Security Threats in Mobile Ad Hoc Networks
Vulnerabilities of MANETs
o Wireless links
o Dynamic topology
o Cooperativeness
o Lack of a clear line of defense
o Limited resources
Wireless links
o Insecurity of open medium
o Makes the network susceptible to attacks.
o Eavesdropping
o Active interference
o Attackers do not need physical access to the network to carry out these attacks.
Dynamic topology
o Difficult to differentiate normal behaviour of the network from anomalous/malicious behaviour.
o A node sending disruptive routing information
o A node that does not collaborate
o Cannot assume nodes are secured in locked cabinets.
Cooperativeness
Routing algorithms generally assume that nodes are
o cooperative
o non-malicious
A malicious node
o can easily become an important routing agent
o can disrupt network operations by disobeying the protocol specifications.
Lack of a Clear Line of Defense
o Attacks can come from all directions.
o The boundary separating the inside network from the outside is not clear.
o No well-defined place that we can deploy
o Traffic monitoring mechanisms
o Access control mechanisms
Limited Resources
o Resource-constrained nodes
o Laptops, handheld devices such as PDAs and mobile phones.
o Lead to new attacks
o Sleep deprivation torture attacks.
o DoS attacks targeting limited resources.
Security Goals
o Authentication
o Confidentiality
o The sensitivity of information can change rapidly.
o Integrity
o Availability
o modern war-goal.
o Non-Repudiation
Attacks on Network Protocol Stack
Layer: Attacks
Application: data corruption, viruses, worms
Transport: TCP/UDP SYN flood
Network: hello flood, blackhole
Data Link: monitoring, traffic analysis
Physical: eavesdropping, active interference
External & Internal Attackers
External Attacks: by unauthorized nodes
Internal Attacks: by internal nodes
Failed Nodes: unable to perform, due to power failure, environmental factors, etc.
Selfish Nodes: exploit the routing protocol to their advantage (not cooperate), for example to save their resources
Malicious Nodes: aim to disrupt the network or listen to confidential information
Misuse Goal of Attackers
Route Disruption: modifying existing routes, creating routing loops, and causing the packets to be forwarded along a route that is not optimal, non-existent, or otherwise erroneous
Node Isolation: isolating a node or some node(s) from communicating with other nodes in the network, partitioning the network, etc.
Resource Consumption: decreasing network performance, consuming network bandwidth or node resources, etc.
the Performance of an Attack
o Computational power
o Deployment capability
o Location control
o Mobility
o Degree of physical access
Attacks on MANETs
Passive Attacks
o Eavesdropping attacks
o Spread spectrum communication
o Frequency hopping
o Traffic analysis
o The existence and location of nodes
o The communication network topology
o The roles played by nodes
o The current sources & destination of communications
o The current location of specific individuals or functions
In MANETs, nodes that are not within each other’s communication range must rely on other nodes to forward their packets.
Dropping Attacks
Malicious nodes drop data packets not destined for themselves.
Disrupt network connection.
Difficult to differentiate from packet dropping due to:
o mobility (60%)
o collisions
o transmission link errors
Packet Forwarding Attacks 1/2
o Drop the packets.
o Modify the content of the packets.
o Duplicate the packets.
o Inject a large amount of junk packets into the network (DoS).
Packet Forwarding Attacks 2/2
Multi-hop networks assume that participating nodes will faithfully forward received messages.
Selective Forwarding Attack: Malicious nodes refuse to forward some messages and drop them. (Integrity)
Routing Attacks
o Modify the route.
o Cause the packets to be forwarded along a route that is not optimal or non-existent.
o Create routing loops in the network.
o Prevent the source node from finding any route to the destination.
o Partition the network.
Fabrication Attacks
o Active forge
o Sends faked messages without receiving any related messages.
o Forge reply
o Sends fake route reply messages in response to related legitimate route request messages.
Atomic Misuses of a RREQ Message
DR: drop
MF: modification
AF: active forge
Possible Modifications of Fields in a RREQ Message
RREQ_DR
If an attacker drops all the RREQ messages it receives, this misuse is equivalent to not having the attacking node.
The attacker
o may also selectively drop RREQ messages.
o may separate the nodes if it is in a critical position.
RREQ_MF_RD
Suppose node S broadcasts a RREQ to establish a route to node D.
o Replace the RREQ ID of node S with the RREQ ID of node D, increased by a small number.
o Interchange the source IP address with the destination IP address in the RREQ message.
o Increment the dest. sequence number by at least one.
o Fill source IP address in IP header with a non-existent IP address.
RREQ_MF_RI
o Increase the source node’s RREQ ID by at least one.
o Increase the source sequence number by at least one.
o Increase the destination sequence number by at least one.
(insider attacker is in the transmission range of the source node).
Node Isolation (RREQ_MF)
o Attacker prevents a victim node from receiving data packets from other nodes for a short period of time.
1. Increase the RREQ ID by a small number.
2. Replace the destination IP with a non-existent one.
3. Increase the source seq. number (by at least one).
4. Set the source IP address in IP header to a non-existent one.
5. Broadcast the message.
Node Isolation (RREQ_MF)
o It can prevent a victim node from receiving data packets for a short period.
o It cannot fully isolate the victim node due to the local repair mechanism.
o If data packets cannot be delivered successfully, new route discovery is initiated.
o The victim may still be able to send data packets to other nodes.
Resource Consumption (RREQ_MF)
o It is difficult to consume many resources with one faked RREQ.
o It can still introduce unnecessary broadcast messages into the network.
o It can make a RREQ message appear to be fresh (by increasing the RREQ ID).
o Repeatedly apply RREQ_MF_RC misuse to make a real impact on the network.
Atomic Misuses of a RREP Message
DR: drop
MF: modification
FR: forge reply
AF: active forge
RREP_DR
Route Disruption
o If only one RREP message is generated, the route is prevented from being established.
o Otherwise, this misuse has very limited impact.
Node Isolation
o If an attacker is the only neighbour of a victim node, it can partially isolate the victim node by dropping all the RREP messages.
RREP_MF
Route Invasion
o If only one RREP message is generated, the attacker does not have to do anything to invade the route.
o If there are other RREP messages, the attacker could suppress other RREP messages (by increasing the dest. sequence number).
Route Invasion (RREP_AF)
If the attacker has routes to both the source and the destination nodes.
[Figure: two panels showing nodes 0, 1, 2, 3 and node A; A sends faked RREP messages]
a Forge Reply Attack
[Figure: network with node labels S, D, M, A, B, C, F, E, I1 and I2, showing a faked RREP]
Atomic Misuses of a RERR Message
DR: drop
MF: modification
AF: active forge
Possible Modifications of Fields in a RERR Message
Route Invasion by Two Faked RREQs 1 (1/3)
[Figure: nodes 0, 1, 2, 3, 4, 5 and node A]
1. Set the source IP address as node 5.
2. Set the dest. IP address as node 0.
3. Set the source seq. number to a number greater than node 5’s seq. number.
4. Set the source IP in IP header as node A.
5. Node A then broadcasts the faked RREQ message.
After receiving this message, node 2 & node 3 will set node A as the next hop to node 5.
Route Invasion by Two Faked RREQs 1 (2/3)
[Figure: nodes 0, 1, 2, 3, 4, 5 and node A]
1. Set the source IP address as node A.
2. Set the dest. IP address as node 5.
3. Set the dest. seq. number to a number greater than node 5’s seq. number.
4. Set the source IP in IP header as node A.
5. Node A then broadcasts the faked RREQ message.
Route Invasion by Two Faked RREQs 1 (3/3)
[Figure: nodes 0, 1, 2, 3, 4, 5 and node A]
Routing Loop Attack 1 (1/2)
[Figure: nodes 0, 1, 3, 4 and node A]
Faked RREP message
1. Set the destination IP address to node 1.
2. Set the dest. seq. number as node 1’s seq. number plus at least one.
3. Set the source IP address to node 0.
4. Set the source IP address in the IP header to node 3.
5. Set the dest. IP address in the IP header to node 4.
Routing Loop Attack 1 (2/2)
[Figure: nodes 0, 1, 3, 4 and node A]
The data packets will be dropped until the TTL fields in the IP packets decrease to 0.
Routing Loop Attack 2 (1/3)
o Set the source IP address as node 0.
o Set the destination IP address as node 1.
o Set the destination sequence number to a number greater than node 1’s sequence number.
o Set the source IP address in the IP header as node 3.
o Set the dest. IP address in the IP header as node 5.
[Figure: nodes 0, 1, 3, 4, 5, 6 and node A, showing the faked RREP]
Routing Loop Attack 2 (2/3)
o Set the source IP address as node 0.
o Set the destination IP address as node 1.
o Set the destination sequence number to a number greater than node 1’s sequence number.
o Set the source IP address in the IP header as node 5.
o Set the dest. IP address in the IP header as node 6.
[Figure: nodes 0, 1, 3, 4, 5, 6 and node A, showing the faked RREP]
Routing Loop Attack 2 (3/3)
[Figure: nodes 0, 1, 3, 4, 5, 6 and node A]
Sinkhole, Blackhole Attacks, Grayhole attacks
o Attract nearly all traffic from a particular area through a compromised node by making the compromised node attractive.
o Especially effective in routing protocols that use advertised information in the route discovery process.
o remaining energy
o nearest node to the destination etc.
Modification Attacks
Ad Hoc Flooding Attacks
Broadcast a lot of RREQ messages for randomly selected nodes
Aim to consume the resources of the nodes and the network
Sleep Deprivation Torture Attack
o A DoS attack
o Most mobile nodes are run on battery power.
o Consumes a victim node’s battery power & disables the node.
o More powerful than the better known DoS attacks (CPU exhaustion).
Routing Table Overflow Attack
o A DoS attack at the Route Discovery phase.
o Attacker sends a lot of route advertisements for nodes that do not exist.
o Overflows the victim nodes’ routing tables.
o Prevents new routes from being created.
o More effective in proactive protocols than in reactive protocols.
Routing Cache Poisoning Attack
o A fabrication attack.
o A node can update its table by overhearing routing control protocol messages.
o Attacker sends spoofed routing information packets.
o Neighbour nodes update their tables erroneously.
Timing Attacks
o DoS attacks
o Rushing attacks
o Hello flood attacks
o broadcasts Hello packets with large transmission power.
o Wormhole attacks
Rushing Attack
Occurs during the Route Discovery phase
In reactive routing protocols, each node forwards only the first arriving Route Request in order to limit the overhead of message flooding
If the Route Request forwarded by the attacker arrives first at the destination, routes including the attacker will be discovered instead of valid routes
by ignoring delays at MAC or routing layers,
by wormhole attacks,
by keeping other nodes’ transmission queues full,
by transmitting packets at a higher wireless transmission power.
Route Discovery
[Figure: Source, Destination and intermediate nodes A, B, C; labels: Route Req, Route Reply]
Route Discovery Under Rushing Attack
[Figure: Source, Destination and two Attacker nodes; labels: Route Req, Route Reply]
Jellyfish Attack
Attacker
o Introduces delays in the network.
o Delays all packets it receives.
o Once delays are propagated then packets are released in the network.
o High end-to-end delays.
o High delay jitter.
o Decreasing the network performance.
Wormhole Attack
[Figure: nodes S and D and a tunnel between M1 and M2]
An attacker receives packets at one point in the network, tunnels them to an attacker at another point in the network, and then replays them into the network from this final point.
Packets sent by tunneling forestall packets forwarded by multi-hop routes.
Countermeasures
o Prevention techniques: secure routing
o Authentication techniques
o Detection techniques
o Specification-based
o Anomaly-based
o Signature-based
o Promiscuous monitoring
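An added example (not from the original slides) of how the specification-based and anomaly-based detection listed above can run on overheard AODV control messages: it flags RREQ flooding and RREPs that advertise an implausible destination sequence number. The trace format, node names and MAX_SEQ_JUMP are assumptions; RREQ_RATELIMIT is the RFC 3561 default.

```python
from collections import defaultdict, deque

RREQ_RATELIMIT = 10  # RFC 3561 default: RREQs one node may originate per second
MAX_SEQ_JUMP = 5     # assumed anomaly threshold; tune to the deployment


def seq_diff(new, old):
    """Signed 32-bit difference, so sequence-number rollover is handled."""
    d = (new - old) & 0xFFFFFFFF
    return d - (1 << 32) if d >= (1 << 31) else d


def detect(messages):
    """Scan a time-ordered trace; return (time, rule, sender) alerts."""
    alerts, flagged = [], set()
    recent = defaultdict(deque)  # sender -> RREQ timestamps in the last second
    last_seq = {}                # destination -> last accepted dest. seq. number
    for t, kind, sender, dest, seq in messages:
        if kind == "RREQ":
            window = recent[sender]
            window.append(t)
            while t - window[0] >= 1.0:
                window.popleft()
            # Specification check: more RREQs per second than the protocol allows.
            if len(window) > RREQ_RATELIMIT and sender not in flagged:
                flagged.add(sender)
                alerts.append((t, "rreq-flood", sender))
        elif kind == "RREP":
            known = last_seq.get(dest)
            if known is None:
                last_seq[dest] = seq
            elif seq_diff(seq, known) > MAX_SEQ_JUMP:
                # Anomaly check: implausible freshness claim; keep the old baseline.
                alerts.append((t, "rrep-seq-jump", sender))
            elif seq_diff(seq, known) > 0:
                last_seq[dest] = seq
    return alerts


# Constructed trace: (time_s, type, transmitting neighbour, destination, dest_seq)
SAMPLE = [(0.0, "RREP", "n4", "n5", 40), (0.1, "RREQ", "n2", "n5", 0)]
SAMPLE += [(1.0 + 0.05 * i, "RREQ", "n7", f"x{i}", 0) for i in range(12)]
SAMPLE += [(2.0, "RREP", "n4", "n5", 41), (2.1, "RREP", "n9", "n5", 900),
           (2.2, "RREP", "n4", "n5", 42)]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

The first RREP seen for a destination sets the baseline, so seed it from the node's own routing table where one is available.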
References
1. S. Sen, J.A. Clark, J.E. Tapiador, ‘Security Threats in Mobile Ad Hoc Networks’, Security of Self-Organizing Networks: MANET, WSN, WMN, VANET. Auerbach Publications, CRC Press, 2011.
2. P. Ning, K. Sun, ‘How to Misuse AODV: A Case of Insider Attacks against Mobile Ad-hoc Routing Protocols’, 2003. http://discovery.csc.ncsu.edu/pubs/TRMisuseAODV.pdf