
Selective Forwarding Attack: Detecting Colluding Nodes in Wireless Mesh Networks

Date post: 25-Feb-2016
Selective Forwarding Attack: Detecting Colluding Nodes in Wireless Mesh Networks. Shankar Karuppayah, National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia. Network Security Workshop, February 14, 2012.
Selective Forwarding Attack: Detecting Colluding Nodes in Wireless Mesh Networks

Shankar Karuppayah

Network Security Workshop, February 14, 2012

National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia

Contents

• Introduction
• Problem Statement
• Related Work
• Our Proposed Mechanism
• Result and Analysis
• Conclusion and Future Work

Introduction

Wireless mesh networks (WMNs):
• Self-organized
• Self-configured
• Self-healing
• Low up-front costs
• Scalable

[Figure: wireless mesh backbone. Labels: Internet, IEEE 802.11 Wireless LAN, IEEE 802.16 WiMAX, IEEE 802.3 Ethernet LAN. Legend: mesh router with gateway/bridge, mesh router, Wi-Fi access point, WiMAX base station, Ethernet switch.]

Introduction (cont.)

• Overcome last-mile Internet access problems
• Advantages:
  • Adapts to dynamic topology changes
  • Distributed cooperation routing
• WMN applications:
  • Community networking
  • Disaster relief
  • Surveillance and monitoring
• Vulnerabilities exist in WMNs:
  • Shared wireless medium
  • Distributed architecture

Problem Statement

• Two types of attacks:
  • Passive attack
  • Active attack
• Denial of service (DoS) attacks:
  • Preventing legitimate users from accessing information, services or resources
• Gray Hole attack:
  • Also known as selective forwarding attack
  • A variation of the Black Hole attack
• Motivation of the attacks:
  • Rational intentions
  • Malicious intentions

Network Performance Deteriorates!!!

Problem Statement (cont.)

• Existing security solutions:
  • Cryptographic mechanisms
  • Public/private key exchange
• Not entirely applicable in WMNs:
  • Decentralized network architecture
  • Routers physically tampered or software vulnerabilities exploited
• The need for a non-cryptographic security mechanism arises

Related Work

• Marti et al. introduce the watchdog
  • Monitoring principle in "promiscuous" mode
• S. Banerjee proposes an algorithm to detect and remove Black/Gray Hole attackers
  • Splits transmission data into several blocks
  • Introduction of prelude and postlude messages
• Shila et al. introduce the Channel Aware Detection (CAD) algorithm to detect Gray Hole attackers
  • Considers normal losses:
    • Medium access collisions
    • Bad channel quality

CAD (Channel Aware Detection) Algorithm

Data transmission: split into several blocks (Ws)

Methodology:
• Channel estimation (dynamic detection threshold)
• Hop-by-hop packet loss monitoring

WMN router nodes: maintain packets count history with corresponding packet sequence number

When a node forwards a packet, it:
• Buffers link layer acknowledgement (MAC-ACK)
• Overhears downstream traffic

New packet types:
• PROBE: packet marking with opinion and behavior parameter
• PROBE-ACK: PROBE replies

[Figure: forwarding path with nodes S, v0, v1, v2, v3 and D, annotated with per-node packet counters. Legend: WMN router node (forwarding path), malicious node.]

However… the CAD algorithm will not be able to detect an attack in the event of colluding nodes.

Assumptions

• Routers have no energy constraints and have buffer of infinite size
• Packet drop due to:
  • Bad channel quality
  • Medium access collision
  • Presence of attackers
• Free from general wireless attacks:
  • Sybil attacks
  • Jamming (signal) attacks
• Colluding nodes are located next to each other
• Route caching to mitigate overhead
• Nodes have authentication methods implemented

CAD+ Algorithm

[Figure: forwarding path with nodes S, v0, v1, v2, v3 and D, and monitoring nodes MN0, MN1, MN2 and MN3. Legend: WMN router node (forwarding path), WMN router node (non-forwarding path), monitoring node (MNx), malicious node, overhearing.]

*MNx is not colluding but may not be reliable

• Retains existing features of CAD
• Introduction of three new packet types:
  • Prelude
  • Prelude-Notify
  • Prelude-Ack
• Source and Destination perform hashing on sent and received data packets respectively
• Destination keeps a list of monitoring nodes (MN) vs monitored nodes
• MN monitors data packets received and forwarded by the node being monitored based on the monitoring parameters
• MN maintains irregularities history
• When MN overhears a PROBE packet sent to Destination, it forwards the list of irregularities (if applicable) towards Destination.
• Destination compares the reported irregularities with the list of received packets and then replies to Source with a modified PROBE-ACK (including filtered irregularities)

Hashed Sent Packets

Packet Seq. No. | Hash Value
1 | 24
2 | 43
… | …
14 | 46
15 | 33
16 | 69
… | …

Hashed Received Packets

Packet Seq. No. | Hash Value
1 | 24
2 | 43
… | …
14 | 46
15 | 33
16 | 69
… | …

Monitoring Node Vs Monitored Node Pair

MNID | Monitored Node
MN0 | v0
MN1 | v1
MN2 | v2
MN3 | v3

Hashed Received Packets

Packet Seq. No. | Hash Value
… | …
14 | 46
15 | 50
… | …
34 | 47
35 | 33
… | …
45 | null
46 | 38
… | …
60 | 17
61 | 35

Irregularities which are monitored by MN2

Monitored Node | Packet Seq. No. | Hash Value | Timestamp | Irregularity Type
v2 | 15 | 50 | 14.9 | Alteration
v2 | 34 | 47 | 22.8 | Alteration
v2 | 45 | 31 | 35.0 | Dropping
v2 | 61 | 35 | 44.2 | Injection

Hashed Sent Packets

Packet Seq. No. | Hash Value
… | …
14 | 46
15 | 33
… | …
34 | 24
35 | 33
… | …
45 | 31
46 | 38
… | …
60 | 17

Verified Irregularities List

Intermediate Node | Count | Interval | Irregularity Type
v0 | 3 | 2 | Alteration
v0 | 6 | 1 | Injection
v2 | 1 | 1 | Dropping
v3 | 1 | 4 | Dropping

• Source compares the filtered irregularities with the list of sent packets
• Source refers to the verified irregularities list to conduct final confirmation

Monitoring Parameters

Source | Monitored Node | Next Hop | Incoming Counter | Outgoing Counter | Next Monitoring (time)
S | v2 | v3 | 5 | 10 | 34.30

Irregularities which are monitored by MN2

Monitored Node | Packet Seq. No. | Hash Value | Irregularity Type | Timestamp
v2 | 15 | 50 | Alteration | 14.9
v2 | 34 | 47 | Injection | 22.8
v2 | 55 | 35 | Dropping | 35.6

Count > COUNT_THRESH? Interval > INTERVAL_THRESH?
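
Added example (not part of the original slides and not the authors' implementation): the Python code below replays the Destination-side filtering and Source-side verification steps of CAD+ on the hash tables and the first MN2 irregularity list shown on this slide. The matching rule used for each irregularity type, the COUNT_THRESH value and the last report row (a constructed false accusation, as in a bad mouthing attack) are assumptions; the INTERVAL_THRESH check is left out because the slides do not define it.

```python
from collections import Counter

# Hash tables from the CAD+ slide: packet sequence number -> hash value.
SENT = {15: 33, 34: 24, 45: 31, 60: 17}                # kept by Source
RECEIVED = {15: 50, 34: 47, 45: None, 60: 17, 61: 35}  # kept by Destination (None = "null")

# (monitored node, seq, hash, irregularity type) as reported by MN2.
# The last row is constructed for this example and is not on the slide.
MN2_REPORTS = [
    ("v2", 15, 50, "Alteration"),
    ("v2", 34, 47, "Alteration"),
    ("v2", 45, 31, "Dropping"),
    ("v2", 61, 35, "Injection"),
    ("v2", 60, 99, "Alteration"),  # false accusation: packet 60 arrived intact
]
COUNT_THRESH = 2  # assumed value; the slide names the threshold but gives no number


def destination_filter(reports, received):
    """Keep only reports that agree with what Destination actually received."""
    def consistent(seq, h, kind):
        got = received.get(seq)
        # A dropped packet must be missing; an altered or injected one must
        # have arrived carrying exactly the hash the monitoring node reported.
        return got is None if kind == "Dropping" else got == h
    return [r for r in reports if consistent(*r[1:])]


def source_verify(filtered, sent):
    """Confirm filtered reports against the hashes Source recorded when sending."""
    def confirmed(seq, h, kind):
        if kind == "Injection":
            return seq not in sent              # Source never sent this packet
        if kind == "Dropping":
            return sent.get(seq) == h           # MN saw the genuine packet go in
        return seq in sent and sent[seq] != h   # Alteration: hash changed in transit
    return [r for r in filtered if confirmed(*r[1:])]


def suspects(verified, thresh=COUNT_THRESH):
    """Nodes whose verified irregularity count exceeds the threshold."""
    counts = Counter(node for node, *_ in verified)
    return {node: n for node, n in counts.items() if n > thresh}


if __name__ == "__main__":
    verified = source_verify(destination_filter(MN2_REPORTS, RECEIVED), SENT)
    print(verified, suspects(verified))
```
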

Detection of Threats

Threats detected (colluding nodes):
• Gray Hole attack
  • Selectively drops packet
• Packet Injection
  • Fabricates packet towards Destination node
• Packet Alteration
  • Node alters a received packet (bit or data manipulation)
• Bad Mouthing Attack
  • Framing an innocent node

Stealthy attacks by colluding nodes!!!

Result and Analysis

Packet delivery ratio comparison with colluding selective dropping rate. (no channel loss)

Parameters | Value
Simulator | Ns
Nodes | 60
Simulation Time (seconds) | 500
Warm Up Period (seconds) | 50
Attacker Nodes (random) | 30%
Source Pairs | 2

Result and Analysis (cont.)

Packet delivery ratio comparison with channel loss rate. Colluding selective dropping attacks present.

Parameters | Value
Simulator | Ns
Nodes | 60
Simulation Time (seconds) | 500
Warm Up Period (seconds) | 50
Channel Error Nodes (random) | 30%
Attacker Nodes (random) | 30%
Source Pairs | 2

Result and Analysis (cont.)

Average detection rate of Gray Hole attackers with respect to simulation time.

Parameters | Value
Simulator | Ns
Nodes | 60
Simulation Time (seconds) | 500
Warm Up Period (seconds) | 50
Normal Channel Loss Rate | 10%
Channel Error Nodes (random) | 30%
Source Pairs | 2

Conclusion and Future Work

• Developed a detection algorithm CAD+ which:
  • Integrates CAD with neighborhood monitoring feature
  • Enables detection and isolation of colluding Gray Hole attackers
  • Detects other variation of colluding attacks:
    • Packet alteration
    • Packet injection
    • Packet dropping
• Future Work:
  • Investigate possibilities of mobile MN
  • Incentives for MN to encourage cooperation
  • Extend CAD+ to detect other network layer attacks

References

Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker. Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th annual international conference on Mobile computing and networking, MobiCom ’00, pages 255–265, New York, NY, USA, 2000.

Sukla Banerjee. Detection/Removal of Cooperative Black and Gray Hole Attack in Mobile Ad-Hoc Networks. In Proceedings of the World Congress on Engineering and Computer Science 2008, WCECS ’08, October 22 - 24, 2008, San Francisco, USA, Lecture Notes in Engineering and Computer Science, pages 337–342. Newswood Limited, 2008.

D.M. Shila, Yu Cheng, and T. Anjali. Mitigating selective forwarding attacks with a channel-aware approach in WMNS. Wireless Communications, IEEE Transactions on, 9(5):1661–1675, May 2010.
