Peter Kruus

In-Band Wormholes and Countermeasures in OLSR Networks

In a wormhole attack, colluding nodes create the illusion that two remote regions of a MANET are directly connected through nodes that appear to be neighbors, but are actually distant from each other. This undermines shortest-path routing calculations, allowing the attacking nodes to attract traffic, which can then be manipulated. Prior research has concentrated on out-of-band wormholes, which covertly connect the purported neighbors via a separate wireline network or RF channel. We present a detailed description of in-band wormholes in OLSR networks. These connect the purported neighbors via covert, multi-hop tunnels. In-band wormholes are an important threat because they do not require specialized hardware and can be launched by any node in the MANET. Moreover, unlike out-of-band wormholes, in-band wormholes consume network capacity, inherently degrading service. We explain the conditions under which an in-band wormhole will collapse and how it can be made collapse resilient. We identify the self-contained and extended forms of in-band wormholes and present wormhole gravitational analysis, a technique for comparing the effect of wormholes on the network. Finally, we identify potential countermeasures for preventing and detecting in-band wormholes based on packet loss rates, packet delays, and topological characteristics, and we describe the results of initial laboratory experiments to assess their effectiveness

Countering False Accusations and Collusion in the Detection of In-Band Wormholes

Cooperative intrusion detection techniques for MANETs utilize ordinary computing hosts as network intrusion sensors. If compromised, these hosts may inject bogus data into the intrusion detection system to hide their activities or falsely accuse well-behaved nodes. Approaches to Byzantine fault tolerance involving voting are potentially applicable, but must address the fact that only nodes in particular topological locations at particular times are qualified to vote on whether an attack occurred. We examine these issues in the context of a prototype distributed detector for self-contained, in-band wormholes in OLSR networks. We propose an opportunistic voting algorithm and present test results from a 48-node testbed in which colluding attackers generate corroborating false accusations against pairs of innocent nodes. The results indicate that opportunistic voting can instantaneously suppress false accusations when the network topology and routes chosen by OLSR provide a sufficient number of nearby honest observers to outvote the attackers.

Creating and Maintaining a Good Intrusion Detection Hierarchy in Dynamic Ad Hoc Networks

Many insider attacks, such as certain forms of packet dropping, malicious routing updates, and wormholes, can only be detected using distributed and cooperative algorithms. One promising approach for applying these algorithms is using an intrusion detection (ID) hierarchy enabling data aggregation and local decision making whenever possible. A key challenge to this problem is the selection and maintenance of a scalable and robust hierarchy optimizing detection performance (e.g., latency, coverage, and false alarm rate) while incurring minimal cost (e.g., bandwidth and processing). Existing approaches (i.e. flooding for forming a Breadth First Search Tree) to constructing such a hierarchy are simple and distributed; however, their performance and cost can be undesirable. Moreover, mobility can produce constant large scale changes in the hierarchy that degrade performance and increase cost. The main contributions of this paper are to: a) model the performance and costs of ID hierarchies and represent them in formal objective functions and constraints, b) modify an existing versatile, multi-objective hierarchy generation and maintenance tool to create trees, c) give simulation results on the quality and stability of ID hierarchies in a 100-node mobile network