The DAO Induction Attack Against the RPL-based Internet of Things

03/24/2020 ∙ by Ahmad Shabani Baghani, et al. ∙ University of Alberta 0

RPL is the emerging routing standard for low power and lossy networks (LLNs). LLN is a key component of the Internet of Things (IoT), hence its security is imperative for the age of IoT. In this work, we present the DAO induction attack, a novel attack against RPL. In this attack, a malicious insider or a compromised node periodically increments its DTSN number. Each such increment can trigger/induce a large number of control message transmissions in the network. We show that this degrades the network performance in terms of end-to-end latency, packet loss ratio, and power consumption. To mitigate, we propose a lightweight solution to detect the DAO induction attack. Our solution imposes nearly no overhead on IoT devices, which is important as these devices are typically constrained in terms of power, memory and processing.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

I Introduction

The Internet of Things (IoT) is an emerging technology which envisions to connect billions of “things” to the Internet. This enables numerous applications in diverse areas such as smart home, e-Health, and smart city. Low-power and Lossy Networks (LLNs) play an indispensable role in realizing IoT. These networks are typically composed of constrained devices with limited power, memory and processing. In addition, LLNs suffer from high packet loss rates and low throughput. These characteristics and limitations make designing routing protocols for LLNs challenging.

ROLL, a working group of the Internet Engineering Task Force (IETF), evaluated the common standard routing protocols of the Internet and concluded that these protocols are not suitable for LLNs because of their heavy overhead. Consequently, the ROLL group designed the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL) [15] to meet the low overhead requirement of LLNs.

Because of limited resources, nodes in LLNs are unable to run and benefit from complex security solutions such as those that use assymetric cryptography. This makes RPL vulnerable to a range of attacks  [11, 3, 8, 10, 6, 2, 14, 13, 5]. An internal attacker may alter, inject, replay, and generate data or control messages to impact the normal operation of RPL networks. For example, in the version number attack [6], a malicious insider node initiates an unnecessary global network repair process by increasing the version number. Another example, albeit with lower impact, is the DAO insider attack [3] in which the attacker repeatedly sends DAO control messages to the root, causing wasteful transmissions by the nodes on the path from the attacker to the root.

In this work, we present the DAO induction attack, a novel attack in which a malicious insider node induces nodes to transmit unnecessary DAO control messages. Similar to the version number attack, the DAO induction attack can cause a large number of transmissions in the network. Unlike the version number attack, the DAO induction attack may not be detectable by the root of the network, as will be explained later.

The main contributions of our work are as follows:

  • We introduce the DAO induction attack, a novel attack against the RPL protocol.

  • We evaluate the impact of the DAO induction attack on power consumption, communications overhead, latency, and packet loss ratio.

  • We propose a lightweight solution to detect the DAO induction attack. Our solution is fully compatible with the RPL protocol, and imposes nearly no overhead on IoT devices.

The rest of the paper is organized as follows. Section II provides an overview of the RPL routing protocol. The adversary model is given in Section III. Section IV describes the DAO induction attack. Section V evaluates the attack’s impact on the network performance. Section VI briefly overviews the existing mitigation techniques, and proposes a new lightweight solution to detect the DAO induction attack. Finally, Section VII concludes the paper.

Ii Overview of the RPL Protocol

RPL is a distance-vector routing protocol, which can operate on various link layer standards including Bluetooth and IEEE 802.15.4 [4]. RPL builds one or more Destination Oriented Directed Acyclic Graph (DODAG), a loop free topology as shown in Fig. 1. DODAG has a single root as a destination node with no outgoing edges. The root acts as the data sink of DODAG. Each DODAG is specified by an instance ID, a DODAG ID, and a version number.

RPL uses DODAG to support three different traffic patterns: multipoint-to-point (MP2P) from end nodes to the root, point-to-multipoint (P2MP) from root to end nodes, and point-to-point (P2P) traffic. The DODAG structure is built step by step. To this end, nodes periodically transmit a control message called Destination Information Object (DIO). DIO messages contain important information including an objective function to calculate rank, a number that determines a node’s position with respect to the root. Ranks monotonically increase in the downward direction (i.e., towards leaf nodes), and are used to avoid loops.

After receiving a DIO message from a lower rank node, the receiving node adds the address of the DIO sender to its candidate parent set, and calculates its rank with respect to the new candidate parent. The candidate parent that results in the best rank is selected as the node’s preferred parent. At the end of this procedure, each node has upward paths towards the root (through its parents).

DIO messages are periodically sent by nodes according to a trickle timer. If a new node wants to join the network, it should receive a DIO message to obtain DODAG information. If the new node does not receive a DIO message, it can send a DODAG Information Solicitation (DIS) message requesting DODAG information. When an existing node in the network receives a DIS message, it replies by transmitting a DIO message.

To support downward routs (i.e. routs from the root), RPL uses another type of control message called Destination Advertisement Object (DAO). A node that wants to be reachable by the root advertises its address in a DAO message, and sends it to one of its DAO parents. The course of action taken by the node’s DAO parent depends on the RPL mode of operation.

Fig. 1: An example of a RPL DODAG. Solid lines show each node’s preferred parents, and dashed lines show node’s other DAO parents. For instance, is the parent set of , and is the preferred parent of .

RPL supports two modes of operation: storing (table-driven) and non-storing (source routing). In the storing mode, all non-leaf nodes maintain a routing table for destinations, while in the non-storing mode only the root maintains a routing table. In both modes, a node that receives a DAO message forwards it to one of its DAO parents; this ensures that the DAO message is ultimately received by the root. In storing mode, a node updates its routing table before forwarding the DAO message. This update is not required in the non-storing mode as non-root nodes do not maintain any routing table.

In the non-storing mode, P2P packets travel up from the source all the way to the root and then travel down to the destination. In the storing mode, however, a P2P packet can start traveling down towards the destination as soon as it reaches a common ancestor of the source and the destination.

Iii Adversary Model

We assume that RPL is either in no-secure mode, or uses a shared secret key (at the link-layer or by itself) to secure its messages. In either case, nodes cannot authenticate the root’s messages, as every node uses the same secret key. We assume that the adversary controls a single insider node (e.g. a compromised node), hence knows the network’s secret key. We refer to the node controlled by the adversary as the malicious node. The malicious node can be any node in the network except the root. In this work, we limit the malicious node’s misbehaviour to 1) running the DAO induction attack (explained next), and 2) selectively dropping DAO packets to avoid detection by the root. Attacks combining the DAO induction attack with other existing ones can be more powerful, and lie outside the scope of this work.

Iv The DAO induction Attack

In RPL, each node maintains a DAO Trigger Sequence Number (DTSN), and reports it in its DIO messages. If a node receives a DIO message from one of its DAO parents, and realizes that the parent has incremented its DTSN, the node must schedule a DAO transmission. In non-storing mode, the node must in addition increment its own DTSN. Therefore, in this mode, a DTSN increment by a node will cause all its descendants to increment their DTSN in turn, triggering DAO transmissions from the entire sub-DODAG.

In DAO induction attack, a malicious insider node repeatedly increases its DTSN to trigger DAO transmissions. This can cause many transmissions particularly in the non-storing mode (a common mode of operation as many IoT devices are too constrained to operate in the storing mode [15]) as all descendants of the malicious node transmit each time the malicious node increments its DTSN. To avoid detection by the root, the attacker can simply refrain from forwarding DAO message of its descendants to the root.

The DTSN counter is an 8-bit unsigned integer, so it has a limited range. This limitation, however, does not restrict the number of times a malicious node can update DTSN in a DAO induction attack. This is because in RPL, sequence counters operate according to a ‘lollipop’ fashion [9], where an increment of a sequence number with the maximum value will wrap the number back to zero. Therefore, the number of times an attacker can increment DTSN is practically unlimited.

Similar to the version number and DAO insider attacks, the DAO induction attack can be mitigated by enabling security mechanisms at the link-layer or at RPL itself. However, these mechanisms are ineffective when the attacker is an insider or a compromised node.

V Experimental Analysis

To evaluate the impact of the DAO induction attack on the network’s performance, we performed a diverse set of simulations using the Contiki operating system [1]

, a lightweight and open-source operating system designed for IoT.

V-a Simulation settings

 

  Simulation parameters    Value  

 

  Simulation time     

 

  Radio medium    Unit Disk Graph Medium  

 

  Topology dimension     

 

  Number of nodes    , , , and  

 

  Modes of operation    Storing and Non-storing  

 

  Transmission range     

 

  Interference range     

 

  Traffic rate per node    1 packet per minute  

 

  Node type    Tmote Sky  

 

  Number of simulations    10 per each topology  

 

  link layer protocol    IEEE 802.15.4  

 

  MAC protocol    CSMA-CA  

 

    
TABLE I: Simulation parameters settings

We used the Tmote Sky mote, which is an MSP430-based board benefiting from a radio chip compatible with the IEEE 802.15.4 link layer protocol. We employed this mote for all the nodes including the malicious node. To implement the DAO induction attack, we modified the RPL protocol stack of the Contiki OS on the malicious node. Similar to other nodes, the malicious node joins the network and actively participates in the creation and maintenance of the DODAG. The main difference between the malicious node and the others is that it is programmed to periodically increment its DTSN number, and send it in a DIO message to its neighbours. To evaluate the maximum impact of the DAO induction attack in the non-storing mode, we selected the malicious node randomly from the neighbours of the root. Note that these nodes have the maximum number of descendants among all non-root nodes.

We considered a sample scenario in which nodes are distributed randomly in a square area network. Each node is static and transmits one data packet of bytes to the root every seconds. To simulate link failure, we used the Unit DISK Graph Model (UDGM). We evaluated the impacts of the DAO attack on the following metrics.

  • DAO overhead: the total number of DAO transmissions including transmissions of original DAO messages as well as transmissions for forwarding DAO messages towards the root.

  • Average power consumption: the average consumed power by each node in the network.

  • Packet loss ratio: the packet loss ratio averaged over all the node in the network. The packet loss ratio of a node is one minus the ratio of the number of received packets by the DODAG root from that node over the total number of packets sent by the node.

  • Average Latency: the average end-to-end latency of all packets successfully received by the root.

V-B Impact of the DAO induction attack

Fig. 2: The impact of the DAO induction attack on the number of DAO transmissions in the storing and non-storing modes.
Fig. 3: The impact of the DAO induction attack on the average power consumption in the storing and non-storing modes.
Fig. 4: The impact of the DAO induction attack on the average end-to-end latency in the storing and non-storing modes.
Fig. 5: The impact of the DAO induction attack on the packet loss ratio in the storing and non-storing modes.

Fig. 2 shows the total number of DAO transmissions (i.e., the DAO overhead) for both RPL modes of operation. As shown, the DAO induction attack significantly increases the DAO overhead in both storing and non-storing modes. In larger networks, this overhead is higher: When there is no attack, the DAO overhead increases slowly with the number of nodes. Under the DAO induction attack, however, the DAO overhead grows at a significantly higher rate. Note that, the impact of the DAO induction attack is higher in the non-storing mode than the storing mode. This is expected because, in the non-storing mode, a DTSN increment triggers all the nodes in the attacker’s sub-DODAG to transmit DAO messages.

Fig. 3 shows the average power consumption of nodes when the network is under the DAO induction attack. To calculate the average power consumption, we used the collect-view feature available in Contiki. As shown, the power consumption increase because of the DAO induction attack is more noticeable in the non-storing mode than in the storing mode. This is expected because, in the non-storing, the attack engages more nodes and generates more overhead.

Fig. 4 shows the impact of the DAO induction attack on the average end-to-end latency. As shown in the figure, the DAO induction attack significantly increases the average end-to-end delay in the network. This increase is considerably higher in the non-storing mode than the storing mode. Again, the underlying reason is that the DAO induction attack engages more nodes and creates more overhead in the non-storing mode.

Finally, the impact of the DAO attack on the packet loss ratio is shown in Fig. 5. This impact is insignificant in small networks particularly in the storing mode. The impact is, however, considerable in networks with about 40 and more nodes. As in the previous cases, the DAO induction attack is more severe in the non-storing mode than in the storing mode.

Vi Mitigation

Following, we first enumerate the existing mitigation solutions by categorizing them into two classes: proactive and reactive. We then present our solution to detect the DAO induction attack. This solution, unlike the existing ones, imposes nearly no overhead on IoT devices, which is important as these devices typically have limited resources.

Vi-a Proactive solutions

Proactive solutions aim to eliminate the possibility of the attack completely. Recall that the impact of the DAO induction attack is significantly more severe in the non-storing mode than the storing mode. Theretofore, it is more important to mitigate this attack in the non-storing mode.

In the non-storing mode, the DAO induction attack is similar to the version number attack as both the version number and DTSN must be first incremented by the root. Hence both attacks can be prevented if root’s messages can be authenticated. Authentication can be achieved using digital signatures, or hash chains as described below.

Vi-A1 Digital signatures

the conventional way to provide authentication is by digital signatures. Use of digital signatures in IoT networks is challenging. First challenge is to securely distribute the root’s public key. Currently, manual installation is the only feasible method to distribute security keys among constrained devices [12]. Another major challenge is that existing digital signature methods are computationally heavy [7].

Vi-A2 Hash-chain

as used in VeRA [2], hash chains can be used for authentication. Similar to digital signatures, hash chain based solutions impose communication and computation overheads even in normal conditions when network is under no attack. More importantly, for this solutions to work, the root of the hash chain must be securely distributed. In the absence of computationally heavy asymmetric cryptography operations – as constrained nodes have difficulty performing these operations – the daunting manual installation seems to be the only feasible option.

Vi-B Reactive solutions

Reactive solutions, unlike proactive ones, do not eliminate the possibility of the attack. Instead, they aim to detect and mitigate the attack upon detection. A reactive security solution consists of two phases: detection and reaction. The aim of the first phase is to detect the onset of the attack by monitoring the network. When an attack is detected, the solution goes to the reaction phase where the attacking node is isolated/removed.

Monitoring of the network can be performed by either the internal IoT nodes, or external monitoring nodes. Each of these approaches have their own issues. The former approach imposes overheads on IoT devices, which is not desirable if they are power constrained (e.g., when they run on batteries). The latter approach can be costly particularly when multiple external monitoring nodes are needed.

Our proposed monitoring solution, presented next, uses the root node for detecting the DAO attack, and imposes nearly no overhead on IoT devices. In addition, simulation results show that our solution has a high detection rate.

Vi-C Our proposed detection solution

As mentioned earlier, the existing solutions all impose overhead even in normal condition when the network is under no attack. Our detection solution, however, imposes nearly no overhead.

Our solution requires IoT nodes to follow two simple rules, both supported by the RPL protocol. First, each node should select up to two non-preferred parent nodes, whenever such nodes exist. Second, each node should schedule its DAO transmission to be forwarded to its preferred DAO parent when it hears a DTSN increment by a non-preferred parent.

Fig. 6: An example of a DODAG under the DAO induction attack by node . Node “P” is the preferred parent and node “DP” is the DAO parent of node “L” respectively.

Let us use an example to explain why following these rules helps the root to detect the DAO induction attack. Consider the sample network shown in Fig. 6. Node is the attacker, and the network operates in the non-storing mode. Notice that node has two DAO parents: the preferred parent , and the non-preferred parent . When the attacker increments its DTSN, all its descendants including node increment their DTSN in turn, and report this change through DIO messages. When node hears ’s DIO message, it schedules a DAO transmissions through its preferred parent instead of . This DAO message cannot be dropped by the attacker as it does not go through the attacker. The root will then receive the DAO message and detect the DAO induction attack as it did not start the DTSN increment111Note that a single bit in DAO message can indicate that the message was generated as the result of a DTSN increment.. Note that when the DTSN increment is legitimate (i.e., it is started by the root), all the nodes in the network will schedule a DAO transmission. Therefore, following the aforementioned rules does not impose any extra overhead on IoT devices.

To detect the DAO induction attack, the network should have a node (like ) with two DAO parrents; one in the attacker’s sub-DODAG, and the preferred one outside the attacker’s sub-DODAG. An interesting question is how often such a node exists. To answer this question, we run simulations using the Contiki operating system. We changed the RPL setting of Contiki, to allow nodes select more than one DAO parent whenever possible.

Let be the set of non-root IoT nodes, and , , be a binary number, such that it is equal to 1 iff a DAO induction attack by node is detectable. The detection rate is calculated as the weighted average of , where weight of is the number of descendants of (i.e., the number of nodes that are affected by the DAO attack launched by ).

Fig. 7: The detection ratio of the DAO induction attack when RPL nodes have more than one DAO parent. Each RPL node are able to choose extra DAO parents.

For a given network size, the detection rate is calculated for ten different networks of that size. Fig. 7. shows the average of these ten detection rates for network size of 20, 30, 40 and 50. In the figure, indicates the number of non-preferred DAO parents that each RPL node can have. For instances, for , each node selects exactly one non-preferred DAO parent whenever possible. As shown, the detection rate of our solution is close to if nodes select two non-preferred DAO parents whenever possible.

Vii Conclusion

In this paper, we introduced the DAO induction attack, a novel security attack against the RPL protocol in which a malicious insider node increments its DTSN number periodically to flood the network with control messages. Through various simulations, we showed that the attack adversely impacts network performance, and power consumption particularly when the network operates in the non-storing mode. To mitigate, we proposed a lightweight detection solution that imposes nearly no overhead on IoT devices. Simulation results show that our solution can detect the DAO induction attack with high probability.

References

  • [1] A. Dunkels, B. Gronvall, and T. Voigt (2004) Contiki-a lightweight and flexible operating system for tiny networked sensors. In 29th annual IEEE international conference on local computer networks, pp. 455–462. Cited by: §V.
  • [2] A. Dvir, L. Buttyan, et al. (2011) VeRA-version number and rank authentication in RPL. In Mobile Adhoc and Sensor Systems (MASS), IEEE 8th International Conference on, pp. 709–714. Cited by: §I, §VI-A2.
  • [3] B. Ghaleb, A. Al-Dubai, E. Ekonomou, M. Qasem, I. Romdhani, and L. Mackenzie (2019) Addressing the DAO insider attack in RPL’s internet of things networks. IEEE Communications Letters 23 (1), pp. 68–71. Cited by: §I.
  • [4] IEEE (2015) IEEE std. 802.15.4: wireless medium access control and physical layer specifications for low rate wireless personal area networks (lr-wpans). Cited by: §II.
  • [5] M. Khabbazian, H. Mercier, and V. K. Bhargava (2009) Severity analysis and countermeasure for the wormhole attack in wireless ad hoc networks. IEEE Trans. Wireless Communications 8 (2), pp. 736–745. Cited by: §I.
  • [6] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schönwälder (2014) A study of RPL DODAG version attacks. In IFIP international conference on autonomous infrastructure, management and security, pp. 92–104. Cited by: §I.
  • [7] M. Mössinger, B. Petschkuhn, J. Bauer, R. C. Staudemeyer, M. Wójcik, and H. C. Pöhls (2016) Towards quantifying the cost of a secure IoT: overhead and energy consumption of ECC signatures on an ARM-based device. In IEEE 17th International Symposium on A World of Wireless, Mobile and Multimedia Networks (WoWMoM), pp. 1–6. Cited by: §VI-A1.
  • [8] P. Perazzo, C. Vallati, G. Anastasi, and G. Dini (2017) DIO suppression attack against routing in the internet of things. IEEE Communications Letters 21 (11), pp. 2524–2527. Cited by: §I.
  • [9] R. Perlman (1983) Fault-tolerant broadcast of routing information. Computer Networks (1976) 7 (6), pp. 395–405. Cited by: §IV.
  • [10] C. Pu (2019) Energy depletion attack against routing protocol in the internet of things. In 16th IEEE Annual Consumer Communications & Networking Conference (CCNC), pp. 1–4. Cited by: §I.
  • [11] A. Raoof, A. Matrawy, and C. Lung (2019) Routing attacks and mitigation methods for RPL-based internet of things. IEEE Communications Surveys and Tutorials 21 (2), pp. 1582–1606. External Links: Link, Document Cited by: §I.
  • [12] S. Raza, L. Seitz, D. Sitenkov, and G. Selander (2016) S3K: scalable security with symmetric keys—DTLS key establishment for the internet of things. IEEE Transactions on Automation Science and Engineering 13 (3), pp. 1270–1280. Cited by: §VI-A1.
  • [13] L. Wallgren, S. Raza, and T. Voigt (2013) Routing attacks and countermeasures in the RPL-based internet of things. International Journal of Distributed Sensor Networks 9 (8), pp. 314–326. Cited by: §I.
  • [14] K. Weekly and K. Pister (2012) Evaluating sinkhole defense techniques in RPL networks. In Network Protocols (ICNP), 20th IEEE International Conference on, pp. 1–6. Cited by: §I.
  • [15] T. Winter and et. al (2012) RPL: IPv6 routing protocol for low-power and lossy networks. Technical report IETF. Cited by: §I, §IV.