DoS Attacks on Sensor Networks Hossein Nikoonia Department of Computer Engineering Sharif University of Technology
Outline Wireless Sensor Networks False-Endorsement-Based DoS Attacks Broadcast Authentication ◦ Broadcast Authentication Digital Signature µTESLA Containing DoS Attacks in Broadcast Authentication Mitigating DoS Attacks against Broadcast Authentication Other Types of DoS Attack Future Work
WIRELESS SENSOR NETWORKS
Introduction Composed of a large number of sensor nodes and one or more sink Sensor Nodes ◦ Collect data ◦ Route data back to the sink Sink [Akyildiz et. al. 2002]
Applications Military Health ◦ Monitoring patients Monitoring disaster areas [Akyildiz et. al. 2002]
Constraints Sensor Nodes ◦ Energy Usually battery-powered ◦ Processing power Public-key operations are expensive Delay Energy ◦ Cost Tamper-proof hardware is not practical Deployment area ◦ Hostile ◦ Unattended
Mica2 Motes Developed at UC Berkeley TinyOS ATmega128L 128 KB Program flash memory 4KB Configuration E2PROM 2X AA Battery [Crossbow Technology]
Information Security Confidentiality Integrity Availability Denial-of-Service (DoS)
FALSE-ENDORSEMENT- BASED DOS ATTACKS IN WIRELESS SENSOR NETWORKS C. Krau β, M Schneider, C. Eckert WiSec ‘08
False-Endorsement How to verify correctness of an event? ◦ Message Authentication Code (MAC) Problem ◦ Node capture Solution to the problem ◦ Endorsement ◦ XOR of MACs [Krau β et. al. 2008]
False-Endorsement Problem of the solution ◦ False-Endorsement Solution? [Krau β et. al. 2008]
Basic Idea Nodes should prove their endorsement. [Krau β et. al. 2008]
Details Assumptions ◦ Nodes are loosely time-synchronized ◦ Attacker does not have access to nodes for a period of time ◦ Clusters contain One cluster head (CH) Several cluster nodes (CNs) Hash chain ◦ A sequence of n hash values [Krau β et. al. 2008; Ning et. al. 2008]
Details Report Generation Verification [Krau β et. al. 2008]
BROADCAST AUTHENTICATION
Broadcast Authentication Digital signatures µTESLA [Ning et. al. 2008]
Digital Signature 160-bit Elliptic Curve Digital Signature Algorithm (ECDSA) on MICAz ◦ Power consumption Receiving 0.25mJ Signature verification 38.88mJ Alkaline Battery 1200 J/cm3 ◦ Delay 1.62s [Ning et. al. 2008; Karl and Willing 2005]
µTESLA Delayed authentication Use of a one-way hash chain Nodes should be loosely time synchronized MACs are generated with a key which will be disclosed after a certain period of time. [Ning et. al. 2008]
DoS Attack against Broadcast Authentication Digital signature ◦ Power consumption ◦ Delay ◦ It is impractical for the nodes to validate each incoming message before forwarding it. µTESLA ◦ Delayed authentication [Wang et. al. 2007; Ning et. al. 2008]
CONTAINING DOS ATTACKS IN BROADCAST AUTHENTICATION IN SENSOR NETWORKS R. Wang, W. Du, P. Ning MobiHoc ‘07
The Basic Question First to forward or first to verify? [Wang et. al. 2007]
The Ideal Solution ◦ Faked messages Authentication-first ◦ Authentic messages Forwarding-first How? [Wang et. al. 2007]
Proposed Solution Dynamic Windows ◦ Additive increase, Multiplicative Decrease (AIMD) Each node stores a window size W ◦ Initial value: W max Attach a d a to each message ◦ Number of hops message has passed since its last authentication. [Wang et. al. 2007]
Proposed Solution [Wang et. al. 2007]
Simulation Result [Wang et. al. 2007]
MITIGATING DOS ATTACKS AGAINST BROADCAST AUTHENTICATION IN WIRELESS SENSOR NETWORKS P. Ning, A. Liu, W. Du ACM Transactions on Sensor Networks, 2008.
Basic Idea Use of a weak authenticator ◦ Could be verified efficiently by a sensor node. ◦ Cannot be pre-computed. ◦ Takes a reasonable amount of time for sink to compute. ◦ Almost impractical for attacker to forge. Not a replacement of digital signatures [Ning et. al. 2008]
Weak authenticator Message-specific puzzle ◦ Based on one-way key chains ◦ Takes 14.6ms on a MICAz mote to verify this weak authenticator. [Ning et. al. 2008]
Details Consider a hash chain. This chain is generated offline and is stored in sink. Each node knows the last value of the chain. ◦ Hence, they can authenticate next values [Ning et. al. 2008]
Details
Other Types of DoS Attacks Jamming ◦ [Wood and Stankovic 2002] Path-based DoS Attack ◦ [Deng et. al. 2005]
Future Work DoS attack against sink Multistage digital signature Real-time weak authenticator (puzzle)
References I. F. Akyildiz, W. Su, Y. Sankarasubramaniam, E. Cayirci, “A Survey on Sensor Networks”, IEEE Communications Magazine, pp , Aug [Crossbow Technology] J. Deng, R. Han, S. Mishra, “Defending against Path-based DoS Attacks in Wireless Sensor Networks”, In Proceedings of SASN’05, pp , C. Krau β, M. Schneider, C. Eckert, “Defending against False-Endorsement-Based DoS Attacks in Wireless Sensor Networks, In Proceedings of WiSec’08, pp , H. Karl, A. Willing, ”Protocols and Architectures for Wireless Sensor Networks”, John Wiley and Sons, P. Ning, A. Liu, W. Du, “Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks”, ACM Transactions on Sensor Networks, Vol. 4, No. 1, pp. 1-33, A. D. Wood, J. A. Stankovic, “Denial of Service in Sensor Networks”, Computer, Vol. 35, pp , Oct R. Wang, W. Du, P. Ning, ”Containing Denial-of-Service Attacks in Broadcast Authentication in Sensor Networks”, In Proceedings of MobiHoc’07, pp , 2007.