
Intrusion Detection and light weight Firewall for the 6LoWPAN networks



Intrusion Detection and light weight Firewall for the 6LoWPAN networks

Dharmini Shreenivas

Supervisors: Shahid Raza (SICS), Thiemo Voigt (SICS)

Examiner: Jim Dowling, Associate Professor in Distributed Systems, KTH Royal Institute of Technology, Stockholm

TRITA-ICT-EX-2014:175


List of abbreviations

6LoWPAN IPv6 over Low power Wireless Personal Area Network
AH Authentication Header
BER Bit Error Rate
CoAP Constrained Application Protocol
CoAPs Secure CoAP
DAG Directed Acyclic Graph
DAO Destination Advertisement Object
DIO DODAG Information Object
DODAG Destination Oriented Directed Acyclic Graph
DoS Denial of Service
DPI Deep Packet Inspection
DTLS Datagram Transport Layer Security Protocol
ETX Expected Transmission Count
ICMP Internet Control Message Protocol
ICMPv6 Internet Control Message Protocol version 6
IDS Intrusion Detection System
IoT Internet of Things
IP Internet Protocol
IPv6 Internet Protocol version 6
LLN Low-Power and Lossy Networks
LPM Low Power Mode
MAC Media Access Control
MAC Message Authentication Code
MCU Microcontroller Unit
MIC Message Integrity Code
OCP Objective Code Point
OF Objective Function
RPL Routing Protocol for Low-Power and Lossy Networks
UDP User Datagram Protocol
VPN Virtual Private Network
WSN Wireless Sensor Network


Abstract

IPv6 over Low power Wireless Personal Area Networks (6LoWPAN) is an adaptation layer inserted between the link layer and the network layer of the TCP/IP stack so that IPv6 datagrams can be carried over IEEE 802.15.4 links. 6LoWPAN networks consist of Internet-enabled, resource-constrained smart objects that are interconnected through IPv6. In the Internet of Things (IoT), the smart devices of a 6LoWPAN network are connected to the unsecured public Internet. RPL (Routing Protocol for Low-Power and Lossy Networks) is the standardized protocol for routing IP datagrams over the lossy links of an LLN (Low-Power and Lossy Network). In the IoT every device has a global identity and can be reached from anywhere on the globe, so security is essential to protect the devices and their information resources from adversaries, and the security solutions must remain effective within the limited resources of smart objects. Despite state-of-the-art cryptographic solutions providing information security, IPv6-enabled smart objects remain vulnerable to attacks from outside and from inside the 6LoWPAN network. This thesis attempts to identify intrusions aimed at disrupting 6LoWPAN networks and to prevent external adversaries from taking advantage of the resource-constrained 6LoWPAN environment. We review the state of the art in security attacks on conventional WSNs and on RPL-based LLNs. To improve security within 6LoWPAN networks, we extend SVELTE (an IDS for the IoT) by adding the ETX (Expected Transmission Count) metric to the 6Mapper. In RPL, ETX is a link-reliability metric: the expected number of transmissions needed to deliver a packet successfully over a link, and summed along the path it gives the expected cost of reaching the Border Router. Monitoring the ETX values reported by the nodes can keep the Border Router and the neighbouring nodes from actively engaging with a malicious intruder. We further propose a geographic routing algorithm to identify a malicious node that attacks ETX-based solutions.

We also implement a lightweight firewall at the Border Router to protect 6LoWPAN networks from external attackers. The firewall performs stateful deep packet inspection on the protocols of the 6LoWPAN protocol stack. Our evaluation shows that the IDS module with the ETX metric consumes negligible energy and very little CPU time, and that our intrusion detection mechanisms improve the true positive rate of SVELTE.


Acknowledgements

I would like to earnestly thank Dr. Shahid Raza and Prof. Thiemo Voigt for offering me a thesis at the Swedish Institute of Computer Science (SICS). I am grateful to my supervisor Shahid for all the discussions, reviews and feedback on my work. I would also like to thank the entire Networked Embedded Systems Group (NES) at SICS for providing me all the assistance whenever I needed help. I am extremely thankful to Nicolas Tsiftes, Niclas Finne and Simon Duquennoy for all the guidance that they provided me for completing this thesis. I’d also like to thank Jim Dowling for all the prompt assistance. SICS has been a wonderful place to do my master thesis. I am thankful to my family and friends for their unconditional support. Finally, I’d like to thank Prithvi for helping me in the final stage of my thesis.


Contents

Abstract
Acknowledgements
1 Introduction
1.1 Problem Statement
1.2 Motivation
1.3 Research Methodology
1.4 Scope
1.5 Thesis Outline
2 Background
2.1 Internet of Things
2.1.1 802.15.4
2.1.2 6LoWPAN
2.1.3 RPL
2.2 Security in Internet of Things
2.3 Intrusion Detection Systems in constrained environments
2.3.1 Related Work
2.3.2 Types of Intrusion Detection System
3 RPL Protocol
3.1 RPL Protocol summary
3.2 RPL control messages
3.2.1 DODAG Information Object (DIO) messages
3.2.2 Destination Advertisement Object (DAO)
3.2.3 DIS (DODAG Information Solicitation)
3.3 RPL Routing metrics
3.4 RPL DODAG building process
3.5 RPL repair mechanisms
4 Routing attacks in constrained environment
4.1 Rank attacks
4.2 Root Spoofing attack
4.3 Repair attack
4.4 Resource Exhaustion attack
4.5 Routing attacks in constrained environment
5 Intrusion Detection in RPL connected LLN
5.1 Introduction
5.2 Design of the IDS
5.2.1 IDS Components
5.2.2 6Mapper
5.2.3 IDS mechanism
5.3 Our intrusion detection mechanism with ETX metric
5.4 Our IDS with geographic hints
5.5 Evaluation
5.5.1 Components of a IoT environment
5.6 Environment
5.6.1 Energy and Power Usage
6 Firewall
6.1 Background
6.1.1 Types of firewall
6.1.2 Stateful Firewalls
6.1.3 Application firewalls
6.1.4 Application level gateways
6.1.5 Host based firewalls and Personal Firewalls
6.2 Firewall architectures
6.2.1 Tunnels
7 Firewall for Internet of Things
7.1 Firewall policy design and management for the RPL based LLN
7.1.1 Description of the Policies and Rule set for RPL based LLN
7.1.2 Details of the stateful table implemented for the packet filter in the Border Router
7.2 Implementation
7.2.1 Description of policies in the packet filter
7.2.2 Enforcement rules for the packet filtering firewall
7.3 Limitations
8 Conclusion
9 Future Work


Chapter 1

Introduction

The term Internet of Things was coined by Kevin Ashton [4]. Over the years the Internet of Things (IoT) has come to denote a network of tiny devices (smart objects) equipped to communicate with each other through the Internet Protocol. IoT technology lets people access the information provided by smart objects and build applications on top of the Internet Protocol. Cisco, a leading provider of network solutions, predicts that by the end of 2020 almost 50 billion devices will be connected to the Internet [25]. Hence the hardware and software infrastructure must be able to accommodate the large-scale requirements of networked devices.

The IoT aims to overcome the limitations of traditional, isolated sensor systems and to create digital representations of the physical world. It comprises smart objects, each consisting of a sensor or actuator, a tiny microprocessor, a communication device and a power source, connected to the Internet. These tiny nodes exchange sensor readings with each other to form a network and ease communication. This small communication architecture comes at the cost of limitations: the sensor nodes are constrained in memory, power and storage. An efficient protocol therefore has to accommodate these constraints while keeping communication among the nodes, and with the physical world, efficient. The IETF has standardized a communication architecture adapted to the needs of sensor nodes; this seamless infrastructure lets the nodes communicate their readings among themselves as well as over the Internet, making them reachable and robust.

1.1 Problem Statement

In an Internet of Things environment, security has to be provided to all participating devices and their information resources. The IoT consists of low-power devices with very limited ability to protect themselves against internal and external attacks, and there are innumerable ways in which a node can act maliciously, by itself or on behalf of other nodes, despite strong cryptographic protection.

The firewall and the IDS designed here should meet the following requirements to tackle internal as well as external threats:

• The IDS designed for the RPL protocol should not impose an overhead on the participating nodes of the 6LoWPAN network.

• The IDS should not alter the functionality of the DAG while detecting and eliminating malicious nodes.

• The IDS should be extensible enough to accommodate new protocols and their parameters, so that it can detect new threats and mitigate attacks.

• The firewall for an Internet of Things environment should be flexible enough to accommodate rules from the various protocols at the various layers of the IoT protocol stack.

1.2 Motivation

Conventional systems rely on certificates and keys to provide security, but any network becomes insecure once its keying material is captured by an unauthorized entity, which can then perform authorized operations.

A network can be disrupted or attacked by unauthorized members in two ways: by an unauthorized insider, who has the same access rights as the authorized members of the 6LoWPAN network, and by an unauthorized external entity, which attacks from outside the local 6LoWPAN network environment.

An unauthorized entity that behaves like an authorized entity inside a private network is termed an intruder. Intrusion detection techniques are built to detect these intruders and isolate them before they disrupt the entire network. Firewalls are built to protect the internal 6LoWPAN network from attacks by entities that are not members of the local 6LoWPAN network.

In this thesis we attempt to protect the members of 6LoWPAN networks from internal and external threats. To address internal threats we study various intrusion detection techniques and design an intrusion detection mechanism for 6LoWPAN networks; for external threats we design a lightweight packet-filtering firewall. Both the firewall and the IDS follow the requirements given in Section 1.1.

1.3 Research Methodology

Research on intrusion detection has mostly been conducted on wireless sensor networks and ad hoc networks.

The Internet of Things is a new and upcoming technology. Since the Internet of Things and wireless sensor networks are built on similar technical constructs, the difference being the IP stack installed on the devices, research articles on wireless sensor networks and ad hoc networks were used to design the intrusion detection system. Attacks on low-power wireless networks were also studied in order to build an efficient intrusion detection system for low-powered devices. Rule-based firewalls for the Internet of Things have only recently appeared in the research literature, so we studied deep packet inspection techniques for conventional systems and adapted the design to the Internet of Things.

1.4 Scope

The scope of this master thesis is limited to intrusion detection systems and firewalls in the Internet of Things. By designing an effective intrusion detection system, building on the existing research, we aim to protect the 6LoWPAN network from unauthorized attackers. We have also designed a lightweight firewall to protect the 6LoWPAN network from external adversaries.

1.5 Thesis Outline

This thesis studies and designs intrusion detection mechanisms for the RPL protocol and a lightweight firewall for 6LoWPAN networks.

In Chapter 2 we discuss the background of the Internet of Things and WSNs, and survey the attacks that can be carried out in an Internet of Things environment. In Chapter 3 we study in detail the RPL protocol for which this thesis designs an intrusion detection mechanism, and define the security properties required for a secure LLN environment. In Chapter 4 we discuss the security of the RPL protocol and describe the attacks that can disrupt a 6LoWPAN network; these attacks exploit the state of the RPL protocol and its routing functionality from inside the 6LoWPAN network. To counter these attacks we introduce intrusion detection techniques in Chapter 5. In Chapter 6 we give the background and requirements for building firewalls for the Internet of Things. In Chapter 7 we present our design of the lightweight packet-filtering firewall that protects 6LoWPAN networks from external adversaries.

Chapter 2

Background

The Internet of Things is a technology consisting of many smart objects: devices deployed in the real world that collect data about it through their sensors and execute actions appropriate to the deployment scenario. This chapter gives a brief introduction to the Internet of Things, wireless sensor networks, intrusion detection systems and the various IDS techniques.

2.1 Internet of Things

The traditional networking architecture, the OSI reference model [70], has seven layers: the physical, data link, network, transport, session, presentation and application layers [55, 16, 56, 54, 26]. Each layer performs its own function in end-to-end data delivery. For implementation feasibility the TCP/IP protocol suite [9] was developed for traditional networking systems. The research community then developed an IP-based communication architecture [20, 22] for tiny devices to make them smart and more robust. This lets every device communicate through the Internet Protocol from anywhere, unlike the conventional WSN architecture, in which the sink node or base station is the single point of communication for the devices it controls [35].

The IETF working groups ROLL and 6LoWPAN have standardized the architecture and protocols that enable communication among these devices. The adapted architecture uses IEEE 802.15.4 as the link layer carrying IPv6 packets [1]; 6LoWPAN, an adaptation layer that fits IPv6 packets onto the IEEE 802.15.4 link layer [40, 50]; the Routing Protocol for Low-Power and Lossy Networks (RPL) as the standardized routing protocol [67]; UDP as the transport protocol [54]; and CoAP as the standardized application-layer protocol for the IoT [65].

Figure 2.1: Protocol stack of the Internet of Things. The figure contrasts the conventional stack (Ethernet or wireless PHY and MAC at the data link layer; IPv4 and IPv6 with IPsec at the network layer; TCP, UDP and ICMP; HTTP at the application layer) with the IoT stack (IEEE 802.15.4 PHY and MAC; the 6LoWPAN adaptation layer; IPv6 with IPsec and RPL at the network layer; UDP/DTLS and ICMPv6; CoAP/CoAPs at the application layer).

Figure 2.1 shows the general architecture of the Internet of Things, in which every device that embeds the IP protocol can communicate with every other such device.

2.1.1 802.15.4

IEEE 802.15.4 defines the link layer for tiny embedded devices. It consists of the PHY (physical layer) and the MAC layer. The PHY carries data between the MAC layer and the radio channel; the MAC layer uses the PHY to transmit MAC frames, adding a MAC header to every packet sent over the channel. An 802.15.4 network consists of full-function devices (FFDs) and reduced-function devices (RFDs). An FFD can operate as the PAN coordinator, as a coordinator or as an ordinary device, and can talk to RFDs or other FFDs, whereas an RFD can only associate with an FFD. Because IEEE 802.15.4 is built for low-power nodes, its frames are far smaller than the link capacity IPv6 assumes; the adaptation layer described in Section 2.1.2 bridges that gap.

A detailed security analysis of the IEEE 802.15.4 link layer was carried out by Sastry et al. [62], who also proposed extensions to enhance the link-layer integrity services and key-management solutions against DoS and jamming attacks [52, 69]. IEEE 802.15.4 provides link-layer security services: access control, confidentiality, message integrity and replay protection. Confidentiality is provided by AES-based encryption in which a nonce derived from the sender's address and a frame counter makes every frame's keystream unique; replay protection relies on the monotonically increasing frame counter exchanged between the communicating entities; message integrity is provided by a message integrity code (MIC, a cryptographic MAC, not to be confused with the Media Access Control layer) appended to every frame. The MAC layer applies these services to its four frame types: beacon, data, MAC command (control) and acknowledgement frames [62].

2.1.2 6LoWPAN

6LoWPAN was created to let IPv6 packets traverse the IoT protocol stack. IPv6 requires every link to support a maximum transmission unit (MTU) of at least 1280 bytes (Ethernet offers 1500), whereas an IEEE 802.15.4 frame is at most 127 bytes. 6LoWPAN is therefore introduced as the adaptation layer between IPv6 and the IEEE 802.15.4 link layer, enabling efficient transmission of IPv6 datagrams over 802.15.4 networks. It provides packet fragmentation and reassembly, header compression and link-layer forwarding [34].
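The fragmentation service just described is where a border router or IDS first has to decide how much to trust a sender. The following is an added Python illustration, not code from the thesis or from any 6LoWPAN stack, of the RFC 4944 FRAG1/FRAGN headers together with a reassembler that refuses the fragments a careful receiver should refuse: a fragment that overruns the announced datagram_size, one that overlaps an earlier fragment with different content, and a datagram_size larger than the reassembly buffer. The 102-byte per-frame payload budget, the sender label and the sample datagram are constructed assumptions for the example; the real budget depends on the 802.15.4 addressing mode and link-layer security fields.

```python
"""Added illustration of RFC 4944 6LoWPAN fragmentation and guarded reassembly."""
import struct

FRAG1_DISPATCH = 0b11000   # RFC 4944: first-fragment header, 4 bytes
FRAGN_DISPATCH = 0b11100   # RFC 4944: subsequent-fragment header, 5 bytes
# Assumption for this example: 102 bytes of an 802.15.4 frame remain for the
# 6LoWPAN payload once MAC header, FCS and security fields are accounted for.
FRAME_PAYLOAD_BUDGET = 102
IPV6_MIN_MTU = 1280        # every IPv6 link must carry 1280-byte datagrams


def fragment(datagram: bytes, tag: int, budget: int = FRAME_PAYLOAD_BUDGET) -> list:
    """Split one IPv6 datagram into link frames carrying FRAG1/FRAGN headers."""
    size = len(datagram)
    if not 0 < size <= 0x7FF:
        raise ValueError("datagram_size is an 11-bit field")
    if not 0 <= tag <= 0xFFFF:
        raise ValueError("datagram_tag is a 16-bit field")
    # Every fragment but the last carries a multiple of 8 octets, because
    # FRAGN offsets are expressed in 8-octet units.
    first_len = min(size, (budget - 4) // 8 * 8)
    frames = [struct.pack("!HH", (FRAG1_DISPATCH << 11) | size, tag) + datagram[:first_len]]
    offset = first_len
    while offset < size:
        chunk = min(size - offset, (budget - 5) // 8 * 8)
        header = struct.pack("!HHB", (FRAGN_DISPATCH << 11) | size, tag, offset // 8)
        frames.append(header + datagram[offset:offset + chunk])
        offset += chunk
    return frames


class Reassembler:
    """Reassembles fragments per (sender, tag) and rejects fragments that
    overrun the announced datagram_size, overlap earlier data with different
    content, or exceed the receiver's buffer."""

    def __init__(self, max_datagram: int = IPV6_MIN_MTU):
        self.max_datagram = max_datagram
        self.pending = {}  # (sender, tag) -> {"size": int, "parts": {offset: bytes}, "have": int}

    @staticmethod
    def parse_header(frame: bytes):
        """Return (tag, datagram_size, byte offset, payload) for a FRAG1/FRAGN frame."""
        if not frame:
            raise ValueError("empty frame")
        dispatch = frame[0] >> 3
        if dispatch == FRAG1_DISPATCH:
            if len(frame) < 4:
                raise ValueError("truncated FRAG1 header")
            word, tag = struct.unpack("!HH", frame[:4])
            return tag, word & 0x7FF, 0, frame[4:]
        if dispatch == FRAGN_DISPATCH:
            if len(frame) < 5:
                raise ValueError("truncated FRAGN header")
            word, tag, off8 = struct.unpack("!HHB", frame[:5])
            return tag, word & 0x7FF, off8 * 8, frame[5:]
        raise ValueError("not a 6LoWPAN fragment")

    def feed(self, sender: str, frame: bytes):
        """Accept one fragment; return the whole datagram once complete, else None."""
        tag, size, offset, payload = self.parse_header(frame)
        if size > self.max_datagram:
            raise ValueError("datagram_size exceeds the reassembly buffer")
        if offset + len(payload) > size:
            raise ValueError("fragment overruns the announced datagram_size")
        key = (sender, tag)
        buf = self.pending.setdefault(key, {"size": size, "parts": {}, "have": 0})
        if buf["size"] != size:
            raise ValueError("datagram_size changed within one tag")
        for other_off, other in buf["parts"].items():
            if other_off < offset + len(payload) and offset < other_off + len(other):
                if other_off == offset and other == payload:
                    return None  # exact retransmission: harmless, ignore
                raise ValueError("overlapping fragment with different content")
        buf["parts"][offset] = payload
        buf["have"] += len(payload)
        if buf["have"] < size:
            return None
        del self.pending[key]
        return b"".join(buf["parts"][o] for o in sorted(buf["parts"]))


if __name__ == "__main__":
    sample = bytes(range(256)) * 5          # constructed 1280-byte datagram
    frames = fragment(sample, tag=0x1234)
    r = Reassembler()
    result = None
    for f in reversed(frames):               # out-of-order delivery is normal on a lossy link
        result = r.feed("node-a", f)
    print(len(frames), "fragments, reassembled OK:", result == sample)
```

A production reassembler also needs a timer per (sender, tag) so that an attacker cannot pin buffers with never-completed datagrams; that is the part of the check this short example leaves out.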

2.1.3 RPL

RPL is the IETF-standardized routing protocol for LLNs [67], designed for routing inside the LLN. As mentioned before, an LLN comprises resource-constrained nodes interconnected by lossy links. RPL control messages are carried in ICMPv6 and are used, together with neighbour discovery, to build the DODAG: each node evaluates the routing metrics advertised by its neighbours and selects parents towards a central node, the 6LoWPAN Border Router (6LBR), which is the DODAG root. The objective function (OF) decides which neighbours become parents, and therefore the path along which information flows from the nodes to the root. Unlike traditional networks, whose routers have ample processing power and memory for routing tables, an LLN is built from resource-constrained routers. An RPL network consists of router nodes, which forward traffic and the control messages that build the DODAG, and leaf nodes, which participate in the network but do not forward those control messages. RPL supports point-to-point, multipoint-to-point and point-to-multipoint traffic patterns. Because the network is lossy, the DODAG offers redundant paths from every participating node to the root and to many other nodes in the network. The protocol is described in detail in Chapter 3.

The network layer is considered the most critical layer because it provides the most important services, such as neighbour discovery and routing and forwarding, and attackers mostly exploit these services to disrupt the internal 6LoWPAN network with various denial-of-service attacks [68]. End-to-end security can be provided cryptographically with IPsec tailored for 6LoWPAN networks [58]. However, once the keying material is misused the entire 6LoWPAN network is vulnerable to all kinds of attacks, and with its resource-constrained devices a 6LoWPAN network is at a far greater disadvantage than a conventional system.
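The DODAG built this way is only as trustworthy as the ranks and metrics the nodes advertise, which is what the 6Mapper of SVELTE, extended in this thesis with the ETX metric, collects and cross-checks. The following is an added Python illustration of such consistency checks; it is not the thesis's or SVELTE's code, and the report format, node names and sample DODAG are constructed for the example. The rules it applies are the RPL rank rule of RFC 6550 (a child's Rank must exceed its parent's by at least MinHopRankIncrease, default 256), the fact that a link's ETX is never below 1 so a node cannot advertise a path ETX better than its parent's plus one hop, the requirement that following preferred parents reaches the root without a loop, and a cross-check of the rank a node reports about itself against the rank its neighbours heard it advertise.

```python
"""Added illustration of 6Mapper-style DODAG consistency checks."""
from collections import namedtuple

MIN_HOP_RANK_INCREASE = 256   # RFC 6550 default DEFAULT_MIN_HOP_RANK_INCREASE
ROOT_RANK = MIN_HOP_RANK_INCREASE

# One mapping reply per node, in a constructed format (not the SVELTE wire
# format): the node, its preferred parent, the Rank and path ETX it
# advertises, and the Ranks it heard its neighbours advertise in their DIOs.
Report = namedtuple("Report", "node parent rank path_etx neighbor_ranks")


def check_dodag(reports, root):
    """Return (node, reason) alerts for reports violating the RPL rank rule,
    the ETX >= 1 per-hop bound, DODAG structure, or neighbour cross-checks."""
    by_node = {r.node: r for r in reports}
    alerts = []
    for r in reports:
        if r.node == root:
            continue
        parent = by_node.get(r.parent)
        if parent is None:
            alerts.append((r.node, "parent not in mapper view"))
            continue
        # RFC 6550: child Rank must exceed parent Rank by >= MinHopRankIncrease
        if r.rank < parent.rank + MIN_HOP_RANK_INCREASE:
            alerts.append((r.node, "rank too low for its parent"))
        # Link ETX is at least 1, so path ETX cannot beat the parent's + 1
        if r.path_etx < parent.path_etx + 1.0:
            alerts.append((r.node, "path ETX better than parent's plus one hop"))
        # Following preferred parents must reach the root without a loop
        seen, cur = {r.node}, r
        while cur.node != root:
            cur = by_node.get(cur.parent)
            if cur is None or cur.node in seen:
                alerts.append((r.node, "parent chain does not reach the root"))
                break
            seen.add(cur.node)
    # A node's self-reported Rank must match what its neighbours heard it
    # advertise; a sinkhole may tell the mapper and its neighbours different things.
    for r in reports:
        for nb, heard in r.neighbor_ranks.items():
            if nb in by_node and by_node[nb].rank != heard:
                alerts.append((nb, f"claims rank {by_node[nb].rank} but {r.node} heard {heard}"))
    return alerts


def sample_reports():
    """Constructed DODAG: root-a-b-d is sane; m hangs off b but claims a
    near-root Rank and path ETX, and told a a different Rank than the mapper."""
    return [
        Report("root", None, ROOT_RANK, 0.0, {"a": 512}),
        Report("a", "root", 512, 1.2, {"root": 256, "m": 700}),
        Report("b", "a", 900, 2.4, {"a": 512}),
        Report("m", "b", 300, 1.0, {"b": 900}),
        Report("d", "m", 600, 2.0, {"m": 300}),
    ]


if __name__ == "__main__":
    for node, reason in check_dodag(sample_reports(), "root"):
        print(f"ALERT {node}: {reason}")
```

Node d is not flagged even though it sits below the attacker: its own report is internally consistent, which is why the checks have to be applied to every report rather than only to nodes close to the root.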


UDP

The User Datagram Protocol (UDP) [54] is the standardized transport protocol for the Internet of Things architecture because sensor data has to be transported with little overhead and delay. The UDP header consists of the source and destination port numbers, a length field and a checksum.

UDP offers best-effort datagram delivery. Its only disadvantage is that it guarantees neither delivery nor ordering nor duplicate suppression, so any reliability or sequencing has to be provided by the protocol running above it (in the IoT stack, by CoAP's Confirmable messages). The UDP checksum covers the UDP header, the payload and an IP pseudo-header; over IPv6 the checksum is mandatory.

CoAP

CoAP is the application-layer protocol for the Internet of Things architecture [65]. It defines request and response messages for requesting and providing application services on constrained devices. Unlike HTTP, CoAP runs over UDP and supports asynchronous message exchange. Every CoAP message carries a 16-bit Message ID used for matching replies and detecting duplicates. There are four message types: Confirmable (CON), Non-confirmable (NON), Acknowledgement (ACK) and Reset (RST). Exchanges that need reliability use Confirmable messages, which are retransmitted until the peer answers with an Acknowledgement; exchanges that do not need reliability use Non-confirmable messages; a Reset tells the sender that a message was received but could not be processed.
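Since the thesis's firewall inspects the protocols of this stack statefully, the CoAP fixed header is worth seeing parsed with the checks RFC 7252 requires of a receiver (unknown version ignored, token length 9 to 15 treated as a format error, token not truncated), together with the kind of state a border-router filter can keep so that an inbound ACK or RST only passes if it answers a Confirmable message that was actually sent out. This is an added Python illustration, not the thesis's firewall code or any CoAP library; the sample messages are constructed, and the exchange tracker's matching on (peer, Message ID) is an assumption about how such a filter would be keyed.

```python
"""Added illustration of CoAP (RFC 7252) header parsing and stateful exchange matching."""
import struct
from dataclasses import dataclass

COAP_VERSION = 1
TYPE_NAMES = {0: "CON", 1: "NON", 2: "ACK", 3: "RST"}


@dataclass
class CoapHeader:
    mtype: str          # CON, NON, ACK or RST
    token: bytes
    code_class: int     # 0 = request, 2 = success, 4 = client error, 5 = server error
    code_detail: int
    message_id: int

    @property
    def code(self) -> str:
        return f"{self.code_class}.{self.code_detail:02d}"


def parse_coap_header(msg: bytes) -> CoapHeader:
    """Parse the 4-byte fixed header and the token, applying the format
    checks RFC 7252 requires of a receiver."""
    if len(msg) < 4:
        raise ValueError("CoAP message shorter than the fixed header")
    first, code, message_id = struct.unpack("!BBH", msg[:4])
    if first >> 6 != COAP_VERSION:
        raise ValueError("unknown CoAP version: message must be silently ignored")
    token_length = first & 0x0F
    if token_length > 8:
        raise ValueError("TKL 9..15 is reserved: message format error")
    if len(msg) < 4 + token_length:
        raise ValueError("token truncated")
    return CoapHeader(
        mtype=TYPE_NAMES[(first >> 4) & 0x03],
        token=msg[4:4 + token_length],
        code_class=code >> 5,
        code_detail=code & 0x1F,
        message_id=message_id,
    )


class CoapExchangeTracker:
    """State a border-router filter can keep so that an inbound ACK or RST is
    admitted only if it answers a CON this side actually sent to that peer.
    (Constructed illustration; keyed on (peer, Message ID) by assumption.)"""

    def __init__(self):
        self.outstanding = set()  # (peer, message_id) of CONs awaiting a reply

    def outbound(self, peer: str, msg: bytes) -> CoapHeader:
        header = parse_coap_header(msg)
        if header.mtype == "CON":
            self.outstanding.add((peer, header.message_id))
        return header

    def inbound(self, peer: str, msg: bytes) -> bool:
        """Return True if the message may pass, False if it should be dropped."""
        header = parse_coap_header(msg)
        if header.mtype in ("ACK", "RST"):
            key = (peer, header.message_id)
            if key not in self.outstanding:
                return False   # unsolicited or replayed reply
            self.outstanding.discard(key)
        return True


# Constructed sample messages (not captured traffic):
# CON GET, TKL=2, Message ID 0x1234, token AB CD
SAMPLE_CON_GET = bytes([0x42, 0x01, 0x12, 0x34, 0xAB, 0xCD])
# ACK carrying 2.05 Content, same Message ID and token (piggybacked response)
SAMPLE_ACK_CONTENT = bytes([0x62, 0x45, 0x12, 0x34, 0xAB, 0xCD])
# CON with TKL=15: a format error a receiver must reject
SAMPLE_BAD_TKL = bytes([0x4F, 0x01, 0x00, 0x01])


if __name__ == "__main__":
    tracker = CoapExchangeTracker()
    print("stray ACK passes?", tracker.inbound("fd00::1", SAMPLE_ACK_CONTENT))
    tracker.outbound("fd00::1", SAMPLE_CON_GET)
    print("matching ACK passes?", tracker.inbound("fd00::1", SAMPLE_ACK_CONTENT))
```

The tracker deliberately consumes the pending entry on the first matching reply, so a replayed ACK with the same Message ID is dropped; a real filter would also age entries out after the CON's retransmission window expires.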

2.2 Security in Internet of Things

In conventional systems the security of a network is defined in terms of confidentiality, integrity and availability. Confidentiality reveals information only to authorized entities, integrity protects communicated data from modification, and availability ensures that authorized services are delivered to the devices that request them. With the proliferation of devices in the Internet of Things, many devices become interconnected and there is more traffic inside the 6LoWPAN networks. The challenge for an IoT network is to protect its messages from intruders. The IETF draft on security for the IP-based Internet of Things by Garcia-Morchon et al. [27] classifies a number of possible attacks in the IoT and stresses the importance of secure bootstrapping. To achieve end-to-end security, researchers have brought IP security (IPsec) to the network layer to prevent tampering with data packets [38].

Given the limitations of the devices, the architecture should include all of the above security properties to provide end-to-end security. The internal 6LoWPAN network must be protected from intruders who exploit fault-tolerance mechanisms, replay packets or mount DoS attacks. Cryptographic solutions such as PKI have been brought to the Internet of Things, but the internal network remains vulnerable to attacks by unauthorized adversaries. Intrusion detection systems and firewalls are designed to keep the internal network safe from intruders: in conventional systems the IDS monitors and logs anomalies so that the network administrator can act on intruders, while the firewall shields the internal 6LoWPAN network from external attackers.

2.3 Intrusion Detection Systems in constrained environments

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) (Figure 2.2) are techniques designed to protect the local network from attackers. An early work by Denning [17] developed an intrusion detection model that detects intrusions by monitoring system and user activity. Kendall's thesis [45] classified a number of attacks based on the DARPA IDS evaluation dataset. All of these solutions were viable in traditional systems, which have plenty of memory and processing power, but the systems under consideration here are wireless sensor networks, whose nodes have low processing power, little memory and little storage. IDS techniques for them must therefore be designed around the strengths of these constrained systems.

For any network the firewall is the first line of defence, as it blocks attacks arriving over external connections. The IDS is the second line of defence: it detects attacks that have passed the firewall or that originate from internal nodes compromised by external actors. Intrusion detection in a wireless sensor network has to detect abnormal activity in the 6LoWPAN network and restrain the offending device from causing further damage, by raising an alarm to the network administrator or to the controller that manages the data traffic. Insiders of a network are entities that hold access privileges to the resources inside the local network [8]. Insiders disrupt 6LoWPAN networks independently from within, by masquerading as authorized nodes, and can also collude with external entities to exploit the local network. In case of an attack all devices are equally constrained and none is better placed to defend against the compromised node(s). IDS tools must therefore be able to detect insiders conducting attacks in 6LoWPAN networks: the IDS should continuously monitor the authorized activities in the system, report unauthorized activities and block the entities concerned from participating in the network. An IDS built for 6LoWPAN networks should not penalize the devices' constrained resources, should not change the normal behaviour of the network in terms of routing protocol or user entities, should be able to defend itself against attackers so that it does not become a single choke point in case of failure, and should be fault tolerant so that the system keeps functioning even while some intrusions are under way.

Figure 2.2: System overview of Intrusion Detection System

2.3.1 Related Work

There is a large body of research on IDS in WSNs. In [49] the authors review the IDS landscape in low-power WSNs, design distributed architectures for detecting intruders and classify intrusion detection systems for WSNs. One of the earliest schemes, Watchdog and Pathrater [48], was designed for networks running the Dynamic Source Routing protocol. A Watchdog node keeps a copy of every packet it forwards in a buffer and listens to the channel to check that the next hop forwards the packet; if an overheard transmission matches a buffered packet, the packet is removed from the buffer and the next hop is taken to be behaving correctly, otherwise a failure count for that node is incremented and, once it exceeds a threshold, the node is reported as misbehaving. Pathrater combines the ratings of the nodes on each known path into a path metric and selects the best-rated path, so that traffic avoids misbehaving nodes. A Watchdog-like system is hard to include in a 6LoWPAN network because the promiscuous listening and per-packet buffering would cost the whole network energy and storage. In [37] the authors describe various potential attacks that could harm a WSN.

Anomaly-based intrusion detection was studied extensively by the authors of [7, 53], who introduced intrusion detection at every layer to identify the intruder. They proposed forwarding tables called anomaly detection tables (ADT), generated by the routing protocol, which together with a protocol named Information Authentication for Sensor Networks (IASN) can detect unauthorized neighbours in the local network [7]. The authors of [7] also use a sliding window in which the statistics of the last packets received from each neighbour are compared with precomputed values for the authorized neighbours; anomalies are detected by comparing the corresponding information from the received packets. Generic IDS architectures with local and global agents have also been proposed [61]: local agents supervise the activity of individual nodes and global agents monitor the activity of the neighbourhood. The authors of [39] designed an intrusion detection system in which many nodes collaborate to detect an intruder node, and developed formal methods that use the messages of authorized sensor nodes to prevent an attacker from harassing the network.

In [46] the authors designed an intrusion detection system to detect insider attacks with a voting scheme that identifies neighbours whose behaviour deviates from that of normal sensor nodes. The scheme has four phases: collecting local information, filtering the collected data, identifying abnormal nodes, and locating the nodes that a majority voted abnormal. Once all sensor nodes have gone through these four phases, an initial set of outstanding nodes is listed and the insiders are identified. A rule-based intrusion detection system was introduced earlier by the authors of [14], who designed rule categories that analyse sensor data and attempt to detect intruders.

Rule-based tools such as Snort [60] and Bro (Paxson, 1999) exist for conventional high-powered systems, and lightweight derivatives of them could be built for the Internet of Things. In a rule-based IDS the rules are defined according to the local network and act as an access control on the examined packet headers [47]. Detailed surveys of IDS mechanisms in WSNs are given in [41, 64].

2.3.2 Types of Intrusion Detection System.

There are three kinds of Intrusion detection techniques namely,

• Misuse detection systems

In misuse detection systems, the anomaly rules of the network are written followed by the normal rules of the network.The network administrator must have a prior knowledge of attacks and design rules accordingly for the local network. In conventional systems, this practice is possible considering the unlimited use of power and memory. Despite having high processing capabilities attacks have been on the rise. One example for misuse detection systems is DPI engines. The DPI engines have attack patterns written inside them to recognize abnormal activities inside the local network. DPI engines utilize these attack patterns to recognize an internal attack in the system. In 6LoWPAN networks its difficult to implement misuse detection systems because attacks are not intended on the higher layers of the protocol stack, as conducted in the conventional systems. They are targeted on lower layers of the protocol stack making it difficult to determine anomaly patterns costing the resources of the 6LoWPAN networks. Misuse detection systems are less effective in 6LoWPAN networks because of less storage capacity to store attack patters originating inside/outside the 6LoWPAN networks [5, 49].

• Anomaly detection systems

Anomaly detection systems constitutes on consensus for normal behavior and then reporting unwar- ranted behaviors to the specified authority. Anomaly systems are constructed to detect abnormal activities by defining the normal activities. Anomalous behaviors are collected by the central au- thority and is provided an empirical functions to adjudge the suspected behavior as an intrusion.

In 6LoWPAN networks, anomaly based intrusion detection could prove effective as it consumes less of the system's available resources. Anomaly detection systems could also help to discover new attacks in the 6LoWPAN network. The only disadvantage is that in anomaly based systems it is difficult to distinguish between errors and intrusions. However, the false alarm rate could be reduced by correlating evidence, which could help protect 6LoWPAN networks from intrusions [5, 49].

• Specification detection systems

Specification based systems are the type of intrusion detection system that is similar to misuse detection systems, except that the rules must contain detailed specifications of the network. So whenever these systems detect abnormalities, the false alarm rate is reduced compared to anomaly based IDS. We can implement specification detection systems in 6LoWPAN networks by defining rules of explicit functionality and limiting constraints. A deviation from these rules would expose the new behavior an adversary introduces when conducting an attack in the local system [5, 49].

In this chapter we discussed the technology applied in the Internet of Things and the specific background required for intrusion detection in the Internet of Things. This background helped us design an anomaly detection system based on the ETX parameter of the RPL protocol, which is explained in the next chapter. A detailed background of the specific attacks on WSNs, the Internet of Things and the RPL protocol is given in Chapter 4.

Chapter 3

RPL Protocol

In this chapter we discuss the RPL protocol in detail, the IETF standardized routing protocol for 6LoWPAN networks. Later in the thesis we discuss an IDS utilizing the ETX parameter of the RPL protocol.

3.1 RPL Protocol summary

Figure 3.1: RPL Protocol

Figure 3.1 gives a brief overview of the RPL protocol with its metrics.

RPL is an acronym for the "Routing Protocol for Low-Power and Lossy Networks". RPL (Figure 3.1) is a distance vector protocol designed for resource constrained devices to route packets within 6LoWPAN networks. A network consisting of low power devices together with its physical layer is termed a Low power Lossy Network (LLN). An LLN exhibits lossy characteristics because its low power nodes have very low data rates and unreliable data delivery. All nodes exhibiting LLN characteristics are expected to work in real time without human intervention, with self configuring and self healing capabilities.

The DAG topology is the optimal design chosen for the LLN because it limits loops inside the internal network and thereby avoids data manipulation. In an RPL based LLN, traffic from all the edges converges towards a single destination called the DODAG root or LBR. The DODAG consists of a border router (6LBR), routers, and low power nodes or leaf nodes. As mentioned before, RPL utilizes the newly defined ICMPv6 control messages, the DODAG Information Object (DIO), the Destination Advertisement Object (DAO) and the DODAG Information Solicitation (DIS), to build the DODAG tree. The DODAG is built as the nodes advertise their DAG information through these RPL ICMPv6 control messages. Every node in the DODAG is identified by its topological information: RPLInstanceID, DODAGID and DODAGVersionNumber. These identifiers are periodically advertised by the DODAG nodes to build the DODAG tree.

The Objective Function (OF) defines the routing path of the datagrams in the RPL protocol. The OF could be determined by one or many RPL metrics defined in the DAG metric container [66]. The DAG metric container is advertised by all the nodes along with the DIO advertisements. Based on these advertisements, the routing path is built from the leaf nodes to the Border Router to form a DODAG tree like structure. The Trickle timer governs the timing of the ICMPv6 messages exchanged in node-to-node communication [67].

RPL lists some unique parameters to identify a node in a 6LoWPAN network. They are:

• DODAGID: the single identifier of any DODAG root.

• RPLInstanceID: when several DODAGs share the same RPLInstanceID they belong to the same RPLInstance. The RPLInstanceID together with the DODAGID uniquely identifies the DODAG. All DODAGs which share the same RPLInstanceID share the same objective function, and as explained before the objective function defines the structure of the DODAG.

• DODAGVersionNumber: represents the current state of the DODAG. Whenever a DODAG is reconstructed, the DODAG version number is incremented. RPLInstanceID, DODAGID and DODAGVersionNumber together uniquely identify the DODAG Version [67].

• Rank: a 16 bit integer which is present in the DAG metric container. Rank determines the relative position of the node with respect to the Border Router. The rank value increases monotonically from top to bottom: nodes closer to the Border Router have a lower rank value and nodes farther away have a higher rank value. Every node should advertise a rank of at least MinHopRankIncrease, and no node should advertise a value greater than the sum of the lowest rank in the LLN and DAGMaxRankIncrease. MinHopRankIncrease is the minimum increment of the rank value per hop between any node and any of its DODAG parents. DAGMaxRankIncrease is the configured upper limit for all nodes; it is provisioned by the Border Router and exists to avoid loop formation between nodes.

3.2 RPL control messages

RPL control messages are the messages required by the protocol to construct the DODAG. These newly defined ICMPv6 messages are responsible for building the DODAG tree in RPL enabled networks.

3.2.1 DODAG Information Object (DIO) messages

DIOs are used to construct and maintain the DODAG and its upward routes, i.e. a DIO carries the routing information each node needs to learn its state in the RPL domain, such as its RPL Instance, the node's parent set and its configuration parameters. When a route is forwarded from a leaf node to the root node, that routing is termed upward routing. DIOs are complemented by DIS messages, which nodes use to solicit DIOs. DIOs are also sent frequently when an inconsistency is detected in the RPL network, such as a loop being detected or a new node joining the RPL network. Once the LLN has stabilized, the frequency of DIOs is reduced to limit the control traffic in the RPL domain [67].

3.2.2 Destination Advertisement Object (DAO)

The Destination Advertisement Object (DAO) messages are ICMP control messages unicast from a node to its parents (Storing mode) or from a node to the root (Non-Storing mode). DAO messages may be acknowledged with DAO-ACK messages sent to the originator of the DAO. They carry vital information about destination prefixes to support downward routing. In Storing mode, routing tables with aggregated prefix information are stored in the intermediate nodes on the way to the border router or root node. In Non-Storing mode, the intermediate nodes do not store any routing information but deliver it all to the root node, and all downward packets are sent as source routes within the RPL domain managed by the root node [13].

3.2.3 DIS (DODAG Information Solicitation)

DIS is similar to the Router Solicitation message. Any node may probe the neighborhood using the DIS message to inquire about the DODAG information of the participating nodes in the 6LoWPAN network [67].

3.3 RPL Routing metrics

This section lists the routing metrics which determine the routing path dictated by the OF in any DODAG advertised by the Border Router [67]. RPL being a distance vector protocol, the routing protocol chooses paths with low cost for better efficiency [66]. Routing metrics are either aggregated or recorded. An aggregated metric is modified along the path that it traverses with the DIO.

Routing metrics are encoded in a DAG metric container, which is in turn carried by the DIO messages.

On receiving DIO messages from a set of candidate parents, the child node decides its own parent set according to the OF. An RPL network is lossy, hence a group of metrics may be needed to evaluate the condition of every node. Depending on the deployment environment, even a single metric could be chosen to determine the state of RPL nodes.

RPL utilizes various IETF standardized routing metrics for building the DAG [66]. For our IDS we utilize the ETX metric to detect the malicious node.

Expected Transmission

Several research papers have studied reliability metrics for lossy networks [15]. The most favored reliability metric is the expected transmission count (ETX). The ETX value is derived from the probability of successfully receiving acknowledgments for the packets sent by a DAG node [15]. In simple terms, ETX is the expected number of transmissions needed for a packet to reach the DODAG root. ETX is measured by periodically sending probe packets between participating neighbors; hence ETX is considered to indicate the communication quality between neighbors. ETX is a scalar value, expressed as a multiple of 128 and encoded as 16 bits in the DAG metric container. The ETX determines the throughput of the routing path; hence when RPL uses the ETX metric as its OCP, the OF builds routes through nodes with minimum ETX values [28]. Thus ETX is referred to as the link quality of a node with its neighbors. The Collection Tree Protocol (CTP), a widely used protocol in TinyOS [44], is an example that utilizes ETX for network formation. In CTP, ETX is broadcast towards the nearest Border Router.

The ETX path metric is the cumulative sum of a node's own link ETX and the path ETX advertised by its neighbor, and it indicates the distance of the node from the root. The ETX path metric is recalculated whenever the ETX link values on the node's own link or at the neighbor are updated. All nodes in the LLN compute the ETX path metric for each candidate neighbor reachable on all of their interfaces. The ETX path metric of a given node, i.e. the ETX cost from that node to the Border Router, is broadcast in the metric container of its DIO messages. If a node cannot compute the ETX value of a neighboring node, that neighbor should not be included in the candidate neighbor and parent sets. The rule of thumb when selecting a parent is that the ETX path values of the parent subset should be relatively lower than those of the rest of the neighbors [28].

The above section pertains to objective functions which utilize ETX as their constraint to build the DODAG tree. The formula used to calculate ETX is ETX = 1 / (Df × Dr), where Df is the measured probability that a sent packet is received and Dr is the measured probability that the acknowledgment for a sent packet is received.
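The ETX computation, its fixed-point encoding and the path ETX accumulation described in this section, as an added example that is not code from the thesis, from Contiki or from the RPL specification. The helper names link_etx, encode_etx, path_etx and choose_parent, the probe ratios of the three constructed candidates, and the root advertising a path ETX of 0 are assumptions made here.

```python
"""Link ETX, its 16-bit encoding and path ETX accumulation in an RPL node.

Added example, not code from the thesis or from Contiki/RPL. The helper
names (link_etx, encode_etx, path_etx, choose_parent) and the probe
statistics below are constructed assumptions for this illustration.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# ETX is carried in the DAG metric container as a 16-bit value scaled by 128.
ETX_SCALE = 128
ETX_MAX_ENCODED = 0xFFFF


def link_etx(df: float, dr: float) -> Optional[float]:
    """ETX = 1 / (Df * Dr).

    Df: measured probability that a sent packet is received by the neighbour.
    Dr: measured probability that the neighbour's acknowledgment is received.
    Returns None when the link cannot be measured (no successful probes yet),
    so that the caller excludes the neighbour from the candidate set.
    """
    if not (0.0 < df <= 1.0 and 0.0 < dr <= 1.0):
        return None
    return 1.0 / (df * dr)


def encode_etx(etx: float) -> int:
    """Fixed-point encoding used in the metric container (ETX * 128, capped)."""
    return min(int(round(etx * ETX_SCALE)), ETX_MAX_ENCODED)


def decode_etx(value: int) -> float:
    return value / ETX_SCALE


@dataclass(frozen=True)
class Candidate:
    """A neighbour heard in a DIO, plus our own probe statistics for its link."""
    node_id: str
    advertised_path_etx: int  # encoded path ETX carried in the neighbour's DIO
    df: float                 # forward delivery ratio measured by our probes
    dr: float                 # reverse (acknowledgment) delivery ratio


def path_etx(cand: Candidate) -> Optional[int]:
    """Own link ETX plus the neighbour's advertised path ETX (both encoded)."""
    etx = link_etx(cand.df, cand.dr)
    if etx is None:
        return None
    return min(encode_etx(etx) + cand.advertised_path_etx, ETX_MAX_ENCODED)


def choose_parent(cands: Iterable[Candidate]) -> Optional[Tuple[str, int]]:
    """Pick the candidate with the minimum path ETX, which is what an
    ETX-based objective function then advertises as this node's own path ETX.
    Candidates whose link ETX cannot be computed are skipped."""
    best = None
    for cand in cands:
        cost = path_etx(cand)
        if cost is None:
            continue
        if best is None or cost < best[1]:
            best = (cand.node_id, cost)
    return best


# Constructed sample: the root is reachable over a lossy link, n1 over a
# perfect link but n1 itself is one perfect hop from the root, and n2's
# link has never delivered a probe.
SAMPLE_CANDIDATES = [
    Candidate("root", advertised_path_etx=0, df=0.8, dr=0.8),
    Candidate("n1", advertised_path_etx=128, df=1.0, dr=1.0),
    Candidate("n2", advertised_path_etx=128, df=0.0, dr=1.0),
]

if __name__ == "__main__":
    parent, cost = choose_parent(SAMPLE_CANDIDATES)
    print(f"preferred parent {parent}, path ETX {decode_etx(cost):.4f}")
```

Running the block selects root as the preferred parent with an encoded path ETX of 200 (1.5625 transmissions) even though n1's link is perfect, because n1's advertised path ETX already carries one full hop; n2 is skipped because its link has no successful probes, which is the rule above that a neighbour whose ETX cannot be computed stays out of the candidate set.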

3.4 RPL DODAG building process

When all the nodes are booted up, the system administrator configures the border router with the configuration necessary for the deployment. This means that the objective function is also configured for the LLN. All ICMP messages are managed by the Trickle timer to avoid ambiguity in the network.

The participating nodes advertise their presence, their positions and the related routing metrics through DIO messages to all neighboring RPL nodes.

Initially, after neighbor discovery, DIO messages are sent upon the expiration of the Trickle timer [43]. A node could also send DIS messages to receive DIO messages from its neighbors, if it is configured to send DIS messages. All DIO messages are advertised via link local multicast. The rank of the root node is always configured to the root rank value. Then every node starts advertising its DIO messages. Upon every received DIO message, each node first verifies the authenticity of the DIO and whether it adheres to local policies, routing metrics, etc.

Primarily, each node which receives DIO messages checks them for two purposes. Firstly, they must adhere to the DODAG policy, i.e. the rank of the sending node should be lower than that of the receiving node, and the DIO should carry a rank greater than MinHopRankIncrease (Section 3.1) and not greater than DAGMaxRankIncrease. Secondly, the Mode of Operation (MOP) flag in the DIO records the type of route the node is going to follow in the DODAG (upward or downward). If downward routes are preferred, the child nodes trigger DAO messages advertising their reachability in the DODAG towards their parents, along with the DAO lifetime and other parameters. DIO messages could also be configured according to the OF, and nodes can discard DIO messages based on those OF constraints [67].
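The rank checks just listed, written out as an added example that is not code from the thesis, from Contiki or from the RPL specification. The function evaluate_dio, the DioVerdict result type and the sample ranks are assumptions; MinHopRankIncrease of 128 and DAGMaxRankIncrease of 896 are values chosen for the example, not taken from the page.

```python
"""Rank-rule checks an RPL node applies to an incoming DIO before it
considers the sender as a parent.

Added example, not code from the thesis or from Contiki/RPL. The function
name evaluate_dio, the DioVerdict structure, the default parameter values
and the sample ranks are constructed assumptions; the rule itself is the
one in the text: sender rank lower than own rank, rank at least
MinHopRankIncrease, and no rank beyond the lowest rank advertised plus
DAGMaxRankIncrease.
"""
from dataclasses import dataclass
from typing import Optional

INFINITE_RANK = 0xFFFF  # value used by RPL to poison (withdraw) a rank


@dataclass(frozen=True)
class DioVerdict:
    accept: bool
    new_rank: Optional[int]  # rank this node would take through the sender
    reason: str


def dag_rank(rank: int, min_hop_rank_increase: int) -> int:
    """Integer part of the rank, which is what the parent/child ordering compares."""
    return rank // min_hop_rank_increase


def evaluate_dio(own_rank: int,
                 lowest_rank_advertised: int,
                 dio_rank: int,
                 min_hop_rank_increase: int = 128,
                 dag_max_rank_increase: int = 896) -> DioVerdict:
    """Decide whether the DIO sender is an acceptable parent candidate.

    own_rank: this node's current rank (INFINITE_RANK before joining).
    lowest_rank_advertised: the lowest rank this node has advertised in the
        current DODAG version (INFINITE_RANK if none yet).
    dio_rank: the rank carried in the received DIO.
    """
    if dio_rank == INFINITE_RANK:
        return DioVerdict(False, None, "sender has poisoned its rank")
    if dio_rank < min_hop_rank_increase:
        return DioVerdict(False, None, "rank below MinHopRankIncrease")
    if own_rank != INFINITE_RANK and \
            dag_rank(dio_rank, min_hop_rank_increase) >= dag_rank(own_rank, min_hop_rank_increase):
        return DioVerdict(False, None, "sender rank not lower than own rank")

    # The rank we would advertise through this parent: at least one hop more.
    new_rank = dio_rank + min_hop_rank_increase
    if lowest_rank_advertised != INFINITE_RANK and \
            new_rank > lowest_rank_advertised + dag_max_rank_increase:
        # Moving this far down the DODAG is not allowed within one version;
        # the node has to poison itself or wait for a repair instead.
        return DioVerdict(False, None, "new rank would exceed DAGMaxRankIncrease")
    return DioVerdict(True, new_rank, "ok")


if __name__ == "__main__":
    # Constructed sample: a fresh node hears the root advertising rank 128.
    print(evaluate_dio(INFINITE_RANK, INFINITE_RANK, 128))
    # A node at rank 256 hears a neighbour at the same rank: not a parent.
    print(evaluate_dio(256, 256, 256))
```

The DAGMaxRankIncrease branch is the case worth noticing: a node that lost its parent (own rank infinite) but previously advertised 256 may not re-attach at rank 1280 through a DIO advertising 1152, since that would let it drift far below its earlier position within the same version.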

3.5 RPL repair mechanisms

Repair mechanisms are the foremost service mechanism of any routing protocol. Repair mechanisms are used to reconstruct the entire DODAG. Whenever link or node failures are recorded in a 6LoWPAN network, the local 6LoWPAN network must accommodate the topological changes. The RPL protocol provides two repair mechanisms to rebuild the DODAG whenever it encounters such topological changes. Repair mechanisms in a DODAG should be carefully implemented considering the lossiness and the cost of the participating nodes in the 6LoWPAN network.

Local repair

Local repairs are triggered in a DODAG whenever nodes, parents or preferred routing paths are reported unavailable. A local repair reconstructs the current DODAG at minimal cost to re-adapt to the configured DODAG.

Global repair

Global repair is a repair mechanism that rebuilds the entire DODAG. Global repairs are always triggered at the root, at the cost of additional control traffic in the network. All nodes have to be reconfigured and have to execute the DODAG building process once again, adding to the initial cost. Hence an intrusion detection mechanism should monitor such costly events to detect abnormalities in the 6LoWPAN network.

In this chapter we explained the RPL protocol and its characteristics. The next chapter, Chapter 4, consists of a detailed discussion of the possible threats that could disrupt RPL based 6LoWPAN networks. These threats aim to reconstruct the DODAG by exploiting the routing mechanism of the RPL protocol.

Chapter 4

Routing attacks in constrained environment

In this chapter we discuss the potential attacks that could be conducted against the RPL protocol.

Further down we also discuss attacks that were initially experimented with in wireless sensor networks, but which could also be turned against the RPL protocol.

4.1 Rank attacks

As mentioned in the RPL Protocol summary section, the rank value is considered the foremost routing metric defining the routing tree in the RPL protocol. Nodes closer to the root have a lower rank value than nodes farther from the root. The rank value increases in steps of MinHopRankIncrease¹. Hence the rank value indicates the relative position of a node with respect to the border router. Rank is considered the most significant routing metric in the RPL protocol because the objective function utilizes rank values to build the DODAG tree and hence provision routing in the LLN. The rank rule was also designed to avoid loops in the LLN. The major disadvantage is that there is no central authority to validate the rank values of the nodes participating in the LLN.

Rank attacks could significantly threaten the information flow in the LLN: if nodes advertise false values instead of their exact rank values, the whole DODAG tree could be affected. The objective function computes the rank values and determines parent selection and DODAG tree formation. Falsified rank values lead to unauthorized DODAG connections, giving the adversary room to conduct attacks on the LLN. Crypto solutions have been introduced in the RPL domain to authenticate the rank values and version numbers of all nodes participating in the RPL connected LLN [23]. Although crypto solutions prove strong enough to defend a network, they cannot defend against insider attacks [42, 41]. Insider attacks are attacks conducted by participants present inside the local 6LoWPAN LLN. Unauthorized insiders who claim authorized identities in the LLN have the same access privileges to all informational resources as the authorized nodes in the LLN [8]. This motivates having a central authority inside the 6LoWPAN network which can monitor the characteristics of the network, collect information on all nodes that generate traffic inside the LLN, and detect anomalies [64]. The monitoring entity should detect anomalies and prevent insider attacks. Administrative entities such as the 6Mapper [64], which maps the entire LLN by recording LLN metrics to determine anomalies, could reduce the frequency of attacks in the LLN.

In an RPL connected LLN, the attacker could conduct rank attacks by the following methods:

• In RPL, DAO messages carry information about the parent set of every node. The attacker could disrupt the DODAG by making a node escape the rank rule so that it chooses the worst node as its parent instead of the best node (the node with the least rank). The attacker could also stop the node from updating its DAO messages. This would trigger inconsistency in the RPL network, and the border router would trigger more DIO messages. The spurious increase in control traffic could cause packet collisions, further deteriorating the RPL network [41].

¹ Minimum increase in the rank value per hop.

• In an RPL based LLN, the border router sets the RPL packet information for all traffic entering the RPL domain. Every node in the RPL network is expected to check the parent-child relationship and the rank rule before establishing a connection and building the DODAG tree. A malicious node could fail to update, or could manipulate, the rank error bit in compromised nodes while choosing the worst parent, or could make a valid node mute its rank update function. The RPL protocol has no cryptographic safeguard to verify this action. This could result in an unoptimized DODAG tree with false nodes and loops disrupting the network.

4.2 Root Spoofing attack

In an RPL based LLN, the Border Router plays the role of an administrator. Whenever traffic enters the RPL based LLN, the Border Router manages the network flow by dictating the control plane for all the traffic owned by the LLN. The Border Router is responsible for affixing the RPL packet information to every packet that enters the RPL based LLN. Whenever inconsistencies are detected, the Border Router triggers DIO messages to stabilize the LLN. The Border Router is also responsible for maintaining the state of the LLN. It increments the version number of the DODAG to indicate that it will start building a new DODAG tree. This information is received by all the nodes, and thereafter a potential parent subset is decided for each node. DODAG realignment also happens whenever there is a request for local repair or global repair in the LLN [67].

In any network, the effectiveness of communication partly depends on the trust between the participating entities. If an attacker masquerades as the Border Router it can cause severe problems, as a compromised Border Router could bring down the entire LLN.

A compromised Border Router becomes a single point of failure for the entire network. Unlike traditional systems, an RPL based LLN cannot afford the processing power or memory for a certificate authority providing and validating certificates with high end cryptographic protocols [67]. To establish trust among the participating nodes, lightweight cryptographic protocols could be established at the root. The authors of [23] discuss that building hash chains at the Border Router and passing the signatures down the tree would help establish trust as well as version number and rank authentication between the Border Router and the participating nodes. As previously mentioned, if compromised nodes serve as insiders [8], they impersonate trusted entities, thereby significantly increasing the strength of potential attacks inside the LLN. Considering the stringent constraints of the other nodes, the Border Router should have substantial capabilities to serve as a central authority administering the constrained devices.

4.3 Repair attack

RPL provides two repair mechanisms to optimize the LLN when its topology changes: global repair and local repair. Global repair re-instantiates the entire LLN, whereas local repair finds optimal changes in the DODAG and directs the nodes to adapt to them [67].

The topology of an LLN is determined by the link/node metrics of the participating nodes. In an RPL based LLN the topology changes whenever a new node joins the LLN, whenever a node poisons itself by advertising Infinite Rank (a serious threat to the LLN), and whenever the DODAG ID changes in the LLN.

Local repairs are triggered by a node in case of the following inconsistencies:

• Local repair in an RPL based LLN takes place whenever a link or a node fails inside the LLN.

• Whenever the parent in the present LLN has joined another DODAG with a different DODAGID; in this case the nodes should find an optimal alternate path for effective communication and maintain the state of the LLN.

• The nodes can poison themselves while trying to optimize each other, by changing their rank to infinite and advertising this rank to all of their neighbors.

When any of the above events takes place in an LLN, the DIO messages propagate the necessary indicators, controlled by the local policy at the Border Router, to optimize the DODAG. The attacker could take advantage of all three scenarios and attempt to disrupt the network. This could be avoided by recording statistics on the state of the DODAG, such as the number of local repairs occurring within a periodic interval, which could alert the Border Router about the node so that it prunes links to that node internally or externally. Nevertheless, the local repairs would still cost the node extra energy and power. Hence we need strict attack prevention systems to communicate securely in an RPL based LLN.

4.4 Resource Exhaustion attack

A resource exhaustion attack is a type of denial of service attack in which the attacker tries to deplete the energy of the nodes and shut down the entire system. RPL based LLNs are constrained environments where energy, power and memory are very limited. This resource scarcity invites attackers to mount denial of service attacks on RPL nodes. The RPL mechanism has no safeguard to verify the rapid energy consumption of a node; hence energy consumption should be recorded and grouped with other metrics to detect anomalies present in the LLN.

An unauthorized user can manipulate the Trickle timer and flood the entire system with DIO messages. This would cause a ripple effect across the entire DODAG tree, as all nodes depend on each other for controlling the data flow inside the LLN. The attacker could also deprive the nodes of sleep by engaging them constantly in network communication. Resource exhaustion attacks could be prevented by enabling nodes to detect inconsistencies by themselves at low energy cost and by strengthening the fault tolerance of the LLN.
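The counting this chapter calls for, as an added example that is not code from the thesis or from Contiki: a sliding-window monitor over control messages that raises an alert when one node sends more than a threshold of messages per window (the DIO flood above) or when the DODAG version number is incremented more than a threshold of times per window (the global repairs of Section 4.3). The ControlEvent and ControlTrafficMonitor names, the thresholds and the constructed trace are assumptions; the version number is treated as a plain increasing counter here, whereas RPL uses a lollipop counter.

```python
"""Rate monitoring of RPL control traffic at the Border Router.

Added example, not code from the thesis or from Contiki/RPL. The
ControlEvent structure, the ControlTrafficMonitor class, the thresholds and
the event trace are constructed assumptions. Versions are treated as a
simple increasing counter; RPL actually uses a lollipop counter.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ControlEvent:
    t: float       # seconds since monitoring started
    node: str      # sender of the control message
    kind: str      # "DIO", "DIS" or "DAO"
    version: int   # DODAGVersionNumber carried in a DIO (0 for other kinds)


class ControlTrafficMonitor:
    """Sliding-window counters over control messages heard by the Border
    Router (or any listening node)."""

    def __init__(self, window: float = 60.0, max_msgs: int = 10, max_version_steps: int = 2):
        self.window = window
        self.max_msgs = max_msgs                    # control messages per node per window
        self.max_version_steps = max_version_steps  # global repairs per window
        self._per_node: Dict[str, Deque[float]] = defaultdict(deque)
        self._version_steps: Deque[float] = deque()
        self._highest_version: Optional[int] = None

    @staticmethod
    def _trim(q: Deque[float], now: float, window: float) -> None:
        """Drop timestamps that fell out of the window."""
        while q and q[0] < now - window:
            q.popleft()

    def observe(self, ev: ControlEvent) -> List[Tuple[str, str]]:
        """Feed one event; return the alerts it raises (possibly none)."""
        alerts: List[Tuple[str, str]] = []

        q = self._per_node[ev.node]
        q.append(ev.t)
        self._trim(q, ev.t, self.window)
        if len(q) > self.max_msgs:
            alerts.append((ev.node, f"{len(q)} control messages within {self.window:.0f}s"))

        if ev.kind == "DIO":
            if self._highest_version is None:
                self._highest_version = ev.version
            elif ev.version > self._highest_version:
                # A higher version means the root started a global repair.
                self._highest_version = ev.version
                self._version_steps.append(ev.t)
                self._trim(self._version_steps, ev.t, self.window)
                if len(self._version_steps) > self.max_version_steps:
                    alerts.append(("DODAG", f"{len(self._version_steps)} version increments within {self.window:.0f}s"))
        return alerts


def sample_trace() -> List[ControlEvent]:
    """Constructed trace: n1 follows a Trickle-like doubling schedule, 'mal'
    sends a DIO every second, and the root bumps the version four times."""
    events = [ControlEvent(t, "n1", "DIO", 1) for t in (0.0, 8.0, 24.0, 56.0)]
    events += [ControlEvent(30.0 + i, "mal", "DIO", 1) for i in range(12)]
    events += [ControlEvent(10.0 * v, "root", "DIO", v) for v in range(1, 5)]
    return sorted(events, key=lambda e: e.t)


def run_sample() -> List[Tuple[str, str]]:
    mon = ControlTrafficMonitor()
    alerts: List[Tuple[str, str]] = []
    for ev in sample_trace():
        alerts.extend(mon.observe(ev))
    return alerts


if __name__ == "__main__":
    for node, reason in run_sample():
        print(f"ALERT {node}: {reason}")
```

On the constructed trace the monitor raises two alerts for mal (its 11th and 12th DIO inside the window) and one DODAG alert at the fourth version, while n1's Trickle-paced DIOs stay silent; the thresholds are deliberately loose so that a legitimate inconsistency reset, which also raises the DIO rate briefly, does not trip them.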

4.5 Routing attacks in constrained environment

In the above sections we described some attacks specific to the RPL protocol. Apart from these, there are attacks which were specific to WSNs and the Internet of Things; they could also be carried out in a 6LoWPAN environment. Threats to wireless sensor networks exist given their scavenging capabilities, and they are subject to many attacks such as sinkhole attacks, wormhole attacks, Hello Flood attacks, etc. [37]. This thesis concentrates on sinkhole attacks.

Sinkhole Attack

Sinkhole attacks are primarily carried out by the attacker to attract traffic towards the attacker's device or a compromised node. The attacker's node can masquerade as an authorized node, lure all the traffic towards itself, and execute several other attacks like wormhole or selective forwarding attacks. Unlike traditional networks, in which traffic is distributed everywhere, wireless sensor networks forward all their traffic to a single root; hence it is easier for an attacker to recognize patterns and inject malicious behaviors. The attacker could record samples of the network traffic and spoof routing tables and the quality of end-to-end routing paths, injecting fake packets inside the LLN to gain the trust of authorized nodes. The attacker could then establish stronger links to the captured nodes to carry out his intention.

Since RPL is a distance vector protocol, whenever a node advertises a stronger link it is likely that the neighboring nodes will connect to the root through the malicious node that pretends to have the strongest link.
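One way a Border Router's mapper could act on the reports it collects, covering both the rank attacks of Section 4.1 and the sinkhole behaviour above, as an added example that is not the thesis's SVELTE/6Mapper extension or Contiki code. The Report structure, the check_reports and flagged_nodes helpers, the assumed MinHopRankIncrease of 128 and the four constructed reports are assumptions made here. It goes slightly beyond the text by also cross-checking the rank each neighbour heard in a node's DIO against the rank that node reported for itself.

```python
"""A 6Mapper-style consistency check over node reports collected at the
Border Router: a node that claims a parent but reports a rank or path ETX
lower than that parent's, or whose neighbours hear it advertise a different
rank than it reported, is flagged.

Added example, not the thesis's SVELTE/6Mapper extension or Contiki code.
The Report structure, the helper names, the assumed MinHopRankIncrease and
the sample reports are constructed assumptions for this illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

MIN_HOP_RANK_INCREASE = 128   # assumed rank step per hop for this example
MIN_LINK_ETX = 128            # ETX of one perfect transmission, encoded as ETX * 128


@dataclass
class Report:
    node: str
    parent: str                # "" for the DODAG root
    rank: int                  # rank the node claims for itself
    path_etx: int              # path ETX the node advertises (encoded)
    heard: Dict[str, int] = field(default_factory=dict)  # neighbour -> rank heard in its DIO


def check_reports(reports: List[Report]) -> List[Tuple[str, str]]:
    """Return (suspect node, reason) pairs for every inconsistency found."""
    by_id = {r.node: r for r in reports}
    alerts: List[Tuple[str, str]] = []

    # Parent/child ordering: rank and path ETX must grow away from the root.
    for r in reports:
        if r.parent == "":
            continue
        parent = by_id.get(r.parent)
        if parent is None:
            alerts.append((r.node, f"claims parent {r.parent}, which never reported"))
            continue
        if r.rank < parent.rank + MIN_HOP_RANK_INCREASE:
            alerts.append((r.node, f"rank {r.rank} below parent rank {parent.rank} plus MinHopRankIncrease"))
        if r.path_etx < parent.path_etx + MIN_LINK_ETX:
            alerts.append((r.node, f"path ETX {r.path_etx} below parent path ETX {parent.path_etx} plus one transmission"))

    # Cross-check: what neighbours heard a node advertise vs. what it reported.
    for r in reports:
        for neighbour, heard_rank in r.heard.items():
            claimed = by_id.get(neighbour)
            if claimed is not None and claimed.rank != heard_rank:
                alerts.append((neighbour, f"{r.node} heard rank {heard_rank} but {neighbour} reported {claimed.rank}"))
    return alerts


def flagged_nodes(reports: List[Report]) -> Set[str]:
    return {node for node, _ in check_reports(reports)}


def sample_reports() -> List[Report]:
    """Constructed sample: three honest nodes and one node, 'mal', that claims
    n1 as parent while advertising a rank and path ETX better than n1's."""
    return [
        Report("root", "", rank=128, path_etx=0),
        Report("n1", "root", rank=256, path_etx=200, heard={"root": 128, "mal": 192}),
        Report("n2", "n1", rank=384, path_etx=400, heard={"n1": 256}),
        Report("mal", "n1", rank=128, path_etx=100, heard={"n1": 256}),
    ]


if __name__ == "__main__":
    for node, reason in check_reports(sample_reports()):
        print(f"ALERT {node}: {reason}")
```

The ETX check is what the thesis adds to the mapper: a node cannot honestly be cheaper to reach from the root than the parent it routes through, so an advertised path ETX below the parent's plus one transmission is exactly the "strongest link" claim a sinkhole relies on, and it is caught without trusting the node's own rank.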

Wormhole attack

Wormhole attacks have severe implications for any ad hoc communication protocol. In a wormhole attack, the attacker tunnels messages from one part of the network and relays them to another part of the network between two colluding compromised nodes. A wormhole could also create trust between two distant nodes, claiming that they are close to each other by relaying fairly simple messages between them. Usually the attackers place their nodes in different parts of the network and compute the distance between their nodes by relaying packets over their own channel. An attacker attempts to create a wormhole by placing some of his nodes in a high bandwidth area and creating a tunnel to lure other nodes present in the network into passing data traffic through the malicious nodes. The adversary convinces nodes which are farther away from the Border Router that the wormhole tunnel is only a few hops from the Border Router, by advertising false link quality or false hop counts. Real nodes which are many hops away from the Border Router could be convinced to join the path presented by the wormhole if it has higher link quality than the rest of the alternative routes. When other nodes attempt to build a DODAG tree through these wormholes, there could be severe implications for the LLN, as the attacker could mishandle all the information that passes under his control. Researchers developed packet leashes [33], which gauge the distance between nodes and restrict packet flow beyond the allowed transmission distance. When combined with attacks like sinkhole, selective forwarding and Sybil attacks, wormhole attacks are considerably stronger at disrupting a local network.

Sybil Attack

Sybil attacks are performed by replicating multiple identities of a single node. The Sybil attack was first introduced by John R. Douceur [19] in the context of peer to peer networking. He noted that Sybil attacks pose a threat to the redundancy mechanisms of distributed storage systems. Karlof and Wagner then found that Sybil attacks have implications for the routing implementations of wireless sensor networks [37]; they also point out that Sybil attacks could adversely affect capabilities of wireless sensor networks such as routing, storage, etc. Sybil attacks also have implications for geographic routing protocols, because each node can have only a single pair of coordinates: by cloning identities one node obtains numerous pairs of coordinates, and applications implementing these protocols with cloned identities may be vulnerable to several other follow-on attacks from the Sybil compromised nodes.

These cloned malicious nodes would appear to be present in numerous places, which could affect the routing paths of the network traffic.

Hello Flood attack

Certain data communication protocols require the participating entities to introduce themselves to each other, establishing trust before they proceed with message transactions. So whenever a node receives an introduction message such as a 'Hello' message, it assumes the sender is at a viable distance, i.e. that the neighbor is within transmission range of the given node [37]. Karlof and Wagner point out that an adversary can convince all the neighboring nodes that it is a neighbor by transmitting high power messages, indicating that it is within the nodes' transmission range. This adversarial action could disrupt the entire network, because nodes far away from the adversary would send their packets to a random place in the network, as no routing path can be established between two distant nodes. Nodes within reach of the adversary would transmit their packets along the routes established by the adversary, which by itself is very harmful to the network. Even when a node realizes that it is transmitting packets to the adversary, it has to reconstruct the entire network, which costs a lot for the nodes and the network.

In an RPL based LLN, Hello Flood attacks could be conducted internally or through external requests from another LLN. Internally, in the RPL intra domain, trust is established by DIO messages. DIO messages broadcast a node's rank value to new nodes, and the values can be misrepresented to conduct an attack on the DODAG tree. RPL is designed with sufficient link encryption, link layer acknowledgments and secure DIO schemes, where DIO messages are cryptographically protected with sufficiently complicated keys [67], to protect the LLN from unauthorized attackers. The LLN could be protected from adversaries conducting Hello Flood attacks by verifying the identities which participate in the LLN and by the Border Router restricting the number of authorized neighbors for every node. This restriction could save the larger part of the LLN from adversaries with configured wormholes and high power transmitters and receivers.

Selective forwarding attacks

In a network consisting of both authorized and unauthorized nodes, selective forwarding attacks are conducted by the unauthorized nodes, which filter the data received from legitimate nodes and refuse to route all of the packets. This kind of attack impacts the routing behavior and performance of the network. In an RPL based 6LoWPAN autonomous network, selective forwarding attacks could be performed by establishing a routing path through the unauthorized nodes carrying legitimate information. This could be detected by collecting acknowledgments at the lower layers of the protocol stack. Secondly, the trust factor in an RPL network is not proportional to a confidence factor in the network; hence the unauthorized node can filter some packets and forward the rest to gain the trust of the other entities. These attacks could be avoided by implementing statistical functions over user data and network data such as ICMP echo requests.

The ideal defense against selective forwarding is to prevent the attacker from collecting information about the traffic in the network and its details. In a busy network, for example, the attacker can eavesdrop on packets or measure their frequency to figure out the routing paths. The attacker can also act passively, generating no ICMP traffic and instead relying on statistical knowledge of the local network. We can reduce the success of such attempts by encrypting packets end to end (for example with IPsec at the network layer) to prevent data theft. We can also implement intelligent data forwarding schemes at the routing level: multipath routing with disjoint paths and randomized routing paths may prove resistant to selective forwarding attacks. However, in a constrained environment, locating unauthorized nodes requires extra surveillance and intelligent data collection from the nodes participating in the network.

In this chapter we discussed various attacks that could be conducted against an RPL environment to disrupt 6LoWPAN networks. In the next chapter, Chapter 5, we discuss in detail the intrusion detection techniques used to identify these attacks and the intruders present in RPL-based 6LoWPAN networks.


Chapter 5

Intrusion Detection in RPL connected LLN

5.1 Introduction

In this chapter we discuss intrusion detection techniques for RPL-based LLNs that use RPL metrics to detect anomalies in the RPL system. This thesis concentrates on the routing protocol, as it is the target area for adversaries conducting attacks on 6LoWPAN networks. The contribution of this thesis is to analyze the RPL protocol and define intrusion detection techniques that defend the 6LoWPAN network from unauthorized parties attacking the system. In Chapter 3 we discussed that RPL does not only need cryptographic solutions to defend the local network from malicious intruders; we also need a central authority that maps the network and logs the metrics in order to detect intrusions inside the LLN and prune routes from/to the attacker. Figure 5.1 gives an overview of the IDS needed for 6LoWPAN networks to protect their devices from external and internal attackers.

[Figure 5.1 (diagram): a 6LoWPAN Border Router with a TCP/IP stack hosting a centralized IDS network mapper (6Mapper with mapping queues), a lightweight packet-filtering firewall (central firewall) and defenses against spoofing, rank and ETX attacks and against external attackers. The protected 6LoWPAN environment (IP-enabled Internet of Things) sits behind the Border Router, with an attacker trying to disrupt the network and external attackers on the Internet cloud side. The network stack shown is IEEE 802.15.4 PHY, IEEE 802.15.4 MAC, 6LoWPAN, IPv6/IPsec with RPL and ICMP, TCP/TLS and UDP/DTLS, and CoAP/CoAPs, with the IDS and firewall module alongside the stack.]

Figure 5.1: IDS for the Internet of Things

The authors of [64] designed and implemented SVELTE, an IDS for RPL-based 6LoWPAN networks. The design consists of three components: the 6Mapper, the IDS mechanisms and a mini firewall. As an extension to the available IDS mechanisms, we propose one more IDS module that uses the Expected Transmission count (ETX) as the intrusion parameter. We also introduce another IDS mechanism based on geographic hints, in an attempt to locate the unauthorized node that causes instability inside the 6LoWPAN network.


5.2 Design of the IDS

An IDS is necessary to defend 6LoWPAN networks from the threats described in Chapter 4. The design of an IDS over the RPL protocol should, firstly, not alter the functioning of the 6LoWPAN network: the IDS should not burden the DAG or alter the routing paths of the 6LoWPAN network. The IDS should be fault tolerant enough not to prune routes between legitimate nodes and not to raise false alarms for them. All IDS modules are placed in the Border Router, which is the central authority of the 6LoWPAN network and is assumed to have more resources than the tiny nodes. The design should be lightweight so that it does not occupy too much of a node's resources, which are limited in terms of power, memory and processing capacity. The IDS is designed for RPL networks based on LLNs and adheres to the Internet of Things protocol stack.

5.2.1 IDS Components

In the following sections we describe SVELTE [64] and its IDS components.

5.2.2 6Mapper

The authors of [64] introduced SVELTE, an intrusion detection technique consisting of three main components: the 6LoWPAN Mapper (6Mapper), the IDS modules and the lightweight firewall. The 6Mapper is a central mapping structure that maps an individual 6LoWPAN network and logs RPL metrics to detect anomalies. The 6Mapper sends periodic requests for information to the 6Mapper clients in the DODAG.

The 6Mapper requests the RPL Instance ID, the DODAG ID and the DODAG Version Number of the participating nodes in the 6LoWPAN network. The size of a request packet from the 6Mapper is 5 bytes.

The active nodes send corresponding periodic responses containing their rank value, their ETX value, and the rank and ETX values of their neighbors. In the response packet we add parent information, namely the parent rank and parent ETX values. The total size of the response packet is 17 bytes, and each reported neighbor adds another 6 bytes. The request and response packet formats are shown in Figures 5.2 and 5.3. The 6Mapper also records a timestamp (Ts) to detect reception inconsistencies in the LLN.

Although we could reduce the data traffic and packet size by letting the nodes report to the mapper at periodic intervals without the mapper sending requests, the authenticity of the nodes could then not be established, as the mapper would receive arbitrary information from arbitrary nodes. Such nodes could also make the mapper believe that authorized nodes are unauthorized; hence it is necessary to establish the authenticity of the nodes in the 6LoWPAN network to the 6Mapper. Several approaches have been proposed and implemented to determine the authenticity of nodes [64]. The authors of [64] suggest that the 6Mapper could verify node authenticity by white-listing the participating nodes of the 6LoWPAN network and comparing the white-list with the information received by the 6Mapper; however, in a lossy network it is difficult to determine why a node is offline. As an addition to the mapper, we add 2 bytes of ETX data to the node's response (Figure 5.3).

[Figure 5.2 (byte layout, offsets 0 to 4): RPL Instance ID (byte 0), DAG ID (byte 1), Version (byte 2), Timestamp Ts (bytes 3-4)]

Figure 5.2: 6Mapper’s packet request format with header in bytes

5.2.3 IDS mechanism

The second component is the intrusion detection component, which executes several intrusion detection techniques in the 6Mapper. These techniques take their inputs from the 6Mapper clients and also periodically monitor their data to detect intrusions. The IDS modules are responsible for checking timing inconsistencies between the nodes and the 6Mapper, validating the authenticity of the nodes in the 6LoWPAN network, and validating child and parent relationships in the 6LoWPAN network using the RPL metrics (rank and ETX). The IDS is designed to protect the nodes from sinkhole attacks and selective forwarding attacks. In both attacks the attacker deceives the other nodes into passing their data through the unauthorized nodes. While performing a denial of service attack, the unauthorized nodes might
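To make the 6Mapper message format of Section 5.2.2 and the parent/child rank and ETX checks of Section 5.2.3 concrete, the following Python example is added here; it is neither SVELTE's code nor this thesis's implementation. The field order inside the 5-byte request and the 17-byte response (plus 6 bytes per neighbor) is an assumption chosen only to match the sizes given in the text, the rank rule uses RPL's default MinHopRankIncrease of 256, and the sample mapping round is constructed data with one node (id 9) advertising a sinkhole-style rank and ETX and a forged view of its parent.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed wire layouts (big-endian). Sizes match the thesis: request 5 bytes,
# response 17 bytes, plus 6 bytes per reported neighbour. Field order is ours.
REQ_FMT = ">BBBH"            # instance_id, dag_id, version, ts
RESP_FMT = ">BBBHHHHHHH"     # + node_id, rank, etx, parent_id, parent_rank, parent_etx
NBR_FMT = ">HHH"             # neighbour id, neighbour rank, neighbour etx
MIN_HOP_RANK_INCREASE = 256  # RPL DEFAULT_MIN_HOP_RANK_INCREASE (RFC 6550)


@dataclass
class Response:
    instance_id: int
    dag_id: int
    version: int
    ts: int
    node_id: int
    rank: int
    etx: int
    parent_id: int
    parent_rank: int
    parent_etx: int
    neighbours: List[Tuple[int, int, int]]


def encode_request(instance_id: int, dag_id: int, version: int, ts: int) -> bytes:
    """5-byte 6Mapper request sent by the Border Router."""
    return struct.pack(REQ_FMT, instance_id, dag_id, version, ts)


def encode_response(r: Response) -> bytes:
    """17-byte response header followed by one 6-byte record per neighbour."""
    head = struct.pack(RESP_FMT, r.instance_id, r.dag_id, r.version, r.ts, r.node_id,
                       r.rank, r.etx, r.parent_id, r.parent_rank, r.parent_etx)
    return head + b"".join(struct.pack(NBR_FMT, *n) for n in r.neighbours)


def decode_response(buf: bytes) -> Response:
    hdr = struct.calcsize(RESP_FMT)
    if len(buf) < hdr or (len(buf) - hdr) % struct.calcsize(NBR_FMT):
        raise ValueError("malformed 6Mapper response")
    fields = struct.unpack(RESP_FMT, buf[:hdr])
    nbrs = [struct.unpack(NBR_FMT, buf[i:i + 6]) for i in range(hdr, len(buf), 6)]
    return Response(*fields, neighbours=nbrs)


def check_node(r: Response, table: Dict[int, Response], req_ts: int) -> List[str]:
    """Consistency checks the IDS runs over one response, given the mapper's
    table holding the latest response from every node."""
    alarms = []
    # Timing check: a response must echo the timestamp of the current request.
    if r.ts != req_ts:
        alarms.append(f"node {r.node_id}: stale/replayed response (ts {r.ts} != {req_ts})")
    # A child's rank must exceed its parent's rank by at least MinHopRankIncrease.
    if r.rank < r.parent_rank + MIN_HOP_RANK_INCREASE:
        alarms.append(f"node {r.node_id}: rank {r.rank} too close to parent rank {r.parent_rank}")
    # Path ETX towards the root cannot shrink one hop further away from it.
    if r.etx < r.parent_etx:
        alarms.append(f"node {r.node_id}: ETX {r.etx} below parent ETX {r.parent_etx}")
    # What the child claims about its parent must match the parent's own report.
    p = table.get(r.parent_id)
    if p is not None and (p.rank != r.parent_rank or p.etx != r.parent_etx):
        alarms.append(f"node {r.node_id}: parent {r.parent_id} reported rank/ETX "
                      f"{p.rank}/{p.etx}, child claims {r.parent_rank}/{r.parent_etx}")
    return alarms


def run_mapper_round(responses: List[bytes], req_ts: int) -> List[str]:
    """Decode all responses of one round, then validate every node against the table."""
    decoded = [decode_response(b) for b in responses]
    table = {r.node_id: r for r in decoded}
    alarms: List[str] = []
    for r in decoded:
        alarms.extend(check_node(r, table, req_ts))
    return alarms


def sample_round() -> List[str]:
    """Constructed sample: two honest nodes (2 under the root 1, 3 under 2) and a
    rogue node 9 that claims a rank below its parent's, a lower path ETX than its
    parent, and misreports parent 2's rank."""
    ts = 0x1234
    honest = [
        Response(1, 7, 240, ts, 2, 512, 128, 1, 256, 0, [(3, 768, 300)]),
        Response(1, 7, 240, ts, 3, 768, 300, 2, 512, 128, [(2, 512, 128)]),
    ]
    rogue = Response(1, 7, 240, ts, 9, 300, 50, 2, 256, 128, [])
    return run_mapper_round([encode_response(r) for r in honest + [rogue]], ts)


if __name__ == "__main__":
    for alarm in sample_round():
        print(alarm)
```

The rogue node trips all three metric checks in one round, while the honest nodes raise nothing; a node that answers with an old timestamp is flagged by the timing check alone. Because the cross-check compares a child's claim against the parent's own response, an attacker cannot hide a forged rank simply by also lying about its parent.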
