See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/363593725

A Study of RPL Attacks and Defense Mechanisms in the Internet of Things

Network

Conference Paper · June 2022

DOI: 10.1109/IC3SIS54991.2022.9885473

CITATIONS READS

0 20

2 authors, including:

Akshaya Dhingra
Maharshi Dayanand University
7 PUBLICATIONS 5 CITATIONS

SEE PROFILE

Some of the authors of this publication are also working on these related projects:

CO-OFDM View project

Fiber Optic Sensors View project

All content following this page was uploaded by Akshaya Dhingra on 21 November 2022.

The user has requested enhancement of the downloaded file.

 A Study of RPL Attacks and Defense
Mechanisms in the Internet of Things Network
2022 International Conference on Computing, Communication, Security and Intelligent Systems (IC3SIS) | 978-1-6654-6883-1/22/$31.00 ©2022 IEEE | DOI: 10.1109/IC3SIS54991.2022.9885473
Akshaya Dhingra
Electronics & Comm. Engineering
UIET, Maharshi Dayanand University,
Rohtak, Haryana, India
akshaya.rs.uiet@mdurohtak.ac.in
Abstract— The Internet of Things (IoT) is a technology that
has evolved to make day-to-day life faster and easier. But with
the increase in the number of users, the IoT network is prone to
various security and privacy issues. And most of these
issues/attacks occur during the routing of the data in the IoT
network. Therefore, for secure routing among resource-
constrained nodes of IoT, the RPL protocol has been
standardized by IETF. But the RPL protocol is also vulnerable
to attacks based on resources, topology formation and traffic
flow between nodes. The attacks like DoS, Blackhole,
eavesdropping, flood attacks and so on cannot be efficiently
defended using RPL protocol for routing data in IoT networks.
So, defense mechanisms are used to protect networks from
routing attacks. And are classified into Secure Routing
Protocols (SRPs) and Intrusion Detection systems (IDs). This
paper gives an overview of the RPL attacks and the defense
mechanisms used to detect or mitigate the RPL routing attacks
in IoT networks.
Keywords—IoT, RPL,6LoWPAN, LLN, SRPs, IDs
I. INTRODUCTION
With the advancement in Information and
Communication Technology (ICT), a new technology named
the Internet of Things (IoT) evolved a few years ago [1]. The
idea of IoT was first taken from an Internet-connected soft
drink vending machine that can count the number (no.) of
dispensed cans with the help of a photosensor placed inside
it [2]. The term "IoT" was first evolved in the 21st century by
Kevin Ashton with the introduction of Radio Frequency
Identification (RFID) labels in supply chain management [3],
[4]. And presently, with the new evolving technologies, there
is a need for digitization means everything being "Smart"
(i.e., every device must be connected to the Internet) [5]. To
have this digital world, we need an IoT network in which all
small and large things, i.e., smartphones, sensor nodes,
refrigerators, fans, heaters, air conditioners, cars, and even a
cloud, can be connected via the Internet [6].
The layered architecture of IoT as per the environment with
different physical things, sensors, mobile devices, and
actuators is shown in Figure 1, consisting of Perception,
Middleware, and Application layers, respectively [7].
Fig. 1. Architecture of IoT Network
978-1-6654-6883-1/22/$31.00 ©2022 IEEE
Authorized licensed use limited to: Deenbandhu Chhotu Ram Univ of Sci & Tech SONEPAT. Downloaded on September 16,2022 at 18:04:20 UTC from IEEE Xplore. Restrictions apply.
Vikas Sindhu
Electronics & Comm. Engineering
UIET, Maharshi Dayanand University,
Rohtak, Haryana, India
vikassindhu.uiet@mdurohtak.ac.in
Security is one of the major issues of concern in IoT networks
as it is a combination of various heterogeneous systems like
Global Positioning System (GPS), RFID, Actuators, Local
Area Networks (LANs), Infrared (IR) scanners, Wireless
Sensor Networks (WSNs) and Zigbee network [8]. And with
this increase in the no. of IoT devices, some being movable
devices, the complexity of the network will further increase,
which may lead to several routing attacks in the IoT network
[9]. In a survey conducted by Cisco, researchers found that
IoT devices will increase up to 75 billion by 2025 [10]. So,
as the no. of IoT devices increases, the main challenge arises
in securing these networks from different threats and attacks.
For secure routing in an IoT network, there are CIA
(confidentiality, integrity, and availability) principles for
information security. At the same time, five principles must
be fulfilled for information assurance, i.e., Integrity, Data
Authentication, Confidentiality, Availability and Non-
Repudiation. IoT is a heterogeneous network of
communication channels and nodes, and the network's
topology changes quickly due to mobile nodes. Therefore,
further research in IoT routing and addressing is required to
have secure communication between the IoT nodes [11]. This
paper aims to provide an overview of Routing Protocol for
Low Power and Lossy Networks (RPL) [12] routing attacks
and defense mechanisms used in IoT to detect and mitigate
these attacks.
II. RELATED WORK
This literature survey presents research related to Secure
Routing Protocols (SRPs) and attacks against RPL based IoT
networks. In [13], authors have developed an Intrusion
Detection System (IDs) to detect routing attacks such as
sinkhole and selective forwarding. Two algorithms, i.e., Key
Match Algorithm (KMA) and Cluster-Based Algorithm
(CBA), are designed to prevent these attacks. The simulation
results show that KMA detects 50-80% of errors while CBA
detects 76-80% of intrusions. In [14], the authors have
discussed various IoT technologies like 6LoWPAN, RPL,
COAP etc. and how attackers or IDs exploit these. They have
also demonstrated that attacks against 6LoWPAN networks
showed the different routing attacks and RPL self-healing
mechanisms against routing attacks. The authors have also
provided a lightweight heartbeat protocol to mitigate
selective forwarding attacks in this paper.
In [15], the authors have discussed various attacks against
RPL protocol and analyzed how these attacks are prevented
in RPL using different techniques. Further, they have
discussed some solutions to the routing attacks and the
research challenges. In [16], the authors have examined the
impact of hello flood, increased version, and decreased rank
 attack on RPL based IoT networks. Authors have simulated
these attacks in 120 different scenarios with different nodes
and scenario types and finally calculated how the attacks
impact the performance of the network. In [17], authors have
studied the function of RPL and 6LoWPAN protocols and
common simulated attacks, i.e., a sinkhole with selective
forwarding, wormhole, and flood attacks. The authors have
done the behavioural analysis of these attacks and observed
the effect of network metrics like resource topology and data
traffic. After the simulation, the authors compared it with the
study of previous researchers. In [18], the authors reviewed
nine attacks, i.e., Rank, Blackhole, selective forwarding,
wormhole, version no., DAO inconsistency, DIO
suppression, sybil, and sinkhole attacks in RPL based IoT
networks. The authors have proposed a primary mitigation
strategy to monitor network performance. In [19], authors
have found challenges arising in the smart city network of
IoT. Authors have proposed a new protocol that detects and
secures the network against Rank and version no. attacks
simultaneously occurring in RPL based IoT networks.
From the literature review mentioned above, we have studied
different architectural protocols, attacks against RPL
protocol and the various defense schemes used to mitigate
these attacks in IoT networks.
The paper organization is as follows: Section I describes IoT
and its architecture. Section II presents the review of previous
research papers related to SRPs and RPL attacks in IoT.
Section III describes protocols used in IoT. Section IV
describes RPL routing attacks in IoT. Section V gives
information about Defense mechanisms used to mitigate or
detect RPL routing attacks. Finally, section VI concludes the
paper.
III. PROTOCOLS USED IN IOT
In an IoT network, we have to mainly deal with constrained
nodes, which are combined to form Low Power and Lossy
Network (LLN). The LLN mainly consists of sensor
nodes/actuators that are resource-constrained but have
routing capabilities. So, when these nodes are connected in a
LAN network, one of the nodes acts as a Border Router (BR)
[20]. The layered architecture of protocols in 6LoWPAN IoT
is as depicted in figure 2 below.
Fig. 2. Protocol Stack for IoT
RPL is a routing protocol designed for LLN-IoT networks to
provide a self-healing mechanism in the node failure case.
This protocol operates at the network layer, efficiently routes
and distributes the information to other nodes. RPL is a
distance-vector-routing protocol that provides support to
6LoWPAN networks. It follows "Destination Oriented
Directed Acyclic Graphs (DODAG)" based topology that
may contain one or more Destination Acyclic Graphs (DAGs)
[14]. The formation of RPL is as shown in figure 3.
Authorized licensed use limited to: Deenbandhu Chhotu Ram Univ of Sci & Tech SONEPAT. Downloaded on September 16,2022 at 18:04:20 UTC from IEEE Xplore. Restrictions apply.
Fig. 3. RPL Formation
In a DODAG, one central node that acts as a gateway
between the Internet and things is a root node or BR. To
deliver a packet in the DODAG network, each node sets its
guardian/parent node that involves nodes with the path
towards the root node. As the parent node, the node with the
best path is chosen. In the RPL protocol, there are three types
of control messages for data routing i.e., DIO (DODAG
Information Object) sets and updates network topology,
DAO (DODAG Advertisement Object) advertises
information when there is any update in route and DIS
(DODAG Information Solicitation) gives information about
a new node that tracks the topology information before it
decides to join the network.
The DIO is also used in RPL to broadcast messages and
change topology. DIO is commonly used to distribute routing
states to other nodes using its rank and Objective Function
(OF). Every node computes its Rank according to the
selected parent or OF [10,11]. Also, in the RPL protocol, the
packets can be forwarded to different nodes based on three
traffic patterns that are Multipoint to Point (MP2P) or upward
route, Point to Multipoint (P2MP) or downward route and
Point to Point (P2P) or bidirectional route respectively.
Further, RPL supports two types of self-healing mechanisms
to detect the vulnerabilities i.e., the Global Repair mechanism
(which occur when there are inconsistencies in the DODAG
formation) and the Local Repair mechanism (for repairing
the sub-DODAG nodes by resetting the Trickle Timer (TT)
or used when the preferred parent is not available to the node)
[21].
IV. RPL ROUTING ATTACKS IN IOT
With the increase in the no. of IoT devices, the no. of attacks
on IoT networks is also increasing. So, there is a need for
secure and energy-efficient routing in IoT based applications.
IoT routing protocol, i.e., RPL mainly influenced by several
attacks. Hence, there is a need to find various vulnerable
attacks in IoT networks and find ways to mitigate these
attacks.RPL attacks in IoT are classified into External attacks
(an external node is responsible for performing attacks in the
network) and Insider Attacks (that occur if the malicious
node is a part of the network itself). Cryptographic
mechanisms are used to prevent external attacks, but these
mechanisms are incapable of preventing insider attacks.
Further, as per the taxonomy of RPL, routing attacks are
categorized based on Resources, Topology formation and
Traffic between nodes, as shown in figure 4 [23].
A. Attacks Against Resources
When a node in the RPL based IoT network consumes more
power, memory, and processing capabilities, it is affected by
resource attacks. If one or multiple nodes are affected by this
 type of attack, then the average lifetime of RPL DODAG will
decrease significantly. The attacks against resources can
happen in two ways, i.e., Direct Attacks and Indirect Attacks.
Fig. 4. Taxonomy of RPL Routing Attacks in IoT
1) Direct Attacks: In this, the malicious node is
responsible for the exhaustion of resources of the RPL
DODAG network. The direct attacker can decrease network
efficiency by performing a flooding attack or overloading the
routing table.
a) Hello-Flood Attack occurs in RPL-IoT network when
in node joins the network it broadcast a hello message that is
considered DIO messages. In this type of attack, the
malicious mode tries to attract traffic towards it by showing
good network metrics and leaving the network afterwards.
This type of attack intimately increases energy consumption
and creates congestion in the network.
b) Routing Table Overload Attack occurs when the
router of the RPL network is maintaining and storing routing
tables. This can be accomplished by creating fraudulent
routes with DAO messages, which saturate the target node's
routing table and cause memory overflow [23].
2) Indirect attacks: The attacker node influences another
node to send traffic over the network to overload resources.
a) Increased Rank Attacks occur when the Rank of
nodes that are part of RPL increases automatically in the
downward direction and disturbs DODAG formation. As in
RPL, each child node has a rank greater than its preferred
parent. If a child node wishes to modify its Rank, it must first
notify its parent. In this attack, the attacker node broadcasts a
higher rank in the DODAG and attracts child nodes to disturb
loop formations in the sub-DAGs of RPL.
b) DAG Inconsistency Attacks occur in the network
when a malicious node manipulates the Down' O' bit and 'R'
Rank error bit flags of the packets (DAG metric container)
before forwarding it to the destination. Due to this node's
energy, E2E delay and packet overheads increase in the
network.
c) Version No. Attacks: The 6BR in RPL is used to
increase version no. using its global repair mechanism. The
BR increases version no. by changing the DIO message's
version no. field and forwarding it to preferred child nodes.
The attacker modifies version no. field of the DIO message,
which updates version no. and changes the DODAG
formation. Due to this type of attack, E2E delays, rank
inconsistencies, overheads, and energy required by the n/w
will increase.
d) Expected Transmission Count (ETX) Manipulation
Attacks: The ETX OF is used for optimal routing between the
nodes in RPL. In the RPL network, the ETX value of the
Authorized licensed use limited to: Deenbandhu Chhotu Ram Univ of Sci & Tech SONEPAT. Downloaded on September 16,2022 at 18:04:20 UTC from IEEE Xplore. Restrictions apply.
parent node must be less than that of the child node. A
malicious node changes the ETX value of nodes to get a
better position in the network and launch other attacks on it
[12,24].
B. Attacks on Topology
The attacks against RPL may disturb the formation
(topology) of DODAG, so these are further divided into sub-
optimization and Isolation attacks.
1) Sub-Optimization Attacks: These attacks occur when
the nodes that are part of the network do not follow optimal
paths.
a) Sinkhole Attack: It is a sucking attack in which the
malicious nodes attract traffic towards it by advertising better
route path metrics. So, the neighboring nodes send the data
traffic as adversaries to the malicious or sink node, which
lastly drops all the traffic. A sinkhole Attack becomes more
harmful when combined with other attacks like blackhole or
wormhole attacks.
b) Wormhole Attacks occur when the attacker nodes
make a link between them to transmit all the traffic primary
or fully through the link instead of the path defined by
DODAG. Even the RPL self-healing property cannot detect
or mitigate this type of assault in the network through packet
encapsulation, packet relay, or out-of-band links to create a
private link. This type of attack increases the network's
energy consumption and E2E delay.
c) Neighbor Attacks occur when a malicious node
advertises fake DIO messages to its neighbouring nodes, due
to which its metrics like Rank, version no. etc., get affected.
These attacks are not very harmful but increase the E2E delay
of the network.
d) Replay Attacks: RPL routing tables are updated when
correct control messages are transmitted/received between
nodes. A malicious node repeatedly shares old routing data in
the network to disturb RPL-DODAG formation. This attack
replaying sends wrong control messages (DAO, DIO and
DIS) in the network, increasing power consumption,
overheads, and E2E delays [23].
2) Isolation Attacks: It occurs when a node or group of
nodes in RPL DODAG isolates from its parent/root node.
a) Blackhole Attack: It is an attack in which the
malicious node drops all the information packets rather than
forwarding them to the destination. This will create a
condition of Denial of Service (DoS) attack. A black hole
attack becomes more dangerous when the malicious node/
attacker modifies the packet before forwarding. Due to the
modification of packets problem of false route advertisement
arises, E2E delay increases and the packet delivery rate
decreases. RPL self-healing mechanism can remove this
attack, but this attack becomes more dangerous when
combined with other attacks like sinkhole attacks.
b) Selective Forwarding Attack: Another form of
Blackhole attack is also known as the "Greyhole Attack". The
attacker/malicious node selectively forwards the packets
while dropping everything else. E.g., the attacker node
forwards RPL control messages and ICMPv6 packets and
drops all other packets. This attack disrupts routing paths as
it cannot be detected or removed with the help of the RPL
self-healing mechanism [25].
 c) DAO Inconsistency Attack: This attack occurs in RPL
storing mode. The control packets that are forwarded to
destination Down' O' (to check packet direction), 'R' flag (to
check Rank error) and 'F' flag (forwarding error flag to check
packets that are not forwarded to destination). DAO
Inconsistency attack occurs when the attacker changes the 'F'
flag bit of control packets which changes the topology of the
DODAG. Due to this attack, E2E delays, topology variation
and isolation between nodes increase.
C. Attacks on Traffic
These attacks influence traffic between the RPL nodes and are
classified into eavesdropping and impersonation attacks.
1) Eavesdropping Attacks: This attack occurs due to
sniffing and traffic analysis attacks.
a) Sniffing Attacks: The attack occurs when the attacker
listens to the packets that are sent over the network. The
attack can occur on the device or directly on packets when the
nodes are connected over the wired or wireless medium. The
attacker copies i.e. sniff the control packet's information like
version no., Rank, identity (ID) no. of DODAG etc., and
drops the packets via the medium used. These attacks cannot
be detected as they are passive in nature.
b) Traffic Analysis: In this type of attack, the attacker
tracks the traffic between the DODAG nodes. The attacker
then collects all the information about the parent/child nodes
and the topology formation of the nodes and then performs
attacks in the network [23].
2) Impersonation Attacks: In this attack, the attacker
copies the ID of a node and claims to be a legitimate node.
These attacks are not harmful to RPL but can access a major
part of the network.
a) Decreased Rank Attacks: These attacks occur when
an attacker node advertises a lower rank in the form of DIO
messages in the network. And the other nodes think it to be a
legitimate node and share traffic in the network via a
malicious node. This type of attack may cause sinkhole or
eavesdropping attacks inside the network by changing the
Rank values of the nodes. These attacks increase the power
consumption of the RPL based network.
b) Clone Identity and Sybil Attacks: The Clone ID attack
occurs when the attacker node copies node information from
the network and pretends to be a legit network node. The root
node of RPL DODAG is spoofed most of the time and attracts
traffic towards it. While in the Sybil attack, the attacker
copies several entities to control the network topology. Sybil
attacks are further classified into SA1, SA2 and SA 3 based
on the nature of nodes used. The Sybil attacks decrease the
packet delivery ratio (PDR) and increase overhead and the
network's energy consumption[12].
V. DEFENSE MECHANISMS USED TO MITIGATE OR
DETECT RPL ROUTING ATTACKS
To protect RPL based IoT networks from insider and outsider
attacks, different authors have proposed solutions to mitigate
and detect attacks. So, the defense mechanisms are divided
into 2 categories, i.e., Routing Protocols (which have been
integrated into the RPL protocol) and IDs (that detect the
abnormalities in RPL function). Figure 5 [12] depicts the
Authorized licensed use limited to: Deenbandhu Chhotu Ram Univ of Sci & Tech SONEPAT. Downloaded on September 16,2022 at 18:04:20 UTC from IEEE Xplore. Restrictions apply.
taxonomy of defense mechanisms used to detect and mitigate
attacks against RPL.
A. Secure Routing Protocols (SRPs)
SRPs are used to defend against different routing attacks
occurring in IoT networks. SRPs are further classified into
cryptographic (use traditional key algorithms to protect the
network against cyber-attacks), Trust (measures the trust
value between nodes) and threshold (that works on RPL TT
reset property) based solutions.
Fig. 5. Defense Mechanism used to mitigate/detect RPL Routing Attacks
1) Cryptographic Solutions:
a) Markle-Tree Authentication: It is a scheme that can
detect wormhole attacks. It identifies the parent node from
the end sensor node with the help of hash calculation of the
node's public key. The error is detected if the node cannot
validate its transmission [11].
b) Version No. and Rank Authentication (VeRA): This
protocol is used to defend version no. and decrease rank
attacks. It uses hash chains to authenticate the malicious
nodes. It generates hashing function using a random no. and
prevents attacks by publishing a false decreased Rank. VeRA
uses the Message Authentication Code (MAuC) of the root
node that contains a maximum rank hash value and next
version no. as a key for authenticating the Rank of nodes.
VeRA is susceptible to Rank Chain Forgery and Rank Replay
attacks, which can be mitigated using the Challenge-
Response Scheme.
c) Trust Anchor Interconnection Loop (TRAIL): It is a
Security Scheme used for detecting and preventing
topological attacks. Without any encryption mechanism, it
may identify rank spoofing attacks. It finds out the rank
irregularity of each parent node to detect and remove
malicious nodes from the network. This protocol also
minimizes network resource consumption [12, 25].
d) Secure RPL (SRPL): It is a security mechanism to
detect rank attacks in the network due to manipulating control
message information. With the help of the Rank Threshold
value, it can detect any change in the Rank value of the node.
SRPL involves three phases to Defend the Attack, i.e.,
Initialization, verification, and Rank updatation phases. In
the initialization phase, all the network nodes calculate their
rank threshold level and hash codes. In the verification
phase, nodes verify their hashed ranks and threshold
levels. In the last Phase, the Rank of a node is confirmed in
case of any change in Rank value. SRPL is used to detect
blackhole, Rank, sinkhole, and selective forward attacks. A
major drawback is that it is expensive and uses more network
resources [12].
 2) Trust-Based Solutions
a) Trusted Computer Architecture (TCA): It uses
Trusted Platform Module (TPM) to establish Trust for
exchanging secure keys among the sensor nodes. This type
of architecture defends against DoS, tampering and even
routing attacks. TPM is the main sub-part of this architecture
that encrypts the correct keys. So, to protect the network
from attacks, we have to protect the TPM module, increasing
network performance using TCA.
b) Minimum Rank Hysteresis Objective Function
(MHROF) RPL: It is an extension of the RPL protocol used
to detect and isolate black hole attacks. It calculates the RPL
trust values of neighbouring nodes and determines the
preferred parent node by monitoring them.
c) Sec-Trust RPL: It's a time based, trusted modification
of the RPL protocol. Using this protocol, we can detect and
isolate Rank and Sybil attacks. This protocol uses Trust
Calculation Module (TCM) to compute the trust value of
neighbouring nodes. It also uses the Trust Monitoring
Module (TMM) to update the Trust values of nodes over time
and in a reactive way. And lastly, the trust rating process sorts
the trust values in decreasing order. Sec-Trust also uses Trust
Backup and Recuperation process to save network resources
from the attacker node. Sec-Trust RPL protocol is much
better than MHROF RPL as it detects attacks, reduces packet
loss, increases efficiency, and reduces the frequency of rank
attacks in the network. The disadvantage of using this scheme
is it requires more energy as it operates in promiscuous mode.
d) Lightweight Trust Aware RPL is a protocol used to
detect Blackhole and Selective forwarding attacks. The
principle of working of this protocol lies on the nature of
nodes. If the nature of a node is malicious, then it drops more
packets than that of a non-malicious node. In this way, the
protocol measures the Trust of a node. It measures the quality
of the node based on the MRHOF RPL function. This
protocol shows better performance than MRHOF RPL and
detects attacks more frequently but consumes more energy in
the promiscuous mode of operation.
e) Metric Based RPL Trustworthiness Scheme (MRTS):
It is a strategy that works on trustworthiness between the
nodes [12]. Based on trust metrics and OFs, this system
proposes new Extended RPL Node Trustworthiness (ERNT)
and Trust Objective Function (TOF) scheme. The ERNT is
combined with the DIO messages that are interchanged with
the neighbouring sensor nodes. And responsible for
producing cost-effective trust-based routes. TOF is used to
compute Rank and gives ways to use ERNT for selecting
parent nodes. MRTS scheme uses TPM for performing
security calculations and protecting RPL control
messages. But this, TPM increases the overall cost of the
MRTS network.
f) 2-Way Acknowledgement (ACK) Trust: This scheme
uses Two-Way ACK for developing Trust between the
neighbouring nodes. In this scheme, the network operates in
a non-promiscuous mode and direct Trust is built between the
nodes. This scheme creates a route to the sink node and
introduces a new node for accomplishing two-hop ACK in
the network. This protocol cannot detect and isolates grey
hole attacks as it is pre-assumed that the malicious node only
drops data packets but not the ACK packets.
Authorized licensed use limited to: Deenbandhu Chhotu Ram Univ of Sci & Tech SONEPAT. Downloaded on September 16,2022 at 18:04:20 UTC from IEEE Xplore. Restrictions apply.
3) Threshold Based Solutions:
a) Adaptive Threshold (AT): It detects RPL-DODAG
inconsistency attacks. This scheme works on the trickle time
threshold value. A fixed value of 20 is preset in the RPL TT
as the threshold. And to limit the attack effect when the timer
reaches this limit, all the packets are dropped and the TT goes
on. The TT will reset after every 1 hour to counter the attacks
using this scheme. This scheme cannot be used to detect
multiple-pattern attacks and doesn't consider mobile nodes
for calculation.
b) Dynamic Threshold (DT): This scheme is an
improvement of the adaptive threshold and mitigates
DODAG inconsistency attacks. To protect the network from
attacks, all the dynamic characteristics of nodes are
considered in the scheme. It only uses network characteristics
to optimize the network performance. DT also uses RPL
convergence time instead of resetting its TT, which
intimately decreases DIO transmissions. DT can also detect
and mitigate Forced Blackhole attacks. This scheme requires
less transmission energy and has lower delays and PDR than
AT.
B. Intrusion Detection system (IDs)
These are used to detect various routing attacks occurring in
IoT networks. Different types of IDs are: Signature-based,
Anomaly-based, Specification-based and Hybrid IDs,
respectively.
1) Signature-Based IDs: It detects DIS flooding and
version no. attacks. This scheme detects multiple attacks with
the help of monitoring modules placed inside the nodes. This
scheme also requires three types of additional modules. The
first module is the IDs router node containing a firewall and
detecting malicious packets. And the second module is the
IDs sensor/detector node that monitors traffic and calculates
the Received Signal Strength Indicator (RSSI), sending rate
and drop speed of packets. And in last the detection module
on 6BR decides whether the node is safe or malicious.
2) Anomaly-Based IDs:
a) SVELTE: It is real-time IDs that contain an anomaly
detection engine to detect RPL spoofing, sinkhole and
selective forwarding attacks. To detect attacks, four modules,
i.e., Mapper, Analyzer, Detector and Firewall, are placed
inside the 6BR. These modules inside the 6BR filter the
legitimate nodes. SVELTE can detect attacks that occur in the
network due to DODAG inconsistency, misbehaviour of
nodes and routing table overloading. But it requires proper
placement of modules inside the 6BR to reduce the False
Positive Rate (FPR). The anomaly IDs need less energy,
memory and computation power from the network.
b) Real time IDs for Wormhole Detection: This scheme
detect wormhole attacks based on RSSI. In this technique IDs
centralized block is placed inside 6BR and distributed blocks
are placed inside resource constrained IoT nodes.
c) Extended- SVELTE: Extension of SVELTE proposed
to detect ETX metric based attack in RPL. In this scheme, an
extra intrusion detection module is incorporated inside 6BR.
This method can detect rank and ETX attacks by using the
location and transmission limits. This scheme achieves a high
 True Positive Rate (TPR) and these IDs require significantly
less power and memory.
3) Specification IDs: It is used to detect RPL topological
attacks. These IDs are made up of an Extended Finite State
Machine (EFSM) that was created using a semi-automated
profiling method. In this scheme, RPL specifications are used
to generate EFSM and specify network states (i.e., transition
and stable conditions) using the "Integer Linear Programming
Technique (ILPT). With the help of EFSM, the IDs can detect
rank, local repair, neighbour, DIS and sinkhole attacks. The
main disadvantage of using the IDs is that it requires more
communication overheads and reduces accuracy of network.
4) Hybrid IDs: It is a scheme that combines two or more
ID schemes. Like RIDES (Robust IDs) is a hybrid of
"Signature-based" and "Anomaly-based" identification
methods. This scheme uses signature codes for matching the
pattern of components. And the Anomaly-based IDs are used
to set threshold limits. RIDES provides delayed intrusion
detection and consumes more energy and cannot be used in
resource-constrained networks. The second hybrid IDs is a
combination of "Anomaly and Specification-based" IDs. This
scheme detects multiple routing attacks like forwarding,
wormhole, and sinkhole attacks. The specification-based IDs
are used in the gateway, which employs the OPFC (Optimum
Path Forest Clustering) algorithm to cluster data packets. This
scheme is highly scalable and detects attacks faster. But
consumes more energy, so it cannot be used in the resource-
constrained network [12].
VI. CONCLUSION
IoT is an evolving technology that connects people with
physical things. Various routing attacks in LLN based IoT
network ruins the functioning of the RPL protocol. It has been
observed that many researchers have found the problems
becoming a barrier in the path of a robust IoT network.
Authors have proposed protocols, algorithms, and trust
management frameworks to protect the network from various
attacks. But all these frameworks are not designed for
resource-constrained IoT nodes. So, in future, there is a need
for solutions that deal with multiple attacks by keeping in
mind the LLN property of IoT nodes. In addition to this, some
schemes need to be proposed that provide security at lower
layers and can mitigate two or more attacks simultaneously.
REFERENCES
[1] R. Ande, B. Adebisi, M. Hammoudeh, and J. Saleem, "Internet of
Things: Evolution and technologies from a security perspective,"
Sustainable Cities and Society, vol. 54, Mar. 2020, doi:
10.1016/j.scs.2019.101728.
[2] C. Maple, "Security and privacy in the internet of things," Journal of
Cyber Policy, vol. 2, no. 2, pp. 155–184, May 2017, doi:
10.1080/23738871.2017.1366536.
[3] L. Wang, L. D. Xu, Z. Bi and Y. Xu, "Data Cleaning for RFID and
WSN Integration," in IEEE Transactions on Industrial Informatics,
vol. 10, no. 1, pp. 408-418, Feb. 2014,
10.1109/TII.2013.2250510.
[4] H. Guo, M. F. Goodchild, and A. Annoni, "Manual of Digital Earth."
[5] S. Nižetić, P. Šolić, D. López-de-Ipiña González-de-Artaza, and L.
Patrono, "Internet of Things (IoT): Opportunities, issues and
challenges towards a smart and sustainable future," Journal of
Cleaner Production, vol. 274, Nov. 2020,
10.1016/j.jclepro.2020.122877.
Authorized licensed use limited to: Deenbandhu Chhotu Ram Univ of Sci & Tech SONEPAT. Downloaded on September 16,2022 at 18:04:20 UTC from IEEE Xplore. Restrictions apply.
View publication stats
[6] B. H. Patel and P. Shah, "RPL routing protocol performance under
sinkhole and selective forwarding attack: Experimental and simulated
evaluation," Telkomnika (Telecommunication Computing Electronics
and Control), vol. 18, no. 4, pp. 1849–1856, 2020, doi:
10.12928/TELKOMNIKA.V18I4.15768.
[7] M. Burhan, R. A. Rehman, B. Khan, and B. S. Kim, "IoT elements,
layered architectures and security issues: A comprehensive survey,"
Sensors (Switzerland), vol. 18, no. 9, Sep. 2018, doi:
10.3390/s18092796.
[8] D. Singh, M. Kumar Mishra, A. Lamba, and S. Swagatika, "Security
Issues in Different Layers of IoT And Their Possible Mitigation",
[Online]. Available: www.ijstr.org
[9] R. Mehta, J. Sahni, and K. Khanna, "Internet of Things: Vision,
Applications and Challenges," in Procedia Computer Science, 2018,
vol. 132, pp. 1263–1269. doi: 10.1016/j.procs.2018.05.042.
[10] D. Airehrour, J. Gutierrez, and S. K. Ray, "Secure routing for internet
of things: A survey," Journal of Network and Computer Applications,
vol. 66, pp. 198–213, May 2016, doi: 10.1016/j.jnca.2016.03.006.
[11] A. Jain and S. Jain, "A survey on miscellaneous attacks and
countermeasures for RPL routing protocol in IoT," in Advances in
Intelligent Systems and Computing, 2019, vol. 814, pp. 611–620. doi:
10.1007/978-981-13-1501-5_54.
[12] A. Verma and V. Ranga, "Security of RPL Based 6LoWPAN
Networks in the Internet of Things: A Review," IEEE Sensors
Journal, vol. 20, no. 11, pp. 5666–5690, Jun. 2020, doi:
10.1109/JSEN.2020.2973677.
[13] S. Choudhary and N. Kesswani, "Detection and Prevention of Routing
Attacks in Internet of Things," in Proceedings - 17th IEEE
International Conference on Trust, Security and Privacy in
Computing and Communications and 12th IEEE International
Conference on Big Data Science and Engineering,
Trustcom/BigDataSE 2018, Sep. 2018, pp. 1537–1540. doi:
10.1109/TrustCom/BigDataSE.2018.00219.
[14] L. Wallgren, S. Raza, and T. Voigt, "Routing attacks and
countermeasures in the RPL-based internet of things," International
Journal of Distributed Sensor Networks, vol. 2013, 2013, doi:
10.1155/2013/794326.
[15] A. Kamble, V. S. Malemath and D. Patil, "Security attacks and secure
routing protocols in RPL-based Internet of Things: Survey," 2017
International Conference on Emerging Trends & Innovation in ICT
(ICEI), 2017, pp. 33-39, doi: 10.1109/ETIICT.2017.7977006.
[16] S. Sharma and V. K. Verma, "Security explorations for routing attacks
in low power networks on internet of things," Journal of
Supercomputing, vol. 77, no. 5, pp. 4778–4812, May 2021, doi:
10.1007/s11227-020-03471-z.
[17] M. Preda and V. Patriciu, "Simulating RPL Attacks in 6lowpan for
Detection Purposes," 2020 13th International Conference on
Communications (COMM), 2020, pp. 239-245, doi:
10.1109/COMM48946.2020.9142026.
[18] K. Avila, D. Jabba, and J. Gomez, "Security Aspects for Rpl-Based
Protocols: A Systematic Review in IoT," Applied Sciences, vol. 10,
no. 18, p. 6472, Sep. 2020, doi: 10.3390/app10186472.
[19] Z. A. Almusaylim, A. Alhumam, and N. Z. Jhanjhi, "Proposing a
Secure RPL based Internet of Things Routing Protocol: A Review,"
Ad Hoc Networks, vol. 101, Apr. 2020, doi:
10.1016/j.adhoc.2020.102096.
[21] T. Tsvetkov and A. Klein, "RPL: IPv6 Routing Protocol for Low
Power and Lossy Networks", doi: 10.2313/NET-2011-07-1_09.
[22] I. Ishaq et al., "IETF Standardization in the Field of the Internet of
Things (IoT): A Survey," Journal of Sensor and Actuator Networks,
vol. 2, no. 2. MDPI AG, pp. 235–287, Jun. 01, 2013. doi:
10.3390/jsan2020235.
[23] A. Mayzaud, R. Badonnel, and I. Chrisment, "A Taxonomy of Attacks
in RPL-based Internet of Things," International Journal of Network
Security, vol. 18, no. 3, pp. 459–473, 2016, doi:
10.6633/IJNS.201605.18(3).07ï.
[24] S. M. Muzammal, R. K. Murugesan, and N. Z. Jhanjhi, "A
Comprehensive Review on Secure Routing in Internet of Things:
Mitigation Methods and Trust-Based Approaches," IEEE Internet of
Things Journal, vol. 8, no. 6. Institute of Electrical and Electronics
doi:
Engineers Inc., pp. 4186–4210, Mar. 15, 2021. doi:
10.1109/JIOT.2020.3031162.
[25] A. Raoof, A. Matrawy, and C. H. Lung, "Routing Attacks and
Mitigation Methods for RPL-Based Internet of Things," IEEE
Communications Surveys and Tutorials, vol. 21, no. 2, pp. 1582–
1606, Apr. 2019, doi: 10.1109/COMST.2018.2885894.
doi: