Attacks Against Network Availability and Service Integrity

Part of the document Ebook Mobile AD hoc networking (2nd edition) Part 2 (Pages 129 - 139)

Attacks against network availability and service integrity are often referred to as denial-of-service (DoS) attacks: An adversary attempts to disrupt, subvert, or destroy the services provided by the network. DoS attacks can have as a target any layer of the sensor network. Indeed, there are attacks performed on the physical layer, as well as attacks on the data link, the network, and the transport layers. In this section we will analyze existing DoS attacks layer by layer.

4.2.1.1 Physical Layer

Jamming. A jammer is a device that can partially or entirely disrupt the communication of a node by interfering with the radio frequencies that the node is using. Depending on its transmission power, the jammer may destroy the entire network or a smaller portion of it. If ignored in the initial WSN design, a jamming attack can easily disrupt a network, even if it uses higher level security mechanisms. Jamming can be regarded as the noise created by an attacker with the aim of disrupting a legitimate signal. Indeed, the jamming activity is effective only if the signal-to-noise ratio is less than 1. There are different types of jamming [13]:

Spot Jamming. It is the simplest jamming technique. The attacker directs all its compromising power against a single frequency. It is usually effective, but it may be avoided by changing the frequency used.

Sweep Jamming. The attacker rapidly shifts the target frequency in such a way to jam multiple frequencies in quick succession. Since the activity of the attacker is not continuous, the effectiveness of this type of attack is limited. However, in WSNs it can lead to many retransmissions due to packet loss.

Barrage Jamming. In this type of jamming, the adversary jams a range of frequencies at the same time. However, as the attacked range grows, the output power of jamming is reduced proportionally.

Deceptive Jamming. The attacker fabricates or replays valid signals on the channel incessantly, thereby occupying the available bandwidth and trying to destroy the network service. It can be applied to a single frequency or a set of frequencies.

Several countermeasures can be used against the various jamming attacks. Frequency-hopping spread spectrum (FHSS), direct sequence spread spectrum (DSSS), hybrid FHSS/DSSS, ultrawide band (UWB) technology, antenna polarization, directional transmission, and regulation of the transmission power are a few examples [14–16]. The previous generation of sensor nodes used single-frequency radios, and therefore they were vulnerable to narrowband noise, whether unintentional or malicious. For example, the Chipcon CC1000 transceiver on Mica2 and prior motes operates at 433 or 900 MHz. More recent motes, such as MICAz and Telos motes, use the Chipcon CC2420, which operates at 2.45 GHz and uses direct-sequence spread spectrum to reduce vulnerability to noise. These uses of spread spectrum reduce the impact of narrowband noise on communication, such as that from microwave ovens and other wireless networks. However, they do not defeat an adversary with knowledge of the spreading codes or hopping sequence. Indeed, these are not secret: they are either standardized (in IEEE 802.15.4) or derived from node addresses (in Bluetooth).

Existing security schemes that address jamming attacks in WSNs can be classified in: detection techniques, proactive countermeasures, reactive countermeasures, and mobile agent-based countermeasures. Detection techniques aim at instantly detecting jamming attacks. For example, Xu et al. [17] explore various techniques for detecting jamming attacks in WSNs. The key observation is that signal strength, carrier sensing time or packet delivery ratio individually are unable to conclusively detect the presence of a jammer. Therefore, to improve detection, the authors introduce the notion of consistency checking, where the packet delivery ratio is used to classify a radio link as having poor utility, and then a consistency check is performed to classify whether poor link quality is due to jamming. Proactive countermeasures make a WSN immune to jamming attacks rather than reactively respond to such incidents.
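The consistency check just described, as an added illustration that is not code from the chapter or from Xu et al.: a low packet delivery ratio (PDR) only marks a link as poor; the link is reported as jammed when the signal strength is too high to explain the loss. The thresholds, the sampling window and the three link histories are constructed values.

```python
"""Consistency checking for jamming detection (added illustration).

Not code from the chapter or the cited paper. The PDR threshold, the RSSI
floor and the link samples below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class LinkSample:
    rssi_dbm: float   # signal strength measured on frames heard from the neighbour
    sent: int         # frames we transmitted to the neighbour in this interval
    acked: int        # frames the neighbour acknowledged in this interval


def packet_delivery_ratio(samples: List[LinkSample]) -> float:
    sent = sum(s.sent for s in samples)
    acked = sum(s.acked for s in samples)
    return acked / sent if sent else 0.0


def mean_rssi(samples: List[LinkSample]) -> float:
    return sum(s.rssi_dbm for s in samples) / len(samples)


def classify_link(samples: List[LinkSample],
                  pdr_threshold: float = 0.65,
                  rssi_floor_dbm: float = -85.0) -> str:
    """Classify a link as 'normal', 'poor', 'jammed' or 'unknown'.

    PDR alone cannot tell a jammer from a neighbour that is simply out of
    range, so a low PDR only marks the link as having poor utility. The
    consistency check then asks whether the signal strength explains the
    loss: weak signal plus low PDR is consistent with range or fading,
    strong signal plus low PDR is inconsistent and points to jamming.
    """
    if not samples or sum(s.sent for s in samples) == 0:
        return "unknown"          # nothing was sent, so PDR is undefined
    if packet_delivery_ratio(samples) >= pdr_threshold:
        return "normal"
    if mean_rssi(samples) < rssi_floor_dbm:
        return "poor"             # low PDR explained by a weak signal
    return "jammed"               # strong signal, yet most frames are lost


# Constructed sample windows (three intervals per link, 20 frames each).
HEALTHY_LINK = [LinkSample(-60.0, 20, 19), LinkSample(-61.0, 20, 20), LinkSample(-59.0, 20, 18)]
DISTANT_LINK = [LinkSample(-93.0, 20, 9), LinkSample(-95.0, 20, 7), LinkSample(-92.0, 20, 8)]
JAMMED_LINK = [LinkSample(-55.0, 20, 3), LinkSample(-56.0, 20, 1), LinkSample(-54.0, 20, 2)]

if __name__ == "__main__":
    for name, link in [("healthy", HEALTHY_LINK), ("distant", DISTANT_LINK), ("jammed", JAMMED_LINK)]:
        print(f"{name:8s} PDR={packet_delivery_ratio(link):.2f} "
              f"RSSI={mean_rssi(link):.1f} dBm -> {classify_link(link)}")
```

The distant link and the jammed link have almost the same PDR; only the second step of the check separates them.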

An example is DEEJAM, a protocol proposed for defending against stealthy jammers using IEEE 802.15.4-based hardware [18]. It uses four defensive mechanisms together to defeat or diminish the effectiveness of jamming by adversaries that use hardware with the same capabilities as the deployed nodes: frame masking, channel hopping, packet fragmentation, and redundant encoding. Each defensive mechanism addresses a different jamming attack. In particular, frame masking defends against an attack in which the jammer transmits only when its radio captures a multibyte preamble and a start of frame delimiter (SFD) sequence. Channel hopping defends against an attacker that tries to detect radio activity by periodically sampling the radio signal strength indicator (RSSI) and that starts his attack when RSSI is above a programmable threshold. Packet fragmentation is the appropriate countermeasure against an attacker that samples each channel as briefly as possible to determine if activity is present; jamming is immediately initiated when he discovers radio activity. Packet fragmentation allows breaking the transmitted packet into fragments which are transmitted separately on different channels and with different SFDs. When the fragments are short enough, the attacker does not have the time to start his attack before the sender has finished its transmission and hopped to another channel. Redundant encoding is proposed as a countermeasure against an attacker that blindly jams a single channel using short pulses. Even if a fragment is corrupted, the receiver is able to recover the packet. However, there is an increased cost in energy and bandwidth usage.

Reactive countermeasures enable reaction only upon the incident of a jamming attack. The JAM algorithm proposed in reference 19 falls within this category. It enables the detection and mapping of jammed regions to increase network efficiency.
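Fragmentation with redundant encoding, as an added illustration that is not DEEJAM's own code: the packet is cut into short fragments plus one XOR parity fragment, each fragment carries a CRC, and a fragment that fails its CRC (hit by a jamming pulse) is treated as an erasure and rebuilt from the others. The frame layout (index byte, count byte, fragment bytes, CRC-32 trailer), the 4-byte fragment size and the single parity fragment are constructed assumptions; DEEJAM's channel schedule and SFD selection are not modelled.

```python
"""Fragmentation plus XOR parity for recovery from one corrupted fragment.

Added illustration, not DEEJAM's code. Frame format, fragment size and the
single-parity scheme are constructed assumptions for the demonstration.
"""
import zlib
from typing import Iterable, List, Optional

FRAG_SIZE = 4     # constructed: payload bytes per fragment
CRC_LEN = 4


def xor_all(chunks: Iterable[bytes]) -> bytes:
    chunks = list(chunks)
    out = bytearray(chunks[0])
    for chunk in chunks[1:]:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def encode_packet(payload: bytes, frag_size: int = FRAG_SIZE) -> List[bytes]:
    """Split a packet into data fragments plus one XOR parity fragment.

    Each fragment is framed as: index | total | data | CRC-32(index|total|data).
    A one-byte length prefix lets the receiver strip the zero padding.
    """
    if len(payload) > 255:
        raise ValueError("demo supports payloads up to 255 bytes")
    body = bytes([len(payload)]) + payload
    body += b"\x00" * (-len(body) % frag_size)
    data_frags = [body[i:i + frag_size] for i in range(0, len(body), frag_size)]
    frags = data_frags + [xor_all(data_frags)]      # parity fragment goes last
    total = len(frags)
    frames = []
    for index, frag in enumerate(frags):
        header_and_data = bytes([index, total]) + frag
        frames.append(header_and_data + zlib.crc32(header_and_data).to_bytes(CRC_LEN, "big"))
    return frames


def decode_packet(frames: Iterable[bytes]) -> Optional[bytes]:
    """Reassemble, treating every CRC failure as an erasure.

    One missing or corrupted fragment (data or parity) is recovered by
    XORing the remaining fragments; two or more erasures exceed what a
    single parity fragment can repair and the packet is reported lost.
    """
    received = {}
    total = None
    for frame in frames:
        body, crc = frame[:-CRC_LEN], frame[-CRC_LEN:]
        if zlib.crc32(body).to_bytes(CRC_LEN, "big") != crc:
            continue                                 # corrupted by the jammer: erasure
        index, total = body[0], body[1]
        received[index] = body[2:]
    if total is None:
        return None                                  # nothing survived
    missing = [i for i in range(total) if i not in received]
    if len(missing) > 1:
        return None
    if missing:
        lost = missing[0]
        received[lost] = xor_all(received[i] for i in range(total) if i != lost)
    body = b"".join(received[i] for i in range(total - 1))   # drop the parity fragment
    return body[1:1 + body[0]]


def corrupt(frame: bytes, position: int = 3) -> bytes:
    """Flip one byte, as a short jamming pulse hitting the fragment would."""
    damaged = bytearray(frame)
    damaged[position] ^= 0xFF
    return bytes(damaged)


# Constructed sensor reading used as the packet payload.
READING = b"temp=21.5C"

if __name__ == "__main__":
    frames = encode_packet(READING)
    frames[1] = corrupt(frames[1])                   # one fragment hit by the jammer
    print(decode_packet(frames))                     # b'temp=21.5C'
    frames[2] = corrupt(frames[2])                   # a second hit exceeds the parity budget
    print(decode_packet(frames))                     # None
```

The cost the text mentions is visible here: a 10-byte reading becomes four framed fragments with their own headers and CRCs, which is the extra energy and bandwidth paid for being able to survive one corrupted fragment.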

In practice, nodes near the border of a jammed region notify neighbors outside the region of jamming. The neighbors start mapping the region that is currently jammed by exchanging mapping messages. When the jammer moves or simply stops the attack, the jammed nodes recover and send notifications to their neighbors informing them of this change. Inside the class of mobile agent-based countermeasures we find approaches that enable mobile agents (MAs) to enhance the survivability of the WSN.

The term MA refers to an autonomous program that can move from host to host and act on behalf of users towards the completion of an assigned task. JAID is a protocol belonging to this category [20]. Its objectives are to (a) calculate near-optimal routes for MAs that incrementally fuse the data as they visit the nodes and (b) modify the itineraries of the MAs to avoid the jammed area(s) while not harming the efficient data dissemination from working sensors. The first objective is met through the design of a novel algorithm that separates the sensor network into multiple groups of nodes, calculates near-optimal routes through the nodes of each group and assigns these itineraries to individual agent objects. The second objective is achieved by using the JAM algorithm. A comprehensive summary of other works against jamming solutions in WSNs can be found in reference 13.

Tampering. This is an active attack generally carried out by an outsider. The attacker gains physical access to the node and tries to compromise the secrecy of the communication by stealing data stored in memory. The techniques introduced in references 21–23 are only a few examples of possible attacks that an adversary can carry out. The adversary can also steal cryptographic keys that are used to authenticate the transmissions. Furthermore, it can modify the behavior of the nodes, replacing them with malicious sensors under the control of the attacker. The primary defense against physical tampering focuses on building tamper-resistant sensors [24]. The success of defense mainly depends on three issues: (1) how accurately and completely designers considered potential threats at design time; (2) the resources available for design, construction, and test; and (3) the cleverness and determination of the attacker. Although tamper-resistant hardware is becoming cheaper, in most cases it is not a convenient choice. Other possible defense mechanisms are related to the use of special software able to detect tampering attempts. When a possible attack is sensed, sensitive data such as cryptographic keys are deleted, and a self-termination protocol is executed. Tampering with current sensor node hardware has been investigated in reference 25, paying special attention to attacks which can be executed directly in the deployment area. This kind of attack can be executed without interruption of the regular node operation. The authors show that the most serious attacks, which result in full control over a sensor node, require the absence of the node from the network for a substantial amount of time. Therefore, monitoring sensor nodes for periods of long inactivity can be considered a good defense strategy.

4.2.1.2 Link Layer. In WSNs, most energy consumption is due to communication.

For this reason, the most effective DoS attacks have as a target the transceiver and the data-link layer. Link layer collision, link layer exhaustion, and unfairness are three such attacks.

Link Layer Collision. This attack is very similar to jamming in the physical layer. It occurs when an attacker sends a signal at the same time and frequency of a legitimate message transmission for as little as one octet (or byte) in order to corrupt the entire message [26]. In practice, the attacker uses his radio to listen to the frequency used by the WSN. The attacker starts to send out his signal as soon as he hears the start of a legitimate message. It is not easy to detect this attack because the only evidence is the reception of an incorrect message. Indeed, when a link layer frame fails a cyclic redundancy code (CRC) check, the link layer automatically discards the entire packet, thereby wasting energy and bandwidth. As a countermeasure, it is possible to use forward error-correcting codes (FEC) to recover lost information [27].

Link Layer Exhaustion. This attack occurs when the attacker manipulates protocol efficiency measures and causes nodes to expend additional energy. Providing a rate limitation by allowing nodes to ignore excessive network requests from a node is an effective countermeasure against this attack.
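The rate limitation suggested as the countermeasure, as an added illustration that is not code from the chapter: a token bucket per requesting node, so that a neighbour that keeps issuing requests is simply ignored once it has used up its allowance, while a node requesting at a normal pace is always serviced. The rate, the burst size and the request log are constructed values.

```python
"""Per-neighbour rate limiting against link-layer exhaustion (added illustration).

Not from the chapter. Rate, burst and the request log are constructed values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Bucket:
    tokens: float
    last: float


class NeighbourRateLimiter:
    def __init__(self, rate_per_s: float = 2.0, burst: int = 5):
        self.rate = rate_per_s            # sustained requests per second allowed per neighbour
        self.burst = burst                # short burst tolerated per neighbour
        self.buckets: Dict[str, Bucket] = {}

    def allow(self, neighbour: str, now: float) -> bool:
        """True if the request should be serviced, False if it should be ignored."""
        b = self.buckets.get(neighbour)
        if b is None:
            b = self.buckets[neighbour] = Bucket(tokens=float(self.burst), last=now)
        b.tokens = min(self.burst, b.tokens + (now - b.last) * self.rate)   # refill
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def service_requests(log: List[Tuple[float, str]],
                     limiter: NeighbourRateLimiter) -> Dict[str, Tuple[int, int]]:
    """Return {neighbour: (serviced, ignored)} for a time-ordered request log."""
    counts: Dict[str, List[int]] = {}
    for t, src in sorted(log):
        c = counts.setdefault(src, [0, 0])
        c[0 if limiter.allow(src, t) else 1] += 1
    return {src: (c[0], c[1]) for src, c in counts.items()}


def build_log() -> List[Tuple[float, str]]:
    """Constructed 10-second window: node-B sends one request per second,
    node-X floods 50 requests per second to drain the victim's energy."""
    log = [(float(t), "node-B") for t in range(10)]
    log += [(i / 50.0, "node-X") for i in range(500)]
    return log


if __name__ == "__main__":
    print(service_requests(build_log(), NeighbourRateLimiter()))
```

Ignoring a request is cheaper than answering it, which is the whole point of the defence: the flooding node still costs the victim the energy to receive its frames, but not the energy to process and respond to all 500 of them.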

Unfairness. In an unfairness attack, the adversary transmits a large number of packets when the medium is free, hence preventing the legitimate sensors from transmitting their packets. In this way, the attacker can degrade the quality of service, thereby missing real-time deadlines. However, this attack does not completely prevent the access to the service. Usually, it is considered a weak form of a DoS attack that can be limited by using smaller frames, in such a way that the channel is only captured for a small amount of time.

Sleep Deprivation Torture. In WSNs, nodes use a sleep mechanism to adjust their operation mode and thereby extend the network lifetime. At full power, a sensor can run for only two weeks before exhausting its power resources. Therefore, it is preferable that nodes remain in sleep mode and that they become active as little as possible (usually around 1% of the time). The sleep deprivation torture attack aims at preventing a sensor from sleeping. The term “sleep deprivation torture” attack was first used in reference 28, where the main security issues that arise in an ad hoc wireless network of mobile devices were taken into account. In some cases, this attack is also called a “denial-of-sleep” attack. The main denial-of-sleep attacks can be classified into three categories [29]: service request power attacks, benign power attacks, and malignant power attacks. A service request power attack repeats valid service requests with the deliberate intention of draining power; a benign service attack initiates a power-intensive operation on the device under attack to quickly drain power resources; and a malignant power attack penetrates the attacked device and alters existing programs to consume more power than required. As ways to lessen the effect of these attacks, strong link-layer authentication, anti-replay protection, and broadcast attack protection are proposed in reference 30. In particular, the authors claim that strong link-layer authentication is the first and most important component of denial-of-sleep defense. The network lifetime can be reduced from a year or more to less than a week when an attacker is able to send trusted MAC-layer traffic. Existing options for implementing link-layer authentication in WSN include TinySec, which is incorporated into current releases of TinyOS, and the authentication algorithms built into IEEE 802.15.4-compliant devices. Anti-replay protection is usually achieved by maintaining a neighbor table of packet sequence numbers. Unfortunately, this requirement can become unwieldy even in moderately sized networks.

One way to limit the size of the neighbor table is to use network layer neighbor information to limit the number of neighbors that must be tracked to those from which legitimate traffic is expected. The authors of reference 31 suggest using a protocol called CARP that bounds the size of the neighbor table according to the maximum node degree and the number of clusters that are previously configured. Broadcast attack protection is based on a simple principle: tracking the ratio of legitimate to malicious traffic, along with the percentage of time that the device is able to sleep, is enough to identify a denial-of-sleep broadcast attack.

4.2.1.3 Network and Routing Layer. At the network layer, many attacks can disrupt the network availability: hello flooding, black hole attack, sink hole attack, selective forwarding, and wormhole attack are the main ones. In the following we will describe one by one these attacks and their specific countermeasures. However, it is worth taking into account that security at the network layer highly depends on authentication.

In WSNs, the use of public keys for message authentication is usually considered not affordable. Zhang and Subramanian [32] highlight that symmetric keys and hash functions are effective; but when the sensor node is compromised, the keys become known to the adversary. Therefore, they propose a message authentication approach that adopts a perturbed polynomial-based technique to simultaneously achieve lightweight operation, resilience to a large number of node compromises, immediate authentication, scalability, and non-repudiation.

Direct Attacks on Routing Information. Routing information is the most sensitive data exchanged in a routing protocol. By subverting this information the adversary will be able to change the normal routing to his favor. A direct attack against the routing layer can try to spoof, alter, or replay routing information. An effective countermeasure against the first two problems is to use a message authentication code (MAC). The receivers can verify whether the messages have been spoofed or altered by checking the MAC. Counters or timestamps can be used to defend against replayed information [33].

Figure 4.1 Hello Flooding.
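The two defenses above, a MAC against spoofed or altered messages and a per-neighbor counter against replays, are the same ones that the denial-of-sleep discussion lists as strong link-layer authentication and anti-replay protection, so one added illustration serves both passages. It is not TinySec's or IEEE 802.15.4's frame format: the header layout, the 4-byte truncated HMAC-SHA256 tag, the bounded neighbor table and the denial-of-sleep heuristic thresholds are constructed assumptions.

```python
"""Authenticated link-layer frames with per-neighbour replay counters (added illustration).

Not TinySec or IEEE 802.15.4 code. Frame layout, tag length, table bound and
the denial-of-sleep thresholds are constructed assumptions.
"""
import hashlib
import hmac
import struct
from typing import Dict, Optional

KEY = b"constructed-demo-link-key"   # pairwise link key (constructed)
HDR = struct.Struct(">HI")            # src id (16 bit) | sequence counter (32 bit)
TAG_LEN = 4                           # truncated MAC, as short-tag WSN link layers use


def make_frame(src: int, seq: int, payload: bytes, key: bytes = KEY) -> bytes:
    header = HDR.pack(src, seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class LinkReceiver:
    def __init__(self, key: bytes = KEY, max_neighbours: int = 8):
        self.key = key
        self.max_neighbours = max_neighbours          # bounded table, in the spirit of CARP's degree limit
        self.last_seq: Dict[int, int] = {}
        self.stats = {"accepted": 0, "bad_mac": 0, "replay": 0, "table_full": 0}

    def accept(self, frame: bytes) -> Optional[bytes]:
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < HDR.size + TAG_LEN:
            self.stats["bad_mac"] += 1
            return None
        header, payload, tag = frame[:HDR.size], frame[HDR.size:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):    # spoofed or altered
            self.stats["bad_mac"] += 1
            return None
        src, seq = HDR.unpack(header)
        if src not in self.last_seq:
            if len(self.last_seq) >= self.max_neighbours:
                self.stats["table_full"] += 1          # cannot track yet another neighbour
                return None
            self.last_seq[src] = -1
        if seq <= self.last_seq[src]:                  # replayed (or stale) frame
            self.stats["replay"] += 1
            return None
        self.last_seq[src] = seq
        self.stats["accepted"] += 1
        return payload

    def denial_of_sleep_suspected(self, awake_fraction: float, max_awake: float = 0.05) -> bool:
        """Broadcast-attack heuristic from the text: rejected traffic dominates
        accepted traffic while the node is kept awake beyond its duty cycle."""
        rejected = sum(v for k, v in self.stats.items() if k != "accepted")
        return awake_fraction > max_awake and rejected > self.stats["accepted"]


if __name__ == "__main__":
    rx = LinkReceiver()
    good = make_frame(src=7, seq=1, payload=b"route-update:next-hop=3")
    print(rx.accept(good))                              # payload returned
    print(rx.accept(good))                              # None: replay
    altered = good[:-TAG_LEN - 1] + b"9" + good[-TAG_LEN:]
    print(rx.accept(altered))                           # None: MAC mismatch
    print(rx.accept(make_frame(7, 2, b"ok", key=b"wrong-key")))  # None: forged
    print(rx.stats, rx.denial_of_sleep_suspected(awake_fraction=0.4))
```

Two details matter in practice: the MAC is compared with `hmac.compare_digest` rather than `==`, and the table bound is enforced before a new entry is created, so an adversary sending from many forged source ids cannot grow the neighbor table without limit.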

Hello Flooding. Hello messages are often used to discover neighboring nodes and automatically create a network. Many protocols that use this mechanism make the naive assumption that the sender is within radio range. However, an adversary with a high-powered transmitter can send these messages to a large area of nodes. When receiving such packets, the nodes will believe that the malicious node is a neighbor and will answer by sending data to it, but because they are far away, the packets will be sent into oblivion [34]. In such a way, sensors can run out of energy very soon. Furthermore, the adversary can subvert the normal routing protocol and try to control the data flow in the WSN, thus leading to the black hole attack or similar. Figure 4.1 illustrates such an attack. Generally, a simple countermeasure to the hello flooding attack is to check for bidirectionality of each transmission link. In reference 35 a method based on signal strength has been proposed to detect and prevent hello flooding attacks.
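The bidirectionality check, as an added illustration that is not code from the chapter: with a tiny radio model (each node has a position and a transmission range), a naive node records every sender whose HELLO it hears, whereas a checking node records a sender only if its own reply could reach that sender. Positions, ranges and node names are constructed.

```python
"""Bidirectional link check against hello flooding (added illustration).

Not from the chapter. The radio model, positions and ranges are constructed.
"""
import math
from dataclasses import dataclass
from typing import Iterable, Set


@dataclass(frozen=True)
class Node:
    name: str
    x: float
    y: float
    tx_range: float    # metres at which this node's transmissions can still be decoded


def can_reach(sender: Node, receiver: Node) -> bool:
    return math.hypot(sender.x - receiver.x, sender.y - receiver.y) <= sender.tx_range


def naive_neighbours(me: Node, others: Iterable[Node]) -> Set[str]:
    """Accept anyone whose HELLO we hear: the assumption the attack exploits."""
    return {n.name for n in others if n is not me and can_reach(n, me)}


def verified_neighbours(me: Node, others: Iterable[Node]) -> Set[str]:
    """Accept a HELLO only if our reply could reach the sender as well."""
    return {n.name for n in others
            if n is not me and can_reach(n, me) and can_reach(me, n)}


# Constructed deployment: ordinary motes with a 30 m range and one distant
# high-power transmitter 400 m away announcing itself with HELLO messages.
MOTE_A = Node("A", 0.0, 0.0, 30.0)
MOTE_B = Node("B", 20.0, 10.0, 30.0)
MOTE_C = Node("C", 60.0, 0.0, 30.0)          # genuinely out of A's range
HIGH_POWER = Node("HP", 400.0, 0.0, 1000.0)  # laptop-class transmitter
DEPLOYMENT = [MOTE_A, MOTE_B, MOTE_C, HIGH_POWER]

if __name__ == "__main__":
    print("naive   :", naive_neighbours(MOTE_A, DEPLOYMENT))     # {'B', 'HP'}
    print("verified:", verified_neighbours(MOTE_A, DEPLOYMENT))  # {'B'}
```

In a real protocol the second condition is established by a challenge that the sender must acknowledge, which is exactly what a far-away transmitter cannot do, since the mote's reply never reaches it.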

Black and Sink Hole Attack. The black hole attack works by making a compromised node look especially attractive to surrounding nodes with respect to the routing algorithm. The nodes will then route all the traffic through the compromised node, and the adversary will be able to drop all the routed packets. REWARD [36] is a routing algorithm that fights this attack, also when the adversary controls a team of malicious nodes. Black hole attacks can also be detected by listening to and monitoring transmissions by neighbors. In reference 37, two techniques that mitigate the effects of routing misbehavior are proposed: the watchdog and the pathrater. The first is used to identify misbehaving nodes, while the second helps routing to avoid these nodes.
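The watchdog and pathrater idea, as an added illustration that is not the code of reference 37: after forwarding a packet, a node keeps listening for its next hop to retransmit it; a next hop that is repeatedly not overheard forwarding is flagged, and the pathrater then prefers routes that avoid flagged nodes even when they are longer. The failure threshold, the rating arithmetic and the overhearing log are constructed assumptions.

```python
"""Watchdog and pathrater against a black hole next hop (added illustration).

Not the code of reference 37. Threshold, rating rules and the overhearing
log are constructed for the demonstration.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class Watchdog:
    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.failures: Dict[str, int] = defaultdict(int)
        self.forwarded: Dict[str, int] = defaultdict(int)

    def observe(self, next_hop: str, overheard_retransmit: bool) -> None:
        """Record whether we overheard next_hop forwarding the packet we gave it."""
        if overheard_retransmit:
            self.forwarded[next_hop] += 1
        else:
            self.failures[next_hop] += 1

    def misbehaving(self) -> Set[str]:
        return {n for n, c in self.failures.items() if c >= self.threshold}


class Pathrater:
    def __init__(self, watchdog: Watchdog):
        self.watchdog = watchdog

    def node_rating(self, node: str) -> float:
        """Neutral 0.5 to start, slightly higher for nodes seen forwarding;
        misbehaving nodes get -100 so any path through them rates below
        every clean path, whatever its length."""
        if node in self.watchdog.misbehaving():
            return -100.0
        good = self.watchdog.forwarded.get(node, 0)
        return min(0.8, 0.5 + 0.01 * good)

    def rate_path(self, path: List[str]) -> float:
        return sum(self.node_rating(n) for n in path) / len(path)

    def choose(self, paths: List[List[str]]) -> List[str]:
        return max(paths, key=self.rate_path)


# Constructed overhearing log at node A: (packet id, next hop, overheard?).
# Node C advertised the shortest route to the sink but silently drops traffic.
OVERHEARD: List[Tuple[int, str, bool]] = [
    (1, "C", False), (2, "B", True), (3, "C", False), (4, "B", True),
    (5, "C", True),  (6, "C", False), (7, "B", True), (8, "C", False),
]
CANDIDATE_PATHS = [["C", "SINK"], ["B", "D", "SINK"]]


def run_demo() -> Tuple[Set[str], List[str]]:
    wd = Watchdog()
    for _, next_hop, seen in OVERHEARD:
        wd.observe(next_hop, seen)
    chosen = Pathrater(wd).choose(CANDIDATE_PATHS)
    return wd.misbehaving(), chosen


if __name__ == "__main__":
    bad, route = run_demo()
    print("misbehaving:", bad)     # {'C'}
    print("chosen route:", route)  # ['B', 'D', 'SINK']
```

Note the limitation the watchdog carries in any radio network: a failure is only "not overheard", and collisions or a neighbor out of overhearing range produce the same observation, which is why a threshold rather than a single miss is used before a node is flagged.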

Black hole attacks can be even more dangerous when the attacker knows the position of the sink. Figure 4.2 depicts such an attack. The adversary (that is, the black node) tries to become the node used by all the other nodes to reach the sink. In this case the attack is called sink hole attack. A simple but unfortunately costly approach to detect sink holes has been introduced in reference 38. In the first phase, the algorithm finds a list of suspect nodes. Then, it identifies the intruder in the list through a network flow graph. The high cost depends on the fact that the sink floods the network with a request message containing the IDs of the affected nodes, and then these nodes have to answer with specific information regarding the correct path. The authors propose to leverage encryption and path redundancy to avoid alteration of the packets during transmission. In references 39 and 40, two other routing protocols against the sink hole attack have been proposed. However, they are respectively based on the Ad hoc On-demand Distance Vector Protocol (AODV) and the Dynamic Source Routing (DSR) Protocol, which are protocols built for, and usually deployed in, ad hoc networks. In reference 41, an intrusion detection system that detects sink hole attacks and that can be used with the most widely used routing protocol in sensor network deployments (MintRoute) is proposed.

Figure 4.2 Sink hole attack.

Wormhole Attack. To run the wormhole attack, an adversary needs to control at least two compromised nodes in two different locations of the network. Figure 4.3 shows this attack. By leveraging a fast and powerful connection (often a wired one), the two compromised nodes (black nodes in the figure) will let the network think that they know the quickest path to reach the other side of the network. In practice, the adversary records packets (or bits) at one location in the network, tunnels them to the other location, and retransmits them there into the network. Most existing ad hoc network routing protocols, without some mechanism to defend against this attack,

Figure 4.3 Wormhole attack.
