Using Directional Antennas to Prevent Wormhole Attacks

Lingxuan Hu, David Evans

Department of Computer Science, University of Virginia

Post on 16-Jan-2016



Outline

• Problem Statement
• Background
• Protocol
• Experiment

Scenario

Thousands of small, low-powered devices with sensors and actuators, communicating wirelessly

High-power base station

Routing Tree

Adapted from Chris Karlof and David Wagner's WSNPA slides

Routing

Adapted from Chris Karlof and David Wagner's WSNPA slides

Wormhole Attack

• Tunnel packets received in one part of the network and replay them in another part

• The attacker needs no key material. All it requires is two transceivers and one high-quality out-of-band channel

Adapted from Chris Karlof and David Wagner's WSNPA slides

Disrupted Routing

• Most packets will be routed to the wormhole

• The wormhole can drop packets or, more subtly, selectively forward packets to avoid detection

Adapted from Chris Karlof and David Wagner's WSNPA slides

Impact of Wormhole — Experiment

Base Station at Corner Base Station at Center

How many routing paths are disrupted by a single wormhole?

Impact of Wormhole — Result

[Figure: fraction of routes to base station disrupted (0 to 1) vs. position of endpoint (x, x) (0 to 500). Series: Base Station at Corner, Base Station at Center]

Possible Solutions

• Time – Signal is transmitted at speed of light

• Location – Location awareness

• Direction – Directional Antennas

Directional Antennas

Operation Modes: Omni and Directional

In Omni Mode: nodes send signals with gain Go

In Directional Mode: capable of sending in a specified direction, with directional gain Gd (Gd > Go)

Antenna Model

[Figure: antenna with six zones numbered 1 to 6; zone 1 faces east]

The model comprises N antenna zones. The N zones may collectively cover the entire plane.

The zones are numbered 1 to N, oriented clockwise, starting with zone 1 facing east.

The channel is bidirectional. For example, if A hears B from zone 1, then B will hear A in zone 4, which is the opposite zone.

Simple Neighbor Discovery

1. A → Region: HELLO | ID_A
   Announcement, done through sequential sweeping
2. N → A: ID_N | E_KNA (ID_A | R | zone (N, A))
   Include nonce and zone information in the message
3. A → N: R
   Check zone information and send back the nonce

Detecting Wormhole

[Figure: nodes A and B, with a Hello message between them]

zone (A, B) = 4

zone (A, B) = 1 Wrong!

Sophisticated Wormhole

[Figure: nodes A and B, with a Hello message between them]

zone (A, B) = 1

zone (A, B) = 1 Yes!

Simple Neighbor Discovery can reduce the chance of a successful wormhole attack to 1/6, but this is still unacceptable since a single wormhole can disrupt most routing paths.

Possible Solution: Neighborhood coordination

[Figure: antenna zones numbered 1 to 6, with a verifier node V]

Verified Neighbor Discovery

1. A → Region: HELLO | ID_A
   Announcement, done through sequential sweeping
2. N → A: ID_N | E_KNA (ID_A | R | zone (N, A))
   Include nonce and zone information in the message
3. A → N: R
   Check zone information and send back the nonce
4. N → Region: INQUIRY | ID_N | ID_A | zone (N, A)
   Inquire the validity of neighbor A through verifiers
5. V → N: ID_V | E_KNV (ID_A | zone (V, N))
   Send confirmation to N if all zone information is correct
6. N → A: ID_N | E_KAN (ID_A | ACCEPT)
   Accept A as its neighbor and notify A

Verification Region

1. zone (B, A) ≠ zone (B, V)
2. zone (B, A) ≠ zone (V, A)

[Figure: antenna zones numbered 1 to 6, with verifier v]

zone (B, A) = 4, zone (B, V) = 5

zone (B, A) = 4, zone (V, A) = 3

Verifier Analysis

1. zone (B, A) ≠ zone (B, V)
2. zone (B, A) ≠ zone (V, A)

[Figure: antenna zones at A and B, Region I and Region II, points X and Y, and verifiers v]

zone (B, A) = zone (B, V)

zone (B, A) = zone (V, A)

Worawannotai attack

• A and B are just beyond the transmission range of each other
• There is a valid verifier V in this case
• X simply retransmits messages between A and B; X doesn't need to retransmit the messages of V

Strict Neighbor Discovery

1. zone (B, A) ≠ zone (B, V)
2. zone (B, A) ≠ zone (V, A)
3. zone (B, V) cannot be both adjacent to zone (B, A) and adjacent to zone (V, A)

Theorem: In strict neighbor discovery, if distance (A, B) > r, the verification region is empty
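The zone checks of the simple, verified and strict protocols above, written out as an added example that is not part of the original slides. It reads zone (X, Y) as the zone in which X hears Y and centres zone 1 on east; both are assumptions of this sketch, and all coordinates are constructed.

```python
import math

N_ZONES = 6  # six zones, as in the slides' antenna model

def zone(rx, tx, n=N_ZONES):
    """Zone in which rx hears tx. Zones run 1..n clockwise with zone 1
    centred on east (the centring is an assumption of this sketch)."""
    theta = math.degrees(math.atan2(tx[1] - rx[1], tx[0] - rx[0]))  # CCW from east
    width = 360.0 / n
    return int((((-theta) % 360.0 + width / 2) % 360.0) // width) + 1

def opposite(z, n=N_ZONES):
    return (z - 1 + n // 2) % n + 1

def adjacent(z1, z2, n=N_ZONES):
    return (z1 - z2) % n in (1, n - 1)

def simple_check(zone_ab, zone_ba):
    """Simple neighbor discovery: A's and B's zones for each other must be opposite."""
    return zone_ab == opposite(zone_ba)

def verifier_ok(zone_ba, zone_bv, zone_va, strict=False):
    """Conditions 1 and 2 of the verified protocol; condition 3 when strict."""
    if zone_ba == zone_bv or zone_ba == zone_va:
        return False
    if strict and adjacent(zone_bv, zone_ba) and adjacent(zone_bv, zone_va):
        return False
    return True

# Constructed coordinates (not from the slides), chosen to reproduce the
# slides' example: zone(B, A) = 4, zone(B, V) = 5, zone(V, A) = 3.
A, B, V = (-1.0, 0.0), (0.0, 0.0), (-0.4, 0.7)

def slide_example():
    zba, zbv, zva = zone(B, A), zone(B, V), zone(V, A)
    return (zba, zbv, zva), simple_check(zone(A, B), zba), verifier_ok(zba, zbv, zva)

# Constructed relay case: A and B are far apart and each hears the other
# from the direction of a nearby relay endpoint (X near A, Y near B).
FAR_A, FAR_B, X, Y = (0.0, 0.0), (10.0, 0.0), (0.5, 0.5), (10.5, 0.5)

def relayed_link_accepted():
    return simple_check(zone(FAR_A, X), zone(FAR_B, Y))

if __name__ == "__main__":
    print(slide_example(), relayed_link_accepted())
```

In the relay case both nodes hear the other in zone 6, which is not an opposite pair, so the simple check rejects the link.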

Strict verification region

Cost Analysis

Communication Overhead
• The typical secure link establishment includes announcement, challenge and response
• This protocol adds inquiry, verification and acceptance

Connectivity
• Only accept a node as neighbor if it can be verified by at least one verifier, so may prevent some legitimate links from being established

Impact on Connectivity

[Figure: two network maps, x (meters) vs. y (meters), each axis 0 to 500. Panels: Verified Protocol, Omni density = 3; Strict Protocol, Omni density = 3]

For a more typical network with omni density = 10: in the verified protocol, 0.5% of links are lost and no nodes are disconnected; in the strict protocol, 40% of links are lost and 0.03% of nodes are disconnected.

Node Distance vs Connectivity

[Figure: links connected ratio (0 to 1) vs. node distance (r) (0 to 1). Series: Verified Protocol (Density=10), Verified Protocol (Density=3), Strict Protocol (Density=10), Strict Protocol (Density=3). Additional labels: Strict Protocol, Verified Protocol]

Impact on Routing

[Figure: average path length (0 to 10) vs. omnidirectional node density (4 to 20). Series: Directional Transmission, Verified Protocol, Strict Protocol]

For the verified protocol, the routing path length is nearly the same

For the strict protocol, the routing path length increases by around 20%

Directional Errors

[Figure: two panels, Omni density = 3 and Omni density = 10, each plotting ratio (0 to 1) vs. maximum directional error degree (0 to 60). Series: Lost Links, Strict Protocol; Lost Links, Verified Protocol; Disconnected Nodes, Strict Protocol; Disconnected Nodes, Verified Protocol]

The error is modeled by disorienting nodes by a random angle in [-max, max]

The number of disconnected nodes is little affected

The number of lost links increases as the maximum directional error degree increases

Conclusion

• The wormhole attack is a powerful attack that can be conducted without any cryptographic breaks
• Directional antennas offer a promising approach to preventing wormhole attacks through neighborhood coordination

Discussion

• Design protocols to prevent more powerful wormhole attacks
• Or try to prove that some powerful wormhole is unpreventable if no assumption on time synchronization or location awareness is made
• Mitigate replay attacks in other layers (routing, application)

References

[1] L. Hu and D. Evans. Using Directional Antennas to Prevent Wormhole Attacks. Network and Distributed System Security Symposium, San Diego, 5-6 February 2004.

[2] R. Ramanathan. On the Performance of Beamforming Antennas in Ad Hoc Network. MobiHoc 2001, October 2001.

[3] Y. Hu, A. Perrig, and D. Johnson. Packet Leashes: A Defense against Wormhole Attacks in Wireless Ad Hoc Networks. INFOCOM 2003, April 2003.

[4] C. Karlof and D. Wagner. Secure Routing in Sensor Networks: Attacks and Countermeasures. First IEEE International Workshop on Sensor Network Protocols and Applications, May, 2003.
