
Dissertation Phase-II

Neighbor Defense Technique to Mitigate Flood Attack in MANETs


Guided by: Dr. Savita Gandhi & Mr. Nirbhay Chaubey
Prepared by: Naren Tada & Srushti Trivedi
At: Department of Computer Science, Rollwala Computer Centre, Gujarat University, Ahmedabad-380009

3/31/12

Overview

Introduction to MANETs
Fundamental working of AODV
Types of possible attacks in AODV
About Flood attack
Motivation to prevent Flood attack
Algorithm for Neighbor Defense Technique to Mitigate Flood Attack (NDT)
Flow chart for NDT
Current working status
Future work

Characteristics and Challenges of MANETs

Characteristics
  Operating without a central coordinator
  Multi-hop radio relaying
  Frequent link breakage due to mobile nodes
  Constrained resources (bandwidth, computing power)
  Instant deployment

Challenges of MANETs
  Routing
  Security and Reliability
  Quality of Service (QoS)
  Inter-networking
  Power Consumption
  Location-aided Routing

MANETs Routing Protocols

Reactive Protocols (AODV, DSR, TORA)
  Finds a route on demand
  Flooding the network with Route Request packets

Proactive Protocols (DSDV, OLSR)
  Maintains fresh lists of destinations and their routes
  Periodically distribute routing tables

Hybrid Protocols (ZRP)
  Combines the advantages of proactive and of reactive routing
  Initially established with some proactively prospected routes
  Then serves the demand from additionally activated nodes through reactive flooding

Fundamental working of AODV

Reactive / on demand

Two main processes:
1. Route Discovery
2. Route Maintenance

Merits & Demerits of AODV

Merits
  Does not need any central administrative system
  Reduces the control traffic message overhead
  Reacts relatively fast to topological changes
  Saves storage space as well as energy

Demerits
  Can gather only a very limited amount of routing information
  A long path is more vulnerable to link breakages and requires high control overhead
  Has no security measures built in
  Vulnerable to various kinds of attacks
  Two main types of uncooperative nodes: malicious and selfish

Types of possible attacks in AODV

Different ways for a malicious node to attack
  Sending fake messages several times
  Fake routing information
  Advertising fake links to disrupt routing operations

Attacks
  Blackhole attack
  Flooding attack
  Link spoofing attack
  Wormhole attack
  Colluding misrelay attack

Source: A Review of Current Routing Attacks in Mobile Ad Hoc Networks - Rashid Hafeez Khokhar, Md Asri Ngadi and Satria Mandala

About Flood Attack


Literature Work

A New Routing Attack in Mobile Ad Hoc Networks -- Ping Yi, Zhoulin Dai, Shiyong Zhang, Yiping Zhong from Department of Computing and Information Technology, Fudan University, Shanghai, China

  The attacker selects many IP addresses which are not in the networks
  No node can answer RREP packets for these RREQ
  The attacker successively originates mass RREQ messages for these void IP addresses
  The attacker will resend the RREQ packets without waiting for the RREP or round-trip time

Performance Analysis of Flooding Attack Prevention Algorithm in MANETs -- Revathi Venkataraman, M. Pushpalatha, and T. Rama Rao

  All the nodes in an ad hoc network are categorized as friends, acquaintances or strangers
  A trust estimator -- a function of various parameters
  Friends (most trusted), acquaintances (trusted) and strangers (not trusted)
  Xrs, Xra, Xrf be the RREQ flooding threshold for a stranger, acquaintance and friend node respectively, Xrf > Xra > Xrs
  Yrs, Yra, Yrf be the DATA flooding threshold for a stranger, acquaintance and friend node respectively, then Yrf > Yra > Yrs

Flood attack and its consequences

The attackers are node-1 and node-8.
They flood RREQ messages at a particular time interval.
Their neighbor nodes don't know the route to that destination, so they rebroadcast the RREQ.
The attacker constantly injects false RREQ packets into the network.
Through this false generation, the attacker can introduce a new DoS attack that exhausts the communication bandwidth and node resources so that valid communication cannot be kept.

Motivation to prevent Flood Attack

AODV is very conservative about sending RREQ packets into the network.
After sending a request packet there is some waiting time for the RREP to come - RREP_WAIT_TIME = 1 second.
There is RREQ_RETRIES = 3 for network-wide search - after exceeding this value, MAX_RREQ_TIMEOUT = 10 sec.
A malicious node will misuse all these properties and flood its own fake requests into the network.
If the attacker is out of control it will flood the entire network and degrade the performance of MANETs to a very high extent.
The only very reliable method is for the neighbor not to rebroadcast this fake RREQ.

Algorithm for Neighbor Defense Technique to Mitigate Flood Attack (NDT)


Two lists are maintained in every node that is a neighbor of the requester: the Broody list and the RREQ_count table.

1. The Broody list keeps the record of malicious nodes which flood requests. A Flood Timer is used by the attackers to generate the dummy packets.

   Malicious node 1 id
   Malicious node 2 id
   Malicious node 3 id

2. The RREQ_count table keeps track of the number of requests that come from each neighbor in a particular interval.

   RREQ_ID          RREQentry   TimeStamp
   Requester1 Id    5           0.34566
   Requester2 Id    1           0.55346

Timers used in simulation

FloodTimer

Used by the malicious node to inject fake Request packets into the MANET; the flood timer continuously sends the request, with value 0.009 sec.

CacheTimer

Used to check the Request table entries for their expiry time, and the request count to see whether it exceeds the peak or not, with value 0.002

The Algorithm:

    if (CacheTimer out) then
        Erase RREQ_Count table entries
    if (RREQester is in broodyList) then
        Drop the packet
    if ((RREQester is neighbor) && (there is no entry in RREQ_Count table)) then
        Add the RREQentry for this RREQ in RREQ_Count table
    if (RREQentry > PeakValue) then
        Put the RREQester in broodyList

Flow chart for NDT (while adding an entry in the table for a received packet)

In Receive Request process:
  Is the requester in the BroodyList (malicious node entries)?
    Yes: Drop this packet and stop processing the packet
    No:  Is the requester an immediate neighbor?
      No:  Do the rest of the receive request process
      Yes: Is the requester in the RREQ_count table?
        Yes: Increment the requester's entry in the RREQ_count list
        No:  Add the entry of the requester in the RREQ_count list and increment the count value of request
      End of adding request entry

Flow chart for NDT (while flushing an entry in the RREQ_count table)

Start
In waiting state for an event to trigger
  Has the Cache Timer timed out?
    Yes: Check the expiry time of the entry in the request count table
      Expired (Yes): Flush the entry of the request count table
      Not expired (No): Does the entry exceed the peakValue?
        Yes: Put the requester in the BroodyList
Proceed further
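The receive and flush logic above, written out as an added C++ example (not the authors' aodv.cc changes) and driven with the peak value 7, cache interval 0.002 sec, entry expiry CURRENT_TIME + 0.05 and flood interval 0.009 sec from the simulation setup. The class and function names are hypothetical, and two points the slides leave open are assumed: the expiry is refreshed on every counted RREQ, and the peak check runs on receive.

```cpp
#include <cstdio>
#include <map>
#include <set>

// Added sketch of NDT as the slides describe it; not the authors' aodv.cc code.
// Times are integer milliseconds so the timers stay exact.
struct RreqEntry { int count = 0; long expiry = 0; };

class NdtNode {
public:
    NdtNode(int peak, long ttlMs) : peak_(peak), ttl_(ttlMs) {}
    // Receive-request path: true means "continue normal RREQ processing".
    bool onRreq(int requester, bool isNeighbor, long now) {
        if (broody_.count(requester)) return false;   // in BroodyList: drop
        if (!isNeighbor) return true;                 // only direct neighbors are counted
        RreqEntry &e = table_[requester];             // adds the entry on first sight
        e.count++;
        e.expiry = now + ttl_;                        // assumption: refreshed per RREQ
        if (e.count <= peak_) return true;
        broody_.insert(requester);                    // RREQentry > peak value
        table_.erase(requester);
        return false;
    }
    // CacheTimer handler: flush RREQ_count entries whose expiry has passed.
    void onCacheTimer(long now) {
        for (auto it = table_.begin(); it != table_.end();)
            it = (it->second.expiry <= now) ? table_.erase(it) : ++it;
    }
    bool isBroody(int id) const { return broody_.count(id) != 0; }
private:
    int peak_; long ttl_;
    std::map<int, RreqEntry> table_;
    std::set<int> broody_;
};

// One neighbor originates an RREQ every intervalMs; returns how many were accepted.
int simulate(NdtNode &node, int id, int intervalMs, int durationMs) {
    int accepted = 0;
    for (int t = 0; t <= durationMs; ++t) {
        if (t % 2 == 0) node.onCacheTimer(t);         // Cache Interval 0.002 sec
        if (t % intervalMs == 0 && node.onRreq(id, true, t)) ++accepted;
    }
    return accepted;
}

int main() {
    NdtNode n(7, 50);                                 // Peak Value 7, expiry now + 0.05 s
    int flood = simulate(n, 1, 9, 1000), normal = simulate(n, 2, 1000, 3000);
    std::printf("flooder %d/%d normal %d/%d\n", flood, n.isBroody(1), normal, n.isBroody(2));
}
```

With these values the flooding neighbor is cut off after 7 accepted requests, while a node that waits RREP_WAIT_TIME between requests is never listed. A requester whose interval is longer than the entry expiry is never counted past 1, which is the limitation listed under the disadvantages of NDT.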

Prerequisite for NDT & Current working status


Prerequisite for NDT
1. As the detection is done only by the immediate neighbor of the attacker, it is not possible without enabling the HELLO packets of nodes.
2. Peak_value, Cache interval and Flood interval should be synchronized with each other according to the nature of MANETs and the application.

Current working status
1. Implemented flood attack
2. Tested the proposed algorithm (NDT) for small network
3. 4 nodes with 1 node as malicious node (.tcl)
4. 25 nodes with 1 malicious node and 3 malicious nodes (.tcl)
5. Readings taken with attack and without attack (.awk and .sh)

Simulation Setup
No.  Parameter                  Value
1    Simulator                  NS-2.33
2    Simulation Area            1000m X 1000m
3    MAC Protocol               IEEE 802.11
4    Mobile Nodes               25
5    Antenna Type               Omni antenna
6    Propagation Model          Two Ray Ground
7    Number of Connections      5
8    Packet Size                512 byte
9    Routing Protocols          AODV
10   Data Traffic               CBR (UDP)
11   Simulation Time            100 Sec
12   Number of Malicious Node   1,3
13   Pausetime                  0,5,10,15,20 ms
14   Flood Interval             0.009 sec
15   Cache Interval             0.002 sec
16   Peak Value                 7 (no of request)
17   Entry Expiry time          CURRENT_TIME + 0.05

Simulation Setup - 25 nodes with 1 malicious node and 5 connections

10 different scenarios with pause time 0, 5, 10, 15 and 20 ms

[Graphs: Result_with1_5_25.xls]

Simulation Setup - 25 nodes with 3 malicious nodes and 5 connections

10 different scenarios with pause time 0, 5, 10, 15 and 20 ms

[Graphs: Result_with3_5_25.xls]

Simple AODV and NDT without attack


[Graphs: Result_without_5_25.xls]

Further Improvements
In order to give complete isolation, the Broody list should be broadcast by the defense node as early as possible (raising alarm technique).
Packets should be queued for some time in order to prevent early flow by the attacker (before detection, with an early flow detection method).
QoS (quality of service)

Future work
Still need to simulate NDT for a larger number of nodes and different numbers of malicious nodes
Will add RREP and RERR flooding attack
Will prevent RREP and RERR flooding

Conclusion derived from graphs

Without attack and with low mobility, NDT and plain AODV work similarly.
Performance improved in all parameters in NDT with attack.
A drastic change in the graph can be seen due to flow leak in NDT because of overhead.

Advantage of NDT
1. The attack is defended by the immediate neighbour of the attacker.
2. The list and cache are maintained only by the neighbour of the attacker and only for some periodic time; after the cache timer runs out, the record will be flushed.
3. The node will not be isolated completely from the network after detection; perhaps it will still be part of the network and can do some network cooperation further.
4. No impersonation can be made, as the node maintains the list of malicious nodes with the help of its neighbour list.

Disadvantage of NDT
1. According to the Peak_value maintained by each neighbour, a sloppy attack can still be possible if the attacker has chosen a flooding interval that is a little bit large but effective.
2. As MANETs are very dynamic in nature, the topology can still vary and the neighbour of the attacker will be

Files changed for proposed algorithm

ns-2.33/aodv/aodv.cc
ns-2.33/aodv/aodv.h
Changed .tcl file
Generated different scenario files for different pause time

References
1. C. Perkins, E. Belding-Royer, S. Das, RFC 3561: Ad hoc On-Demand Distance Vector (AODV) Routing, University of Cincinnati, July 2003
2. Rashid Hafeez Khokhar, Md Asri Ngadi and Satria Mandala, A Review of Current Routing Attacks in Mobile Ad Hoc Networks, International Journal of Computer Science and Security, volume (2) issue (3)
3. Ping Yi, Zhoulin Dai, Shiyong Zhang, Yiping Zhong, A New Routing Attack in Mobile Ad Hoc Networks, Department of Computing and Information Technology, Fudan University, Shanghai, China, International Journal of Information Technology Vol. 11 No. 2
4. Revathi Venkataraman, M. Pushpalatha, and T. Rama Rao, Performance Analysis of Flooding Attack Prevention Algorithm in MANETs, World Academy of Science, Engineering and Technology, 56, 2009
5. http://elmurod.net/?p=196 Adding Malicious Node to

Thank you ! Questions??
