
Secure Routing in Sensor Networks: Attacks and Countermeasures (Authors: Chris Karlof and David Wagner, UC Berkeley)

By Mike McNett, 20 Oct 2003, Computer Science Department, University of Virginia.


Presentation Transcript


  1. Secure Routing in Sensor Networks: Attacks and Countermeasures (Authors: Chris Karlof and David Wagner, UC Berkeley) By Mike McNett 20 Oct 2003 Computer Science Department University of Virginia

  2. Focus of this Presentation • The Essential Ideas of Secure Routing Attacks & Countermeasures [Figure labels: Selective Forwarding; Not Addressed; Bogus Routing] • Ref: Denial of Service in Sensor Networks; Wood & Stankovic • NOTES: DoS attacks aren’t directly addressed in this paper. Defenses / countermeasures are similar.

  3. The Essential Ideas of Secure Routing Attacks & Countermeasures • WSNs have unique constraints that make secure routing difficult. • One must define the security goals of the network. • WSNs offer the attacker unique attacks that aren’t found in traditional networks. • Analyzing attacks will give insight into effective countermeasures. • Not all attacks can be stopped (assuming insiders).

  4. Outline • Introduction • Novelty and Contribution • The Problem Addressed • WSN Routing Attacks • Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT • Countermeasures • Cross-cutting Issues / Open Questions • Conclusions

  5. Introduction – Questions to Consider • What historical events drive us towards the need for secure networks? • Is routing security necessary in all environments and applications? • How robust should the security be? • Is it even possible to have security that prohibits attacks? • If possible, then at what cost? • Can traditional routing security solutions be used in WSNs?

  6. Introduction – WSN Routing • Base stations and sensor nodes • Node vulnerabilities • Low overhead protocols • Broadcast media • Specialized traffic patterns • Potentially every node is a router • In-network processing • Resource constraints • Dynamic topologies

  7. Outline • Introduction • Novelty and Contribution • The Problem Addressed • WSN Routing Attacks • Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT • Countermeasures • Cross-cutting Issues / Open Questions • Conclusions

  8. Novelty and Contribution • Proposes threat models and security goals for secure WSN routing. • Adapts previously known attacks to WSNs. • Addresses two novel attacks: HELLO Floods and Sinkholes. • Presents security analysis of major WSN routing protocols and energy-conserving topology maintenance algorithms. • Discusses countermeasures and design considerations for secure WSN routing protocols.

  9. Outline • Introduction • Novelty and Contribution • The Problem Addressed: • Network Assumptions and Trust Requirements • Threat Models and Security Goals • WSN Routing Attacks • Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT • Countermeasures • Cross-cutting Issues / Open Questions • Conclusions

  10. Network Assumptions • Insecure radio links • Eavesdropping, injecting bits, and packet replays • Attacker has similar capabilities (HW, etc.) • Nodes can be “turned” • Attacker controls > 1 node; collusion is possible • Attacker may have high quality communications • Tamper resistant nodes are not realistic

  11. Trust Requirements • Base Stations are trustworthy • Aggregation points may be trusted, but not guaranteed

  12. Threat Models and Secure Routing Goals • Threat Model: • Mote-class vs. laptop-class adversaries • Insiders vs. outsiders • Security Goals: • Authenticity: verifies the identity of the sender • Integrity: messages are not tampered with • Availability: messages are received by intended receivers • Link layer security still possible • Insiders and laptop-class adversaries are the main challenge

  13. Security Goals Out of Scope • Confidentiality / Secrecy of messages • Protection against Eavesdropping • Exception – protocol should prevent eavesdropping caused by misuse or abuse of the protocol itself • Protection against the replay of data packets • Claim 1 by Authors: It is possible to meet the security goals when only considering outsiders. • Claim 2 by Authors: It is most likely that some if not all of these goals are not fully attainable when considering insiders. • Question: What information / intelligence can be gained by the attacker through observing unencrypted overhead packets?

  14. Outline • Introduction • Novelty and Contribution • The Problem Addressed • WSN Routing Attacks: • Spoofing, Selective Forwarding, Sinkhole Attack, Sybil Attack, Wormholes, HELLO Flood Attack, Acknowledgement Spoofing • Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT • Countermeasures • Cross-cutting Issues / Open Questions • Conclusions

  15. TinyOS Beaconing

  16. Attack: Bogus routing information • Spoofed, altered, or relayed routing information causes problems • Example: spoof routing beacons and claim to be base station

  17. Attack: Bogus routing information • Routing loops [Figure: nodes A and B]

  18. Problems: Bogus routing information • Attract / Repel Traffic [Figure: node B, nodes A1 to A4, Enemy Area]

  19. Problems: Bogus routing information • Other Possibilities: • Extend / shorten source routes • Generate false error messages • Partition network • Increase end-to-end latency • Overall Effects: • Routing havoc • Low reliability • Questionable information reporting • Decreased lifetime of network • Congestion / collisions • Etc. • Allows the attacker to selectively “hide” information

  20. Attacks: Selective Forwarding / Blackholes / Sinkholes • Only forward a select few… drop / modify remaining packets • Jamming can cause similar effects • Location of node may have significant effects [Figure label: Enemy Area]

  21. Attack: Sybil attack • An adversary may present multiple identities to other nodes • Geographic Routing is very susceptible – exchange of locality information [Figure: nodes A and B]

  22. Attack: Wormholes • Tunnel packets received in one part of the network and replay them in a different part • Exploits routing race conditions • Enables other attacks • Can be launched by insiders and outsiders

  23. Attack: HELLO floods • Protocols that use HELLO packets to announce to neighbors • Assumption: the sender of a received packet is within normal radio range • False! A powerful transmitter could reach the entire network • Can be launched by insiders and outsiders

  24. Attack: Acknowledgement Spoofing • Spoof link layer ACK packets of neighbor nodes • Selective forwarding by encouraging sender to send via weak links

  25. Protocols Analyzed in Paper • All insecure

  26. Protocols Analyzed in Paper [Table of attacks by protocol; only its labels survive: Directed Diff; Geographic Routing; Energy Conserving; Min Cost Fwding; Rumor Routing; Cluster Based; TinyOS; Attack]

  27. Outline • Introduction • Novelty and Contribution • The Problem Addressed • WSN Routing Attacks • Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT • Countermeasures • Cross-cutting Issues / Open Questions • Conclusions

  28. SPEED • SPEED: A Stateless Protocol for Real-Time Communication in Sensor Networks. • Uses neighbor tables [Figure labels: Strong Back-Pressure (Congestion); Uniform Back-Pressure]

  29. SNGF - 3 (Example) • Node 5's NT (neighbor table): ID 9: delay 0.5s, speed 20 • ID 7: delay 0.1s, speed 110 • ID 10: delay 0.4s, speed 30 • ID 3: delay 0.1s, speed 115 [Figure: nodes 2, 3, 5, 7, 9, 10, 11 with labels Source, Packet, Packet Destination, Delay]

  30. SPEED (and RAP): Routing Security Analysis • Convince nodes to change their state tables (delay, source, destination, distance, deadlines). • Change the radius of the last mile process. • Lower the velocity of a packet which will end up missing its deadline later and will be dropped. • Flood network with high velocity packets (i.e. short deadlines or large distances). • Drop the SpeedReceive() messages. • Local forwarding decisions allow some types of attacks to not be noticed. Example: a destination that is “beyond” the edge of the network.

  31. Local Stabilization • F-Local Stabilization • Faults are contained locally around where they occurred. • Time taken for the system to stabilize is a function of the size of the perturbed region. [Figure labels: Locally Contained Fault Regions; Correction; Definite Time which is proportional to size of perturbed region]

  32. Local Stabilization • Node of Fault Propagation initiates a “Containment” action that moves faster than the stabilization (“Fault Propagation”) action. • “Corrective” action always lags behind “Fault Propagation” action [Figure labels: Correction Wave; Fault Propagation Wave; Containment Wave]

  33. LSRP: Routing Security Analysis • Send out false waves • Delay / drop correction & containment waves • Spoof link information (affects shortest paths)

  34. Trajectory Based Forwarding • Improving routing in both mobile and fixed networks when position is available. [Figure labels: Forbidden Zone; Intermediate Destination; Straightforward Path; Destination; Source]

  35. Multipath Routing by TBF

  36. TBF: Routing Security Analysis • Change trajectory functions • Spoof nodal location information • Flood network with large broadcasts

  37. Spatiotemporal Multicast • Wake up just in time [Figure labels: Sleeping nodes; Awaken nodes]

  38. Adaptive Mobicast [Figure labels: Hole; Adaptive forwarding zone]

  39. Mobicast: Routing Security Analysis • Increase or decrease delivery and forwarding zone sizes • Provide false locations to nodes to make paths longer than they need be • Modify delta-values in adaptive mobicast

  40. ASCENT and Energy Conserving Topology Management • Insecure routing protocol → ASCENT will not guarantee correct neighbor sets. • Attacks on routing that make the network look overly sparse or dense may negatively affect ASCENT – increased power consumption. • Misrepresent energy remaining levels. • All (successful) attacks may potentially counteract the energy savings of any given protocol.

  41. Outline • Introduction • Novelty and Contribution • The Problem Addressed • WSN Routing Attacks • Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT • Countermeasures • Cross-cutting Issues / Open Questions • Conclusions

  42. Countermeasures: Bogus routing information • Outsiders: • Authenticated Routing • Crypto techniques (globally shared key) • Mitigates Sybil, Sinkhole, Selective Forwarding • Little effect on Wormhole and HELLO Flood • Insiders: • Consistency checks • Verify through trustworthy nodes • Crypto techniques (per-link keys)

  43. Countermeasures: Selective Forwarding / Blackholes / Sinkholes • Multipath and probabilistic routing • Verify information where possible • Geographic-based protocols hold promise [Figure label: Enemy Area]

  44. Countermeasures: Wormholes • Difficult to defend against • Can be launched by insiders and outsiders • Difficult to detect • Best solution → avoid routing race conditions • Geographic routing protocols hold promise

  45. Countermeasures: Sybil attack • Verify identities of neighbors through unique symmetric keys with base station • Establish shared keys • Limit number of neighbors with keys [Figure: nodes A and B]

  46. Countermeasures: HELLO floods • Bidirectional Links • Verify identities of neighbors • Base station can enforce limited number of neighbors

  47. Countermeasures (Notes) • Nodes near base stations are attractive to compromise • Clustering and Overlays may reduce their significance • Can leverage global knowledge • Send localized info to base station • Base station maps network topology • Base station is periodically updated • Drastic / suspicious changes observed

  48. Countermeasures (Notes) • Base Station Authentication – no node can spoof BS, but every node can verify messages from BS • Localized Node Authentications • SPINS - μTESLA & SNEP (next presentation)

  49. Outline • Introduction • Novelty and Contribution • The Problem Addressed • WSN Routing Attacks • Analysis of Security of SPEED, RAP, LSRP, Trajectory Based Forwarding, Mobicast, ASCENT • Countermeasures • Cross-cutting Issues / Open Questions • Conclusions

  50. SPEED Goals vs. Security • Soft real-time: predictable e2e delay • Uniform communication speed • High Scalability • Stateless Architecture • Localized Behavior • Load Balancing • Traffic Control • Void Avoidance • Security may cause unpredictable delays • Security may require stateful architecture • Security may require global behavior • Security may lessen the ability to load balance
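
The bidirectional-link and neighbor-verification checks from slides 45 and 46, as an added example that is not taken from the slides or from Karlof and Wagner's paper: a node accepts a HELLO sender only after a challenge sent at its own radio range is answered with a MAC under a per-link key, and it caps its neighbor count. The `Node` class, the distance-based radio model, the key table and `MAX_NEIGHBORS` are assumptions made for illustration.

```python
import hashlib, hmac, math, os

MAX_NEIGHBORS = 4  # assumed cap standing in for the base-station-enforced limit

class Node:
    def __init__(self, node_id, pos, tx_range, link_keys):
        self.id, self.pos, self.tx_range = node_id, pos, tx_range
        self.link_keys = link_keys   # {peer_id: key}; key setup is assumed done
        self.neighbors = set()

    def can_reach(self, other):
        # Toy radio model: a frame arrives only inside the sender's own range.
        return math.dist(self.pos, other.pos) <= self.tx_range

    def answer_challenge(self, peer_id, nonce):
        key = self.link_keys.get(peer_id)
        return hmac.new(key, nonce, hashlib.sha256).digest() if key else None

    def on_hello(self, sender):
        """Decide whether a HELLO heard from `sender` makes it a neighbor."""
        if not self.can_reach(sender):
            return "rejected: link is one-way"   # our challenge cannot arrive
        key = self.link_keys.get(sender.id)
        if key is None:
            return "rejected: no shared key"
        nonce = os.urandom(8)                    # fresh per challenge
        reply = sender.answer_challenge(self.id, nonce)
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        if reply is None or not hmac.compare_digest(reply, expected):
            return "rejected: bad response"
        full = len(self.neighbors) >= MAX_NEIGHBORS
        if sender.id not in self.neighbors and full:
            return "rejected: neighbor limit"
        self.neighbors.add(sender.id)
        return "accepted"

def demo():
    k = b"constructed-sample-key"                      # constructed test key
    mote = Node("m1", (0, 0), 10, {"m2": k, "far": k})
    peer = Node("m2", (6, 0), 10, {"m1": k})           # ordinary neighbor
    loud = Node("far", (200, 0), 1000, {"m1": k})      # heard, but out of reach
    stranger = Node("m3", (3, 0), 10, {})              # in range, no key
    return [mote.on_hello(n) for n in (peer, loud, stranger)]

if __name__ == "__main__":
    print(demo())
```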
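
The base-station monitoring described on slide 47, as an added example (not from the slides or the paper): the base station compares successive neighbor reports and flags drastic or suspicious changes. The report format, the function names and the thresholds are assumptions, and the node reports are constructed.

```python
from collections import Counter

def in_degree(snapshot):
    """How many nodes list each node as a neighbor."""
    return Counter(n for nbrs in snapshot.values() for n in nbrs)

def jaccard_distance(a, b):
    union = a | b
    return 0.0 if not union else 1 - len(a & b) / len(union)

def suspicious_changes(prev, curr, churn_limit=0.4, degree_jump=3):
    """Compare two topology snapshots of {node: set(reported neighbors)}."""
    findings = []
    for node in sorted(curr):                       # drastic local change
        if node in prev and jaccard_distance(prev[node], curr[node]) > churn_limit:
            findings.append((node, "neighbor-set churn"))
    before, after = in_degree(prev), in_degree(curr)
    for node in sorted(after):                      # suddenly everyone's neighbor
        if after[node] - before.get(node, 0) >= degree_jump:
            findings.append((node, "in-degree jump"))
    for node in sorted(curr):                       # link claimed by one side only
        for nbr in sorted(curr[node]):
            if node not in curr.get(nbr, set()):
                findings.append((node, f"one-way link to {nbr}"))
    return findings

# Constructed reports: a five-node chain, then every node also lists "x9".
PREV = {"n1": {"n2"}, "n2": {"n1", "n3"}, "n3": {"n2", "n4"},
        "n4": {"n3", "n5"}, "n5": {"n4"}}
CURR = {node: nbrs | {"x9"} for node, nbrs in PREV.items()}

if __name__ == "__main__":
    for finding in suspicious_changes(PREV, CURR):
        print(finding)
```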
