JamRF: Performance Analysis, Evaluation, and Implementation of RF Jamming Over Wi-Fi

Jamming attacks significantly degrade the performance of wireless communication systems and can lead to significant overhead in terms of re-transmissions and increased power consumption. Although different jamming techniques are discussed in the literature, numerous open-source implementations have used expensive equipment in the range of thousands of dollars, with the exception of a few. These implementations have also tended to be partial-band and do not cover the whole available bandwidth of the system under attack. In this work, we demonstrate that flexible, reliable, and low-priced software-defined radio (SDR) jamming is feasible by designing and implementing different types of jammers against IEEE 802.11n networks. First, to demonstrate the optimal jamming waveform, we present an analytical bit error rate expression of the system under attack by employing two common jamming waveforms: Gaussian noise and digitally modulated in an additive white Gaussian noise channel to obtain a lower bound performance. Then, we validated the finding obtained by the analysis via realistic end-to-end simulations using the MATLAB WLAN toolbox. Afterwards, we implement JamRF, a toolkit that employs a low-cost SDR to implement numerous types of jammers to further validate the analysis and simulation findings. The obtained results demonstrated that the Gaussian noise waveform outperformed the digitally modulated waveforms. Furthermore, in terms of jamming attack strategies, experimental results showed that to jam the whole 2.4GHz spectrum, a stateful-reactive jammer employing a random channel hopping jamming strategy achieves a packet loss ratio above 90%.


I. INTRODUCTION
The broadcast nature of wireless channels renders transmitted wireless signals vulnerable to external interference, as well as potential malicious jamming attacks. Adversarial users are generally categorized into passive eavesdroppers, who try to intercept transmitted signals and extract information without being detected, and active jammers, who aim to degrade signal quality and hence prevent the recipient from receiving the required transmitted information. These security threats have been deemed a critical concern due to the increasing reliance on wireless services [1]. A swarm of Unmanned Aerial Vehicles (UAVs), for example, commonly employs off-the-shelf infrastructure-less wireless communication (such as 802.11s in mesh mode), which can be significantly affected by external threats [2].
Furthermore, with the recent advances in low-cost SDR technologies, it has become remarkably easy to launch jamming attacks on wireless networks, and off-the-shelf devices such as a USRP [3], HackRF [4], or BladeRF [5] have introduced a low barrier to entry. These devices are powerful, flexible, and can be tuned to cover a wide range of radio frequencies (RF), costing between hundreds and a few thousand dollars. On the other hand, SDRs such as rtl-SDR [6] and Airspy [7] can be obtained at more affordable prices, with some limitations on the operating frequency. Military and commercial jamming devices [8][9][10] can be employed to launch attacks on various types of wireless networks. These, however, are very expensive and are less flexible compared to SDRs.
Within this context, different types of jamming strategies have been proposed in the literature in order to significantly deteriorate the performance of a particular wireless communication system. This has further motivated renewed research on RF jamming mitigation schemes, with the aim of studying different kinds of jamming strategies and hence mitigating their effects. To the best of the authors' knowledge, there is no prior work that provides extensive analysis, a simulation study, and a real-world implementation of different types of jamming attacks on Wi-Fi systems using SDR.
Therefore, in this work we study the performance of WLAN IEEE 802.11n communication networks in the presence of jamming. Furthermore, we provide an implementation of different types of jammers on a HackRF¹. Specifically, the main contributions of this work are: i) Presenting the Bit Error Rate (BER) performance analysis for the IEEE 802.11n communication system in the presence of jammers and under the assumption of Gaussian noise and digitally modulated (QPSK) waveforms; ii) Validation of the analysis through MATLAB simulation²: evaluating the impact of these jamming waveforms (Gaussian noise and QPSK) on the performance of IEEE 802.11n communications; iii) The development and implementation of 'JamRF', a jamming toolkit for the HackRF SDR; and iv) Investigating the impact of the considered different jamming techniques on IEEE 802.11n communications through practical experimentation within an RF isolation chamber.
The rest of the paper is organized as follows. Background and related works are presented in Sec. II. We introduce the employed system model in Sec. III. In Sec. IV we present the performance analysis of the victim system under jamming attack. Simulation results are presented and discussed in Sec. V. Sec. VI presents the experiments and the discussions of the obtained results. Finally, the paper is concluded in Sec. VII.

¹ Available at https://github.com/tiiuae/sdr-jammer/HackRF
² https://github.com/tiiuae/sdr-jammer/simulation

Fig. 1: Classification of Jammers in Wireless Networks.

II. BACKGROUND AND RELATED WORKS
Jamming techniques have been covered in the earlier literature, where the physical layer jammer is modeled as single or multi-tone [22][23][24][25][26]. Alternatively, jamming attacks are sometimes modeled as partial-band or broadband additive white Gaussian noise (AWGN) [24].
Jia et al. [25] introduced a cognitive radio network where a secondary transmitter communicates with a secondary receiver via multiple cognitive relays. One of the cognitive relays is employed for transmission, while the remaining relays cooperate in jamming multiple eavesdroppers. A coordinated jamming and communications technique, based on a linear minimum mean square error multi-user detection-based algorithm, was proposed in [26] with the aim of achieving simultaneous friendly jamming and reliable communication. In [27], the performance analysis of ultra-wideband systems employing a multi-carrier code division multiple access scheme in the presence of a wideband jammer was presented. Optimal jamming over an AWGN channel was investigated in [28], where the optimal jamming signal for various digital amplitude-phase-modulated constellations was derived. It was assumed that the modulation of the legitimate receiver was known by the jammer.
Owing to the advances in SDR, one can easily program a small, low-cost USB dongle device to jam a 20 MHz bandwidth below 6 GHz, with up to 100 mW transmission power [29]. Such a USB dongle is sufficient to disrupt the Wi-Fi services in home or office scenarios. Other off-the-shelf SDR devices such as the HackRF [4], USRP [3] and BladeRF [5] are even more powerful and flexible. These SDRs are presented in
Generally speaking, jammers can be classified into five types based on their capability to sense the wireless medium, react, and maintain a state that dictates their future actions, as presented in Fig. 1.
Proactive jammers are also known as channel-oblivious jammers, in which a malicious node transmits jamming signals whether there is channel activity or not. The aim of this jammer is to put all nodes in the network that intend to transmit over the jammed channel into a non-operating mode [30]. This type of jammer is relatively easy to implement [20]. Proactive jammers are memoryless due to the fact that they are channel-oblivious.
Reactive jammers are also known as channel-aware jammers, in which a malicious node sends an interfering radio signal when it detects legitimate packets transmitted over the air [19]. Reactive jamming attacks are widely regarded as an energy-efficient attack strategy, since the jammer is active only when there are data transmissions in the network. Reactive jamming attacks, however, require tight timing constraints (e.g., < 1 OFDM symbols, 4 µs) for real-world system implementation, as the jammer needs to switch from listening mode to transmitting mode quickly [20]. In practice, a jammer may be triggered by either channel energy-sensing or detection of part of a legitimate packet (e.g., preamble detection). Prasad and Thuente [13] implemented a reactive jamming attack in legacy Wi-Fi networks using the energy detection capability of cognitive radio devices. In [14,15], the authors studied a reactive jamming attack where a jammer sends a jamming signal after detecting the preamble of the transmitted Wi-Fi packets. By doing so, the jammer is capable of effectively attacking Wi-Fi packet payloads. A stateful reactive jammer is the most sophisticated type, due to its capability to maintain a state that dictates its future actions [17].
Constant jammers are also known as single-band jammers, in which the jammer may target the entire or a fraction of a channel bandwidth occupied by legitimate users [30][31][32]. Such a jammer continually emits radio signals on the wireless medium. The signals can consist of a completely random sequence of bits or regular packets. Karhima et al. [11] analyzed the performance of legacy Wi-Fi communications under broadband and partial-band constant jamming attacks through theoretical exploration and experimental measurement [11].
Deceptive jammer is a type of jammer similar in operation to the constant jammer. However, here, the malicious jamming device sends meaningful radio signals to a Wi-Fi access point or legitimate Wi-Fi client devices, with the aim of wasting the network resources and preventing legitimate users from channel access. Broustis et al. [12] implemented a deceptive jamming attack using a commercial Wi-Fi card. Also, Gvozdenovic et al. [16] proposed a deceptive jamming attack on Wi-Fi networks called truncate after preamble (TaP) jamming and evaluated its performance on a USRP testbed.
Frequency sweeping jammers are multi-band jamming attacks proposed to get around the constraint that constant jammers can only jam a single band, such that a jammer can quickly switch to different channels [30,32]. In [18], the authors analyzed Wi-Fi networks' performance under frequency-sweeping jamming attacks on 2.4 GHz, where there are only 3 non-overlapping 20 MHz channels, and demonstrated the negative impact of jamming on the performance of a WLAN system.
Random channel hopping jammer is similar to the sweeping jammer in its operation. In this jammer, however, the channel to jam is chosen randomly. This random behavior increases the detection difficulty when compared to the sweeping jammer.
Periodic jammer refers to the type of jammer that emits signals for random periods whilst sleeping the rest of the time. This type of jamming attack allows the jammer to save more energy compared to a continuous jamming attack by continuously switching between two states: a sleep phase and a jamming phase. However, it is less effective compared to continuous jamming attacks [30]. Bayraktaroglu et al. [17] investigated the impact of periodic jamming attacks on Wi-Fi networks, realizing that periodic, memoryless jamming is the least effective type of jamming attack.
Single and multi-band jammers. As discussed, there are multiple channels available for Wi-Fi communications on ISM bands. A single-band jammer only jams a single channel at a given time. For instance, a low-cost jammer is limited by its hardware circuit (e.g., very high ADC sampling rate and broadband power amplifier) in its ability to attack a large number of channels simultaneously. On the other hand, a multi-band jammer can jam multiple channels at the same time [32].
Table II compares different types of JamRF and summarizes the earlier presented discussion.

III. SYSTEM MODEL
In order to investigate the BER performance of a wireless system in the presence of a jamming attack, while considering the IEEE 802.11n standard, in this section we introduce the considered jamming scenario. As illustrated in Fig. 2, the considered system model comprises a single transmitter communicating with a legitimate receiver, and a jammer. Without loss of generality, we employ a modulation and coding scheme (MCS) of 4, which implies a single antenna Wi-Fi transmitter emitting a 16-QAM digitally modulated signal. The receiver is equipped with a single antenna to detect the digitally modulated transmitted signal.
The baseband equivalent waveform of the transmitted signal is represented as , where $m$ is the modulation index, $P_T$ is the average transmit power, $g(t)$ is the real valued pulse shape and $T$ is the symbol interval.
At the same time, an SDR-based jammer aims to corrupt the received signal at the receiver. The baseband equivalence of the jamming signal is represented as , where $P_J$ is the average jammer transmit power, while $j_m$ denotes the transmitted jamming symbols. It is assumed that at time $t$ a symbol $x_i(t)$; $i = 1, 2, \cdots, M$, where $M$ is the modulation order, is transmitted over the interval $0 \le t \le T$. The noise is modeled as AWGN, with power spectral density (PSD) of $N_0/2$. Thus, the received signal $r(t)$ at the receiver can be expressed as The transmitted symbol $x_i(t)$ can be represented in terms of orthonormal basis functions as where $\psi_k$ is the $k$th basis function, while $x_{ik}$ can be given as The signal model for a QAM waveform is expressed as where $\alpha$ is an arbitrary yet fixed phase and $f_c$ denotes the center frequency of the transmit signal. Also, the signal components can be expressed as where $m = 1, 2, \cdots, M$, and $A_{m1i}$ and $A_{m2i}$ are the information-bearing signal amplitudes of the quadrature carriers. Hence, the signal model can be rewritten as where Moreover, assuming that $x_i(t)$, $j(t)$, and $n(t)$ are statistically independent of each other, with respective power levels $P_T$, $P_J$, and $\sigma^2$, the signal to noise ratio (SNR) can thus be expressed as $\mathrm{SNR} = P_T/\sigma^2$. Similarly, the jamming to noise ratio (JNR) can be expressed as $\mathrm{JNR} = P_J/\sigma^2$. Hence, based on the free space path loss model, the jamming to signal ratio can be denoted as where $G_T$ and $G_J$ are the transmitter and jammer antenna gains respectively, and $\mathrm{ERP}_T$ and $\mathrm{ERP}_J$ are the effective radiated powers of the transmitter and jammer respectively expressed in dB as: where $f_T$ and $f_J$ are the frequencies of the transmitter and jammer respectively.

IV. PERFORMANCE ANALYSIS
Advanced communication technology stems from spread spectrum, error correction coding, and waveform modulation techniques [33]. Utilizing time, frequency, and coding schemes, communication efficiency, design flexibility, and immunity to jamming attacks in communication systems are enhanced [34]. In this section, we will demonstrate the system performance experienced under different jamming attacks in AWGN channels.
The average error probability of $M$-QAM with signal model given in (4) in AWGN channel is given by [34] where $E_b$ represents the average bit energy, and For a Gray-encoded WLAN IEEE 802.11n with MCS = 4, the average bit error rate in AWGN in the absence of jamming or interference is approximated as [35] P e,16QAM = 3 8 erfc 2 5 where erfc(•) is the complementary error function defined as A jamming waveform can be generated either in the form of a tone signal, a Gaussian noise, or a digitally modulated signal to disrupt the communication between a transmitter and a receiver. Here, we carry out the performance analysis of the considered IEEE 802.11n system, and we assume that the receiver is unaware of the presence of the jamming signal.

A. Gaussian Noise Jamming Waveform
For noise jamming, the jamming carrier signal is modulated with a random noise waveform with the aim of disrupting the communication by injecting noise into the system. The bandwidth of the signal can be as wide as the entire spectrum width used by the IEEE 802.11n system or much narrower, occupying only a single channel. The noise is generally assumed to be Gaussian for theoretical analysis; however, theoretical Gaussian noise has an infinite frequency extent. In situations where the filtering effects are important, colored Gaussian noise is the appropriate type to use [35].
Here, we assume that at time $t$, $x_m(t)$ is transmitted, and a colored Gaussian noise jammer is attacking the IEEE 802.11n system. Hence, the received signal can be expressed as such that where (16) This shows that $r_k$ is a Gaussian random variable, with mean value equal to Therefore, (17) can be expanded as As indicated earlier, the noise and jamming signals are independent, and hence, $r_1$ and $r_2$ are independent random variables, with variance equal to where $K_j(\cdot)$ is the jammer auto-correlation function. The joint probability density function (PDF) of $r_1$ and $r_2$ can be expressed as If the symbol $x_m(t)$ is transmitted, the probability that the receiver decodes it correctly, $P_r(C|m)$, is given as [36] P r (C|m) = P r (L where $L^1_{ml}$ and $L^1_{mu}$, and $L^2_{ml}$ and $L^2_{mu}$ are the lower and upper bounds of $r_1$ and $r_2$, respectively. Therefore, (21) can be expanded as where the integration limits in (22) are dependent on the particular transmitted signal. Hence (22) becomes where Following [36] to evaluate (23) based on (24), the average probability of error $P_e$ of a 16-QAM signal in an AWGN channel in the presence of Gaussian noise jamming waveform $j(t)$ is given by: where $d$ is a constant defined as

B. QPSK modulated Jamming Waveform
It was shown in [37] that the QPSK modulated waveform is the optimal digitally modulated waveform for jamming an $M$-QAM system. From a practical standpoint, a digitally modulated signal is a more realistic choice to perform denial of service attacks [38]. Here, perfect channel estimation is assumed such that the jamming signal is perfectly synchronized with the WLAN IEEE 802.11n signal in both time and phase. The signal model representation of an $M$-PSK modulated jamming signal is denoted as It was shown in [37] that, in the presence of any jamming signal $j$, the average probability of error $P_e$ of an $M$-QAM signal in an AWGN channel is given by √ JNRj (28) where j = Real{j} or j = Imag{j}, and $d_{\min}$ denotes the minimum distance of the $M$-QAM modulation scheme.
The jammer intends to maximize (28) by transmitting a sequence of symbols $j$ which are chosen based on the operating SNR and JNR. Let the signal level be $a = |j|$ with energy denoted as $E(a^2) \le 1/2$ and PDF $f_A$. In the following, we aim to find the optimum distribution to model $a$ at the jammer, in order to maximize the probability of error. The optimization problem can hence be formulated as max Considering that the jamming signal has at most two signal levels $a_1$ and $a_2$ [37], the PDF of the jamming signal along any signalling dimension can be expressed as where $\lambda$ and $(1 - \lambda)$ denote the probabilities that the jammer sends signals with levels $a_1$ and $a_2$, respectively, and $\delta(a)$ is the Dirac-delta function. Hence, based on (30), the overall $P_e$ along any signaling dimension can be generalized to where $\Gamma_1$ and $\Gamma_2$ are expressed as For a QPSK jamming signal when the IEEE 802.11n signal uses $M$-QAM, it was shown that [37] From (34), it can be noted that when SNR 2 ≪ JNR. Based on this, it was shown in [21,37] that for the case of using QPSK as a jamming signal with an $M$-QAM signal, (31) can be simplified as (35) Therefore, for a WLAN IEEE 802.11n signal employing MCS = 4, $d_{\min} = 2$, and JNR = 2 * JSR * SNR, the average probability of error $P_e$ in the presence of QPSK modulated jamming waveform $j(t)$ is obtained as

Fig. 3: The BER of IEEE 802.11n system in the presence of Gaussian noise jamming signal.

V. NUMERICAL AND SIMULATION EVALUATIONS
In this section, we present numerical and simulation results in order to identify the most effective jamming waveforms in WLAN IEEE 802.11n. In particular, we quantify the impact of the earlier analyzed jamming waveforms, namely (i) Gaussian noise and (ii) QPSK modulated signals, on the considered IEEE 802.11n system.

Fig. 4: The BER of IEEE 802.11n system in the presence of QPSK modulated jamming signal.

A. Numerical Results for AWGN Channel Scenario
In Sec. IV, the BER performance of the underlying system model under Gaussian noise and QPSK jamming waveforms was obtained as in (25) and (36) respectively. Fig. 3 demonstrates the impact of the Gaussian noise jamming signal on the BER performance of the IEEE 802.11n system under study. It is observed that at JSR = −100dB, the jammer has a negligible effect on the system performance. However, as the JSR increases to 0dB, the performance is severely degraded, and a BER > 0.1 is experienced over all SNR values.
Similarly, Fig. 4 shows that the QPSK modulated jamming waveform has a destructive impact on the considered system. From the figure, it can be noticed that for JSR > 0dB, a BER > 0.1 is achieved. It can be further observed from Figs. 3 and 4 that the impact of QPSK jamming is less than that of Gaussian noise jamming. Also, it can be observed that for both Gaussian noise and QPSK modulated jamming signals, the system performance is significantly degraded for all SNR values when JSR > 0dB. This indicates that both waveforms are able to completely corrupt all transmitted packets when JSR ≥ 0dB, regardless of the SNR value.
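
The Gaussian-noise behaviour described above can be checked numerically with the following added example, which is not code from the paper or the JamRF repository. It assumes a white Gaussian interferer that simply raises the noise floor (a textbook simplification, not the paper's Eq. (25)), takes SNR as per-symbol Es/N0 with Es = 4Eb, and uses the standard Gray-coded 16-QAM expressions; `max_tolerable_jsr_db` inverts them to give the interference margin a link designer would budget for. All function names are illustrative.

```python
"""Uncoded Gray-coded 16-QAM BER (the MCS 4 constellation) with Gaussian-noise
interference. Added illustration; the assumptions below are not from the paper."""
import math
import random

# Assumptions:
#  * SNR is per-symbol Es/N0 at the receiver, with Es = 4*Eb for 16-QAM.
#  * The interferer is white Gaussian noise across the signal bandwidth, so
#    SINR = 1 / (1/SNR + JSR), where JSR = P_J / P_T measured at the receiver.
#  * Hard-decision detection only: no channel coding, fading or OFDM framing.


def db_to_lin(db):
    return 10.0 ** (db / 10.0)


def sinr(snr_db, jsr_db):
    return 1.0 / (1.0 / db_to_lin(snr_db) + db_to_lin(jsr_db))


def q_func(x):
    """Gaussian tail probability Q(x)."""
    return 0.5 * math.erfc(x / math.sqrt(2.0))


def ber_approx(snr_db, jsr_db):
    """High-SNR approximation (3/8) * erfc(sqrt((2/5) * Eb/N0_effective))."""
    eb_n0 = sinr(snr_db, jsr_db) / 4.0
    return 0.375 * math.erfc(math.sqrt(0.4 * eb_n0))


def ber_exact(snr_db, jsr_db):
    """Exact BER of Gray-coded 16-QAM, derived per 4-PAM rail (levels +-1, +-3)."""
    a = math.sqrt(sinr(snr_db, jsr_db) / 5.0)  # half-distance / total std dev
    return 0.25 * (3 * q_func(a) + 2 * q_func(3 * a) - q_func(5 * a))


# Gray map for one rail: (msb, lsb) -> amplitude.
GRAY_PAM4 = {(0, 0): -3, (0, 1): -1, (1, 1): 1, (1, 0): 3}


def ber_monte_carlo(snr_db, jsr_db, n_symbols=20000, seed=1):
    """Simulate the link with noise and interferer drawn as separate signals."""
    rng = random.Random(seed)
    sigma_n = math.sqrt(5.0 / db_to_lin(snr_db))  # Es = 10, N0/2 per rail
    sigma_j = math.sqrt(5.0 * db_to_lin(jsr_db))  # P_J split over I and Q
    errors = 0
    for _ in range(2 * n_symbols):                # two rails per 16-QAM symbol
        bits = (rng.getrandbits(1), rng.getrandbits(1))
        r = GRAY_PAM4[bits] + rng.gauss(0.0, sigma_n) + rng.gauss(0.0, sigma_j)
        msb = 1 if r > 0 else 0                   # sign decides the MSB
        lsb = 1 if abs(r) < 2 else 0              # inner/outer decides the LSB
        errors += (msb != bits[0]) + (lsb != bits[1])
    return errors / (4.0 * n_symbols)


def max_tolerable_jsr_db(snr_db, target_ber, lo=-100.0, hi=40.0):
    """Largest JSR (dB) keeping ber_exact <= target_ber, or None if the link
    misses the target even without interference. BER is monotonic in JSR."""
    if ber_exact(snr_db, lo) > target_ber:
        return None
    for _ in range(60):                           # bisection on the dB axis
        mid = (lo + hi) / 2.0
        if ber_exact(snr_db, mid) <= target_ber:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for jsr_db in (-100, -20, -10, 0):
        row = ["%.2e" % ber_exact(snr, jsr_db) for snr in (10, 20, 30)]
        print("JSR %5d dB  BER at SNR 10/20/30 dB: %s" % (jsr_db, "  ".join(row)))
    print("margin at SNR 30 dB, BER 1e-3: %.1f dB" % max_tolerable_jsr_db(30, 1e-3))
```

At JSR = 0 dB the SINR can never exceed 0 dB however high the SNR is, which is why the model shows a BER floor above 0.1 there; the approximation and the exact expression diverge at such low SINR, so the exact form is the one used for the margin calculation.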

B. Simulation Results for Realistic Channel Scenario
In this subsection, we investigate and compare the performance of the considered jamming waveforms under a realistic channel model, and compare their performance with a baseline single-tone signal. The signal model representation of the single-tone jamming waveform is expressed as: where $f_j$ is the jamming tone frequency, and $\theta_j$ is the random jammer phase. All the simulations were performed by employing the wlanHTConfig and wlanTGnChannel system objects of the MATLAB WLAN toolbox. Unless otherwise stated, adopted simulation parameters are presented in Table III. Fig. 5 shows that the Gaussian noise jamming waveform has a destructive impact on the considered system. We find that for JSR > 0dB, a BER > 0.1 is achieved. This agrees with the analysis results obtained for the AWGN scenario. However, it should be noted that even at lower −10 < JSR < 0dB, BER > 0.1 is still experienced, due to the fact that the simulation tries to model a realistic communication channel and not an AWGN channel.
Similarly, Fig. 6 demonstrates that the QPSK modulated waveform jammer also causes a degrading effect on the victim system, which is also in agreement with the analysis results. This indicates that both waveforms are able to completely corrupt all transmitted packets when JSR ≥ 0dB. Overall, the simulation results further demonstrate that the Gaussian noise is a more effective jamming waveform to attack an IEEE 802.11n victim system with MCS = 4 compared to digitally modulated waveforms.

Fig. 5: The BER of IEEE 802.11n victim system in the presence Gaussian noise waveform with varying JSR.

Fig. 7 compares the effect of different jamming waveforms (as well as the absence of jamming). Fig. 7 shows that both the wideband noise and the QPSK modulated waveform have a more noticeable impact than the single-tone waveforms. Specifically, it can be observed that BER ≈ 0.6 is experienced when Gaussian noise and QPSK modulated waveforms are employed for jamming. Furthermore, it can be seen that, for SNR < 20dB, the single-tone jamming has negligible impact on the system performance, and hence, the BER performance of the system under single-tone jamming is similar to the scenario where no jamming is present. Alternatively, it can be observed that Gaussian noise and QPSK waveforms can cause significant deterioration to the system BER performance, in which an error floor is observed over the entire SNR range.

Fig. 7: The BER of IEEE 802.11n victim system in the presence of jamming signals. (Vertical axis: Bit Error Rate (BER). Curves: No Jamming, Single-tone Jamming, QPSK Jamming, Gaussian Noise Jamming.)

VI. EXPERIMENTAL RESULTS
We implement JamRF, a jamming framework based on GNU Radio interfaced with HackRF SDR, and make this available to the community³ as a platform for further research. The experimental setup depicted in Fig. 8 is employed to measure the impact of RF jamming on the victim IEEE 802.11n system. Focusing on distributed ad-hoc networks, we consider the Better Approach to Mobile Ad Hoc Networking Advanced (BATMAN-Adv) [39] as a routing protocol instead of the Hybrid Wireless Mesh Protocol (HWMP) of the IEEE 802.11s standard. The specific implemented jammers are summarized in Table IV.
Constant jammer. JamRF implements a constant signal that jams a 20 MHz band centered at a center frequency $f_c$.
Sweeping jammer. Since the HackRF has a maximum bandwidth of 20 MHz, it cannot be used to emit jamming signals that can disrupt the whole frequency spectrum of Wi-Fi. Therefore, we implement a sweep signal that sweeps a 20 MHz band centered at a center frequency $f_c$. This allows the blockage of all transmissions within 20 MHz of the center frequency. The center frequency is shifted every few seconds to sweep over the whole frequency spectrum. For instance, in a 2.4 GHz Wi-Fi with 14 channels, the jammer hops sequentially from one channel to the next.
Random channel hopping jammer. This is implemented similarly to the sweeping jammer. However, the center frequency is randomly shifted every few seconds over the whole Wi-Fi frequency spectrum. For instance, in a 2.4 GHz Wi-Fi with 14 channels, the jammer continuously hops from one channel to the next in a random manner.
Reactive jammer. Frequency sweeping and random channel hopping jamming strategies can also be employed to jam a channel reactively. In the case of reactive jamming, a sensing mechanism is required to detect channel activity. JamRF implements an energy detection technique to detect channel activity. During the sensing, the HackRF is employed as a receiver and is interfaced with GNU Radio software to interpret the incoming IQ samples. The power of the received IQ samples can be expressed as where $N$ is the number of obtained IQ samples, and $x(i)$ are the received IQ samples. The channel is active when $P$ is greater than or equal to a fixed threshold of 0.002, and the channel is inactive when $P$ is less than the threshold. Moreover, we enable the reactive jammer to remember the state (active or idle) of the current channel. If the current channel is active, the jammer senses the current channel again after the elapse of the jamming duration before moving to the next channel.
Periodic jammer. Furthermore, we aim to save energy during the jamming duration by continuously switching between two states: a sleep phase and a jamming phase. In JamRF, a predetermined duty cycle is set at the onset to determine the duration of each of the two phases.

A. Experimental Setup
The project requires both hardware and software tools. These are presented in Table V
The HackRF has three gain settings that need to be tuned in order to realize a specific transmit power. The gain controls are at the RF, intermediate frequency (IF), and baseband (BB) stages. In this experiment, we tuned the gains of the HackRF and measured the transmit power using a spectrum analyzer. The measurements are as presented in Table VIII.
Moreover, the aim of jamming is to achieve 100% transmission disruption even in challenging conditions. An RF jammer needs to react quickly to hit the packet for the minimal required jamming duration. For instance, in IEEE 802.11n, a 1000 byte packet transmitted with a rate of 10 Mbps has an on-air time of 800 µs. Due to this tight requirement, we carry out some time constraint measurements for the HackRF in order to identify the timing requirements (see Fig. 9 and Table IX), where $t_{boot}$, $t_{sense}$, and $t_{jam}$ are the times required by the HackRF to boot, sense, and jam respectively. For a proactive jammer, the minimum time required to execute a jamming operation is 1.82s. A reactive jammer, in contrast, has the $t_{sense}$ that allows it to detect channel activity before jamming. The minimum timing requirement for a reactive jammer to jam a channel using HackRF is ≈ 4.81s, which is ≈ 2.6× greater than for a proactive jammer. Table X presents the obtained measurement for the CPU consumption for jamming and sensing on the Raspberry Pi 4 (Broadcom BCM2711, Quad core Cortex-A72 (ARM v8) 64-bit SoC @ 1.5GHz, 8GB LPDDR4-3200 SDRAM), and a laptop (Intel i9-10885H CPU @ 2.40GHz, 32GB SDRAM).
It can be seen from Table X that single-tone waveform jammers consumed the least CPU resources compared with the Gaussian noise and QPSK modulated waveforms. Among the two analyzed waveforms, the Gaussian noise consumes fewer resources in the order of 10% compared with the QPSK waveform. It can also be observed that the sensing operation consumes approximately 6× fewer resources than jamming.
If the transmission frequency is known, a simple constant jammer can be employed to determine the optimal jamming waveform. The packet receive ratio (PRR) with the varying jammer transmit power is measured as shown in Fig. 10. It is observed that to reach a PRR < 0.1 we need a jamming transmit power of 6dBm, 4dBm and 2dBm for the single-tone, QPSK modulated and Gaussian noise waveforms respectively. This shows that the Gaussian noise waveform requires less power to achieve significant performance degradation on the IEEE 802.11n system compared to both single-tone and QPSK modulated waveforms. This confirms both the analysis and simulation results presented earlier in Secs. III and V.
However, when the transmission frequency is unknown, a constant jammer cannot be employed. Therefore, other jamming strategies are employed that can jam multiple bands. This promotes the need to determine how much of the band these jamming strategies should employ to optimally jam the entire target spectrum. To that extent, a frequency sweeping jammer is deployed with varying distance between adjacent channels and the PRR in order to quantify the optimal distance between adjacent channels. We set the jamming duration per channel to $t_{jam}$ = 5s and vary the distance between adjacent channels. For instance, using a distance between adjacent channels of 5MHz, it will take 5 × 14 = 70s to sweep the whole 2.4GHz spectrum. However, for a 20MHz distance between channels, it will take about 5 × 4 = 20s to sweep over the whole spectrum. In Fig. 11, it is observed that PRR decreases with increasing distance between adjacent channels.
The optimal distance between adjacent channels for the HackRF with 20MHz transmit bandwidth is observed to be 20 MHz. Also, for this value, the Gaussian noise waveform exhibits the best performance, limiting the victim system to a PRR of about 45%.
In Fig. 12, the performance of the proactive jammer is compared with that of the reactive jammer when the jamming duration $t_{jam}$ is varied with the Gaussian noise jamming waveform. It is observed that both frequency sweeping and random channel hopping proactive jammers have relatively similar performance. Furthermore, at lower jamming durations, proactive jammers outperform the sweeping reactive jammer. This is due to the additional time the reactive jammer takes to sense the channels, which is aligned with the timing constraints discussed earlier.
For instance, at $t_{jam}$ = 5s, the frequency sweeping reactive jammer caused the PRR of the IEEE 802.11n system to be ≈ 70%, whereas the corresponding proactive jammer resulted in PRR ≈ 50%. However, at higher jamming durations, both sweeping and random channel hopping reactive jammers outperform the corresponding proactive jammers. For $t_{jam}$ = 20s, frequency sweeping and random channel hopping reactive jammers resulted in a PRR of about 38% and 32%, respectively, whereas the corresponding proactive jammers resulted in a PRR of about 51% and 56%, respectively. The performance of a reactive jammer with and without memory is demonstrated in Fig. 13. It is observed that, at all jamming durations, the stateful reactive jammer outperforms the memoryless reactive jammer. At $t_{jam}$ = 20s, frequency sweeping and channel hopping memoryless reactive jammers resulted in a PRR of about 39% and 37% respectively, whereas the corresponding frequency sweeping and channel hopping stateful reactive jammers resulted in a PRR of about 18% and 9% respectively. Overall, the best implemented jammer is the random channel hopping stateful reactive jammer, which resulted in a very low PRR of about 9%.

VII. CONCLUSIONS
In this paper, we present the error rate performance analysis of WLAN IEEE 802.11n wireless communication systems in the presence of a jammer employing different types of jamming waveforms. Simulations and practical experiments were carried out to demonstrate the impact of jamming on the victim system. Furthermore, practical experimentation was performed on IEEE 802.11n links in an isolation chamber, using a HackRF SDR as the jamming device. To this end, we have developed JamRF, a jamming 'toolbox' with multiple implemented jammer types, and make this available to the research community. The analytical, simulation, and experimental results all demonstrated system performance degradation under jamming attacks. The simulation results agree with the analytical results in terms of determining the effective jamming waveform. Furthermore, although the simulation results depict a 100% PER when QPSK modulated and Gaussian noise waveforms are employed, the experimental results demonstrate a packet loss ratio (1 − PRR) of about 80% for both QPSK modulated and Gaussian noise waveforms under constant jamming attack. The 20% difference between simulation and experimental results is due to the t_boot = 450 ms HackRF time constraint in a proactive jammer. This indicates that, when the traffic flow and jamming operations are executed at the same time, a certain amount of traffic will pass through before the jamming kicks in after 450 ms. This demonstrates that the major drawback of using low-cost SDRs (such as the HackRF) to implement these jamming techniques is the hardware time constraints. To mitigate this, we added a channel awareness feature to further enhance the performance of the reactive jammer by about 10%.
We additionally show that the effective jamming waveform to attack an IEEE 802.11n system is Gaussian noise. The Gaussian noise is shown to consume fewer CPU resources compared to QPSK and at the same time achieves 100% PER. Furthermore, in order to jam the full spectrum, a stateful random channel hopping reactive jammer outperforms other types of jammers. Overall, the obtained results indicate that, despite the flexibility and affordability of SDRs, they are still wanting when compared to high grade military jammers. The limitations of these SDRs can be exploited in designing relatively easy anti-jamming strategies to mitigate the effects of these types of jammers.
Accordingly, as future work, we will implement anti-jamming strategies to mitigate the effects of the implemented jammers in an IEEE 802.11n victim system. We will exploit the limitations posed by the hardware time constraints of the SDRs in order to design an efficient anti-jamming strategy.

Fig. 6: The BER of IEEE 802.11n victim system in the presence of QPSK modulated waveform with varying JSR.

Fig. 8: Experimentation Testbed: A Host for HackRF, B HackRF One, C SME Cable, D SME Antenna, E and G Raspberry Pi nodes, F and H Wi-Fi dongles, and I RF Isolation Chamber.

Fig. 11: Impact of the distance between adjacent channels for jamming using HackRF.

TABLE I: Comparisons of common Wide-band Commercial SDRs

Table I
and can be used to implement different types of generic jammers.

TABLE II: Comparison of JamRF with prior works

TABLE III: Simulation Parameters
and VI respectively. Unless otherwise stated, are summarized in Table VII.

TABLE IV: Implemented jammers and features in JamRF.

TABLE V: Experimental testbed hardware specifications

TABLE VI: Experimental testbed software specifications

TABLE VII: Experimental Parameters

TABLE VIII: Mapping HackRF gain settings to Power

TABLE IX: HackRF time constraints

TABLE X: CPU consumption for jamming and sensing