Wormhole attacks


Transcript Wormhole attacks

Detecting and Evading Wormholes in
Mobile Ad-hoc Wireless Networks
Asad Amir Pirzada and Chris McDonald
1
Outline
• Introduction
• Previous Work
• Dynamic Source Routing (DSR)
• Wormhole Creation
• Trust Model
• Wormhole Detection and Evasion
• Conclusion
• Comment
2
Introduction – Mobile ad-hoc wireless networks
Malicious nodes
• Improvised and insecure environments
1. Malicious nodes may participate to snoop or sabotage.
• Passive attacks: eavesdrop on packet contents
• Active attacks: imitate, drop or modify legitimate packets
2. Wormhole attacks: Two or more malicious colluding nodes create a higher level virtual tunnel in the network to conduct a variety of attacks.
• This paper presents a novel trust-based scheme without engaging any cryptographic means.
3
Introduction – Ad-hoc network
• Built by wireless nodes
• Limited transmission range and battery power
• Each node seeks the assistance of its neighbouring nodes in forwarding packets.
Routing protocol
• Requires persistent cooperative behaviour
• Each node acts like a mobile router.
Two kinds of routing protocol
• Reactive: try to save battery power by discovering routes only when they are actually required
• Proactive: continuously establish and maintain routes to avoid latency
4
Introduction – Ad-hoc network
• Secure routing protocols
• Managed ad-hoc networks: permit configuration of the nodes with encryption keys and certificates
• Pure ad-hoc networks: no a priori knowledge of their future setup
5
Previous Work
Packet Leash: detect and defend against wormhole attacks
SECTOR: the Secure Tracking of Node Encounters in Multi-hop Wireless Networks
MDS-VOW: the Multi-Dimensional Scaling Visualization of Wormhole
DSR: the Dynamic Source Routing Protocol for Mobile Ad Hoc Networks
Directional Antennas: using directional antennae to detect Wormhole attacks

A Defense against Wormhole Attacks in Wireless Networks (2003)
SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks (2003)
Visualization of Wormholes in Sensor Networks (2004)
Using Directional Antennas to Prevent Wormhole Attacks (2004)
6
Previous Work
• Packet Leash
• A mechanism to detect and defend against wormhole attacks.
• Two types of leashes:
1. Geographic Leash: each node knows its precise position and all nodes have a loosely synchronized clock.
2. Temporal Leash: all nodes are required to maintain a tightly synchronised clock.
7
Previous Work – Geographic Leash
Packets + current position + transmission time
Sender:
1. Knows its precise position
2. All nodes have a loosely synchronized clock.
Receiver:
1. Computes the distance and the received packet's time
2. Checks for a wormhole by time and distance
All nodes can obtain an authenticated symmetric key of every other node.
8
Previous Work – Temporal Leash
Packets + transmission time
Sender:
1. All nodes maintain a tightly synchronized clock.
Receiver:
1. Compares the transmission time to local time (assumes propagation speed is equal to the speed of light)
2. Computes the distance to the sender
3. Is able to detect the wormhole
All nodes can obtain an authenticated symmetric key of every other node.
9
Previous Work – SECTOR
(Secure Tracking of Node Encounters in Multi-hop Wireless Networks)
• A set of mechanisms to prevent wormhole attacks without requiring any clock synchronization or location information
• Uses a distance-bounding protocol (Mutual Authentication with Distance-bounding; MAD) to determine the distance between any two communicating parties.
• Assumes each node is equipped with a special hardware transceiver module that performs an XOR operation on two bits.
• Uses message authentication codes (MAC) secured with pairwise secret keys
• Provides the receiver with the exact distance to a sender
10
Previous Work – Directional Antennas
• All nodes share their directional information to prevent wormhole attacks.
• Messages from a non-neighbour are discarded.
11
Previous Work – MDS-VOW
• MDS-VOW (Multi-Dimensional Scaling Visualisation of Wormhole)
• Detects wormholes in sensor networks
• Does not require any special hardware such as positioning devices, synchronised clocks or directional antennas
• Adopts techniques from social science, computer graphics, and scientific visualization
(1) Estimate the distance to immediate neighbours (from the received signal strength)
Centralized controller
12
Dynamic Source Routing (DSR)
• DSR
• A reactive routing protocol
• IP source routing
• Route discovery: the source node broadcasts a ROUTE REQUEST packet (unique identification number, the target node address); the target node returns a ROUTE REPLY packet (list of nodes).
13
Wormhole Creation
• A wormhole can be created in three ways:
Tunneling of packets above the network layer
Long range tunnel using high power transmitters
Tunnel creation via external wired infrastructure
Tunneling of packets above the network layer
• Dispatch to the colluding node
(Figure: packets from the target node pass through the malicious node, which modifies all received packets by encapsulating them in a higher layer protocol, and on through the colluding node to the recipient.)
14
Wormhole Creation
Long range tunnel using high power transmitters
Tunnel creation via external wired infrastructure
• Dispatch through the network nodes
(Figure: as on the previous slide, the malicious node modifies all received packets by encapsulating them in a higher layer protocol and the colluding node delivers them to the recipient.)
15
Wormhole Creation
The colluding nodes (M1, M2) are not the immediate neighbors of
the source (S) and destination (D) node.
16
Trust Model – an effort-return based trust model
(Figure: target node x sends packets through neighbouring node y; a malicious node is also shown.)
Txy = Pp PA: the direct trust in a node y by node x
Pp ∈ [0, 1]: the existence or absence of a wormhole through node y
PA: preserves a count of the number of packets that have been forwarded by a node
Each node executing the trust model monitors its neighbours' participation in the packet forwarding mechanism
Integrity checks: success → trust counter increases; fail → trust counter decreases
17
Wormhole Detection
(Figure: packets pass from the target node through a neighbouring node; a malicious node is also shown.)
1. Before transmitting the packet
• buffer the DSR Source Route header
2. After transmitting the packet
• place its wireless interface into promiscuous mode for the Trust Update Interval (TUI)
3. Check for a wormhole:
(1) retransmission: compare the overheard packet's DSR Source Route header with the one in the buffer; if it is the same packet → increase PA for the neighbour
(2) integrity check: if Salvage field = 0 (no call for a new route discovery) → Pp = false (no wormhole)
(3) no retransmission is heard and the TUI has been exceeded → reduce PA and clear the DSR Source Route buffer
18
Wormhole Evasion
(1) Scan the route cache
(2) A route is in the cache → execute the Dijkstra algorithm (returns the shortest path in terms of number of hops)
(3) No route available from the cache → initiate a new route discovery: a ROUTE REQUEST packet is propagated towards the destination (target) node
(4) LINK CACHE scheme
• the default cost of each link = 1 (uniform spread of the inter-node trust levels)
• wormhole → the cost of the link = ∞
19
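The trust model, the promiscuous-mode check and the link-cache evasion on the three slides above are one procedure; the following Python sketch is an added illustration of it, not code from the paper or its authors. It assumes a TUI of 3 simulated ticks, encodes Pp as 1.0 (no wormhole) or 0.0 (wormhole), identifies buffered headers by a packet id, and reads the integrity check as "unmodified Source Route header with Salvage = 0".

```python
import heapq
from dataclasses import dataclass, field
TUI = 3             # Trust Update Interval in simulated ticks (assumed value)
INF = float("inf")  # LINK CACHE cost of a link that passes through a wormhole

@dataclass
class Neighbour:
    pa: int = 0                                 # packets y was observed forwarding
    pp: float = 1.0                             # 1.0 = no wormhole via y, 0.0 = wormhole (assumed encoding)
    buffer: dict = field(default_factory=dict)  # buffered DSR Source Route headers, keyed by packet id
    def trust(self):                            # Txy = Pp * PA
        return self.pp * self.pa

class TrustNode:
    def __init__(self):
        self.nb = {}                            # neighbour id -> Neighbour record
    def send(self, y, pkt_id, route, now):      # step 1: buffer the header before handing the packet to y
        self.nb.setdefault(y, Neighbour()).buffer[pkt_id] = (route, now)
    def overhear(self, y, pkt_id, route, salvage):
        # steps 2-3: x, listening in promiscuous mode, hears y retransmit and compares with its buffer
        n = self.nb[y]
        sent = n.buffer.pop(pkt_id, None)
        if sent is None:
            return                              # not a packet x handed to y
        if sent[0] == route:
            n.pa += 1                           # same Source Route header heard again: PA increases
        # integrity check (our reading of the slide): unmodified header with Salvage = 0 means no wormhole
        n.pp = 1.0 if sent[0] == route and salvage == 0 else 0.0
    def tick(self, now):
        # no retransmission heard within TUI: reduce PA and clear the buffered header
        for n in self.nb.values():
            for pkt_id in [p for p, (_, t) in n.buffer.items() if now - t > TUI]:
                del n.buffer[pkt_id]
                n.pa = max(0, n.pa - 1)

def shortest_route(src, dst, links, wormhole_nodes):
    # Dijkstra over the LINK CACHE: every link costs 1, a link into a wormhole node costs INF
    adj = {}
    for a, b in links:
        c = INF if a in wormhole_nodes or b in wormhole_nodes else 1
        adj.setdefault(a, []).append((b, c))
        adj.setdefault(b, []).append((a, c))
    dist, path, heap = {src: 0}, {src: [src]}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, INF):        # INF never beats INF, so wormhole links are never taken
                dist[v], path[v] = d + c, path[u] + [v]
                heapq.heappush(heap, (d + c, v))
    return path.get(dst)                        # None when only wormhole routes exist
```

The set of wormhole neighbours handed to shortest_route is simply every neighbour whose pp has dropped to 0.0.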
Conclusions
• Detecting wormholes in an ad-hoc network is still a challenging task.
• The authors derive trust levels in neighbouring nodes based on their sincerity in executing the routing protocol.
20
Comments
• If a neighbouring node has broken down and fails to forward packets, it will be regarded as a malicious node permanently.
21
AP
Ad hoc
• The meaning of ad hoc
• In Latin, ad hoc → "for this," → "for this purpose only," → temporary.
• A kind of network where stations or devices communicate directly and not via an access point.
• Wireless infrastructure does not exist.
• A mobile ad-hoc network (MANET)
• a self-configuring network of mobile routers (and associated hosts) connected by wireless links, the union of which forms an arbitrary topology.
• The routers are free to move randomly and organize themselves arbitrarily; thus, the network's wireless topology may change rapidly and unpredictably.
• Advantage: rapid deployment and low cost of operation
• Applications: military or police networks, natural disasters (flood, earthquake …)
22
Wormholes
Wormhole link (via a wireline, a long-range wireless transmission, or an optical link)
Solutions:
• Time-based methods
• Cryptography
• Exploiting location information
23
Wormholes
Wormhole threat against a network protocol:
Node s2 updates and broadcasts its routing table entries (s2, s9)
Node s2 → nodes {s8, s10, s11, s12}: only two hops via s9
Neighbours of s2 adjust their routing tables.
• {s1, s3, s4, s5, s7} route via s2 to reach nodes {s9, s10, s11, s12}.
Attacker node s2 can redirect and observe a large amount of traffic.
Attacker node s2 can trigger a denial-of-service (DoS) attack.
24
Wormholes
Byzantine attacks:
Black hole, flood rushing, wormhole and overlay network wormhole
Black hole: All packets are dropped.
25
Integrity check
In the DSR Source Route option:
Salvage field = 0 → a new route discovery by the source node
Salvage field <> 0 → contains a working route to forward (integrity check pass)
26