## New lightweight DoS attack mitigation techniques for RPL based IoT networks

2019
Arış, Ahmet
##### Publisher
Fen Bilimleri Enstitüsü (Institute of Science and Technology)
##### Abstract
Information technology is converting every aspect of human life into a smart one day by day. Currently, the Internet of Things (IoT), together with Machine Learning, Big Data Analytics, Cloud and Edge Computing, is the most promising technology to realize such a change. IoT, with its billions of *things* acting as the primary data source, is and will continue to be playing a crucial role in transforming buildings, houses, factories, cities, suburban areas and many other places into Internet-connected smart environments. IoT can be defined as a network of *things* with sensing and/or actuating capabilities that can connect to the Internet and exchange information. The elements of the IoT include, but are not limited to, sensors, actuators, embedded and wearable devices. These devices form networks with different topologies (e.g., star, mesh) using various communication technologies (e.g., IEEE 802.15.4, Bluetooth, WiFi, LoRa, cellular). IoT is a candidate technology for realizing the future Internet of Services and the Industry 4.0 revolution. However, there are serious threats to IoT which aim to degrade the performance of the network, deplete the batteries of the devices and cause packet losses and delays. These attacks are called Denial of Service (DoS) attacks, and they are already notorious for their effects on existing communication systems. Limited power, processing, storage and radio resources dictate extremely efficient usage of these resources to achieve high reliability and availability in IoT. However, DoS and Distributed DoS (DDoS) attacks aim to misuse these resources and cause interruptions, delays and losses, degrading the services offered in IoT. For a highly reliable and available IoT, such attacks have to be prevented, detected or mitigated autonomously. The goal of this thesis is to investigate how IoT networks can be secured against D/DoS attacks. To this end, we focused on a subclass of IoT, namely Low Power and Lossy Networks (LLNs).
In LLNs, the elements of the network are resource-constrained (i.e., limited processing, storage, communication and power sources) and the environment is lossy. The IETF and the IEEE have proposed several standards to connect such networks to the Internet and allow various applications to be supported efficiently. This set of protocols is called the *standardized protocol stack*, which includes IEEE 802.15.4 for the PHY and MAC layers, the 6LoWPAN adaptation layer between the MAC and network layers, the IPv6 Routing Protocol for Low Power and Lossy Networks (RPL) for the network layer, UDP for the transport layer and CoAP for the application layer. We chose to study LLNs because we believe that the majority of the devices in IoT will fall within the concept of LLNs. Limited resources, lossy environments and possible mobility make it challenging to incorporate robust security solutions into such networks. Considering that these devices are capable of connecting to the Internet, the task of protecting such networks against attackers becomes even more challenging. In this respect, we started our thesis journey by understanding LLNs through their architectural design, elements and communication protocols. As we studied the security of LLNs, we analyzed the standardization efforts to secure LLN-based IoT networks. Considering the pros and cons of the security solutions, the resource constraints, QoS requirements, implementation challenges, deployment environments and users, Internet connectivity and the D/DoS attacks targeting existing computer networks, we believed that there is a need for LLNs to be secured against such attacks. Hence, we researched the D/DoS attacks which may target LLNs. Our research revealed that LLNs can be the target of D/DoS attacks which are either new (due to the new protocols and standards) or old (attacks that have been targeting existing networks).
We analyzed the works that investigate the effects of the attacks, cryptography-based security solutions, protocol security studies, and intrusion detection and mitigation systems that are specifically designed for LLNs. We continued our journey by focusing on the network layer of LLNs and specifically on the IPv6 Routing Protocol for Low Power and Lossy Networks (RPL) proposed by the IETF. Among the set of attacks, we targeted the Version Number Attack (VNA). In a VNA, an attacker maliciously changes the version number (VN) and thus initiates an illegitimate global repair operation in RPL, whereas in an ordinary RPL network the global repair operation can be started only by the DODAG root. Our motivation for choosing the VNA among the other attacks was manifold. First of all, it was a fairly new DoS attack and had not been studied much in the literature. Since it was new, there was no detection or mitigation study or any in-depth analysis. It was also an interesting attack for us in that it did not need thousands of attackers; a single attacker was enough to affect the whole network. In order to analyze the effect of the VNA, we created a realistic topology considering the IETF's routing requirements documents for LLNs. Using Contiki Cooja, we simulated a single attacker at several positions within the RPL DODAG. Our topology had mobile nodes and hence mobile attackers. We employed a probabilistic attacker model to identify the best setting for an attacker, not only in terms of position but also in terms of attacking probability. Our analysis with respect to the packet delivery ratio, RPL control message overhead, average network delay and average power consumption metrics showed that the control message overhead and packet delivery ratio results are highly correlated with the position of the attacker. The effect of the attack gets stronger as the attacker gets farther from the DODAG root.
In terms of the attacking probability and the effect of the attack, we found that the performance of the network gets worse as the probability of attacking increases. Simulation results for mobile attackers show that mobile attackers have nearly the same detrimental effects on the network as the best attacking positions for a static attacker. Our analysis with a single attacker revealed that the VNA is a very serious threat to RPL-based LLNs. It misuses the global repair operation of the RPL protocol and forces the complete network to be rebuilt over and over again. During this time, an excessive number of RPL control messages are generated, the majority of the application data packets are lost, and the average network delay and power consumption are severely increased. Based on our observations for the strongest attacking positions and the ordinary global repair operation explained in the RPL specification, we came up with a simple mitigation mechanism for the VNA, namely *elimination*, which allows VN updates coming from the direction of the DODAG root and stops VN updates coming from the opposite direction (i.e., from the direction of the leaf nodes). The elimination technique checks the sender of the incoming DIO (a DIO with a greater VN). If the sender has a worse rank than the receiving node, which shows that it is positioned in the lower portions of the DODAG, the DIO is discarded, since such an update should not come from those portions of the DODAG. We believed that the elimination technique would be very efficient at mitigating the effect of a VNA consisting of a single attacker: since it eliminates VN updates started from the direction of the leaf nodes (the positions at which the VNA is strongest) towards the DODAG root, the strongest attacking positions can be eliminated in this way.
However, if the attacker is not far from the root, in other words, if the attacker is an intermediate node within the DODAG, then it can still affect the lower portions of the DODAG, since the elimination technique will let its updates through. In order to overcome this issue and propose a complete solution, we came up with the *shield* mechanism, which is based on the elimination technique. In shield, every node works on its own and keeps a list of its neighbors that have a better rank value than itself in a table, which we call the *ShieldList*. If it receives a DIO with a greater VN (which signifies that a VN update is taking place), it first checks whether the DIO sender is in its ShieldList. If the sender does not exist within the table, it discards the DIO, because such a DIO can come only from the direction of the DODAG root and the possible senders are already listed in the ShieldList table. However, if the DIO sender exists within the table, then a trust mechanism comes into play, in which the receiving node expects other neighboring nodes (nodes within the ShieldList table) to announce the same update. It waits until the majority of the ShieldList entries claim a VN update. Hence, it does not trust a single neighbor claiming a VN update, but trusts more neighbors announcing the same update. Thus, it can provide a solution not only against attackers at the leaf nodes, but also against attackers at intermediate positions. We analyzed the performance of our new mitigation techniques by means of simulations. Simulation results show that our novel mitigation techniques can effectively mitigate the effect of the VNA. In the last part of our thesis study, we focused on multiple VN attackers. We performed two sets of comparisons. In the first set, we investigated the effect of increasing the number of attackers. In the second set, we analyzed the effect of the positions of multiple attackers.
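An added example (not code from the thesis or from Contiki's RPL implementation) that models the two decision rules described above, elimination and shield, on a constructed neighbourhood and shows why elimination alone lets an intermediate attacker through while shield does not; the node ids, rank values, DIO fields and the "more than half of the ShieldList" majority rule are assumptions:

```python
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed DIO: sender id, the sender's RPL rank and the advertised DODAG version number (VN).
DIO = namedtuple("DIO", "sender rank version")

@dataclass
class Node:
    rank: int                                   # lower rank = closer to the DODAG root
    version: int                                # DODAG version number the node currently trusts
    shield_list: frozenset = frozenset()        # ShieldList: neighbours with a better (lower) rank
    claims: dict = field(default_factory=dict)  # VN -> ShieldList neighbours that announced it

    def elimination(self, dio) -> bool:
        # Elimination: a greater VN is accepted only from a better-ranked sender (root direction).
        if dio.version <= self.version:
            return False                        # not a VN update at all
        if dio.rank >= self.rank:
            return False                        # came from the leaf direction: discard
        self.version = dio.version
        return True

    def shield(self, dio) -> bool:
        # Shield: sender must be in the ShieldList, and a majority of ShieldList neighbours
        # (assumed here: more than half) must announce the same greater VN before it is trusted.
        if dio.version <= self.version or dio.sender not in self.shield_list:
            return False                        # stale update, or sender not a better-ranked neighbour
        announcers = self.claims.setdefault(dio.version, set())
        announcers.add(dio.sender)
        if 2 * len(announcers) <= len(self.shield_list):
            return False                        # only a minority claims the new VN: keep waiting
        self.version = dio.version
        self.claims.pop(dio.version)
        return True

def run_scenario() -> dict:
    # Constructed neighbourhood: node N (rank 3, VN 1) has better-ranked neighbours A, B, C
    # and a worse-ranked neighbour L. A forged VN 2 arrives from leaf L and from intermediate A.
    better = frozenset({"A", "B", "C"})
    leaf_attacker, intermediate_attacker = DIO("L", 4, 2), DIO("A", 2, 2)
    n_elim, n_shield = Node(3, 1, better), Node(3, 1, better)
    return {
        "elim_leaf": n_elim.elimination(leaf_attacker),                 # False: leaf-side update dropped
        "elim_intermediate": n_elim.elimination(intermediate_attacker), # True: elimination cannot stop it
        "shield_leaf": n_shield.shield(leaf_attacker),                  # False: L is not in the ShieldList
        "shield_single": n_shield.shield(intermediate_attacker),        # False: 1 of 3 neighbours claims VN 2
        "shield_majority": n_shield.shield(DIO("B", 2, 2)),             # True: 2 of 3 announce VN 2
        "versions": (n_elim.version, n_shield.version),                 # (2, 2)
    }
```

In the shield case the single forged announcement from A is held back until a second ShieldList neighbour (B, a legitimate update in this scenario) confirms the same VN.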
Simulation results showed that increasing the number of attackers affects only the packet delivery ratios. In terms of power consumption per successfully delivered packet, the lowest values were obtained for the positions at the edges of the topology. In terms of distance to the DODAG root, closer positions seem to cause higher power consumption per successfully delivered packet than farther positions. For the packet delivery ratio and average network delay results, attackers at the center of the network caused the highest packet losses and the longest delays. These results were interesting for us, since our earlier study and a predecessor study had not observed such effects. Therefore, we conducted an analysis to find out the underlying reasons. We considered topological differences, logging mechanisms and operating system changes. We concluded that OS updates are the underlying reason for obtaining different results for an RPL network under the VNA. Finally, we evaluated the performance of our mitigation techniques against multiple attackers based on packet delivery ratio results. We found that our mitigation techniques successfully mitigate the effect of multiple attackers.