Evaluation of Rushing Attack on Secured Message Transmission (SMT/SRP) protocol for Mobile Ad-Hoc Networks


Anil Rawat, Head, Computer Centre, Centre for Advanced Technology, Government of India, Indore - 452 013, INDIA. Ph. +91 731 2488936, Fax +91 731 2488988, rawat@cat.ernet.in
P. D. Vyavahare, Professor and Head, Dept. of Elx. & Telecom., Shri G.S. Inst. of Tech. & Sci., Indore - 452 001, INDIA. vyavahare@cat.ernet.in
A. K. Ramani, Professor, School of Computer Science, Devi Ahilya Vishwavidyalaya, Indore - 452 017, INDIA. ramani.iips@dauniv.ac.in
ABSTRACT
Mobile Ad-hoc NETworks (MANET) consist of mobile platforms, which are free to move arbitrarily. These platforms could be routers with multiple hosts, wireless communication devices etc. A MANET is an autonomous system of mobile nodes and its major characteristics include dynamic topology, limited and varying link bandwidths, energy constrained operation and limited physical security [1].
The communication in mobile ad-hoc networks comprises two phases, the route discovery and the data transmission. In a hostile environment, adversarial nodes can try to disrupt communication in both phases. To ensure comprehensive security, both phases of MANET communication should be safeguarded.
Many protocols have been devised to meet the routing needs of MANETs. Attempts have been made to develop peer-to-peer mobile routing capability in a purely mobile wireless domain, overcoming the one-hop limitation of fixed network protocols. There are two broad categories of MANET protocol operation, namely demand-based (reactive) operation and table driven (proactive) operation. It has been shown that on-demand protocols have lower overheads and are better suited for most applications [2].
Whenever a route is to be discovered, the source node initiates a route discovery process within the network. This process is completed when either a route is found or all possible permutations have been examined. Once a route is discovered, it is maintained by some form of route maintenance procedure until either the route is lost or is no longer desired. Some examples of routing protocols are DSR, SAODV etc. [2].
Physical security in MANET setups is very limited and the possibility of spoofing, replay transmission, header modification etc. always exists. Link level security using encryption does reduce the threats, but the most pressing issue remains inter-router authentication prior to the exchange of network control information. MANET routing protocols have been enhanced to address these security needs.
Hu, Perrig and Johnson presented a new type of attack and named it the Rushing Attack [3]. It prevents discovery of routes beyond two hops by all the previously published protocols. They have also presented Rushing Attack Prevention (RAP), a generic secure Route Discovery component, which can be applied to any on-demand Route Discovery mechanism against the rushing attack.
The Rushing Attack is effectively a denial of service attack against all currently proposed on-demand ad-hoc network routing protocols, including the ones that are secured. In on-demand routing protocols the ROUTE REQUEST packet floods the network in an attempt to find a route to the destination. To limit the flood, the nodes forward only one ROUTE REQUEST and typically only the first arriving packet is forwarded. This weakness is exploited by the Rushing Attack and it results in denial of service for any route containing at least two hops (three nodes).
In another attempt, Papadimitratos and Haas argued in a paper [4] that any node in a MANET can maliciously or selfishly disrupt and deny communication of other nodes. They have presented the Secured Message Transmission (SMT) protocol, which safeguards the data transmission against arbitrary malicious behavior of network nodes. SMT uses the Secured Routing Protocol (SRP) in the route discovery phase.
It is proposed to analyze the outcome of the Rushing Attack on SMT/SRP and also to evaluate the relevance of the various variants of the rushing attack as applicable to SMT/SRP. The paper first discusses the functioning of the SRP protocol, describes the various variants of the rushing attack and then analyses the behavior of SRP under rushing attack conditions. The paper finally concludes on the relevance of the rushing attack vis-à-vis SRP.
OVERVIEW OF MANET
What are MANETS?
A mobile ad hoc network is a collection of autonomous mobile nodes that communicate with each other over wireless links. Without using any infrastructure such as access points or base stations, mobile nodes cooperate to form a network, in multi-hop wireless ad hoc networks. Such networks are expected to play an increasingly important role in future civilian and military settings, being useful for providing communication support where no fixed infrastructure exists or the deployment of a fixed infrastructure is not economically profitable and movement of communicating parties is possible. However, since there is no stationary infrastructure such as base stations, mobile hosts need to operate as routers in order to maintain the information about the network connectivity.
0-7803-8964-6/05/$20.00 ©2005 IEEE ICPWC'2005
A number of routing protocols have been proposed for ad hoc wireless networks. Attempts have also been made to evaluate the performance and reaction of various protocols against a variety of attacks. One such protocol, which is discussed in this paper, is Secured Message Transmission (SMT) / Secured Routing Protocol (SRP). SMT deals only with the data transmission phase of MANET communication, while it relies on SRP for the first phase, route discovery.
Vulnerability in MANET operation
The topology of a MANET is not known in advance and is also dynamic because of its inherent properties. Finding a route from Source to Destination always precedes the data transmission phase. Both these phases are to be safeguarded against malicious attacks for secured communication in a MANET.
Route discovery can be disrupted by an attacker impersonating the destination, responding with stale or corrupted routing information, or disseminating forged control traffic. This way the attacker can block legitimate route traffic and deprive benign nodes of topological information.
The attacker can also disrupt the data transmission phase by fraudulently redirecting or even dropping traffic or injecting forged data packets.
Type of routing protocols for MANET
There are a variety of protocols proposed for MANET routing; broadly they can be divided into two categories:
Table Driven / Proactive Routing Protocols
On-Demand / Reactive Routing Protocols
Networks using table driven protocols attempt to maintain consistent, up-to-date routing information from each node to every other node in the network. A consistent network view is maintained in the form of one or more tables, which store the routing information. These tables are updated with changes in network topology by propagating updates throughout the network. Protocols differ in the way changes in the network are broadcast and the number of tables used to maintain the routing information. Some of the table driven routing protocols are DSDV, OLSR, WRP etc.
The on-demand category of protocols depends on source-initiated route discovery. Routes are created only when the source demands a route. The route discovery phase is instantiated when a source desires a route to a destination. The route is maintained as long as it is desired or is available. Some of the popular on-demand routing protocols are AODV, SAODV, SRP, DSR etc.
ATTACKS ON MANET
Because of the peculiar architecture of ad-hoc networks, they are more vulnerable to attacks than wired networks. These attacks can be of two kinds: passive attacks and active attacks. Passive attacks aim at discovering valuable information by listening to the traffic, while active attacks try to disrupt the operation of the MANET protocols. The emphasis here is on active attacks, which exploit the clear text methodology employed for route discovery by the on-demand protocols. A good protocol should be able to safeguard the network, particularly in the route discovery phase, from malicious nodes. Various types of attacks are briefly described in the following subsections:
Attacks modifying route request packets
In this type of attack an attacker announces itself as having shorter routes to the destination. The shorter route can be indicated either by the number of hops or by announcing a better route metric in the reply packets of the route discovery phase to the sender.
Similarly an intruder can become a part of the route and start discarding the traffic received from the sender, mounting a DOS (Denial of Service) attack.
Attacks using spoofing techniques
The attacker can simply start spoofing valid IP addresses and isolate nodes from the remainder of the network. This vulnerability is easily exploitable in the AODV and DSR protocols.
Attacks using fabrication
The attacker can intentionally float error messages on the network, thus falsifying the existence of valid routes. A replay attack could be mounted by an attacker by advertising stale routes, and the attacker can even advertise a zero metric for all destinations, causing all nodes to route packets to it and thus creating a black hole.
Attention is drawn here to another attack, named the Rushing Attack, which can be categorized as a denial of service attack. Currently proposed on-demand protocols flood the network with Route Request packets in an attempt to find a route to the destination. Each protocol typically forwards only one Route Request, the one which arrives first at the node. If a route request from an attacker arrives first at each neighbor of the target (destination), it will be forwarded first and subsequent requests will be discarded. Legitimate non-attacking requests arriving later will not be forwarded by the nodes. As a result the initiator will not be able to discover any route to the destination containing at least two hops (three nodes). In subsequent sections we will describe variants of this type of attack in more detail.
THE SECURED ROUTING PROTOCOL (SRP)
SRP is a part of the SMT (Secured Message Transmission) protocol proposed by Papadimitratos and Haas and is used for the route discovery phase of the SMT/SRP suite. It is designed as an extension header to the ROUTE REQUEST and ROUTE REPLY packets used by all on-demand routing protocols for mobile ad-hoc networks in the route discovery phase. SRP assumes a security association between the two communicating nodes (K_S,T in the case of S and T as the source and destination nodes). The following steps describe the functioning of the protocol:
The source initiates a route discovery by constructing a ROUTE REQUEST packet identified by a query sequence number and a random query identifier (generated randomly for each route request query initiated by the source). The query sequence number is monotonically incremented for each route request initiated by the source for the destination; four billion such numbers are possible and it is reset when the SA is established between two authenticated nodes that wish to communicate.
The source (S), destination (T) and query identifier are used to compute a MAC, which forms a part of the SRP header. The IDs of the intermediate traversed nodes get accumulated in the route request packet as the ROUTE REQUEST is relayed.
Intermediate nodes discard previously seen route requests; this is ascertained by the query identifier (generated randomly by the source for each query sequence number), which is extracted from the SRP header. Intermediate nodes also measure the frequency of queries received from each neighbor to regulate query propagation. Highest priority is given to nodes generating requests at the lowest rates and lowest priority to nodes generating queries at higher rates.
Malicious nodes cannot fabricate requests, since the query identifier is used while computing the MAC and the identifiers are randomly generated.
The MAC computation excludes the fields in the ROUTE REQUEST which are updated as the packet propagates to the destination, and it also does not include the mutable fields of the IP header.
The destination validates the route request packet for its origin from a node with which it has a security binding. The query sequence number Qreq is compared with the maximum sequence number received from S within the lifetime of the SA, and if Qreq is less than or equal to that maximum, the request is discarded. If accepted, the keyed hash of the request fields is matched against the MAC stored in the SRP header and authenticity is verified. The destination may receive multiple ROUTE REQUEST query packets.
The destination node constructs a route reply by placing in it the accumulated route, the query identifier and the query sequence number, computes a MAC covering the route reply contents and returns the packet to S. The source may receive multiple replies.
S checks the source and destination addresses, the query identifier and the query sequence number, and discards the reply if it does not match any pending request. S then compares the reply's IP source-route with the reverse of the route carried in the reply payload; if the two match, S calculates the MAC using the replied route, the SRP header and K_S,T and compares it with the received MAC; if they match, the validation is complete.
S validates replies and updates its topology view; multiple routes from source to destination may be obtained by S, which in turn are used by SMT (Secured Message Transmission) in the data transmission phase.
INRT functioning
Route caching is generally not encouraged and intermediate nodes are not required to give route replies. But route caching can improve the effectiveness of the route discovery process; for example, if an intermediate node V has an active route to T and an SA exists between S and V, V can reply to S. This extension is enabled by the Intermediate Node Reply Token (INRT).
Route Maintenance
Route maintenance has been proposed by the authors of SRP/SMT, but is not evaluated here, since the attempt has been made only to evaluate the rushing attack against SRP and not to ascertain the full functionality of SRP. This paper only attempts to ascertain route discovery under rushing attack conditions.
THE RUSHING ATTACK
The rushing attack is a type of denial-of-service attack. The authors, Hu, Perrig and Johnson, in their paper on the Rushing Attack [3] have based their proposal on the presumption that all on-demand routing protocols share the property of forwarding only the first request for each route discovery query. This 'vulnerability' of the on-demand routing protocols is exploited to mount the rushing attack.
The source initiates a Route Discovery for the destination, and if the attacker is able to reach the neighbor of the target first, before arrival of the legitimate ROUTE REQUEST, the attacker can force a route through itself, or can prevent the discovery of routes from source to destination needing a minimum of two hops, i.e. having at least one intermediate node.
The authors have further introduced the following four variants of the rushing attack:
Flooding of fabricated ROUTE REQUEST queries
In another scenario, an attacker can flood a node with fabricated route requests and delay the forwarding of the legitimate route requests. Protocols using public key authentication are susceptible to such attacks, since they require substantial computation time for validation.
Enforcing collision
In a dense network, if a destination is two hops away from the source and there are two common neighboring nodes to the source and destination, the route request packets may collide and thus prevent route discovery. This attack can be mounted by an attacker if it colludes with one of the two neighboring nodes of the destination. Further, in a dense network collision of ROUTE REQUEST packets can prevent discovery of routes except for the direct link from source to destination, which makes the condition more severe than the rushing attack itself.
Packet transmission at higher power
An attacker can achieve faster transit by transmitting at higher power, thus bypassing intermediate nodes. This could result in a reduced number of hops and can give a latency advantage to the attacker in mounting an attack.
Wormhole attack
The wormhole attack is yet another variant of the rushing attack, for which an attacker can use a pair of two nodes (possibly wired) to provide a tunnel between the source and destination. In such a case the nodes near the attacker will not be able to discover routes, since the transit time through wireless nodes will be more than the transit time through the wired nodes.
Consider the following example topology to understand how SRP safeguards the route discovery phase of SMT/SRP based communication:
Figure 1: Example MANET topology (diagram not reproduced in this text; it shows the source S, the destination T, intermediate nodes including nodes 3 and 6, the neighbors of T, and the malicious nodes M1 and M2)
In the above example topology, S is the source node requesting a route to the destination node T. The links represent the reach of the mobile nodes' transmission range. M1 and M2 are two malicious nodes.
RUSHING ATTACK VIS-À-VIS SRP
In the Rushing Attack the attacker tries to rush ROUTE REQUEST query packets to the neighboring nodes nearest to the destination (nodes 3 and 6 in the example topology, the neighbors of node T), and if these packets are the first to reach the neighbors, the neighboring nodes will discard subsequent ROUTE REQUEST query packets and thus the route discovery phase will fail to find a valid route. The following features of SRP enable the protocol to thwart the rushing attack conditions by which an attacker can try to disrupt route discovery by SRP:
Inability to fabricate fake ROUTE REQUEST packets
The attacker cannot fabricate any false ROUTE REQUEST query packets and attempt to flood the network with such packets. The random query number cannot be predicted and hence malicious nodes cannot generate false ROUTE REQUEST packets. These packets will be dropped by the destination while verifying the MAC. The basic type of Rushing Attack, resulting in Denial-Of-Service by providing the neighboring node with a false ROUTE REQUEST before arrival of the valid ROUTE REQUEST packet, cannot be achieved by the attacker and no valid entry in the query table of the intermediate nodes can be made. The nodes will be able to forward the legitimate ROUTE REQUEST packets, since no entry in the query table can be made in advance.
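As an added illustration, not code from this paper or from the SRP authors, the following Python model carries the ROUTE REQUEST / ROUTE REPLY checks listed under THE SECURED ROUTING PROTOCOL through the scenario just described on the Figure 1 topology: a forged request from M1 is relayed by node 3 but rejected by T's MAC check, the legitimate request with its own random query identifier is still relayed, and a later copy of an already accepted request fails T's sequence-number freshness check. HMAC-SHA256 as the keyed hash, the dictionary packet layout and the key K_ST are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed shared key K_S,T for the security association between S and T.
K_ST = b"constructed-demo-key-for-S-and-T"

def mac(key, *fields):
    # Keyed hash over the fields that stay fixed in transit (HMAC-SHA256 assumed).
    return hmac.new(key, "|".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

def make_request(src, dst, qseq, key, qid=None):
    # Source builds a ROUTE REQUEST: monotonic Qseq, random Qid, MAC over the
    # immutable fields; the accumulated route is excluded from the MAC.
    qid = secrets.randbits(32) if qid is None else qid
    return {"src": src, "dst": dst, "qseq": qseq, "qid": qid, "route": [],
            "mac": mac(key, src, dst, qseq, qid)}

def relay(node, seen, req):
    # Intermediate node: drop a request whose (src, dst, Qid) was already seen,
    # otherwise record it, append its own id to the route and relay the copy.
    tag = (req["src"], req["dst"], req["qid"])
    if tag in seen:
        return None
    seen.add(tag)
    return dict(req, route=req["route"] + [node])

def dest_accept(max_seq, req, key):
    # Destination: reject a stale or replayed Qseq, then verify the MAC with K_S,T.
    if req["qseq"] <= max_seq.get(req["src"], 0):
        return False
    expected = mac(key, req["src"], req["dst"], req["qseq"], req["qid"])
    if not hmac.compare_digest(req["mac"], expected):
        return False
    max_seq[req["src"]] = req["qseq"]
    return True

def make_reply(req, key):
    # Destination answers with the accumulated route, Qid, Qseq and a MAC over them.
    route = [req["src"]] + req["route"] + [req["dst"]]
    return {"src": req["src"], "dst": req["dst"], "qseq": req["qseq"],
            "qid": req["qid"], "route": route,
            "mac": mac(key, req["src"], req["dst"], req["qseq"], req["qid"], route)}

def source_accept(pending, reply, ip_source_route, key):
    # Source: match a pending query, check the IP source route is the reverse
    # of the carried route, then verify the reply MAC.
    if (reply["qseq"], reply["qid"]) not in pending:
        return False
    if ip_source_route != list(reversed(reply["route"])):
        return False
    expected = mac(key, reply["src"], reply["dst"], reply["qseq"], reply["qid"], reply["route"])
    return hmac.compare_digest(reply["mac"], expected)

def simulate():
    # Constructed scenario on the Figure 1 topology: S reaches T through node 3.
    # M1 holds no K_S,T and rushes a forged request to node 3 ahead of S.
    seen3, max_seq, r = set(), {}, {}
    forged = relay(3, seen3, make_request("S", "T", 7, b"attacker-guess", qid=123))
    r["forged_at_T"] = dest_accept(max_seq, forged, K_ST)        # MAC check fails
    legit = make_request("S", "T", 7, K_ST)
    pending = {(legit["qseq"], legit["qid"])}
    relayed = relay(3, seen3, legit)                               # fresh Qid, not deduplicated
    r["legit_relayed"] = relayed is not None
    r["legit_at_T"] = dest_accept(max_seq, relayed, K_ST)
    r["dup_dropped"] = relay(3, seen3, legit) is None              # second copy discarded
    r["reply_ok"] = source_accept(pending, make_reply(relayed, K_ST), ["T", 3, "S"], K_ST)
    r["replay_dropped"] = not dest_accept(max_seq, relayed, K_ST)  # Qseq no longer fresh
    return r
```

Node 3 relays the forged packet because intermediate nodes hold no K_S,T to check; the model shows where in the exchange the page's checks actually bite.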
Prevention against flooding of false request packets
Also, a malicious node may try to flood the network with false ROUTE REQUEST packets in an attempt to overload the intermediate nodes and thus force a delay in their forwarding of the valid ROUTE REQUEST packets. These packets will be dropped by the intermediate nodes while employing the traffic regulation mechanism of SRP. The traffic regulation is based on frequency dependent packet acceptance from neighboring nodes, and least priority is given to packets received at higher frequency from a node.
Prevention against collision
The time lag enforced by the protocol between the receipt of the ROUTE REQUEST packet and its relay to the neighbor nodes will prevent collision with a similar relay by a malicious node. It is not possible for a malicious node to achieve perfect timing for its relay. Of course, in a densely populated network, collision can disrupt any on-demand routing protocol.
Prevention against transmission at higher power
If intermediate nodes start transmitting at higher power in an attempt to bypass some intermediate nodes, the protocol will not fail to discover valid routes. The protocol does not prevent discovery of multiple routes, which anyway will be found by the flow of ROUTE REQUEST query packets through the bypassed nodes. Also, the receiver of these high power transmitted packets will not be able to transmit the ROUTE REPLY packets at higher power, and thus the ROUTE REPLY packets will be dropped by the intermediate nodes.
Prevention against wormhole attack using colluding nodes
The colluding nodes (say M1 and M2), forming a tunnel between them to forward all packets at one end to the other end, will only provide one such route to the source, while other routes will be discovered by SRP by its usual process. Application of SMT on top of SRP further mitigates the impact of an attack mounted by colluding nodes. Thus the wormhole attack variant of the rushing attack can be tackled by SRP.
CONCLUSIONS
SRP/SMT has been proposed and described by its authors in their work, and they have also discussed various scenarios in which an attacker can attempt to disrupt the route discovery process. The authors of the work proposing the Rushing Attack have dwelled upon various variants of the Rushing Attack in addition to the basic DOS attack exploiting the first-request-only relay property of on-demand routing protocols.
This paper analyzes the various ways and techniques applied by SRP for defense against such attacks. It has been found that the Rushing Attack cannot disrupt the route discovery phase of SRP as is claimed in the paper proposing the rushing attack [3].
The possibility of enhancing SRP to safeguard against some special conditions exists and leaves some questions to be answered. For example, if an intermediate node could maintain some additional information in the route table and forward a ROUTE REQUEST for an already forwarded request through an alternate path, this could help in finding more valid routes. This may necessitate maintenance of additional information by each intermediate node about the topology view of its neighboring nodes.
Only under the special circumstance of a malicious node being the only neighbor of the destination could the Rushing Attack result in disruption of the route discovery phase of the protocol, and this needs to be addressed. Not much has been discussed by the authors of the various protocols about the behavior of the protocol if no route is discovered.
In this paper, an attempt has been made to evaluate the possibility of Denial of Service using the Rushing Attack on SRP, which has been found to be ineffective; SRP can withstand the rushing attack.
REFERENCES
[1] S. Corson and J. Macker, Mobile Ad hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations, Request for Comments 2501 (RFC) of the Internet Engineering Task Force (IETF), January 1999.
[2] Elizabeth Royer and C-K Toh, A Review of Current Routing Protocols for Ad-Hoc Mobile Wireless Networks, IEEE Personal Communications Magazine, pp. 46-55, April 1999.
[3] Yih-Chun Hu, Adrian Perrig and David B. Johnson, Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols, Proceedings of the 2003 ACM Workshop on Wireless Security, San Diego, CA, USA, pp. 30-40, September 2003.
[4] P. Papadimitratos and Z. J. Haas, Secure Message Transmission in Mobile Ad Hoc Networks, Elsevier Ad Hoc Networks Journal, vol. 1, no. 1, July 2003.