
Ad hoc network specific attacks

Seminar Ad hoc networking: concepts, applications, and security. Technische Universität München, 2003

written by

Adam Burg

Table of contents

1. Introduction
2. Essentials and vulnerabilities of ad hoc networks
2.1. Availability
2.2. Confidentiality
2.3. Authenticity
2.4. Integrity
2.5. Non-repudiation
3. Classifications of attacks
4. Attack types
4.1. Impersonation
4.2. Sinkhole attacks
4.3. Wormholes
4.4. Sleep deprivation torture
4.5. The Sybil attack
4.6. Rushing attacks
4.7. Denial-of-Service and Flooding
5. Conclusion
Appendix. References and Sources

1. Introduction
Nowadays, it is hard to imagine a world without the Internet. The World Wide Web has evolved into an entity intertwined with our lives. What started out as an academic/military network meant to make the exchange of research information easier and then turned into a meeting place for people from all around the world grew exponentially larger year by year until it became the platform for many commercial applications and services it is today. For a long time though, we could only enjoy its advantages within the confines of our homes or offices. With the rapid development of mobile technologies however, the use of networks is not limited by earthbound cables anymore. The potential of such wireless networks is not fully explored yet. Mobile telephony is the most basic application making use of them, but the list only starts there. Combining peer-to-peer techniques with the opportunities that mobility offers, so-called ad hoc networks have become an important field of research in recent years. An ad hoc network is defined as "... an autonomous system of routers (and associated hosts) connected by wireless links--the union of which form an arbitrary graph. The routers are free to move randomly and organize themselves arbitrarily; thus, the network's wireless topology may change rapidly and unpredictably. Such a network may operate in a standalone fashion, or may be connected to the larger Internet operating as a hybrid fixed/ad hoc network." [9] The areas of application range from school classes over well-known services like chatrooms to online shopping, but they are also used in places that do not come to mind immediately, like in the military. Furthermore, it is not even necessary to have a human interaction factor: ad hoc networks can also be used to link together research computers or moving vehicles that exchange information on the road, unbeknownst to the driver.
However, new technologies do not only present new potentials, they usually present new risks as well. The purpose of this paper is to outline the security requirements of ad hoc networks and to describe various ways to attack their nodes or to disrupt their functionality and services.

2. Essentials and vulnerabilities of ad hoc networks


The principle of ad hoc networks sounds like a great idea. A dynamic connection between devices that can be used from anywhere and offers limitless business, recreational and educational opportunities appears to be a promising technological advancement towards making our lives easier. However, as with conventional networks, security and safety considerations have to be taken into account. Ad hoc networks are by nature very open to anyone. Their biggest advantage is also one of their biggest disadvantages: basically anyone with the proper hardware and knowledge of the network topology and protocols can connect to the network. This allows potential attackers to infiltrate the network and carry out attacks on its participants with the purpose of stealing or altering information. Also, depending on the application, certain nodes or network components may be exposed to physical attacks which can disrupt the functionality. In contrast to conventional networks, ad hoc network hosts are more often than not part of an environment that is not maintained professionally. Wireless nodes might be scattered over a large (potentially insecure) area, where it may prove difficult to supervise all of them. Another specialty of ad hoc networks is their heavy reliance on inter-node communication. Due to the dynamic nature of the link between the single nodes, it may happen that a certain node B is not in range of node A. In these cases, the information can be routed through intermediate nodes. Even though this is of course not a new concept, since it is heavily utilized in the infrastructure of the Internet, the fact that ad hoc network nodes are usually mobile and can disappear at any time (both from within the range of a particular node as well as from the entire network) means that the possibility that a certain data route becomes unavailable is significantly higher than in fixed-location networks. This makes it easier for attackers to disrupt the network than in conventional networks. To ensure proper operation, several attributes of these networks have to be protected against defects and, more importantly, against malicious intent. [1, 4]

2.1. Availability

Availability is the most basic requirement of any network. If the network's connection ports are unreachable, or the data routing and forwarding mechanisms are out of order, the network would cease to exist.

2.2. Confidentiality

Confidentiality describes the need to protect the data roaming in the network from being understood by unauthorized parties. Confidentiality can be achieved by encrypting essential information so only the communicating nodes can analyze and understand it.

2.3. Authenticity

Authenticity is crucial to keep eavesdroppers out of the network. With many services applicable in ad hoc networks (and other kinds of networks too, for that matter), it is important to ensure that when communicating with a certain node, that node is really who/what we expect it to be (node authentication). Message authentication ensures that the contents of a message are valid.

2.4. Integrity

Integrity of communication data is required to ensure that the information passed on between nodes has not been altered in any way. Data can be altered both intentionally and accidentally (for example through hardware glitches, or interference in the case of wireless connections).

2.5. Non-repudiation

Non-repudiation means that messages can be traced back to their senders, without the sender being able to deny having sent them. This is less a means to prevent attacks; it is rather intended to make it possible to detect intrusions and fake messages. Many routing and authentication algorithms implemented in ad hoc networks rely on trust-based concepts; the fact that a message can be attributed to a specific node helps make these algorithms more secure. It is also necessary to ensure the privacy of nodes. The location privacy of the nodes has to be protected in some applications of ad hoc networks, to ensure their safety. Imagine a battlefield scenario where the nodes are living soldiers. Exposing their location might endanger their lives. Data privacy means no unauthorized entity should be able to access the contents of messages. In some networks (like the battlefield network above) it might be convenient to conceal the existence of nodes (existence privacy). Furthermore, an ad hoc network might have to respect the identity privacy of its participants. Ad hoc networks should also be able to isolate nodes which are identified as dangerous to the network and function properly without them and the damage they have done (self-stabilisation and Byzantine robustness [3]; about the Byzantine Generals Problem, see [8]). Without a doubt, these attributes are not unique to ad hoc networks. However, the special traits described above make them more prone to old kinds of attacks and make them vulnerable to new ones. Also, the detection of tampering and intrusion becomes harder and yet all the more important. The steady flow of information relies heavily on the communication between nodes, thus the security attributes are more closely linked to each other.
The fact that hosts can be anywhere physically, and that malicious parties might join the network, carry out their attacks and disappear again without leaving behind significant traces, makes it important to analyze and assess the shape of attacks on ad hoc networks, so that appropriate measures can be taken to ensure their safety.

3. Classifications of attacks
Attacks on networks come in many varieties and they can be grouped based on different characteristics. One way to differentiate attacks is to classify them by their source. External attacks are committed by parties that are not legitimately part of the network. External attackers are not necessarily disconnected from the network, though. The targeted network might be a self-contained entity that is linked to other networks using the same infrastructure or communication technology. This would make it possible to initiate attacks without even being authenticated in the targeted network. On the other hand, it would also be possible to jam the communication of the entire ad hoc network of a company from the parking lot in front of the company building. In contrast to this, internal attacks are sourced from inside a particular network. A compromised node (defined as malicious parties "[whose] actions compromise the security of the whole ad hoc network" [1]) with access to all other nodes within its range poses a high threat to the functional efficiency of the whole collective. As discussed in [2], such attacks can be executed more efficiently, since internal attacks are not as easy to prevent as external ones. Furthermore, a malicious node that is already part of the network might actually be protected by its own security mechanisms, which assume that nodes on the network can be trusted (and have to be protected against attacks as well). Another differentiation of attacks is the distinction between passive and active attacks. Passive attacks do not involve any disruption of the service; they are merely intended to steal information and to eavesdrop on the communication within the network. Active attacks on the other hand actively alter the data, with the intent of overloading the network, obstructing the operation or cutting off certain nodes from their neighbors so they cannot use the network's services effectively anymore. To execute active attacks, the attacker must be able to inject packets into the network. Attacks might target the physical layer of a network, for example by jamming the transmissions of wireless antennas or phones, or by destroying the hardware of a certain node. Selfish nodes, which act only to their own advantage, without regard to the functionality of the whole network, can be put in either group: they are not actively attacking the network, but they have a negative effect on the communication efficiency. For example, in wireless ad hoc networks, the hosts use medium access control (MAC) protocols to share the wireless channel. Selfish nodes might misbehave and try to obtain an unfair amount of the channel's resources [10]. An attacker could also exploit the protocols of the network layer.

Intimate knowledge of the routing mechanisms involved can present security risks which are hard to defend against. Finally, it is also possible for someone with bad intentions to abuse the loopholes of the application layer: in the case of an information network, for example, he could inject false or fake information, thus undermining the integrity of the application. However, it can also be interesting to analyze the severity of the effects of attacks on ad hoc networks. Usually, the threat a certain type of intrusion or attack poses depends on the application. Not all networks have to be protected equally against security risks. In [2], two examples of ad hoc network usage are described: firstly a network of student PDAs which are interconnected, and secondly the battlefield scenario mentioned above where soldiers are connected to each other by wireless communication devices. Obviously, while the student network might be intruded by unauthorized parties, the question arises whether it is necessary to protect it by implementing secret key algorithms, high-security routing protocols etc. The importance of protection is defined by the importance of the information passed on between the students and their teachers. If the privacy and availability of this data is not crucial, it might not be necessary to implement safety precautions. In the case of the military operation supported by an ad hoc network with the soldiers acting as nodes, it is very likely that the creators of such a network would take every measure possible to prevent its exposure. The lives of the soldiers could depend on the quality of these measures. If one of the soldiers can be located through stolen routing information, the whole network (and so all the soldiers) might run the risk of being terminated. If the enemy can disrupt the network's data flow, the soldiers will not be able to communicate with each other, which would also endanger the operation.

4. Attack types
4.1. Impersonation

Impersonation attacks are also called spoofing attacks. The attacker assumes the identity of another node in the network, thus receiving messages directed to the node it fakes. Usually this would be one of the first steps to intrude a network with the aim of carrying out further attacks to disrupt operation. Depending on the access level of the impersonated node, the intruder may even be able to reconfigure the network so that other attackers can (more) easily join, or he could remove security measures to allow subsequent attempts of invasion. A compromised node may also have access to encryption keys and authentication information. In many networks, a malicious node could obstruct proper routing by injecting false routing packets into the network or by modifying routing information. Attackers might see an advantage in selectively forwarding packets that pass them. As described in [5], an intruder with this goal will most likely try to impersonate a node within the path of the data flow of interest. It could achieve this by modifying routing data or by presenting itself as a trustworthy communication partner to neighboring nodes in parallel. Depending on the layer where the identity faking takes place, it can be difficult to prevent it. Exploiting MAC layer protocol weaknesses, attackers could place their node between two other nodes communicating with each other (man-in-the-middle attack). Since MAC addresses can be faked with little effort, detecting an illegitimate intruder might not be possible in this layer. However, by using good authentication algorithms, strong data encryption and secure routing protocols, the effects of impersonation can be reduced significantly.

4.2. Sinkhole attacks

By carrying out a sinkhole attack, a compromised node tries to attract the data of all neighboring nodes to itself. Since this would give this node access to all data, the sinkhole attack is the basis for many other attacks like eavesdropping or data alteration. Sinkhole attacks make use of the loopholes in routing algorithms of ad hoc networks and present themselves to adjacent nodes as the most attractive partner in a multihop route. Even though by definition nodes on the network layer of an ad hoc network are equal, sinkhole attacks might be very effective on the application level, where nodes may have different roles. This means that, as stated in [2], the effect of sinkhole attacks on networks with centralized entities can be especially grave, because by impersonating the centralized node or its neighbors, the adversary can get access to the biggest part of the data flowing through the network. Effective against sinkhole attacks is the use of multipath (SMR [11], derivatives of AODV and DSDV) and/or probabilistic (PRB [12]) routing protocols. Multipath protocols send data redundantly, not relying on one path only. Probabilistic protocols measure the trustworthiness of a message based on the probability of the packet arriving from a certain source, which can help detect sinkholes within the network (if many packets arrive from a rather improbable source).

4.3. Wormholes

Closely related to the sinkhole attack is the wormhole attack. In a wormhole attack, a malicious node uses a path outside the network to route messages to another compromised node at some other location in the net (just like a conventional wormhole presents a shortcut between two normally distant locations in space). Wormholes are hard to detect because the path that is used to pass on information is usually not part of the actual network. Interestingly, a wormhole itself does not have to be harmful, for it usually lowers the time it takes for a packet to reach its destination. But even this behaviour could already damage the operation, since wormholes fake a route that is shorter than the corresponding one within the network; this can confuse routing mechanisms which rely on knowledge about the distance between nodes. Wormholes are especially dangerous because they can do damage without even knowing the protocols used or the services offered in the network. In a wireless network it is relatively easy to eavesdrop on the communication and forward the packets to other known nodes before the packet sent within the network arrives. This, for example, might be harmful if the data within the packet is altered to contain different information than the original. Imagine a shopping scenario: if the article list or the address is contained within a different packet than the authentication information of the buyer, a wormhole attacker could modify that packet only and send it over the faster, off-network route to the recipient before the real packet arrives there. Since the recipient would assume that the first packet is authentic, any subsequent packets with the real information will be dropped. Sure enough, this exploit can also be attributed to flaws in the service application, but the threat remains, and in some cases it might not be possible to prevent the possibility of such modifications on the application side.
As outlined in [6], in a network with on-demand routing, the Route Discovery mechanism can be seriously disrupted by bypassing the normal route and forwarding the ROUTE REQUEST packets directly to the destination. The same document proposes the idea of outfitting each packet with timestamps and location stamps in order to detect wormhole intrusions in a system. Each packet is tagged with very precise time information and/or geographic location information of the sender node, which is then compared by the destination node to its own time and location stamps. If the comparison reveals an unrealistic distance the data took within an unrealistic amount of time, it can be assumed that there is a wormhole within the network. Another effective way to minimize wormhole threats is avoiding any race conditions, making the attack close to pointless.
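The receiver-side check the timestamp/location-stamp idea of [6] implies, written out as an added example (this is not code from the paper or from [6]); the radio range, node speed, clock and positioning error bounds and the sample packets are all assumptions constructed for the illustration.

```python
"""Wormhole detection with packet leashes (geographic and temporal).

Added illustration of the timestamp/location-stamp scheme attributed to [6];
not code from the paper or from [6]. Every constant and packet below is a
constructed assumption.
"""
import math
from dataclasses import dataclass

SPEED_OF_LIGHT = 299_792_458.0  # m/s: no radio hop is faster than this
RADIO_RANGE = 250.0             # assumed one-hop radio range, metres
MAX_NODE_SPEED = 30.0           # assumed upper bound on node velocity, m/s
LOCATION_ERROR = 10.0           # assumed worst-case positioning error, metres
CLOCK_ERROR_GEO = 1e-3          # clock sync error the geographic leash tolerates, s
CLOCK_ERROR_TEMPORAL = 1e-7     # far tighter sync required by the temporal leash, s


@dataclass(frozen=True)
class Packet:
    src: str
    t_sent: float        # sender's timestamp (assumed authenticated), seconds
    pos_sent: tuple      # sender's (x, y) location stamp, metres


def geographic_leash_ok(pkt, t_recv, pos_recv):
    """Geographic leash: bound the true sender-receiver distance from the
    stamps. Both nodes may have moved at most MAX_NODE_SPEED since t_sent,
    clocks may differ by CLOCK_ERROR_GEO and positions by LOCATION_ERROR.
    If even this generous bound exceeds RADIO_RANGE, the packet cannot have
    arrived over one radio hop: it was tunnelled."""
    elapsed = t_recv - pkt.t_sent
    if elapsed < -CLOCK_ERROR_GEO:
        return False                     # stamped in the future: forged or replayed
    bound = (math.dist(pkt.pos_sent, pos_recv)
             + 2 * MAX_NODE_SPEED * (elapsed + CLOCK_ERROR_GEO)
             + LOCATION_ERROR)
    return bound <= RADIO_RANGE


def temporal_leash_ok(pkt, t_recv):
    """Temporal leash: a packet may live only as long as light needs to cover
    RADIO_RANGE (minus clock error). Arriving later means it travelled a longer
    path than a single hop, e.g. through a wormhole tunnel."""
    expiry = pkt.t_sent + RADIO_RANGE / SPEED_OF_LIGHT - CLOCK_ERROR_TEMPORAL
    return pkt.t_sent - CLOCK_ERROR_TEMPORAL <= t_recv <= expiry


def check_packet(pkt, t_recv, pos_recv):
    """Run both leashes at the receiver; return (accepted, reason)."""
    if not geographic_leash_ok(pkt, t_recv, pos_recv):
        return False, "geographic leash violated: suspected wormhole"
    if not temporal_leash_ok(pkt, t_recv):
        return False, "temporal leash violated: suspected wormhole"
    return True, "ok"


if __name__ == "__main__":
    sent = Packet("A", t_sent=0.0, pos_sent=(0.0, 0.0))
    print(check_packet(sent, 6e-7, (150.0, 100.0)))    # neighbour 180 m away
    print(check_packet(sent, 5e-6, (1200.0, 800.0)))   # tunnelled 1.4 km away
    print(check_packet(sent, 3e-6, (200.0, 0.0)))      # in range, but via a detour
```

The third case shows why the two leashes complement each other: a tunnelled packet delivered to a node that happens to be within radio range passes the geographic check and is caught only by the temporal one, which in turn needs clocks synchronized to well under a microsecond.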

4.4. Sleep deprivation torture

Best described in [4], this kind of attack is most specific to wireless ad hoc networks, but may be encountered in conventional or wired networks as well. The idea behind this attack is to request the services a certain node offers, over and over again, so it cannot go into an idle or power preserving state, thus depriving it of its sleep (hence the name). This can be very devastating to networks with nodes that have limited resources, for example battery power. It can also keep the component constantly busy, hindering other nodes from (legitimately) requesting services, data or information from the targeted entity. Measures to prevent such attacks are hard to take, but the effects can be minimized by prioritizing between the functions of the targeted node, so that constant requests of low-priority services do not block other, high-priority requests. Furthermore, resources can be shared unequally between different types of services, or even more: the node could assign more resources to certain requester nodes than to others with lower priority (for example, clients subscribing to the premium service might be served faster than clients subscribing to the regular service).
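A request scheduler along the lines of the mitigations just described, added here as an illustration (not from the paper or from [4]): service priorities, an unequal budget share per service and a per-requester quota by tier; the services, parameters and the traffic mix are assumptions.

```python
"""Priority- and quota-based request handling against sleep deprivation.

Added example of the mitigations sketched in 4.4: service priorities, an
unequal share of the budget per service, and a per-requester quota that
depends on the subscription tier. Scheduler, parameters and traffic are
constructed for this illustration, not taken from the paper or from [4].
"""
from collections import Counter
from dataclasses import dataclass

# Assumed services: higher priority is served first; "share" caps the fraction
# of one cycle's budget the service may consume, so cheap spammable services
# cannot starve the rest.
SERVICES = {
    "sync":   {"priority": 3, "share": 1.0},
    "data":   {"priority": 2, "share": 0.7},
    "beacon": {"priority": 1, "share": 0.2},
}
TIER_QUOTA = {"premium": 6, "regular": 3}   # served requests per requester per cycle
BUDGET_PER_CYCLE = 20                       # work units before the node may sleep


@dataclass(frozen=True)
class Request:
    requester: str
    tier: str
    service: str
    cost: int = 1


def schedule_cycle(requests):
    """Serve one cycle; return (served, dropped, slack).

    Highest-priority services go first. A flood of requests is bounded twice:
    by the service's budget share and by the requester's quota. Whatever
    budget remains is slack the node can spend in a power-saving state.
    """
    budget = BUDGET_PER_CYCLE
    spent_on_service, served_for = Counter(), Counter()
    served, dropped = [], []
    for req in sorted(requests, key=lambda r: -SERVICES[r.service]["priority"]):
        cap = int(SERVICES[req.service]["share"] * BUDGET_PER_CYCLE)
        if (req.cost > budget
                or spent_on_service[req.service] + req.cost > cap
                or served_for[req.requester] >= TIER_QUOTA[req.tier]):
            dropped.append(req)
            continue
        budget -= req.cost
        spent_on_service[req.service] += req.cost
        served_for[req.requester] += 1
        served.append(req)
    return served, dropped, budget


def served_per_requester(served):
    """How many requests each requester got served in a cycle."""
    return dict(Counter(r.requester for r in served))


def demo_traffic():
    """Constructed traffic: M hammers the cheapest service 500 times while
    premium node P and regular node R make a handful of data requests."""
    flood = [Request("M", "regular", "beacon") for _ in range(500)]
    return (flood
            + [Request("P", "premium", "data") for _ in range(4)]
            + [Request("R", "regular", "data") for _ in range(5)])


if __name__ == "__main__":
    served, dropped, slack = schedule_cycle(demo_traffic())
    print(served_per_requester(served), "dropped:", len(dropped), "slack:", slack)
```

The per-requester quota only holds as long as requester identities are authenticated; a node that can present many identities (the Sybil attack of 4.5) gets a fresh quota for each of them.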

Malicious nodes in a network may not only impersonate one node, they could assume the identity of several nodes, by doing so undermining the redundancy of many routing protocols. In [7], this attack is called the Sybil attack. Since ad hoc networks depend on the communication between nodes, many systems apply redundant algorithms to ensure that the data gets from point A to point B. A consequence of this is that attackers have a harder time destroying the integrity of information. If the same packet is sent over several distinct paths (in multipath routing protocols like SMR [11]), a change in the packets incoming from one of these paths can be detected easily, thus isolating a possible intruder in the network becomes possible. Also, if not the same packet but pieces of related information are sent on distinct routes, an eavesdropper might have difficulties putting together the pieces of the information puzzle. However, if a single malicious node is able to represent several other nodes, the effectiveness of these measures is significantly degraded. The attacker may get access to all pieces of the fragmented information or may alter all packets in the same transmission so that the destination node(s) cannot detect tampering anymore. In trust-based routing environments, representing multiple identities can be abused to deliver fake recommendations about the trustworthiness of a certain party, thereby attracting more traffic to it; an ideal starting point for further attacks. [7] also describes measures to counter such attacks. Using unique symmetric keys, by which each node can verify its neighbors' identities, and limiting the number of neighbors a node can have results in the partial isolation of compromised nodes, since they can only communicate with their verified neighbors.
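The multipath comparison mentioned for sinkholes in 4.2 and as the redundancy the Sybil attack undermines here, simulated as an added example (not code from the paper, from [7] or from [11]); the paths, payloads and attacker placement are constructed.

```python
"""Multipath redundancy as tamper detection, and why a Sybil node defeats it.

Added example for 4.2 and 4.5: the same packet travels over node-disjoint
paths (the idea behind multipath routing such as SMR [11]) and the destination
compares the arriving copies. Paths, payloads and attacker placement are
constructed here; nothing is code from the paper, from [7] or from [11].
"""
from collections import Counter

ORIGINAL = b"order=42;amount=100"     # constructed sample payload
FORGED = b"order=42;amount=900"       # what a compromised hop substitutes


def relay(path, payload, attacker_ids):
    """Forward the payload hop by hop along one path; any hop whose identity
    the attacker controls rewrites it. Returns the copy reaching the end."""
    for hop in path:
        if hop in attacker_ids:
            payload = FORGED
    return payload


def receive_multipath(paths, payload, attacker_ids):
    """Destination-side check over all copies: returns (accepted, suspects).

    If the copies disagree, the packet is dropped and the paths whose copy
    deviates from the majority are reported, which is what lets the network
    isolate the intruder. If every copy agrees the destination has no way to
    tell whether all of them were altered by the same entity.
    """
    copies = {tuple(p): relay(p, payload, attacker_ids) for p in paths}
    majority, _ = Counter(copies.values()).most_common(1)[0]
    suspects = [p for p, c in copies.items() if c != majority]
    if suspects:
        return None, suspects
    return majority, []


def single_compromised_node():
    """One compromised node X sits on one of three disjoint paths S -> T."""
    paths = [["B", "X", "D"], ["E", "F"], ["G", "H", "I"]]
    return receive_multipath(paths, ORIGINAL, {"X"})


def sybil_node():
    """The same physical attacker presents identities X1, X2, X3, one on each
    path: every copy is altered identically and the comparison passes."""
    paths = [["B", "X1", "D"], ["X2", "F"], ["G", "X3", "I"]]
    return receive_multipath(paths, ORIGINAL, {"X1", "X2", "X3"})


if __name__ == "__main__":
    print("single attacker:", single_compromised_node())   # dropped, path flagged
    print("sybil attacker: ", sybil_node())                # forged copy accepted
```

The neighbour verification with unique pairwise keys that [7] proposes attacks the problem one step earlier: identities such as X2 and X3, for which no key exists, never become verified neighbours and so never end up on a selected path.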

4.6. Rushing attack

This type of attack is mostly directed against on-demand routing protocols based on the Dynamic Source Routing protocol [13]. A malicious node will attempt to tamper with ROUTE REQUEST packets, modifying the node list, and hurrying this packet to the next node. Since in basic DSR only one RREQ packet of each route request is forwarded, the malicious node can route subsequent packets through itself if its RREQ manages to reach the next node in the route before any other neighboring node's does. Rushing attacks can be detected by evaluating the Route Discovery.

4.7. Denial-of-Service and Flooding

In a conventional sense, denial of service attacks and their opposite counterpart, flooding, are considered attacks of their own. However, as we have seen so far, they are basically the results of most of the kinds of tampering with network integrity, redundancy and availability. As mentioned in 4.4, the sleep deprivation attack can be used to cut off a service node from the rest of the network, rendering it or its resources unavailable for access. Sinkholes are one of the major ways to initiate selective forwarding or non-forwarding of messages. By attracting all packets to itself, a node can decide which packets to forward, if any at all. Sybil attacks can have the side effect of flooding, if the source node of a packet tries to use redundant paths to send data and the malicious node follows protocol and forwards them all, since even though physically it is only a single entity, to the network it presents itself as many. Malicious nodes can attempt to impersonate one or more nodes and control all data paths to a certain destination, thereby seriously reducing its availability. In contrast to this, they may also inject false or replicated packets into the network, or create ghost packets which loop around due to compromised routing information, effectively using up the bandwidth and CPU resources along the way. This has especially serious effects on ad hoc networks, since their nodes usually possess only limited resources in terms of battery and computational power. Traffic may also be a monetary factor, depending on the services provided, so any flooding which blows up the traffic statistics of the network or a certain node can lead to considerable damage costs.

5. Conclusion
Safety in ad hoc networks has come a long way, but its journey is not over yet. Several defense mechanisms have been invented to prevent attacks or to reduce their effects, but they create massive overhead which might be unacceptable in some types of networks. The attributes of ad hoc networks make conventional attacks even more dangerous to them than to regular networks. DoS attacks and flooding attempts may never really be fully averted, and so the emphasis has been put on making it as hard as possible to intrude a network. As we have seen, many attacks are only possible or only effective if the malicious party is a participant of the network, so it is highly important to implement secure mechanisms to authenticate entities entering the network. 100 percent safety cannot be provided, but the aim should be to make ad hoc networks as safe as possible.

References
[1] Lidong Zhou, Zygmunt J. Haas: "Securing Ad Hoc Networks", IEEE Network Magazine, 13(6), pages 24--30, 1999, http://citeseer.nj.nec.com/zhou99securing.html
[2] Vesa Karpijoki: Security in Ad Hoc Networks, 2001, http://citeseer.nj.nec.com/karpijoki01security.html
[3] Patroklos Argyroudis: Current state of secure routing for mobile ad hoc networks, 06.11.02, http://www.cs.tcd.ie/Jean-Marc.Seigneur/tcdsig/resources/adhoc-secure-routing.ppt
[4] Frank Stajano and Ross Anderson: The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks, 1999, http://www.uk.research.att.com/fms/ ; http://www.cl.cam.ac.uk/rja14/
[5] Chris Karlof, David Wagner: Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, http://citeseer.nj.nec.com/576488.html
[6] Y.-C. Hu, A. Perrig, and D. B. Johnson: Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. Technical Report TR01-384, Department of Computer Science, Rice University, December 2001, http://citeseer.nj.nec.com/hu01packet.html
[7] John Douceur: The Sybil Attack, 2002, http://www.cs.rice.edu/Conferences/IPTPS02/101.pdf
[8] Leslie Lamport, Robert Shostak, Marshall Pease: The Byzantine Generals Problem, 1982, http://citeseer.nj.nec.com/lamport82byzantine.html
[9] IRTF RRG Ad hoc Network Scaling Research Subgroup, http://www.flarion.com/ans-research/
[10] Pradeep Kyasanur, Nitin H. Vaidya: Detection and Handling of MAC Layer Misbehavior in Wireless Networks, 2002, http://citeseer.nj.nec.com/kyasanur02detection.html
[11] Sung-Ju Lee: Split Multipath Routing with Maximally Disjoint Paths in Ad hoc Networks, http://www.hpl.hp.com/personal/Sung-Ju_Lee/abstracts/papers/icc2001b.pdf
[12] Zhongchao Yu, Tao Jiang, Xue Wu, William A. Arbaugh: Risk Based Probabilistic Routing for Ad-hoc Networks, http://www.glue.umd.edu/~tjiang/risk-wise02.ppt
[13] David B. Johnson, David A. Maltz, Yih-Chun Hu, and Jorjeta G. Jetcheva: The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks. Internet-Draft, draft-ietf-manet-dsr-07.txt, February 2002. Work in progress.


Other sources of information

N.N.: Anomaly Detection for Wireless Ad-Hoc Routing Protocols, http://www.cc.gatech.edu/classes/AY2003/cs6262_fall/adhoc.ppt
Kumar Viswanath: Unicast Routing Protocols for Ad Hoc Networks, http://www.cse.ucsc.edu/classes/cmpe293/Spring01/cmpe293_security.ppt
Preetida Vinayakray-Jani: Security within Ad hoc Networks; Position Paper, PAMPAS Workshop, Sept. 16/17 2002, London, http://www.pampas.eu.org/Position_Papers/Nokia.pdf
Pietro Michiardi and Refik Molva: Ad hoc networks security, http://www.eurecom.fr/~michiard/pub/michiardi-adhoc.pdf
Hannu H. Kari: Military-grade wireless ad hoc networks, http://www.cs.helsinki.fi/u/rnikifor/nyt/kalvot/hy_20030305_langattomat_sotilasverkot_r1.pdf

