Routing Protocols Security in Ah Hoc Networks

Transcription

1 Routing Protocols Security in Ah Hoc Networks Ebrahim Mohammed Louis Dargin Oakland University School of Computer Science and Engineering CSE 681 Information Security Abstract Mobile Ad hoc networks, also known as MANETs, are a new and useful innovation in the field of mobile wireless communication. Due to the various applications that have been and can be developed under this technology including ocean and wildlife monitoring, manufacturing machinery performance monitoring, building safety and earthquake monitoring, and many military applications, MANETs have been attracting many researchers. Unlike other types of networks, MANETs are usually deployed without a centralized control unit; the devices participating in a MANET rely on other units to route information to their destinations. This, along with the fact that MANET nodes are often constrained in power, makes MANETs vulnerable to various malicious attacks and applying the routing techniques that work with wired networks is infeasible here. In this research project we will analyze the routing protocols and security attacks in such networks. We will survey MANET routing protocols and security schema. Finally, we will propose new features to secure Ad hoc on demand Distance Vector routing protocol (AODV) against Denial of Service (DOS) attacks, and to detect malicious nodes, including black and gray holes attacks. Keywords: ad hoc network, black hole, routing protocols, security, AODV Introduction: A mobile ad-hoc network (MANET) consists of wireless devices, commonly called "nodes," that communicate with each other without a central access point. Essentially, each MANET node is a router. They are typically used to quickly set up a network where a wired infrastructure does not exist. Also, through the use other nodes that lie along the path, MANETS allow for nodes to communicate with out-of-range destinations. We will refer to those in-between nodes as "Intermediate Nodes." A common routing protocol (the set of rules defining how routing nodes determine the path that packets follow to reach their destination) is used to route communications through intermediate nodes. In this research paper, we will discuss the types of MANET routing protocols available, and the types of attacks that are possible against them. MANET security should be defined in every layer of the network, in this paper we will focus on the network layer. 1

2 The nodes in ad hoc networks functions as routers that discover and maintain routes to other nodes in the network. The primary goal of a MANET routing protocol is to establish a correct and efficient route between a pair of nodes so that messages may be delivered in a timely manner. If routing can be misdirected, the entire network can be paralyzed. Thus, routing security plays an important role in the security of the whole network. The nature of MANET networks presents a unique set of problems. The vulnerabilities include: Broadcasting wireless channels allow malicious nodes to gain access to the network and then eavesdropping and injection messages easily Nodes are also routers, so MANETs are dynamic change network topology. Computing resources in MANET nodes are quite limited. Attacks can be design to disable nodes by drawing them to exceed their bandwidth, processing power, RAM storage, or battery life limitations. Examples of this are routing table overflow and energy consummation. Unattended wireless nodes can be easily stolen. An attacker can use a stolen node to develop a malicious decoy, and plant it near the original nodes. This can lead to impersonation and information disclosure Wireless MANET nodes are inherently vulnerable to insider attacks. The rest of the paper is organized as follow. In section 2, we introduce types of routing protocols for MANETs. Next, in section 3, we present security challenges and types of attacks. Then, in section4, we introduce the current mechanism to prevent such attacks. After that, in section 5, we describe the way AODV (Ad hoc on demand Distance Vector) protocol works, and we propose a solution to detect malicious nodes like black and gray hole nodes, prevent against external attack to like Dos, and a detection of member malicious nodes. Finally, in section 6, we discuss the future work for this research. 2-Types of routing protocols in MANETs Routing is the most important aspect in ad hoc network since ad hoc network topology frequently changes and multi-hop communication is required. Several routing protocols have been developed, and most of them are designed without security in mind. They generally they can be classified into three types: Proactive (Table Driven), Reactive (on demand routing), and Hybrid. Proactive protocols: Every node in the topology maintains the routing information in a table format; they are also called table driven protocols. The routing table holds a complete set of destination address and the list of intermediate nodes needed to reach each destination. The routing tables are updated whenever the network topology changes (i.e. existing nodes are moved or dropped, or new nodes are introduced). Such changes are announced to every other node. This ensures that each sender knows the route in advance of packet transmissions. Unfortunately, this is one of the disadvantages of this category of protocols; if a malicious node has the routing information before packet data transmission takes place; it will be able to change routes, drop packets, etc. Another problem is that rapid changes in network topology might overwhelm the network with 2

3 control messages (messages for updating the routing table at every node) and the excess messaging overhead will compromise the throughput of actual data transmissions. Examples of proactive protocols are DV (Distance Vector) protocol, DSDV (Destination Sequenced Distance Vector) protocol, WRP (Wireless Routing Protocol), and FSR (Fisheye State Routing) protocol [5]. They are called table-driven protocols since the routing table will be updated for each change in link states in a network and routes are discovered using information stored in routing tables. Reactive protocols: They differ from the proactive protocols in that the node will only discovers a route when it is desired by the source node. When a node wants to send information to another node in a network, a source node will initiates a route-discovery process. Once a route is discovered, it is maintained in the temporary cache at a source node unless it is expired or unless some event happens (e.g., a link failure) that requires another route discovery to start over again. One advantage of Reactive protocols is that they require less storage for routing information compared to proactive protocols, because there is no need to obtain and maintain the routing information for every node in a network. Another advantage is that intermediate nodes do not have to make routing decisions. An obvious disadvantage in reactive protocols is the delay due to route discovery; this is called the "route acquisition delay." Furthermore, since route discoveries require global broadcasts, if routing information changes frequently, which is common in MANETs, and if route discoveries are needed for those changed routes, they may generate a large volume of messaging overhead. Currently popular reactive protocols include DSR (Dynamic Source Routing), AODV (Ad hoc On Demand Distance Vector), and ABR (Associativity Based Routing) [1]. Hybrid (combination of proactive and reactive) Protocols: Because of the disadvantages of the previous protocols such as initial delay due to route discovery and high control overhead in reactive protocols, a pure reactive protocol may not be the best solution for routing in MANETs. On the other hand, a pure proactive protocol used for a large network may not be possible to deploy because of the need to keep a large routing table at all times. A protocol that uses the best features of both reactive and proactive protocol may be a better solution. An example for such an approach is the ZRP (Zone Routing Protocol), Centralized Ad hoc Network Architecture (CANA). 3- Types of Attacks on MANETs: We mentioned earlier that the nature of MANETs make them vulnerable to attacks that are not feasible in wired networks. Attacks on MANETs can be classified into Passive Attack and Active attacks. Passive attacks do not disrupt the operation of the protocol, but try to discover information by listening to traffic or sniffing on packet transmission. On the other hand, active attacks try to disrupt the protocol operation, inject arbitrary packets, and gain authentication. In this research we will introduce a classification on the active attacks on MANETs [8]. Classification of the Active attacks 3

4 Attacks based on modification: One very simple way for a node to disturb the protocol operation is to announce that it has a better route than the existing one. This can be achieved by modifying metric values for a route or by altering control message fields. There are 3 ways in which this can be done: Redirection by Changing the Route Sequence Number: network nodes rely on metrics like hop count; smaller values help indicate the best path to take through network. Hence, a simple way to attack a network is to report a smaller number than the last best value. Redirection by Altering Hop Count: This attack is more specific to the AODV protocol wherein the optimum path is chosen by the hop count metric. A malicious node can disturb the network by announcing the smallest hop count value to reach the compromised node. In general, an attacker would use a value of zero to ensure the smallest hop count. Denial of Service by Altering Routing Information: Consider a scenario wherein node A wants to communicate with node E. At node A, the routing path in the header is A-B-C- D-E. If B is a compromised node, it can alter the routing path to A-B-C-E. Since there exists no direct route from C to E, C will drop the packet. Thus, A will never be able to access any service / information from E. Impersonation Attacks In this attack, the malicious node hides its IP address and uses another IP address in the network, this is known as spoofing. Fabrication Attacks: there are three types that can be classified here. Falsification of Rote Error Messages: The weakness of this architecture is that whenever a node moves, the closest node sends an error message to the other nodes so as to inform them that a route is no longer accessible. If an attacker can cause a DoS attack by spoofing any node and sending error messages to the all other nodes, it can isolate any node quite easily. This is most common in AODV and DSR protocol. Routing table overflow attack: Consider ad-hoc networks that use a proactive protocol i.e. an algorithm which tries to find routing information even before it is needed; this creates vulnerabilities since the attacker can attempt to create routes to non-existent nodes. If enough routes are created, new routes can no longer be added due to an overwhelming pressure on the protocol. Route poisoning: This passive attack occurs when nodes are in the updating mode of their routing tables. Information stored in the routing tables get deleted, changed, and injected with false information. 4- Techniques to secure MANETs: There are two techniques that are the most common approaches today are: Prevention: This is a scenario where the solution is to stop nodes from initiating attack. Prevention mechanisms usually require encryption techniques to provide authentication, 4

5 integrity, etc. Some proposals use symmetric algorithms, some use asymmetric algorithms, and others using one way hashing. Prevention using Asymmetric cryptography: SAODV and ARAN (Authenticated Routing for Ad hoc) are two protocol proposed in this category. SAODV secures the AODV protocol by digitally signing the fields of the routing message, for authentication. ARAN makes use of the cryptographic certificate to offer the routing certificate [3]. Prevention using Symmetric cryptography: SAR (Security aware ad hoc routing) and SRP (Secure routing protocol) are the two protocols in this category that can be applied to most of the commonly used protocol today. SAR attempts to use the traditional shared symmetric key encryption, and involves some sort of key distribution system to distribute the trust level keys to the correct devices. SRP is based on security association via secret key schema to provide routing information Prevention using one-way hash chain: SEAD and Ariadne are two protocols that use this mechanism. SEAD implements one way hash chains to protect modification of routing information like sequence number and source route. Ariadne relies on efficient symmetric cryptography [10]. Detection and Reaction: These are solutions that attempt to identify the malicious activities in the network and take actions against such nodes. Examples include Byzantine, Confidant, DSR, CORE, and using watchdog and pathrater. Wachdog and Pathrater can be deployed to most existing protocols. Wachdog is used to identify the misbehaving nodes while the parthrater avoids routing packets through these nodes [9]. 5- Ad hoc On Demand Distance Vector Routing: Ad-hoc On Demand Distance Vector (AODV) protocol is a reactive routing protocol; however it has a feature of proactive protocol in a sense that a source node stores the valid routes for the next hop node in routing table. AODV uses a distributed approach [1]; meaning that source nodes do not know the routing sequence of the intermediate nodes it has to go through to reach the destination. AODV uses the route discovery and route reply process to create and maintain a route on demand. In the route discovery phase for a source node to send information to a destination node, it first looks up its own routing table to see if a valid route exists. If a valid route does not exist, a source node broadcasts a global route request message (RREQ) that contains the source address, source sequence number, destination address, destination sequence number, broadcast ID, and hop count [5]. The combination of the source address and the broadcast-id is used to uniquely identify each RREQ message. A node that receives the RREQ message which is usually the nearest node to the source node replies immediately with a routing reply (RREP) if it has a fresh route. Otherwise, it forwards the RREQ message to establish the route to the destination. The sender selects the first node to respond with a RREP (Routing Reply) as the intermediate node to send messages through. During the route discovery phase a forward pointer link between source node, destination node, and all the intermediate nodes as the RREQ messages propagate in the routing discovery, Figure [1]. Similarly, backward pointer links between all nodes as the RREP messages propagate back to the source node, Figure [2]. This result in a pair of forward and backward pointers set up between all the intermediate nodes participating in the routing process, Figure [3]. 5

6 SN DS SN DN Figure [1] RREQ Prorogate Figure [2] RREP Prorogate SN DS Figure [3] pair of forward and backward pointers in each node. Figure [1] Traffic from sender Node0 to receiver Node3 Figure [2] forward bytes when Node2 not present. Figure [3] forward bytes when Node2 present We used a network simulation tool (NS-2) to simulate traffic in AODV protocol, the figures above show the corresponding process of route discovery through the closest path in the network. In the arrangement of the simulation, node 2 is close to the source node 0 6

7 so if node2 is present in the network, then traffic sequence will go through If it is not present then traffic will flaw through this route sequence will follow AODV maintains the routing process by having three messages. A route error message that generate when any links in a route fails, a route-error message is generated by an intermediate node to source nodes on the link and this message will propagate to every source node that uses the failed link. Then, source nodes will initiate the route discovery process. A periodic hello messages between immediate neighbor nodes are required to prevent the forward and backward pointers from expiration and make sure the nodes still an available and participating in the routing process. Finally, route time-out message that delete the links between intermediate nodes if there is no activity on a route for a certain amount of time. Security Problems in AODV and possible solutions AODV is vulnerable to a well known malicious node called black hole and gray hole attacks. These nodes are planted by a hacker. They tend to be the first node to respond to a RREQ message broadcast by the source node because they do not check their own routing table to see if there is a route to the destination. These nodes can ignore packets that are routed to them, and as a result they can perform denial of service attack. Grey Hole is a node that can switch from behaving correctly to behaving like a black hole. This is done to avoid detection. Some researchers [4] discussed and proposed a solution to a black hole attack by Disable the ability for intermediate nodes to reply to an RREP; and only allow the destination to reply. Venkatraman [7] presents two models to secure AODV: EAPM (External Attack Prevention Model), and IADM (Internal Attack Detection Model). Previously proposed protocols to secure AODV including SAODV (Secure Ad Hoc Distance Vector) are still vulnerable to some external and internal attacks. SAODV uses Assymetric cryptography mechanism to authenticate the fields of the routing message by using a digital signature, which is quite strong technique. However, when considering external attacks, SAODV still vulnerable to malicious nodes attacks like black hole and Denial of service attack. In our solution to this problem we are introducing a schema that can be implemented to AODV protocol to ensure detecting external malicious nodes like black hole and also ensure authentication between member nodes in network to prevent a against possible denial of service attack. In our research we are not sure how multiple black holes nodes will be detected, but previous researches have proposed a solution to this problem [6].. Solution To detect black and gray hole nodes, we propose having the sender occasionally check through all available routes, whether the destination received all of its messages intact. This must be done after some data has been sent. In order to circumvent any black hole nodes that might interfering with message traffic, the sender broadcast a "check" request message (figure 2), and the destination's response would follow the same route as the 7

8 request (figure 3). To deal with the possibility of a node altering or faking the client response, the sender compares each response with the data that it sent to the destination. If the responses differ from what the sender sent, it may indicate a bad link or a malicious node. If any two client responses differ, that is almost a sure sign of a malicious node. In any case, the sender can choose another intermediate node for sending its data, as shown in figure 4, or send an alarm. Two new control messages can be added to the AODV protocol to facilitate this. One, which we call "RRCS" for "Routing Request Checksum" is broadcast by the sender to reach the destination, like an RREQ when no intermediate nodes hold a route to the destination. Each node through which it passes adds its ID to RRCS. The destination responds to each RREQ it receives with the second control message, RCSR for "Routing Checksum Reply." It contain a checksum or CRC code of the data that the client received from the server, including routing control messages, and the size of the data that it received. It also contains a copy of the list of nodes that its corresponding RREQ passed through; and each node that the RRCS passes through refers to that list, in reverse order, to determine the next node to forward it to. This ensures that the RCSR follows the exact route as the RRCS, in reverse order. As the server receives each RCSR response, it compares its checksum with the checksum of the data that was sent. Figure 1 Figure 2 Figure 3 Figure 4 To prevent denial of service attack on AODV protocol based network from an external malicious node and intruder or from an internal misbehaving node that can flood the network with any kind of control messages, such as RREQ and RREP. A set of two types of keys in the member nodes will be used in this protocol. Secret key shared between all nodes and public-private key pair for each node. Using this approach will provide a 8

9 mechanism to authenticate member nodes in the same group that have the same shared secret key. Therefore, an external malicious node planted physically by external user can be identified and any member nodes receive any messages from a node that does not have the secret shared key will drop that message. This will detect and prevent the external attacks including Dos attack. Also, internal nodes and messages between them will be authenticated by digital signature using their own private key. This will provide internal security to an external node that assumingly got the shares key. This node will not be able to communicate with member nodes since it will not use its private key. Applying the previous mentioned approach of using the digital signature to authenticate all messages between member nodes will provide us with a way to detect the misbehaving nodes in the member community; such node can not deny sending particular information since member nodes send messages authenticated through their own private key. If misbehaving node detected regularly, then neighbors nodes will report to other member nodes in the network. We also propose applying the fingerprint mechanism to authenticate specific users to have access to certain nodes, and also to prevent any non legitimate user to gain access to member nodes in the network. Proposal Risk: We identified some questions that cross the mind concerning our proposed methodology, these questions are: Q1-What if another problem prevented the destination from receiving all of the packets that were sent. Q2- What about the network and power overhead involved in broadcasting a new message. Q3- What if another malicious node, in the path of an alternative route between the sender and the destination, alters the destination s response. Q4- What if another malicious node alters the destination s positive response to say that no data has been sent? A1-As long as the TCP protocol is used to transfer the data, this shouldn t be a problem, since TCP provides reliable delivery. If such a problem still occurred, it would be better for the sender to sent messages through a different route. A2-The interval in which the checksum message is sent can be varied based on the application requirements. In this, there would be a tradeoff between security and network traffic. A3- We are assuming a reliable path between sender and destination since we proposed technique to detect external malicious nodes and a way to authenticate internal nodes. If there are no good paths between the sender and the destination, this may fail to detect a black hole attack. A4-The system would know that a bad node exists anyway and would send an alarm to other nodes. Further action can then be taken to identify and isolate malicious nodes 6- Future Research 9

10 In this paper we have analyzed routing protocols and security issues of MANETs; we also described AODV protocol and proposed methods to solve security issues of the black hole, Dos, and detecting and reporting malicious nodes in AODV protocol. As future work, we are intended to test the performance of our solutions through simulation, and also demonstrate how our solutions can co-exist with other published solutions. References: [1] C. Karlof and D. Wagner., Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures, Sensor Network Protocols and Applications (SNPA'03), May 2003 [2] Anthon Wood, A. D., and Stankovic, J. A. Denial of service in sensor networks. IEEE Computing (2002), [3] Deng, J., Han, R., Mishra, S.: INSENS: Intrusion-tolerant routing in wireless Sensor Networks. Technical Report CU CS , Department of Computer Science, University of Colorado, November [4] H. Deng, W. Li, and D. Agrawal, "Routing Security in Wireless Ad Hoc Networks," IEEE Comm. Magazine, vol. 40, no. 10, 2002, pp [5] P Papadimitratos, Secure Data Communications in Mobile Ad Hoc Networks IEEE Journal On Selected Areas In Communications, vol. 24, No. 2, February 2006 pp [6] S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, K. Nygard Prevention of Cooperative Black Hole Attack in Wireless Ad Hoc Networks [7] L. Venkatraman and D.P. Agrawal, Strategies for enhancing routing security in protocols for mobile ad hoc networks, J. Parallel Distrib. Comp., [8] S. Yi, P. Naldurg, and R. Kravets Security-Aware Ad hoc Routing for Wireless Networks The Second ACM Symposium on Mobile Ad Hoc Networking & Computing (MobiHoc'01), 2001.(another version Security-Aware Ad Hoc Routing Protocol for Wireless Networks, Report, August, 2001) [9] Sergio Marti and T. J. Giuli and Kevin Lai and Mary Baker. Mitigating routing misbehavior in mobile ad hoc networks. Mobile Computing and Networking (2000): [10] Yih-Chun Hu, David B. Johnson, and Adrian Perrig. SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks. Proceedings of the 4th IEEE Workshop on Mobile Computing Systems & Applications (WMCSA 2002), pp. 3-13, IEEE, Calicoon, NY, June