Denial of Service in Sensor Networks

1
Denial of Service in Sensor Networks

• Authors Anthony D. Wood,
• John A. Stankovic
• Presented by Aiyaz Amin Paniwala

2
The paper

• Introduction
• Theory and Application
• Denial of Service Threat
• Physical Layer
• Link Layer
• Networking Layer
• Transport Layer
• Conclusion
• References

3
Introduction

• WSN involves large-scale, real time data
  processing in complex environments
• WSN is used for various applications
• Availability is of great importance
• Consideration of security at design time is
  essential

4
Theory

• Growing use of application dependent sensor
  networks
• Many limitations exist in WSN like power
  reserves, wireless communication, identifiers
• Network must operate under partial failure
• Network must meet real time requirements
• Data may be intrinsically valid for short time

5
Application

• Sensor Networks are used in different
  environments with different needs
• Military application is primary
• Can be used in inaccessible locations like
  volcanoes
• Can be used in critical situations like natural
  or man made disasters
• In all applications network must be resilient to
  individual node failure

6
Denial of Service Threat

• Any event that diminishes or eliminates a
  networks capacity to perform its expected
  function
• Caused by hardware failures, software bugs,
  resource exhaustion, environmental conditions or
  other complicated interactions

7
The Layered Approach

• A layered network architecture improves
  robustness
• Each layer has different attacks and different
  defensive mechanisms
• Some attacks are applicable across multiple
  layers

8
Tabular Representation
9
Physical Layer

• This layer deals with the physical transmission
  in the form of signals
• Nodes use wireless communication
• Base Stations use wired or satellite
  communication.
• Attacks
• Jamming
• Tampering

10
Jamming

• Interferes with radio frequencies
• An adversary can use k randomly distributed
  jamming nodes
• These k nodes can put N nodes out of service
  (kltltN)
• Effective for single frequency network

11
Detection of Jamming

• Determined by constant energy as opposed to lack
  of response
• Jamming can be sporadic and hence more difficult
  to detect yet effective
• Jamming itself prevents exchanging data or even
  reporting the attack

12
Prevention and Mitigation

• Spread spectrum communication (code spreading)
• It is less feasible due to design complexity,
  more power and more cost
• Attacked nodes can switch to lower duty cycle and
  wake up to check for jamming
• For intermittent jamming nodes send few high
  power, high priority messages to report attack

13
Local Jamming
14
Tampering

• Attacker can physically tamper nodes
• Likewise nodes can be interrogated and
  compromised
• Attacker can damage or replace sensor and
  computation hardware
• Attacker can extract sensitive material and use
  it for further attacks

15
Prevention and Mitigation

• Tamper proofing against physical damage
• Camouflaging or hiding nodes
• React to tampering by erasing cryptographic or
  program memory

16
Link Layer

• Provides Channel arbitration
• Cooperative schemes are vulnerable to DoS attacks
• Sensor Network is susceptible to
• Collision
• Exhaustion
• Unfairness

17
Collision

• Adversary may cause disruption by inducing
  collision in just one octet of transmission
• Corruption of ACK can induce costly exponential
  back-off
• The attacker requires minimum energy for listening

18
Detection, Prevention and Mitigation

• Errors are detected using checksum mismatch
• There is no effective way of defending against
  such an attack
• Error Correcting codes can be used at the cost of
  increased overheads

19
Exhaustion

• Repeated retransmissions are triggered even by
  unusually late collisions
• This leads to exhaustion of battery source
• It can potentially block availability
• A node could repeatedly request channel access
  with RTS
• This causes power losses on both requesting and
  responding node

20
Detection, Prevention and Mitigation

• Random back-offs can be used for prevention
• Ineffective as they would only decrease
  probability of inadvertent collisions
• Time division multiplexing
• Solve the indefinite postponement problem
• MAC admission control rate limiting
• Limiting the extraneous responses required

21
Unfairness

• It is a weaker form of DoS
• It mostly degrades service than denies it
• It exploits MAC-Layer priority schemes
• It can be prevented by use of small frames
• This may increase framing overheads
• Adversary can cheat while vying for access

22
Network and Routing Layer

• Messages may traverse many hops before reaching
  the destination
• The cost of relaying a packet and the probability
  of its loss increases in an aggregate network
• Every node can act as a router
• Hence the routing protocols should be simple and
  robust

23
Neglect and Greed

• A neglectful node arbitrarily neglects to route
  some messages
• Its undue priority to messages originating from
  it makes it greedy
• Multiple routes or sending redundant messages can
  reduce its effect.
• It is difficult to detect

24
Homing

• Important nodes and their identities are exposed
  to mount further attacks
• A passive adversary observes traffic to learn the
  presence and location of critical resources
• Shared cryptographic keys are an effective
  mechanism to conceal the identity of such nodes
• This makes the assumption that none of the nodes
  have been subverted

25
Misdirection

• Messages are forwarded in wrong paths
• This attack targets the sender
• Adversary can forge replies to route discovery
  requests and include the spoofed route
• Sensor networks can use an approach similar to
  egress filtering

26
Black Holes

• Nodes advertise zero cost routes to every other
  node
• Network traffic is routed towards these nodes
• This disrupts message delivery and causes intense
  resource contention
• These are easily detected but more disruptive

27
Authorization

• This is a defense mechanism against misdirection
  and black-hole
• Only authorized node can share information
• Public-key encryption can be used for routing
  updates
• The problems are with computational and
  communication overheads and key management

28
Monitoring

• Nodes can keep monitoring their neighbors
• Nodes become watchdogs for transmitted packets
• Each of them has a quality-rating mechanism

29
Probing

• A network probe tests network connectivity
• This mechanism can be used to easily detect Black
  holes
• A distributed probing scheme can detect malicious
  nodes

30
Redundancy

• Lessens the probability of encountering a
  malicious node
• Duplicate messages can also be sent using same
  path to deal with intermittent failure

31
Transport Layer

• Manages end-to-end connections
• Sensor Networks utilize protocols with minimum
  overhead
• The potential threats are
• Flooding
• Desynchronization

32
Flooding

• Adversary send many connection establishment
  request to victim
• Each request causes allocation of resources
• It can be prevented by limiting the number of
  connections
• Connectionless protocols are not susceptible to
  this attack
• Another solution is client puzzles

33
Desynchronization

• The attacker forges messages to one or both ends
  with sequence numbers
• This causes the end points to request
  retransmissions of missed frames
• This may lead to lack of availability and
  resource exhaustion
• Authentication can prevent such an attack

34
Adaptive rate control

• Describe a series of improvements to standard MAC
  protocols
• Key mechanisms include
• Random delay for transmissions
• Back-off that shifts an applications periodicity
  phase
• Minimization of overhead in contention control
  mechanisms
• Passive adaptation of originating and
  route-through admission control rates
• Anticipatory delay for avoiding multihop hidden
  node problems

35
Conclusion

• Attempts at adding security focus on
  cryptographic-authentication mechanisms
• Use of higher security mechanisms poses serious
  complications in Sensor Networks
• It is essential to incorporate security
  considerations during design-time
• Without adequate protection against DoS and other
  attacks sensor networks may not be deployable at
  all

36
References

• C.L.Schuba et al., Analysis of a Denial of
  Service Attack on TCP, Proc. IEEE Symp. Security
  and Privacy, IEEE Press, Piscataway, N.J., 1997,
  pp. 208-223
• A Perrig et al., SPIN Security Protocols for
  Sensor Networks, Proc. 7th Ann. Intl. Conf.
  Mobile Computing and Networking (MobiCom 2001),
  ACM Press, New York, 2001, pp. 189-199
• CERT Coordination Center, Smurf IP
  Denial-of-Service Attacks, CERT Advisory
  CA-9801,Jan. 1998.
• A. Woo and D.E. Culler, A Transmission Control
  Scheme for Media Access in Sensor Networks,
  Proc. 7th Ann Intl Conf. Mobile Computing and
  Networking (MobiCom 2001), ACM Press, New York,
  2001, pp. 221-235