Denial of Service in Sensor Networks Anthony D. Wood and John A. Stankovic

Why Security? Battlefield Battlefield Disasters Disasters –Protect the location and status of casualties from unauthorized disclosure, particularly if the disaster relates to ongoing terrorist activities Public safety Public safety –False alarms about chemical, biological, or environmental threats could cause panic or disregard for warning systems. An attack on the system’s availability could precede a real attack on the protected resource. Home healthcare Home healthcare –Because protecting privacy is paramount, only authorized users can query or monitor the network. These networks can also form critical pieces of an accident-notification chain, thus they must be protected from failure.

THE DENIAL OF SERVICE THREAT A DoS attack is any event that diminishes or eliminates a network’s capacity to perform its expected function. Hardware failures, software bugs, resource exhaustion, environmental conditions, or their combination Hardware failures, software bugs, resource exhaustion, environmental conditions, or their combination Intentional Attack Intentional Attack

Adversary Capability Physically damaged or manipulated node Physically damaged or manipulated node –May be less powerful than a normally functioning node. Subverted nodes (or added ones) Subverted nodes (or added ones) –Interact with the network only through software –As powerful as other nodes Immensely more powerful adversaries Immensely more powerful adversaries –Existing wired network with virtually unlimited computational and energy resources possible.

Attacks on Physical Layer Jamming Jamming –Defenses Spread-spectrum Spread-spectrum Region mapping Region mapping –Lower duty cycle Tampering Tampering –Defenses: Tamper-proofing, hiding

Link Layer Attacks Collision Collision –Use error-correcting codes Exhaustion Exhaustion –Rate limitation Unfairness Unfairness –Small frames

Network and Routing Attacks Neglect and greed Neglect and greed –Redundancy, probing Homing/traffic analysis Homing/traffic analysis –Encryption: enough? Misdirection Misdirection –Egress filtering, authorization, monitoring Black holes Black holes –Authorization, monitoring, probing, redundancy

Neglect and Greed Neglect Neglect –Drops packets arbitrarily Greed Greed –Gives undue priority to it’s own messages Use multiple paths and/or redundant messages to mitigate these effects. Use multiple paths and/or redundant messages to mitigate these effects.

Homing Geographic forwarding allows attacker to figure out where important nodes are. Geographic forwarding allows attacker to figure out where important nodes are. Encrypting headers as well as content might alleviate this issue. Encrypting headers as well as content might alleviate this issue.

Misdirection Diverting traffic away from intended destination Diverting traffic away from intended destination – targets the sender Misdirecting many flows in one direction Misdirecting many flows in one direction – targets an arbitrary victim (receiver) Defense Defense –Egress Filtering Verification of source addresses Verification of source addresses Legitimately generated from below? Legitimately generated from below?

Black Holes Distance-vector-based protocol weakness Distance-vector-based protocol weakness Nodes advertise zero-cost routes to every other node. Nodes advertise zero-cost routes to every other node. Fixes: Fixes: –Authorization –Monitoring watchdog the next hop transmission of your packets by neighbors watchdog the next hop transmission of your packets by neighbors –Probing Send periodic messages across topology to test for blackout regions Send periodic messages across topology to test for blackout regions –Redundancy

Transport Layer DoS Flooding Flooding –Client puzzles Make the adversary commit resources Make the adversary commit resources Only useful if the adversary has limited resources Only useful if the adversary has limited resources Desynchronization Desynchronization –Authentication

PROTOCOL VULNERABILITIES Analyzing these vulnerabilities helps show why developers should consider DoS susceptibility at design time.

Adaptive Rate Control – MAC Protocol by Woo & Cull Give preference to route-through traffic Give preference to route-through traffic –This preserves the network’s investment in packets that may have already traversed many hops. Makes flooding attacks more effective. Makes flooding attacks more effective. –High bandwidth packet streams that an adversary generates will receive preference during collisions that can occur at every hop along their route. –Thus, the network gives preference to malicious traffic.

RAP Real-time communication architecture Real-time communication architecture –query-event service API –geographic forwarding –Velocity monotonic scheduling (VMS) policy. Originator of message sets deadline, and destination Originator of message sets deadline, and destination –VMS layer computes velocity based on time to deadline and distance remaining

RAP Vulnerability Flood with high velocity packets Flood with high velocity packets –Set destination at long distance Possibly outside the network Possibly outside the network Intermediate node adversary could lower the velocity of route through traffic Intermediate node adversary could lower the velocity of route through traffic –Causes missed deadline several hops away If relying on a synchronized clock, attacking that mechanism could cause another node to always drop If relying on a synchronized clock, attacking that mechanism could cause another node to always drop –inadvertent black hole