Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols

Yih-Chun Hu, Adrian Perrig, and David B. Johnson

Presenter: Sandeep Mapakshi

CS 6910-ACIS – Project 6

Instructor: Prof. Leszek T. Lilien, Fall 2006

Department of Computer Science

Western Michigan University

Outline
  • On-Demand Routing Protocols
  • Rushing Attacks
  • Rushing Attack Prevention
  • Evaluation
  • Conclusion
Introduction
  • Wireless ad hoc network
    • a collection of mobile computers (nodes) that cooperate to forward each other's packets
    • dynamic topology
    • self-organization
Introduction (cont.)
  • Routing protocol components
    • Transport subsystem
    • Neighbor state maintenance
    • Database maintenance
  • Ad hoc network routing protocols
    • Run in untrusted environments
    • Must provide resilience against misconfigured nodes
Routing Protocols
  • Proactive routing protocol
    • Table-driven: every node keeps routes to all destinations up to date
  • Reactive routing protocol
    • Source-initiated on-demand: routes are found only when needed
    • Discovery works by flooding ROUTE REQUEST packets when a route is needed
Comparison between Table-Driven Routing and On-Demand Routing

                                     On-demand Routing                       Table-driven Routing
Availability of routing information  After route discovery                   Immediately from route table
Route updates                        When requested                          Periodic advertisements
Routing overhead                     Proportional to number of               Proportional to size of network,
                                     communicating nodes; increases          regardless of network traffic
                                     with node mobility
On-Demand Route Discovery

[Figure: source A floods a ROUTE REQUEST toward destination G through nodes B, C, D, E, F and H; each forwarding node appends itself to the route record, so copies in flight carry records such as A, A-B, A-C, A-B-D, A-C-E and A-B-D-G]
The Rushing Attack
  • On-demand routing protocols use duplicate suppression at each node: the first ROUTE REQUEST of a given discovery that reaches a node is treated as legitimate and forwarded; later copies carrying the same identifier are discarded (a higher identifier denotes a new discovery)
  • The attacker spreads its copy of the RREQ quickly throughout the network, so every later, legitimate copy is suppressed
  • The initiator is then unable to discover any usable route of two or more hops that does not pass through the attacker
  • An effective denial-of-service attack against route discovery
Why is the Attack Possible?
  • An attacker can send faster by skipping the delays that are part of the design of both the routing and the MAC (802.11b) protocols.
  • Why is ROUTE REQUEST forwarding delayed?
    • In a MAC protocol using time division, a node must wait for its transmission slot
    • On-demand protocols generally specify a forwarding delay so that neighbors do not all retransmit at once
    • Removing these delays at both the MAC and routing layers is not a fix: it causes more collisions
  • The attacker can also transmit at a higher power level, covering more distance in one hop
  • The attacker can take advantage of a wormhole: tunnel the REQUEST to a distant point and release it there ahead of the normal flood (a flood rushing attack)
Rushing Attack

[Figure: an attacker placed between source S and destination D rushes the REQUEST ahead of the honest flood. Slide courtesy: [2]]
Rushing Attack Example
  • A sends a ROUTE REQUEST
  • B forwards the REQUEST without checking the signature, or otherwise rushes the REQUEST
  • C correctly processes the REQUEST, and forwards it later as a result
  • Since D has already heard a REQUEST from this discovery, D discards the copy that arrives via C
  • A therefore discovers only the path through B, because B rushed the REQUEST
Rushing Attack Example

[Figure, two panels: route discovery among nodes A, B, C, D and E under no attack, with A's Route Query relayed hop by hop and a Route Reply returned; and the same discovery under attack, where the attackers' rushed Route Query is the copy the other nodes accept, so the Route Reply follows the attackers' path. Slide courtesy: [2]]
Wormhole Attack
  • The attacker records packets at one location in the network and tunnels them to another location.
  • The packets are then replayed from the far end of the wormhole.
  • This puts the attacker in a powerful position: nodes far apart appear to be direct neighbors.
  • Because it is a replay of unmodified packets, authentication does not help.

Applications of the Wormhole Attack

  • Denial-of-service
  • Routing disruptions
  • Unauthorized access
Routing Tree

[Figure: routing tree formed by the network. Adapted from Chris Karlof and David Wagner's WSNPA slides]

Routing

[Figure: packets following the routing tree. Adapted from Chris Karlof and David Wagner's WSNPA slides]

Wormhole Attack
  • Tunnel packets received in one place of the network and replay them in another place
  • The attacker needs no key material; all it requires is two transceivers and one high-quality out-of-band channel

Adapted from Chris Karlof and David Wagner's WSNPA slides

Disrupted Routing
  • Most packets will be routed through the wormhole
  • The wormhole can drop packets, or forward selectively to avoid detection

Adapted from Chris Karlof and David Wagner's WSNPA slides
What Protocols Are Vulnerable?
  • On-demand protocols, both unsecured (AODV, DSR) and secured (ARAN, Ariadne, etc.)
  • Result: under attack, the routing protocol cannot discover any route of two or more hops that avoids the attacker
Network Assumptions
  • Network links are bidirectional
    • Unidirectional links are ignored
  • Jamming attacks are out of scope
    • Require additional hardware
    • Easier to detect
  • Attacks on the MAC protocol are out of scope
    • MAC (Medium Access Control) protocols such as ALOHA and slotted ALOHA
  • Medium-sized network
    • 50 to 500 nodes
    • Larger networks would use clustering
Security Assumptions and Key Setup
  • Fast authentication
    • Instantly-verifiable broadcast authentication: each packet can be checked as soon as it is received
  • Key setup
    • Broadcast authentication keys are distributed in advance
  • Powerful attacker
    • Multiple coordinated attackers
Secure Routing Requirements and Protocol

[Flowchart: Secure Neighbor Detection, then "Single-hop?": yes, hand the packet to the original routing protocol; no, gather n REQUESTs and randomly choose 1, then hand it to the original routing protocol]
Secure Neighbor Detection
  • Neighbor detection
    • Two nodes detect a bidirectional link between themselves
    • Needed in proactive routing protocols
    • Needed in reactive routing protocols
  • Requirements
    • Both sender and receiver can check that the other is within normal direct communication range
    • A node must actually hear the other's Neighbor Request before treating it as a neighbor
Secure Neighbor Detection
  • Three-round mutual authentication protocol
    • S broadcasts a Neighbor Request packet
    • R returns a Neighbor Reply packet to S
    • S sends a Neighbor Verification to R
  • Tight delay timing
    • Each round must come back within the time consistent with the maximum communication range; a slower reply (for example one relayed through a wormhole) is rejected

[Figure: sender broadcasts Neighbor Request; receiver answers with Neighbor Reply; sender completes the exchange with Neighbor Verification]
Secure Neighbor Detection (cont.)
  • Nonces η1, η2
    • freshness: the Reply is bound to this Request and the Verification to this Reply, so recorded packets cannot be replayed later

[Figure: S broadcasts <M1, ΣM1>; receivers R1 and R2 each answer with <M2, ΣM2>; S answers each with <M3, ΣM3>, where ΣM denotes the signature over M]
Secure Neighbor Detection (cont.)
  • Integration with an on-demand protocol (the neighbor detection messages ride along with the ROUTE REQUEST)
    • A → *: REQUEST || Neighbor Request_A
    • B → A: Neighbor Reply_BA || Neighbor Request_B
    • A → B: Neighbor Verification_AB || Neighbor Reply_AB
    • B → *: REQUEST || Neighbor Verification_AB || Neighbor Verification_BA
Secure Route Delegation
  • A node delegates a verified neighbor to forward the ROUTE REQUEST on its behalf
  • Lets later nodes verify that both nodes of each adjacent pair on the route indeed believe each other to be neighbors
  • When A receives ROUTE REQUEST_SR || id (source S, target R, identifier id):
    • M_A = <Route Delegation, A, B, S, R, id>
    • Σ_MA = Sign(H(M_A))
    • A → B: <Σ_MA>
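The three-round exchange from the Secure Neighbor Detection slides above, together with the Route Delegation signature from this slide, as an added example; it is not code from the paper or from these slides. It assumes HMAC-SHA256 under one pre-distributed key as a stand-in for the instantly-verifiable broadcast signatures (HORS) the paper relies on, a made-up radio range and processing slack for the timing bound, a simulated microsecond clock, and '|'-separated message fields; the node names S, R, A, B and the message labels NREQ, NREP, NVER and RDEL are illustrative.

```python
"""Secure Neighbor Detection (three rounds) and Secure Route Delegation.

Added example, not code from the paper or these slides. Assumptions not in the
original: HMAC-SHA256 under one pre-distributed key stands in for the
instantly-verifiable broadcast signatures (e.g. HORS) the paper assumes; the
range and slack constants are made up; time is a simulated microsecond clock.
"""
import hashlib
import hmac
import secrets

KEY = b"pre-distributed broadcast authentication key"   # assumption
RANGE_M = 250.0                                         # assumption: direct radio range
MAX_RTT_US = 2 * RANGE_M / 300.0 + 10.0   # round trip at ~300 m/us plus 10 us processing slack

def sign(msg: bytes) -> bytes:
    return hmac.new(KEY, msg, hashlib.sha256).digest()

def verify(msg: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(msg), sig)

def encode(*fields) -> bytes:
    """Fields joined with '|' (assumed absent from names) and signed as one string."""
    return "|".join(str(f) for f in fields).encode()

def decode(blob: bytes) -> list:
    return blob.decode().split("|")

class Node:
    def __init__(self, name: str):
        self.name = name
        self.pending = {}        # nonce -> time it was sent, for the timing check
        self.neighbors = set()

    def request(self, now):                  # round 1, S -> *: <M1, Sig(M1)>
        eta1 = secrets.token_hex(8)          # fresh nonce binds the Reply to this Request
        m1 = encode("NREQ", self.name, eta1)
        self.pending[eta1] = now
        return m1, sign(m1)

    def reply(self, m1, sig1, now):          # round 2, R -> S: <M2, Sig(M2)>
        f = decode(m1)
        if not verify(m1, sig1) or len(f) != 3 or f[0] != "NREQ":
            return None
        eta2 = secrets.token_hex(8)          # second nonce binds the Verification to this Reply
        m2 = encode("NREP", self.name, f[1], f[2], eta2)
        self.pending[eta2] = now
        return m2, sign(m2)

    def verification(self, m2, sig2, now):   # round 3, S -> R: <M3, Sig(M3)>
        f = decode(m2)
        if not verify(m2, sig2) or len(f) != 5 or f[0] != "NREP" or f[2] != self.name:
            return None
        _, r, _, eta1, eta2 = f
        t0 = self.pending.pop(eta1, None)    # popping makes a replayed Reply fail
        if t0 is None or now - t0 > MAX_RTT_US:
            return None                      # unknown nonce, or too slow to be in direct range
        self.neighbors.add(r)
        m3 = encode("NVER", self.name, r, eta1, eta2)
        return m3, sign(m3)

    def accept(self, m3, sig3, now) -> bool: # R applies the same checks to round 3
        f = decode(m3)
        if not verify(m3, sig3) or len(f) != 5 or f[0] != "NVER" or f[2] != self.name:
            return False
        t0 = self.pending.pop(f[4], None)
        if t0 is None or now - t0 > MAX_RTT_US:
            return False
        self.neighbors.add(f[1])
        return True

def run_detection(one_way_us: float):
    """Run the exchange with a fixed one-way delay; returns (S accepted R, R accepted S)."""
    s, r, t = Node("S"), Node("R"), 0.0
    m1, g1 = s.request(t)
    t += one_way_us
    rep = r.reply(m1, g1, t)
    t += one_way_us
    ver = s.verification(*rep, t) if rep else None
    if ver is None:
        return False, False
    t += one_way_us
    return True, r.accept(*ver, t)

def route_delegation(a: Node, b: str, src: str, dst: str, req_id: int):
    """A delegates verified neighbour B to forward REQUEST <src, dst, req_id>: Sign(H(M_A))."""
    if b not in a.neighbors:
        raise ValueError("B has not been verified as a neighbour of A")
    m_a = encode("RDEL", a.name, b, src, dst, req_id)
    return m_a, sign(hashlib.sha256(m_a).digest())

def check_delegation(me: str, m_a: bytes, sig: bytes) -> bool:
    f = decode(m_a)
    return len(f) == 6 and f[0] == "RDEL" and f[2] == me and verify(hashlib.sha256(m_a).digest(), sig)
```

run_detection(0.5) models two nodes about 150 m apart and yields (True, True); run_detection(40.0) models a Reply tunnelled through a wormhole, which fails the round-trip bound, so neither side records the other as a neighbor. Because each nonce is removed from the pending table when it is consumed, replaying a captured Reply fails as well, and route_delegation refuses to sign for a node that never completed the exchange.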
Randomized Message Forwarding
  • Goal: minimize the chance that a rushing adversary dominates all returned routes
  • Randomized message forwarding
    • Each node collects a number of REQUESTs belonging to the same discovery
    • It then selects one of them at random to forward
  • The number of REQUEST packets collected
    • The more the better? Collecting more copies leaves the attacker's copy a smaller chance of being chosen, but the node waits longer before forwarding
  • The algorithm by which timeouts are chosen
    • By topological distance to the source
    • By geographic distance
    • Randomly
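A discrete-event simulation of the rushing attack described on the Rushing Attack slides above and of the randomized forwarding defense on this slide, added here as an example; it is not part of the paper or these slides. The 7-node topology, the honest forwarding delay (uniform 0.1 to 1.0 time units, standing in for MAC backoff plus the routing layer's forwarding jitter), the attacker's zero delay, a collection timeout that grows with hop distance (the "topological distance" option), and the destination applying the same selection rule as intermediate nodes are all assumptions; node names S, M, H1..H4 and D are illustrative.

```python
"""Rushing attack vs. randomized ROUTE REQUEST forwarding, as a small
discrete-event simulation. Added example, not code from the paper or the
slides. Assumptions not in the original: the 7-node topology, honest nodes
forwarding after a random 0.1..1.0 time-unit delay (MAC backoff plus routing
jitter), the attacker forwarding with zero delay, a collection timeout that
grows with hop distance, and the destination using the same selection rule
as intermediate nodes.
"""
import heapq
import random

# Constructed topology: every S..D route is three hops; M is the rushing attacker.
GRAPH = {
    "S": ["M", "H1", "H2"],
    "M": ["S", "H3", "H4"],
    "H1": ["S", "H3", "H4"],
    "H2": ["S", "H3", "H4"],
    "H3": ["M", "H1", "H2", "D"],
    "H4": ["M", "H1", "H2", "D"],
    "D": ["H3", "H4"],
}
SOURCE, ATTACKER, DEST = "S", "M", "D"
HOP_TIMEOUT = 2.0   # assumption: a node h hops from S waits up to h * HOP_TIMEOUT for copies

def discover_route(n, rng=None):
    """One route discovery; returns (route, completion time).
    n=1 is plain duplicate suppression: forward the first REQUEST, drop the rest.
    n>1 is RAP-style: gather up to n REQUESTs (or wait for the timeout), then
    forward one chosen uniformly at random and drop everything after that."""
    rng = rng or random.Random(0)
    events, seq = [], 0
    heard = {v: [] for v in GRAPH}        # source routes heard so far, per node
    decided = set()

    def push(t, kind, node, path):
        nonlocal seq
        heapq.heappush(events, (t, seq, kind, node, path))
        seq += 1

    push(0.0, "REQ", SOURCE, [])
    while events:
        t, _, kind, node, path = heapq.heappop(events)
        if node in decided:
            continue                          # duplicate suppression after the choice
        if kind == "REQ":
            heard[node].append(path)
            if len(heard[node]) == 1:         # first copy: arm the collection timeout
                push(t + HOP_TIMEOUT * max(1, len(path)), "TIMEOUT", node, None)
            want = 1 if node in (SOURCE, ATTACKER) else n   # the attacker never waits
            if len(heard[node]) < want:
                continue
        choice = rng.choice(heard[node])      # with n=1 this is simply the first copy
        decided.add(node)
        if node == DEST:
            return choice + [node], t
        delay = 0.0 if node in (SOURCE, ATTACKER) else rng.uniform(0.1, 1.0)
        for nb in GRAPH[node]:
            if nb not in choice:
                push(t + delay, "REQ", nb, choice + [node])
    return None, t

def simulate(n, trials=2000, seed=1):
    """Returns (fraction of discovered routes through M, mean discovery time)."""
    rng = random.Random(seed)
    hits, total_time = 0, 0.0
    for _ in range(trials):
        route, t = discover_route(n, rng)
        hits += route is not None and ATTACKER in route
        total_time += t
    return hits / trials, total_time / trials

if __name__ == "__main__":
    for n in (1, 2, 3):
        frac, lat = simulate(n)
        print(f"n={n}: {frac:.1%} of routes via attacker, mean discovery time {lat:.2f}")
```

With n=1 (plain duplicate suppression) every discovered route goes through M, reproducing the attack: M's copy arrives at H3 and H4 before any honest copy, and the honest copies are discarded. With n=2 and n=3 the attacker's share drops to about 1/2 and 1/3, while the mean discovery time rises because honest nodes sit on the REQUEST until their timeout, which is the latency cost the Evaluation slides below report.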
Secure Route Discovery
  • Secures any protocol that uses on-demand Route Discovery, by combining
    • Secure Neighbor Detection
    • Secure route delegation
    • Randomized ROUTE REQUEST forwarding
  • Limits the number of REQUESTs that traverse an attacker
  • Nodes that do not receive n REQUESTs over distinct paths from the source of the REQUEST
    • Choose a random timeout, then forward one of the REQUESTs they have collected
  • Two additional security optimizations
    • Sign each REQUEST
    • Use location information
Evaluation
  • Simulation evaluation
    • Underlying protocol: Ariadne
    • HORS as the broadcast signature scheme
    • 100 nodes
    • 1000 m x 1000 m area
    • Random waypoint mobility model
    • Pause times: 0, 30, 60, 120, 300, 600, 900
    • Workload: 5 flows
      • 4 packets per second
      • 64-byte packets
Packet Delivery Ratio
  • As % of offered traffic
    • DSR: 99.8% to 100%
    • Ariadne: 95% to 100%
    • RAP: 7.6% to 47.7%, due to MAC-layer congestion

Slide courtesy: [2]
Median Latency
  • DSR and Ariadne: median latency close to zero
  • RAP: higher, because of
    • Congestion
    • Time spent waiting to forward a REQUEST

Slide courtesy: [2]
Packet Overhead
  • Five flows incur 5x as much overhead
  • This reduces RAP's usefulness
  • Overhead should drop when congestion is not an issue

Slide courtesy: [2]
Overall
  • Evaluation
    • RAP adds significant costs
    • Costs are higher at lower bit rates, due to congestion
    • RAP is designed to be used only when necessary
      • Only when the underlying protocol is unable to discover a working route
  • Security analysis
    • To defeat RAP, an attacker would need to propagate the ROUTE REQUEST of every ROUTE DISCOVERY from many locations
      • Such sustained, widespread injection is likely to be caught by intrusion detection, so an attacker would be unlikely to attempt it
Conclusion
  • Described the rushing attack
  • Presented RAP (Rushing Attack Prevention)
  • RAP incurs higher overhead, but it can find usable routes when other protocols cannot
References
  • [1] Yih-Chun Hu, Adrian Perrig, David B. Johnson, "Rushing attacks and defense in wireless ad hoc network routing protocols", Proceedings of the 2003 ACM Workshop on Wireless Security, San Diego, CA, USA. Available at: http://www.ece.cmu.edu/~adrian/projects/secure-routing/wise2003.pdf
  • [2] Tammy Nguyen, presentation slides for "Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols" by Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Available at: http://www.eecs.wsu.edu/~smedidi/teaching/Spring05/rushing1.ppt