While a wireless network is more versatile than a wired one, it is also more vulnerable to attacks. This is due to the very nature of radio transmissions, which are made on the air.
On a wired network, an intruder would need to break into a machine of the network or to physically wiretap a cable. On a wireless network, an adversary is able to eavesdrop on all messages within the emission area, by operating in promiscuous mode and using a packet sniffer (and possibly a directional antenna). There is a wide range of tools available to detect, monitor and penetrate an IEEE 802.11 network, such as NetStumbler, AiroPeek, Kismet, AirSnort, and Ethereal. Hence, by simply being within radio range, the intruder has access to the network and can easily intercept transmitted data without the sender even knowing (for instance, imagine a laptop computer in a vehicle parked on the street eavesdropping on the communications inside a nearby building). As the intruder is potentially invisible, it can also record, alter, and then retransmit packets as they are emitted by the sender, even pretending that packets come from a legitimate party.
Furthermore, due to the limitations of the medium, communications can easily be perturbed; the intruder can perform this attack by keeping the medium busy sending its own messages, or just by jamming communications with noise.
We now focus on attacks against the routing protocol in ad hoc networks. These attacks may have the aim of modifying the routing protocol so that traffic flows through a specific node controlled by the attacker. An attack may also aim at impeding the formation of the network, making legitimate nodes store incorrect routes, and more generally at perturbing the network topology.
Attacks at the routing level can be classified into two main categories: incorrect traffic generation and incorrect traffic relaying. Sometimes these coincide with node misbehaviors that are not due to malice, e.g. node malfunction, battery exhaustion, or radio interference.
The first category, incorrect traffic generation, includes attacks that consist of sending false control messages, i.e. control messages sent on behalf of another node (identity spoofing), or control messages which contain incorrect or outdated routing information. The network may exhibit Byzantine [94] behavior, i.e. conflicting information in different parts of the network. The consequences of this attack are degradation in network communications, unreachable nodes, and possible routing loops.
As an instance of incorrect traffic generation in a distance vector routing protocol, an attacker node can advertise a zero metric for all destinations, which will cause all the nodes around it to route packets toward the attacker node. Then, by dropping these packets (blackhole attack, see Section 3.1.2), the attacker causes a large part of the communications exchanged in the network to be lost. In a link state protocol, the attacker can falsely declare that it has links with distant nodes. This causes incorrect routes to be stored in the routing table of legitimate nodes, also known as cache poisoning.
The attacker can also try to perform Denial of Service on the network layer by
saturating the medium with a storm of broadcast messages (message bombing),
reducing nodes’ goodput and possibly impeding nodes from communicating. (This
is not possible under hybrid routing protocols, where nodes cannot issue
broadcast communications [154].) The attacker can even send invalid messages
just to keep nodes busy, wasting their CPU cycles and draining their battery
power. In this case the attack is not aimed at modifying the network topology in
a certain fashion, but rather at generally perturbing the network functions and
communications.
On the transport layer, Kuzmanovic and Knightly [92] demonstrate the
effectiveness of a low-rate DoS attack performed by sending short bursts repeated
with a slow timescale frequency (shrew attack). In the case of severe network
congestion, TCP operates on timescales of Retransmission Time Out (RTO).
The throughput (composed of legitimate traffic as well as DoS traffic)
triggers the TCP congestion control protocol, so the TCP flow enters a
timeout and awaits an RTO slot before trying to send another packet. If
the attack period is chosen to approximate the RTO of the TCP flow,
the flow repeatedly tries to exit timeout state and fails, producing zero
throughput. If the attack period is chosen to be slightly greater than the
RTO, the throughput is severely reduced. This attack is effective because
the sending rate of DoS traffic is too low to be detected by anti-DoS
countermeasures.
Another DoS performed on the transport layer is the subtle jellyfish attack by Aad et al. [1], which deserves particular attention. Its authors point out that, remarkably, it does not disobey the rules of the routing protocol, even if we may argue that, strictly speaking, this is not always the case. But it is indeed true that the jellyfish attack is difficult to distinguish from congestion and packet losses that occur naturally in a network, and is therefore hard and resource-consuming to detect.
This DoS attack can be carried out by employing several mechanisms. One of the mechanisms of the jellyfish attack consists in a node delivering all received packets, but in scrambled order instead of the canonical FIFO order. Duplicate ACKs derive from this malicious behavior, which produces zero goodput although all sent packets are received. This attack cannot be successfully opposed by the current TCP packet reordering techniques, because such techniques are effective on sporadic and non-systematic reordering.
The second mechanism is the same as that used in the shrew attack, and involves performing a selective blackhole attack by dropping all packets for a very short duration at every RTO. The flow enters timeout at the first packet loss caused by the jellyfish attack, then periodically re-enters the timeout state at every elapsed RTO.
The third mechanism consists in holding a received packet for a random time
before processing it, increasing delay variance. This causes TCP traffic to be
sent in bursts, therefore increasing the odds of collisions and losses; it
increases the RTO value excessively; and it causes an incorrect estimation of
the available bandwidth in congestion control protocols based on packet
delays.
DoS attacks can also be carried out on the physical layer (e.g. jamming or radio interference); in this case, they can be dealt with by using physical techniques, e.g. spread spectrum modulation [126].
In sum, Denial of Service can be accomplished over different layers and in several ways, and is quite difficult to counteract, even on a wired medium. The topics regarding a full protection against DoS attacks are beyond the scope of this thesis, and therefore are not discussed in detail.
Network communications coming from legitimate, protocol-compliant nodes may be polluted by misbehaving nodes.
An attacker can drop received routing messages, instead of relaying them as the protocol requires, in order to reduce the quantity of routing information available to the other nodes. This is called a blackhole attack by Hu et al. [66], and is a “passive” and simple way to perform a Denial of Service. The attack can be done selectively (drop routing packets for a specified destination, a packet every n packets, a packet every t seconds, or a randomly selected portion of the packets) or in bulk (drop all packets), and may have the effect of making the destination node unreachable or degrading communications in the network.
An attacker can also modify the messages originating from other nodes before relaying them, if a mechanism for message integrity (i.e. a digest of the payload) is not utilized.
As topology changes, old control messages, though valid in the past, describe a topology configuration that no longer exists. An attacker can perform a replay attack by recording old valid control messages and re-sending them, to make other nodes update their routing tables with stale routes. This attack is successful even if control messages bear a digest or a digital signature that does not include a timestamp.
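The difference between a digest that omits the timestamp and one that covers it can be shown with a small receiver-side check. This is an added example, not code from the original text; the message layout, the shared key, the 5-second freshness window, and loosely synchronized clocks are all assumptions of the sketch.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared key, illustration only
MAX_AGE = 5.0                  # assumed freshness window, in seconds

def mac_over(*fields):
    # Length-prefix every field so field boundaries cannot be shifted.
    data = b"".join(struct.pack("!H", len(f)) + f for f in fields)
    return hmac.new(KEY, data, hashlib.sha256).digest()

def make_msg(originator, neighbors, now):
    """Build a constructed control message carrying both kinds of digest."""
    body = (originator + "|" + ",".join(sorted(neighbors))).encode()
    ts = struct.pack("!d", now)
    return {"body": body, "ts": ts,
            "mac_body": mac_over(body),         # digest without timestamp
            "mac_body_ts": mac_over(body, ts)}  # digest covering the timestamp

def accept_without_timestamp(msg, now):
    # Integrity only: a recorded message keeps verifying indefinitely.
    return hmac.compare_digest(msg["mac_body"], mac_over(msg["body"]))

def accept_with_timestamp(msg, now):
    # Integrity first, then freshness of the authenticated timestamp.
    expected = mac_over(msg["body"], msg["ts"])
    if not hmac.compare_digest(msg["mac_body_ts"], expected):
        return False
    (sent,) = struct.unpack("!d", msg["ts"])
    return abs(now - sent) <= MAX_AGE
```

A message recorded at one time and presented much later passes the first check and fails the second; rewriting the timestamp field fails the second check as well, because the digest no longer matches.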
The wormhole attack [67] is quite severe, and consists in recording traffic from one region of the network and replaying it in a different region. It is carried out by an intruder node X located within transmission range of legitimate nodes A and B, where A and B are not themselves within transmission range of each other. Intruder node X merely tunnels control traffic between A and B (and vice versa), without the modification presumed by the routing protocol – e.g. without stating its address as the source in the packet header – so that X is virtually invisible. This results in an extraneous, nonexistent A - B link which in fact is controlled by X, as shown in Figure 3.4. Node X can afterwards drop tunneled packets or break this link at will. Two intruder nodes X and X′, connected by a wireless or wired private medium, can also collude to create a longer (and more harmful) wormhole, as shown in Figure 3.5.
The severity of the wormhole attack comes from the fact that it is difficult to detect, and is effective even in a network where confidentiality, integrity, authentication, and non-repudiation (via encryption, digesting, and digital signature) are preserved. Furthermore, on a distance vector routing protocol, wormholes are very likely to be chosen as routes because they provide a shorter path – albeit compromised – to the destination. Marshall [103] points out a similar attack, called the invisible node attack by Carter and Yasinsac [24], against the Secure Routing Protocol [116].
An offensive that can be carried out against on-demand routing protocols is the rushing attack [68]. Typically, on-demand routing protocols state that nodes must forward only the first received Route Request from each route discovery; all further received Route Requests are ignored. This is done in order to reduce cluttering. The attack consists, for the adversary, in quickly forwarding its Route Request messages when a route discovery is initiated. If the Route Requests that first reach the target’s neighbors are those of the attacker, then any discovered route includes the attacker.
We now discuss various security risks in OLSR [3, 30]. The aim is not to emphasize flaws in OLSR, as it did not include security measures in its design, like several other routing protocols. While these vulnerabilities are specific to OLSR, they can be seen as instances of what other link state routing protocols, such as OSPF, are subject to.
This section illustrates the principal hazards. More ingenious attacks may be carried out against almost any operating function of the protocol.
It is worth noting that a node can force its election as an MPR by setting the Willingness field to the WILL_ALWAYS constant in its HELLOs. According to the protocol, its neighbors will always select it as an MPR. Using this mechanism, a compromised node can easily gain, as an MPR, a privileged position inside the network. It can then exploit its importance to carry out DoS attacks and the like.
Note also that an attacker performing identity spoofing or message replay needs to change the Message Sequence Number field of the spoofed or replayed message. Otherwise, nodes that already have received a message with the same originator and MSN (according to their Duplicate Set) will drop the malicious message. Furthermore, accepting the malicious message causes message loss when a legitimate message having the same originator and MSN is received by the victim nodes, and dropped according to the protocol.
One way in which a node can misbehave is by generating control messages in a way that is not according to the protocol.
A misbehaving node X may send HELLO messages with a spoofed originator address set to that of node C (Figure 3.1). Subsequently, nodes A and B may announce reachability to C through their HELLO and TC messages. Furthermore, node X chooses MPRs from among its neighbors, signaling this selection while pretending to have the identity of node C. Therefore, the chosen MPRs will advertise in their TC messages that they provide a last hop to C. Conflicting routes to node C, with possible connectivity loss, may result from this.
Under identity spoofing, another kind of attack is also possible. A misbehaving node X can set the Willingness field to WILL_NEVER on its HELLO messages sent on behalf of A. According to the protocol, nodes receiving these messages will never choose A as an MPR, which may result in a connectivity loss for some neighbors of A.
We call link spoofing the signalization of an incorrect set of neighbors in a control message, and more precisely the signalization of neighbor relationship with non-neighbor nodes. A misbehaving node X may perform link spoofing in its HELLO messages advertising a link with non-neighbor node A, as in Figure 3.2. This will result in C, and the other neighbors of X, storing an incorrect 2-hop neighborhood and therefore selecting a wrong MPR set. In fact, node C will probably select {X,D} as its MPR set, instead of the correct MPR set {X,B,D}, because the first set is smaller. As a consequence, messages originating from E and relayed through the MPR mechanism will not reach node A.
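The effect on node C's MPR computation can be reproduced with a simplified greedy MPR selection. This is an added example, not code from the original text: Figure 3.2 is not reproduced here, so the topology below (including the extra node F that only X reaches) is an assumed one chosen to match the MPR sets named above, and Willingness is ignored.

```python
def select_mprs(me, one_hop, hello_links):
    """Simplified greedy MPR selection (Willingness ignored in this sketch).
    hello_links maps each neighbor to the links it advertises in its HELLOs."""
    one_hop = set(one_hop)
    two_hop = set().union(*(hello_links[n] for n in one_hop)) - one_hop - {me}
    cover = {n: hello_links[n] & two_hop for n in one_hop}
    mprs = set()
    # Step 1: a neighbor that is the only path to a 2-hop node is mandatory.
    for target in two_hop:
        providers = [n for n in one_hop if target in cover[n]]
        if len(providers) == 1:
            mprs.add(providers[0])
    covered = set().union(*(cover[n] for n in mprs))
    # Step 2: add the neighbor covering the most still-uncovered 2-hop nodes.
    while covered != two_hop:
        best = max(sorted(one_hop - mprs),
                   key=lambda n: len(cover[n] - covered))
        mprs.add(best)
        covered |= cover[best]
    return mprs

def relayed_to(target, mprs, real_links):
    """True if at least one selected MPR has a real radio link to target."""
    return any(target in real_links[m] for m in mprs)

# Assumed topology: C's neighbors are X, B and D; F is a hypothetical node.
REAL = {"X": {"C", "F"}, "B": {"C", "A"}, "D": {"C", "E"}}
# What C hears when X also advertises the non-existent link X - A.
SPOOFED = dict(REAL, X=REAL["X"] | {"A"})

def compare():
    honest = select_mprs("C", REAL, REAL)
    attacked = select_mprs("C", SPOOFED, SPOOFED)
    return (honest, relayed_to("A", honest, REAL),
            attacked, relayed_to("A", attacked, REAL))
```

With the spoofed HELLO, B is no longer the sole provider of A in C's view, so it drops out of the MPR set and no remaining MPR has a real link to A.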
Node X can also misbehave by signaling an incomplete set of neighbors. Depending on their links with other nodes, the ignored neighbors might experience breakdown in connectivity with the rest of the network.
TC messages with a spoofed originator address cause incorrect neighbor relationship to be advertised in the network. For instance, node X sends a TC message on behalf of node C, advertising A as a neighbor (Figure 3.3). Node D, upon reception of the TC message, will falsely conclude that C and A are neighbors. For this attack to be successful, the TC message must bear an ANSN (Advertised Neighbor Sequence Number) greater than the highest ANSN value referenced to C, as contained in any tuple of D’s Topology Set; otherwise D will discard the TC message, according to the protocol.
TC messages with spoofed links have the same effect, and can severely perturb the network topology as stored by legitimate nodes.
Node X can also simply generate HELLOs, perhaps be selected as an MPR by its neighbors, but refuse to generate TC messages or generate TCs signaling an incomplete set of nodes. The OLSR specifications require that X includes at least its MPR selectors in its TCs; if this requirement is not fulfilled, some nodes may not have their link state information disseminated throughout the network and be disconnected.
Node X, behaving incorrectly, can also send TC messages without being an MPR. The protocol specifications state that only MPRs generate TCs; however, there is no way of detecting whether the originator of a TC message is an MPR of some node or not.
A misbehaving node X can generate wrong MID/HNA messages, declaring interfaces that are not its own (link spoofing), or falsifying the originator address of the message (identity spoofing) so that it apparently declares interfaces that are not its own. In this case, nodes will have problems reaching these interfaces.
The misbehaving node may listen to a TC message from node A and record the ANSN of the message; then it sends a TC with a spoofed originator address of node A, and an ANSN much greater than the value recorded. According to the protocol specifications, nodes will ignore further TC messages from A, because these messages bear a smaller ANSN than that recorded in the Topology Set, and therefore such messages are considered to have arrived out of order. We call this an ANSN attack. If no further action is taken by the attacker, the ANSN attack is effective until the ANSN of node A reaches the value of the ANSN in the spoofed TC.
This attack can be spotted as the spoofed TC bears an ANSN which is much higher than that of the latest genuine TC message received from A (the higher the difference between the two ANSNs, the longer TCs from A are ignored). However, the misbehaving node may perform this attack repeatedly, by forging each time spoofed TC messages with a slightly greater ANSN.
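A monitor on the receiving node can implement the check described above and add a second signal for the small-step variant. This is an added example, not code from the original text: the thresholds, the window size and both traces are constructed, and the "stale" alert (several TCs from one originator discarded as out of order within a short window) is a heuristic that goes beyond what the text describes.

```python
from collections import deque

MAXVALUE = 0xFFFF     # ANSN is a 16-bit sequence number
JUMP_THRESHOLD = 16   # assumed: largest ANSN step treated as normal
WINDOW = 8            # assumed: number of recent TCs examined per originator
STALE_LIMIT = 3       # assumed: discards within the window that raise an alert

def seq_newer(s1, s2):
    """True if s1 is more recent than s2, allowing for 16-bit wraparound."""
    return ((s1 > s2 and s1 - s2 <= MAXVALUE // 2) or
            (s2 > s1 and s2 - s1 > MAXVALUE // 2))

class AnsnMonitor:
    def __init__(self):
        self.last = {}      # originator -> ANSN recorded in the Topology Set
        self.recent = {}    # originator -> deque of 1 (discarded) / 0 (accepted)
        self.alerts = []    # (kind, originator, ansn)

    def process_tc(self, originator, ansn):
        window = self.recent.setdefault(originator, deque(maxlen=WINDOW))
        last = self.last.get(originator)
        if last is not None and seq_newer(last, ansn):
            # Protocol rule: a TC older than the recorded ANSN is dropped.
            window.append(1)
            if sum(window) == STALE_LIMIT:
                self.alerts.append(("stale", originator, ansn))
            return "discarded"
        if last is not None and ((ansn - last) & MAXVALUE) > JUMP_THRESHOLD:
            self.alerts.append(("jump", originator, ansn))
        window.append(0)
        self.last[originator] = ansn
        return "accepted"

def run(trace):
    mon = AnsnMonitor()
    return [mon.process_tc(o, a) for o, a in trace], mon.alerts

# Constructed traces of (claimed originator, ANSN) as seen by one receiver.
BIG_JUMP = [("A", 10), ("A", 11), ("A", 5000), ("A", 12), ("A", 13), ("A", 14)]
SMALL_STEPS = [("A", 10), ("A", 12), ("A", 11), ("A", 14), ("A", 12), ("A", 13)]
```

The monitor cannot tell which TC is genuine; it only reports that the ANSN stream attributed to one originator is inconsistent, which is the point at which an operator or a higher-level mechanism has to decide.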
If control messages are not properly relayed, network malfunctions are possible.
If a node fails to relay TC messages, the network may experience connectivity problems. In networks where no redundancy exists (e.g. in a strip), connectivity loss will surely result, while other topologies may provide redundant connectivity.
If MID and HNA messages are not properly resent, additional information regarding nodes' multiple interfaces and connections with external networks may be lost.
As previously said, replaying old control messages in the network causes nodes to record stale topology information. A control message cannot be replayed “as is” or it will not be accepted by nodes that already received it, because of the MSN. Therefore the attacker needs to increase the MSN of the message, causing possible message loss. For a TC, the attacker must increase the ANSN too, indirectly causing an ANSN attack. Replayed HELLOs may have a lesser impact, because link state advertised in HELLOs must be given in a well-defined order (see Section 9.1).
An extraneous A - B link can be artificially created by an intruder node X by wormholing control messages between A and B (Figure 3.4). A longer wormhole can also be created by two colluding intruders X and X′ (Figure 3.5).
To successfully exploit the wormhole, the attacker must wait until A and B have exchanged sufficient HELLO messages (through the wormhole) to establish a symmetric link. Until that moment, other tunneled control messages would be rejected, because the OLSR protocol specifies that TC/MID/HNA messages should not be processed if the relayer node (the last hop) is not a symmetric neighbor. However, once created, the A - B link is at the mercy of the attacker.
The “first transmit rule”, described in the OLSR specifications, states that a node receiving a message in MPR flooding checks if the sender is its MPR selector. If so, the node retransmits the message. If the sender is not an MPR selector of the node, the latter will never retransmit the message. While this rule is established for performance reasons (to avoid messages traveling on large loops in dense networks) it could be exploited to impede the correct relaying of control messages.
We call the related misbehavior an MPR attack. Consider the following scenario (Figure 3.6): node A sends a message to its neighbors B and X, where B is an MPR of A, X is not an MPR, and C is an MPR of B. The misbehaving node X does not select its MPR set properly, and retransmits the message (even if it is not supposed to) which is received by C. Node B retransmits the message to C. The crucial point is that C, even being an MPR, will not relay the message because C has already received it from X.
All the depicted attacks are possible at a theoretical level; most of them are very easy to implement and require even less energy and effort than running a protocol-compliant node. Table 3.1 summarizes the effect of each attack on each particular function of an OLSR network.
Concerning the realism of these attacks (real attacks that have been observed against existing networks), there is no or very little data available. This is probably due to the fact that ad hoc networks are in practice still used in limited environments such as warfare operations, search and rescue missions, and research centers; while the mainstream architecture for a wireless network is BSS, with “hot spots” offered by various ISPs in airports, train stations, museums, restaurants, and other public places.
It is indeed true that some offensive behavior (e.g. DoS) can also successfully be carried out at the physical or transport layer. However, in our opinion, it is necessary to foresee these routing attacks, otherwise when these attacks are carried out (and certainly they will be) we will be unable to recognize them as such.