Study of RPL DODAG Version Attacks Anthéa Mayzaud anthea.mayzaud@inria.fr Rémi Badonnel Isabelle Chrisment Anuj Sehgal s.anuj@jacobs-university.de Jürgen Schönwälder IFIP AIMS 2014 Brno, Czech Republik 7/1/2014 A Study of RPL DODAG Version Attacks 1
Motivations Currently, no study of the consequences of these attacks targeting Internet-of-Things (IoT) networks Existing security strategies based on cryptographic operations VeRa, Version Number and Rank Authentication in RPL [1] TRAIL, Topology Authentication in RPL [2] Supporting the creation of a baseline to better develop mitigation strategies Observing attack-related patterns in order to improve counter-measures What is the impact of such an attack in an IoT network and does it make sense to mitigate it? 7/1/2014 A Study of RPL DODAG Version Attacks 2
Background Internet of Things RPL Protocol Outline Analysis of Version Number Attacks Attack Description Experimental Setup Analysis Metrics Impact Evaluation Results Control Packet Overhead Delivery Ratio End-to-end Delay Number of Loops and Inconsistencies Conclusions 7/1/2014 A Study of RPL DODAG Version Attacks 3
Background Internet of Things RPL Protocol Outline Analysis of Version Number Attacks Attack Description Experimental Setup Analysis Metrics Impact Evaluation Results Control Packet Overhead Delivery Ratio End-to-end Delay Number of Loops and Inconsistencies Conclusions 7/1/2014 A Study of RPL DODAG Version Attacks 4
Background Internet of Things Illustration solarfeeds.com Large-scale deployment of connected objects Sensors (wired or wireless) RFID chips Actuators Interactions and cooperations among objects Various application domains Logistics, transport Smart environments E-health 7/1/2014 A Study of RPL DODAG Version Attacks 5
Background LLN Networks and RPL Nodes with strong constraints Energy Memory Processing Lossy links Low throughputs TCP/UDP IPv6 RPL 6LoWPAN 802.15.4 MAC 802.15.4 PHY Existing routing protocols are not appropriate Design of a dedicated stack LLN : Low power and Lossy Network RPL : Routing Protocol for LLNs 7/1/2014 A Study of RPL DODAG Version Attacks 6
Background The Routing Protocol for LLNs (RPL) Protocol description RFC 6550 (March 2012) [3] IPv6-based distance vector protocol Building of specific graphs called DODAG (Destination Oriented Directed Acyclic Graph) 3 ICMPv6 control messages (DIS, DIO, DAO) 2 1 3 Traffic patterns Multipoint-to-point (MP2P) Point-to-multipoint (P2MP) Point-to-point (P2P) 4 5 RPL instance Set of DODAGs Optimized for a given routing objective based on metrics/constraints 8 9 7/1/2014 A Study of RPL DODAG Version Attacks 7
Background RPL DODAG Principle Upward direction Root 1 Downward direction Root: destination node which manages the DODAG graph Upward routes: built with DIO messages to reach the root 2 8 4 3 9 5 Trickle timer: used to define sending frequency of control messages Downward routes: built with DAO messages to reach a node Node rank value: used to indicate node s position with respect to the root ; always increasing in the downward direction Metrics: used to characterize links and select the preferred parent 7/1/2014 A Study of RPL DODAG Version Attacks 8
Background RPL DODAG Principle Upward direction DIO 1 DIO Downward direction Root: destination node which manages the DODAG graph Upward routes: built with DIO messages to reach the root 2 8 4 3 9 5 Trickle timer: used to define sending frequency of control messages Downward routes: built with DAO messages to reach a node Node rank value: used to indicate node s position with respect to the root ; always increasing in the downward direction Metrics: used to characterize links and select the preferred parent 7/1/2014 A Study of RPL DODAG Version Attacks 9
Background RPL DODAG Principle Upward direction DAO 2 DAO 8 1 4 3 9 DAO 5 Downward direction DAO Root: destination node which manages the DODAG graph Upward routes: built with DIO messages to reach the root Trickle timer: used to define sending frequency of control messages Downward routes: built with DAO messages to reach a node Node rank value: used to indicate node s position with respect to the root ; always increasing in the downward direction Metrics: used to characterize links and select the preferred parent 7/1/2014 A Study of RPL DODAG Version Attacks 10
Background RPL DODAG Principle Root Root: destination node which manages the DODAG graph 1 Upward routes: built with DIO messages to reach the root 2 3 Rank = 2 Trickle timer: used to define sending frequency of control messages Rank = 3 8 4 9 5 Rank = 4 Downward routes: built with DAO messages to reach a node Node rank value: used to indicate node s position with respect to the root ; always increasing in the downward direction Metrics: used to characterize links and select the preferred parent 7/1/2014 A Study of RPL DODAG Version Attacks 11
Background RPL DODAG Principle Root Root: destination node which manages the DODAG graph 1 Upward routes: built with DIO messages to reach the root 2 3 Rank = 2 Trickle timer: used to define sending frequency of control messages Rank = 3 8 4 9 5 Rank = 4 Downward routes: built with DAO messages to reach a node Node rank value: used to indicate node s position with respect to the root ; always increasing in the downward direction Metrics: used to characterize links and select the preferred parent 7/1/2014 A Study of RPL DODAG Version Attacks 12
Background Other RPL Mechanisms Datapath Validation [4] Data control mechanism used to detect loops Flags in the Hop-by-Hop option header O flag used to track packet direction R flag used to track rank error (mismatch between O flag and current direction of a packet) Version Number Version of a DODAG graph DIO field supposed to remain unchanged by the other nodes Only incremented by the root Used to rebuild the DODAG (global repair) 7 2 5 1 3 8 6 4 9 Available link Link in Version N Link in Version N+1 10 7/1/2014 A Study of RPL DODAG Version Attacks 13
Background Internet of Things RPL Protocol Outline Analysis of Version Number Attacks Attack Description Experimental Setup Analysis Metrics Impact Evaluation Results Control Packet Overhead Delivery Ratio End-to-end Delay Number of Loops and Inconsistencies Conclusions 7/1/2014 A Study of RPL DODAG Version Attacks 14
Analysis of Version Number Attacks Attack Description Increment of the version number by an attacker 1 5 9 13 17 Propagation of the malicious version number Direct consequences Unnecessary rebuilding Control message overhead Loops generation 2 3 6 7 10 11 14 15 18 19 Indirect consequences Impact on energy reserves Data packets loss Channel availability 4 8 12 Available link 16 20 7/1/2014 A Study of RPL DODAG Version Attacks 15
Analysis of Version Number Attacks Experimental Setup Grid topology of 20 nodes Node 1 is the DODAG root Relocation of the attacker to multiple positions Simulations based on Cooja (Contiki 2.6) 1 simulation without attacker as a baseline Duration of 50 min. 5 times each scenario Attacks start after 5 min. 1 2 3 4 5 9 13 17 6 10 14 18 7 8 11 12 15 16 19 20 Available link Attack Message 7/1/2014 A Study of RPL DODAG Version Attacks 16
Analysis of Version Number Attacks Analysis Metrics Control packet overhead Total number of RPL control packets (DIS, DIO, DAO) transmitted and received Delivery ratio Number of data packets successfully delivered to the sink compared to the number of data packets generated by all nodes Average end-to-end delay Average time spent for all packets from all nodes to be successfully delivered Number of inconsistencies Number of packets when a mismatch between the O flag and the actual direction is detected Number of loops Number of packets when an inconsistency is detected with the R flag 7/1/2014 A Study of RPL DODAG Version Attacks 17
Background Internet of Things RPL Protocol Outline Analysis of Version Number Attacks Attack description Experimental Setup Analysis Metrics Impact Evaluation Results Control Packet Overhead Delivery Ratio End-to-end Delay Number of Loops and Inconsistencies Conclusions 7/1/2014 A Study of RPL DODAG Version Attacks 18
Impact Evaluation Results Control Packet Overhead 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 4 8 12 16 20 Overhead for every node 1250 control pkts without attacker Up to 18 times in the worst case Per column: maximum for the nodes in the bottom row (4, 8, 12, 16, 20) Similar results for positions 2 and 5 which are minimums Not only the number of neighbors, but also the distance from the root impacts the overhead. 7/1/2014 A Study of RPL DODAG Version Attacks 19
Impact Evaluation Results Per Node Outgoing Packet Overhead 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 4 8 12 16 20 Overhead not only localized at the neighborhood of the attacker Not only the attacker neighborhood is impacted, but also the entire network. 7/1/2014 A Study of RPL DODAG Version Attacks 20
Impact Evaluation Results Delivery Ratio Reduced by up to 30% Similar pattern than packets overhead Strong correlation between path length and effects on the DR The farther the attacker from the root, the worse the delivery ratio. 7/1/2014 A Study of RPL DODAG Version Attacks 21
Impact Evaluation Results Average end-to-end delay Almost doubled High variation in the results No strong correlation between location of the attacker and the delay. 7/1/2014 A Study of RPL DODAG Version Attacks 22
Impact Evaluation Results Loops and Inconsistencies 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 4 8 12 16 20 Same pattern Greater distance from root, lesser inconsistencies Proximity to the root and most number of neighbors, highest number of loops Larger number of neighbors and attacker proximity to root lead to higher number of loops and inconsistencies. 7/1/2014 A Study of RPL DODAG Version Attacks 23
Impact Evaluaiton Results Inconsistencies per Node 1 5 9 13 17 2 6 10 14 18 3 7 11 15 19 4 8 12 16 20 Inconsistencies mostly located around the attacker Majority of inconsistencies is detected by parents of the attacker and also by its children. 7/1/2014 A Study of RPL DODAG Version Attacks 24
Background Internet of Things RPL Protocol Outline Analysis of Version Number Attacks Attack Description Experimental Setup Analysis Metrics Impact Evaluation Results Control Packet Overhead Delivery Ratio End-to-end Delay Number of Loops and Inconsistencies Conclusions 7/1/2014 A Study of RPL DODAG Version Attacks 25
Conclusions and Future Work Study of the impact of version number attacks within RPL networks Increase of control packets overhead by up to 18 times Decrease of delivery ratio by up to 30% End-to-end delay nearly doubled Strong correlation between the position of the attacker and the observed effects RPL network lifetime can be drastically shorten Perspectives Extension to more complex topologies Evaluation of existing solutions based on observed baseline Development of lightweight mitigation strategies based on identified attack patterns 7/1/2014 A Study of RPL DODAG Version Attacks 26
References [1] Dvir et al., VeRa Version Number and Rank Authentication in RPL, in Proc. of the IEEE 8th International Conference on Mobile Adhoc and Sensor Systems (MASS), 2011, Hangzou, China. [2] Perrey, H. et al., TRAIL: Topology Authentication in RPL, in CoRR, 2011. [3] Winter, T. et al., RPL, IPv6 Routing Protocol for Low-Power and Lossy Networks. IETF RFC 6550 (March 2012). [4] Hui, J. and Vasseur, J., The Routing Protocol for Low-Power and Lossy Networks (RPL) Option for Carrying RPL Information in Data-Plane Datagrams. IETF RFC 6553 (March 2012). [5] Contiki project: http://www.contiki-os.org [6] Tsao, T. et al., A Security Threat Analysis for Routing Protocol for Low-power and Lossy Networks (RPL). IETF Internet Draft (December 2013). 7/1/2014 A Study of RPL DODAG Version Attacks 27
Thank you for your attention! Questions? 7/1/2014 A Study of RPL DODAG Version Attacks 28