Presented by OYA SIMSEK

1
Denial of Service Attacks (DoS) in Wireless
Sensor Networks (WSNs)

• Presented by OYA SIMSEK

2
WSNs Applications

• WSNs facilitate large-scale, real-time data
  processing in complex environments.
• Their foreseeable applications will help protect
  and monitor military, environmental,
  safety-critical, or domestic infrastructures and
  resources.
• In a military scenario, WSNs
• may gather intelligence in battlefield
  conditions,
• track enemy troop movements,
• monitor a secured zone for activity, or measure
  damage and casualties.

3
WSNs Applications Cont.

• WSNs could be used to rescue personnel at
  disaster sites, or they could themselves help
  locate casualties.
• They could monitor conditions at the rim of a
  volcano, along an earthquake fault, or around a
  critical water reservoir.
• Such networks could also provide always-on
  monitoring of home healthcare for the elderly or
  detect a chemical or biological threat in an
  airport or stadium.

4
DoS Attacks

• A DoS attack is any event that diminishes or
  eliminates a networks capacity to perform its
  expected function (Hardware failures, software
  bugs, resource exhaustion, environmental
  conditions, or their combination or intentional
  attack)
• DoS attacks target availability (which ensures
  that authorized parties can access data,
  services, or other computer and network resources
  when requested) by preventing communication
  between network devices or by preventing a single
  device from sending traffic.

5
WSNs Characteristics

• WSN platforms (mostly) have limited processing
  capability and memory.
• A primary weakness shared by all wireless
  networking devices is the inability to secure the
  wireless medium.
• Any adversary in radio range can eavesdrop
  traffic, transmit bogus data, or jam the network.
• Sensors are also vulnerable to physical tampering
  and destruction if deployed in an unsecured area.

6
WSNs Characteristics Cont.

• Another vulnerability is the sensor devices
  extremely limited and often nonreplenishable
  power supplies.
• Attackers arent always limited by the same
  constraints as the sensor devices.
• An adversary might have unlimited power supply,
  significant processing capability, and the
  capacity for high-power radio transmission.

7
Layered Model
8
Physical Layer Jamming

• A well-known attack on wireless communication,
  jamming interferes with the radio frequencies a
  networks nodes are using.
• An adversary can disrupt the entire network with
  k randomly distributed jamming nodes, putting N
  nodes out of service, where k is much less than
  N.
• For single frequency networks, this attack is
  simple and effective, rendering the jammed node
  unable to communicate or coordinate with others
  in the network.
• Constant transmission of a jamming signal is an
  expensive use of energy. If the attacker is
  limited in energy, she may use sporadic or burst
  jamming instead.
• She jams only when detecting radio transmissions
  in the area of the victim, which requires that
  she be nearby.

9
Defense Against Jamming

• Spread-spectrum communication is a common defense
  against physical-layer jamming in wireless
  networks.
• Due to the synchronization and cost requirements,
  low cost, low-power sensor devices may be limited
  to single-frequency use.
• If the adversary can permanently jam the entire
  network, and if the nodes can identify a jamming
  attack, a logical defense is to put sensors into
  a long-term sleep mode and have them wake
  periodically to test the channel for continued
  jamming.
• Although this wont prevent a DoS attack, it
  could significantly increase the life of sensor
  nodes by reducing power consumption. An attacker
  would then have to jam for a considerably longer
  period, possibly running out of power before the
  targeted nodes do.

10
Defense Against Jamming Cont.

• If jamming is intermittent, nodes may be able to
  send a few high-power, high-priority messages
  back to a base station to report the attack.
• Nodes should cooperate to maximize the
  probability of successfully delivering such
  messages.
• In a large-scale deployment, an adversary is less
  likely to succeed at jamming the entire network.
• In this scenario a more appropriate response
  would be to call on the nodes surrounding the
  affected region to cooperatively map and report
  the DoS attack boundary to a base station.

11
Physical Layer Tampering

• An attacker can also tamper with nodes
  physically, and interrogate and compromise them.
• An attacker can damage or replace sensor and
  computation hardware or extract sensitive
  material such as cryptographic keys to gain
  unrestricted access to higher levels of
  communication.
• Node destruction may be indistinguishable from
  fail-silent behavior.

12
Defense Against Tampering

• Although you cant prevent destruction of nodes
  deployed in an unsecured area, redundant nodes
  and camouflaging can mitigate this threat.
• Hiding or camouflaging nodes, tamper-proofing
  packages, or implementing tamper reaction such as
  erasing all program or cryptographic memory.
• These may increase the cost and complexity of WSN
  design.

13
Link Layer Exhaustion

• A self-sacrificing node could exploit the
  interactive nature of most MAC-layer protocols in
  an interrogation attack.
• For example,
• IEEE 802.11-based MAC protocols use Request To
  Send, Clear To Send, and Data/Ack messages to
  reserve channel access and transmit data.
• The node could repeatedly request channel access
  with RTS, eliciting a CTS response from the
  targeted neighbor node.
• Constant transmission would exhaust the energy
  resources of both nodes.

14
Defense Against Exhaustion

• One solution makes the MAC admission control rate
  limiting, so that the network can ignore
  excessive requests without sending expensive
  radio transmissions.
• Antireplay protection and strong link-layer
  authentication can mitigate these attacks.
• However, a targeted node receiving the bogus RTS
  messages still consumes energy and network
  bandwidth.

15
Network Layer Homing

• In most sensor networks, more powerful nodes
  might serve as cryptographic key managers, query
  or monitoring access points, or network uplinks.
  These nodes attract an adversarys interest
  because they provide critical services to the
  network.
• Location-based network protocols that rely on
  geographic forwarding expose the network to
  homing attacks.
• A passive adversary observes traffic, learning
  the presence and location of critical resources.
• Once found, these nodes can be attacked by
  collaborators or mobile adversaries using other
  active means.

16
Defense Against Homing

• One approach to hiding important nodes provides
  confidentiality for both message headers and
  their content. If all neighbors share
  cryptographic keys, the network can encrypt the
  headers at each hop.
• This would prevent a passive adversary from
  easily learning about the source or destination
  of overheard messages.

17
Network Layer Black Holes

• Distance-vector-based protocols provide another
  easy avenue for an even more effective DoS
  attack.
• Nodes advertise zero-cost routes to every other
  node, forming routing black holes within the
  network.
• As their advertisement propagates, the network
  routes more traffic in their direction.
• In addition to disrupting message delivery, this
  causes intense resource contention around the
  malicious node as neighbors compete for limited
  bandwidth.
• These neighbors may themselves be exhausted
  prematurely, causing a hole or partition in the
  network.

18
Defense Against Black Holes

• Authorization
• Through letting only authorized nodes exchange
  routing information.
• Monitoring
• Through monitoring their neighbors to ensure that
  they observe proper routing behavior.
• The node relays a message to the next hop and
  then acts as a watchdog that verifies the
  next-hop transmission of the same packet.
• The watchdog can detect misbehavior, subject to
  limitations caused by collisions, asymmetric
  physical connectivity, collusion, and so on.

19
Defense Against Black Holes Cont.

• Probing
• Networks using geography-based routing can use
  knowledge of the physical topology to detect
  black holes by periodically sending probes that
  cross the networks diameter.
• Subject to transient routing errors and overload,
  a probing node can identify blackout regions.
• To detect malicious nodes, probes must be
  indistinguishable from normal traffic.
• Redundancy
• The network can send duplicate messages along the
  same path to protect against intermittent routing
  failure.
• If each message uses a different path, one of
  them might bypass consistently neglectful
  adversaries or even black holes.

20
Transport Layer Flooding

• As in the classic TCP SYN flood, an adversary
  sends many connection establishment requests to
  the victim. Each request causes the victim to
  allocate resources that maintain state for that
  connection.
• Limiting the number of connections prevents
  complete resource exhaustion, which would
  interfere with all other processes at the victim.
  
• However, this solution also prevents legitimate
  clients from connecting to the victim, as queues
  and tables fill with abandoned connections.

21
Defense Against Flooding

• One defense requires clients to demonstrate the
  commitment of their own resources to each
  connection by solving client puzzles.
• The server can create and verify the puzzles
  easily, and storage of client-specific
  information is not required while clients are
  solving the puzzles. Servers distribute the
  puzzle, and clients wishing to connect must solve
  and present the puzzle to the server before
  receiving a connection.
• An adversary must therefore be able to commit far
  more computational resources per unit time to
  flood the server with valid connections.
• This solution is most appropriate for combating
  adversaries that possess the same limitations as
  sensor nodes.
• It has the disadvantage of requiring more
  computational energy for legitimate sensor nodes,
  but it is less costly than wasting radio
  transmissions by flooding.

22
Transport Layer Desynchronization

• An existing connection between two end points can
  be disrupted by desynchronization.
• In this attack, the adversary repeatedly forges
  messages to one or both end points.
• These messages carry sequence numbers or control
  flags that cause the end points to request
  retransmission of missed frames.
• If the adversary can maintain proper timing, it
  can prevent the end points from exchanging any
  useful information, causing them to waste energy
  in an endless synchronization-recovery protocol.

23
Defense Against Desynchronization

• One counter to this attack authenticates all
  packets exchanged, including all control fields
  in the transport protocol header.

24
References

• A.D. Wood and J.A. Stankovic, Denial of Service
  in Sensor Networks, Computer, vol. 35, no. 10,
  2002, pp. 5462.
• A.D. Wood and J.A. Stankovic, A Taxonomy for
  Denial-of-Service Attacks in Wireless Sensor
  Networks, Handbook of Sensor Networks Compact
  Wireless and Wired Sensing Systems, 2004.
• David R. Raymond and Scott F. Midkiff,
  "Denial-of-Service in Wireless Sensor Networks
  Attacks and Defenses," IEEE Pervasive Computing,
  vol. 7, no. 1, 2008, pp. 74-81.