Vulnerabllitiles in Epildemlc Forward-ing

Alaeddine El Fawal Jean-Yves Le Boudec Kave SalamatianEPFL, I&C EPFL, I&C EPFL, I&C

1015 Lausanne, Switzerland 1015 Lausanne, Switzerland 1015 Lausanne, Switzerlandalaeddine.elfawal@ epfl .ch jean-yves.leboudec@ epfl.ch kave.salamatian epfl.ch

Abstract We evaluate the vulnerabilities by simulations. We showthat a malicious attacker does not have much effect in highly

Wedrentvralnerablicatiesin eprwidem frwarding. We mobile networks, but it might be very harmful in static net-

address brodca icfrwatdions loyverrle mechadhnet- works. In contrast, independently of mobility, the ratio-worksas Epidemicit forwspadi emplos eveal mchanthsmins nal attacker increases dramatically its througbput. Attackssach asimp nhibitin a spregatconmtrol ao each of them caxn that are otherwise very harmful lose their efficiency in the

tenceim lneda sin a ive method tha thexs presence of some epidemic forwarding mechanisms such astsenceoverabilitieslinkshighlybdependthent one methoyv adaptive spread control and adaptive inhibition. Moreover,

nerased.Weseineothocaegolinksbetweectm We classio al- many elements such as the attacker position and the nodeexrmailitie int o cate smis a nd tional. We density influence the malicious attacker's impact.extackersamne theefc oifferenthneattk ordingsto the nambdersiof The simulations are carried out on networks with upattackers and thesdioeent network stati salichos densit to 1000 nodes using a JAVA implementation of the epi-

hemic lorwarilng system in JIST-SWANS [I]. Beside statc

.Itout, ion*I@thi setin we exli th ifrn ehnssue

thar tpacev,e adndthif eractisae scenriodep n- sceinaros, we applied the epieemic forwardir dig system todent. In~~~~~~~~~~cotrsrtinlatckralwyobanasgf- te vehilcular network using an extension of JIST-SWANSicnbeei.Teeaato scridotaigdtie called STRAW [2], wbich providtes a mnobility mnodel basedk

rea6listic simaltio|ns ovelr ntwotAlrks wAilfth7ap to Q1"vovvz1tFldFlfCs 100 nodesv . on the operation of real vehicular traffi.

r ar r * li* * w f * g f~ ~~~a iliies

We/ consie71Drstatic scenriosa wllas/vehicla ntworo/mfnks,2. Epidemic Forwarding Mechalnismns

1,[ Introducitiona In this se tion:, we explainl the differenlt mnechanismls usedinL epidemic forwarding, iln order: to ulndelrstalnd their vulnler-

warding over ad-hoc networks. We are interested in broad- 2.1. Inhibition Mechanismscast applications such as chatting in a traffic jam or couponIadvertisements [5]. The principle of epidemic forwarding Inhibitionvmer hanisrsaimvatepreventing nodes from for-is that nodes repeat with some probability the information warding over-sentdor over-received packets in orderto rmi-they hear from others, thus propagating fresh information. imize redundancy.W e classify the, into two sets: rigid

Epidemic forwarding employs several mechanisms such and adaptive. With the former set the mechantisms canw -as inhibition, which prevents a node from forwarding over- not adapt themselves to different network settings: whensent or over-received packets in order to minimize redun- the settings change their parameters nreed to change. Thedancy. Each mechanism can be implemented using differ- radte methanis ensur angood performetinaswideent alternative methods. Thus, the existence of vulnerabil- range of settings witouthanging theirparaeters.ities is highly dependent on the mechanisms employed and 2.1.1. Rigid Inhibition. Within this set we find Gossip-on the methods adopted to achieve them. We examine the based epidemic forwarding [7] where a node decides to for-links between these methods and the vulnerabilities. ward a packet with a fixed probability p and drop it withWe classify the vulnerabilities into two categories: mali- (1 - p). The value of p depends on the setting but Gossip

cious and rational. A malicious attacker harms other nodes does not involve any mechanism to adapt p.anLd does lnot look for personal benrefit. It aims at decreasilng 2.1.2. Adaptive Intlhibition.L Withiln this set we distiln-other nodes' throughput anld/or spread. In contrast, a ratio- guish betweenl two methods.nral attacker aimus at inrcreasing its personal profit fromL the 2.].2.a. Coanxter Bazsed Inxhibit on. This mLethod is es-network. It tries to increase its throughput or save power. sentially the onle proposed inl [8]. A packet stored in the

1-4244-0992-6/07/$25.OO ©2007 IEEE

epidemic buffer has a counter called "Receive Count" in- Formally, every packet in the epidemic buffer has an "age"cremented by I when a duplicate of this packet is received. field, which is a fixed decimal positive number less thanInitially, i.e. when the packet is created by the application or 256. When a packet, created by some other node, is re-received for the first time, the counter is set to 0. When the ceived by this node for the first time, its age is set to thecounter reaches a maximum value, the packet is discarded complement to 255 of the received TTL: age= 255- TTL.from the epidemic buffer. When a packet is transmitted, the When a packet is transmitted, its stored age is incrementedvalue of Receive Count is lost. by a fixed amount Ko and then its TTL is set to 255- age.

2.1.2.b. Virtual Rate Based Inhibition.r This method is When a duplicate packet is received, the received TTL isproposed in [4]. With this method a packet in the epidemic ignored but the stored age is incremented by K1: age =buffer is retransmitted with a probability that depends on age+K1. When any packet is received, the stored age of allits "virtual rate"; it is equal to coaRbS where co is a con- packets in the epidemic buffer is incremented by K2: age =stant (inverse of a time), R [resp. S] is the number of age+K2. The node drops packets with age larger than 255.times this packet or a duplicate was received [resp. sent] 2.3. Schedulerand a and b are unit-less constants less than 1. Thus the Epidemic forwarding needs a scheduler for buffer man-virtual rate of a packet decreases exponentially with anylsend/receive~~~~~ ~~~~evn'ftesmakt ceue eie agemnlLlt. To our knowledge, the only scheduler that is ex-send/receiv event ofthesamepacket.A schedulerdecides

plicitly detailed in the literature is in [4]. It is used withwhich packet is selected next for transmission by the MAC the virtual-rate based inhibition (Sect. 2.1 .2.b). It decideslayer- it serves packets with a rates not exceeding their vir- wnbsI ~~~~~~~~~~~~~~whichpacket in the epidemic bufifer is selected for tranLs-tual rates. Hence, a packet in the epidemic buffer, which mission, i.e. to be passed to the MAC layer. In order tohas seen many send/reeive events, is scheduled at a very ensure some level of fairness the scheduler serves packetslow rate and it is more likely that it will be dropped by the 'used~~~~~~ ~bufemangeen mehns beoebig .rnmt per source Id, usilng a processor sharinlg approach. More-

over, every packet should be served at a rate not exceedingted [4]. The constant co is equal to the nominal packet rate its virtual rate computed in Sect. 2.1.2.b.of the MAC layer.2.2. Spread Control Mechanisms 2.4. Control of Injection Rate

Spread control mechanisms are essential for epidemic The only explicitly defined method to achieve control offorwarding, as the broadcast capacity does not scale with injection rate is the one in [4]. It is used together with thethe population. Spread control can be implemented using aforementioned scheduler. The packets generated by the ap-one of the following methods. plication at a given node are placed into the epidemic buffer,

2.2.1. Classic TTL. This is the method that comes by where they compete with the other packets for transmissiondefault with the Internet Protocol (IP). When a packet is (but with a larger virtual rate, having R = S = 0). The

created by a source and placed into the epidemic buffer, application rate is controlled by a windowing system : Theit receives a TTL value equal to some positive constant number of outstanding packets the application is allowed"MaxTTL". When the packet is accepted for transmission to have in the epidemic buffer at this node is limited to -atax~~~ ~ ~ ~ ~ ~ ~~~~~~ot 2

ena paace is delte

acceptthe epidemicbufferby the MAC layer, the TTL field of the transmitted packet is most- 2 [4]; a packet is deleted from the epidemic buffer

equal to the value of the TTL field in the packet in the epi- when a duplicate is received, which serves as implicit ac-

demic buffer, minus 1. The TTL field in the packet stored knowledgment (Ack).in the epidemic buffer is unchanged. 3. Attacks

When a packet created by some other node is receivedforthis section we describe the vulnerabilities that arethe first time at this node, the packet is delivered to the ap- in th ecion, werdibe tev ities thtaeplication, and the value of the TTL is screened. If it is equal specific to epidemic forwarding. We distinlguish betweerto 0, it cannot be retransmitted and the packet is discarded. two types of attackers: nalicious and rational. The fotrerElse (TTL. 1), the pcket is stored inl the eidemic buffer, does not look for a personal benefit but aims to harm otherwith TTL e L t the value pres in the eceivd pafket. nodes. In contrast, the latter seeks to increase its personal

When and if thepalke laer a te retransiso profit from the network. Most of the attacks are describedby the MAC layer, the transmitted TTL field is equal to the by drawing (Figs. 1 and 2) using a generic example wherestored TTL minus 1, and the stored TTL is unchanged. the attacker is M and the victim in malicious case is A.

2.2.2. Aging. This method is proposed in [4] in a differ- 3.1. Malicious Attacksent but essentially equivalent form. We give here a presen- A malicious attacker aims at decreasing the spreadtatioln that combinres differenrt optionrs iln olne silngle frame- alnd/or the ilnjectiolnL rate of the victim by explLoitilng vulknrera-work. The mnethod uses the TTL fielUd lLike ClLassic TTL, but bilLities iln epidemni forwardinlg m[echanisms. In the follLow-the TTL of a packet may be decremented while it is stored in ing we identify five attacks and map them to their corre-the epidemic buffer, depending on receive anLd send evenLts. sponding epidemic forwarding mechanisms.

Inhibit by forwarding tion and node density. The attacker places itself close to theB A M victim. It acts like any node: it has its self packets (pack-

Self:' Self. i ets that are generated at this node) to send and relays others

FiNvd:. Fwvd: i packets. But it does not forward victim packets. By gener-received many ||FWd: I | Fvvd: i ating much traffic in the very close surrounding of the vic-times: drop i tim, the attacker incites the spread-control mechanism at the

Inhibit by TTL victim's good neighbors to react negatively and prevent theA M B C victim packets from going farther.

Self: i. TTL Self: i TTL = 3.1.2. Inhibit by Forwarding (IbF) Attack. With IbFMaxTTIMaxTTL- (Fig. 1), the attacker exploits the adaptive inhibition.F Fwd: i TTL 0 It immediatly forwards the victim packets a number of

i inhibited drop i times (this number is called Attack-Persistency) to in-Inhibit by Forwarding and TTL hibit its neighbrhood from forwarding the same packets

ASef: TTL=Ma r (see Sect. 2.1.2). With the counter based inhibition (seeSelf i. TL TTL-1Self: i, TTL = MaXTTL-1 Sect. 2.1 .2.a), the Attack-Persistency is equal to the max-

FWd:i TTL=I FWd:i TTL=O imum value the counter can reach. With the virtual rateFWd: i. TTL based inhibition, this Attack-Persistency should be largeFvv: i. TTL Fwrvd: i, TTL = o enough to make the corresponding virtual rate close to zero

drop (in practice two times are enough).

Send on behave 3.1.3. Inhibit by TTL (IbTTL) Attack. This attack ex-A M B ploits the spread control using TTL. As the attacker receives

Sel:|s i A a victim packet, it forwards it immediatly with a TTL =fake:j, Id A4 0. In Fig. 1, B and M receives a packet from A with TTLfake:Ikd=A = MaxTTL -1. M forwards it with TTL = 0 instead offake: Id=A E ld:B2 Id:..1 Id..(MaxTTL -2). Hence, the attacker decreases the chance

the packet has to travel beyond C as B is inhibited and C

(D drops the packet. Even if B succeeds in forwarding theMitemiisneaAiDhv W rpacket after M, this will change nothing with C. This ex-

packets generacted t thnodeand trainsmitting We ef bSeto ample considers the use of "classic TT (see Sect. 2.2.1).p With aging", the attack is exactly the same. Note that inforwairded by the node but generalted by others aznd by Falke topowackets bythatharenodegenerated byMbtc nthersvdbmidenti Fig. 1, B applies the first strategy (see Sect. 2.2.1) upon re-palckets thazt alre generalted byM but calrrying the victim identity (Idcevn ulct ftepce n hsi eph l= A). We will explain oily the "Inhibit by forwarding and TTL ceiviLng a duplicate of the packet ad thus it keeps the old

attack as other attacks have similar explanation. In "Inhibit by .Forwarding and TTL " A sends a Selfpacket i with TTL = MaxTTL 3.1.4. Inhibit by Forwarding and TTL (IbFTTL) At--1 that is received byM and B. Mforwards the packet i (Fwd: i) tack. This is a combination of IbF and IbTTL (Fig. 1). In3 times with TTL = 0 the packet (Fwd: i) is received by B and C. this case M forwards the victim packets Attack-PersistencyThus the inhibition mechanism at B will inhibit packet i as it is times with TTL = 0 to insure that the victim packets at Breceived 4 timnes and C will drop the packet as its TTL = 0. are well inhibited and thus the packet loses any chance of

Figure 1. Malicious attacks. travelling beyond C.3.1.5. Send on Behalf of the Victim (SoB) Attack. The

Sybil attacker exploits the scheduler and the aging mechanism. InA M B Fig. 1, M sends fake packets with A's Id. As the scheduler

------------A serves packets per source Id, A's packets are delayed in theSelf:j,Id Idi epidemic buffer and they will be dropped either by the agingSelf: k Id IId2d I Id3 mechanism (they become too old) or by buffer overflow.

L4 Li Li Li 3.2. Rational AttakcsA rational attacker tries to increase its injection rate

(D while maintaining large spread. In the following, we iden-Figure 2. Sybil attack: M1/1 is tlhe rational node. tify two rational attacks.

3.2.1. Do Not Cooperate (DNC) Attack. When a new3.1.1. Alrtificial Hligh DenLsilty (AU1D). In this attack, we packet is injected by the application at a given node, it is

exploit the adaptability of the spread control to the conges- placed in the epidemic buffer, where it competes with pack-

ets received from other nodes. This competition prevents With the static scenarios, we simulate from 200 up to 600the application from injecting at the full rate allowed by nodes uniformly distributed over a square of 500x500 in2the packet injection control mechanism because of the ad- but, in most cases, we show the results only for 400 nodesditional delay in the epidemic buffer. Thus, an attacker as the others are similar. The transmission range is arounddecides to not cooperate and to keep only its self packets 50 m (PDA transmission range).(packets that are generated at this node) in the epidemic In the case of a malicious attack, the victim is in the mid-buffer. Note that, if the attacker tries to go beyond the al- dle of the square and attackers take place around it as it islowed rate, its packets will be accumulated in other nodes, indicated in Fig. 3. We want to evaluate the impact of thewhich are not able to serve them at the same rate. Thus, it distance between attackers and the victim. Therefore, therisks killing its packets for the same reason as in Sect. 3.1.5. radius R in Fig. 3 can have one of two values: 25m and

3.2.2. Sybil Attack. We refer to the Sybil attacker as lOOm. With the former, the attackers of the correspondingthe node that forges multiple identities [3]. This is a well- circle are within the transmission range of the victim andknown attack in networking, but the way it is exploited in they are outside it with the latter.this paper is new and very specific to epidemic forward- In the case of a rational attack, there exists only one at-ing. As the scheduler serves packets per source Id, the at- tacker, which is in the middle.tacker sends its self packets with different Ids and thus it The network can be either congested, where all nodes areincreases their share of the bandwidth. In Fig. 2, we present sources sending at full rate (capacity allowed by the chan-the scheduler as a process sharing approach where queues nel) or non-congested, where the victim is the only sourceare per source Id. In this case M's packets receive larger in the network and it is sending at full rate. Beside the vic-bandwidth share than A's packet at B. tim, only attackers can act as sources in the non-congested

4_Performance Evaluat'ionscenario, based on the attack they want to achieve.

4. PelrformanuLce EvaluLatiRlon In the following we will use the following notations:

Iln this section, we evaluate the imupact of the aforemneln- ; close [resp. far ] to indicate that R is equal to 25m [resp.tIoned attacks by s emulalton. We apply them n stac sce- I m] and one" [resp. "all] to indicate that tbe networknarios, as well as in highly mobile networks. We consider is non-fongested [resp. conrigested].vehicular mobility on the highway. Our metrics are based as fr tboble searo we simulate 1000 vehicle inon tbe spread and the injection rate: a malicious attacker anurban two-lane road. The speed limit is 80 km/h.The caraims at reducing the victim spread and a rational one tries densi yis 1. cars/kmin eachl direction. Te transmissionto increase its rate while maintaining large spread. or veh 1Uar nework.

In our simulation we consider the epidemic forwarding Our simulations are carried out tbrough fIST-SWANSsystem proposed in [4] called SLEF. To our knowledge [1], an open source simulator for ad hoc networks. The

SLEF is the only complete system proposed for a wide MAC layer is a very accurate implementation of 802.1 lbof settings. Furthermore, SLEF implements all epi- in DCF mode with the basic rate of 1 Mbps as we trans-

range mit in broadcast (pseudo-broadcast [4]). As for the radio,demic forwarding mechanisms already discussed in Sect. 2: r sThe virtual rate based inhibition, spread control by TTL and we use the t et to aoacite realeWIFI cardsaging, injection rate control and tbe scheduler discussed in that alclimpleent it [6]. We consider fading channels witbSect. 2.3. The parameter values of the virtual rate based in- fetensp efpath-ls. As fortNS mlleoble network, we use anhibition are a b 0.15, co corresponds to 802.1 lb basic extesioneof fIST-SWANS called STRAW [2], which sim-rate (1Mbps) with a packet length of 1500 bytes. As for the ulates the vehicular traffic and provides a mobility. moaging we use K K 25 and K2 0.5based o the operatio of real vehicular traffic.

4.1. Setti'ngs 4.2. Static Scenarios4.2.1. Malicious Attacks.

1316 4.2..La. AHD. The results are shown in Fig. 4. Let us be-011t 4 +10 gin with the all' scenario (see Sect. 4.1) where the attack-

R d ers are sources and act as any other node, except that they4 853 12 do not forward victim packets. In the close' case, the im-

5 14 pact of the attack is considerable in both scenarios, "all" and"one", and it increases with the number of attackers. In con-

The victim is in the middle the attackers startfilling the positions trast, in the far' + all' scenario, the attackers do not havearoln;d the victim according to their i "ndexin a increasing order:

.. .. ~~~~~~~~amnajor imupact; the reason iS twofolLd: (I1) the attackers areone ttakeritillspostio]. f2 atacersthe fil poitil~ far fromn the victim[ and thus they do lnot ilncrease the densityalnd 2, and so on>. R can7 he either 25m 01 lOOm. d = 25m.

as much as in the close" scenario; (2) the inhibition mech-Figure 3. Ma/llaicious attackers positions. anism is adapted. Indeed, the attackers are nlumerous anld

Malicious Attacks, Static Scenario, 400 nodes received by other attackers even before beginning the for-.close`+`a11` .cose`+`one`

oo400 4O warding process. Thus, all attackers cancel the previous-X-AHD300 lbF r_ 300 packet2 which explains why it is not inhibited.O i bTTL o \

o0 200 SoB 200o

*AHD 4.2. c. IbTTL: Our implementation of IbTTL is similarEGIbF t n100 to the one of IbF with the difference that it modifies the TTL10& 100 {bTTL

IbFTTL0bFTTL 0 before forwarding, as it is explained in Sect. 3.1.3. This at-o A t o ~~~~~~~~~SoB a._..0n 5 10 15 0 5 10 15 tack is more harmful than IbF. The attacker needs to for-

Number of Attackers Number of Attackers

"far`+`a11` "far`+`one` ward the packet only once with TTL = 0. Thus, nodes thatoW400 oW40

X-AHD r r T n-0 ^ n receive the packet from the attacker for the first time are not° IbF o_-300 IbTTL 16 300 able to forward it due to its TTL. This makes the differenceIFTTLo\-0 200 ;G;SoB -0> 200 with IbF, which needs to forward several times to inhibit theE gE d*AHD

- ii - n~~~~~~~~~EIbF ~,......n109 E ;> n 100IbTTL packet in its neighborhood.lA O IbFTTL

_D° ___en_C_SoB 4.2_._.id. IbFTTL: This attack has approximately the sameNumber of Attackers Number of Attackers impact as IbTTL, which is to be expected as IbF has littleeffect on the victim.

Figure 4. Malicious attacks in static scenario. 4.2.1.e. SoB: The attackers send only fake packets at fullrate. Fig. 4 shows a significant decrease in spread and rate.The spread reduction is due to the fact that victim packets

SoB Attack, Static Scenario, 400 nodes are killed in the epidemic buffers before being forwarded,u) 39 "close'""'all" which is due to the delay caused by the fake packets (for

33cIose+one more explanation see Sect. 3.1.5). Moreover, the decreasevu,>~~~~~~~-a `3close`-W'one`__ efar-+-one- in rate is due to the delay of the implicit Ack that controls

the injection rate as explained in Sect. 2.4.From what we have seen in this section, we can conclude

L____________________________________ that the attackers are not able to harm the victim in the pres-Nme5 10 15 eAnce of mobility for two reasons. The first is that the impactNumber of Attackers

Figure 5. Rate of a victim facing SoB attack. of the attackers is very position-dependent. The second isthat, even with the most harmful attack, the attackers couldreduce the spread of the victim, but its packets still reach a

they cooperate in forwarding all packets except the victims, few tens of nodes. If these nodes are mobile, they will carryhence they inhibit their neighbors from forwarding packets the victim packets beyond the barrier imposed by the at-except those of the victim. Thus, the increase in the victim tacker. This conclusion is well verified later in the vehicularspread, which we notice for 8 attackers, is due to the fact network scenario.that victim packets are less inhibited than others. If the in- Rational Attacks in Static Scenario: allhibition were rigid we expect that AHD would have more l o:0 400

im act on the victim. In the "far' + "one" scenario, attack- =fers are still injecting new packets in the network as before. o 300They reduce considerably the victim spread. _6 0

204.2. 1.b. IbF: The attackers do not generate fresh pack- CO

ets: their role is merely to forward victim packets as it is 2iexplained in Sect. 3.1.2. The results are shown in Fig. 4. It DDNC c" &Sybil

* . * * 1 1 * . 43~~~~~~~~~~~C ESybil -E}well-bahavedis clear that IbF does not achieve its goal. This can be ex- Nb f d th 600 00 500 600

plained as follows: When an attacker receives a new victim umero oesin te k

packet it immediately forwards it Attack-Persistency times _*=* E***n-(if the MAC layer allows). If the same attacker receivesanother victim packet, before it finishes forwarding the pre- 4.2.2. Rational Attacks.vious packet, it cancels the previous and it starts anew with 4.2.2.a. DNC: We evaluate the impact of DNC only inthe newest. Thus, let us consider a scenario that happens the "all" scenario, where increasing the injection rate is afrequently. The victim sends a new packet. The attacker challenge. In the "one' scenario, the attacker is the onlyforwards it immrediatelLy. The victim receives a duplicate of source in the network anrd he has the enrtire network ca-its self packet and considers it as aln implicit Ack. HIence, pacity, thus it is mealningless to evaluate its imupa t in thisit injects a new self packet that will be received by the at- case. In Fig. 6, the performance of a DNC attacker is com-tacker before finlishing the forwarding process and it will be pared with a well-behaved node that is very close to it anld

thus they both experience the same network conditions. We the spread control mechanism, this interference is not con-show the spread of both nodes and the rate ratio (DNC over siderable and does not happen frequently.well-behaved). The DNC rate is four times larger than a 4.3.2. Rational Attacks. Contrary to malicious attacks,well-behaved node. But, surprisingly, the DNC spread is rational attacks are still powerful even in highly mobile net-much larger when the network is very dense (600 nodes). work. The results are shown in Fig. 7(b). Sybil still ensuresThe reason is as follows: The attacker does not forward higher gain than DNC.others' packets. Thus, when it receives others' packets, it 5. Conclusionsdrops them without updating the age of its self packets inthe epidemic buffer. Hence, the age of its self packets does We identify vulnerabilities that are specific to epidemicnot increase during their stay in its epidemic buffer by K2 forwarding over wireless ad-hoc networks. We classify(see Sect. 2.2.2), which allows them to travel farther. these vulnerabilities into two categories: malicious and ra-

4.2.2.b. Sybil.' We evaluate the impact of Sybil in only tional. We evaluate their impact according to the number"all" scenario for the same reason as with DNC. The at- of attackers and the different network settings. We find thattacker uses five different identities. In addition, it does not the impact of malicious attacks depends on the position offorward others' packets. So, our implementation is in fact the attacker relative to the victim, the network density, thea combination of both attacks, Sybil and DNC, explained traffic load and mobility. In static scenarios, we identify thein Sect. 3. This implementation gives the attacker a much attacks that reduce dramatically the victim spread, whereaslarger advantage than using DNC alone (up to 10 times the harm of other attacks is reduced due to the adaptive inhi-larger than a well-behaved node and 2.5 larger than the bition and the injection rate control. In highly mobile vehic-DNC attacker), which explains the impact of Sybil alone. ular network, the impact of malicious attacks are minimized4.3. Vehicular Network Scenario due to the spread control.

We have studied the rational case in presence of only one

Malicious Attacks in Vehicular Networks Rational Attacks in Vehicular Networks attacker in the network. The attacker could achieve consid-___________________________________ 10800 60 X g |~>9I erable profit inLall scenrarios.

(D8 (D\ m FSybil Our work can be extended in different directions. We7 ^ ra e0 DNCi

0O40 \ 166 Sybil o 50 plan to examine the impact of the presence of several ratio-E -AHD > 5 p4cWell-Behaved nal attackers on the network. Another extension is to find

&IbF =.4 30_ _

E 20- eIbTTL o3DNC 0 solutions to recover from these vulnerabilities.'a +IbFTTL .0 20Q_

4__ASoB_____10____Referencescn co_

0 20 40 60 80 100 c

Number of Attackers [1] Java in simulation time / scalable wireless ad hoc network(a) (b) simulator, jist/swans, http://jist.ece.cornell.edu/.

[2] Street random waypoint I vehicular mobil-Figure 7. Vehicular Network. Malicious (a) ity model for network simulations strawand Rational (b) attacks, "all" scenario. http:Ilwww.aqualab.cs.northwestern.edu/projects/straw/.

[3] J. R. Douceur. The sybil attack. tn The 1st InternationalIn this snon seWorkshop on Peer-to-Peer Systems (IPTPS'02), March 2002.

In thisscenLario, nodes are highlymoble and the positionL [4] A. El Fawal, J.-Y. Le Boudec, and K. Salamatian. Self-of the victim is not known. Thus, the attackers are chosen Limiting Epidemic Forwarding. Technical Report LCA-randomly. Beside the attackers, the network contains 1000 REPORT-2006-126, EPFL, 2006.well-behaved nodes, all of them are sources ("all' scenario). [5] A. Garyfalos and K. Almeroth. Coupons: Wide scale infor-All nodes cross the same urban road. mation distribution for wireless ad hoc networks. In IEEE

4.3.1. Malicious Attacks. Fig. 7(a) shows the impact of Global Telecommunications Conference (Globecom) Globalmalicious attacks. The spread.of the victim is drawn ac-

Ii ternet and Next Generation Networks Sy'mposium Dallas,malcrdingtonusberattack tackers.Thespradf thict eistwnac-oTexas USA pages 1655-1659 December 2004.cordinglS to nlumberSl of attackers. TheU Attack-Persis3tency of [6] A. Kochut, A. Vasan, A. U. Shankar, and A. Agrawala. Sniff-IbF and IbFTTL is 2. Other values give the same results. ing out the correct physical layer capture model in 802.1lb,As we notice, the effect of the attackers is negligible even berlin, germany. In IEEE International Coiiference on Net-in the presence of 100 attackers. In the most harmful case, work Protocols (ICNP 04), pages 252- 261, October 2004.the IbFTTL attacker reduces the victim spread from 50 to [7] S.-D. Modiano, E. and G. Zussman. Maximizing throughput30 nodes, which is not significant. This can be explained in wireless networks via gossiping. In ACM SIGMETRICS /by the presence of the spread control mechanism; the at- IFIP Performance'06, June 2006.

'[8] S.-Y Ni Y.-C. Tseng, Y.-S. Chen and J.-P. Sheu. The broad-ta ker can affet the victim oly if their speads interfere cast storm problem inl a mobile ad hoc nletwork. Inl Mobicom,i.e. there exist commn or nodes that receive the attacker anldSetlWahnonUidttsAgut1-1999the victim packets. And the amount of harm is proportional pages 15 1-162.to the amount of inlterference. As the spread is limited by