Vulnerability of Wireless Routing Protocols

Transcription

1 Vulnerability of Wireless Routing Protocols Qifeng Lu Dec 15, 2002 University of Massachusetts Amherst Abstract The existing wireless routing protocols do not accommodate any security and are highly vulnerable to attacks. This paper discusses the weakness of those protocols, and threats and attacks against wireless routing. I also look at some suggested solutions that could be used when secure protocols are designed. The current protocols should not be used in hostile environments unless the applications are especially designed to operate under insecure routing or until protocols with enhanced security are introduced. 1. Introduction Wireless networks consist of a number of nodes which communicate with each other over a wireless channel. Typically there are three kinds of wireless networks: cellular networks, satellite networks and ad hoc mobile networks. Cellular networks have a wired backbone with only the last hop being wireless. Satellite networks are composed of trackpredetermined mobile satellites with the last wireless hop. As the futural position of a satellite can be predicted, it is similar to a fixed base station. An ad hoc mobile network is a collection of mobile nodes that are dynamically and arbitrarily located in such a manner that the interconnections between nodes are capable of changing on a continual basis.

2 Due to the dynamic topology and no support of infrastructure, the ad hoc mobile network is the most vulnerable in wireless networks. Routing is the heart of network infrastructure. It controls and manages the "flow" of messages in the network [1]. To set up connection and maintain updated network topology, routers keep exchanging messages about link state, cost and metric. The main goal of a routing protocol for a wireless network is correct and efficient route establishment between a pair of nodes so that messages may be delivered in a timely manner. This project is a survey on vulnerability of those wireless routing protocols. What s the meaning of vulnerability? Well, in computer security, vulnerability means any weakness or flaw existing in a system, the susceptibility of a system to a specific threat attack or harmful event, or the opportunity available to a threat agent to mount that attack. Basically, the routing protocol sets an upper limit to security in any packet network. If routing can be misdirected, the entire network can be paralyzed. As the ad hoc mobile network is the most vulnerable, by exploiting the vulnerability of routing protocols for ad hoc mobile networks, we can get a whole picture of the vulnerability of routing protocols for all wireless networks. Till now, there are three kinds of ad hoc routing protocols: Proactive (DSDV, WRP), reactive (DSR, AODV) and hybrid (ZRP) [2]. Most of the protocols focus on discovering

3 the shortest path between two nodes as fast as possible, in other words, the length of the routes is the only metric used in these protocols. In some cases, however, security could be the most important metric. For example, in an ad hoc network used by the military, secure and reliable communication is a necessary prerequisite. Safety-critical business operations such as oil drilling platforms or mining operations require maximum security too [3]. The concern on security definitely necessitates the survey on vulnerabilities of these ad hoc routing protocols. 2. Vulnerability of wireless routing protocols 2.1 Weakness of wireless routing Wireless networks are particularly vulnerable due to their nature of open medium, lack of physical protection, and lack of a clear line of defense. Furthermore, ad hoc mobile networks also have dynamic changing topology, use cooperative algorithms, and lack centralized monitoring and management point. Thus Operation in an ad hoc network introduces some new security problems in addition to the ones already present in fixed networks. Some new vulnerability includes the following [4]: Easy theft of nodes: Many nodes are expected to be small in size and thus vulnerable to theft. From a routing perspective this means that a node may easily become compromised. Thus, a previously well-behaving node can unexpectedly become hostile. Vulnerability to tampering: This difficulty is related to the problem of easy theft. It must not be trivial for example to recover private keys from the device. A less stringent version

4 of tamper proof is tamper evidence where it is only required that a tampered node can be distinguished from the rest. Limited computational abilities: Nodes can be devices with limited computing power. This may exclude techniques such as frequent public key cryptography during normal operation. However, symmetric cryptography is likely to be feasible in authenticating or encrypting routing message exchanges. Battery powered operation: Many devices in an ad hoc network are assumed to be battery powered. An attacker may attempt a denial-of-service attack by creating additional transmissions or expensive computations to be carried out by a node in an attempt to exhaust its batteries. Transient nature of services and devices: Because an ad hoc network consists of nodes that may frequently move, the set of nodes that are connected to some particular ad hoc network frequently changes. This can create problems for example with key management if cryptography is used in the routing protocol. 2.2 Susceptibility to attacks Sources of threats There are two sources of threats to routing protocols. The first comes from external attackers. By injecting erroneous routing information, replaying old routing information, or distorting routing information, an attacker could successfully partition a network or

5 introduce excessive traffic load into the network by causing retransmission and inefficient routing [5]. The second and more severe kind of threat comes from compromised nodes, which might advertise incorrect routing information to other nodes. Detection of such incorrect information is difficult: merely requiring routing information to be signed by each node would not work, because compromised nodes are able to generate valid signatures using their private keys Attacks Attacks can be classified based on different criteria. One criterion is that whether attackers disrupt the operation of a routing protocol or not. According to this criterion, attacks can be divided into two classes: passive attacks and active attacks. Some attacks are possible in fixed networks, but the nature of the ad hoc environment magnifies their effects and makes their detection difficult, others are only available in wireless networks Passive Attacks In a passive attack, the attacker does not disrupt the operation of a routing protocol but only attempts to discover valuable information by listening to the routing traffic. The major advantage for the attacker in passive attacks is that in a wireless environment the attack is usually impossible to detect. This also makes defending against such attacks difficult. Furthermore, routing information can reveal relationships between nodes or disclose their IP addresses. If a route to a particular node is requested more often than to other nodes, the attacker might expect that the node is important for the functioning of the network, and disabling it could bring the entire network down.

6 Other interesting information that is disclosed by routing data is the location of nodes. Even when it might not be possible to pinpoint the exact location of a node, one may be able to discover information about the network topology. It is worth noting that in an IP network one cannot defend against these attacks for example by only using IPsec. The packets still have most of their IP headers in plaintext, and it may not even be feasible to have symmetric keys distributed to every node in a network Active Attacks These attacks involve actions performed by adversaries, for instance the replication, modification and deletion of exchanged data. The goal may be to attract packets destined to other nodes to the attacker for analysis or just to disable the network. A major difference in comparison with passive attacks is that an active attack can sometimes be detected. This makes active attacks a less inviting option for most attackers. Yet, it may still be a real alternative when large amounts of money is at stake such as in commercial or military environments. The following is a list of some types of active attacks that can usually be easily performed against an ad hoc network. Black hole: In the black hole attack [6], a malicious node uses the routing protocol to advertise itself as having the shortest path to the node whose packets it wants to intercept.

7 In a flooding based protocol such as AODV the attacker listens to requests for routes. When the attacker receives a request for a route to the target node, the attacker creates a reply where an extremely short route is advertised. If the malicious reply reaches the requesting node before the reply from the actual node, a forged route has been created. Once the malicious device has been able to insert itself between the communicating nodes, it is able to do anything with the packets passing between them. It can choose to drop the packets to perform a denial-of-service attack, or alternatively use its place on the route as the first step in a man-in-the-middle attack. Wormhole: In the wormhole attack [7], an attacker records packets (or bits) at one location in the network, tunnels them to another location, and retransmits them there into the network. The wormhole attack is possible even if the attacker has not compromised any hosts and even if all communication provides authenticity and confidentiality. The wormhole attack can form a serious threat in wireless networks, especially against many ad hoc network routing protocols and location-based wireless security systems. For example, most existing ad hoc network routing protocols, without some mechanism to defend against the wormhole attack, would be unable to find routes longer than one or two hops, severely disrupting communication. The wormhole places the attacker in a very powerful position, able for example to further exploit any of the attacks mentioned above, allowing the attacker to gain unauthorized access, disrupt routing, or perform a permanent denial-of-service attack (DoS) by creating a routing loop.

8 Rushing attack: This kind of attack [7] is a malicious attack that is targeted against ondemand routing protocols that use duplicate suppression at each node, like AODV. An attacker disseminates ROUTE REQUESTs quickly throughout the network, suppressing any later legitimate ROUTE REQUESTs when nodes drop them due to the duplicate suppression. Thus the protocol can not set up a route to the desirable destination. Spoofing: By masquerading as another node, a malicious node can launch many attacks in a network. This is commonly known as spoofing [8]. Spoofing occurs when a node misrepresents its identity in the network, such as by altering its MAC or IP address in outgoing packets. Spoofing combined with packet modification is really a dangerous attack. Routing table overflow: In a routing table overflow attack the attacker attempts to create routes to nonexistent nodes [4]. The goal is to create enough routes to prevent new routes from being created or to overwhelm the protocol implementation. Proactive routing algorithms attempt to discover routing information even before it is needed while a reactive algorithm creates a route only once it is needed. This property appears to make proactive algorithms more vulnerable to table overflow attacks. An attacker can simply send excessive route advertisements to the routers in a network. Reactive protocols, on the other hand, do not collect routing data in advance. For example in AODV, two or more malicious nodes would need to cooperate to create false

9 data efficiently: The other node requests routes and the other one replies with forged addresses. Sleep deprivation: Usually, this attack is practical only in ad hoc networks, where battery life is a critical parameter. Battery powered devices try to conserve energy by transmitting only when absolutely necessary. An attacker can attempt to consume batteries by requesting routes, or by forwarding unnecessary packets to the node using, for example, a black hole attack [9]. This attack is especially suitable against devices that do not offer any services to the network or offer services only to those who have some special credentials. Regardless of the properties of the services, a node must participate in the routing process unless it is willing to risk becoming unreachable to the network. Location disclosure: A location disclosure attack can reveal something about the locations of nodes or the structure of the network. The information gained might reveal which other nodes are adjacent to the target, or the physical location of a node. The attack can be as simple as using an equivalent of the traceroute command on UNIX systems. Routing messages are sent with inadequate hop-limit values and the addresses of the devices sending the ICMP error messages are recorded. In the end, the attacker knows which nodes are situated on the route to the target node. If the locations of some of the intermediary nodes are known, one can gain information about the location of the target as well [4].

10 A broad classification of the attacks might be described in the following way: Denial of Service The denial of service threat either produced by an unintentional failure or malicious action forms a severe security risk in any distributed system. The consequences of such attacks, however, depend on the area of application of the ad hoc network. The denial of service attack has many forms: the classical way is to flood any centralized resource so that it no longer operates correctly or crashes, but in ad hoc networks this may not be an applicable approach due to the distribution of responsibility. Distributed denial of service attack is a more severe threat: if the attackers have enough computing power and bandwidth to operate with, smaller ad hoc networks can be crashed or congested rather easily. There are however more serious threats to ad hoc networks: Compromised nodes may be able to reconfigure the routing protocol or any part of it so that they send routing information very frequently, thus causing congestion or very rarely, thus preventing nodes to gain new information about the changed topology of the network [10]. The Wormhole, The Rushing attack, the Routing Table Overflow and the Sleep Deprivation attack might fall into this category Impersonation Impersonation attacks form a serious security risk in all levels of ad hoc networking. If proper authentication of parties is not supported, compromised nodes may in network layer be able to e.g. join the network undetectably or send false routing information masqueraded as some other, trusted node. Within network management the attacker could gain access to the configuration system as a super user. In service level, a malicious party

11 could have its public key certified even without proper credentials. Thus impersonation attacks concern all critical operations in ad hoc networks [10]. The Black Hole attack, spoofing may fall in this category. The passive attack can be a first step to carry out such an attack Disclosure Any communication must be protected from eavesdropping, whenever confidential information is exchanged. Also critical data the nodes store must be protected from unauthorized access. In ad hoc networks such information can include almost anything e.g. specific status details of a node, the location of nodes, private or secret keys, passwords and phrases and so on. Sometimes the control data is more critical information in respect of the security than the actual exchanged data [10]. Obviously we can place the location disclosure attack and passive attack in this category. 2.3 Vulnerability illustration of current wireless routing protocols The following table lists possible protocol-specific attacks to wireless routing protocols. Protocol attack details used by possible attack methods, their attack targets and attack impact on performance are listed in the table, with the attack possibility in AODV and DSR. The attack target here is classified as connectivity attack and bandwidth attack. Connectivity includes power consumption attack.

12 Table 1: Vulnerability of AODV and DSR Attack Unnecessary route request False distance vector False destination sequence Malicious routing query flooding to nonexist nodes Routing messages with inadequate hoplimit values Fabrication of error messages 3. Criteria Attack methods using those attack Attack target Impact on performance Rushing attack, sleep Connectivity Increasing protocol deprivation, black hole load and drop ratio Wormhole Connectivity Increasing drop ratio Black hole with Connectivity Increasing drop spoofing ratio Routing table overflow, Bandwidth Increasing sleep deprivation bandwidth utilization, end-toend delay and protocol load Location disclosure Connectivity Possible increase in drop ratio Spoofing, black hole Connectivity, bandwidth Increasing bandwidth utilization Fabrication of source route Spoofing, black hole Connectivity Increasing drop ratio Spoofing Spoofing Connectivity, Possible increase in bandwidth protocol load, bandwidth utilization, end-toend delay and drop ratio AODV No DSR n/a n/a This section lists criteria for a secure routing protocol. Some of the obvious requirements for all routing protocols such as loop-freedom have been omitted for brevity. From the standpoint of security, an optimal routing protocol should fulfill the following criteria [4]. Certain discovery: If a route between two points in a network exists, it should always be possible to find it. Also, the node which requested the route should be able to be sure it

13 has found a route to the correct node [4]. It is helpful to attack routing table overflow and rushing attack. Isolation: The protocol should be able to identify misbehaving nodes and make them unable to interfere with routing. Alternatively, the routing protocol should be designed to be immune to malicious nodes [4]. It is helpful to attack wormhole, black hole and spoofing. Lightweight computations : Many devices connected to an ad hoc network are assumed to be battery powered with limited computational abilities. Such a node cannot be expected to be able to carry out expensive computations. If operations such as public key cryptography or shortest path algorithms for large networks prove necessary, they should be confined to the least possible number of nodes; preferably only the route endpoints at route creation time. This requirement is needed to protect against trivial denial-of-service attacks [4]. It can be used against sleep deprivation. Location privacy: Often, the information carried in message headers is just as valuable as the message itself. The routing protocol should protect information about the location of nodes in a network and the network structure [4]. It helps fight against location disclosure and passive attacks. Self-stabilization: The self-stabilization property requires that a routing protocol should be able to automatically recover from any problem in a finite amount of time without human intervention. That is, it must not be possible to permanently disable a network by

14 injecting a small number of malformed packets. If the routing protocol is self stabilizing, an attacker who wishes to inflict continuous damage must remain in the network and continue sending malicious data to the nodes, which makes the attacker easier to locate [4]. It can be used against black hole attack. Byzantine robustness: A routing protocol should be able to function correctly even if some of the nodes participating in routing are intentionally disrupting its operation. Byzantine robustness can be seen as a stricter version of the self stabilization property: the routing protocol must not only automatically recover from an attack, it should not cease from functioning even during the attack. Clearly, if a routing protocol does not have the self stabilization property it cannot have Byzantine robustness either [4]. It helps to fight against impersonation caused by spoofing. 4. Actions taken to prevent wireless routing protocols from attack Till now some measures have been proposed to secure routing and detect intrusion. Papadimitratos et al. [11] proposed a Secure Routing Protocol (SRP) to counter malicious behavior that targets the discovery of topology information. Hu et al. [3] proposed a packet leashes method to attack the wormhole. It includes two types of packet leashes: geographical leashes and temporal leashes. The key intuition is that by authenticating either an extremely precise timestamp or location information

15 combined with a loose timestamp, a receiver can determine if the packet has traversed a distance that is unrealistic for the specific network technology. Hu et al. [7] also proposed Ariadne, a Secure On-Demand Routing Protocol for ad hoc networks. This protocol uses highly efficient symmetric cryptography to withstand node compromise. Sanzgiri et al. [8] proposed a secure routing protocol, Authenticated Routing for Ad Hoc Networks, to prevent modification, impersonation and fabrication attacks through message authentication, integrity and non-repudiation. Castelluccia et al. [12] used the employment of crypto-based identifiers for node and group identification to secure group authorization (including membership). Zhang et al. [13] proposed a new architecture for intrusion detection and response systems. Every node in the wireless ad-hoc network participates in intrusion detection and response. Each node is responsible for detecting signs of intrusion locally and independently, but neighboring nodes can collaboratively investigate in a broader range. Thus Intrusion detection and response systems are both distributed and cooperative to suite the needs of wireless ad-hoc networks. Apparently all of these are not enough to release the security concern. Further efforts must be taken to improve the security of wireless routing protocols.

16 5. Ideas to secure wireless routing Here list several ideas to improve the security of wireless routing protocols. Hierarchy appears to be a desirable property in routing protocols because it can sometimes limit failures to smaller areas in a network. As it also limits the number of routing messages in comparison with flat routing, it may also limit the vulnerability against denial-of-service attacks based on excessive route requests. Redundant information through additional routes can be used for error detection and correction. For example, if there are n available routes, then send data on n-r channels and send redundant info on r channels. Thus even if some routes do not work, the receiver can recover messages from data it receives [14]. Try to find a trusted route to avoid internal attack. Once a secure route is established, data forwarding over that route is a simple matter [15]. For those protocols using destination sequence to carry out route discovery, always validate destination sequence via the destination node. 6. Conclusion In any multi-hop IP network, routing places an upper bound on the security of the entire network. If the security in the routing protocol is nonexistent, the network can have no security against denial-of-service attacks that can disable the entire network. Other

17 serious threats resulting from routing protocols is the disclosure of some information about the network structure and the movement of the nodes within the network. Even though current ad hoc routing protocols are completely insecure, their use is not completely excluded in environments such as home networks where security is usually not an absolute necessity. However, in environments such as law enforcement or the military, new protocols with strong security against, for example, location disclosure and active attacks are needed. Currently, ad hoc routing protocols are vulnerable to several kinds of attacks. Unless protection against routing attacks can be provided by the applications that are used in the network, current routing protocols should not be used in areas of applications where the threats of denial-of-service attacks, forged routes, or location disclosure are of any significant importance.

18 References: 1. Huaizhi Li, Zhenliu Chen and Xiangyang Qin. Secure Routing in Wired Networks and Wireless Ad Hoc Networks Elizabeth M. Royer and C.-K. Toh. A Review of Current Routing Protocols for Ad Hoc Mobile Wireless Networks. IEEE Personal Communications Magazine, April 1999, pp Y.-C. Hu, A. Perrig, and D. B. Johnson. Packet leashes: A defense against wormhole attacks in wireless ad hoc networks. Technical Report TR01-384, Department of Computer Science, Rice University, December S. Yi, P. Naldurg, and R. Kravets. A Security Aware Routing Protocol for Wireless Ad Hoc Networks. The 6th World Multi-Conference on Systemics, Cybernetics and Informatics (SCI 2002), Feiyi Wang, Brian Vetter and Shyhtsun Wu. Secure Routing Protocols: Theory and Practice. North Carolina State University, May Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secure on-demand routing protocol for ad hoc networks. In Proceedings of the 8th ACM International Conference on Mobile Computing and Networking. (MobiCom), September K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields, and E. M. Belding-Royer. A secure routing protocol for ad hoc networks. In Proceedings of the 10th IEEE InternationalConference on Network Protocols (ICNP), November Frank Stajano and Ross Anderson. The Resurrecting Duckling: Security Issues for Ad hoc Wireless Networks. In Security Protocols, 7th International Workshop Proceedings, Lecture Notes in Computer Science, N. Ahuja, and A. Menon. Security in Mobile Networks (Infrastructure and Adhoc) P. Papadimitratos and Z. J. Haas. Secure routing for mobile ad hoc networks. In Proceedings of SCS Communication Networks and Distributed Systems Modeling

19 and Simulation (CNDS), January ACM Transactions on Computer Systems, to appear. 12. C. Castelluccia and G. Montenegro. Securing group management in IPv6. Technical report, INRIA, August Y. Zhang and W. Lee. Intrusion detection in wireless ad-hoc networks. In Proceedings of the 6th ACM International Conference on Mobile Computing and Networking (MobiCom), August slides/security-on-adhoc.ppt