09-09-2016, 10:19 AM
Attachment: 1453974798-jellyfishattack.pdf (1.28 MB)
Abstract
Mobile ad hoc networks (MANETs) are vulnerable to various types of attacks due to their inherently insecure wireless communication medium and multi-hop routing process. In this paper, we analyze the behavior and impact of the JellyFish attack on TCP-based MANETs. We have implemented and evaluated all three variants of the JellyFish attack, namely JF-reorder, JF-delay and JF-drop, through simulation. These attacks exploit the behavior of closed-loop protocols such as TCP and disturb the communication process without disobeying any protocol rules, which makes detection difficult. Consequently, traffic is disrupted, leading to degradation in network throughput. Through extensive simulation results obtained using an industry-standard scalable network simulator called EXata-Cyber, the impact of these attacks in terms of network throughput, overhead incurred and end-to-end delay is analyzed and used for devising detection and countermeasures. We have proposed a light-weight direct trust-based detection (DTD) algorithm which detects and removes a JellyFish node from an active communication route. In our proposed DTD algorithm, each node uses locally calculated trust values, collected over a time period, to identify whether its neighbor node is a JF-attacker or not.
1. Introduction
In recent years, technological advancements in hand-held devices and improvements in deployment methods have made mobile ad hoc networks (MANETs) appealing for a variety of applications. Because they are inexpensive and can be deployed on the fly, MANETs are useful in rescue and emergency operations carried out during earthquakes and floods, military operations, vehicular ad hoc networks (VANETs), sensor networks, indoor and outdoor conferences, campus networks, robot networks, etc. (Conti and Giordano, 2007). Despite the possible use of MANETs in a variety of applications, their practical deployment is limited by their inherently insecure communication process and non-centralized architecture. As a result, providing security in MANETs has become a major concern for researchers.
In MANETs, communication between two nodes that are outside each other's transmission range requires a multi-hop process in which intermediate nodes forward the data. These intermediate nodes are independent and are the most likely candidates to become attacker nodes. Various attacks caused by malicious intermediate nodes in MANETs have been reported in the literature. These include worm hole, black hole, gray hole, flooding and impersonation attacks, selfish node misbehavior, etc. (Nadeem and Howarth, 2013). These attacks are performed on UDP-based MANETs, and their attack methodology tampers with the normal functioning of the data communication process, which makes them visible and, hence, easy to detect. MANETs are more vulnerable to attacks due to:
- lack of a central point for authentication, network management and authorization,
- the requirement of mutual trust-based communication (i.e., multi-hop communication),
- dynamic topology, and
- limited resources, i.e., it is hard to implement a countermeasure algorithm efficiently due to low processing power and battery life.
In general, MANETs lack security provisions. It is assumed that the intermediate nodes are trustworthy and obey the rules of the various protocols at the different layers involved in the transmission of data packets. This trust in intermediate nodes is a significant issue in networks characterized by dynamic topology. It is comparatively easy to eavesdrop on wireless communication and to physically capture and compromise legitimate nodes. Without any security provisions, transport and network layer protocols are highly susceptible to various kinds of malicious activity that can adversely affect network communication.
A significant percentage of MANET applications use UDP as the transport layer protocol. This is because of MANETs' error-prone and unreliable communication process, which is a result of interference, shared bandwidth and dynamic topology. However, applications that require in-order delivery and end-to-end reliability, such as file transfer protocol (FTP), secure HTTP and other packet-delivery- and error-sensitive applications, must rely on the Transmission Control Protocol (the de facto standard for reliable, in-order end-to-end service) (Socolofsky and Kale, 1991) for their communication. In MANETs, TCP performs poorly, and its performance degrades rapidly as network mobility increases. This is because TCP has no separate mechanism to identify whether a packet has been dropped en route due to the characteristics of a wireless mobile network or due to network congestion. TCP's flow and congestion control mechanism treats every packet loss as a sign of congestion and decreases its transmission rate, leading to a decrease in network resource utilization and network throughput.
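To make the point above concrete, here is an added Python model (not code from the paper or from the EXata-Cyber simulator) of how a Reno/SACK-style sender reacts to the ACK signals it receives. The `Sender` class, its constants and the event names are assumptions. What it shows is that three duplicate ACKs caused by mere reordering at a forwarding node halve the window exactly as a real loss would, and a segment held back long enough to trigger a retransmission timeout resets the window to one segment, even though the channel is not congested; a dropped segment produces the same two signals.

```python
"""Toy model of how a TCP sender's congestion control reacts to ACK events.

Added example, not code from the paper: it models a Reno/SACK-style sender
that treats every loss signal as congestion.  Window sizes are in segments;
the constants and the event names ('ack', 'dup', 'rto') are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Sender:
    cwnd: float = 1.0        # congestion window
    ssthresh: float = 64.0   # slow-start threshold
    dup_acks: int = 0        # consecutive duplicate ACKs seen

    def on_ack(self, new_data_acked: bool) -> None:
        """Process one ACK; duplicate ACKs arrive whenever segments are reordered or lost."""
        if not new_data_acked:
            self.dup_acks += 1
            if self.dup_acks == 3:
                # fast retransmit / fast recovery: the window is halved even if
                # the segment was only reordered by an intermediate node
                self.ssthresh = max(self.cwnd / 2.0, 2.0)
                self.cwnd = self.ssthresh
            return
        self.dup_acks = 0
        if self.cwnd < self.ssthresh:
            self.cwnd += 1.0              # slow start
        else:
            self.cwnd += 1.0 / self.cwnd  # congestion avoidance (additive increase)

    def on_timeout(self) -> None:
        """Retransmission timeout: a delayed segment is treated as lost to congestion."""
        self.ssthresh = max(self.cwnd / 2.0, 2.0)
        self.cwnd = 1.0
        self.dup_acks = 0


def replay(events):
    """Feed a sequence of 'ack' / 'dup' / 'rto' events to a fresh sender; return the cwnd trace."""
    s = Sender()
    trace = []
    for e in events:
        if e == "ack":
            s.on_ack(True)
        elif e == "dup":
            s.on_ack(False)
        elif e == "rto":
            s.on_timeout()
        else:
            raise ValueError(f"unknown event {e!r}")
        trace.append(round(s.cwnd, 2))
    return trace


# Constructed event sequences (not simulator output): ten in-order ACKs, then the
# signal each JellyFish variant tends to produce at the sender.
SCENARIOS = {
    "no interference": ["ack"] * 10,
    "reordered, nothing lost": ["ack"] * 10 + ["dup"] * 3,
    "delayed past the RTO": ["ack"] * 10 + ["rto"],
}

if __name__ == "__main__":
    for name, events in SCENARIOS.items():
        print(f"{name:28s} final cwnd = {replay(events)[-1]}")
```

The model deliberately omits window inflation during fast recovery and RTO back-off; the property it isolates is the one the paper relies on, namely that the sender cannot tell a reordered or delayed segment from a congestion loss and cuts its rate either way.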
The main aim of this paper is to study the effects of a protocol-compliant DoS (Denial of Service) attack (Abdelaziz et al., 2013) called JellyFish (Jhaveri et al., 2012) on TCP-based MANETs and to devise a countermeasure. In this paper, we shall refer to a mobile node launching the JellyFish attack as a ‘JF-node’. Being protocol-compliant, the attack is harder to detect. A JF-node targets a closed-loop protocol such as TCP and exploits its working mechanism to degrade communication performance. We have analyzed the effects of three JF (JellyFish) attack variants, (1) JF-reorder, (2) JF-delay and (3) JF-drop, over TCP-SACK (Floyd et al., 1996), the most robust TCP variant compared to others such as TCP-Reno, TCP-NewReno, TCP-Tahoe, etc. in terms of handling packet losses and retransmission timeouts. The simulation results are collected for static as well as mobile ad hoc networks by varying the number of attackers and their positions on active routes. From the attack analysis, it has been observed how a JF-attacker behaves with the change in TCP's flow and congestion control mechanisms, and vice versa. To detect JF-nodes and prevent them from participating in route discovery processes, we have proposed a novel detection algorithm that works efficiently for all three variants of the JellyFish attack. To implement the attacks and the performance analysis, we have simulated MANET scenarios using the network simulator EXata-Cyber (ver. 2.0) (http://www.scalable-netwo). To the best of our knowledge, this is the first work that includes an impact analysis of all three variants of the JellyFish attack and also proposes a common solution to identify and counter JF-attackers in small as well as large MANET scenarios.
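The abstract and the paragraph above describe the detection idea only in outline: each node computes trust values locally, collects them over a time period, and flags a neighbor as a JF-attacker when they fall too low. The following Python example is added here as an illustration of that shape and is not the paper's DTD algorithm (the paper's own rules are in its Section 5, which this post does not reproduce). The three ratios (drop, reorder, delay), the window size `WINDOW`, the latency limit `DELAY_LIMIT`, the threshold `TRUST_FLOOR` and the overheard-forwarding observation model are all assumptions; the traces fed to it are constructed, not measured.

```python
"""Direct-trust style monitoring of a next-hop neighbour for the three JellyFish variants.

Added example, not the paper's DTD algorithm: the metrics, window size and
thresholds below are assumptions chosen to show how a node can turn locally
overheard forwarding behaviour into a trust value and flag a neighbour once
the trust collected over a time period falls too low.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional

DELAY_LIMIT = 0.5   # assumed: forwarding latency (s) above this counts as a delay event
TRUST_FLOOR = 0.6   # assumed: period trust below this marks the neighbour as suspect
WINDOW = 10         # assumed: observations per trust window


@dataclass(frozen=True)
class Observation:
    seq: int                       # sequence number of the segment handed to the neighbour
    sent_at: float                 # time (s) we transmitted it to the neighbour
    forwarded_at: Optional[float]  # time (s) we overheard the neighbour forward it; None = never


def window_trust(obs: list[Observation]) -> float:
    """Trust for one window: 1.0 minus the worst of the drop, reorder and delay ratios."""
    if not obs:
        return 1.0
    forwarded = [o for o in obs if o.forwarded_at is not None]
    drop_ratio = 1.0 - len(forwarded) / len(obs)
    # reorder: forwarding order (by overheard time) disagrees with sequence order
    by_time = sorted(forwarded, key=lambda o: o.forwarded_at)
    inversions = sum(1 for a, b in zip(by_time, by_time[1:]) if b.seq < a.seq)
    reorder_ratio = inversions / max(len(forwarded) - 1, 1)
    delayed = sum(1 for o in forwarded if o.forwarded_at - o.sent_at > DELAY_LIMIT)
    delay_ratio = delayed / max(len(forwarded), 1)
    return round(1.0 - max(drop_ratio, reorder_ratio, delay_ratio), 3)


def evaluate_neighbour(obs: list[Observation]) -> dict:
    """Compute trust per window, average it over the whole observation period, and decide."""
    windows = [obs[i:i + WINDOW] for i in range(0, len(obs), WINDOW)]
    trusts = [window_trust(w) for w in windows]
    period_trust = round(sum(trusts) / len(trusts), 3) if trusts else 1.0
    return {"window_trust": trusts, "period_trust": period_trust,
            "suspect": period_trust < TRUST_FLOOR}


def make_trace(n: int, latency: Callable[[int], Optional[float]]) -> list[Observation]:
    """Build a constructed trace: segment seq is sent at seq*0.1 s; latency(seq) gives the
    neighbour's forwarding delay, or None if it never forwards the segment."""
    out = []
    for seq in range(1, n + 1):
        sent = round(seq * 0.1, 3)
        lat = latency(seq)
        out.append(Observation(seq, sent, None if lat is None else round(sent + lat, 3)))
    return out


# Constructed traces (not measured data): 20 segments handed to four kinds of neighbour.
TRACES = {
    "honest":  make_trace(20, lambda s: 0.02),
    "reorder": make_trace(20, lambda s: 0.15 if s % 2 else 0.02),       # swaps each pair
    "delay":   make_trace(20, lambda s: 0.8),                            # forwards everything late
    "drop":    make_trace(20, lambda s: None if s % 2 == 0 else 0.02),   # discards every other one
}

if __name__ == "__main__":
    for name, trace in TRACES.items():
        r = evaluate_neighbour(trace)
        print(f"{name:8s} window trust {r['window_trust']} period {r['period_trust']} suspect={r['suspect']}")
```

Two design points are worth noting. Taking the worst of the three ratios, rather than a weighted sum, means a neighbor that misbehaves in only one way cannot hide behind good behavior in the other two. The threshold and collection period trade false positives against sensitivity: a node that drops or delays only a small fraction of segments will score above `TRUST_FLOOR` in this toy, which is the low-rate case the related-work section notes is harder to detect, and catching it requires a lower floor or a longer observation period at the cost of more false alarms on a genuinely lossy wireless link.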
The rest of the paper is organized as follows. In Section 2, we briefly discuss the reported work on attacks, including JellyFish, in MANETs. A comparison of detection mechanisms highlighting the merits and limitations of each is also presented. TCP-SACK, the variant used in our study, is briefly discussed in Section 3. Details of the JellyFish attack and the implementation of its three variants are presented in the same section. Simulation results and their analysis are presented in Section 4. The proposed detection algorithm and its working methodology are presented with the help of an example in Section 5. This is followed by conclusions and future work in Section 6.
2. Related work
In a secure wireless network, the main goal is to maintain
secure and successful data transmission between two end
points. For the network to perform efficiently, it is imperative
to devise a security mechanism that can make the network
resilient against various attacks (Nguyen and Nguyen, 2012).
Over the past few years, attacks that exploit MANETs' vulnerabilities
have been proposed in conjunction with possible
countermeasures.
In MANETs, a malicious node can lead to incorrect network behavior using the following methods:
- The malicious node generates a tremendous amount of junk packets in the network, preventing legitimate nodes from gaining access to the communication channel for transmission of data or control messages.
- The malicious node generates control packets carrying incorrect topological information, leading to false entries in other nodes' routing tables.
- After receiving control messages, the malicious node can delay the dissemination process. As a result, the information in these control messages might become incorrect, as it may not correspond to the most recent change in the network topology.
A large fraction of the existing MANET attacks use one or more of the above three methods. The following is a comprehensive list of known MANET attacks.
- Worm Hole attack (Hu et al., 2006): It is one of the most sophisticated and rigorous attacks in MANETs. Here, two attackers place themselves strategically in the network. Once strategically placed, the attacker pair advertises the path through them as the shortest one. This is to ensure traffic diversion through these nodes. The attackers can eavesdrop on the communication through them and record it for future use. The Worm Hole attacker creates a tunnel in order to record the ongoing communication and traffic at one network position and channels it to another position in the network.
- Black Hole attack (Mishra et al., 2013): A malicious node (called a blackhole) sends fake routing information, claiming that it has an optimum route, and causes other nodes to route data packets through itself. For example, in AODV (Ad-hoc On-demand Distance Vector) (Perkins and Royer, 1999), the attacker can send a fake RREP (route reply), including a fake destination sequence number equal to or higher than the one contained in the RREQ (route request), to the source node, claiming that it has a sufficiently fresh route to the destination node. This causes the source node to select the route that passes through the attacker. Once paths have been established, the blackhole simply drops all packets, leading to a DoS attack.
- Sybil attack: In this attack (Abbas et al., 2013), the attacker assumes multiple identities and uses these identities to launch a distributed DoS attack, establish non-existent routes that disrupt traffic, fabricate control/data messages, etc. Multiple identities help the attacker evade detection.
- Greyhole attack: The attacker node drops some of the packets that pass through it.
- Selfish Node Misbehaving: In MANETs, the nodes participate in a collaborative manner to forward packets to other nodes. A node refusing to forward packets in order to conserve its limited resources is termed a ‘selfish node’. This selfishness causes network and traffic disruptions (Dasilva and Eltoweissy, 2005).
Attacks such as black-hole, Sybil, worm-hole, etc. disrupt the normal behavior of the routing protocol by adding incorrect information to, modifying information in, or dropping part or all of the information in control messages during the route discovery process (Djahel et al., 2011). Such forms of attack are easy to detect, as the attacker node is not following the protocol. Other attacks, such as greyhole, selfish behavior, the JellyFish attack, etc., comply with the protocol rules and yet disrupt network communication. Detecting such attacks is a challenging task.
In Aad et al. (2008), the authors proposed three forms of protocol-compliant attacks against closed-loop protocols and named them the JellyFish attack. The authors show how these attacks identify loopholes in TCP's flow and congestion control algorithm and exploit them to degrade network throughput. The performance, however, has been analyzed on a small static MANET scenario consisting of a few nodes and only one data flow (Aad et al., 2008). The impact of the JellyFish attack(s) on mobile MANETs has not been investigated. The detection mechanism proposed by the authors (Aad et al., 2008) is not feasible to implement, as per their own admission.
The authors in Wazid et al. (2013) proposed e-TCP, an improved version of TCP, to mitigate the effects of the delay-variance JellyFish attack. However, performance for the other attack variants has not been reported. A brief survey on malicious node behavior detection is given in Mani and Kamalakkannan (2013). A reorder-density-based detection mechanism for detecting JellyFish reorder attacks has been presented in Jayasingh and Swathi (2010). Each node calculates the reorder density by recording the reordering frequency of its neighbor nodes. The authors, however, did not provide any countermeasure mechanism, and no results, from simulation or otherwise, have been presented to show the efficiency of their proposed detection method. In Kuzmanovic and Knightly (2006), an analytical model for detecting the packet reordering attack by adding two new transition states to TCP-NewReno is proposed. The JellyFish dropping attack, along with the blackhole attack, is studied in detail in Purohit et al. (2011) without providing any solution for its detection or prevention. A collaborative countermeasure, often used as the basis for other detection methods, is proposed in Marti et al. (2000). Here, the authors present a node misbehavior detection mechanism called ‘watchdog’, in which a group of nodes monitors other nodes' behavior and rates them accordingly. Another method, called ‘pathrater’, is used to prevent the misbehaving node(s) detected by the watchdogs from establishing further communication routes.
In Aad et al. (2004), the authors presented a denial-of-service model for blackhole and JellyFish attacks. To analyze the effects of these attacks, various simulations along with analytical modeling were performed over a large set of MANET scenarios with varying mobility, system size, node density, and counter-DoS strategies. Although no detection mechanism is provided for these attacks, the study provides useful insight. Kuzmanovic and Knightly (2006) demonstrated that low-rate DoS attacks are harder to detect than high-rate DoS attacks (for example, JellyFish). The authors used simulations, analytical modeling and Internet experiments to show the impact of various low-rate DoS attacks on TCP-based MANETs along with feasible countermeasures to thwart these attacks.