From charlesreid1

Revision as of 03:14, 20 June 2026 by Admin (Create DoS/Sleep Deprivation Attack page following the style and structure of DoS/Wormhole Attack (via create-page on MediaWiki MCP Server))

The sleep deprivation attack (also known as the denial-of-sleep attack or battery exhaustion attack) is a denial-of-service attack that targets battery-powered devices by preventing them from entering low-power sleep modes, thereby rapidly draining their energy reserves. Unlike traditional DoS attacks that disrupt availability through traffic flooding, the sleep deprivation attack operates at the MAC/link layer and exploits the duty-cycling mechanisms designed to conserve power in energy-constrained devices such as wireless sensor network (WSN) nodes, IoT devices, and mobile computing platforms.

The attack is particularly insidious because the attacker can be extremely energy-efficient — the most efficient variants can keep victim nodes awake 100% of the time while the attacker sleeps 99% of the time. Once a device's battery is fully depleted, the attacker can simply move on to the next target; unlike network-flooding DoS, the denial of service persists even after the attacker stops. In wireless sensor networks, a successful sleep deprivation attack can reduce network lifetime from years to days.

How It Works

The core principle exploits the energy asymmetry between a device's active and sleep states. In modern low-power wireless protocols (e.g., S-MAC, T-MAC, B-MAC, ContikiMAC, X-MAC, and IEEE 802.15.4-based protocols), nodes spend the vast majority of their time in a deep sleep state where the radio is powered off, consuming orders of magnitude less power than when actively listening or transmitting. A sleep deprivation attack subverts this by injecting crafted traffic, replaying captured frames, or exploiting protocol timing to force the victim's radio to remain in receive or transmit mode.

The basic attack can be executed via:

  • Replay of legitimate traffic: The attacker captures packets during the network's active period and replays them during the sleep period, tricking the victim into staying awake to process spurious frames.
  • Barrage attack: The attacker floods the victim with a continuous stream of packets, preventing the MAC protocol's inactivity timer from ever expiring and thus never allowing a transition to sleep.
  • Synchronization attack: In synchronous MAC protocols (e.g., S-MAC, T-MAC), the attacker spoofs SYNC packets or exploits the cluster synchronization mechanism to extend the active period or shift the sleep schedule.
  • Collision attack: The attacker deliberately causes frame collisions during the data period, forcing retransmissions and extending the awake time.
  • Broadcast attack: The attacker sends unsolicited broadcast frames that must be received and processed by all nodes in range, preventing any of them from sleeping.
  • Protocol-specific exploitation: Exploiting nuances of a particular MAC protocol — for instance, in S-MAC, an attacker can manipulate the Network Allocation Vector (NAV) to prevent NAV-based sleep; in T-MAC, bursting traffic during the Timeout period keeps nodes in receive mode indefinitely.

Classification

Sleep deprivation attacks are commonly categorized by the attacker's knowledge of the MAC protocol and the attacker's ability to bypass authentication and encryption. The seminal taxonomy by Raymond et al. (Virginia Tech) identifies four threat levels:

| Class | Attacker Knowledge of MAC Protocol | Encryption/Authentication Bypass | Description |
|---|---|---|---|
| Class 1 (Full-Dominance) | Full knowledge of protocol timing, frame structure, and duty-cycle parameters | Yes — can forge authenticated packets | Attacker can craft packets that appear legitimate at every layer. The most devastating: can reduce network lifetime to the theoretical minimum by keeping radios continuously active. |
| Class 2 (Protocol-Aware, No Encryption Bypass) | Full knowledge of protocol timing and structure | No — cannot forge authenticated frames | Attacker replays captured legitimate frames during sleep periods. Still highly effective: can reduce lifetime by orders of magnitude. |
| Class 3 (Partial Protocol Knowledge) | Knowledge of channel access patterns and frame timing, but not full protocol semantics | No | Attacker jams or transmits during suspected active periods. Less efficient per attacker, but still damaging at scale. |
| Class 4 (Zero-Knowledge / Jamming) | None — blind jamming | No | Continuous or pulsed jamming of the channel. Least efficient; attacker must transmit almost continuously, exhausting its own battery alongside the victim's. |

Practical Execution

Wireless Sensor Networks (S-MAC / T-MAC / B-MAC / G-MAC)

In WSN MAC protocols, practical denial-of-sleep implementations have been demonstrated in both simulation and hardware:

  • S-MAC (Sensor-MAC): The attacker exploits the SYNC/RTS/CTS/ACK exchange. By sending spurious SYNC packets advertising an incorrect sleep schedule, nodes in a virtual cluster can be forced to listen during what should be their sleep period. Alternatively, a barrage of RTS frames with fabricated duration fields sets long NAV timers that prevent NAV-based sleep. Research shows a Class 2 attacker sleeping 99% of the time can keep a cluster of S-MAC nodes awake 100% of the time. Network lifetime drops from approximately 1,200 days to 99 days under the most efficient attack.
  • T-MAC (Timeout-MAC): T-MAC's adaptive duty cycle — which ends the active period early if no traffic is detected — is vulnerable to an attacker who periodically sends short bursts just before the TA (Timeout Active) timer expires. This resets the timer and keeps nodes in receive mode. Attackers on T-MAC can keep victims awake 100% of the time while sleeping 92% of the time.
  • B-MAC (Berkeley-MAC): B-MAC uses Low Power Listening (LPL) with long preambles. An attacker can exploit the clear channel assessment (CCA) mechanism by transmitting continuously, so that any node waking to sample the channel detects a carrier and remains awake for a full preamble-plus-data duration. Repeating this at intervals shorter than the sleep period prevents any meaningful sleep.
  • G-MAC (Gateway-MAC): G-MAC uses a centralized gateway-based cluster architecture. While more resistant to per-node attacks, the gateway itself becomes a single point of failure — compromising or impersonating the gateway allows an attacker to control the duty cycle of the entire cluster.
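As an added illustration of the energy asymmetry described under How It Works and of the T-MAC timeout behaviour above (example code, not from the cited papers), the following model computes battery lifetime as a function of awake fraction and simulates a T-MAC node whose TA timer is restarted by any traffic heard while awake. The current draws, battery capacity, TA and frame values are assumed round numbers, not measurements.

```python
"""Energy-asymmetry model for denial of sleep. Added example, not code from the cited
papers; the current draws, battery capacity, TA and frame values are assumed round
numbers, not measurements."""

SLEEP_MA = 0.02       # assumed: radio off, MCU in deep sleep
ACTIVE_MA = 20.0      # assumed: radio listening or transmitting
BATTERY_MAH = 2000.0  # assumed: two AA cells


def lifetime_days(awake_fraction, sleep_ma=SLEEP_MA, active_ma=ACTIVE_MA,
                  battery_mah=BATTERY_MAH):
    """Battery lifetime when the radio is awake for awake_fraction of the time."""
    avg_ma = awake_fraction * active_ma + (1.0 - awake_fraction) * sleep_ma
    return battery_mah / avg_ma / 24.0


def tmac_awake_fraction(arrivals_ms, ta_ms, frame_ms, sim_ms):
    """Fraction of sim_ms a T-MAC node spends awake. It wakes at every frame
    boundary and sleeps once ta_ms pass without activity; any frame heard while
    awake restarts the timeout. Frames arriving while it sleeps are not heard."""
    arrivals = sorted(a for a in arrivals_ms if a < sim_ms)
    awake, i, t = 0.0, 0, 0.0
    while t < sim_ms:
        frame_end = min(t + frame_ms, sim_ms)
        deadline = t + ta_ms
        while i < len(arrivals) and arrivals[i] < frame_end and arrivals[i] <= deadline:
            deadline = arrivals[i] + ta_ms  # activity heard: TA restarts
            i += 1
        awake += min(deadline, frame_end) - t
        while i < len(arrivals) and arrivals[i] < frame_end:
            i += 1                          # arrived while asleep: missed
        t = frame_end
    return awake / sim_ms


def compare(ta_ms=15, frame_ms=610, sim_ms=6100, burst_every_ms=14, burst_len_ms=1):
    """Victim awake fraction and lifetime with no traffic versus a short burst landing
    just inside every TA window, alongside the attacker's own radio-on fraction."""
    idle = tmac_awake_fraction([], ta_ms, frame_ms, sim_ms)
    attacked = tmac_awake_fraction(range(0, sim_ms, burst_every_ms), ta_ms, frame_ms, sim_ms)
    attacker = burst_len_ms / burst_every_ms  # attacker radio is on only during bursts
    return {"idle": idle, "attacked": attacked, "attacker": attacker,
            "idle_days": lifetime_days(idle),
            "attacked_days": lifetime_days(attacked),
            "attacker_days": lifetime_days(attacker)}


if __name__ == "__main__":
    print(compare())
```

With the assumed values the victim goes from roughly 2.5% awake to 100% awake while the bursting radio is on about 7% of the time, which is the asymmetry the text describes.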

The practical steps for a Class 2 attack on a WSN:

  1. Deploy an attacker node within radio range of the target cluster
  2. Passively eavesdrop to determine the MAC protocol in use and its timing parameters
  3. Capture legitimate traffic (SYNC packets, RTS/CTS, data frames) during the active period
  4. Replay captured frames during the sleep period through the attacker's radio
  5. Legitimate nodes process the replayed frames, remaining in receive mode
  6. Repeat periodically to prevent any node from entering deep sleep
  7. Monitor the network; once target nodes are exhausted, relocate to another cluster

IoT / ContikiMAC / 6LoWPAN Networks

In IoT networks running Contiki OS with ContikiMAC (the default radio duty-cycling protocol for 6LoWPAN):

  • ContikiMAC: Uses a sender-initiated wake-up mechanism with repeated strobed transmissions during the receiver's wake-up phase. An attacker can exploit the Clear Channel Assessment (CCA) phase by transmitting continuously, causing the receiver to detect activity and stay awake. Multiple denial-of-sleep attacks have been demonstrated in the Cooja simulator: replay attacks on the RPL DIO/DAO messages, broadcast-storm attacks, and targeted preamble attacks that force specific nodes to remain in receive mode.
  • RPL (Routing Protocol for Low-Power and Lossy Networks): DODAG Information Object (DIO) and Destination Advertisement Object (DAO) messages can be replayed or forged to create a continuous stream of control-plane traffic that prevents nodes from sleeping between trickle-timer intervals.

Mobile Devices and Smartphones

Martin et al. (2004) first demonstrated sleep deprivation attacks on battery-powered mobile computers, showing that an attacker on the same wireless network (Wi-Fi or Bluetooth) could:

  • Send unsolicited TCP SYN packets, forcing the device to awaken its radio and process the connection request
  • Exploit WLAN power-saving mode (PSM) by spoofing beacon frames with the TIM (Traffic Indication Map) bit set, causing the device to stay awake awaiting data that never arrives
  • Target Bluetooth devices in sniff/sniff-subrating modes with periodic polling, draining batteries that would normally last days within hours
  • On modern smartphones, malicious apps can achieve similar results by holding wakelocks, scheduling repeated network requests, or exploiting push notification channels to prevent the modem from entering low-power states

Tools and Examples

  • OPNET Modeler: Used by Raymond et al. to model and simulate denial-of-sleep attacks on S-MAC, T-MAC, B-MAC, and G-MAC. Custom process models implemented attacks and measured energy consumption, network lifetime, throughput, and latency impacts. Example attack scenarios are published with the Caisson defense framework.
  • Contiki OS / Cooja Simulator: The standard platform for IoT denial-of-sleep research. ContikiMAC-specific attacks (replay, broadcast, preamble manipulation) have been implemented and evaluated in cycle-accurate Cooja simulations. Researchers at multiple institutions have demonstrated attacks against 6LoWPAN/RPL networks.
  • NS2 / NS3: Widely used for wireless network attack simulation. Custom MAC-layer modules for jamming, replay, and barrage attacks have been developed and shared in the research community.
  • Scapy-based Frame Injection: Python/Scapy can be used to craft and inject arbitrary 802.11 or 802.15.4 frames for penetration testing of sleep deprivation vulnerabilities. A laptop with a monitor-mode-capable radio can impersonate access points, inject beacon frames with fabricated TIM elements, and force client devices to remain awake.
  • Software-Defined Radio (SDR): GNU Radio and USRP/Ettus platforms enable precise, low-level MAC attacks. An SDR-based attacker can replay captured frames with nanosecond timing precision, or generate continuous interference tailored to a specific protocol's channel access mechanism.
  • XBee / ZigBee Testbed: Physical implementations using XBee Series 2 modules have demonstrated that a single malicious node can dominate the channel in a ZigBee network, preventing coordinator and end-device nodes from sleeping by exploiting the CSMA-CA backoff and clear channel assessment in IEEE 802.15.4.

Countermeasures

Several approaches exist for detecting and mitigating sleep deprivation attacks:

| Method | Description | Limitation |
|---|---|---|
| Clustered Adaptive Rate Limiting (CARL) | | Requires careful threshold tuning; legitimate traffic bursts can trigger false positives. |
| Clustered Anti-Replay Protection (CARP) | | Adds per-packet overhead; requires secure counter distribution. |
| Sensor Anti-Jamming Engine (SAJE) | | Channel hopping increases coordination overhead and latency. |
| Fake Schedule Switch with RSSI | | Risk of packet loss if the fake schedule causes legitimate neighbors to misalign. |
| Dynamic Sleep Time Control | | Computationally complex; may not converge under rapidly changing attack patterns. |
| Cross-Layer Authentication | | Increases protocol complexity and energy overhead for constrained devices. |
| Machine Learning Detection | | Requires training data; model updates are challenging in deployed sensor fields. |
| Wake-Up Radio (WuR) | | Adds hardware cost; wake-up radio itself can be jammed if not frequency-agile. |
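One way to implement the CARP-style anti-replay check and the CARL-style per-neighbour rate limit from the table, as an added example that is not code from the cited papers: a link-layer admission filter run over constructed frames. It assumes each frame carries a counter covered by the link-layer MIC that has already been verified, and the thresholds are illustrative.

```python
"""Neighbour-admission filter in the spirit of CARP (per-neighbour anti-replay
counters) and CARL (per-neighbour rate limiting) from the table above. Added
example, not code from the cited papers; frame fields and thresholds are assumed."""
from collections import defaultdict, deque


class SleepGuard:
    def __init__(self, max_frames, window_ms, replay_window=64):
        self.max_frames = max_frames        # CARL: accepted frames per neighbour per window
        self.window_ms = window_ms
        self.replay_window = replay_window  # CARP: tolerated reordering of counters
        self.highest = {}                   # src -> highest counter seen
        self.seen = defaultdict(set)        # src -> counters seen inside the replay window
        self.recent = defaultdict(deque)    # src -> accept timestamps inside the rate window

    def admit(self, src, ctr, ts_ms):
        """Return 'accept', 'drop:replay' or 'drop:rate' for one received frame.
        The counter is assumed to be covered by the link-layer MIC and already
        verified, so a Class 2 attacker can only replay counters already used."""
        hi = self.highest.get(src, -1)
        if ctr <= hi - self.replay_window or ctr in self.seen[src]:
            return "drop:replay"            # captured earlier and played back
        q = self.recent[src]
        while q and ts_ms - q[0] >= self.window_ms:
            q.popleft()                     # slide the rate window forward
        if len(q) >= self.max_frames:
            return "drop:rate"              # barrage: bound the work one neighbour causes
        q.append(ts_ms)
        self.seen[src].add(ctr)
        if ctr > hi:
            self.highest[src] = ctr
            floor = ctr - self.replay_window
            self.seen[src] = {c for c in self.seen[src] if c > floor}
        return "accept"


def filter_frames(frames, max_frames=5, window_ms=1000):
    """Run (src, ctr, ts_ms) frames through one guard; return counts per decision."""
    guard = SleepGuard(max_frames, window_ms)
    counts = defaultdict(int)
    for src, ctr, ts in frames:
        counts[guard.admit(src, ctr, ts)] += 1
    return dict(counts)


# Constructed traffic: a legitimate neighbour, its frames replayed later, and a barrage.
LEGIT = [("n1", c, c * 100) for c in range(1, 4)]
REPLAY = [("n1", c, 5000 + c * 100) for c in range(1, 4)]
BARRAGE = [("n9", c, 6000 + c * 10) for c in range(1, 21)]
```

Dropped frames still cost the radio the time to receive them, so the filter bounds the processing and forwarding work rather than the listening cost; that residual cost is why the table pairs it with schedule-switching and wake-up-radio approaches.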

See Also

  • DoS — Main Denial of Service page
  • DoS/Wormhole Attack — Wormhole attack (often used as a precursor to route traffic toward nodes targeted for sleep deprivation)
  • DoS/Black Hole Attack — Black hole / packet-drop attack
  • DoS/Sinkhole Attack — Sinkhole attack (attracts traffic, enabling focused battery exhaustion of intermediate nodes)

References

  • Martin, T., Hsiao, M., Ha, D., & Krishnaswami, J. (2004). "Denial-of-Service Attacks on Battery-Powered Mobile Computers." Proceedings of the Second IEEE International Conference on Pervasive Computing and Communications (PerCom).
  • Brownfield, M., Gupta, Y., & Davis, N. (2005). "Wireless Sensor Network Denial of Sleep Attack." Proceedings of the Sixth Annual IEEE SMC Information Assurance Workshop (IAW).
  • Raymond, D. R., & Midkiff, S. F. (2008). "Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses." IEEE Pervasive Computing, 7(1), 74–81.
  • Raymond, D. R., Marchany, R. C., Brownfield, M. I., & Midkiff, S. F. (2008). "Effects of Denial-of-Sleep Attacks on Wireless Sensor Network MAC Protocols." IEEE Transactions on Vehicular Technology, 58(1), 367–380.
  • Raymond, D. R., & Midkiff, S. F. (2007). "Clustered Adaptive Rate Limiting: Defeating Denial-of-Sleep Attacks in Wireless Sensor Networks." Proceedings of IEEE MILCOM 2007.
  • Raymond, D. R. (2008). "Denial-of-Sleep Vulnerabilities and Defenses in Wireless Sensor Networks." PhD Dissertation, Virginia Polytechnic Institute and State University.
  • Bhattasali, T., Chaki, R., & Sanyal, S. (2012). "Sleep Deprivation Attack Detection in Wireless Sensor Network." arXiv preprint arXiv:1203.0231.
  • Chen, C., Hui, L., & Pei, Q. (2009). "An Effective Scheme for Defending Denial-of-Sleep Attack in Wireless Sensor Networks." Proceedings of the 5th International Conference on Information Assurance and Security (IAS).
  • Kaur, R., & Sharma, V. (2013). "A Survey on the Solutions for the Problems of Denial of Sleep Attacks." International Journal of Innovative Research in Computer and Communication Engineering.
  • Pericle, D., et al. "Countering Three Denial-of-Sleep Attacks on ContikiMAC." — Contiki OS / Cooja simulation and countermeasures for IoT.
