Denial-of-Service (DoS) Attacks in Wireless Sensor Networks
Md. Musfiq Rahman
Dalhousie University
Overview
• Wireless Sensor Networks and Components
• DoS Attacks
• WSN Characteristics
• Detail of the technology: Layered model
• Layer-wise description of different attacks
• Conclusion
• Reference
Wireless Sensor Network
• Tiny sensors capable of wireless communication
• Placed in an ad hoc manner and embedded in the physical environment
• Operating together in a large wireless network
• Applications
  • Ecological habitat monitoring
  • Structural health monitoring
  • Environmental contaminant detection
  • Industrial process control
  • Military target tracking
  • Etc.
Components of WSN devices
• Low-power embedded processor
  • Limited processing
• Memory/storage
  • Limited memory
• Radio transceiver
  • Short-range wireless radio (10–100 kbps, <100 m)
  • Low power
  • Low rate
• Sensor
  • Scalar sensor: temperature, light, etc.
  • Cameras, microphones
• Power
  • Finite battery power
[Figure labels: Sensors, Power, Processor, Radio, Storage]
DoS Attacks
• A DoS attack is an explicit attempt to prevent a legitimate user from using a service (causes of denial of service: hardware failures, software bugs, resource exhaustion, environmental conditions, or their combination; or intentional attack).
• DoS attacks target availability (which ensures that authorized parties can access data, services, or other computer and network resources when requested) by preventing communication between network devices or by preventing a single device from sending traffic.
WSN Characteristics
• WSN platforms (mostly) have limited processing capability and memory.
• A primary weakness shared by all wireless networking devices is the inability to secure the wireless medium.
• Any adversary in radio range can eavesdrop on traffic, transmit bogus data, or jam the network.
• Sensors are also vulnerable to physical tampering and destruction if deployed in an unsecured area.
WSN Characteristics Cont.
• Another vulnerability is the sensor device’s extremely limited and often nonreplenishable power supplies.
• Attackers aren’t always limited by the same constraints as the sensor devices.
• An adversary might have unlimited power supply, significant processing capability, and the capacity for high-power radio transmission.
Physical Layer: Jamming
• A well-known attack on wireless communication, jamming interferes with the radio frequencies a network’s nodes are using.
• An adversary can disrupt the entire network with k randomly distributed jamming nodes, putting N nodes out of service, where k is much less than N.
• For single-frequency networks, this attack is simple and effective, rendering the jammed node unable to communicate or coordinate with others in the network.
• Constant transmission of a jamming signal is an expensive use of energy. If the attacker is limited in energy, she may use sporadic or burst jamming instead.
• She jams only when detecting radio transmissions in the area of the victim, which requires that she be nearby.
Defense Against Jamming
• Spread-spectrum communication is a common defense against physical-layer jamming in wireless networks.
• Due to the synchronization and cost requirements, low-cost, low-power sensor devices may be limited to single-frequency use.
• If the adversary can permanently jam the entire network, and if the nodes can identify a jamming attack, a logical defense is to put sensors into a long-term sleep mode and have them wake periodically to test the channel for continued jamming.
• Although this won’t prevent a DoS attack, it could significantly increase the life of sensor nodes by reducing power consumption. An attacker would then have to jam for a considerably longer period, possibly running out of power before the targeted nodes do.
Defense Against Jamming Cont.
• If jamming is intermittent, nodes may be able to send a few high-power, high-priority messages back to a base station to report the attack.
• Nodes should cooperate to maximize the probability of successfully delivering such messages.
• In a large-scale deployment, an adversary is less likely to succeed at jamming the entire network.
• In this scenario a more appropriate response would be to call on the nodes surrounding the affected region to cooperatively map and report the DoS attack boundary to a base station.
Physical Layer: Tampering
• An attacker can also tamper with nodes physically, and interrogate and compromise them.
• An attacker can damage or replace sensor and computation hardware or extract sensitive material such as cryptographic keys to gain unrestricted access to higher levels of communication.
• Node destruction may be indistinguishable from fail-silent behavior.
Defense Against Tampering
• Although you can’t prevent destruction of nodes deployed in an unsecured area, redundant nodes and camouflaging can mitigate this threat.
• Other defenses include hiding or camouflaging nodes, tamper-proofing packages, or implementing tamper reaction such as erasing all program or cryptographic memory.
• These may increase the cost and complexity of WSN design.
Link Layer: Exhaustion
• A self-sacrificing node could exploit the interactive nature of most MAC-layer protocols in an interrogation attack.
• For example:
  • IEEE 802.11-based MAC protocols use Request To Send (RTS), Clear To Send (CTS), and Data/Ack messages to reserve channel access and transmit data.
  • The node could repeatedly request channel access with RTS, eliciting a CTS response from the targeted neighbor node.
  • Constant transmission would exhaust the energy resources of both nodes.
Defense Against Exhaustion
• One solution is to rate-limit MAC admission control, so that the network can ignore excessive requests without sending expensive radio transmissions.
• Antireplay protection and strong link-layer authentication can mitigate these attacks.
• However, a targeted node receiving the bogus RTS messages still consumes energy and network bandwidth.
Link Layer: Denial-of-Sleep
• In this type of attack, the attacker intentionally prevents the radio from going to sleep.
• The MAC layer is targeted because it controls the functionality of the transceiver, which consumes more energy than any other component.
• The MAC layer dictates when the radio should transmit, listen, receive frames, or sleep to conserve power.
Link Layer: Denial-of-Sleep Cont.
• The radio's power consumption depends directly on its operational mode.
• Two standard 3,000 mAh (AA) batteries will last over 4,000 days for a device in sleep mode but only 10 days for a device in receive mode.
• Because of the differences in packet structure and timing between WSN MAC protocols, it is not very difficult to determine which MAC protocol the WSN is using.
• This is enough to launch the denial-of-sleep attack.
Defense: Denial-of-Sleep
• One approach to mitigating the denial-of-sleep attack is to enhance the link-layer capabilities by including the following:
  • Strong link-layer authentication
  • Anti-replay protection
  • Broadcast attack protection
  • Tamper resistance
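The link-layer authentication and anti-replay checks named on the exhaustion and denial-of-sleep defense slides, as an added example that is not part of the original slides. The frame layout, the 4-byte tag, and the use of truncated HMAC-SHA-256 in place of whatever MAC the radio stack provides are assumptions; the receiver answers an RTS only when `accept` returns a frame.

```python
import hashlib
import hmac
import struct

MAC_LEN = 4                       # assumed truncated tag length
HDR = struct.Struct(">HBI")       # assumed header: source id, frame type, counter
RTS, DATA = 1, 2


def seal(key, src, ftype, counter, payload=b""):
    """Sender: the tag covers the control fields in the header as well as the payload."""
    header = HDR.pack(src, ftype, counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:MAC_LEN]
    return header + payload + tag


class LinkReceiver:
    def __init__(self, neighbor_keys):
        self.keys = dict(neighbor_keys)   # source id -> pairwise key
        self.last_counter = {}            # source id -> highest counter accepted

    def accept(self, frame):
        """Return (src, ftype, payload) for a fresh, authentic frame, else None."""
        if len(frame) < HDR.size + MAC_LEN:
            return None
        header = frame[:HDR.size]
        body, tag = frame[HDR.size:-MAC_LEN], frame[-MAC_LEN:]
        src, ftype, counter = HDR.unpack(header)
        key = self.keys.get(src)
        if key is None:
            return None                   # unknown neighbor: no reply is sent
        expected = hmac.new(key, header + body, hashlib.sha256).digest()[:MAC_LEN]
        if not hmac.compare_digest(tag, expected):
            return None                   # forged or modified frame
        if counter <= self.last_counter.get(src, -1):
            return None                   # replayed frame
        self.last_counter[src] = counter  # state changes only after authentication
        return src, ftype, body
```

A rejected frame has still cost the receiver the energy to receive it, as the exhaustion slide notes; the check only avoids the reply transmission and any further processing.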
Network Layer: Homing
• In most sensor networks, more powerful nodes might serve as cryptographic key managers, query or monitoring access points, or network uplinks. These nodes attract an adversary’s interest because they provide critical services to the network.
• Location-based network protocols that rely on geographic forwarding expose the network to homing attacks.
• A passive adversary observes traffic, learning the presence and location of critical resources.
• Once found, these nodes can be attacked by collaborators or mobile adversaries using other active means.
Defense Against Homing
• One approach to hiding important nodes provides confidentiality for both message headers and their content. If all neighbors share cryptographic keys, the network can encrypt the headers at each hop.
• This would prevent a passive adversary from easily learning about the source or destination of overheard messages.
Network Layer: Black Holes
• Distance-vector-based protocols provide another easy avenue for an even more effective DoS attack.
• Nodes advertise zero-cost routes to every other node, forming routing black holes within the network.
• As their advertisement propagates, the network routes more traffic in their direction.
• In addition to disrupting message delivery, this causes intense resource contention around the malicious node as neighbors compete for limited bandwidth.
• These neighbors may themselves be exhausted prematurely, causing a hole or partition in the network.
Defense Against Black Holes
• Authorization
  • Let only authorized nodes exchange routing information.
• Monitoring
  • Nodes monitor their neighbors to ensure that they observe proper routing behavior.
  • The node relays a message to the next hop and then acts as a watchdog that verifies the next-hop transmission of the same packet.
  • The watchdog can detect misbehavior, subject to limitations caused by collisions, asymmetric physical connectivity, collusion, and so on.
Defense Against Black Holes Cont.
• Probing
  • Networks using geography-based routing can use knowledge of the physical topology to detect black holes by periodically sending probes that cross the network’s diameter.
  • Subject to transient routing errors and overload, a probing node can identify blackout regions.
  • To detect malicious nodes, probes must be indistinguishable from normal traffic.
• Redundancy
  • The network can send duplicate messages along the same path to protect against intermittent routing failure.
  • If each message uses a different path, one of them might bypass consistently neglectful adversaries or even black holes.
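The watchdog monitoring described under "Monitoring" above, as an added example that is not part of the original slides. The class, its thresholds, and the event trace are constructed for illustration; the drop-ratio tolerance stands in for the collision and connectivity limitations the slide mentions.

```python
from collections import defaultdict


class Watchdog:
    """Runs on a relaying node that can overhear its next hop's transmissions."""

    def __init__(self, timeout=0.5, min_samples=5, max_drop_ratio=0.4):
        self.timeout = timeout                # assumed wait for the next hop to forward
        self.min_samples = min_samples        # do not judge a neighbor on too few packets
        self.max_drop_ratio = max_drop_ratio  # tolerance for collisions and lossy links
        self.pending = {}                     # (neighbor, packet id) -> deadline
        self.stats = defaultdict(lambda: {"forwarded": 0, "dropped": 0})

    def relayed(self, neighbor, pkt_id, now):
        """We handed pkt_id to neighbor and expect to overhear it being forwarded."""
        self.pending[(neighbor, pkt_id)] = now + self.timeout

    def expire(self, now):
        """Count every relayed packet whose forwarding was not overheard in time."""
        for key in [k for k, deadline in self.pending.items() if now > deadline]:
            del self.pending[key]
            self.stats[key[0]]["dropped"] += 1

    def overheard(self, sender, pkt_id, now):
        """Promiscuous-mode callback: sender was heard transmitting pkt_id."""
        self.expire(now)
        if self.pending.pop((sender, pkt_id), None) is not None:
            self.stats[sender]["forwarded"] += 1

    def suspects(self, now):
        self.expire(now)
        flagged = []
        for neighbor, s in self.stats.items():
            total = s["forwarded"] + s["dropped"]
            if total >= self.min_samples and s["dropped"] / total > self.max_drop_ratio:
                flagged.append(neighbor)
        return sorted(flagged)


def run_constructed_trace():
    """Constructed trace: B loses one of six packets to a collision, M forwards one of six."""
    wd = Watchdog()
    for i in range(6):
        t = float(i)
        wd.relayed("B", ("b", i), t)
        wd.relayed("M", ("m", i), t)
        if i != 3:                            # packet 3 via B is never overheard
            wd.overheard("B", ("b", i), t + 0.1)
        if i == 0:                            # M forwards only its first packet
            wd.overheard("M", ("m", i), t + 0.1)
    return wd.suspects(now=10.0), dict(wd.stats)
```

When the next hop is the packet's final destination no forwarding is expected, so a deployment would skip `relayed` for those packets.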
Transport Layer: Flooding
• As in the classic TCP SYN flood, an adversary sends many connection establishment requests to the victim. Each request causes the victim to allocate resources that maintain state for that connection.
• Limiting the number of connections prevents complete resource exhaustion, which would interfere with all other processes at the victim.
• However, this solution also prevents legitimate clients from connecting to the victim, as queues and tables fill with abandoned connections.
Defense Against Flooding
• One defense requires clients to demonstrate the commitment of their own resources to each connection by solving client puzzles.
• The server can create and verify the puzzles easily, and storage of client-specific information is not required while clients are solving the puzzles. Servers distribute the puzzle, and clients wishing to connect must solve and present the puzzle to the server before receiving a connection.
• An adversary must therefore be able to commit far more computational resources per unit time to flood the server with valid connections.
• This solution is most appropriate for combating adversaries that possess the same limitations as sensor nodes.
• It has the disadvantage of requiring more computational energy for legitimate sensor nodes, but it is less costly than wasting radio transmissions by flooding.
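A stateless client puzzle of the kind described above, as an added example that is not part of the original slides. The hash-preimage construction, the difficulty, the puzzle lifetime, and all names are assumptions chosen for illustration; the point shown is that the server stores nothing per client between issuing and verifying.

```python
import hashlib
import hmac
import os
import struct

SERVER_SECRET = os.urandom(16)  # constructed: secret known only to the server
DIFFICULTY_BITS = 12            # assumed: about 2**12 hashes per solve on average
MAX_AGE = 30                    # assumed puzzle lifetime in seconds


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def make_puzzle(client_id, now):
    """Server: derive the puzzle from (client, time); nothing is stored per client."""
    ts = struct.pack(">I", now)
    tag = hmac.new(SERVER_SECRET, client_id + ts, hashlib.sha256).digest()[:8]
    return ts + tag


def solve_puzzle(puzzle):
    """Client: find the smallest nonce whose hash has enough leading zero bits."""
    nonce = 0
    while True:
        digest = hashlib.sha256(puzzle + struct.pack(">Q", nonce)).digest()
        if _leading_zero_bits(digest) >= DIFFICULTY_BITS:
            return nonce
        nonce += 1


def verify_solution(client_id, puzzle, nonce, now):
    """Server: one HMAC and one hash, both recomputed from the request itself."""
    if len(puzzle) != 12:
        return False
    ts, tag = puzzle[:4], puzzle[4:]
    issued = struct.unpack(">I", ts)[0]
    if not 0 <= now - issued <= MAX_AGE:
        return False                       # expired or post-dated puzzle
    expected = hmac.new(SERVER_SECRET, client_id + ts, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(tag, expected):
        return False                       # puzzle not issued to this client
    digest = hashlib.sha256(puzzle + struct.pack(">Q", nonce)).digest()
    return _leading_zero_bits(digest) >= DIFFICULTY_BITS
```

A solved puzzle stays valid for `MAX_AGE` seconds in this sketch, so the server still has to bound how many connections one solution can open.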
Transport Layer: Desynchronization
• An existing connection between two end points can be disrupted by desynchronization.
• In this attack, the adversary repeatedly forges messages to one or both end points.
• These messages carry sequence numbers or control flags that cause the end points to request retransmission of missed frames.
• If the adversary can maintain proper timing, it can prevent the end points from exchanging any useful information, causing them to waste energy in an endless synchronization-recovery protocol.
Defense Against Desynchronization
• One counter to this attack authenticates all packets exchanged, including all control fields in the transport protocol header.
Application Layer: Overwhelming Attack
• An attacker overwhelms the network nodes with sensor stimuli, causing the network to forward a large amount of data to a base station.
• Consumes network bandwidth and drains node power.
• Efficient only when particular sensor readings trigger communication.
Defense: Overwhelming Attack
• Tuning the sensor nodes so that only specifically desired stimuli trigger communication.
• Rate limiting and effective data aggregation algorithms can mitigate this type of attack.
Application Layer: Path-based DoS Attack
• Another application-layer attack involves injecting spurious or replayed packets into the network at leaf nodes in a path-based DoS attack.
• As the packet is forwarded to its destination, nodes along the path to the base station waste bandwidth and energy transmitting the traffic.
• This attack can starve the network of legitimate traffic, because it consumes resources on the path to the base station, thus preventing other nodes from sending data to the base station.
Application Layer: Deluge Attack
• Protocols such as TinyOS’s Deluge network-programming system let you remotely reprogram nodes in deployed networks.
• If the reprogramming process isn’t secure, an intruder can hijack this process and take control of large portions of a network.
• Defense
  • Some security techniques use authentication streams to secure the reprogramming process.
References
• D.R. Raymond and S.F. Midkiff, “Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses,” IEEE Pervasive Computing, vol. 7, no. 1, Jan. 2008, pp. 74–81.
• A.D. Wood and J.A. Stankovic, “Denial of Service in Sensor Networks,” Computer, vol. 35, no. 10, 2002, pp. 54–62.
• A.D. Wood and J.A. Stankovic, “A Taxonomy for Denial-of-Service Attacks in Wireless Sensor Networks,” Handbook of Sensor Networks: Compact Wireless and Wired Sensing Systems, 2004.
Thank You… Questions?