MobiWorp: Mitigation of the wormhole attack in mobile multihop wireless networks

Issa Khalil, Saurabh Bagchi, Ness B. Shroff
2008 Ad hoc networks  
In multihop wireless systems, the need for cooperation among nodes to relay each other's packets exposes them to a wide range of security attacks. A particularly devastating attack is the wormhole attack, where a malicious node records control traffic at one location and tunnels it to a colluding node, possibly far away, which replays it locally. This can have an adverse effect on route establishment by preventing nodes from discovering legitimate routes that are more than two hops away.
... s works on tolerating wormhole attacks have focused only on detection and used specialized hardware, such as directional antennas or extremely accurate clocks. More recent work has addressed the problem of locally isolating the malicious nodes. However, all of this work has been done in the context of static networks due to the difficulty of secure neighbor discovery with mobile nodes. The existing work on secure neighbor discovery has limitations in accuracy, resource requirements, and applicability to ad hoc and sensor networks. In this paper, we present a countermeasure for the wormhole attack, called MOBIWORP, which alleviates these drawbacks and efficiently mitigates the wormhole attack in mobile networks. MOBIWORP uses a secure central authority (CA) for global tracking of node positions. Local monitoring is used to detect and isolate malicious nodes locally. Additionally, when sufficient suspicion builds up at the CA, it enforces a global isolation of the malicious node from the whole network. The effect of MOBIWORP on the data traffic and the fidelity of detection is brought out through extensive simulation using ns-2. The results show that as time progresses, the data packet drop ratio goes to zero with MOBIWORP due to the capability of MOBIWORP to detect, diagnose and isolate malicious nodes. With an appropriate choice of design parameters, MOBIWORP is shown to completely eliminate framing of a legitimate node by malicious nodes, at the cost of a slight increase in the drop ratio. The results also show that increasing mobility of the nodes degrades the performance of MOBIWORP.

Keywords: Mobile ad hoc networks, neighbor watch, wormhole attack, secure neighbor discovery, node isolation.

There is significant interest in the research and development of ad hoc and sensor wireless networks for a variety of emerging applications.
These multi-hop wireless networks are especially suited for scenarios where it is infeasible or expensive to deploy significant networking infrastructure. However, the open nature of the wireless communication channels, the lack of infrastructure, and the hostile environments where they may be deployed make them vulnerable to a wide range of security attacks. These attacks could involve eavesdropping, message tampering, or identity spoofing, which have been addressed by customized cryptographic primitives. Many attacks are targeted directly at the data traffic by dropping all data packets (blackhole attack), selectively dropping data packets (grayhole attack), and performing statistical analysis on the data packets to obtain critical information, such as the location of primary entities in the network. For an attacker to be able to launch damaging data attacks, one option is to have a large number of powerful adversary nodes distributed over the network and possessing cryptographic keys. Alternatively, the attacker can achieve such attacks by having a few powerful adversary nodes that need not authenticate themselves to the network (i.e., external nodes). The attacker can achieve this by targeting specific control traffic in the network. Typical examples of control traffic are routing, monitoring liveness of a node, topology discovery, and distributed location determination.

A particularly severe control attack on the routing functionality of wireless networks, called the wormhole attack, has been introduced in the context of ad hoc networks [11] [13]-[15]. During the attack, a malicious node captures packets from one location in the network, and "tunnels" them to another malicious node at a distant point, which replays them locally. The tunnel can be established in many different ways, such as through an out-of-band hidden channel (e.g., a wired link), packet encapsulation, or high powered transmission.
This tunnel makes the tunneled packet arrive either sooner or with fewer hops than packets transmitted over normal multihop routes. This creates the illusion that the two end points of the tunnel are very close to each other. A wormhole tunnel can actually be useful if used for forwarding all the packets. However, in its malicious incarnation, it can be used by the two malicious end points of the tunnel to pass routing traffic to attract routes through them. The malicious end points can then launch a variety of attacks against the data traffic flowing on the wormhole, such as the grayhole attack or statistical flow analysis of the traffic. Also, the wormhole attack can affect route establishment by preventing any two nodes in the network that are more than two hops away from discovering routes to each other. The wormhole attack affects many applications and utilities in ad hoc networks, such as network routing, data aggregation and clustering protocols, and location-based wireless security systems [2]-[12] [17] [18]. Finally, the wormhole attack is considered particularly insidious since it can be launched without having access to any cryptographic keys or compromising any legitimate node in the network.

Our primary goal in this paper is to provide primitives that mitigate the wormhole attack in mobile ad hoc networks. Mitigation involves detection of the attack, diagnosis of the adversary nodes, and nullifying their capability for further damage.

Previous approaches to handling the wormhole attack have concentrated on detection using specialized hardware [14], highly accurate time measurement [20], specialized trusted nodes [32] and clock synchronization [13]. However, these may not be feasible for many large scale ad hoc or sensor networks due to the hardware complexity or cost. Also importantly, all of these approaches focus only on detecting and avoiding the attack but do not identify and neutralize malicious nodes.
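The hop-count illusion and route attraction described above, as an added example that is not code from the paper: a constructed 10-node chain under an assumed unit-disk radio model, where a tunnel between nodes 1 and 8 shortens routes, and a position-based plausibility check (a simplification, not the MOBIWORP protocol) flags the one link no radio could have produced. All function and variable names are hypothetical.

```python
from collections import deque
from itertools import combinations
from math import dist

RADIO_RANGE = 1.0  # assumption: unit-disk radio model
# Constructed sample: ten nodes on a line, one unit apart.
CHAIN = {i: (float(i), 0.0) for i in range(10)}
TUNNEL = (1, 8)  # constructed: colluders replay traffic between nodes 1 and 8

def build_links(pos, radio_range=RADIO_RANGE):
    """Legitimate neighbor links: node pairs within radio range."""
    return {frozenset(p) for p in combinations(pos, 2)
            if dist(pos[p[0]], pos[p[1]]) <= radio_range}

def hop_counts(links, src):
    """Breadth-first hop count from src to every reachable node."""
    adj = {}
    for a, b in (tuple(link) for link in links):
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    hops, queue = {src: 0}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj.get(u, ()):
            if v not in hops:
                hops[v] = hops[u] + 1
                queue.append(v)
    return hops

def attracted_pairs(pos, tunnel):
    """Node pairs whose shortest route gets shorter once the tunnel exists."""
    clean = build_links(pos)
    attacked = clean | {frozenset(tunnel)}
    shorter = []
    for a in sorted(pos):
        before, after = hop_counts(clean, a), hop_counts(attacked, a)
        shorter += [(a, b) for b in sorted(pos) if b > a and after[b] < before[b]]
    return shorter

def implausible_links(links, pos, radio_range=RADIO_RANGE):
    """Links whose end points are farther apart than any radio could reach."""
    return sorted(tuple(sorted(l)) for l in links
                  if dist(*(pos[n] for n in l)) > radio_range)

if __name__ == "__main__":
    attacked = build_links(CHAIN) | {frozenset(TUNNEL)}
    print("0->9 hops:", hop_counts(build_links(CHAIN), 0)[9], "->", hop_counts(attacked, 0)[9])
    print("pairs attracted:", len(attracted_pairs(CHAIN, TUNNEL)), "of 45")
    print("implausible links:", implausible_links(attacked, CHAIN))
```

On this sample, the route from node 0 to node 9 drops from 9 hops to 3, and 13 of the 45 node pairs see a shorter route through the tunnel.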
More recent work in a protocol called LITEWORP [15] has provided both detection and local isolation of wormhole nodes. However, it breaks down in mobile scenarios. The limitation arises from the inability to securely determine neighbors at arbitrary points in the lifetime of the network. Existing work on secure neighbor discovery cannot be applied to the problem because it hinges on one or more of the following features: (i) the requirement of extremely accurate clocks, (ii) the assumption of no delay in the network apart from propagation delay [16], and (iii) the requirement of directional antennas and measurement of exact angle of reception [14]. The large volume of work on location determination relies on inaccurate measures, such as received signal strength, and is distinct from the problem of location verification of a possibly malicious node. A second challenge arises from the possibility of a mobile adversary that may perform malicious actions at one location and move. The LITEWORP protocol only performs local isolation of the adversary and leaves the network open to an unbounded amount of damage through the mobile adversary.

In this paper, we make the following contributions:

• We provide a primitive that prevents a node from claiming to exist at more than one position in the network. This primitive can be used in detecting several different attacks such as the Sybil attack ([42] [43]).
• We develop a protocol called MOBIWORP that can detect and diagnose wormhole attacks in mobile networks.

Issa Khalil received the B.
doi:10.1016/j.adhoc.2007.02.001 fatcat:m6twgjhczfbkfcefp4niqxzeni