An Ultimate Approach of Mitigating Attacks in RPL Based Low Power Lossy Networks
Jaspreet Kaur
PhD Scholar, CSE Department, Indian Institute of Technology Jodhpur
Jodhpur, [email protected]
Abstract —The Routing Protocol for Low-Power and Lossy Networks (RPL) is the standard routing protocol for the Internet of Things (IoT). RPL is a proactive, lightweight distance-vector protocol that offers some protection against routing attacks. Still, various attacks (rank attacks, version number attacks and many more) remain possible, because control frames are unauthenticated or unencrypted, the root acts as a centralized controller, and devices may be compromised or unauthenticated. Several solutions exist in the literature, but each has its pros and cons, and no framework so far addresses all of these issues together. We therefore present an ultimate approach to mitigate these RPL attacks more efficiently and effectively. We use an IDS-based system against internal attacks and a mini-firewall against external attacks. In the IDS-based approach, intrusion detection systems at multiple locations analyse the behaviour of nodes. The final decision on whether a node is an attacker depends mainly on three things: trust between neighbouring nodes, local decisions by multiple sink nodes, and a global decision by the root node. We also borrow some blockchain features in this framework for better internal security. The mini-firewall uses threshold values and rules to remove external attacks. This paper presents the proposed approach and a theoretical analysis of it, which indicates better protection from these attacks than existing methods.
Index Terms —Internet of Things (IoT), Routing Protocol, RPL Attacks, Low Power Lossy Networks, Multiple Sink Nodes, Trust, Local Decision, Global Decision, Blockchain, Intrusion Detection System (IDS), Mini-Firewall.
I. INTRODUCTION
In today's world, IoT is a technically revolutionary area of mobile and wireless communication that deploys Low-power and Lossy Networks (LLNs). These networks are typically composed of many heterogeneous embedded devices with limited power, memory and processing resources. IoT is now applied in many areas such as industrial monitoring, smart homes, health care, environmental monitoring, smart cities, smart grids and more. Because of this huge number of applications, security becomes critical for the privacy of personal data. RPL is the default routing protocol in these networks and is susceptible to various attacks. We now briefly describe the related technologies used in this paper.
A. The RPL Routing Protocol and Its Attacks
RPL is a proactive distance-vector protocol used for routing in IoT networks. At the beginning, RPL builds a graph-like structure called the Destination Oriented Directed Acyclic Graph (DODAG). The DODAG consists of paths from the sender nodes (IoT devices) to the sink node (the 6LoWPAN Border Router, 6LBR). During routing, every node maintains a rank that reflects its position in the DODAG tree relative to the root, and every DODAG is maintained through control and route information. The control frames used by the DODAG are the DODAG Information Object (DIO), the Destination Advertisement Object (DAO) and the DODAG Information Solicitation (DIS), which carry the DODAG information. Route path selection is a key factor in RPL: it uses various routing metrics, route constraints and objective functions (OFs), such as hop count, energy minimization and latency, to compute the best path. The basic structure of an RPL network is shown below.
Fig. 1. RPL Based Low Power Lossy Network
There are various attacks possible in an RPL network which significantly impact network resources and performance. These attacks are possible because control frames are unauthenticated or unencrypted, the root acts as a centralized controller, devices may be compromised or unauthenticated, and for many other reasons. Some of these attacks are shown in figure 2 and briefly described below.
Fig. 2. RPL Network Attacks
1) Sinkhole Attack:
In this internal attack, an attacker or compromised node advertises an attractive path to lure many nearby nodes into routing traffic through it. This disrupts the network topology and becomes much stronger when combined with other attacks [2].
2) Version Number Modification Attack:
This internal attack is carried out by changing the version number (from lower to higher) of a DODAG. When nodes receive a DIO message carrying the new, higher version number, they start forming a new DODAG. This results in an unoptimized or inconsistent network topology, increases control overhead and raises packet loss [2].
3) Denial of Service Attack:
A denial of service or distributed denial of service attack is an attempt to make resources unavailable to their legitimate users [12-13]. In RPL this attack can be carried out by IPv6 UDP packet flooding [2].
4) Neighbor Attack:
In this attack, the intruder rebroadcasts DIO messages it has received without adding its own information. A node that receives such a message may conclude that a new neighbour sent this DIO. The victim nodes then select out-of-range nodes as neighbours for routing, which degrades network quality parameters [2].
5) Wormhole Attack:
This attack is carried out by creating a tunnel between two attackers and transmitting selected traffic through it, which disrupts the network topology and traffic flow [2].
6) Decreased Rank Attacks:
In a DODAG, rank expresses the position of a node relative to the sink node: the lower the rank, the closer the node is to the root, and vice versa. When a malicious node advertises a lower rank value, it wants the majority of the traffic to pass through it. As a result, many legitimate nodes connect to the attacker. An attacker changes its rank value through falsified DIO messages. Finally, the attacker either drops these messages or selectively forwards them. The attack becomes more powerful when combined with other attacks [2].
7) Identity Attacks:
Identity attacks include the clone ID and Sybil attacks. In a clone ID attack, an attacker copies the identity of a valid node onto another physical node. In a Sybil attack, which is similar to a clone ID attack, an attacker runs several logical entities on the same physical node. These attacks can be used to take control over large parts of a network without deploying additional physical nodes [2,12-13].
8) Sniffing Attacks:
A sniffing attack is performed by listening to the packets transmitted over the network. This attack compromises the confidentiality of communications. It also lets the attacker study traffic patterns in preparation for larger attacks [12-13].
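To make the decreased-rank and version number attacks above concrete, the following Python model (an added example, not code from the paper) builds a small DODAG in which every node takes the neighbour advertising the lowest rank as its preferred parent, using the OF0-style rule rank(child) = rank(parent) + MinHopRankIncrease, with 256 as the RFC 6550 default. The topology, node names and attacker placement are constructed for illustration. An attacker that claims the root's rank pulls its neighbours' sub-DODAG through itself, and a single forged DIO carrying a higher version number forces every non-root node to rejoin.

```python
"""
Rank-based parent selection in a small DODAG and the effect of a
decreased-rank and a version-number attack. Added example, not code from
the paper; topology, node names and attacker placement are constructed.
"""
from collections import deque

MIN_HOP_RANK_INCREASE = 256          # RFC 6550 DEFAULT_MIN_HOP_RANK_INCREASE
ROOT_RANK = MIN_HOP_RANK_INCREASE    # rank advertised by the 6LBR

# Constructed radio neighbourhood: who can hear whose DIO (links are symmetric).
LINKS = {
    "root": {"A", "B"},
    "A": {"root", "C", "D"},
    "B": {"root", "D", "E"},
    "C": {"A", "F"},
    "D": {"A", "B", "F", "G"},
    "E": {"B", "G"},
    "F": {"C", "D"},
    "G": {"D", "E"},
}


def build_dodag(links, advertised=None):
    """Return {node: (rank, preferred_parent)} once every honest node has
    settled on the neighbour that advertises the lowest rank.
    `advertised` maps an attacker to the rank it lies about in its DIO;
    the attacker keeps that claimed rank regardless of its real position."""
    advertised = advertised or {}
    rank, parent = {"root": ROOT_RANK}, {"root": None}
    for node, lie in advertised.items():
        rank[node], parent[node] = lie, None
    queue = deque(["root", *advertised])
    while queue:
        n = queue.popleft()
        for nb in sorted(links[n]):              # sorted only for deterministic ties
            if nb == "root" or nb in advertised:
                continue
            cand = rank[n] + MIN_HOP_RANK_INCREASE
            if nb not in rank or cand < rank[nb]:
                rank[nb], parent[nb] = cand, n
                queue.append(nb)                 # nb's own DIO changed: re-evaluate its neighbours
    return {n: (rank[n], parent[n]) for n in rank}


def sub_dodag(dodag, node):
    """Every node whose path to the root passes through `node`."""
    captured = set()
    for n, (_, p) in dodag.items():
        hops = 0
        while p is not None and n != node and hops < len(dodag):
            if p == node:
                captured.add(n)
                break
            p = dodag[p][1]
            hops += 1
    return captured


def version_attack_impact(links, origin, current_version, forged_version):
    """A forged DIO with a higher DODAG version spreads hop by hop; every node
    that hears it discards its rank and parent and rejoins (global repair).
    Returns the set of nodes forced to rejoin; the root is skipped because it
    is the only legitimate source of a new version."""
    if forged_version <= current_version:
        return set()
    seen, queue = {origin}, deque([origin])
    while queue:
        for nb in links[queue.popleft()]:
            if nb not in seen and nb != "root":
                seen.add(nb)
                queue.append(nb)
    return seen


if __name__ == "__main__":
    honest = build_dodag(LINKS)
    attacked = build_dodag(LINKS, advertised={"G": ROOT_RANK})   # G claims the root's rank
    print("honest  :", honest)
    print("attacked:", attacked)
    print("traffic now routed via G:", sorted(sub_dodag(attacked, "G")))
    print("nodes forced to rejoin by one forged version DIO:",
          sorted(version_attack_impact(LINKS, "G", 1, 2)))
```

In the honest DODAG, G is a leaf at rank 1024 and carries nobody's traffic; once it claims rank 256, D and E re-parent to it at rank 512 and F follows through D, which is the sinkhole effect described above. The version number case needs no position advantage at all: one DIO from a leaf resets the whole network.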
B. Blockchain
Blockchain is fundamentally a decentralized, distributed, shared and immutable database ledger that stores data across a peer-to-peer (P2P) network. It consists of chained blocks of data that have been timestamped and validated by miners. Fundamentally, the block data contains a list of transactions and a hash of the previous block. The blockchain holds the full history of all transactions and provides global distributed trust [1].
C. Intrusion Detection System(IDS)
An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and issues alerts when such activity occurs. An IDS can be signature based or anomaly based, and network based or host based, depending on the needs of the application. IDSs are mainly used for the detection of internal attacks.
D. Firewall
A firewall is used for protection from outside attacks. It uses threshold values or specific rules to filter unwanted traffic, for example filtering based on port numbers, IP addresses and many other parameters.
E. Trust
Trust means the integrity, strength, ability or confidence one person places in another person or thing. A trust is a relationship or agreement in which one party, known as the trustor, relies on another party, the trustee.
The rest of the paper is organized as follows: section 2 describes the related work and the motivation for our work. Section 3 presents our proposed framework system, followed by the theoretical analysis of the work in section 4. In section 5, a conclusion of our findings is presented along with future extensions of our work.
II. RELATED WORK & MOTIVATION
For the detection and mitigation of RPL attacks, various mechanisms have been presented in the literature. Each has its own pros and cons: a mechanism is useful for one attack but not for others, and there is no standardized framework for securing an RPL network. A survey of the literature for some of the attacks is given below.

In paper [1], the authors describe various IoT security issues and open challenges and propose blockchain as a solution for these attacks. They also review RPL attacks and the solutions present in the literature. In paper [2], a detailed survey of RPL attacks and their solutions is presented. The authors describe a taxonomy of RPL attacks based on resources, topology and traffic, and give a risk management process for these attacks.

In paper [3], the authors discuss and implement various RPL attacks in the Cooja simulator. They also present solutions from the literature and propose a new one, a lightweight heartbeat protocol for RPL networks. The protocol is based on the successful transmission of ICMPv6 messages from the root node to the nodes and vice versa. It adds little overhead but reaches its full potential only if IPsec with ESP is used.

In paper [4], the authors describe the blackhole attack and present a two-step solution. In the first step, a local decision is made by a node observing the behaviour of its neighbouring nodes. If any node is found suspicious, the final decision on whether it is a blackhole node is taken by the root node; this is called the global verification process. The solution is very effective, but every node observes the behaviour of its neighbours, which increases the memory load on these constrained devices, and the final decision is made by the root node, which is a single point of failure if compromised.

In paper [5], the authors describe the wormhole attack and present Merkle tree authentication as a solution. This solution is effective but increases network complexity and control overhead because of the hashing and encryption techniques. In paper [6], the authors describe sinkhole attacks and give a solution that combines two techniques: a rank authentication technique (one-way hash chaining) and a parent fail-over technique (end-to-end acknowledgement). This solution is very promising, but the Sybil attack is not handled by the parent fail-over technique, and rank authentication is secure only as long as the random number given to the root node is not obtained by the attacker.

In paper [7], the authors present SVELTE, a real-time intrusion detection system for the Internet of Things. This IDS is extensible and also includes a firewall feature. However, detection has so far been implemented for only a few attacks, with the rest still to be implemented, and the question remains what happens if attackers defeat SVELTE's own security features. In paper [8], a hybrid routing protocol combining proactive and reactive approaches is presented for wireless sensor networks with mobile sinks. This approach is very useful for network lifetime and for keeping the cost of maintaining DAGs low.

In paper [9], the authors present VeRA, version number and rank authentication in RPL, as a solution for rank and version number attacks. This solution is cryptographically secure, but it produces some faulty results because of the missing correlation between the rank hash chain and the version number hash chain. In paper [10], the authors present VeRA++ and TRAIL for mitigating topological attacks in RPL. Both use cryptography, which makes them highly complex, and distributed attackers communicating over an out-of-band channel cannot be detected in this model.

In paper [11], the authors present SecTrust-RPL for mitigating rank and Sybil attacks. They use trust (direct or recommended) as the defence mechanism. This solution is very powerful, but it assumes the nodes are stationary and uses location as a defence metric. They simulate only direct trust in this model, not indirect trust. They also assume only 10% of the nodes are attackers, and the question remains what happens if the trust maintenance database is compromised by the attacker.

As the above discussion shows, every solution has some limitation. This is the basis of my motivation for this research: there is no standard framework or method for providing security in an RPL network. Various security modes, such as unsecured, preinstalled and authenticated, are described in the RPL standard. However, real IoT products (from Cisco and others) and simulation tools (Cooja, RIOT and others) still support only the unsecured mode. The security modes remain unimplemented in practice because of the constrained nature of IoT devices.
III. PROPOSED FRAMEWORK SYSTEM
We propose an ultimate approach (the structure of the proposed framework is shown in figure 3) for removing all internal and external RPL attacks. For removing internal attacks, we use an IDS- or trust-based approach, and for mitigating external attacks we use threshold values and rules in a mini-firewall. We place intrusion detection systems (a combination of signature and anomaly based) at multiple locations (global and local) for analysing the behaviour of nodes. The global IDS must be placed at the 6LBR (the sink node of the RPL network), and we take multiple fixed local sink nodes (approximately 10-15% of the total nodes), each with a local IDS; the local sink nodes in turn attach to the global sink node.
Fig. 3. Proposed Framework
IoT devices or nodes, whether mobile or stationary, attach to the closest local sink node (closeness depends on the objective function used, such as hop count, latency or energy minimization). We also include a trust parameter (successful message exchange ratio) between local nodes for better security. The final decision on whether a node is an attacker depends mainly on three things: trust between neighbouring nodes, local decisions by multiple sink nodes and a global decision by the root node. A mini-firewall is placed on every node as well as on every sink node; it contains the list of authenticated nodes along with parameters such as IP address and rank for mitigating external attacks.

In figure 3, every node, including the sink nodes, maintains a database. For normal nodes, the database contains the trust values and the list of authenticated nodes (firewall rules) for each of their neighbour nodes (the database is write protected, or secured by the private key). The trust value is defined by the successful packet exchange ratio: a ratio above 70% is treated as the best path, below 40% as the worst, and in between we check exactly three times (the threshold value) for an improving result or path. Each local sink node keeps several tables or lists with different functions. The first table contains all signature IDS rules, firewall rules and threshold values. Second, we maintain a singly linked list of blocks, in which each block contains the transactions or packets of the local network for a particular time interval and block size; this is used for tracking real-time data (anomaly IDS). To maintain immutability, each block contains the hash of the previous block, as in a blockchain. These block hashes, together with the hash computed over the first table, are saved in a second table which is write protected, or secured by the private key. Both tables are updated periodically whenever a new hash or rule arises.

For backup, each local sink's linked list is saved, together with its hashes, at the immediately neighbouring (unidirectional) local sink and updated instantly. For the global sink node, the first table is the same as for a local sink node. Second, we maintain the combination of all linked lists (updated instantly) of every local sink node for a global view of the RPL network. The second table contains the hash of the first table along with the hashes of all linked lists of each local network; the rest is the same as for a local sink node. Because of the resource-constrained nature of the devices, after a particular time interval we remove a particular number of blocks, along with their hashes, from the start of the linked list in both the local and the global sink nodes, while keeping a summary of those records in the first table as added rules. From the above we can also say that our proposed approach follows blockchain features such as immutability, decentralization, and a distributed and shared ledger. The database structure is shown in more detail in figure 4:
Fig. 4. Database Structure
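The node-level decision described above, as an added Python example that is not code from the paper: the mini-firewall checks a control frame against the authenticated-node list (IP address and a per-sender sequence number), the signature rules of the sink then check an authenticated node's DIO (a child's rank must exceed its parent's; only the root raises the DODAG version), and the trust class of a neighbour follows from the successful-exchange ratio with the 70%/40% thresholds and three re-checks in between. The addresses, ranks, the DIO field names, the MinHopRankIncrease of 256 and the choice to treat a path that is still in the grey band after three re-checks as worst are assumptions; the paper does not specify them.

```python
"""
Mini-firewall, signature IDS rules and trust ratio from the proposed
framework. Added example, not code from the paper; addresses, ranks,
field names and the post-re-check rule are assumptions.
"""
from dataclasses import dataclass

MIN_HOP_RANK_INCREASE = 256   # RFC 6550 default rank step (assumed here)
ROOT_VERSION = 1              # DODAG version currently advertised by the 6LBR

# Mini-firewall table (constructed): authenticated nodes with the rank each
# was assigned when it joined and the parent each announced in its DAO.
AUTHENTICATED = {
    "fd00::1": {"rank": 256, "parent": None},      # root / 6LBR
    "fd00::a": {"rank": 512, "parent": "fd00::1"},
    "fd00::b": {"rank": 512, "parent": "fd00::1"},
    "fd00::c": {"rank": 768, "parent": "fd00::a"},
}
BEST, WORST, RECHECK_LIMIT = 0.70, 0.40, 3        # thresholds from the paper


@dataclass(frozen=True)
class DIO:
    src: str       # IPv6 source of the control frame
    rank: int      # rank the sender advertises
    version: int   # DODAG version it advertises
    seq: int       # per-sender sequence number checked by the firewall


class Trust:
    """Successful message-exchange ratio per neighbour."""

    def __init__(self):
        self.sent, self.acked, self.rechecks = {}, {}, {}

    def record(self, nb, ok):
        self.sent[nb] = self.sent.get(nb, 0) + 1
        if ok:
            self.acked[nb] = self.acked.get(nb, 0) + 1

    def ratio(self, nb):
        return self.acked.get(nb, 0) / self.sent[nb] if self.sent.get(nb) else 0.0

    def classify(self, nb):
        r = self.ratio(nb)
        if r > BEST:
            return "best"
        if r < WORST:
            return "worst"
        # grey band: re-check the path three times; still grey afterwards -> worst (assumption)
        self.rechecks[nb] = self.rechecks.get(nb, 0) + 1
        return "recheck" if self.rechecks[nb] <= RECHECK_LIMIT else "worst"


class LocalSink:
    def __init__(self):
        self.last_seq = {}
        self.trust = Trust()

    def firewall(self, dio):
        """External attacks: unknown source, or a sequence number that does not advance."""
        if dio.src not in AUTHENTICATED:
            return "drop:unauthenticated"
        if dio.seq <= self.last_seq.get(dio.src, -1):
            return "drop:replayed-sequence"
        self.last_seq[dio.src] = dio.seq
        return None

    def signature_rules(self, dio):
        """Internal attacks: known-attack rules on an authenticated node's DIO."""
        hits = []
        if dio.version > ROOT_VERSION:                 # only the root may raise the version
            hits.append("version-number")
        parent = AUTHENTICATED[dio.src]["parent"]
        if parent is not None and dio.rank < AUTHENTICATED[parent]["rank"] + MIN_HOP_RANK_INCREASE:
            hits.append("decreased-rank")              # child must be deeper than its parent
        return hits

    def handle(self, dio):
        verdict = self.firewall(dio)
        if verdict:
            return verdict
        hits = self.signature_rules(dio)
        return "alert:" + ",".join(hits) if hits else "accept"


SAMPLE_DIOS = [                      # constructed control traffic seen by the sink
    DIO("fd00::a", 512, 1, 1),       # honest
    DIO("fd00::9", 256, 1, 1),       # not in the authenticated table (external)
    DIO("fd00::c", 256, 1, 1),       # claims a rank below its parent fd00::a
    DIO("fd00::b", 512, 2, 1),       # raises the version number
    DIO("fd00::a", 512, 1, 1),       # same sequence number again (replay)
]


def run_demo(sink=None):
    sink = sink or LocalSink()
    return [sink.handle(d) for d in SAMPLE_DIOS]


def trust_demo():
    """Constructed exchange histories: 8/10, 2/10 and 5/10 successful."""
    t = Trust()
    histories = {"fd00::a": [True] * 8 + [False] * 2,
                 "fd00::b": [True] * 2 + [False] * 8,
                 "fd00::c": [True] * 5 + [False] * 5}
    for nb, oks in histories.items():
        for ok in oks:
            t.record(nb, ok)
    return {nb: [t.classify(nb) for _ in range(4)] for nb in histories}


if __name__ == "__main__":
    print(run_demo())
    print(trust_demo())
```

The firewall and the signature rules are deliberately separate: the firewall only answers "is this sender one of ours and is the frame fresh", which needs no knowledge of the DODAG, while the rank and version rules need the parent table that only a sink with DAO state can keep.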
IV. OBSERVATIONS & THEORETICAL RESULTS
The proposed approach was analysed theoretically in a smart environment for mitigating RPL attacks. Some of the important results and observations are as follows:
• It removes the single point of failure (the root node). In the proposed decentralized approach, the final decision on whether a node is an attacker depends mainly on three things: trust between neighbouring nodes, local decisions by multiple sink nodes and a global decision by the root node.
• Because of the multiple local sinks, the number of transmissions is reduced from the entire network to only the closest sink, and every local sink node maintains a DAG only up to a limited number of nodes in the main RPL network. This reduces network load in terms of control message overhead and increases throughput.
• Sink discovery by sensor nodes almost eliminates the use of stale routes, which would otherwise cause retransmission of packets. Thus it reduces network overhead.
• For removing unauthenticated devices and unauthenticated control packets (external attacks), we use a mini-firewall at every node (including the sink nodes), which maintains a database of authenticated devices using parameters such as IP address, rank, version number and sequence number.
• For mitigating attacks that arise from unencrypted control frames or compromised nodes (internal attacks), we use an IDS which checks for attackers in three phases. In the first phase, we take the trust parameter between nodes, as described above, for selecting the best path (best parent node) towards the sink. In the second phase, each local sink node maintains the linked list of blocks for tracking the history of its network. Finally, the global sink node maintains the history of the DODAG (all local sink nodes) for mitigating any attack. The sink nodes also use signature rules (for example, the rank of the parent node must be less than that of the child node, and many more) for easy detection of known attacks.
• The linked list of blocks is used for unknown attacks. To maintain immutability of the data, the hash of the previous block is contained in the current block, as in a blockchain, by which we can detect any change to those blocks at very low cost. If a change is detected, the blocks from that block up to the current block in the linked list are replaced by the backup data (stored at the immediately neighbouring sink node).
• Signature rules, threshold values and firewall rules are updated periodically, so that attacks seen before are detected in less time.
• Because of the resource limitations of the sink nodes, after a particular time interval we remove a certain number of blocks, along with their hashes (in the second table), from the start of the list, while keeping or adding the important features of those blocks as rules in the first table.
• All of these attacks are mitigated by the proposed approach by observing the behaviour of a node from the moment it joins the network. Once a malicious node is recognized, it can easily be removed from the network. This reduces DAG inconsistency and improves network performance.
• We assume all sink nodes, including the 6LBR, are stationary, so that we can check their geographical location for better protection.
• Overall, we use a semi-supervised IDS, blockchain features, trust parameters and a mini-firewall for protecting the RPL network from various attacks.
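The hash-chained block list of a local sink, with the tamper check, the restore from the neighbouring sink's backup and the pruning of the oldest blocks into summary rules described in the observations above, as an added Python example that is not code from the paper. The record fields, the use of SHA-256 over a JSON serialisation of each block, and the content of the summary rules are assumptions; the paper does not name a hash function or a record format.

```python
"""
Hash-chained linked list of blocks kept by a local sink node: tamper check,
restore from a neighbour's backup, pruning into summary rules.
Added example, not code from the paper; record fields, SHA-256 and the
JSON serialisation are assumptions.
"""
import copy
import hashlib
import json

GENESIS_HASH = "0" * 64


class Block:
    """One interval's packets on the local network plus the previous block's hash."""

    def __init__(self, index, records, prev_hash):
        self.index = index
        self.records = [dict(r) for r in records]
        self.prev_hash = prev_hash

    def compute_hash(self):
        payload = json.dumps(
            {"index": self.index, "records": self.records, "prev_hash": self.prev_hash},
            sort_keys=True)
        return hashlib.sha256(payload.encode()).hexdigest()


class LocalLedger:
    def __init__(self):
        self.blocks = []       # the singly linked list of blocks
        self.hash_table = []   # second table: block hashes (write protected in the paper)
        self.rules = []        # first table: summaries of pruned blocks land here
        self.pruned = 0        # blocks already dropped from the head

    def append(self, records):
        prev = self.hash_table[-1] if self.hash_table else GENESIS_HASH
        block = Block(self.pruned + len(self.blocks), records, prev)
        self.blocks.append(block)
        self.hash_table.append(block.compute_hash())
        return block.index

    def snapshot(self):
        """The copy pushed to the immediately neighbouring local sink as backup."""
        return copy.deepcopy(self)

    def first_bad(self):
        """Position of the first block whose content or link no longer matches
        the second table, or None if the chain is intact (one pass, one hash per block)."""
        prev = self.blocks[0].prev_hash if self.blocks else GENESIS_HASH
        for pos, block in enumerate(self.blocks):
            if block.prev_hash != prev or block.compute_hash() != self.hash_table[pos]:
                return pos
            prev = self.hash_table[pos]
        return None

    def restore_from(self, backup):
        """Replace every block from the first tampered one to the tail with the
        backup's copy; returns how many blocks were replaced."""
        pos = self.first_bad()
        if pos is None:
            return 0
        assert backup.pruned == self.pruned, "backup and local list must be aligned"
        self.blocks[pos:] = copy.deepcopy(backup.blocks[pos:])
        self.hash_table[pos:] = list(backup.hash_table[pos:])
        return len(self.blocks) - pos

    def prune(self, n):
        """Drop the n oldest blocks and their hashes, keeping a summary of each
        as a rule in the first table."""
        for block in self.blocks[:n]:
            self.rules.append({"block": block.index,
                               "packets": len(block.records),
                               "sources": sorted({r["src"] for r in block.records})})
        del self.blocks[:n]
        del self.hash_table[:n]
        self.pruned += n


def build_sample_ledger():
    """Constructed traffic: three intervals of packets seen by one local sink."""
    ledger = LocalLedger()
    ledger.append([{"src": "fd00::a", "dst": "fd00::1", "type": "DIO"},
                   {"src": "fd00::b", "dst": "fd00::1", "type": "DAO"}])
    ledger.append([{"src": "fd00::c", "dst": "fd00::1", "type": "UDP", "len": 60}])
    ledger.append([{"src": "fd00::a", "dst": "fd00::c", "type": "DIO"}])
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    backup = ledger.snapshot()
    ledger.blocks[1].records[0]["len"] = 9000      # a compromised sink edits its history
    print("first tampered block:", ledger.first_bad())
    print("blocks restored from neighbour:", ledger.restore_from(backup))
    ledger.prune(1)
    print("summary rules:", ledger.rules, "chain intact:", ledger.first_bad() is None)
```

The check walks the list once and recomputes one hash per block, which is the low-cost detection the observations rely on; note that it only holds while the second table itself stays trustworthy, which is why the paper keeps that table write protected and mirrors both list and hashes at the neighbouring sink.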
V. CONCLUSION & FUTURE WORK