|Applicable Release(s)|v13.1 & v13.2|
In this article, we explain how to simulate a backoff attack by setting a wireless node's (STA's) backoff (BO) counter to zero. When the BO counter is forcibly set to 0 (rather than following the exponential BO algorithm), that particular STA (which we term a malicious node) occupies the channel. Therefore, all other nodes (within carrier sense range) sense the channel to be busy and do not transmit data.
This article is based on a toy example comprising two STAs and one AP, all operating per 802.11b. The same can be extended to (i) a single AP with N STAs, (ii) a multi-cell scenario comprising multiple APs, each with N STAs, (iii) any other (nonzero) backoff counter value, (iv) different STAs with different backoff values, and so on.
Figure 1: We see a WiFi backoff attack in a simple 2-STA scenario with one "normal" STA and one malicious node. The two nodes have data to upload to the server. Since the malicious node has its BO set to zero, it always gets the transmit opportunity and starves the "normal" STA of airtime.
We make two minor modifications (see red highlight) to the WiFi 802.11 source C code:
- defining a malicious node and
- setting the backoff-counter of the malicious node to zero
Step 1: Code modification (red highlight) in CSMACA.c under IEEE802.11 project
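```c
#define MALICIOUS_NODE <node ID> // specify the ID per the scenario in the GUI
static void fn_NetSim_IEEE802_11_CSMACA_StartBackOff()
{
    sprintf(str, "%s\\Backofflog.csv", pszIOLogPath);
    static FILE* fp = NULL;
    if (fp == NULL)
    {
        fp = fopen(str, "w");
        // Write the CSV header once, when the log file is first opened
        if (fp) fprintf(fp, "DeviceId,CurrentTime,PacketId,BackOffTime,CW,RetryCount,\n");
    }
    PIEEE802_11_MAC_VAR mac = IEEE802_11_CURR_MAC;
    PIEEE802_11_PHY_VAR phy = IEEE802_11_CURR_PHY;
    NETSIM_ID nDeviceId = pstruEventDetails->nDeviceId;
    mac->dBackOffStartTime = pstruEventDetails->dEventTime;
    // Modification: force the malicious node's backoff counter to zero
    if (nDeviceId == MALICIOUS_NODE)
        mac->nBackOffCounter = 0;
    // Modification: this branch is skipped for the malicious node
    if (mac->nBackOffCounter == 0 && nDeviceId != MALICIOUS_NODE)
    {
        // ... body not shown on this page ...
    }
    // ... remainder of the function (and the declaration of str) not shown on this page ...
}
```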
Step 2: Rebuild the code.
We are now set to run the simulation via the GUI.
Simulation scenario: A toy example
We create a simple scenario in NetSim as shown in Figure 2 below. The network comprises 2 wireless nodes (STAs), 1 AP, 1 switch, and 1 server. Two upload applications are configured from the STAs to the server. The traffic generation rate in the applications is such that both STA queues are always full (sometimes termed full buffer or saturation).
Figure 2: NetSim Scenario to experience backoff attack
Of the two STAs, one is configured as a malicious node by setting #define MALICIOUS_NODE <node ID> in the code.
We set 802.11b as the standard for all STAs and the AP. The STAs are placed close to the AP such that they see the max PHY rate of 802.11b, i.e., 11 Mbps.
|Application ID|Throughput (Mbps)|
In the attack, we observe that the malicious node always wins the medium during contention since its BO counter is set to zero. Therefore, STA1 is unable to transmit any of its data.
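The starvation described above can be reproduced outside NetSim with a slot-level contention model. This is an added example, not NetSim code: it is a simplified DCF model (no retry limit, no frame timing), the names `sta_t`, `contend` and `jain2` are illustrative, and Jain's fairness index is added here as a metric a monitor could use to spot a starved station.

```c
#include <stdio.h>
/* Added illustration (not NetSim code): simplified two-STA DCF contention model. */
#define CW_MIN 31    /* 802.11b CWmin */
#define CW_MAX 1023  /* 802.11b CWmax */
typedef struct { int malicious; unsigned cw, bo; long ok; } sta_t;
static unsigned long rng = 1;            /* fixed seed: reproducible runs */
static unsigned rnd(unsigned n)          /* small LCG, value in [0, n) */
{
    rng = (rng * 1103515245UL + 12345UL) & 0x7fffffffUL;
    return (unsigned)(rng >> 16) % n;
}

/* Malicious STA always draws 0; a normal STA draws uniformly in [0, CW]. */
static void draw(sta_t *s) { s->bo = s->malicious ? 0 : rnd(s->cw + 1); }

/* Two saturated STAs contend for `rounds` transmit opportunities. */
void contend(sta_t sta[2], long rounds)
{
    rng = 1;
    for (int i = 0; i < 2; i++) { sta[i].cw = CW_MIN; sta[i].ok = 0; draw(&sta[i]); }
    while (rounds-- > 0) {
        unsigned m = sta[0].bo < sta[1].bo ? sta[0].bo : sta[1].bo;
        int collision = sta[0].bo == sta[1].bo;
        for (int i = 0; i < 2; i++) {
            sta_t *s = &sta[i];
            if (s->bo != m) { s->bo -= m; continue; } /* counted m idle slots, then froze */
            if (collision) s->cw = s->cw * 2 + 1 > CW_MAX ? CW_MAX : s->cw * 2 + 1;
            else { s->ok++; s->cw = CW_MIN; }         /* successful transmission */
            draw(s);
        }
    }
}

/* Jain's fairness index for two stations: 1.0 = equal share, 0.5 = one starved. */
double jain2(long a, long b)
{
    double sum = (double)a + (double)b, sq = (double)a * a + (double)b * b;
    return sq == 0.0 ? 0.0 : sum * sum / (2.0 * sq);
}

int main(void)
{
    sta_t fair[2] = { {0}, {0} }, attack[2] = { {0}, {1} };
    contend(fair, 10000);
    contend(attack, 10000);
    printf("fair:   ok=%ld/%ld  jain=%.3f\n", fair[0].ok, fair[1].ok, jain2(fair[0].ok, fair[1].ok));
    printf("attack: ok=%ld/%ld  jain=%.3f\n", attack[0].ok, attack[1].ok, jain2(attack[0].ok, attack[1].ok));
    return 0;
}
```

In the attack run the normal station's counter never counts down because the medium is never idle, so its success count stays at zero and the fairness index drops to 0.5.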
The configuration files (scenario, settings, and other related files) of the examples discussed in this article are available for users to import and run in NetSim.
- Click on the link given and download the folder
- Extract the zip folder. The extracted project folder consists of one NetSim Experiments file, namely WiFi- Backoff-attack_v13.netsimexp
- Import it per the steps given in section 4.9.1 of the NetSim User Manual
- All the experiments can now be seen folder-wise within NetSim > Your Work.
1. NetSim WiFi library overview - https://tetcos.com/wlan.html
2. NetSim WiFi library documentation - https://tetcos.com/help/v13.2/Technology-Libraries/Internetworks.html#wlan_80211