Denial of Service in Sensor Networks


Anthony D. Wood, John A. Stankovic
Presenter: Todd Fielder

Denial of Service

Any event that diminishes or eliminates a network’s capacity to perform its expected function.

– Hardware failure
– Software bugs
– Resource exhaustion

This article is primarily concerned with protocol or design level vulnerabilities.

Complications in Sensor Networks

– Harsh environments
  – Fault tolerant: must be resilient in the presence of failures
– Subverted nodes which are as powerful as network nodes
– Potentially more powerful computing capabilities at the adversary
  – i.e. could be wired

Network Architecture

– A layered network architecture
  – Clean division: increases robustness by defining layer interactions and interfaces
  – Sensor networks sacrifice robustness (they cross layers) to increase performance
– Each layer is vulnerable to different DoS attacks

Physical Layer

– Wireless communication due to large-scale ad-hoc network
– Wired base station rare

Jamming

Interference with the radio frequency the network is using.

Easily detectable due to constant energy

Defenses:
– Spread spectrum: frequency hopping based on a predetermined algorithm
  – Resource intensive
– Jamming rarely affects the entire network; route around the affected area

Tampering

Attacker can gain access to a physical sensor and either analyze the device to obtain sensitive information and/or replace the sensor.

– Obtain cryptographic keys
– Reprogram nodes

Defenses:
– Tamper-proof physical packaging
  – Node should react in fail-complete manner
– Camouflage or hide nodes

Link Layer

– Provides channel arbitration for neighbor-to-neighbor communication
– Cooperative schemes, such as carrier sense, are particularly vulnerable to DoS attacks

Collision (corruption)

– Can disrupt an entire packet by introducing a collision in only a small portion of the packet
  – Requires only a fractional portion of the energy
– Causes heavy expenditure of energy by the target (exponential backoff)

Defenses:
– Error-correcting codes
  – Usually used for small errors (environmental or probabilistic)
– Collision detection
  – Still requires communication among nodes, so not completely effective

Exhaustion

Communicate in such a way as to drain battery resources

– If retransmission is repeated and a collision is induced near the end of the frame, nearby nodes would become exhausted of energy
– Self-sacrificing node
– Interrogation resources
  – Node continually sends RTS to attacker to solicit a CTS, thereby exhausting both nodes’ batteries

Defenses:
– Rate limiting
  – Network ignores excessive requests without transmitting additional packets

Unfairness

Intermittent application of previous attacks could degrade service of the network
– Cause loss of real-time services

Defenses:
– Small frame: allows individual nodes to capture the channel for a small period of time

Network and Routing Layer

– Most nodes will serve as routers
  – Due to ad-hoc nature of network
– Causes additional complexities for protocol
  – Simple enough to scale to large networks
  – Robust enough to deal with failures several hops from source

Neglect and Greed

Node-as-router
– Neglect: does not forward other packets
– Greed: gives undue priority to own packets

Difficult to detect

Defenses:
– Multiple routing paths
– Redundant message transmission

Homing

Passive adversary observes traffic to determine which nodes are critical to network function, then concentrates attack on that node

Defenses:
– Encrypt headers at each hop, to prevent source and/or destination from being discovered

Misdirection

Forward packets along wrong paths
– Smurf: forge the victim’s address as the source of message, causing all responses to be sent to that address.

Defenses:
– Egress filtering
  – Verify source address and only route legitimate packets.

Black Holes

Nodes advertise zero-cost routes to every other node, causing every other node to route in their direction.

Defenses:
– Easy to detect

Defenses

– Authorization
  – Only authorized nodes may exchange routing information
– Monitoring
  – Observe neighbors to ensure proper routing behavior
– Probing
  – Periodically send probes that cross the network’s diameter
– Redundancy
  – Duplicating messages across multiple paths protects against routing failures

Transport Layer

– Provides services for end-to-end communication
  – Tend to be simple to reduce overhead

Flooding

Feasible in stateful protocols: an adversary sends many connection establishment requests to a victim, which must keep these SYN requests in a queue that eventually fills up.

Defenses:
– Limit number of connections
  – Prevents resource exhaustion
  – Can still deny service to legitimate connections
– Client puzzles
  – Requires clients to demonstrate the resources they are willing to commit to the connection by solving a puzzle distributed by the server

De-synchronization

An existing connection is disrupted by an adversary repeatedly forging messages with incorrect timing data (sequence numbers, control flags)

Defenses:
– Authenticate each packet

Adaptive Rate Control

Improvements to standard MAC protocols for Wireless Sensor Nets.

– Random transmission delay
– Back-off that shifts an application’s periodicity phase
– Minimization of overhead in contention control mechanisms
– Passive adaptation of originating and route-through admission control rates
– Anticipatory delay for avoiding multi-hop hidden-node problems

Preference given to route-through traffic in admission control protocol (back off less at distant nodes).

– Preserves the network’s investment in packets that have been forwarded many hops.

Problem: High bandwidth packet streams generated by an adversary will receive preference during collisions.

– The network must not only bear the malicious traffic, it also gives preference to it.

Real-Time Location-Based Protocols (RAP)

– Real-time communication architecture
– Geographic forwarding with a velocity monotonic scheduling (VMS) policy
  – Based on packet deadline and distance to travel

Problem: Adversary can inject messages with geographic destinations far away.

– Static Velocity: Intermediate nodes only need to make local forwarding decisions.

– Dynamic Velocity: Intentionally lowering its velocity so that the packet misses its deadline.

Solutions:
– Static Velocity: use cryptographic keys to authenticate velocity
– Dynamic Velocity: clock synchronization to prioritize packets
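One way a forwarding node could apply the static-velocity fix, added here as an illustration and not taken from the slides or the RAP design. It assumes a pre-shared network key, an 8-byte truncated HMAC tag, and velocity computed as distance divided by deadline; `make_packet`, `Forwarder` and the header layout are hypothetical.

```python
import hashlib
import heapq
import hmac
import math
import struct

NETWORK_KEY = b"constructed-demo-key"  # assumed pre-shared key, sample value

def requested_velocity(src, dst, deadline_s):
    """Static VMS priority: distance to travel divided by the deadline."""
    return math.dist(src, dst) / deadline_s

def make_packet(src, dst, deadline_s, payload, key=NETWORK_KEY):
    """Source side: MAC the fields the velocity is derived from."""
    hdr = struct.pack(">5d", *src, *dst, deadline_s)
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()[:8]
    return {"hdr": hdr, "payload": payload, "tag": tag}

class Forwarder:
    """Intermediate node: only authenticated packets earn a priority."""

    def __init__(self, key=NETWORK_KEY):
        self.key = key
        self.queue = []   # min-heap on negated velocity = highest first
        self.dropped = 0
        self._seq = 0     # tie-breaker keeps equal velocities FIFO

    def enqueue(self, pkt):
        want = hmac.new(self.key, pkt["hdr"] + pkt["payload"],
                        hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(want, pkt["tag"]):
            self.dropped += 1  # unauthenticated destination or deadline
            return False
        sx, sy, dx, dy, deadline = struct.unpack(">5d", pkt["hdr"])
        if deadline <= 0:
            self.dropped += 1
            return False
        velocity = requested_velocity((sx, sy), (dx, dy), deadline)
        heapq.heappush(self.queue, (-velocity, self._seq, pkt["payload"]))
        self._seq += 1
        return True

    def next_payload(self):
        return heapq.heappop(self.queue)[2] if self.queue else None

if __name__ == "__main__":
    fw = Forwarder()
    fw.enqueue(make_packet((0, 0), (100, 0), 10.0, b"slow"))
    fw.enqueue(make_packet((0, 0), (30, 0), 1.0, b"fast"))
    print(fw.next_payload())
```

A packet injected without the key never reaches the scheduler, so a far-away destination cannot buy it priority; a subverted node that holds the key is outside what this check covers.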

Questions???