Documente Academic
Documente Profesional
Documente Cultură
Qifeng Lu
Dec 15, 2002
University of Massachusetts Amherst
Abstract
The existing wireless routing protocols do not accommodate any security and are highly
vulnerable to attacks. This paper discusses the weakness of those protocols, and threats
and attacks against wireless routing. I also look at some suggested solutions that could be
used when secure protocols are designed. The current protocols should not be used in
hostile environments unless the applications are especially designed to operate under
insecure routing or until protocols with enhanced security are introduced.
1. Introduction
Wireless networks consist of a number of nodes which communicate with each other over
a wireless channel. Typically there are three kinds of wireless networks: cellular
networks, satellite networks and ad hoc mobile networks. Cellular networks have a wired
backbone with only the last hop being wireless. Satellite networks are composed of trackpredetermined mobile satellites with the last wireless hop. As the futural position of a
satellite can be predicted, it is similar to a fixed base station. An ad hoc mobile network is
a collection of mobile nodes that are dynamically and arbitrarily located in such a manner
that the interconnections between nodes are capable of changing on a continual basis.
Due to the dynamic topology and no support of infrastructure, the ad hoc mobile network
is the most vulnerable in wireless networks.
Routing is the heart of network infrastructure. It controls and manages the "flow" of
messages in the network [1]. To set up connection and maintain updated network
topology, routers keep exchanging messages about link state, cost and metric. The main
goal of a routing protocol for a wireless network is correct and efficient route
establishment between a pair of nodes so that messages may be delivered in a timely
manner.
This project is a survey on vulnerability of those wireless routing protocols. Whats the
meaning of vulnerability? Well, in computer security, vulnerability means any weakness
or flaw existing in a system, the susceptibility of a system to a specific threat attack or
harmful event, or the opportunity available to a threat agent to mount that attack.
Basically, the routing protocol sets an upper limit to security in any packet network. If
routing can be misdirected, the entire network can be paralyzed. As the ad hoc mobile
network is the most vulnerable, by exploiting the vulnerability of routing protocols for ad
hoc mobile networks, we can get a whole picture of the vulnerability of routing protocols
for all wireless networks.
Till now, there are three kinds of ad hoc routing protocols: Proactive (DSDV, WRP),
reactive (DSR, AODV) and hybrid (ZRP) [2]. Most of the protocols focus on discovering
the shortest path between two nodes as fast as possible, in other words, the length of the
routes is the only metric used in these protocols. In some cases, however, security could
be the most important metric. For example, in an ad hoc network used by the military,
secure and reliable communication is a necessary prerequisite. Safety-critical business
operations such as oil drilling platforms or mining operations require maximum security
too [3]. The concern on security definitely necessitates the survey on vulnerabilities of
these ad hoc routing protocols.
Easy theft of nodes: Many nodes are expected to be small in size and thus vulnerable to
theft. From a routing perspective this means that a node may easily become compromised.
Thus, a previously well-behaving node can unexpectedly become hostile.
Vulnerability to tampering: This difficulty is related to the problem of easy theft. It must
not be trivial for example to recover private keys from the device. A less stringent version
of tamper proof is tamper evidence where it is only required that a tampered node can be
distinguished from the rest.
Limited computational abilities: Nodes can be devices with limited computing power.
This may exclude techniques such as frequent public key cryptography during normal
operation. However, symmetric cryptography is likely to be feasible in authenticating or
encrypting routing message exchanges.
Battery powered operation: Many devices in an ad hoc network are assumed to be battery
powered. An attacker may attempt a denial-of-service attack by creating additional
transmissions or expensive computations to be carried out by a node in an attempt to
exhaust its batteries.
Transient nature of services and devices: Because an ad hoc network consists of nodes
that may frequently move, the set of nodes that are connected to some particular ad hoc
network frequently changes. This can create problems for example with key management
if cryptography is used in the routing protocol.
introduce excessive traffic load into the network by causing retransmission and
inefficient routing [5]. The second and more severe kind of threat comes from
compromised nodes, which might advertise incorrect routing information to other nodes.
Detection of such incorrect information is difficult: merely requiring routing information
to be signed by each node would not work, because compromised nodes are able to
generate valid signatures using their private keys.
2.2.2 Attacks
Attacks can be classified based on different criteria. One criterion is that whether
attackers disrupt the operation of a routing protocol or not. According to this criterion,
attacks can be divided into two classes: passive attacks and active attacks. Some attacks
are possible in fixed networks, but the nature of the ad hoc environment magnifies their
effects and makes their detection difficult, others are only available in wireless networks.
Other interesting information that is disclosed by routing data is the location of nodes.
Even when it might not be possible to pinpoint the exact location of a node, one may be
able to discover information about the network topology. It is worth noting that in an IP
network one cannot defend against these attacks for example by only using IPsec. The
packets still have most of their IP headers in plaintext, and it may not even be feasible to
have symmetric keys distributed to every node in a network.
These attacks involve actions performed by adversaries, for instance the replication,
modification and deletion of exchanged data. The goal may be to attract packets destined
to other nodes to the attacker for analysis or just to disable the network. A major
difference in comparison with passive attacks is that an active attack can sometimes be
detected. This makes active attacks a less inviting option for most attackers. Yet, it may
still be a real alternative when large amounts of money is at stake such as in commercial
or military environments.
The following is a list of some types of active attacks that can usually be easily
performed against an ad hoc network.
Black hole : In the black hole attack [6], a malicious node uses the routing protocol to
advertise itself as having the shortest path to the node whose packets it wants to intercept.
In a flooding based protocol such as AODV the attacker listens to requests for routes.
When the attacker receives a request for a route to the target node, the attacker creates a
reply where an extremely short route is advertised. If the malicious reply reaches the
requesting node before the reply from the actual node, a forged route has been created.
Once the malicious device has been able to insert itself between the communicating
nodes, it is able to do anything with the packets passing between them. It can choose to
drop the packets to perform a denial-of-service attack, or alternatively use its place on the
route as the first step in a man-in- the-middle attack.
Wormhole: In the wormhole attack [7], an attacker records packets (or bits) at one
location in the network, tunnels them to another location, and retransmits them there into
the network. The wormhole attack is possible even if the attacker has not compromised
any hosts and even if all communication provides authenticity and confidentiality. The
wormhole attack can form a serious threat in wireless networks, especially against many
ad hoc network routing protocols and location-based wireless security systems. For
example, most existing ad hoc network routing protocols, without some mechanism to
defend against the wormhole attack, would be unable to find routes longer than one or
two hops, severely disrupting communication. The wormhole places the attacker in a very
powerful position, able for example to further exploit any of the attacks mentioned above,
allowing the attacker to gain unauthorized access, disrupt routing, or perform a
permanent denial-of-service attack (DoS) by creating a routing loop.
Rushing attack: This kind of attack [7] is a malicious attack that is targeted against ondemand routing protocols that use duplicate suppression at each node, like AODV. An
attacker disseminates ROUTE REQUESTs quickly throughout the network, suppressing
any later legitimate ROUTE REQUESTs when nodes drop them due to the duplicate
suppression. Thus the protocol can not set up a route to the desirable destination.
Spoofing : By masquerading as another node, a malicious node can launch many attacks
in a network. This is commonly known as spoofing [8].
Spoofing occurs when a node misrepresents its identity in the network, such as by
altering its MAC or IP address in outgoing packets. Spoofing combined with packet
modification is really a dangerous attack.
Routing table overflow: In a routing table overflow attack the attacker attempts to create
routes to nonexistent nodes [4]. The goal is to create enough routes to prevent new routes
from being created or to overwhelm the protocol implementation.
data efficiently: The other node requests routes and the other one replies with forged
addresses.
Sleep deprivation: Usually, this attack is practical only in ad hoc networks, where
battery life is a critical parameter. Battery powered devices try to conserve energy by
transmitting only when absolutely necessary. An attacker can attempt to consume
batteries by requesting routes, or by forwarding unnecessary packets to the node using,
for example, a black hole attack [9].
This attack is especially suitable against devices that do not offer any services to the
network or offer services only to those who have some special credentials. Regardless of
the properties of the services, a node must participate in the routing process unless it is
willing to risk becoming unreachable to the network.
Location disclosure : A location disclosure attack can reveal something about the locations of nodes or the structure of the network. The information gained might reveal which
other nodes are adjacent to the target, or the physical location of a node. The attack can
be as simple as using an equivalent of the traceroute command on UNIX systems.
Routing messages are sent with inadequate hop-limit values and the addresses of the
devices sending the ICMP error messages are recorded. In the end, the attacker knows
which nodes are situated on the route to the target node. If the locations of some of the
intermediary nodes are known, one can gain information about the location of the target
as well [4].
2.2.2.4 Impersonation
Impersonation attacks form a serious security risk in all levels of ad hoc networking. If
proper authentication of parties is not supported, compromised nodes may in network
layer be able to e.g. join the network undetectably or send false routing information
masqueraded as some other, trusted node. Within network management the attacker could
gain access to the configuration system as a super user. In service level, a malicious party
could have its public key certified even without proper credentials. Thus impersonation
attacks concern all critical operations in ad hoc networks [10]. The Black Hole attack,
spoofing may fall in this category. The passive attack can be a first step to carry out such
an attack.
2.2.2.5 Disclosure
Attack target
Connectivity
Routing
messages with
inadequate hoplimit values
Fabrication of
error messages
Location disclosure
Connectivity
Connectivity,
bandwidth
Fabrication of
source route
Spoofing
Connectivity
Spoofing
Connectivity,
bandwidth
Unnecessary
route request
False distance
vector
False destination
sequence
Malicious
routing query
flooding to nonexist nodes
Connectivity
Connectivity
Bandwidth
Impact on
performance
Increasing protocol
load and drop ratio
Increasing drop
ratio
Increasing drop
ratio
Increasing
bandwidth
utilization, end-toend delay and
protocol load
Possible increase in
drop ratio
AODV
DSR
Yes
Yes
Yes
n/a
Yes
n/a
Yes
Yes
Yes
Yes
Increasing
bandwidth
utilization
Increasing drop
ratio
Possible increase in
protocol load,
bandwidth
utilization, end-toend delay and drop
ratio
Yes
Yes
No
Yes
Yes
Yes
3. Criteria
This section lists criteria for a secure routing protocol. Some of the obvious requirements
for all routing protocols such as loop-freedom have been omitted for brevity. From the
standpoint of security, an optimal routing protocol should fulfill the following criteria [4].
Certain discovery : If a route between two points in a network exists, it should always be
possible to find it. Also, the node which requested the route should be able to be sure it
has found a route to the correct node [4]. It is helpful to attack routing table overflow and
rushing attack.
Isolation: The protocol should be able to identify misbehaving nodes and make them unable to interfere with routing. Alternatively, the routing protocol should be designed to be
immune to malicious nodes [4]. It is helpful to attack wormhole, black hole and spoofing.
Location privacy: Often, the information carried in message headers is just as valuable
as the message itself. The routing protocol should protect information about the location
of nodes in a network and the network structure [4]. It helps fight against location
disclosure and passive attacks.
Self-stabilization: The self- stabilization property requires that a routing protocol should
be able to automatically recover from any problem in a finite amount of time without
human intervention. That is, it must not be possible to permanently disable a network by
injecting a small number of malformed packets. If the routing protocol is self stabilizing,
an attacker who wishes to inflict continuous damage must remain in the network and
continue sending malicious data to the nodes, which makes the attacker easier to locate
[4]. It can be used against black hole attack.
Papadimitratos et al. [11] proposed a Secure Routing Protocol (SRP) to counter malicious
behavior that targets the discovery of topology information.
Hu et al. [3] proposed a packet leashes method to attack the wormhole. It includes two
types of packet leashes: geographical leashes and temporal leashes. The key intuition is
that by authenticating either an extremely precise timestamp or location information
combined with a loose timestamp, a receiver can determine if the packet has traversed a
distance that is unrealistic for the specific network technology.
Hu et al. [7] also proposed Ariadne, a Secure On-Demand Routing Protocol for ad hoc
networks. This protocol uses highly efficient symmetric cryptography to withstand node
compromise.
Sanzgiri et al. [8] proposed a secure routing protocol, Authenticated Routing for Ad Hoc
Networks, to prevent modification, impersonation and fabrication attacks through
message authentication, integrity and non-repudiation.
Castelluccia et al. [12] used the employment of crypto-based identifiers for node and
group identification to secure group authorization (including membership).
Zhang et al. [13] proposed a new architecture for intrusion detection and response
systems. Every node in the wireless ad-hoc network participates in intrusion detection
and response. Each node is responsible for detecting signs of intrusion locally and
independently, but neighboring nodes can collaboratively investigate in a broader range.
Thus Intrusion detection and response systems are both distributed and cooperative to
suite the needs of wireless ad-hoc networks.
Apparently all of these are not enough to release the security concern. Further efforts
must be taken to improve the security of wireless routing protocols.
Redundant information through additional routes can be used for error detection and
correction. For example, if there are n available routes, then send data on n-r channels
and send redundant info on r channels. Thus even if some routes do not work, the
receiver can recover messages from data it receives [14].
Try to find a trusted route to avoid internal attack. Once a secure route is established, data
forwarding over that route is a simple matter [15].
For those protocols using destination sequence to carry out route discovery, always
validate destination sequence via the destination node.
6. Conclusion
In any multi-hop IP network, routing places an upper bound on the security of the entire
network. If the security in the routing protocol is nonexistent, the network can have no
security against denial-of-service attacks that can disable the entire network. Other
serious threats resulting from routing protocols is the disclosure of some information
about the network structure and the movement of the nodes within the network.
Even though current ad hoc routing protocols are completely insecure, their use is not
completely excluded in environments such as home networks where security is usually
not an absolute necessity. However, in environments such as law enforcement or the
military, new protocols with strong security against, for example, location disclosure and
active attacks are needed.
Currently, ad hoc routing protocols are vulnerable to several kinds of attacks. Unless
protection against routing attacks can be provided by the applications that are used in the
network, current routing protocols should not be used in areas of applications where the
threats of denial-of-service attacks, forged routes, or location disclosure are of any
significant importance.
References:
1. Huaizhi Li, Zhe nliu Chen and Xiangyang Qin. Secure Routing in Wired Networks
and Wireless Ad Hoc Networks. http://cs.engr.uky.edu/~singhal/termpapers/routing.pdf.
2. Elizabeth M. Royer and C.-K. Toh. A Review of Current Routing Protocols for
Ad Hoc Mobile Wireless Networks. IEEE Personal Communications Magazine,
April 1999, pp. 46-55.
9. Frank Stajano and Ross Anderson. The Resurrecting Duckling: Security Issues for
Ad hoc Wireless Networks. In Security Protocols, 7th International Workshop
Proceedings, Lecture Notes in Computer Science, 1999.
10. N. Ahuja, and A. Menon. Security in Mobile Networks (Infrastructure and Adhoc). http://www.cise.ufl.edu/~nahuja/security/wirelesssec.htm
11. P. Papadimitratos and Z. J. Haas. Secure routing for mobile ad hoc networks. In
Proceedings of SCS Communication Networks and Distributed Systems Modeling
13. Y. Zhang and W. Lee. Intrusion detection in wireless ad- hoc networks. In
Proceedings of the 6th ACM International Conference on Mobile Computing and
Networking (MobiCom), August 2000.
14. http://www.cs.utexas.edu/users/ypraveen/courses/compsec/compsec- litsurvey.ppt