GENERIC ATTACKS AGAINST ROUTING

We have so far considered specific routing protocols which have several security attri- butes. In this section we focus on some attacks and discuss the impact of these attacks on routing in ad hoc networks. We consider three types of attacks:

. wormhole;

. rushing;

. sybil.

We explain each of these attacks and summarize briefly the various proposals to protect against such attacks.

4.7.1 Wormhole Attacks

A wormhole attack typically requires the presence of at least two colluding nodes in an ad hoc network.10The malicious nodes need to be geographically separated in order for the

Figure 4.28. Anonymous packet forwarding.

10_{We ignore a variant that depends on a single malicious node being a common neighbor of two nonneighboring}

nodes. The malicious node can relay packets between the nonneighboring nodes to convince them that they are neighbors.

attack to be effective. In this attack, a malicious node captures packets from one location and “tunnels” these packets to the other malicious node, which is assumed to be located at some distance. The second malicious node is then expected to replay the “tunneled” packets locally. There are several ways in which this tunnel can be established. We consider two possible methods below.

In the first method for establishing the tunnel shown in Figure 4.29, a malicious node denoted X in the figure, encapsulates a packet received from its neighboring node A. Node X then sends the encapsulated packet to the colluding malicious node Y. Node Y then replays the packet in its neighborhood after decapsulating the packet. Thus, the original packet transmitted by node A in its neighborhood is replayed by node Y in its neighbor- hood, which includes node B. For example, if the original packet transmitted by node A (and tunneled by node X) was a hello packet, then node B on receiving this packet would assume that node A is its neighbor, which is not true. As another example, if node A transmits a route request packet for node B, then node X can “tunnel” such a packet to node Y by encapsulating the packet. As a result, this route request packet will arrive at the destination node B with a lower hop count than the other Route Request packet going through the other route. This happens in spite of using any secure routing protocol such as the ones given earlier. Note that nodes between X and Y that relay the packet cannot interpret the packet as it is encapsulated. Therefore, they cannot increment the hop count.

In the second method for establishing the tunnel shown in Figure 4.30, the two mali- cious nodes X and Y are assumed to have access to an out-of-band high bandwidth channel. This could be achieved for example by having a wired link between the two nodes or by having a long range high bandwidth wireless link operating at a different fre- quency. Thus, this method requires specialized hardware capability and hence is more dif- ficult than the previous method. In this case also, a hello packet transmitted by node A can be retransmitted in the vicinity of node B. As a result node B infers that node A is its neigh- bor. Similarly, a route request packet, from node A for node B, can also reach node B (which is the destination for the route request packets) faster and possibly with fewer hops, since a high-bandwidth direct link is being used between the two malicious nodes. As a result, the two endpoints of the tunnel can appear to be very close to each other. To see this, consider Figure 4.30. Here node B receives three route requests. It is clear that the route request received through the wormhole will have the least hops.

It seems as if the malicious nodes are performing a useful service by tunneling the packets. This would be so if the nodes were performing this service without any malicious

intent, but malicious nodes could use this attack to undermine the correct operation of various protocols in ad hoc networks. The most important protocol that is impacted is the routing protocol, as we can see from the examples given earlier. Data aggregation, pro- tocols that depend on location information, data delivery, and so on, are some other examples of services that can be impacted. Note that the wormhole attack can be success- ful even without access to any cryptographic material on the nodes. For example, in the above figures (Figures 4.29 and 4.30), the wormhole attack can be successful even without knowledge of the keys used by the valid nodes in the system (such as nodes A and B). In addition, nodes in the network do not have to be compromised. Thus, in the same figures, node X and node Y could be outsider nodes which are not part of the regular network.

There have been some proposals recently to protect networks from wormhole attacks by detecting such attacks [71 – 73]. In [71], the authors introduce the concept of leashes to detect wormhole attacks. A leash is any information added to a packet in order to restrict the distance that the packet is allowed to travel. A leash is associated with each hop. Thus, each transmission of a packet requires a new leash. Two types of leashes are considered, namely geographical leashes and temporal leashes. A geographical leash is intended to limit the distance between the transmitter and the receiver of a packet. A temporal leash provides an upper bound on the lifetime of a packet. As a result, the packet can only travel a limited distance. A receiver of the packet can use these leashes to check if the packet has traveled farther than the leash allows and if so can drop the packet.

When using geographic leashes, a node is expected to know its own location. Each node transmitting a packet will include its own location in the packet and also the time at which the packet is transmitted. The node receiving this packet uses this information (about location and time) to calculate if the packet has traveled more than the allowable distance and if so the packet is dropped. With temporal leashes, each node transmitting a packet includes the time at which the packet was sent. The receiving node notes the time at which the packet was received and uses this to infer if the packet has traveled too far. In an alternate formulation, a packet can contain the expiration time after which a receiver should not accept the packet. The transmitter node decides on this expiration time as an offset from the time of transmission. Note that in both these cases, geographical leashes and temporal leashes, the receiver needs to authenticate the information about the location and time included by a transmitter in the packet. This authentication can be achieved by a mechanism such as a digital signature.

Figure 4.30. Wormhole attacks (out-of-band channel).

Geographic leashes require loose time synchronization among the nodes in the network, as opposed to temporal leashes, where the nodes in the network need to have tightly synchronized clocks with nanosecond precision. In addition, temporal leashes might not be practical in networks (such as those based on the use of 802.11) that make use of a contention-based MAC protocol. Temporal leashes will also be effective only against the first and easier mode of tunneling, where a packet is encapsulated. Of course, nodes in systems dependent on geographic leashes need to be able to determine their locations securely (see Chapter 7).

Another approach for detecting wormhole attacks is given in [72]. In this case the authors assume the presence of directional antennae. The approach here is based on the use of packet arrival direction to detect that packets are arriving from the proper neighbors. Such information is possible due to the use of directional antennae. This information about the direction of packet arrival is expected to lead to accurate information about the set of neighbors of a node. As a result, wormhole attacks can be detected since such attacks emanate from false neighbors.

To illustrate this idea consider Figure 4.31. Here we show two nodes, A and B. We show the directional antenna with six zones explicitly for both nodes. Each node is assumed to have knowledge of the zone from where a packet is received. Given this, the basic idea that is used to determine the set of authentic neighbors is that, if a node is in a given direction of another node, then the latter node is in the opposite direction of the former node. For example, in Figure 4.31, node B is in zone 6 of node A while node A is in the opposite zone, which is zone 3 of node B. An implicit assumption here is that the directional antennae on the various nodes are perfectly aligned.

Now consider nodes A, B, C, D, and E as shown in Figure 4.32. Assume that B trans- mits a message (call it a Hello message for simplicity) in its neighborhood which includes C. Then node C replies back to B informing node B of the zone from which node B’s hello message was received. If node B receives this reply in the opposite zone to what zone C reports, then node C can possibly be an authentic neighbor. Thus, in this case node C replies back to node B that the hello message was received in zone 1 of node C. This reply is received by node B in its zone 4, which is the zone opposite to zone 1. Thus, B can infer that node C is an authentic neighbor. Every node can repeat this and form the list of authentic neighbors. Any message that does not emanate from an authentic neighbor is rejected.

We next show how this mechanism can be used to detect wormholes. Assume that nodes D and E are malicious and they intend to form a wormhole between nodes A and B. Consider hello messages being transmitted by node A in order to determine the set of real neighbors. In this case, node D receives the hello message of A and tunnels it to node E, which then retransmits the Hello message in its neighborhood. Node B receives this message and reports back using a reply message that the Hello message of A was received in zone 4 of node B. If this reply of node B is replayed back by node D, then node A receives this reply in its zone 4. Thus, node A can infer that there is an inconsis- tency and reject this reply from node B. Note, though, that the same mechanism does not protect a wormhole from being established between nodes A and C since they are in the opposite zones as compared with the wormhole endpoints.

Thus, we see that the simple mechanism given earlier is not sufficient to detect all wormholes, although it does detect many of them. In order to address this shortcoming of the simple mechanism, the authors enhance the basic scheme. The enhancement requires that nodes cooperate with their neighbors by having other nodes called verifiers validate the legitimacy of the various packets being transmitted. Restrictions are placed on the nodes that can act as verifiers. This prevents the adversary from leveraging the weak- ness earlier whereby nodes that are in opposite directions to the wormhole endpoints are tricked into accepting each other as neighbors. In this case, after the messages of the basic protocol, the verifier is requested to corroborate the zones from which the messages were received by the verifier. As pointed out earlier, however, this approach requires perfectly aligned directional antennae.

In [73], the authors present a graph theoretic framework for modeling the wormhole attack. They provide a necessary and sufficient condition that any solution to the wormhole problem needs to satisfy. In addition, the authors also propose the use of local broadcast keys whereby the keys in different geographic regions are different. As a result, an encrypted message replayed via the wormhole in a different location cannot be decrypted by the receivers in that region.

4.7.2 Rushing Attacks

We next describe the rushing attack [74]. This attack impacts a reactive routing protocol. Note that, in the case of a reactive routing protocol, a node that needs a path to a destina- tion floods the network with route request packets. Such route request packets are flooded in a controlled fashion in the network. Thus, every node only forwards the first route recovery packet that it receives and drops the rest. The adversary can exploit this feature of reactive routing protocols. It does so by “rushing” the route request packets towards the destination. As a result, the nodes that receive this “rushed” request

Figure 4.32. Detecting wormholes using directional antennae.

forward it and discard the other route requests that arrive later. The resulting routes would then include the adversary, which places the adversary in an advantageous position.

We see that this attack is not very difficult to launch. All it requires is that the adversary be able to forward route request packets faster than can be done by valid nodes. The adver- sary can do this by forming wormholes. The adversary can also do this by choosing to ignore the delay between the receipt and forwarding of route request packets. Such delays are specified by the routing protocols to avoid collisions of route request packets. The adversary can also choose to ignore delays specified by the protocols to access the wireless channel. Thus, in all these cases the route request packet can be rushed by the adversary.

A simple way to address the rushing attack is to allow for randomized selection of route request messages. Thus, every node is expected to collect a threshold number of route requests. Following this, the node can randomly choose to forward a route request from among the received requests. Note that a timeout also needs to be associated here so that, if a node does not receive the threshold number of route requests within the timeout, it can choose from among the received route requests. This mechanism does add to the latency of route discovery, though, and hence both the threshold value and the timeout value have to be chosen with care. Note, though, that the mechanism is general enough and can be easily integrated with any reactive routing protocol to protect against rushing attacks.

4.7.3 Sybil Attacks

The Sybil attack [2] consists of a node assuming several node identities while using only one physical device. The additional identities can be obtained either by impersonating other nodes or by making use of false identities. These identities can all be used simul- taneously or over a period of time. This attack can impact several services in ad hoc net- works. For example it can impact multipath routing [75], where a set of supposedly disjoint paths can all be passing through the same malicious node which is using several Sybil identities. This attack can also impact data aggregation where the same node can contribute multiple readings each using a different identity [76]. Fair resource allocation mechanisms will also be affected since a node can claim more than its fair share by using the various Sybil identities. Mechanisms based on trust, voting, and so on, are also affected by this attack.

A simple approach for detecting the Sybil identities could be to issue a public-key cer- tificate to each of the identities. The problem, though, is the need for a central authority that can distribute the certificates. In addition, this solution requires higher computational capabilities than might be available on resource constrained devices such as sensor nodes. Resource testing was suggested as an approach to prevent Sybil attacks in [2]. This approach makes use of the fact that each node is limited in some resources. The test then verifies if each identity has the proper amount of the tested resource. Thus, the implicit assumption here is that every identity has the same quantity of the tested resource. The resources suggested in [2] are computation, storage, and communication, but these resources might not be the right ones to test for in ad hoc and sensor networks because of the heterogeneity possible in such networks due to which different physical devices have different values for the quantity of the tested resource.

Another resource suggested in [76] is the radio. Here the assumption is that every phys- ical device has only one radio that is incapable of simultaneously transmitting and receiv- ing on more than one channel. Thus, a node that desires to verify if any of its neighbors are

Sybil identities will allocate a channel to each of its neighbors. The neighboring node is expected to transmit a message on the allocated channel. The verifier node then picks random channels to listen to. If no message is heard on the channel selected, then the cor- responding node identity is assumed to be a Sybil identity. Another approach [76] to detecting Sybil identities leverages the random key predistribution technique (explained in Chapter 3). When using random key management schemes, a node is loaded with a set of random keys before deployment. This scheme can be leveraged to detect Sybil iden- tities if the set of keys assigned to a node is related to the identity of the node. As a result, a node claiming any identity will have to prove the claimed identity by also demonstrating that it has the keys corresponding to that identity. The node does so by participating in encryption or decryption operations with the key. In this case, an adversary will first have to compromise many nodes, thereby getting access to the keys corresponding to each identity. Following this, the adversary might be able to create fake identities. Some other approaches proposed are based on verifying the location for each of the node identities or on registering the identities with a base station.

Another approach for detecting Sybil attacks is given in [77]. In this scheme each node is provided a unique secret by a central authority. A hash chain is derived from this secret by the node. The node is also provided an identity certificate by the central authority binding the node’s identity to the secret information. A node that claims a given identity