Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures - PowerPoint PPT Presentation

Slides: 51
Provided by: herb70

Transcript and Presenter's Notes

Title: Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures


1
Secure Routing in Wireless Sensor Networks
Attacks and Countermeasures
  • Chris Karlof, David Wagner (UC Berkeley)
  • IEEE International Workshop on Sensor Network
    Protocols and Applications, May 2003
  • Presentation by Yi-jui Wu

2
Outline
  • Introduction
  • Background
  • Problem Statement
  • Attacks on Sensor Network Routing
  • Attacks on Specific Sensor Network Protocols
  • Countermeasures
  • Conclusions

3
Introduction
  • The authors focus on routing security in WSN.
  • Most of the major WSN routing protocols are
    insecure, and this is non-trivial to fix.
  • Sensor network routing protocols must be designed
    with security in mind.

4
Introduction
  • Five main contributions
  • They propose threat models and security goals for
    secure routing in WSN.
  • They introduce two novel classes of previously
    undocumented attacks against sensor networks:
    sinkholes and HELLO floods.

5
Introduction
  • Five main contributions (cont.)
  • They show, for the first time, how attacks
    against ad-hoc wireless networks and peer-to-peer
    networks, can be adapted into powerful attacks
    against sensor networks.
  • They present the first detailed security analysis
    of all the major routing protocols and energy
    conserving topology maintenance algorithms for
    sensor networks.
  • They discuss countermeasures and design
    considerations for secure routing protocols in
    sensor networks.

6
Background
  • Sensor network: a heterogeneous system combining
    tiny sensors and actuators.
  • They assume that all nodes' locations are fixed
    for the duration of their lifetime in this paper.
  • They target the TinyOS platform in their work.

7
Background
  • We must discard many preconceptions about network
    security.
  • Public-key cryptography is so expensive as to be
    unusable, and even fast symmetric-key ciphers
    must be used sparingly. (thus some ad-hoc network
    security mechanisms based on key cryptography are
    unsuitable for sensor networks.)
  • Security protocols cannot maintain much state.
  • Communication bandwidth is extremely dear.
  • Power is the scarcest resource of all.

8
Problem Statement: Network Assumptions
  • The radio links are insecure.
  • The adversary can deploy a few malicious nodes
    with similar hardware capabilities as the
    legitimate nodes.
  • By purchasing them separately, or by turning a
    few legitimate nodes.
  • Sensor nodes are not tamper resistant.

9
Problem Statement: Trust Requirements
  • The base stations are trustworthy.
  • Aggregation points may not necessarily be
    trustworthy.

10
Problem Statement: Threat Models
  • Mote-class attacks vs. Laptop-class attacks
  • Outsider attacks vs. Insider attacks.

11
Problem Statement: Security Goals
  • In the ideal world, a secure routing protocol
    should guarantee the integrity, authenticity, and
    availability of messages in the presence of
    adversaries.
  • In the authors' view, protection against
    eavesdropping is not an explicit security goal of
    a secure routing algorithm.
  • Secrecy is usually most relevant to application
    data.
  • Prevent eavesdropping caused by misuse or abuse of
    the protocol itself.

12
Problem Statement: Security Goals
  • Protection against the replay of data packets
    should not be a security goal of a secure routing
    protocol
  • Only the application can fully and accurately
    detect the replay of data packets.

13
Problem Statement: Security Goals
  • In the presence of only outsider adversaries, it
    is conceivable to achieve these idealized goals.
  • However, in the presence of compromised or
    insider attackers, especially those with
    laptop-class capabilities, it is most likely that
    some of these goals are not fully attainable.
  • Graceful degradation.

14
Attacks on Sensor Network Routing
  • Spoofed, altered, or replayed routing information
    (Bogus routing information).
  • Selective forwarding
  • Sinkhole attacks
  • Sybil attacks
  • Wormholes
  • HELLO flood attacks
  • Acknowledgement spoofing

15
Attacks on WSN Routing: Bogus Routing
  • Target the routing information exchanged between
    nodes.
  • The attackers may be able to create routing
    loops, attract or repel network traffic, extend
    or shorten source routes, generate false error
    messages, partition the network, increase
    end-to-end latency, etc.

16
Attacks on WSN Routing: Selective forwarding
  • In a selective forwarding attack, malicious nodes
    may refuse to forward certain messages and simply
    drop them.
  • Black hole.
  • Selectively forwards packets.
  • Typically most effective when the attacker is
    explicitly included on the path of a data flow.
  • Sinkhole attack and the Sybil attack are two
    mechanisms by which an adversary can efficiently
    include herself on the path of the targeted data
    flow.

17
Attacks on WSN Routing: Sinkhole attacks
[Figure: sinkhole]
18
Attacks on WSN Routing: Sinkhole attacks
  • By making a compromised node look especially
    attractive to surrounding nodes.
  • Spoof or replay an advertisement for an extremely
    high quality route to a base station.
  • Laptop-class adversary.
  • Wormhole attack.
  • Sensor networks are particularly susceptible to
    sinkhole attacks.
  • All packets share the same ultimate destination
    (the base station).

19
Attacks on WSN Routing: The Sybil Attack
[Figure: Sybil attack; labels: fake nodes, real node]
20
Attacks on WSN Routing: The Sybil Attack
  • The Sybil attack can significantly reduce the
    effectiveness of fault-tolerant schemes. (such as
    multi-path routing)
  • Pose a significant threat to geographic routing
    protocols.

21
Attacks on WSN Routing - Wormholes
[Figure: wormhole; label: B.S.]
22
Attacks on WSN Routing - Wormholes
  • Use private channels.
  • An adversary situated close to a base station may
    be able to completely disrupt routing by creating
    a well-placed wormhole.
  • Sinkhole.
  • To convince two distant nodes that they are
    neighbors.

23
Attacks on WSN Routing: HELLO flood attack
24
Attacks on WSN Routing: HELLO flood attack
  • A laptop-class attacker broadcasting routing or
    other information with large enough transmission
    power could convince every node in the network
    that the adversary is its neighbor.
  • HELLO floods can be thought of as one-way,
    broadcast wormholes.

25
Attacks on WSN Routing: Acknowledgement Spoofing
  • Several sensor network routing algorithms rely on
    link layer acknowledgements.
  • To convince the sender that a weak link is strong
    or a dead or disabled node is alive.

26
Attacks on Specific Sensor Network Protocols
27
Attacks on Specific Sensor Network Protocols
Selective forwarding
Bogus routing
HELLO floods
Wormholes
Sinkholes
Sybil
28
Attacks on TinyOS beaconing Protocols
29
Attacks on TinyOS beaconing Protocols (bogus routing)
  • Routing updates are not authenticated.
  • Any node can claim to be a base station.
  • Authenticated routing updates will prevent an
    attacker from claiming to be a base station.

30
Attacks on TinyOS beaconing Protocols (selective forwarding/blackhole/sinkhole)
31
Attacks on TinyOS beaconing Protocols (Wormholes/sinkhole attack)
32
Attacks on TinyOS beaconing Protocols (HELLO flood attack)
33
Attacks on Directed diffusion protocols
  • Directed diffusion is a data-centric routing
    algorithm.
  • Base stations flood interests for named data.
  • Set up gradients.
  • Positive reinforcement.
  • Nodes generate data events.

34
Attacks on Directed diffusion protocols
  • Due to the robust nature of flooding, it may be
    difficult for an adversary to prevent interests
    from reaching targets.
  • Once sources begin to generate data events, an
    adversary's attack may have one of four goals:
  • Suppression (by spoofing negative reinforcements)
  • Cloning (replay an interest with itself listed as
    a base station)
  • Path influence (by spoofing positive or negative
    reinforcements)
  • Selective forwarding and data tampering (by path
    influence)

35
Attacks on Directed diffusion protocols
  • Wormhole attacks
  • Node A is located next to a base station and node B
    is located close to where events are likely to be
    generated.
  • Interests advertised by the base station are sent
    through the wormhole and rebroadcast by node B.
  • Node A broadcasts negative reinforcements.
  • Node B broadcasts positive reinforcements.
  • Pushes data flows away from the base station.
  • Result: a sinkhole centered at node B.

36
Attacks on Geographic routing
  • Geographic and Energy Aware Routing (GEAR) and
    Greedy Perimeter Stateless Routing (GPSR)
    leverage nodes' positions and explicit geographic
    packet destinations to efficiently disseminate
    queries and route replies.
  • In GPSR, packets along a single flow will always
    use the same nodes for routing of each packet.
  • GEAR attempts to remedy this problem.
  • Both protocols require location information.

37
Attacks on Geographic Routing Protocols
  • Location information can be misrepresented.
  • GEAR tries to distribute the responsibility of
    routing based on remaining energy.

38
Attacks on Minimum cost forwarding protocols
[Figure: network graph with each node labeled by its cost to the base station; BS (cost 0)]
In essence, this is a distributed shortest-paths algorithm.
39
Attacks on Minimum cost forwarding protocols
  • Extremely susceptible to sinkhole attacks.
  • By simply advertising cost zero anywhere in the
    network.
  • A laptop-class adversary can use a wormhole to
    help synchronize this attack.
  • HELLO flood: a laptop-class adversary can
    advertise cost zero to every node in the network.

40
Attacks on LEACH: Low-Energy Adaptive Clustering Hierarchy
  • LEACH assumes every node can directly reach a
    base station by transmitting with sufficiently
    high power.
  • LEACH organizes nodes into clusters with one node
    from each cluster serving as a cluster-head.
  • Set-up phase, steady-state phase.

41
Attacks on LEACH: Low-Energy Adaptive Clustering Hierarchy
  • Nodes choose a cluster-head based on received
    signal strength, so an adversary using the HELLO
    flood attack can disable the entire network.
  • Selective forwarding.
  • Simple countermeasures (refusing to use the same
    cluster-head or randomized selection of a
    cluster-head) can easily be defeated by a Sybil
    attack.

42
Countermeasures: Outsider attacks and link layer security
  • Link layer encryption and authentication using a
    globally shared key.
  • Sybil attack is no longer relevant.
  • The majority of selective forwarding and sinkhole
    attacks are not possible.
  • Link layer acknowledgements can be authenticated.
  • Little effect on wormhole and HELLO flood attacks.
  • Can do nothing to prevent black holes.
  • Ineffective in presence of insider attacks.

43
Countermeasures: The Sybil attack
  • Generating and verifying digital signatures is
    beyond the capabilities of sensor nodes.
  • Verify identities of neighbors through unique
    symmetric keys with base station
    (Needham-Schroeder like protocol).
  • A sends nonce Na to B (using Kb)
  • B decrypts it to obtain Na, and then B returns
    (Na . Nb) to A (using Ka)
  • When A receives this message, it concludes it
    is talking to B.
  • Limit number of neighbors.
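
An added example (not from the slides or the paper) of the two ideas on this slide: neighbor identity checked against per-node keys held by the base station, plus a neighbor quota. It swaps the encrypted nonces of the Needham-Schroeder-like exchange for an HMAC challenge-response with the base station as verifier; the class, function and message-label names are assumptions.

```python
import hashlib
import hmac
import os

def mac(key, *parts):
    """HMAC-SHA256 over length-prefixed fields, so field boundaries are unambiguous."""
    msg = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha256).digest()

class BaseStation:
    """Trusted party holding one unique symmetric key per deployed node."""
    def __init__(self, node_keys, max_neighbors):
        self.keys, self.max_neighbors, self.links = dict(node_keys), max_neighbors, {}

    def vouch(self, asker, claimed, nonce, proof, req_tag):
        """MAC an approval under the asker's key iff `proof` needed claimed's key."""
        ka, kb = self.keys.get(asker), self.keys.get(claimed)
        if ka is None or kb is None:
            return None                   # identity has no key on file
        if not hmac.compare_digest(req_tag, mac(ka, b"req", claimed, nonce, proof)):
            return None                   # request was not made by the asker
        if not hmac.compare_digest(proof, mac(kb, b"id", asker, claimed, nonce)):
            return None                   # responder does not hold claimed's key
        for a, b in ((asker, claimed), (claimed, asker)):
            peers = self.links.setdefault(a, set())
            if b not in peers and len(peers) >= self.max_neighbors:
                return None               # neighbor quota exhausted
        self.links[asker].add(claimed)
        self.links[claimed].add(asker)
        return mac(ka, b"ok", claimed, nonce)

def responder(node_id, key):
    """How a radio holding `key` answers a challenge while claiming `node_id`."""
    return lambda asker, nonce: mac(key, b"id", asker, node_id, nonce)

def verify_neighbor(bs, my_id, my_key, peer_id, peer):
    """Node side: challenge the peer with a fresh nonce, then ask the base station."""
    nonce = os.urandom(8)
    proof = peer(my_id, nonce)
    answer = bs.vouch(my_id, peer_id, nonce, proof,
                      mac(my_key, b"req", peer_id, nonce, proof))
    return answer is not None and hmac.compare_digest(
        answer, mac(my_key, b"ok", peer_id, nonce))

# Constructed keys for three deployed nodes; the base station knows all of them.
KEYS = {n: os.urandom(16) for n in (b"A", b"B", b"C")}
```

An identity with no key on file, or a responder holding the wrong key, is rejected, and the quota bounds how many neighbor relations any single key can establish.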

44
Countermeasures: HELLO flood attacks
  • To verify the bidirectionality of a link before
    taking meaningful actions.
  • Use the protocol on previous slides to verify
    identity.
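
An added simulation (not from the slides or the paper) of the bidirectionality check: a node accepts a HELLO sender only after that sender echoes a nonce transmitted at the node's own power. The `Radio` model, ranges and layout are constructed, and the model assumes a sender can echo only what lies within the challenger's transmit range.

```python
import math
import os

class Radio:
    """Transmitter at (x, y); its frames reach receivers within tx_range metres."""
    def __init__(self, name, x, y, tx_range):
        self.name, self.pos, self.tx_range = name, (x, y), tx_range

    def reaches(self, other):
        return math.dist(self.pos, other.pos) <= self.tx_range

def naive_neighbors(node, radios):
    """Unsafe rule: every sender whose HELLO is heard becomes a neighbor."""
    return {r.name for r in radios if r is not node and r.reaches(node)}

def checked_neighbors(node, radios):
    """Accept a HELLO sender only if it echoes a nonce sent at the node's own power."""
    accepted = set()
    for r in radios:
        if r is node or not r.reaches(node):
            continue                      # no HELLO heard from r
        nonce = os.urandom(4)
        # The challenge leaves `node` at mote power; r can echo it only if it arrives.
        echo = nonce if node.reaches(r) else None
        if echo == nonce:
            accepted.add(r.name)
    return accepted

def fraction_listing(rule, motes, radios, name):
    """Share of motes whose neighbor table, built with `rule`, contains `name`."""
    return sum(name in rule(m, radios) for m in motes) / len(motes)

# Constructed layout: four motes 30 m apart (40 m range) and one far, loud sender.
MOTES = [Radio(f"m{i}", 30 * i, 0, 40) for i in range(4)]
LOUD = Radio("loud", 500, 0, 1000)
RADIOS = MOTES + [LOUD]

if __name__ == "__main__":
    print("naive  :", fraction_listing(naive_neighbors, MOTES, RADIOS, "loud"))
    print("checked:", fraction_listing(checked_neighbors, MOTES, RADIOS, "loud"))
    print("m1 keeps:", sorted(checked_neighbors(MOTES[1], RADIOS)))
```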

45
Countermeasures: Wormhole and sinkhole attacks
  • Very difficult to defend against.
  • Wormholes: use a private channel.
  • Sinkholes: some information (such as remaining
    energy) is hard to verify.
  • Combination: hop count can be completely
    misrepresented through a wormhole.
  • A technique for detecting wormhole attacks is
    presented in [1].
  • Temporal leash: requires extremely tight time
    synchronization.
  • Geographical leash: similar to geographic routing.

46
Countermeasures: Wormhole and sinkhole attacks
  • Geographic routing protocols hold promise.
  • The main problem is that location information
    advertised from neighboring nodes must be
    trusted.
  • Restrict the structure of the topology. For example,
    nodes can be arranged in a grid with square,
    triangular, or hex shaped cells.

47
Countermeasures: Selective forwarding
  • Selective forwarding is very difficult to defend
    against in some cases.
  • Strategically located near the source or a base station.
  • Multi-path routing and probabilistic routing.

48
Countermeasures - Notes
  • Nodes near base stations are attractive to
    compromise
  • Clustering may reduce their significance.
  • Randomly rotating set of virtual stations to
    create overlay network.
  • Can leverage global knowledge
  • Send localized info to base station
  • Base station maps network topology
  • Periodically updated
  • Drastic / suspicious changes observed
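
An added example (not from the slides or the paper) of the base-station check sketched above, applied to the minimum cost forwarding slides: the base station rebuilds the cost field from reported links, flags any advertised cost the topology cannot support, and lists the nodes whose next hop shifted between two snapshots. The topology, node names and function names are constructed.

```python
import heapq

INF = float("inf")

def min_costs(links, base="BS"):
    """Dijkstra from the base station over reported links {(u, v): cost}."""
    adj = {}
    for (u, v), c in links.items():
        adj.setdefault(u, []).append((v, c))
        adj.setdefault(v, []).append((u, c))
    cost, heap = {base: 0}, [(0, base)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > cost[u]:
            continue                      # stale queue entry
        for v, c in adj[u]:
            if d + c < cost.get(v, INF):
                cost[v] = d + c
                heapq.heappush(heap, (d + c, v))
    return cost

def suspicious_adverts(links, advertised, base="BS"):
    """Nodes advertising a cost lower than the reported topology can support."""
    expected = min_costs(links, base)
    return sorted(n for n, c in advertised.items()
                  if n != base and c < expected.get(n, INF))

def next_hops(links, advertised, base="BS"):
    """Each node forwards to the neighbor minimising advertised cost + link cost."""
    best = {}
    for (u, v), c in links.items():
        for a, b in ((u, v), (v, u)):
            if a != base and (advertised[b] + c, b) < best.get(a, (INF, "")):
                best[a] = (advertised[b] + c, b)
    return {n: hop for n, (_, hop) in best.items()}

def changed_routes(links, before, after):
    """Nodes whose next hop differs between two snapshots of advertised costs."""
    old, new = next_hops(links, before), next_hops(links, after)
    return sorted(n for n in old if old[n] != new[n])

# Constructed topology report (unit link costs) and two advertisement snapshots.
LINKS = {("BS", "n1"): 1, ("n1", "n2"): 1, ("n2", "n3"): 1,
         ("n3", "n4"): 1, ("n2", "n5"): 1, ("n4", "n5"): 1}
HONEST = min_costs(LINKS)
SPOOFED = dict(HONEST, n5=0)   # n5 now claims the base station's cost
```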

49
Countermeasures - Notes
  • Base Station Authentication: no node can spoof
    BS, but every node can verify messages from BS.
  • SPINS: Security Protocols for Sensor Networks
    (µTESLA, SNEP)

50
Conclusion
  • Secure routing is a prerequisite to effective
    WSN.
  • Traditional security solutions aren't applicable.
  • Currently proposed routing protocols for WSN are
    insecure.
  • Link layer encryption and authentication
    mechanisms may be a reasonable first
    approximation for defense against mote-class
    outsiders.
  • Careful protocol design is needed as well.