Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols

1
Rushing Attacks and Defense in Wireless Ad Hoc
Network Routing Protocols

• ACM workshop on Wireless security (2003)
• Yih-Chun Hu, Adrian Perrig,
• David B.Johnson
• ???

2
Content

• What is Rushing Attack
• On-demand routing protocols (DSR/AODV)
• How to attack
• How to defense
• Evaluation
• Conclusion

3
What is Rushing Attack? (DSR) 1/5
B
G
D
A
H
E
C
F
4
What is Rushing Attack? (AODV) 2/5

• Example

5
What is Rushing Attack? (AODV) 3/5
6
What is Rushing Attack? (AODV) 4/5
Forward pointer
RREP ltS, D, 12, 3, lifetimegt
S
E
F
B
C
J
A
G
H
D
K
I
N
timeout
7
What is Rushing Attack? 5/5

• Effective to existing on-demand routing protocols
• Packet being forwarded to require a route is
  predictable
• Goal How to rush to the targets neighbors
• Cannot be prevented by existing secure protocols

dest
Initiator
8
How to attack (How to Rush)

• Ignore delays in MAC or routing layers
• Make nearby nodes busy
• Keep their queues full using bogus messages
• Use higher power level
• 1 hop? ??? ??? ?? (processing delay)
• Use a wormhole

9
How to defense (RAP) 1/5

• Secure neighbor detection
• Sender-receiver can check that the other is
  within the normal communication range
• Three-round mutual authentication protocol (tight
  delay)

sender
receiver
neighbor ?? S nonce1
broadcast
neighbor ?? S R nonce1 nonce2
neighbor ?? S R nonce1 nonce2
10
How to defense (RAP) 2/5

• Secure route delegation
• Delegate neighbor to forward the RouteRequest
  packet
• Can verify that all the secure neighbor detection
  protocols were executed

11
How to defense (RAP) 3/5

• Randomized message forwarding
• Minimize the chance that a rushing adversary can
  dominate all returned routes
• First, collect a number of REQUESTs
• Second, select a REQUEST at random to forward

1
2
3
1
12
How to defense (RAP) 4/5

• Need to prevent an attacker from filling too many
  REQUESTs
• Legitimate nodes forward only one REQUEST per
  discovery
• Keep nodes lists neighbor verification
  Duplicate-suppression-unique

REQUEST packets in the buffer
C-B-A-D
Route record 1
Route record 2
R-K-A-D
13
How to defense 5/5

• Integrating secure route discovery
• With DSR
• Perform a SND exchange with the previous hop
• Perform a SNV when forwarding the REQUEST
• With AODV
• Require RREQ packet to carry a node list
• Execute SRD -gt randomly select one RREQ in the
  buffer
• Bad security properties due to absence of
  multiple routes
• First, use only secure on-demand routing protocol
  
• Use RAP when route discovery is attacked by the
  attacker

14
Evaluation 1/5

• Analyze the cost
• Comparing performance with Ariadne when there are
  no attacker
• RAP Ariadne vs Ariadne
• Using ns-2
• 100 nodes in 1000m 1000m
• 0, 30, 60, 120, 300, 600, 900 seconds of pause
  time
• Moving velocity between 0 and 20 meters/sec
• 5 flows, each producing 4packets/sec
  (1packet64byte)
• Enough for network congestion
• 2Mbps of Link layer data rate

15
Evaluation 2/5
16
Evaluation 3/5
17
Evaluation 4/5
18
Evaluation 5/5
19
Conclusion

• Introduced a possible attack against on-demand
  routing protocol
• Duplicate suppression technique made attack
  possible
• Presented RAP, a new protocol that thwarts the
  attack
• It can find usable routes when other protocols
  cannot.
• It can be integrated with existing secure routing
  protocols