1 Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks Asad Amir Pirzada and Chris McDonald.

Presentation transcript:

1 Detecting and Evading Wormholes in Mobile Ad-hoc Wireless Networks Asad Amir Pirzada and Chris McDonald

2 Outline
- Introduction
- Previous Work
- Dynamic Source Routing (DSR)
- Wormhole Creation
- Trust Model
- Wormhole Detection and Evasion
- Conclusion
- Comment

3 Introduction: Mobile ad-hoc wireless networks
- Improvised and insecure environments
  1. Malicious nodes may participate to snoop or sabotage.
     - Passive attacks: eavesdrop on packet contents
     - Active attacks: imitate, drop or modify legitimate packets
  2. Wormhole attacks: two or more malicious colluding nodes create a higher-level virtual tunnel in the network to conduct a variety of attacks.
- The paper presents a novel trust-based scheme that does not engage any cryptographic means.

4 Introduction: Ad-hoc network
- Built by wireless nodes
  - Limited transmission range and battery power
  - Each node seeks the assistance of its neighbouring nodes in forwarding packets.
- Routing protocol
  - Requires persistent cooperative behaviour
  - Each node acts like a mobile router.
- Two kinds of routing protocol
  - Reactive: try to save battery power by discovering routes only when they are essentially required
  - Proactive: continuously establish and maintain routes to avoid the latency

5 Introduction: Ad-hoc network
- Secure routing protocols
  - Managed ad-hoc networks: permit configuration of the nodes with encryption keys and certificates
  - Pure ad-hoc networks: no a priori knowledge of their future setup

6 Previous Work
- Packet Leash: detect and defend against wormhole attacks. Paper: A Defense against Wormhole Attacks in Wireless Networks (2003)
- MDS-VOW, the Multi-Dimensional Scaling Visualization of Wormhole. Paper: Visualization of Wormholes in Sensor Networks (2004)
- Directional Antennas: using directional antennae to detect wormhole attacks. Paper: Using Directional Antennas to Prevent Wormhole Attacks (2004)
- SECTOR, the Secure Tracking of Node Encounters in Multi-hop Wireless Networks. Paper: SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks (2003)
- DSR, the Dynamic Source Routing Protocol for Mobile Ad Hoc Networks

7 Previous Work
- Packet Leash: a mechanism to detect and defend against wormhole attacks.
- Two types of leashes:
  1. Geographic Leash: each node knows its precise position and all nodes have a loosely synchronized clock.
  2. Temporal Leash: all nodes are required to maintain a tightly synchronised clock.

8 Previous Work: Geographic Leash
  1. Each node knows its precise position.
  2. All nodes have a loosely synchronized clock.
- Packets + current position + transmission time
  1. Compute the distance and the time at which the packet was received.
  2. Check for a wormhole by time and distance.
- All nodes can obtain an authenticated symmetric key of every other node.

9 Previous Work: Temporal Leash
  1. All nodes maintain a tightly synchronized clock.
- Packets + transmission time
  1. Compare the time to local time (assume propagation speed is equal to the speed of light).
  2. Compute the distance to the sender.
  3. Able to detect the wormhole.
- All nodes can obtain an authenticated symmetric key of every other node.

10 Previous Work: SECTOR (Secure Tracking of Node Encounters in Multi-hop Wireless Networks)
- A set of mechanisms to prevent wormhole attacks without requiring any clock synchronization or location information
- Uses a distance-bounding protocol (Mutual Authentication with Distance-bounding; MAD) to determine the distance between any two communicating parties.
- Assume:
  - Each node is equipped with a special hardware transceiver module to perform a two-bit XOR operation.
  - Message authentication codes (MAC) are secured using pairwise secret keys.
- Provides the receiver with the exact distance to a sender

11 Previous Work: Directional Antennas
- All nodes share their directional information to prevent wormhole attacks.
- Messages from a non-neighbour are discarded.

12 Previous Work: MDS-VOW
- MDS-VOW (Multi-Dimensional Scaling Visualisation of Wormhole)
  - To detect wormholes in sensor networks
  - Does not require any special hardware such as positioning devices, synchronised clocks or directional antennas
  - Adopts social science, computer graphics, and scientific visualization
  (1) Estimate the distance to immediate neighbours (the received signal strength)
  (2) Send the distances to the centralized controller

13 Dynamic Source Routing (DSR)
- DSR
  - A reactive routing protocol
  - IP source routing
  - Route discovery: the source node broadcasts a ROUTE REQUEST packet (unique identification number, the target node address)
  - ROUTE REPLY packet (list of nodes)
[Figure labels: recipient node, target node]

14 Wormhole Creation
- A wormhole can be created in three ways:
  - Tunneling of packets above the network layer
  - Long range tunnel using high power transmitters
  - Tunnel creation via external wired infrastructure
- Tunneling of packets above the network layer
  - Modify all received packets (encapsulate in a higher layer protocol)
  - Dispatch to the colluding node
[Figure labels: recipient, malicious node, colluding node, target node, packets]

15 Wormhole Creation
- Long range tunnel using high power transmitters
- Tunnel creation via external wired infrastructure
  - Modify all received packets (encapsulate in a higher layer protocol)
  - Dispatch through the network nodes
[Figure labels: recipient, malicious node, colluding node, target node, packets]

16 Wormhole Creation The colluding nodes (M1, M2) are not the immediate neighbors of the source (S) and destination (D) node.

17 Trust Model: an effort-return based trust model
$T_{xy} = P_P \cdot P_A$
1. Each node executing the trust model monitors the participation of its neighbouring nodes in the packet forwarding mechanism.
2. Integrity checks: success → trust counter increases; fail → trust counter decreases.
3. $T_{xy} = P_P \cdot P_A$: the direct trust in a node y by node x
   - $P_P \in [0, 1]$: the existence or absence of a wormhole through node y
   - $P_A$: preserves a count of the number of packets that have been forwarded by a node
[Figure labels: x, y, neighbouring node, malicious node, target node, packets]

18 Wormhole Detection
1. Before transmitting the packet → buffer the DSR Source Route header.
2. After transmitting the packet → place the wireless interface into promiscuous mode for the Trust Update Interval (TUI).
3. Check for a wormhole:
   (1) Retransmission: compare the packet's DSR Source Route header with the one in the buffer; if it is the same packet → increase $P_A$ for the neighbor.
   (2) Integrity check: if Salvage field = 0 (not call for a new route discovery) → $P_P$ = false (no wormhole).
   (3) No retransmission is heard and the TUI has been exceeded → reduce $P_A$ and clear the DSR Source Route buffer.
[Figure labels: neighboring node, malicious node, target node, packets]

19 Wormhole Evasion
(1) Scan the cache for a route to the destination node.
(2) A route is in the cache → execute the Dijkstra algorithm (returns the shortest path in terms of number of hops).
(3) Initiate a new route discovery → ROUTE REQUEST packet propagated (unavailability of a route from the cache).
(4) LINK CACHE scheme → the default cost of each link = 1 (uniform spread of the inter-node trust levels); wormhole → the cost of the link = ∞.
[Figure labels: target node, destination node]
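
An added example (not code from the paper or from these slides) that connects slides 18 and 19: one Trust Update Interval outcome updates the counters, a suspected link gets cost ∞ in the link cache, and Dijkstra then routes around it. The class and method names, the constructed topology, passing the integrity check in as a boolean, and the rule that any failed check flags the link are assumptions.

```python
import heapq
import math

# Constructed topology: X reaches D in 4 hops via the M1~M2 tunnel, or in 5 via C, E, F.
LINKS = [("X", "M1"), ("M1", "M2"), ("M2", "B"), ("B", "D"),
         ("X", "C"), ("C", "E"), ("E", "F"), ("F", "B")]

class LinkCache:
    """Node x's link cache plus its per-neighbour trust counters."""
    def __init__(self, me, links):
        self.me, self.adj = me, {}
        for a, b in links:                      # default cost of each link = 1
            self.adj.setdefault(a, {})[b] = 1
            self.adj.setdefault(b, {})[a] = 1
        self.p_a = {}                           # P_A: forwarded-packet counter
        self.p_p = {}                           # P_P: True = wormhole suspected

    def tui_result(self, nbr, sent_hdr, heard_hdr, integrity_ok=True):
        """Apply one Trust Update Interval; heard_hdr=None means silence."""
        if heard_hdr is None:                   # TUI expired, nothing overheard
            self.p_a[nbr] = self.p_a.get(nbr, 0) - 1
        elif heard_hdr == sent_hdr and integrity_ok:
            self.p_a[nbr] = self.p_a.get(nbr, 0) + 1
            self.p_p[nbr] = False
        else:                                   # assumption: failed check flags link
            self.p_p[nbr] = True
            self.adj[self.me][nbr] = self.adj[nbr][self.me] = math.inf

    def shortest_route(self, dst):
        """Dijkstra by link cost; None means start a new route discovery."""
        dist, prev, heap = {self.me: 0}, {}, [(0, self.me)]
        while heap:
            d, u = heapq.heappop(heap)
            for v, cost in self.adj[u].items():
                if d + cost < dist.get(v, math.inf):   # an inf link never relaxes
                    dist[v], prev[v] = d + cost, u
                    heapq.heappush(heap, (d + cost, v))
        if dst not in dist:
            return None
        route = [dst]
        while route[-1] != self.me:
            route.append(prev[route[-1]])
        return route[::-1]

def demo():
    """Route from X to D before and after M1 fails a check."""
    cache, hdr = LinkCache("X", LINKS), ("X", "M1", "M2", "B", "D")
    before = cache.shortest_route("D")
    cache.tui_result("M1", hdr, hdr, integrity_ok=False)
    return before, cache.shortest_route("D")
```

Calling `demo()` returns the route through the tunnel first and the longer route over C, E and F once the X–M1 link has been given infinite cost.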

20 Conclusions
- Wormholes in an ad-hoc network are still a challenging problem.
- The authors derive trust levels in neighboring nodes based on their sincerity in execution of the routing protocol.

21 Comments
- If a neighboring node breaks down and fails to forward the packets, this node will be regarded as a malicious node permanently.

22 Ad hoc
- The meaning of ad hoc
  - In Latin, ad hoc → "for this," → "for this purpose only," → temporary.
  - A kind of network where stations or devices communicate directly and not via an access point. Wireless infrastructure does not exist.
- A mobile ad-hoc network (MANET)
  - A self-configuring network of mobile routers (and associated hosts) connected by wireless links, the union of which forms an arbitrary topology.
  - The routers are free to move randomly and organize themselves arbitrarily; thus, the network's wireless topology may change rapidly and unpredictably.
  - Advantage: rapid deployment and low cost of operation
  - Applications: military or police network, a natural disaster (flood, earthquake …)

23 Wormholes
- Solutions:
  - Time-based methods
  - Cryptography
  - Exploiting location information
- Wormhole link (via a wireline, a long-range wireless transmission, or an optical link)

24 Wormholes
- Wormhole threat against network protocol:
  - Node s2: update and broadcast its routing table entries (s2, s9)
  - Node s2 → nodes {s8, s10, s11, s12}: only two hops via s9
  - Neighbors of s2 adjust their routing tables → {s1, s3, s4, s5, s7} route via s2 to reach nodes {s9, s10, s11, s12}.
  - Attacker node s2 can redirect and observe a large amount of traffic.
  - Attacker node s2 can trigger a denial-of-service (DoS) attack.

25 Wormholes
- Byzantine attacks: black hole, flood rushing, wormhole and overlay network wormhole
- Black hole: all packets are dropped.

26 Integrity check
- In the DSR Source Route option:
  - Salvage field = 0 → a new route discovery by the source node
  - Salvage field <> 0 → contains a working route to forward (integrity check pass)