270 likes | 443 Views
Denial of Service Attacks (DoS) in Wireless Sensor Networks (WSNs). Presented by OYA ŞİMŞEK. WSNs & Applications. WSNs facilitate large-scale, real-time data processing in complex environments.
E N D
Denial of Service Attacks (DoS) in Wireless Sensor Networks (WSNs) Presented by OYA ŞİMŞEK
WSNs & Applications • WSNs facilitate large-scale, real-time data processing in complex environments. • Their foreseeableapplications will help protect and monitor military, environmental, safety-critical, or domestic infrastructures and resources. • In a military scenario, WSNs • may gatherintelligence in battlefield conditions, • track enemytroop movements, • monitor a secured zone for activity,or measure damage and casualties.
WSNs & Applications Cont. • WSNs could be used to rescue personnel at disastersites, or they could themselves help locatecasualties. • They could monitor conditions at therim of a volcano, along an earthquake fault, oraround a critical water reservoir. • Such networkscould also provide always-on monitoring of homehealthcare for the elderly or detect a chemical orbiological threat in an airport or stadium.
DoS Attacks • A DoS attack is any event that diminishes or eliminates a network’s capacity to perform its expected function (Hardware failures, software bugs, resource exhaustion, environmental conditions, or their combination; or intentional attack) • DoS attacks target availability (which ensures that authorized parties can access data, services, or other computer and network resources when requested) by preventing communication between network devices or by preventing a single device from sending traffic.
WSNs Characteristics • WSN platforms (mostly) have limited processing capability and memory. • A primary weakness shared by all wireless networking devices is the inability to secure the wireless medium. • Any adversary in radio range can eavesdrop traffic, transmit bogus data, or jam the network. • Sensors are also vulnerable to physical tampering and destruction if deployed in an unsecured area.
WSNs Characteristics Cont. • Another vulnerability is the sensor devices’ extremely limited and often nonreplenishable power supplies. • Attackers aren’t always limited by the same constraints as the sensor devices. • An adversary might have unlimited power supply, significant processing capability, and the capacity for high-power radio transmission.
Physical Layer: Jamming • A well-known attack on wireless communication,jamming interferes with the radio frequenciesa network’s nodes are using. • An adversary can disrupt the entire network with k randomly distributedjamming nodes, putting N nodes out ofservice, where k is much less than N. • For single frequency networks, this attack is simple and effective, renderingthe jammed node unable to communicate or coordinatewith others in the network. • Constant transmission of a jamming signal is an expensiveuse of energy. If the attacker is limited in energy, she may use sporadic or burst jamminginstead. • She jams only when detecting radiotransmissions in the area of the victim, which requiresthat she be nearby.
Defense Against Jamming • Spread-spectrum communication is a common defense against physical-layer jamming in wireless networks. • Due to the synchronization and cost requirements, lowcost,low-power sensor devices may be limited to single-frequency use. • If the adversary can permanently jam the entire network, and if the nodes can identify a jamming attack, a logical defense is to put sensors into a long-term sleep mode and have them wake periodically to test the channel for continued jamming. • Although this won’t prevent a DoS attack, it could significantly increase the life of sensor nodes by reducing power consumption. An attacker would then have to jam for a considerably longer period, possibly running out of power before the targeted nodes do.
Defense Against Jamming Cont. • If jamming is intermittent, nodes may be ableto send a few high-power, high-priority messagesback to a base station to report the attack. • Nodes should cooperate to maximize theprobability of successfully delivering such messages. • In a large-scale deployment, an adversary is lesslikely to succeed at jamming the entire network. • In this scenario a moreappropriate response would be to call on the nodessurrounding the affected region tocooperativelymap and report the DoS attack boundary to a base station.
Physical Layer: Tampering • An attacker can also tamper with nodes physically,and interrogate and compromise them. • An attacker can damage or replace sensor and computationhardware or extract sensitive material such as cryptographickeys to gain unrestricted access to higher levels of communication. • Node destruction may be indistinguishable from fail-silent behavior.
Defense Against Tampering • Although you can’t prevent destruction of nodes deployed in an unsecured area, redundant nodes and camouflaging can mitigate this threat. • Hiding or camouflaging nodes, tamper-proofing packages, or implementing tamper reaction such as erasing all program or cryptographic memory. • These may increase thecost and complexity of WSN design.
Link Layer: Exhaustion • A self-sacrificing node could exploit the interactivenature of most MAC-layer protocols in aninterrogation attack. • For example, • IEEE 802.11-based MAC protocols use Request To Send, ClearTo Send, and Data/Ack messages to reserve channelaccess and transmit data. • The node couldrepeatedly request channel access with RTS, elicitinga CTS response from the targeted neighbor node. • Constant transmission would exhaustthe energy resources of both nodes.
Defense Against Exhaustion • One solution makes the MAC admission controlrate limiting, so that the network can ignore excessiverequests without sending expensive radio transmissions. • Antireplay protection and strong link-layer authentication can mitigate these attacks. • However, a targeted node receiving the bogus RTS messages still consumes energy and network bandwidth.
Network Layer: Homing • In most sensor networks, morepowerful nodes might serve as cryptographic keymanagers, query or monitoring access points, ornetwork uplinks. These nodes attract an adversary’sinterest because they provide critical services to the network. • Location-based network protocols that rely ongeographic forwarding expose the network tohoming attacks. • A passive adversary observestraffic, learning the presence and location of criticalresources. • Once found, these nodes can beattacked by collaborators or mobile adversaries using other active means.
Defense Against Homing • One approach to hiding important nodes providesconfidentiality for both message headers andtheir content. If all neighbors share cryptographickeys, the network can encrypt the headers at eachhop. • This would prevent a passive adversary fromeasily learning about the source or destination ofoverheard messages.
Network Layer: Black Holes • Distance-vector-based protocols provide another easy avenue for an even more effective DoS attack. • Nodes advertise zero-cost routes to every othernode, forming routing black holes within the network. • As their advertisement propagates, the networkroutes more traffic in their direction. • Inaddition to disrupting message delivery, this causesintense resource contention around the maliciousnode as neighbors compete for limited bandwidth. • These neighbors may themselves be exhausted prematurely,causing a hole or partition in the network.
Defense Against Black Holes • Authorization • Through letting only authorized nodes exchange routinginformation. • Monitoring • Through monitoring their neighbors to ensure that they observe proper routing behavior. • The node relays a message to the next hop and then acts as awatchdog that verifies the next-hop transmissionof the same packet. • The watchdogcan detect misbehavior, subject to limitationscaused by collisions, asymmetric physicalconnectivity, collusion, and so on.
Defense Against Black Holes Cont. • Probing • Networks using geography-based routingcan use knowledge of the physical topologyto detect black holes by periodically sendingprobes that cross the network’s diameter. • Subjectto transient routing errors and overload, a probingnode can identify blackout regions. • To detect malicious nodes, probes must be indistinguishable from normal traffic. • Redundancy • The network can send duplicate messages along the same path toprotect against intermittent routing failure. • If each message uses a different path,one of them might bypass consistently neglectfuladversaries or even black holes.
Transport Layer: Flooding • As in the classic TCP SYNflood, an adversary sends many connectionestablishment requests to the victim. Each request causes the victim to allocate resourcesthat maintain state for that connection. • Limiting the number of connections prevents complete resource exhaustion, which would interfere with all other processes at thevictim. • However, this solution also preventslegitimate clients from connecting to the victim,as queues and tables fill with abandoned connections.
Defense Against Flooding • One defense requires clients to demonstrate thecommitment of their own resources to each connectionby solving client puzzles. • The server cancreate and verify the puzzles easily, and storage ofclient-specific information is not required whileclients are solving the puzzles. Servers distribute thepuzzle, and clients wishing to connect must solveand present the puzzle to the server before receiving a connection. • An adversary must therefore be able tocommit far more computational resources per unittime to flood the server with valid connections. • This solution is most appropriate for combatingadversaries that possess the same limitations as sensornodes. • It has the disadvantage of requiring more computational energy for legitimate sensor nodes, but it is less costly than wasting radio transmissions by flooding.
Transport Layer: Desynchronization • An existing connection between two end pointscan be disrupted by desynchronization. • In thisattack, the adversary repeatedly forges messages toone or both end points. • These messages carrysequence numbers or control flags that cause the endpoints to request retransmission of missed frames. • If the adversary can maintain proper timing, it canprevent the end points from exchanging any usefulinformation, causing them to waste energy in an endless synchronization-recovery protocol.
Defense Against Desynchronization • One counter to this attack authenticates all packetsexchanged, including all control fields in thetransport protocol header.
References • A.D. Wood and J.A. Stankovic, “Denial of Service in Sensor Networks,” Computer, vol. 35, no. 10, 2002, pp. 54–62. • A.D. Wood and J.A. Stankovic, “A Taxonomy for Denial-of-Service Attacks in Wireless Sensor Networks”,Handbook of Sensor Networks: Compact Wireless and Wired Sensing Systems, 2004. • David R. Raymond and Scott F. Midkiff, "Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses," IEEE Pervasive Computing, vol. 7, no. 1, 2008, pp. 74-81.