Nodes Bearing Grudges: Towards Routing Security,

Fairness, and Robustness in Mobile Ad Hoc Networks

Sonja Buchegger

Jean-Yves Le Boudec

Security Issues

• Cooperation and fairness– Traffic forwarding– Resource saving

• Confidentiality of location– Military– Privacy

• No traffic diversion– Routing– Forwarding

Motivation

• Resource conservation (selfish)

• Better service

• Monetary gains

• Competition

• Stealing

Detection and Reaction

• Want to punish malicious and non-cooperative behavior

• Isolate the problem node

• Implement re-integration into network if possible

Secrets and Lies. Digital Security in a Networked

Worldby Bruce Schneier

• …a prevention-only strategy only works if the prevention mechanisms are perfect; otherwise, someone will find out how to get around them.

• “In theory there is no difference between theory and practice. In practice there is …”

The Selfish Gene

• Suckers

• Cheats

• Grudgers

The Grudger Protocol

• Observe node behavior

• Share information

• Components– Monitor (Neighborhood Watch)– Trust Manager– Reputation System (Node Rating)– Path Manager

Observation

• Ad hoc network• Node A sends packet

destined for E, through B.

• B keeps packet copy.• B snoops D.

A

B

C

D

E

The Monitor

• No forwarding

• Unusual traffic attraction

• Route salvaging

• No error messages during errors

• Unusually frequent route updates

• Silent route changes

The Trust Manager

• Trust function

• Trust level administration

• Forwarding of ALARM messages

• Filtering of incoming ALARM messages

The Reputation System

• Own experience: greatest weight

• Observations: lesser weight

• Reported experience: PGP trust weight

The Path Manager

• Path re-ranking based on security metric

• Deletion of paths containing malicious nodes

• Route request from malicious node

• Request for route containing malicious node

Within the Node

• Monitor checks behavior of neighbors• Events are forwarded to Reputation system• If an event threshold is broken, rating for

offending node is updated• If rating of offending node drops below

acceptable threshold, the Path Manager removes routes containing offending node

• ALARM message is sent by the Trust Manager

ALARM

• Sent by the Trust Manager• Type of protocol violation• Number of occurrences observed• Whether the message was self-originated

by the sender• Address of the reporting node• Address of the observed node• Destination address

Between nodes

• Monitor receives ALARM• Trust Manager checks rating of source• Reputation System updates number of

occurrences and accumulated rating*• Note

– *Either the source is fully trusted, or several partially trusted nodes have added to one completely trusted note

– Authentication is a prerequisite

Dynamic Source Routing (DSR)

A

B

CD

E

Route Request {E (A)}

Route Request {E (A)}

Route Request {E (A,C)}

Route Request {E (A,B)}

Route Request {E (A,B)} Route Request {E (A,B)}

Cache E

Dynamic Source Routing (DSR)

A

B

CD

E

Route Reply {A (E,B,A)}

Route Reply {A (E,D,C,A)}

Route Reply {A (E,D,C,A)}

Route Reply {A (E,B,A)}

Attacking DSR

• Incorrect forwarding• Traffic attraction• Route salvage for unbroken link• Short reply time• Set good metrics for bogus routes• Manipulate flow metrics• No Route Errors sent• Use bogus routes• Promiscuous mode to spy on traffic• DoS route updates at short intervals

Grudging Nodes

A

B

CD

E

Data {(A,C,D,E)}

Data {(A,C,D,E)}

XALARM (D, no forwarding, N) Data {(A,C,D,E)}

Grudging Nodes

A

B

CD

E

Data {(A,B,E)}Data {(A,B,E)}

Testing

• “Performance Analysis of the CONFIDANT Protocol (Cooperation Of Nodes: Fairness In Dynamic Ad-hoc NeTworks)”

• GLOMOSIM

• Malicious nodes (Incorrect forwarding)

• DSR modifications

• Fortified vs. Defenseless networks

Fixed Parameters

• Area: 1000m x 1000m• Speed: uniformly distributed between 0 and 20 m/s• Radio Range: 250m• Placement: uniform• Movement: Random Waypoint• MAC: 802.11• Sending Capacity: 2 Mbps• Application: CBR• Packet Size: 64 B• Simulation Time: 900s

Varied Parameters

• Percent of malicious nodes: 0 – 100%

• Pause time: 0 – 900s

• Number of nodes: 10 – 50

Metrics

• Dropped packets (mean, %)

• Goodput: – Packets Received / Packets Originated

Results

• Every non malicious node was a “friend”

• Defenseless network: 70% packet loss

• Fortified network: >3% packet loss

• Overhead is small (ALARM messages)

• Performance is good even with up to 60% malicious nodes

• Pause time had the least performance influence

Research Pieces

• Event detection– Dropped packets– Mis-routed packets– TCP Syn flood

• Distributed Trust– Friends– No guarantee of connection to authority– Transitive relations

Follow-on

• Distributing reputations

• Authentication

• Immune Networking

• Based on the body’s immune system

• Goals – Learns through observations– Adapts to environment

“Algorithm”

• Ad hoc network• Node A sends packet

destined for E, through B.

• B and C make snoop entry (A,E,Ck,B,D,E).

• B and C check for snoop entry.

• Perform Misroute

A

B

C

D

E