1 rushing attacks and defense in wireless ad hoc network routing protocols yih-chun hu, adrian...
TRANSCRIPT
1
Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols
Yih-Chun Hu, Adrian Perrig, and David B. Johnson
Presented By: Nitin Subramanian(Slides Courtesy: Sandeep Mapakshi
CS 6910-ACIS – Project 6Instructor: Prof. Leszek T. Lilien, Fall 2006
Department of Computer ScienceWestern Michigan University)
2
Outline
On-Demand Routing Protocols Rushing Attacks Rushing Attack Prevention Evaluation Conclusion
3
On-Demand Route Discovery
A
A
A-B
A-C
A-C-E
A-C-E
A-C-E
A-B-D
A-B-D-GA-B-D-G
A-B-D-G
B
G
D
E
C
A
F
H
source
Destination
4
The Rushing Attack On-demand routing protocols use duplicate suppression at each node: first
ROUTE REQUEST that reaches a node is considered legitimate, next are discarded (all have the same identifier, higher identifiers denote new requests)
Attacker scatters RREQ quickly throughout the network suppressing any later legitimate RREQ
Initiator will be unable to discover any usable routes containing at least two hops
An effective denial-of-service attack
5
Why is the Attack Possible?
An attacker can send faster, by avoiding the delays that are part of the design of both routing and MAC (802.11b) protocols.
Why Delay in ROUTE REQUEST forwarding ? In a MAC protocols using time division On-demand protocols generally specify a delay Remove these delays at both the MAC and routing layers?
- more collisions
Attacker can send at a higher wireless transmission level
An attacker can take advantage of a wormhole, to create flood rushing attacks, use the wormhole to rush the packets ahead of the normal flow
6
Rushing Attack
S
D
Slide courtesy: [2]
7
Rushing Attack Example
●A sends a ROUTE REQUEST
8
Rushing Attack Example
●A sends a ROUTE REQUEST
●B forwards the REQUEST without checking the signature, or otherwise rushes the REQUEST
9
Rushing Attack Example
●A sends a ROUTE REQUEST
●B forwards the REQUEST without checking the signature, or otherwise rushes the REQUEST
●C correctly processes the REQUEST, and forwards it later as a result
10
Rushing Attack Example
●A sends a ROUTE REQUEST
●B forwards the REQUEST without checking the signature, or otherwiserushes the REQUEST
●C correctly processes the REQUEST, and forwards it later as a result
●Since D has already heard a REQUEST from this discovery, D discards the REQUEST
11
Rushing Attack Example
●B rushes the REQUEST
●C forwards it later
●Since D has already heard a REQUEST from this discovery, D discards the REQUEST
●A discovers a path through B because B rushed the REQUEST
12
Rushing Attack Example
Route discovery process under no attack
B
E
D
C
ARoute Query
Route Query
Route Query
Route Reply
13
Rushing Attack ExampleRoute discovery process under attack
B
E
D
C
ARoute Query
Route Query
Route Query
Route Reply
Attacker Attacker
14
Wormhole Attack Attacker records a packet at one location in the network,
tunnels the packet to another location. Packets may be replayed from the far end of the wormhole. Puts attacker in a powerful position. It’s a replay so authentication does not help
Applications of the Wormhole Attack Denial-of-Service Routing Disruptions Unauthorized Access
15
Routing Tree
Adapted from Chris Karlof and David Wagner's WSNPA slides
16
Routing
Adapted from Chris Karlof and David Wagner's WSNPA slides
17
Wormhole Attack Tunnel packets received in
one place of the network and replay them in another place
The attacker can have no key material. All it requires is two transceivers and one high quality out-of-band channel
Adapted from Chris Karlof and David Wagner's WSNPA slides
18
Disrupted Routing Most packets will be routed
to the wormhole
The wormhole can drop packets or selectively forward packets to avoid detection
Adapted from Chris Karlof and David Wagner's WSNPA slides
19
What Protocols Are Vulnerable?
On-demand unsecure (AODV, DSR) and secure (ARAN, Ariadne, etc) protocols
Result: when under attack, the routing protocol will not be able to discover paths longer than 2 hops
20
Network Assumption Network links are bidirectional
Ignore unidirectional links
Ignore jamming attack Requires additional hardware Easier to detect
Disregard attacks on MAC protocol MAC (Medium Access Control) ALOHA and Slotted ALOHA
Medium-sized 50 ~ 500 nodes Clustering
21
Security Assumptions And Key Setup
Fast authentication protocol Instantly-verifiable broadcast authentication
Keys setup Broadcast authentication key are distributed in
advance
Powerful attacker Coordinated attacker
22
Secure Routing Requirements And Protocol
Secure Neighbor Detection Secure route delegation Randomized ROUTE REQUEST forwarding
Single-Hop?
Gather nREQUESTS;
RandomlyChoose 1
Secure NeighborDetection
Original RoutingProtocol
yes
no
23
Secure Neighbor Detection Neighbor Detection
Two nodes detect a bidirectional link between themselves In Proactive routing protocol In Reactive routing protocol
Requirements Sender-receiver can check that the other is within the normal
communication range Node needs to hear Neighbor Request
24
Secure Neighbor Detection Three-round mutual authentication protocol
S broadcasts a Neighbor Request packet R return a Neighbor Reply packet to S S sends a Neighbor Verification to B
Short delay timing Within a maximum communication range
neighbor Request broadcast neighbor reply
sender receiver
neighbor verfication
25
Notation
M
M
R
MA
MA
MBA
AHMBA
A
A
BA
signature its with message broadcasts node that means
,:
nonce the withedconcatenat idnetifier s A'of hash the
and message the sends node that means
,:
nonce long bit an selectsrandmoly node that denotes
1,0:
nodes ingcommunicat denote or
26
Secure Neighbor Detection (cont.)
3
3
2
2
1
1
,:
,,,,ion VerificatNeighbor:
,:
,,,,Reply Neighbor
1,0:
,:
,,onSolicitati Neighbor
1,0:
3
3
213
2
2
212
2
1
1
11
1
M
M
M
M
R
M
M
R
MRS
MHSign
RSMS
MSR
MHSign
RSM
R
MS
MHSign
SM
S
Nonces η1, η2
freshness
S
R1
R2
<M1,ΣM1>
<M2,ΣM2><M3,ΣM3>
27
Secure Neighbor Detection (cont.)
Integration with an On-Demand Protocol A * : REQUEST || Neighbor RequestA
BA: Neighbor ReplyBA || Neighbor RequestB
AB: Neighbor VerificationAB || Neighbor ReplyAB
B * : REQUEST || Neighbor VerificationAB
|| Neighbor VerificationBA
28
Secure Route Delegation
Delegate neighbor to forward the Route Request packet To verify that both nodes of each adjacent node pair indeed
believes to be a neighbor
A received ROUTE REQUESTSR || id MA =<Route Delegation,A,B,S,R,id>
ΣMA =Sign(H(MA))AB: <ΣMA>
29
Randomized Message Forwarding To minimize the chance that a rushing adversary can dominate all returned
routes
Randomized message forwarding Collects a number of REQUESTs Selects a REQUEST at random to forward
The number of REQUEST packets collected The more the better?
The algorithm by which timeouts are chosen Topology closer Geographically closer Randomly
30
Secure Route Discovery To secure any protocol using an on-demand Route Discovery protocol
Secure Neighbor Detection Secure route delegation Randomized ROUTE REQUEST forwarding
To limit the number of REQUESTs that traverse an attacker
The nodes that don’t have n distinct path to the source of the REQUEST Choose a random timeout
Two addition security optimizations Each REQUEST signed Use location information
31
Evaluation
Simulation Evaluation Underlying protocol: Adriane HORS as broadcast signature 100 nodes 1000 m x 1000 m Random waypoint model Pause Time: 0, 30, 60, 120, 300, 600, 900 Workload: 5 flows
4 packets per second 64-byte packets
32
Overall Evaluation
RAP adds significant costs Higher costs due to congestion at lower bit rates. RAP is designed to be used only when necessary
Only when underlying protocol is unable to discover a working route
Security Analysis Attacker needs to propagate ROUTE REQUEST from each
ROUTE DISCOVERY from many locations. Wouldn’t do it if they considered due to intrusion detection
33
Conclusion
Described the Rushing attack
Presented RAP (Rushing Attack Prevention)
RAP incurs higher overhead, but it can find usable routes when other protocols cannot work
34
[Backup Slides] Packet Delivery Ratio
% of Offered traffic DSR
99.8% to 100% Ariadne
95% to 100% RAP
7.6% to 47.7% MAC-layer congestion
Slide courtesy: [2]
35
[Backup Slides] Median Latency
DSR and Ariadne zero mean latency
RAP Congestion Waiting to forward a
REQUEST
Slide courtesy: [2]
36
[Backup Slides] Packet Overhead
5 flows has 5x as much overhead
Reduces usefulness Overhead should reduce
when congestion not an issue
Slide courtesy: [2]
37
[Backup Slides] Introduction
Wireless Ad hoc network a collection of mobile computers (or nodes) cooperate
to forward packets dynamic topology self-organization
38
[Backup Slides] Introduction (cont.)
Routing protocol Transport Subsystem Neighbor State Maintenance Database Maintenance
Ad hoc network routing protocols Run in untrusted environments Provide resilience against misconfigured nodes
39
[Backup Slides] Routing Protocols
Proactive routing protocol Table-Driven routing protocol
Reactive routing protocol Source-Initiated On-Demand routing protocol Forward ROUTE REQUEST packets when needed
40
[Backup Slides] Comparison between Table-Driven Routing and On-Demand Routing
Table-driven Routing On-demand Routing
Availability of Routing information
Immediately from Route Table
After Route discovery
Route updatesPeriodic advertisements When requested
Routing overhead Proportional to size of network regardless of network traffic
Proportional to number of communication nodes and increase with increased node mobility
41
References
[1] Yih-Chun Hu,Adrian Perrig, David B.Johnson ,
“Rushing attacks and defense in wireless ad hoc network routing protocols”, Proceedings of the 2003 ACM workshop on Wireless security, San Diego, CA, USA. Available at: http://www.ece.cmu.edu/~adrian/projects/secure-routing/wise2003.pdf
[2] Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols Yih-Chun Hu, Adrian Perrig, and David B. Johnson
Presenter: Tammy Nguyen. Available at: http://www.eecs.wsu.edu/~smedidi/teaching/Spring05/rushing1.ppt