CHAPTER 4 IMPACT OF ROUTING ATTACKS IN LOCATION BASED ROUTING PROTOCOL

Transcription

1 63 CHAPTER 4 IMPACT OF ROUTING ATTACKS IN LOCATION BASED ROUTING PROTOCOL 4.1 INTRODUCTION This chapter explains the impact of the blackhole, rushing, sybil and wormhole active attacks, in the route discovery of GMR, a location based routing protocol. In the route discovery of GMR, a set of malicious nodes are injected, and the PDR, throughput and energy consumption performance metrics are studied. The data structures and algorithms used in the implementation are discussed in this chapter. 4.2 WORKING OF THE GMR Juan Sanchez et al (2007) proposed an energy efficient routing protocol for WSN called GMR, which is one of the location based routing protocols. The GMR calculates the position of the sensor nodes from the GPS or from the virtual coordinates. Each sensor node communicates its position to its neighbors, using periodic beacons. The GMR routes the message, using a common path to the destination nodes. Then the message is split, using the Gabriel graph at the end of the path, as given in Figure 4.1(a). The GMR multicast algorithm is based on the Cost Over Progress (COP) ratio. In the case of the unicast, COP is the relationship between the cost incurred in the next hop, and the progress achieved by the next hop node. The multicast extension minimizes the number of selected next hop nodes, over the progress

2 64 achieved by the selected set. Progress is measured as the difference between the sum of all the individual distances between the current forwarding node and the destinations, and the sum of the distances of each next hop node and the destinations covered by the node. A node is said to cover a destination, if the destination is closest to that node when compared to all the other next hop nodes. The GMR describes an efficient neighbor set selection strategy. Since the GMR is greedy as well, only the node set providing positive progress is considered. Consequently, a message can get caught in a network, and greedy recovery may become an issue. A plain face recovery strategy applies the traditional unicast face traversal for each destination node individually. In order to save the communication bandwidth, messages traveling in the same direction are aggregated into one single message. The GMR forms a multicast tree to send a data packet from a source to multiple destinations, using a single broadcast transmission. Each forwarding node selects a subset of its neighbors in the direction of the destination as relay nodes based on the COP ratio. The cost is equal to the number of selected neighbors. Progress is the reduction of the remaining distance to the destination. The hop count is assumed to be proportional to the distance. The COP metric is explained with respect to Figure 4.1(b). The remote source node S broadcasts the message M to a set of destinations {D1, D2, D3, D4, and D5}. The forwarding node C receives the message M from the source S and selects its neighbors A 1 and A 2 as the relay nodes, using the Greedy Set Partition Selection (GSPS) algorithm. The multicasting task could be given to one neighbor, or it could be handled by several neighbors. Each neighbor could address a set of destinations.

3 65 Figure 4.1 (a) Gabriel graph D 1 A 1 D 2 C D 3 A 2 D 4 D 5 Figure 4.1(b) GMR neighbor selection From node C the total distance for multicasting is T 1 using Equation (4.1). Then the forwarding node (node C) applies the GSPS algorithm, and selects A 1, as the relay node responsible for destinations D 1, D 2 and D 3. The node A 2 is chosen as the relay node for the destinations D 4 and D 5. For the next level of the multicast tree, a new total distance T 2 is

4 66 calculated according to Equation (4.2). The progress is the difference of T 1 and T 2. The COP ratio for the new relay nodes {A 1, A 2 } is given by Equation (4.3). The node C informs its neighbors A 1 and A 2, that they are selected as the relay nodes, using the header in Figure 4.2. The GMR prefixes this header to the data message. The value 2 in the numerator in Equation (4.3) denotes the number of relay nodes. T 1 = CD 1 + CD 2 + CD 3 + CD 4 + CD 5 (4.1) T 2 = A 1 D 1 + A 1 D 2 + A 1 D 3 + A 2 D 4 + A 2 D 5 (4.2) COP = 2 / (T 1 T 2 ) (4.3) C ID A 1(ID),{D 1(ID), D 2(ID),D 3(ID) } A 2(ID),{D 4(ID), D 5(ID) } Figure 4.2 Header format of the GMR message In Figure 4.2, the first field represents the forwarding node, namely, node C, which applies the GSPS algorithm. The other fields represent the relay nodes. A 1 in Figure 4.2 is the first relay node. The destinations it has to handle, namely {D 1, D 2, D 3 }, are the set in the second field. The third field is the second relay node A 2, and the set of destinations {D 4, D 5 } it handles. Thus, the sender forwards the message to the relay node. It reaches the destination by the selective forwarding algorithm. Hence, the energy and bandwidth consumption are minimized. The next section explains how the rushing attack is introduced in GMR. 4.3 RUSHING ATTACK IN GMR The rushing attack (Hoang et al 2008) is a kind of denial of service attack. When the source node floods the network with route discovery packets to find routes to the destinations, each intermediate node processes only the

5 67 first non-duplicate packet, and discards the other duplicate packets that arrive at a later time. A rushing attacker exploits this duplicate suppression mechanism by quickly forwarding the route discovery packets, in order to gain access to the forwarding nodes. RUSHING ATTACK: Takes a set of [1..M] malicious nodes as the input, and successfully injects it. 1. [Initialize] for all nodes do set bestcop = 1 // Initialize the best COP ratio end for; 2. //M={M 1,M 2,M 3, M n } //M i = Malicious Node i for i=1 to n do set Queuing delay as d 2 for M i // Malicious nodes end for; 3. for i =1 to n do set Queuing delay as d 1 ms for N i // Normal nodes end for; 4. // node C receives a multicast message from source node S if (GMRneighbourID == ID of node C) then G = get the neighbor list (C); call GSPS(G); else drop PKT; end if; 5. end. Figure 4.3 Algorithm for introducing the rushing attack in GMR

6 68 The impact of the rushing attack on GMR has been studied, and the results are presented. GMR is implemented with a source node (C), initiating a data message to 20 destinations. The malicious nodes are uniformly distributed throughout the network, and the COP ratio is calculated. Figure 4.3 is the pseudo code of the rushing attack introduced in GMR. In this simulation, the data packets queuing delay is set as d 1 ms for all the normal nodes in Step 3 of Figure 4.3. For the rushing nodes (M) the queuing delay is set to d 2 ms and the value of d 1 is greater than the value of d 2. Therefore, node M i is chosen as the relay node by the GSPS algorithm of GMR, since it has the best COP ratio. In the pseudo code, the neighbor node with the best COP ratio is taken as the relay node for the routing. For instance, node C in Figure 4.1(b) receives a multicast message from its neighbor node S. Node C reads the header and gets the forwarding node s ID. If node C finds its ID, then it starts calculating the COP ratio, by calling the GSPS algorithm; otherwise, the packets are dropped. The next section explains the algorithm used for introducing the blackhole attack in GMR. 4.4 BLACKHOLE ATTACK IN GMR When all the messages are redirected to a specific node, it is defined as the blackhole attack (Mukesh Tiwari et al 2009). The node could be a malicious node. The traffic migrates into that malicious node. The node would not exist after a blackhole attack. A blackhole attack has two stages. In the first stage, the blackhole exploits the routing protocol to advertise itself as having a valid route to the destination, even though the route is spurious. In the second stage, the node consumes the intercepted packets and suddenly disappears.

7 69 The blackhole attack is introduced in the GMR protocol, using the pseudo code given in Figure 4.4. A set of malicious nodes (M) with d 2 ms queuing delay is launched. The normal nodes are set with a queuing delay of d 1 ms. The blackhole node advertises its ID and location information to its one hop neighbor by a beacon message. Then, the GMR partition algorithm is executed. Since the blackhole nodes have less queuing delay and hence the best COP, they are selected as the relay nodes. In the implementation, initially 6 nodes were selected as the forwarding nodes in the first iteration. So, the loop was repeated until all the 10 malicious nodes were selected as the forwarding nodes in the multicast tree. After 100 ms of simulation time, the malicious nodes dropped the packets. When 200 ms was reached the energy was set to zero. So, the blackhole nodes disappeared from the multicast tree. BLACKHOLE ATTACK: Takes a set of [1..M] malicious nodes as the input, and successfully launches it. 1. repeat RUSHING (M); until all malicious nodes are selected as forwarding nodes. 2. if (SimulationTime >= 100ms) && (SimulationTime < 200 ms) then else M drops the PKT. if (SimulationTime >= 200ms) then end if; 3. Stop. end if; for i = 1 to n do set energy of M i as 0; end for; Figure 4.4 Pseudo code to introduce the blackhole attack in GMR

8 70 The next section explains the algorithm used for introducing the sybil attack in GMR. 4.5 SYBIL ATTACK IN GMR When the malicious node illegitimately takes on multiple identities, it is a sybil attack (Hai Feng Yu et al 2008). A single node duplicates its ID and presents itself in multiple locations. The node, which presents multiple identities to other nodes in the network, could be the malicious node. A sybil attack has two stages. In the first stage, the node exploits the routing protocol to advertise itself as having a valid route to the destination, even though the route is spurious. In the second stage, the node consumes the intercepted packets for a replay, wormhole or sinkhole attack. The sybil attack is introduced in the GMR protocol. During normal operation, the node advertises its ID and location information to its one hop neighbor by a beacon message. Since there is no authentication in the GMR, the duplicate nodes also participate in multicasting. The COP ratio is calculated. The malicious node M exhibits high energy and minimal distance, as compared to the normal node. It starts the attack from the root of the multicast tree. The GSPS algorithm of the GMR selects node M as a relay node, since it has the best COP ratio. Figure 4.5 is the pseudo code for implementing the sybil attack in the GMR protocol. In the pseudo code given in Figure 4.5, the neighbor node with the best COP ratio is taken as the forwarding node for routing. For instance, node C receives a multicast message from source node S shown in Figure 4.1(b). In Step 2, the node C reads the data header and gets the forwarding node s ID. If it finds its ID, then it starts calculating the COP ratio, using the GSPS algorithm. Node C gets the neighbor s ID list N. Initially, the best distance between node C and all its neighbors is set high (i.e. equal to the radius of the communication range of node C).

9 71 The set of malicious nodes (M) and the normal nodes (N) are combined together and a new set MN is generated as in Step 1. The set of all subsets of N forms a set A. In the subset, each node N i which has the same distance from C is retained in the same subset A i. D is a set of all destinations of the multicast message. Set G is equal to the set of all destinations with the same distance from node C. The GSPS algorithm is executed. For each element of A i, the COP ratio for all the subsets of G is calculated. G i and G j are the subsets of G. Set G i is merged with G j if for any subset of A i, the subsets G i and G j provide a higher improvement in the overall COP ratio. This procedure is repeated for all the subsets of A and G. The resultant set A forms the relay node for the set of destinations D, as shown in Figure 4.6. SYBIL ATTACK: Takes a set of M malicious nodes as the input and successfully launches it. // if the second node creates multiple identities, the nodes would be called as A 20 to A 2t depending on the number of duplicates t. 1. // N = set of normal nodes. // M = set of 10 malicious nodes. N = { A 1, A 2,A 3,A 4..A n } M = {A 20, A 21, A 22, A 23, A 24, A 25, A 26, A 27, A 28, A 29 } MN = N union M A = {set of all subsets of N} G = {set of all destinations with the same distance} 2. [ If GMR neighbor ID list has the ID of the CurrentNode, then, find the best forwarding node from the neighbor list of the CurrentNode] if (GMRNeighborID == CurrentNodeID) then G=get NeighborList(CurrentNode) call GSPS(G); end if; 3. End. Figure 4.5 Pseudo code for the sybil attack in GMR

10 72 Algorithm : GSPS(G) The Greedy Set Partitioning Selection algorithm takes a group of nodes and selects one or more neighbors as relay nodes for a set of destination nodes. [Calculation of COP] 1. G={set of all destinations, each destination set has the same advance} for i=1 to M do TotalProgress + = Progress[i]; end for; COP = M/TotalProgress; 2. [Selection of relay nodes] repeat Best_COP =0; for all pairs of {G i,g j } element of G do G ij = {G i } union {G j }; T = count(g); for i = 1 to t do TotalProgress += Progress[i] end for; Figure 4.6 Greedy set partition selection algorithm

11 73 COP = T / TotalProgress; Min_COP=COP(G K ); if (Min_COP > Best_COP) then Best_COP = Min_COP; Best_Dest={M i,m j }; end if; end for; if (Best_COP>0) then G={G 1,G 2,G 3 G k, G m }; end if; until Best_COP = 0; 3. end; Figure 4.6 (Continued)

12 74 The next section explains the method used for establishing the wormhole attack in GMR. 4.6 WORMHOLE ATTACK IN GMR A wormhole attack (Yih Chun Hu et al 2008) is one of the most sophisticated and severe attacks on the WSN. In this attack, a pair of colluding attackers records packets at one location, and replays them at another location using a private high speed network. An attack launcher situated close to a base station may be able to completely disrupt the routing, by creating a well-placed wormhole. An adversary could convince the nodes that would normally be at multiple hops from a base station, that they are only one or two hops away via the wormhole. In this work, a set of normal sensor nodes are uniformly distributed. Based on the communication range of the normal sensor nodes, all the sensor nodes that are within the immediate communication range are identified, and the neighbor list of each node is constructed. At 10 ms, the 20 malicious nodes with 5 times more than the communication range of the normal nodes, were introduced in the network, and these malicious nodes are distributed using normal distribution and the neighbor list is created. The node with NodeID 5, is the wormhole start point. The number of hops between the start point and end point of the wormhole is set; in this implementation, the value is set as 10. The malicious node situated at a 10 hop distance in the routing path is selected as the end point node of the wormhole. The number of hops between the start point and the end point of the wormhole is varied as 10, 15, 20, and 25 respectively. Whenever the start point node receives a message, it transmits it only to the end point node of the wormhole. The end point starts dropping the packet. The next section explains the simulation environment.

13 SIMULATION ENVIRONMENT The routing attacks have been introduced in GMR using NS-2. The size of the data payload is 512 bytes. This simulation considers 200 sensor nodes. The node with NodeID One is the base station, nodes 2 to 26 are the malicious nodes, and nodes are the normal sensor nodes. Table 4.1 represents the parameters used in the simulation. Table 4.1 Simulation parameters for introducing routing attacks in GMR Examined Protocol GMR Transmission range 250 m Simulator NS-2 Movement model Static Simulation time 250 Seconds Initial energy 5J Simulation area 150 m x 150 m RxPower 1.75 mw Number of sensor nodes 200 TxPower 1.75 mw Number of base station 1 SensePower 1.75 mw Number of malicious nodes 25 IdlePower 0.5 W 4.8 PERFORMANCE ANALYSIS Table 4.2 is the performance of GMR under no attack, and the blackhole, rushing, sybil and wormhole attacks, for 10 malicious nodes with 20 destinations. In Table 4.3, the number of malicious nodes was varied from 5 to 25, and the Packet Delivery Ratio (PDR), Network Throughput (NTh) and Energy Consumption (EC) metrics in the presence of the blackhole, rushing, sybil and wormhole attacks were studied Packet Delivery Ratio The PDR is calculated using Equation (3.1). Table 4.2, represents the packet delivery ratio measured for the GMR protocol in the presence of

14 76 ten malicious nodes. The packet delivery ratio decreases in the presence of the malicious nodes in the network. From Table 4.2, it is seen that the mean packet delivery ratio is 78 % when there is no attack. After the blackhole attack is launched, the mean packet delivery ratio decreases to 63 % because the blackhole node drops packets. In the case of the rushing attack, the mean packet delivery ratio decreases to 68% because of fast message forwarding. Due to the sybil attack, the packet delivery ratio is 72 %, because some of the packets are consumed by the duplicate nodes. In case of the wormhole attack the packet delivery ratio decreases to 66 % because of tunneling. Therefore, the packet delivery ratio is minimised in the presence of attacks Network Throughput The Network Throughput (NTh) is calculated using Equation (4.4). The network throughput is 274 Mbps when there is no attack, as seen in Table 4.2. The malicious agent is launched in the case of the blackhole attack. It starts flooding the data packets to all its neighbors. As a result, the mean throughput is reduced to 267 Mbps. In the presence of the rushing attack, the malicious node, starts dropping packets, and hence, the mean throughput is 268 Mbps. Network Throughput (NTh) = No of packets transmitted / Unit time (4.4)

15 NA- No Attack BA-Blackhole Attack RA-Rushing Attack SA-Sybil Attack WA-wormhole Attack 77

16 78 For the wormhole attack, the mean throughput is 265 Mbps, whereas the sybil attack has the mean throughput of 267 Mbps. At 120 ms the sybil attack has the throughput of 265 Mbps, and 256 Mbps at 150 ms. After that, the throughput regularly decreases and ends with 241 Mbps. In the presence of the wormhole attack, the network throughput is 268 Mbps at 120 ms, and it drops further to 256 Mbps at 150 ms. The attacker starts tunneling the packet from 150 ms. So, the network throughput is highly reduced to 225 Mbps at 210 ms, and ends with 214 Mbps at 240 ms. The network throughput is minimised in the presence of attacks Energy Consumption From Table 4.2 it is seen that the total energy consumption is 200 joules in the case of no attack at 150 ms. At 150 ms after introducing the rushing and blackhole attacks the total energy consumption rises to 270 joules and 300 joules respectively. At the end of the simulation at 240 ms the blackhole attack consumes a total energy of 450 joules and the rushing attack consumes a total energy of 350 joules. Because of the sudden disappearance of the blackhole nodes, the total energy consumption increased to 450 joules. The wormhole attack consumes a total energy of 420 joules at 240 ms. Because of the energy consumption, the battery power of the sensor nodes is drained by the malicious nodes in the presence of the wormhole attack. In the case of the sybil attack, the duplicate nodes start troubling the routing. So, it consumes 75 joules to 350 joules at the end of the simulation. Therefore, the energy consumption is maximized in the presence of attacks.

17 79 Table 4.3 shows the performance of the GMR, when the number of malicious nodes was varied from 5 to 25. From Table 4.3 it is seen that when the number of malicious nodes is 5, in the presence of the sybil and wormhole attacks, the packet delivery ratio is 75 % and 69 %, and for the blackhole and rushing attacks the packet delivery ratio is 66 % and 70 % respectively. When the malicious nodes increase from 5 to 25, the packet delivery ratio of the wormhole drops to 42 %. The sybil attack reduces the packet delivery ratio from 75 % to 46 %, and the blackhole reduces the packet delivery ratio from 66 % to 45 %. The network throughput of the blackhole and wormhole attacks is 269 Mbps and 268 Mbps respectively for 5 malicious nodes. The mean network throughput of the sybil and rushing attacks is 270 Mbps in the presence of 5 malicious nodes. When 25 malicious nodes are introduced in the network, the throughput drops to 196 Mbps for the blackhole attack, 199 Mbps for the wormhole attack, 201 Mbps for the sybil and 218 Mbps for the rushing attack. The mean network throughput of the sybil attack is 238 Mbps, and for the rushing attack the throughput is 251 Mbps. Therefore, the attacks cause more damage in the route discovery of the GMR by minimizing the throughput.

18 NA- No Attack BA- Blackhole Attack RA- Rushing Attack SA-Sybil Attack WA- Wormhole Attack 80

19 MN Malicious Node PDR Packet Delivery Ratio NTh Network Throughput EC Energy Consumption

20 82 The energy consumption by 5 malicious nodes in the presence of the blackhole, rushing, sybil and wormhole attacks are 250 joules, 210 joules, 200 joules and 210 joules respectively. When the malicious nodes are increased from 5-25 nodes, the energy consumed by the blackhole attack is 306 joules, rushing attack 288 joules, 305 joules by the sybil attack and 302 joules by the wormhole attack. From the mean value it is observed, that the blackhole drains the battery power more than the other attacks. The value of queuing delay d 1 was varied from 10 to 100 ms and d 2 from 0 to 75 ms, for varying number of malicious nodes. The mean values for the rushing attack are tabulated in Table 4.4. In Table 4.4, the queuing delay of the normal nodes (d 1 ) is varied as 10, 25 and 100 ms. The queuing delay of the malicious nodes (d 2 ) are 0 and 75 ms. The number of malicious nodes was also varied from 5 to 25. From Table 4.4 it is seen that, as the queuing delay of the malicious nodes varies, the packet delivery ratio and network throughput drops gradually. The energy consumption decreased by small units. Varying the queuing delay degrades the packet delivery ratio and network throughput of the GMR, in the presence of the rushing attack. 4.9 CONCLUSION Blackhole, rushing, sybil and wormhole active attacks have been introduced in GMR. The number of malicious nodes was varied from 5 to 25 in a network of 200 sensor nodes. Performance metrics, such as the packet delivery ratio, network throughput and energy consumption have been studied. The active attacks affect the functioning of the GMR, by minimising the packet delivery ratio and throughput. Also, the attacks maximize the energy consumption, and affect the functioning of the GMR. Therefore, routing need to be secure to prevent the impact of active attacks on the GMR. So, the next chapter uses the TESLA based certificate for secure routing in the GMR, to resist the active routing attacks.