
Vulnerability of Wireless Routing Protocols

Qifeng Lu
Dec 15, 2002
University of Massachusetts Amherst

Abstract
The existing wireless routing protocols do not accommodate any security and are highly
vulnerable to attacks. This paper discusses the weakness of those protocols, and threats
and attacks against wireless routing. I also look at some suggested solutions that could be
used when secure protocols are designed. The current protocols should not be used in
hostile environments unless the applications are especially designed to operate under
insecure routing or until protocols with enhanced security are introduced.

1. Introduction
Wireless networks consist of a number of nodes which communicate with each other over
a wireless channel. Typically there are three kinds of wireless networks: cellular
networks, satellite networks and ad hoc mobile networks. Cellular networks have a wired
backbone with only the last hop being wireless. Satellite networks are composed of track-predetermined mobile satellites with the last wireless hop. As the future position of a
satellite can be predicted, it is similar to a fixed base station. An ad hoc mobile network is
a collection of mobile nodes that are dynamically and arbitrarily located in such a manner
that the interconnections between nodes are capable of changing on a continual basis.

Due to the dynamic topology and no support of infrastructure, the ad hoc mobile network
is the most vulnerable in wireless networks.

Routing is the heart of network infrastructure. It controls and manages the "flow" of
messages in the network [1]. To set up connection and maintain updated network
topology, routers keep exchanging messages about link state, cost and metric. The main
goal of a routing protocol for a wireless network is correct and efficient route
establishment between a pair of nodes so that messages may be delivered in a timely
manner.

This project is a survey of the vulnerability of those wireless routing protocols. What is the
meaning of vulnerability? In computer security, vulnerability means any weakness
or flaw existing in a system, the susceptibility of a system to a specific threat attack or
harmful event, or the opportunity available to a threat agent to mount that attack.

Basically, the routing protocol sets an upper limit to security in any packet network. If
routing can be misdirected, the entire network can be paralyzed. As the ad hoc mobile
network is the most vulnerable, by exploring the vulnerability of routing protocols for ad
hoc mobile networks, we can get a whole picture of the vulnerability of routing protocols
for all wireless networks.

To date, there are three kinds of ad hoc routing protocols: proactive (DSDV, WRP),
reactive (DSR, AODV) and hybrid (ZRP) [2]. Most of the protocols focus on discovering
the shortest path between two nodes as fast as possible; in other words, the length of the
routes is the only metric used in these protocols. In some cases, however, security could
be the most important metric. For example, in an ad hoc network used by the military,
secure and reliable communication is a necessary prerequisite. Safety-critical business
operations such as oil drilling platforms or mining operations require maximum security
too [3]. The concern about security definitely necessitates a survey of the vulnerabilities of
these ad hoc routing protocols.

2. Vulnerability of wireless routing protocols


2.1 Weakness of wireless routing
Wireless networks are particularly vulnerable due to their nature of open medium, lack of
physical protection, and lack of a clear line of defense. Furthermore, ad hoc mobile
networks also have dynamically changing topology, use cooperative algorithms, and lack a
centralized monitoring and management point. Thus operation in an ad hoc network
introduces some new security problems in addition to the ones already present in fixed
networks. Some new vulnerabilities include the following [4]:

Easy theft of nodes: Many nodes are expected to be small in size and thus vulnerable to
theft. From a routing perspective this means that a node may easily become compromised.
Thus, a previously well-behaving node can unexpectedly become hostile.

Vulnerability to tampering: This difficulty is related to the problem of easy theft. It must
not be trivial, for example, to recover private keys from the device. A less stringent version
of tamper proof is tamper evidence, where it is only required that a tampered node can be
distinguished from the rest.

Limited computational abilities: Nodes can be devices with limited computing power.
This may exclude techniques such as frequent public key cryptography during normal
operation. However, symmetric cryptography is likely to be feasible in authenticating or
encrypting routing message exchanges.

Battery powered operation: Many devices in an ad hoc network are assumed to be battery
powered. An attacker may attempt a denial-of-service attack by creating additional
transmissions or expensive computations to be carried out by a node in an attempt to
exhaust its batteries.

Transient nature of services and devices: Because an ad hoc network consists of nodes
that may frequently move, the set of nodes that are connected to some particular ad hoc
network frequently changes. This can create problems for example with key management
if cryptography is used in the routing protocol.

2.2 Susceptibility to attacks


2.2.1 Sources of threats
There are two sources of threats to routing protocols. The first comes from external
attackers. By injecting erroneous routing information, replaying old routing information,
or distorting routing information, an attacker could successfully partition a network or
introduce excessive traffic load into the network by causing retransmission and
inefficient routing [5]. The second and more severe kind of threat comes from
compromised nodes, which might advertise incorrect routing information to other nodes.
Detection of such incorrect information is difficult: merely requiring routing information
to be signed by each node would not work, because compromised nodes are able to
generate valid signatures using their private keys.

2.2.2 Attacks
Attacks can be classified based on different criteria. One criterion is whether
attackers disrupt the operation of a routing protocol or not. According to this criterion,
attacks can be divided into two classes: passive attacks and active attacks. Some attacks
are possible in fixed networks, but the nature of the ad hoc environment magnifies their
effects and makes their detection difficult; others are only available in wireless networks.

2.2.2.1 Passive Attacks


In a passive attack, the attacker does not disrupt the operation of a routing protocol but
only attempts to discover valuable information by listening to the routing traffic. The
major advantage for the attacker in passive attacks is that in a wireless environment the
attack is usually impossible to detect. This also makes defending against such attacks
difficult. Furthermore, routing information can reveal relationships between nodes or
disclose their IP addresses. If a route to a particular node is requested more often than to
other nodes, the attacker might expect that the node is important for the functioning of the
network, and disabling it could bring the entire network down.

Other interesting information that is disclosed by routing data is the location of nodes.
Even when it might not be possible to pinpoint the exact location of a node, one may be
able to discover information about the network topology. It is worth noting that in an IP
network one cannot defend against these attacks for example by only using IPsec. The
packets still have most of their IP headers in plaintext, and it may not even be feasible to
have symmetric keys distributed to every node in a network.

2.2.2.2 Active Attacks

These attacks involve actions performed by adversaries, for instance the replication,
modification and deletion of exchanged data. The goal may be to attract packets destined
to other nodes to the attacker for analysis or just to disable the network. A major
difference in comparison with passive attacks is that an active attack can sometimes be
detected. This makes active attacks a less inviting option for most attackers. Yet, it may
still be a real alternative when large amounts of money are at stake, such as in commercial
or military environments.

The following is a list of some types of active attacks that can usually be easily
performed against an ad hoc network.

Black hole: In the black hole attack [6], a malicious node uses the routing protocol to
advertise itself as having the shortest path to the node whose packets it wants to intercept.

In a flooding based protocol such as AODV the attacker listens to requests for routes.
When the attacker receives a request for a route to the target node, the attacker creates a
reply where an extremely short route is advertised. If the malicious reply reaches the
requesting node before the reply from the actual node, a forged route has been created.
Once the malicious device has been able to insert itself between the communicating
nodes, it is able to do anything with the packets passing between them. It can choose to
drop the packets to perform a denial-of-service attack, or alternatively use its place on the
route as the first step in a man-in-the-middle attack.

Wormhole: In the wormhole attack [7], an attacker records packets (or bits) at one
location in the network, tunnels them to another location, and retransmits them there into
the network. The wormhole attack is possible even if the attacker has not compromised
any hosts and even if all communication provides authenticity and confidentiality. The
wormhole attack can form a serious threat in wireless networks, especially against many
ad hoc network routing protocols and location-based wireless security systems. For
example, most existing ad hoc network routing protocols, without some mechanism to
defend against the wormhole attack, would be unable to find routes longer than one or
two hops, severely disrupting communication. The wormhole places the attacker in a very
powerful position, able for example to further exploit any of the attacks mentioned above,
allowing the attacker to gain unauthorized access, disrupt routing, or perform a
permanent denial-of-service attack (DoS) by creating a routing loop.

Rushing attack: This kind of attack [7] is a malicious attack that is targeted against on-demand routing protocols that use duplicate suppression at each node, like AODV. An
attacker disseminates ROUTE REQUESTs quickly throughout the network, suppressing
any later legitimate ROUTE REQUESTs when nodes drop them due to the duplicate
suppression. Thus the protocol cannot set up a route to the desired destination.

Spoofing: By masquerading as another node, a malicious node can launch many attacks
in a network. This is commonly known as spoofing [8].

Spoofing occurs when a node misrepresents its identity in the network, such as by
altering its MAC or IP address in outgoing packets. Spoofing combined with packet
modification is really a dangerous attack.

Routing table overflow: In a routing table overflow attack the attacker attempts to create
routes to nonexistent nodes [4]. The goal is to create enough routes to prevent new routes
from being created or to overwhelm the protocol implementation.

Proactive routing algorithms attempt to discover routing information even before it is
needed, while a reactive algorithm creates a route only once it is needed. This property
appears to make proactive algorithms more vulnerable to table overflow attacks. An
attacker can simply send excessive route advertisements to the routers in a network.
Reactive protocols, on the other hand, do not collect routing data in advance. For
example, in AODV, two or more malicious nodes would need to cooperate to create false
data efficiently: one node requests routes and the other one replies with forged
addresses.

Sleep deprivation: Usually, this attack is practical only in ad hoc networks, where
battery life is a critical parameter. Battery powered devices try to conserve energy by
transmitting only when absolutely necessary. An attacker can attempt to consume
batteries by requesting routes, or by forwarding unnecessary packets to the node using,
for example, a black hole attack [9].

This attack is especially suitable against devices that do not offer any services to the
network or offer services only to those who have some special credentials. Regardless of
the properties of the services, a node must participate in the routing process unless it is
willing to risk becoming unreachable to the network.

Location disclosure: A location disclosure attack can reveal something about the locations of nodes or the structure of the network. The information gained might reveal which
other nodes are adjacent to the target, or the physical location of a node. The attack can
be as simple as using an equivalent of the traceroute command on UNIX systems.
Routing messages are sent with inadequate hop-limit values and the addresses of the
devices sending the ICMP error messages are recorded. In the end, the attacker knows
which nodes are situated on the route to the target node. If the locations of some of the
intermediary nodes are known, one can gain information about the location of the target
as well [4].

A broad classification of the attacks might be described in the following way:


2.2.2.3 Denial of Service
The denial of service threat, whether produced by an unintentional failure or malicious
action, forms a severe security risk in any distributed system. The consequences of such
attacks, however, depend on the area of application of the ad hoc network. The denial of
service attack has many forms: the classical way is to flood any centralized resource so
that it no longer operates correctly or crashes, but in ad hoc networks this may not be an
applicable approach due to the distribution of responsibility. Distributed denial of service
attack is a more severe threat: if the attackers have enough computing power and
bandwidth to operate with, smaller ad hoc networks can be crashed or congested rather
easily. There are, however, more serious threats to ad hoc networks: compromised nodes
may be able to reconfigure the routing protocol or any part of it so that they send routing
information very frequently, thus causing congestion, or very rarely, thus preventing
nodes from gaining new information about the changed topology of the network [10]. The
wormhole, the rushing attack, the routing table overflow and the sleep deprivation
attack might fall into this category.

2.2.2.4 Impersonation
Impersonation attacks form a serious security risk at all levels of ad hoc networking. If
proper authentication of parties is not supported, compromised nodes may, in the network
layer, be able to, e.g., join the network undetectably or send false routing information
masqueraded as some other, trusted node. Within network management the attacker could
gain access to the configuration system as a super user. At the service level, a malicious party
could have its public key certified even without proper credentials. Thus impersonation
attacks concern all critical operations in ad hoc networks [10]. The black hole attack and
spoofing may fall in this category. The passive attack can be a first step to carry out such
an attack.

2.2.2.5 Disclosure

Any communication must be protected from eavesdropping whenever confidential
information is exchanged. Critical data that the nodes store must also be protected from
unauthorized access. In ad hoc networks such information can include almost anything,
e.g. specific status details of a node, the location of nodes, private or secret keys,
passwords and phrases and so on. Sometimes the control data is more critical information
in respect of security than the actual exchanged data [10]. Obviously we can place the
location disclosure attack and passive attack in this category.

2.3 Vulnerability illustration of current wireless routing protocols


The following table lists possible protocol-specific attacks on wireless routing protocols.
Protocol attack details used by possible attack methods, their attack targets and attack
impact on performance are listed in the table, with the attack possibility in AODV and
DSR. The attack target here is classified as connectivity attack and bandwidth attack.
Connectivity includes power consumption attack.

Table 1: Vulnerability of AODV and DSR


| Attack | Attack methods using the attack | Attack target | Impact on performance | AODV | DSR |
|---|---|---|---|---|---|
| Unnecessary route request | Rushing attack, sleep deprivation, black hole | Connectivity | Increasing protocol load and drop ratio | Yes | Yes |
| False distance vector | Wormhole | Connectivity | Increasing drop ratio | Yes | n/a |
| False destination sequence | Black hole with spoofing | Connectivity | Increasing drop ratio | Yes | n/a |
| Malicious routing query flooding to nonexistent nodes | Routing table overflow, sleep deprivation | Bandwidth | Increasing bandwidth utilization, end-to-end delay and protocol load | Yes | Yes |
| Routing messages with inadequate hop-limit values | Location disclosure | Connectivity | Possible increase in drop ratio | Yes | Yes |
| Fabrication of error messages | Spoofing, black hole | Connectivity, bandwidth | Increasing bandwidth utilization | Yes | Yes |
| Fabrication of source route | Spoofing, black hole | Connectivity | Increasing drop ratio | No | Yes |
| Spoofing | Spoofing | Connectivity, bandwidth | Possible increase in protocol load, bandwidth utilization, end-to-end delay and drop ratio | Yes | Yes |

3. Criteria
This section lists criteria for a secure routing protocol. Some of the obvious requirements
for all routing protocols such as loop-freedom have been omitted for brevity. From the
standpoint of security, an optimal routing protocol should fulfill the following criteria [4].

Certain discovery: If a route between two points in a network exists, it should always be
possible to find it. Also, the node which requested the route should be able to be sure it
has found a route to the correct node [4]. This helps against routing table overflow and
rushing attacks.

Isolation: The protocol should be able to identify misbehaving nodes and make them unable to interfere with routing. Alternatively, the routing protocol should be designed to be
immune to malicious nodes [4]. This helps against wormhole, black hole and spoofing attacks.

Lightweight computations: Many devices connected to an ad hoc network are assumed
to be battery powered with limited computational abilities. Such a node cannot be
expected to be able to carry out expensive computations. If operations such as public key
cryptography or shortest path algorithms for large networks prove necessary, they should
be confined to the least possible number of nodes; preferably only the route endpoints at
route creation time. This requirement is needed to protect against trivial denial-of-service
attacks [4]. It can be used against sleep deprivation.

Location privacy: Often, the information carried in message headers is just as valuable
as the message itself. The routing protocol should protect information about the location
of nodes in a network and the network structure [4]. It helps fight against location
disclosure and passive attacks.

Self-stabilization: The self-stabilization property requires that a routing protocol should
be able to automatically recover from any problem in a finite amount of time without
human intervention. That is, it must not be possible to permanently disable a network by
injecting a small number of malformed packets. If the routing protocol is self-stabilizing,
an attacker who wishes to inflict continuous damage must remain in the network and
continue sending malicious data to the nodes, which makes the attacker easier to locate
[4]. It can be used against the black hole attack.

Byzantine robustness: A routing protocol should be able to function correctly even if
some of the nodes participating in routing are intentionally disrupting its operation.
Byzantine robustness can be seen as a stricter version of the self-stabilization property:
the routing protocol must not only automatically recover from an attack, it should not
cease from functioning even during the attack. Clearly, if a routing protocol does not
have the self-stabilization property it cannot have Byzantine robustness either [4]. It helps
to fight against impersonation caused by spoofing.

4. Actions taken to protect wireless routing protocols from attack
To date, some measures have been proposed to secure routing and detect intrusion.

Papadimitratos et al. [11] proposed a Secure Routing Protocol (SRP) to counter malicious
behavior that targets the discovery of topology information.

Hu et al. [3] proposed a packet leashes method to defend against the wormhole attack. It includes two
types of packet leashes: geographical leashes and temporal leashes. The key intuition is
that by authenticating either an extremely precise timestamp or location information
combined with a loose timestamp, a receiver can determine if the packet has traversed a
distance that is unrealistic for the specific network technology.
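The receiver-side check behind both leash types can be sketched as follows. This is an added example, not code from the paper or from Hu et al.; the HMAC with a pre-shared key, the field names and all numeric values are assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import math

C_M_PER_NS = 0.299792458  # radio propagation speed in metres per nanosecond


def _mac(key, payload, leash):
    # Assumption: sender and receiver share `key`; HMAC stands in for
    # whatever authentication scheme the protocol really uses.
    blob = json.dumps(leash, sort_keys=True).encode() + payload
    return hmac.new(key, blob, hashlib.sha256).digest()


def _authentic(key, pkt):
    return hmac.compare_digest(pkt["mac"], _mac(key, pkt["payload"], pkt["leash"]))


def send_temporal(key, payload, t_send_ns, range_m, clock_err_ns):
    """Temporal leash: expiry = send time + one-hop flight time - clock error."""
    leash = {"t_expire_ns": t_send_ns + int(range_m / C_M_PER_NS) - clock_err_ns}
    return {"payload": payload, "leash": leash, "mac": _mac(key, payload, leash)}


def check_temporal(key, pkt, t_recv_ns):
    """Needs tightly synchronised clocks (error well below one hop's flight time)."""
    if not _authentic(key, pkt):
        return "reject: bad MAC"
    if t_recv_ns > pkt["leash"]["t_expire_ns"]:
        return "reject: leash expired"
    return "accept"


def send_geo(key, payload, pos_m, t_send_ns):
    """Geographical leash: sender position plus a loosely synchronised timestamp."""
    leash = {"pos_m": list(pos_m), "t_send_ns": t_send_ns}
    return {"payload": payload, "leash": leash, "mac": _mac(key, payload, leash)}


def check_geo(key, pkt, my_pos_m, t_recv_ns, range_m,
              v_max_mps, clock_err_ns, pos_err_m):
    if not _authentic(key, pkt):
        return "reject: bad MAC"
    leash = pkt["leash"]
    elapsed_s = (t_recv_ns - leash["t_send_ns"] + clock_err_ns) / 1e9
    # Upper bound on the sender-receiver distance: both nodes may have moved
    # at up to v_max during the elapsed time, plus the positioning error.
    bound_m = (math.dist(leash["pos_m"], my_pos_m)
               + 2 * v_max_mps * elapsed_s + pos_err_m)
    return "accept" if bound_m <= range_m else "reject: sender too far"


if __name__ == "__main__":
    KEY = b"constructed-demo-key"  # constructed sample values throughout
    pkt = send_temporal(KEY, b"RREQ", 1_000_000, range_m=300, clock_err_ns=100)
    print(check_temporal(KEY, pkt, 1_000_600))   # neighbour about 150 m away
    print(check_temporal(KEY, pkt, 1_006_671))   # relayed from about 2 km away
    geo = send_geo(KEY, b"RREQ", (0.0, 0.0), 5_000_000_000)
    print(check_geo(KEY, geo, (2000.0, 0.0), 5_001_000_000, 300, 20, 1_000_000, 5))
```

The temporal check only works when the clock error is far smaller than the one-hop flight time (about 1 microsecond for 300 m), which is why the text calls the timestamp "extremely precise"; the geographical check tolerates millisecond-level error because position carries most of the bound.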

Hu et al. [7] also proposed Ariadne, a Secure On-Demand Routing Protocol for ad hoc
networks. This protocol uses highly efficient symmetric cryptography to withstand node
compromise.

Sanzgiri et al. [8] proposed a secure routing protocol, Authenticated Routing for Ad Hoc
Networks, to prevent modification, impersonation and fabrication attacks through
message authentication, integrity and non-repudiation.

Castelluccia et al. [12] employed crypto-based identifiers for node and
group identification to secure group authorization (including membership).

Zhang et al. [13] proposed a new architecture for intrusion detection and response
systems. Every node in the wireless ad-hoc network participates in intrusion detection
and response. Each node is responsible for detecting signs of intrusion locally and
independently, but neighboring nodes can collaboratively investigate in a broader range.
Thus intrusion detection and response systems are both distributed and cooperative to
suit the needs of wireless ad-hoc networks.

Evidently, all of these are not enough to resolve the security concern. Further efforts
must be made to improve the security of wireless routing protocols.

5. Ideas to secure wireless routing

Here are several ideas to improve the security of wireless routing protocols.

Hierarchy appears to be a desirable property in routing protocols because it can
sometimes limit failures to smaller areas in a network. As it also limits the number of
routing messages in comparison with flat routing, it may also limit the vulnerability
against denial-of-service attacks based on excessive route requests.

Redundant information through additional routes can be used for error detection and
correction. For example, if there are n available routes, then send data on n-r channels
and send redundant info on r channels. Thus even if some routes do not work, the
receiver can recover messages from data it receives [14].
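A minimal instance of this idea with r = 1: the message is split over n-1 routes and one XOR parity share travels on the remaining route, so the receiver survives one failed route. This is an added example, not code from the paper or from [14]; the per-share HMAC (which turns a modified share into a detectable loss) and the end-to-end key are assumptions added for illustration.

```python
import hashlib
import hmac


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(key: bytes, index: int, share: bytes) -> bytes:
    # Binds each share to its route index so shares cannot be swapped.
    return hmac.new(key, bytes([index]) + share, hashlib.sha256).digest()


def disperse(key: bytes, message: bytes, n_routes: int) -> list:
    """Return one (share, tag) pair per route: n-1 data shares + 1 parity share."""
    if n_routes < 2:
        raise ValueError("need at least two routes")
    k = n_routes - 1
    framed = len(message).to_bytes(4, "big") + message  # length prefix for unpadding
    size = -(-len(framed) // k)                         # ceiling division
    framed = framed.ljust(size * k, b"\x00")
    shares = [framed[i * size:(i + 1) * size] for i in range(k)]
    parity = bytes(size)
    for share in shares:
        parity = _xor(parity, share)
    shares.append(parity)
    return [(s, _tag(key, i, s)) for i, s in enumerate(shares)]


def recover(key: bytes, arrived: dict, n_routes: int) -> bytes:
    """arrived maps route index -> (share, tag); absent indexes are dropped routes."""
    k = n_routes - 1
    # A share whose tag does not verify was modified in transit: treat it as lost.
    good = {i: s for i, (s, t) in arrived.items()
            if hmac.compare_digest(t, _tag(key, i, s))}
    lost = [i for i in range(n_routes) if i not in good]
    if len(lost) > 1:
        raise ValueError("more routes failed than r = 1 can repair")
    if lost and lost[0] < k:
        # XOR of all surviving shares (data + parity) rebuilds the missing one.
        rebuilt = bytes(len(next(iter(good.values()))))
        for share in good.values():
            rebuilt = _xor(rebuilt, share)
        good[lost[0]] = rebuilt
    framed = b"".join(good[i] for i in range(k))
    length = int.from_bytes(framed[:4], "big")
    return framed[4:4 + length]


if __name__ == "__main__":
    KEY = b"constructed-end-to-end-key"          # constructed sample values
    MSG = b"route update: link A-B cost 3"
    sent = dict(enumerate(disperse(KEY, MSG, n_routes=4)))
    dropped = {i: v for i, v in sent.items() if i != 1}     # route 1 drops packets
    print(recover(KEY, dropped, 4))
    share0, tag0 = sent[0]
    modified = dict(sent)
    modified[0] = (b"X" + share0[1:], tag0)                 # route 0 alters its share
    print(recover(KEY, modified, 4))
```

Tolerating r > 1 failed routes requires a real erasure code such as Reed-Solomon in place of the single XOR parity.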

Try to find a trusted route to avoid internal attacks. Once a secure route is established, data
forwarding over that route is a simple matter [15].

For those protocols using destination sequence to carry out route discovery, always
validate destination sequence via the destination node.
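One way to realise this check, shown next to the unverified AODV-style selection rule (freshest destination sequence number first, then fewest hops). This is an added example, not code from the paper or from any AODV implementation; `RouteReply`, `seq_proof`, `prove_seq` and the key shared between source and destination are hypothetical names and assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class RouteReply:
    dest: str
    dest_seq: int
    hop_count: int
    next_hop: str
    seq_proof: bytes = b""   # hypothetical field: destination's MAC over (dest, seq)


def prove_seq(e2e_key: bytes, dest: str, dest_seq: int) -> bytes:
    """Computed by the destination; assumes it shares e2e_key with the source."""
    return hmac.new(e2e_key, f"{dest}|{dest_seq}".encode(), hashlib.sha256).digest()


def pick_unverified(replies):
    """AODV-style preference: highest destination sequence, then fewest hops."""
    return max(replies, key=lambda r: (r.dest_seq, -r.hop_count))


def pick_verified(replies, e2e_key: bytes, last_seen_seq: int):
    """Only consider replies whose sequence number the destination vouched for."""
    valid = [
        r for r in replies
        if r.dest_seq >= last_seen_seq        # refuse stale, replayed proofs
        and hmac.compare_digest(r.seq_proof, prove_seq(e2e_key, r.dest, r.dest_seq))
    ]
    return pick_unverified(valid) if valid else None


if __name__ == "__main__":
    KEY = b"constructed-source-dest-key"       # constructed sample values
    honest = RouteReply("D", 42, 4, "B", prove_seq(KEY, "D", 42))
    # A reply claiming a far fresher sequence number and a one-hop route,
    # as in the "false destination sequence" row of Table 1.
    forged = RouteReply("D", 4000, 1, "M")
    stale = RouteReply("D", 10, 2, "C", prove_seq(KEY, "D", 10))
    replies = [honest, forged, stale]
    print(pick_unverified(replies).next_hop)                       # M
    print(pick_verified(replies, KEY, last_seen_seq=40).next_hop)  # B
```

The proof covers only the sequence number, as the idea above states; the hop count in a reply is still unauthenticated and needs a separate mechanism.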

6. Conclusion
In any multi-hop IP network, routing places an upper bound on the security of the entire
network. If the security in the routing protocol is nonexistent, the network can have no
security against denial-of-service attacks that can disable the entire network. Another
serious threat resulting from routing protocols is the disclosure of some information
about the network structure and the movement of the nodes within the network.

Even though current ad hoc routing protocols are completely insecure, their use is not
completely excluded in environments such as home networks where security is usually
not an absolute necessity. However, in environments such as law enforcement or the
military, new protocols with strong security against, for example, location disclosure and
active attacks are needed.

Currently, ad hoc routing protocols are vulnerable to several kinds of attacks. Unless
protection against routing attacks can be provided by the applications that are used in the
network, current routing protocols should not be used in areas of applications where the
threats of denial-of-service attacks, forged routes, or location disclosure are of any
significant importance.

References:
1. Huaizhi Li, Zhenliu Chen and Xiangyang Qin. Secure Routing in Wired Networks
and Wireless Ad Hoc Networks. http://cs.engr.uky.edu/~singhal/termpapers/routing.pdf.
2. Elizabeth M. Royer and C.-K. Toh. A Review of Current Routing Protocols for
Ad Hoc Mobile Wireless Networks. IEEE Personal Communications Magazine,
April 1999, pp. 46-55.
3. Y.-C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defense against
wormhole attacks in wireless ad hoc networks. Technical Report TR01-384,
Department of Computer Science, Rice University, December 2001.
4. www.tcm.hut.fi/Opinnot/Tik-110.501/2000/papers/lundberg.ps
5. S. Yi, P. Naldurg, and R. Kravets. A Security Aware Routing Protocol for
Wireless Ad Hoc Networks. The 6th World Multi-Conference on Systemics,
Cybernetics and Informatics (SCI 2002), 2002.
6. Feiyi Wang, Brian Vetter and Shyhtsun Wu. Secure Routing Protocols: Theory
and Practice. North Carolina State University, May 1997.
7. Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secure on-demand routing
protocol for ad hoc networks. In Proceedings of the 8th ACM International
Conference on Mobile Computing and Networking (MobiCom), September 2002.
8. K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer. A
secure routing protocol for ad hoc networks. In Proceedings of the 10th IEEE
International Conference on Network Protocols (ICNP), November 2002.
9. Frank Stajano and Ross Anderson. The Resurrecting Duckling: Security Issues for
Ad hoc Wireless Networks. In Security Protocols, 7th International Workshop
Proceedings, Lecture Notes in Computer Science, 1999.
10. N. Ahuja and A. Menon. Security in Mobile Networks (Infrastructure and Ad-hoc). http://www.cise.ufl.edu/~nahuja/security/wirelesssec.htm
11. P. Papadimitratos and Z. J. Haas. Secure routing for mobile ad hoc networks. In
Proceedings of SCS Communication Networks and Distributed Systems Modeling
and Simulation (CNDS), January 2002. ACM Transactions on Computer Systems,
to appear.
12. C. Castelluccia and G. Montenegro. Securing group management in IPv6.
Technical report, INRIA, August 2002.
13. Y. Zhang and W. Lee. Intrusion detection in wireless ad-hoc networks. In
Proceedings of the 6th ACM International Conference on Mobile Computing and
Networking (MobiCom), August 2000.
14. http://www.cs.utexas.edu/users/ypraveen/courses/compsec/compsec-litsurvey.ppt
15. http://www.cs.purdue.edu/homes/yilu/slides/security-on-adhoc.ppt
