Secure routing in wireless sensor network: attacks and countermeasures Presenter: Haiou Xiang Author: Chris Karlof, David Wagner Appeared at the First IEEE International Workshop on Sensor Network Protocols and Applications, May 11, 2003
Contribution Propose threat models and security goals for secure routing in wireless sensor networks Introduce seven attack techniques, including two novel attacks, sinkhole and HELLO floods. Present the detailed security analysis of all major routing protocols. Discuss countermeasures and design considerations for security routing protocols
Background What is sensor network? Outside Network Base station Sensor node Event Aggregation node
Background The properties of sensor network –Sensor Node: Lower-power, Lower-bandwidth, shorter-range Multihop wireless network –Aggregation node: Eliminate the redundancy, saving energy –Base station (Sink) More powerful than sensor nodes
Background Security limitation: UC berkeley lab: Mica mote –Limit Power Power: Two AA batteries Only two weeks at full power –Limit memory and computational power 4MHz 8-bit CPU, 4KB RAM, 512KB flash memory
Attacks on sensor network routing
Spoofed, altered, or replayed routing information Behavior: –Create routing loops, attract or repel network traffic, extend or shorten source routes Goal: –Generate false error messages, partition the network, increase end-to-end latency
Example
Selective forwarding Behavior: –Malicious nodes may refuse to forward certain messages and simply drop them, ensuring that they are not propagated any further. Goal: –Attempt to include herself on the actual path of the data flow
Example Outside Network Base station Sensor node Event Aggregation node Malicious node Drop
Acknoledgement spoofing Behavior –Spoof link layer acknowledgments for “overheard” packet addressed to neighboring nodes Goal –Convincing the sender that a weak link is strong or that a dead or disabled node is alive –Enable selecting forward attack
Example Outside Network Base station Sensor node Event Aggregation node Malicious node Lost bad node
Sinkhole attacks Behavior –Making a compromised node look especially attractive to surrounding nodes Goal –Lure nearly all the traffic from a particular area through a compromised node, create a metaphorical sinkhole with the adversary at the center –Enable selecting forward attack
Example Sinkhole attack
Wormholes Behavior –Tunnel messages received in one part of network over a low-latency link and replays them in a different part Goal: –May be able to completely disrupt routing if an adversary situated close to a base station –Enable sinkhole attack –Exploit routing race condition
Example
Sybil attack Behavior –A single node presents multiple identities to other nodes in the network Goal: –Significantly reduce the effectiveness of fault- tolerant schemes
Example
HELLO flood attack Behavior –A laptop-class attacker broadcasting routing or other information with large enough transmission power could convince every node in the network that the adversary is its neighbor Goal –Enable wormhole attack by broadcasting wormholes
Example
Summary of attack
Countermeasures
Outsider attacks and link layer security Solution: –Global share key: link layer encryption and authentication Limitation: ineffective –Wormhole and HELLO flood attack –Insider attack or compromised node
Sybil attack Solution –Every node share a unique symmetric key with base station –Two node establish a shared key and verify each other’s identity –Base station limit the number of neighbors around a node –When a node is compromised, it is restricted to communicating only with its verified neighbors Limitation –Adversary can still use a wormhole to create an artificial link between two nodes to convince them
HELLO flood attacks Solution: –Verify the bidirectionality of a link before taking meaningful action –Every node authenticate each of its neighbors with an identity verification protocol using a trusted base station
Wormhole and sinkhole attacks Solution –Design routing protocols which avoid routing race conditions and make these attacks less meaningful Geographic routing protocols: construct a topology on demand using only localized interactions and information
Selective forwarding Solution: –Multipath routing: message routed over n paths whose nodes are completely disjoint –Nodes dynamically choose a packet’s next hop probabilistically from a set of possible candidates Limitation: –Completely disjoint paths is difficult to create
Countermeasure summary AttacksCountermeasure Outersiders, Sybil, HELLO floods, ACKs spoofing Link-layer encryption and authentication, multipath routing, identity verification, bidirectional link verification, authenticated broadcast Sinkhole attack wormhole attack Geographic routing protocols
Strength Demonstrate current routing protocols for wireless sensor networks are insecure Provide several countermeasures to against attacks: link layer encryption and authentication and so on
Questions?