Security of Routing Protocols in Ad Hoc Wireless Networks - PowerPoint PPT Presentation

About This Presentation
Title:

Security of Routing Protocols in Ad Hoc Wireless Networks

Description:

Security of Routing Protocols in Ad Hoc Wireless Networks. presented by Reza Curtmola ... 'The History of the Decline and Fall of the Roman Empire', by Edward Gibbon ... – PowerPoint PPT presentation

Slides: 27
Provided by: Ace51
Learn more at: https://www.cs.jhu.edu

Transcript and Presenter's Notes


1
Security of Routing Protocols in Ad Hoc Wireless Networks
presented by Reza Curtmola
600.647 Advanced Topics in Wireless Networks
2
Our focus: MANETs
  • Multi-hop routing
    • unicast
    • multicast
    • infrastructure access

5
Security of Ad Hoc Wireless Networks
  • Security is essential because:
    • Lack of physical security makes devices susceptible to theft
    • All nodes participate in routing, so each must rely on untrusted nodes
    • Lack of security leads to degradation of service because the medium is shared
  • Difficult to provide because:
    • Collaborative nature
    • Less robust, shared medium
    • Requires a solution for internal adversaries

6
More Basics
  • Transmission range is usually smaller than
    network span
  • Need for multi-hop routing
  • All nodes can potentially participate in the
    routing protocol

7
Security concerns
  • Must define an adversarial model
  • By effect on network operation:
    • Passive attacks
    • Active attacks
  • By whether attackers are authorized to participate in the network operation:
    • Outside attacks
    • Inside attacks

8
Outside Attacks
  • Attackers do not possess credentials
  • Include:
    • packet injection
    • packet modification
    • impersonation
  • In general preventable using standard cryptographic mechanisms that ensure
    authentication and data integrity

9
Inside (Byzantine) Attacks
  • Byzantine behavior:
    • Arbitrary action by an authenticated node resulting in disruption of the
      routing service
  • All nodes participate in routing
    • Authentication and data integrity mechanisms do not provide any guarantees
  • Different from the selfish node problem

Trivia: "Byzantine" = devious (The History of the Decline and Fall of the Roman
Empire, by Edward Gibbon)
10
Attacks against routing
  • Black Hole Attack
  • Flood Rushing Attack
  • Wormhole Attack
  • Overlay Network Attack (super-wormhole)

[Figure: the slide groups the attacks as Traditional vs. Byzantine]
  • Adversaries can act individually or can collude

11
Other Attacks
  • Traffic analysis
  • Sybil attacks
    • A malicious node illegitimately claims multiple identities
  • Node replication
    • Adversary captures, replicates and inserts duplicated nodes
    • Difficult to detect without centralized monitoring

12
Routing protocols
  • Routing: the act of moving information from source to destination
  • Types of routing protocols:
    • Pro-active: continuously learn the network topology
      • (+) routes are available immediately
      • (-) high updating cost for a dynamic topology
      • examples: RIP, OSPF, DSDV, OLSR
    • Reactive: establish routes when needed
      • (+) less control traffic
      • (-) additional delay, involves flooding
      • examples: AODV, DSR

13
On-Demand Routing Protocols
  • Route Discovery phase
    • Based on flooding
    • RouteRequest usually flooded
    • RouteReply flooded or unicast
  • Route Maintenance phase

[Figure: ad hoc network with source S]
14
Black Hole Attack
  • Adversary selectively drops only data packets,
    but still participates in the routing protocol
    correctly
  • The damage is directly related to the likelihood
    of an adversary being selected as part of the
    route

15
Black Hole Attack Mitigation
  • Watchdog and Pathrater (S. Marti, T. Giuli, K. Lai, M. Baker, Mitigating
    routing misbehavior in mobile ad hoc networks, MobiCom 2000)
    • A node can overhear its neighboring nodes forwarding packets to other
      destinations
    • Local monitoring can detect:
      • Packet forge: an outgoing packet that has no corresponding incoming packet
      • Packet modification: a difference between the incoming and outgoing
        packet fields
      • Intentional packet delay: a packet was forwarded after a threshold time
        instead of immediately
      • Packet drop: packets were not forwarded within a maximum acceptable
        timeout threshold
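The four Watchdog classifications above, run over a constructed trace of what a guard node G overhears from its neighbor D. This is an added example written for this page, not code from the slides or from Marti et al.; the thresholds, event format and trace are all assumed.

```python
# Thresholds are assumed values for this example, not from Marti et al.
DELAY_THRESHOLD = 0.05   # seconds: forwarded later than this is "intentional delay"
DROP_TIMEOUT = 0.20      # seconds: still not forwarded after this is a "drop"

def watchdog(events):
    """Guard G's view: events are constructed ("send"|"hear"|"tick", pkt_id, payload, time)
    tuples.  'send' = G handed the packet to neighbor D; 'hear' = G overheard D transmit it
    (promiscuous mode); 'tick' = a timer check.  Returns pkt_id -> classification."""
    pending = {}    # pkt_id -> (time G sent it to D, payload), until D is heard forwarding it
    verdicts = {}
    for kind, pkt_id, payload, t in events:
        if kind == "send":
            pending[pkt_id] = (t, payload)
        elif kind == "hear":
            if pkt_id not in pending:
                verdicts[pkt_id] = "forge"              # no corresponding incoming packet
                continue
            sent_t, sent_payload = pending.pop(pkt_id)
            if payload != sent_payload:
                verdicts[pkt_id] = "modification"       # incoming and outgoing fields differ
            elif t - sent_t > DELAY_THRESHOLD:
                verdicts[pkt_id] = "delay"              # forwarded, but only after the threshold
            else:
                verdicts[pkt_id] = "ok"
        # on every event, also expire anything D has sat on for too long
        for stale in [p for p, (t0, _) in pending.items() if t - t0 > DROP_TIMEOUT]:
            del pending[stale]
            verdicts[stale] = "drop"
    return verdicts

def failure_tally(verdicts):
    """Watchdog's per-neighbor misbehaviour count for D; Pathrater rates D on it."""
    return sum(1 for v in verdicts.values() if v != "ok")

# Constructed trace: one clean forward, one modified, one delayed, one forged, one dropped.
TRACE = [
    ("send", 1, "data-A", 0.00), ("hear", 1, "data-A", 0.01),   # ok
    ("send", 2, "data-B", 0.02), ("hear", 2, "data-X", 0.03),   # modification
    ("send", 3, "data-C", 0.04), ("hear", 3, "data-C", 0.12),   # delay: 0.08 s > threshold
    ("hear", 9, "data-Z", 0.13),                                # forge: G never gave D pkt 9
    ("send", 4, "data-D", 0.14), ("tick", None, None, 0.50),    # drop: never overheard
]
```

The next slide's collision cases map directly onto this model: a collision at G during D's forward leaves the packet in `pending` (a missed "ok" that becomes a false "drop"), which is why a single event is tallied rather than acted on.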

16
Black Hole Attack Mitigation
  • Watchdog and Pathrater: what can go wrong?
    • Missed detection: a malicious event goes undetected at guard G because
      • A collision occurs at G when the malicious node S transmits
    • False detection: a normal event is classified by a guard G as a malicious
      event because
      • A collision occurs at G when the sender S transmits a packet
      • A collision occurs at G when the monitored node D forwards the packet
    • Does not work when power control and multi-rate are used
    • Also vulnerable to attacks from two consecutive colluding adversaries

17
Black Hole Attack Mitigation
  • Secure Data Transmission (SDT) (P. Papadimitratos, Z. Haas, Secure data
    transmission in mobile ad hoc networks, WiSe 2003)
    • Uses end-to-end acknowledgements from DST (the destination)
    • Disseminates a packet across several node-disjoint paths
      • Good for well-connected networks
      • Bad for sparsely connected networks
    • Protection of node-disjoint path discovery is not fully achieved against
      colluding adversaries
    • Also vulnerable to flood rushing attacks

18
Flood Rushing Attack
  • The majority of on-demand routing protocols use flooding for route discovery
  • The attack takes advantage of the flood suppression mechanism
  • Adversary rushes packets through the network, propagating its flood faster
    than the legitimate flood

19
Flood Rushing Attack
  • Attacker disseminates RREQ/RREP quickly throughout the network, suppressing
    any later legitimate RREQ/RREP:
    • By avoiding the delays that are part of the design of both routing and
      MAC (802.11b) protocols
    • By sending at a higher wireless transmission power level
    • By using a wormhole to rush the packets ahead of the normal flow
  • Result: an attacker gets selected on many paths, or no path is established
  • Why is the attack possible? The flood suppressing mechanism

20
Flood Rushing Attack Mitigation
  • Rushing Attack Prevention (RAP) (Y.-C. Hu, A. Perrig, D.B. Johnson, Rushing
    attacks and defense in wireless ad hoc network routing protocols, WiSe 2003)
    • Wait to receive up to k requests (flood re-broadcasts)
    • Randomly select one to forward
    • Random selection reduces the advantage gained by reaching a node first
  • Disadvantages
    • Secure neighbor discovery and secure route delegation > multiple rounds of
      communication > a lot of overhead
    • Ineffective if the adversary has compromised k or more nodes
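Why flood suppression makes the rushing attack work, and why RAP's randomized forwarding (and its k-node limit) helps, as an added simulation written for this page: this is not code from the slides or from Hu, Perrig and Johnson, and it models only the buffer-k-then-pick-randomly step of RAP, not its secure neighbor discovery or route delegation. Arrival times and node names are constructed.

```python
import random

def first_arrival_forward(arrivals):
    """Standard flood suppression: forward the first copy of a RREQ heard, drop the rest.
    arrivals = [(previous hop, arrival time in ms), ...] for one RREQ at one node."""
    return min(arrivals, key=lambda a: a[1])[0]

def rap_forward(arrivals, k, rng):
    """RAP-style: buffer up to k copies of the same RREQ, then forward one picked at random,
    so arriving first is worth at most a 1/k chance of becoming the previous hop."""
    first_k = sorted(arrivals, key=lambda a: a[1])[:k]
    return rng.choice(first_k)[0]

def adversary_selection_rate(arrivals, adversaries, k, trials=2000, seed=1):
    """Fraction of route discoveries in which a rushing adversary is chosen as previous hop."""
    rng = random.Random(seed)   # seeded so the result is reproducible
    hits = sum(rap_forward(arrivals, k, rng) in adversaries for _ in range(trials))
    return hits / trials

# Constructed: one adversary "adv" rushed its copy ahead of three honest neighbours.
RUSHED_BY_ONE = [("adv", 0.2), ("n1", 1.5), ("n2", 2.1), ("n3", 2.8)]
# Constructed: three colluding adversaries all rush, so with k = 3 the buffer holds only them.
RUSHED_BY_THREE = [("adv1", 0.2), ("adv2", 0.3), ("adv3", 0.4), ("n1", 1.5)]
```

With plain suppression `first_arrival_forward` picks the rusher every time; RAP with k = 3 drops that to about one discovery in three, but falls back to certainty once k adversaries rush, which is the slide's last disadvantage.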

21
Byzantine Wormhole Attack
[Figure: Source and Destination, with a wormhole tunnel between Adv1 and Adv2]
  • Attacker (or colluding attackers) records a packet at one location in the
    network, tunnels the packet to another location, and replays it there.
  • End-points of the virtual link cannot be trusted
  • Result: allows an adversary to get selected on many paths

22
Two types of wormhole
[Figure: Source and Destination, with a wormhole tunnel between Adv1 and Adv2]
  • Traditional wormhole: adversaries are outside attackers (non-authenticated)
    • honest nodes believe there is a direct link between them
  • Byzantine wormhole: adversaries are inside attackers (authenticated)
    • the wormhole link exists between compromised nodes

23
Wormhole Attack Mitigation
  • Packet Leashes (Y.-C. Hu, A. Perrig, D.B. Johnson, Packet Leashes: A defense
    against wormhole attacks in wireless ad hoc networks, Infocom 2003)
    • Prevents wormhole creation by limiting the transmission distance of a link
      • A temporal leash (extremely tight time synchronization)
      • A geographical leash (location information)
    • May require additional hardware (very accurate clocks or GPS receivers),
      but is effective against traditional wormholes
    • Ineffective against Byzantine wormholes

24
Wormhole Attack Mitigation
  • Directional Antenna (L. Hu, D. Evans, Using directional antennas to prevent
    wormhole attacks, NDSS 2004)
    • Uses the angle-of-arrival information available when using directional
      antennas
    • Takes advantage of the topology distortion that occurs when nodes
      communicate through a wormhole
    • To verify a link between two nodes, a third node is required
    • Disadvantage: in low-density networks, the number of available links is
      reduced
    • Ineffective against Byzantine wormholes

25
Super-Wormhole
  • A more general (and stronger) variant of the wormhole attack
  • Several adversaries collude and form an overlay of Byzantine wormholes
  • For n adversaries, it is equivalent to n² wormholes

26
Related Work
  • Byzantine robustness: Perlman '88 (for the Link State routing protocol in
    wired networks)
  • Blackhole: Marti, Giuli, Lai, Baker '00; Papadimitratos, Haas '03
  • Authentication and integrity: Zhou, Haas '99; Hubaux, Buttyan, Capkun '01;
    Dahill, Levine, Shields, Royer '02; Hu, Perrig, Johnson '01, '02
  • Flood rushing: Hu, Perrig, Johnson '03
  • Wormhole: Hu, Perrig, Johnson '03; Hu, Evans '04
  • NO PROTOCOL THAT CAN WITHSTAND ALL OF THE CONSIDERED BYZANTINE ATTACKS
  • ODSBR fills this gap! (software-only solution)
    • Awerbuch, Holmer, Nita-Rotaru, Rubens, WiSe '02
    • Awerbuch, Curtmola, Holmer, Nita-Rotaru, Rubens, SecureComm '05