Title: Secure routing in multi-hop wireless networks (I)
1 Secure routing in multi-hop wireless networks (I)
- ad hoc network routing protocols
- attacks on routing
- countermeasures
2 Outline
- 1 Routing protocols for mobile ad hoc networks
- 2 Attacks on ad hoc network routing protocols
- 3 Security countermeasures for ad hoc network routing protocols
3 Ad hoc network routing protocols
- topology-based protocols
  - proactive
    - Every node knows a route to all other nodes at any time
    - distance vector based (e.g., DSDV)
    - link-state (e.g., OLSR)
    - Requires periodic exchange of routing information among the nodes
    - If only a few pairs of nodes communicate with each other, then most of the periodically exchanged information is useless (never used)
    - But since the routes are always available and up to date, packets can be sent with no routing delay (no need to wait until a route is found)
  - reactive (on-demand)
    - A route is established between a source and a destination only when needed
    - distance vector based (e.g., AODV)
    - source routing (e.g., DSR)
    - Nodes use their resources to find routes only when there are data packets to be sent
4 Ad hoc network routing protocols
- hybrid approaches
  - Try to combine the advantages of reactive and proactive routing protocols
  - Use a proactive approach to maintain routes from a node to its local neighborhood (e.g., up to a certain number of hops) and use reactive approaches when routes to faraway nodes are required
- position-based protocols
  - Use location information of the nodes to route data packets
  - greedy forwarding (e.g., GPSR, GOAFR)
  - restricted directional flooding (e.g., DREAM, LAR)
  - Each node is aware of its own location and obtains the location information of other nodes via a location service provided by the nodes in a distributed manner
  - The sender obtains the location information of the destination node and puts it in the data packet; each intermediate node makes routing decisions based on its own location and the location of the destination node
5 Example: Dynamic Source Routing (DSR)
- DSR is an on-demand source routing protocol
- As in any other on-demand routing protocol, it has two components
  - route discovery
    - used only when the source node attempts to send a packet to the destination node
    - based on flooding of Route Requests (RREQ) and returning Route Replies (RREP)
  - route maintenance
    - makes the source node able to detect route errors, e.g., if a link along that route no longer works (usually because of node movement)
6 DSR Route Discovery
- Assume that node A has some data packets to send to node H and has no route to it in its routing table
- it initiates and broadcasts a RREQ message
- a RREQ carries a request identifier (to prevent other nodes from processing the same RREQ more than once), the IDs of A and H, and an empty list of forwarding nodes
- Each intermediate node adds its ID to the list until the RREQ is received by H, which replies with a RREP message
7 DSR Route Discovery
[Figure: example network with nodes A, B, C, D, E, F, G and H, labelled with the RREQ node lists (D), (E), (D, G) and (E, F)]
- A → (broadcast): RREQ, id, A, H, ()
- B → (broadcast): RREQ, id, A, H, (B)
- C → (broadcast): RREQ, id, A, H, (C)
- D → (broadcast): RREQ, id, A, H, (D)
- E → (broadcast): RREQ, id, A, H, (E)
- F → (broadcast): RREQ, id, A, H, (E, F)
- G → (broadcast): RREQ, id, A, H, (D, G)
- H → A: RREP, <source route>, (E, F)
- Node A wants to transmit some data packets to node H.
- It initiates a RREQ packet, which is rebroadcast by the nodes that receive it.
- When node H receives the RREQ, it initiates a RREP packet.
- H copies the recorded list of identifiers from the RREQ to the RREP.
8 DSR Route Discovery
- <source route> is the route used to send the packet back to A, which could be obtained
  - from the route cache of H (i.e., if H already had a route to A in its route cache)
  - by reversing the route received in the RREQ
    - works only if all the links along the discovered route are bidirectional
    - IEEE 802.11 assumes that links are bidirectional
  - by executing a route discovery from H to A
    - the discovered route from A to H is piggybacked to avoid infinite recursion
9 DSR Route Maintenance
- DSR requires each intermediate node to make sure that the data packet it is forwarding reaches the next hop
- Data link layer acknowledgements can be used, or overhearing the transmission of the packet by the next intermediate node
- If no acknowledgement arrives for a given packet, the intermediate node tries to re-transmit the packet
- If still no acknowledgement arrives for that packet, the intermediate node generates a route error message and sends it to the source of the packet
- The source and the other intermediate nodes that forward the error message invalidate the routes that contain this broken link
10 Example: Ad-hoc On-demand Distance Vector routing (AODV)
- on-demand distance vector routing
- the nodes maintain routing tables
- A RREQ contains the IDs of the sender and the destination, a hop count, a packet identifier, and two sequence numbers: the current sequence number of the source and the last known sequence number of the destination
- Each node has a single sequence number, which is incremented after each detected change in the node's neighbor set
- A RREQ with an already seen packet identifier is discarded (duplicate RREQ)
- uses sequence numbers to ensure loop-freedom and to detect out-of-date routing information
11 Ad-hoc On-demand Distance Vector routing (AODV)
- sequence numbers help to
  - avoid using old/broken routes
    - To determine which route is newer
  - prevent formation of loops
- How can sequence numbers prevent loops in the routes?
- Example
  - A initially had a route to D: A-B-C-D
  - Assume link C-D gets broken, but A does not know about the failure of link C-D (because, for example, the RERR (route error packet) sent by C is lost)
  - Then assume node C performs a route discovery for D.
  - Node A receives the RREQ of C (for example via path C-E-A)
  - Node A will generate a RREP because A knows a route to D via node B
  - As a result, a loop is created (C-E-A-B-C), i.e., if C sends data packets to D using the route that it just found, the data packets will be forwarded over and over in the loop
  - If sequence numbers were used, the sequence number of the destination D in the RREQ packet initiated by C would be greater than the one stored in the routing table of A (for the route A-B-C-D), as the latter belongs to an old route.
12 Ad-hoc On-demand Distance Vector routing (AODV)
- When an intermediate node receives a RREQ
  - If the packet is a duplicate → packet discarded
  - Otherwise, if the node has no valid entry for that destination in its routing table or has an entry with a sequence number smaller than the destination sequence number in the RREQ → increment the hop count and re-broadcast the RREQ
  - If it has an entry for that destination in its routing table with a sequence number at least as large as the destination sequence number in the RREQ, or the node is the destination → generate a RREP
- When a RREQ or RREP message is received, besides processing the packet, an intermediate node would create or update a route entry for the source (in the case of receiving a RREQ) or for the destination node (in the case of receiving a RREP)
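The RREQ handling rule above, applied to the A-B-C-D loop example from the previous slide, as an added example that is not part of the original slides. The class and function names, and the sequence number values 5, 6 and 9, are constructed for illustration; `use_seq=False` models a node that ignores sequence numbers.

```python
from dataclasses import dataclass, replace

@dataclass
class Route:
    next_hop: str
    hops: int
    dest_seq: int

@dataclass
class RREQ:
    rreq_id: int
    source: str
    dest: str
    hop_count: int
    src_seq: int
    dest_seq: int  # last sequence number of dest known to the source

class Node:
    def __init__(self, name, use_seq=True):
        self.name, self.use_seq = name, use_seq
        self.table = {}    # destination -> Route
        self.seen = set()  # (source, rreq_id) pairs already processed

    def handle_rreq(self, rreq, from_neighbor):
        """Return ('discard' | 'rebroadcast' | 'rrep', payload)."""
        key = (rreq.source, rreq.rreq_id)
        if key in self.seen:
            return "discard", None
        self.seen.add(key)
        # Create or update the route entry for the RREQ source (reverse route).
        self.table[rreq.source] = Route(from_neighbor, rreq.hop_count + 1, rreq.src_seq)
        entry = self.table.get(rreq.dest)
        fresh = entry is not None and (not self.use_seq or entry.dest_seq >= rreq.dest_seq)
        if self.name == rreq.dest or fresh:
            return "rrep", entry
        return "rebroadcast", replace(rreq, hop_count=rreq.hop_count + 1)

def loop_scenario(use_seq):
    """Slide example: A still holds the stale route A-B-C-D; C asks for D via E."""
    a = Node("A", use_seq)
    a.table["D"] = Route(next_hop="B", hops=3, dest_seq=5)  # constructed values
    # C's RREQ carries a newer sequence number for D than A's stale entry.
    rreq = RREQ(rreq_id=1, source="C", dest="D", hop_count=1, src_seq=9, dest_seq=6)
    first = a.handle_rreq(rreq, from_neighbor="E")
    duplicate = a.handle_rreq(rreq, from_neighbor="B")
    return first, duplicate

if __name__ == "__main__":
    for flag in (True, False):
        (action, payload), (dup, _) = loop_scenario(flag)
        print(f"sequence numbers {'on' if flag else 'off'}: {action} {payload}; repeat: {dup}")
```

With sequence numbers A re-broadcasts instead of answering from its stale entry; without them A answers with the route via B, which is the reply that closes the loop C-E-A-B-C.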
13 Ad-hoc On-demand Distance Vector routing (AODV)
- a routing table entry contains the following
  - destination identifier
  - number of hops needed to reach the destination
  - identifier of the next hop towards the destination
  - destination sequence number
  - list of precursor nodes (that may forward packets to the destination via this node)
14 AODV Route Discovery illustrated
[Figure: example network with nodes A, B, C, D, E, F, G and H; routing table entries shown: (A, 1, D, -, snA), (A, 2, F, -, snA), (A, 1, E, -, snA)]
- A → (broadcast): RREQ, id, A, H, 0, snA, snH
- B → (broadcast): RREQ, id, A, H, 1, snA, snH
- C → (broadcast): RREQ, id, A, H, 1, snA, snH
- D → (broadcast): RREQ, id, A, H, 1, snA, snH
- E → (broadcast): RREQ, id, A, H, 1, snA, snH
- F → (broadcast): RREQ, id, A, H, 2, snA, snH
- G → (broadcast): RREQ, id, A, H, 2, snA, snH
- H → F: RREP, A, H, 0, snH
- F → E: RREP, A, H, 1, snH
- E → A: RREP, A, H, 2, snH
15 Proactive routing protocols
- Link-state protocols
  - Each node periodically broadcasts the state of its links
  - such messages are propagated through the whole network, so every node becomes aware of the link-state information of every other node and therefore of the topology of the whole network
  - Then centralized shortest path algorithms can be used locally at each node to calculate the shortest route to any destination
- Distance-vector based protocols
  - Each node periodically sends its current routing table to its neighbors
  - As each node receives the routing information of its neighbors, it can use it to find better (shorter) routes to some destinations than the routes it already has in its routing table
  - By repeating the routing table exchange and routing table update steps, the system converges to a stable state, where each routing table contains correct routing information
16 Position-based routing protocols
- In position-based routing protocols there is no route discovery phase; instead, the data packets are directed to the destination using the available location information
- nodes are aware of their own positions and those of their neighbors
- The source node includes the position of the destination in the packet header of the data packets
- The intermediate nodes route the packet toward the destination based on their own location and the destination's location
17 Position-based greedy forwarding
- Examples of position-based greedy forwarding
  - Most Forward within Radius (MFR): the node forwards the packet to the neighbor closest to the destination
  - Nearest with Forward Progress (NFP): to the nearest neighbor among the ones closer than the forwarding node to the destination
  - Compass forwarding: to the neighbor that is closest to the straight line between the forwarding node and the destination
  - Random forwarding: a random neighbor among the ones that are closer than the forwarding node to the destination
18 Outline
- 1 Routing protocols for mobile ad hoc networks
- 2 Attacks on ad hoc network routing protocols
- 3 Security countermeasures for ad hoc network routing protocols
19 Attacks on routing protocols
- general objectives of attacks
  - increase adversarial control over the communications between some nodes
  - degrade the quality of the service provided by the network
  - increase the resource consumption of some nodes (e.g., CPU, memory, or energy)
- adversary models
  - insider adversary
    - Controls some nodes in the network
    - As the nodes in ad hoc networks are not physically protected, they may be captured by the adversary
    - Such nodes are called adversarial nodes
  - outsider adversary
    - Attacks the communication of some nodes
    - Eavesdropping, jamming, injecting fabricated or replayed packets into the network
20 Attacks on routing protocols
- attack mechanisms
  - eavesdropping, replaying, modifying, and deleting control packets
  - fabricating control packets containing fake routing information (forgery)
  - fabricating control packets under a fake identity (spoofing)
  - dropping data packets (attack against the forwarding function)
  - wormholes and tunneling
  - rushing
21 Attacks on routing protocols
- types of attacks
  - route disruption: the adversary prevents two nodes from discovering a route between them
    - E.g., if the adversary controls the nodes on a vertex cut of the network, which drop all the control packets (route discovery packets) sent from one part of the network to the other part
    - Or if the adversary forges route error messages, it can invalidate the correct routing state in the victim nodes
    - In the following example, the attacker performs a tunneling attack against the routing protocol: it tunnels the RREQ packet from the source to an area near the destination before the RREQ packet propagates through the network to that area.
    - Therefore, when the nodes in that area later receive the RREQ through the intermediate nodes, they drop it as a duplicate RREQ.
    - The result is that no legitimate route is discovered → source and destination would be connected through the wormhole.
22 Example: Route disruption in DSR with rushing
[Figure: source and destination connected through a wormhole]
23 Attacks on routing protocols
- route diversion
  - The adversary tries to divert routes such that they contain a node it controls or a link it can observe
  - Then the adversary can modify or eavesdrop on the packets sent by the nodes
  - One way of diverting routes is by setting up tunnels: routes going through the tunnel appear to be shorter, and are therefore used by many pairs of communicating nodes, so the adversary can access their communication more easily
  - The nodes close to the ends of the tunnel receive lots of packets and have to consume more resources
  - Another aim of route diversion could be to increase the length of the discovered routes, in order to increase latency and decrease quality of service
  - Route diversion can be performed by forging or manipulating control packets, e.g., in source routing protocols the attacker can change the list of nodes in the RREP message
24 Attacks on routing protocols
- creation of incorrect routing state
  - this attack aims at jeopardizing the routing state in some nodes so that the state appears to be correct but, in fact, it is not
  - data packets routed using that state will never reach their destinations
  - the objective of creating incorrect routing state is
    - to increase the resource consumption of some nodes
      - the victims will use their incorrect state to forward data packets, until they learn that something goes wrong
    - to degrade the quality of service
  - can be achieved by
    - spoofing, forging, modifying, or dropping control packets
25 Example: Creation of incorrect routing state in DSR
[Figure: example network with nodes A, C, D, E, F, G, H and attacker B; label H (D, F)]
- A → (broadcast): RREQ, id, A, H, ()
- B → A: RREP, <src route>, A, H, (D, F)
- Route (A, D, F, H) does not exist!
- The packets will be dropped when reaching the first non-existing link!
26 Example: Creation of incorrect routing state in AODV
[Figure: example network with nodes A, B, C, D, E, F and H; routing table entries shown: (A, 1, B, -, snA), (A, 0, -, -, snA), (A, 0, -, -, snA), (A, 1, B, -, snA)]
- E (C) → F: RREP, A, H, 2, snH
- E (D) → C: RREP, A, H, 2, snH
- E (B) → D: RREP, A, H, 2, snH
- E (F) → B: RREP, A, H, 2, snH
- Creation of a routing loop.
- Some packets will be forwarded in a cycle until their hop count reaches the maximum allowed value, and are then discarded.
27 Generation of extra control traffic
- generation of extra control traffic
  - Injecting spoofed control packets into the network
  - aiming at increasing resource consumption due to the fact that such control packets are often flooded in the entire network
  - Position-based routing protocols seem to be more resistant to this attack, because they use no control packets
  - But the attacker can send forged or spoofed location update messages to the location service, which will be distributed among some nodes in the network and generate some extra control packets.
28 Setting up a gray hole
- creation of a gray hole
  - an adversarial node selectively drops data packets that it should forward
  - the objective is
    - to degrade the quality of service
      - packet delivery ratio between some nodes can decrease considerably
    - to increase resource consumption
      - wasting the resources of those nodes that forward the data packets that are finally dropped by the adversary
  - implementation is trivial
    - adversarial node participates in the route establishment
    - when it receives data packets for forwarding, it drops them
29 Outline
- 1 Routing protocols for mobile ad hoc networks
- 2 Attacks on ad hoc network routing protocols
- 3 Security countermeasures for ad hoc network routing protocols
30 Countermeasures
- authentication of control packets
- protection of mutable information in control packets
- detecting wormholes and tunnels
- combating gray holes
31 Authentication of control packets
- questions
  - Who should authenticate the control packets?
  - Who should be able to verify authenticity?
- control packets should be authenticated by their originators
  - using MACs or digital signatures by the source node
- authenticity should be verifiable by the target of the control packet
- moreover, each node that updates its routing state as a result of processing the control packet must be able to verify its authenticity
- each node that processes and re-broadcasts or forwards the control packet must be able to verify its authenticity
- as it is not known in advance which nodes will process a given control packet, we need a broadcast authentication scheme
32 Protection of mutable information in control packets
- often, intermediate nodes add information to the control packet before re-broadcasting or forwarding it (hop count, node list, etc.)
- this added information is not protected by control packet origin authentication
- each node that adds information to the packet should authenticate that information in such a way that each node that acts upon that information can verify its authenticity
  - using MACs or digital signatures by the forwarding node at each hop
  - E.g., an intermediate node's ID added to the RREQ is signed by the node that adds it
- one problem is the increasing size of the signatures when the number of hops increases
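A sketch of origin authentication plus per-hop protection of the RREQ node list, added here as an example and not taken from the slides or from any specific secure routing protocol. It assumes every node shares a symmetric key with the target H, so only the target can verify; the keys, field layout and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo keys: every node shares one symmetric key with target H (assumption).
KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in "ABCDEFG"}

def _mac(node, data):
    return hmac.new(KEYS[node], data, hashlib.sha256).digest()

def _header(rreq):
    return f"RREQ|{rreq['id']}|{rreq['src']}|{rreq['dst']}".encode()

def _hop_input(rreq, upto, prev_mac):
    # Bind the immutable header, the node list up to this hop, and the previous MAC.
    return _header(rreq) + b"|" + ",".join(rreq["nodes"][:upto]).encode() + b"|" + prev_mac

def originate(rreq_id, src, dst):
    rreq = {"id": rreq_id, "src": src, "dst": dst, "nodes": [], "macs": []}
    rreq["macs"].append(_mac(src, _header(rreq)))  # origin authentication
    return rreq

def forward(rreq, node):
    # The forwarding node appends its ID and authenticates the list it extended.
    out = {**rreq, "nodes": rreq["nodes"] + [node], "macs": list(rreq["macs"])}
    out["macs"].append(_mac(node, _hop_input(out, len(out["nodes"]), rreq["macs"][-1])))
    return out

def verify(rreq):
    """Run by the target; returns (ok, reason)."""
    nodes, macs = rreq["nodes"], rreq["macs"]
    if len(macs) != len(nodes) + 1 or rreq["src"] not in KEYS:
        return False, "malformed"
    if not hmac.compare_digest(macs[0], _mac(rreq["src"], _header(rreq))):
        return False, "origin"
    for i, node in enumerate(nodes):
        if node not in KEYS:
            return False, f"unknown node {node}"
        expected = _mac(node, _hop_input(rreq, i + 1, macs[i]))
        if not hmac.compare_digest(macs[i + 1], expected):
            return False, f"hop {node}"
    return True, "ok"

def demo():
    honest = forward(forward(originate(7, "A", "H"), "E"), "F")
    tampered = {**honest, "nodes": ["D", "F"]}  # node list rewritten in transit
    overhead = sum(len(m) for m in honest["macs"])  # grows by 32 bytes per hop
    return verify(honest), verify(tampered), overhead

if __name__ == "__main__":
    print(demo())
```

The two-hop request already carries 96 bytes of MACs, which is the size growth the last bullet refers to; intermediate nodes cannot check anything in this variant because the keys are shared only with the target.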
33 Detecting wormholes and tunnels
- Tunnels are similar to wormholes
  - In tunneling, as in wormhole attacks, the two ends of the attack appear to be neighbors, so the effect of these two attacks on routing is similar
  - In tunneling, two faraway adversarial nodes encapsulate control packets as normal data packets and send them to each other
    - They use the routing facilities of the network for sending packets
  - A wormhole happens at the physical layer and does not require that the adversary controls or owns nodes in the network
  - In a tunneling attack, the adversary should have two addressable nodes present at the routing layer
  - Some wormhole detection approaches could be adapted to tunneling attacks
34 Combating gray holes
- two approaches
  - use multiple, preferably disjoint routes (multi-path)
    - Even if the data packets cannot reach the destination through some routes, they will be received using other routes
    - increased robustness
    - but also increases resource consumption
  - detect and react
    - monitor neighbors (to see if they forward the packets they received for forwarding) and identify misbehaving nodes
    - use routes that avoid those misbehaving nodes
    - For this purpose, reputation reports about nodes can be spread in the network to build trust values