Interlayer Attacks in Mobile Ad Hoc Networks Lei Guang1 , Chadi Assi1 , and Abderrahim Benslimane2 1
Concordia Institute for Information System Engineering, Concordia University, Montr´eal, Qu´ebec, Canada, H3G 1M8 {l guang, assi}@ciise.concordia.ca 2 Laboratoire Informatique d’Avignon, Universit´e d’ Avignon 84911 Avignon Cedex 9, France {Abderrahim.Benslimane}@univ-avignon.fr
Abstract. In this paper, we demonstrate a new class of protocol-compliant exploits that initiates at the MAC layer but targets ad hoc on-demand routing mechanisms. A misbehaved node implementing this type of attacks completely follows the specifications of IEEE802.11 standard and the existing on-demand routing protocols. However, it can cause routing shortcut attacks or detour attacks. We detail the exploits against two on-demand routing protocols: AODV and DSR. We evaluate the impact of such attacks on the network performance and propose Prevention from Shortcut Attack and Detour Attack (PSD) to mitigate their impacts. Key words: ad hoc networks, medium access control, security
1
Introduction
Host misbehavior in mobile ad hoc network (MANET) can be classified into two categories; namely, selfish misbehavior [7] and malicious misbehavior [2]. Selfish hosts typically misbehave to improve their own performance; this includes hosts that refuse to forward packets on behalf of other hosts in order to conserve energy or hosts that manipulate IEEE 802.11 backoff procedure to obtain higher bandwidth share. Alternatively, malicious misbehavior aims primarily at disrupting the normal operation of the network. This includes colluding adversaries that continuously send data to each other in order to deplete the channel capacity in their vicinity. Another example of malicious misbehaviors is the JellyFish (JF) [2] which targets closed-loop flows to decrease the goodput of all traversing flows while dropping a small fraction of packets. Previous attack strategies target either the network layer or the MAC layer. Interlayer attack strategy, however, has not been fully addressed. In this paper, we present attacks initialized at MAC layer but aiming at ad hoc routing mechanisms and also propose the schemes to mitigate such attacks. Lately, significant research efforts have focused on improving the security of ad hoc networks. In mobile ad hoc networks (MANET), nodes are both routers and terminals and due to the lack of a routing infrastructure these nodes have to cooperate to ensure successful communication. Clearly, cooperation means ensuring correct routing establishment mechanisms, the protection of routing information and the security of packet forwarding [14]. One major challenge
2
Lei Guang et al.
that was neglected previously by the research community is that of securing against MAC layer misbehaviors. Alternatively, malicious misbehavior aims primarily at disrupting the normal operation of the network. This includes colluding adversaries that continuously send data to each other in order to deplete the channel capacity in their vicinity. Another example of malicious misbehaviors is the JellyFish (JF) [2] which targets closed-loop flows (such as TCP) to decrease the goodput of all traversing flows to near zero while dropping small fraction of packets. A new class of vulnerabilities was presented in [5] where a host could maliciously modify the protocol timeout mechanism (e.g. by changing SIFS value in 802.11) and cause MAC frames to be dropped at well-behaved nodes. A host exploiting this vulnerability will completely cooperate in forwarding data packets but maliciously forces the forwarding operation to fail. This attack mainly targets the route discovery process in order to cause packets to be routed through longer routes and hence consume more network resources. Moreover, the attack also targets crossing flows (flows that traverse through a malicious node) by disrupting their communication and forcing the routing protocol to reroute packets around the misbehaved node. Detection and prevention systems previously designed to deal with MAC layer misbehaviors, such as DOMINO [11], or network layer misbehaviors, such as Watchdog and path rater [8] , are incapable of coping with this attack. The rest of this paper is organized as follows: Section 2 elaborates two interlayer attack strategies: ShortCut Attack (SCA) and DeTour Attack (DTA). Section 3 illustrates the impacts of SCA and DTA on the ad hoc routing protocols using case studies. Section 4 analyzes the network throughput under such attacks via modeling. Section 5 proposes a method PSD to mitigate SCA and DTA. Section 6 presents the simulation experiments. Finally Section 7 concludes this paper.
2 2.1
Interlayer Attack Strategy Overview of IEEE 802.11DCF
The IEEE 802.11 Distributed Coordination Function (DCF) mode combines Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) with a Request to Send/Clear to Send (RTS/CTS) handshake to avoid collisions [1]. It works as follows: when a node has a packet to transmit, if the node senses the medium idle for a period of time longer than or equal to a Distributed Inter Frame Space (DIFS), the packet transmission may begin at the beginning of the immediately following time slot. Otherwise, the node should backoff for a certain period based on a value randomly selected from [0, CW ], where CW is the contention window size. Upon successful contention for the channel, the node requests the channel by sending a RTS to the receiver which, in turn, replies with a CTS. The nodes in the vicinity overhearing the RTS or CTS defer their own transmission for a period that is long enough for the subsequent DATA/ACK exchange. When the RTS/CTS handshake is completed, the sender commences data transmission. The receiver acknowledges the data with an ACK. If no CTS or ACK is received, the sender exponentially backs off, and retransmits the RTS or the DATA.
2.2
Overview of AODV and DSR
DSR: Dynamic Source Routing DSR [3] is a source routing protocol; that is the source knows the complete hop-by-hop route to the destination and routes are
Lecture Notes in Computer Science
3
stored in node caches. DSR consists of two basic mechanisms: Route Discovery and Route Maintenance. When a node attempts to send a data packet to a destination for which it does not already know the route, the source node initiates a route discovery process to dynamically determine the route. Route Discovery works by flooding Route Request (RREQ) packets; RREQ packets propagate throughout the network until they are received by a node with a route to the destination in its cache or by the destination itself. Such a node replies to the RREQ with a route reply (RREP) that is routed back to the original source3 . The RREQ builds up the path traversed so far by recording the intermediate nodes and the RREP routes itself back to the source by traversing the path backwards. The source node caches routes received in the RREP messages for future use. Via route caching, the frequency and propagation of the RREQs can be effectively reduced. Now, if any link along a path breaks, Route Maintenance mechanism is invoked by using a Route Error (RERR) packet. The source will remove any route that contains this link. If the route is still needed by the source, a new route discovery process will be issued.
AODV: Ad-hoc On-demand Distance Vector AODV [10] uses traditional table-driven hop-by-hop routing. It applies a similar Route Discovery as DSR. However, unlike route caches of DSR, it uses traditional routing tables to store routing information, one entry per destination. AODV relies on routing table entries to propagate a RREP back to the source and to route data packets to the destination. To avoid RREQ flood, each RREQ is sent out according to a certain rate. Furthermore, AODV uses sequence numbers (carried by all packets) to determine freshness of routing information and to prevent routing loops. One notable feature of AODV is the use of timers regarding utilization of routing table entries. Namely, a routing entry in the table may expire if it is not used recently. Moreover, a set of neighboring nodes that use this entry is also maintained; these nodes are notified through RERR packets when the next hop link breaks. This process is recursively repeated by each node, thereby effectively deleting all routes using the broken link. Upon that, a new Route Discovery process is initialized. 2.3
The Attacks
The security issues in ad hoc routing have been extensively studied. However, attack strategies that target interaction between MAC layer and routing layer have not been fully addressed. In this paper, we present shortcut attack (SCA) and detour attack (DTA) that initialize at MAC layer but aim to disrupt the performance of ad hoc routing mechanisms. Through simple manipulation of IEEE 802.11 backoff procedure, SCA can attract more flows and drop the packets to cause denial of service whereas DTA can help a node to reduce the chance to be selected as a forwarding node thus conserve its device energy. Shortcut Attack: In [6], the authors introduced a new category of routing attack, namely, rushing attack. Generally, the attacker can propagate the routing messages faster than other well-behaved nodes (WN) using a wormhole. Therefore, it effectively increases the probability that any discovered new route contains the mis-behaved nodes (MN). Once selected as a relaying node, the MN can implement other attacks, such as 3
We refer the process of flooding RREQs as probing stage and unicasting RREP as replying stage.
4
Lei Guang et al. Shortcut Attack
Shortcut Attack
M0
M0
M2
M1
S
D
W0
W1
W2
M1
M2
S
D
W0
W1
W2
Detour Attack
Detour Attack
(a) Normal Case
(b) Attack Case
Fig. 1. Route changes - Case (I)
JellyFish and Dropping RTS/DATA, to discard the data packets which leads to denial of service. In this paper, we present a simple technique to implement rushing attack. Recall that, a node with a data packet (either broadcast or unicast) to send out has to set up a backoff timer by randomly choosing a cw from [0, CW ]. However, a MN can intentionally pick up a smaller cw upon reception of a routing packet. Note that, a MN does not need to know the exact packet type, e.g., routing packet. Since RREQ (RREQ is a route request control packet used by reactive routing protocol in order to discover a route between a source and a destination) is a broadcast packet, a MN can start misbehaving only when it receives a broadcast packet, i.,e, address = 255.255.255.255. Therefore, this MN is capable of accessing the channel faster than its neighbors to relay the RREQ. As a result, the route containing the MN will have more opportunity to be selected because the routing protocol “thinks” this route is a short one. In the rest of the paper, we refer to this attack as shortcut attack. Note that, unlike other backoff manipulation misbehavior [7], in this case a MN needs to manipulate cw only for a routing packet. Detour Attack: Contrary to shortcut attack, the objective of detour attack aims at conserving the attacker’s limited device energy by choosing to forward less data packets. A MN implementing DTA forces a flow to detour around itself by delaying the propagation of routing messages, e.g., RREQs, which will allow RREQ forwarded by WN to arrive at the destination sooner. Hence, the attacker will reduce the possibility of being selected as a forwarding node. Here, unlike SCA, a MN chooses a larger cw to backoff for a longer duration than a well-behaved node. If its neighbors also receives the RREQ, they will have more chance to capture the channel and send a packet if they are WNs. Consequently, the RREQs broadcasted by WNs will arrive at the destination faster than those being forwarded by MNs. Hence, a MN could conserve its energy by evading being selected as a router.
3
Case Study
In this section, we use two simple cases to illustrate the procedure of SCA and DTA in both AODV and DSR. Case (I): In Fig. 1(a), Node S originates a data flow addressed to node D. Nodes M0 , · · · , M2 are misbehaving whereas nodes W0 , · · · , W2 are well-behaving. The solid lines in the figure represent the physical connections between each pair of nodes. The
Lecture Notes in Computer Science 42
43
44
45
46
47
48
35
36
37
38
39
40
41
28
29
30
31
32
33
34
21
22
23
24
25
26
27
14
15
16
17
18
19
20
7
8
9
10
11
12
13
0
1
2
3
4
5
6
Original
5
Detour
Fig. 2. Route changes - Case (II)
distance between node Mi (Wi ) and node Mi+1 (Wi+1 ) equals to 100m whereas the distance between node Mi and node Wi is 200m. Moreover, for the following discussions, the transmission range for each node is 250m and the carrier sense range is 550m. Initially, all nodes are well-behaved. The data flow will be routed through S → W0 → M1 → W2 → D4 (denoted by the dashed line). When all the MNs are activated, the route will be disrupted and changed as follows: – SCA: when S broadcasts a RREQ, both M0 and W0 receive this message. Consider each RREQ is transmitted without any delay at the network layer, M0 will send the RREQ to its neighbors. Here, the RREQs broadcasted by M0 will be discarded by S and W0 , i.e., M1 , W1 , faster than W0 because it selects a smaller cw than W0 . Later, when the RREQs sent by W0 arrives at M1 and W1 , they will be dropped because each node has already “seen” a recent RREQ (the one from M0 ). As a consequence, both M1 and W1 will forward the RREQ sent from M0 . Hence, the final discovered route will contain M0 . The same scenario happens for other MNs as well. Finally, for this scenario the new discovered route will always be S → M0 → M1 → M2 → D for any simulation seeds (as shown in Fig. 1(b) denoted by the dotted line). Hence, the MNs succeed in attracting this flow. – DTA: Unlike the previous scenario, here a MN will always choose a larger cw, e.g., from range [0, 3 × CW ] instead of [0, CW ]. This will allow the WNs to flood the RREQs faster than MNs. As a result, the discovered route will have less probability to contain MNs. In this scenario, the MNs conserve energy while causing extra 4
Upon different selection of the simulation seeds, there exists multiple choice of routes from S to D. Here, we only show one specific example.
AODV route length pkt (W ) pkt M (M11 ) Normal 3 hops 985 981(981) Detour 9 hops 5485 1791(0) Table 1. Number of forwarded packets - Case (II)
6
Lei Guang et al. traffic load for other nodes (which might be MN or WN as discussed in Case (II)). The route change is shown in Fig. 1(b), denoted by the thick solid line.
Case (II): As shown from Fig. 2, we see that the route has successfully changed from 3 hops to 9 hops. The setup of this experiment is a grid network of 7×7 nodes. The grid unit is 100 meters. There are 49 (numbered 0 to 48) nodes that are positioned on the grid. The seed for this simulation run is 100 and the data rate is 10 packets/second with the packet size of 512 bytes. The simulation time is 100 seconds. On one side, the MN (M11 ) “evades” from the route discovery and is successful to conserve its energy. On the other side, this route change has caused extra traffic load for other nodes. TABLE 1 shows that M11 relays 0 packet whereas WNs (1, 14, 28, 36, 45, 40) and MNs (27, 12) have extra traffic load. Note that, as long as this route is maintained, the throughput of this flow will not be affected. However, when node mobility is high or the network environment is congested, a longer route is easily broken and therefore shorter routes will be preferred. In this case, when the MNs misbehave the flow will have less chance to traverse through a very long route and successfully maintain the connection.
4
Modeling and Analysis
In this section, we use simple models to explore the impacts of interlayer attacks on the network performance. Throughput Analysis: First, we assume that there is no idle time which means that a source will always have packets to send to a destination during the whole simulations. Next, consider we have N nodes in an ad hoc network, M out of N are misbehaved nodes (MN) (0 ≤ M ≤ N ). The route length for a flow is denoted as l. Let P {i|j} denote the probability that the ith forwarding node is misbehaving given that j MNs have been already selected for the same flow:
0, P {i|j} =
(M − j)/(N − i), 1,
M =0 0
(1)
Assume a relaying node is randomly selected from the N nodes in the network, the probability that a route contains no misbehaved nodes PW N 5 is given by: PW N = (1 − P1 )(1 − P2 ) · · · (1 − Pl ) =
l Y
(2)
(1 − Pk )
k=1 E[T
]
low The normalized throughput is computed by E[Tfsim , where Tf low is the time du] ration to transfer the actual data. Tsim is the total simulation time. Similar to [2, 12], Tsim is given by:
Tsim = Tf low + Trepair 5
We adopt the short notation Pk = P {k | j}.
(3)
Lecture Notes in Computer Science
7
where Trepair is the time for an on-demand routing protocol to repair a route after breakage due to mobility, link failure, etc. Trepair consists of four parts which are given by: Trepair = Tdiag + Terr + Treq + Trep
(4)
First, Tdiag is the time to diagnose a new route breakage. Second, the time to generate a RERR message to the upstream nodes is denoted as Terr . Moreover, the time to initialize a new route discovery by flooding RREQs is denoted as Treq . Finally, the time duration for nodes to receive a RREP is denoted as Trep . The life time of an f existing route is denoted as Tlif e , i.e., route duration. We can see that Tfflow = Tlif e for flow f . Thus, the throughput is computed as:
Snorm =
F X
(
f =1
f E[Tlif e] f f E[Tlif e ] + E[Trepair ]
)
(5)
where F is the total number of flows. In the presence of SCA or DTA, the Trepair will either decrease (SCA) or increase (DTA) a small fraction which is denoted as δ. Therefore, we have the following equation:
SSCA/DT A =
F X
(
f =1
=
F X f =1
(
f ∗ E[Tlif e] f f ∗ ∗ E[Tlif e ] + E[Trepair ]
) (6)
f E[Tlif e] ± γ · δ f f (E[Tlif e ] ± γ · δ) + (E[Trepair ] ∓ γ · δ)
1 0.7
0.8 Normalized Throughput
Normalized Throughput
0.6 0.5 0.4 0.3 Normal − 0.02 + 0.02 − 1.00 + 1.00
0.2 0.1 0
Normal Shortcut Detour
0.9
0
10
0.7 0.6 0.5 0.4 0.3
20 30 40 Percentage of Misbehaved Nods (MN%)
(a) Modeling Throughput
50
0.2
2
4
6
8
10 12 Number of flows
14
16
(b) Simulation Throughput
Fig. 3. Throughput Analysis under SCA/DTA
18
20
8
Lei Guang et al.
where in ∓, “−” refers to SCA, “+” refers to DTA and γ refers to the percentage f of SCA/DTA nodes. From the results shown in [12], we choose E[Tlif e ] as 18 second corresponding to node velocity is 20 meters/second and E[Trepair ] as 5 seconds6 . In the presence of SCA, E[Trepair ] is decreased to E[Trepair ]− by γ · δ due to accelerated propagation of routing messages. On the contrary, in DTA, E[Trepair ]+ represents an increased repair time duration. The delay might be introduced by both MAC layer and routing layer. In our case, we focus on delay incurred by MAC layer contention. Consider a MN that selects a cw = 1023 (which is the CWmax specified by IEEE 802.11) and Tslot = 20us, the maximum delay for one transmission attempt is 20 ms for DTA. Moreover, the minimum delay is 0 ms for SCA. In Fig. 3(a), it is shown that the throughput comparison under SCA (denoted as “-x”, where x is the time subtracted from E[Trepair ]), DTA (denoted as “+x”, where x is the time added to E[Trepair ]) and normal case. Clearly, the throughput are all comparable to the normal case. However, in SCA the throughput slightly increases whereas in DTA the throughput decreases based on the value of the delay. We can also draw the same conclusion from the simulation results as shown in Fig. 3(b)7 . It shows that the throughput for SCA/DTA is similar to the normal case in terms of number of flows. Note that, according to the standard, the maximum delay introduced in MAC is around 20ms. If a DTA node has the ability to completely abuse the standard, it can select a very large cw, e.g., 50000, to sharply reduce the network throughput.
0.8
0.8
0.8
0.7
0.7
0.7
0.6
0.6
0.6
Tlife = 18 Tlife = 12
0.5 0.4 0.3 0.2
0
0
10
0.5 0.4 0.3 0.2
1 − hop 2 − hop 4 − hop 8 − hop
0.1
Normalized Throughput
Normalized Throughput
Normalized Throughput
Tlife = 6
20 30 40 Percentage of Misbehaved Nods (MN%)
50
0
0
10
0.4 0.3 0.2
Normal 1 SCA 2 SCA 3 SCA
0.1
Tlife = 2
0.5
0.1
20 30 Percentage of DoS Nods (DN%)
40
50
0
0
10
20 30 40 Percentage of Misbehaved Nods (MN%)
50
(a) Throughput Comparison under (b) Throughput Comparison under (c) Throughput Comparison under Different Route Length Different Fraction of SCA Nodes Different Life Time Fig. 4. Impacts of SCA combined with DoS Attacks
Furthermore, as we explained in Section 2, SCA has to combine with DoS attacks to degrade the network performance otherwise SCA will only attract flows. We assume M MNs can implement any type of dropping attacks and each single MN can disrupt the whole flow. Hence, PW N is a constant which equals to (1 − M )l . As explained N 6
7
Treq is determined by RREQRatelimit (which is the maximum number of RREQs allowed to originate by a node) and RREQRetries. Trep is determined by the NetTraversalTime [3, 10] In this simulation, there are 49 nodes in the network with 10 flows randomly generated.
Lecture Notes in Computer Science
9
in [2], in the presence of misbehaved nodes, the time to repair a route that contains no misbehaved nodes is given by:
E[Trepair ] =
∞ X
n × (E[Tdiag ] + E[Treq ] + E[Trep ])
n=1
(7)
n−1
× PW N × (1 − PW N )
where n is the number of attempt times for a node to repair a broken route. For simplicity, we suppose that all repairs have the same duration and all flows have the same length. Thus we have: f SSCA−DoS =
f − E[Tlif e] f f −l − − E[Tlif e ] + E[Trepair ] × PW N
(8)
As Fig. 4(a) shows, in SCA-DoS attack, the throughput of longer routes will drop to zero quickly as the M N % increases. This is due to the facts that: 1)longer routes have more probability to contain MNs; and 2) it requires longer duration to repair the broken links. For example, throughput for 2-hop is higher than 8-hop by almost 100% when M N % of both cases equals to 20%. Fig. 4(b) indicates that collisions between SCA and DoS can cause severe performance degradation if SCA nodes can successfully attract more flows than normal cases. It is clear that the more data flows attracted to the SCA nodes, the worse the network throughput is (“n-SCA” in the figure represents n flows have been attracted to the SCA nodes). Furthermore, Fig. 4(c) depicts the total network throughput when varying the route life time under 3-hop case. Different value of life time corresponds to different mobility, e.g., the lower the life time the higher the node mobility. Clearly, the throughput decreases as M N % increases. Higher mobility results shorter route duration, thus it will cause degradation of network throughput due to frequently broken routes and repairing procedure.
5
Proposed Scheme
In this section, we describe our scheme Prevention from Shortcut Attack and Detour Attack (PSD) to defend against interlayer attacks.
5.1
PSD - part I: randomized routing messages selection
Upon the reception of a RREQ, a node will check to determine whether this message is a recent RREQ. For AODV, this is determined by receiving a RREQ from the same originator address with the same RREQ ID during a time period greater or equal than PathDiscoveryTime. In DSR, a node considers a RREQ recently seen if it still has information about that Request in its Route Request Table. Both protocols will discard the upcoming RREQ which is considered “recent”. In [6], the authors proposed randomized message forwarding to mitigate rushing attacks under the assumption that each forwarding node is capable of collecting the maximum possible number of RREQs when given “perfect” information, such as network topology. However, such perfect information is usually unavailable in real ad hoc networks since there is no centralized management. Here, we propose a similar approach and specify how to determine the timeout Tto during which RREQs are buffered and
10
Lei Guang et al.
Algorithm 1 PSD 1: if collisions happen then 2: Ncol + + 3: end if 4: for each recv RREQi do 5: if i lb == 1 then 6: Tto i = tRREQ1 ub ubmax 7: Tto i = min(Tto , (tRREQ1 + (2imin +Ncol − 1) × Tslot )) 8: Buf f er (RREQ1 ) 9: else ub 10: if tRREQi > Tto i then 11: Discard (RREQi ) 12: else 13: if Ncol > 0 then lb 14: Tto i = tRREQi ub ubmax Tto i = min(Tto 15: , (tcol + (2imin +Ncol − 1) × Tslot )) 16: Buf f er (RREQi ) else 17: 18: Buf f er (RREQi ) 19: end if 20: end if 21: end if 22: end for 23: if Tto timer expires then 24: f orward(RandomRREQ, jitter8 ) 25: Ncol = 0 26: end if
one is randomly selected. If an intermediate node (IN) receives the first request RREQ1 lb ub destined to node D at time tRREQ1 , it sets Tto (lower bound of Tto ) to tRREQ1 and Tto lb imin imin (upper bound) to Tto + (2 − 1) × Tslot , where 2 − 1 = CWmin is the minimum contention window size. Consequently, it buffers RREQ1 . If the IN senses the channel is busy, the timeout timer is frozen. Otherwise it will continue to count down until lb ub it times out. During this timeout interval (Tto < tRREQi ≤ Tto ), if another RREQ lb arrives, it is buffered. In the presence of a collision at tcol , the IN assigns tcol to Tto ub lb and increases Tto to Tto + (2imin +Ncol − 1)Tslot , where Ncol is the number of all colliubmax sions. To avoid unlimited waiting for the retransmitted packets, the maximum Tto lb1 imax +1 − 1)Tslot . As we explained in Section 4, the delay incurred is defined as Tto + (2 ub at MAC layer is small, the IN can also simply set its Tto to the maximum value. After the expiration of the timeout timer, the IN can randomly choose a RREQi 9 to forward, which reduces (increases) the probability that a SCA (DTA) node is included (excluded) in the routing selection.
5.2
PSD - part II: randomized delay of RREQs
This is a complementary scheme to PSD - part I. Recall that the delay introduced by the backoff manipulation is in terms of milliseconds, therefore we can ignore this fraction of delays at higher layer. For example, rather than forwarding the newly received RREQ immediately, the routing protocol can delay the transmission of this RREQ by a small delay, e.g., a delay uniformly selected from [0, tjit ] milliseconds10 . As shown in Section 4 9
10
An IN can also apply certain policy to randomize the RREQ selection, e.g., randomly select RREQ from N1 slow RREQ and N2 fast RREQs (N1 > N2 ). AODV jitters the sending of broadcast packets by 10ms by default, however, this is not enough to counter the delay introduced by MAC. In our experiments, we jitter
Lecture Notes in Computer Science
11
Fig. 3(a), it is clear that the throughput is close to that of normal case when a smaller delay is introduced. However, this operation is based on the assumption that the MN will not be able to break the routing protocol. Therefore, a secure on-demand routing protocol is required. Several protocols have been already proposed. For more details, readers please refer to [13], [14], [15].
5.3
DSD: Detection of SCA and DTA
If a MN is capable of choosing a very large cw beyond CWmax , it can defeat the PSD scheme and even cause devastating performance degradation as we mentioned in Section 4. Here we presents a simple method to detect such behavior. After the timeout timer for the RREQ buffering expires, the IN continues to record the arrival time of received RREQ for the same destination. If the RREQ is incredable late, e.g., in AODV the RREQ bearing the same sequence number arrives 1 second later than the first received RREQ, the IN can mark the source of the RREQ as a MN. To ensure correct diagnosis ratio, the IN can monitoring for a period to collect more information. Note that, the longer the delay of the RREQ, the higher the correct diagnosis.
6
Simulation and Analysis
4
2.5
10000 Normal: AODV Normal: DSR Attack: AODV Attack: DSR
9000 8000
Number of packets forwarded by WN vs. MN%
x 10
Normal: AODV Normal: DSR Attack: AODV Attack: DSR
2
Number of packets
Number of packets
7000 6000 5000 4000
1.5
1
3000 0.5
2000 1000 0
5
10
15
20 25 30 35 40 45 Percentage of misbehaved nodes (MN%)
(a) Mis-behaved Nodes (MN)
50
55
0
5
10
15
20 25 30 35 40 45 Percentage of misbehaved nodes (MN%)
(b) Well-behaved Nodes (WN)
Fig. 5. Number of packets forwarded by MN (WN) under detour attack
We use NS-2 [4] to evaluate the impacts of interlayer attacks and the efficiency of our proposed scheme PSD. the broadcast messages by 100ms which is sufficient to solve the problem as shown in TABLE 2.
50
55
12
Lei Guang et al. AODV normal DTA SCA PSD I (DT) PSD II (DT) W 7992 11988 0 599411 7992 M 3996 0 11988 5994* 3996 DSR normal DTA SCA PSD I (DT) PSD II (DT) W 7986 11979 0 5994* 7986 M 3993 0 11979 5994* 3993 Table 2. Number of forwarded packets (Case - I)
6.1
Static Networks
Fig. 5 shows the number of packets forwarded by MN (WN) under DTA. The network topology in this experiment is the same as Fig. 2. There are 8 CBR flows in the network and 40% out of 49 nodes are mis-behaved (always selecting cw = 127 for routing messages) which are randomly positioned in the network. Fig. 5(a) indicates that the MNs in DTA always forward less packets than WNs in both AODV and DSR. However, when the fraction of the MNs is large, the MNs can not successfully detour the traffic, e.g., when M N % = 50 the number of forwarded packets is comparable for attack and normal cases in AODV. This is because the neighbors of the MNs might be also misbehaving. Similar results can be seen from Fig. 5(b) as well. TABLE 2 shows the efficiency of PSD when applied to the Case I (see Fig. 1(a)). The results show that PSD can partially mitigate the impacts caused by DTA/SCA.
6.2
Mobile Ad Hoc Networks
100
0.18 Normal Attack PSD − I PSD − II
0.16 Average Packet Delay (second)
Packet Delivery Ratio (%)
90
80
70
60 Normal DTA PSD − I PSD − II
50
40
0
50
0.14 0.12 0.1 0.08 0.06 0.04 0.02
100 150 200 Pause Time (second)
250
(a) Packet Delivery Ratio
300
0 1 10
2
10 Pause Time (second)
(b) Average Packet Delay
Fig. 6. Overall Network Performance
Our protocol evaluations are based on the simulation of 50 wireless nodes forming an ad hoc network, moving over a rectangular 1500m × 300m area. Random way-point
3
10
Lecture Notes in Computer Science
13
model is used for generating the mobility pattern. The transmission range for each node is 250m and the carrier sense range is 550m. 10 flows are randomly generated between a source-destination pair. The traffic type is constant bit rate (CBR). The packet size is 512 bytes/packet and the data rate is 4 packets/second for each flow which is a relatively low load. The channel bit rate is 2Mbps. The total time for each simulation run is 300 seconds. For brevity, only DSR is discussed in the following section. Similar results can be also obtained from AODV. To model the interlayer attacks, we consider only detour attack where a misbehaved node will always select cw = 31 for the routing packets.
4
6500
3
Number of forwarded packets (M)
5500
Number of forwarded packets (W)
Normal Attack PSD − I PSD − II
6000
5000 4500 4000 3500 3000 2500
x 10
Normal Attack PSD − I PSD − II
2.5
2
1.5
1
2000 1500
0
50
100 150 200 Pause Time (second)
250
(a) Mis-behaved Nodes (MN)
300
0.5
0
50
100 150 200 Pause Time (second)
250
(b) Well-behaved Nodes (WN)
Fig. 7. Number of packets forwarded by MN (WN) under detour attack
Fig. 6(a) shows the network packet delivery ratio when varying the pause time under normal case (depicted as “Normal”), attack case (depicted as “Attack”) and PSD (depicted as “PSD - I” and “PSD - II”). Lower node pause time corresponds to higher mobility, e.g., 0 second pause time means that a node will continue to move around during the whole simulation. It is clear that, there is no significant difference between these cases, however, delivery ratio of DTA is smaller than the PSD and normal case when the mobility is higher. Furthermore, as shown in Fig. 6(b), the average delay in DTA is much higher normal case even in a less congested environment which reflects the fact as we discussed in Section 3, that is a flow might traverse longer routes than normal case in the presence of DTA resulting an increased delay. Clearly, both PSD - I and PSD - II can mitigate this negative impact when the node mobility is high. Also, the delay of PSD - I and PSD - II are comparable to the normal case. The largest average delay difference between the normal case and PSD is around 0.03 second. Moreover, PSD - II incurs more delay than PSD - I because it always jitters routing packets by 20ms where the delay caused by PSD - I is between the range [0, 20ms]. Fig. 7 depicts the number of packets forwarded under normal case, attack case and PSD when the percentage of misbehaved nodes M N % is fixed at 10% and the misbehaved node IDs are the same for each simulation run. Fig. 7(a) clearly shows that
300
14
Lei Guang et al.
DTA nodes forward much less packets than the normal case indicating they succeed in avoiding to be selected by the routing protocol as a router. This will also cause an extra traffic load for well-behaved nodes as shown in Fig. 7(b) where in DTA the misbehaved nodes forward more packets than the normal case. Furthermore, both PSD - I and PSD - II can mitigate such behavior efficiently. PSD - II has better performance than PSD - I, however, at the cost of a higher delay compared with PSD - I and a secure routing protocol.
7
Conclusion
We presented two simple attacks implemented at MAC layer, however, affecting ad hoc on-demand routing mechanisms. A misbehaved node can use shortcut attack to increase the probability to be selected as a relaying node. After attracting flows traversing through itself, the MN can carry out DoS attacks to degrade the overall network performance. Alternatively, a node using detour attack can reduce the probability to be discovered by the routing discovery process therefore saving its limited device energy. Via simulation, we showed that SCA/DTA can affect both AODV and DSR and we proposed PSD scheme which could successfully mitigate the impacts of SCA/DTA. For future work, we plan to further study and analyze our scheme PSD - II at the network layer under the consideration of a secure protocol.
References 1. IEEE802.11 wireless LAN media access control (MAC) and physical layer (PHY) specifications. 1999. 2. I. Aad, J. P. Hubaux, and E. W. Knightly. Denial of service resilience in ad hoc networks. In Proc. of ACM MobiCom, September 2004. 3. J. Broch, D. B. Johnson, D. A. Maltz, Y.-C. Hu, and G. Jetcheva. The dynamic source routing protocol for mobile ad hoc networks. Internet-Draft, draft-ietfmanet-dsr-05.txt, 2001. 4. K. Fall and K. Varadhan. NS notes and documentation. Technical report, UC Berkley, LBL, USC/ISI. In Xerox PARC, 2002. 5. L. Guang and C. Assi. On the resiliency of ad hoc networks to MAC layer misbehavior. In Workshop on PE-WASUN, ACM MsWiM, October 2005. 6. Y.-C. Hu, A. Perrig, and D. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols. In Proc. ACM WiSe, 2003. 7. P. Kyasanur and N. Vaidya. Selfish MAC layer misbehavior in wireless networks. IEEE Transactions on Mobile Computing., September 2005. 8. S. Marti, T. J. Giuli, K. Lai, and M. Baker. Mitigating routing misbehavior in mobile ad hoc networks. In Mobile Computing and Networking, 2000. 9. P. Papadimitratos and Z. Haas. Secure routing for mobile ad hoc networks. In Proc. of CNDS, 2002. 10. C. E. Perkins, E. M. Belding-Royer, and I. D. Chakeres. Ad hoc On-Demand Distance Vector (AODV) Routing. IETF Internet Draft, draft-perkins-manet-aodvbis01.txt, January 2004. (Work in Progress). 11. M. Raya, J. P. Hubaux, and I. Aad. DOMINO: A system to detect greedy behavior in ieee 802.11 hotspots. In Proc. of ACM MobiSys, June 2004.
Lecture Notes in Computer Science
15
12. N. Sadagopan, F. Bai, B. Krishnamachari, and A. Helmy. PATHS: analysis of path duration statistics and their impact on reactive manet routing protocols. In Proc. of ACM MobiHoc, 2003. Secure Ad Hoc on-demand distance vector (SAODV) rout13. M. Zapata. ing. Technical report, http://www.ietf.org/internet-drafts/draft-guerrero-manetsaodv-00.txt, Internet Draft, 2001. 14. P. Papadimitratos and Z. Haas. Secure routing for mobile ad hoc networks. In Proc. of CNDS, 2002. 15. Y.-C. Hu, A. Perrig, and D. Johnson. Ariadne: A secure on-demand routing protocol for adhoc networks. In Proc. of MobiCom, September 2002.
