Title: Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
1 Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
- Chris Karlof, David Wagner
- University of California at Berkeley
- Paper review and presentation by Run dong
2 Outline
- Overview and background
- Statement of routing security problem
- Attacks on sensor network routing
- Attacks on specific sensor network protocols
- Countermeasures
3 Routing protocols
- Layer 3 protocols
  - Determine the routing path and transmit the packets reliably
- Traditional routing protocols
  - RIP (Routing Information Protocol)
    - Distance vector
  - OSPF (Open Shortest Path First)
    - Link state
  - BGP
- Mobile ad hoc network protocols
  - On demand vs. table driven
- WSN routing protocols
4 Current Routing Protocol Goals
- Low energy
  - Minimize communication
  - Radio costs more than instructions executed
  - Aggregate data in the network
- Low node duty cycle
  - Shut down nodes when possible
- Robust
  - Adapt to an unpredictable environment without intervention
- Scalable
  - Rely on localized algorithms, no centralized control
- Low latency
  - Must meet application latency and accuracy requirements
- Small footprint
  - Must run on hardware with severe memory and computational power constraints
5 Overview
- Current sensor routing protocols are not designed for security and are insecure; they are mostly optimized for the limited capabilities of the nodes
- Wireless sensor networks cannot depend on many of the resources available to traditional networks for security
- Analyze current protocols to find attacks and suggest countermeasures and design considerations
- The effective solution for secure routing is to design sensor routing protocols with security in mind
6 Problem statement
- Assumptions about the underlying network
- Different threat models
- Security goals in this setting
7 Problem statement
- Assumptions about the underlying network
  - Radio links are insecure (easy to eavesdrop on)
  - Sensor nodes are not tamper resistant
  - The physical and MAC layers are susceptible to direct attack
  - The base station is trustworthy
  - Aggregation points may be trusted in certain protocols
- Different threat models
- Security goals in this setting
8 Problem statement
- Assumptions about the underlying network
- Different threat models
  - Mote class vs. laptop class
  - Outsider vs. insider
- Security goals in this setting
9 Problem statement
- Assumptions about the underlying network
- Threat models
- Security goals in this setting
  - The goal of a conventional network is reliable delivery of messages
  - Sensor networks need in-network processing (aggregation, compression, duplicate elimination)
  - Graceful degradation
  - Confidentiality and protection against replay of data packets are better handled at a higher level
10 Attack model
- Spoofed, altered, or replayed routing information
- Selective forwarding
- Sinkhole attacks
- Sybil attacks
- Wormhole attacks
- HELLO flood attacks
- Acknowledgement spoofing
11 Attack model
- Spoofed, altered or replayed routing information
  - May be used for loop construction, attracting or repelling traffic, extending or shortening source routes
- Selective forwarding
  - Refuse to forward certain messages, selectively forward packets or simply drop them; the adversary tries to follow the path of least resistance and attempts to include itself on the actual data path flow
- Sinkhole attacks
  - Lure nearly all traffic from a particular area through a specific compromised node
12 Attack model
- Sybil attack
  - Forging of multiple identities: having a set of faulty entities represented through a larger set of identities
  - The Sybil attack undermines the assumed mapping between identity and entity
- Wormholes
  - Tunneling of messages over alternative low-latency links
  - E.g. confuse the routing protocol, create sinkholes, etc.
  - Exploit routing race conditions
- HELLO flood attack
  - An attacker sends or replays a routing protocol's HELLO packets with more energy
- Acknowledgement spoofing
  - Spoof link-layer acknowledgements to trick other nodes into believing that a link or node is either dead or alive
13 Attacks on specific protocols
- General types of typical sensor routing protocols
  - Flooding
  - Gradient
  - Clustering and cellular
  - Geographic
  - Energy aware
- TinyOS beaconing
- Directed diffusion
- Geographic routing
- Minimum cost forwarding
- Cluster-head: LEACH
- Rumor routing
- Energy conserving topology maintenance
14 TinyOS beaconing
- The base station periodically broadcasts a route update (beacon); nodes that receive the update mark the base station as parent and broadcast it
- Relevant attack modes
  - Bogus routing information
  - Selective forwarding
  - Sinkholes
  - Sybil
  - Wormholes
  - HELLO floods
15 TinyOS beacon
Spoofed information
Bogus and replayed routing information (such as "I am the base station") sent by an adversary can easily pollute the entire network.
16 TinyOS beacon
Wormhole/sinkhole combination
- Tunnel packets received in one place of the network and replay them in another place
- The attacker can have no key material. All it requires is two transceivers and one high quality out-of-band channel
Adapted from Chris Karlof and David Wagner's WSNPA slides
17 TinyOS beacon
Wormhole/sinkhole combination
- Most packets will be routed to the wormhole
- The wormhole can drop packets directly (sinkhole)
- Or, more subtly, selectively forward packets to avoid detection
18 TinyOS beacon
HELLO flood attack
- A laptop-class adversary can retransmit a routing update with enough power to be received by the entire network
19 Directed diffusion
- Data and application specific
- Content-based naming
- Interest distribution
  - Interests are injected into the network from the base station
  - Interval specifies an event data rate
  - Interest entry also maintains gradients
  - Data flows from the source to the sink along the gradient
- Data propagation and reinforcement
  - Reinforcement to single path delivery
  - Multipath delivery with probabilistic forwarding
  - Multipath delivery with selective quality along different paths
20 Directed diffusion
- Relevant attacks
  - Suppression: by spoofing negative reinforcements
  - Cloning: by replaying information with a malicious node listed as a base station (send both)
  - Path influence: by spoofing positive or negative reinforcements and bogus data events
  - Selective forwarding and data tampering: by using the above attack methods to put the malicious node in the data flow
  - Wormhole attack
  - Sybil attack
21 Geographic routing
- GEAR and GPSR
- Cost function based on destination location and neighbor node energies used to determine the next hop
- Greedy geographic query routing technique
- Improvement over Directed Diffusion's interest flooding technique
- Restricted broadcast within the sampling region
22 Geographic routing
- Relevant attacks
  - Sybil attack
  - Bogus routing information
  - Selective forwarding
  - No wormhole and sinkhole attacks
An adversary may present multiple identities to other nodes. The Sybil attack can disrupt geographic and multi-path routing protocols by being in more than one place at once and reducing diversity.
From B->C, traffic will now go through B->A3->C
23 Geographic routing
- Relevant attacks
  - Sybil attack
  - Bogus routing information
  - Selective forwarding
  - No wormhole and sinkhole attacks
From B->D: A forges wrong information to claim B is at (2,1), so C will send packets back to B, which eventually causes a loop.
24 Minimum cost forwarding
- A backoff-based cost field algorithm for efficiently forwarding packets from sensor nodes to a base station
- Once the field is established, the message, carrying dynamic cost information, flows along the minimum cost path in the cost field. Each intermediate node forwards the message only if it finds itself on the optimal path for this message based on the message's cost states.
A110, will select B
25 Minimum cost forwarding
- Relevant attack modes
  - Sinkhole attack
    - Mote-class adversary advertising cost zero anywhere in the network
  - HELLO flood attack
  - Bogus routing information
  - Selective forwarding
  - Wormholes
26 LEACH
- Low-Energy Adaptive Clustering Hierarchy
- Randomized, self-configuring
- Low-energy media access control
- Cluster-heads collect data and perform processing, then transmit to the BS
- Relevant attack modes
  - HELLO floods
  - Selective forwarding
  - Sybil attack
27 LEACH
- Relevant attack modes
  - HELLO floods
    - Cluster-head selection is based on signal strength, which means a powerful advertisement can make the malicious attacker the cluster-head
  - Sybil attack
    - Combined with HELLO floods if nodes try to randomly select a cluster-head instead of the one with the strongest signal strength
28 Rumor routing
Observation: two lines in a bounded rectangle have a 69% chance of intersecting; five lines, more than 99%
- Designed for query/event ratios between query and event flooding
- Lower the energy cost of flooding
29 Rumor routing
30 Rumor routing
- Relevant attack modes
  - Bogus routing information
    - Create tendrils by forwarding copies of the agent
    - Send them as long as possible (TTL)
  - Selective forwarding
  - Sinkholes
  - Sybil
  - Wormholes
31 Energy conserving topology maintenance
- GAF: Geographical Adaptive Fidelity
- Physical space is divided into equal-size virtual squares. Each node knows its location, and nodes within a square are equivalent
- Identifies nodes for routing based on location information
- Dense node deployment; turns off unnecessary nodes
- Sleeping, discovery, active states
- Each grid square has one active node
- Nodes are ranked with respect to current state and expected lifetime
32 Energy conserving topology maintenance
- Relevant attack modes for GAF
  - Bogus routing information
    - Broadcast high-ranking discovery messages, then can use some selective forwarding attack
  - Sybil and HELLO floods
    - Target individual grids with high-ranking discovery messages from a non-existent node; frequent advertisements can disable the whole network by making most nodes sleep
33 Energy conserving topology maintenance
- SPAN
- An energy-efficient coordination algorithm for topology maintenance
- Backbone for routing fidelity is built by coordinators
- A node becomes eligible to be a coordinator if two of its neighbors cannot reach each other directly or via one or two coordinators
- Traffic is only routed by coordinators
- Random backoff to delay coordinator announcements
- Utility and energy level decide coordinator selection by adjusting the backoff time
- HELLO messages are broadcast periodically
34 Energy conserving topology maintenance
- Relevant attack modes for SPAN
  - HELLO floods
    - Broadcast n HELLO messages with fake coordinators and neighbors, which will prevent nodes from becoming coordinators when they should; then can use some selective forwarding attack
35 Summary of attacks
| Protocol | Relevant attacks |
| --- | --- |
| TinyOS beaconing | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods |
| Directed diffusion and its multipath variant | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods |
| Geographic routing (GPSR, GEAR) | Bogus routing information, selective forwarding, Sybil |
| Minimum cost forwarding | Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods |
| Clustering based protocols (LEACH, TEEN, PEGASIS) | Selective forwarding, HELLO floods |
| Rumor routing | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes |
| Energy conserving topology maintenance (SPAN, GAF, CEC, AFECA) | Bogus routing information, Sybil, HELLO floods |
36 Countermeasures
- Multipath and probabilistic routing limit the effects of selective forwarding
- Link layer security with key management can prevent the majority of outsider attacks: bogus routing information, Sybil, selective forwarding, sinkholes. However, it provides little protection against insiders, HELLO floods, and wormholes.
- Establish link keys using a trusted base station. This verifies the bidirectionality of links and prevents Sybil attacks and HELLO floods
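Added example (not from the original slides or the paper's authors): a Python simulation of the countermeasure above, in which a node acts on a HELLO only after the trusted base station issues a link key and a challenge-response over the reverse link succeeds. The class and function names and the per-node neighbor quota are assumptions made for this illustration.

```python
import hashlib, hmac, os

def prf(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class BaseStation:
    """Trusted base station; shares one secret key with every enrolled node."""
    def __init__(self, max_neighbors: int):
        self.max_neighbors = max_neighbors
        self.node_keys = {}   # node id -> key shared with the base station
        self.links = {}       # node id -> set of verified neighbors

    def enroll(self, node_id: str) -> None:
        self.node_keys[node_id] = os.urandom(16)
        self.links[node_id] = set()

    def link_key_for(self, a: str, b: str):
        """Link key for a<->b; None for unknown ids or a full neighbor quota."""
        if a not in self.node_keys or b not in self.node_keys:
            return None       # forged (Sybil) identities are never enrolled
        full = max(len(self.links[a]), len(self.links[b])) >= self.max_neighbors
        if b not in self.links[a] and full:
            return None       # caps how many nodes one insider can attract
        lo, hi = sorted((a, b))
        # Simplification: a real base station would issue a fresh key per link.
        return prf(self.node_keys[lo], b"link", lo.encode(), hi.encode())

    def confirm(self, a: str, b: str) -> None:
        self.links[a].add(b)
        self.links[b].add(a)

def accept_hello(bs, me, sender, reverse_link) -> bool:
    """Accept `sender` as a neighbor only after a keyed challenge-response."""
    key = bs.link_key_for(me, sender)
    if key is None:
        return False
    nonce = os.urandom(8)
    reply = reverse_link(nonce)   # None: sender cannot hear or cannot answer
    expected = prf(key, nonce, sender.encode())
    if reply is None or not hmac.compare_digest(reply, expected):
        return False              # one-way or unauthenticated link: ignore HELLO
    bs.confirm(me, sender)
    return True

def responder(bs, me, peer):
    """Reverse link to an enrolled node that hears the challenge."""
    key = bs.link_key_for(me, peer)
    return lambda nonce: prf(key, nonce, me.encode()) if key else None
```

A HELLO whose reverse link returns nothing leaves the receiver's neighbor set unchanged, and an enrolled insider that floods HELLOs is accepted by at most `max_neighbors` nodes.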
37 Countermeasures
- Wormholes are difficult to defend against. They can be mounted effectively by both laptop-class insiders and outsiders. Good protocol design is the best solution: geographic and clustering-based protocols hold the most promise. Wormholes are ineffective against these protocols
- Authenticated broadcast and flooding are important primitives
- Nodes near base stations are attractive to compromise. Clustering-based protocols and overlays can reduce their significance
38 Conclusion
- Conclusion
  - Link layer encryption and authentication, multipath routing, identity verification, bidirectional link verification and authenticated broadcast are important
  - Cryptography is not enough for insiders and laptop-class adversaries; careful protocol design is needed as well