Boncheol Gu

1
Secure Routing in Wireless Sensor
Networks Attacks and Countermeasures
Chris Karlof and David Wagner University of
California at Berkeley
1st IEEE International Workshop on Sensor Network
Protocols and Applications, 2003

• Boncheol Gu

2
Contents
Introduction
1
Background
2
Attacks on Routing Protocols
3
Countermeasures
4
Conclusion
5
3
Introduction

• Motivation
• Current proposals for routing protocols in sensor
  networks do not consider security.
• In sensor networks, in-network processing makes
  end-to-end security mechanisms harder to deploy.
• Contributions
• Propose security goals for routing in WSN
• Show how certain attacks against Ad-hoc networks
  and peer-to-peer networks can be adapted into
  more powerful attacks against sensor networks
• Provide a list of attacks and their
  countermeasures

4
Background

• Sensor Network
• Heterogeneous system consisting of tiny sensors
  and actuators having some computing elements
• Base Station (aka. sink)
• Point of centralized control
• Gateway to another network, powerful data
  processing unit, or point of human interface
• More processing capability, memory power
• Aggregation points
• Node at which the messages are processed before
  sending to base station
• POWER constrained environment

5
Background contd.

• A representative sensor network architecture

6
Sensor Networks vs. Ad-hoc Wireless Networks

• Similarity
• Support Multi-hop networking
• Differences
• Ad-hoc Routing between any two nodes
• Sensor Supports Specialized communication
  patterns
• Many-to-One
• One-to-Many
• Local Communication
• Sensor nodes more resource constrained than
  Ad-hoc nodes
• Higher level of trust relationship among sensor
  nodes
• In-network processing, aggregation, duplication
  elimination

7
Problem Statement

• Network Assumptions
• Insecure Radio links
• Eavesdropping, injection and replay
• Malicious nodes collude to attack the system.
• By purchasing or capturing them
• No tamper resistance on nodes
• Adversary can access all key material, data, and
  code stored on the captured node.
• Trust Requirements
• Base stations are trustworthy.
• Aggregation points not necessarily trustworthy

8
Problem Statement contd.

• Threat Models 2 types
• Based on device capability
• Mote-class attacker
• ? access to few sensor nodes
• Laptop-class attacker
• ? Access to more powerful devices. Have more
  battery power, better CPU, sensitive antenna,
  powerful radio TX, etc
• Based on attacker type / attacker location
• Outside attacks
• ? attacker external to the network
• Inside attacks
• ? Authorized node in the network is
  malicious/compromised.

9
Problem Statement contd.

• Security Goals
• In the presence of outsider adversaries
• Integrity, authenticity, and confidentiality
• Guaranteed by link layer security mechanisms
• Availability
• Still must rely on the routing protocol
• In the presence of insider adversaries
• Graceful degradation
• The effectiveness of a routing protocol should
  degrade no faster that a rate proportional to the
  ratio of compromised nodes to total nodes in the
  network.
• Protection against the replay attack is not a
  security goal of a secure routing protocol
• Delegate it to the application layer

10
Attacks on Sensor Network Routing

• Spoofed, altered, or replayed routing information
• To create loops, attract or repel network
  traffic, extend or shorten source routes,
  generate false message, partition network, induce
  delay, etc
• Selective forwarding
• Malicious node forwards only some messages, drop
  others.
• Attacker tries to be on the actual path of data
  flow.
• Sinkhole Attacks
• Due to specialized communication patterns of WSN
• All packets share same destination (i.e. base
  station)
• Making a compromised node look attractive to
  neighbors w.r.t. the routing algorithm
• Make selective forwarding trivial

11
Attacks on Sensor Network Routing contd.

• Sybil Attack
• Single node presents multiple identities to other
  nodes.
• Significantly affect fault-tolerance schemes like
  distributed storage, multi-path routing,
  topology maintenance
• Threat to geographical routing protocols
• Wormholes
• A shortcut through space and time
• An adversary tunnels message received in one part
  of the network over a low latency link and
  replays them in a different part.
• Used to create a sinkhole
• Effective even if routing information is
  authenticated or encrypted

12
Attacks on Sensor Network Routing contd.

• HELLO flood attack
• Many protocols require nodes to broadcast HELLO
  packets to advertise themselves.
• Laptop-class attacker can convince every node
  that it is their neighbor by transmitting at high
  power
• Acknowledgement spoofing
• Some routing algorithms require explicit/implicit
  link layer ACKs
• Spoofing link layer ACKs for overheard packets
• To convince the sender that a weak link is strong
  or that a dead node is alive
• ? Causing packet losses

13
Attacks on Specific Protocols

• General Concept
• Adversaries try to be on the actual path.
• For selective forwarding or modifying packets
• Use other attacks such as spoofing, sinkhole,
  wormhole, and Hello flood attack
• When defender tries to use multipath routing etc,
• Use Sybil attack To enhance attacks

14
Attacks on Specific Protocols contd.

• TinyOS beaconing
• Constructing a breadth first spanning tree rooted
  at the base station
• Base station periodically broadcasts route
  updates.
• Packets travel through the paths along the tree.

15
Attacks on Specific Protocols contd.

• Attacks on TinyOS beaconing
• Unauthenticated route updates
• Malicious node acts as base station.

16
Attacks on Specific Protocols contd.

• Attacks on TinyOS beaconing
• Authenticated route updates
• A wormhole between two colluding laptop-class
  nodes
• To direct all traffic through them
• Laptop-class attackers use HELLO flood attack.
• Every node marks the attacker as its parent.
• Mote-class attacker can cause Routing loops
  between two nodes

17
Attacks on Specific Protocols contd.

• Directed diffusion
• Data-centric routing algorithm
• Base station floods interests.
• Positively/negative reinforcements
• Attacks
• Suppression
• Spoofing negative reinforcements
• Cloning
• Replay of interest by the adversary
• Path influence
• Spoofing positive and negative reinforcements and
  bogus data events
• Selective forwarding and data tampering
• Wormhole Sybil attack by a laptop-class
  adversary

18
Attacks on Specific Protocols contd.

• Geographic routing
• Greedy Perimeter Stateless Routing (GPSR)
• Greedy forwarding at each hop, routing each
  packet to the neighbor closest to the destination
• Geographic and Energy Aware Routing (GEAR)
• Weighting the choice of the next hop both
  remaining energy and distance from the target
• Attacks
• Adversaries advertise wrong information to place
  them in the path.

19
Attacks on Specific Protocols contd.

• Attacks on geographic routing
• Sybil attack
• Routing loops

20
Attacks on Specific Protocols contd.

• Minimum cost forwarding
• Not require path information or unique node id
• Distributed shortest-path algorithm

60
70
70
130
70
source 200
70
80
optimal path
70
70
70
210
140
21
Attacks on Specific Protocols contd.

• Attacks on minimum cost forwarding
• Sinkhole Wormhole
• By advertising cost zero
• Hello flood attack
• Transmitting an advertisement with cost zero
  through the entire network
• ? Disabling entire network

22
Attacks on Specific Protocols contd.

• LEACH Low-Energy Adaptive Clustering Hierarchy
• Attacks
• Hello flood attack
• To choose the adversary as its cluster-head
• Rumor routing
• DOS attack
• By removing event information or refusing to
  forward agents
• Sinkhole
• By forwarding multiple copies of a received agent
• TTL reset to maximum, Hop counts of paths reset
  to zero

23
Attacks on Specific Protocols contd.

• Energy conserving topology maintenance
• GAF
• Periodically broadcasting high ranking discovery
  messages
• ? Disabling other nodes
• Sybil attack and HELLO flood attack
• SPAN
• GAF without virtual grid squares
• Bogus coordinator with HELLO messages
• ? Preventing other nodes from becoming
  coordinators

24
Countermeasures

• Secret shared key Link layer encryption
• Prevents the majority of outsider attacks
• Sybil attacks, Selective forwarding, Sinkhole
  attacks, ACK spoofing
• Ineffective against
• Wormhole and Hello flood attacks
• Insider attacks
• Base station as a sort of TA (Trusted Authority)
• Against Sybil attack and Hello flood attack
• Every node shares a unique symmetric key with the
  base station.
• Then two nodes establish pair-wise shared secret
  key between them
• Limit the number of neighbors for a node
• ? prevent adversary from establishing shared keys
  with everyone

25
Countermeasures contd.

• Wormhole, SinkHole
• No viable solution
• Just carefully design routing protocols to avoid
  them
• e.g. Geographical Routing protocols
• Leveraging global knowledge
• When the network size is small
• Base station monitors suspicious changes to the
  topology.
• Probabilistic selection of a next hop multipath
  routing
• Against selective forwarding and Sybil attacks
• Not perfect solution

26
Countermeasures contd.

• Authenticated broadcast and flooding
• uTESLA
• Using symmetric key cryptography and minimal
  packet overhead
• Randomly rotating set of virtual base stations
• Make it hard for adversaries to choose the right
  nodes to compromise

27
Conclusion

• Link-layer encryption and authentication may be a
  reasonable defense.
• Against outsiders, bogus routing information,
  Sybil attacks, HELLO floods, and ACK spoofing
• It is crucial to good design routing protocols.
• Against sinkhole attacks, wormholes, and insiders

28
Thank You