Secure routing in multi-hop wireless networks (I)

1
Secure routing in multi-hop wireless networks (I)

• ad hoc network routing protocols
• attacks on routing
• countermeasures

2
outline

• 1 Routing protocols for mobile ad hoc networks
• 2 Attacks on ad hoc network routing protocols
• 3 Security countermeasures for ad hoc network
  routing protocols

3
Ad hoc network routing protocols

• topology-based protocols
• Proactive
• Every node knows a route to all other nodes at
  any time
• distance vector based (e.g., DSDV)
• link-state (e.g., OLSR)
• Requires periodic exchange of routing information
  among the nodes
• If only few pairs of nodes communicate to each
  other, then most of the periodically exchanged
  information is useless (never used)
• But since the routes are always available and
  up-to-date, packets can be sent with no routing
  delay (no need to wait until a route is found)
• reactive (on-demand)
• A route is established between a source and a
  destination only when needed
• distance vector based (e.g., AODV)
• source routing (e.g., DSR)
• Nodes use their resources to find routes only
  when there are data packets to be sent

4
Ad hoc network routing protocols

• hybrid approaches
• Try to combine the advantages of reactive and
  proactive routing protocols
• Use proactive approach to maintain routes from a
  node to its local neighborhood (e.g. up to
  certain number of hops) and use reactive
  approaches when routes to far away nodes are
  required
• position-based protocols
• Use location information of the nodes to route
  data packets
• greedy forwarding (e.g., GPSR, GOAFR)
• restricted directional flooding (e.g., DREAM,
  LAR)
• Each node is aware of its own location and
  obtains the location information of other nodes
  via a location service provided by the nodes in a
  distributed manner
• The sender obtains the location information of
  the destination node and puts it in the data
  packet each intermediate node makes routing
  decisions based on its own location and the
  location of the destination node

5
Example Dynamic Source Routing (DSR)

• DSR is an on-demand source routing protocol
• As in any other on-demand routing protocol it has
  two components
• route discovery
• used only when source node attempts to send a
  packet to the destination node
• based on flooding of Route Requests (RREQ) and
  returning Route Replies (RREP)
• route maintenance
• makes the source node able to detect route
  errors, e.g., if a link along that route no
  longer works (usually because of nodes movement)

6
DSR Route Discovery

• Assume that node A has some data packets to send
  to node H and has no route to it in its routing
  table
• it initiates and broadcasts a RREQ message
• a RREQ carries a request identifier (to prevent
  other nodes from proceeding the same RREQ more
  than once), the IDs of A and H and an empty list
  of forwarding nodes
• Each intermediate node adds its ID to the list
  until the RREQ is received by H and will be
  replied by a RREP message

7
DSR Route Discovery
D
A ? RREQ, id, A, H () B ? RREQ, id, A,
H (B) C ? RREQ, id, A, H (C) D ?
RREQ, id, A, H (D) E ? RREQ, id, A, H
(E) F ? RREQ, id, A, H (E, F) G ?
RREQ, id, A, H (D,G)
(D)
B
G
(E, F)
E
(D, G)
A
H
C
F
(E)
H ? A RREP, ltsource routegt (E, F)

• Node A wants to transmit some data packets to
  node H.
• It initiates a RREQ packet which will be
  broadcasted by the nodes who receive it.
• When node H receives the RREQ it initiates a RREP
  packet.
• H copies the recorded list of identifiers from
  the RREQ to the RREP.

8
DSR Route Discovery

• ltsource routegt is the route used to send the
  packet back to A which could be obtained
• from the route cache of H (means if H already had
  a route to A in its route cache)
• by reversing the route received in the RREQ
• works only if all the links along the discovered
  route are bidirectional
• IEEE 802.11 assumes that links are bidirectional
• by executing a route discovery from H to A
• discovered route from A to H is piggy backed to
  avoid infinite recursion

9
DSR Route Maintenance

• DSR requires each intermediate node to make sure
  that the data packet that it is forwarding
  reaches the next hop
• Data link layer acknowledgements can be used or
  overhearing the transmission of the packet by
  next intermediate node
• If no acknowledgement arrives for a given packet,
  the intermediate node tries to re-transmit the
  packet
• If still no acknowledgement arrives for that
  packet, the intermediate node generates a route
  error message and sends it to the source of the
  packet
• The source and the other intermediate nodes who
  forward the error message would invalidate the
  routes that contain this broken link

10
Example Ad-hoc On-demand Distance Vector routing
(AODV)

• on-demand distance vector routing
• the nodes maintain routing tables
• A RREQ contains IDs of the sender and the
  destination, a hop count, a packet identifier,
  two sequence numbers current sequence number of
  the source and the last known sequence number of
  the destination
• Each node has a single sequence number which is
  incremented after each detected change in the
  nodes neighbor set
• A RREQ with an already seen packet identifier
  would be discarded (duplicate RREQ)
• uses sequence numbers to ensure loop-freedom and
  to detect out-of-date routing information

11
Ad-hoc On-demand Distance Vector routing (AODV)

• sequence numbers help to
• avoid using old/broken routes
• To determine which route is newer
• prevent formation of loops
• How the sequence numbers can prevent loops in the
  rotes?
• Example
• A had a route to D initially A-B-C-D
• Assume link C-D gets broken, but A does not know
  about failure of link C-D (because for example
  the RERR (route error packet) sent by C is lost)
• Then assume node C performs a route discovery for
  D.
• Node A receives the RREQ of C (for example via
  path C-E-A)
• Node A will generate a RREP because A knows a
  route to D via node B
• As the results a loop is created (C-E-A-B-C )
  i.e. if C sends data packets to D using the route
  that it just found, the data packets will be
  forwarded over and over in the loop
• If sequence numbers were used, the sequence
  number of the destination D in the RREQ packet
  initiated by C would be greater than the one
  stored in the routing table of A (for the route
  A-B-C-D) as the second one belongs to an old
  route.

12
Ad-hoc On-demand Distance Vector routing (AODV)

• When an intermediate node receives a RREQ
• If the packet is duplicate ? packet discarded
• Otherwise, if the node has no valid entry for
  that destination in its routing table or has an
  entry with a sequence number smaller than the
  destination sequence number in the RREQ ?
  increment the hop count and re-broadcast the RREQ
• If it has an entry for that destination in its
  routing table with a sequence number at least as
  large as the destination sequence number in the
  RREQ or the node is the destination ? generate a
  RREP
• When a RREQ or RREP message is received, besides
  processing the packet, an intermediate node would
  create or update a route entry for the source (in
  the case of receiving a RREQ) or for the
  destination node (in the case of receiving a
  RREP)

13
Ad-hoc On-demand Distance Vector routing (AODV)

• a routing table entry contains the following
• destination identifier
• number of hops needed to reach the destination
• identifier of the next hop towards the
  destination
• destination sequence number
• list of precursor nodes (that may forward packets
  to the destination via this node)

14
AODV Route Discovery illustrated
D
(A, 1, D, -, snA)
B
G
(A, 2, F, -, snA)
E
A
H
C
F
(A, 1, E, -, snA)
A ? RREQ, id, A, H, 0, snA, snH B ?
RREQ, id, A, H, 1, snA, snH C ? RREQ, id,
A, H, 1, snA, snH D ? RREQ, id, A, H, 1,
snA, snH E ? RREQ, id, A, H, 1, snA, snH F
? RREQ, id, A, H, 2, snA, snH G ? RREQ,
id, A, H, 2, snA, snH
H ? F RREP, A, H, 0, snH F ? E RREP, A, H,
1, snH E ? A RREP, A, H, 2, snH
15
Proactive routing protocols

• Link-state protocols
• Each node periodically broadcasts the state of
  its links
• such messages are propagated through the whole
  network and so every node gets aware of the
  link-state information of every other nodes and
  therefore the topology of the whole network
• Then centralized shortest path algorithms can be
  used locally at each node to calculate the
  shortest route to any destinations
• Distance-vector based protocols
• Each node periodically send its current routing
  table to its neighbors
• As each node receives the routing information of
  its neighbors, it can use them to find better
  (shorter) routes to some destinations than the
  routes it already has in its routing table
• By repeating the routing table exchange and
  routing table update steps, the system would
  converge to a stable state, where each routing
  table contains correct routing information

16
Position-based routing protocols

• In position-based routing protocols there is no
  route discovery phase and, instead, the data
  packets are directed to the destination using
  location information available
• nodes are aware of their own positions and that
  of their neighbors
• The source node includes the position of the
  destination in the packet header of the data
  packets
• The intermediate nodes would route the packet
  toward the destination based on their own
  location and the destinations location

17
Position-based greedy forwarding

• Examples of Position-based greedy forwarding
• Most Forward within Radius (MFR) the node
  forwards the packet to its closest neighbor to
  the destination
• Nearest with Forward Progress (NFP) to the
  nearest neighbor among the ones closer than the
  forwarding node to the destination
• Compass forwarding to the neighbor who is
• closest to the straight line between the
• forwarding node and the destination
• Random forwarding a random neighbor
• among the ones who are closer than the
• forwarding node to the destination

18
outline

• 1 Routing protocols for mobile ad hoc networks
• 2 Attacks on ad hoc network routing protocols
• 3 Security countermeasures for ad hoc network
  routing protocols

19
Attacks on routing protocols

• general objectives of attacks
• increase adversarial control over the
  communications between some nodes
• degrade the quality of the service provided by
  the network
• increase the resource consumption of some nodes
  (e.g., CPU, memory, or energy).
• adversary models
• insider adversary
• Controls some nodes in the network
• As the nodes in ad hoc networks are not
  physically protected, they may be captured by the
  adversary
• Such nodes are called adversarial nodes
• outsider adversary
• Attacks the communication of some nodes
• Eavesdropping, jamming, injecting fabricated of
  replayed packets into the network

20
Attacks on routing protocols

• attack mechanisms
• eavesdropping, replaying, modifying, and deleting
  control packets
• fabricating control packets containing fake
  routing information (forgery)
• fabricating control packets under a fake identity
  (spoofing)
• dropping data packets (attack against the
  forwarding function)
• wormholes and tunneling
• rushing

21
Attacks on routing protocols

• types of attacks
• route disruption the adversary prevents two
  nodes from discovering a route between them
• E.x. if the adversary controls the nodes on the
  vertex-cut in the network who drop all the
  control packets (route discovery packets) sent
  from one part of the network to the other part
• Or if the adversary forges route error messages
  it can invalidate the correct routing state in
  the victim nodes
• In the following example, the attacker performs
  tunneling attack against routing protocol. It
  means the attacker tunnels the RREQ packet from
  the source to an area near the destination before
  the RREQ packet propagates through the network to
  that area.
• Therefore, later when the nodes in that area
  receive the RREQ through the intermediate nodes,
  they would drop it as duplicate RREQ.
• The result is that no legitimate route is
  discovered --gt source and destination would be
  connected through wormhole.

22
Example Route disruption in DSR with rushing
destination
wormhole
source
23
Attacks on routing protocols

• route diversion
• The adversary tries to divert routes such that
  they contain a node it controls or a link it can
  observe
• Then the adversary can modify or eavesdrop the
  packets sent by the nodes
• One way of diverting routes is by setting up
  tunnels routes going through the tunnel appear
  to be shorter, therefore
• used by many pairs of communicating nodes and the
  adversary can access their communication easier
• The nodes close to the end of tunnel receive lots
  of packets and they should consume more resources
  
• Another aim of doing route diversion by the
  adversary could be increasing the length of
  discovered routes to increase latency and
  decrease quality of service
• Route diversion can be performed by forging or
  manipulating control packets, e.g. in source
  routing protocols the attacker can change the
  list of nodes on the RREP message

24
Attacks on routing protocols

• creation of incorrect routing state
• this attack aims at jeopardizing the routing
  state in some nodes so that the state appears to
  be correct but, in fact, it is not
• data packets routed using that state will never
  reach their destinations
• the objective of creating incorrect routing state
  is
• to increase the resource consumption of some
  nodes
• the victims will use their incorrect state to
  forward data packets, until they learn that
  something goes wrong
• to degrade the quality of service
• can be achieved by
• spoofing, forging, modifying, or dropping control
  packets

25
Example Creation of incorrect routing state in
DSR
D
attacker B
G
E
A
H
C
H (D, F)
F
A ? RREQ, id, A, H () B ? A RREP, ltsrc
routegt, A, H (D, F)

• Route (A, D, F, H) does not exist !
• The packets will be dropped when reaching the
  first non-existing
• link!

26
Example Creation of incorrect routing state in
AODV
(A, 1, B, -, snA)
(A, 0, -, -, snA)
F
B
E
H
A
D
C
(A, 0, -, -, snA)
(A, 1, B, -, snA)
E (C) ? F RREP, A, H, 2, snH E (D)? C RREP,
A, H, 2, snH E (B)? D RREP, A, H, 2, snH E
(F)? B RREP, A, H, 2, snH

• Creation of a routing loop.
• Some packets will be forwarded in a cycle until
  their hop-count
• reaches the max. allowed value and then are
  discarded.

27
Generation of extra control traffic

• generation of extra control traffic
• Injecting spoofed control packets into the
  network
• aiming at increasing resource consumption due to
  the fact that such control packets are often
  flooded in the entire network
• Position-based routing protocols seem to be more
  resistant to this attack, because they use no
  control packets
• But the attacker can send forged or spoofed
  location update messages to the location service
  which will be distributed among some nodes in the
  network and generate some extra control packets.

28
Setting up a gray hole

• creation of a gray hole
• an adversarial node selectively drops data
  packets that it should forward
• the objective is
• to degrade the quality of service
• packet delivery ratio between some nodes can
  decrease considerably
• to increase resource consumption
• wasting the resources of those nodes that forward
  the data packets that are finally dropped by the
  adversary
• implementation is trivial
• adversarial node participates in the route
  establishment
• when it receives data packets for forwarding, it
  drops them

29
outline

• 1 Routing protocols for mobile ad hoc networks
• 2 Attacks on ad hoc network routing protocols
• 3 Security countermeasures for ad hoc network
  routing protocols

30
Countermeasures

• authentication of control packets
• protection of mutable information in control
  packets
• detecting wormholes and tunnels
• combating gray holes

31
Authentication of control packets

• questions
• Who should authenticate the control packets?
• Who should be able to verify authenticity?
• control packets should be authenticated by their
  originators
• using MACs or digital signatures by the source
  node
• authenticity should be verifiable by the target
  of the control packet
• moreover, each node that updates its routing
  state as a result of processing the control
  packet must be able to verify its authenticity
• each node that processes and re-broadcasts or
  forwards the control packet must be able to
  verify its authenticity
• as it is not known in advance which nodes will
  process a given control packet, we need a
  broadcast authentication scheme

32
Protection of mutable information in control
packets

• often, intermediate nodes add information to the
  control packet before re-broadcasting or
  forwarding it (hop count, node list, etc.)
• this added information is not protected by
  control packet origin authentication
• each node that adds information to the packet
  should authenticate that information in such a
  way that each node that acts upon that
  information can verify its authenticity
• using MACs or digital signatures by the
  forwarding node at each hop
• E.g. intermediate nodes IDs added to the RREQ,
  is signed by the node who adds that data
• one problem is the increasing size of the
  signatures when the number of hops increases

33
detecting wormholes and tunnels

• Tunnels are similar to wormholes
• In tunneling, like in wormhole attacks, the two
  ends of the attack look to be neighbors, so the
  effect of these two attacks on routing is similar
• In tunneling two far away adversarial nodes
  encapsulate control packets as normal data
  packets and send to each other
• They use the routing facilities of the network
  for sending packets
• Wormhole happens in physical layers and does not
  require that the adversary controls or owns nodes
  in the network
• In tunneling attack, the adversary should have
  two addressable nodes present at the routing
  layer
• Some wormhole detection approaches could be
  adopted to tunneling attacks

34
Combating gray holes

• two approaches
• use multiple, preferably disjoint routes
  (multi-path)
• Even if the data packets can not reach the
  destination through some routes they will be
  received using other routes
• increased robustness
• but also increases resource consumption
• detect and react
• monitor neighbors (to see if they forward the
  packet they received to forward) and identify
  misbehaving nodes
• use routes that avoid those misbehaving nodes
• For this purpose reputation reports about nodes
  can be spread in the network to build trust
  values