Security in Mobile Ad Hoc Networks - Hacettepe Üniversitesi · 2014-03-24 · Security Threats in...



Security Threats


Mobile Ad Hoc Networks

Vulnerabilities of MANETs

o Wireless links

o Dynamic topology

o Cooperativeness

o Lack of a clear line of defense

o Limited resources

Wireless links

o Insecurity of open medium

o Makes the network susceptible to attacks.

o Eavesdropping

o Active interference

o Attackers do not need physical access to the network to carry out these attacks.

Dynamic topology

o Difficult to differentiate normal behaviour of the network from anomaly/malicious behaviour.

o A node sending disruptive routing information

o A node who does not collaborate

o Cannot assume nodes secured in locked cabinets.


Routing algorithms generally assume that nodes are



A malicious node

o easily become an important routing agent

o disrupt network operations by disobeying the protocol specifications.

Lack of a Clear Line of Defense

o Attacks can come from all directions.

o The boundary separating the inside network from the outside is not clear.

o No well-defined place that we can deploy

o Traffic monitoring mechanisms

o Access control mechanisms

Limited Resources

o Resource-constrained nodes

o Laptops, handheld devices such as PDAs and mobile phones.

o Lead to new attacks

o Sleep deprivation torture attacks.

o DoS attacks targeting limited resources.

Security Goals

o Authentication

o Confidentiality

o The sensitivity of information can change rapidly.

o Integrity

o Availability

o modern war-goal.

o Non-Repudiation

Attacks on Network Protocol Stack

Layer: Attacks

Application: data corruption, viruses, worms

Transport: TCP/UDP SYN flood

Network: hello flood, blackhole

Data Link: monitoring, traffic analysis

Physical: eavesdropping, active interference

External & Internal Attackers

External Attacks: by unauthorized nodes

Internal Attacks: by internal nodes

Failed Nodes: unable to perform. Power failure, environmental factors, etc.

Selfish Nodes: exploit the routing protocol to their advantage (not cooperate), for example to save their resources

Malicious Nodes: aim to disrupt the network or listen to confidential information

Misuse Goal of Attackers

Route Disruption: modifying existing routes, creating routing loops, and causing the packets to be forwarded along a route that is not optimal, non-existent, or otherwise erroneous

Node Isolation: isolating a node or some node(s) from communicating with other nodes in the network, partitioning the network, etc.

Resource Consumption: decreasing network performance, consuming network bandwidth or node resources, etc.

the Performance of an Attack

o Computational power

o Deployment capability

o Location control

o Mobility

o Degree of physical access

Attacks on MANETs

Passive Attacks

o Eavesdropping attacks

o Spread spectrum communication

o Frequency hopping

o Traffic analysis

o The existence and location of nodes

o The communication network topology

o The roles played by nodes

o The current sources & destination of communications

o The current location of specific individuals or functions

In MANETs, nodes that are not within each other’s communication range must rely on other nodes to forward their packets.

Dropping Attacks

Dropping Attack

Malicious nodes drop data packets not destined for themselves.

Disrupt network connection.

Difficult to differentiate packet droppings due to mobility.

mobility (60%)


transmission link errors

Packet Forwarding Attacks 1/2

o Drop the packets.

o Modify the content of the packets.

o Duplicate the packets.

o Inject a large amount of junk packets into the network (DoS).

Packet Forwarding Attacks 2/2

Multi-hop networks assume that participating nodes will faithfully forward received messages.

Selective Forwarding Attack: Malicious nodes refuse to forward some messages and drop them. (Integrity)

Routing Attacks

o Modify the route.

o Cause the packets to be forwarded along a route that is not optimal or non-existent.

o Create routing loops in the network.

o Prevent the source node from finding any route to the destination.

o Partition the network.

Fabrication Attacks

o Active forge

o Send faked messages without receiving any related messages.

o Forge reply

o Sends fake route reply messages in response to related legitimate route request messages.

Atomic Misuses of a RREQ Message

DR: drop

MF: modification

AF: active forge

Possible Modifications of Fields in a RREQ Message


If an attacker drops all the RREQ messages it receives, this misuse is equivalent to not having the attacking node.

The attacker

o may also selectively drop RREQ messages.

o may separate the nodes if it is in a critical



Suppose node S broadcasts a RREQ to establish a route to node D.

o Replace the RREQ ID of node S with the RREQ ID of node D, increase it by a small number.

o Interchange the source IP address with the destination IP address in the RREQ message.

o Increment the dest. sequence number by at least one.

o Fill source IP address in IP header with a non-existent IP address.


o Increase the source node’s RREQ ID by at least one.

o Increase the source sequence number by at least one.

o Increase the destination sequence number by at least one.

(insider attacker is in the transmission range of the source node).

Node Isolation (RREQ_MF)

o Attacker prevents a victim node from receiving data packets from other nodes for a short period of time.

1. Increase the RREQ ID by a small number.

2. Replace the destination IP with a non-existent one.

3. Increase the source seq. number (by at least one).

4. Set the source IP address in IP header to a non-existent one.

5. Broadcast the message.

Node Isolation (RREQ_MF)

o It can prevent a victim node from receiving data packets for a short period.

o It cannot fully isolate the victim node due to the local repair mechanism.

o If data packets cannot be delivered successfully, new route discovery is initiated.

o The victim may still be able to send data packets to other nodes.

Resource Consumption (RREQ_MF)

o It is difficult to consume too many resources with one faked RREQ.

o It can still introduce unnecessary broadcast messages into the network.

o It can make a RREQ message appear to be fresh (by increasing the RREQ ID).

o Repeatedly apply RREQ_MF_RC misuse to make a real impact on the network.
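
A specification-based check for the RREQ modification misuses above, as an added example that is not part of the original slides: a monitoring node compares a neighbour's rebroadcast RREQ with the RREQ that neighbour received, using the AODV (RFC 3561) forwarding rules. The `Rreq` record, `check_rebroadcast`, `run_samples` and all sample values are constructed for illustration.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Rreq:
    ip_src: str      # IP-header source: the node that transmitted this copy
    orig: str        # originator (source) IP address
    rreq_id: int
    orig_seq: int    # originator sequence number
    dest: str        # destination IP address
    dest_seq: int
    hop_count: int

def check_rebroadcast(received, out, forwarder):
    """Violations in RREQ `out` transmitted by `forwarder` (identified at the
    link layer, an assumption), given the RREQs that node received earlier."""
    issues = []
    if out.ip_src != forwarder:
        issues.append("IP-header source is not the transmitting node")
    if out.orig == forwarder and out.hop_count == 0:
        return issues                      # the forwarder's own route request
    match = next((r for r in received
                  if (r.orig, r.rreq_id) == (out.orig, out.rreq_id)), None)
    if match is None:                      # RREQ ID/originator changed, or forged
        return issues + ["no received RREQ with this originator and RREQ ID"]
    if out.dest != match.dest:
        issues.append("destination IP changed")
    if out.orig_seq != match.orig_seq:
        issues.append("originator sequence number changed")
    if out.hop_count != match.hop_count + 1:
        issues.append("hop count not incremented by exactly one")
    # RFC 3561 lets a forwarder raise dest_seq to the value it already knows,
    # so an increase cannot be flagged here; only a decrease is a violation.
    if out.dest_seq < match.dest_seq:
        issues.append("destination sequence number decreased")
    return issues

# Constructed sample: S requests a route to D and neighbour X rebroadcasts it.
RECEIVED_BY_X = [Rreq("S", "S", 7, 40, "D", 12, 0)]
FAITHFUL = Rreq("X", "S", 7, 40, "D", 12, 1)
SAMPLES = {
    "faithful": FAITHFUL,
    "rreq_id": replace(FAITHFUL, rreq_id=9),
    "swapped": replace(FAITHFUL, orig="D", dest="S"),
    "orig_seq": replace(FAITHFUL, orig_seq=41),
    "ip_src": replace(FAITHFUL, ip_src="10.9.9.9"),
    "dest_seq": replace(FAITHFUL, dest_seq=13),   # passes: allowed by the spec
}

def run_samples():
    return {k: check_rebroadcast(RECEIVED_BY_X, m, "X") for k, m in SAMPLES.items()}
```

The `dest_seq` sample passes because the specification permits a forwarder to raise that field, so a raised destination sequence number needs other evidence to detect.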

Atomic Misuses of a RREP Message

DR: drop

MF: modification

FR: forge reply

AF: active forge


Route Disruption

o If only one RREP message is generated, the route is prevented from being established.

o Otherwise, this misuse has very limited impact.

Node Isolation

o If an attacker is the only neighbour of a victim node, it can partially isolate the victim node by dropping all the RREP messages.


Route Invasion

o If only one RREP message is generated, the attacker does not have to do anything to invade the route.

o If there are other RREP messages, the attacker could suppress other RREP messages.

(by increasing the dest. sequence number.)


Route Invasion (RREP_AF)

If the attacker has routes to both the source and the destination nodes.


[Figure: Faked RREP]



a Forge Reply Attack










Atomic Misuses of a RERR Message

DR: drop

MF: modification

AF: active forge

Possible Modifications of Fields in a RERR Message







1. Set the source IP address as node 5.

2. Set the dest. IP address as node 0.

3. Set the source seq. number to a number greater than node 5’s seq. number.

4. Set the source IP in IP header as node A.

5. Node A then broadcasts the faked RREQ message.

After receiving this message, node 2 & node 3 will set node A as the next hop to node 5.

Route Invasion by Two Faked RREQs 1 (1/3)







1. Set the source IP address as node A.

2. Set the dest. IP address as node 5.

3. Set the dest seq. number to a number greater than node 5’s seq. number.

4. Set the source IP in IP header as node A.

5. Node A then broadcasts the faked RREQ message.

Route Invasion by Two Faked RREQs 1 (2/3)







Route Invasion by Two Faked RREQs 1 (3/3)

Routing Loop Attack 1 (1/2)






Faked RREP message

1. Set the destination IP address to node 1.

2. Set the dest. seq. number as node 1’s seq. number plus at least one.

3. Set the source IP address to node 0.

4. Set the source IP address in the IP header to node 3.

5. Set the dest. IP address in the IP header to node 4.

Routing Loop Attack 1 (2/2)






The data packets will be dropped until the TTL fields in the IP packets decrease to 0.

Routing Loop Attack 2 (1/3)

o Set the source IP address as node 0.

o Set the destination IP address as node 1.

o Set the destination sequence number to a number greater than node 1’s sequence number.

o Set the source IP address in the IP header as node 3.

o Set the dest. IP address in the IP header as node 5.

[Figure: Faked RREP]

Routing Loop Attack 2 (2/3)

o Set the source IP address as node 0.

o Set the destination IP address as node 1.

o Set the destination sequence number to a number greater than node 1’s sequence number.

o Set the source IP address in the IP header as node 5.

o Set the dest. IP address in the IP header as node 6.

[Figure: Faked RREP]

Routing Loop Attack 2 (3/3)







Sinkhole, Blackhole Attacks, Grayhole attacks

o Attract nearly all traffic from a particular area through a compromised node by making the compromised node attractive.

o Especially effective in routing protocols that use advertised information in the route discovery process.

o remaining energy

o nearest node to the destination etc.

Modification Attacks

Ad Hoc Flooding Attacks

Broadcast a lot of RREQ messages for randomly selected nodes

Aim to consume the resources of the nodes and the network
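
One way to spot the flooding behaviour described above, as an added example that is not part of the original slides: count the new RREQs each originator issues per second and compare against the AODV default `RREQ_RATELIMIT` of 10 from RFC 3561. The event tuple layout, node names and addresses are constructed for illustration.

```python
from collections import defaultdict, deque

RREQ_RATELIMIT = 10   # RFC 3561 default: RREQs a node may originate per second

def flooding_originators(events, limit=RREQ_RATELIMIT, window=1.0):
    """events: time-ordered (timestamp, originator, rreq_id, destination) tuples,
    one per RREQ heard. Returns {originator: (peak RREQs per window, distinct
    destinations requested)} for originators whose peak exceeds `limit`."""
    recent = defaultdict(deque)   # originator -> timestamps inside the window
    seen = set()                  # (originator, rreq_id) pairs already counted
    dests = defaultdict(set)
    peak = defaultdict(int)
    for ts, orig, rreq_id, dest in events:
        if (orig, rreq_id) in seen:
            continue              # a neighbour's rebroadcast, not a new request
        seen.add((orig, rreq_id))
        q = recent[orig]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()
        dests[orig].add(dest)
        peak[orig] = max(peak[orig], len(q))
    return {o: (peak[o], len(dests[o])) for o in peak if peak[o] > limit}

def sample_events():
    """Constructed capture: N2 behaves normally, N7 floods."""
    events = [(0.10, "N2", 1, "N5"), (0.12, "N2", 1, "N5"),  # second: rebroadcast
              (0.50, "N2", 2, "N6"), (0.90, "N2", 3, "N5")]
    # 30 RREQs in under one second, each for a different made-up address
    events += [(i * 0.03, "N7", i, f"10.0.9.{i}") for i in range(30)]
    return sorted(events)
```

Counting per originator misses a flooder that varies the originator address; counting per transmitting neighbour is the complementary view.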

Sleep Deprivation Torture Attack

o A DoS attack

o Most mobile nodes are run on battery power.

o Consumes a victim node’s battery power & disables the node.

o More powerful than the better known DoS attacks (CPU exhaustion).

Routing Table Overflow Attack

o A DoS attack at the Route Discovery phase.

o Attacker sends a lot of route advertisements for nodes that do not exist.

o Overflows the victim nodes’ routing tables.

o Prevents new routes from being created.

o More effective in proactive protocols than in reactive protocols.

Routing Cache Poisoning Attack

o A fabrication attack.

o A node can update its table by overhearing routing control protocol messages.

o Attacker sends spoofed routing information


o Neighbour nodes update their tables


Timing Attacks

o DoS attacks

o Rushing attacks

o Hello flood attacks

o broadcasts Hello packets with large transmission


o Wormhole attacks

Rushing Attack

Occur during the Route Discovery phase

In reactive routing protocols, each node forwards only the first arriving Route Request in order to limit the overhead of message flooding

If the Route Request forwarded by the attacker arrives first at the destination, routes including the attacker will be discovered instead of valid routes

by ignoring delays at MAC or routing layers,

by wormhole attacks,

by keeping other nodes’ transmission queues full,

by transmitting packets at a higher wireless transmission power.

[Figure: Route Discovery (Route Req, Route Reply)]

[Figure: Route Discovery Under Rushing Attack (Route Req, Route Reply, Attacker)]

Jellyfish Attack


o Introduces delays in the network.

o Delays all packets it receives.

o Once delays are propagated then packets are released in the network.

o High end-to-end delays.

o High delay jitter.

o Decreasing the network performance.

Wormhole Attack




An attacker receives packets at one point in the network, tunnels them to an attacker at another point in the network, and then replays them into the network from this final point.

Packets sent by tunneling forestall packets forwarded by multi-hop routes.


o Prevention techniques: secure routing

o Authentication techniques

o Detection techniques

o Specification-based

o Anomaly-based

o Signature-based

o Promiscuous monitoring
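
Promiscuous monitoring applied to the dropping and selective forwarding attacks described earlier, as an added example that is not part of the original slides: a node checks whether each packet it handed to a neighbour is overheard being forwarded, and reports neighbours whose drop ratio exceeds a tolerance. The function name, tuple layouts, thresholds and trace are constructed for illustration.

```python
from collections import defaultdict

def watchdog(sent, overheard, timeout=0.5, min_samples=10, max_drop_ratio=0.3):
    """sent: (ts, pkt_id, next_hop, final_dst) for packets this node handed on.
    overheard: (ts, pkt_id, sender) for transmissions heard in promiscuous mode.
    Returns {neighbour: drop ratio} for neighbours above max_drop_ratio."""
    heard = defaultdict(list)                 # (sender, pkt_id) -> timestamps
    for ts, pkt_id, sender in overheard:
        heard[(sender, pkt_id)].append(ts)
    expected = defaultdict(int)
    dropped = defaultdict(int)
    for ts, pkt_id, next_hop, final_dst in sent:
        if next_hop == final_dst:
            continue                          # destination has nothing to forward
        expected[next_hop] += 1
        if not any(ts < t <= ts + timeout for t in heard[(next_hop, pkt_id)]):
            dropped[next_hop] += 1
    suspects = {}
    for node, n in expected.items():
        ratio = dropped[node] / n
        # min_samples and the tolerance keep occasional losses from link errors
        # or mobility from being reported as a dropping attack.
        if n >= min_samples and ratio > max_drop_ratio:
            suspects[node] = round(ratio, 2)
    return suspects

def sample_trace():
    """Constructed trace: B loses 2 of 20 packets, M forwards only even ids,
    C is the final destination of everything sent to it."""
    sent, overheard = [], []
    for i in range(20):
        t = i * 1.0
        sent += [(t, i, "B", "D"), (t, 100 + i, "M", "D"), (t, 200 + i, "C", "C")]
        if i not in (4, 11):
            overheard.append((t + 0.1, i, "B"))
        if i % 2 == 0:
            overheard.append((t + 0.1, 100 + i, "M"))
    return sent, overheard
```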


1. S. Sen, J.A. Clark, J.E. Tapiador, ‘Security Threats in Mobile Ad Hoc Networks’, Security of Self-Organizing Networks: MANET, WSN, WMN, VANET. Auerbach Publications, CRC Press, 2011

2. P. Ning, K. Sun, ‘How to Misuse AODV: A Case of Insider Attacks against Mobile Ad-hoc Routing

