Denial of Service in Sensor Networks
Anthony D. Wood, John A. Stankovic
Presenter: Todd Fielder

Denial of Service
Any event that diminishes or eliminates a network’s capacity to perform its expected function.
– Hardware failure
– Software bugs
– Resource exhaustion
This article is primarily concerned with protocol or design level vulnerabilities.

Complications in Sensor Networks
Harsh environments
– Fault tolerant
Must be resilient in the presence of failures
Subverted nodes which are as powerful as network nodes
Potentially more powerful computing capabilities at adversary
– i.e. could be wired

Network Architecture
A layered network architecture
– Clean division increases robustness by defining layer interactions and interfaces
– Sensor networks sacrifice robustness by crossing layers to increase performance
Each layer is vulnerable to different DoS attacks

Physical Layer
Wireless communication due to large scale ad-hoc network
Wired base station rare

Jamming
Interference with the radio frequency the network is using.
Easily detectable due to constant energy
Defenses:
– Spread spectrum: frequency hopping based on a predetermined algorithm.
  Resource intensive
– Jamming rarely affects entire network, route around affected area

Tampering
Attacker can gain access to physical sensor and either analyze device to obtain sensitive information and/or replace sensor.
– Obtain cryptographic keys
– Reprogram nodes
Defenses:
– Tamper proof physical packaging
  Node should react in fail-complete manner
– Camouflage or hide nodes

Link Layer
Provides channel arbitration for neighbor to neighbor communication
Cooperative schemes, such as carrier sense, are particularly vulnerable to DoS attacks.

Collision (corruption)
Can disrupt an entire packet by introducing a collision in only a small portion of the packet
– Requires only a fractional portion of energy
Causes heavy expenditure in energy by target (exponential backoff)
Defenses:
– Error correcting codes
  Usually used for small errors (environmental or probabilistic)
– Collision detection
  Still requires communication among nodes… not completely effective

Exhaustion
Communicate in such a way so as to drain battery resources
– If retransmission is repeated and collision induced near end of frame, nearby nodes would become exhausted of energy.
– Self-sacrificing node
  Interrogation – node continually sends RTS to attacker to solicit a CTS, thereby exhausting both nodes’ battery resources
Defenses:
– Rate-limiting
  Network ignores excessive requests without transmitting additional packets
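
Added example (not part of the original slides): a per-neighbor token bucket that a node could apply to incoming RTS frames, dropping the excess silently so that no CTS transmit energy is spent. The burst size, refill rate and CTS energy cost are assumed values, and the RTS trace is constructed.

```python
from dataclasses import dataclass, field

RTS_BURST = 3            # assumed: RTS frames a neighbor may send back-to-back
RTS_REFILL_PER_S = 0.5   # assumed: sustained RTS rate allowed per neighbor
CTS_TX_COST_UJ = 20.0    # assumed energy cost of one CTS, in microjoules


@dataclass
class Bucket:
    tokens: float = RTS_BURST
    last: float = 0.0


@dataclass
class RtsLimiter:
    buckets: dict = field(default_factory=dict)
    cts_sent: int = 0
    dropped: int = 0

    def on_rts(self, neighbor: str, now: float) -> bool:
        """Return True if a CTS should be sent; False means drop silently."""
        b = self.buckets.setdefault(neighbor, Bucket(last=now))
        b.tokens = min(RTS_BURST, b.tokens + (now - b.last) * RTS_REFILL_PER_S)
        b.last = now
        if b.tokens < 1.0:
            self.dropped += 1      # no reply, so no transmit energy is spent
            return False
        b.tokens -= 1.0
        self.cts_sent += 1
        return True

    def energy_spent_uj(self) -> float:
        return self.cts_sent * CTS_TX_COST_UJ


def replay(trace):
    """Run a (time, neighbor) RTS trace through a fresh limiter."""
    lim = RtsLimiter()
    decisions = [(t, n, lim.on_rts(n, t)) for t, n in trace]
    return lim, decisions


# Constructed trace: "A" sends 100 RTS within one second, "B" one every 4 s.
TRACE = sorted([(i * 0.01, "A") for i in range(100)]
               + [(t, "B") for t in (0.0, 4.0, 8.0)])

if __name__ == "__main__":
    lim, _ = replay(TRACE)
    print(lim.cts_sent, lim.dropped, lim.energy_spent_uj())
```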

Unfairness
Intermittent application of previous attacks could degrade service of the network
– Cause loss of real-time services
Defenses:
– Small frame:
  Allows individual nodes to capture the channel for a small period of time

Network and Routing Layer
Most nodes will serve as routers
– Due to ad-hoc nature of network
Causes additional complexities for protocol
– Simple enough to scale to large networks
– Robust enough to deal with failures several hops from source

Neglect and Greed
Node-as-router
– Neglect: Does not forward other packets
– Greed: Gives undue priority to own packets
Difficult to detect
Defenses:
– Multiple routing paths
– Redundant message transmission

Homing
Passive adversary observes traffic to determine which nodes are critical to network function, then concentrates attack on that node
Defenses:
– Encrypt headers at each hop, to prevent source and/or destination from becoming discovered

Misdirection
Forward packets along wrong paths
– Smurf: forge the victim’s address as the source of message, causing all responses to be sent to that address.
Defenses:
– Egress filtering
  Verify source address and only route legitimate packets.

Black Holes
Nodes advertise zero-cost routes to every other node, causing every other node to route in their direction.
Defenses:
– Easy to detect

Defenses
Authorization
– Only authorized nodes may exchange routing information
Monitoring
– Observe neighbors to ensure proper routing behavior
Probing
– Periodically send probes that cross the network’s diameter
Redundancy
– Duplicating messages across multiple paths protects against routing failures

Transport Layer
Provides services for end-to-end communication
– Tend to be simple to reduce overhead

Flooding
Feasible in stateful protocols: an adversary sends many connection establishments to a victim, who must keep these SYN requests in a queue, which eventually fills up
Defenses:
– Limit number of connections
  Prevents resource exhaustion
  Can still deny service to legitimate connections
– Client puzzles
  Requires clients to demonstrate resources they are willing to commit to the connection by solving a puzzle distributed by the server
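
Added example (not part of the original slides): one way to build the client puzzle defense as a hash-preimage puzzle whose challenge is derived from a server secret, so the server queues nothing until a valid solution arrives. The difficulty, lifetime, field sizes and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import struct

SERVER_SECRET = os.urandom(32)   # known only to the server (assumed setup)
DIFFICULTY_BITS = 16             # assumed cost knob: about 2**16 hashes per client
PUZZLE_TTL = 30                  # assumed lifetime of a challenge, in seconds


def leading_zero_bits(digest: bytes) -> int:
    """Count the leading zero bits of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def _tag(client_id: bytes, ts: bytes) -> bytes:
    return hmac.new(SERVER_SECRET, client_id + ts, hashlib.sha256).digest()[:16]


def issue_puzzle(client_id: bytes, now: int) -> bytes:
    """Server: the challenge is recomputable from the secret, so no state is kept."""
    ts = struct.pack(">I", now)
    return ts + _tag(client_id, ts)


def solve_puzzle(challenge: bytes, bits: int = DIFFICULTY_BITS) -> int:
    """Client: brute-force a counter; this work is the committed resource."""
    counter = 0
    while True:
        d = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
        if leading_zero_bits(d) >= bits:
            return counter
        counter += 1


def verify_solution(client_id: bytes, challenge: bytes, counter: int,
                    now: int, bits: int = DIFFICULTY_BITS) -> bool:
    """Server: one HMAC plus one hash; allocate connection state only on True."""
    ts, tag = challenge[:4], challenge[4:]
    if not hmac.compare_digest(tag, _tag(client_id, ts)):
        return False                     # challenge was not issued by this server
    age = now - struct.unpack(">I", ts)[0]
    if age < 0 or age > PUZZLE_TTL:
        return False                     # stale or future-dated challenge
    d = hashlib.sha256(challenge + struct.pack(">Q", counter)).digest()
    return leading_zero_bits(d) >= bits
```

A solution stays valid until the challenge expires, so a deployment would also remember solved challenges for that interval to stop replays.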

De-synchronization
An existing connection is disrupted by an adversary repeatedly forging messages with incorrect timing data (seq. num, control flags)
Defenses:
– Authenticate each packet

Adaptive Rate Control
Improvements to standard MAC protocols for wireless sensor nets.
– Random transmission delay
– Back off that shifts an application’s periodicity phase
– Minimization of overhead in contention control mechanisms
– Passive adaptation of originating and route-through admission control rates
– Anticipatory delay for avoiding multi-hop hidden-node problems.
Preference given to route-through traffic in admission control protocol (back-off less at distant nodes).
– Preserves the network’s investment in packets that have been forwarded many hops.
Problem: High bandwidth packet streams generated by an adversary will receive preference during collisions.
– The network must not only bear the malicious traffic, it also gives preference to it.

Real-Time Location-Based Protocols (RAP)
Real-time communication architecture
Geographic forwarding with a velocity monotonic scheduling (VMS) policy.
– Based on packet deadline and distance to travel.
Problem: Adversary can inject messages with geographic destinations far away.
– Static Velocity: Intermediate nodes only need to make local forwarding decisions.
– Dynamic Velocity: Intentionally lowering its velocity so that the packet misses its deadline.
Solutions:
– Static Velocity: Use cryptographic keys to authenticate velocity
– Dynamic Velocity: Clock synchronization to prioritize packets
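
Added example (not part of the original slides, and not RAP's own code): velocity computed as distance over time, and a forwarder that orders its queue by velocity only after checking a MAC over the fields that determine it. The shared network key, the packet layout and the treatment of an expired deadline are assumptions; the packets are constructed.

```python
import hashlib
import hmac
import math
import struct

NETWORK_KEY = b"constructed-demo-key"   # assumption: shared by legitimate nodes


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def static_velocity(src, dst, deadline_s):
    """Fixed at the source: end-to-end distance / end-to-end deadline."""
    return distance(src, dst) / deadline_s


def dynamic_velocity(here, dst, deadline_s, elapsed_s):
    """Recomputed per hop; elapsed_s is only meaningful with synchronized clocks."""
    slack = deadline_s - elapsed_s
    # Assumption: a packet past its deadline is reported as infinitely urgent.
    return math.inf if slack <= 0 else distance(here, dst) / slack


def _mac(src, dst, deadline_s, velocity, key):
    msg = struct.pack(">6d", *src, *dst, deadline_s, velocity)
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_packet(src, dst, deadline_s, key=NETWORK_KEY):
    v = static_velocity(src, dst, deadline_s)
    return {"src": src, "dst": dst, "deadline": deadline_s,
            "velocity": v, "tag": _mac(src, dst, deadline_s, v, key)}


def accept(pkt, key=NETWORK_KEY):
    """Forwarder: tag must verify and the claim must match the signed fields."""
    good = _mac(pkt["src"], pkt["dst"], pkt["deadline"], pkt["velocity"], key)
    if not hmac.compare_digest(good, pkt["tag"]):
        return False
    expected = static_velocity(pkt["src"], pkt["dst"], pkt["deadline"])
    return math.isclose(pkt["velocity"], expected)


def schedule(queue, key=NETWORK_KEY):
    """VMS order: highest velocity first; unauthenticated packets are dropped."""
    return sorted((p for p in queue if accept(p, key)),
                  key=lambda p: -p["velocity"])
```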

Questions???