Denial of Services in Sensor Networks

1
Denial of Services in Sensor Networks

• Anthony D. Wood John A. Stankovic
• IEEE Computer Magazine, Vol. 35, No. 10, Oct.
  2002, pp. 54- 62
• Presented by Yi-jui Wu

2
Outline

• Introduction
• DoS Attack to Physical Layer
• DoS Attack to Link Layer
• DoS Attack to Network and Routing Layer
• DoS Attack to Transport Layer
• Protocol Vulnerabilities
• Conclusion

3
Introduction

• What is a Denial of Service (DoS) Attack?
• A DoS attack is any event that diminishes or
  eliminates a networks capacity to perform its
  expected function.
• Hardware failures, software bugs, resource
  exhaustion, environmental conditions, or any
  complicated interaction between these factors can
  cause a Dos.
• In wired network, ping flood, TCP SYN flood,
  Blast worm are common examples of DoS Attack.

4
Introduction (cont.)

• The security issue is critical for many sensor
  network.
• Disasters, public safety, home healthcare, war
• Sensor networks destined for harsh environments
  should already be designed to continue
  functioning in the presence of faults. But
  developers must factor the complication of an
  intelligent, determined adversary into design
  separately.

5
Introduction (cont.)

• The authors consider primarily protocol or
  design-level vulnerabilities.

Sensor Network layers and denial-of-service
defenses. Network layer Attacks Defenses Physical
Jamming Spread-spectrum, priority messages,
lower duty cycle, region mapping, mode
change Tampering Tamper-proofing,
hiding Link Collision Error-correcting
code Exhaustion Rate limitation Unfairness Sma
ll frames
6
Introduction (cont.)
Sensor Network layers and denial-of-service
defenses. Network layer Attacks Defenses Network
and Neglect and greed Redundancy,
probing routing Homing Encryption Misdirection
Egress filtering, authorization,
monitoring Black holes Authorization,
monitoring, redundancy Transport Flooding C
lient puzzles Desynchronization Authentication
7
DoS Attack to Physical Layer - Jamming

• Jam interferes with the radio frequencies a
  networks node are using.
• An adversary can disrupt the entire network with
  k randomly distributed jamming nodes, putting N
  nodes out of service, where k is much less than N.

8
DoS Attack to Physical Layer - Jamming

• The standard defense against jamming involves
  various forms of spread-spectrum communication.
• Mobile-phone networks commonly use code spreading
  as a defense against.
• But spread-spectrum is not suitable for low-cost,
  low-power sensor devices.

9
DoS Attack to Physical Layer - Jamming

• Strategy for combating jamming attacks
• Permanent jamming nodes switch to a lower duty
  cycle and conserving as much power as possible.
  Periodically, the nodes can wake up and check
  whether the jamming has ended.
• Intermittent jamming nodes can send a few
  high-power, high-priority messages back to a base
  station to report the attack.
• Use any available alternate modes of
  communication, such as infrared or optical.

10
DoS Attack to Physical Layer - Jamming
11
DoS Attack to Physical Layer - Tampering

• Realistically, we cannot expect to control access
  to hundreds of nodes spread over several
  kilometers.
• So the attackers can damage or replace sensor and
  computation hardware or extract sensitive
  material such as cryptographic keys to gain
  unrestricted access to high levels of
  communication.

12
DoS Attack to Physical Layer - Tampering

• Defense against tampering
• Tamper-proofing.
• How accurately and completely designers
  considered potential threats at design time
• The resources available for design, construction,
  and test
• The attackers cleverness determination
• Camouflaging or hiding nodes.

13
DoS Attack to Link Layer Collision

• Adversaries may only need to induce a collision
  in one octet of a transmission to disrupt an
  entire packet.
• A change in the data portion would cause a
  checksum mismatch at some other receiver.
• A corrupted ACK control message could induce
  costly exponential back-off in some MAC protocols.

14
DoS Attack to Link Layer Collision

• Error-correcting codes provide a flexible
  mechanism for tolerating variable levels
  corruption in messages at any layer.
• But these codes work best to environmental or
  probabilistic errors.
• The error-correcting codes also incur overhead.
• The network can use collision detection to
  identify these malicious collisions.

15
DoS Attack to Link Layer Exhaustion

• A naive link-layer implementation may attempt
  retransmission repeatedly, even when triggered by
  an unusually late collision.
• This may trigger a DoS condition of exhaustion
  of battery resources in nearby nodes.

16
DoS Attack to Link Layer Exhaustion

• IEEE 802.11 based MAC protocols use RTS, CTS, and
  Data/Ack to reserve channel access and transmit
  data.
• The node could repeatedly request channel access
  with RTS, eliciting a CTS response from the
  targeted neighbor.

17
DoS Attack to Link Layer Exhaustion

• Strategy for avoiding exhaustion
• Rate limitation
• Designers usually code this capability into the
  system for general efficiency, bug coding to
  handle possible attacks may require additional
  logic.

18
DoS Attack to Link Layer Unfairness

• Intermittent application of these attacks of
  abusing a cooperative MAC-layer priority scheme
  can cause unfairness, a weaker form of DoS.

19
DoS Attack to Link Layer Unfairness

• One defense against this threat uses small frames
  so that an individual node can capture the
  channel only for a short time.
• However this approach increases framing overhead.
• An adversary can defeat this defense by cheating
  when vying for access.

20
DoS Attack to Network Layer Neglect
and Greed

• One simple form of DoS attacks the node-as-router
  vulnerability by arbitrarily neglecting to route
  some messages.
• A neglectful node A subverted or malicious node
  drops message on a random or arbitrary basis.
• A greedy node A node gives undue priority to
  its own messages.

21
DoS Attack to Network Layer Neglect
and Greed

• The dynamic source routing (DSR) protocol is
  susceptible to this attack.
• Using multiple routing paths or sending redundant
  messages can reduce the effect of this attack.
• Differentiating a greedy node from a failed node
  can be difficult, so prevention is safer than
  relying on detection.

22
DoS Attack to Network Layer - Homing

• In most sensor networks, some nodes will have
  special responsibilities. These nodes attract an
  adversarys interest.
• Location-based network protocols (e.g. GPSR)
  expose the network to homing attacks.

23
DoS Attack to Network Layer - Homing

• One approach to hiding important nodes provides
  confidentiality for both message headers and
  their content.

24
DoS Attack to Network Layer - Misdirection

• A more active attack forwards message along wrong
  paths, perhaps by fabricating malicious route
  advertisements.
• Diverting traffic away from its intended
  destination or misdirecting many traffic flows in
  one direction.
• Internet smurf attacks the attack forges the
  victims address as the sourceof many broadcast
  ICMP echos.

25
DoS Attack to Network Layer - Misdirection

• A sensor network relies on a hierarchical routing
  mechanism can use an approach similar to the
  egress filtering in Internet gateways.

26
DoS Attack to Network Layer Black Holes

• Within the networks using distance-vector based
  protocols, nodes may advertise zero-cost routes
  to every other node, forming routing black holes.
• The neighbors around the malicious node may be
  exhausted prematurely, causing a hole or
  partition in the network.
• Nodes with untainted knowledge of the network
  topology may suspect inconsistent adver-tisements.

27
DoS Attack to Network Layer Defenses

• Authorization
• Lets only authorized nodes exchange routing
  information.
• Monitoring
• Nodes monitor their neighbors to ensure they
  observer proper routing behavior.
• Probing
• Redundancy
• Sending duplicate messages
• Using diversity coding Go to Slides 5

28
DoS Attack to Transport Layer - Flooding

• Protocols that must maintain state are vulnerable
  to memory exhaustion through flooding
• TCP SYN flood

29
DoS Attack to Transport Layer - Flooding

• Limiting the number of connections to prevent
  complete resource exhaustion.
• But also this method also prevents legitimate
  use.
• Using stateless protocols.
• Client puzzles.

30
DoS Attack to Transport Layer -
Desynchronization

• An adversary repeatedly forges messages carrying
  sequence numbers or control flags that cause the
  end points to request retransmission of missed
  frames to one or both end points of an existing
  connection.
• If the adversary can maintain proper timing, it
  can prevent the end points from ex-changing any
  useful information.

31
DoS Attack to Transport Layer -
Desynchronization

• Counter to this attack
• Authenticating all packets exchanged.

32
Protocol Vulnerabilities Adaptive rate
control

• Alec Woo David Culler describe a series of
  improvements to standard MAC protocols that make
  them more applicable in sensor networks.
• Woo and Culler propose giving preference to
  route-through traffic in admission control by
  making its probabilistic multiplicative back-off
  factor 50 percent less than the back-off factor
  of originating traffic

33
Protocol Vulnerabilities Adaptive rate
control

• This approach may make flooding attacks more
  effective.
• An adversary can generates high-bandwidth packet
  streams, and the network must not only bear the
  malicious traffic, it also gives preference to
  it.

34
Protocol Vulnerabilities RAP

• RAP - Real-Time Communication Architecture for
  Large-Scale Wireless Sensor Networks.

35
Protocol Vulnerabilities RAP

• The VMS layer stamps packets with a desired
  velocity, calculated from the distance to travel
  and the end-to-end deadline.
• An adversary can exploit the RAP protocols
  vulnerabilities by flooding the entire network
  with high-velocity packets.
• By making the deadline short or distance large.

36
Protocol Vulnerabilities RAP

• In dynamically recomputed velocity scheduling, a
  malicious node could just drop the packet an
  attack of neglect, or it can intentionally lower
  its velocity so that the packet misses its
  deadline at the destination.

37
Protocol Vulnerabilities RAP

• RAP can use clock synchronization so that each
  node can prioritize all packets based on the time
  left before their deadlines.
• A desynchronized node with a sufficiently
  erroneous clock will always choose to drop
  packets instead of forwarding them (inducing a
  routing black hole).

38
Conclusion

• Attempts to add DoS resistance to existing
  protocols often focus on cryptographic-authenticat
  ion mechanisms. But its may be impractical in
  sensor networks.
• Design-time consideration of security offers the
  most effective defense against attacks on
  availability.
• Security is the linchpin of good sensor network
  design. Without sufficient protection from DoS
  and other attacks, sensor networks may not
  deployable in many areas.