
Denial of Service Resilience in Ad Hoc Networks

Denial of Service Resilience in Ad Hoc Networks. I. Aad, J. Hubaux and E. Knightly EPFL, Switzerland and Rice University Presented by Jeremy Holländer. Outline. What is a Denial of Service attack Types of nodes that initiate DoS attacks Types of attacks Victim’s response Analytical model


Presentation Transcript


  1. Denial of Service Resilience in Ad Hoc Networks I. Aad, J. Hubaux and E. Knightly EPFL, Switzerland and Rice University Presented by Jeremy Holländer

  2. Outline • What is a Denial of Service attack • Types of nodes that initiate DoS attacks • Types of attacks • Victim’s response • Analytical model • Performance of network under DoS attack • Conclusion

  3. The war on protocol design • Attackers constantly introduce new attacks • Retaliation by protocol designers • This paper aims to • Quantify the damage an attacker can have on the performance of a wireless network • Study the scalability of DoS attacks

  4. Denial of Service • Is an attempt by malicious user(s) to prevent legitimate users from using a service • This paper studies protocol-compliant DoSs only • Much more difficult to detect!

  5. JellyFish and Black Holes • JellyFish attacks conform to all routing and forwarding protocol specifications • Difficult to detect before the sting • Targets closed-loop flows • Responsive to network conditions such as loss and delay • Black holes participate in the routing protocol to establish routes through themselves, yet drop all received packets • Targets open-loop flows • Not responsive to above network conditions

  6. System model assumptions • Wireless network • Employs node authentication • Employs message authentication • Ensures one identity per node • Prevents control plane misbehavior • A malicious node will always participate in route setup operations • Source Routing: malicious nodes always relay Route Request packets to have many routes passing through them • Distance Vector Routing: malicious nodes obey all control-plane protocol specifications

  7. JellyFish Reorder Attack (1/2) • Problem of TCP in regards to ACKs • Msgs 1, …, N sent • Receipt of ACK-N means all msgs up to N received successfully • Receipt of duplicate ACKs means loss or out-of-order receipt • All TCP variants assume re-ordering is short-lived due to network changes

  8. JellyFish Reorder Attack (2/2) • JF nodes deliver all packets • Only after placing them randomly in a FIFO buffer • Results in near-zero goodput despite delivering all packets • → it is not detected by other nodes as being malicious because it does not drop packets
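The ACK behaviour described on slides 7 and 8, as an added example that is not part of the original presentation: a model of a receiver's cumulative ACKs that counts how often the sender would see three duplicate ACKs although every packet is delivered. The arrival orders are constructed, and the threshold of three duplicate ACKs is the standard TCP fast-retransmit trigger, not a value from the slides.

```python
"""Added example: why reordering alone triggers TCP loss recovery."""

DUPACK_THRESHOLD = 3  # standard TCP fast-retransmit trigger (not from the slides)


def receiver_acks(arrivals):
    """Cumulative ACK (next expected sequence number) sent for each arrival."""
    received, expected, acks = set(), 0, []
    for seq in arrivals:
        received.add(seq)
        while expected in received:
            expected += 1
        acks.append(expected)
    return acks


def spurious_fast_retransmits(arrivals):
    """Count how often the sender sees DUPACK_THRESHOLD duplicate ACKs.

    Every packet in `arrivals` is delivered exactly once, so each trigger
    is a false loss signal caused purely by reordering.
    """
    triggers, last_ack, dups = 0, 0, 0  # sender starts with nothing acknowledged
    for ack in receiver_acks(arrivals):
        if ack == last_ack:
            dups += 1
            if dups == DUPACK_THRESHOLD:
                triggers += 1
        else:
            last_ack, dups = ack, 0
    return triggers


def reverse_blocks(n, depth):
    """Constructed arrival order: packets 0..n-1 reversed within blocks of `depth`."""
    order = []
    for start in range(0, n, depth):
        order.extend(reversed(range(start, min(start + depth, n))))
    return order


if __name__ == "__main__":
    for depth in (1, 2, 3, 5):
        order = reverse_blocks(20, depth)
        print(f"depth={depth} delivered={len(order)} "
              f"false loss signals={spurious_fast_retransmits(order)}")
```

Displacement by one or two positions stays below the duplicate-ACK threshold, while deeper displacement produces a false loss signal per block even though nothing was dropped.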

  9. JellyFish Periodic Dropping Attack • Attacking nodes drop all packets for a short period of time once per retransmission time-out (RTO) • After the JF’s first loss duration, the victim flow will enter timeout because the JF chooses a dropping duration long enough to result in multiple losses • When the flow attempts to exit timeout RTO seconds later, the JF will soon/immediately drop again • Why does it work? • Because, like non-malicious nodes, JFs drop packets only a small fraction of the time so as not to be detected

  10. JellyFish Delay Variance Attack • JFs manipulate packet delays to reduce TCP throughput • This results in • TCP sending traffic in bursts due to “self-clocking”, leading to increased collisions and loss • Mis-estimations of available bandwidth • Excessively high RTO value

  11. Impact of JF-reorder on throughput • FIFO schedule that randomly selects one of the first k packets of the queue to send • TCP is robust with a reordering buffer of two packets • With a larger reordering buffer, goodput collapses • Solution: TCP-PR → uses timers to detect loss

  12. JF-drop effect on throughput • To obtain the null at 1 second, the JF drops packets for 90ms every 1 second • → dropping 9% of the time and forwarding 91% of the time • Hard to detect because these are values that can be incurred by a congested node • Multiple packet losses within a RT-time are an indication of severe congestion • Flow must back off aggressively and wait RTO seconds before entering slow start

  13. JF-jitter effect on throughput • JF alternates between periods of serving packets at its maximum capacity and serving no packets • Idle and active periods are of equal length • → TCP goodput decreases with increasing jitter

  14. Black Holes • BH participate in all routing control operations • Once path established, BH drop all packets • JF has nearly same impact as BH • BH work with flows that are not congestion-related and therefore immune to JF • → disadvantage: much easier to detect BH

  15. Diagnosing Misbehavior: Detection of MAC Layer Failure (1) • Broken routes (for instance because of mobility) can be detected by routing protocols. • E.g.: DSR uses MAC layer transmission failure to generate a route error message • Message is sent upstream to the source node, which will establish a new route

  16. Diagnosing Misbehavior: Passive Acknowledgement (2) • Consider BH behavior: a BH needs to forward a packet. It first acknowledges the receipt of the packet to the sender but does not forward the packet to its intended destination. Can this be detected? • PACK: if node i sends a packet to k via j, then i should overhear the subsequent transmission from j to k (exploits the broadcast nature of the wireless medium).

  17. Diagnosing Misbehavior: Passive Acknowledgement (2) • Energy-efficient transmission • PACK requires that node j’s transmission be overheard by node i • Unable to use dynamic power management • Even though j is very close to k, it must ensure that i hears the transmission • If i does not hear the transmission it will incorrectly infer that j is a misbehaving node

  18. Diagnosing Misbehavior: Passive Acknowledgement (2) • Directional antennas • PACK assumes that attackers will use omni-directional antennas • A Black Hole can, however, use a directional antenna to fool its upstream node by beam-forming • i will have heard that j has sent a packet to k and will not suspect that it is a malicious node

  19. Diagnosing Misbehavior: Passive Acknowledgement (3) • Variable power • i is closer to j than j is to k • j can pretend to i that it has forwarded the packet, yet j’s reduced power means that only i but not k can receive it • In all three previous cases, k may send a message to i to let it know that it has not received any packets
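One way to implement the PACK check from slides 16 to 19, as an added example (not code from the paper or the presentation): node i records each packet it hands to a next hop and counts the forwards it fails to overhear. The timeout, sample size and miss threshold are assumed values and the trace is constructed; the threshold exists because, as the slides note, an unheard forward does not by itself prove misbehaviour.

```python
"""Added example: a PACK-style watchdog run by upstream node i."""
from collections import defaultdict

PACK_TIMEOUT = 0.5     # assumed: seconds i waits to overhear the forward
MIN_SAMPLES = 5        # assumed: packets observed before judging a neighbour
MISS_THRESHOLD = 0.5   # assumed: fraction of unheard forwards that raises a flag


class PackWatchdog:
    def __init__(self):
        self.pending = {}                 # pkt_id -> (next_hop, deadline)
        self.sent = defaultdict(int)      # packets handed to each next hop
        self.missed = defaultdict(int)    # forwards never overheard in time

    def _expire(self, now):
        for pkt_id, (hop, deadline) in list(self.pending.items()):
            if now > deadline:
                self.missed[hop] += 1
                del self.pending[pkt_id]

    def on_send(self, now, pkt_id, next_hop):
        self._expire(now)
        self.pending[pkt_id] = (next_hop, now + PACK_TIMEOUT)
        self.sent[next_hop] += 1

    def on_overhear(self, now, pkt_id, transmitter):
        # Overhearing only shows that j transmitted, not that k received it
        # (the directional-antenna and variable-power cases on the slides).
        self._expire(now)
        if self.pending.get(pkt_id, (None,))[0] == transmitter:
            del self.pending[pkt_id]

    def suspects(self, now):
        self._expire(now)
        return sorted(h for h, n in self.sent.items()
                      if n >= MIN_SAMPLES and self.missed[h] / n > MISS_THRESHOLD)


def run_constructed_trace():
    """Constructed trace: j1 has one unheard forward, j2 forwards nothing."""
    wd = PackWatchdog()
    for n in range(6):
        t = float(n)
        wd.on_send(t, f"a{n}", "j1")
        wd.on_send(t, f"b{n}", "j2")
        if n != 3:                        # one forward by j1 goes unheard
            wd.on_overhear(t + 0.1, f"a{n}", "j1")
    return wd, wd.suspects(now=10.0)
```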

  20. Diagnosing Misbehavior: Layer 4 Endpoint Detection (4) • Difficult to detect JFs and BH • Attack victims will need to rely on end-to-end mechanisms • Major trade-off • Single packet loss implies problematic route • Large number of packet losses implies problematic route • Proposition: use reputation route selection scheme

  21. Victim’s response • Once malicious nodes are detected there are three solutions: • Establish new path excluding any node from prior malfunctioning path • → difficult to achieve in small/sparse networks! • Employ multipath routing and adapt path weights according to path goodput • → severely decreases throughput • Establish backup routes by keeping all route reply messages • Consider a distributed victims system that keeps track of all malicious nodes in a network

  22. Analytical model (1/2) • Ad Hoc network with N nodes and a malicious nodes where a < N • p is the probability that a randomly selected node is an attacker, p = a / N • Path traverses h relay hops • If the selected nodes represent a random sample of the N network nodes, then the path contains no attacking nodes with probability $(1 - p)^h$

  23. Analytical model (2/2) • $E(T_L)$ is the expected lifetime of a route • $T_{diag}$ is the time it takes to diagnose that a route is broken • $T_{RL}$ is the minimum inter-spacing of route requests allowed by the routing protocol • $T_{RR}$ is the time it takes to receive one or more route reply messages • Normalized goodput for a flow :

  24. Rushing Attack • Malicious nodes use different mechanisms to attract flows to route through them, thereby increasing the damage they can do during attack • If attacking nodes can attract twice as many flows compared with uniform graph (2a/N instead of a/N), flow goodput drops from 52% to 34% with 10% attackers

  25. Assessment of performance under DoS Attack • Baseline case • 200 nodes move randomly in 2000m² grid at maximum velocity of 10m/s, pausing 10s on average • Node receive range is 250m • Channel capacity is 1Mb/s • 100 nodes communicate with each other to create 50 flows • Other 100 nodes are routers (only forward packets) • JFs are compromised routers

  26. JellyFish Placement • Grid placement and mobile JF only slightly more harmful than random static placement • Note that test is only 2000m² with 250m range! • → could have mobile JF that moves around until it attains an optimal position with a large amount of flows passing through it

  27. Mobility • Consider three speeds: 1m/s, 10m/s, 20m/s • With no attack, low mobility achieves (as expected) best fairness • With 49 JFs in system (24.5% of nodes), low fairness for all three speeds

  28. System Size • Smaller system size results in higher initial fairness • With shorter path lengths flow throughputs are nearly identical • Both system sizes incur identical reduction in fairness when introducing JFs

  29. Conclusion • JellyFish nodes are difficult to discover • Black Holes are easier to find but are far more devastating in terms of their effect on the network • Effect on network can be even worse if malicious nodes work together (not considered in this paper) • The main question is not whether it is possible to find malicious nodes but rather • How long will it take to discover such nodes? • In order to ease the task a reputation system may be used
