On Security Study of Two Distance Vector Routing Protocols for Ad Hoc Networks - PowerPoint PPT Presentation

1
On Security Study of Two Distance Vector Routing
Protocols for Ad Hoc Networks
  • Weichao Wang, Yi Lu, Bharat Bhargava
  • CERIAS and Department of Computer Sciences
  • Purdue University
  • March 24th, 2003

The research is supported by CERIAS, CISCO URP
and NSF CCR-0001788
2
Index
  • Research motivation
  • Introduction to protocols
  • Security observations and simulation results
  • Detecting false sequence attacks
  • Intruder identification and reverse labeling
    restriction (RLR)
  • Experimental studies
  • Conclusion

3
Research motivation
  • The hybrid of Internet, cellular system and
    mobile ad hoc networks introduces
    vulnerabilities. S. Bush, GE Research 99
  • Security is a central requirement for mobile ad
    hoc networks. Hubaux et al, MobiCom 01
  • More than ten routing protocols. Security and
    robustness will impact the design of the standard
    for ad hoc networks. Corson Macker, IETF MANET
    WG 02

4
Introduction to DSDV
  • Destination sequenced distance vector (DSDV)
  • Proposed by Perkins in SIGCOMM 94
  • The nodes periodically broadcast their routing
    tables and proactively construct the routes
  • Uses destination sequence numbers to avoid
    routing loops and identify the freshness of the
    information
  • Advantages
    • Short delay brought by the proactive feature
    • Difficult for the attackers to control the
      propagation of false information
  • Disadvantages
    • Difficult to scale to large networks
    • Computation and communication resources wasted on
      unused routes

5
Introduction to AODV
  • Ad hoc on-demand distance vector (AODV)
  • Proposed by Perkins and Royer, Mobile Computing
    and Applications 99
  • The routes are discovered only when they are needed
    by the applications
  • Broadcast route request (RREQ) and unicast
    route reply (RREP)
  • Uses destination sequence numbers to avoid
    routing loops and identify the freshness of the
    information
  • Advantages
    • Low overhead and smaller routing tables
  • Disadvantages
    • On-demand feature brings a longer delay for the
      first packet
    • Malicious nodes have more flexibility in
      conducting attacks

6
Attacks on ad hoc routing procedure
(Diagram: a taxonomy of attacks on routing, with the labels
Attacks on routing; Active attacks; Passive attacks; Packet silent
discard; Routing information hiding; Routing procedure; Flood
network; Route request; Route broken message; False reply;
Wormhole attacks; False distance vector; False destination
sequence.)
7
Example attacks on AODV and DSDV
  • Silent packet discard
  • False distance vector attacks
  • False destination sequence attacks
  • Routing request flood
  • False route error packets

8
Security observations
  • AODV: the malicious node can immediately form a
    false route reply when it receives the route
    request.
  • DSDV: the malicious node must send false routes
    in advance, so the attacks require a longer
    duration.
  • AODV: the malicious node can make flexible
    choices on the type of attack and the timing of
    the attack when it sends a false reply to a request.
  • AODV: the route reply is unicast to the source,
    so it is more difficult to trace back to the
    malicious node.

9
Security observations (cont.)
  • DSDV: the routing packets are broadcast, so it is
    easier for the intrusion detection system to
    detect the attacks.
  • DSDV: the malicious node can carry multiple false
    routes in its routing broadcast packets, so the
    communication overhead for the attacker stays constant
    when it attacks multiple routes.

10
Simulation of attacks
  • Two kinds of attacks
    • false distance vector (hop count) attacks
    • false destination sequence attacks
  • Two conditions for route discovery
    • one common destination
    • hybrid connection (random selection of source and
      destination in multiple routes)
  • Input parameters
    • maximum speed of nodes
    • number of connections
  • Output parameters
    • packet delivery ratio
    • communication overhead for the attacker (number
      of false route replies)
    • number of good nodes cheated by the false routes

11
Parameters in Simulation
  Simulator                  ns-2
  Protocols                  AODV and DSDV
  Simulation duration        1000 seconds
  Simulation area            1000 m x 1000 m
  Number of nodes            30
  Transmission range         250 m
  Movement model             Random waypoint
  Maximum speed              5 to 20 m/s
  Traffic type               CBR (UDP)
  Data payload               512 bytes/packet
  Packet rate                2 packets/sec
  Number of malicious nodes  1
  Node pause time            10 seconds
  Number of connections      5 to 29
12
Simulation results of one destination
Figure 1 Delivery ratio versus number of
connections
13
Simulation results of one destination
Figure 2 Cheated (affected) nodes versus number
of connections
14
Simulation results of one destination
Figure 3 Communication overhead versus number of
connections
15
Simulation results combining figures 2 and 3
Figure 4 Cheated nodes versus number of false
route packets
16
Simulation results of hybrid connection
Figure 5 Delivery ratio versus movement of nodes
17
Simulation results of hybrid connection
Figure 6 Communication overhead versus node
movement
18
Detecting false destination sequence attacks
  • The attacker must choose a large number as the
    false sequence to make the route look fresh. If this
    number can be recognized by the destination node,
    the attack will be detected.

(Figure: topology with source S, intermediate hosts S1, S2, S3, S4,
malicious host M and destination D; an X marks a broken link.
Messages shown: RREQ(D, 3, ?), RREP(D, 5), RREP(D, 20), RREP(D, 20)
and RREQ(D, 20, ?). Callout at D: "!! If local DS is only 5, how
can other host get 20 ??")
19
Intruder identification in AODV
For more details, refer to the tech report at
www.cs.purdue.edu/people/bb
  • Problem statement
    • Intruder identification in ad hoc networks is the
      procedure of identifying the user or host that
      conducts the inappropriate, incorrect, or
      anomalous activities that threaten the
      connectivity or reliability of the networks and
      the authenticity of the data traffic in the
      networks.

20
Intruder identification
  • Objectives
    • locate the source of attacks
    • combine the information from multiple nodes and
      enable each node to make an independent decision
    • achieve consistency among the conclusions of a
      group of nodes

21
Evaluation Criteria
  • Accuracy
    • False coverage: number of normal hosts that are
      incorrectly marked as suspected.
    • False exclusion: number of malicious hosts that
      are not identified as such.
  • Overhead
    • Overhead measures the increase in control
      packets and computation costs for identifying the
      attackers (e.g. verifying signed packets,
      updating blacklists).
    • Workload of identifying the malicious hosts in
      multiple rounds

22
Evaluation Criteria
  • Effectiveness
    • Effectiveness: increase in the performance of ad
      hoc networks after the malicious hosts are
      identified and isolated. Metrics include the
      increase of the packet delivery ratio, the
      decrease of average delay, or the decrease of
      normalized protocol overhead (control
      packets/delivered packets).
  • Robustness
    • Robustness of the algorithm: its ability to
      resist different kinds of attacks.

23
Reverse Labeling Restriction (RLR)
  • Basic Ideas
    • Every host maintains a blacklist to record
      suspicious hosts. Suspicious hosts can be
      released from the blacklist or put there
      permanently.
    • The destination host will broadcast an INVALID
      packet with its signature when it finds that its
      destination sequence is under attack. The packet
      carries the host's identification, current
      sequence, new sequence, and its own blacklist.
    • Every host receiving this packet will examine its
      route entry to the destination host. If the
      sequence number is larger than the current
      sequence in the INVALID packet, the presence of an
      attack is noted. The next hop to the destination
      will be added to this host's blacklist.

24
Reverse Labeling Restriction (RLR)
  • All routing information or intruder
    identification packets from hosts in the blacklist
    will be ignored, unless the information is about
    the blacklisted hosts themselves.
  • After a host is released from the blacklist, the
    routing information or identification results
    from it will be processed again.

25
Example to illustrate RLR
(Figure: hosts D, S3, S1, S2, S, S4 and M; D broadcasts
INVALID ( D, 5, 21, , SIGN ), i.e. its identification, current
sequence 5, new sequence 21, an empty blacklist, and its signature.)
D sends an INVALID packet with current sequence 5 and
new sequence 21. S3 examines its route table; its
entry to D is not false. S3 forwards the packet to
S1. S1 finds that its route entry to D has
sequence 20, which is > 5. It knows that the
route is false. The hop which provided this false
route to S1 was S2, so S2 is put into S1's
blacklist. S1 forwards the packet to S2 and S. S2 adds
M to its blacklist. S adds S1 to its
blacklist. S forwards the packet to S4. S4 does not
change its blacklist since it is not involved in
this route.
26
RLR creates suspicion trees. If a host is the
root of a quorum of suspicion trees, it is
labeled as the attacker.
27
Reverse Labeling Restriction (cont.)
  • Update blacklist by INVALID packet
    • The next hop on the invalid route will be put into
      the local blacklist, a timer starts, and a counter
      is incremented
    • The labeling process proceeds in the reverse
      direction of the route
    • When the timer expires, the suspicious host will be
      released from the blacklist and routing
      information from it will be accepted
    • If counter > threshold, the suspicious host will
      be permanently put into the blacklist

28
Reverse Labeling Restriction (cont.)
  • Update local blacklist by other hosts' blacklists
    • Attach the local blacklist to the INVALID packet with
      a digital signature to prevent impersonation
    • Every host will count the hosts involved in
      different routes that say a specific host is
      suspicious. If the number > threshold, it will be
      permanently added to the local blacklist and
      identified as an attacker.
    • The threshold can be changed dynamically or can be
      different on various hosts

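As an added example (not code from the slides or the authors' implementation), the following Python models the destination-side check from slide 18 and one round of INVALID processing plus the accusation count from slides 23 to 28, run on the topology of slide 25. The host names, link list, route tables and dict-based data structures are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    neighbors: list                               # constructed link list
    routes: dict = field(default_factory=dict)    # dest -> (next hop, dest sequence)
    blacklist: set = field(default_factory=set)

def destination_detects_attack(local_seq: int, advertised_seq: int) -> bool:
    # Slide 18: D has only ever issued sequence numbers up to local_seq, so a
    # RREQ or RREP carrying a larger sequence for D must have been forged.
    return advertised_seq > local_seq

def flood_invalid(hosts: dict, dest: str, cur_seq: int, new_seq: int) -> dict:
    # Slides 23-25: dest broadcasts INVALID(dest, cur_seq, new_seq); a receiver whose
    # route to dest has sequence > cur_seq blacklists the next hop, then takes the new route.
    seen, queue = {dest}, deque([dest])
    while queue:
        sender = hosts[queue.popleft()]
        for name in sender.neighbors:
            if name in seen:
                continue
            seen.add(name)
            host = hosts[name]
            entry = host.routes.get(dest)
            if entry is not None and entry[1] > cur_seq:
                host.blacklist.add(entry[0])
            host.routes[dest] = (sender.name, new_seq)
            queue.append(name)
    return {n: set(h.blacklist) for n, h in hosts.items()}

def tally_accusations(blacklists: dict) -> dict:
    # Slide 28: count the hosts naming each suspect; above the threshold the
    # entry becomes permanent and the suspect is labeled as the attacker.
    counts: dict = {}
    for suspects in blacklists.values():
        for s in suspects:
            counts[s] = counts.get(s, 0) + 1
    return counts

def slide25_scenario() -> dict:
    # Constructed topology of slide 25: M told S2 it reaches D with sequence 20,
    # that false route propagated S2 -> S1 -> S, and D's real sequence is 5.
    links = {"D": ["S3"], "S3": ["D", "S1"], "S1": ["S3", "S2", "S"],
             "S2": ["S1", "M"], "S": ["S1", "S4"], "S4": ["S"], "M": ["S2"]}
    routes = {"S3": ("D", 5), "S1": ("S2", 20), "S2": ("M", 20), "S": ("S1", 20)}
    hosts = {n: Host(n, nb, {"D": routes[n]} if n in routes else {}) for n, nb in links.items()}
    return flood_invalid(hosts, "D", cur_seq=5, new_seq=21)
```

One round only produces a single accusation against each of S2, M and S1; the quorum of suspicion trees on slide 26 is reached only after further INVALID rounds along other routes converge on M.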
29
Reverse Labeling Restriction (cont.)
  • Two other effects of INVALID packets
    • Establish routes to the destination host: when
      the host sends out an INVALID packet with digital
      signature, every host receiving this packet can
      update its route to the destination host through
      the path on which it received the INVALID packet.
    • Enable a new sequence: when the destination
      sequence reaches its maximum value (0x7fffffff) and
      needs to wrap around to 0, the host sends an
      INVALID packet with current sequence
      0x7fffffff and new sequence 0.

30
Reverse Labeling Restriction (cont.)
  • Packets from suspicious hosts
    • Route request: if the request is from a suspicious
      host, ignore it.
    • Route reply: if the previous hop is suspicious
      and the queried destination is not the previous
      hop, the reply will be ignored.
    • Route error: processed as usual. RERR
      will activate re-discovery, which helps to
      detect attacks on the destination sequence.
    • INVALID: if the sender is suspicious, the packet
      will be processed but the attached blacklist will be
      ignored.

31
Simulation parameters
  Simulation duration                1000 seconds
  Simulation area                    1000 m x 1000 m
  Number of mobile hosts             30
  Transmission range                 250 m
  Pause time between the host
  reaching its current target and
  moving to the next target          0 to 60 seconds
  Maximum speed                      5 m/s
  Number of CBR connections          25 / 50
  Packet rate                        2 pkt / sec
32
Reverse Labeling Restriction (cont.): Simulation
results
  • The following metrics are chosen
    • Delivery ratio (evaluates effectiveness of RLR)
    • Number of normal hosts that identify the attacker
      (evaluates accuracy of RLR)
    • Number of normal hosts that are marked as
      attacker by mistake (evaluates accuracy of RLR)
    • Normalized overhead (evaluates communication
      overhead of RLR)
    • Number of packets to be signed (evaluates
      computation overhead of RLR)

33
Reverse Labeling Restriction (cont.)
X-axis is host pause time, which evaluates the
mobility of hosts. Y-axis is delivery ratio. 25
connections and 50 connections are considered.
RLR brings a 30% increase in delivery ratio. 100%
delivery is difficult to achieve due to network
partition, route discovery delay and buffering.
34
Reverse Labeling Restriction (cont.)
X-axis is number of attackers. Y-axis is delivery
ratio. 25 connections and 50 connections are
considered. RLR brings a 20% to 30% increase in
delivery ratio.
35
Reverse Labeling Restriction (cont.)
                   30 hosts, 25 connections               30 hosts, 50 connections
Host pause time    # of normal hosts    # of normal hosts   # of normal hosts    # of normal hosts
(sec)              identifying the      marked as           identifying the      marked as
                   attacker             malicious           attacker             malicious
0                  24                   0.22                29                   2.2
10                 25                   0                   29                   1.4
20                 24                   0                   25                   1.1
30                 28                   0                   29                   1.1
40                 24                   0                   29                   0.6
50                 24                   0.07                29                   1.1
60                 24                   0.07                24                   1.0
The accuracy of RLR when there is only one
attacker in the system
36
Reverse Labeling Restriction (cont.)
                   30 hosts, 25 connections               30 hosts, 50 connections
# of attackers     # of normal hosts    # of normal hosts   # of normal hosts    # of normal hosts
                   identifying all      marked as           identifying all      marked as
                   attackers            malicious           attackers            malicious
1                  28                   0                   29                   1.1
2                  28                   0.65                28                   2.6
3                  25                   1                   27                   1.4
4                  21                   0.62                25                   2.2
5                  15                   0.67                19                   4.1
The accuracy of RLR when there are multiple
attackers
37
Reverse Labeling Restriction (cont.)
X-axis is host pause time, which evaluates the
mobility of hosts. Y-axis is normalized overhead
(# of control packets / # of delivered data
packets). 25 connections and 50 connections are
considered. RLR increases the overhead only slightly.
38
Reverse Labeling Restriction (cont.)
X-axis is host pause time, which evaluates the
mobility of hosts. Y-axis is the number of signed
packets processed by every host. 25 connections
and 50 connections are considered. RLR does not
severely increase the computation overhead of
mobile hosts.
39
Reverse Labeling Restriction (cont.)
X-axis is number of attackers. Y-axis is number
of signed packets processed by every host. 25
connections and 50 connections are considered.
RLR does not severely increase the computation
overhead of mobile hosts.
40
Robustness of RLR
  • If the malicious host sends a false INVALID packet
    • Because the INVALID packets are signed, it cannot
      send the packets in other hosts' names
    • If it sends INVALID in its own name, the reverse
      labeling procedure will converge on the malicious
      host and identify the attacker. The normal hosts
      will put it into their blacklists.

41
Robustness of RLR
  • If the malicious host frames other innocent hosts
    by sending a false blacklist
    • If the malicious host has already been identified,
      its blacklist will be ignored
    • If the malicious host has not been identified,
      this operation can only lower the threshold by
      one. If the threshold is selected properly, it
      will not impact the identification results.

42
Robustness of RLR
  • If the malicious host only sends false
    destination sequences about some specific host
    • The targeted host will detect the attack and send
      INVALID packets.
    • Other hosts can establish new routes to the
      destination by receiving the INVALID packets.

43
Observations and Conclusions
  • The malicious nodes in on-demand protocols can
    conduct real-time attacks
  • The malicious nodes in proactive protocols can
    send multiple false routes in the same round
  • False destination sequence attacks cause a more
    severe impact on network performance than false
    distance vector attacks
  • The destination node in proactive protocols has a
    higher probability of detecting attacks because the
    false routes are broadcast throughout the network
  • Using RLR, the good nodes in AODV can efficiently
    locate the attackers

44
Future work
  • Study the relationship between the average
    detection delay and the mobility of the nodes
  • Study more types of attacks (include gang
    attacks) and ascertain their relations to the
    vulnerabilities of the protocols
  • Study the joint responses to detect attacks and
    identify intruders
  • The results will lead to a secure routing
    protocol for mobile ad hoc networks
  • A complete system to implement intruder
    identification