Secure routing in Wireless sensor Networks: Attacks and Countermeasures
By Mike McNett
20 Oct 2003
Computer Science Department
University of Virginia
Secure Routing in Sensor Networks: Attacks and Countermeasures
(Authors: Chris Karlof and David Wagner, UC Berkeley)
The Essential Ideas of Secure Routing Attacks & Countermeasures
Ref: Denial of Service in Sensor Networks; Wood & Stankovic
[Figure labels: Focus of this Presentation; Selective Forwarding; Not Addressed; Bogus Routing]
NOTES: DOS Attacks aren’t directly addressed in this paper. Defenses / Countermeasures are similar.
The Essential Ideas of Secure Routing Attacks & Countermeasures
WSNs have unique constraints that make secure routing difficult.
One must define the security goals of the network.
WSNs offer the attacker unique attacks that aren’t found in traditional networks.
Analyzing attacks will give insight into effective countermeasures.
Not all attacks can be stopped (assuming insiders).
Outline
Introduction
Novelty and Contribution
The Problem Addressed
WSN Routing Attacks
Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT
Countermeasures
Cross-cutting Issues / Open Questions
Conclusions
Introduction – Questions to Consider
What historical events drive us towards the need for secure networks?
Is Routing Security Necessary in all environments and applications?
How robust should the security be?
Is it even possible to have security that prohibits attacks?
If possible, then at what cost?
Can traditional routing security solutions be used in WSNs?
Introduction – WSN Routing
Base stations and sensor nodes
Node vulnerabilities
Low overhead protocols
Broadcast media
Specialized traffic patterns
Potentially every node is a router
In-network processing
Resource constraints
Dynamic topologies
Novelty and Contribution
Proposes threat models and security goals for secure WSN routing.
Adapts previously known attacks to WSNs.
Addresses two novel attacks: HELLO Floods and Sinkholes.
Presents security analysis of major WSN routing protocols and energy-conserving topology maintenance algorithms.
Discusses countermeasures and design considerations for secure WSN routing protocols.
Outline
Introduction
Novelty and Contribution
The Problem Addressed:
  Network Assumptions and Trust Requirements
  Threat Models and Security Goals
WSN Routing Attacks
Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT
Countermeasures
Cross-cutting Issues / Open Questions
Conclusions
Network Assumptions
Insecure radio links
Eavesdropping, injecting bits, and packet replays
Attacker has similar capabilities (HW, etc.)
Nodes can be “turned”
Attacker controls > 1 node; collusion is possible
Attacker may have high quality communications
Tamper resistant nodes are not realistic
Trust Requirements
Base Stations are trustworthy
Aggregation points may be trusted, but not guaranteed
Threat Models and Secure Routing Goals
Threat Model:
  Mote-class vs. laptop-class adversaries
  Insiders vs. outsiders
Security Goals:
  Authenticity: verifies the identity of the sender
  Integrity: messages are not tampered with
  Availability: messages are received by intended receivers
Link layer security still possible
Insiders and laptop-class adversaries are the main challenge
Security Goals Out of Scope
Confidentiality / Secrecy of messages
Protection against Eavesdropping
Exception – protocol should prevent eavesdropping caused by misuse or abuse of the protocol itself
Protection against the replay of data packets
Claim 1 by Authors: It is possible to meet the security goals when only considering outsiders.
Claim 2 by Authors: It is most likely that some if not all of these goals are not fully attainable when considering insiders.
Question: What information / intelligence can be gained by the attacker through observing unencrypted overhead packets?
Outline
Introduction
Novelty and Contribution
The Problem Addressed
WSN Routing Attacks:
  Spoofing, Selective Forwarding, Sinkhole Attack, Sybil Attack, Wormholes, HELLO Flood Attack, Acknowledgement Spoofing
Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT
Countermeasures
Cross-cutting Issues / Open Questions
Conclusions
TinyOS Beaconing
Attack: Bogus routing information
Spoofed, altered, or relayed routing information causes problems
Example: spoof routing beacons and claim to be base station
Attack: Bogus routing information
Routing loops
Problems: Bogus routing information
Attract / Repel Traffic
[Figure labels: Enemy Area; nodes B, A1, A2, A3, A4]
Problems: Bogus routing information
Other Possibilities:
  Extend / shorten source routes
  Generate false error messages
  Partition network
  Increase end-to-end latency
Overall Effects:
  Routing havoc
  Low reliability
  Questionable information reporting
  Decreased lifetime of network
  Congestion / collisions
  Etc.
Allows the attacker to selectively “hide” information
[Figure label: Enemy Area]
Attacks: Selective Forwarding / Blackholes / Sinkholes
Only forward a select few… drop / modify remaining packets
Jamming can cause similar effects
Location of node may have significant effects
Attack: Sybil attack
An adversary may present multiple identities to other nodes
Geographic Routing is very susceptible – exchange of locality information
Attack: Wormholes
Tunnel packets received in one part of the network and replay them in a different part
Exploits routing race conditions
Enables other attacks
Can be launched by insiders and outsiders
Attack: HELLO floods
Protocols that use HELLO packets to announce to neighbors
Assumption: the sender of a received packet is within normal radio range
False! A powerful transmitter could reach the entire network
Can be launched by insiders and outsiders
Attack: Acknowledgement Spoofing
Spoof link layer ACK packets of neighbor nodes
Selective forwarding by encouraging sender to send via weak links
Protocols Analyzed in Paper
Protocol | Relevant attacks
TinyOS beaconing | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
Directed diffusion and multipath variant | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods
Geographic routing (GPSR, GEAR) | Bogus routing information, selective forwarding, Sybil
Minimum cost forwarding | Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods
Clustering based protocols (LEACH, TEEN, PEGASIS) | Selective forwarding, HELLO floods
Rumor routing | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes
Energy conserving topology maintenance | Bogus routing information, Sybil, HELLO floods
All insecure
Protocols Analyzed in Paper
Attack | TinyOS | Directed Diff | Geographic Routing | Min Cost Fwding | Cluster Based | Rumor Routing | Energy Conserving
Bogus routing | X | X | X | X | - | X | X
Selective forwarding | X | X | X | X | X | X | -
Sinkholes | X | X | - | X | - | X | -
Sybil | X | X | X | - | - | X | X
Wormholes | X | X | - | X | - | X | -
HELLO floods | X | X | - | X | X | - | X
SPEED
SPEED: A Stateless Protocol for Real-Time Communication in Sensor Networks. Uses neighbor tables
[Figures: Uniform Back-Pressure; Strong Back-Pressure (Congestion); SNGF - 3 (Example): Node 5's NT with ID and Delay columns, and a packet travelling from Source to Destination]
SPEED (and RAP): Routing Security Analysis
Convince nodes to change their state tables (delay, source, destination, distance, deadlines).
Change the radius of the last mile process.
Lower the velocity of a packet which will end up missing its deadline later and will be dropped.
Flood network with high velocity packets (i.e. short deadlines or large distances).
Drop the SpeedReceive() messages.
Local forwarding decisions allow some types of attacks to not be noticed. Example: a destination that is “beyond” the edge of the network.
Local Stabilization
F-Local Stabilization
Faults are contained locally around where they occurred.
Time taken for the system to stabilize is a function of the size of the perturbed region.
[Figure labels: Locally Contained Fault Regions; Definite Time which is proportional to size of perturbed region; Correction]
Local Stabilization
Node of Fault Propagation to initiate a “Containment” action that moves faster than the stabilization (“Fault Propagation”) action.
“Corrective” action always lags behind “Fault propagation” action
[Figure labels: Containment Wave; Fault Propagation Wave; Correction Wave]
LSRP: Routing Security Analysis
Send out false waves
Delay / drop correction & containment waves
Spoof link information (affects shortest paths)
Trajectory Based Forwarding
Improving routing in both mobile and fixed networks when position is available.
[Figure labels: Source; Destination; Forbidden Zone; Intermediate Destination; Straightforward Path; Multipath Routing by TBF]
TBF: Routing Security Analysis
Change trajectory functions
Spoof nodal location information
Flood network with large broadcasts
Spatiotemporal Multicast
[Figure labels: Wake up just in time; Sleeping nodes; Awaken nodes]
Adaptive Mobicast
[Figure labels: Adaptive forwarding zone; Hole]
Mobicast: Routing Security Analysis
Increase or decrease delivery and forwarding zone sizes
Provide false locations to nodes to make paths longer than they need be
Modify delta-values in adaptive mobicast
ASCENT and Energy Conserving Topology Management
Insecure routing protocol ASCENT will not guarantee correct neighbor sets.
Attacks on routing that make the network look overly sparse or dense may negatively affect ASCENT – increased power consumption.
Misrepresent energy remaining levels.
All (successful) attacks may potentially counteract the energy savings of any given protocol.
Countermeasures: Bogus routing information
Outsiders:
  Authenticated Routing
  Crypto techniques (globally shared key)
  Mitigates Sybil, Sinkhole, Selective Forwarding
  Little effect on Wormhole and HELLO Flood
Insiders:
  Consistency checks
  Verify through trustworthy nodes
  Crypto techniques (per-link keys)
[Figure label: Enemy Area]
Countermeasures : Selective Forwarding / Blackholes / Sinkholes
Multipath and probabilistic routing
Verify information where possible
Geographic-based protocols hold promise
Countermeasures : Wormholes
Difficult to defend against
Can be launched by insiders and outsiders
Difficult to detect
Best solution: avoid routing race conditions
Geographic routing protocols hold promise
Countermeasures : Sybil attack
Verify identities of neighbors through unique symmetric keys with base station
Establish shared keys
Limit number of neighbors with keys
Countermeasures : HELLO floods
Bidirectional Links
Verify identities of neighbors
Base station can enforce limited number of neighbors
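The Sybil and HELLO flood countermeasures above, as an added example that is not from the slides or the paper: a base station that shares a unique symmetric key with each node approves a neighbor link only when both endpoints prove their identity, and caps the number of neighbors per node. The HMAC-SHA256 tags, the quota of 3, the replay check and all names (BaseStation, prove, request_link, demo) are assumptions; requiring a tag from both endpoints stands in for the bidirectional-link check, and distribution of the resulting per-link key is omitted.

```python
import hashlib
import hmac
import os

MAX_NEIGHBORS = 3  # assumed quota enforced by the base station (BS)

def prove(key, a, b, nonce):
    """Tag showing the caller holds a BS-shared key, bound to this link request."""
    return hmac.new(key, b"|".join([a.encode(), b.encode(), nonce]), hashlib.sha256).digest()

class BaseStation:
    def __init__(self, node_ids):
        # One unique symmetric key per deployed node, shared only with the BS.
        self.keys = {n: os.urandom(16) for n in node_ids}
        self.neighbors = {n: set() for n in node_ids}
        self.seen_nonces = set()

    def authorize_link(self, a, b, nonce, tag_a, tag_b):
        """Approve link a<->b only if both identities verify and quotas allow."""
        if a == b or nonce in self.seen_nonces:
            return False  # self-link or replayed request
        for node, tag in ((a, tag_a), (b, tag_b)):
            key = self.keys.get(node)
            if key is None or not hmac.compare_digest(prove(key, a, b, nonce), tag):
                return False  # unknown (Sybil) identity or wrong key
        if any(len(self.neighbors[n]) >= MAX_NEIGHBORS for n in (a, b)):
            return False  # quota bounds what a HELLO flood can gain
        self.seen_nonces.add(nonce)
        self.neighbors[a].add(b)
        self.neighbors[b].add(a)
        return True

def request_link(bs, a, key_a, b, key_b):
    """Both endpoints tag the same fresh nonce; the BS decides."""
    nonce = os.urandom(8)
    return bs.authorize_link(a, b, nonce, prove(key_a, a, b, nonce),
                             prove(key_b, a, b, nonce))

def demo():
    """Constructed scenario: six nodes, n6 compromised by an insider."""
    bs = BaseStation([f"n{i}" for i in range(1, 7)])
    k = bs.keys  # stand-in for keys preloaded on each node
    honest = request_link(bs, "n1", k["n1"], "n2", k["n2"])
    # Sybil identity "s1" is unknown to the BS; n6's key cannot vouch for it.
    sybil = request_link(bs, "s1", k["n6"], "n3", k["n3"])
    # HELLO flood from insider n6: valid key, but the quota caps accepted links.
    flood = [request_link(bs, "n6", k["n6"], f"n{i}", k[f"n{i}"]) for i in range(1, 6)]
    return honest, sybil, flood
```

In the constructed run the insider still gains three links, which matches the slides' point that insider attacks can be bounded but not fully stopped.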
Countermeasures (Notes)
Nodes near base stations are attractive to compromise
Clustering and Overlays may reduce their significance
Can leverage global knowledge
  Send localized info to base station
  Base station maps network topology
  Base station is periodically updated
  Drastic / suspicious changes observed
Countermeasures (Notes)
Base Station Authentication – no node can spoof BS, but every node can verify messages from BS
Localized Node Authentications
SPINS - μTESLA & SNEP (next presentation)
SPEED Goals vs. Security
Soft real-time: predictable e2e delay
Uniform communication speed
High Scalability
Stateless Architecture
Localized Behavior
Load Balancing
Traffic Control
Void Avoidance
Security may cause unpredictable delays
Security may require stateful architecture
Security may require global behavior
Security may lessen the ability to load balance
RAP Goals vs. Security
Minimize e2e deadline miss ratio
Provide high-level services APIs (similar to SPEED)
High scalability
Minimize communication and processing overhead
Security may cause unpredictable delays
Security may not be as scalable
Security may increase communication and processing overhead
Trajectory Based Forwarding vs. Security
Scalability. Power management.
Along one trajectory. Multiple trajectories.
Data centrism. Event localization. Event handling.
Security. Trajectory specification.
Stability. Temporary faults. Permanent faults.
Security may not be as scalable
Security may require single, multiple, no trajectories
Security may require symmetric trajectories for bi-directional communications
If one knows where compromised nodes are, trajectories may help
Summary & Discussion
Tamper resistant nodes – realistic or necessary?
How do you know you’re being attacked?
If you have a secure application layer, but don’t have secure routing, can the WSN be effective?
Local vs. Global Routing advantages / disadvantages
Will data mining help detect malicious / compromised nodes?
If stopping all attacks on routing is impossible, what alternatives are there?
What are the cost-benefit trade-offs of secure WSN routing? How do you evaluate these?
How can traffic analysis / homing be defeated?
Conclusions
Secure routing is a prerequisite to effective WSNs … in the face of threats
Traditional security solutions aren’t applicable.
One must define the security goals of the network.
Analyzing attacks will give insight into effective countermeasures.
Must consider both insider and outsider threats.
Must incorporate security at design time.
The paper “Report on a Working Session on Security in Wireless Ad-Hoc Networks” provides possible solutions (e.g., SRP, SEAD, Ariadne, geographical leashes, temporal leashes, etc.)