Vulnerability of Wireless Routing Protocols by ayb93601

VIEWS: 0 PAGES: 19

									          Vulnerability of Wireless Routing Protocols

                                       Qifeng Lu

                                  Dec 15, 2002
                      University of Massachusetts Amherst


Abstract
The existing wireless routing protocols do not accommodate any security and are highly

vulnerable to attacks. This paper discusses the weakness of those protocols, and threats

and attacks against wireless routing. I also look at some suggested solutions that could be

used when secure protocols are designed. The current protocols should not be used in

hostile environments unless the applications are especially designed to operate under

insecure routing or until protocols with enhanced security are introduced.




1. Introduction

Wireless networks consist of a number of nodes which communicate with each other over

a wireless channel. Typically there are three kinds of wireless networks: cellular

networks, satellite networks and ad hoc mobile networks. Cellular networks have a wired

backbone with only the last hop being wireless. Satellite networks are composed of track-

predetermined mobile satellites with the last wireless hop. As the futural position of a

satellite can be predicted, it is similar to a fixed base station. An ad hoc mobile network is

a collection of mobile nodes that are dynamically and arbitrarily located in such a manner

that the interconnections between nodes are capable of changing on a continual basis.
Due to the dynamic topology and no support of infrastructure, the ad hoc mobile network

is the most vulnerable in wireless networks.



Routing is the heart of network infrastructure. It controls and manages the "flow" of

messages in the network [1]. To set up connection and maintain updated network

topology, routers keep exchanging messages about link state, cost and metric. The main

goal of a routing protocol for a wireless network is correct and efficient route

establishment between a pair of nodes so that messages may be delivered in a timely

manner.



This project is a survey on vulnerability of those wireless routing protocols. What’s the

meaning of vulnerability? Well, in computer security, vulnerability means any weakness

or flaw existing in a system, the susceptibility of a system to a specific threat attack or

harmful event, or the opportunity available to a threat agent to mount that attack.



Basically, the routing protocol sets an upper limit to security in any packet network. If

routing can be misdirected, the entire network can be paralyzed. As the ad hoc mobile

network is the most vulnerable, by exploiting the vulnerability of routing protocols for ad

hoc mobile networks, we can get a whole picture of the vulnerability of routing protocols

for all wireless networks.



Till now, there are three kinds of ad hoc routing protocols: Proactive (DSDV, WRP),

reactive (DSR, AODV) and hybrid (ZRP) [2]. Most of the protocols focus on discovering
the shortest path between two nodes as fast as possible, in other words, the length of the

routes is the only metric used in these protocols. In some cases, however, security could

be the most important metric. For example, in an ad hoc network used by the military,

secure and reliable communication is a necessary prerequisite. Safety-critical business

operations such as oil drilling platforms or mining operations require maximum security

too [3]. The concern on security definitely necessitates the survey on vulnerabilities of

these ad hoc routing protocols.



2. Vulnerability of wireless routing protocols

2.1 Weakness of wireless routing

Wireless networks are particularly vulnerable due to their nature of open medium, lack of

physical protection, and lack of a clear line of defense. Furthermore, ad hoc mobile

networks also have dynamic changing topology, use cooperative algorithms, and lack

centralized monitoring and management point. Thus Operation in an ad hoc network

introduces some new security problems in addition to the ones already present in fixed

networks. Some new vulnerability includes the following [4]:



Easy theft of nodes: Many nodes are expected to be small in size and thus vulnerable to

theft. From a routing perspective this means that a node may easily become compromised.

Thus, a previously well-behaving node can unexpectedly become hostile.



Vulnerability to tampering: This difficulty is related to the problem of easy theft. It must

not be trivial for example to recover private keys from the device. A less stringent version
of tamper proof is tamper evidence where it is only required that a tampered node can be

distinguished from the rest.



Limited computational abilities: Nodes can be devices with limited computing power.

This may exclude techniques such as frequent public key cryptography during normal

operation. However, symmetric cryptography is likely to be feasible in authenticating or

encrypting routing message exchanges.



Battery powered operation: Many devices in an ad hoc network are assumed to be battery

powered. An attacker may attempt a denial-of-service attack by creating additional

transmissions or expensive computations to be carried out by a node in an attempt to

exhaust its batteries.



Transient nature of services and devices: Because an ad hoc network consists of nodes

that may frequently move, the set of nodes that are connected to some particular ad hoc

network frequently changes. This can create problems for example with key management

if cryptography is used in the routing protocol.



2.2 Susceptibility to attacks

2.2.1 Sources of threats

There are two sources of threats to routing protocols. The first comes from external

attackers. By injecting erroneous routing information, replaying old routing information,

or distorting routing information, an attacker could successfully partition a network or
introduce excessive traffic load into the network by causing retransmission and

inefficient routing [5]. The second and more severe kind of threat comes from

compromised nodes, which might advertise incorrect routing information to other nodes.

Detection of such incorrect information is difficult: merely requiring routing information

to be signed by each node would not work, because compromised nodes are able to

generate valid signatures using their private keys.



2.2.2 Attacks

Attacks can be classified based on different criteria. One criterion is that whether

attackers disrupt the operation of a routing protocol or not. According to this criterion,

attacks can be divided into two classes: passive attacks and active attacks. Some attacks

are possible in fixed networks, but the nature of the ad hoc environment magnifies their

effects and makes their detection difficult, others are only available in wireless networks.



2.2.2.1 Passive Attacks

In a passive attack, the attacker does not disrupt the operation of a routing protocol but

only attempts to discover valuable information by listening to the routing traffic. The

major advantage for the attacker in passive attacks is that in a wireless environment the

attack is usually impossible to detect. This also makes defending against such attacks

difficult. Furthermore, routing information can reveal relationships between nodes or

disclose their IP addresses. If a route to a particular node is requested more often than to

other nodes, the attacker might expect that the node is important for the functioning of the

network, and disabling it could bring the entire network down.
Other interesting information that is disclosed by routing data is the location of nodes.

Even when it might not be possible to pinpoint the exact location of a node, one may be

able to discover information about the network topology. It is worth noting that in an IP

network one cannot defend against these attacks for example by only using IPsec. The

packets still have most of their IP headers in plaintext, and it may not even be feasible to

have symmetric keys distributed to every node in a network.



2.2.2.2 Active Attacks



These attacks involve actions performed by adversaries, for instance the replication,

modification and deletion of exchanged data. The goal may be to attract packets destined

to other nodes to the attacker for analysis or just to disable the network. A major

difference in comparison with passive attacks is that an active attack can sometimes be

detected. This makes active attacks a less inviting option for most attackers. Yet, it may

still be a real alternative when large amounts of money is at stake such as in commercial

or military environments.



The following is a list of some types of active attacks that can usually be easily

performed against an ad hoc network.



Black hole : In the black hole attack [6], a malicious node uses the routing protocol to

advertise itself as having the shortest path to the node whose packets it wants to intercept.
In a flooding based protocol such as AODV the attacker listens to requests for routes.

When the attacker receives a request for a route to the target node, the attacker creates a

reply where an extremely short route is advertised. If the malicious reply reaches the

requesting node before the reply from the actual node, a forged route has been created.

Once the malicious device has been able to insert itself between the communicating

nodes, it is able to do anything with the packets passing between them. It can choose to

drop the packets to perform a denial-of-service attack, or alternatively use its place on the

route as the first step in a man-in- the-middle attack.



Wormhole: In the wormhole attack [7], an attacker records packets (or bits) at one

location in the network, tunnels them to another location, and retransmits them there into

the network. The wormhole attack is possible even if the attacker has not compromised

any hosts and even if all communication provides authenticity and confidentiality. The

wormhole attack can form a serious threat in wireless networks, especially against many

ad hoc network routing protocols and location-based wireless security systems. For

example, most existing ad hoc network routing protocols, without some mechanism to

defend against the wormhole attack, would be unable to find routes longer than one or

two hops, severely disrupting communication. The wormhole places the attacker in a very

powerful position, able for example to further exploit any of the attacks mentioned above,

allowing the attacker to gain unauthorized access, disrupt routing, or perform a

permanent denial-of-service attack (DoS) by creating a routing loop.
Rushing attack: This kind of attack [7] is a malicious attack that is targeted against on-

demand routing protocols that use duplicate suppression at each node, like AODV. An

attacker disseminates ROUTE REQUESTs quickly throughout the network, suppressing

any later legitimate ROUTE REQUESTs when nodes drop them due to the duplicate

suppression. Thus the protocol can not set up a route to the desirable destination.



Spoofing : By masquerading as another node, a malicious node can launch many attacks

in a network. This is commonly known as spoofing [8].



Spoofing occurs when a node misrepresents its identity in the network, such as by

altering its MAC or IP address in outgoing packets. Spoofing combined with packet

modification is really a dangerous attack.



Routing table overflow: In a routing table overflow attack the attacker attempts to create

routes to nonexistent nodes [4]. The goal is to create enough routes to prevent new routes

from being created or to overwhelm the protocol implementation.



Proactive routing algorithms attempt to discover routing information even before it is

needed while a reactive algorithm creates a route only once it is needed. This property

appears to make proactive algorithms more vulnerable to table overflow attacks. An

attacker can simply send excessive route advertisements to the routers in a network.

Reactive protocols, on the other hand, do not collect routing data in advance. For

example in AODV, two or more malicious nodes would need to cooperate to create false
data efficiently: The other node requests routes and the other one replies with forged

addresses.



Sleep deprivation: Usually, this attack is practical only in ad hoc networks, where

battery life is a critical parameter. Battery powered devices try to conserve energy by

transmitting only when absolutely necessary. An attacker can attempt to consume

batteries by requesting routes, or by forwarding unnecessary packets to the node using,

for example, a black hole attack [9].



This attack is especially suitable against devices that do not offer any services to the

network or offer services only to those who have some special credentials. Regardless of

the properties of the services, a node must participate in the routing process unless it is

willing to risk becoming unreachable to the network.



Location disclosure : A location disclosure attack can reveal something about the loca-

tions of nodes or the structure of the network. The information gained might reveal which

other nodes are adjacent to the target, or the physical location of a node. The attack can

be as simple as using an equivalent of the traceroute command on UNIX systems.

Routing messages are sent with inadequate hop-limit values and the addresses of the

devices sending the ICMP error messages are recorded. In the end, the attacker knows

which nodes are situated on the route to the target node. If the locations of some of the

intermediary nodes are known, one can gain information about the location of the target

as well [4].
A broad classification of the attacks might be described in the following way:


2.2.2.3 Denial of Service

The denial of service threat either produced by an unintentional failure or malicious

action forms a severe security risk in any distributed system. The consequences of such

attacks, however, depend on the area of application of the ad hoc network. The denial of

service attack has many forms: the classical way is to flood any centralized resource so

that it no longer operates correctly or crashes, but in ad hoc networks this may not be an

applicable approach due to the distribution of responsibility. Distributed denial of service

attack is a more severe threat: if the attackers have enough computing power and

bandwidth to operate with, smaller ad hoc networks can be crashed or congested rather

easily. There are however more serious threats to ad hoc networks: Compromised nodes

may be able to reconfigure the routing protocol or any part of it so that they send routing

information very frequently, thus caus ing congestion or very rarely, thus preventing

nodes to gain new information about the changed topology of the network [10]. The

Wormhole, The Rushing attack, the Routing Table Overflow and the Sleep Deprivation

attack might fall into this category.



2.2.2.4 Impersonation

Impersonation attacks form a serious security risk in all levels of ad hoc networking. If

proper authentication of parties is not supported, compromised nodes may in network

layer be able to e.g. join the network undetectably or send false routing information

masqueraded as some other, trusted node. Within network management the attacker could

gain access to the configuration system as a super user. In service level, a malicious party
could have its public key certified even without proper credentials. Thus impersonation

attacks concern all critical operations in ad hoc networks [10]. The Black Hole attack,

spoofing may fall in this category. The passive attack can be a first step to carry out such

an attack.



2.2.2.5 Disclosure



Any communication must be protected from eavesdropping, whenever confidential

information is exchanged. Also critical data the nodes store must be protected from

unauthorized access. In ad hoc networks such information can include almost anything

e.g. specific status details of a node, the location of nodes, private or secret keys,

passwords and phrases and so on. Sometimes the control data is more critical information

in respect of the security than the actual exchanged data [10]. Obviously we can place the

location disclosure attack and passive attack in this category.



2.3 Vulnerability illustration of current wireless routing protocols

The following table lists possible protocol-specific attacks to wireless routing protocols.

Protocol attack details used by possible attack methods, their attack targets and attack

impact on performance are listed in the table, with the attack possibility in AODV and

DSR. The attack target here is classified as connectivity attack and bandwidth attack.

Connectivity includes power consumption attack.
                                     Table 1: Vulnerability of AODV and DSR

Attack               Attack methods using        Attack target        Impact on               AODV        DSR
                     those attack                                     performance
Unnecessary          Rushing attack, sleep       Connectivity         Increasing protocol     Yes         Yes
route request        deprivation, black hole                          load and drop ratio
False distance       Wormhole                    Connectivity         Increasing drop         Yes         n/a
vector                                                                ratio
False destination    Black hole with             Connectivity         Increasing drop         Yes         n/a
sequence             spoofing                                         ratio
Malicious            Routing table overflow,     Bandwidth            Increasing              Yes         Yes
routing query        sleep deprivation                                bandwidth
flooding to non-                                                      utilization, end-to-
exist nodes                                                           end delay and
                                                                      protocol load
Routing              Location disclosure         Connectivity         Possible increase in    Yes         Yes
messages with                                                         drop ratio
inadequate hop-
limit values
Fabrication of       Spoofing, black hole        Connectivity,        Increasing              Yes         Yes
error messages                                   bandwidth            bandwidth
                                                                      utilization
Fabrication of       Spoofing, black hole        Connectivity         Increasing drop         No          Yes
source route                                                          ratio
Spoofing             Spoofing                    Connectivity,        Possible increase in    Yes         Yes
                                                 bandwidth            protocol load,
                                                                      bandwidth
                                                                      utilization, end-to-
                                                                      end delay and drop
                                                                      ratio

         3. Criteria

         This section lists criteria for a secure routing protocol. Some of the obvious requirements

         for all routing protocols such as loop-freedom have been omitted for brevity. From the

         standpoint of security, an optimal routing protocol should fulfill the following criteria [4].



         Certain discovery : If a route between two points in a network exists, it should always be

         possible to find it. Also, the node which requested the route should be able to be sure it
has found a route to the correct node [4]. It is helpful to attack routing table overflow and

rushing attack.



Isolation: The protocol should be able to identify misbehaving nodes and make them un-

able to interfere with routing. Alternatively, the routing protocol should be designed to be

immune to malicious nodes [4]. It is helpful to attack wormhole, black hole and spoofing.



Lightweight computations : Many devices connected to an ad hoc network are assumed

to be battery powered with limited computational abilities. Such a node cannot be

expected to be able to carry out expensive computations. If operations such as public key

cryptography or shortest path algorithms for large networks prove necessary, they should

be confined to the least possible number of nodes; preferably only the route endpoints at

route creation time. This requirement is needed to protect against trivial denial-of-service

attacks [4]. It can be used against sleep deprivation.



Location privacy: Often, the information carried in message headers is just as valuable

as the message itself. The routing protocol should protect information about the location

of nodes in a network and the network structure [4]. It helps fight against location

disclosure and passive attacks.



Self-stabilization: The self- stabilization property requires that a routing protocol should

be able to automatically recover from any problem in a finite amount of time without

human intervention. That is, it must not be possible to permanently disable a network by
injecting a small number of malformed packets. If the routing protocol is self stabilizing,

an attacker who wishes to inflict continuous damage must remain in the network and

continue sending malicious data to the nodes, which makes the attacker easier to locate

[4]. It can be used against black hole attack.



Byzantine robustness: A routing protocol should be able to function correctly even if

some of the nodes participating in routing are intentionally disrupting its operation.

Byzantine robustness can be seen as a stricter version of the self stabilization property:

the routing protocol must not only automatically recover from an attack, it should not

cease from functioning even during the attack. Clearly, if a routing protocol does not

have the self stabilization property it cannot have Byzantine robustness either [4]. It helps

to fight against impersonation caused by spoofing.


4. Actions taken to prevent wireless routing protocols from
attack
Till now some measures have been proposed to secure routing and detect intrusion.



Papadimitratos et al. [11] proposed a Secure Routing Protocol (SRP) to counter malicious

behavior that targets the discovery of topology information.



Hu et al. [3] proposed a packet leashes method to attack the wormhole. It includes two

types of packet leashes: geographical leashes and temporal leashes. The key intuition is

that by authenticating either an extremely precise timestamp or location information
combined with a loose timestamp, a receiver can determine if the packet has traversed a

distance that is unrealistic for the specific network technology.



Hu et al. [7] also proposed Ariadne, a Secure On-Demand Routing Protocol for ad hoc

networks. This protocol uses highly efficient symmetric cryptography to withstand node

compromise.



Sanzgiri et al. [8] proposed a secure routing protocol, Authenticated Routing for Ad Hoc

Networks, to prevent modification, impersonation and fabrication attacks through

message authentication, integrity and non-repudiation.



Castelluccia et al. [12] used the employment of crypto-based identifiers for node and

group identification to secure group authorization (including membership).



Zhang et al. [13] proposed a new architecture for intrusion detection and response

systems. Every node in the wireless ad-hoc network participates in intrusion detection

and response. Each node is responsible for detecting signs of intrusion locally and

independently, but neighboring nodes can collaboratively investigate in a broader range.

Thus Intrusion detection and response systems are both distributed and cooperative to

suite the needs of wireless ad-hoc networks.



Apparently all of these are not enough to release the security concern. Further efforts

must be taken to improve the security of wireless routing protocols.
5. Ideas to secure wireless routing
Here list several ideas to improve the security of wireless routing protocols.



Hierarchy appears to be a desirable property in routing protocols because it can

sometimes limit failures to smaller areas in a network. As it also limits the number of

routing messages in comparison with flat routing, it may also limit the vulnerability

against denial-of-service attacks based on excessive route requests.



Redundant information through additional routes can be used for error detection and

correction. For example, if there are n available routes, then send data on n-r channels

and send redundant info on r channels. Thus even if some routes do not work, the

receiver can recover messages from data it receives [14].



Try to find a trusted route to avoid internal attack. Once a secure route is established, data

forwarding over that route is a simple matter [15].



For those protocols using destination sequence to carry out route discovery, always

validate destination sequence via the destination node.


6. Conclusion
In any multi-hop IP network, routing places an upper bound on the security of the entire

network. If the security in the routing protocol is nonexistent, the network can have no

security against denial-of-service attacks that can disable the entire network. Other
serious threats resulting from routing protocols is the disclosure of some information

about the network structure and the movement of the nodes within the network.



Even though current ad hoc routing protocols are completely insecure, their use is not

completely excluded in environments such as home networks where security is usually

not an absolute necessity. However, in environments such as law enforcement or the

military, new protocols with strong security against, for example, location disclosure and

active attacks are needed.



Currently, ad hoc routing protocols are vulnerable to several kinds of attacks. Unless

protection against routing attacks can be provided by the applications that are used in the

network, current routing protocols should not be used in areas of applications where the

threats of denial-of-service attacks, forged routes, or location disclosure are of any

significant importance.
References:

  1. Huaizhi Li, Zhe nliu Chen and Xiangyang Qin. Secure Routing in Wired Networks
     and Wireless Ad Hoc Networks. http://cs.engr.uky.edu/~singhal/term-
     papers/routing.pdf.

  2. Elizabeth M. Royer and C.-K. Toh. A Review of Current Routing Protocols for
     Ad Hoc Mobile Wireless Networks. IEEE Personal Communications Magazine,
     April 1999, pp. 46-55.


  3. Y.-C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defense against
     wormhole attacks in wireless ad hoc networks. Technical Report TR01-384,
     Department of Computer Science, Rice University, December 2001.

  4. www.tcm.hut.fi/Opinnot/Tik-110.501/2000/papers/lundberg.ps


  5. S. Yi, P. Naldurg, and R. Kravets. A Security Aware Routing Protocol for
     Wireless Ad Hoc Networks. The 6th World Multi-Conference on Systemics,
     Cybernetics and Informatics (SCI 2002), 2002.

  6. Feiyi Wang, Brian Vetter and Shyhtsun Wu. Secure Routing Protocols: Theory
     and Practice. North Carolina State University, May 1997.


  7. Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secure on-demand routing
     protocol for ad hoc networks. In Proceedings of the 8th ACM International
     Conference on Mobile Computing and Networking. (MobiCom), September 2002.

  8. K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding- Royer. A
     secure routing protocol for ad hoc networks. In Proceedings of the 10th IEEE
     InternationalConference on Network Protocols (ICNP), November 2002.


  9. Frank Stajano and Ross Anderson. The Resurrecting Duckling: Security Issues for
     Ad hoc Wireless Networks. In Security Protocols, 7th International Workshop
     Proceedings, Lecture Notes in Computer Science, 1999.

  10. N. Ahuja, and A. Menon. Security in Mobile Networks (Infrastructure and Ad-
      hoc). http://www.cise.ufl.edu/~nahuja/security/wirelesssec.htm


  11. P. Papadimitratos and Z. J. Haas. Secure routing for mobile ad hoc networks. In
      Proceedings of SCS Communication Networks and Distributed Systems Modeling
   and Simulation (CNDS), January 2002. ACM Transactions on Computer Systems,
   to appear.

12. C. Castelluccia and G. Montenegro. Securing group management in IPv6.
    Technical report, INRIA, August 2002.


13. Y. Zhang and W. Lee. Intrusion detection in wireless ad- hoc networks. In
    Proceedings of the 6th ACM International Conference on Mobile Computing and
    Networking (MobiCom), August 2000.

14. http://www.cs.utexas.edu/users/ypraveen/courses/compsec/compsec- litsurvey.ppt


15. http://www.cs.purdue.edu/homes/yilu/ slides/security-on-adhoc.ppt

								
To top