Secure routing in multi-hop wireless networks (I) ad hoc network routing protocols; attacks on routing; countermeasures;
outline 1 Routing protocols for mobile ad hoc networks 2 Attacks on ad hoc network routing protocols 3 Security countermeasures for ad hoc network routing protocols
Ad hoc network routing protocols • topology-based protocols • Proactive: • Every node knows a route to all other nodes at any time • distance vector based (e.g., DSDV) • link-state (e.g., OLSR) • Requires periodic exchange of routing information among the nodes • If only a few pairs of nodes communicate with each other, then most of the periodically exchanged information is useless (never used) • But since the routes are always available and up-to-date, packets can be sent with no routing delay (no need to wait until a route is found) • reactive (on-demand): • A route is established between a source and a destination only when needed • distance vector based (e.g., AODV) • source routing (e.g., DSR) • Nodes use their resources to find routes only when there are data packets to be sent
Ad hoc network routing protocols • hybrid approaches • Try to combine the advantages of reactive and proactive routing protocols • Use proactive approach to maintain routes from a node to its local neighborhood (e.g. up to certain number of hops) and use reactive approaches when routes to far away nodes are required • position-based protocols • Use location information of the nodes to route data packets • greedy forwarding (e.g., GPSR, GOAFR) • restricted directional flooding (e.g., DREAM, LAR) • Each node is aware of its own location and obtains the location information of other nodes via a location service provided by the nodes in a distributed manner • The sender obtains the location information of the destination node and puts it in the data packet; each intermediate node makes routing decisions based on its own location and the location of the destination node
Example: Dynamic Source Routing (DSR) • DSR is an on-demand source routing protocol • As in any other on-demand routing protocol it has two components: • route discovery • used only when source node attempts to send a packet to the destination node • based on flooding of Route Requests (RREQ) and returning Route Replies (RREP) • route maintenance • makes the source node able to detect route errors, e.g., if a link along that route no longer works (usually because of nodes’ movement)
DSR Route Discovery • Assume that node A has some data packets to send to node H and has no route to it in its routing table • it initiates and broadcasts a RREQ message; • a RREQ carries a request identifier (to prevent other nodes from processing the same RREQ more than once), the IDs of A and H and an empty list of forwarding nodes • Each intermediate node adds its ID to the list until the RREQ is received by H, which replies with a RREP message
DSR Route Discovery
[Figure: network of nodes A–H; nodes are annotated with the node list recorded in the RREQ they received, e.g. (D), (E), (E, F), (D, G)]
• A → *: [RREQ, id, A, H; ()]
• B → *: [RREQ, id, A, H; (B)]
• C → *: [RREQ, id, A, H; (C)]
• D → *: [RREQ, id, A, H; (D)]
• E → *: [RREQ, id, A, H; (E)]
• F → *: [RREQ, id, A, H; (E, F)]
• G → *: [RREQ, id, A, H; (D, G)]
• H → A: [RREP, <source route>; (E, F)]
Node A wants to transmit some data packets to node H. It initiates a RREQ packet which will be broadcasted by the nodes who receive it. When node H receives the RREQ it initiates a RREP packet. H copies the recorded list of identifiers from the RREQ to the RREP.
DSR Route Discovery • <source route> is the route used to send the packet back to A which could be obtained: • from the route cache of H (means if H already had a route to A in its route cache) • by reversing the route received in the RREQ • works only if all the links along the discovered route are bidirectional • IEEE 802.11 assumes that links are bidirectional • by executing a route discovery from H to A • discovered route from A to H is piggy backed to avoid infinite recursion
DSR Route Maintenance • DSR requires each intermediate node to make sure that the data packet that it is forwarding reaches the next hop: • Data link layer acknowledgements can be used; or overhearing the transmission of the packet by next intermediate node • If no acknowledgement arrives for a given packet, the intermediate node tries to re-transmit the packet • If still no acknowledgement arrives for that packet, the intermediate node generates a route error message and sends it to the source of the packet • The source and the other intermediate nodes who forward the error message would invalidate the routes that contain this broken link
Example: Ad-hoc On-demand Distance Vector routing (AODV) • on-demand distance vector routing • the nodes maintain routing tables • A RREQ contains: IDs of the sender and the destination, a hop count, a packet identifier, two sequence numbers: current sequence number of the source and the last known sequence number of the destination • Each node has a single sequence number which is incremented after each detected change in the node’s neighbor set • A RREQ with an already seen packet identifier would be discarded (duplicate RREQ) • uses sequence numbers to ensure loop-freedom and to detect out-of-date routing information
Ad-hoc On-demand Distance Vector routing (AODV) • sequence numbers help to: • avoid using old/broken routes • determine which route is newer • prevent formation of loops: • How can sequence numbers prevent loops in the routes? • Example: • A had a route to D initially: A-B-C-D • Assume link C-D gets broken, but A does not know about the failure of link C-D (because, for example, the RERR (route error packet) sent by C is lost) • Then assume node C performs a route discovery for D. • Node A receives the RREQ of C (for example via path C-E-A) • Node A will generate a RREP because A knows a route to D via node B • As a result a loop is created (C-E-A-B-C): i.e. if C sends data packets to D using the route that it just found, the data packets will be forwarded over and over in the loop • If sequence numbers were used, the sequence number of the destination D in the RREQ packet initiated by C would be greater than the one stored in the routing table of A (for the route A-B-C-D), as the latter belongs to an old route.
Ad-hoc On-demand Distance Vector routing (AODV) • When an intermediate node receives a RREQ: • If the packet is a duplicate → packet discarded • Otherwise, if the node has no valid entry for that destination in its routing table or has an entry with a sequence number smaller than the destination sequence number in the RREQ → increment the hop count and re-broadcast the RREQ • If it has an entry for that destination in its routing table with a sequence number at least as large as the destination sequence number in the RREQ or the node is the destination → generate a RREP • When a RREQ or RREP message is received, besides processing the packet, an intermediate node would create or update a route entry for the source (in the case of receiving a RREQ) or for the destination node (in the case of receiving a RREP)
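The RREQ rules above, applied to the stale-route scenario from the previous slide (A still holds A-B-C-D while C asks for D via C-E-A), as an added Python example that is not part of the original slides. The class names, the `check_seq` switch and the sequence-number values are constructed for illustration.

```python
from dataclasses import dataclass, replace

@dataclass
class RouteEntry:
    dest: str
    hops: int
    next_hop: str
    dest_seq: int

@dataclass(frozen=True)
class Rreq:
    rreq_id: int
    src: str
    dst: str
    hop_count: int
    src_seq: int
    dst_seq: int  # last sequence number of dst known to the requester

class Node:
    def __init__(self, name, check_seq=True):
        self.name, self.check_seq = name, check_seq
        self.table = {}    # destination -> RouteEntry
        self.seen = set()  # (source, request id) pairs already processed

    def handle_rreq(self, rreq, sender):
        """Return ('discard' | 'rebroadcast' | 'rrep', payload)."""
        if (rreq.src, rreq.rreq_id) in self.seen:
            return ("discard", None)
        self.seen.add((rreq.src, rreq.rreq_id))
        # Create or update the reverse route towards the RREQ source.
        self.table[rreq.src] = RouteEntry(rreq.src, rreq.hop_count, sender, rreq.src_seq)
        if self.name == rreq.dst:
            return ("rrep", 0)
        entry = self.table.get(rreq.dst)
        # Reply from the table only if the stored route is at least as fresh.
        if entry and (not self.check_seq or entry.dest_seq >= rreq.dst_seq):
            return ("rrep", entry.hops)
        return ("rebroadcast", replace(rreq, hop_count=rreq.hop_count + 1))

def stale_route_scenario(check_seq):
    """Node A holds the old route A-B-C-D; C's RREQ for D arrives via E."""
    a = Node("A", check_seq)
    a.table["D"] = RouteEntry("D", 2, "B", dest_seq=5)  # learned before C-D broke
    # Constructed values: C's RREQ carries a destination sequence number above A's.
    rreq = Rreq(rreq_id=1, src="C", dst="D", hop_count=1, src_seq=9, dst_seq=6)
    first = a.handle_rreq(rreq, sender="E")
    again = a.handle_rreq(rreq, sender="B")  # second copy of the same RREQ
    return first, again

if __name__ == "__main__":
    print("with sequence numbers:   ", stale_route_scenario(True))
    print("without sequence numbers:", stale_route_scenario(False))
```

With the check enabled A re-broadcasts the request; with it disabled A answers from its stale entry, which is the reply that closes the loop C-E-A-B-C.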
Ad-hoc On-demand Distance Vector routing (AODV) • a routing table entry contains the following: • destination identifier • number of hops needed to reach the destination • identifier of the next hop towards the destination • destination sequence number • list of precursor nodes (that may forward packets to the destination via this node)
AODV Route Discovery illustrated
[Figure: network of nodes A–H; each node is annotated with its routing table entries, e.g. (A, 0, -, -, snA), (A, 1, E, H, snA), (H, 1, F, A, sn’H), (H, 2, E, -, sn’H)]
• A → *: [RREQ, id, A, H, 0, snA, snH]
• B → *: [RREQ, id, A, H, 1, snA, snH]
• C → *: [RREQ, id, A, H, 1, snA, snH]
• D → *: [RREQ, id, A, H, 1, snA, snH]
• E → *: [RREQ, id, A, H, 1, snA, snH]
• F → *: [RREQ, id, A, H, 2, snA, snH]
• G → *: [RREQ, id, A, H, 2, snA, snH]
• H → F: [RREP, A, H, 0, sn’H]
• F → E: [RREP, A, H, 1, sn’H]
• E → A: [RREP, A, H, 2, sn’H]
Proactive routing protocols • Link-state protocols: • Each node periodically broadcasts the state of its links • such messages are propagated through the whole network, so every node becomes aware of the link-state information of every other node and therefore of the topology of the whole network • Then centralized shortest path algorithms can be used locally at each node to calculate the shortest route to any destination • Distance-vector based protocols • Each node periodically sends its current routing table to its neighbors • As each node receives the routing information of its neighbors, it can use it to find better (shorter) routes to some destinations than the routes it already has in its routing table • By repeating the routing table exchange and routing table update steps, the system would converge to a stable state, where each routing table contains correct routing information
Position-based routing protocols • In position-based routing protocols there is no route discovery phase and, instead, the data packets are directed to the destination using location information available • nodes are aware of their own positions and that of their neighbors • The source node includes the position of the destination in the packet header of the data packets • The intermediate nodes would route the packet toward the destination based on their own location and the destination’s location
Position-based greedy forwarding • Examples of Position-based greedy forwarding • Most Forward within Radius (MFR): the node forwards the packet to its closest neighbor to the destination • Nearest with Forward Progress (NFP): to the nearest neighbor among the ones closer than the forwarding node to the destination • Compass forwarding: to the neighbor who is closest to the straight line between the forwarding node and the destination • Random forwarding: a random neighbor among the ones who are closer than the forwarding node to the destination
outline 1 Routing protocols for mobile ad hoc networks 2 Attacks on ad hoc network routing protocols 3 Security countermeasures for ad hoc network routing protocols
Attacks on routing protocols • general objectives of attacks • increase adversarial control over the communications between some nodes; • degrade the quality of the service provided by the network; • increase the resource consumption of some nodes (e.g., CPU, memory, or energy). • adversary models • insider adversary • Controls some nodes in the network • As the nodes in ad hoc networks are not physically protected, they may be captured by the adversary • Such nodes are called adversarial nodes • outsider adversary • Attacks the communication of some nodes • Eavesdropping, jamming, injecting fabricated or replayed packets into the network
Attacks on routing protocols • attack mechanisms • eavesdropping, replaying, modifying, and deleting control packets • fabricating control packets containing fake routing information (forgery) • fabricating control packets under a fake identity (spoofing) • dropping data packets (attack against the forwarding function) • wormholes and tunneling • rushing
Attacks on routing protocols • types of attacks • route disruption: the adversary prevents two nodes from discovering a route between them • E.g. if the adversary controls the nodes on a vertex-cut of the network, and these nodes drop all the control packets (route discovery packets) sent from one part of the network to the other part; • Or, if the adversary forges route error messages, it can invalidate the correct routing state in the victim nodes • In the following example, the attacker performs a tunneling attack against the routing protocol. This means the attacker tunnels the RREQ packet from the source to an area near the destination before the RREQ packet propagates through the network to that area. Therefore, later, when the nodes in that area receive the RREQ through the intermediate nodes, they would drop it as a duplicate RREQ. The result is that no legitimate route is discovered → the source and destination would be connected through the wormhole.
Example: Route disruption in DSR with rushing
[Figure: source, destination and wormhole]
Attacks on routing protocols • route diversion: • The adversary tries to divert routes such that they contain a node it controls or a link it can observe • Then the adversary can modify or eavesdrop on the packets sent by the nodes • One way of diverting routes is by setting up tunnels: routes going through the tunnel appear to be shorter, therefore: • they are used by many pairs of communicating nodes and the adversary can access their communication more easily • The nodes close to the ends of the tunnel receive lots of packets and must consume more resources • Another aim of route diversion could be increasing the length of discovered routes to increase latency and decrease quality of service • Route diversion can be performed by forging or manipulating control packets, e.g. in source routing protocols the attacker can change the list of nodes in the RREP message
Attacks on routing protocols • creation of incorrect routing state: • this attack aims at jeopardizing the routing state in some nodes so that the state appears to be correct but, in fact, it is not • data packets routed using that state will never reach their destinations • the objective of creating incorrect routing state is • to increase the resource consumption of some nodes • the victims will use their incorrect state to forward data packets, until they learn that something goes wrong • to degrade the quality of service • can be achieved by • spoofing, forging, modifying, or dropping control packets
Example: Creation of incorrect routing state in DSR
[Figure: network of nodes A–H with the attacker marked; label "H: (D, F)"]
• A → *: [RREQ, id, A, H; ()]
• B → A: [RREP, <src route>, A, H; (D, F)]
• Route (A, D, F, H) does not exist!
• The packets will be dropped when reaching the first non-existing link!
Example: Creation of incorrect routing state in AODV
[Figure: nodes A, B, C, D, E, F, H annotated with routing table entries, e.g. (A, 1, B, -, snA), (A, 1, B, C, snA), (H, 3, F, A, sn’H), (H, 3, C, B, sn’H)]
• E (C) → F: [RREP, A, H, 2, sn’H]
• E (D) → C: [RREP, A, H, 2, sn’H]
• E (B) → D: [RREP, A, H, 2, sn’H]
• E (F) → B: [RREP, A, H, 2, sn’H]
• Creation of a routing loop.
• Some packets will be forwarded in a cycle until their hop-count reaches the max. allowed value and then are discarded.
Generation of extra control traffic • generation of extra control traffic: • Injecting spoofed control packets into the network • aiming at increasing resource consumption due to the fact that such control packets are often flooded in the entire network • Position-based routing protocols seem to be more resistant to this attack, because they use no control packets • But the attacker can send forged or spoofed location update messages to the location service which will be distributed among some nodes in the network and generate some extra control packets.
Setting up a gray hole • creation of a gray hole: • an adversarial node selectively drops data packets that it should forward • the objective is • to degrade the quality of service • packet delivery ratio between some nodes can decrease considerably • to increase resource consumption • wasting the resources of those nodes that forward the data packets that are finally dropped by the adversary • implementation is trivial • adversarial node participates in the route establishment • when it receives data packets for forwarding, it drops them
outline 1 Routing protocols for mobile ad hoc networks 2 Attacks on ad hoc network routing protocols 3 Security countermeasures for ad hoc network routing protocols
Countermeasures • authentication of control packets • protection of mutable information in control packets • detecting wormholes and tunnels • combating gray holes
Authentication of control packets • questions: • Who should authenticate the control packets? • Who should be able to verify authenticity? • control packets should be authenticated by their originators • using MACs or digital signatures by the source node • authenticity should be verifiable by the target of the control packet • moreover, each node that updates its routing state as a result of processing the control packet must be able to verify its authenticity • each node that processes and re-broadcasts or forwards the control packet must be able to verify its authenticity • as it is not known in advance which nodes will process a given control packet, we need a broadcast authentication scheme
Protection of mutable information in control packets • often, intermediate nodes add information to the control packet before re-broadcasting or forwarding it (hop count, node list, etc.) • this added information is not protected by control packet origin authentication • each node that adds information to the packet should authenticate that information in such a way that each node that acts upon that information can verify its authenticity • using MACs or digital signatures by the forwarding node at each hop: • E.g. each intermediate node ID added to the RREQ is signed by the node that adds it • one problem is the increasing size of the signatures when the number of hops increases
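One way to realize the per-hop authentication described above for the DSR node list, as an added Python example that is not part of the original slides and not a specific published protocol. It assumes every node shares one symmetric key with the target H (the `KEYS` table is constructed demo data) and uses HMAC-SHA256; the request and the forged list (D, F) reuse the values from the DSR slides.

```python
import hashlib
import hmac

# Constructed demo keys: every node is assumed to share one key with target H.
KEYS = {n: hashlib.sha256(b"demo-key-" + n.encode()).digest() for n in "ABCDEFG"}

def _tag(node, header, path):
    """MAC by `node` over the immutable header and the node list so far."""
    msg = repr((header, tuple(path))).encode()
    return hmac.new(KEYS[node], msg, hashlib.sha256).digest()

def originate(rreq_id, src, dst):
    """Source authenticates the immutable part of the RREQ."""
    header = ("RREQ", rreq_id, src, dst)
    return {"header": header, "path": [], "macs": [_tag(src, header, [])]}

def forward(rreq, node):
    """An intermediate node appends its ID and a MAC covering the new list."""
    path = rreq["path"] + [node]
    return {"header": rreq["header"], "path": path,
            "macs": rreq["macs"] + [_tag(node, rreq["header"], path)]}

def verify_at_target(rreq):
    """Target recomputes every MAC: one from the source, one per forwarder."""
    header, path, macs = rreq["header"], rreq["path"], rreq["macs"]
    signers = [header[2]] + path
    if len(macs) != len(signers) or any(s not in KEYS for s in signers):
        return False
    return all(hmac.compare_digest(tag, _tag(node, header, path[:i]))
               for i, (node, tag) in enumerate(zip(signers, macs)))

def auth_overhead_bytes(rreq):
    """Authentication data carried by the packet; grows with every hop."""
    return sum(len(tag) for tag in rreq["macs"])

def demo():
    honest = forward(forward(originate(7, "A", "H"), "E"), "F")
    # Node list rewritten in transit to the non-existent route (D, F).
    rewritten = dict(honest, path=["D", "F"])
    # Adversarial node B claims an entry for D but can only MAC with its own key.
    base = originate(7, "A", "H")
    spoofed = {"header": base["header"], "path": ["D"],
               "macs": base["macs"] + [_tag("B", base["header"], ["D"])]}
    return (verify_at_target(honest), verify_at_target(rewritten),
            verify_at_target(spoofed), auth_overhead_bytes(honest))

if __name__ == "__main__":
    print(demo())
```

The last value returned by `demo()` is the size problem the slide mentions: one 32-byte MAC per signer, so the overhead grows linearly with the hop count.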
Detecting wormholes and tunnels • Tunnels are similar to wormholes • In tunneling, like in wormhole attacks, the two ends of the attack appear to be neighbors, so the effect of these two attacks on routing is similar • In tunneling, two far away adversarial nodes encapsulate control packets as normal data packets and send them to each other • They use the routing facilities of the network for sending packets • A wormhole operates at the physical layer and does not require that the adversary controls or owns nodes in the network • In a tunneling attack, the adversary should have two addressable nodes present at the routing layer • Some wormhole detection approaches could be adapted to tunneling attacks
Combating gray holes • two approaches: • use multiple, preferably disjoint routes (multi-path) • Even if the data packets cannot reach the destination through some routes, they will be received using other routes • increased robustness • but also increases resource consumption • detect and react • monitor neighbors (to see if they forward the packets they were given to forward) and identify misbehaving nodes • use routes that avoid those misbehaving nodes • For this purpose reputation reports about nodes can be spread in the network to build trust values
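A sketch of the detect-and-react approach, as an added Python example that is not part of the original slides. It keeps forwarding statistics per neighbor and per flow, because a gray hole drops selectively and an aggregate ratio can hide that; the thresholds, observation tuples and candidate routes are constructed assumptions.

```python
from collections import defaultdict

MIN_RATIO = 0.8    # assumed threshold: flag below 80 % forwarded
MIN_SAMPLES = 5    # assumed minimum observations before judging a neighbor

def forwarding_stats(observations):
    """observations: (neighbor, flow, forwarded) tuples, e.g. from overhearing
    or reputation reports. Returns {neighbor: {flow: [forwarded, total]}}."""
    stats = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for neighbor, flow, forwarded in observations:
        counts = stats[neighbor][flow]
        counts[0] += int(forwarded)
        counts[1] += 1
    return stats

def misbehaving(observations, per_flow=True):
    """Neighbors whose forwarding ratio falls below MIN_RATIO."""
    flagged = set()
    for neighbor, flows in forwarding_stats(observations).items():
        if per_flow:
            groups = list(flows.values())
        else:  # one aggregate ratio over all flows of this neighbor
            groups = [[sum(f for f, _ in flows.values()),
                       sum(t for _, t in flows.values())]]
        for fwd, total in groups:
            if total >= MIN_SAMPLES and fwd / total < MIN_RATIO:
                flagged.add(neighbor)
    return flagged

def usable_routes(routes, flagged):
    """Keep only routes whose intermediate nodes are all unflagged."""
    return [r for r in routes if not flagged.intersection(r[1:-1])]

def constructed_observations():
    obs = [("F", ("C", "H"), True)] * 40    # F relays flow C->H faithfully
    obs += [("F", ("A", "H"), False)] * 10  # but drops every packet of A->H
    obs += [("G", ("A", "H"), True)] * 19   # G forwards; one overhearing missed
    obs += [("G", ("A", "H"), False)]
    return obs

if __name__ == "__main__":
    obs = constructed_observations()
    routes = [("A", "E", "F", "H"), ("A", "D", "G", "H")]
    print("aggregate view flags:", misbehaving(obs, per_flow=False))
    print("per-flow view flags: ", misbehaving(obs, per_flow=True))
    print("routes kept:", usable_routes(routes, misbehaving(obs)))
```

In the constructed data F's aggregate ratio is exactly 0.8 and passes, while the per-flow view exposes that it forwards nothing for the flow from A to H.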