Denial of Service Resilience in Ad Hoc Networks

1
Denial of Service Resilience in Ad Hoc Networks

• I. Aad, J. Hubaux and E. Knightly
• EPFL, Switzerland and Rice University
• Presented by Jeremy Holländer

2
Outline

• What is a Denial of Service attack
• Types of nodes that initiate DoS attacks
• Types of attacks
• Victims response
• Analytical model
• Performance of network under DoS attack
• Conclusion

3
The war on protocol design

• Attackers constantly introduce new attacks
• Retaliation by protocol designers
• This papers aims to
• Quantify the damage an attacker can have on the
  performance of a wireless network
• Study the scalability of DoS attacks

4
Denial of Service

• Is an attempt by malicious user(s) to prevent
  legitimate users from using a service
• This paper studies protocol-compliant DoSs only
• Much more difficult to detect!

5
JellyFish and Black Holes

• JellyFish attacks conform to all routing and
  forwarding protocol specifications
• Difficult to detect before the sting
• Targets closed-loop flows
• Responsive to network conditions such as loss and
  delay
• Black holes participate in the routing protocol
  to establish routes through themselves, yet drop
  all received packets
• Targets open-loop flows
• Not responsive to above network conditions

6
System model assumptions

• Wireless network
• Employs node authentication
• Employs message authentication
• Ensures one identity per node
• Prevents control plane misbehavior
• A malicious node will always participate in route
  setup operations
• Source Routing malicious nodes always relay
  Route Request packets to have many routes passing
  through them
• Distance Vector Routing malicious nodes obey all
  control-plane protocol specifications

7
JellyFish Reorder Attack (1/2)

• Problem of TCP in regards to ACKs
• Msgs 1, , N sent
• Receipt of ACK-N means all msgs up to N received
  successfully
• Receipt of duplicate ACKs means loss or
  out-of-order receipt
• All TCP variants assume re-ordering is
  short-lived due to network changes

8
JellyFish Reorder Attack (2/2)

• JF nodes deliver all packets
• Only after placing them randomly in a FIFO buffer
• Results in near-zero goodput despite delivering
  all packets
• ? it is not detected by other nodes as being
  malicious because not dropping packets

9
JellyFish Periodic Dropping Attack

• Attacking nodes drop all packets for a short
  period of time once per retransmission time-out
  (RTO)
• After JFs first loss duration, the victim flow
  will enter timeout because JF choosing a dropping
  duration long enough to result in multiple losses
• When the flow attempts to exit timeout RTO
  seconds later, JF will soon/immediately drop
  again
• Why does it work?
• Because like non-malicious nodes JFs drop only a
  small fraction of time so as not to be detected

10
JellyFish Delay Variance Attack

• JFs manipulate packet delays to reduce TCP
  throughput
• This results in
• TCP sending traffic in bursts due to
  self-clocking, leads to increased collisions
  and loss
• Mis-estimations of available bandwidth
• Excessively high RTO value

11
Impact of JF-reorder on throughput

• FIFO schedule that randomly selects one of first
  k packets of the queue to send
• TCP is robust with reordering buffer of two
  packets
• With larger reordering buffer, goodput collapses
• Solution TCP-PR ? use
• timers to detect loss

12
JF-drop effect on throughput

• To obtain the null at 1 second, the JF drops
  packets for 90ms every 1 second
• ? dropping 9 of the time and forwarding 91 of
  the time
• Hard to detect because these are values that can
  be incurred by a congested node
• Multiple packet losses within
• a RT-time are an indication of
• severe congestion
• Flow must back off aggressively
• and wait RTO seconds before
• entering slow start

13
JF-jitter effect on throughput

• JF alternates between periods of serving packets
  at its maximum capacity and serving no packets
• Idle and active periods are of equal length
• ? TCP goodput decreases with increasing jitter

14
Black Holes

• BH participate in all routing control operations
• Once path established, BH drop all packets
• JF has nearly same impact as BH
• BH work with flows that are not
  congestion-related and therefore immune to JF
• ? disadvantage much easier to detect BH

15
Diagnosing MisbehaviorDetection of MAC Layer
Failure (1)

• Broken routes (for instance because of mobility)
  can be detected by routing protocols.
• E.g. DSR uses MAC layer transmission failure to
  generate a route error message
• Message is sent upstream to the source node,
  which will establish a new route

16
Diagnosing MisbehaviorPassive Acknowledgement (2)

• Consider BH behavior BH needs to forward packet.
  It first acknowledges the receipt of the packet
  to the sender but does not forward the packet to
  its intended destination. Can this be detected ?
• PACK if node i sends a packet to k via j, then
  i should overhear the subsequent transmission
  from j to k (exploits broadcast nature of
  wireless medium).

17
Diagnosing MisbehaviorPassive Acknowledgement (2)

• Energy-efficient transmission
• PACK requires that node js transmission be
  overheard by node i
• Unable to use dynamic power management
• Even though j is very close to k, it must ensure
  that i hears the transmission
• If i does not hear the transmission it will
  incorrectly infer that j is a misbehaving node

18
Diagnosing MisbehaviorPassive Acknowledgement (2)

• Directional antennas
• PACK assumes that attackers will use
  omni-directional antennas
• Black Holes can however use a directional antenna
  to fool its upstream node by beam-forming
• i will have heard that j has sent a packet to k
  and will not suspect that it is a malicious node

19
Diagnosing MisbehaviorPassive Acknowledgement (3)

• Variable power
• i is closer to j than j is to k
• j can pretend to i that it has forwarded the
  packet, yet js reduced power means that only i
  but not k can receive it
• In all three previous cases, k may send a message
  to i to let it know that it has not received any
  packets

20
Diagnosing MisbehaviorLayer 4 Endpoint Detection
(4)

• Difficult to detect JFs and BH
• Attack victims will need to rely on end-to-end
  mechanisms
• Major trade-off
• Single packet loss implies problematic route
• Large number of packet losses implies problematic
  route
• Proposition use reputation route selection scheme

21
Victims response

• Once malicious nodes are detected there are three
  solutions
• Establish new path excluding any node from prior
  malfunctioning path
• ? difficult to achieve in small/sparse networks!
• Employ multipath routing and adapt path weights
  according to path goodput
• ? severely decreases throughput
• Establish backup routes by keeping all route
  reply messages
• Consider a distributed victims system that keeps
  track of all malicious nodes in a network

22
Analytical model (1/2)

• Ad Hoc network with N nodes and a malicious nodes
  where a lt N
• p is probability that a randomly selected node is
  an attacker, p a / N
• Path traverses h relay hops
• If selected node represent a random sample of the
  N network nodes, then path contains no attacking
  nodes with probability (1 p)h

23
Analytical model (2/2)

• E(TL) is expected liftetime of a route
• Tdiag is time it takes to diagnose route is
  broken
• TRL is minimum inter-spacing of route requests
  allowed by routing protocol
• TRR is time it takes to receive one or more route
  reply messages
• Normalized goodput for a flow

24
Rushing Attack

• Malicious nodes use different mechanisms to
  attract flows to route through them, thereby
  increasing the damage they can do during attack
• If attacking nodes can attract twice as many
  flows compared with uniform graph (2a/N instead
  of a/N), flow
• goodput drops from 52
• to 34 with 10 attackers

25
Assessment of performance under DoS Attack

• Baseline case
• 200 nodes move randomly in 2000m2 grid at maximum
  velocity of 10m/s, pausing 10s on average
• Node receive range is 250m
• Channel capacity is 1Mb/s
• 100 nodes communicate with each other to create
  50 flows
• Other 100 nodes a routers (only forward packets)
• JFs are compromised routers

26
Offered Load and TCP

• If offered load is very high, most packets
  received end-to-end will be over one hop flows
  even without the attack
• With a more moderate load, JF will skew the
  distribution of received traffic more towards
  that achieved in an over-load case

27
JellyFish Placement

• Grid placement and mobile JF only slightly more
  harmful than random static placement
• Note that test is only 2000m2 with 250m range!
• ? could have mobile JF
• that moves around until it
• attains an optimal position
• with a large amount of flows
• passing through it

28
Mobility

• Consider three speeds1m/s,10m/s, 20m/s
• With no attack, low mobility achieves (as
  expected) best fairness
• With 49JFs in system (24.5 of nodes), low
  fairness for all three speeds

29
System Size

• Smaller system size results in higher initial
  fairness
• With shorter path lengths flow throughputs are
  nearly identical
• Both system sizes incur identical reduction in
  fairness when introducing JFs

30
Conclusion

• JellyFish nodes are difficult to discover
• Black Holes are easier to find but are far more
  devastating in terms of their effect on the
  network
• Effect on network can be even worst if malicious
  nodes work together (not considered in this
  paper)
• The main question is not whether it is possible
  to find malicious nodes but rather
• How long will it take to discover such nodes?
• In order to ease the task a reputation system may
  be used