Attacks Against Virtual Coordinate System Based Routing in Wireless Sensor Networks

Jing Dong, Brett Bavar, Cristina Nita-Rotaru
Department of Computer Science, Purdue University
{dongj,bbavar,crisn}@cs.purdue.edu
I. INTRODUCTION

Wireless sensornet designs have evolved in recent years, from primarily focusing on data collection to more sophisticated tasks such as data centric storage [7]. Likewise, the requirements on the network support have also changed, from the basic many-to-one and one-to-many communications to more sophisticated point-to-point communications. To address the unique challenges for point-to-point routing in the sensornets, virtual coordinate system (VCS) based routing protocols have been developed. Compared to the traditional routing protocols, VCS-based routing protocols are proactive protocols that have the attractive properties of operating via only local interactions and requiring state information that does not grow with the size of the network.

Although there have been many proposed VCS-based routing protocols in the literature [1], [2], [3], [6], there has been little work that investigates the security of such protocols. However, as our experimental results have shown, the VCS-based routing protocols are particularly sensitive to attacks. It is possible for a small number of attacker nodes to jeopardize the routing operations of a significant portion of the network. Thus, it is paramount that we provide security mechanisms in these protocols if the target deployment environment is potentially malicious.

In this project, we address the problem of securing VCS-routing protocols. As a first step, we focus on the security threats against such protocols. More specifically, we will present the following contributions:

• We abstract a common framework for VCS-based routing based on the characteristics of existing protocols
• We identify attacks against VCS-based routing protocols based on the common framework
• We evaluate experimentally the impact of the attacks to demonstrate the necessity of security mechanisms

II. OVERVIEW OF VCS AND VCS-BASED ROUTING

Although each specific VCS-based routing protocol differs in the details of the VCS establishment and the specific routing operations, most of these protocols follow a common design. In this section, we give an overview of the common design of the VCS-based routing protocols. We will use the protocol framework described here as our model for the discussion of the attacks in the rest of the paper.

Typically, in VCS-based routing, a few beacon nodes are deployed in the network, from which periodic beacon messages are sent out. The flooding of the beacon messages across the network builds the shortest path trees rooted at each of the beacon nodes among all the nodes in the network. The network coordinates of a node are the vector of the hop counts to each of the beacons, which can be derived from the hop count field in the beacon messages. Depending on the specific VCS, the beacon nodes can be special infrastructure nodes, such as landmarks [1], or regular sensor nodes [2], [3].

The VCS-based routing follows the geographic routing paradigm, in which each node forwards the message to the neighbor that is closest to the destination under some protocol specific distance metric. When the message reaches a node that is closer to the destination than all of its neighbors (i.e., a local minimum), a protocol specific fall-back procedure is invoked. For example, in [3], the fall-back procedure re-directs the message to the beacon node closest to the destination. When the message reaches the beacon node, it is then flooded in the network. Typically, the fall-back procedure incurs much more overhead than the greedy forwarding process.

III. ATTACKS AGAINST VCS-BASED ROUTING

In this section, we present security threats against VCS-based routing protocols. We first describe the adversarial model and then we describe attacks on the establishment of a VCS and on the routing protocol itself separately.

A. Adversarial Model

We assume that the radio links are insecure. The attacker can mount eavesdropping, packet injection, and replay attacks. We assume “mote-class” attackers [4], that is, the attacker nodes have capabilities similar to those of legitimate nodes. The legitimate nodes may be compromised and the attacker nodes can collude and use wormholes in conducting their attacks. However, we do not consider physical or MAC layer attacks.

B. Attacks Against VCSs

The main goal of the attacks against VCSs is to disrupt the normal establishment of the coordinate system in the network, causing incorrect coordinates, instability in the coordinate system, or both. In the following, we classify the attacks on VCS based on their intended effect on the coordinate system.

1) Coordinate Deflation Attack: This attack causes legitimate nodes to obtain smaller coordinates than their actual coordinates. The attacker can mount this attack by having the attacker nodes announce incorrectly small coordinates in their neighborhood via node spoofing, compromising legitimate nodes, or wormhole tunneling legitimate small coordinate announcements from a distant network region.
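
The effect of one deflated announcement on hop-count coordinates can be measured on a small model. The following is an added example, not code from the paper: it assumes a constructed 10 x 10 grid with 4-neighbor links and nodes that keep the smallest hop count they hear plus one, and all function names and node positions are illustrative.

```python
import heapq

def grid_neighbors(w, h):
    """Adjacency of a constructed w x h grid; each node hears its 4 neighbors."""
    steps = ((1, 0), (-1, 0), (0, 1), (0, -1))
    return {(x, y): [(x + dx, y + dy) for dx, dy in steps
                     if 0 <= x + dx < w and 0 <= y + dy < h]
            for x in range(w) for y in range(h)}

def hop_counts(adj, announced):
    """Hop count each node settles on when it keeps min(neighbor value) + 1.

    `announced` maps a node to the hop count it advertises: the beacon
    advertises 0, a lying node advertises whatever it claims.
    """
    dist = dict(announced)
    heap = [(d, n) for n, d in announced.items()]
    heapq.heapify(heap)
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist[n]:
            continue  # stale queue entry, a smaller value was already kept
        for m in adj[n]:
            if d + 1 < dist.get(m, float("inf")):
                dist[m] = d + 1
                heapq.heappush(heap, (d + 1, m))
    return dist

def polluted_nodes(adj, beacons, liar, claimed):
    """Legitimate nodes whose coordinate vector differs from the honest one."""
    bad = set()
    for b in beacons:
        honest = hop_counts(adj, {b: 0})
        observed = hop_counts(adj, {b: 0, liar: claimed})
        bad |= {n for n in adj if n != liar and observed[n] != honest[n]}
    return bad

if __name__ == "__main__":
    adj = grid_neighbors(10, 10)
    # Constructed scenario: node (5, 5) is truly 10 hops from beacon (0, 0).
    for claimed in (10, 5, 0):
        bad = polluted_nodes(adj, [(0, 0)], (5, 5), claimed)
        print(f"claimed={claimed:2d}  polluted={len(bad)}/{len(adj) - 1}")
```

An honest announcement changes nothing, while smaller claimed values change the coordinates of nodes that never hear the lying node directly, because each affected node re-announces its own lowered value.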

2) Coordinate Inflation Attack: This attack causes legitimate nodes to obtain larger coordinates than their actual coordinates. The attacker can mount this attack by announcing incorrectly large coordinates with approaches similar to those in the coordinate deflation attack.

3) Random Disturbance Attack: This attack causes instability in the VCS. The attacker can mount this attack by alternately announcing small and large coordinates.

Impact of the attacks: Note that all of the above attacks are “contagious” in the sense that the legitimate nodes once affected by the attack become “attackers” themselves and propagate the effect of the attack further in the network by forwarding their incorrect coordinates to their neighbors. Thus, such attacks are particularly dangerous since very few attacker nodes can render the entire VCS virtually useless to the routing protocol. A back-of-envelope calculation reveals that a single well-positioned attacker node can cause as many as 80% of the nodes to obtain incorrect coordinates in the coordinate deflation attack.

C. Attacks Against the Routing Protocol

The aim of the attacks on the routing protocol is to cause route failures or to significantly increase the routing overhead. Besides simple attacks, such as packet dropping, which has only local effect, we focus on attacks that have network wide impact, such as the sinkhole attack and the coordinate pollution attack.

1) Sinkhole Attack: To mount the sinkhole attack, the attacker first intelligently manipulates the VCS establishment so that a large portion of the routing traffic is diverted to the attacker nodes. Next, the attacker nodes can either selectively or completely drop the traffic passing through to cause routing failures. For example, the routing protocol in [3] has the tendency of drawing routing traffic to nodes with smaller coordinates. Hence, the attacker can mount the coordinate deflation attack to obtain small network coordinates, attracting a large portion of the routing traffic to the attacker nodes.

2) Coordinate Pollution Attack: This attack causes incorrect destination coordinates to be used for routing. To mount this attack, the attacker can either compromise the coordinate servers which maintain the coordinates of all the nodes in the network, or spoof the coordinate servers in generating bogus replies to coordinate queries. The routing messages with incorrect destination coordinates are typically futilely forwarded in the network over a long path until the TTL expires or cause the expensive fall-back mode to be invoked. Thus the coordinate pollution attack not only causes route failures, but also increases the routing overhead significantly.

IV. EXPERIMENTAL RESULTS

In this section, we present our experimental results on the impact of the identified attacks using the BVR protocol [3] and the TOSSIM simulator [5]. The network consists of 100 randomly distributed nodes, 8 of which are randomly selected to be beacon nodes. The average node degree is 12. We randomly select a number of nodes to be the attacker nodes in each experiment.

Figures 1 and 2 show the results of the impact of the attacks on the routing performance. As can be seen from Figure 1, the sinkhole attack has a significant impact on the routing protocol: a mere 5% of nodes being malicious can bring the routing success ratio from 90% to only 30%. The coordinate inflation attack, on the other hand, does not have a significant impact, due to the relatively high density of the network. However, we expect combining the coordinate inflation attack with lying about path quality to have a larger impact.

Fig. 1. Impact of the attacks on VCS on the routing performance (average success ratio versus percentage of attackers; curves: coordinate deflation (sinkhole), coordinate inflation, random disturbance).

Fig. 2. Impact of the coordinate pollution attack on the routing performance (average success ratio versus number of attackers; curve: coordinate pollution).

V. CONCLUSION AND FUTURE WORK

In this paper, we identified potential attacks against VCS-based routing protocols. We demonstrated the significance of the attacks through simulations using a well-known VCS-based routing protocol. Our on-going work includes further quantifying the effect of the attacks, formulating defense mechanisms and evaluating their effectiveness.

REFERENCES

[1] Q. Cao and T. Abdelzaher. A scalable logical coordinates framework for routing in wireless sensor networks. In RTSS ’04, 2004.
[2] A. Caruso, S. Chessa, S. De, and A. Urpi. Gps-free coordinate assignment and routing in wireless sensor networks. In INFOCOM ’05, 2005.
[3] R. Fonseca, S. Ratnasamy, J. Zhao, C. T. Ee, D. Culler, S. Shenker, and I. Stoica. Beacon vector routing: Scalable point-to-point routing in wireless sensornets. In NSDI ’05, 2005.
[4] C. Karlof and D. Wagner. Secure routing in wireless sensor networks: Attacks and countermeasures. In First IEEE International Workshop on Sensor Network Protocols and Applications, 2003.
[5] P. Levis, N. Lee, M. Welsh, and D. Culler. Tossim: accurate and scalable simulation of entire tinyos applications. In SenSys ’03, 2003.
[6] K. Liu and N. Abu-Ghazaleh. Aligned virtual coordinates for greedy routing in wsns. In MASS ’06, 2006.
[7] S. Shenker, S. Ratnasamy, B. Karp, R. Govindan, and D. Estrin. Data-centric storage in sensornets. SIGCOMM Comput. Commun. Rev., 2003.