
Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks

Date post: 01-Jan-2016
Description:
Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks. Asad Amir Pirzada and Chris McDonald. Outline. Introduction Previous Work Dynamic Source Routing (DSR) Wormhole Creation Trust Model Wormhole Detection and Evasion Conclusion Comment. - PowerPoint PPT Presentation
Transcript
Page 1: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks

Asad Amir Pirzada and Chris McDonald

Page 2: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Outline

Introduction

Previous Work

Dynamic Source Routing (DSR)

Wormhole Creation

Trust Model

Wormhole Detection and Evasion

Conclusion

Comment

Page 3: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Introduction–Mobile ad-hoc wireless networks

Malicious nodes

Improvised and insecure environments

1. Malicious nodes may participate to snoop or sabotage.

• Passive attacks: eavesdrop on packet contents

• Active attacks: imitate, drop or modify legitimate packets

2. Wormhole attacks: Two or more malicious colluding nodes create a higher-level virtual tunnel in the network to conduct a variety of attacks.

This paper presents a novel trust-based scheme that does not engage any cryptographic means.

Page 4: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Introduction—Ad-hoc network

Built by wireless nodes

limited transmission range and battery power

Seek the assistance of its neighbouring nodes in forwarding packets.

Routing protocol

Require persistent cooperative behaviour

Each node acts like a mobile router.

Two kinds of routing protocol

Reactive: try to save battery power by discovering routes when they are essentially required

Proactive: continuously establish and maintain routes to avoid the latency

Page 5: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Introduction—Ad-hoc network

Secure routing protocols

Managed ad-hoc networks

Permit configuration of the nodes with encryption keys and certificates

Pure ad-hoc networks

No a priori knowledge of their future setup

Page 6: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Previous Work

Packet Leash, detect and defend against wormhole attacks

A Defense against Wormhole Attacks in Wireless Networks (2003)

DSR, the Dynamic Source Routing Protocol for Mobile Ad Hoc Networks

Visualization of Wormholes in Sensor Networks (2004)

MDS-VOW, the Multi-Dimensional Scaling Visualization of Wormhole

DSR, the Dynamic Source Routing Protocol for Mobile Ad Hoc Networks

Using Directional Antennas to Prevent Wormhole Attacks (2004)

Directional Antennas, using directional antennae to detect Wormhole attacks

SECTOR, the Secure Tracking of Node Encounters in Multi-hop Wireless Networks

SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks (2003)

Page 7: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Previous Work

Packet Leash

A mechanism to detect and defend against wormhole attacks.

Two types of leashes:

1. Geographic Leash: Each node knows its precise position and all nodes have a loosely synchronized clock.

2. Temporal Leash: All nodes are required to maintain a tightly synchronised clock.

Page 8: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Previous Work– Geographic Leash

1. Know its precise position

2. All nodes have a loosely synchronized clock.

Packets + current position + transmission time

1. Compute the distance and the received packets time

2. Check a wormhole by time and distance

All nodes can obtain an authenticated symmetric key of every other node.

Page 9: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Previous Work– Temporal Leash

1. All nodes maintain a tightly synchronized clock.

Packets + transmission time

1. Compare the time to local time (assume propagation speed is equal to the speed of light)

2. Compute the distance to the sender

3. Able to detect the wormhole

All nodes can obtain an authenticated symmetric key of every other node.

Page 10: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Previous Work– SECTOR (Secure Tracking of Node Encounters in Multi-hop Wireless Networks)

A set of mechanisms to prevent wormhole attacks without requiring any clock synchronization or location information

Use a distance-bounding protocol (Mutual Authentication with Distance-bounding; MAD) to determine the distance between any two communicating parties.

Assume: Each node is equipped with a special hardware transceiver module to perform two bits XOR operation.

Use message authentication codes (MAC) secured using pairwise secret keys

Provide the receiver with the exact distance to a sender

Page 11: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Previous Work– Directional Antennas

All nodes share their directional information to prevent wormhole attacks.

Messages from a non-neighbour are discarded.

Page 12: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Previous Work– MDS-VOW

MDS-VOW (Multi-Dimensional Scaling Visualisation of Wormhole)

To detect wormholes in sensor networks

Does not require any special hardware such as positioning devices, synchronised clocks or directional antennas

Adopts techniques from social science, computer graphics, and scientific visualization

(1) Estimate the distance to immediate neighbours (the received signal strength)

(2) Send the distances to the centralized controller

Page 13: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Dynamic Source Routing (DSR)

DSR

A reactive routing protocol

IP source routing

Route discovery: the source node broadcasts a ROUTE REQUEST packet

Broadcast a ROUTE REQUEST packet (unique identification number, the target node address)

Recipient node: ROUTE REPLY packet (list of nodes)

[Figure label: target node]

Page 14: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormhole Creation

A wormhole can be created in three ways:

Tunneling of packets above the network layer

Long range tunnel using high power transmitters

Tunnel creation via external wired infrastructure

Tunneling of packets above the network layer

• modify all received packets (encapsulate in a higher layer protocol)

• Dispatch to the colluding node

[Figure labels: recipient malicious node, target node, colluding node, packets]

Page 15: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormhole Creation

Long range tunnel using high power transmitters

Tunnel creation via external wired infrastructure

• modify all received packets (encapsulate in a higher layer protocol)

• Dispatch through the network nodes

[Figure labels: recipient malicious node, target node, colluding node, packets]

Page 16: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormhole Creation

The colluding nodes (M1, M2) are not the immediate neighbors of the source (S) and destination (D) node.

Page 17: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Trust Model–an effort-return based trust model

1. Each node executing the trust model monitors its neighbouring nodes' participation in the packet forwarding mechanism.

2. Integrity checks: on success the trust counter increases; on failure the trust counter decreases.

3. $T_{xy} = P_P P_A$: the direct trust in a node y by node x

$P_P \in [0, 1]$: the existence or absence of a wormhole through node y

$P_A$: preserves a count of the number of packets that have been forwarded by a node

[Figure labels: node x, node y, neighbouring node, target node, malicious node, packets]

Page 18: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormhole Detection

1. Before transmitting the packet, the node buffers the DSR Source Route header.

2. After transmitting the packet, it places its wireless interface into promiscuous mode for the Trust Update Interval (TUI).

3. Check for a wormhole:

(1) Retransmission: compare the packet's DSR Source Route header with the one in the buffer; if it is the same packet, increase PA for the neighbour.

(2) Integrity check: if Salvage field = 0 (not call for a new route discovery), Pp = false (no wormhole).

(3) No retransmission is heard and the TUI has been exceeded: reduce PA and clear the DSR Source Route buffer.

[Figure labels: neighbouring node, target node, malicious node, packets]
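The per-neighbour bookkeeping described on this slide can be sketched as follows; this is an added example, not code from the paper or the presentation. The names `Trust` and `TrustMonitor` are hypothetical, the Source Route header is modelled as a list of addresses, and two rules are assumptions: the trust value is taken as the product of P_P and P_A, and a retransmission whose header differs from the buffered one fails the integrity check and sets P_P to 0.

```python
from dataclasses import dataclass, field

@dataclass
class Trust:
    pa: int = 0  # P_A: forwarding counter for this neighbour
    pp: int = 1  # P_P: 1 = no wormhole seen, 0 = wormhole suspected

    @property
    def value(self):
        return self.pp * self.pa  # assumption: T_xy is the product P_P * P_A

@dataclass
class TrustMonitor:  # hypothetical name, run by node x for each neighbour y
    tui: float  # Trust Update Interval in seconds
    trust: dict = field(default_factory=dict)   # neighbour -> Trust
    buffer: dict = field(default_factory=dict)  # (neighbour, pkt_id) -> (header, deadline)

    def on_send(self, neighbour, pkt_id, source_route, now):
        """Steps 1-2: buffer the Source Route header, then listen for one TUI."""
        self.trust.setdefault(neighbour, Trust())
        self.buffer[(neighbour, pkt_id)] = (tuple(source_route), now + self.tui)

    def on_overhear(self, neighbour, pkt_id, source_route, now):
        """Step 3 (1)-(2): the neighbour's retransmission was overheard."""
        self.expire(now)
        entry = self.buffer.pop((neighbour, pkt_id), None)
        if entry is None:
            return  # not a packet we sent, or heard after the TUI ran out
        t = self.trust[neighbour]
        if tuple(source_route) == entry[0]:
            t.pa += 1  # same header as buffered: forwarded faithfully
        else:
            t.pa -= 1  # assumption: a changed header fails the integrity check
            t.pp = 0   # and is treated as evidence of a wormhole

    def expire(self, now):
        """Step 3 (3): no retransmission heard within the TUI."""
        for key in [k for k, (_, deadline) in self.buffer.items() if now > deadline]:
            self.trust[key[0]].pa -= 1
            del self.buffer[key]

def demo():
    m = TrustMonitor(tui=0.5)  # all routes below are constructed samples
    m.on_send("A", 1, ["S", "A", "B", "D"], 0.0)
    m.on_overhear("A", 1, ["S", "A", "B", "D"], 0.1)
    m.on_send("M1", 2, ["S", "M1", "C", "D"], 1.0)
    m.on_overhear("M1", 2, ["S", "M1", "M2", "D"], 1.1)
    m.on_send("B", 3, ["S", "B", "D"], 2.0)
    m.expire(3.0)
    return {n: (t.pa, t.pp, t.value) for n, t in m.trust.items()}
```

`demo()` returns the tuple (P_A, P_P, trust) per neighbour: a faithful forwarder, a neighbour that altered the route, and a neighbour that stayed silent past the TUI.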

Page 19: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormhole Evasion

(1) Scan the cache for a route

(2) If a route is in the cache, execute the Dijkstra algorithm (returns the shortest path in terms of number of hops)

(3) If no route is available from the cache, initiate a new route discovery: a ROUTE REQUEST packet is propagated

(4) LINK CACHE scheme: the default cost of each link = 1 (uniform spread of the inter-node trust levels); for a wormhole, the cost of the link = ∞

[Figure labels: target node, destination node]
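The route selection on this slide, as an added example that is not code from the paper or the presentation: Dijkstra over a link cache in which every link costs 1 and a link flagged as a wormhole costs infinity. The function name, the undirected-link assumption and the sample topology are all constructed for illustration.

```python
import heapq
import math

def shortest_trusted_route(link_cache, wormhole_links, src, dst):
    """Return the fewest-hop route that avoids flagged links, or None."""
    graph = {}
    for a, b in link_cache:  # assumption: cached links are bidirectional
        cost = math.inf if frozenset((a, b)) in wormhole_links else 1
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, math.inf):
            continue  # stale heap entry
        if u == dst:
            break
        for v, cost in graph.get(u, []):
            nd = d + cost  # an infinite-cost link can never improve a distance
            if nd < dist.get(v, math.inf):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if dst not in dist:
        return None  # nothing usable in the cache: start a new route discovery
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

# Constructed link cache: a 4-hop honest path and a 3-hop path through M1-M2.
LINK_CACHE = [("S", "A"), ("A", "B"), ("B", "C"), ("C", "D"),
              ("S", "M1"), ("M1", "M2"), ("M2", "D")]

def demo():
    before = shortest_trusted_route(LINK_CACHE, set(), "S", "D")
    after = shortest_trusted_route(LINK_CACHE, {frozenset(("M1", "M2"))}, "S", "D")
    return before, after
```

Before the M1-M2 link is flagged the shorter tunnelled route wins; once it is flagged the longer honest route is returned, and `None` signals that a fresh ROUTE REQUEST is needed.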

Page 20: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Conclusions

Detecting wormholes in an ad-hoc network is still a challenging task.

The authors derive trust levels in neighboring nodes based on their sincerity in execution of the routing protocol.

Page 21: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Comments

If a neighboring node breaks down and fails to forward the packets, this node will be regarded as a malicious node permanently.

Page 22: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Ad hoc

The meaning of ad hoc

In Latin, ad hoc means "for this," "for this purpose only," temporary.

A kind of network where stations or devices communicate directly and not via an access point.

Wireless infrastructure does not exist.

A mobile ad-hoc network (MANET) is a self-configuring network of mobile routers (and associated hosts) connected by wireless links—the union of which forms an arbitrary topology.

The routers are free to move randomly and organize themselves arbitrarily; thus, the network's wireless topology may change rapidly and unpredictably.

Advantage: rapid deployment and low cost of operation

Applications: military or police network, a natural disaster (flood, earthquake …)


Page 23: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormholes

Solutions:

Time-based methods

Cryptography

Exploiting location information

Wormhole link (via a wireline, a long-range wireless transmission, or an optical link)

Page 24: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormholes

Wormhole threat against network protocol:

Node s2: update and broadcast its routing table entries (s2, s9)

Node s2 to nodes {s8, s10, s11, s12}: only two hops via s9

Neighbors of s2 adjust their routing tables. {s1, s3, s4, s5, s7} route via s2 to reach nodes {s9, s10, s11, s12}.

Attacker Node s2 can redirect and observe a large amount of traffic.

Attacker Node s2 can trigger a denial-of-service (DoS) attack.

Page 25: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Wormholes

Byzantine attacks:

Black hole, flood rushing, wormhole and overlay network wormhole

Black hole: All packets are dropped.

Page 26: Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks


Integrity check

In the DSR Source Route option:

Salvage field = 0: a new route discovery by the source node

Salvage field <> 0: contains a working route to forward (integrity check pass)

