Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures
Chris Karlof, David Wagner
University of California at Berkeley
Paper review and presentation by Run dong


Outline
• Overview & Background
• Statement of routing security problem
• Attacks on sensor network routing
• Attacks on specific sensor network protocols
• Countermeasures

Routing protocols
• Layer 3 protocols: determine the routing path and transmit the packets reliably
• Traditional routing protocols
  - RIP (Routing Information Protocol): distance vector
  - OSPF (Open Shortest Path First): link state
  - BGP
• Mobile ad hoc network protocols: on demand vs. table driven

WSN Routing Protocols
Goals of current routing protocols:
• Low energy
  - Minimize communication: radio costs more than instructions executed
  - Aggregate data in the network
• Low node duty cycle: shut down nodes when possible
• Robust: adapt to an unpredictable environment without intervention
• Scalable: rely on localized algorithms, no centralized control
• Low latency: must meet application latency and accuracy requirements
• Small footprint: must run on hardware with severe memory and computational power constraints

Overview
• Wireless sensor networks cannot depend on many of the resources available to traditional networks for security
• Current sensor routing protocols are not designed for security and are insecure; they are mostly optimized for the limited capabilities of the nodes
• Analyze current protocols to find attacks, and suggest countermeasures and design considerations
• The effective solution for secure routing is to design sensor routing protocols with security in mind

Problem statement
• Assumptions about the underlying network
  1. Radio links are insecure (easy to eavesdrop on)
  2. Sensor nodes are not tamper resistant
  3. The physical and MAC layers are susceptible to direct attack
  4. The base station is trustworthy
  5. Aggregation points may be trusted in certain protocols
• Different threat models
  1. Mote class vs. laptop class
  2. Outsider vs. insider
• Security goals in this setting
  1. The goal of a conventional network is reliable delivery of messages
  2. Sensor networks need in-network processing (aggregation, compression, duplicate elimination)
  3. Confidentiality and protection against replay of data packets are better handled by a higher level

Attack models
• Spoofed, altered, or replayed routing information
• Selective forwarding
• Sinkhole attacks
• Sybil attacks
• Wormhole attacks
• HELLO flood attacks
• Acknowledgement spoofing

Attack models
• Spoofed, altered, or replayed routing information
  - Create loops
  - Attract or repel network traffic
  - Extend or shorten source routes
  - Generate false error messages
  - Partition the network
• Selective forwarding
  - Black hole: refuse to forward certain messages and simply drop them
  - Either "in-path" or "beneath path" by deliberately jamming (a unique pair key to initialize FH or spread spectrum will prevent this)
  - Follow the path of least resistance and attempt to include itself on the actual data path flow

Attack models
• Sinkhole attacks
  - Lure nearly all traffic from a particular area through a compromised node
  - Makes selective forwarding trivial
  - The specialized communication pattern causes this problem (base station mode)
• Sybil attack
  - Forging of multiple identities: having a set of faulty entities represented through a larger set of identities
  - The Sybil attack undermines the assumed mapping between identity and entity, and hence the number of faulty entities

Attack models
• Wormholes
  - Tunneling of messages over alternative low-latency links, e.g. to confuse the routing protocol, create sinkholes, etc.
  - Exploit routing race conditions
• HELLO flood attack
  - An attacker sends or replays a routing protocol's HELLO packets with more energy
• Acknowledgement spoofing
  - Spoof link-layer acknowledgements to trick other nodes into believing that a link or node is either dead or alive

Attacks on specific protocols
• General types of typical sensor routing protocols: flooding, gradient, clustering and cellular, geographic, energy aware
• Protocols covered:
  - TinyOS beaconing
  - Directed diffusion
  - Geographic routing
  - Minimum cost forwarding
  - Cluster-head: LEACH
  - Rumor routing
  - Energy conserving topology maintenance

TinyOS beaconing
• The base station periodically broadcasts a route update (beacon)
• Nodes that receive the update mark the base station as parent and rebroadcast it
• Relevant attack modes: bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods

TinyOS beaconing: spoofed information
• Bogus and replayed routing information (such as "I am the base station") sent by an adversary can easily pollute the entire network.

TinyOS beaconing: wormhole & sinkhole combination
• Tunnel packets received in one place of the network and replay them in another place
• The attacker needs no key material. All it requires is two transceivers and one high-quality out-of-band channel
• Most packets will be routed to the wormhole
• The wormhole can drop packets directly (sinkhole), or more subtly forward packets selectively to avoid detection
Adapted from Chris Karlof and David Wagner's WSNPA slides

TinyOS beaconing: HELLO flood attack
• A laptop-class adversary can retransmit a routing update with enough power to be received by the entire network

Directed diffusion
• Data and application specific; content-based naming
• Interest distribution
  - Interests are injected into the network from the base station
  - Interval specifies an event data rate
  - Interest entry also maintains gradients
  - Data flows from the source to the sink along the gradient
• Data propagation and reinforcement
  - Reinforcement to single-path delivery
  - Multipath delivery with probabilistic forwarding
  - Multipath delivery with selective quality along different paths

Directed diffusion: relevant attacks
• Suppression: by spoofing negative reinforcements
• Cloning: by replaying information with the malicious node listed as a base station
• Path influence: by spoofing positive or negative reinforcements and bogus data events
• Selective forwarding and data tampering: by using the above attack methods to put the malicious node in the data flow
• Wormhole attacks
• HELLO floods
• Sybil attack

Geographic routing
• Greedy geographic query routing technique
• Cost function based on destination location and neighbor node energies, used to determine the next hop
• Improvement over Directed Diffusion's interest flooding technique
• Restricted broadcast within the sampling region

Geographic routing: relevant attacks
• Sybil attack
• Bogus routing information
• Selective forwarding
• No wormhole and sinkhole attacks

Sybil attack: an adversary may present multiple identities to other nodes. The Sybil attack can disrupt geographic and multi-path routing protocols by "being in more than one place at once" and reducing diversity. Traffic from B to C will now go through B->A3->C.

Geographic routing: relevant attacks (bogus routing information)
For traffic from B to D, A forges wrong information to claim that B is at (2,1), so C will send packets back to B, which eventually causes a loop.

Minimum cost forwarding
• A backoff-based cost field algorithm for efficiently forwarding packets from sensor nodes to a base station.
• Once the field is established, the message, carrying dynamic cost information, flows along the minimum cost path in the cost field. Each intermediate node forwards the message only if it finds itself on the optimal path for this message based on the message's cost states.
(Figure: A=110, will select B)

Minimum cost forwarding: relevant attack modes
• Sinkhole attack: a mote-class adversary advertising cost zero anywhere in the network
• HELLO flood attack
• Bogus routing information
• Selective forwarding
• Wormholes
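To gauge how much of a cost field one forged advertisement redirects, the following added example (not from the slides or the paper) settles the field on a small constructed topology and compares next hops with and without a node advertising cost zero. It uses Dijkstra's algorithm in place of the backoff-based field setup, which yields the same minimum costs; the node names, link costs and helper names are assumptions.

```python
import heapq

def cost_field(links, advertised):
    """Settle cost[n] = min over neighbours (cost[nbr] + link cost).

    links: {node: {neighbour: link_cost}}. advertised: {node: cost} taken at
    face value: the base station at 0, plus any node lying about its cost.
    Returns (cost, parent), where parent[n] is n's next hop.
    """
    cost = dict(advertised)
    parent = {n: None for n in advertised}
    heap = [(c, n) for n, c in advertised.items()]
    heapq.heapify(heap)
    while heap:
        c, n = heapq.heappop(heap)
        if c > cost[n]:
            continue                      # stale queue entry
        for nbr, w in links[n].items():
            if nbr not in advertised and c + w < cost.get(nbr, float("inf")):
                cost[nbr], parent[nbr] = c + w, n
                heapq.heappush(heap, (c + w, nbr))
    return cost, parent

def drawn_to(parent, root):
    """Nodes whose next-hop chain ends at `root` instead of the base station."""
    hit = set()
    for n in parent:
        hop = n
        while parent[hop] is not None:
            hop = parent[hop]
        if hop == root and n != root:
            hit.add(n)
    return hit

# Constructed topology (unit link costs): BS - a - b - c - d - e, with m next to d and e.
LINKS = {
    "BS": {"a": 1}, "a": {"BS": 1, "b": 1}, "b": {"a": 1, "c": 1},
    "c": {"b": 1, "d": 1}, "d": {"c": 1, "e": 1, "m": 1},
    "e": {"d": 1, "m": 1}, "m": {"d": 1, "e": 1},
}
honest_cost, honest_parent = cost_field(LINKS, {"BS": 0})
forged_cost, forged_parent = cost_field(LINKS, {"BS": 0, "m": 0})  # m advertises cost zero

if __name__ == "__main__":
    print("honest next hops:", honest_parent)
    print("next hops with m at cost 0:", forged_parent)
    print("drawn to m:", sorted(drawn_to(forged_parent, "m")))
```

Node c, which is closer to the base station than m, still switches its next hop from b to d: the forged cost propagates outward until it meets honest costs that are lower.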

LEACH
• Low-Energy Adaptive Clustering Hierarchy
• Randomized, self-configuring
• Low-energy media access control
• Cluster-heads collect data and perform processing, then transmit to the BS
• Relevant attack modes: HELLO floods, selective forwarding, Sybil attack

LEACH: relevant attack modes
• HELLO floods: cluster-head selection is based on signal strength, which means a powerful advertisement can make the malicious attacker a node's cluster-head.
• Sybil attack: combined with HELLO floods if nodes try to select a cluster-head randomly instead of by strongest signal strength.

Rumor routing
• Designed for query/event ratios between query and event flooding
• Lowers the energy cost of flooding
• Observation: two lines in a bounded rectangle have a 69% chance of intersecting; 5 lines, more than 99%
(Figure labels: Event, Source)

Rumor routing: relevant attack modes
• Bogus routing information
• Selective forwarding
• Sinkholes
• Sybil
• Wormholes

Energy conserving topology maintenance: GAF
• GAF (Geographical Adaptive Fidelity) identifies equivalent nodes for routing based on location information
• Dense node deployment; turns off unnecessary nodes
• Physical space is divided into equal-size virtual squares. Each node knows its location, and nodes within a square are equivalent
• Sleeping, discovery, and active states
• Each grid square has one active node
• Nodes are ranked with respect to current state and expected lifetime

Energy conserving topology maintenance: relevant attack modes for GAF
• Bogus routing information: broadcast high-ranking discovery messages, then use a selective forwarding attack
• Sybil & HELLO floods: target individual grids with high-ranking discovery messages from a non-existent node; frequent advertisements can disable the whole network by making most nodes sleep

Energy conserving topology maintenance: SPAN
• An energy-efficient coordination algorithm for topology maintenance
• Traffic is routed only by coordinators
• The backbone for routing fidelity is built by coordinators
• A node becomes eligible to be a coordinator if two of its neighbors cannot reach each other directly or via one or two coordinators
• Random backoff delays coordinator announcements
• Utility and energy level decide coordinator selection by adjusting the backoff time
• HELLO messages are broadcast periodically

Energy conserving topology maintenance: relevant attack modes for SPAN
• HELLO floods: broadcast n HELLO messages with fake coordinators and neighbors, which prevents nodes from becoming coordinators when they should; a selective forwarding attack can then follow

Summary of attacks

| Protocol | Relevant attacks |
|---|---|
| TinyOS beaconing | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods |
| Directed diffusion and its multipath variant | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes, HELLO floods |
| Geographic routing (GPSR, GEAR) | Bogus routing information, selective forwarding, Sybil |
| Minimum cost forwarding | Bogus routing information, selective forwarding, sinkholes, wormholes, HELLO floods |
| Clustering based protocols (LEACH, TEEN, PEGASIS) | Selective forwarding, HELLO floods |
| Rumor routing | Bogus routing information, selective forwarding, sinkholes, Sybil, wormholes |
| Energy conserving topology maintenance (SPAN, GAF, CEC, AFECA) | Bogus routing information, Sybil, HELLO floods |

Countermeasures
• Link layer security with a globally shared key can prevent the majority of outsider attacks: bogus routing information, Sybil, selective forwarding, sinkholes. However, it provides little protection against insiders, HELLO floods, and wormholes.
• Establish link keys using a trusted base station. Verifies the bidirectionality of links and prevents Sybil attacks and HELLO floods
• Multipath and probabilistic routing limit the effects of selective forwarding
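One way a node could apply the link-key and bidirectionality check before trusting a HELLO is sketched below as an added example; it is not code from the slides or the paper. The HMAC-SHA256 challenge-response, the range-based radio model, and all node names, positions and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

class Node:
    def __init__(self, node_id, pos, tx_range):
        self.node_id, self.pos, self.tx_range = node_id, pos, tx_range
        self.keys = {}                      # peer id -> link key from the base station

    def reaches(self, other):
        # Simplified radio model (assumption): delivered iff within the sender's range.
        return math.dist(self.pos, other.pos) <= self.tx_range

    def respond(self, peer_id, nonce):
        key = self.keys.get(peer_id)
        return None if key is None else _tag(key, nonce, self.node_id)

def _tag(key, nonce, responder_id):
    return hmac.new(key, nonce + responder_id.encode(), hashlib.sha256).digest()

def issue_link_key(a, b):
    """Stand-in for the trusted base station giving both nodes one fresh key."""
    a.keys[b.node_id] = b.keys[a.node_id] = os.urandom(16)

def accept_hello(receiver, sender):
    """Should `receiver` list `sender` as a neighbor after hearing its HELLO?"""
    if not sender.reaches(receiver):
        return "not heard"
    key = receiver.keys.get(sender.node_id)
    if key is None:
        return "rejected: no link key"
    nonce = os.urandom(8)
    if not receiver.reaches(sender):        # the receiver itself only sees a timeout
        return "rejected: one-way link"
    reply = sender.respond(receiver.node_id, nonce)
    if reply is None or not hmac.compare_digest(reply, _tag(key, nonce, sender.node_id)):
        return "rejected: bad response"
    return "accepted"

# Constructed scenario: motes with 15 m range; laptop-class senders with 500 m range.
n1, n2 = Node("n1", (0, 0), 15), Node("n2", (10, 0), 15)
issue_link_key(n1, n2)
outsider = Node("x9", (200, 0), 500)        # loud HELLO, identity unknown to n1
replayer = Node("n2", (200, 0), 500)        # replays n2's HELLO at high power from afar
insider = Node("n3", (200, 0), 500)         # compromised node that holds a valid key
issue_link_key(n1, insider)
nearby_forger = Node("n2", (5, 0), 15)      # claims n2's identity, lacks the key
for peer in (n2, outsider, replayer, insider, nearby_forger):
    print(peer.node_id, peer.pos, "->", accept_hello(n1, peer))
```

The insider case shows why the bidirectionality check matters in addition to the key: a valid link key alone would not stop a high-power HELLO from a node that n1 cannot transmit back to.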

Countermeasures
• Wormholes are difficult to defend against. They can be mounted effectively by both laptop-class insiders and outsiders. Good protocol design is the best solution: geographic and clustering-based protocols hold the most promise. Wormholes are ineffective against these protocols
• Authenticated broadcast and flooding are important primitives.
• Nodes near base stations are attractive to compromise. Clustering-based protocols and overlays can reduce their significance

Conclusion
• Link layer security is important, but cryptography is not enough for insiders and laptop-class adversaries: careful protocol design is needed as well.