Attacksonmobileadhocnetworks 120420092725-phpapp01

21
RUHR -U NIVERSITÄT B OCHUM A RBEITSGRUPPE I NTEGRIERTE I NFORMATIONSSYSTEME S EMINARARBEIT Attacks on Mobile Ad hoc Netwoks Zdravko Danailov

Transcript of Attacksonmobileadhocnetworks 120420092725-phpapp01

Page 1: Attacksonmobileadhocnetworks 120420092725-phpapp01

RUHR-UNIVERSITÄT BOCHUM

ARBEITSGRUPPEINTEGRIERTE INFORMATIONSSYSTEME

SEMINARARBEIT

Attacks on Mobile Ad hoc Netwoks

Zdravko Danailov

Page 2: Attacksonmobileadhocnetworks 120420092725-phpapp01

i

Abstract

Because of the designation of the mobile ad hoc networks (MANet), namely to build up a dynamicwireless network, which has no antecedent and strictly defined infrastructure, within areas withlimited or no available organized infrastructure, is possible for two types of parties to participatein MANet - authentic network users as well as malicious attackers. This fact certainly arises thequestion about the security. In this paperwork we pay attention to the common attacks withinMANet, which differ in their essence such as Blackhole attack, Flooding attack, jamming, Worm-hole attack, traffic monitoring and analysis, DoS etc. and what can be done as countermeasuresagainst them.

Page 3: Attacksonmobileadhocnetworks 120420092725-phpapp01

Contents ii

Contents

1 Introduction 1

2 Preliminaries 22.1 MANet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.2 Security layers in MANet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3 Attacks on MANet 73.1 Attacks on MANet physical layer . . . . . . . . . . . . . . . . . . . . . . . . . . . 73.2 Attacks on MANet data link layer . . . . . . . . . . . . . . . . . . . . . . . . . . 83.3 Attacks on MANet network layer . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

3.3.1 Flooding attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.3.2 Blackhole attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93.3.3 Link Spoofing Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.3.4 Wormhole attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

3.4 Attacks on MANet transport layer . . . . . . . . . . . . . . . . . . . . . . . . . . 123.5 Multi-layer attacks on MANet . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

4 Conclusion 15

Page 4: Attacksonmobileadhocnetworks 120420092725-phpapp01

List of Figures iii

List of Figures

2.1 Structure of MANet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22.2 Single-Hop Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.3 Multi-Hop Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32.4 Common Infrastructure of MANet . . . . . . . . . . . . . . . . . . . . . . . . . . 42.5 Hybrid Infrastructure within MANet . . . . . . . . . . . . . . . . . . . . . . . . . 5

3.1 Jamming/Interception . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73.2 Processing of Data Signal by DSSS . . . . . . . . . . . . . . . . . . . . . . . . . 83.3 Blackhole Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103.4 Link Spoofing Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113.5 Wormhole Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123.6 TCP Handshake . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Page 5: Attacksonmobileadhocnetworks 120420092725-phpapp01

List of Figures iv

List of Abbreviations

AODV Ad hoc On-demand Distance Vector

CTS Clear To Send

DoS Denial of Service

DSSS Direct Sequence Spread Spectrum

e.g. for example

FHSS Frequency Hopping Spread Spectrum

GSM Global System for Mobile Communications

i.e. id est

LAN Local Area Network

MANet Mobile Ad hoc Network

MIMA Man-in-the-middle Attack

MPR Multipoint Relay

OLSR Optimized Link State Routing

OSI Open System Interconnection

PDA Personal Digital Assistant

RREP Route Reply

RREQ Route Request

RTS Request To Send

SSL Secure Socket Layer

TCB Transmission Control Block

TCP Transmission Control Protocol

TLS Transport Layer Security

Page 6: Attacksonmobileadhocnetworks 120420092725-phpapp01

1 Introduction 1

1 Introduction

In a world of fast developing technologies and internet network, accessible for everyone, wherethere are no clear boundaries between the functionality of the "gadgets" and the possibility to com-municate is not an option but necessity, the mobile ad hoc networks (MANet) play significant role.As a dynamic network, which has no antecedent and strictly defined infrastructure (e.g. WirelessAccess Points), MANet makes possible the connection between different types of mediums with-out any additional infrastructure e.g. mobile phones, laptops, personal digital assistants (PDAs),tablets, iPads etc.. Its assembly and configuration costs nothing because every single participantcan play the role of a router, so no preparation or build-up of an infrastructure is needed. In otherwords MANet is a self-configuring and self-organizing network. For these reasons a certain levelof security cannot be established within the network. In this paperwork we will pay attention tothe structure of MANet and the specific security levels within the network. For the better under-standing of the infrastructure of MANet we will make also a comparison to the standard wirelessnetworks. As we present the assembly and the configuration, we will show the vulnerabilities ofthe network and the different types of attacks, which are common for MANet and what can bedone as countermeasures against them.In order to examine the structure and security within MANet, presenting some of the attacks, whichare typical for the network, the structure of this paperwork is build-up as it follows. Chapter 2 fo-cuses on the theoretical fundamentals of the MANet infrastructure and presents some differencesin comparison to the standard WLANs. It also pays attention to the specific security network lay-ers, which can be applied to this network. Prior to introducing the common attacks within MANet,the different types of attacks will be classified in order to make clear, which attack against whichlevel of MANet security can be used. An analysis of the well-known attacks against MANet willbe performed in chapter 3, as well as countermeasures, which can strengthen up the security levelof the network. Chapter 4 will conclude with a summary on the MANet infrastructure and a crit-ical view on the security level of the network, which have already been examined in detail in thispaperwork. Before we start with the examination of the existing attacks against MANet, we willmake clear some of the basic terms which are used in this paper.

Page 7: Attacksonmobileadhocnetworks 120420092725-phpapp01

2 Preliminaries 2

2 Preliminaries

2.1 MANet

What is MANet? A mobile ad hoc network (Figure 2.1) is a dynamic self-configuring wirelessnetwork of mobile devices (nodes), in which every single node can act as router. This router canpossess multiple hosts and wireless devices. The nodes are free to move about arbitrarily [7],but they can interact with each other though there is no strictly defined structure or centralizedadministration, using wireless connections [5]. Moreover they can connect via different typesof wireless connections (e.g. standard Wi-Fi connection, cellular or satellite transmissions) tovarious networks [1]. This collection of mobile nodes "may operate in isolation, or may havegateways to and interface with a fixed network."[7] Because of its properties, MANet finds verygood application within areas, where it is not possible or expensive and completely unprofitable tobuild up a predefined, fixed infrastructure.

Figure 2.1: Structure of MANet

Regarding the way of communication between two nodes within wireless networks, there aretwo types applicable to MANet - single-hop and multiple-hop network. By single-hop network(Figure 2.2), two nodes are in direct transmission range or more exactly they can interact with oneanother directly, without a forwarding of the communication transfer over a third node [4].

Page 8: Attacksonmobileadhocnetworks 120420092725-phpapp01

2.1 MANet 3

Figure 2.2: Single-Hop Networks

In this specific structure, base station plays a significant role. It is involved in the communicationwith every mobile node, by taking care of the channel assignment for RTS (Request To Send) andCTS (Clear To Send) packets. Within the single-hop networks usually are reused 7 frequencies, asthe neighboring cells are using different frequencies.

Figure 2.3: Multi-Hop Networks

By multi-hop network (Figure 2.3), the communication transfer between two nodes is forwardedover a third node [4]. As in the both figures ( 2.3, 2.2) is shown, there can exist base stations withinthe network, but as already mentioned above they are not typical for MANet infrastructure (e.g.standard wireless networks possess base stations or access points and the participants communicatewith one another, using this predefined infrastructure). In order to show what is the most commonstructure of the network (MANet) we will examine Figure 2.4.

In comparison to the typical wireless network, by MANet there is no need of predefined infras-tructure such as access points or base stations. As mentioned, within MANet every participant(node) can play the role of a router and can establish multiple connections to other participating

Page 9: Attacksonmobileadhocnetworks 120420092725-phpapp01

2.1 MANet 4

Figure 2.4: Common Infrastructure of MANet

nodes by partitioning the available bandwidth to multiple channels, if they are in the range ofcoverage. Therefore MANet infrastructure can changes dynamically as e.g.:

• one or more nodes quit the network, because they are not within the range of transmissioncoverage

• one or more nodes quit the network, because they are not within the range of transmissioncoverage and they join another MANet infrastructure

• one or more nodes quit the network, because they just terminate their connection to thenetwork

• one or more nodes join the network, because they are within the range of transmission cov-erage

As there is no strictly defined infrastructure in MANet, it is also possible to exist a hybridnetwork (please see Figure 2.5), where:

1. mobile nodes can establish connection with one another within the network(MANet)

2. mobile nodes(nodes 1 and 2) can establish connection with one another over the base sta-tion(e.g. access point)

3. mobile nodes (node 2) can establish connection to other nodes, which are not participantswithin this particular MANet, but part of other network (node 3), e.g. Wi-Fi, other MANetor cable connection

The application range of MANet spread over areas in which there is no strictly defined infras-tructure and networks with different size has to be configured fast and dynamic. The mobile ad hocnetworks find application in battlefield communications, law enforcement, mobile conferences,

Page 10: Attacksonmobileadhocnetworks 120420092725-phpapp01

2.2 Security layers in MANet 5

Figure 2.5: Hybrid Infrastructure within MANet

home networks, virtual class rooms etc. [5]. Though the variety of application all security solu-tions for MANet have to provide security services such as authenticity, confidentiality, integrity,anonymity and availability to the mobile users.

• Availability - Normal services required by authorized entities has to granted even if con-nection ports are inaccessible or data routing or/and forwarding algorithms are not workingbecause of various attacks.

• Confidentiality - The actual data has to be protected against identifying from unauthorizedentities, so the information exchanged can be analyzed and comprehended only by the com-municating nodes

• Integrity - The data exchanged between two nodes is not falsified (modified) in any wayduring the process of transmission within the network.

• Non-repudiation - A non-repudiation service grants that a receiver cannot deny that a mes-sage had been received, and a sender cannot deny that a message had been sent.

• Authenticity - Grants a confidence that a single node or entity is authentic - confirmation thata node is the same as it claims to be.[10]

2.2 Security layers in MANet

In order to present some of the existing attacks in MANet in chapter 3 we will make clear what arethe different levels of security within the network and then classify them. In a standard network(Local Area Network or LAN) there are 7 OSI layers (Physical, Data link, Network, Transport,Session, Presentation, Application layer). In comparison to LAN or WLAN, the security of MANetcan be divided into 5 OSI layers: Application layer, Transport layer, Network layer, Data link layer

Page 11: Attacksonmobileadhocnetworks 120420092725-phpapp01

2.2 Security layers in MANet 6

and Physical layer [5]. If we consider the security of MANet compared to e.g. WLAN, the attackson application layer of MANet cannot be determined as typical ones, because it depends on whattype of wireless medium the authentic user uses (e.g. laptop, desktop computer with wireless,PDA, GSM etc.). Therefore the type of the applications running on one medium differs from thisrunning on another. So such type of attacks is not common within MANet. According to thespecific layer there are various types of attacks which differ in their essence. For example typicalattacks against the Physical layer are Jamming and Eavesdropping; against the Data link layer -traffic monitoring and analysis; against the Network layer - Blackhole attack, Wormhole attack,Flooding attack, Colluding misrelay attack; against the Transport layer - Session hijacking andSYN flooding. Against the Application layer can be executed the following attacks - repudiationand data corruption, but as we have already mentioned the attacks against the application layer arenot typical for MANet, because of the big variety of involved wireless mediums. Along with theone-level-attacks, which focus on only one security layer, there are attacks which affect more thanone / multiple layers within MANet such as Denial of Service attack or Man-in-the-Middle attack.A classification list of these attacks can be seen in Table 2.1.

MANet security layer AttacksMulti-layer attacks DoS, impersonation, replay, MIMAApplication layer Repudiation, data corruptionTransport layer Session hijacking, SYN floodingNetwork layer Blackhole attack, Wormhole attack, Flooding attack,

Colluding misrelay attack, Byzantine attack, Link Spoofing attackData link layer Traffic monitoring and analysis,

disruption MAC(802.11), WEP weaknessPhysical layer Jamming, interception, eavesdropping

Table 2.1: Classification of Attacks

Because of the wide range of the attacks, which can be applied against MANet, we will stick upto the most common attacks, which can be executed within the network, mentioned in Table 2.2.

MANet security level AttacksSection 3.1: Physical layer Eavesdropping, Jamming/InterceptionSection 3.2: Data link layer Traffic monitoring and analysisSection 3.3: Network layer Flooding attack, Blackhole attack,

Link Spoofing attack, Wormhole attackSection 3.4: Transport layer SYN flooding, Session hijackingSection 3.5: Multiple-layers Denial of Service (DoS) attack

Table 2.2: Common Attacks within MANet

Page 12: Attacksonmobileadhocnetworks 120420092725-phpapp01

3 Attacks on MANet 7

3 Attacks on MANet

3.1 Attacks on MANet physical layer

In this section we will pay attention to the Jamming/Interception attack and the Eavesdropping,attacks which are specifically applied and work against MANet physical layer.

1. Eavesdropping

2. Jamming/Interception

The attacks against the physical layer of MANet such as Jamming, Interception or Eavesdrop-ping are very generic in their essence. Using them an attacker exploits the property that more thanone host within MANet share a single wireless medium, which naturally is dispersing airwavesignals so other participants (or participating nodes) in its range can receive this signals. The at-tackers can easily intercept the transmission, managing to tune up a receiver on the same frequencyused for exchanging of data. The Eavesdropping is a passive attack. The idea is to inject falsifiedmessages into the network as an intruder intercepts and obtains the exchanged data between twoauthorized users. On other hand Jamming and Interception attacks (Figure 3.1) are active attacks.As the Eavesdropping, they are also used to disrupt the communication between two interactingnodes, by decreasing the radio signals to noise ratio. An attacker can achieve an obstruction ofconcrete radio signal, generating another stronger one (using transmitter of his own), so the mes-sages between the interacting nodes to be corrupted or lost [6, 2]. So, by using e.g. Jamming, anattacker can execute a DoS attack, disrupting the communication between two nodes and causingsevere damages.

Figure 3.1: Jamming/Interception

Page 13: Attacksonmobileadhocnetworks 120420092725-phpapp01

3.2 Attacks on MANet data link layer 8

As the approach by Eavesdropping, Jamming/Interception is to interfere the signal between twocommunicating authentic nodes, so the countermeasures against these attacks are oriented at thechanging or "masking" the signal in some way. The first countermeasure, which can deal firmlywith the eavesdropping attack and minimize the risk of interception, is the implementation ofthe so called Frequency Hopping Spread Spectrum (FHSS) technology. FHSS is a method forsending/receiving a signal, using different frequencies, which are changed at fix time intervals.In other words it is a way to encode the signal, and both the receiver and transmitter have to besynchronized, using the same "random" frequency pattern. Though the signal is transmitted over asingle channel, it appears to be an obscure duration impulse noise for eavesdroppers, and the riskof interference is minimized because of the multi-frequency pattern [2].

The second countermeasure is the implementation of Direct Sequence Spread Spectrum (DSSS)technology. The idea weaved into this method is to spread an output signal via a predefined Bit-sequence(please see Figure 3.2). The original Bit-sequence or the data input is concealed usingspreading code in such way, that one original data bit equals to multiple bits in the transmittedsignal [2]. (Spreading code bits XOR Data input bits = Transmitted Signal)

Figure 3.2: Processing of Data Signal by DSSS

3.2 Attacks on MANet data link layer

In this section we will pay attention to the traffic monitoring and analysis, which is applicable onthe MANet data link layer.

1. traffic monitoring and analysis

Traffic monitoring and analysis is not an actual attack, but an instrument to prepare such one.Via traffic monitoring and analysis an attacker can receive information about the participatingusers within the network e.g. who is communicating with whom, how often, for how long, aswell as find out what are their communication functionalities e.g. which applications by particularnode are using bandwidth, for how long etc.. Having such specific information (if an attackerhas already identified a target for his attack or has revealed the relationships of communication),for a malicious node is easier to choose how to attack a victim node, aiming efficiency. For allthese reasons the traffic monitoring and analysis has to be considered as a massive threat to the

Page 14: Attacksonmobileadhocnetworks 120420092725-phpapp01

3.3 Attacks on MANet network layer 9

communication security within MANet [2, 3]. As the traffic monitoring is no actual attack, but agood preparation tool for an attack we won’t present any countermeasures in this section.

3.3 Attacks on MANet network layer

In this section we will pay attention to the attacks, which are specifically applied and work againstMANet network layer: flooding attack, Blackhole attack, link spoofing attack and Wormhole at-tack. They will be presented as it follows:

1. Flooding attack

2. Blackhole attack

3. Link spoofing attack

4. Wormhole attack

3.3.1 Flooding attack

There are different types of flooding attacks, which have the goal to disrupt the routing discovery orthe maintenance phase within MANet. Basically, via flooding attack a malicious node/an attackeraims the exhaustion of the network resources (e.g. network bandwidth) as well as consumingthe resources of an authentic network user (e.g. computational and battery power). Furthermorean attacker can influence the network performance, by hindering the proper execution of routingalgorithm (in routing discovery phase) [5, 2]. By RREQ flooding (or routing table overflow) ispossible for an attacker to send multiple RREQs to non-existing recipient in a very short periodof time, using the AODV protocol of MANet. In other words the malicious node represents false(non-existing) routes to all authentic nodes within the network, preventing the creation of newactual ones and causing routing table overflow by the authentic users. The avalanche of RREQsall over the network leads to consummation of the battery power and the network bandwidth,causing DoS [5, 2]. As a countermeasure against the flooding attack every network participant(actual authentic user or simply node) can compute and monitor the evaluation of all neighbors’RREQ, and in case of outmatching of the RREQs’ limit, which is preliminarily defined, the specificneighbor node comes with its ID in a blacklist. By this way the authentic/actual node "knows",that it should not receive any RREQs from its neighbors, recorded in its blacklist. Furthermore theefficiency of this countermeasure can be enhanced if the RREQ limit is not preliminarily defined(fixed), but is computed on hand of statistical analysis over RREQ, so the risk of attack withvarying flooding rates to be minimized [5].

3.3.2 Blackhole attack

As the flooding attack, the Blackhole attack also concerns the AODV routing protocol in the net-work layer of MANet. The completion of the attack proceeds in two steps: 1. an attacker or

Page 15: Attacksonmobileadhocnetworks 120420092725-phpapp01

3.3 Attacks on MANet network layer 10

malicious node has to modify the network topology in order to create auspicious "environment"for the attack. It presents itself as a legitimate route within the network, aiming to intercept thedata exchange between two authentic nodes. 2. Analog to interception attack in the MANet phys-ical layer, where the attacker obstructs concrete radio signal, generating another stronger one, inthe second step of Blackhole attack the malicious node consumes the intercepted data packages; itsimply receives the information and does not forward it to the end user (destination node) [2].

Figure 3.3: Blackhole Attack

In the following paragraph, we will take a closer look at the Blackhole attack showed in Fig-ure 3.3. The source node sends RREQs all over the network to find out the possible legitimateroutes. As the attacker receives the RREQ sent by the source node he forwards it to the destinationnode and send a RREP back to the source node in order to present him as a legitimate route. Afterhe is picked up by the source node for the transfer of the data as an authentic user within MANet,the attacker only intercepts the data flow, i.e. receives the information and does not forward itto the end user (destination node). Of course, there is always a chance that the neighbors’ nodescould detect the sequence of the falsified RREQ or RREP messages and put the malicious node intheir blacklists, terminating the data flow over it [5, 2]. Aiming more efficiency by the attack, aswell as minimization of the risk of being exposed, the malicious node can intercept not entirely thedata transfer between two interacting nodes, but can selectively forward packets. In addition, theattacker can sufficiently modify some messages sent from particular nodes not from all.

3.3.3 Link Spoofing Attack

Just in the opposite of the Blackhole attack, where the attacker try to intercept the data flow betweentwo of its neighbors, by the link spoofing attack the attacker aims to intercept or terminate therouting operations between two non-neighbor nodes. Using the OLSR protocol the malicious nodesends a fake links to the two-hop neighbors of the target, and as a result the "victim" node selects it

Page 16: Attacksonmobileadhocnetworks 120420092725-phpapp01

3.3 Attacks on MANet network layer 11

as a MPR. After being an approved MPR, the attacker can perform falsifying of data, modificationor dropping of the routing traffic [5].

Figure 3.4: Link Spoofing Attack

In the following paragraph, we will take a closer look at the link spoofing attack showed inFigure 3.4. Before the actual attack the target node has selected both nodes (one-hop neighbors)and the attacker as MPRs. So the attacker has to advertise a fake link with the two-hop neighbor ofthe target node. Because of this the attacker sends a "HALLO"- message to the neighbor (presentedby red line in Figure 3.4) and then sends a message with the fake link to the target (presented byblue arrow in Figure 3.4). As performing the last step, the attacker forces the target node to choosehim as an only MPR, because according to the OLSR protocol specification a node has to selectits neighbor as MPR if it "is the minimum set that reaches node’s two-hop neighbors."[5]

As a countermeasure against the link spoofing attack there is a solution by which every singlenode within the network is driven to notify its two-hop neighbors and doing so all participantscan acquire a view of the complete topology in "three-hop radius". So if a link spoofing attack isexecuted it will be simultaneously detected [5].

3.3.4 Wormhole attack

The wormhole attack is one of the most efficient and merciless attacks, which can be executedwithin MANet. Therefore two collaborating attackers should establish the so called wormhole link(using private high speed network e.g. over Ethernet cable or optical link): connection via a directlow-latency communication link between two separated distant points within MANet. As soon asthis direct bridge (wormhole link) is built up one of the attackers captures data exchange packets,sends them via the wormhole link to the second one and he replays them [5].

Page 17: Attacksonmobileadhocnetworks 120420092725-phpapp01

3.4 Attacks on MANet transport layer 12

Figure 3.5: Wormhole Attack

In the following paragraph, we will take a closer look at the Wormhole attack showed in Fig-ure 3.5. The target node sends RREQs all over the network to find out the possible legitimateroutes. As the attacker 1 receives the RREQ sent by the target node he forwards it to the attacker2 over the wormhole link between them (presented by red line in Figure 3.5). As the colludingattacker 2 receives the RREQ, transmit it to the destination node. The destination node on its partsends a RREP back to the target node over the wormhole link between the colluding attackers. Inorder to present them as a legitimate route, the colluding attackers forward the RREP to the targetnode. After they are picked up by the target node for the transfer of the data as authentic userswithin MANet, the attackers can intercept the data flow, i.e. receive the information and does notforward it to the end user (destination node), or selectively forward data packages in order to notbeing caught. As a countermeasure against the Wormhole attack, there is a cryptography-basedsolution proposed in "Preventing Wormhole Attacks on Wireless Ad Hoc Networks: A GraphTheoretic Approach"[8], for the application of Local Broadcast Keys as well as "a distributedmechanism for establishing them in randomly deployed networks."[8]

3.4 Attacks on MANet transport layer

In this section we will pay attention to the specific attacks, which are applicable on the MANettransport layer: Session hijacking and SYN flooding attacks.

1. SYN flooding

2. Session hijacking

By SYN flooding attack the goal of the attacker (malicious node) is to achieve multiple halfopened TCP connections with an authentic user, and to keep them so without completing the

Page 18: Attacksonmobileadhocnetworks 120420092725-phpapp01

3.4 Attacks on MANet transport layer 13

whole phase of synchronization [2]. During a normal phase of synchronization ( Figure 3.6: TCPHandshake) between two authentic users:

1. "A" sends a packet with flag SYN to "B" (synchronize, sequence number = X). On the sideof "B" the Transmission Control Block (TCB) is initialized to "SYN-RECEIVED" state [9].

2. "B" sends a packet with flags SYN, ACK to "A" (synchronize acknowledge, sequence num-ber = Y, acknowledge number = X+1).

3. "A" sends a packet with flag ACK to "B" (acknowledge, sequence number = X+1, acknowl-edge number = Y+1). As on the side of "B" the TCB transitions to "ESTABLISHED" state[9]. So the phase of TCP Handshake is completed and the connection between "A" and "B"is built up.

Figure 3.6: TCP Handshake

During the attack, both the address of the malicious node and the status of the half openedconnection are in the memory of the network stack, in order to finish the SYN-phase later and toestablish the connection. Because the resources of the authentic user are limited, it is possible toachieve flooding via SYN-messages and exhaust all resources of it. If this is achieved the authenticnode (victim-user) cannot initialize any other connection, and leads to DoS. This type of attack isvery powerful and efficient, because the SYN-messages are very small in size and their generationdoes not demand a long computing time. By this reason the defender needs more resources (e.g.computing and battery power) compared to the resources that the attacker needs for the executionof this attack.

By session hijacking attack the goal of the attacker (malicious node) is to steal the identity of avictim node and to achieve session with a target node. This type of attack is executed in two steps.First, the malicious node takes over the identity of the victim node as it spoofs the IP address ofthe victim and computes the particular sequence number, expected by the target node. Second, theattacker executes a DoS attack on the victim, aiming to continue the session with the target.

Considering the weak security level of the transport layer in MANet the participants within thenetwork are not protected against both SYN flooding and session hijacking attacks. As a counter-measure against these attacks can be used the implementation of the Secure Socket Layer (SSL)and Transport Layer Security (TLS) protocols, which are based on asymmetric crypto algorithms.

Page 19: Attacksonmobileadhocnetworks 120420092725-phpapp01

3.5 Multi-layer attacks on MANet 14

Their property - to secure the connections within networks, can be used to grant security by dataexchange between nodes [2].

As another very efficient countermeasure against the SYN flooding attack can be implementedSYN Cookies. The connection establishment between two authentic nodes within the network willproceed as it follows:

1. "A" sends a packet with flag SYN to "B" (synchronize, sequence number = X). On the sideof "B" the TCB is encoded into Sequence Number and destroyed [9].

2. "B" sends a packet with flags SYN, ACK to "A" (synchronize acknowledge, sequence num-ber = Y, acknowledge number = X+1) as well as cookie [9].

3. "A" sends a packet with flag ACK to "B" (acknowledge, sequence number = X+1, acknowl-edge number = Y+1) and in addition to ACK, "A" has to return the cookie. As on the side of"B" the TCB is recovered from the acknowledged Sequence Number in ACK segment [9].So the connection establishment with SYN cookies between "A" and "B" is completed andthe normal data exchange can proceed [9].

3.5 Multi-layer attacks on MANet

In this section we will pay attention to the multi-layer attacks within MANet (e.g. DoS, imperson-ation, replay, man-in-the-middle attacks), and mainly Denial of Service. A multi-layer attack is anattack which can be executed from more than one layer within a network. As we already mentionedin section 3.1, Denial of Service can be launched, using Jamming attack on the MANet physicallayer. Moreover, it is possible to execute DoS via flooding attack (please, see section 3.3.1) onMANet network layer, via SYN flooding and session hijacking (please, see section 3.4) on MANettransport layer, as well as via malicious applications on the MANet application layer. Consideringthe wide spectrum of possibilities to execute DoS makes this attack very unpredictable, effectiveand powerful one. Furthermore, assuming that one attack can consist of other different attacks,there are many possibilities to execute such combined-attack. For example an attacker can startwith an eavesdropping attack on the Physical layer, afterwards making traffic monitoring and anal-ysis (on MANet Data link layer) he can proceed with SYN flooding attack or Session hijackingattack on the Transport layer as well as with flooding attack on the Network layer causing DoSattack or he can launch link spoofing attack, aiming to intercept or terminate the routing operationsbetween authentic users within the network.

Page 20: Attacksonmobileadhocnetworks 120420092725-phpapp01

4 Conclusion 15

4 Conclusion

This paper pays attention to the complex and fast changing infrastructure of the mobile ad hocnetwork as well as the common attacks, which occur within MANet. The theoretical fundamentalsof its dynamic infrastructure and the different types of security layers are represented to give anoverview on the system. Afterwards it offers an explanation on which specific layer what typeof attack can be executed and also what countermeasures can be taken in order to prevent thisspecific attack. Because MANet is a dynamic network, which has no antecedent and strictly de-fined infrastructure, there is also no clear line of defence. The very big variety of devices (e.g.mobile phones, laptops, personal digital assistants (PDAs), tablets, iPads etc.), which can partic-ipate within the network and the different security level by every single user present obstacles tounify, standardize a security level for MANet. As we presented in chapter 3 of this paper there aremany different types of attacks such as Jamming/Interception and eavesdropping in the Physicallayer, traffic monitoring and analysis in the Data link layer, Blackhole attack, Wormhole attack,Flooding attack and Link spoofing attack in the Network layer, Session hijacking and SYN flood-ing in the Transport layer, which can be executed within MANet. Also there are multiple-layerattacks, which can be started from more than one layer within the network and combined-attacks,i.e. an attack consists of other different attacks. So in order to improve the level of security withinMANet, the weaknesses of each layer should be handled. Therefore it should be implementedFHSS, DSSS technologies in the physical layer. Traffic analysis can be prevented by using trafficpadding and traffic rerouting techniques. The introduction of black and notification lists as well asdynamic computation for the RREQ limit on the Network layer will minimize the risk of floodingattack and link spoofing attack. Besides, the application of Local Broadcast Keys can prevent theexecution of the Wormhole attack. Implementation of modified, for the needs of MANet, SSLand TLS protocols, based on asymmetric crypto algorithms will secure the connections within thenetwork. Furthermore, an introduction of SYN cookies will strengthen up the security level of thetransport layer.

Considering the application of all deployment scenarios on MANet, it is almost impossible toimplement this big variety of countermeasures, because of the limited power within the networkas well as the high complexity by the implementation process. Nevertheless, disregarding theweaknesses, the Mobile Ad hoc Networks have wide range of application, because of their basicproperties - to establish connection between completely different types of mediums without anypredefined infrastructure and to change dynamically their topology. So they will play an enormousrole for the further development of various sectors e.g. health care, automotive, telecommunica-tions and education.

Page 21: Attacksonmobileadhocnetworks 120420092725-phpapp01

Bibliography v

Bibliography

[1] MANET (Mobile Ad Hoc Network), http://www.techterms.com/definition/manet.

[2] Mihaela Cardei; Bing Wu; Jianmin Chen; Jie Wu. A Survey on Attacks and Countermeasures

in Mobile Ad Hoc Networks. Wireless/Mobile Network Security, page 38, 2006.

[3] Srihari Nelakuditi; Chase Gray; Jason Byrnes. Pair-wise resistance to traffic analysis in

MANETs. Mobile Computing and Communications Review, 12:20–22, 2008.

[4] Adrian Heißler. Schwarmintelligenzbasiertes Routing in mobilen Ad-hoc-netzen, volume 1.GRIN, 2008.

[5] Rashid Hafeez Khokhar; Md Asri Ngadi; Satria Mandala. A Review of Current Routing

Attacks in Mobile Ad Hoc Networks. International Journal of Computer Science and Security,2:12, 2008.

[6] Panos Lekkas; Randall Nichols. WIRELESS SECURITY: Models, Threats, and Solutions.McGraw-Hill, 2002.

[7] J. Macker; S. Corson. Mobile Ad hoc Networking (MANET): Routing Protocol Performance

Issues and Evaluation Considerations. page 12, January 1999.

[8] L. Lazos; R. Poovendran; C. Meadows; L. W. Chang; P. Syverson. Preventing Wormhole At-

tacks on Wireless Ad Hoc Networks: A Graph Theoretic Approach. Wireless Communications

and Networking Conference, 2005 IEEE, 2:1193–1199, 2005.

[9] Verizon Federal Network Systems; Wesley M. Eddy. Defenses Against TCP SYN Flooding

Attacks. The Internet Protocol Journal, 9(4), December 2006.

[10] Miao Ma; Yan Zhang; Jun Zheng. Handbook of research on wireless security. Number978-1599048994. 2008.