Denial-of-Service in Wireless Sensor Networks: Attacks and Defenses

This survey of denial-of-service threats and countermeasures considers wireless sensor platforms’ resource constraints as well as the denial-of-sleep attack, which targets a battery-powered device’s energy supply.
David R. Raymond and Scott F. Midkiff
Virginia Tech

Continued research into using wireless sensor networks (WSNs) for medical monitoring, homeland security, industrial automation, and a variety of military applications highlights the need to better secure these networks. Just as researchers have developed new networking protocols to account for the limited resources available to WSN platforms, we must also tailor security mechanisms to such resource constraints. In particular, we must address the denial-of-service attack, which targets service availability.

Computer and network security aim to provide confidentiality, data integrity, and service availability. Confidentiality prevents untrusted third parties from accessing secure data, and data integrity guarantees that data isn’t modified in transit and that replayed packets aren’t accepted as the original. Availability ensures that authorized parties can access data, services, or other computer and network resources when requested. DoS attacks target availability by preventing communication between network devices or by preventing a single device from sending traffic.

Anthony Wood and John Stankovic published a survey of WSN DoS attacks and prevention mechanisms in 2002.1 Here, we update their survey with current threats and countermeasures. In particular, we more thoroughly explore the denial-of-sleep attack, which specifically targets the energy-efficient protocols unique to sensor network deployments. We start by exploring such networks’ characteristics and then discuss how researchers have adapted general security mechanisms to account for these characteristics.

Wireless-sensor-network characteristics

WSN platforms generally have limited processing capability and memory. The design of WSN devices usually favors decreased cost over increased capabilities, so we can’t expect Moore’s law to lead to enhanced performance.

The basic characteristics of sensor networks make them vulnerable to DoS attacks. Their primary weakness, shared by all wireless networking devices, is the inability to secure the wireless medium. Any adversary in radio range can overhear traffic, transmit spurious data, or jam the network. Powerful antennas allow remote access, so close physical proximity to the network isn’t required.

Sensors are also vulnerable to physical tampering and destruction if deployed in an unsecured area. Another vulnerability is the sensor devices’ extremely limited and often nonreplenishable power supplies. Resource-consumption attacks target nodes’ power supplies by keeping the radio on when there’s no legitimate network traffic or by imposing an unnecessary computational load.

Furthermore, attackers aren’t always limited by the same constraints as the sensor devices. An adversary might

TABLE 1

| Characteristic | Mica2* | Tmote Mini† |
|---|---|---|
| RAM (Kbytes) | 4 | 10 |
| Program flash memory (Kbytes) | 128 | 48 |
| Maximum data rate (Kbps) | 76.8 | 250 |
| Power draw: Receive (mW) | 36.81 | 57.0 |
| Power draw: Transmit (mW) | 87.90 | 57.0 |
| Power draw: Sleep (mW) | 0.048 | 0.003 |

* Data from www.xbow.com/Products/Product_pdf_files/Wireless_pdf/MICA2_Datasheet.pdf
† Data from www.sentilla.com/pdf/eol/Tmote_Mini_Datasheet.pdf
TABLE 2
Denial-of-service attacks and defenses by protocol layer.
that node might transmit multiple packets with the same nonce and encryption key. This is because each ACL entry maintains its own nonce state. If this happens, an attacker can xor the two ciphertexts to determine the xor of the plaintexts, potentially breaking confidentiality.6 Sastry and Wagner detail how to avoid this same-nonce attack—and present other security weaknesses that should be avoided in future revisions to the IEEE 802.15.4 standard.6

The security primitives that Spins, TinySec, and ZigBee provide, such as encryption, authentication, and, in some cases, antireplay, are the building blocks of many of the DoS prevention techniques we discuss next.

DoS attacks and defenses

For this discussion, we reduce the Open System Interconnect model’s traditional seven layers to five layers: physical, link, network, transport, and application. Although sensor networks don’t generally adhere as closely to the OSI model as other network devices for efficiency reasons, the layered model is still useful for categorizing various DoS attacks and defenses (see table 2).

Some DoS attacks focus on physical aspects of sensor systems, such as covering a node with an acoustic barrier to reduce sensitivity. We focus primarily on attacks that exploit weaknesses in network protocols and applications, although we also mention techniques for preventing physical tampering and for mitigating sensor overstimulation.

The physical layer

Jamming is the primary physical-layer attack against WSNs. Spread-spectrum communication is a common defense against physical-layer jamming in wireless networks. Unfortunately, low-power, low-cost sensor nodes are usually limited to simple radios that can’t use these techniques. If WSN nodes can identify a jamming attack, a logical defense is to put sensors into a long-term sleep mode and have them wake periodically to test the channel for continued jamming. Although this won’t prevent a DoS attack, it could significantly increase the life of sensor nodes by reducing power consumption. An attacker would then have to jam for a considerably longer period, possibly running out of power before the targeted nodes do.

Wenyuan Xu and his colleagues provide a mechanism for identifying jamming attacks in WSNs, classifying them as constant, deceptive, random, or reactive.7 A constant jamming attack corrupts packets as they are transmitted between WSN nodes. However, this attack requires a significant amount of energy and thus might not be feasible if the attacker is under similar power constraints as the target network.

Instead of transmitting a random signal, a deceptive jammer sends a constant stream of bytes into the network to make it look like legitimate traffic. For example, in TinyOS, if the device receives a constant stream of preamble bytes, all nodes within transmission range will remain in receive mode, never transitioning to send mode.
76 PERVASIVE computing www.computer.org/pervasive
A random jammer randomly alternates between sleep and jamming to save energy.

Finally, a reactive jammer only transmits a jam signal when it senses traffic. Identifying reactive jamming can be difficult, because it might seem like routine packet collisions.

Techniques for identifying jamming attacks include statistically analyzing the received signal strength indicator (RSSI) values, the average time required to sense an idle channel (carrier sense time), and the packet delivery ratio (PDR).7 All three techniques require taking baseline measurements, so the network can’t be jammed upon deployment. None of these techniques alone is sufficient to identify jamming. However, algorithms that combine these techniques can reliably identify all four types of jamming. One such algorithm first identifies poor link utility through PDR analysis, then uses RSSI analysis as a consistency check to determine whether jamming is causing the poor network performance.

Another strategy for defending against jamming is to have nodes collaboratively identify the jammed region and then route traffic around it.1 Such a mechanism would be redundant in the face of constant jamming in a multihop network, because you would expect the routing protocol to automatically route around jammed regions. In the case of intermittent jamming, routes that pass through jammed portions of the network would be unreliable. Routing protocols such as TinyOS Destination-Sequenced Distance-Vector Routing,8 which associates a link quality estimator with each link to form paths using high-quality bidirectional links, would route around these portions of the network.

Other physical-layer attacks include node tampering or destruction. Although you can’t prevent destruction of nodes deployed in an unsecured area, redundant nodes and camouflaging can mitigate this threat. Defenses against tampering include hiding or camouflaging nodes, tamper-proofing packages, or implementing tamper reaction such as erasing all program or cryptographic memory.1

The link/MAC layer

MAC protocols operate at the link layer, and most require cooperation between nodes to arbitrate channel use, making them particularly vulnerable to DoS attacks. Link-layer threats include collisions, interrogation, and packet replay. A collision attack is synonymous with the reactive-jamming attack we just described. You can mitigate some collisions by using error-correcting codes. However, ECCs add transmission overhead, consuming additional energy.

An interrogation attack exploits the two-way request-to-send/clear-to-send (RTS/CTS) handshake that many MAC protocols use to mitigate the hidden-node problem. An attacker can exhaust a node’s resources by repeatedly sending RTS messages to elicit CTS responses from a targeted neighbor node. Antireplay protection and strong link-layer authentication can mitigate these attacks. However, a targeted node receiving the bogus RTS messages still consumes energy and network bandwidth.

Another link-layer threat to WSNs is the denial-of-sleep attack, which prevents the radio from going into sleep mode.9 Frank Stajano and Ross Anderson first introduced the notion of this attack, calling it sleep deprivation torture and investigating its impact on battery-powered mobile devices.10

An attacker might choose to execute a denial-of-sleep attack over a simple jamming-based DoS attack on a WSN to limit the attack’s duration. To permanently disable a sensor network, a jamming attack might take months to deplete the targeted device’s batteries. On the other hand, a clever denial-of-sleep attack that keeps the sensor nodes’ radios on would drain the batteries in only a few days (at least for the class of devices considered here). Also, many denial-of-sleep attacks don’t require a constant signal, making it more difficult to identify the traffic as malicious and to locate the attacking node via its emitted transmissions.

MAC protocols are a natural focus for denial-of-sleep attacks. This is because they control the functionality of the transceiver, which consumes more energy than any other component on most wireless-sensor platforms.2 The link layer coordinates access to the physical medium linking a network’s nodes. In a WSN, the link layer dictates when the radio should transmit frames, listen to the channel to receive data, and sleep to conserve energy. MAC protocols designed for WSNs use various techniques to save battery power by placing the radio in low-power modes when the radio isn’t actively sending or receiving data. The Crossbow Mica2 consumes 36.81 mW in receive mode and 0.048 mW in sleep mode (see table 1). Two standard 3,000 mAh AA batteries will last over
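The PDR-then-RSSI consistency check described in the physical-layer discussion above, together with the sleep-and-probe defense, as an added example that is not code from the article or from the cited work. The window fields, the three-sigma PDR floor, the doubling sleep interval and all sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Window:
    """Link statistics a node collects over one observation window."""
    frames_seen: int   # frames whose preamble was detected
    frames_ok: int     # frames that also passed the CRC check
    rssi_dbm: tuple    # RSSI samples taken during the window

    @property
    def pdr(self):
        # No frames at all counts as PDR 0 (nothing was delivered).
        return self.frames_ok / self.frames_seen if self.frames_seen else 0.0


@dataclass(frozen=True)
class Baseline:
    pdr_floor: float     # PDR below this means poor link utility
    rssi_ok_dbm: float   # weakest mean RSSI at which the clean link still delivered


def calibrate(clean_windows, k=3.0):
    """Derive thresholds from windows recorded before any jamming (assumed clean)."""
    pdrs = [w.pdr for w in clean_windows]
    floor = max(0.0, mean(pdrs) - k * pstdev(pdrs))
    rssi_ok = min(mean(w.rssi_dbm) for w in clean_windows)
    return Baseline(pdr_floor=floor, rssi_ok_dbm=rssi_ok)


def classify(window, baseline):
    """PDR first, then RSSI as the consistency check."""
    if window.pdr >= baseline.pdr_floor:
        return "ok"
    # Poor delivery. A weak signal explains it (distance, dead neighbour);
    # a strong signal does not, so something is interfering with the channel.
    if mean(window.rssi_dbm) >= baseline.rssi_ok_dbm:
        return "jammed"
    return "weak-link"


def sleep_plan(verdicts, base_s=60, max_s=3600):
    """Sleep interval after each window: back off while jamming persists."""
    plan, interval = [], 0
    for verdict in verdicts:
        if verdict == "jammed":
            interval = base_s if interval == 0 else min(interval * 2, max_s)
        else:
            interval = 0   # channel usable again: resume the normal duty cycle
        plan.append(interval)
    return plan


# Constructed sample data (not measurements from the article).
CLEAN = [
    Window(100, 98, (-70, -71, -69)),
    Window(100, 96, (-72, -73, -71)),
    Window(100, 99, (-68, -67, -69)),
    Window(100, 97, (-75, -76, -74)),
]
OBSERVED = [
    Window(100, 97, (-71, -70, -72)),   # normal traffic
    Window(40, 12, (-93, -95, -94)),    # neighbour out of range
    Window(100, 20, (-60, -58, -61)),   # frames corrupted despite strong signal
    Window(0, 0, (-52, -50, -51)),      # channel busy, no decodable frames
]

BASELINE = calibrate(CLEAN)
VERDICTS = [classify(w, BASELINE) for w in OBSERVED]
PLAN = sleep_plan(VERDICTS)

if __name__ == "__main__":
    for w, v, s in zip(OBSERVED, VERDICTS, PLAN):
        print(f"pdr={w.pdr:.2f} rssi={mean(w.rssi_dbm):.1f} dBm -> {v}, sleep {s}s")
```

The second observed window shows why PDR alone is not sufficient: delivery is poor, but the weak signal explains it, so the node does not enter the sleep-and-probe cycle.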
Figure 2. How an attack can take over large portions of a network: (a) a properly clustered network and (b) a network subverted by a bogus cluster-head volunteer message from an attacker.
and selective forwarding is implicit acknowledgments, which ensure that packets are forwarded as they were sent. Another technique is multipath routing, which sends the same data over multiple paths to give it a higher probability of reaching its destination. However, neither solution is attractive for sensor networks. Implicit acknowledgments require that the sensor node’s radio be active (thus increasing power consumption), and they’re unreliable when bidirectional links aren’t guaranteed. Multipath routing wastes power on redundant paths and consumes additional network bandwidth. Also, it might not be feasible in sparse networks owing to the lack of routing options.

Hello flooding is an attack that doesn’t require the attacker to compromise encryption.14 Many routing protocols have nodes broadcast hello messages to inform one-hop neighbors of their presence. An attacker mounts a hello flood by recording hello packets, sending them from a laptop-class node with high transmit power. These replayed hello packets reach nodes that the originating node can’t communicate with directly. Any node that uses the originating node as the next hop in a route but that isn’t within that node’s radio range won’t be able to reliably forward traffic.

Pairwise authentication, which lets nodes verify bidirectional links before constructing routes, can combat this attack. Geographic routing protocols such as Geographic and Energy-Aware Routing15 that let nodes discount hello messages from nodes not within communication range can also prevent this attack. Geographic protocols require each node to know its location and be able to communicate that location to other nodes.

Large-scale sensor deployments use clustering to route traffic in an energy-efficient way via data aggregation at cluster heads. By organizing into clusters, nodes can also reduce their transmit power levels since they need only reach the nodes in their cluster. This reduces energy consumption for transmitters and improves spatial reuse in the network. Most clustering protocols further manage energy consumption by reclustering often and rotating the cluster-head burden throughout the network’s nodes.

The exact clustering process differs by protocol, but the basic steps are as follows: A certain proportion of nodes volunteer to be cluster heads on the basis of energy levels, desired cluster size, or some other metric. These nodes advertise their status as a cluster head. Other nodes join clusters by selecting a cluster head, usually selecting the one with the strongest signal, and then they broadcast a message, indicating membership in the cluster.

An attacker can subvert this process in several ways. By transmitting bogus cluster-head volunteer messages using a very strong radio signal, a network intruder might trick numerous nodes into joining a nonexistent cluster. Recording and later replaying these cluster volunteer messages can have the same effect. Figure 2 shows how this attack can take control of large portions of a network.

The first steps in mitigating such attacks are traffic authentication and antireplay support, which will cause nodes to ignore counterfeit cluster-head volunteer messages. Kun Sun and his colleagues propose a secure distributed-clustering protocol, based on cliques in which all nodes use public-key encryption to establish trust relationships with their neighbors.16 This mechanism relies on asymmetric cryptography, which sensor networks usually avoid, because such protocols have high computational complexity and memory requirements.

Instead of having nodes volunteer to become cluster heads, some clustering protocols use cluster-head elections based on each node’s stated resources, such as current energy supply. A network intruder might lie when providing resource information to ensure it’s elected
as a cluster head. Garth Crosby, Niki Pissinou, and James Gadze introduce a trust-based framework for secure cluster-head election in ad hoc networks.17 Their technique, although promising, relies on a combination of network-wide, cluster-wide, and pairwise encryption keys, which makes it impractical for large-scale sensor deployments.

Homing is a network layer attack that uses traffic pattern analysis to identify and target nodes that have special responsibilities, such as cluster heads or cryptographic-key managers. An attacker then achieves DoS by jamming or destroying these key network nodes. Header encryption is a common prevention technique, but it doesn’t completely prevent traffic analysis. Simply analyzing the volume of traffic in various portions of the network might be enough to identify the location of cluster-head nodes or base stations. Jing Deng, Richard Han, and Shivakant Mishra suggest using “dummy packets” throughout the network to equalize traffic volume and thus prevent traffic analysis.18 Unfortunately, this wastes significant sensor node energy, so use it only when preventing traffic analysis is of utmost importance.

The transport layer

At the transport layer, which manages end-to-end connections, flooding attacks exploit protocols that maintain connection information at either end.1 For example, in a TCP SYN (synchronize) flood attack, an adversary sends multiple connection requests without ever completing the connection, thus overwhelming the target’s half-open connection buffer. Connectionless transport protocols are immune to this type of attack, but they might not provide the necessary transport-layer functionality to applications. The primary defense against this is SYN cookies, which encode information from the client’s TCP SYN message and return it to the client to avoid maintaining state at the server (see http://cr.yp.to/syncookies.html). Yet these techniques’ computational and message overhead makes them undesirable for WSNs.

In a desynchronization attack, an attacker interrupts an active connection between two nodes by transmitting forged packets with bogus sequence numbers or control flags that desynchronize endpoints so that they’ll retransmit data.1 Header or full-packet authentication can defeat such an attack.

The application layer

At the application layer, an attacker might attempt to overwhelm network nodes with sensor stimuli, causing the network to forward large volumes of traffic to a base station. This attack consumes network bandwidth and drains node energy. However, it’s effective only when particular sensor readings (such as motion detection or heat signatures) trigger communications—not when sensor readings are sent at fixed intervals. You can mitigate this attack by carefully tuning sensors so that only the specifically desired stimulus, such as vehicular movement, as opposed to any movement, triggers them. Rate-limiting and efficient data-aggregation algorithms can also reduce these attacks’ effects.

Another application-layer attack involves injecting spurious or replayed packets into the network at leaf nodes in a path-based DoS attack.19 As the packet is forwarded to its destination, nodes along the path to the base station waste bandwidth and energy transmitting the traffic. This attack can starve the network of legitimate traffic, because it consumes resources on the path to the base station, thus preventing other nodes from sending data to the base station (see figure 3). Combining packet authentication and antireplay protection prevents these attacks.

Protocols such as TinyOS’s Deluge network-programming system let you remotely reprogram nodes in deployed networks.20 Most of these systems, including Deluge, are designed for use in a trustworthy environment. If the reprogramming process isn’t secure, an intruder can hijack this process and take control of large portions of a network.

One security technique uses authentication streams to secure the reprogramming process.21 This divides a program binary into a series of messages, each of which contains a hash of the next message. This mechanism ensures that an intruder can’t hijack an ongoing program transmission, even if he or she knows the hashing mechanism. This is because it would be almost impossible to construct a message that matches the hash contained in the previous message. A digitally signed advertisement, which contains the program name, version number, and hash of the first message, ensures that the process is securely initiated.

We can defeat many threats using existing encryption and authentication mechanisms, and other techniques (such as identifying jamming attacks)7 can alert network administrators of ongoing attacks or trigger techniques to conserve energy on affected devices. However, we need additional research in low-overhead antireplay protocols. Such protocols would complement current authentication techniques and would help prevent many of the attacks we’ve described.

Defending against denial-of-sleep attacks is also crucial to the viability of sensor network deployments. Providing such security is critical if sensor networks are to realize the promise of widespread deployment.

The Authors

David R. Raymond is a third-year PhD student in Virginia Tech’s Bradley Department of Electrical and Computer Engineering. His research interests include energy-efficient medium-access-control protocols for wireless sensor networks, mobile and ad hoc networking, and network security. He received his MS in computer science from Duke University. He’s a student member of the IEEE and the ACM. Contact him at the Bradley Dept. of Electrical and Computer Eng., Virginia Tech, 302 Whittemore Hall (0111), Blacksburg, VA 24061; raymondd@vt.edu.

Scott F. Midkiff is a professor in Virginia Tech’s Bradley Department of Electrical and Computer Engineering. He has been on a temporary assignment as a program director at the US National Science Foundation since September 2006. His research interests include system issues in wireless and ad hoc networks, network services for pervasive computing, and performance modeling of mobile ad hoc networks. He received his PhD in electrical engineering from Duke University. He’s a senior member of the IEEE. Contact him at the Bradley Dept. of Electrical and Computer Eng., Virginia Tech, 302 Whittemore Hall (0111), Blacksburg, VA 24061; midkiff@vt.edu.
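The authentication-stream scheme from the application-layer discussion (each message carries a hash of the next, and the signed advertisement carries the hash of the first), as an added example that is not code from the article, from Deluge, or from the cited work. SHA-256, the message layout, the zero-filled end marker and the sample image are assumptions; the advertisement's signature is assumed to have been verified before the receiver is created.

```python
import hashlib
import hmac

HASH_LEN = 32            # SHA-256 (assumption: the article names no hash function)
END = bytes(HASH_LEN)    # assumed marker in the last message: "no next message"


def build_stream(image: bytes, chunk_size: int):
    """Split image into messages laid out as [hash of next message | payload].

    The chain is built back to front so each message can embed the hash of its
    successor. Returns (first_hash, messages); first_hash is the value that
    goes into the signed advertisement.
    """
    chunks = [image[i:i + chunk_size] for i in range(0, len(image), chunk_size)]
    messages, next_hash = [], END
    for chunk in reversed(chunks):
        msg = next_hash + chunk
        messages.append(msg)
        next_hash = hashlib.sha256(msg).digest()
    messages.reverse()
    return next_hash, messages


class Receiver:
    """Node-side check: one stored hash, one hash computation per message."""

    def __init__(self, first_hash: bytes):
        self.expected = first_hash   # taken from the verified advertisement
        self.image = bytearray()

    @property
    def complete(self):
        return self.expected == END

    def accept(self, msg: bytes) -> bool:
        if self.complete or len(msg) < HASH_LEN:
            return False
        digest = hashlib.sha256(msg).digest()
        if not hmac.compare_digest(digest, self.expected):
            return False             # drop; state unchanged, keep waiting
        self.expected = msg[:HASH_LEN]
        self.image += msg[HASH_LEN:]
        return True


def deliver(first_hash, wire):
    """Feed messages to a fresh receiver; return (accepted flags, image, complete)."""
    rx = Receiver(first_hash)
    accepted = [rx.accept(m) for m in wire]
    return accepted, bytes(rx.image), rx.complete


# Constructed stand-in for a program binary, split into three messages.
IMAGE = bytes(range(40))
FIRST_HASH, STREAM = build_stream(IMAGE, 16)

# A message injected mid-transfer: it copies the genuine hash field, swaps the payload.
FORGED = STREAM[1][:HASH_LEN] + b"\xff" * 16
# A second, internally consistent chain for a different image (hijack attempt).
_, OTHER = build_stream(b"\xaa" * 40, 16)

if __name__ == "__main__":
    print(deliver(FIRST_HASH, [STREAM[0], FORGED, STREAM[1], STREAM[2]]))
    print(deliver(FIRST_HASH, [STREAM[0]] + OTHER[1:]))
```

A message can only be checked once its predecessor has been accepted, so this receiver needs in-order delivery and treats a stream as finished only when the end marker is reached.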
References

1. A.D. Wood and J.A. Stankovic, “Denial of Service in Sensor Networks,” Computer, vol. 35, no. 10, 2002, pp. 54–62.
2. K. Sohrabi et al., “Protocols for Self-Organization of a Wireless Sensor Network,” IEEE Personal Comm., vol. 7, no. 5, 2000, pp. 16–27.
3. A. Perrig et al., “Spins: Security Protocols for Sensor Networks,” Wireless Networks, vol. 8, no. 55, 2002, pp. 521–534.
4. C. Karlof, N. Sastry, and D. Wagner, “TinySec: A Link Layer Security Architecture for Wireless Sensor Networks,” Proc. 2nd Int’l Conf. Embedded Networked Sensor Systems, ACM Press, 2004, pp. 162–175.
5. IEEE Std. 802.15.4, Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specification for Low-Rate Wireless Personal Area Networks (LR-WPANs), IEEE, 2003.
6. N. Sastry and D. Wagner, “Security Considerations for IEEE 802.15.4 Networks,” Proc. ACM Workshop Wireless Security, ACM Press, 2004, pp. 32–42.
7. W. Xu et al., “The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks,” Proc. 11th Ann. Int’l Conf. Mobile Computing and Networking, ACM Press, 2005, pp. 46–57.
8. A. Woo, T. Tong, and D. Culler, “Taming the Underlying Challenges for Reliable Multihop Routing in Sensor Networks,” Proc. 1st ACM Int’l Conf. Embedded Networked Sensor Systems, ACM Press, 2003, pp. 14–27.
9. D. Raymond et al., “Effects of Denial of Sleep Attacks on Wireless Sensor Network MAC Protocols,” Proc. 7th Ann. IEEE Systems, Man, and Cybernetics (SMC) Information Assurance Workshop (IAW), IEEE Press, 2006, pp. 297–304.
10. F. Stajano and R. Anderson, “The Resurrecting Duckling: Security Issues for Ad-Hoc Wireless Networks,” Proc. 7th Int’l Workshop Security Protocols, Springer, 1999, pp. 172–194.
11. W. Ye, J. Heidemann, and D. Estrin, “Medium Access Control with Coordinated Adaptive Sleeping for Wireless Sensor Networks,” IEEE/ACM Trans. Networking, vol. 12, no. 3, 2004, pp. 493–506.
12. J. Polastre, J. Hill, and D. Culler, “Versatile Low Power Media Access for Wireless Sensor Networks,” Proc. 2nd ACM Int’l Conf. Embedded Networked Sensor Systems, ACM Press, 2004, pp. 95–107.
13. T. VanDam and K. Langendoen, “An Adaptive Energy-Efficient MAC Protocol for Wireless Sensor Networks,” Proc. 1st ACM Int’l Conf. Embedded Networked Sensor Systems, ACM Press, 2003, pp. 171–180.
14. C. Karlof and D. Wagner, “Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures,” Proc. 1st IEEE Int’l Workshop Sensor Network Protocols and Applications, IEEE Press, 2003, pp. 113–127.
15. Y. Yu, R. Govindan, and D. Estrin, Geographical and Energy Aware Routing: A Recursive Data Dissemination Protocol for Wireless Sensor Networks, tech. report UCLA/CSD-tr-01-0023, Computer Science Dept., Univ. of California, Los Angeles, 2001.
16. K. Sun et al., “Secure Distributed Cluster Formation in Wireless Sensor Networks,” Proc. 22nd Ann. Computer Security Applications Conf., IEEE CS Press, 2006, pp. 131–140.
17. G.V. Crosby, N. Pissinou, and J. Gadze, “A Framework for Trust-Based Cluster Head Election in Wireless Sensor Networks,” Proc. 2nd IEEE Workshop Dependability and Security in Sensor Networks and Systems, IEEE Press, 2006, pp. 13–22.
18. J. Deng, R. Han, and S. Mishra, “Intrusion Tolerance and Anti-Traffic Analysis Strategies for Wireless Sensor Networks,” Proc. Int’l Conf. Dependable Systems and Networks, IEEE CS Press, 2004, pp. 637–656.
19. J. Deng, R. Han, and S. Mishra, “Defending against Path-Based DoS Attacks in Wireless Sensor Networks,” Proc. 3rd ACM Workshop Security of Ad Hoc and Sensor Networks, ACM Press, 2005, pp. 89–96.
20. J.W. Hui and D. Culler, “The Dynamic Behavior of a Data Dissemination Protocol for Network Programming at Scale,” Proc. 2nd ACM Conf. Embedded Networked Sensor Systems, ACM Press, 2004, pp. 81–94.
21. P.K. Dutta et al., “Securing the Deluge Network Programming System,” Proc. 5th Int’l Conf. Information Processing in Sensor Networks, ACM Press, 2006, pp. 326–333.