Surviving Attacks on Disruption-Tolerant Networks without

Authentication

John Burgess, George Dean Bissias,  Mark Corner,  Brian Neil Levine 

University of Massachusetts, Amherst

Goal

• Understand DTN vulnerability• Attack analysis• Experimental evaluation

Disruption Tolerant Networks• Networking for intermittently connected

nodes• Rural Internet• Urban blind spots• Sparse sensor networks

• Connectivity on a spectrum

Unique Vulnerability

• Measured by packet delivery rate

• Nodes physically unsecured

• Traditional defenses are inappropriate:• graph theoretical results are limited • identity management not always

practical

Undisturbed Decimated

Attack strengthWeak Strong

Network impact

Attack Universe

Weak attacks:

•random node selection

•easy to evaluate

Strong attacks:

•optimal node selection

•strong attack NP-hard to evaluate

Outline

• Attack Strategies• Data• Experimental Results• Conclusion

Attacks: Weak

• Nodes chosen at random• Attack defined by enumerating

strategies• Remove Node• Drop all packets• Flood packets• Routing table falsification• ACK counterfeiting

Attacks: Strong

• Intractable to determine optimal attack set • Throughput is difficult metric to analyze• Even simple metrics lead to NP-hard

problem

• Instead, greedily remove vertices that most lower temporal connectivity

Data: DieselNet

• 40 buses • 802.11 protocol• 60 days of

traces• Transmission

events feed a simulator

• Various routing protocols tested

Data: Haggle

• 41 devices in human mobility experiment

• Bluetooth• 3 days of traces• Haggle connections more frequent

than DieselNet• Haggle traces broken down to better

match DieselNet

Experiments: weak attack

• Evaluated delivery rate via given routing protocol subject to given attack strategy

• Used DieselNet data only

Replicative Forwarding

Metric based

MaxProp MaxForw

Random RandProp RandForw

Routing Protocols Attack Strategies•Remove node

•Drop all

•Flooding

•Routing table Falsification

•ACK counterfeiting

Experiments: weak attack

MaxProp• Minimum

delivery rate above 20%

• ACK counterfeiting is most effective attack

Experiments: ACK Counterfeiting• Devise an ACK counterfeiting defense

• ACKs should propagate after packets• Drop ACK if you haven’t seen packet yet

• Defense improves minimum packet delivery rate

• Drop All attack just as effective as ACK counterfeiting

Experiments: strong attack• Seek to establish the validity of greedy

attack• Find best k vertices in terms of temporal

reachability via brute force evaluation for small k

• Compare brute force results to greedy approach

• Evaluate greedy attack for larger values of k

• Evaluate both DieselNet and Haggle

Haggle: Brute vs. Greedy

Experiments: strong attack

• For temporal reachability- best 5 nodes to remove almost always the same as 5 greedy choices

• Results for DieselNet similar

Experiments: strong attack

Haggle: greedy attack• Displays

roughly the same resilience to attack at DieselNet

• Packet delivery rate degrades more slowly as more nodes are

Conclusion

• DTNs have unique susceptibility to attack

• Susceptibility understood with attack analysis

• Experiments on real traces show attack

efficacy