A NEW SET OF PASSIVE ROUTING ATTACKS IN ... - Semantic Scholar

A NEW SET OF PASSIVE ROUTING ATTACKS IN MOBILE AD HOC NETWORKS Jiejun Kong, Xiaoyan Hong, Mario Gerla Computer Science Department University of California, Los Angeles, CA 90095 fjkong,hxy,[email protected] ABSTRACT In hostile environments, adversaries can launch passive attacks against interceptable routing information embedded in routing messages and data packets. Allowing adversaries to trace network routes and infer the motion pattern of nodes at the end of those routes may pose a serious threat to covert operations. In this paper we propose a feasible adversary model of such attacks, then present several instantiations and study the principles of designing corresponding countermeasures. We demonstrate that existing ad hoc routing protocols are vulnerable to passive attacks: in the feasible adversary model, (a) the location and motion patterns of mobile nodes can be traced, while (b) proactive and reactive/on-demand ad hoc routes across multiple mobile nodes can be visualized by the adversary. We conclude that ad hoc networks deployed in hostile environments need new countermeasures to resist such passive attacks.

case the passive enemy will avoid such aggressive schemes, in the attempt to be as “invisible” as possible, until it traces, locates, and then physically destroys our assets. In particular for routing schemes, it is necessary to address following problems to prevent the passive adversaries from tracing where a mobile node is, inferring the motion pattern of the mobile node, or visualizing a multi-hop path between any two legitimate nodes. 

I. I NTRODUCTION Current military technology has already realized precise weapons to destroy distributed entities within several hundred feet at a time, while the area covered by a wireless hop in many ad hoc networking schemes is within this fatal range. Consequently, if the enemy is able to obtain definite (though imprecise) information about a VIP mobile node’s location, then the specific target is exposed to great danger. Ad hoc networking can help legitimate nodes to establish an instant communication structure. Unfortunately, it may also allow passive adversaries to trace network routes and nodes at the end of those routes. Consider for example a battlefield scenario with ad hoc, multi-hop wireless communications support. Suppose a covert mission is launched, which includes swarms of reconnaissance, surveillance, and attack task forces. The ad hoc network must provide routes between various task forces, and meanwhile hide their identities as well as motion patterns. It is clear that providing location privacy and motion privacy supports for the task forces is critical, else the entire mission may be compromised. This poses challenging constraints on secure ad hoc routing and data forwarding. The purpose of this paper is to study the characteristics of passive attacks against ad hoc routing schemes. The goal of such attacks is very different from other related routing security problems such as resistance to route disruption or prevention of “denial-of-service” attacks. In fact, in our  This work is funded by MINUTEMAN project and related STTR project of Office of Naval Research.

1 of 6



Defense against traffic analysis Traffic analysis is a network based attack against distributed systems. An external adversary needs not compromise a legitimate node or break relevant cryptographic designs, yet it can trace a packet flow using timing and other eavesdropped routing information. For example, in timing analysis, two packets transmitted in and out of an explicit forwarding node at time t and t +  are likely from the same packet flow. Defense against passive internal adversary The electronic warfare in the two gulf wars demonstrates that the enemy’s radars and other communication systems are facing immediate elimination once they are detected and targeted. Our likely enemies probably are not able to deploy a battle-ready mobile ad hoc network comparable to our armed forces. However, they may deploy passive attacking nodes like sensors. In addition, during a combat the enemies may be able to capture several legitimate ground nodes. To baffle our intrusion detection systems and followed countermeasures, it is appealing for them to use the captured nodes to launch passive attacks without introducing obvious anomalies into the network.

The contribution of this work is to model such passive (external and internal) adversaries, to instantiate the passive attacks in the context of ad hoc routing, and to study the design principles of corresponding countermeasures. We separate mobile privacy problem from legacy content privacy problem. The term “mobile privacy” refers to the problem of ensuring location privacy and untraceable routing in mobile networks. We show that existing proactive and reactive/on-demand routing schemes are vulnerable to such passive attacks. We also argue that a qualified countermeasure must follow several design rules presented in this work. The rest of the paper is organized as follows. Section II

presents a feasible adversary model. In Section III we show that common proactive and reactive/on-demand ad hoc routing protocols are vulnerable to passive attacks. Section IV studies the basic design principles of corresponding countermeasures. Finally Section V concludes this paper. II. PASSIVE

messages. This means encrypting routing information cannot stop a passive internal adversary who is granted the privilege to decrypt routing messages. III. PASSIVE

ATTACKS AGAINST AD HOC ROUTING

A. A referential scenario

ADVERSARY MODEL

Passive eavesdroppers may be omnipresent in a hostile environment where an ad hoc network is deployed. For example, nowadays technology has implemented wireless interface on low-cost sensor nodes (e.g., Motorola ColdFire, Berkeley Mote) which can in turn be planted in battlefields to monitor ongoing activities. It would be an impractical conjecture if we assume data packets transmitted in wireless broadcast channel are not to be intercepted by eavesdroppers. On the other hand, an adversary with unbounded cryptanalytic and intruding capability is capable of overwhelming any practical security protocol. Thus we study a powerful yet practical adversary with unbounded eavesdropping capability and bounded cryptanalysis and node intrusion capability:  Passive link intrusion capability: An adversarial node at this level is an external adversary that poses threat to wireless link only. (1) The adversary knows and actualizes all network protocols and functions. It can eavesdrop and record wireless packets. (2) The adversary can access its computational resources via a fast network with negligible delay. This implies that collaborative adversaries can also contact each other in short latency. (3) However, their computational resources may be abundant, but not unbounded. They cannot break well-defined cryptosystems with nonnegligible probability. Legitimate network members can employ public key cryptosystems (e.g., RSA, El Gamal) and symmetric key cryptosystems (e.g., 3DES, AES) to protect critical messages. They can also employ efficient message authentication protocols (e.g., TESLA [14]) to get rid of unauthenticated and out-of-date packets injected by the adversary1.  Passive node intrusion capability: An adversarial node at this level is an internal adversary that also poses threat to network members. (1) After the adversary compromises a victim node, it can see the victim’s currently stored records including the private route caches. (2) Intrusion detection is not perfect. A passive internal adversary exhibiting no malicious behavior will stay in the system and intercept all routing 1 The adversary may actively inject packets in a brute-force form known as jamming or denial-of-service attack. However, this active attack is beyond the scope of this paper. Spread spectrum technology is currently a physical layer solution to address such link intrusions

2 of 6

L

A

listening range

Fig. 1.

Passive traffic analysis: a referential scenario

Fig. 1 shows the referential case for collaborative adversaries to trace the motion pattern of a mobile node. A collection of adversarial nodes can be (pre-)deployed to cover a region or even the entire ad hoc network. As depicted in Figure 1, the adversaries can divide the network into cells based on radio receiving range. One or more adversarial nodes can effectively monitor each cell. Any open wireless transmission within one-hop transmission range is thus collected and fed back to adversary’s computing center for further analysis. The examples below demonstrate various passive attacks that can be launched by the adversaries. Example 1: (Motion pattern inference attack) As implied by the name, the goal of this passive attack is to infer (possibly imprecise) motion pattern of mobile nodes. For example, collaborative adversaries can monitor wireless transmissions in and out a specific mobile node (say A), they can combine the intercepted data and trace the motion pattern of node A. In some cases, a mission may require multiple nodes to move towards the same direction or a specific place. Motion pattern inference attack can effectively visualize the outline of the mission. Example 2: (Location privacy attack) Given a specific cell L, the adversary may gather and quantify (approximate) information about active mobile nodes, for example, (a) the set of active nodes in L; (b) related quantification such as the size of the set; (c) traffic analysis against L, e.g., how many and what kind of connections in-and-out the cell. Example 3: (Route tracing attack) Route tracing attacks seek to monitor ad hoc route information against a specific node V . This includes (a) visualizing every ad hoc route in-and-out node V , (b) traffic analysis against node V , e.g., how many and what kind of connections in and out node

V.

The latter one belongs to traditional identity anonymity problem. For example, given the node V , the adversaries want to know (b.1) with whom node V has communicated, and (b.2) the sessions/transactions node V has initiated as sender and responded as recipient. B. Discussion: proactive vs. reactive on-demand routing In proactive ad hoc routing protocols (e.g., DSDV [12], OLSR [1], and TBRPF[11]), nodes constantly exchange routing messages that can be intercepted by passive adversarial nodes. The (internal) adversaries can discover the entire network topology, and can visualize the topology by finding the location of each transmission node at the granularity of cell. Compared to proactive schemes, on-demand schemes are less vulnerable since they just set up routes as needed. Nevertheless, common on-demand ad hoc routing protocol is also traceable. A DSR [9] route is traceable since the protocol explicitly embeds routing information in packet headers. From a single intercepted packet, adversaries can know the identity of all forwarding nodes and can visualize the on-demand route at the granularity of cell. AODV [13] is more untraceable because routing information is stored in routing tables instead of packet headers. Nevertheless, it is traceable by collaborative eavesdroppers:  By inspecting packet header, for example, simply following the forwarding chain in the unprotected link layer header, collaborative eavesdroppers can visualize an AODV route at the granularity of cell. In other words, if a region is covered by multiple collaborative eavesdroppers, then they can visualize all AODV paths intersected with the region. In our adversary model an omnipresent eavesdropper is assumed, thus all AODV routes can be visualized.  Even if routing information is ideally encrypted, the adversary can launch a specific traffic analysis technique called timing analysis. In timing analysis, the adversary can monitor network-wide transmission events with their timing information recorded. The adversary can use temporal dependency between transmissions to trace a victim message’s forwarding path. A technique called mixing [4] can thwart this attack. Such mixing techniques include sending messages in reordered batches, sending dummy packets, and introducing random delays. However, applying such techniques in ad hoc networks may incur significant communication overheads to regular packet forwarding. C. Discussion: external vs. internal adversaries Existing end-to-end security protocols are not valid answers to the passive attacks. In end-to-end security, two 3 of 6

communicating nodes can ensure content privacy by encrypting their application data payload. The cryptographic design cannot stop traffic analysis described previously. In addition, as lower-layer routing information, such as MAC header and IP header, is not encrypted and protected, passive adversaries can simply ignore the cryptographic design and efficiently trace mobile nodes. Encrypting lower-layer routing information seems to be a good solution to defend external adversaries. Basagni et al. [2] propose a scheme to encrypt routing messages using a network-wide symmetric key shared by all legitimate members. However, the simple scheme has several drawbacks:  Simple encryption cannot completely stop traffic analysis, where external adversaries need not to break the encryption scheme as long as packet flows are forwarded without other protection. For example, if the encrypted payload is unchanged along a forwarding path, then external adversaries can simply do bit-string match on encrypted data to trace a flow. In addition, timing analysis is also a useful traffic analysis method to bypass cryptographic protections.  Problems caused by passive internal adversary are not solved. Sharing a network-wide key is vulnerable to a single intrusion of any legitimate node. Data encryption is a good solution to protect secret plaintexts, but it does not necessarily offer protection when the secret key is revealed to internal adversaries.  In a wireless network using broadcast channel, encrypted routing headers may render the cost of data packet forwarding to be potentially very high, as each node has to decrypt and check any data packet before it can forward the packet. If such a scheme is used, one encryption/transmission always causes multiple receptions/decryptions at all local neighbors (though only one of them is the intended forwarder). To address the problem of node intrusion, [2] argues to protect keys using tamper resistance facilities which introduce extra physical cost and offer indeterministic physical warranty. The disadvantage of this solution is the difficulty in evaluating and quantifying its effectiveness. Besides, problems caused by passive internal adversary are not addressed in schemes relying only on tamper-resistance. D. Potential solution: ideal per-hop protection One appealing solution is to change [2]’s network-wide key to hop-based link encryption keys. This means each mobile node is allowed to have acquaintance only with its one-hop neighbors, to establish a shared secret key with every neighbor, and to encrypt all exchanged messages with different keys. Then a node intrusion would ideally only

compromise the transmissions related to the compromised keys cached by the victim. 1) However, it is still an open problem how to efficiently2 establish a web of hop-based link encryption keys in a mobile ad hoc network. Some recently proposed secure ad hoc routing protocols, such as SEAD [7], Ariadne [8], and ARAN [6], are realizable on such a web of keys. But they have not evaluated the key management efficiency of such a web. In addition, these secure routing protocols focus on authentication rather than untraceability. They can be used to stop message injection attacks, but not the passive attacks studied in this work. 2) As usual, the encryption based design does not stop timing analysts and internal adversaries. 3) We will present H-clique attack, a special motion pattern inference attack, to demonstrate that hopbased link encryption web is not a sufficient condition to stop passive internal adversaries—mobile privacy can be compromised by passive internal adversaries even though ideal link encryption web is realized. Hence the problem must be solved by devising new countermeasures where one-hop neighbor information is also protected as privacy.

The attack is passive, and it only requires a set of one-hop neighbors. We name such a one-hop set as H-clique (i.e., Hop-clique) where the central node is a passive internal adversary, and it needs to know the relative position of its one-hop neighbors3. The one-hop neighbors may or may not be adversarial, but fail to detect the intrusion and continue to forward routing messages to the adversary. To make the thing even worse, the passive attack is cumulative. That is, composition of H-clique attacks makes the attack more effective. As shown in Figure 3, a mobile node cutting through two H-cliques is detectable by the adversary if relevant routing messages are intercepted. Figure 4 shows that H-cliques who know their relative positions can combine multiple motion-cuts together to obtain more precise information about mobile nodes’ motion patterns. Therefore, a few passive internal adversaries can effectively launch motion pattern inference attacks against the entire network. Both proactive routing schemes (e.g., distance vector and link state) and on-demand schemes (e.g., DSR and AODV) are vulnerable to such passive attacks. Combined with out-of-band information like geographic positions and battlefield boundaries, such attacks may gradually compromise mobile privacy of active network nodes. F. Illustration through simulations

ad hoc route at time t1

ad hoc route at time t1

Node Y’s at time t1 V1

V1

Node X

Node X forwarding update

node movement

V2

forwarding update

movement Node Y

V2 ad hoc route at time t2 Node Y’s at time t2

ad hoc route at time t2

Fig. 2. Motion pattern inference attacks (left: target movement; right: forwarding node movement. Passive internal adversary is depicted as a solid black node in an H-clique)

E. Cumulative H-clique attack The referential scenario presented earlier requires dense adversarial nodes deployed in the network. It can compromise network nodes’ mobile privacy at the granularity of cell. The H-clique attack only requires sparse adversarial nodes. Even though the information gathered by the adversaries is imprecise, they may be able to infer general motion patterns of mobile nodes from ongoing routing events. Figure 2 depicts possible motion patterns when an internal adversary X finds its next hop towards a node Y is updated. The routing event implies that likely either the target node Y (left figure) or some intermediate forwarding nodes (right figure) have moved along the direction V1 !V2 (clockwisely).

We illustrate the feasibility of the motion pattern inference attacks through simulations on AODV routing protocol [13]. Our simulation runs on the GloMoSim simulation platform [15]. GloMoSim is a packet level simulator for wireless and wired networks. The distributed coordination function (DCF) of IEEE 802.11 is used as the MAC layer in our experiments. It uses Request-To-Send (RTS) and ClearTo-Send (CTS) control packets to provide virtual carrier sensing for unicast data packets to overcome the wellknown hidden terminal problem. Each data transmission is followed by an ACK. Broadcast data packets are sent using CSMA/CA only. The radio uses free-space fading model and has characteristics similar to a commercial radio interface (e.g., Lucent’s WaveLAN). The channel capacity is 2 Mbits/sec. We simulate a scenario where a target node moves straightly across a network with many fixed nodes. While moving, the target node periodically communicates to other nodes. In the meantime, internal adversaries are presented in the network. In our simulation, we study two simple cases to illustrate the attack. In the first case, the target talks to one destination and there is only one adversary. In the second case, more adversaries exist in the networks, and

2

Public key cryptography is an obvious answer. However, public key processing incurs non-trivial computational overheads on mobile devices [3].

4 of 6

3 For each transmission, signal strength and direction are mostly detectable at physical layer.

H−clique 1

H−clique 2

Motion cut

forwarding node update forwarding node update

Node A

H−clique 3

Node B

A’s movement and forwarding changes incurred B’s movement and forwarding changes incurred

Fig. 3. H-clique attack: a motion cutting Fig. 4. Coalesceable H-clique attack: Fig. 5. Illustration on actual simulation animation: through two H-cliques is detectable from More H-cliques can obtain more precise Motion inference with one H-clique (Depicted nodes forwarding node updates motion patterns and ad hoc routes are from actual GloMoSim animation)

the target talks to two destinations. Through the two cases, we demonstrated that with a certain number of adversaries (which are capable of communicating with each other), in a bounded time, motion pattern inference is possible. In the simulation, we use AODV routing protocol to establish paths between the target and the destinations. AODV does not protect its routing information, thus any external adversary can also launch H-clique attack. As an on-demand protocol, AODV searches the destination when communication is needed. The search procedure starts by flooding a Route Request (RREQ) message for the destination. Upon receiving a request message, the destination will reply a Route Reply (RREP) message that traces the reverse path of the request back to the source, establishing a path between the source and the destination. When the path breaks, e.g., a link broken due to mobility, the source will re-issue the search procedure to build a new path between the source and the destination. Figures 5 and 6 are snapshots of our simulations. In the two figures, the target moves from the left of the simulation field to the right. A path between the target and the destination is depicted by linked solid lines. For each communication instance, the path in use is drawn in the figure. While the target is moving, different paths are chosen and the figure shows that the intermediate forwarding nodes have changed for several times in the simulation due to the target mobility. The adversary node and its radio range is also drawn in the figures. In Figure 5, node P1 and P2 are in the radio range of the adversary. During a certain time period, the adversary node hears the path change from P1 to P2 (it can do so either through AODV path setup messages or data packets). Thus the adversary infers that there is a clockwise motion to its north-west. In Figure 6, the same target motion is detected by two adversaries. While the “adversary 1” suggests a clockwise motion to its north-west, the “adversary 2”, hearing the path migration from node Q1 to node Q2, figures out that the target is moving counterclockwise to 5 of 6

Fig. 6. Illustration on actual simulation animation in GloMoSim: Motion-cut attack by 2 H-cliques (Depicted nodes and ad hoc routes are from actual GloMoSim animation)

its south-west. Combining these two pieces of information, the adversaries successfully discover that there is a motion cutting through between them. If more adversaries are presented in the network, more complete and precise motion pattern will be inferred. IV. D ESIGN

PRINCIPLES OF A ROUTING PROTOCOL

RESISTANT TO PASSIVE ADVERSARY

We have designed and simulated a secure routing protocol ANODR [10], which is resistant to the passive routing attacks studied in this paper. From our experience we observe the following design principles are appealing: Ensuring three aspects of mobile privacy support: content privacy, location privacy, and anonymous untraceable routing Privacy in mobile networks have different semantics from the traditional ones for business banking

systems and the Internet. Cooper and Birman [5] identify three kinds of privacy for mobile computing: content, participant location, and participant identity. Content privacy can be easily ensured via traditional mechanisms using symmetric key and public key cryptosystems. To ensure privacy for mobile nodes’ locations and identities, we must build new security mechanisms other than the ones used for content privacy. Intrusion-tolerant ad hoc routing In hostile environments, intrusion is likely inevitable in a long time window. A proposal vulnerable to single point of compromise (e.g., centralized services) is not a proper solution. And a qualified solution should maximize its tolerance to multiple compromises, especially against passive internal adversaries who would exhibit no malicious behavior and stay in the system. One-hop neighbor information must be hidden from these passive internal adversaries. Robust against eavesdropper’s traffic analysis Even if cryptographic schemes can ensure data privacy, networkbased attack such as timing analysis can reveal the routing path according to temporal dependency in consecutive data forwarding. A qualified solution should ensure that timing analysis will be effectively stopped. Fully dynamic routing information Passive adversary can always use static routing information to trace legitimate nodes. To implement an anonymous and untraceable routing scheme, it is appealing to realize fully dynamic routing information. In the ideal case, any routing information is used once and only once, hence the adversary can obtain minimal information from such uniform distributions. Avoiding expensive cryptographic operations Efficiency is a major concern in security design. Cryptographic operations incur processing overheads. Compared to symmetric key operations, public key processing on resource-limited nodes are relatively much more expensive. According to our measurements on low-end mobile devices, symmetric key encryption scheme AES/Rijndael can achieve 2:9107 bps encryption bit-rate on an iPAQ 3670 pocket PC. Other comparable encryption schemes have similar performance on the same platform. However, common public key cryptosystems require 30–100 milliseconds of computation per encryption or per signature verification, 80–900 milliseconds of computation per decryption or per signature generation. These measurements are consistent with previous results generated by other research groups on similar platforms [3]. Therefore, public key cryptosystems should be avoided if symmetric key cryptosystems can provide the needed support. Similarly, symmetric key cryptosystems should be avoided if not indispensable. 6 of 6

V. C ONCLUSIONS

AND FUTURE WORK

In this paper we propose a practical passive attack model against ad hoc routing protocols. We demonstrate that existing ad hoc routing protocols are vulnerable to the passive attacks. The work shows the necessity to devise untraceable ad hoc routing schemes to protect wireless nodes’ mobile privacy in hostile environments. In addition to traditional content privacy concerns, mobile nodes need more support to ensure their location privacy, anonymity/identity privacy, and motion pattern privacy. R EFERENCES [1] C. Adjih, T. Clausen, P. Jacquet, A. Laouiti, P. Minet, P. Muhlethaler, A. Qayyum, and L. Viennot. Optimized Link State Routing Protocol. http://www.ietf.org/ internet-drafts/draft-ietf-manet-olsr-08.txt, March 2003. [2] S. Basagni, K. Herrin, E. Rosti, and D. Bruschi. Secure Pebblenets. In MobiHoc, pages 156–163, 2001. [3] M. Brown, D. Cheung, D. Hankerson, J. L. Hernandez, M. Kurkup, and A. Menezes. PGP in Constrained Wireless Devices. In USENIX Security Symposium (Security ’00), 2000. [4] D. L. Chaum. Untraceable electronic mail, return addresses, and digital pseudonyms. Communications of the ACM, 24(2):84–88, 1981. [5] D. A. Cooper and K. P. Birman. Preserving Privacy in a Network of Mobile Computers. In IEEE Symposium on Research in Security and Privacy, pages 26–38, 1995. [6] B. Dahill, B. N. Levine, E. Royer, and C. Shields. A Secure Routing Protocol for Ad Hoc Networks. In 10th International Conference on Network Protocols (ICNP’02), 2002. [7] Y.-C. Hu, D. B. Johnson, and A. Perrig. SEAD: Secure Efficient Distance Vector Routing in Mobile Wireless Ad Hoc Networks. In Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA’02), 2002. [8] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A Secure Ondemand Routing Protocol for Ad Hoc Networks. In MOBICOM, 2002. [9] D. B. Johnson and D. A. Maltz. Dynamic Source Routing in Ad Hoc Wireless Networks. In T. Imielinski and H. Korth, editors, Mobile Computing, volume 353, pages 153–181. Kluwer Academic Publishers, 1996. [10] J. Kong and X. Hong. ANODR: ANonymous On Demand Routing with Untraceable Routes for Mobile Ad-hoc Networks. In MOBIHOC’03, pages 291–302, 2003. [11] R. Ogier, M. Lewis, and F. Templin. Topology Dissemination Based on Reverse-Path Forwarding (TBRPF). http://www.ietf.org/internet-drafts/ draft-ietf-manet-tbrpf-07.txt, March 2003. [12] C. E. Perkins and P. Bhagwat. Highly Dynamic DestinationSequenced Distance-Vector Routing (DSDV) for Mobile Computers. In SIGCOMM, pages 234–244, 1994. [13] C. E. Perkins and E. M. Royer. Ad-Hoc On-Demand Distance Vector Routing. In IEEE WMCSA’99, pages 90–100, 1999. [14] A. Perrig, R. Canetti, D. Tygar, and D. Song. The TESLA Broadcast Authentication Protocol. RSA CryptoBytes, 5(2):2–13, 2002. [15] UCLA Parallel Computing Laboratory and Wireless Adaptive Mobility Laboratory. GloMoSim: A Scalable Simulation Environment for Wireless and Wired Network Systems. http://pcl.cs. ucla.edu/projects/glomosim/.