2013 IEEE 9th International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob)
Denial-of-Service detection in 6LoWPAN based
Internet of Things
Prabhakaran Kasinathan, Claudio Pastrone, Maurizio A. Spirito
Mark Vinkovits
Pervasive Secure Networks
Istituto Superiore Mario Boella (ISMB)
Torino, Italy
{kasinathan / pastrone / spirito}@ismb.it
User Centered Ubiquitous Computing
Fraunhofer FIT
Sankt Augustin, Germany
mark.vinkovits@fit.fraunhofer.de
Abstract—Smart objects connected to the Internet, constituting the so-called Internet of Things (IoT), are revolutionizing human beings' interaction with the world. As technology reaches everywhere, anyone can misuse it, and it is always essential to secure it. In this work we present a denial-of-service (DoS) detection architecture for 6LoWPAN, the standard protocol designed by the IETF as an adaptation layer for low-power lossy networks, enabling low-power devices to communicate with the Internet. The proposed architecture integrates an intrusion detection system (IDS) into the network framework developed within the EU FP7 project ebbits. The aim is to detect DoS attacks based on 6LoWPAN. In order to evaluate the performance of the proposed architecture, a preliminary implementation was completed and tested against a real DoS attack using a penetration testing system. The paper concludes with the related results, which prove successful in detecting DoS attacks on 6LoWPAN. Further, extending the IDS could lead to the detection of more complex attacks on 6LoWPAN.

Keywords—6LoWPAN, Internet of Things, Denial-of-Service Detection, Intrusion Detection Systems, Penetration Testing.

I. INTRODUCTION

For more than a decade the wireless sensor network (WSN) research community assumed that the Internet architecture was ill suited to WSN applications. The Internet Protocol (IP) was considered impractical for low-power and lossy network (LLN) devices. Eventually the research community came up with a solution to support IP in LLNs by designing the IPv6 over low-power wireless personal area networks (6LoWPAN) protocol [1]. 6LoWPAN enables IPv6 communication between low-power wireless personal area networks (LoWPANs) by compressing IPv6 headers. In addition, specific working groups within the Internet Engineering Task Force (IETF) are defining new protocols to support routing and to exchange application messages, resulting in IPv6-enabled LLNs.

The evolution of WSN technologies is thus leading to the integration into the Internet of smart objects with heterogeneous functions and characteristics. Such smart objects have self-configuring capabilities and can interact among themselves with or without human intervention. In this scenario, the Internet of the future is further evolving by allowing the convergence of the Internet of Things (IoT) with the Internet of Services and People [2]. With more than 10 billion microcontrollers flooding into the market each year, potentially all objects could become smarter and be connected through the Internet to create various consumer and industrial applications: manufacturing process monitoring, e-health care services, gas/electric meters, etc. Cisco predicts that by 2020 there will be more than 50 billion devices connected to the Internet [3], creating terabytes of data each second.

As wireless devices become increasingly pervasive and essential in our daily life, security becomes a critical issue. These inchoate devices and technologies will be exposed to more threats in the future if not governed adequately. 6LoWPAN-based IoT has inherited deficiencies: limited resources in terms of power, processing, memory and space, and unreliable communication in terms of packet loss rate and collisions. An adversary can take advantage of these weaknesses to initiate different kinds of attacks. More specifically, denial-of-service (DoS) attacks are considered to have adverse effects in disrupting WSN communication; still, effective security mechanisms against DoS attacks are yet to be addressed.

This paper studies the vulnerabilities present in IP-based WSNs with a major focus on DoS attacks and analyses the existing solutions and countermeasures. Finally, it presents a novel security architecture for detecting DoS attacks in 6LoWPAN-based IoT. The proposed solution is integrated within the platform being developed in the ebbits project [4]. This project aims to semantically integrate the IoT into mainstream enterprise systems and support interoperable, online end-to-end business applications. In fact, the networking features exposed by the ebbits platform are opportunistically exploited to improve the performance of the proposed detection solution.

The paper is structured as follows: Section II discusses security in IoT, including state-of-the-art (SotA) threats and countermeasures; Section III gives a brief introduction to our proposed DoS detection architecture; Section IV describes the system development of the proposed architecture; Section V demonstrates the effectiveness of the intrusion detection system (IDS) by evaluating its performance when solicited by a penetration testing system, with results; conclusions and future work are discussed in Section VI.

978-1-4799-0428-0/13/$31.00 ©2013 IEEE
II. SECURITY IN IOT

Since IoT fuses IP and low-power radio technologies like WSNs, it inherits vulnerabilities from both technologies. Much research is being carried out in the field of WSN security. A survey of WSN DoS attacks and defenses is given in [5], [6]. Garcia et al. [7], [8] presented the SotA on threats and possible countermeasures for IP-based WSNs. This section surveys SotA attacks/threats and their respective countermeasures in 6LoWPAN networks, which was useful in designing the detection architecture.

The life-cycle of an object or 'thing' is depicted in Figure 1 and can be classified into three major phases: manufacturing, installing/bootstrapping, and operational. During each of these phases, each 'thing' is prone to one or more attacks. Traditional security solutions already existing in the IP and IETF world, such as cryptographic encryption mechanisms, are not applicable to resource-constrained 6LoWPAN devices. However, the research community is developing light-weight security solutions such as light-weight public-key cryptography [9] and end-to-end transport layer security [10], [11]. Most of the security mechanisms try to guarantee basic security requirements: confidentiality, integrity, and authentication. But they are not powerful enough to fend off DoS attacks on WSNs. The following subsections describe the SotA regarding threats and countermeasures.
Fig. 1: IoT life-cycle
Source: [8]

A. Threat Analysis

Sensor networks are particularly susceptible to attacks related to privacy, traffic analysis, physical attacks and, most notably, DoS attacks [5]. Raymond et al. studied MAC layer denial-of-sleep attacks on WSNs, where a sensor node's power supply is targeted. Such attacks can reduce the sensor lifetime from years to days and have a devastating impact on the sensor network's life [12]. In [7] the authors analyzed IoT threats starting from a thing's life-cycle. 6LoWPAN is still evolving together with its related technologies: the Constrained Application Layer Protocol (CoAP) [13] and Routing over low-power lossy networks (RPL) [14]. By design, IoT devices are not only passive, they are active too. They can be used to remotely tag, track, locate, and monitor the locations of their users, thus intruding on their privacy, and to collect sensitive information. This information could be exploited by an attacker for various purposes [7]. 6LoWPAN-related protocols should be carefully analyzed for potential vulnerabilities. In the following, we list and describe threats associated with 6LoWPAN smart objects.

Denial-of-Service attacks

Any event that reduces, disrupts or completely eliminates the network's communication is categorized as a DoS attack. For any information network, 'device availability' is the most important factor, and DoS attacks target 'network availability' by preventing network devices from communicating and from accessing the services provided. Thus, DoS attacks are considered an important security issue. These attacks can be launched from remote places with mere commands; combined with advanced tools, attackers could even perform distributed DoS attacks, which are efficient in taking down big networks. It is rather difficult to detect a DoS attack before the service becomes unavailable. DoS attacks range from simple jamming to the sophisticated attacks mentioned below.

Jamming: Jamming simply means exploiting the transmission of a radio signal to interfere with the radio frequencies being used by the sensor network. Jamming can be performed either continuously or intermittently [15]; in both cases the network will suffer considerable damage. A jamming attack is usually carried out during the 'operational phase'. Jamming takes place at link level by sending forged packets to create collisions, thereby dropping legitimate packets [12].

Cloning of things: This exploit is open during the 'manufacturing process' as well as in the 'operational phase'. In the first circumstance, an internal attacker can substitute a genuine thing with a similar preprogrammed thing for unauthorized purposes. During the 'operational phase', a node can be captured and replicated; these are commonly known as node-replication attacks. Node capture could lead to further attacks such as extraction of the security parameters and firmware replacement attacks [8].

Eavesdropping: This vulnerability is evident in the 'operational phase' of all wireless communications; if security parameters like key material and configurations are exchanged as clear messages, an attacker could retrieve them just by passively listening to the operating channel; later, using them, the attacker can join the network as a legitimate node and perform further attacks. This could lead to a man-in-the-middle attack [6].

Routing attack: Routing information in IoT can be spoofed, altered or replayed in order to create routing loops, attract or repel network traffic, extend or shorten source routes and so on. Other possible routing attacks include flooding, sinkhole attacks, selective forwarding, wormhole attacks, and sybil attacks [6]. Further, attacks based on 6LoWPAN such as packet fragmentation attacks [16], [17] and on the RPL protocol such as rank attacks and local-repair attacks [18] are possible.

Application Layer attack: CoAP is being standardized as the application layer protocol for 6LoWPAN. Since it is still evolving, many security issues could arise in the future. Some possible vulnerabilities are SYN flood, protocol parsing, URI processing, proxying and caching, risk of amplification, IP address spoofing attacks, and cross-protocol attacks [13].
B. Security Countermeasures

In [6] Raymond et al. discuss various DoS attack defense mechanisms and countermeasures in the WSN context. A study of the overall QoS threats related to IP-based WSNs is described in [19]. Other IoT threats and defense strategies are discussed in [7], [8]. However, there are currently no countermeasures or defense mechanisms able to completely overcome all DoS attacks.

Mature research in WSNs suggests various techniques to defend against attacks on WSNs. They correspond to heterogeneous approaches: centralized, distributed, co-operative, clustered. Overall, centralized solutions are not scalable; distributed and co-operative approaches could be more efficient and robust, but prolonged consistency and stability are serious issues. Securing the system from all DoS threats becomes necessary. Recent works related to IoT suggest the following classes of security countermeasures:

• Secure Bootstrapping: Bootstrapping is the process by which a device is associated or connected with a part of a network or with similar devices. During the bootstrapping phase, a unique identity and other security parameters are associated with each device/thing. Secure bootstrapping ensures that only authenticated devices access the network. The simplest mechanism for carrying out the initial setup (security parameters, node identity) is via a physical interface (USB, wire, chip contact, etc.). Wireless bootstrapping may be exposed to eavesdropping, although this can be avoided by using advanced cryptographic mechanisms which provide confidentiality [7], [20]. To optimize the key distribution mechanism, several key management schemes have been proposed in the literature for WSNs [21] to support secure communication and authentication among WSN devices.

• Application Layer Security: Transport Layer Security (TLS) is considered a security function of utmost importance in IoT [7]. In fact, present and foreseen IoT applications handle increasingly sensitive data; securing all those data is therefore a major requirement for IoT. Securing them alone may provide the basic security requirements for IoT. The work by Heer et al. [8] focuses on application layer security with the following technologies: IKEv2/IPsec, TLS/SSL, DTLS, HIP, PANA, and EAP.

• IDS solutions: IDSs provide the first line of defense for any security system. Implicitly, detecting an attack is considered an important security countermeasure. IDSs can be classified based on their detection methods into two major types: misuse (or signature-based) detection and anomaly detection. In the former, a set of predefined rules is loaded into the IDS and matched against the events of the network; when a suspicious event is detected, an alert is triggered. In anomaly-based detection, normal network behavior is recorded and compared with the current network status, triggering an event when the network behaves abnormally. Misuse detection is prone to missing new attacks, whereas anomaly detection produces more false positive events. These two techniques can be combined to increase the detection accuracy by reducing false positive events: the resulting approach is called Hybrid Detection. In the literature various IDS solutions for WSNs have been proposed [22], [23], but most of them are not applicable in the IP-based WSN environment. An IDS approach for IP-based WSNs was investigated in [18], and recently the work [24] reported a host-based IDS specifically designed for IoT. A comparative study of existing IDS solutions is given in Table I.
TABLE I: Analysis and Comparison of IDS Schemes

Scheme | Simulation (or) O/S | Detection Method | Highlights
SVELTE (IDS for IoT) [24] | Cooja (Contiki) | Hybrid | Host based IDS, 6Mapper (reconstructs RPL's network information)
RIDES (IP-based WSNs) [25] | ns2 | Hybrid | Bloom filters, CUSUM charts
Specification Based IDS for RPL (IP-based WSNs) [18] | - | Specification | Finite state machine design to detect RPL based attack
Novel Hybrid IDS (WSNs) [26] | - | Hybrid | Clustered approach to save energy
Energy Efficient Hybrid-IDS (WSNs) [27] | Omnet++ | Hybrid | Cluster based, energy efficient
An Experimental Study of Hierarchical IDS (WSNs) [28] | NesC in TinyOS | Misuse | Hierarchical model
In our work, we focus on IDS techniques to detect DoS attacks during the operational phase of a thing. The SotA analysis identified the limitations of existing solutions. In the following, we describe the disadvantages of the IDSs already proposed.

Drawbacks of Existing IDSs: The IDS survey revealed one major drawback. Most of the proposed strategies consist of lightweight, efficient algorithms or similar methods which can be programmed into one or more resource-constrained WSN nodes¹. Most of the proposed IDSs were not designed for IP-based WSNs. These programs are either centralized or distributed, and centralized systems suffer from a single point of failure. The programmed nodes have the same limited capabilities as their neighbors, thus they equally suffer from most of the DoS attacks. On detecting an attack, these nodes convey the message through the same 'wireless channel' to their group/cluster head or base station (a more powerful device) for advanced detection processing (signature matching or anomaly detection). DoS attacks like flooding and jamming usually make the wireless channel unusable, thus defeating the most basic objective of the IDS.
III. THE PROPOSED SOLUTION

The motivation of the proposed solution is to detect DoS attacks in 6LoWPAN networks before network operations are disrupted and to trigger the proper execution of countermeasures aimed at increasing network availability. Within the ebbits platform, we have therefore extended the security framework to include an open source IDS connected with the ebbits networking framework: the final objective is to support effective detection of DoS attacks in 6LoWPANs.

As far as IDSs are concerned, traditional solutions have proven efficient in detecting a wide range of attacks, especially DoS attacks. In this section, we propose a DoS detection architecture, describing its main components and finally mentioning the advantages of our solution compared to the already existing solutions.

The proposed architecture could be capable of detecting a wide range of attacks. However, the provision of defense mechanisms to counteract the attacks, i.e. intrusion prevention systems (IPS), is out of the scope of this paper and will be the next step of this work.

¹ Constrained nodes programmed with already existing IDS modules.
A. DoS Detection Architecture

To detect DoS attacks in IoT, the detection system itself needs to be immune to DoS attacks. In addition it should be scalable and applicable to most real-world IoT scenarios. These design criteria were considered while developing the DoS detection architecture for IoT. Our DoS detection architecture has been designed to detect DoS attacks in ebbits networks. The DoS detection architecture reported in Figure 2 represents the 6LoWPAN network integrated with the network manager of ebbits. The IDS probe (IDS_P) lets the IDS listen to 6LoWPAN network traffic. The most relevant contributions of this paper are the DoS protection manager and the IDS, which are integrated with the ebbits network manager as part of the security manager. In the following, firstly the ebbits network manager and its components are briefly explained; later the proposed DoS protection manager and its components are explained in detail.

Fig. 2: DoS Detection Architecture

ebbits Network Manager:
The network manager integrates three major subcomponents: network management, the opportunistic manager, and the security manager.

Network management provides network monitoring and configuration services. By monitoring the network it provides performance information: interference level, latency, outage probability, and collisions. The role of network management is to make the opportunistic manager and the security manager interoperable by providing the network information available at any specific time.

The opportunistic manager provides communication resilience and optimization for the ebbits framework. It enables the system to operate with the best available network communication at all times. It provides delay tolerant networking (DTN) and frequency agility (FA) capabilities to WSNs/6LoWPANs [29]. FA is a mechanism allowing the network to become aware of the interference level by analyzing channel occupancy states in real time. The aim is to determine the best available channel. When the system detects the interference level exceeding a certain threshold, the FA mechanism starts a procedure to switch the operating channel to the best available channel [29].

The security manager provides security mechanisms in the network, for instance encryption and policy enforcement. It enables secure communication between the ebbits network manager and the middleware by providing cryptographic and trust mechanisms. In this work, we introduce the DoS protection manager within the security manager of ebbits.

Physical world:
The physical world depicted in Figure 2 represents a simple 6LoWPAN network aimed at collecting data from real-world sensors. Several host (H) nodes form the network along with their respective cluster nodes (R); the aggregated network data finally available from the cluster nodes are delivered to the network manager through a border router (B). In the real-world scenario of ebbits, many smart objects (RFIDs, sensors, smartphones, etc.) are combined to form the physical world. The physical world adaptation layer (PWAL) is a special network component of ebbits which enables the low-level interaction between physical devices/smart objects and the ebbits network manager. In this way, physical world capabilities can be abstracted and exposed into the ebbits middleware as web services.

• DoS protection manager: The DoS protection manager receives alerts from the IDS when intrusion attempts occur. It then extracts pieces of information (interference rate, packet dropping rate, etc.) from other ebbits managers (network management and the opportunistic manager) and analyzes them to confirm an actual attack. The main component of the DoS protection manager is the IDS involved in detecting the attack. This hybrid approach, by leveraging additional data about the same network collected by other ebbits managers, decreases the false alarm rate of the IDS warnings.

• IDS: The proposed IDS is a network-based IDS (NIDS): it works by capturing and examining network packets. It is in charge of monitoring the 6LoWPAN traffic and raising alerts in case of any misbehavior in the network. This IDS agent is in charge of processing the network-related information captured from multiple IDS_Ps spread within the network, as depicted in Figure 2. These IDS_Ps operate in promiscuous mode: they can listen to all messages irrespective of destination addresses. The use of multiple probes is needed to manage large-scale networks. It is important to mention that such probes are external to the operating 6LoWPAN and do not participate in network activities. When an active DoS attack is performed, the wireless channel is disrupted and messages received through the IDS_Ps could be unreliable, thus wired connectivity is used to connect them to the IDS. In order to be endowed with the capability of detecting known and unknown attacks with high accuracy, a hybrid detection model is considered to work better and was thus adopted for development.

Briefly summarizing, the proposed system monitors the 6LoWPAN network traffic through one or more IDS_Ps operating in promiscuous mode and detects attacks using a hybrid IDS detection method. The DoS protection manager, on receiving the alerts, confirms the attack by leveraging the information made available by other network manager components. This attack detection approach can be implemented with any network manager in general.

B. Scenario

To elucidate the application of the proposed architecture, let us consider a simple manufacturing scenario. It requires monitoring the acceleration of the equipment and the pressure and temperature of the area involved in the manufacturing setting. In this scenario, any DoS attack can degrade the quality of the manufacturing.

The functioning of the DoS detection architecture is described in the following. We assume a jamming attack is being performed towards a target 6LoWPAN network (manufacturing). Once the DoS protection manager has received an alert notification from the IDS about the jamming attack, it can further validate the detection by:

1) Checking the level of interference detected in the current operating channel; this information is obtained from the FA manager.
2) Verifying the collected information about the loss rate in the monitored network; this information is available at the network management manager.
3) Observing the absence of updated information in the two managers just mentioned, which would in any case represent an additional symptom that an attack is being performed.

The proposed DoS detection architecture provides the following advantages over the works mentioned in Section II-A. Wired connectivity between IDS_P and IDS promises immunity to wireless jamming and other DoS attacks, thus the IDS can receive reliable network information at all times. The processing is centralized in a powerful IDS agent running on a Linux host, thus overcoming the resource constraints of traditional low-power devices. False positive events of the IDS can be reduced by leveraging the information gained from the other network managers. The proposed architecture suits real-time industrial environments, where reliability and availability are the most important security requirements.

IV. SYSTEM DEVELOPMENT

This section describes the system development of the DoS protection manager. At present, the proposed solution is not completely implemented; nonetheless, preliminary development work has been carried out to evaluate the performance of our system, highlighting promising results. The preliminary development work is characterized as follows: a single IDS_P was considered enough to sniff a small 6LoWPAN network; only the signature-based detection method was considered for IDS development; finally, integration with the network manager of ebbits was not addressed. Under these assumptions, only a DoS attack on a 6LoWPAN network could be detected directly. The most important components are the IDS and IDS_P attached to the DoS protection manager.

A. IDS Probe (IDS_P)

This component, previously developed as part of the work in [30], runs a custom firmware and is able to sniff packets in promiscuous mode. The IDS_P is connected to the IDS via a USB interface, thus wired, and is exposed as a virtual interface inside a Linux host. Therefore, the probe can be used like any other interface, such as Ethernet, inside the Linux host.

B. IDS

Suricata, an open source IDS, is adopted for development [31]. It exhibits the following advantages: complete IPv6 support, automatic protocol detection, multi-threading and intrusion prevention system capabilities. As a standard IDS, Suricata's architecture is composed of the three following modules, as depicted in Figure 3: the protocol decoder, the detection engine and the alert response unit. Suricata uses signature-based detection, thus requiring a predefined set of rules to detect attacks.
Fig. 3: Suricata IDS' Architecture

Basic information about how this architecture works is given in the following. After packets are captured through the virtual interface provided by the IDS_P, they are interpreted by the Suricata decoder. A packet is completely decoded and analyzed, looking for any possible misbehavior with respect to the protocol standards. If some packet misbehavior is identified, a specific event is recorded within the IDS engine. The detection engine consults the signature database; the rules are loaded into the signature database before the IDS is started. The IDS detection engine can profitably use specific events recorded during the decoding phase as match conditions, but the detection engine's capabilities are not limited to this: developing custom modules can extend them further. When a signature match occurs, an alert is triggered by the detection engine and is usually recorded in different user-specific formats: the unified2 format as the standard IDS alert format, whereas basic text logging is done in Suricata's fast.log format.

In our work, major effort was devoted to developing IEEE 802.15.4 (layer 2) and 6LoWPAN (adaptation layer 3) protocol decoders for the Suricata decoder. When a packet is captured, the decoder first identifies the link type. If it matches the IEEE 802.15.4 link type, the packet is decoded according to the IEEE 802.15.4 standard. Similarly, the 6LoWPAN-compliant section of the packet is decoded, thus obtaining the complete IPv6 packet, which is handed to Suricata's default IPv6 decoder. Decoder development is described in Figure 4. If a match with a signature happens, an alert is triggered.
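As an added illustration of the decoding step just described (example code written for this edition, not the authors' Suricata decoder), the following Python parses the IEEE 802.15.4 MAC header of a captured frame, classifies the first 6LoWPAN byte by its dispatch value as defined in RFC 4944 and RFC 6282, and records decoder events for malformed input, the kind of event a detection engine can later match on. The sample frames, the event names and the placeholder FCS (which is not verified) are constructed for the example.

```python
"""Added example: decode an IEEE 802.15.4 MAC header, classify the 6LoWPAN
dispatch byte (RFC 4944 / RFC 6282) and record decoder events for malformed
input. The frames at the bottom are constructed, not captures from the paper."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

FRAME_TYPES = {0: "beacon", 1: "data", 2: "ack", 3: "mac-command"}


@dataclass
class LowpanFrame:
    frame_type: str
    seq: int
    dst_pan: Optional[int]
    dst_addr: Optional[str]
    src_pan: Optional[int]
    src_addr: Optional[str]
    dispatch: str
    events: List[str] = field(default_factory=list)


def _addr(raw: bytes) -> str:
    # 802.15.4 sends addresses least-significant byte first; show them in the usual order.
    return raw[::-1].hex()


def decode_mac(frame: bytes, fcs_present: bool = True):
    """Parse FCF, sequence number and addressing fields; return (fields, MAC payload)."""
    end = len(frame) - 2 if fcs_present else len(frame)   # trailing 2-byte FCS, not verified
    if end < 3:
        raise ValueError("frame shorter than FCF + sequence number")
    fcf, seq = struct.unpack_from("<HB", frame, 0)
    frame_type = fcf & 0x7                 # bits 0-2
    pan_compression = bool(fcf & 0x40)     # bit 6
    dst_mode = (fcf >> 10) & 0x3           # 0 = none, 2 = short, 3 = extended
    src_mode = (fcf >> 14) & 0x3
    if frame_type not in FRAME_TYPES or 1 in (dst_mode, src_mode):
        raise ValueError("reserved frame type or addressing mode")
    off = 3

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > end:
            raise ValueError("truncated addressing fields")
        off += n
        return frame[off - n:off]

    fields = {"frame_type": FRAME_TYPES[frame_type], "seq": seq,
              "dst_pan": None, "dst_addr": None, "src_pan": None, "src_addr": None}
    if dst_mode:
        fields["dst_pan"] = struct.unpack("<H", take(2))[0]
        fields["dst_addr"] = _addr(take(2 if dst_mode == 2 else 8))
    if src_mode:
        # With PAN ID compression the source PAN ID is omitted and equals the destination's.
        fields["src_pan"] = fields["dst_pan"] if pan_compression else struct.unpack("<H", take(2))[0]
        fields["src_addr"] = _addr(take(2 if src_mode == 2 else 8))
    return fields, frame[off:end]


def classify_dispatch(payload: bytes):
    """Name the 6LoWPAN header from its first byte and flag inconsistencies."""
    if not payload:
        return "empty", ["empty_mac_payload"]
    d = payload[0]
    if d >> 6 == 0b00:                                  # 00xxxxxx: not a LoWPAN frame
        return "NALP", ["not_a_lowpan_frame"]
    if d == 0x41:                                       # uncompressed IPv6 header follows
        return "IPv6", []
    if d == 0x42:
        return "LOWPAN_HC1", []
    if d == 0x50:
        return "LOWPAN_BC0", []
    if d >> 5 == 0b011:                                 # 011xxxxx: IPHC (RFC 6282), 2-byte base header
        return "LOWPAN_IPHC", (["iphc_header_truncated"] if len(payload) < 2 else [])
    if d >> 6 == 0b10:                                  # 10xxxxxx: mesh header
        return "MESH", []
    if d >> 3 in (0b11000, 0b11100):                    # fragmentation headers
        name, hdr_len = ("FRAG1", 4) if d >> 3 == 0b11000 else ("FRAGN", 5)
        if len(payload) < hdr_len:
            return name, ["frag_header_truncated"]
        datagram_size = ((d & 0x07) << 8) | payload[1]
        if len(payload) - hdr_len > datagram_size:     # fragment cannot exceed the whole datagram
            return name, ["fragment_larger_than_datagram"]
        return name, []
    return "reserved", ["reserved_dispatch"]


def decode_frame(frame: bytes, fcs_present: bool = True) -> LowpanFrame:
    mac, payload = decode_mac(frame, fcs_present)
    dispatch, events = classify_dispatch(payload)
    if mac["frame_type"] != "data" and dispatch not in ("empty", "NALP"):
        events.append("lowpan_in_non_data_frame")       # 6LoWPAN is carried in data frames
    return LowpanFrame(dispatch=dispatch, events=events, **mac)


# Constructed frames: data frame, short addresses, PAN ID compression, placeholder FCS 00 00.
MAC_HDR = bytes.fromhex("6188" "2a" "cdab" "0100" "3412")
FRAME_IPHC = MAC_HDR + bytes.fromhex("7a33f0") + b"\x11" * 6 + b"\x00\x00"
FRAME_BAD_FRAG = MAC_HDR + bytes.fromhex("c0101234") + b"\x41" + b"\x00" * 19 + b"\x00\x00"
FRAME_NALP = MAC_HDR + bytes.fromhex("3f0102") + b"\x00\x00"

if __name__ == "__main__":
    for f in (FRAME_IPHC, FRAME_BAD_FRAG, FRAME_NALP):
        print(decode_frame(f))
```

The events list plays the role of the decoder events the text mentions: a rule can match on "fragment_larger_than_datagram" or "not_a_lowpan_frame" without inspecting payload bytes, which is how fragmentation misuse on 6LoWPAN can be surfaced to the detection engine.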
Fig. 4: Decoder development in Suricata
V. SYSTEM EVALUATION

The proposed IDS for the 6LoWPAN network was evaluated with a penetration testing (PenTest) system developed as part of the work in [30]. A test-bed of our proposed 6LoWPAN DoS detection architecture was built with physical nodes as represented in Figure 5. The PenTest system and the IDS were connected to the 6LoWPAN through the PenTest probe (Mp) and the IDS_P probes respectively. A detailed description of the evaluation is given below.

Fig. 5: Architecture of Proposed IDS and Evaluation System

A. Penetration Testing

PenTest is a method of evaluating the security of a computer system by simulating actual attacks; it basically compromises the target network in a controlled environment. This helps in identifying vulnerabilities present in our network. Metasploit, an open source PenTest tool, was adopted for this experiment. Metasploit has the capability to sniff and inject forged packets into the 6LoWPAN network, whereas the IDS_P probe has only sniffing capability. During this work, an additional module was developed in Metasploit to support flashing/reprogramming of an attached Mp node with user-defined firmware, thus allowing more flexibility in performing remote DoS attacks.

The Attack: To validate our IDS, we performed an IPv6 UDP flooding attack against a 6LoWPAN network. Contiki [32], a prominent open source operating system for IoT, was used to develop the UDP flooding program, which can be either self-programmed or remotely programmed (using Metasploit) into a node. This node, attached as the Mp in Figure 5, initiates flooding by sending a large amount of traffic to a specific destination network, performing a DoS attack against the target network.
The Rule: To detect the previously simulated UDP flooding attack, Suricata provides a threshold option in its rules: a rule option matches packets and, when the number of matches rises above a threshold, an alert is triggered. The rule header contains the information about what action a rule takes when a packet matches the rule. Each rule contains a header as follows: an action (pass, drop, reject, alert); protocol (UDP, TCP, ICMP, etc.); source address; source port; destination address; destination port; followed by the rule options. These rule options provide flexibility to the IDS; novel rule options could be developed to extend the detection parameters. The following rule was developed to detect the UDP flooding attack.

alert udp any any -> any any (msg:"My Threshold rule works"; threshold: type threshold, track by_dst, count 30, seconds 1; sid:999999; classtype:misc-activity; rev:1; content:"Hello"; priority:1;)

If UDP packets arrive at a rate of 30 packets per second, the above rule triggers an event in Suricata. The count and seconds parameters in the rule define the threshold value for the alert. The values defined are taken as a reference; different levels of flooding can be monitored with different threshold values. To extend detection capabilities, the content option provides payload matching in Suricata. The flooded packets were loaded with the payload content 'Hello' to evaluate payload matching. The above rule tracks the flooded packets with content 'Hello' towards a destination address. Thus, Suricata generates an alert each time the above rule matches. An example of one such alert, recorded from Suricata's fast.log, is given below:

01/01/2013-18:51:58.653658 [**] [1:999999:1] My Threshold rule works [**] [Classification: Misc activity] [Priority: 1] {UDP} aaaa:0000:0000:0000:0212:7400:116c:9af4:8765 -> aaaa:0000:0000:0000:0000:00ff:fe00:0001:5678

In the future, by developing detection modules to detect the attacks mentioned in [24], such as the RPL rank attack, the results of the proposed detection architecture could be compared to [24]. Furthermore, trusted node addresses could be predefined as internal nodes, and when an adversary disrupts or joins the network, that particular suspicious node can be detected.

B. Results

In the considered experiments, a progressively increasing number of Mp nodes (up to 5) performed a flooding attack towards a target 6LoWPAN node. The duration of each test was 1 minute and the Suricata IDS triggered alerts when a flooding attack was detected. Figure 6 represents the number of true positive events triggered by each Mp flooding node detected

increases when more Mp nodes are involved in the same attack. This is also due to the fact that the flooding was performed towards a single target node, which increases the number of matches per unit time of the rule set in Suricata. The same tests also confirm that the proposed solution can detect attacks when one or more nodes flood the network at the same time.
by the IDS versus the number of Mp nodes participating in
each attack. The experiments showed no false negatives as the
detection was based on predefined rules, which are defined to
specifically detect the flooding attack.
Three trials of 1 minute for each attack scenario were
performed to evaluate the standard deviation of the alerts for
each Mp Node: the results are represented in Figure 6. At
first, only 2 flooding nodes (Mp1 and Mp2) are introduced into
the network; in such scenario, Suricata triggered 22 alerts, in
which Mp1 was detected 10 times and Mp2 was detected 12
times. Then, the number of Mp flooding nodes was increased to
find the efficiency of IDS engine and IDS probe in detecting
each rouge node separately. Furthermore, traffic patterns of
normal network behavior have been compared with the patterns
achieved by performing flooding attacks. More specifically, the
number of packets transmitted per second has been monitored
and represented in Figure 7.
3 Nodes Flooding
Network Traffic
120
100
80
60
40
20
0
0
5
10 15 20 25 30 35 40 45 50 55 60
Time (s)
Fig. 7: DoS Network Traffic
VI.
C ONCLUSION & F UTURE W ORK
25
Our DoS detection architecture, built on top of the ebbits
network framework was proved capable of detecting DoS
attacks. It is more applicable to real world scenarios. Integrating information from the network manager components
will increase the accuracy of attack detection. Nevertheless,
in future more complicated attacks can be detected by using
our DoS detection architecture. Since, our IDS runs on a host
computer, it overcomes the resource constraint problems and
provides more power to detect complicated attacks. It showed
promising results and unearthed new ways to detect more
complicated attacks related to 6LoWPAN, which could have
not been possible earlier.
20
A. Future Works
15
In future, we expect to complete the implementation of
our proposed architecture and test it against different real
attacks. Apart from this, the proposed architecture can be
further improved by the following:
Mp 1
Number of True Positive Alerts
5 Nodes Flooding
Number of Packets per second
The above alert describes event information: time-stamp,
signature ID, UDP source, destination address when the particular rule is matched.
Mp 2
Mp 3
Mp 4
Mp 5
30
10
5
Distributed Approach: To monitor large networks distributed sniffing, detection mechanisms are required.
0
2
3
4
Number of Nodes
5
Fig. 6: IDS alerts against UDP flooding attack
We can notice that the proposed IDS is able to detect the
flooding attacks and that the detection rate of each Mp node
606
Security Incident and Event management system (SIEM):
Once the IDS detect some alerts, this raw information can be
accessed by certain alert management software. These tools
provide effective statistics and various notifying options to the
administrators via email, sms, etc. In future, extending support
to SIEMs will be considered. Finally, a centralized monitoring
system could be designed such that all network management
information from ebbits network manager and IDS alerts could
be monitored.
DoS Protection: After detecting a DoS attack, specific
mechanisms can be designed to defend the attack i.e., the
intrusion prevention systems (IPS).
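The threshold rule and the fast.log alert from the evaluation section, modelled as an added Python example (not the paper's code and not Suricata's implementation): a simplified per-destination threshold counter fed with constructed flood traffic from hypothetical Mp nodes, and a parser for the fast.log alert line format. The target address aaaa::ff:fe00:1, the node names and the packet rates are assumptions.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed packet record (ts in seconds), not a Suricata type.
UdpPacket = namedtuple("UdpPacket", "ts src dst payload")

@dataclass
class ThresholdRule:
    """Simplified model of the paper's rule: alert on every `count`-th packet
    carrying `content` to the same dst inside a `seconds` window (track by_dst)."""
    content: bytes = b"Hello"
    count: int = 30
    seconds: float = 1.0
    _state: dict = field(default_factory=dict)   # dst -> [window_start, matches]

    def inspect(self, pkt: UdpPacket):
        if self.content not in pkt.payload:       # content:"Hello" did not match
            return None
        start, n = self._state.get(pkt.dst, (pkt.ts, 0))
        if pkt.ts - start >= self.seconds:        # window expired: start a new one
            start, n = pkt.ts, 0
        n += 1
        if n < self.count:
            self._state[pkt.dst] = [start, n]
            return None
        self._state[pkt.dst] = [start, 0]         # threshold reached: alert, recount
        return {"sid": 999999, "src": pkt.src, "dst": pkt.dst, "ts": pkt.ts}

def run_flood(rates: dict, duration: int = 60, target: str = "aaaa::ff:fe00:1"):
    """Feed `duration` seconds of constructed traffic in which each (hypothetical)
    Mp node in `rates` sends that many 'Hello' UDP packets per second to `target`."""
    rule = ThresholdRule()
    pkts = sorted((UdpPacket(sec + i / rate, src, target, b"Hello")
                   for sec in range(duration) for src, rate in rates.items()
                   for i in range(rate)), key=lambda p: p.ts)
    return [a for p in pkts if (a := rule.inspect(p)) is not None]

# Field layout of a Suricata fast.log alert line, as shown in the paper.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[\*\*\] \[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$")

def parse_fast_log(line: str) -> dict:
    m = FAST_LOG_RE.match(line.strip())
    if m is None:
        raise ValueError("not a fast.log alert line: %r" % line)
    return m.groupdict()   # ts, gid, sid, rev, msg, cls, prio, proto, src/sport, dst/dport
```

With count 30 and seconds 1, two nodes sending 20 and 25 packets per second to one target raise one alert per second, three nodes at 20 packets per second raise two, and a single node at 10 packets per second raises none, which mirrors the observation that the alert count grows with the number of flooding nodes.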
ACKNOWLEDGEMENTS
The ebbits project is co-funded by the EC within the
FP7, theme ICT-2009.1.3 Internet of Things and Enterprise
environments, grant agreement No.257852.
REFERENCES

[1] J. W. Hui and P. Thubert, "Compression format for IPv6 datagrams over IEEE 802.15.4-based networks," IETF Proposed Standard (ISSN: 2070-1721), available online: http://tools.ietf.org/html/rfc6282, Sept. 2011.
[2] O. Vermesan, P. Friess, P. Guillemin, S. Gusmeroli, H. Sundmaeker, A. Bassi, I. S. Jubert, M. Mazura, M. Harrison, M. Eisenhauer, et al., "Internet of things strategic research roadmap," Internet of Things - Global Technological and Societal Trends, pp. 9–52, 2011.
[3] D. Evans, "The internet of things: How the next evolution of the internet is changing everything," Cisco white paper, 2011.
[4] European project "Enabling the business-based internet of things and services," website: http://www.ebbits-project.eu/news.php, accessed May 2013.
[5] J. P. Walters, Z. Liang, W. Shi, and V. Chaudhary, "Wireless sensor network security: A survey," Security in Distributed, Grid, Mobile, and Pervasive Computing, vol. 1, p. 367, 2007.
[6] D. R. Raymond and S. F. Midkiff, "Denial-of-service in wireless sensor networks: Attacks and defenses," IEEE Pervasive Computing, vol. 7, no. 1, pp. 74–81, 2008.
[7] O. Garcia-Morchon, S. Kumar, R. Struik, S. Keoh, and R. Hummen, "Security considerations in the IP-based internet of things," IETF (work in progress), available online: http://tools.ietf.org/html/draft-garcia-core-security-05, Mar. 2013.
[8] T. Heer, O. Garcia-Morchon, R. Hummen, S. L. Keoh, S. S. Kumar, and K. Wehrle, "Security challenges in the IP-based internet of things," Wireless Personal Communications, vol. 61, no. 3, pp. 527–542, 2011.
[9] A. Liu and P. Ning, "TinyECC: A configurable library for elliptic curve cryptography in wireless sensor networks," in Proc. International Conference on Information Processing in Sensor Networks (IPSN '08), pp. 245–256, IEEE, 2008.
[10] C. Karlof, N. Sastry, and D. Wagner, "TinySec: A link layer security architecture for wireless sensor networks," in Proc. 2nd International Conference on Embedded Networked Sensor Systems, pp. 162–175, ACM, 2004.
[11] L. Casado and P. Tsigas, "ContikiSec: A secure network layer for wireless sensor networks under the Contiki operating system," in Identity and Privacy in the Internet Age, pp. 133–147, Springer, 2009.
[12] D. R. Raymond, R. Marchany, M. Brownfield, and S. Midkiff, "Effects of denial-of-sleep attacks on wireless sensor network MAC protocols," IEEE Transactions on Vehicular Technology, vol. 58, no. 1, pp. 367–380, 2009.
[13] Z. Shelby, K. Hartke, and C. Bormann, "Constrained application protocol (CoAP)," IETF (work in progress), available online: http://tools.ietf.org/html/draft-ietf-core-coap-16, Apr. 2013.
[14] T. Winter, "RPL: IPv6 routing protocol for low-power and lossy networks," IETF RFC 6550, available online: http://tools.ietf.org/html/rfc6550, Mar. 2012.
[15] A. Wood and J. Stankovic, "Denial of service in sensor networks," Computer, vol. 35, no. 10, pp. 54–62, 2002.
[16] H. Kim, "Protection against packet fragmentation attacks at 6LoWPAN adaptation layer," in Proc. International Conference on Convergence and Hybrid Information Technology (ICHIT '08), pp. 796–801, IEEE, 2008.
[17] R. Riaz, K.-H. Kim, and H. Ahmed, "Security analysis survey and framework design for IP connected LoWPANs," in Proc. International Symposium on Autonomous Decentralized Systems (ISADS '09), pp. 1–6, IEEE, 2009.
[18] A. Le, J. Loo, and Y. Luo, "Specification-based IDS for securing RPL from topology attacks," Wireless Days (WD), pp. 4–6, 2011.
[19] A. Le, J. Loo, A. Lasebae, M. Aiash, and Y. Luo, "6LoWPAN: A study on QoS security threats and countermeasures using intrusion detection system approach," International Journal of Communication Systems, vol. 25, no. 9, pp. 1189–1212, 2012.
[20] R. Cragie, Y. Ohba, R. Moskowitz, Z. Cao, and B. Sarikaya, "Security bootstrapping solution for resource-constrained devices," IETF (work in progress), available online: http://tools.ietf.org/html/draft-oflynn-core-bootstrapping-03, Nov. 2010.
[21] Y. Xiao, V. K. Rayi, B. Sun, X. Du, F. Hu, and M. Galloway, "A survey of key management schemes in wireless sensor networks," Computer Communications, vol. 30, no. 11, pp. 2314–2341, 2007.
[22] A. H. Farooqi and F. A. Khan, "Intrusion detection systems for wireless sensor networks: A survey," in Communication and Networking, pp. 234–241, Springer, 2009.
[23] A. Mitrokotsa and A. Karygiannis, "Intrusion detection techniques in sensor networks," in Wireless Sensor Network Security, J. Lopez and J. Zhou, eds., pp. 251–272, 2008.
[24] S. Raza, L. Wallgren, and T. Voigt, "SVELTE: Real-time intrusion detection in the internet of things," Ad Hoc Networks, available online: http://www.sciencedirect.com/science/article/pii/S1570870513001005, May 2013.
[25] S. O. Amin, M. S. Siddiqui, C. S. Hong, and S. Lee, "RIDES: Robust intrusion detection system for IP-based ubiquitous sensor networks," Sensors, vol. 9, no. 5, pp. 3447–3468, 2009.
[26] H. Sedjelmaci and M. Feham, "Novel hybrid intrusion detection system for clustered wireless sensor network," International Journal of Network Security & Its Applications (IJNSA), vol. 3, no. 4, pp. 1–14, July 2011.
[27] A. Abduvaliyev, S. Lee, and Y.-K. Lee, "Energy efficient hybrid intrusion detection system for wireless sensor networks," in 2010 International Conference on Electronics and Information Engineering, vol. 2, pp. V2-25–V2-29, Aug. 2010.
[28] S. Shin, T. Kwon, G.-Y. Jo, Y. Park, and H. Rhy, "An experimental study of hierarchical intrusion detection for wireless industrial sensor networks," IEEE Transactions on Industrial Informatics, vol. 6, pp. 744–757, Nov. 2010.
[29] R. Tomasi, H. Khaleel, F. Penna, C. Pastrone, R. Garello, and M. Spirito, "Frequency agility in IPv6-based wireless personal area networks (6LoWPAN)," in Wired/Wireless Internet Communications (E. Osipov, A. Kassler, T. Bohnert, and X. Masip-Bruin, eds.), vol. 6074 of Lecture Notes in Computer Science, pp. 146–157, Springer Berlin Heidelberg, 2010.
[30] R. Tomasi, L. Bruno, C. Pastrone, and M. Spirito, "Meta-exploitation of IPv6-based wireless sensor networks," in 3rd International Workshop on Security and Communication Networks (IWSCN), Gjøvik, Norway, 2011.
[31] "Suricata - The next generation intrusion detection system," [Online] http://www.openinfosecfoundation.org, accessed May 2013.
[32] "Contiki, the open source OS for the internet of things," [Online] http://www.contiki-os.org/, accessed May 2013.