Securing Neighbor Discovery
the wormhole attack; centralized and decentralized wormhole detection mechanisms
Security and Cooperation in Wireless Networks
Georg-August University Göttingen
Introduction
many wireless networking mechanisms require that the nodes be aware of their neighborhood (i.e., know which other nodes they can communicate with directly)
the procedure used to acquire this knowledge is called neighbor discovery
if two nodes are in each other's radio range (are able to hear each other), they are considered neighbors
a simple neighbor discovery protocol:
– every node broadcasts a neighbor discovery request
– each node that hears the request responds with a neighbor discovery reply
– messages carry node identifiers, so neighboring nodes discover each other's ID
an adversary may try to thwart the execution of the protocol:
– prevent two neighbors from discovering each other by jamming
– create a neighbor relationship between far-away nodes
• by spoofing the identity of legitimate nodes in order to establish neighbor relationships with other nodes (can be prevented using entity authentication mechanisms)
• by installing a wormhole (cannot be prevented by cryptographic techniques alone)
What is a wormhole?
a wormhole is an out-of-band connection, controlled by the adversary, between two physical locations in the network
– the adversary installs radio transceivers at both ends of the wormhole
– it transfers packets (possibly selectively) received from the network at one end of the wormhole to the other end via the out-of-band connection, and re-injects the packets there into the network
wormhole attack: the two wormhole ends (adversarial transceivers) WE1 and WE2 transmit (tunnel) the neighbor discovery messages heard in their radio range to each other (possibly selectively)
result: A and B, which are far away from each other, will believe they are neighbors (because they actually hear each other through the wormhole)
notes:
– the adversary's transceivers are not regular nodes (no node is compromised by the adversary)
– the adversary does not need to understand what it tunnels (e.g., encrypted or authenticated packets can also be tunneled through the wormhole, which is why cryptography alone does not stop the attack)
– it is easy to mount a wormhole, and it may have devastating effects on routing
Effects of a wormhole
at the data link layer: distorted network topology
[Figure, panels (a)-(f):
(a) A set of nodes is randomly placed in the area; the gray disk is the radio range of x.
(b) Neighbor relationships between the nodes.
(c) Shortest possible path from all other nodes to x.
(d) The wormhole: the black rectangles are the attacker's transceivers.
(e) As a result of the wormhole attack, x and y become neighbors because the attacker relays their neighbor discovery messages.
(f) Shortest possible path from all other nodes to x after the attack: many nodes reach node x through the wormhole.]
at the network layer:
– routing protocols may choose routes that contain wormhole links
• typically those routes appear to be shorter
• flooding-based routing protocols (e.g., DSR, Ariadne) may be unable to discover any route other than the one through the wormhole
– the adversary can then monitor traffic or drop packets (DoS)
Wormholes are not specific to ad hoc networks
access control system: a contactless gate equipped with a contactless smart card reader, opened by a contactless smart card
[Figure: wormhole = a smart card emulator placed at the reader and a reader emulator placed near the user's card, joined by a fast connection (a relay attack); the user may be far away from the building]
Classification of wormhole detection methods
centralized mechanisms
– data collected from the local neighborhood of every node are sent to a central entity
– based on the received data, a model of the entire network is constructed
– the central entity tries to detect inconsistencies (potential indicators of wormholes) in this model
– can be used in sensor networks, where the base station can play the role of the central entity
decentralized mechanisms
– each node constructs a model of its own neighborhood using locally collected data
– each node tries to detect inconsistencies on its own
– advantage: no need for a central entity (fits some applications well)
– disadvantage: nodes need to be more complex
Statistical wormhole detection in sensor networks
each node reports its list of believed neighbors to the base station
the base station reconstructs the connectivity graph (model)
a wormhole adds edges (the fake neighbor relationships) to the connectivity graph, so it always increases the number of edges
this increase may change the properties of the connectivity graph in a detectable way (e.g., the node degree distribution or the distribution of shortest path lengths)
detection can be based on statistical hypothesis testing methods: the base station compares the observed graph against what a wormhole-free deployment model predicts
Examples
[Histogram: number of nodes (y-axis, 0 to 35) versus node degree (x-axis, 0 to 20). The gray bars show the expected number of nodes with each node degree; the black bars show the observed node degrees in the experiment when there is a wormhole. The black histogram shows that there are some nodes with an unexpectedly high node degree. (node degree: number of neighbors of a node)]
Examples
a wormhole is usually a shortcut that decreases the length of the shortest paths in the network, so the distribution of the length of the shortest paths is distorted
[Histogram: number of shortest paths (y-axis, 0 to 5000) versus path length in hops (x-axis, 1 to 21). The experiment shows that when a wormhole is present, short paths become more frequent and long paths less frequent than expected.]
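The two statistical tests sketched on the previous slides (unexpectedly high node degrees, and a shortest-path-length distribution shifted towards short paths), as an added, self-contained simulation; this is not code from the lecture. It assumes a deployment model the base station knows (uniform placement of `N_NODES` nodes in an `AREA` x `AREA` square with radio range `RADIO_RANGE`; all values constructed), builds the connectivity graph from the nodes' neighbor reports, injects a wormhole between two transceiver positions `we1` and `we2`, and runs both tests. The degree test is analytic (degree is approximately Binomial(N-1, pi r^2 / A) under the no-wormhole hypothesis; border effects only lower real degrees, so the upper-tail test stays conservative); the path test uses a Monte Carlo reference built from simulated wormhole-free deployments. The Poisson p-value for the count of high-degree nodes is an approximation, since degrees of nearby nodes are correlated.

```python
"""Centralised (base-station) statistical wormhole detection on a simulated
sensor network. Added example; constructed parameters, not the lecture's code."""
import math
import random
from collections import deque

AREA = 10.0         # nodes are placed uniformly in an AREA x AREA square
RADIO_RANGE = 2.5   # two nodes are neighbours iff their distance <= RADIO_RANGE
N_NODES = 120


def deploy(seed):
    """Random uniform placement; returns {node_id: (x, y)}."""
    rng = random.Random(seed)
    return {i: (rng.uniform(0, AREA), rng.uniform(0, AREA)) for i in range(N_NODES)}


def dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def neighbour_lists(pos):
    """What every node reports to the base station: the set of nodes it heard."""
    return {u: {v for v in pos if v != u and dist(pos[u], pos[v]) <= RADIO_RANGE}
            for u in pos}


def inject_wormhole(pos, reports, we1, we2):
    """Adversary transceivers at we1/we2 tunnel every neighbour-discovery
    message heard at one end to the other end, so every node heard by WE1
    and every node heard by WE2 become mutual (fake) neighbours."""
    side1 = [u for u in pos if dist(pos[u], we1) <= RADIO_RANGE]
    side2 = [u for u in pos if dist(pos[u], we2) <= RADIO_RANGE]
    reports = {u: set(vs) for u, vs in reports.items()}
    for u in side1:
        for v in side2:
            if u != v:
                reports[u].add(v)
                reports[v].add(u)
    return reports


def binom_tail(n, p, d):
    """P(D >= d) for D ~ Binomial(n, p)."""
    return sum(math.comb(n, k) * p ** k * (1 - p) ** (n - k) for k in range(d, n + 1))


def poisson_tail(mu, c):
    """P(X >= c) for X ~ Poisson(mu)."""
    return 1.0 - sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(c))


def degree_test(reports, alpha=0.01):
    """Degree test: choose the degree threshold d0 at which the no-wormhole
    model predicts at most 0.5 nodes in the whole network, then test the
    observed count of nodes reaching d0 against Poisson(expected count)."""
    n = len(reports)
    p = math.pi * RADIO_RANGE ** 2 / AREA ** 2          # P(a given node is in range)
    d0 = next(d for d in range(n) if n * binom_tail(n - 1, p, d) <= 0.5)
    mu0 = n * binom_tail(n - 1, p, d0)
    count = sum(1 for vs in reports.values() if len(vs) >= d0)
    pval = poisson_tail(mu0, count)
    return {"threshold": d0, "high_degree_nodes": count, "p_value": pval,
            "alarm": pval < alpha}


def mean_hop_distance(reports):
    """Average shortest-path length (hops) over all connected pairs,
    computed by a BFS from every node; unreachable pairs are ignored."""
    total, pairs = 0, 0
    for s in reports:
        seen, queue = {s: 0}, deque([s])
        while queue:
            u = queue.popleft()
            for v in reports[u]:
                if v not in seen:
                    seen[v] = seen[u] + 1
                    queue.append(v)
        total += sum(seen.values())
        pairs += len(seen) - 1
    return total / pairs


def path_test(reports, reference_seeds=range(100, 112), z_alarm=-3.0):
    """Path-length test: compare the observed mean hop distance with the same
    statistic over simulated wormhole-free deployments. A wormhole is a
    shortcut, so it can only pull the statistic down (one-sided test)."""
    ref = [mean_hop_distance(neighbour_lists(deploy(s))) for s in reference_seeds]
    mu = sum(ref) / len(ref)
    sd = math.sqrt(sum((x - mu) ** 2 for x in ref) / (len(ref) - 1))
    observed = mean_hop_distance(reports)
    z = (observed - mu) / sd
    return {"observed": observed, "reference_mean": mu, "z": z, "alarm": z < z_alarm}


def analyse(reports):
    """Base-station side: both tests on one reported connectivity graph."""
    d, p = degree_test(reports), path_test(reports)
    return {"degree": d, "paths": p, "wormhole_suspected": d["alarm"] or p["alarm"]}


if __name__ == "__main__":
    pos = deploy(1)
    clean = neighbour_lists(pos)
    attacked = inject_wormhole(pos, clean, (3.0, 3.0), (7.0, 7.0))
    for name, rep in (("clean", clean), ("wormhole", attacked)):
        print(name, analyse(rep))
```

The two wormhole positions are chosen so that both transceiver disks lie fully inside the area and do not overlap; a wormhole whose ends sit at the border of the deployment affects fewer nodes and is harder to see in the degree histogram, which is one reason the slides combine several graph statistics rather than relying on one.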
Multi-dimensional scaling
the nodes not only report their lists of neighbors, but they also estimate (inaccurately) their distances to their neighbors
connectivity information and estimated distances are input to a multi-dimensional scaling (MDS) algorithm
the MDS algorithm tries to determine the possible position of each node in such a way that the constraints induced by the connectivity and the distance estimation data are respected
– the algorithm has a certain level of freedom in "stretching" the nodes within the error bounds of the distance estimation
let us suppose that an adversary installed a wormhole in the network
– if the estimated distances between the affected nodes are much larger than the nodes' communication range, then the wormhole is detected
– hence, the adversary must also falsify the distance estimation, so that distances between far-away nodes appear smaller
– this will result in a distortion in the virtual layout constructed by the MDS algorithm
Example 1 in 1D: wormhole
[Figure: nodes a, b, c, d, e, f, g on a line (real placement of the nodes) and the reconstructed virtual layout]
a virtual layout of the network is constructed based on the neighborhood information obtained by the nodes
in the real connectivity graph: the gray disk is the radio range of node b; dashed lines are the neighbor relationships of the nodes; the red line is a fake neighbor relationship created by the wormhole
in the virtual layout of the network constructed using MDS from the inaccurate distance measurements of the neighboring nodes: b and f must be neighbors, so the distance between them should be smaller than the communication range
this makes it impossible to fit the nodes on a straight line, which helps to detect the attack (assuming that we know in advance that the nodes are located on a straight line)
Example 2 in 2D: wormhole
a virtual layout of the network is constructed based on the neighborhood information obtained by the nodes
in the real connectivity graph: grid lines are the neighbor relationships of the nodes; the red line is a fake neighbor relationship created by the wormhole
in the virtual layout of the network constructed using MDS from the inaccurate distance measurements of the neighboring nodes: A and C must be neighbors, so the distance between them should be smaller than the communication range, and MDS brings them together
this makes it impossible to fit the nodes on a flat surface, which helps to detect the attack
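The layout-based detection of Example 1 (and the MDS slide before it), as an added example that is not the lecture's code: the virtual layout is obtained by minimising the stress between the layout distances and the reported distance estimates with plain gradient descent (an MDS-style embedding, not a particular MDS library), in one dimension because the nodes are assumed to lie on a line. All measurements are constructed: seven nodes a..g really sit at 0, 1, ..., 6, only adjacent nodes hear each other, distance estimates carry a few percent of error, and the wormhole makes b and f report each other as neighbours with a forged distance estimate inside the radio range. Two checks follow the fit: the residual stress (near zero iff the measurements can be realised on a line) and range violations in the layout (neighbours placed farther apart than the range, or non-neighbours placed closer than it). The `dim` parameter is an assumption of this code, added so the same fit can be run for a planar layout as in Example 2.

```python
"""Wormhole detection from a virtual layout fitted to reported distances.
Added example with constructed measurements; not the lecture's code."""
import math
from itertools import combinations

RADIO_RANGE = 1.2   # assumed radio range; true neighbours are within it
NODES = ["a", "b", "c", "d", "e", "f", "g"]

# Reported neighbour pairs with their (noisy) distance estimates. The nodes
# really sit at 0,1,...,6 on a line, so only adjacent nodes hear each other.
CLEAN_EDGES = {
    ("a", "b"): 1.03, ("b", "c"): 0.97, ("c", "d"): 1.02,
    ("d", "e"): 0.98, ("e", "f"): 1.04, ("f", "g"): 0.99,
}
# The wormhole makes b and f believe they are neighbours; the adversary also
# forges a distance estimate that fits inside the radio range.
WORMHOLE_EDGE = {("b", "f"): 0.9}


def fit_layout(edges, nodes, dim=1, steps=5000, lr=0.02):
    """Gradient descent on stress = sum over reported pairs of
    (|x_u - x_v| - d_uv)^2. Nodes start spread along the first axis in
    index order; with dim=1 the layout is constrained to a straight line."""
    pos = {n: [float(i)] + [0.0] * (dim - 1) for i, n in enumerate(nodes)}
    for _ in range(steps):
        grad = {n: [0.0] * dim for n in nodes}
        for (u, v), d in edges.items():
            diff = [pos[u][k] - pos[v][k] for k in range(dim)]
            dist = max(math.sqrt(sum(c * c for c in diff)), 1e-9)
            coef = 2.0 * (dist - d) / dist       # d(stress)/d(dist) * 1/dist
            for k in range(dim):
                grad[u][k] += coef * diff[k]
                grad[v][k] -= coef * diff[k]
        for n in nodes:
            for k in range(dim):
                pos[n][k] -= lr * grad[n][k]
    return pos


def layout_dist(pos, u, v):
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(pos[u], pos[v])))


def stress(pos, edges):
    """Residual error of the fit: how badly the reported distances had to be
    stretched to place the nodes in the chosen dimension."""
    return sum((layout_dist(pos, u, v) - d) ** 2 for (u, v), d in edges.items())


def range_violations(pos, edges, nodes, rng=RADIO_RANGE, tol=0.05):
    """Pairs whose layout distance contradicts the reported neighbour relation
    (tol allows for the distance-estimation error)."""
    neighbours = {frozenset(e) for e in edges}
    bad = []
    for u, v in combinations(nodes, 2):
        d = layout_dist(pos, u, v)
        if frozenset((u, v)) in neighbours and d > rng * (1 + tol):
            bad.append((u, v, "neighbours placed too far apart"))
        elif frozenset((u, v)) not in neighbours and d < rng * (1 - tol):
            bad.append((u, v, "non-neighbours placed too close"))
    return bad


def detect(edges, nodes=NODES, dim=1, stress_threshold=0.05):
    """Fit the layout, then flag a wormhole if the fit cannot be made
    consistent with the measurements and the radio range."""
    pos = fit_layout(edges, nodes, dim)
    s = stress(pos, edges)
    bad = range_violations(pos, edges, nodes)
    return {"stress": s, "violations": bad,
            "wormhole_suspected": s > stress_threshold or bool(bad)}


if __name__ == "__main__":
    print("clean   :", detect(CLEAN_EDGES))
    print("wormhole:", detect({**CLEAN_EDGES, **WORMHOLE_EDGE}))
```

For the wormhole case no placement on a line can satisfy both the four chain edges b-c-d-e-f (about four range units end to end) and the forged b-f estimate of 0.9, so the residual stress stays well above the threshold whatever local minimum the descent ends in; the clean chain, by contrast, is realised exactly. The threshold is a parameter the operator has to calibrate against the real distance-estimation error, otherwise honest measurement noise raises false alarms.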