HUANG LAYOUT
10/3/07
2:26 PM
Page 48
SECURITY IN WIRELESS MOBILE AD HOC AND SENSOR NETWORKS
A FLOW-BASED NETWORK MONITORING FRAMEWORK FOR WIRELESS MESH NETWORKS
FEIYI HUANG AND YANG YANG, UNIVERSITY COLLEGE LONDON
LIWEN HE, SECURITY RESEARCH CENTRE, BRITISH TELECOM GROUP CTO
The authors review security challenges, attacks, and countermeasures in the physical, MAC, and network layers of wireless mesh backbone and access networks. They then extend the concept of traffic flow from IP networks and define MeshFlow in wireless mesh networks.
ABSTRACT
As an extension of wireless ad hoc and sensor networks, wireless mesh networks recently were developed as a key solution to provide high-quality multimedia services and applications, such as voice, data, and video, over wireless personal area networks, wireless local area networks, and wireless metropolitan area networks. A WMN has a hybrid network infrastructure with a backbone and an access network and usually is operated in both ad hoc and infrastructure modes with self-configuration and self-organization capabilities. In this article, we review security challenges, attacks, and countermeasures in the physical, medium access control (MAC), and network layers of wireless mesh backbone and access networks. We then extend the concept of traffic flow from IP networks and define MeshFlow in wireless mesh networks. Based on this new concept, we propose a comprehensive framework to realize network monitoring, user and router profiling, application and service balancing, and security protection in wireless mesh backbone networks. Practical issues and design trade-offs for implementing the proposed framework in real systems also are discussed.
INTRODUCTION
In recent years, wireless mesh networks (WMNs), together with related novel applications and services, received much attention and were actively researched. New applications and services include digital home, broadband, and wireless home Internet access, community and neighborhood networking, enterprise networking, metropolitan area networks, building automation, health and medical systems, public safety and security surveillance systems, intelligent transportation systems, emergency and disaster networking, and so on [1].
A WMN is a group of self-organized and self-configured mesh clients and routers interconnected via wireless links. Mesh clients can be various user devices with wireless network interface cards, such as PCs, laptops, PDAs, and mobile phones. They have limited resources and capability in terms of energy supply, processing ability, radio coverage range, and so on. Wireless mesh routers are usually much more powerful in terms of computation and communication capabilities and have a continuous power supply. They normally stay static and act as access points to supply Internet connections for clients. Due to the limited radio coverage range and dynamic wireless channel capacity, user traffic from a mesh client usually is transmitted through a multihop wireless path to its destination, over links such as client-to-client (CC), client-to-router (CR), and router-to-router (RR).
Ad hoc mode interconnections of mesh routers construct the wireless mesh backbone network. When a new or existing router joins or leaves the backbone, the network self-organizes and self-configures accordingly. In a wireless mesh access network, there is usually one static mesh router and a number of mesh clients that are either static or mobile. They are operated in ad hoc (CC link) or infrastructure (CR link) mode, depending on their logical distance from the mesh router. Based on the license-free 2.4 GHz frequency band, three non-overlapping wireless channels are available in a WMN. The feasibility of multi-channel interconnection generates great research interest in WMN network design, including efficient medium access control and routing protocols plus dynamic channel allocation. One promising WMN structure is illustrated in Fig. 1. On each mesh router, one of the three channels is assigned for access network communication, while the other two channels are assigned for the backbone network interconnection. Adjacent access networks should be set to operate on separate channels to avoid interfering with each other. On the other hand, to avoid expensive add-on solutions, proactive security design should be investigated to eliminate existing and emerging security vulnerabilities and enhance system security.
1536-1284/07/$20.00 © 2007 IEEE
■ Figure 1. Infrastructure of wireless mesh networks [1]. (Internet gateways; a mesh backbone network of mesh routers joined by RR links; mesh, Wi-Fi, and wireless sensor access networks with CR and CC links on separate wireless channels; MeshFlow records exported from the routers to the MeshFlow collector and analyzer.)
In the wireless mesh backbone networks, when directed traffic travels towards the Internet gateways, network resource consumption is unbalanced. A network bottleneck appears on each mesh router neighboring an Internet gateway. Internet connections can be damaged by easily jamming the limited radio channel resource, by exhausting computation ability, or simply from a flooding attack. In the access network, disruption of critical links (CR links) would totally disable the access network; MAC abuse reduces the probability of successful transmission; and flooding attacks easily can drain the limited energy supply. All these vulnerabilities and security challenges require a comprehensive network-monitoring framework to achieve real-time awareness, immediate response, and even traceback to malicious users.
The concept of network traffic flow has been well researched and implemented by a number of network device providers, such as Cisco [2] and Juniper, in IP networks. Consequently, great improvements in network performance efficiency, as well as comprehensive network security, monitoring [10], and accounting, can be achieved. Generally speaking, a traffic flow consists of a number of data packets that share common or similar properties, such as source and destination addresses, types of service, port numbers, and so on. In this article, we extend the traffic flow concept to wireless mesh networks and design a comprehensive monitoring framework, including user and router monitoring, application and service profiling, network security analysis, and protection.
The rest of this article is organized as follows. Security challenges, attacks, and possible solutions are reviewed. We introduce the concept of MeshFlow and design a network-monitoring framework based on this approach. Some important variations in implementing the MeshFlow framework are discussed. Then we consider an example to demonstrate the entire procedure of MeshFlow monitoring, abnormal reporting, and security protection, followed by conclusions.
IEEE Wireless Communications • October 2007
VULNERABILITIES AND CHALLENGES
The open network structure and ad hoc operation mode of WMNs make it possible for malicious attackers to sneak in disguised as legitimate users, compromise mesh routers or clients, misbehave with communication protocols, and launch a variety of attacks against wireless functionality, services, and applications. Good authentication and data encryption algorithms [3] can prevent external attackers from entering the network and stealing valuable information. In addition, we require techniques to address different security challenges and attacks in the physical, MAC, and network layers.
RADIO FREQUENCY JAMMING
In the physical layer, attackers can make use of the inherent vulnerability of radio frequency (RF) transmission and generate jamming signals to interfere with communications on wireless channels. Compared with mesh routers, wireless mesh clients have many fewer hardware resources (e.g., radio interface, power supply, and data storage), less processing power, and fewer communication capabilities. Hence, they are more vulnerable to RF jamming attacks. To generate strong interference at targeted wireless devices, RF jamming signals are usually narrow-band and have a limited radio coverage range. So we can use wideband communication techniques, such as direct sequence spread spectrum (DSSS) and frequency-hopping spread spectrum (FHSS), to combat the interference of jamming signals. In addition, orthogonal frequency division multiplexing (OFDM) and multiple input multiple output (MIMO) techniques can be adapted to further improve the reliability and efficiency of data transmission over dynamic fading radio channels.
MAC LAYER ABUSE
Contention-based MAC protocols are usually adopted in WMNs for wireless users to share a common wireless channel. In the MAC layer, misbehavior and attacks [4] include selfish actions, misuse of access protocols, and transmission of forged packets/signals, so as to unfairly occupy wireless channels and resources. For example, a small back-off interval gives the corresponding user the advantage of gaining access to the wireless channel quickly. The carrier-sensing mechanism in many MAC protocols can be abused by falsely increasing the waiting time in the network allocation vector (NAV) or continuously broadcasting busy-tone signals. As a result, the neighboring users are kept in the silent/waiting status for a long period and cannot access the network for data transmission and reception. By overhearing the NAV information and busy-tone signals, an attacker can deliberately interrupt ongoing packet transmission and resend forged packets to make the intended (victim) users and machines assume that their previous packet transmissions were not successful. In doing so, the victim users are kept in working status, unable to enter the idle/sleep mode to save energy. Forged packets, with a broadcast address as the source, trigger all the listening users to rebroadcast these packets throughout the network, thus wasting energy and even jamming normal packet transmissions. Such attacks are particularly damaging in wireless mesh access networks, because they easily can drain a mesh client of its limited battery power and destroy a multihop wireless path. To prevent MAC-layer abuse, misbehavior, and attacks, one solution is to use sophisticated authentication and encryption algorithms to enhance the handshake process in MAC protocols [5].
ROUTING MISBEHAVIOR
In the network layer, typical routing misbehavior and attacks are to interrupt the route discovery and maintenance processes and tamper with routing tables [6]. For reactive on-demand routing protocols, such as Dynamic Source Routing (DSR) and Ad hoc On-demand Distance Vector (AODV), the source route and node list information in the route request (RREQ) and route reply (RREP) packets can be fabricated, replaced, or deleted. An attacker also can advertise an AODV route with a false distance (shorter or longer), causing the routing protocol to fail, reducing its efficiency, or even re-routing important user data elsewhere. For proactive table-based routing protocols, such as Destination Sequenced Distance Vector (DSDV) and Optimized Link State Routing (OLSR), an attacker can advertise a modified routing table to lead all network traffic toward an intended address that might not exist or to generate routing loops. Then, the attacker can steal all of the packets and produce a sinkhole by selectively discarding any packets to disrupt the transmission of the network. Routing loops prevent data packets from being transmitted to their destinations, as well as waste many network resources along the routing path. To address this routing misbehavior and these attacks, we can use the spanning tree protocol (STP) defined in IEEE 802.1D to eliminate routing loops; and geographic routing protocols help solve the routing table abuse problem by broadcasting geographic information. For on-demand routing protocols, unrealistic routes can be identified by a comprehensive routing discovery procedure. Malicious or compromised routers can be identified by router behavior monitoring schemes, for example, the watchdog [7].
DENIAL OF SERVICE
Among all of the network security threats, denial of service (DoS) and its derivative, distributed denial of service (DDoS), are two classical attacking approaches that are easy to launch and hard to defend against on almost every layer of a WMN. A DoS attack [8] targets the network resources (e.g., network bandwidth) and router/client resources (e.g., router/client memory, processing capability) to prevent them from providing good service to legitimate users. Handshake messages, or other access control and collision avoidance packets in the MAC layer, and routing tables and route discovery packets in the network layer, easily can be falsified to exclude vital fields, include a non-existent source or destination, or be completely replaced by malformed information. MAC message exchange, route discovery, and maintenance procedures will be suspended by these unreadable packets and tables. As a result, additional requests from other network devices will not be responded to by these terminals, which are struggling to resolve these packets and tables. On the other hand, DoS can be achieved much more easily by the well-known flooding attacks: Transmission Control Protocol synchronize packet (TCP SYN) flooding, Internet Control Message Protocol (ICMP) flooding, and User Datagram Protocol (UDP) flooding. A flooding attack makes use of overwhelming packet volumes to exhaust the resources on the victim network, such as processing capability on individual devices and connection capability among network terminals. In a WMN, flooding is more damaging because of unstable wireless links, unbalanced usage of network resources, and weaker network devices: mesh clients always have constraints on processing and energy capability; mesh routers next to the gateway and mesh clients close to the access point (mesh router) are normally more heavily loaded; and RF transmission cannot supply satisfactory bandwidth.
A number of countermeasures [9] have been developed to mitigate the harm caused by flooding attacks. SYN cookies optimize the TCP protocol by delaying the allocation of resources until the address of every client that sent a request is verified; implementing firewalls, rate limiting, and access control lists (ACLs) on routers can slow down or prevent an ongoing or outgoing flooding attack. End-to-end authentication is suggested as well to make sure every user has certification before using any network resource or accessing the wireless channel.
Attacks and abuses on any network layer will damage network functionality, applications, and services. All these performance degradations are mapped to the application layer and reflected in changes of the network traffic. By monitoring these traffic changes, misbehavior, abusive activities, and attacks can be actively monitored. In an IP network, traffic-flow monitoring is already well established with Netflow as an international standard. In the following sections, the network traffic flow concept is extended to wireless mesh backbone networks, namely MeshFlow. An innovative MeshFlow-based network-monitoring framework is proposed.
■ Figure 2. Meshflow framework. (Packets arriving at a mesh router over the wireless channels are matched with existing MeshFlow records: on a match the existing record is modified to include the new information, otherwise a new record is created. Records are exported and deleted from the router's MeshFlow cache; the MeshFlow collector and analyzer aggregates them for user profiling, router monitoring, application monitoring, and security protection.)
MESHFLOW FRAMEWORK
In a WMN, the concept of network traffic flow is extended and defined as MeshFlow. Based on this new concept, a MeshFlow framework is designed to generate, transmit, and analyze MeshFlow records. Thus, network performance monitoring, such as user monitoring, application and service profiling, security guarantee enforcement, and so on can be achieved efficiently in real time. The framework includes several components: MeshFlow record structure definition, record creation, record management, record exportation, record collection, record aggregation, and analysis.
MESHFLOW DEFINITION
A MeshFlow record is a special kind of packet and contains a summary of common properties of data packets passing a mesh router. The fields included in a MeshFlow record are source address, destination address, next-hop address, number of bytes, number of packets, transport protocol, and previous transmission delay summation. These fields can be flexibly extended to include more information in later MeshFlow versions according to specific network requirements. More precise traffic information can then be monitored in real time. However, extra performance overhead is introduced at the same time, such as generating longer records and holding/transmitting larger packets. The existing record format also can be dynamically shortened to exclude unnecessary fields.
MESHFLOW CREATION
On each mesh router, part of the memory is set aside to construct a MeshFlow cache dedicated to MeshFlow record creation and maintenance. The size of a MeshFlow cache is flexibly determined by individual mesh routers according to available memory or other limitations and requirements. As shown in Fig. 2, when a packet travels through a mesh router, its transmission information is extracted and comprises a MeshFlow record. If two packets have the same source, destination, next-hop address, and the same transport protocol, their transmission information can be arranged in one MeshFlow record by aggregating the number of packets, bytes, and delay duration.
MESHFLOW MANAGEMENT
As soon as a MeshFlow record is created, it is stamped to indicate the starting time of the record. An aging mechanism is then implemented to calculate the overall active duration of the MeshFlow record. No additional processing of MeshFlow records on mesh routers is suggested, because it would occupy a large part of the CPU capability and interfere with the basic functionality of mesh routers, for example, routing, access control, and so on. MeshFlow records are then exported to a dedicated collector and analyzer and permanently deleted from the MeshFlow cache. Note that there are a number of different methodologies for MeshFlow exportation and collection, namely dedicated cable lines, distributed antennas, and multihop relaying. Network carriers can choose any one of these according to the implementation scenario and network preference.
MESHFLOW ANALYSIS
After the MeshFlow records of each router are exported to the collector, an entire network traffic picture can be constructed. By analyzing these records, network application and service performance, bandwidth utilization, user actions, viruses, and intrusions can be monitored and discovered without deploying hardware sniffers.
■ Figure 3. Meshflow implementation issues. (Static parameters: Meshflow structure design; Meshflow collection methods. Dynamic parameters: packet sampling and Meshflow generation rate (complete or incomplete; time, packet, or terminal based); Meshflow exportation frequency (idle, active, or oldest); mesh router CPU and memory availability; Meshflow exportation bandwidth occupation.)
User Monitoring — When a packet travels through a multihop path that consists of mesh routers, MeshFlow records are created on every one. By aggregating these records, the complete transportation path of a particular packet can be precisely derived. This path includes the source and destination clients and every intermediate router. Other parameters such as transport protocol and number of bytes also can be reported. As a result, a comprehensive investigation of each traffic flow is achieved and concludes where it is from, where it is going, what kind of traffic it is, and how many packets are transmitted.
Router Monitoring — In a WMN, mesh routers are responsible for supplying access to clients and relaying packets for other routers. Therefore, there are three kinds of traffic on a mesh router: traffic that originated from its own access network, incoming traffic from other routers, and outgoing traffic to other routers. This traffic can be transmitted simultaneously if there are three separate channels. When MeshFlow records are aggregated based on mesh routers, the traffic transported on each channel can be illustrated clearly. As a result, the access situation of wireless mesh access networks and the bandwidth utilization of mesh routers can be mapped on the MeshFlow collector and reflected in the MeshFlow record fields. With router- and client-based aggregation mechanisms, a comprehensive traffic structure is constructed for subsequent monitoring and analysis.
Security Protection — In a WMN, security issues include detecting abnormal traffic, identifying abuse or attack scenarios, and preventing continuous damage to the network. Compared with the usual network traffic pattern, abnormal traffic is defined as any kind of traffic that may interrupt, damage, or disable network functionality. As such traffic is usually very different from the general network traffic pattern, detection and identification can be achieved by matching corresponding abnormal/attack signatures. For example, in a flooding attack, the most obvious characteristic (signature) is burst traffic toward the same destination; a worm virus will let one user send hundreds or thousands of TCP connection requests within a short time period; MAC abuse or RF jamming in an access network will permit no successful transmissions for clients and consequently no traffic generated from that access network. All these abnormal situations can be detected by analyzing the MeshFlow records and matching them with signatures. Then network protection can be achieved with further action, for example, letting the flood-generating router block the corresponding attack traffic or finding the attacker and disabling its connectivity.
Application and Service Monitoring — Different network applications and services usually are performed by separate and dedicated transport protocols. Based on the aggregated MeshFlow records of each router, the performance data of each application on a router can be further fused. Current router resource utilization, such as bandwidth and processing capability consumed by individual applications and services, can be seen clearly. Inappropriate resource utilization is reallocated to balance the different applications performed on each mesh router. For example, peer-to-peer (P2P) applications usually grab a large share of network bandwidth. If a Voice over Internet Protocol (VoIP, carried over the Real-time Transport Protocol) service is deployed as well, which is very sensitive to transmission delay and packet loss, it might be severely affected by the P2P application. The MeshFlow records can clearly reflect this situation: large numbers of packets transmitted with the P2P protocol, plus unacceptable transmission delay under the Real-time Transport Protocol. Then network resources can be reallocated and balanced by preventing the P2P application from taking excessive network bandwidth.
IMPLEMENTATION ISSUES
There are many possible ways of implementing the MeshFlow framework in real networks. Unavoidably, the MeshFlow framework induces extra performance overhead and influences several aspects of the network. Carefully designing the implementation details can make MeshFlow much more suitable for specific network scenarios and introduce the least possible additional cost. If MeshFlow is implemented without appropriate original (default) settings and introduces unwanted network damage, self-configuration and self-optimization mechanisms are activated to reset the related parameters.
As illustrated in Fig. 3, when deploying the MeshFlow framework in a WMN, two static settings first must be determined: the MeshFlow record structure and the MeshFlow collection method. As different fields within a MeshFlow record are used for different monitoring and analysis purposes, it is not necessary to generate a complete record in each scenario. Unnecessary operation overhead can be avoided by carefully investigating the network requirements and defining a compact MeshFlow record structure that includes only mandatory fields. During the MeshFlow exportation process, records are transmitted to the collector by one of three methods:
Dedicated cable line: each mesh router has a dedicated cable line exclusively for MeshFlow record transmission.
Distributed antenna: the MeshFlow collector has antennas deployed around the entire backbone network.
Multihop relaying: MeshFlow record exportation is performed as for normal packet transmissions via a multihop router-to-router wireless link, finally reaching the collector.
The first two methods guarantee MeshFlow record-transmission reliability but require more elaborate hardware at the MeshFlow collector. If the multihop relaying method is employed, the collection process might interfere with normal network traffic transport. In this situation, resources must be carefully allocated to balance the transmission of normal packets and MeshFlow records.
There are another two dynamic parameters of the MeshFlow framework: the packet-sampling rate and the record-exportation time interval. Both start from standard default values. On each mesh router, when there is an incoming packet, the information required by MeshFlow is either extracted immediately or ignored, depending on a predefined sampling rate. Sampling is originally performed in complete mode to collect all incoming packet information. This original methodology may not be suitable for each mesh router, depending on CPU and memory availability. By analyzing the MeshFlow records generated, the original complete sampling method may be replaced by incomplete sampling on some mesh routers to save limited processing resources:
Time-based: extract information from an incoming packet at certain time intervals.
Packet-based: sample one packet after ignoring a certain number of them.
Terminal-based: capture packets more frequently or completely from a number of particular terminals that have bad or “criminal” histories.
As more and more MeshFlow records are generated, some of them should be exported and erased from the dynamic MeshFlow cache. Three scenarios define when MeshFlow records are exported:
Idle: a MeshFlow record has been idle for a certain period.
Active: a MeshFlow record has been active for too long.
Oldest: the oldest record in the MeshFlow cache is exported when the cache is heavily or fully loaded.
The processing and storage load on each mesh router can be alleviated efficiently by exporting records very frequently. This can be achieved by setting the Idle, Active, and Oldest times to small values so that the mesh router reconsiders records held for too long. However, a large part of the limited wireless bandwidth will then be sacrificed to support over-frequent MeshFlow record exportation. Therefore, it is critical to balance these parameters during reconfiguration according to the feedback from the MeshFlow records collected under the original settings.
■ Figure 4. An example: flooding attack. (Mesh backbone network of routers 1–5 with the MeshFlow collector and analyzer; mesh access networks holding attacking client A, victim client B, and clients C–F; MeshFlow records exported over the wireless channels.)
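The record creation and aggregation of the MeshFlow Creation section, the aging of the MeshFlow Management section, and the sampling modes and Idle/Active/Oldest export rules above, as one added example in Python (not the authors' implementation). The field names follow the MeshFlow definition; the cache size, timeouts, router names and packets are constructed.

```python
# Router-side MeshFlow cache, added here as an illustration of the framework
# described in this article; it is not the authors' implementation. Record
# fields, the four sampling modes and the Idle/Active/Oldest export rules
# follow the text; timeouts, cache size and the packets are constructed.
from dataclasses import dataclass


@dataclass
class MeshFlowRecord:
    src: str                 # packets with the same src, dst, next hop and
    dst: str                 # transport protocol are arranged in one record
    next_hop: str
    proto: str
    packets: int = 0
    nbytes: int = 0
    delay_ms: float = 0.0    # summation of previous transmission delays
    first_seen: float = 0.0  # time stamp set when the record is created
    last_seen: float = 0.0   # updated by every aggregated packet


class MeshFlowCache:
    """One cache per mesh router; exported records are returned to the caller
    (transport to the collector is out of scope) and deleted from the cache."""

    def __init__(self, max_records=64, idle_timeout=15.0, active_timeout=60.0,
                 sampling="complete", sample_every=1, sample_period=0.0,
                 watched=()):
        self.max_records = max_records        # memory reserved for the cache
        self.idle_timeout = idle_timeout      # Idle rule, seconds
        self.active_timeout = active_timeout  # Active rule, seconds
        self.sampling = sampling              # complete|packet|time|terminal
        self.sample_every = sample_every      # packet-based: keep 1 in N
        self.sample_period = sample_period    # time-based: seconds between samples
        self.watched = set(watched)           # terminal-based: captured completely
        self.cache = {}
        self.seen = 0
        self.last_sample_time = float("-inf")

    def _sampled(self, pkt, now):
        """Apply the configured sampling mode to an incoming packet."""
        self.seen += 1
        if self.sampling == "complete":
            return True
        if self.sampling == "packet":
            return self.seen % self.sample_every == 0
        if self.sampling == "time":
            if now - self.last_sample_time >= self.sample_period:
                self.last_sample_time = now
                return True
            return False
        if self.sampling == "terminal":
            # terminals with a bad history are captured completely, the rest
            # only at the packet-based rate
            return pkt["src"] in self.watched or self.seen % self.sample_every == 0
        raise ValueError("unknown sampling mode: " + self.sampling)

    def observe(self, pkt, now):
        """Match the packet with an existing record or create a new one (the
        Yes/No branch of Fig. 2); returns a record evicted by the Oldest rule."""
        exported = []
        if not self._sampled(pkt, now):
            return exported
        key = (pkt["src"], pkt["dst"], pkt["next_hop"], pkt["proto"])
        rec = self.cache.get(key)
        if rec is None:
            if len(self.cache) >= self.max_records:
                oldest = min(self.cache, key=lambda k: self.cache[k].first_seen)
                exported.append(self.cache.pop(oldest))
            rec = MeshFlowRecord(*key, first_seen=now)
            self.cache[key] = rec
        rec.packets += 1
        rec.nbytes += pkt["bytes"]
        rec.delay_ms += pkt["delay_ms"]
        rec.last_seen = now
        return exported

    def age(self, now):
        """Idle and Active rules: export records that have been idle, or active,
        for longer than the configured timeouts."""
        out = []
        for key, rec in list(self.cache.items()):
            if (now - rec.last_seen >= self.idle_timeout
                    or now - rec.first_seen >= self.active_timeout):
                out.append(self.cache.pop(key))
        return out


def demo():
    """Constructed trace on router 1: three UDP packets A->B, one TCP packet
    C->D, a third flow that fills the cache, then ageing at t = 8.5 s."""
    cache = MeshFlowCache(max_records=2, idle_timeout=5.0, active_timeout=30.0)
    a_b = {"src": "A", "dst": "B", "next_hop": "router3", "proto": "UDP",
           "bytes": 1200, "delay_ms": 3.0}
    exported = []
    for t in range(3):
        exported += cache.observe(a_b, float(t))          # one record, 3 packets
    exported += cache.observe(dict(a_b, src="C", dst="D", proto="TCP"), 3.0)
    exported += cache.observe(dict(a_b, src="E"), 4.0)    # full: oldest (A->B) out
    exported += cache.age(8.5)                            # C->D idle 5.5 s: out
    return exported
```

Lowering the timeouts or the cache size makes records leave the router sooner, which is exactly the bandwidth trade-off the section describes.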
EXAMPLE: FLOODING ATTACK DETECTION AND TRACEBACK As an example shown in Fig. 4, the MeshFlow framework is implemented in a network. Considering a UDP flooding attack (from client A) launched against client B, two mesh routers (1 and 3) are on a three-hop path. The complete procedure for network monitoring, attack detection, and traceback is shown in Fig. 5 and described as follows:
53
HUANG LAYOUT
10/3/07
2:26 PM
Real-time monitoring Normal network operation
Page 54
Attack detection
Flooding attack
Network protection
Attack detected
Traceback
Attack resolved
Attacker found
■ Figure 5. Meshflow working process.
Step 1. Real-time monitoring: Mesh routers 1–5 export their MeshFlow records to the MeshFlow collector and analyzer using the default, standard MeshFlow settings. The MeshFlow collector always aggregates the MeshFlow records on a per-router basis. Application-based MeshFlow fusion is then performed according to the different transport protocols, so that the applications and their resource usage on each mesh router are monitored in real time.

Step 2. Attack detection: Thresholds and alarms are specified for each application to control its resource utilization. A feasible threshold value should be determined based on the long-term monitoring of traffic statistics, the capability of a mesh router, and the sensitivity of its local access network to traffic bursts. Abnormal traffic bursts generated by a flooding attack can then be detected easily by comparing their instantaneous traffic statistics against normal operational records and traffic thresholds. This simple method is reliable and can also prevent some selfish users from degrading the overall system performance and network functionality by transmitting and receiving a large number of packets within a short period of time. If required, higher-level security devices, such as an intrusion detection system (IDS), can be deployed to distinguish abnormal traffic bursts caused by a flooding attack from those generated by malicious users.

Step 3. Network protection: By detecting and analyzing the MeshFlow records of a flooding attack, we can use the source and destination addresses in the same MeshFlow records to identify the mesh access sub-networks of the attacker and of the victim machine. Protective actions can then be taken to prevent the network from continuous exposure to the flooding attack. For the example shown in Fig. 4, the MeshFlow collector instructs mesh router 3 to stop delivering packets from the attacker address to the victim, client B. On the attacker side, mesh router 1 is required to stop inserting packets from the attacker address into the mesh backbone network. This can be achieved by executing traffic filtering and rate limiting schemes at the outgoing and incoming channels of the corresponding routers.

Step 4. Traceback: Experienced attackers can use spoofing techniques to place incorrect source addresses in the packets they transmit for a flooding attack. This makes it very difficult to trace back and locate the real attacker. With MeshFlow, we can find the real source of spoofed attack packets by aggregating the records based on individual users. When a flooding attack is detected, the MeshFlow collector can determine the victim (client B) address and the suspicious (spoofed) addresses without any ambiguity. The MeshFlow records on each router that relate to these two addresses and have the same direction (towards the victim) are extracted and fused. The entire traffic path is then constructed and, finally, the original mesh router hiding the attacker is located. This method can be further utilized to construct a comprehensive profile for each user, including basic information such as transport path, protocol, and bytes transmitted. By monitoring these profiles, abnormal or selfish actions such as IP spoofing and excessive traffic generation can be detected and eliminated from the very beginning.
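The four steps above worked through in Python, as an added example that is not part of the original article or the authors' framework: it assumes a MeshFlow record layout (exporting router, addresses, transport protocol, packet count, ingress and egress hop), constructed records for a spoofed UDP flood that follows an assumed path router 1 -> router 4 -> router 3 towards client B, and assumed per-application thresholds; none of these values come from the article.

```python
from collections import defaultdict, namedtuple
# One MeshFlow record as exported by a mesh router (field set assumed for this example). ingress/egress
# are "access" when packets entered from / were delivered to the router's own access network, else the hop.
MeshFlow = namedtuple("MeshFlow", "router src dst proto pkts ingress egress")
VICTIM = "10.3.0.20"  # constructed address for client B behind mesh router 3
RECORDS = [  # constructed: spoofed UDP flood R1 -> R4 -> R3 towards B, plus a normal TCP flow R2 -> R5
    MeshFlow("R1", "192.0.2.1", VICTIM, "udp", 6000, "access", "R4"),
    MeshFlow("R1", "192.0.2.2", VICTIM, "udp", 5500, "access", "R4"),
    MeshFlow("R4", "192.0.2.1", VICTIM, "udp", 6000, "R1", "R3"),
    MeshFlow("R4", "192.0.2.2", VICTIM, "udp", 5500, "R1", "R3"),
    MeshFlow("R3", "192.0.2.1", VICTIM, "udp", 6000, "R4", "access"),
    MeshFlow("R3", "192.0.2.2", VICTIM, "udp", 5500, "R4", "access"),
    MeshFlow("R2", "10.2.0.7", "10.5.0.9", "tcp", 120, "access", "R5"),
    MeshFlow("R5", "10.2.0.7", "10.5.0.9", "tcp", 120, "R2", "access"),
]
THRESHOLDS = {"udp": 4000, "tcp": 8000}  # packets per export interval per router; assumed values

def detect_flood(records, thresholds):
    # Steps 1-2: fuse records per (router, transport protocol) and compare the total against the
    # application threshold; returns (victim, suspicious sources) or None when nothing exceeds it.
    totals = defaultdict(int)
    for r in records:
        totals[(r.router, r.proto)] += r.pkts
    bursty = [r for r in records if totals[(r.router, r.proto)] > thresholds[r.proto]]
    if not bursty:
        return None
    per_dst = defaultdict(int)
    for r in bursty:
        per_dst[r.dst] += r.pkts
    victim = max(per_dst, key=per_dst.get)  # address receiving the bulk of the burst
    return victim, {r.src for r in bursty if r.dst == victim}

def trace_back(records, victim, suspects):
    # Step 4: fuse the records heading towards the victim from the suspected (possibly spoofed) sources
    # and follow ingress -> egress from the router whose ingress is "access": it hides the attacker.
    towards = [r for r in records if r.dst == victim and r.src in suspects]
    hop = next(r.router for r in towards if r.ingress == "access")
    path = [hop]
    while (nxt := next(r.egress for r in towards if r.router == hop)) != "access":
        if nxt in path:  # malformed or looping records; refuse to spin forever
            raise ValueError("loop in MeshFlow path at %s" % nxt)
        path.append(nxt)
        hop = nxt
    return path

def protect(path, suspects, victim):
    # Step 3: filtering actions at both ends of the path as (router, side, src, dst) tuples.
    first, last = path[0], path[-1]
    return [(first, "ingress", s, victim) for s in sorted(suspects)] + \
           [(last, "egress", s, victim) for s in sorted(suspects)]
```

Running `detect_flood` on the constructed records flags the UDP burst on routers 1, 4 and 3 and leaves the TCP flow alone; `trace_back` then rebuilds the path R1 -> R4 -> R3 even though both source addresses are spoofed.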
CONCLUSIONS

As a promising scheme for next-generation networks, the wireless mesh network offers superior flexibility and new revenue opportunities. However, the security issues on each layer of the backbone and access networks remain a problem for massive deployment. Research that monitors network performance and device behavior together in this rapidly developing network will benefit both security and network design. In this article, we reviewed security challenges, attacks, and countermeasures in the physical, MAC, and network layers of wireless mesh backbone and access networks. We defined the new concept of MeshFlow and proposed a flow-based network-monitoring framework to tackle many challenging security issues in wireless mesh networks. The MeshFlow framework can dynamically self-configure and self-optimize its operation parameters to balance network device capability against network monitoring requirements. As an example, a flooding attack with spoofed source addresses was used to illustrate that the proposed framework can achieve remote user and router performance monitoring, attack detection, and instant traceback without interfering with normal functions at mesh routers.
ACKNOWLEDGMENT

Thanks to Paul Botham from BT Group and the anonymous reviewers for valuable comments in completing the article.
IEEE Wireless Communications • October 2007
BIOGRAPHIES

FEIYI HUANG ([email protected]) received his B.Eng. degree in electronic engineering from Anhui University, P. R. China, in 2003. He started his Ph.D. program in wireless and data communications engineering in September 2003 at Brunel University. He worked at the Brunel Information Technology Laboratory from September 2003 to September 2004 and at the Brunel Advanced Research Institute of Multimedia and Network Systems from October 2004 to April 2005. He transferred to the Department of Electronic and Electrical Engineering, University College London (UCL) in May 2005. From August 2005 to January 2006 he did a research internship with the Security Research Centre, British Telecommunications Group CTO. He is currently a Ph.D. candidate at UCL. His general research interests include mobile ad hoc networks, wireless sensor networks, wireless mesh networks, next-generation (beyond 3G) networks, MAC protocols, network monitoring, intrusion detection, and traceback.

YANG YANG [M] ([email protected]) received B.Eng. and M.Eng. degrees in radio engineering from Southeast University, P. R. China, in 1996 and 1999, respectively, and a Ph.D. degree in information engineering from the Chinese University of Hong Kong in 2002. He is currently a lecturer with the Department of Electronic and Electrical Engineering, UCL. He has published over 40 refereed journal and conference papers in the areas of wireless communications, covering 3G mobile systems and beyond, MAC and routing protocols, cross-layer performance evaluation and optimization, and wireless ad hoc, sensor, and mesh networks. He received the Outstanding Ph.D. Thesis award from the Faculty of Engineering, Chinese University of Hong Kong, in 2002, the Young Scientist Award from the Hong Kong Institute of Science in 2003, and a Short-Term Research Fellowship from British Telecom in 2004.

LIWEN HE [SM] ([email protected]) graduated from the University of Sheffield with a Ph.D. degree. In 1999 he joined BT Laboratories, doing research on optimal design, routing, capacity planning, and performance analysis and resilience in IP, optical, and mobile networks. He is now a principal security researcher at the Security Research Centre, BT Group CTO, working on network security research. His research interests are separation of IP control and data planes, securing routing protocols, anomaly detection, IP network simulation and experimental networks, IP traceback, trusted Internet routing infrastructure, and security and performance testing. He has published more than 20 research papers in international conferences and technical journals, and has 10 international patents. He has organized and chaired or served as a Technical Program Committee member for a number of international conferences in network security. He is a member of the IEEE Communications and Information Security Technical Committee. He was recently appointed an Associate Editor for a new Wiley technical journal, Security and Communication Networks. He also participates in ITU Study Group 17 on telecommunications security standards, representing BT and the United Kingdom.