A cross layer attack against MANET cooperation enforcement tools

Vincent Toubiana and Houda LabiodTelecom ParisTech (ENST) LTCI-UMR 5141 CNRS

GET/ENST/INFRES Department 46 rue Barrault – 75634 Paris Cedex 13 – France

Email : toubiana@enst.fr, labiod@enst.fr

Abstract—Composed of mobile nodes, MANETs rely on the entire collaboration of nodes to provide routing and forwarding functions. Many solutions have been proposed to enforce the collaboration of nodes in MANETs. Most of them rely on monitoring mechanisms to detect selfish or malicious behaviors. These mechanisms have in common the implicit use of MAC layer information in their detection process. This paper presents a new attack scheme against MANET monitoring tools. Our attack scheme takes advantage of MAC layer absence of authentication to spoof the identity of honest nodes and ruin their reputations. Simulations have been carried out to evaluate the potential of the attack on current cooperation mechanisms. Results emphasize the high vulnerability of current monitoring mechanisms and underline the necessity for cooperation enforcement tools to rely only on authenticated information.

I. INTRODUCTION MANETs (Mobile Ad hoc NETworks) are emerging

networks offering the possibility to set-up spontaneous, infrastructureless and affordable deployments. MANET deployment assumes the entire collaboration of client nodes to provide routing and forwarding functions. Such assumption is reasonable in military application scenarios where users act as a team in order to assure the connectivity of the network. However, in commercial application scenarios users may retire more benefits from not sharing their bandwidth and battery and could therefore be encouraged to behave selfishly. Aiming to alleviate this threatening, but yet not malicious, behavior, cooperation enforcement solutions have been proposed to detect and isolate selfish nodes. These mechanisms rely on monitoring tools to evaluate the participation level of nodes especially during routing and forwarding operations. From this evaluation, well behaving nodes are rewarded while selfish nodes are excluded.

Watchdog [1] is often used to monitor the forwarding operation of direct neighbors, deduce their collaboration degrees and assign them a reputation. This monitoring mechanism takes advantage of the omni-directional wireless transmission mode used in MANETs to monitor the retransmission of forwarded packets and detect packet drops. However, this monitoring tool implicitly uses unauthenticated MAC layer information during the

978-1-4244-3805-1/08/$25.00 ⓒ2008IEEE ICON 2008

observation. This unverified and unauthenticated information opens a security breach which can be used by malicious nodes to deceive the monitoring tool and deviate the cooperation enforcement mechanism from its normal behavior, consequently ruining the reputation of honest nodes. Such attack against a cooperation mechanism is highly critical because it results in illegitimate exclusions of cooperative nodes and could severely damage the network functions and potentially results in a denial of services.

Several studies already described severe flaws of Watchdog and proposed improvements and new monitoring mechanisms. However, to the best of our knowledge, no attack specific to a monitoring scheme has been proposed so far. In this study, we present an attack scheme taking advantage of CSMA/CA and the absence of authentication at the MAC layer to usurp the identity of honest node and deceive the monitoring tool. This attack can be performed against Watchdog and other neighbor monitoring mechanisms. The particularity of this attack is that it subsequently allows malicious nodes to deceive the cooperation enforcement tools and therefore, indirectly modify the routing decision.

The reminder of this paper is structured as follows. Section II describes monitoring and cooperation enforcement mechanisms. Section III presents our new attack scheme. Simulation environment is detailed in Section IV. Section V analyzes the simulation results. Section VI discusses the current issues and highlights our future work.

II. BACKGROUND

A.Monitors Watchdog [1] which is the first MANET monitoring tool,

was proposed by Marti et al. to monitor data forwarding operations. Watchdog takes advantage of omni-directional transmissions to monitor the forwarding operation. Before transmitting a packet to its successor, a node saves a copy of the packet into a buffer. After it transmits it successfully to its successor, a node triggers a timer and places itself in promiscuous mode to observe the packet retransmission. Whereas the packet is not transmitted before the timer expires or the transmitted data does not correspond to the buffered data, the forwarding node is reported as misbehaving and its reputation is decreased. Several issues have already been raised about Watchdog. For instance, a

malicious forwarding node could intentionally transmit a packet when another transmission starts, therefore the monitoring node will detect the transmission and report the node as cooperative although the destination is not able to receive the packet. Similarly, a collision could prevent the monitoring node to detect the packet transmission. In such situation, the forwarding node will be reported as misbehaving despite it correctly forwarded the packet.

Major drawbacks of Watchdog design are its excessive memory consumption and the absence of authentication of monitored nodes. SWAN [2] improves Watchdog by considering these issues. A hash optimization is used to reduce the memory consumption. Since only 160 bits per packet are buffered instead of the entire packet, the memory consumption is considerably reduced. In addition, SWAN implements a neighbor authentication mechanism to detect spoofing forwarding nodes. Nevertheless, this mechanism is only applicable to detect spoofing when a packet corruption is reported but can not detect usurpation of the identity of nodes suspected of selfishness.

WatchDog is not compliant with recent energy conservative routing protocols where forwarding nodes decrease their transmission range to only reach the destination and therefore save power. If the monitoring node does not overhear the retransmission because it is out of range, it will illegitimately report the forwarding node as malicious. The authors of [3] investigated this issue and proposed a Two-hop ACK mechanism to detect forwarding nodes. To monitor B’s forwarding operations, A asks to B’s successor C to send an acknowledgement. To prevent B from issuing acknowledgments itself, it is assumed that A and C share a secret key that is used to cipher the acknowledgment. A major drawback of this approach is the overhead generated since for every hop, two additional packets are transmitted. To reduce this overhead, authors propose to piggyback the Two-hop ACK sent by C into the MAC layer ACK reducing by a factor two the packet overhead. In [3] authors reduce the packet overhead by randomizing the ACK transmissions: node A randomly includes a ciphered ACK request in the monitored transmitted packets. Since B is unable to detect ACK requests, it forwards every packet in the same way. Hence A statistically determines if B forwards packets to C. This optimization considerably reduces the overhead with minor impact on the monitoring efficiency. However, this mechanism assumes that C is honest and systematically sends ACK but C could intentionally not cooperate to ruin B’s reputation.

B.Trust model In this section, we describe reactive-routing solutions

based on trust. PathRater [1] comes complementary to Watchdog and selects the most reliable route established by Dynamic Source Routing (DSR) based on monitoring results. Many cooperation enforcement mechanisms are based on Watchdog or similar mechanisms. CORE [5] detects and excludes both malicious and selfish nodes. With CORE, a node N maintains trust values for every neighbour, when the trust of a node M falls below a

threshold; N stops to forward packets emitted by M. To

spread the nodes reputation among the network, recommendations are sent. CONFIDANT [5], proposed by Buchegger and Le Boudec, only allows negative recommendations to advertise that a malicious node is detected. Blackmail is prevented since nodes take in consideration only ALARMs sent by trusted nodes. With OCEAN [5], a node directly bypasses distrusted nodes during route establishment appending their ID in a black-list included in the route request they send.

A B

M

C A

M

CB

D

A

M

CB

a) Packet collision causing retransmission b) M enters in attacker mode c) M and B ACKs collide

Figure 1. WatchDog illustration

III. THE ATTACKER MODEL Every monitoring mechanism mentioned above focuses

on monitoring packet forwarding operation, and is triggered by a node when its successor successfully receives the packet. The packet reception check is handled by the routing protocol using positive acknowledgments. For instance DSR routing protocol describes three types of ACKs: MAC layer ACK, passive ACK (transmission overhearing) and network layer ACK. DSR recommends the first type of acknowledgment when the underlying technology offers it. Being based on CSMA/CA, the 802.11 MAC layer uses positive ACK messages. Since the mentioned monitoring mechanisms are mainly designed for 802.11 based MANETs, they also rely on ACK frame to detect packet receptions.

A.CSMA/CA The Carrier Sense Multiple Access with Collision

Avoidance (CSMA/CA) access mode which is used by 802.11 and 802.15, makes intensive use of channel sensing and BackOff to reduce packet collisions.

A

M

C A

M

C

BB

a) B is out of range, A retransmits a packet b) M usup B’id and send an ACK

M2

B

M1

AC

b) M1 and M2 simultaneously attack A

Figure 2. ACK spoofing attack

Packet collisions may still occur when two nodes in the same area attempt to transmit a frame at the same time. In this situation, every node which is in range of both transmitting nodes can not decode any of the frames. Collision can not be detected by the transmitting node since a node can not sense the channel while it is transmitting a

frame. A node consequently acknowledges the reception of any nonbroadcasted packet. If the transmitting node did not receive a positive ACK, it suspects a collision and retransmits the packet. Retransmissions occur until an ACK frame is received or the retransmission limit is reached. The MAC control header includes a retry field which is set to “1” when the packet is retransmitted.

B.Attack overview Our proposed attack takes advantage of the monitoring

mechanism flaw to send illegitimate ACK frames and reduce the reputation of honest nodes. Because 802.11 MAC layer comes with no authentication mechanism, it is vulnerable to spoofing. Especially, since the monitoring triggering event is the reception of a non-authenticated ACK frame, any node can spoof an ACK frame to trigger the monitor whichever the legitimate successor received the frame or not. When the legitimate destination is not in transmission range (either because it moves or turns it devices off), it will be monitored and reported as malicious despite it never received the packet. We consider that the spoofed node is the attack victim while the monitoring node is the target.

C.Simultaneous attack avoidance When two ACKs are transmitted simultaneously, they

collide, and the monitoring node, ignoring both, will not enter in promiscuous mode. Therefore, a condition to an efficient ACK spoofing is to avoid collision with the ACK emitted by the victim node (see Figure 1). ACK collision avoidance obliges the attacker to be sure that the victim did not receive the frame. Due to channel occupation time optimization, the ACK timeout is very small. If an attacker attempts to spoof ACK simply sending ACK when it does not overhear victim’s ACK, attacker’s ACK will reach the monitoring node too late and will be ignored.

In CSMA/CA, retransmitted packets have their retry field set to “1” and therefore leak information about potential victims (i.e. out of range of successor). This information can be used by malicious nodes to trigger an attack.

Even using this information, an attacker can not be assured that its ACK will not collide with another ACK. First, the victim may hear the retransmission and transmit an ACK that will collide with the attacker’s ACK. This situation occurs when the retransmission is provoked by a hidden node (see Figure 1). In addition, if two attackers target the same node a collision will certainly occur and none will reach its objective (see Figure 2).

D.The attack Model To avoid ACK collisions caused by simultaneous attacks,

the attacker model implements a probabilistic approach which is independent for every attacker. With this model, an attacker has a probability (1-p1) to enter in attack mode once it hears a retransmitted frame sent to a node B. In attacker mode, the attacker spoofs ACK until it detects a frame retransmission. Assuming that another attacker has the same target, the attacker spoofs the ACK and enters in collision detection mode with a probability a probability (1-

p2). If the collision is confirmed by two successive retransmitted frames to the victims, the attacker returns to its initial Listening Mode and waits for other retransmitted frames, otherwise it assumes that the colliding attacker already returned into Listening Mode and therefore goes back to the Attacker Mode. The attacker internal state is determined by the automaton represented in Figure 3. In Collision Detection Mode, the attacker stops sending fake ACK frames to avoid collision and returns in listening mode if a collision is detected during next transmission. An attacker maintains separate automatons for every potential victim and is therefore able to run simultaneously several attacks.

Listening Mode

Attacker Mode

Collision Detection Mode

P > p1

P > p2

Retransmitted packet

Retransmitted packet

Retransmitted packet

Ack

Yes

Yes

No

No

Figure 3. Attacker automaton

IV. SIMULATION ENVIRONMENT In order to fully evaluate our attack model on monitored

pure ad hoc networks, we conduct a set of simulations. In these simulations, every node uses ASMA-DSR [9] a multipath routing protocol that combines multipath routing and trust management. Nodes are monitored with Watchdog. Every ASMA advanced feature (packet signature, packet acknowledgement, route local repair) have been disabled to not interfere in the evaluation of the attack model.

NS-2 [11] simulator is used to run simulations over 200 seconds of simulation time. Since our attack is triggered by node moves, the mobility model plays an important part in the evaluation of our attack scheme. Therefore we consider different network configurations with Random Way Point mobility model with a pause time varying from 50 s to 150s.

The two attack parameters p1 and p2 modify the behavior of the attackers by reducing the collision probability and therefore impact the attack efficiency. In the first subset of simulations, p1 and p2 are equal and in the second p2 is equal to “1- p1”. In both simulation subsets, p1 goes from 0.2 to 0.8.

Simulation parameters and traffic models are respectively resumed in Table 1. Our performance evaluation is a result

of 10 different simulations for each configuration. Two performance metrics are used, which are: Packet loss rate: number of lost packets divided by the

number of transmitted packets. False positive number: total number of packet drops

reported by monitoring nodes.

Network configuration

Topology 1500, 1500

Number of nodes 100

Simulation time 90 s

Pause time 30, 90 s

Node’s speed 10 m /s

Traffic Model Traffic Type CBR

Packet Size 500 B

Inter- Departure 20 ms

Number of sources 10

Routing, MAC protocols Packet Buffer Size 50

Transmission Range 250m

MAC protocol 802.11g

Link Capacity 54 Mbps

Attack scenario Attack types ACK Fake attack

p1 and p2 probability values (0.2, 0.2); (0.4,0.4); (0.8,0.8); (0.2, 0.8); (0.4,0.6); (0.8,0.2)

Attacker ratio 0, 5, 10, 15, 20, 25,30 %

Table 1. Network configuration and simulation parameters

V. PERFORMANCES ANALYSIS Figure 4 depicts the simulation results. In every mobility

configuration, the loss rate increases with the number of

attackers. The attack configuration where attackers have few probability to initiate the attack (i.e.: 1-p1 = 0.2) corresponds to the smallest loss rate in every mobility and attack configuration. The difference is smaller when p1 vary from 0.2 to 0.4. Furthermore, p2 impacts less the performances than p1, especially in low mobility scenario. Since the number of transmission retries is high (seven), if collisions occur less than seven times, link failures will not be detected. Attack collisions have another side effect; since the target detects collisions, it increases the contention period. Consequently, more packets are buffered and packets are dropped due to the limited buffer size. Thus, even if attackers’ ACKs collide, the packet loss increases as packet loss are caused both by packet drops and buffer overflows.

False positive numbers depicted in Figure 4 show a large increase when there are few attackers in the network. Notice that false positives occur even when there are no attackers in the network. These are mainly explained by the causes enumerated in section II. However, these false positives are not very frequent. On the other hand, in presence of attackers the false positives amount quickly increases. In presence of 5 attackers, the number of false positives is comprised between 300 and 600. The highest number of false positives is reached for small values of p1 ( i.e. when ACK spoofing probability is high). In every attack configuration the false positive number rapidly grows as the number of attackers varies from 0 to 10 and then remains almost stable, with the notable exception of the configuration (p1=0.2, p2=0.2) where the number of false positives decreases when the number of attacker goes from 10 to 30 nodes. This decrease is caused by the attacker collisions which increase the link breakage detection probability. Furthermore, as packets are dropped due to buffer overflow, fewer packets are transmitted by

monitoring nodes resulting in fewer observations. As

the number

of observati

on decrease

s the number

of false positives decrease

s as well. Howe

ver, the number

of false positives

alone does not provide valuable indication on the attack‘s

Pause Time = 50

0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

0 5 10 15 20 25 30

Attacker ratio (%)

Loss

Rat

e

P=(0.2,0,2)P=(0.4,0,4)P=(0.8,0,8)P=(0.2,0,8)P=(0.4,0,6)P=(0.8,0,2)

Pause Time = 100

0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

0 5 10 15 20 25 30

Attacker ratio (%)

Loss

rate

Pause time = 150

0

0,1

0,2

0,3

0,4

0,5

0,6

0,7

0,8

0,9

1

0 5 10 15 20 25 30

Attacker ratio (%)

Loss

rat

e

0

100

200

300

400

500

600

700

800

900

1000

0 5 10 15 20 25 30

Attacker Ratio (%)

Fals

e Pos

itive

s

0

100

200

300

400

500

600

700

800

900

1000

0 5 10 15 20 25 30

Attacker Ratio (%)

Fals

e Po

sitiv

es

0

100

200

300

400

500

600

700

800

900

1000

0 5 10 15 20 25 30

Attacker Ratio (%)

Fals

e Po

sitiv

es

Figure 4. Simulations results

efficiency. Indeed, the highest number of false positives is 860. It corresponds on average to less than ten false positives per nodes. These average false positives may not reduce trust in a significant way. Therefore, we extended our study to consider the false positive repartition.

Figure 5 shows the victim distribution in the configuration where the false positive number is maximal ( p1=0.2, p2=0.2 with 20 attackers). A majority of false positive victims are subject of less than five false positives. The number of false positives victims decreases rapidly as the number of false positives increases. We observe a peak when the number of false positives is 70. This peak corresponds to the buffer size of monitoring nodes which is 64 packets. Since the timeout is particularly high (30 seconds) nodes full their monitoring buffers and mainly report packet drops when they stop transmitting packets. These buffer overflows also explain the stagnation observed in false positives evaluation. Assuming that 10 false positives are enough to exclude a node, our ACK spoofing attack will result in the exclusion of 16% of nodes.

024

68

101214

161820

1 to 10 11 to 20 21 to 30 31 to 40 41 to 50 51 to 60 61 to 70 71 to 80 81 to 90 91 to 100 101 to 175

Figure 5. Target distribution

Figure 6 represents the false positives distribution. We

observe that more than fifty percents of the false positives concern nodes that are victims of at least 60 false positives while 10% of false positive concerned on average less than two nodes. As the false positive distribution is not uniform, a majority of nodes will not be victim of the attack, but the few concerned nodes will certainly be excluded.

8%

10%

6%

8%

7%

9%

30%

7%

2%

3%

10%

1 to 10

11 to 20

21 to 30

31 to 40

41 to 50

51 to 60

61 to 70

71 to 80

81 to 90

91 to 100

101 to 175

Figure 6. False positives distribution

VI. DISCUSSION AND FUTURE WORK In this paper we present a cross-layer attack against

MANET cooperation enforcements tools. The proposed attack scheme relies on CSMA/CA design which leaks information about potential victims. Without this flaw, an attacker would not be able to avoid ACK collision and effective attacks on reputation could not be run.

This attack is particularly critical as it takes advantage of security enforcement solutions which introduces a new breach in MANET security. The main weakness of monitoring tools comes from the use of unauthenticated information. This use is caused by cross-layer optimization to reduce packet overhead. In order to counter this attack, it is required to secure at least one of these breaches.

Through simulations, we demonstrate the severity of our new attack and its potential impact on trust management systems by analyzing the loss rate and the false positives number. For future work we intend to propose countermeasures against such attack. Also, we will carry out simulations to investigate other critical parameters such as transmission range, buffer size, MAC parameters, etc.

REFERENCES [1] S. Marti et al., “Mitigating Routing Misbehavior in Mobile Ad Hoc

Networks,” Proc. ACM MobiCom 2000, pp. 255–65. [2] X. Xue, J. Leneutre, L. Chen and J. Ben-Othman, “SWAN: A

Secured Watchdog for Ad hoc Networks” ,IJCSNS International Journal of Computer Science and network Security, Vol6, June 2006

[3] D. Djenouri, N. Ouali, A. Mahmoudi, and N. Badache , “Random Feedbacks for Selfish Nodes Detection in Mobile AdHoc Networks”, IPOM 2005, LNCS 3751, pp. 68-75, 2005

[4] D. Gambetta, “Can we trust trust?”, Trust, Making and Breaking Cooperative Relations. basil Blackwell (1990) p. 213-237

[5] K. Mandalas, D. Flitzanis, G.F. Marias, P. Georgiadis, “A Survey of Several Cooperation Enforcement Schemes for MANETs”, IEEE International Symposium on Signal Processing and Information Technology.

[6] F. Kargl, A. Geiß, S. Schlott and M. Weber, “Secure Dynamic Source Routing”, Proc of the 38th Hawaii International Conference on System Sciences, 2005

[7] J. Kim and G. Tsudik, “SRDP: Securing Route Discovery in DSR”, Proceedings of the Second Annual International Conference on Mobile and Ubiquitous Systems: Networking and Services (MobiQuitous’05), 2005

[8] R. Mavropodi, P. Kotzanikolaou, and C. Douligeris, “Performance Analysis of Secure Multipath Routing Protocols for Mobile Ad Hoc Networks”, WWIC 2005, LNCS 3510, pp. 269–278, 2005.

[9] Vincent Toubiana, Houda Labiod, “ASMA : Towards Secure Adaptive Multipath in MANETs”, in Proc of IFIP MWCN 2006

[10] Jøsang and S. Pope. Semantic Constraints for Trust Transitivity. Second Asia-Pacific Conference on Conceptual Modeling (APCCM2005), Newcastle, Australia, January-February 2005

[11] K. Fall and K. Varadhan. “NS Notes and Documentation”. The VINT project, UC Berkeley, LBL, USC/ISI, and Xerox PARC, May 1998. Work in progress.