the same or different capabilities from legitimate nodes in the network which they are attacking. The jamming effect of a jammer depends on its radio transmitter power, location and influence on the network or the targeted node. A jammer may jam a network in various ways to make the jamming as effective as possible. Basically, a jammer can be either elementary or advanced depending upon its functionality. For the elementary jammers, we divided them into two subgroups: proactive and reactive. The advanced ones are also classified into two sub-types: function-specific and smart-hybrid. The detailed classification of different jammers can be found in Fig. shown below.
Proactive jammer – Proactive jammer transmits jamming (interfering) signals whether or not there is data communication in a network. It sends packets or random bits on the channel it is operating on, putting all the others nodes on that channel in non-operating modes. However, it does not switch channels and operates on only one channel until its energy is exhausted. There are three basic types of proactive jammers: constant, deceptive and random. From here on, whenever we use proactive jammers it can mean all these three. Constant jammer emits continuous, random bits without following the CSMA protocol. According to the CSMA mechanism, a legitimate node has to sense the status of the wireless medium before transmitting. If the medium is continuously idle for a DCF Interframe Space (DIFS) duration, only then it is supposed to transmit a frame. If the channel is found busy during the DIFS interval, the station should defer its transmission. A constant jammer prevents legitimate nodes from communicating with each other by causing the wireless media to be constantly busy. This type of attack is energy inefficient and easy to detect but is very easy to launch and can damage network communications to the point that no one can communicate at any time.
Deceptive jammer continuously transmits regular packets instead of emitting random bits (as in constant jammer). It deceives other nodes to believe that a legitimate transmission is taking place so that they remain in receiving states until the jammer is turned off or dies. Compared to a constant jammer, it is more difficult to detect a deceptive jammer because it transmits legitimate packets instead of random bits. Similar to the constant jammer, the deceptive jammer is also energy inefficient due to the continuous transmission but is very easily implemented. Random jammer intermittently transmits either random bits or regular packets into networks. Contrary to the above two jammers, it aims at saving energy. It continuously switches between two states: sleep phase and jamming phase. It sleeps for a certain time of period and then becomes active for jamming before returning back to a sleep state. The sleeping and jamming time periods are either fixed or random. There is a tradeoff between jamming effectiveness and energy saving because it cannot jam during its sleeping period. The ratios between sleeping and jamming time can be manipulated to adjust this tradeoff between efficiency and effectiveness.
Reactive jammer starts jamming only when it observes a network activity occurs on a certain channel. As a result, a reactive jammer targets on compromising the reception of a message. It can disrupt both small and large sized packets. Since it has to constantly monitor the network, the reactive jammer is less energy efficient than a random jammer. However, it is much more difficult to detect a reactive jammer than a proactive jammer because the packet delivery ratio (PDR) cannot be determined accurately in practice.
Reactive RTS/CTS jammer jams the network when it senses a request-to-send (RTS) message is being transmitted from a sender. It starts jamming the channel as soon as the RTS is sent. In this way, the receiver will not send back clear-to-send (CTS) reply because the RTS packet sent from a sender is distorted. Then, the sender will not send data because it believes the receiver is busy with another on-going transmission. Alternatively, the jammer can wait after the RTS to be received and jams when the CTS is sent by the receiver. That will also result in the sender not sending data and the receiver always waiting for the data packet.
Reactive Data/ACK jammer jams the network by corrupting the transmissions of data or acknowledgment (ACK) packets. It does not react until a data transmission starts at the transmitter end. This type of jammer can corrupt data packets, or it waits until the data packets reach the receiver and then corrupts the ACK packets. The corruptions of both data packets and ACK messages will lead to re-transmissions at the sender end. In the first case, because the data packets are not received correctly at the receiver, they have to be re-transmitted. In the second case, since the sender does not receive the ACKs, it believes something is wrong at the receiver side, e.g. buffer overflow. Therefore, it will retransmit the data packets.
Function-specific Jammers – Function-specific jamming is implemented by having a pre-determined function. In addition to being either proactive or reactive, they can both work on a single channel to conserve energy or jam multiple channels and maximize the jamming throughput irrespective of the energy usage. Even when the jammer is jamming a single channel at a time, they are not fixed to that channel and can change their channels according to their specific functionality. Follow-on jammer hops over all available channels very frequently (thousand times per second) and jams each channel for a short period of time. If a transmitter detects the jamming and switches its channel, the follow-on jammer will scan the entire band and search for a new frequency to jam again. Or, it may follow a pseudo-random frequency hopping sequence. This type of jammer conserves power by limiting its attack to a single channel before hopping to another. Due to its high-frequency hopping rate, the follow-on jammer is particularly effective against some anti-jamming techniques, e.g. frequency hopping spread spectrum (FHSS) which use a slow-hopping rate.
Channel-hopping jammer hops between different channels proactively. This type of jammer has direct access to channels by overriding the CSMA algorithm provided by the MAC layer. Moreover, it can jam multiple channels at the same time. During its discovery and vertex-coloring phases, the jammer is quiet and is invisible to its neighbors. Then, it starts performing attacks on different channels at different times according to a predetermined pseudorandom sequence.
Pulsed-noise jammer can switch channels and jam on different bandwidths at different periods of time. Similar to the random jammer, pulsed-noise jammer can also save energy by turning off and on according to the schedule it is programmed for. Unlike the elementary proactive random jammer which attacks only one channel, pulsed-noise jammer can attack multiple channels. Moreover, it can be implemented to simultaneously jam multiple channels.
Smart-hybrid Jammers – We call them smart because of their power efficient and effective jamming nature. The main aim of these jammers is to magnify their jamming effect in the network they intend to jam. Moreover, they also take 4 care of themselves by conserving their energy. They place sufficient energy in the right place so as to hinder the communication bandwidth for the entire network or a major part of the network, in very large networks. Each of this type of jammer can be implemented as both proactive and reactive, hence hybrid.
Control channel jammers work in multi-channel networks by targeting the control channel, or the channel used to coordinate network activity. A random jammer that targets the control channel could cause a severe degradation of network performance, while a continuous jammer targeting the control channel might deny access to the network altogether. These attacks are usually accomplished by compromising a node in the network. Furthermore, future control channel locations can be obtained from the compromised nodes.
Implicit jamming attacks are those that in addition to disabling the functionality of the intended target, cause denial-of-service state at other nodes of the network too. This attack exploits the rate adaptation algorithm used in wireless networks, where the AP (Access Point) caters to the weak node by reducing its rate. Due to this process, the AP spends more time communicating with this weak node than the other nodes. Therefore, when the implicit attacker jams a node which is communicating with the AP, the rate adaptation effect will increase the AP’s focus on the jammed node while causing other clients to suffer.
Flow-jamming attacks involve multiple jammers throughout the network which jams packets to reduce traffic flow. These attacks are launched by using information from the network layer. This type of jamming attack is good for the resource-constrained attackers. If there is centralized control, then the minimum power to jam a packet is computed and the jammer acts accordingly. In a non-centralized jammer model, each jammer shares information with neighbor jammers to maximize efficiency. For every type of jammer, we determine whether it is a proactive or reactive, energy efficient or not, and its ability to jam single channel or multiple channels.
Considering a scenario where jammer jams the channel by blocking one or more nodes and block or corrupts the packets. This continuous jamming can be used as a denial of service attacks. The jammer controls the probability of jamming and transmission range to cause maximal damage to the network in terms of corrupted transmission links. The jammer action ceases when it is monitored detecting node and a notification message is passed out of the jamming region. To detect jamming attacks some statistics are used such as signal strength, carrier sensing time, packet delivery ratio. In the existing system, the objective of the jammer is to interfere with legitimate wireless networks and assumptions is made such as A and B are participating nodes and X is jamming node, now A is unable to send the packets for many reasons. For example, X can continuously transmit the signal so that a can never sense channel idle or, A can send packets to A and force A to receive the junk packets all the time. So, it is necessary to measure the effectiveness of jammer and for this two matrices has been defined which are packet send ratio and packet delivery ratio.
Jamming attacks are usually introduced by emitting radio frequency signal, such attacks cannot be preventable by conventional security measures. The objective of a jammer is to interfere with legitimate wireless traffic. Jammer can achieve this goal by either blocking real traffic or, by preventing reception of messages. There are different jamming models which can be used by jammer to address jamming attacks. This is the main reason why detecting jamming is very difficult as well as important as it is the first step towards building secure and dependable wireless channel. In existing systems, jammer jams an area in the single wireless channel. Jammer controls the probability of jamming and transmission range in order to cause maximal damage.
Anti-jamming in wireless mobile networks
Most jamming detection and countermeasure are designed and evaluated in static networks. The ant jamming problem becomes more challenging in a mobile network environment where jammers may move and cause the malfunction of jammer detection and localization algorithms. So far, spatial retreats seem to be the only strategy implemented on the mobile nodes. Having an effective approach for wireless mobile networks with acceptable overhead is still an open issue. The anti-jamming system for mobile networks should provide fast-detecting and fast-reacting mechanism jamming in wireless networks. Moreover, since the same jammer may move and cause jamming in other areas in the networks, how to prevent jamming based on historical jamming information will be very interesting.
Universal anti-jamming technology
Finally, we want to pose the ultimate question: is it possible to have a single practical anti-jamming solution which can deal with all types of wireless networks (whether it is static or mobile, sensor or Wi-Fi, infrastructure-based or ad-hoc) and detect all kinds of jammers? In addition, since we have so many effective jamming techniques, can we use them for any useful purpose?
In this extensive study on jamming and anti-jamming techniques in wireless networks, we have contributed by classifying and summarizing various approaches and discussing open research issues in the field. Different jammers attack wireless networks in various ways so that their attack effects are significantly different. For instance, a constant jammer consumes all resources available and continuously jams the network, but it is easily detected. On the other hand, a reactive jammer senses the medium and only attack when a certain condition is satisfied, so it is a good choice for resource-constrained hardware. In summary, if a jammer is a periodic low power one, it is hard to be detected; a powerful jammer will certainly jam most of the networks but will be easily detected. We also investigate the placement of jammers which is considered to be helpful in making jamming more effective.
For example, to achieve a better jamming effect, it is possible to decrease the power of jammers by tactically placing them in the interference ranges of communicating nodes. No matter how smart or effective a jammer is, there is always one or more corresponding anti-jamming techniques. After elaborating on various types of jamming detection and countermeasure schemes, we discover that ant jamming is such an interesting problem that many methods are tried to solve this issue. For example, artificial intelligence, game theory, mobile-agent, cross layer, spatial retreat, consistency check, and channel or frequency hopping have all been applied to this field. Some approaches, e.g. JAM, map out the area that is jammed to avoid forwarding packets within that area. Other approaches, e.g. Hermes node, detect jamming and switch channels or move nodes to a new physical location. In summary, after detecting jamming in networks, nodes either choose to switch the jammed channel to a non-jammed one, forward packets outside the jamming areas or simply move to a non-jammed area.