Authors : Chris Karlof, David Wagner

1
Secure Routing in Wireless Sensor Networks
Attacks and Countermeasures

• Authors Chris Karlof, David Wagner
• Presenter Shan Bai

2
Presentation Outline

• Introduction
• Background
• Sensor Networks vs. Ad-Hoc networks
• Problem Statement
• Attacks
• Countermeasures

3
Introduction

• Propose security goals for routing in wireless
  Sensor networks
• Show how certain attacks against Ad-hoc networks
  and peer-to-peer networks can be adapted into
  more powerful attacks against sensor networks
• Provide a list of attacks and their
  countermeasures

4
Contributions

• Propose threat models and security goals for
  secure routing in wireless sensor networks
• Introduce TWO new classes of Attacks for Sensor
  networks
• SinkHole attacks
• HELLO flood attacks
• Show how the attacks against Ad-hoc networks and
  peer-to-peer networks can be adapted into
  powerful attacks against sensor networks
• Give a thorough security analysis of major
  routing protocols and energy conservation
  topology maintenance algorithms for sensor
  networks
• Discuss countermeasures and design considerations
  for secure routing protocols

5
Background

• Sensor Network Heterogeneous system consisting
  of tiny sensors and actuators having some
  computing elements
• Base Station
• Point of centralized control
• Gateway to another network, powerful data
  processing unit, or point of human interface
• More processing capability, memory power
• Aggregation points Node at which the messages
  are processed before sending to base station
• POWER constrained environment

6
Sensor N/w vs. Ad-Hoc N/w

• Similarity Support Multi-hop networking
• Differences
• Ad-hoc Routing between any two nodes
• Sensor Supports Specialized communication
  patterns
• Many-to-One
• One-to-Many
• Local Communication
• Sensor nodes more resource constrained than
  Ad-hoc nodes
• Higher level of trust relationship among sensor
  nodes ? In-network processing, aggregation,
  duplication elimination

7
(No Transcript)
8
Problem Statement

• Network Assumptions
• Insecure Radio links
• Malicious node collude to attack the system
• No tamper resistance on nodes
• Adversary can access all key material, data, and
  code stored on the captured node
• Trust Requirements
• Base stations are trustworthy
• Aggregation points not necessarily trustworthy

9
Problem Statement contd.

• Threat Models 2 types
• Based on device capability
• Mote-class attacker ? access to few sensor nodes
• Laptop-class attacker ? Access to more powerful
  devices. Have more battery power, better CPU,
  sensitive antenna, powerful radio Tx, etc
• Based on attacker type / attacker location
• Outside attacks ? attacker external to the
  network
• Inside attacks ? Authorized node in the network
  is malicious/compromised

10
Problem Statement contd.

• Security Goals
• Secure routing protocol should guarantee
  integrity, authenticity, availability of messages
  in presence of adversaries
• Secrecy of application data is must

11
Attacks

• Two Categories
• Attacks on general sensor network routing
• Attacks on specific sensor network protocols

12
Attacks on General Routing

• By Spoofing, Altering, or Replaying routing
  information ? Attacker can create loops, attract
  or repel network traffic, generate false message,
  partition network, induce delay, etc
• Selective forwarding ? Malicious node forwards
  only some messages, drop others. Attacker tries
  to be on the actual path of data flow
• Sinkhole Attacks ?
• Main Reason Specialized communication patterns
  supported by wsn All packets have same
  destination i.e. base station
• Adversary tries to attract traffic from a
  particular area to pass through a compromised
  node, thereby creating sinkhole with adversary at
  the center
• A node may be made to look attractive to
  neighbors in some routing algorithm
• Laptop class adversary provide a high quality
  route to base station by transmitting at high
  power OR creating a wormhole
• Can enable other attacks e.g. selective forwarding

13
Attacks on General Routing Contd.

• Sybil Attack ?
• Single node presents multiple identities to other
  nodes
• Significantly affect fault-tolerance schemes like
  distributed storage, multi-path routing,
  topology maintenance
• Threat to geographical routing protocols
• Wormholes ? do I need to explain this ?
• HELLO flood attack ?
• Some protocols require that nodes broadcast
  hello packets to advertise themselves
• Laptop-class attacker can convince every node
  that it is their neighbor by transmitting at high
  power
• Acknowledgement spoofing ?
• Some routing algorithms require explicit/implicit
  link layer ACKs
• Adversary can spoof ACKs for control packets and
  try to convince the sender that a weak link is
  strong or a dead link is alive causing packet
  losses

14
Attacks on specific protocols

• TinyOS beaconing ?
• Protocol Desc.
• It constructs a Breadth first spanning tree
  rooted at the base station
• Base station periodically broadcast route updates
• Immediate nodes ? parent, base station other
  nodes ? parent, from who they receive the first
  update
• Packets travel through the paths along tree
• Attacks
• Unauthenticated route updates ?Malicious node
  acts as base station
• Authenticated route updates ?
• Two colluding nodes (laptop-class attacker) form
  wormhole to direct all traffic through them
• Laptop-class attacker use HELLO flood attack ?
  every node marks attacker as parent
• Mote-class attacker can cause Routing loops
  between two nodes

15
(No Transcript)
16
Attacks on specific protocols

• Directed diffusion ?
• Protocol desc. ?
• Data-centric routing algorithm
• Base station send the named data which is
  flooded as interests throughout the network
• Gradients are set up to draw events (data
  matching the interests)
• Base station positively reinforces high data
  rates paths
• Attacks ?
• Cloning i.e. Replay of interest by the adversary
• Selective forwarding and data tampering

17
Attacks on specific protocols

• Geographic routing ?
• Two protocols
• GEAR (Geographic and Energy Aware Routing)
• GPSR (Greedy Perimeter Stateless Routing)
• Leverage nodes positions explicit geographic
  packet destinations to efficiently disseminate
  queries and route updates
• Require exchange of location information
• Attack Location information misrepresented ?
• Adversary advertise wrong location info. so as to
  place himself in the path
• Adversary forge location advertisements creating
  routing loops
• In GEAR, energy is also considered ? adversary
  advertise maximum energy (Laptop class attacker
  again !!)

18
Countermeasures

• Secret shared key Link layer encryption?
• Prevents Outsider attacks like Sybil attacks,
  Selective forwarding, Sinkhole attacks, ACK
  spoofing
• Ineffective against Insider attacks like
  Wormhole, Hello floods, TinyOS beaconing
• Hello flood, Sybil ?
• Every node shares a unique symmetric key with the
  base station
• Then two nodes generate pair-wise shared secret
  key between them (Needham Schroeder symmetric
  key exchange) for Identity verification
• Limit the number of neighbors for a node ?
  prevent adversary from establishing shared keys
  with everyone
• Wormhole, SinkHole ? No viable solution except
  Good routing protocol design to avoid them e.g.
  Geographical Routing protocols

19
Countermeasures contd.

• Geographical routing attacks? Restrict the
  structure of topology to eliminate the need for
  location information by the node. Use fixed
  topology like square, triangular or Hex Grid
  structure
• Selective forwarding ? Use Multipath Routing
  messages routed over disjoint paths
• Authenticated Broadcast and flooding ?
• µTESLA protocol to prevent replay of broadcast
  messages issued by the base station
• Flood the information about the malicious nodes
  in the network

20
Conclusions

• Paper describes
• Too... many types of attacks! With lots of
  (overlapping) details.
• Two new types of attacks (Attn Bad Guys! want
  to try them?)
• And their countermeasures...
• Over to contrarian..

21
Countermeasures

• Outsider attacks vs. Insider attacks
• The majority of outsider attacks can be prevented
  by Secret shared key Link layer encryption.
• Prevents Sybil attacks, Selective forwarding,
  Sinkhole attacks
• Ineffective against Wormhole, Hello floods
  attacks.
• Completely ineffective in the presence of insider
  attacks
• Bogus routing information
• Create sinkholes
• Selectively forward packets
• Sybil attacks
• HELLO floods

22
Countermeasures

• Countermeasure to Insider Sybil attacks
• Every node shares a unique symmetric key with the
  base station
• A pair of neighbor nodes use the resulting key to
  implement an authenticated, encrypted link
  between them.
• Base station limit the number of neigbors a node
  is allowed to have prevent an insider attacker
  establishing shared keys with every node in the
  network.
• Not perfect
• Malicious nodes can still communicating with its
  verified neighbors
• Two or more colluding nodes may attack the
  network more powerfully

23
Countermeasures

• Countermeasure to HELLO flood attacks
• Verify the bidirectionality of the link between
  two nodes
• How about the adversary have highly sensitive
  receivers?

24
Countermeasures

• Countermeasure to Wormhole, SinkHole attacks
• Geographical Routing protocols.
• Problems How to get the location information
  attackers may disseminate spoofed location
  information
• Solution Restrict the structure of topology to
  eliminate the need for location information by
  the node. Use fixed topology like square,
  triangular or Hex Grid structure. However, it
  also restrict its application.
• Suggestions using multipath routing, and design
  effective evaluation methods to determine the
  quality of each routes.

25
Countermeasures

• Countermeasure to Selective forwarding
• Multipath routing using completely disjoint paths
  or Braided paths
• Allowing nodes dynamically choose a packets next
  hop from a set of possible candidates.
• Not enough add evaluation method to discriminate
  different routes

26
Countermeasures

• Authenticate Broadcast and flooding
• Base station is trustworthy.
• Adversaries must not be able to spoof broadcast
  or flooded messages from any base station.
• HELLO message from neighbor nodes should be
  authenticated and impossible to spoof.
• Attention authentication should be efficient
  public key cryptography and digital signatures is
  beyond the capabilities of sensor nodes.