Applicable Version(s)StandardProfessional
Applicable Release(sv13.1 & v13.2


In this article, we explain how to simulate a backoff attack by setting a wireless node’s (STA’s) back counter to zero. When the BO counter is forcibly set to 0 (rather than following the exponential BO algorithm), that particular STA (which we term as a malicious node) occupies the channel. Therefore, all other nodes (within carrier sense range) sense the channel to be busy and do not transmit data. 


This article is based on a toy example comprising two STAs and one AP all operating per 802.11b. The same can be extended to (i) Single AP with N STAs (ii) a Multi-cell scenario comprising multiple APs each with STAs (iii) Any other (nonzero) back counter value (iv) Different STAs with different backoff values … and so on


Figure 1: We see a WiFi back off attack in a simple 2STA scenario with 1 “normal” STA and one malicious node. The two nodes have data to upload to the server. Since the malicious nodes has BO set to set, it always gets the transmit opportunity and starves the “normal” STA of airtime.

Code modifications
We make two minor modifications (see red highlight) to the WiFi 802.11 source C code, 

  • defining a malicious node and
  • setting the backoff-counter of the malicious node to zero

Step 1: Code modification (red highlight) in CSMACA.c under IEEE802.11 project


#define MALICIOUS_NODE <node ID>   // specify the ID per the scenario in the GUI


static void fn_NetSim_IEEE802_11_CSMACA_StartBackOff()


            char str[BUFSIZ];

            sprintf(str, "%s\\Backofflog.csv", pszIOLogPath);

            static FILE* fp = NULL;

            if (fp == NULL)


                        fp = fopen(str, "w");

                        if(fp) fprintf(fp, "DeviceId,CurrentTime,PacketId,BackOffTime,CW,RetryCount,\n");


            PIEEE802_11_MAC_VAR mac = IEEE802_11_CURR_MAC;

            PIEEE802_11_PHY_VAR phy = IEEE802_11_CURR_PHY;

            NETSIM_ID nDeviceId = pstruEventDetails->nDeviceId;

            mac->dBackOffStartTime = pstruEventDetails->dEventTime;

            if (nDeviceId == MALICIOUS_NODE)

                        mac->nBackOffCounter = 0;

            if(mac->nBackOffCounter == 0 && nDeviceId!=MALICIOUS_NODE)


Step 2: Rebuild the code. 


We are now set to run the simulation via the GUI

Simulation scenario: A top example 

We create a simple scenario in NetSim as shown in Figure 2 below. The network comprises 2 Wireless nodes (STAs), 1 AP, 1 Switch, and 1 Server. Two upload applications are configured from the STAs to the server. The traffic generation rate in the applications is such that both STA queues are always full (sometimes termed full buffer or saturation)

Figure 2: NetSim Scenario to experience backoff attack

Of the two STAs, one is configured as a malicious node setting #define MALICIOUS_NODE <node ID> in the code.



We set 802.11b as the standard set for all STAs and AP. The STAs are placed close to the APs such that they see the max PHY rate of 802.11b i.e., 11 Mbps.


Application IDThroughput (Mbps)
Normal Scenario
Throughput (Mbps)
Attack Scenario

In the attack, we observe that the malicious node has always wins the medium during contention since its BO counter is set to zero.  Therefore, STA1 is unable to transmit any of its data. 


Download Link


The configuration files (scenario, settings, and other related files) of the examples discussed in this article are available for users to import and run in NetSim. 


GitHub Link:


  1. Click on the link given and download the folder 
  2. Extract the zip folder. The extracted project folder consists of one NetSim Experiments file, namely WiFi- Backoff-attack_v13.netsimexp
  3. Import per steps given in section 4.9.1 in NetSim User Manual
  4. All the experiments can now be seen folder-wise within NetSim > Your Work. 


1. Wireless Networks under a Backoff Attack: A Game Theoretical Perspective - PMC (

Useful links

1. NetSim WiFi library overview -

2. NetSim WiFi library documentation -