ndss 2004hu and evans, uva1 using directional antennas to prevent wormhole attacks lingxuan hu and...

NDSS 2004 Hu and Evans, UVa 1

Using Directional Antennas to Prevent Wormhole AttacksLingxuan Hu and David Evans[lingxuan, evans]@cs.virginia.eduDepartment of Computer ScienceUniversity of Virginia

NDSS 2004 5 February 2004http://www.cs.virginia.edu/evans/


Wormhole Attack

SD

AB

C

Attacker needs a transceivers at two locations in the network, connected by a low latency link

Attacker replays (selectively) packets heard at one location at the other location

X Y

Pirate image by Donald Synstelien


Beacon Routing0

1

2

3 4

Nodes select parentsbased on minimumhops to base station


Wormhole vs. Beacon Routing

0

1

2

X

Y

0

1

2

Wormhole attack disruptsnetwork without needing to break any cryptography!

[Karlof and Wagner, 2003]; [Hu, Perrig, Johnson 2003]


0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9 1

0 50 100 150 200 250 300 350 400 450 500

Frac

tion

of R

oute

s to

Bas

e S

tatio

n D

isru

pted

Position of Endpoint (x,x)

Base Station at Corner

Base Station at Center

Wormhole Impact

0 500

0 500

A randomly placed wormhole disrupts ~5% of linksA single wormhole can disrupt 40% of links (center)


Possible Solutions• Packet Arrival Time

– Packet Leashes [Hu, Perrig, Johnson 2003]– Signal is transmitted at speed of light– Requires tightly synchronized clocks (tempora

l leashes) or precise location information (geographic leashes)

• Packet Arrival Direction


Directional Antennas

Model based on [Choudhury and Vaidya, 2002]General benefits: power saving, less collisions

1

23

4

5 6

North

Aligned to magnetic North, so zone 1 alwaysfaces East

Omnidirectional TransmissionDirectional Transmission from Zone 4


Assumptions• Legitimate nodes can establish secure node-

node links– All critical messages are encrypted

• Network is fairly dense• Nodes are stationary• Most links are bidirectional (unidirectional links

cannot be established)• Transmissions are perfect wedges• Nodes are aligned perfectly (relaxed in paper)


Protocol Idea• Wormhole attack depends on a node that

is not nearby convincing another node it is

• Verify neighbors are really neighbors• Only accept messages from verified

neighbors


Directional Neighbor Discovery A

1. A Region HELLO | IDA

Sent by all antenna elements (sweeping)2. B A IDB | EKBA (IDA | R | zone (B, A))

Sent by zone (B, A) element, R is nonce3. A B R

Checks zone is opposite, sent by zone (A, B)

B

zone (B, A) = 4is the antennazone in whichB hears A

1

23

4

5 6


A Bzone (B, A[Y]) = 1zone (A, B [X]) =

1False Neighbor: zone (A, B) should be opposite zone (B, A)

Detecting False Neighbors

1

23

4

5 6

X Y


A Bzone (B, A[Y]) = 4

zone (A, B [X]) = 1Undetected False Neighbor: zone (A, B) = opposite of zone (B, A)

Not Detecting False Neighbors

1

23

45 6

X Y

Directional neighbor discovery prevents 1/6 of false direct links…but doesn’t prevent disruption


Observation: Cooperate!

• Wormhole can only trick nodes in particular locations

• Verify neighbors using other nodes• Based on the direction from which you

hear the verifier node, and it hears the announcer, can distinguish legitimate neighbor


Verifier Region v

zone (B, A) = 4zone (V, A) = 3

1

23

45 6

A verifier must satisfy these two properties:1. Be heard by B in a different zone:

zone (B, A) ≠ zone (B, V)

2. B and V hear A in different zones: zone (B, A) ≠ zone (V, A)

zone (B, A) = 4zone (B, V) = 5

(one more constraint will be explained soon)


V

Verified Neighbor Discovery

1. A Region Announcement, done through sequential sweeping2. B A Include nonce and zone information in the message3. A B Check zone information and send back the nonce

A B 4. INQUIRY | IDB | IDA | zone (B, A)

5. IDV | EKBV (IDA | zone (V, B))

Same asbefore

4. B Region Request for verifier to validate A5. V B If V is a valid verifier, sends confirmation6. B A Accept A as its neighbor and notify A


Verifier Analysisv

B A

Region 1

Region 2

X

Y

1

234

5 6

1

23

4

5 6

Wormhole cannot trick a valid verifier:zone (V, A [Y]) = 5zone (A, V [X]) = 1 Not opposites: verification fails


Worawannotai Attackv

B A

Region 1

Region 2

X

1

23

5 6

23

4

5 6

V hearsA and B directly

A and B hear V directly

But, A and B hear each other only through repeated X


Preventing Attack

1. zone (B, A) zone (B, V) 2. zone (B, A) zone (V, A)3. zone (B, V) cannot be both adjacent to zone (B, A)

and adjacent to zone (V, A)


Cost Analysis• Communication Overhead

– Minimal– Establishing link keys typically requires

announcement, challenge and response– Adds messages for inquiry, verification and

acceptance• Connectivity

– How many legitimate links are lost because they cannot be verified?


Lose Some Legitimate Links

0

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.9

1

0 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1

Link

Dis

conn

ectio

n P

roba

bilit

y

Node Distance (r)

Verified Protocol

Strict Protocol(Preventing

W Attack)

Network Density = 10

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 1Node Distance (r)

0

Verified Protocol

Strict Protocol(Preventing

W Attack)

Network Density = 3


…but small effect on connectivity and routing

0

1

2

3

4

5

6

7

8

9

10

4 6 8 10 12 14 16 18 20

Ave

rage

Pat

h Le

ngth

Omnidirectional Node Density

Strict Protocol

Trust All

Verified Protocol

Network with density = 10

Verified protocol: 0.5% links are lost no nodes disconnectedStrict protocol: 40% links are lost 0.03% nodes disconnected

(More details and experiments in paper)


Vulnerabilities• Attacker with multiple wormhole endpoints

– Can create packets coming from different directions to appear neighborly

• Magnet Attacks– Protocol depends on compass alignment of

nodes• Antenna, orientation inaccuracies

– Real transmissions are not perfect wedges


Conclusion/Moral• An attacker with few resources and no

crypto keys can substantially disrupt a network with a wormhole attack

• Mr. Rogers was right: “Be a good neighbor”– If you know your neighbors, can detect

wormhole– Need to cooperate with your neighbors to

know who your legitimate neighbors are


http://www.cs.virginia.edu/evans/ndss04

ndss 2004hu and evans, uva1 using directional antennas to prevent wormhole attacks lingxuan hu and...

Documents