
Denial of Service in Sensor Networks. Anthony D. Wood, John A. Stankovic. Presenter: Todd Fielder.

Date post: 21-Jan-2016
Page 1

Denial of Service in Sensor Networks

Anthony D. Wood
John A. Stankovic

Presenter: Todd Fielder

Page 2

Denial of Service

Any event that diminishes or eliminates a network's capacity to perform its expected function.
– Hardware failure
– Software bugs
– Resource exhaustion

This article is primarily concerned with protocol or design level vulnerabilities.

Page 3

Complications in Sensor Networks

Harsh environments
– Fault tolerant
  – Must be resilient in the presence of failures

Subverted nodes which are as powerful as network nodes

Potentially more powerful computing capabilities at adversary
– i.e. could be wired

Page 4

Network Architecture

A layered network architecture
– Clean division increases robustness by defining layer interactions and interfaces
– Sensor networks sacrifice robustness, cross layers, to increase performance

Each layer vulnerable to different DoS attacks

Page 5

Physical Layer

Wireless communication due to large scale ad-hoc network

Wired base station rare

Page 6

Jamming

Interference with the radio frequency the network is using.

Easily detectable due to constant energy

Defenses:
– Spread spectrum: frequency hopping based on a predetermined algorithm.
  – Resource intensive
– Jamming rarely affects entire network, route around affected area

Page 7

Tampering

Attacker can gain access to physical sensor and either analyze device to obtain sensitive information and/or replace sensor.
– Obtain cryptographic keys
– Reprogram nodes

Defenses:
– Tamper proof physical packaging
  – Node should react in fail-complete manner
– Camouflage or hide nodes

Page 8

Link Layer

Provides channel arbitration for neighbor to neighbor communication

Cooperative schemes, such as carrier sense, are particularly vulnerable to DoS attacks.

Page 9

Collision (corruption)

Can disrupt an entire packet by introducing a collision in only a small portion of the packet
– Requires only fractional portion of energy
  – Causes heavy expenditure in energy by target (exponential backoff)

Defenses:
– Error correcting codes
  – Usually used for small errors (environmental or probabilistic)
– Collision detection
  – Still requires communication among nodes… not completely effective

Page 10

Exhaustion

Communicate in such a way so as to drain battery resources
– If retransmission is repeated and collision induced near end of frame, nearby nodes would become exhausted of energy.
– Self-sacrificing node
  – Interrogation: node continually sends RTS to attacker to solicit a CTS, thereby exhausting both nodes' battery resources

Defenses:
– Rate-limiting
  – Network ignores excessive requests without transmitting additional packets
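
The rate-limiting defense above, sketched as a per-neighbor token bucket at the MAC layer. This is an added example, not code from the slides or the paper; the class name, the burst and refill values, and the RTS trace are assumptions constructed for illustration.

```python
from collections import defaultdict

class RtsRateLimiter:
    """Token bucket per neighbor: each CTS we agree to send costs one token."""

    def __init__(self, burst=3, refill_per_sec=0.5):
        self.burst = burst              # CTS replies allowed back to back (assumed value)
        self.refill = refill_per_sec    # sustained CTS replies per second (assumed value)
        self.tokens = defaultdict(lambda: float(burst))
        self.last_seen = {}
        self.cts_sent = defaultdict(int)   # radio transmissions actually made
        self.ignored = defaultdict(int)    # requests dropped without any reply

    def on_rts(self, neighbor, now):
        """Return True if a CTS should be sent, False to stay silent."""
        elapsed = now - self.last_seen.get(neighbor, now)
        self.last_seen[neighbor] = now
        refilled = self.tokens[neighbor] + elapsed * self.refill
        self.tokens[neighbor] = min(self.burst, refilled)
        if self.tokens[neighbor] >= 1.0:
            self.tokens[neighbor] -= 1.0
            self.cts_sent[neighbor] += 1
            return True
        # No NACK or error frame: any reply would spend the energy the limit protects.
        self.ignored[neighbor] += 1
        return False

def simulate():
    """Constructed trace: node 7 sends an RTS every 10 ms for 10 s, node 2 every 4 s."""
    limiter = RtsRateLimiter()
    events = [(i * 0.01, 7) for i in range(1000)] + [(t, 2) for t in (0.0, 4.0, 8.0)]
    for now, neighbor in sorted(events):
        limiter.on_rts(neighbor, now)
    return limiter
```

Over the ten-second trace the node answers 7 of node 7's 1000 requests and all 3 of node 2's, so its transmit cost is bounded by the bucket parameters rather than by the requester's rate.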

Page 11

Unfairness

Intermittent application of previous attacks could degrade service of the network
– Cause loss of real-time services

Defenses:
– Small frame:
  – Allows individual nodes to capture the channel for a small period of time

Page 12

Network and Routing Layer

Most nodes will serve as routers
– Due to ad-hoc nature of network

Causes additional complexities for protocol
– Simple enough to scale to large networks
– Robust enough to deal with failures several hops from source

Page 13

Neglect and Greed

Node-as-Router
– Neglect: Does not forward other packets
– Greed: Gives undue priority to own packets

Difficult to detect

Defenses:
– Multiple routing paths
– Redundant message transmission

Page 14

Homing

Passive adversary observes traffic to determine which nodes are critical to network function, then concentrates attack on that node

Defenses:
– Encrypt headers at each hop, to prevent source and/or destination from becoming discovered

Page 15

Misdirection

Forward packets along wrong paths
– Smurf: forge the victim's address as the source of message, causing all responses to be sent to that address.

Defenses:
– Egress filtering
  – Verify source address and only route legitimate packets.

Page 16

Black Holes

Nodes advertise zero-cost routes to every other node, causing every other node to route in their direction.

Defenses:
– Easy to detect

Page 17

Defenses

Authorization
– Only authorized nodes may exchange routing information

Monitoring
– Observe neighbors to ensure proper routing behavior

Probing
– Periodically send probes that cross the network's diameter

Redundancy
– Duplicate messages across multiple paths protects against routing failures

Page 18

Transport Layer

Provides services for end-to-end communication
– Tend to be simple to reduce overhead

Page 19

Flooding

Feasible in state protocols: an adversary sends many connection establishments to a victim, who must keep these SYN requests in a queue, which eventually fills up

Defenses:
– Limit number of connections
  – Prevents resource exhaustion
  – Can still deny service to legitimate connections
– Client puzzles
  – Requires clients to demonstrate resources they are willing to commit to the connection by solving a puzzle distributed by the server
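
A hash-based client puzzle of the kind this slide describes, combined with the connection limit. This is an added example, not code from the slides or the paper; the puzzle construction (a keyed-hash challenge plus a leading-zero-bits search), the difficulty, the expiry and all names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import struct

SERVER_SECRET = os.urandom(16)   # per-boot secret (hypothetical key handling)
DIFFICULTY_BITS = 12             # assumed work factor: about 2**12 hashes per request
MAX_AGE = 30                     # seconds a challenge stays valid (assumed)

def leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def make_challenge(client_id, now):
    """Server: derive the challenge from a keyed hash, so nothing is stored yet."""
    msg = client_id + struct.pack(">q", now)
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()[:8]

def solve(challenge):
    """Client: search for a counter whose hash has enough leading zero bits."""
    counter = 0
    while True:
        attempt = struct.pack(">Q", counter)
        digest = hashlib.sha256(challenge + attempt).digest()
        if leading_zero_bits(digest) >= DIFFICULTY_BITS:
            return attempt
        counter += 1

def verify(client_id, issued_at, solution, now):
    """Server: one HMAC and one hash, however long the client had to search."""
    if not 0 <= now - issued_at <= MAX_AGE:
        return False                      # stale or future-dated challenge
    challenge = make_challenge(client_id, issued_at)
    digest = hashlib.sha256(challenge + solution).digest()
    return leading_zero_bits(digest) >= DIFFICULTY_BITS

class ConnectionTable:
    """Connection queue that allocates a slot only after the puzzle checks out."""
    def __init__(self, capacity=4):
        self.capacity = capacity
        self.slots = set()

    def on_request(self, client_id, issued_at, solution, now):
        if len(self.slots) >= self.capacity:
            return False                  # the "limit number of connections" defense
        if not verify(client_id, issued_at, solution, now):
            return False                  # unsolved requests never occupy a slot
        self.slots.add(client_id)
        return True
```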

Page 20

De-synchronization

An existing connection is disrupted by an adversary repeatedly forging messages with incorrect timing data (seq. num, control flags)

Defenses:
– Authenticate each packet
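
Per-packet authentication as it applies to de-synchronization: the MAC covers the sequence number and control flags, and the receiver checks it before touching connection state. This is an added example, not code from the slides or the paper; the frame layout, the 8-byte truncated HMAC-SHA256 tag and all names are assumptions.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8    # truncated MAC length (assumed; small frames rarely carry a full tag)
HDR_LEN = 5    # assumed header layout: 4-byte sequence number + 1-byte control flags

def seal(key, seq, flags, payload):
    """Sender: authenticate header and payload together."""
    body = struct.pack(">IB", seq, flags) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    def __init__(self, key):
        self.key = key
        self.expected_seq = 0
        self.resync_requests = 0     # recovery traffic the attack tries to provoke
        self.dropped_forgeries = 0

    def on_packet(self, frame):
        """Return the payload of an in-order authentic frame, else None."""
        if len(frame) < HDR_LEN + TAG_LEN:
            self.dropped_forgeries += 1
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            self.dropped_forgeries += 1   # rejected before any state is read or changed
            return None
        seq, _flags = struct.unpack(">IB", body[:HDR_LEN])
        if seq < self.expected_seq:
            return None                   # replayed or duplicate frame: ignore quietly
        if seq > self.expected_seq:
            self.resync_requests += 1     # only an authentic peer can trigger recovery
            return None
        self.expected_seq += 1
        return body[HDR_LEN:]
```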

Page 21

Adaptive Rate Control

Improvements to standard MAC protocols for Wireless Sensor Nets.
– Random transmission delay
– Back off that shifts an application's periodicity phase
– Minimization of overhead in contention control mechanisms
– Passive adaptation of originating and route-through admission control rates
– Anticipatory delay for avoiding multi-hop hidden-node problems.

Preference given to route-through traffic in admission control protocol (back-off less at distant nodes).
– Preserves network's investment in packets that have been forwarded many hops.

Problem: High bandwidth packet streams generated by an adversary will receive preference during collisions.
– The network must not only bear the malicious traffic, it also gives preference to it.

Page 22

Real-Time Location-Based Protocols (RAP)

Real-time communication architecture

Geographic forwarding with a velocity monotonic scheduling (VMS) policy.
– Based on packet deadline and distance to travel.

Problem: Adversary can inject messages with geographic destinations far away.
– Static Velocity: Intermediate nodes only need to make local forwarding decisions.
– Dynamic Velocity: Intentionally lowering its velocity so that the packet misses its deadline.

Solutions:
– Static Velocity: Use cryptographic keys to authenticate velocity
– Dynamic Velocity: Clock synchronization to prioritize packets

Page 23

Questions???

