Packet Leashes: A Defense Against Wormhole Attacks in Wireless Ad Hoc Networks Yih-Chun Hu Carnegie Mellon University Adrian Perrig Carnegie Mellon University David B. Johnson Rice University Presenter: Josh Van Buren
Overview This paper introduces the wormhole attack, which effects the routing protocols of ad hoc networks. To detect and defend against these attacks, the authors introduce the concept of packet leashes and the TIK(TESLA with instant key disclosure) protocol, which implements it.
Outline Background introduction Detecting wormhole attacks Routing protocols Detecting wormhole attacks Packet leashes Geographic Temporal TIK Protocol Related Work Strengths & Weaknesses Future Work
Background Ad hoc or wireless networks are steadily increasing in number and application. Low cost Easily Deployable Previous Research Routing Communication Assumes secure environment However, many applications may run in unsecured environments.
Background In many situations, ad hoc networks require secure communications. Police Networks Military Networks Emergency Response Oil Drilling and Mining Operations Disaster Areas Ad hoc networks may be the only communication available
What are Wormhole Attacks? In a wormhole attack, an attacker receives packets from one location in the network and “tunnels” them to another location in the network. The packets are then forwarded from that location in the network. This attacks the routing protocols of networks.
Wormhole Attacks For routes longer than one hop an attacker can easily make a packet sent through the wormhole link arrive faster than the legitimate packet. An attacker may also send the packet bit by bit to reduce the delay time. Why is this important?
Wormhole Attacks Why those attacks are dangerous? Even in networks that provide confidentiality and security, routing protocols are still vulnerable. Eavesdropping Networks with on demand routing protocols DSR AODV
Dynamic Source Routing DSR consists of two parts: route discovery and route maintenance. How does route discovery work? Node A sends out a Route Request. If node B has recently seen another Route Request from the same target or if its address is already listed in the route record, then the request is ignored. If B is the target of the Route Discovery, it returns a Route Reply to the initiator. The Route Reply contains a list of the “best” path from the initiator to the target. When the initiator receives this Route Reply, it caches this route in its Route Cache for use in sending subsequent packets to this destination. Otherwise neighbor nodes forward the request.
Dynamic Source Routing How does route maintenance work? If node C does not receive an acknowledgement from node D after some number of requests, it returns a RouteError to the original source A. As soon as node receives the RouteError message, it deletes the old route from its cache. If A has another route to E, it sends the packet immediately using this new route. Otherwise the initiator A is starting the Route Discovery process again.
Ad Hoc On-Demand Distance Vector Routing AODV is an on demand routing protocol. Does not store entire path Uses routing tables to store the next hop Set up by forwarding route requests Why is AODV more popular?
Vulnerability of DSR and AODV DSR and AODV are extremely vulnerable to wormhole attacks. An attacker may directly send Route Request packets to their destination through the wormhole. When neighbors of the destination node hear the request, they will forward it and discard all other Route Request packets from that node.
Vulnerability of DSR and AODV What happens as a result? The result of this is that no other paths except those through the wormhole can be found. An attacker close enough to the sender can prevent any routes larger than two hops from being discovered. What other kind of attack does this allow? An attacker in this position can implement a permanent DoS attack by discarding all packets except for Route Request packets.
Proactive Routing Vulnerabilities Proactive routing protocols calculate routes before they are needed and periodically broadcast routing table updates throughout the network. Examples include DSDV, OLSR, and TBRPF. Their vulnerability arises from detecting neighbors through the use of broadcast packets. HELLO messages to determine neighbors
Detecting Wormhole Attacks The authors of the paper use the concept of a packet leash to detect wormhole attacks. A packet leash is anything designed to restrict the maximum transmittable distance of the packet. Geographic and temporal leashes are used.
Packet Leashes Geographic Leashes Temporal Leashes Designed to make sure that a receiver is within a certain distance of the sender Temporal Leashes Places an upper bound on the lifetime of a packet. Receivers know an attack is underway when a packet travels farther than the leash allows.
Geographic Leashes To use geographic leashes, each node must know its own location and have loose time synchronization with other nodes. Each sender sends its own location and a timestamp with each packet. Comparing these values with its own, a receiver may bound the distance between itself and the sender with the following formula: Variables: pr : Position of the receiver ps : Position of the sender tr : Time of the receiver ts : Time of the sender v : Upper bound on the velocity of any node δ : Relative Location error Δ : Bound on time synchronization
Geographic Leashes This approach will not work in situations exists where physical obstacles prevent communication between nodes. In this situation, a network would use location information to create geographic leashes. To accomplish this each node would use a radio propagation model. A receiver would verify that every possible location of the sender could reach every possible location of the sender by calculating a radius around each node.
Temporal Leashes To use temporal leashes, all nodes must be time synchronized to within a few microseconds or even nanoseconds. A sender includes the time in a packet. A receiver determines if the packet has traveled too far based on that time and the speed of light. Another way of implementing temporal leashes is for the sender to include a expiration time in the packet. These times may be verified by digital signature.
Leashes Geographical leashes have some advantages over temporal leashes. Time synchronization can be loose. Using geographic leashes with digital signatures can also identify attackers that claim to reside at multiple locations by comparing their movement velocity with the upper bound on node velocity. δ’(t) represents the bound on the maximum relative position error.
Leashes When a node discovers, an attacker they broadcast the two packets from the attacker to alert other nodes. To aid in duplicate suppression, each node contains a list of blacklisted locations. When a attacker node is discovered, the list is checked and updated.
TIK Protocol The TIK Protocol uses temporal leashes with packet expiration dates. The expiration time of the packet is calculated by the following formula where L is the maximum distance the packet should travel and c is the constant speed of light. Δ represents the maximum time synchronization error.
TIK Protocol Expiration time authentication MAC codes Digital signatures Digital signatures are more efficient for two reasons. A key pair for each sender receiver pair. The key for each receiver that a packet must go through would have to be attached to the packet. Still computationally expensive What should we do?
TIK Protocol Hash tree instead of one-way chain Values would be rarely used. Verification is computationally expensive. So, what is a hash tree? P2P Networks Other uses Optimizing storage
Hash Tree To authenticate a sequence of values, they are placed as leaves in a balanced, binary tree. These values are binded with a one way hash function to keep from disclosing additional values. Each internal node of the tree is derived from its two child nodes. The levels of the tree are computed recursively from the leaf nodes to the root. To authenticate a certain node, a sender would disclose, i, vi, and all of the nodes necessary to verify the path to the root.
Validating a Node Let’s go through an example
TIK Protocol Stages Sender Setup Receiver Bootstrapping Sending and Verifying Packets All stages of protocol setup are extremely similar to those described in the previous article presented on TESLA.
TIK Evaluation To evaluate whether or not this protocol is practical the authors tested computational power and memory in mobile devices. There results showed that a Pentium III with 1 GhZ can perform 10 million hash function evaluations in 7.544 seconds. A Compaq iPaq 3870 running Linux took 45 seconds to perform the same amount of evaluations. The authors also tested the abilities of certain commodity LAN products.
Comparing the Types of Leashes Comparing the two types of leashes, the authors state that temporal leashes should be used when: Geographic leashes should be used when:
Related Work A related article on the TESLA protocol was presented in this class. RF watermarking Directional antennas Graph Theory Multi-dimensional Scaling with Interactive Visualization of Wormholes
Related Work
Strengths If this approach were able to be practically implemented, it would successfully defend against wormhole attacks.
Weaknesses The time synchronization required by temporal leashes is completely unpractical. The time synchronization required by geographic leashes is most likely unpractical. The use of a radio propagation model with geographic leashes would be extremely expensive. A clever attacker could defeat the entire premise of geographic leashes by cleverly choosing their false locations. Clock drift would most likely be larger than the time synchronization required for temporal leashes.
Weaknesses There a great deal of other factors that could destroy the time synchronization requirements of temporal leashes. Encryption time A sender not knowing exactly when a packet will be sent. Also, the upper bound on the velocity of a node would be difficult to define. It may be vastly different depending on the type of ad-hoc network.
Future Work Possible future studies include actually implementing this on a network and observing the results to determine if time synchronization is actually possible. If this protocol is ever implemented using geographic leashes, an interesting experiment would be to attempt to perform wormhole attacks where the claimed locations of the attacker are reasonably chosen.