By Mike McNett 20 Oct 2003 Computer Science Department University of Virginia Secure Routing in...

By Mike McNett

20 Oct 2003

Computer Science Department

University of Virginia

Secure Routing in Sensor Networks: Attacks and

Countermeasures(Authors: Chris Karlof and David Wagner, UC Berkeley)

The Essential Ideas of Secure Routing Attacks & Countermeasures

Ref: Denial of Service in Sensor Networks; Wood & Stankovic

Focus of this Presentation

Selective ForwardingNot Addressed

Bogus Routing

NOTES: DOS Attacks aren’t directly addressed in this paper. Defenses / Countermeasures are similar.

The Essential Ideas of Secure Routing Attacks & Countermeasures

WSN’s have unique constraints that make secure routing difficult.

One must define the security goals of the network.

WSN’s offer the attacker unique attacks that aren’t found in traditional networks.

Analyzing attacks will give insight into effective countermeasures.

Not all attacks can be stopped (assuming insiders).

Outline

Introduction Novelty and Contribution The Problem Addressed WSN Routing Attacks Analysis of Security of SPEED, RAP, LSRP, Traject

ory Based Forwarding, Mobicast, ASCENT Countermeasures Cross-cutting Issues / Open Questions Conclusions

Introduction – Questions to Consider

What historical events drive us towards the need for secure networks?

Is Routing Security Necessary in all environments and applications?

How robust should the security be? Is it even possible to have security that

prohibits attacks? If possible, then at what cost? Can traditional routing security solutions be

used in WSN’s?

Base stations and sensor nodes

Node vulnerabilities Low overhead protocols Broadcast media Specialized traffic

patterns Potentially every node is

a router In-network processing Resource constraints Dynamic topologies

Introduction – WSN Routing

Outline



Novelty and Contribution

Proposes threat models and security goals for secure WSN Routing.

Adapts previously known attacks to WSN’s. Addresses two novel attacks: HELLO Floods and

Sinkholes. Presents security analysis of major WSN routing

protocols and energy-conserving topology maintenance algorithms.

Discusses countermeasures and design considerations for secure WSN routing protocols.

Outline

Introduction Novelty and Contribution The Problem Addressed:

Network Assumptions and Trust Requirements Threat Models and Security Goals

WSN Routing Attacks Analysis of Security of SPEED, RAP, LSRP, Trajectory Base

d Forwarding, Mobicast, ASCENT Countermeasures Cross-cutting Issues / Open Questions Conclusions

Network Assumptions

Insecure radio links Eavesdropping, injecting bits, and packet

replays Attacker has similar capabilities (HW, etc.) Nodes can be “turned” Attacker controls > 1 node; collusion is

possible Attacker may have high quality

communications Tamper resistant nodes are not realistic

Trust Requirements

Base Stations are trustworthy Aggregation points may be trusted,

but not guaranteed

Threat Models and Secure Routing Goals

Threat Model: Mote-class vs. laptop-class adversaries Insiders vs. outsiders

Security Goals: Authenticity: verifies the identity of the sender Integrity: messages are not tampered with Availability: messages are received by intended receivers

Link layer security still possible Insiders and laptop-class adversaries are the main

challenge

Security Goals Out of Scope

Confidentiality / Secrecy of messages Protection against Eavesdropping

Exception – protocol should prevent eavesdropping caused by misuse or abuse of the protocol itself

Protection against the replay of data packets

Claim 1 by Authors: It is possible to meet the security goals when only considering outsiders.

Claim 2 by Authors: It is most likely that some if not all of these goals are not fully attainable when considering insiders.

Question: What information / intelligence can be gained by the attacker through observing unencrypted overhead packets?

Outline

Introduction Novelty and Contribution The Problem Addressed WSN Routing Attacks:

Spoofing, Selective Forwarding, Sinkhole Attack, Sybil Attack, Wormholes, HELLO Flood Attack, Acknowledgement Spoofing

Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT

Countermeasures Cross-cutting Issues / Open Questions Conclusions

TinyOS Beaconing

Attack: Bogus routing information

Spoofed, altered, or relayed routing information causes problems

Example: spoof routing beacons and claim to be base station

Attack: Bogus routing information

Routing loops

B

A

Problems: Bogus routing information

Attract / Repel Traffic

Enemy Area

BA1

A3

A2

A4

Problems: Bogus routing information

Other Possibilities: Extend / shorten source routes Generate false error messages Partition network Increase end-to-end latency

Overall Affects: Routing havoc Low reliability Questionable information reporting Decreased lifetime of network Congestion / collisions Etc.

Allows the attacker to selectively “hide” information

Enemy Area

Attacks: Selective Forwarding / Blackholes / Sinkholes

Only forward a select few… drop / modify remaining packets

Jamming can cause similar effects

Location of node mayhave significant effects

Attack: Sybil attack

An adversary may present multiple identities to other nodes

Geographic Routing is very susceptible – exchange of locality information

A

B

Attack: Wormholes

Tunnel packets received in one part of the network and replay them in a different part

Exploits routing race conditions

Enables other attacks

Can be launched by insiders and outsiders

Attack: HELLO floods

Protocols that use HELLO packets to announce to neighbors

Assumption: the sender of a received packet is within normal radio range

False! A powerful transmitter could reach the entire network


Attack: Acknowledgement Spoofing

Spoof link layer ACK packets of neighbor nodes

Selective forwarding by encouraging sender to send via weak links

Protocols Analyzed in Paper

Protocol Relevant attacksTinyOS beaconing Bogus routing information, selective forwarding,

sinkholes, Sybil, wormholes, HELLO floods

Directed diffusion and multipath variant

Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods

Geographic routing (GPSR,GEAR)

Bogus routing information, selective forwarding, Sybil

Minimum cost forwarding

Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods

Clustering based protocols (LEACH,TEEN,PEGASIS)

Selective forwarding, HELLO floods

Rumor routing Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes

Energy conserving topology maintenance

Bogus routing information, Sybil, HELLO floods

All insecure

Protocols Analyzed in Paper

Bogus routing X X X X X X

Selective forwarding

X X X X X X

Sinkholes X X X X

Sybil X X X X X

Wormholes X X X X

HELLO floods X X X X X

Tiny

OS

Direc

ted

Diff

Geo

grap

hic

Rou

ting

Min

Cos

t Fw

ding

Clu

ster

Bas

edRum

or R

outing

Ener

gy C

onse

rvin

g

Attack

Outline



SPEED

SPEED: A Stateless Protocol for Real-Time Communication in Sensor Networks. Uses neighbor tables

UniformBack-Pressure

Strong Back-Pressure(Congestion)

SNGF - 3 (Example)

23

5

9

10

7

Delay

11

Boo

SPEED20

11030

115

Node 5's NT

Delay0.5s0.1s0.4s0.1s

ID97

103

Packet

Packet

Source

Destination

SPEED (and RAP): Routing Security Analysis

Convince nodes to change their state tables (delay, source, destination, distance, deadlines). Change the radius of the last mile process. Lower the velocity of a packet which will end up

missing its deadline later and will be dropped. Flood network with high velocity packets (i.e.

short deadlines or large distances). Drop the SpeedReceive() messages. Local forwarding decisions allow some types of

attacks to not be noticed. Example: a destination that is “beyond” the edge of the network.

Local Stabilization

F-Local Stabilization Faults be contained locally around where they occurred. Time taken for the system to stabilize is a function of the

size of the perturbed region.

LocallyContainedFault Regions

Definite Time which is proportional to size of perturbed region

Correction

Local Stabilization

Node of Fault Propagation to initiate a “Containment” action that moves faster than the stabilization (“Fault Propagation”) action.

“Corrective” action always lags behind “Fault propagation” action

Containment Wave

Fault Propagation Wave

Correction Wave

LSRP: Routing Security Analysis

Send out false waves Delay / drop correction & containment waves Spoof link information (affects shortest

paths)

Trajectory Based Forwarding

Source

Destination

Improving routing in both mobile and fixed networks when position is available.

Forbidden Zone Intermediate Destination

StraightforwardPath

Multipath Routing by TBF

TBF: Routing Security Analysis

Change trajectory functions Spoof nodal location information Flood network with large broadcasts

Spatiotemporal Multicast

Wake up just in timeSleeping nodesAwaken nodes

Adaptive Mobicast

Adaptive forwarding zone

Hole

Mobicast: Routing Security Analysis

Increase or decrease delivery and forwarding zone sizes

Provide false locations to nodes to make paths longer than they need be

Modify delta-values in adaptive mobicast

ASCENT and Energy Conserving Topology Management

Insecure routing protocol ASCENT will not guarantee correct neighbor sets.

Attacks on routing that makes the network look overly sparse or dense may negatively affect ASCENT – increased power consumption.

Misrepresent energy remaining levels. All (successful) attacks may potentially

counteract the energy savings of any given protocol.

Outline



Countermeasures: Bogus routing information

Outsiders: Authenticated Routing Crypto techniques (globally shared

key) Mitigates Sybil, Sinkhole, Selective

Forwarding Little affect on Wormhole and HELLO

Flood Insiders:

Consistency checks Verify through trustworthy nodes Crypto techniques (per-link keys)

Enemy Area

Countermeasures : Selective Forwarding / Blackholes / Sinkholes

Multipath and probabilistic routing

Verify information where possible

Geographic-based protocols hold promise

Countermeasures : Wormholes

Difficult to defend against


Difficult to detect Best solution avoid routing race conditions

Geographic routing protocols hold promise

Countermeasures : Sybil attack

Verify identities of neighbors through unique symmetric keys with base station

Establish shared keys Limit number of

neighbors with keys

A

B

Countermeasures : HELLO floods

Bidirectional Links Verify identities of

neighbors Base station can

enforce limited number of neighbors

Countermeasures (Notes)

Nodes near base stations are attractive to compromise Clustering and Overlays may reduce their

significance Can leverage global knowledge

Send localized info to base station Base station maps network topology Base station is periodically updated Drastic / suspicious changes observed

Countermeasures (Notes)

Base Station Authentication – no node can spoof BS, but every node can verify messages from BS

Localized Node Authentications SPINS - μTESLA & SNEP (next presentation)

Outline



SPEED Goals vs. Security

Soft real-time: predictable e2e delay

Uniform communication speed

High Scalability Stateless Architecture Localized Behavior

Load Balancing Traffic Control Void Avoidance

Security may cause unpredictable delays

Security may require stateful architecture

Security may require global behavior

Security may lessen the ability to load balance

RAP Goals vs. Security

Minimize e2e deadline miss ratio

Provide high-level services APIs (similar to SPEED)

High scalability Minimize communication

and processing overhead

Security may cause unpredictable delays

Security may not be as scalable

Security may increase communication and processing overhead

Trajectory Based Forwarding vs. Security

Scalability. Power management.

Along one trajectory. Multiple trajectories.

Data centrism. Event localization. Event handling.

Security. Trajectory specification.

Stability. Temporary faults. Permanent faults.

Security may not be as scalable Security may require single,

multiple, no trajectories Security may require symmetric

trajectories for bi-directional communications

If one knows where compromised nodes are, trajectories may help

Summary & Discussion

Tamper resistant nodes – realistic or necessary? How do you know you’re being attacked? If you have a secure application layer, but don’t hav

e secure routing, can the WSN be effective? Local vs. Global Routing advantages / disadvantages Will data mining help detect malicious /

compromised nodes? If stopping all attacks on routing is impossible,

what alternatives are there? What are the cost-benefit trade-offs of secure WSN ro

uting? How do you evaluate these? How can traffic analysis / homing be defeated?

Conclusions

Secure routing is a prerequisite to effective WSNs … in the face of threats

Traditional security solutions aren’t applicable. One must define the security goals of the network. Analyzing attacks will give insight into effective counter

measures. Must consider both insider and outsider threats. Must incorporate security at design time. The paper “Report on a Working Session on Security

in Wireless Ad-Hoc Networks” provides possible solutions (e.g., SRP, SEAD, Ariadne, geographical leashes, temporal leashes, etc.)

By Mike McNett 20 Oct 2003 Computer Science Department University of Virginia Secure Routing in...

Documents

Transcript of By Mike McNett 20 Oct 2003 Computer Science Department University of Virginia Secure Routing in...