М Р Karpinski - Security aspects of mobile ad-hoc networks - страница 1
М.Р. Karpinski, A.A. Hominchuk,
SECURITY ASPECTS OF MOBILE AD-HOC NETWORKS
Basic types of attacks on mobile ad-hoc networks are considered in the appendix. Classification of attack is realised, and detailed description of this attack are shown. Methods of mitigation of described attack and ways to improve security of ad-hoc networks are considered.
Keywords: mobile ad-hoc network, attacks on network, dynamic routing.
Introduction. Networks, in which every node executes routing functions, not only data exchanging, are called ad-hoc networks [11, 12]. Specifity of such networks, such as flexibility, exposing, decentralized controlling, nodes mobility, dynamic routing makes ad-hoc networks vulnerable to different attacks.
Threats of security of ad-hoc networks may be divided into a few classes: attacks on auto-configuration, attacks on the environment, attacks on Quality Of Service (QoS).
Let us discuss threats associated with address auto-configuration in MANET (Mobile Ad-hoc NETwork). Other threats, e.g., attacks against the routing protocol, are beyond the scope of our discussion.
1. Address Spooling Attack
Clearly, due to the lack of an authentication mechanism, previous auto-configuration schemes are vulnerable to address spooling attacks, in which an attacker may maliciously configure itself with another node's IP address to either impersonate the victim or hijack the latter's traffic. Figure 1 shows an example of the address spooling attack. Let node A with IP address a communicate with node D via nodes B and C. An attacker X that wants to hijack the traffic from node A configures itself with IP address a. When node C receives a neighbor discovery message, e.g., hello message in AODV protocol , from the attacker X, it may mistakenly believe that node A becomes its direct neighbor. As a result, node С updates its routing table and redirects the traffic to attackerX.
The inter-certification mechanism is used to address such spooling attacks. However, since a node may not be able to verify the initiator's public key, an attacker still can launch the spooling attack. For instance, if node C in figure 3.1 does not know the public key of node A's initiator, node X randomly chooses two public keys, uses one of them to generate a certificate for itself, and declares this certificate was obtained from its initiator. Node C will be fooled as it cannot verify the public key of node A's initiator.
2. False Address Conflict Attack
The assignment of a new address requires an approval of all configured nodes. An attacker can take advantage of this to prevent a newly arrived node from getting an IP address, e.g., by sending negative replies [2, 3]. Since the victim node cannot verify the authenticity of such negative replies, it has to give up the chosen address and try another one. If the victim node continuously receives negative replies, it is prevented from entering the network [4, 5].
An attacker may broadcast some false address conflict messages, i.e., initiating a false merger and publishing a false allocation table which marks the victim node's address as one used by another partition. Since the victim node cannot verify the authenticity of an address conflict, it has to give up its current address and seek for a new one according to the previous auto-configuration schemes. As a result, the victim node's normal communication is interrupted, and a lot of network bandwidth is consumed by the traffic introduced by the unnecessary changing of address.
3. Address Exhaustion Attack
IP ad(!r = a
Figure 1: An example of address spooling attack and traffic hijack.
IP address is one of the most important resources in mobile ad hoc networks. An attacker could maliciously claim as many IP addresses as possible. If all valid IP addresses are occupied/exhausted by the attacker, a newly arrived node will not be able to get an IP address and thus is prevented from entering the network. Figure 2 shows an example of such address exhaustion attacks. The attacker X declares multiple identities, introduces a number of phantom nodes (G1 ; :::;Gv) into the network, and thus exhausts the available address space. Due to the lack of a centralized authority, it is very diffcult to detect these phantom nodes and all previous auto-configuration schemes cannot prevent such an address exhaustion attack. (It is worth noting that if a large address space is deployed, applying and maintaining a large number of IP addresses requires a lot of resources. An attacker may use false address conflict attacks, in stead of the address exhaustion attacks, to prevent a newly arrived node from getting an IP address.)
The buddy system [4, 5] mitigates such an address exhaustion attack by employing a distributed address allocation table. However, an attacker still could exhaust the available address space at a light cost. For instance, suppose the configured node C has an address block with a size of 2r in figure 3.2. An attacker X contacts with node
address assignment using a faked ID G1. As a result, node C loses half of its address blockafter assigning an address to G1. After repeating this procedure r times with different faked IDs, the attacker X deprives all address blocks from node C. Similarly, the attack X can deprive other nodes' address blocks and eventually exhaust all available address space in a mobile ad hoc network. Environmental threats
We adopt following classification  of adversaries based on the following characteristics: Internal-External, Passive-Active, and Local-Global. We define an internal adversary as a node that is compromised and on the routing path. An external adversary is a compromised node not on the path, or an external node not directly participating in the MANET, i.e., it only eavesdrops on traffic between nodes. This thesis only considers passive attacks, i.e., attacks that consist of eavesdropping on communications to collect private data. A local adversary can see and launch attacks in a limited range. A global adversary covers the entire path or the network. A set of colluding local adversaries may form a global adversary by sharing information. We defer the active attacks to future work.
Traffic analysis is often used to subvert anonymity. In this attack, adversaries monitor packet transmission to infer important information such as a source, destination, and source-destination pair. We consider the following traffic analysis attacks in this work:
Packet Tracing Attack: A packet may be traced from source to destination by eavesdropping the transmission of the same packet as it traverses the network. Note that the adversary need not be able to recover the packet content to infer the source and destination of the flow.
Packet Counting Attack: Eavesdropping nodes collaborate to discover a path by overhearing and simply "counting" packets that traverse nodes. In a network with low load, this is a straight-forward way to discern data paths.
Timing Attack: Adversaries may analyze the time correlation between packets passing through nodes to discover a flow . If two adversaries perform this analysis and compare results, they may infer a source-destination pair.
TTL Attack: Adversaries exploit the packet time-to-live (TTL) field to discover the destination. The value of the TTL field in a packet is set by a source to limit the number of hops a packet takes in the network. Every
Figure 2: An example of address exhaustion attack.
intermediate node decreases the TTL by 1 before it forwards the packet. Because this information is sent in the clear, adversaries may determine the relative position of a node on a path, and perhaps the source or destination if they are located near these nodes. Adversaries may also try to discover information about paths of which they are a part.
Many routing protocols expose control information, such as the source and destination or the other nodes on the path, to all nodes on a path. Nodes can also typically overhear the next-hop node on a path as it forwards a packet. Combining this information, adversaries on a path can learn source-destination pairs, next hop nodes, and the entire path of a flow. Mobile nodes may obtain their own location information using global positioning system (GPS) or other similar techniques. If a node knows the identifiers of its neighboring nodes, it also may estimate their locations. An adversary may also use location information to launch various attacks by tracing an object's location. Therefore, dissociation of location and identity is an important issue. Security of QoS
The characteristics of ad hoc networks such as exposure to hostile environment (e.g. battle field, rescue missions) and difficulty of authentication exacerbate the QoS model security problems. Without protection of security mechanisms, a QoS model is vulnerable to both theft of service and denial of service, which inhibits the guarantee of network resource availability. A QoS model specifies an architecture in which some kinds of services could be provided. The objective is to implement a scalable, flexible and secure QoS model. Up to date, Integrated Services (IntServ)  and Differentiated Services (DiffServ)  have been proposed to support QoS in the traditional Internet and are also being studied for MANET environments. The IntServ model provides an end-to-end QoS guarantee on a per-flow basis. It requires that every IntServ-enabled router keep the flow-specific states including bandwidth requirements, delay bound and cost of the flow, and therefore is not scalable for the Internet. DiffServ model is designed to overcome the scalability problem in the IntServ for wired networks. The DiffServ model is based on flow aggregation by classifying packets into a limited number of classes and then applying specific forwarding treatment to each QoS class.
Flexible QoS Model for MANETs (FQMM)  is a model proposed solely for mobile ad hoc networks. The FQMM takes the characteristics of MANETs into account and is a 3 hybrid provisioning scheme of the per-flow service in IntServ and the per-class service in DiffServ. Although Diffserv model provides more scalability and greater flexibility than the Intserv model, several vulnerabilities in DiffServ for MANETs make it a less secure model than the IntServ. Targeting IntServ model in MANETs, adversaries could issue attacks in the following ways:
• A malicious node can tamper QoS provision with falsified data or QoS signaling messages to steal or deplete resources used or reserved by other nodes.
• Attacks on QoS signaling system such as malicious alteration of the QoS parameters in QoS signaling messages. This form of attack could result in incorrect QoS reservation along a path and therefore lead to degradation of network resources utilization or legitimate traffic penalization.
• Advertisement of false network resource information. In MANETs, the network resource information is inaccurate. However, deliberately advertising false information is more dangerous because it will result in incorrect routing and QoS reservation and thus also degradation of network resources utilization or legitimate traffic penalization.
• Maliciously drop, delay or corrupt data packets, resulting in deliberately violating promised QoS. Therefore, security mechanisms are needed to prevent QoS systems from being maliciously attacked.
Attack models for QoS signaling systems in MANETs
We consider four attack models for QoS signaling system.
Attack model 1: Signaling message spoofing. An adversary can spoof signaling messages to request QoS, reserve resources or release resources. Falsified signaling messages can be used by illegitimate entity to steal resources, disrupt QoS services, which would consequently degrade the network performance. For example, a malicious node M spoofs signaling messages using node A's identification to reserve some resources. Node M can use these resources to transmit its own traffic (theft of services); or it can simply leave these resources unused so that the resources will not be available to other nodes (disruption of services).
Attack model 2: Denial of QoS request. An adversary can potentially intercept or drop reservation messages so that the QoS reservation and the channel setup will be failed or tremendously delayed. This attack can prohibit the QoS resources from being available to the victim.
Attack model 3: Malicious alteration of non-mutable parameters in transmission. For example, an attacker can change the requested QoS in RREQ packets. It can also maliciously alter the QoS reservation parameters in RREP which will result in reservation of an incorrect amount of QoS resources.
Figure 3. An example of malicious alteration of non-mutable parameters
Figure 3 is an example of this attack: node A receives a signaling message from originator S to request a reservation of 1.5Mbps bandwidth. Node B is an adversary residing adjacent to A on the route who maliciously alters the request for bandwidth to 2Mbps, which is larger than the original request value. If the attack is successful, the downstream nodes would not be aware of the malicious alteration. Therefore they would reserve 2Mbps bandwidth in case that there is 2Mbps bandwidth available at each downstream node (case 1 in the figure); or some downstream node will drop the request message in case it cannot provide 2Mbps bandwidth (case 2 in the figure), even if it is capable of providing 1.5Mbps. If a malicious node decreases the value of the requested resources, it can result in a reservation of insufficient resources which can also disrupt the quality of the service provided to the flow from originator S.
Attack model 4: Intentional provision of fallacious QoS states information. Although QoS states information is subject to errors due to the rapid topology change and high node mobility, a deliberate distribution of false information will do more harm to QoS provisions. In this type of attacks, an adversary may tamper with the mutable QoS parameters (such as) in signaling messages in order to disrupt the measurement of QoS state and provide false information. The attacks may result in failure of resource reservation, insufficient or excess reservation. Figure 4 is an example of this type of attacks on QoS AODV messages. Originator S sends a QoS request for 60ms delay. The Maximum Permissible Delay (MPD) parameter in the message is used to measure available delay along a candidate route. The original value of MPD is the requested delay and it should be decreasing downstream along the route. When the message reaches node A, whose traversal time is 25ms for example, A changes the value MPD parameter from 60ms to 35ms. Suppose node B is a malicious node adjacent to node A on the route. Node B is supposed to deduct its own value from 35ms, but instead it increases the value of the parameter to 50ms. This may result in successful reservation along the route even if the route can not satisfy the QoS request of 60ms delay. In this case, the request of originator S would not be satisfied and the service is disrupted.
Originator S: requests for SOnis delay
Re; er,"e 60ms delay
Figure 4. An example of intentional provision of fallacious QoS states information
It can be obviously seen that a QoS signaling system is vulnerable to various attacks without protection of security mechanisms.
Basic scheme of the security mechanism for QoS signaling systems
One can use end-to-end authentication for the non-mutable parameters in QoS signaling messages. This approach requires the originator or the destination node to digitally sign the non-mutable parts of the QoS AODV packets, such as the QoS profile of the flow from the originator or the reservation request from the destination.
Before sending a RREQ message, the originator signs the QoS parameters with its private key. Each intermediate node on the path can voluntarily verify the digital signature to assure that the QoS parameters have not been maliciously altered during transmission. After the RREQ reaches the destination node, the destination checks the integrity of the non-mutable QoS objects via MAC (Message Authentication Code) verification. If the objects have been altered during transmission, the destination node will raise an alarm. Otherwise, it generates RREP packet, hashes the QoS parameters and sends it back to the originator of the request. The originator will verify the authentication and integrity of the QoS parameters upon receiving the RREQ packet from the destination. For the mutable parameters, one can use the hop-by-hop authentication protocol as authentication mechanism. Each intermediate node generates MACs with its currently used hash chain key and then relays the RREQ packet to its adjacent downstream node. After the key is disclosed with a delay since the packet has been sent, the downstream node will use the disclosed key to verify authenticity and integrity of the parameters. In case that the authentication fails, the node will raise an intrusion alarm to its downstream node on the path as well as all the other neighbors. This mechanism can prevent spoofing signaling messages and protect legitimate signaling messages from in-the-middle attack. To prevent from intentional provision of fallacious QoS states information as exemplified in Figure 4, a mechanism that works in a similar way to watchdog  can be used, which was proposed to detect routing misbehavior in mobile ad hoc networks. This mechanism requires that each intermediate node on the route send a signaling message not only to its downstream neighbor, but also to all the other neighbors. That is, an intermediate node is required to broadcast the signaling message instead of unicasting to the downstream node. The upstream node will listen to the broadcast signaling message and verify if its neighbor is maliciously distributing false QoS status. Figure 5 is an example of such intrusion detection scheme. Suppose there exists a path between originator S and destination D. Nodes A, B and C are intermediate nodes on the route. S wants to send a flow that requires a delay of less than 10 milliseconds and therefore sends a RREQ message with value of 10 milliseconds for Maximum Permissible Delay parameter. When S initiates the request, it adds the MAC of the Maximum Permissible Delay, which is denoted as Ms in Figure 5. When node A receives the RREQ packet, it calculates the new delay value and appends the value with its MAC of the Maximum Permissible Delay field. Node A will then broadcast the value with its MAC to its neighbors so that node S will be able to receive the message and verify if the value is reasonable. For example, if the NODETRAVERSALTIME at A is 2 milliseconds, the new delay value sent by A should then be 8 milliseconds. If A sends a value that is apparently invalid (such as 10 or larger), node S will raise an intrusion alarm. Both S and B will be able to authenticate the message using the later disclosed key.
Now we assume node B is a malicious node that is seeking chance to disrupt QoS provision. If it raised the delay value from 8 to 12, node A should be able to find out the delay has been increased by overhearing B's signaling message to C. Our mechanism is also applicable to the Maximum Permissible Jitter and the Minimum Available Bandwidth fields.
—» : а +^-в—* с : D
Figure 5. An example of intrusion detection for QoS signaling systems
To reduce the delay that this system may impose on the routing, the authentication and verification of the QoS values can be achieved offline. That is, an intermediate node can forward the RREQ first before it performs the security verification.
Conclusions. Mobile ad-hoc networks uses dynamic routing, which causes problems with authentification and authorizations of users. Such problems dramatically decreases security of ad-hoc networks. In this article improving of security be using electronic digital signature is proposed. Also described security threats, which are linked with a QoS and methods of mitigation of such threars are described.
1. Computer Systems [Electronic Resource]. - http://user.it.uu.se/~henrikl/aodv
2. Nesargi S. MANETconf: Configuration of Hosts in a Mobile Ad Hoc Network / S. Nesargi, R. Prakash // In Proceeding of IEEE INFOCOM, New York, NY, 2002.
3. Perkins C. IP Address Autoconfiguration for Ad Hoc Networks / C. Perkins, E. Royer, S. Das // Internet
Dratf, July 2000.
4. Cavali A. Secure Hosts Auto-Configuration in Mobile Ad Hoc Networks / A. Cavali, J. Orset // In Proceedings of the 24th International Conference on Distributed Computing Systems Workshops, Tokyo, Japan,
5. Perrig A. Efficient Authentication and Signing of Multicast Stream over Lossy Channels / A. Perrig, R. Canetti, J. Tygar, D. Song // In Proceedings of the 21st IEEE Symposium on Security and Privacy, Orkland, CA,
6. MAoller B. Provably Secure Public-Key Encryption for Length-Preserving Chaumian Mixes / B. MAoller // Proceedings of CT-RSA 2003, LNCS 2612:244-262, April 2003.
7. Braden R. Integrated Services in the Internet Architecture: an Overview [Electronic Resource] / R. Braden, D. Clark, S. Shenker // RFC 1633, June 1994. - http://www.ietf.org/rfc/rfc1633.txt
8. Black S. An Architecture for Differentiated Service [Electronic Resource] / S. Blake, D. Black, M. Carlson // RFC 2475, December 1998. - http://www.ietf.org/rfc/rfc2475.txt
9. Xiao H. A Flexible Quality of Service Model for Mobile Ad-Hoc Networks / H. Xiao, W. K. G. Seahand,
A. Lo, K. C. Chua // In Proc. of IEEE Vehicular Technology Conf. (VTC2000), Tokyo, Japan, May 2000. - Pp. 445-449.
10. Marti S. Mitigating Routing Misbehavior in Mobile Ad Hoc Networks / S. Marti, T. Giuli, K. Lai, M. Baker // Proc. of the Sixth Annual International Conf. On Mobile Computing and Networking (MobiCom '00),
Boston, MA, August 2000. - Pp. 255-265.
11. Ilchenko M. Modern telecommunication systems / M. Ilchenko, S. Kravchuk. - K.: Enterprise "Publishing "Naukova Dumka" National Academy of Sciences of Ukraine". - 2008. - 328 p. - ISBN 978-966-000875-9.
12. Alekseeva Y.A. Analysis of routing algorithms in ad-hoc networks / Y. A. Alekseeva, M. Y. Ternovoy // Electronics and Communications (Electronics and Communications, Electronics and Communications) // In the thematic issue of "Problems of Electronics".- 2008. - No 3-4, Part 2. - Pp. 61-65. - ISSN 1811-4512.
В статті розглядаються основні види атак на спонтанні мобільні мережі. Здійснено класифікацію атак та подано їх детальний опис. Показано методи боротьби з описаними атаками та способи підвищення безпеки мереж. Ключові слова: мобільна спонтанна мережа, атака на мережу, динамічна маршрутизація.
В статье рассматриваются основные виды атак на спонтанные мобильные сети. Осуществлена классификация атак и подано их детальное описание. Показано методы борьбы с описанными атаками и способы повышения безопасности сетей.
Ключевые слова: мобильная спонтанная сеть, атаки на сеть, динамическая маршрутизация.
Information about the authos
Mykola Karpinski - Prof. Dr.Sc., University of Bielsko-Biala, Department of Electrical Engineering and Automatic (Bielsko-Biala, Poland, firstname.lastname@example.org)
Arsen Hominchuk - PhD Student of the Computer Engineering Department of Ternopil National Economic University (TNEU). The scientific adviser - Prof. Dr.Sc. M. Karpinski.
Статья подана 20.04.2011