A Flow-Based Network Monitoring Framework for Wireless Mesh Networks
Authors: Feiyi Huang, Yang Yang (University College London); Liwen He (British Telecom Group CTO)
Presented by Sheetal Gupta, CMSC 681, Fall 2007
Agenda
Wireless Mesh Networks
Vulnerabilities and Security Challenges
Proposed MeshFlow Framework
  MeshFlow Record Structure
  Record Creation
  Record Management
  Record Analysis
Implementation Issues
Conclusion
Wireless Mesh Networks (WMN)
WMNs are an extension of wireless ad hoc and sensor networks.
A WMN has a hybrid network infrastructure with a backbone and an access network.
It is a group of self-organized and self-configured mesh clients and mesh routers interconnected via wireless links.
Applications: digital home, community and neighborhood networking, enterprise networking, emergency and disaster networking.
Wireless Mesh Networks (WMN)
Mesh clients can be user devices with a wireless network card, such as PCs, laptops, PDAs and mobile phones. They have limited energy, computing power and radio range.
Mesh routers are usually more powerful in terms of computation and communication capabilities and have a continuous power supply. They are normally static and act as access points that supply Internet connections for clients.
User traffic from a client is transmitted over a multi-hop wireless path to its destination: client-to-client (CC), client-to-router (CR) and router-to-router (RR).
Wireless Mesh Networks (WMN)
The wireless mesh backbone network is formed by ad hoc mode interconnections of mesh routers.
When a new or existing router joins or leaves the backbone, the network self-organizes and self-configures accordingly.
In a WMN, usually there is one static mesh router and a number of mesh clients that are either static or mobile.
Vulnerabilities and Challenges
Security attacks can occur in the physical, MAC and network layers.
Physical layer: radio frequency jamming. Attackers can generate jamming signals to interfere with communications on wireless channels.
MAC layer: in contention-based MAC protocols, a small back-off interval gives a user the advantage of gaining access to the wireless channel quickly. Another attack is continuously broadcasting busy-tone signals, causing other users to remain in waiting status for a long period.
Network layer: for reactive routing protocols like AODV, the node list in the route request (RREQ) and route reply (RREP) can be fabricated, replaced or deleted. For proactive routing protocols like OLSR, an attacker can advertise a modified routing table, leading all traffic towards an intended address or generating loops. The attacker can then steal all packets, or produce a sink-hole by selectively discarding packets.
Vulnerabilities and Challenges (cont.)
Denial of Service (DoS) attack: handshake messages and other access control packets in the MAC layer, and routing tables and route discovery packets in the network layer, can easily be falsified to exclude vital fields, include a non-existent source or destination, or be replaced by malformed information. MAC message exchange and route discovery procedures are suspended by these unreadable packets and tables. As a result, additional requests from other devices are not answered by terminals that are struggling to resolve these packets and tables.
DoS can be achieved more easily by flooding attacks: ICMP flooding, TCP SYN (synchronize packet) flooding and UDP flooding. In a WMN, flooding is more damaging because the network devices are weaker.
MeshFlow Framework
All of these performance degradations are reflected in changes in network traffic. By monitoring the traffic change, an attack can be actively monitored.
In a WMN, the concept of a network traffic flow is extended and defined as a MeshFlow.
The MeshFlow framework is designed to generate, transmit and analyze MeshFlow records.
MeshFlow Framework (cont.)
A MeshFlow record is a special kind of packet that contains a summary of the properties of packets passing through a mesh router. Its fields include the source and destination addresses, the next-hop address, the number of bytes and packets, the transport protocol and the summation of previous transmission delays.
MeshFlow Creation: on each mesh router, part of the memory is set aside as a MeshFlow cache dedicated to MeshFlow record creation and maintenance. When a packet travels through the router, its transmission information is extracted and forms a MeshFlow record. If two packets have the same source, destination and next-hop addresses and the same transport protocol, their transmission information is aggregated into one record by summing the number of packets, bytes and delay duration.
MeshFlow Framework (cont.)
MeshFlow Management: when a MeshFlow record is created it is time-stamped to indicate the starting time of the record. An aging mechanism calculates the overall active duration of the record. Records are then exported to a dedicated collector and analyzer and permanently deleted from the MeshFlow cache.
MeshFlow Framework (cont.)
MeshFlow Analysis: after exporting the records from all routers to the collector, a picture of the entire network can be constructed.
User monitoring: when a packet travels through a multi-hop path of mesh routers, a record is created on each router. By aggregating these records, the complete transport path of the packet can be derived, including source, destination and all intermediate routers, so a comprehensive investigation of each traffic flow is achieved.
Router monitoring: when records are aggregated per mesh router, the traffic transported on each of its channels can be illustrated clearly.
MeshFlow Framework (cont.)
MeshFlow Analysis (cont.)
Security protection: an attack scenario leads to abnormal traffic, which can be detected by analyzing the MeshFlow records and matching them against attack signatures. For example, in a flooding attack there is burst traffic toward the same destination; under MAC abuse there are no successful transmissions in the affected access network. Protection can be achieved by further action, such as having the router where the flood originates block the corresponding attack traffic.
Application and service monitoring: different network applications usually use separate transport protocols, so MeshFlow records can be aggregated per application at each router. Inappropriate resource utilization can then be reallocated to balance the applications running on each router.
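The three analysis views above (user monitoring by path reconstruction, router monitoring by per-router aggregation, and the flooding signature "burst traffic toward the same destination") as one added Python example; this is not code from the paper or the slides. The exported records are a constructed sample, and the tuple layout and the packets-per-second threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of records exported to the collector by routers R1..R3 (not real data):
# (router, src, dst, next_hop, proto, packets, octets, active_seconds)
RECORDS = [
    ("R1", "C1", "C2", "R2", "tcp", 40, 32000, 10.0),
    ("R2", "C1", "C2", "R3", "tcp", 40, 32000, 10.0),
    ("R3", "C1", "C2", "C2", "tcp", 40, 32000, 10.0),
    ("R1", "C5", "C9", "R3", "icmp", 9000, 720000, 3.0),  # burst toward C9
    ("R3", "C5", "C9", "C9", "icmp", 9000, 720000, 3.0),
    ("R1", "C6", "C9", "R3", "icmp", 8500, 680000, 3.0),  # second source, same target
    ("R3", "C6", "C9", "C9", "icmp", 8500, 680000, 3.0),
]

def reconstruct_path(records, src, dst):
    """User monitoring: chain the per-router records of one (src, dst) pair into the multi-hop path."""
    hops = {r[0]: r[3] for r in records if r[1] == src and r[2] == dst}
    ingress = [router for router in hops if router not in hops.values()]  # access router of the source
    if len(ingress) != 1:
        return None
    path, cur = [src], ingress[0]
    while cur in hops and cur not in path:  # 'not in path' stops on a routing loop
        path.append(cur)
        cur = hops[cur]
    path.append(cur)
    return path if cur == dst else None

def router_load(records):
    """Router monitoring: octets forwarded by each router, aggregated over all its records."""
    load = defaultdict(int)
    for rec in records:
        load[rec[0]] += rec[6]
    return dict(load)

def flood_suspects(records, pps_threshold):
    """Security protection: destinations whose aggregate packet rate matches the flooding signature.
    Only last-hop records (next_hop == dst) are summed so relayed packets are not counted twice."""
    rate = defaultdict(float)
    for router, src, dst, next_hop, proto, pkts, octets, secs in records:
        if next_hop == dst:
            rate[dst] += pkts / secs
    return sorted(d for d, r in rate.items() if r > pps_threshold)
```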
Implementation Issues
The MeshFlow framework unavoidably induces extra overhead on the network, so careful design to suit the specific network scenario is required. Two static parameters must be determined.
MeshFlow record structure: different fields are used for different kinds of monitoring and analysis, so it is not necessary to generate a complete record for every scenario.
Collection method: three methods are possible.
  Dedicated cable line: each router has a dedicated cable line.
  Distributed antenna: the MeshFlow collector has antennas deployed around the entire backbone network.
  Multi-hop relaying: records are exported as normal packet transmissions via multi-hop router-to-router wireless links, finally reaching the collector.
Implementation Issues (cont.)
Two dynamic parameters must be determined.
Packet sampling rate: for each incoming packet at a router, information is either extracted immediately or ignored, depending on the sampling rate.
  Time-based: extract information from packets at certain time intervals.
  Packet-based: sample one packet after ignoring a certain number of packets.
  Terminal-based: sample packets more frequently from terminals with a bad history.
Exportation time interval:
  Idle: export a record if it has been idle for a certain period.
  Active: export a record if it has been active for too long.
  Oldest: export the oldest record when the MeshFlow cache is heavily loaded.
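The router-side cache described under MeshFlow Creation and MeshFlow Management, together with packet-based sampling and the three exportation rules (idle, active, oldest) listed here, as one added Python example; it is not the authors' code. The record field names, the aggregation key (source, destination, next hop, transport protocol) and all timer values are assumptions.

```python
from dataclasses import dataclass

@dataclass
class MeshFlowRecord:           # summary of all packets sharing one aggregation key
    src: str
    dst: str
    next_hop: str
    proto: str
    start: float                # time stamp set when the record is created
    last_seen: float            # last packet merged in; drives the idle rule
    packets: int = 0
    octets: int = 0
    delay_sum: float = 0.0      # previous transmission delay summation

class MeshFlowCache:
    def __init__(self, idle_timeout, active_timeout, max_records, sample_every=1):
        self.idle_timeout = idle_timeout      # 'idle' export rule (assumed value)
        self.active_timeout = active_timeout  # 'active' export rule
        self.max_records = max_records        # cache size that triggers the 'oldest' rule
        self.sample_every = sample_every      # packet-based sampling: keep 1 of every N
        self.seen = 0
        self.records = {}                     # live records keyed by (src, dst, next_hop, proto)
        self.exported = []                    # records handed to the collector/analyzer

    def observe(self, src, dst, next_hop, proto, size, delay, now):
        """Account one forwarded packet; returns its record, or None if the packet was not sampled."""
        self.seen += 1
        if self.seen % self.sample_every:
            return None
        key = (src, dst, next_hop, proto)
        rec = self.records.get(key)
        if rec is None:                       # first packet of this flow at this router
            rec = MeshFlowRecord(src, dst, next_hop, proto, start=now, last_seen=now)
            self.records[key] = rec
        rec.packets += 1                      # same key: aggregate counts into one record
        rec.octets += size
        rec.delay_sum += delay
        rec.last_seen = now
        self.age(now)
        return rec

    def age(self, now):
        """Aging: export idle or long-active records, then evict the oldest while the cache is overloaded."""
        for key, rec in list(self.records.items()):
            if now - rec.last_seen >= self.idle_timeout or now - rec.start >= self.active_timeout:
                self.exported.append(self.records.pop(key))
        while len(self.records) > self.max_records:
            oldest = min(self.records, key=lambda k: self.records[k].start)
            self.exported.append(self.records.pop(oldest))
```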
Conclusion
We reviewed security challenges and attacks in the physical, MAC and network layers of wireless mesh backbone and access networks.
We defined the new concept of MeshFlow and proposed a flow-based network monitoring framework to tackle security issues in WMNs.
Reference
"A Flow-Based Network Monitoring Framework for Wireless Mesh Networks", Feiyi Huang, Yang Yang (University College London), Liwen He (British Telecom Group CTO).
Thank you! Questions?