Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures

1
Secure Routing in Wireless Sensor Networks
Attacks and Countermeasures

• Chris Karlof David Wagner
• University of Califonia at Berkeley
• Paper review and Present by
• Run dong

2
Outline

• Overview Background
• Statement of routing security problem
• Attacks on sensor network routing
• Attacks on specific sensor network protocols
• Countermeasures

3
Routing protocols

• Layer 3 protocols
• determine the routing path and transmit the
  packets reliably
• Traditional routing protocols
• RIP (routing information protocol)
• Distance vector
• OSPF (open shortest path first)
• Link state
• BGP
• Mobile Ad-hoc Network protocols
• On demand vs table driven
• WSN Routing Protocols

4
Current Routing Protocols Goals

• Low Energy
• Minimize communication
• Radio cost more than instructions executed
• Aggregate data in network
• Low Node Duty Cycle
• Shut down nodes when possible
• Robust
• Adapt to unpredictable environment without
  intervention
• Scalable
• Rely on localized algorithms no centralized
  control
• Low Latency
• Must meet application latency and accuracy
  requirements
• Small Footprint
• Must run on hardware with severe memory and
  computational power constraints

5
Overview

• Current sensor routing protocols are not designed
  for security and be insecure, mostly optimized
  for the limited capabilities of the nodes
• Wireless sensor network cannot depend on many of
  the resources available to traditional networks
  for security
• Analyze current protocols to find attacks and
  suggest countermeasures and design consideration
• The effective solution for secure routing is to
  design such sensor routing protocols with
  security in mind

6
Problem statement

• Assumption about underlying network
• Different Threat Models
• Security goal in this setting

7
Problem statement

• Assumption about underlying network
• radio link are insecure (easily eavesdropping)
• sensor nodes are not tamper resistant
• The physical and MAC layers are susceptible to
  direct attack
• Base station is trustworthy
• Aggregation points may be trusted in certain
  protocols
• Different Threat Models
• Security goal in this setting

8
Problem statement

• Assumption about underlying network
• Different Threat Models
• Mote class vs Laptop class
• Outsider vs insider
• Security goal in this setting

9
Problem statement

• Assumption about underlying network
• Threat Models
• Security goal in this setting
• The goal of conventional network is reliable
  delivery of messengers
• Sensor network need in-network processing
  (aggregation, compression, duplicate elimination)
• Graceful degration
• Confidentiality Protection against Replay of data
  packets should better handled by higher level

10
Attacks model

• Spoofed, altered, or replayed routing information
• Selective forwarding
• Sinkhole attacks
• Sybil attacks
• Wormholes attacks
• HELLO flood attacks
• Acknowledgement spoofing

11
Attacks model

• Spoofed, altered or replayed routing information
• May be used for loop construction, attracting or
  repelling traffic, extend or shorten source route
• Selective forwarding
• Refuse to forward certain messengers, selective
  forwarding packets or simply drop them try to
  Follow the path of least resistance and attempt
  to include itself on the actual data path flow
• Sinkhole attacks
• Lure nearly all traffic from a particular area
  through a specific compromised node

12
Attacks model

• Sybil attack
• forging of multiple identities -- having a set of
  faulty entities represented through a larger set
  of identities.
• Sybil Attack undermines assumed mapping between
  identity to entity
• Wormholes
• tunneling of messages over alternative
  low-latency links,
• e.g. confuse the routing protocol, create
  sinkholes. etc.
• Exploit routing race condition
• Hello flood attack
• an attacker sends or replays a routing protocols
  hello packets with more energy
• Acknowledgement spoofing
• Spoof link layer acknowledgement to trick other
  nodes to believe that a link or node is either
  dead or alive

13
Attacks on specific protocols

• General typical sensor routing protocol type
• Flooding
• Gradient
• Clustering and Cellular
• Geographic
• Energy Aware
• TinyOS beaconing
• Directed diffusion
• Geographic routing
• Minimal cost forwarding
• Cluster-head- LEACH
• Rumor routing
• Energy conserving topology maintenance

14
TinyOS beaconing

• Base station broadcast Route update(beacon)
  periodly, Nodes received the update and mark the
  base station as parent and broadcast it
• Relevent Attack mode
• Bogus routing information
• Selective forwarding
• Sinkholes
• Sybil
• Wormholes
• Hello floods

15
TinyOS beacon
Spoof information
Bogus and replayed routing information (such like
I am base station) send by an adversary can
easily pollute the entire network.
16
TinyOS beacon
Wormhole sinkhole Combination

• Tunnel packets received in one place of the
  network and replay them in another place
• The attacker can have no key material. All it
  requires is two transceivers and one high quality
  out-of-band channel

Adapted from Chris Karlof and David Wagner's
WSNPA slides
17
TinyOS beacon
Wormhole sinkhole Combination

• Most packets will be routed to the wormhole
• The wormhole can drop packets directly (sinkhole)
• or more subtly selectively forward packets to
  avoid detection

Adapted from Chris Karlof and David Wagner's
WSNPA slides
18
TinyOS beacon
Hello flood attack

• A Laptop class adversary that can retransmit a
  routing update with enough power to be received
  by the entire network

Adapted from Chris Karlof and David Wagner's
WSNPA slides
19
Directed diffusion

• Data and Application Specific
• Content based naming
• Interest distribution
• Interests are injected into the network from base
  station.
• Interval specifies an event data rate.
• Interest entry also maintains gradients.
• Data flows from the source to the sink along the
  gradient
• Data propagation and reinforcement
• Reinforcement to single path delivery.
• Multipath delivery with probabilistic forwarding.
• Multipath delivery with selective quality along
  different paths.

20
Directed diffusion

• Relevant attack
• Suppression- by spoof negative reinforcement
• Cloning- by replay information with malicious
  listed as a base station (send both)
• Path influence- by spoof positive or negative
  reinforcements and bogus data events
• Selective forwarding and data tampering- by above
  attack method to put the malicious node in the
  data flow
• Wormholes attack
• Sybil attack

21
Geographic routing

• GEARGPSR
• Cost function based on destination location and
  neighbor node energies used to determine next hop
  
• Greedy geographic query routing technique
• Improvement over Directed Diffusions interest
  flooding technique
• Restricted broadcast within sampling region

22
Geographic routing

• Relevant attack
• Sybil attack
• Bogus routing information
• Selective forwarding
• No wormholes and sinkholes attack

An adversary may present multiple identities to
other nodes. The Sybil attack can disrupt
geographic and multi-path routing protocols by
being in more than one place at once and
reducing diversity.
From B-gtC, now will go through B-gtA3-gtC
23
Geographic routing

• Relevant attack
• Sybil attack
• Bogus routing information
• Selective forwarding
• No wormholes and sinkholes attack

From B-gtD, A forge a wrong information to claim B
is in (2,1), so C will send packets back to B
which cause loop at last.
24
Minimum cost forwarding

• Is an backoff-based cost field algorism for
  efficiently forwarding packets from senor nodes
  to a base station.
• Once the field is established, the message,
  carrying dynamic cost information, flows along
  the minimum cost path in the cost field. Each
  intermediate node forwards the message only if it
  finds itself on the optimal path for this message
  based on the messages cost states.

A110, will select B
25
Minimum cost forwarding

• Relevant attack mode
• Sinkhole attack
• Mote-class adversary advertising cost zero
  anywhere in network
• Hello flood attack
• Bogus routing informaiton
• Selective forwarding
• wormholes

26
LEACH

• Low-Energy Adaptive Clustering Hierarchy
• randomized, self-configuration
• Low energy media access control
• Cluster-head collect data and perform processing
  then transmit to BS
• Relevant attack mode
• Hello floods
• Selective forwarding
• Sybil attack

27
LEACH

• Relative attack mode
• Hello floods
• Cluster-head selection based on signal strengh
  what mean a powerful advertisement can make the
  malicious attacker be its cluster-head.
• Sybil attack
• Combined with hello floods if nodes try to
  randomly select cluster-head instead of strongest
  signal strength.

28
Rumor Routing
Observation Two lines in a bounded rectangle
have a 69 chance of intersecting, 5 line more
than 99

• Designed for query/event ratios between query and
  event flooding
• Lower the energy cost of flooding

29
Rumor routing
30
Rumor routing

• Relevant attack mode
• Bogus routing information
• Create tendrils by FWD copies of agent
• Send them as long as possible (TTL)
• Selective forwarding
• Sinkholes
• Sybil
• wormholes

31
Energy conserving topology maintenance

• GAF-Geographical Adaptive Fidelity
• Physical space is divided into equal virtual size
  squares. Each nodes know its location and nodes
  with a square are equivalent
• Identifies nodes for routing based on location
  information
• Dense nodes deployment, Turns off unnecessary
  nodes
• Sleeping, discovery, active state
• Each grid square has one active node
• Nodes are ranked with respect to current state
  and expected lifetime

32
Energy conserving topology maintenance

• Relevant attack mode for GAF
• Bogus routing information
• Broadcast high ranking discovery messages, then
  can use some selective forwarding attack
• Sybil Hello floods
• Target individual grids by a high ranking
  discovery messages with a non-existent node,
  frequently advertisements can disable the whole
  network by making most node sleep

33
Energy conserving topology maintenance

• SPAN
• An energy-efficient coordination algorism for
  topology maintenance
• Backbone for routing fidelity is build by
  coordinators
• A node becomes eligible to be a coordinator if
  two of its neighbors cannot reach other directly
  or via one or two coordinators.
• Traffic only routed by coordinator
• Random backoff for delay coordinator announcement
• Utility and energy level decide coordinator
  selection by adjusting the backoff time
• Hello messengers being broadcasted periodically.

34
Energy conserving topology maintenance

• Relevant attack mode for SPAN
• Hello floods
• Broadcast n Hello messages with fake coordinators
  and neighbors which will preventing nodes from
  becoming coordinators when they should. then can
  use some selective forwarding attack

35
Summary of attacks
Protocol Relevant Attacks
TinyOS beaconing Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
Directed diffusion and its multipath variant Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
Geographic routing (GPSR, GEAR) Bogus routing information, selective forwarding, Sybil
Minimum cost forwarding Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods
Clustering based protocols (LEACH, TEEN, PEGASIS) Selective forwarding, HELLO floods
Rumor routing Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes
Energy conserving topology maintenance (SPAN, GAF, CEC, AFECA) Bogus routing information, Sybil, HELLO floods
36
Countermeasures

• Multipath and probabilistic routing limits
  effects of selective forwarding
• Link layer security with key management can
  prevent the majority of outsider attacks bogus
  routing information, Sybil, selective forwarding,
  sinkholes. However, it provides little protection
  against insiders, HELLO floods, and wormholes.
• Establish link keys using a trusted base station.
  Verifies the bidirectionality of links and
  prevents Sybil attacks and HELLO floods

37
Countermeasures

• Wormholes are difficult to defend against. Can be
  mounted effectively by both laptop-class insiders
  and outsiders. Good protocol design is the best
  solution geographic and clustering-based
  protocols hold the most promise. Wormholes are
  ineffective against these protocols
• Authenticated broadcast and flooding are
  important primitives.
• Nodes near base stations are attractive to
  compromise. Clustering-based protocols and
  overlays can reduce their significance

38
Conclusion

• Conclusion
• Link layer encryption and authentication,
  multipath routing, identity verification,
  bidirectional link verification and authenticated
  broadcast is important,
• cryptography is not enough for insiders and
  laptop-class adversaries, careful protocol design
  is needed as well.

39

• THANK YOU