Denial of Service Attacks in Wireless Sensor

INSTITUTE OF TECHNOLOGY, NIRMA UNIVERSITY, AHMEDABAD – 382 481, 09-11 DECEMBER, 2010

1

Denial of Service Attacks in Wireless Sensor Networks 1

Dhara Buch, 2D. C. Jinwala

Abstract-- Wireless Sensor Network (WSN) has wide area of application for real time event detection. The sensing capability of a WSN requires sensor nodes as a part of it. The sensor nodes are with limited resources and power. This makes a WSN vulnerable to many kinds of attacks. Denial of Service (DoS) attack is one of them. Each layer has different type of DoS attack. Tackling this attack requires knowledge of types of DoS as well as various defense mechanisms applied to overcome them. In this report, an introduction to DoS attack along with various countermeasures has been discussed. Although some of the provided defense mechanisms also have some limitations and can be defeated by attacker’s counter attack, further research work can be done to extend their efficiency to make it concrete. Index Terms—Denial of Service Attacks, Jamming, SYN flooding, Wormhole attack I.

I

INTRODUCTION

n this era, the computing devices have been very cheap, mobile and distributive. It is now possible to device small sized embedded package that can have the equivalent capability of that of 80-90 PCs. For some of the areas like military surveillance, fire and flood detection, patient monitoring, habitat exploration of animals etc. where constant monitoring and detection of some specific events is necessary, we require to establish such a network that can handle and report real time issues. These applications do allow normal messages lost but cannot tolerate the loss of numerous packets of critical event messages [1]. This leads to the concept of Wireless Sensor Network (WSN). A wireless sensor network includes sensor nodes for sensing the real time events. They can sense temperature, sound, vibration and pressure. The sensor node is made up of sensing, actuation and power components where they are integrated on a single or multiple boards forming an embedded system. The sensors are low cost small devices with limited energy and transmission capability. The weaknesses of the sensor nodes result into various attacks on WSN. One of such attack is Denial or Service (DoS) attack. Starting from the physical layer to the application layer, different types of DoS attacks may be present. In this paper, an introduction to Denial of Service Attack along with its various types and countermeasures has been presented. In section 2, the background detail of the WSN and DoS characteristics are given. In section 3, different types of attacks on physical, link, network, transport and application layer are explained. Possible countermeasures for them are also presented in the same section. Finally, the problem is

concluded in section 4. Section 5 lists out the research papers published from which the references have been taken. II. BACKGROUND Wireless Sensor Network is made up of small, lightweight wireless nodes with limited storage and limited communication bandwidth. It contains small, battery-powered wireless devices having sensing capabilities and limited processing power. It offers on board processing. It is a network of autonomous devices set to cooperatively monitor physical and environmental conditions. A large WSN consists of thousands of nodes that require shared keys for secure wireless communication. Key distribution must also be employed securely. In addition to sensors, each node is equipped with a radio transceiver, a small microcontroller and an energy source In sensor networks, the centralized control is with Base Stations (also known as sinks). Data flow from all the nodes ends at BS. Through the base station a sensor network can be linked to other network for spreading the sensed data. In this way, they can be considered as a gateway to other network also. BSs are more powerful than sensor nodes. Each node sends a stream of data to Base Station. To reduce the overhead of this transmission and to save the energy, the concept of aggregation points may be helpful. Aggregation point gathers the readings of surrounding nodes and forwards the single message containing the aggregation of them to the Base Station. In this way, it reduces the traffic of the network. An ad-hoc network typically supports communication between any pair of nodes, while the sensor network has more specialized patterns like one-to-many, many-to-one and local communication. 1) Threat Models The first kind of differentiation among various kinds of attack is based on the efficiency of the transmitter and battery power with which the attack takes place. Mote class attacks are having limited power supply, while laptop class devices attack with greater power, capable CPU and sensitive antenna as they are supposed to attack on the powerful devices.

INTERNATIONAL CONFERENCE ON CURRENT TRENDS IN TECHNOLOGY, ‘NUiCONE – 2010’

2

Base Station

legitimate users. The main difference is that, in DDoS, more than one host attacks a system. [4]

Aggregate Nodes

3) Denial of Service Attacks

Nodes

There are so many types of DoS attacks. Each layer is vulnerable to different kind of DoS attack and has different options for its defense. Classification is as follows: TABLE I CLASSIFICATION OF DENIAL-OF-SERVICE ATTACKS

Fig. 1 Topology of a WSN Another way to differentiate the adversary is insider and outsider attacks. Insider attack takes place when some authorized participant of the network is turned into a malicious node. Outsider refers to the third party who is not the part of the network. Insider attacks are more difficult to manage. [15] A Denial of Service attack is an attempt to make a computer system (server or client) or some other resource unavailable to legitimate users. Normally, this attack is considered to be a problem of computer network, but for a single CPU also it can be present among various resources. The motive or target of a DoS may vary from person to person but in general, it aims to prevent some services from functioning efficiently either temporarily or indefinitely. Commonly, a DoS attack saturates the victim by excessive communication requests and due to this the targeted system cannot respond the legitimate users at all or responds very slowly, vanishing its effectiveness. It may reset the victim or occupies almost all of its resources obstructing its communication path. There are some of the symptoms by which the presence of DoS can be identified: • Network performance goes slow • Some of the targeted web sites become unavailable • Increase in spam emails • Loss or delay of packets and their acknowledgement Basically the DoS attack can be classified into the following types according to the type of destruction it does: • Consumption of resources like memory space, processor time, bandwidth etc • Deletion or alteration of routing information • Disruption of state information such as resetting of TCP session • Destruction of physical components • Obstructing the communication media between legitimate devices 2) Distributed Denial of Service Attacks Both DoS and DDoS have the same purpose to render a resource unavailable or degrade their performance for

Sr. No. 1

Layer

Type of DoS

Physical

2

Link

3

Network

4

Transport

5

Application

Jamming Node Tempering Interrogation Denial of Sleep Collision Exhaustion Unfairness IP Spoofing Replaying Homing Altering Routing Tables Black holes Neglect and Greed Sinkhole Sybil Wormhole HELLO Flood Acknowledgement Spoofing SYN flood Desynchronization Overwhelming Sensors Path Based Routing Deluge(Reprogramming)

3.1 Physical Layer Attacks 3.1.1 Jamming Limited resources, is the major weakness of DoS. This may lead to jamming attack where the attacker sends excessive number of packets to the various paths of the network. This jams the routes with garbage packets and prevents the legitimate systems from sending / receiving packets. It may delay the communication or drops the legitimate packets at all. Jamming interferes with the radio frequencies of sensor nodes. Constant energy, not lack of response etc. differentiates jamming attack from the failure of neighbors. [2]


In WSN architecture, the Base Station is the focusing point. Sensor readings are collected by the Base Station. It controls all the tasks, so that is the single point of failure. [3] Jamming can be at the physical layer or may be at the link layer also. [1] Jamming can be classified into four types: Constant, Deceptive, Random or Reactive. Constant jamming continuously emits random bits or generates a sequence of radio signal. This keeps the victim busy and prevents it from sending legitimate packets. Unlike Constant Jamming, Deceptive jamming sends packets of regular format without any gap. Due to the regular format, these packets are taken wrongly as legitimate packets by the communicator. This illusion makes the victim continuously involved in receiving business stopping all other legitimate work. Random jammer, as the name specifies, switches between active and sleep states alternately for random amount of time. After sending packets it goes to sleep mode for some time for the purpose of energy saving. While in active mode, it may send packets like constant or deceptive jammer. Constant, Deceptive and Random jammers are active jammers. They keep on doing the activity for blocking the channels irrespective of its position i.e. channel is idle or busy. Reactive jammer on the other hand, senses the channel and starts sending packets for blocking purpose only when it finds some traffic. If it finds that the channel is idle, it does not do anything. As such, increasing the traffic by an amount may not lead to the jamming problem if the paths are already idle, so by being active during this time, the main objective of the attacker may not get achieved. Reactive jammers follow this concept. They are very difficult to be identified. [5] Thus the objective of the jammer is to deny the reception of communications at the receiver using as little power as possible. [5] An intelligent jammer adjusts the level and frequency of its jammer as well as selects specific type of packets to send so that it can avoid being detected by the victim network. [6]

3

The following diagram represents the active mode scenario:

Jammed Sensor Node Mobile Jammer Sensor Node Jammed Area

Fig. 2 Active mode to re-route the traffic [3] Some of the jammers keep on moving in place of having fixed location. Such jammers with mobility are known as mobile jammer. Compare to a traditional jammer, a mobile jammer affects more part of the WSN network. These jammers know when to jam an area based on a value known as jamming threshold. Defense against mobile jammer is more difficult than against traditional jammer. They keep on sensing the path situation. If it finds that the traffic is decreased, it stops jamming unnecessarily wasting energy. It overhears the traffic position and then restarts transmission when the traffic starts increasing. [1] Nodes at the edge of jammed area can sense the presence of jamming. Then they report the neighboring nodes and collaborate together to establish new path so that legitimate packets can be rerouted through another path. Another way of defense uses alternate modes of communication that is infrared and optical provided they have not been jammed. In some of the cases, by RCCI, signal strength is calculated and the CPU performance is measured accordingly. Some of the nodes collaboratively find and accordingly the presence is identified. [2] 3.2 Attacks on Link Layer

3.1.2 Node Tempering An attacker may damage a sensor or some computational material like cryptographic keys that destroys a system. [2] 3.1.3 Countermeasures The presence of jamming can be detected by the RSSIReceived Signal Strength, average time required to sense the channel and PDR-Packet Delivery ratio. [7] Jamming defense techniques can be classified into two categories: active and passive modes. In active mode, the detection module attached with sensor nodes detects the presence of jamming. Once found, the affected sensor nodes switch themselves into sleep mode, while those nodes that are outside the jammed area, makes the traffic re-routed from the unaffected area. In passive mode, the nodes decrease the number of packets to be sent and in that way it lowers the effect of jamming. [1]

3.2.1 Interrogation An interrogation attack initiates a two-way request-to-send / clear-to-send (RTS/CTS) handshake. It keeps on sending RTS to victim. In response, the victim sends CTS that is not followed by any further action. Only intention of the attacker is to keep the victim engaged in responding continuously putting all other legitimate work aside. [7] 3.2.2 Denial of Sleep Sensor nodes are battery powered devices. For efficient and long time performance, it is very important to save the limited power. To meet this, radios attached with the sensor nodes switch themselves to sleep mode for some time interval. Denial of Sleep attack prevents radios from going to sleep mode. This decreases the battery life resulting into ending the

4


life of sensor nodes. Due to this, the attack is also known as sleep deprival torture attack. Both jamming and denial of sleep can disable the sensor network permanently, but jamming takes considerably more amount of time to meet its goal, while a small decrease in sleep time decreases the network life with a high percentage. [7]

senders are provided wake up token and list of such tokens remains with ultra-low-power radio. [9]

Fig. 4 Schematic diagram of sensor node with wake-up Radio [9] Fig. 3 States of the sensor node [9] 3.2.3 Collision When attacker finds some legitimate packets, it starts sending signal at the same time and with the same frequency of that of legitimate message. This makes the useful messages to get collided with the attacker’s message and pretends as if they are official packets misguiding the victim. This kind of attack is known as collision. [7] 3.2.4 Exhaustion A malicious input or request to a server traps it in a deep or infinite recursion that overflows CPU buffer or stack space, exhausts CPU time and makes it unavailable to legitimate users. This kind of input is known as ‘input to death’. The main reason behind exhaustion does not lie on the way of programming but mainly on the design flow. [8] 3.2.5 Unfairness Unfairness is comparatively weaker form of DoS. Like other types of attacks, it does not crash the system or block the paths entirely but delays the transmission such that the deadlines get missed. [2] 3.2.6 Countermeasures Authentication and Anti-replay protection can mitigate the problems of Interrogation. Denial of Sleep attack cannot be overcome simply by verifying the frame and activating the sensor node only if it is legitimate, because the verification process can be employed only after the sensor node switches to the active state. An ultra-low-power wake up radio can prevent sensor nodes from being continuously in the active mode. Each sensor node is attached with a wake up radio that remains activated always and activates the corresponding sensor node from sleeping mode when some legitimate packet comes that means to it. The sender has to send wake up signal to radio for this purpose. However, the attacker can send wrong wake up signals to wake up radio for preventing the sensor nodes from sleeping. This problem can also be solved by a special wake up token - a secret wake up signal. Only legitimate

To protect from collision, either frequency hopping or code division multiplexing access is employed. Another approach is to use forward error-correcting codes (FEC) to recover the lost information. However the attacker can increase the time duration of collision or jamming to corrupt more bits so that recovery from FEC also becomes difficult. [7] One defense against unfairness is to use short frames that decrease the congestion possibility. Like a typical network, if long frames are transmitted then framing overhead increases that may cause the unfairness problem. [2] 3.3 Attacks on Network Layer 3.3.1 IP Spoofing The attacker sends ping request to one or more than one systems. The source address it contains is some bogus address or the address of an intended victim system. Due to this, all the responses of ping requests get diverted to the victim lowering its performance. [10] 3.3.2 Replaying In replay attack, the adversary copies the message sent by the source and sends it to the destination for more than once. If the targeted system cannot differentiate between the original message and its duplicate copies, then it results into malfunctioning. The adversary may replay messages as if they are authenticated, may alter routing information resulting into routing loop or may keep on replaying regular messages just for saturating sensor node resources. [11] 3.3.3 Homing In this kind of attack, the adversary does traffic analysis and identifies the target nodes with special responsibilities such as cryptographic key managers. It destroys or blocks such important nodes. [7] 3.3.4 Altering Routing Control Traffic Routing tables are maintained by some of the nodes of the network. In some cases, attacker changes the information stored in these tables and that results into misleading the legitimate packets to wrong paths.


3.3.5 Black Hole Some of the malicious nodes make themselves a part of some paths and start dropping the legitimate packets. In this way, such nodes play the role of black hole. [7] 3.3.6 Neglect and Greed

5

they are just neighbors by providing such misleading high quality route. As shown in the following diagram, 2 and 7 are two malicious nodes. They set an out-of-band path and mislead the packets. Through 3-4-5-6 path, they do packet encapsulation also.

The adversary can arbitrarily neglect routing of some of the messages. In some of cases it gives priority to its own messages where it is greedy also. [2] 3.3.8

Sinkhole

Most commonly, tree topology is employed by the WSNs, where base stations are at root. All the nodes route their packets to the base station. This attack makes a compromised node look attractive for all the surrounding nodes with the perspective of routing algorithm, so that all the nodes forward their traffic such that it passes through the compromised node, and gets trapped. This way, it creates a metaphoric sinkhole. Now, the adversary selectively forwards, blocks or alters the packets. Fig. 6 Wormhole Attack 3.3.11 HELLO Flood

Base Station Attacker

In a normal situation, each node sends a Hello packet to its neighbor and informs it about its present. In Hello flood, the adversary broadcasts such a packet to remote nodes also. If the adversary belongs to the laptop class, then even if at far distance, it broadcasts Hello packet with high transmission power and misguides nodes by giving wrong image to them that the adversary is their neighbor. 3.3.12 Acknowledge Spoofing

Fig. 5 Sinkhole Attack 3.3.9

Sybil

A single node gives its multiple identities in the Sybil attack. It hides its actual location also this way. This creates threat where geographical routing protocol is employed. Due to multiple identities, one node seems to be present at more than one place. 3.3.10 Wormhole Two adversary nodes together create a tunnel which is not the part of the network. From one end it tunnels the packets through that create low latency link and on the other hand, those packets are replayed. Here, one of the end is near to the base station, so to those nodes who are located many hops away from the base station, gives the option of a high quality route and makes them feel as if they are just one or two hopes away. Sometimes it convinces two far nodes to believe that

When a node forwards a packet to a weak or disabled link, the packet gets lost. The adversary still sends a wrong acknowledgement to the sender when a packet is not received by the destination. In this way, it shows weak link as a strong link and disabled link as active. [15] 3.3.13 Countermeasures In IP Spoofing, illegal source address is the main objection due to which diversion of the ping result does not become possible to its actual source. One of the defenses is to use either ingress or egress filtering approach. In ingress filtering, the ISP prohibits the packets whose source address does not belong to the connected network space. Egress filtering does such operation at firewall level, filters out such packets. [10] Replaying can be overcome by attaching sequence number with the packets. The sender keeps a counter and its value is attached with the packet. After sending it, the counter value is incremented by one. The receiver stores the sequence number of the incoming packet. When a new packet arrives, its number is compared with the highest sequence number it

6


stores and it receives the packet only if it is greater than the highest number. This is known as freshness proof. [11] Traffic analysis and extracting the important packet information out of it plays the major role in Homing. If the header part is encrypted then it becomes difficult for the adversary to identify the manager nodes. However, just by analyzing the volume of traffic only identification of such nodes becomes possible. [7] To overcome the problem of Black Hole, multipath routing concept can be implemented in which one packet is forwarded to many paths. If a black hole drops the packet from one path, its second copy reaches to the destination through another path. Although, it assures that no packet will be missed, it increases the overhead of the overall transmission. [7] Multipath routing can help against the problem of Neglect and Greed also. Majority of selective forwarding and sinkhole attacks are prevented by authentication. But this is limited to only outsider attacks. For sybil attack also, the same problem exists. Using public key cryptography, authentication can be implemented but it is very expensive and for sensor node it is not possible to check the digital signatures. One solution is to have shared private key for each pair of node and base station. Here, two nodes interested to communicate can establish an authentic connection via their shared key to the base station. As each communication takes place by the intervention of the base station, it restricts the no. of neighbors a node can have. Sinkhole and Wormhole attacks are very difficult to prevent as in wormhole attack, the adversary uses its private band to which the network is not aware of. Through this, hop counts are also totally misinterpreted. Because of the difficulty to defend against wormhole and sinkhole attacks, it is rather easier to design the routing protocol itself in such a way that they do not occur. One of the example is geographical routing protocol. 3.4 Attacks on Transport Layer 3.4.1 SYN Flooding The adversary sends SYN request to the victim. In response, the victim saves the state information of this established connection and responds with SYN/ACK. The attacker then takes no further action, but requests for another connection to the victim. In this way, it starts so many halfopen connections and for all of these the victim has to maintain state information. This occupies considerable amount of memory space of the victim machine and may disable it for further processing. [7]

Destination

Source

SYN Sent SYN SYN Received SYN/ACK

Established ACK Established

Fig. 7 Normal TCP Connection Victim

Attacker

SYN Sent SYN SYN Received SYN/ACK

Fig. 8 Half-Open Connection 3.4.2 Desynchronization For maintaining synchronization, the sender and receiver keep track with the sequence number. The adversary plays the role of man-in-the-middle, captures the packets in between and sends them to the destination after altering their sequence numbers. This breaks synchronization and may force retransmission. [7] 3.4.3 Countermeasures The primary remedy to get protected from SYN flood attack is to use SYN cookies. In this approach, after the getting the connection request from the adversary, the target system transfers the state information back to the adversary and it is saved in cookies stored on that machine. This eliminates the problem of buffer overflow and the target machine can continue its communication with the legitimate nodes. [7] Other remedy for the cases in which three-way handshake is used, sets the firewall to play the role of the victim system’s proxy. In three-way handshake, source sends SYN request to the server. Server responds by SYN/ACK signal to the source and the source, in response, sends ACK signal back to the server if the communication is legitimate. In case of SYN flood, the third signal never arrives. In the first approach with firewall, the firewall sends SYN/ACK to the source when it receives SYN. If it gets ACK, then only it establishes connection of the source to the destination. However, it delays the connection time of legitimate system. In the second approach, it does not respond on behalf of the destination, but as soon as observes that SYN/ACK is


given by the destination, it deallocates all the reserved resources from the destination by sending ACK. If it is malicious attack, then it sends Reset to the source. In the third approach, it just monitors the signals passed between the source and the destination. When a SYN is found, it stores its IP address and blocks any other request coming from the same IP if the previous one has been kept half-open. The attacker can save itself by using different IP each time. One of the approaches to overcome from SYN flooding is to use edge router. This router sends an ARP request to the source when SYN/ACK comes from the destination. If the response is obtained, then the connection is considered to be legal and the SYN/ACK is forwarded. If it does not, then sends Reset signal to the destination and ends the session by deallocating the resources. [11] The defense against desynchronization is to encrypt the header or full packet part or to use hash function so that the receiver, when decrypts the message, can find alteration in the actual information. [7]

7

III. CONCLUSION A Wireless Sensor Network is vulnerable to DoS attack. This threat can cause serious problems and may lead to the total disruption in the entire network. Thus, defense against the various types of Dos and DDoS attacks is mandatory. Majority of the types of threats can be overcome by authentication and anti-replay mechanisms. Other approaches are also available to avoid or to detect and get recovered from these attacks, but these solutions can also be defeated by some counter mechanisms. This is the reason why we need to find some concrete remedies and to do research work on them to get protected from DoS.

IV. REFERENCES 3.5 Attacks on Application Layer 3.5.1 Overwhelming Sensors Attacker attempts to do sensor stimulation by frequently causing some communication triggers that will drain majority of network bandwidth. [7]

3.5.2 Path Based DoS Normally a WSN follows the tree topology. Starting from the aggregate nodes to the base station, the entire path is flooded with replayed or injected spurious packets. This blocks the entire end to end points and gradually the whole network gets down. Mobile agents can detect the presence of this kind of attack. [13] 3.5.3 Deluge (Reprogramming Attack) Through Deluge (Reprogramming), controlling or programming a remote system becomes possible. Having this ability, a new code image can be propagated to all the network nodes. While doing so, if it is not designing properly, then process hijacking may be possible. [14] 3.5.4 Countermeasures Mitigation of overwhelming sensor attack can be employed by tuning the sensors in such a way that only specific events cause them to get triggered. Thus saving them from malicious frequent stimulus and loosing battery power. [7] Authentication and anti-replay are the ways by which the Path Based DoS can be overcome. Probability of remote procedure hijacking is the main threat in Reprogramming attack. In such case, if the message is divided into smaller parts where each part contains a hash value dependent upon the previous packet, then hijacking cannot be effective. [7]

[1] Hung-Min Sun, Shih-Pu Hsu, and Chien-Ming Chen, “Mobile Jamming Attack and its Countermeasure in Wireless Sensor Networks” IEEE/AINAW’07: Asia and Pacific Dalian, China pp.1-6, 2007. [2] Anthony D.Wood, John A.Stankovic,”Denial of Service in Sensor Networks” IEEE/Computer, pp. 49-56, October-2002. [3] Sushil Kumar Jain, Kumkum Garg, “A Hybrid Model of Defense Techniques against Base Station Jamming Attack in Wireless Sensor Networks,” IEEE/First International Conference on Computational Intelligence, Communication Systems and Networks, vol. 2, pp. 102104, 2009. [4] Khusvinder Gill, Shuang-Hua Yang, “A Scheme for Preventing Denial of Service Attacks on Wireless Sensor Networks”, IEEE, pp. 2603-2609, 2009. [5] Wenyuan Xu, Ke Ma, Wade Trappe, and Yanyong Zhang,”Jamming Sensor networks: Attack and Defense Strategies”, IEEE Network, pp. 42-43, May/June 2006. [6] Tae Dempsey, Gokhan Sahin, Y.T. (Jade) Morton, Chahira M. Hopper, “Intelligent Sensing and Classification in Ad Hoc Networks: A Case Study”, IEEE AE SYSTEMS MAGAZINE, pp. 23-25, August2009. [7] David R. Raymond, Scott F. Midkiff,”Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses”, IEEE CS Pervasive Computing pp. 74-79, January/March 2008. [8] Qijun Gu, Peng Liu, and Chao-Hsien Chu, “Tactical Bandwidth Exhaustion in Ad hoc Networks”, Proceedings of 2004 IEE, Workshop on Information Assurance and Security, pp. 257-264, June 2004. [9] Rainer Falk, Hans-Joachim Hof, “Fighting Insomnia: A Secure Wake-up Scheme for Wireless Sensor Networks”, Third International Conference on Emerging Security

8


Information, Systems and Technologies, pp. 191-192, 2009. [10] Anat Bremler-Barr, Hanoch Levy, “Spoofing Prevention Method”, IEEE, pp. 536, 2005. [11] Chin-Tser Huang, “LOFT: Low-Overhead Freshness Transmission in Sensor Networks”, 2008 IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing, pp. 241-242, 2008. [12] Mohamad Chouman, Haidar Safa, and Hassan Artail, “A Novel Defense Mechanism against SYN Flooding Attacks in IP Networks”, IEEE CCECE/CCGEI, Saskatoon, pp. 2151-2153, May 2005. [13] Bai Li, Lynn, “Using Mobile Agents to Detect Node Compromise in Path-based DoS Attacks on Wireless Sensor Networks”, IEEE, pp. 2507-2508, 2007. [14] Yu ZHANG, Xing She ZHOU, Yee Wei LAW , Marimuthu PALANISWAMI, “Insider DoS Attacks on Epidemic Propagation Strategies of Network Reprogramming in Wireless Sensor Networks”, IEEE Fifth International Conference on Information Assurance and Security, pp. 263, 2009. [15] Chris Karlof, David Wagnor, “Secure routing in wireless sensor networks: Attacks and Countermeasures” Proceedings of First IEEE workshop on Sensor Network Protocols and Applications, pp.113-127, May 2003