Title: Protecting Ad Hoc Networks in real-time
1- Protecting Ad Hoc Networks in real-time
Course: Security and Privacy on the Internet
Instructor: Dr. A.K. Aggarwal
Presented by Fadi Farhat, Fall 2007
2- Table of Contents
- What is a mobile ad-hoc network (MANet)?
- What are the drawbacks of MANet and how to limit them?
- The Optimized Link State Routing (OLSR) protocol
- OLSR threats and solutions
- Ad-hoc On-Demand Distance Vector (AODV) protocol
- AODV threats
- Real-time intrusion detection for ad hoc networks (RIDAN)
3- Mobile ad-hoc network (MANet)
- A wired ad hoc network is the equivalent of a LAN, while "ad-hoc network" usually means an ad-hoc wireless network.
- A wireless ad-hoc network is a computer network that uses wireless media for its communication links. A connection is set up for one session, without the need for a base station.
- Nodes are self-organized and decentralized: there is no need for the router, switch or hub of a wired network, or for the access points of Wi-Fi networks.
4- Mobile ad-hoc network (MANet)
- Packet radio networks were the earliest wireless ad-hoc networks; many later variants were developed, such as wireless mesh networks and wireless sensor networks. Mobile ad-hoc networks (MANets) are the focus of this survey.
- A MANet is a self-configuring network: a set of unstable nodes (moving randomly) forms a wireless network with a dynamic topology.
- Connectivity in a MANet needs the collaboration of all participating nodes, each acting as a router (it finds the target of a packet it receives, chooses the best path to that target, and sends data packets to the next node on the path).
5- Drawbacks of MANet and how to limit them
- The instability caused by moving nodes (dynamic topology).
- Decentralization, where every node acts on its own initiative (no routers or APs).
- These drawbacks raise the need for a network-layer protocol that helps keep connectivity stable and supports the security requirements.
6- The Optimized Link State Routing (OLSR) protocol
- The OLSR protocol for mobile ad hoc networks is an optimization of the classical link-state protocol.
- It was developed for ad-hoc networks, where each node must know the network topology in order to find the suitable next hop.
- All appropriate next hops form the routing table of the node.
7- The Optimized Link State Routing (OLSR) protocol
- In a link-state protocol, every piece of information that moves through the nodes is used to build the connectivity maps.
- OLSR keeps routes maintained and up to date, so any node that wants to send a message is provided with the best route.
- MultiPoint Relays (MPRs), the smallest subset of 1-hop neighbors that reaches all 2-hop neighbors, must be determined for each node of the network in order to reduce the number of control (TC) messages and to shrink the broadcast traffic: a node's broadcasts are retransmitted only by its MPRs.
8- The Optimized Link State Routing (OLSR) protocol
- OLSR operation depends on three mechanisms:
  - Neighbor sensing (Hello messages)
  - MPR flooding
  - Topology diffusion (TC messages)
9- The Optimized Link State Routing (OLSR) protocol
- Neighbor sensing
  - Each node periodically broadcasts Hello messages to its adjacent (1-hop) neighbors; Hello messages are not forwarded. A Hello message carries the node's neighbor list with the link status of each neighbor, which lets the receivers learn their 2-hop neighbors and build their MPR selector lists. Nodes forward only messages received from their MPR selectors.
10- The Optimized Link State Routing (OLSR) protocol
- MPR flooding
  - Used to eliminate duplicate transmissions and to minimize duplicate receptions.
11- The Optimized Link State Routing (OLSR) protocol
- Topology diffusion
  - The mechanism for building routing tables (topology tables) by periodically spreading TC messages to all network nodes; in a TC message a node declares the links between itself and the nodes in its MPR selector set.
12- The Optimized Link State Routing (OLSR) protocol
- OLSR threat and solution
  - MPR nodes are the only nodes allowed to spread routing messages to other nodes, so if malicious nodes want to intercept routing messages they have to impersonate the status of an MPR. After appearing as an MPR node they can modify the contents of messages, skip forwarding them, etc.
  - Two threat scenarios targeting the two main control messages in OLSR (Hello and TC) will be presented. The intruder nodes are authenticated (they belong legally to the network).
13- OLSR threat and solution
- Cheating through TC messages
  - The intruder is not an MPR, but it produces and spreads forged TC messages that present to its 1-hop neighbors shorter routes to reach node D, in order to divert through itself all messages passing through B to D.
  - The defect within OLSR is that when node D receives the intruder's TC message, it does not react to the erroneous announcement concerning it.
14- OLSR threat and solution
- Cheating through TC messages
  - A is at 3-hop distance from D, through B and C.
  - 1. When C sends a TC message, the intruder identifies D at 3-hop distance.
  - 2. The intruder announces in a forged TC message that D belongs to its MPR Selector set.
  - > Consequences
    - The intruder presents to A a shorter route to reach D than B does.
15- OLSR threat and solution
- Cheating through Hello messages
  - The intruder cheats with a Hello message proclaiming a false number of 1-hop neighbors, deceiving its neighbors about its ability to reach their 2-hop neighbors by passing only through it.
16- OLSR threat and solution
- Cheating through Hello messages
  - B is an MPR of A. C is at 2-hop distance from A.
  - 1. B sends a Hello message.
  - 2. A sends a Hello message.
  - 3. The intruder sends a Hello message announcing that it has symmetric links with A, B, C, D and X (X could be any of the other nodes).
  - > Consequences
    - The intruder presents to A a shorter route to reach D than B does, and also to reach other destinations (C, X).
    - A selects the intruder as MPR.
    - A stops sending traffic to D through B.
    - A sends traffic to D through the intruder.
17- OLSR threat and solution
- Proposed solutions
  - We can't apply the IDS of wired networks to ad-hoc networks, because:
    - Data monitoring in wired networks is done at centralized entities (switches, routers, etc.), which do not exist in ad hoc networks.
    - Nodes continuously leave and join at any time, which changes the topology.
    - Limitations of bandwidth, transmission rates, energy, processing and memory.
18- OLSR threat and solution
- Proposed solutions
  - The solution to such a problem is to support the protocol with an Intrusion Detection System that checks control messages by testing whether their content matches reality. As each node knows its 1-hop neighbor set, its 2-hop neighbor set and its MPR set, each node knows a partial graph of the network which is complete at least up to a 2-hop range.
19- OLSR threat and solution
- Solution for cheating TC message
  - The proposed solution for cheating through TC messages comes from D (the targeted node). When D receives the message flooded by the intruder (meant to fool A), in which the intruder claims to belong to the MPR set of D although it actually does not (D compares the claim with its MPR set), D has to flood an alert message announcing a possible threat from the intruder.
20- OLSR threat and solution
- Cheating through TC messages
  - The weakness of the solution
    - It relies only on the targeted node as detector, and that node is supposed to be honest. But what if a dishonest node launches a fake alert against an honest node?
21- OLSR threat and solution
- Cheating through TC messages
  - Enhancement of the solution
    - To strengthen the solution, the 1-hop neighbors of the targeted node have to collaborate in detecting threats, in addition to the targeted node itself. In the example, nodes H, G, J and D all have to detect the forged TC message against node D, which is possible because each node knows its 1-hop neighbors and 2-hop neighbors (and those chosen as MPR).
22- OLSR threat and solution
- Solution for cheating Hello message
  - When the intruder sends a Hello message to inform A, B, C and D that it has symmetric links with them:
    - The neighbors of the forged nodes (B, for example) can easily detect the intruder's trick through the Hello messages of their own neighbors.
    - Then B can generate and flood an alert message to warn about the threat from the intruder. Consequently, all 1-hop neighbors can do the same.
23- Ad-hoc On-Demand Distance Vector (AODV) protocol
- AODV allows active, standalone and multi-hop routing between participating mobile nodes.
- It helps provide mobile nodes with quick routes to their destinations.
- It also permits the nodes to react to any changes in the network topology.
- It can quickly rebuild the network topology after a node moves.
- It informs the set of nodes affected by a link break, so that they can modify the routes that used the lost link.
24- Ad-hoc On-Demand Distance Vector (AODV) protocol
- What differentiates AODV from other protocols is the destination sequence number it keeps for each route entry.
- This destination sequence number is sent along with the destination in any route information it provides to requesting nodes.
- Route Requests (RREQs), Route Replies (RREPs) and Route Errors (RERRs) are the message types used by AODV.
25- Ad-hoc On-Demand Distance Vector (AODV) protocol
- Route Requests (RREQs)
  - Node X generates and broadcasts a RREQ, flooded through the network, in order to learn the route to a particular destination. The route is determined when the RREQ reaches the destination, or a node holding a suitable route to the destination with a sequence number larger than that of the RREQ.
26- Ad-hoc On-Demand Distance Vector (AODV) protocol
- Route Replies (RREPs)
  - An intermediate node that receives the RREQ replies with a route reply (RREP) message only if it has a route to that destination; otherwise it rebroadcasts the RREQ packet to its neighbors, until the request reaches the destination.
27- Ad-hoc On-Demand Distance Vector (AODV) protocol
- Route Errors (RERRs)
  - The route maintenance process uses link-layer notifications, which are intercepted by the nodes neighboring the one that caused the error. These nodes generate and forward route error (RERR) messages to their neighbors that have been using routes that include the broken link.
28- AODV threats
- Sequence number (or black hole) attack
  - When a source node begins a route discovery toward a destination node by sending a RREQ packet, and the attacker is one of the intermediate nodes, then on receiving the RREQ it generates a RREP with a forged high sequence number to fool the sender. This satisfies the first step of a man-in-the-middle attack.
29- AODV threats
- Resource consumption
  - A malicious node generates and sends repeated, unnecessary routing traffic (only RREQ and RERR packets, as RREPs are automatically discarded according to the AODV specification).
  - The aim is to consume the power and processing energy of the participating nodes and to flood the network with false routing packets, consuming all the available network bandwidth with meaningless traffic.
30- AODV threats
- Dropping routing traffic
  - Because of the hardware limitations of mobile nodes (restricted battery life and limited processing capabilities), any node may prefer not to take part in the routing process in order to save energy.
  - Consequently, a malicious node may drop any received packet that is not addressed to it, which may cause network segmentation: if some other nodes are connected only through this malicious node, they become inaccessible and isolated from the rest of the network.
31- Real-time intrusion detection for ad hoc networks (RIDAN)
- RIDAN is another IDS, designed for networks using the AODV routing protocol.
- It uses timed finite state machines (TFSMs) which, with a real-time knowledge-based methodology, can detect network intrusions.
- It operates locally in every participating node.
- A TFSM may be triggered by the observed packets, based on patterns previously discovered from a normal state and from an attack state many
32- Real-time intrusion detection for ad hoc networks (RIDAN)
- RIDAN works under the following assumptions, on which the system relies:
  - Links are bidirectional.
  - All nodes operate in promiscuous mode (in order to listen to their neighbors).
  - RIDAN is activated on all the legitimate nodes.
33- Real-time intrusion detection for ad hoc networks (RIDAN)
- IDS for sequence number attack
  - The TFSM is triggered whenever a node begins a route discovery process.
  - If a RREP message does not arrive within a predefined time period, the TFSM times out and resets to its initial state.
34- Real-time intrusion detection for ad hoc networks (RIDAN)
- IDS for sequence number attack
  - If the destination sequence number included in the RREP is much higher than the sequence number included in the RREQ, the TFSM goes directly to the alarm state.
  - If not, it remains in the same state for time t, until it expires and then resets.
  - When an alarm occurs, the source node knows that the RREP is forged and does not update its routing table.
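The sequence-number TFSM of slides 33-34, as an added Python example that is not the RIDAN authors' code. The jump that counts as "much higher" (`max_seq_jump`), the timeout t and the event trace are assumptions; node names follow the slides, with "I" as the attacker.

```python
# Added example (not the RIDAN authors' code): the timed finite state machine
# the slides describe for the sequence-number attack, driven by constructed
# events. The "much higher" jump threshold and the timeout t are assumed
# parameters; names follow the slides ("I" is the attacker).
from dataclasses import dataclass


@dataclass
class Rrep:
    dest: str
    dest_seq: int
    from_node: str


class SeqNumTFSM:
    INIT, WAIT, ALARM = "init", "wait_rrep", "alarm"

    def __init__(self, timeout_t=2.0, max_seq_jump=50):
        self.timeout_t, self.max_seq_jump = timeout_t, max_seq_jump
        self.state, self.dest, self.req_seq, self.started = self.INIT, None, None, None
        self.suspects = set()

    def on_rreq_sent(self, dest, dest_seq, now):
        # Route discovery begins: trigger the TFSM and remember the RREQ's
        # destination sequence number and the start of the window t
        self.state, self.dest, self.req_seq, self.started = self.WAIT, dest, dest_seq, now

    def on_rrep(self, rrep, now):
        """Judge an incoming RREP: 'accept', 'forged' or 'not_monitored'."""
        self._tick(now)
        if self.state != self.WAIT or rrep.dest != self.dest:
            return "not_monitored"  # no discovery pending for this destination
        if rrep.dest_seq - self.req_seq > self.max_seq_jump:
            # Much higher than the RREQ's sequence number: straight to alarm,
            # and the source must not update its routing table from this RREP
            self.state = self.ALARM
            self.suspects.add(rrep.from_node)
            return "forged"
        # Plausible RREP: the TFSM stays in the same state until t expires
        return "accept"

    def _tick(self, now):
        # No forged RREP within t: the TFSM times out and resets
        if self.state == self.WAIT and now - self.started > self.timeout_t:
            self.state = self.INIT
```

Because a plausible RREP leaves the machine in its waiting state, a later forged RREP for the same discovery is still caught as long as it arrives within t.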
35- Real-time intrusion detection for ad hoc networks (RIDAN)
- IDS for dropping routing packets attack
  - As all nodes work in promiscuous mode, no node can hide a packet and fail to forward it without being detected.
36- Real-time intrusion detection for ad hoc networks (RIDAN)
- IDS for dropping routing packets attack
  - The TFSM can't generate an alarm directly:
    - Sometimes a drop happens because of traffic overload.
    - Instead, the TFSM moves to a pre-alarm state (for time t).
    - The node is written in the suspected list.
    - The TFSM unicasts the routing packet to the offending node again.
37- Real-time intrusion detection for ad hoc networks (RIDAN)
- IDS for dropping routing packets attack
  - The link with the attacking node is marked as broken. If this mischievous node tries to forward packets again, it is slowly added back to the routing function.
  - If the node responds, the pre-alarm is cancelled and the node is removed from the suspected nodes list.
  - Else the TFSM goes to the alarm state and the node is marked as malicious. In this case the node that initiated the RREQ does not send the intended traffic through the recognized attacker, and also sends a RERR to its upstream neighbors.
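The pre-alarm/alarm machine of slides 35-37 for one monitored next hop, as an added Python example that is not the RIDAN authors' code. It assumes the node can tell, by overhearing in promiscuous mode, whether the next hop retransmitted a packet within t; the neighbor names, t, and the recorded `actions` are constructed for illustration.

```python
# Added example (not the RIDAN authors' code): a per-neighbor TFSM for the
# dropping attack as the slides describe it. A node hands a routing packet to
# a next hop and, listening in promiscuous mode, expects to overhear the next
# hop retransmit it within time t. Names, t and the `actions` log are assumed.

class DropTFSM:
    INIT, WAIT, PRE_ALARM, ALARM = "init", "wait", "pre_alarm", "alarm"

    def __init__(self, neighbor, t=1.0):
        self.neighbor, self.t = neighbor, t
        self.state, self.deadline, self.pkt = self.INIT, None, None
        self.suspected, self.malicious = False, False
        self.actions = []  # what the monitoring node did, for the reader

    def on_forward(self, pkt, now):
        # Packet handed to the neighbor: wait up to t to overhear it again
        if self.state == self.INIT:
            self.state, self.pkt, self.deadline = self.WAIT, pkt, now + self.t

    def on_overheard(self, pkt):
        # The neighbor did forward the packet: normal, or pre-alarm cancelled
        if pkt == self.pkt and self.state in (self.WAIT, self.PRE_ALARM):
            if self.state == self.PRE_ALARM:
                self.suspected = False
                self.actions.append(f"cancel pre-alarm, unsuspect {self.neighbor}")
            self.state, self.pkt, self.deadline = self.INIT, None, None

    def tick(self, now):
        # Called as time advances; fires the timeouts of the current state
        if self.deadline is None or now < self.deadline:
            return
        if self.state == self.WAIT:
            # Could be overload, so no alarm yet: pre-alarm, suspect the node
            # and unicast the same routing packet to it again
            self.state, self.suspected = self.PRE_ALARM, True
            self.deadline = now + self.t
            self.actions.append(f"pre-alarm: unicast {self.pkt} to {self.neighbor} again")
        elif self.state == self.PRE_ALARM:
            # Still nothing overheard: alarm, mark malicious, mark the link
            # broken, route around the node and warn the upstream neighbors
            self.state, self.malicious, self.deadline = self.ALARM, True, None
            self.actions.append(
                f"alarm: {self.neighbor} malicious, link broken, RERR to upstream")
```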
38- Real-time intrusion detection for ad hoc networks (RIDAN)
- IDS for resource consumption attack
  - A list of all nodes from which a node has lately received routing traffic.
  - A counter that records the number of packets from a specific node.
  - A timer.
  - Together these decide whether the TFSM has to be triggered or not.
39- Real-time intrusion detection for ad hoc networks (RIDAN)
- IDS for resource consumption attack
  - When a new routing packet is received from a specific node, the TFSM increments the counter and remains in pre-alarm for time t.
  - If the counter reaches the threshold value, the TFSM moves to the alarm state and the node drops all incoming routing traffic from that node for a finite time interval.
  - If the timer expires, the TFSM resets to its initial state, indicating that the traffic generated by the monitored node was normal.
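The per-source counter, timer and threshold of slides 38-39 as one rate-limiting TFSM, as an added Python example that is not the RIDAN authors' code. The threshold, the window t, the length of the blocking interval and the packet trace are assumptions; the only page-given rule is that only RREQ and RERR packets are counted, since RREPs are already discarded by AODV.

```python
# Added example (not the RIDAN authors' code): the per-source counter/timer
# TFSM the slides describe for the resource-consumption attack. Threshold,
# window t and the block interval are assumed parameters; the trace in the
# test is constructed.

class FloodTFSM:
    INIT, PRE_ALARM, ALARM = "init", "pre_alarm", "alarm"

    def __init__(self, threshold=20, t=1.0, block_for=30.0):
        self.threshold, self.t, self.block_for = threshold, t, block_for
        self.count = {}    # source -> routing packets seen in the current window
        self.expires = {}  # source -> when the window (or the block) expires
        self.state = {}    # source -> TFSM state for that source

    def on_routing_packet(self, src, kind, now):
        """Return True if the packet should be processed, False if dropped."""
        if kind not in ("RREQ", "RERR"):
            return True  # RREPs are discarded by AODV itself, so not counted here
        state = self.state.get(src, self.INIT)
        if state == self.ALARM:
            if now < self.expires[src]:
                return False  # still inside the blocking interval
            state = self.INIT  # block over: start judging the source afresh
        if state == self.INIT or now >= self.expires[src]:
            # Timer expired (or first packet): earlier traffic counted as
            # normal, so open a fresh window of length t in pre-alarm
            self.count[src], self.expires[src] = 0, now + self.t
            state = self.PRE_ALARM
        self.count[src] += 1
        if self.count[src] >= self.threshold:
            # Threshold reached within t: alarm and drop this source's
            # routing traffic for a finite interval
            self.state[src] = self.ALARM
            self.expires[src] = now + self.block_for
            return False
        self.state[src] = state
        return True

    def is_blocked(self, src, now):
        return self.state.get(src) == self.ALARM and now < self.expires[src]
```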
40- References
- [1] A. Fourati and K. Al Agha. An IDS First Line of Defense for Ad Hoc Networks. In IEEE WCNC'07, Wireless Communications and Networking Conference, Hong Kong, China, March 2007, pages 2619-2624.
- [2] I. Stamouli, P.G. Argyroudis, and H. Tewari. Real-time intrusion detection for ad hoc networks. Sixth IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, June 2005, pages 374-380.
- [3] http://en.wikipedia.org/wiki/Mobile_ad-hoc_network
- [4] http://www.ietf.org/rfc/rfc3561.txt
41- Questions