IEEE 802.11 的第11 章規範了Mobile Ad-hoc Network(MANET) 的時間同步機制，其中規定每個節點都需要維護一個以微秒(μs) 為計數單位的Timing Synchronization Function(TSF) 來同步時間，同時在Frequency Hopping Spread Spectrum (FHSS) 實體層節點由一個頻帶跳到另一個頻帶需要224μs ，這也是最大的兩個計時器之間可容忍的最大差值；此外，每個節點的時脈精準度需落在[-0.01%,+0.01%] 的範圍之中，由於節點需要藉由收到相同節點之TSF 時戳來辨別此節點是否符合標準。我們發現在這樣的規範下IEEE 802.11 的時間同步協定並沒有考慮安全性，因此本篇論文針對IEEE 802.11 時間同步協定提出Hit-and-Run 攻擊，藉由不斷的更換ID 及傳送錯誤的TSF 時戳到網路中，可以讓攻擊者無法被過濾，進而破壞網路上時間同步的運作。

我們透過Network Simulator version 2(NS2) 來了解此攻擊對網路的影響，模擬的結果顯示在100 個節點10 個攻擊者時，平均時脈差異值為386μs ，比起標準中最大的計時器容忍值224μs 高出許多，此外在模擬時間500 秒結束後累積非同步節點超過30,000 個，且受到惡意攻擊所影響而導致的分群，每個beacon interval 分群的數量從三到十個不等，群組之間最大時脈差異高達506μs ，不同步的情況相當嚴重。

Part 11 of IEEE 802.11 standard defines the time synchronization protocol of Mobile Ad-hoc Network(MANET) in which each node should maintain a Timing Synchronization Function(TSF) timer to achieve clock synchronization. The time allocated for the FHSS PHY (Frequency-Hopping spread spectrum physical layer) to hop from one frequency to another is 224μs, which is considered the upper bound of tolerable clock drift IEEE 802.11 standards also specifies the accuracy of the TSF timer should be in the range of [-0.01%,+0.01%]. In order to follow this rule, a node has to receive at least two TSF timestamps from the same neighbor node for identification. However, we found that IEEE 802.11 does not take security issues into consideration. In this thesis, we propose an effective malicious attack, the Hit-and-Run attack, by which an attacker changes its own ID in every beacon interval and sends wrong TSF timestamp into network. This attack is able to avoid from accuracy verification and destroy time synchronization of the whole network without violating IEEE 802.11 standard.

We implemented Hit-and-Run attack on Network simulator version 2(NS2) and conducted several simulation experiments to observe how it affect the network. Simulation results show that 10 attackers within 100 nodes cause an average clock difference of at least 386μs, which is far higher than 224μs. And the number of accumulated asynchronism nodes exceeded 30,000 after 500 seconds of simulation time. We also observed that Hit-and-Run attack would cause the whole network split into 3 to 10 subgroups within one beacon interval, and the maximum clock difference between different subgroups are at most 506μs.

[1] I. C. Committee, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. IEEE Strandard 802.11-1999, New York, NY, 1999,.
[2] ``Wi-fi alliance.'' http://www.wi-fi.org/.
[3] G. Khanna, A. Masood, and C. Rotaru, ``Synchronization attacks against 802.11,'' in Workshop of the 12th Networks and Distributed Systems Symposium (NDSS 05), Citeseer, 2005.
[4] L. Chen and J. Leneutre, ``Toward secure and scalable time synchronization in ad hoc networks,'' Computer Communications, vol. 30, no. 11, pp. 2453--2467, 2007.
[5] H. Morino, T. Miyoshi, and M. Ogawa, ``Unidirectional ad hoc routing with efficient route reconstruction using relay control of route requests,'' in Vehicular Technology Conference, 2005. VTC 2005-Spring. 2005 IEEE 61st, vol. 4, pp. 2504--2508, IEEE, 2005.
[6] F. Yang and B. Sun, ``Energy entropy efficient ad hoc routing algoritham,'' in Consumer Electronics, Communications and Networks (CECNet), 2011 International Conference on, pp. 3148--3151, IEEE, 2011.
[7] M. Kamilov, I. Karimov, J. Song, H. Kim, and S. Han, ``A real-time routing system for vehicular ad hoc networks,'' in Future Dependable Distributed Systems, 2009 Software Technologies for, pp. 88--92, IEEE, 2009.
[8] G.-N. Chen, C.-Y. Wang, and R.-H. Hwang, ``Mtsp: Multi-hop time synchronization protocol for ieee 802.11 wireless ad hoc network,'' in Wireless Algorithms, Systems, and Applications (X. Cheng, W. Li, and T. Znati, eds.), vol. 4138 of Lecture Notes in Computer Science, pp. 664--675, Springer Berlin Heidelberg, 2006.
[9] L. Qi and W. Chen, ``A clock synchronization method for ad hoc networks,'' in Artificial Intelligence, Management Science and Electronic Commerce (AIMSEC), 2011 2nd International Conference on, pp. 3614 --3617, aug. 2011.
[10] J. Sheu, C. Chao, W. Hu, and C. Sun, ``A clock synchronization algorithm for multihop wireless ad hoc networks,'' Wireless Personal Communications, vol. 43, no. 2, pp. 185--200, 2007.
[11] D. Zhou and T. Lai, ``A scalable and adaptive clock synchronization protocol for ieee 802.11-based multihop ad hoc networks,'' in Mobile Adhoc and Sensor Systems Conference, 2005. IEEE International Conference on, pp. 8 pp. --558, nov. 2005.
[12] D. Zhou and T.-H. Lai, ``An accurate and scalable clock synchronization protocol for IEEE 802.11-based multihop ad hoc networks,'' IEEE Transactions on Parallel and Distributed Systems, vol. 18, pp. 1797 --1808, dec. 2007.
[13] C. Perkins, ``Ip mobility support for ipv4,'' 2002.
[14] R. Droms, ``Dynamic host configuration protocol,'' 1997.
[15] ``The cmu monarch project's wireless and mobility extensions to ns.'' http://www.monarch.cs.cmu.edu/.
[16] B. Wu, J. Chen, J. Wu, and M. Cardei, ``A survey of attacks and countermeasures in mobile ad hoc networks,'' in Wireless Network Security, pp. 103--135, Springer, 2007.
[17] M. Jakobsson, S. Wetzel, and B. Yener, ``Stealth attacks on ad-hoc wireless networks,'' in Vehicular Technology Conference, 2003. VTC 2003-Fall. 2003 IEEE 58th, vol. 3, pp. 2103--2111, IEEE, 2003.
[18] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, ``Security in mobile ad hoc networks: challenges and solutions,'' Wireless Communications, IEEE, vol. 11, no. 1, pp. 38--47, 2004.
[19] S. Ganeriwal, S. ?apkun, C. Han, and M. Srivastava, ``Secure time synchronization service for sensor networks,'' in Proceedings of the 4th ACM workshop on Wireless security, pp. 97--106, ACM, 2005.
[20] ``The network simulator - ns2,'' Aug. 1998. http://www.isi.edu/nsnam/ns/.