Upload
ginger-johnson
View
216
Download
0
Embed Size (px)
Citation preview
Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures – C. Karlof and D. Wagner
Dr. Xiuzhen ChengDepartment of Computer ScienceThe George Washington University
[email protected]://www.seas.gwu.edu/~cheng
04/12/2006 Xiuzhen (Susan) Cheng 2
Outline
Introduction Attacks on Sensor Network Routing Attacks on Specific Sensor Network
Protocols Countermeasures
04/12/2006 Xiuzhen (Susan) Cheng 3
Outline
Introduction Attacks on Sensor Network Routing Attacks on Specific Sensor Network
Protocols Countermeasures
04/12/2006 Xiuzhen (Susan) Cheng 4
Background Sensor Network : Heterogeneous system
consisting of tiny sensors and actuators having some computing elements
Base Station : Point of centralized control Gateway to another network, powerful data
processing unit, or point of human interface More processing capability, memory & power
Aggregation points : Node at which the messages are processed before sending to base station
POWER constrained environment
04/12/2006 Xiuzhen (Susan) Cheng 5
Sensor N/w vs. Ad-Hoc N/w Similarity : Support Multi-hop networking Differences :
Ad-hoc : Routing between any two nodes Sensor : Supports Specialized communication patterns
Many-to-One One-to-Many Local Communication
Sensor nodes more resource constrained than Ad-hoc nodes
Trust relationship among sensor nodes In-network processing, aggregation, duplication elimination
Larger Scalability
04/12/2006 Xiuzhen (Susan) Cheng 6
Problem Statement
Network Assumptions Insecure Radio links Malicious node collude to attack the system No tamper resistance on nodes Adversary can access all key material, data,
and code stored on the captured node Trust Requirements
Base stations are trustworthy Aggregation points not necessarily
trustworthy
04/12/2006 Xiuzhen (Susan) Cheng 7
Problem Statement
Threat Models : 2 types Based on device capability
Mote-class attacker access to few sensor nodes Laptop-class attacker Access to more powerful
devices. Have more battery power, better CPU, sensitive antenna, powerful radio Tx, etc
Based on attacker type / attacker location Outside attacks attacker external to the network Inside attacks Authorized node in the network is
malicious/compromised
04/12/2006 Xiuzhen (Susan) Cheng 8
Problem Statement Security Goals
Secure routing protocol should guarantee integrity, authenticity, availability of messages in presence of adversaries
Secrecy of application data is must
04/12/2006 Xiuzhen (Susan) Cheng 9
Outline
Introduction Attacks on Sensor Network Routing Attacks on Specific Sensor Network
Protocols Countermeasures
04/12/2006 Xiuzhen (Susan) Cheng 10
Attacks on Sensor Network Routing
Two types of attacks Manipulate user data directly Affect the underlying routing topology
Six categories of attacks
04/12/2006 Xiuzhen (Susan) Cheng 11
Spoofed, Altered, or Replayed Routing Information
Create routing loops Attract or repel network traffic Extend or shorten source routes Generate false error messages Partition the network Increase end-to-end delay Etc.
04/12/2006 Xiuzhen (Susan) Cheng 12
Selective Forwarding Blackhole: forward no message
Easier to be detected by neighbors Selectively forward traffic
Suppress traffic originates from some sources but reliably forward others
Hard to be detected Most effective when the attacker is the
routing path How to emulate selective forwarding when not in
the routing path? How to overcome this problem?
04/12/2006 Xiuzhen (Susan) Cheng 13
Sinkhole Attacks
Lure nearly all traffic from a particular area through a compromised node Making a compromised node look
especially attractive to surrounding nodes w.r.p.t. the routing algorithm By announcing a high-quality route By a notebook attacker Creates a large “sphere of influence”
Makes selective forwarding attack easier
04/12/2006 Xiuzhen (Susan) Cheng 14
The Sybil attack
A single node presents multiple identities to others Reduce the effectiveness of fault-tolerant
mechanisms Node-disjoint paths
High threat to geographic routing protocols An attacker “can be in more than one place
at once”
04/12/2006 Xiuzhen (Susan) Cheng 15
Wormholes Two colluding nodes understate their
distance from each other by relaying packets along an out-of-bound channel available only to the attackers
Can be used to create a sinkhole Can be used to exploit routing race
conditions Causing a node to receive certain routing
message while ignore others Can be combined with selective forwarding
and eavesdropping
04/12/2006 Xiuzhen (Susan) Cheng 16
Hello Flood Attack
Some protocols require that nodes broadcast ‘hello’ packets to advertise themselves
Laptop-class attacker can convince every node that it is their neighbor by transmitting at high power
Can be thought as a one-way, broadcast wormhole
04/12/2006 Xiuzhen (Susan) Cheng 17
Acknowledgement Spoofing
Some routing algorithms require explicit/implicit link layer ACKs
Adversary can spoof ACKs for control packets and try to convince the sender that a weak link is strong or a dead link is alive; causing packet losses
04/12/2006 Xiuzhen (Susan) Cheng 18
Outline
Introduction Attacks on Sensor Network Routing Attacks on Specific Sensor Network
Protocols Conclusion and Future Research
04/12/2006 Xiuzhen (Susan) Cheng 19
TinyOS Beaconing Protocol Description It constructs a ‘Breadth first’
spanning tree rooted at the base station
Base station periodically broadcast route updates
Immediate nodes parent, base station; other nodes parent, from who they receive the first update
Packets travel through the paths along tree
04/12/2006 Xiuzhen (Susan) Cheng 20
TinyOS Beaconing Attacks Unauthenticated route updates Malicious
node acts as base station Authenticated route updates
Two colluding nodes (laptop-class attacker with one near the base station) form wormhole to direct all traffic through them
Laptop-class attacker use HELLO flood attack every node marks attacker as parent
Mote-class attacker can cause ‘Routing loops’ between two nodes
04/12/2006 Xiuzhen (Susan) Cheng 21
Directed Diffusion Protocol desc.
Data-centric routing algorithm Base station send the ‘named’ data which is
flooded as ‘interests’ throughout the network ‘Gradients’ are set up to ‘draw’ events (data
matching the interests) Base station positively reinforces high data rates
paths Attacks
Cloning i.e. Replay of interest by the adversary Path influence by reinforcing certain paths
passing through the adversary Selective forwarding and data tampering
04/12/2006 Xiuzhen (Susan) Cheng 22
Geographic Routing Two protocols:
GPSR (Greedy Perimeter Stateless Routing) GEAR (Geographic and Energy Aware Routing) GPSR is a greedy algorithm, routing packets to a
neighbor that is closest to the destination When greedy forwarding is impossible, GPSR routes
around the perimeter of the void GPSR utilizes only one route, leading to uneven energy
consumption GEAR takes both distance and residual energy as
routing metric Leverage nodes’ positions & explicit geographic packet
destinations to efficiently disseminate queries and route updates
Require exchange of location information
04/12/2006 Xiuzhen (Susan) Cheng 23
Geographic Routing Attacks Attack : Location information
misrepresented Adversary advertise wrong location info.
so as to place himself in the path Adversary forge location advertisements
creating routing loops In GEAR, energy is also considered
adversary advertise maximum energy (Laptop class attacker again !!)
04/12/2006 Xiuzhen (Susan) Cheng 24
Geographic Routing Attacks Sybil Attack Routing Loops
04/12/2006 Xiuzhen (Susan) Cheng 25
Minimum Cost Forwarding A distributed shortest-paths algorithm
Initially each node has cost infinity except the base station whose cost is 0
Beacon flooding from base station to update the cost CN = CM + LN,M
Attacks Is extremely susceptible to sinkhole attacks – an
attacker announces its cost of 0 at anywhere Hello-flood attack by a laptop-class attacker to
disable the whole network
04/12/2006 Xiuzhen (Susan) Cheng 26
LEACH: Low-Energy Adaptive Clustering Hierarchy
Nodes self-organize into clusters and cluster head can communicate with the base station directly Cluster head rule rotates; its election is
probabilistic-based (residual power and required cluster head percentage)
Cluster head aggregates readings from its cluster members
Node transmission within a cluster is TDMA based
Nodes select its cluster head based on RSSI
04/12/2006 Xiuzhen (Susan) Cheng 27
LEACH: Attacks
Since RSSI is used to select cluster head, a laptop-class attacker can disable the whole network with the HELLO flood attack
Selective forwarding attack Compromised cluster head
04/12/2006 Xiuzhen (Susan) Cheng 28
Outline
Introduction Attacks on Sensor Network Routing Attacks on Specific Sensor Network
Protocols Countermeasures
04/12/2006 Xiuzhen (Susan) Cheng 29
Countermeasures Outsider attacks vs. Insider attacks
The majority of outsider attacks can be prevented by Secret shared key & Link layer encryption.
Prevents Sybil attacks, Selective forwarding, Sinkhole Ineffective against Wormhole, Hello floods attacks.
Completely ineffective in the presence of insider attacks
Bogus routing information Create sinkholes Selectively forward packets Sybil attacks HELLO floods
04/12/2006 Xiuzhen (Susan) Cheng 30
Countermeasures Countermeasure to Insider Sybil attacks
Every node shares a unique symmetric key with the base station
A pair of neighbor nodes use the resulting key to implement an authenticated, encrypted link between them.
Base station limits the number of neighbors a node is allowed to have – prevent an insider attacker establishing shared keys with every node in the network.
Not perfect Malicious nodes can still communicating with its verified
neighbors Two or more colluding nodes may attack the network
more powerfully
04/12/2006 Xiuzhen (Susan) Cheng 31
Countermeasures Countermeasure to
HELLO flood attacks Verify the
bidirectionality of the link between two nodes
How about the adversary have highly sensitive receivers?
04/12/2006 Xiuzhen (Susan) Cheng 32
Countermeasures Countermeasure to Wormhole, SinkHole
attacks Geographical Routing protocols.
Problems: How to get the location information – attackers may disseminate spoofed location information
Solution: Restrict the structure of topology to eliminate the need for location information by the node. Use fixed topology like square, triangular or Hex Grid structure. However, it also restrict its application.
Suggestions: using multipath routing, and design effective evaluation methods to determine the quality of each routes.
04/12/2006 Xiuzhen (Susan) Cheng 33
Countermeasures Countermeasure to Selective forwarding
Multipath routing using completely disjoint paths or Braided paths
Allowing nodes dynamically choose a packet’s next hop from a set of possible candidates.
Not enough: add evaluation method to discriminate different routes
04/12/2006 Xiuzhen (Susan) Cheng 34
Countermeasures Authenticate Broadcast and flooding
Base station is trustworthy. Adversaries must not be able to spoof broadcast
or flooded messages from any base station. HELLO message from neighbor nodes should be
authenticated and impossible to spoof. Attention: authentication should be efficient
– public key cryptography and digital signatures is beyond the capabilities of sensor nodes.