Title: Denial of Service Resilience in Ad Hoc Networks
1 Denial of Service Resilience in Ad Hoc Networks
- I. Aad, J. Hubaux and E. Knightly
- EPFL, Switzerland and Rice University
- Presented by Jeremy Holländer
2 Outline
- What is a Denial of Service attack
- Types of nodes that initiate DoS attacks
- Types of attacks
- Victims' response
- Analytical model
- Performance of network under DoS attack
- Conclusion
3 The war on protocol design
- Attackers constantly introduce new attacks
- Retaliation by protocol designers
- This paper aims to:
- Quantify the damage an attacker can have on the performance of a wireless network
- Study the scalability of DoS attacks
4 Denial of Service
- Is an attempt by malicious user(s) to prevent legitimate users from using a service
- This paper studies protocol-compliant DoS attacks only
- Much more difficult to detect!
5 JellyFish and Black Holes
- JellyFish attacks conform to all routing and forwarding protocol specifications
- Difficult to detect before the sting
- Targets closed-loop flows
- Responsive to network conditions such as loss and delay
- Black holes participate in the routing protocol to establish routes through themselves, yet drop all received packets
- Targets open-loop flows
- Not responsive to above network conditions
6 System model assumptions
- Wireless network
- Employs node authentication
- Employs message authentication
- Ensures one identity per node
- Prevents control plane misbehavior
- A malicious node will always participate in route setup operations
- Source Routing: malicious nodes always relay Route Request packets to have many routes passing through them
- Distance Vector Routing: malicious nodes obey all control-plane protocol specifications
7 JellyFish Reorder Attack (1/2)
- Problem of TCP in regards to ACKs
- Msgs 1, ..., N sent
- Receipt of ACK-N means all msgs up to N received successfully
- Receipt of duplicate ACKs means loss or out-of-order receipt
- All TCP variants assume re-ordering is short-lived due to network changes
8 JellyFish Reorder Attack (2/2)
- JF nodes deliver all packets
- Only after placing them randomly in a FIFO buffer
- Results in near-zero goodput despite delivering all packets
- → It is not detected by other nodes as being malicious because it is not dropping packets
9 JellyFish Periodic Dropping Attack
- Attacking nodes drop all packets for a short period of time once per retransmission time-out (RTO)
- After the JF's first loss duration, the victim flow will enter timeout because the JF chooses a dropping duration long enough to result in multiple losses
- When the flow attempts to exit timeout RTO seconds later, the JF will soon/immediately drop again
- Why does it work?
- Because, like non-malicious nodes, JFs drop only a small fraction of the time so as not to be detected
10 JellyFish Delay Variance Attack
- JFs manipulate packet delays to reduce TCP throughput
- This results in:
- TCP sending traffic in bursts due to self-clocking, which leads to increased collisions and loss
- Mis-estimations of available bandwidth
- Excessively high RTO value
11 Impact of JF-reorder on throughput
- FIFO schedule that randomly selects one of first k packets of the queue to send
- TCP is robust with reordering buffer of two packets
- With larger reordering buffer, goodput collapses
- Solution: TCP-PR → use timers to detect loss
12 JF-drop effect on throughput
- To obtain the null at 1 second, the JF drops packets for 90ms every 1 second
- → dropping 9% of the time and forwarding 91% of the time
- Hard to detect because these are values that can be incurred by a congested node
- Multiple packet losses within a RT-time are an indication of severe congestion
- Flow must back off aggressively and wait RTO seconds before entering slow start
13 JF-jitter effect on throughput
- JF alternates between periods of serving packets at its maximum capacity and serving no packets
- Idle and active periods are of equal length
- → TCP goodput decreases with increasing jitter
14 Black Holes
- BH participate in all routing control operations
- Once path established, BH drop all packets
- JF has nearly same impact as BH
- BH work with flows that are not congestion-related and therefore immune to JF
- → Disadvantage: much easier to detect BH
15 Diagnosing Misbehavior: Detection of MAC Layer Failure (1)
- Broken routes (for instance because of mobility) can be detected by routing protocols.
- E.g. DSR uses MAC layer transmission failure to generate a route error message
- Message is sent upstream to the source node, which will establish a new route
16 Diagnosing Misbehavior: Passive Acknowledgement (2)
- Consider BH behavior: a BH needs to forward a packet. It first acknowledges the receipt of the packet to the sender but does not forward the packet to its intended destination. Can this be detected?
- PACK: if node i sends a packet to k via j, then i should overhear the subsequent transmission from j to k (exploits broadcast nature of wireless medium).
17 Diagnosing Misbehavior: Passive Acknowledgement (2)
- Energy-efficient transmission
- PACK requires that node j's transmission be overheard by node i
- Unable to use dynamic power management
- Even though j is very close to k, it must ensure that i hears the transmission
- If i does not hear the transmission it will incorrectly infer that j is a misbehaving node
18 Diagnosing Misbehavior: Passive Acknowledgement (2)
- Directional antennas
- PACK assumes that attackers will use omni-directional antennas
- Black Holes can however use a directional antenna to fool their upstream node by beam-forming
- i will have heard that j has sent a packet to k and will not suspect that it is a malicious node
19 Diagnosing Misbehavior: Passive Acknowledgement (3)
- Variable power
- i is closer to j than j is to k
- j can pretend to i that it has forwarded the packet, yet j's reduced power means that only i but not k can receive it
- In all three previous cases, k may send a message to i to let it know that it has not received any packets
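Added example (not from the paper or the slides): a sketch of the PACK check at node i, cross-checked against feedback from destination k as the last bullet suggests. The log format, relay names j1 to j3, timeout and threshold are all assumptions made for illustration.

```python
from collections import defaultdict

PACK_TIMEOUT_S = 0.10  # assumed: how long i waits to overhear the relay's forward
SUSPECT_RATIO = 0.5    # assumed: share of failed packets that flags a relay

# Constructed log from node i's radio: (time_s, event, packet_id, relay).
# "sent": i handed the packet to the relay; "overheard": i heard it forwarded.
LOG = (
    [(n * 0.2, "sent", n, "j1") for n in range(5)]
    + [(n * 0.2 + 0.03, "overheard", n, "j1") for n in range(5)]
    + [(n * 0.2 + 0.01, "sent", 100 + n, "j2") for n in range(5)]
    + [(n * 0.2 + 0.02, "sent", 200 + n, "j3") for n in range(5)]
    + [(n * 0.2 + 0.05, "overheard", 200 + n, "j3") for n in range(5)]
)
# Constructed end-to-end feedback: packet ids destination k reports as received.
RECEIVED_BY_K = {0, 1, 2, 3, 4}


def pack_verdicts(log, received_by_k, end_time):
    """Judge each relay by passive ACKs, then cross-check against k's report."""
    sent_at, heard = {}, set()
    for t, event, pkt, relay in sorted(log):
        if event == "sent":
            sent_at[(relay, pkt)] = t
        elif (relay, pkt) in sent_at and t - sent_at[(relay, pkt)] <= PACK_TIMEOUT_S:
            heard.add((relay, pkt))  # forward overheard within the timeout
    total, unheard, lost = defaultdict(int), defaultdict(int), defaultdict(int)
    for (relay, pkt), t in sent_at.items():
        if end_time - t <= PACK_TIMEOUT_S:
            continue  # timeout still running, too early to judge
        total[relay] += 1
        if (relay, pkt) not in heard:
            unheard[relay] += 1  # may also be an honest low-power relay
        elif pkt not in received_by_k:
            lost[relay] += 1     # i overheard it, yet k never received it
    verdicts = {}
    for relay, count in total.items():
        if unheard[relay] / count >= SUSPECT_RATIO:
            verdicts[relay] = "suspect: no passive ACK"
        elif lost[relay] / count >= SUSPECT_RATIO:
            verdicts[relay] = "suspect: passive ACK but destination reports loss"
        else:
            verdicts[relay] = "ok"
    return verdicts


if __name__ == "__main__":
    for relay, verdict in sorted(pack_verdicts(LOG, RECEIVED_BY_K, 2.0).items()):
        print(relay, "->", verdict)
```

The "no passive ACK" verdict alone cannot separate a Black Hole from an honest relay using power management (slide 17), which is why the destination's report is consulted as well.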
20 Diagnosing Misbehavior: Layer 4 Endpoint Detection (4)
- Difficult to detect JFs and BH
- Attack victims will need to rely on end-to-end mechanisms
- Major trade-off
- Single packet loss implies problematic route
- Large number of packet losses implies problematic route
- Proposition: use reputation route selection scheme
21 Victims' response
- Once malicious nodes are detected there are three solutions
- Establish new path excluding any node from prior malfunctioning path
- → difficult to achieve in small/sparse networks!
- Employ multipath routing and adapt path weights according to path goodput
- → severely decreases throughput
- Establish backup routes by keeping all route reply messages
- Consider a distributed victims system that keeps track of all malicious nodes in a network
22 Analytical model (1/2)
- Ad hoc network with $N$ nodes and $a$ malicious nodes, where $a < N$
- $p$ is the probability that a randomly selected node is an attacker, $p = a / N$
- Path traverses $h$ relay hops
- If the selected nodes represent a random sample of the $N$ network nodes, then the path contains no attacking nodes with probability $(1 - p)^h$
23 Analytical model (2/2)
- $E(T_L)$ is the expected lifetime of a route
- $T_{diag}$ is the time it takes to diagnose that a route is broken
- $T_{RL}$ is the minimum inter-spacing of route requests allowed by the routing protocol
- $T_{RR}$ is the time it takes to receive one or more route reply messages
- Normalized goodput for a flow
24 Rushing Attack
- Malicious nodes use different mechanisms to attract flows to route through them, thereby increasing the damage they can do during attack
- If attacking nodes can attract twice as many flows compared with uniform graph (2a/N instead of a/N), flow goodput drops from 52 to 34 with 10 attackers
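Added example (not from the paper or the slides): the clean-path probability $(1 - p)^h$ from slide 22, checked against the exact value for distinct relays and a Monte Carlo draw, with the rushing case $p = 2a/N$ alongside. The values a = 20 and the hop counts are assumptions; it does not reproduce the goodput figures above, which depend on the normalized goodput expression.

```python
import math
import random


def clean_path_model(a, n, h, attraction=1.0):
    """Slide model: P(no attacker among h relays) = (1 - p)^h, p = attraction*a/N."""
    p = min(1.0, attraction * a / n)
    return (1.0 - p) ** h


def clean_path_exact(a, n, h):
    """Exact value when the h relays are distinct nodes (hypergeometric)."""
    if h > n - a:
        return 0.0
    return math.comb(n - a, h) / math.comb(n, h)


def clean_path_simulated(a, n, h, trials=20000, seed=1):
    """Monte Carlo: draw h distinct relays uniformly; nodes 0..a-1 are malicious."""
    rng = random.Random(seed)
    clean = sum(1 for _ in range(trials)
                if min(rng.sample(range(n), h)) >= a)
    return clean / trials


def table(a=20, n=200, hops=(1, 3, 5, 8)):
    """Rows of (h, uniform model, exact, simulated, model with 2a/N rushing).

    a=20 and the hop counts are assumed values; n=200 matches the baseline case.
    """
    return [(h, clean_path_model(a, n, h), clean_path_exact(a, n, h),
             clean_path_simulated(a, n, h), clean_path_model(a, n, h, 2.0))
            for h in hops]


if __name__ == "__main__":
    print(" h  model  exact  sim    rushing(2a/N)")
    for h, model, exact, sim, rush in table():
        print(f"{h:2d}  {model:.3f}  {exact:.3f}  {sim:.3f}  {rush:.3f}")
```

The model and the exact value stay close for short paths, while doubling the attraction roughly halves the chance of a clean five-hop path.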
25 Assessment of performance under DoS Attack
- Baseline case
- 200 nodes move randomly in 2000m² grid at maximum velocity of 10m/s, pausing 10s on average
- Node receive range is 250m
- Channel capacity is 1Mb/s
- 100 nodes communicate with each other to create 50 flows
- Other 100 nodes are routers (only forward packets)
- JFs are compromised routers
26 Offered Load and TCP
- If offered load is very high, most packets received end-to-end will be over one-hop flows even without the attack
- With a more moderate load, JF will skew the distribution of received traffic more towards that achieved in an over-load case
27 JellyFish Placement
- Grid placement and mobile JF only slightly more harmful than random static placement
- Note that test is only 2000m² with 250m range!
- → could have mobile JF that moves around until it attains an optimal position with a large amount of flows passing through it
28 Mobility
- Consider three speeds: 1m/s, 10m/s, 20m/s
- With no attack, low mobility achieves (as expected) best fairness
- With 49 JFs in system (24.5% of nodes), low fairness for all three speeds
29 System Size
- Smaller system size results in higher initial fairness
- With shorter path lengths flow throughputs are nearly identical
- Both system sizes incur identical reduction in fairness when introducing JFs
30 Conclusion
- JellyFish nodes are difficult to discover
- Black Holes are easier to find but are far more devastating in terms of their effect on the network
- Effect on network can be even worse if malicious nodes work together (not considered in this paper)
- The main question is not whether it is possible to find malicious nodes but rather
- How long will it take to discover such nodes?
- In order to ease the task a reputation system may be used