Two different kinds of security attacks can be launched against mobile ad- hoc networks, passive and active attacks. The attacker rests unnoticed in the background while performing a passive attack. He does not disturb the functions of the routing protocol, but he is able to eavesdrop on the routing traffic in order to extract worthwhile information about the participating nodes. Running an active attack, the attacking node has to invest some of its energy to launch this attack. In active attacks, malicious nodes can dis- turb the correct functionality of the routing protocol by modifying routing information, by redirecting network traffic, or launching Denial of Service attacks (DoS) by altering control message fields or by forwarding routing messages with falsified values. Attack categories that can occur associated with vulnerabilities of mobile ad-hoc systems are described below.
Spiewak and Engel
among others a short, fast, online, flexible, uncertain and incomplete Trust evidence model and should be independent of pre-established in- frastructures. In this context, Pirzada and McDonald [21] emphasize the interdependency of Trust and security, while security is highly dependent
Applying Trust in Mobile and Wireless Networks 41
tant information from the system by monitoring and listening on the communication between parties within the mobile ad-hoc network. For instance, if the malicious node observes that the connection to a certain node is requested more frequently than to other nodes, the passive attacker would be able to recognize, that this node is crucial for special functionalities within the MANET, like for example routing.
Switching its role from passive to active, the attacker at this moment has the ability to put a certain node out of operation, for example by perform- ing a Denial of Service attack, in order to collapse parts or even the com- plete MANET. Additional examples of a passive attack represent selfish nodes. They derivate from the usual routing protocol for the reason of pre- venting power loss for instance by not forwarding incoming messages. In [5] the importance of Trust is emphasized in order to isolate these mali- cious nodes and to be able to establish reputation systems in all nodes that enable them to detect misbehavior of network participants.
3.2.2 Active attacks
Active attacks mainly occur subsequent to passive attacks, for example af- ter the malicious node finished eavesdropping required information on the malicious node attempts to learn impor
network traffic. The variety of active attacks on mobile ad-hoc networks is similar to the attacks in traditional and hierarchical networks. But due to the lack in infrastructure and the vulnerability of wireless links, the cur- rently admitted routing protocols for mobile ad-hoc networks allow launching also new types of attacks. Compared to passive attacks, mali- cious nodes running an active attack can interrupt the accurate execution of a routing protocol by modifying routing data, by fabricating false routing information or by impersonating other nodes. Basically, active security at- tacks against ad-hoc routing protocols can be classified in three groups [23], such as integrity, masquerade and tamperingattacks.
Integrity Attacks in MANETs
Particularly attacks using modifications are aimed against the integrity of routing information. By launching this type of attack, the malicious entity can drop messages, redirect traffic to a different destination, or compute longer routes to the destination in order to increase the communication de- lays. For example, by sending fake routing packets to other nodes, all traffic
3.2.1 Passive attacks
A malicious node in the mobile ad-hoc network executes a passive attack, without actively initiating malicious actions. However, he can fool other network participants, simply by ignoring operations. Furthermore, the
42
the malicious node analyzes the routing protocol by the use of a passive at- tack, like eavesdropping information on the network traffic. Subsequently, this node lies and announces itself, during the route discovery phase of a routing protocol, as knowing an accurate path to the requested target node, in order to be able to intercept packets. Finally, all packets are transferred to the attacker’s node and he discards all of them. Consequently, the mali- cious node, which is controlled by the attacker, represents the Blackhole in the MANET, where all packets will be swallowed.
As an extension of the Blackhole attack, the active attacker might gener- ate a Greyhole [11]. In this case, the malicious grey node has the ability to switch its course of action from forwarding routing packets or discarding others. The decisions of its behavior depend on the intention of the attack. For example, for the purpose of isolating particular nodes in the MANET the malicious grey node drops packets which pilot towards their destina- tion. Packets meant for other nodes rest unmodified und are forwarded to their destination accordingly.
Even trickier is the generation of a tunnel in the network between two or more cooperating and by the attacker compromised malicious nodes that are linked through a private network connection within the MANET. This attack is known as a Wormhole [12]. It allows the attacker to short-cut the normal flow of routing messages by the construction of a fictitious vertex cut in the network that is controlled by the two cooperating malicious nodes. The attacker records packets or parts of packets at one selected location in the MANET. After tunneling them to another point in the MANET, the attacker replays the packets into the network. In particular, ad-hoc network routing protocols are vulnerable to Wormhole attacks. For example, launching this attack against a routing protocol allows the at- tacker to tunnel each ROUTE REQUEST packet, which is transmitted dur- ing the route discovery phase, straight to the target destination node. Con- sequently, any routes other than through the Wormhole are avoided from being discovered. By this technique the attacker has the capability to create an appearance to know the shortest path to a desired destination node. This grants the attacker an exceptionally high probability of being selected by the routing protocol to forward packets. Once selected, the attacker is able to subsequently launch a Blackhole or Greyhole attack by discarding se- lected packets.
Furthermore, Wormhole attacks empower the attacker to influence the neighbor discovery functionality of several routing protocols. For example, assuming node A wishes to communicate with its neighbors and tries to knock at their doors by sending a HELLO broadcast packet. At the same time the attacker uses the Wormhole to tunnel this packet directly to node B.
Spiewak and Engel
can be redirected to the attacker or another compromised node. An ex- ample of a modification attack is the set-up of a Blackhole [22]. First of all,
Applying Trust in Mobile and Wireless Networks 43
On the other side he tunnels all HELLO packets sent by B directly to node A. Finally, A and B belief that they are neighbors, which would cause the routing protocol to fail to discover routes when they are not really neighbors. Additional advantages of the Wormhole for the attacker are his possibility to discard selected data packets or to maintain a Denial of Service attack, be- cause no other route to the destination can be determined as long as the at- tacker controls the Wormhole. Yin-Chun Hu, Adrian Perrig and David B. Johnson introduce in [12] a mechanism, called “Packet Leashes” for effec- tively detecting and defending against Wormhole attacks by limiting the transmission distance of a link. The authors present the TIK protocol which implements temporal leashes using hash trees.
Both, Blackhole and Wormhole attacks belong to the group of Byzantine Attacks in ad-hoc networks and are discussed in [2]. The scheme of Worm- hole can be even extended to the concept of Byzantine Wormhole attacks. The difference to traditional Wormhole attacks is the fact that in traditional Wormhole attacks the attacker can fool two honest nodes into believing that there exists a direct link between them. But in the Byzantine case the Wormhole link exists between the compromised nodes and not between the honest nodes, which means that the end nodes cannot be trusted to follow the protocol accordingly.
Therefore, the previously mentioned “Packet Leashes” [12] are effec- tive against traditional Wormhole attacks but they can not be used to dis- cover and to prevent the extended Byzantine Wormhole attacks. Figure 3.1 shows the classification of these attacks in MANETs.
44
Masquerade Attacks in MANETs
By masquerading as another node, malicious nodes can run many attacks in a network. These types of attack are often known as Spoofing. The at- tacker modifies either the MAC or the IP address in outgoing packets in order to adopt another identity in the network and appear as a good- natured node. By this technique he is then able to operate as a trustworthy node and can for example advertise incorrect routing information to other participants of the network. Creation of loops in the routing computation is one famous example of this exploit and results in unreachable nodes or a partitioned network. Another dangerous attack in MANETs is known as the Sybil Attack [7]. Here malicious nodes may not only impersonate one node but can even represent multiple identities by maintaining false identi- ties. This attack particularly weakens systems and protocols that employ redundancy. Basically, redundancy is deployed to resist security threats from faulty or malicious network participants and is mostly used to ensure that transmitted packets are forwarded from node A to node B accordingly. By launching a Sybil Attack the attacker can pretend that the supposedly different paths are formed by disjoint nodes, although in reality these paths share at least one node which is the attacker’s one.
Particularly MANETs that apply a Recommendations-Based Trust Model are vulnerable to Sybil attacks. Here the malicious node, which represents multiple identities, can generate fake recommendations about the trustworthiness of a particular node in order to attract more network traffic to it. This offers the attacker an ideal starting point for subsequent attacks, like for example the Byzantine Wormhole attack. Generally, forg- ing of multiple identities for malicious intent leads to a set of faulty nodes in the network which results in compromising of all reliability-based net- work models.
Tampering Attacks in MANETs
This group of attacks, often called Fabrication Attacks, is based on the generation of falsified routing messages. Because of the fact that these routing packets are received as valid, fabrication attacks are very difficult to identify and trace. An example for such an attack is the in [13] intro- duced Rushing Attack which acts as an effective Denial of Service attack against all currently proposed on-demand ad-hoc network routing proto- cols, including those designed to be secure. Launching this attack, an at- tacker rapidly spreads routing messages all through the network, disabling authorized routing messages with the consequence that other nodes delete them as multiple copies. Obviously, also computational routes to a destination
Applying Trust in Mobile and Wireless Networks 45
can be canceled by constructing routing error messages, asserting that the neighbor can not be reached. For this reason, since flooding is the fa- mous mechanism used by on-demand routing protocols to establish paths, disturbing flooding is an effective attack against these kinds of protocols.
Considering the routing strategy of an on-demand ad-hoc network pro- tocol, where node A wishes to obtain a route to a destination node B. Node A floods the mobile ad-hoc network with ROUTE REQUEST packets. In order to limit the network traffic, each intermediate node C forwards only one ROUTE REQUEST packet from any Route Discovery phase or even only the ROUTE REQUEST packet reaching C at first will be forwarded by C. If the attacker launches falsified ROUTE DISCOVERY sessions for non-existing destination nodes and if the attacker’s ROUTE REQUEST packet reaches the intermediate node C prior to the ROUTE REQUEST packet from node A, then the legitimate REQUEST will be discarded by C and the attacker’s REQUEST will be forwarded accordingly. With this technique the attacker is able to isolate certain nodes in the MANET or can even partition the network. Otherwise, if the attacker’s rushed ROUTE REQUEST packets are the first to reach every neighbor of the target node B, then any route discovered by this ROUTE DISCOVERY process will include a hop through the attacker. Hence, node A will be unable to dis- cover any trusted route, without the attacker’s influence, to the target node B. In order to speed-up the broadcast of falsified ROUTE REQUEST packets the attacker can combine the Rushing attack with the Byzantine Wormhole attack to create a tunnel for his ROUTE REQUEST packets.
Actually, the fact that only the first ROUTE REQUEST packet is for- warded by an intermediate node C is not necessary for the attacker to be able to launch this kind of attack. The Rushing Attack can be extended to compromise the functionality of any protocol that forwards any particular ROUTE REQUEST packet for each ROUTE DISCOVERY process.