Addressing DAO Insider Attacks in IPv6-Based Low-P
Addressing DAO Insider Attacks in IPv6-Based Low-P
model based on Gated Recurrent Unit network is developed and victim node in order to minimize false positives. The
for identification of “Hello Flooding” attack. Ghaleb et al. proposed solution is based on distributed detection strategy
[14] proposed and addressed the DAO Insider attack. The in which every individual node maintains two tables, i.e.,
authors implemented a defense mechanism named SecRPL a neighbor table for storing information about neighbors,
to secure the LLNs. Verma et al. [15] proposed a lightweight a blacklist table to store information about blacklisted or
security scheme for the defending RPL against DIS flooding attacker nodes. The usage of blacklist table helps in energy
attacks. They analyzed the network and put a safety threshold saving because attack is mitigated quickly without additional
on the RPL protocol. In this [16] paper Farzaneh et al. processing of illegitimate DAO packet. A threshold, i.e.,
proposed an anomaly based IDS based on threshold values DAO recv threshold is used to put a cap on the maximum
for detection of attacks in RPL. Ariehrour et al. [17] proposed allowed DAO transmissions by any child node. The value of
SecTrust-RPL solution to secure RPL against Sybil and rank DAO recv threshold is chosen based on the analysis of mul-
attacks. AN IDS named SIEWE is proposed by Patel et tiple non-attack scenarios. The detection algorithm starts with
al. by Patel et al. [18]. In [19], the authors proposed a the initialization of DAO recv threshold, Neighbor Table,
lightweight mechanism that adjusts thresholds value to detect and Blacklist Table. The parent node, upon receiving a
and mitigate DIS attacks. From the literature, we identified DAO message from a child node or DAO sender checks
that various RPL based attacks have been countered using whether the DAO sender’s address is already present in the
different types of security solutions. As far as the literature Blacklist Table or not. If DAO sender’s address matches with
is concerned there is only one solution for defending DAO any blacklisted node’s address, this means that parent had
Insider attacks [14], this leave a lot of scope. In this paper already detected that DAO sender as an attacker node earlier,
we have addressed DAO Insider attack using Blacklisting and it simply discards received DAO message without any
technique. further processing. This not only saves energy of nodes but
also helps in quick mitigation of attack. In case the DAO
V. P ROPOSED S OLUTION sender’s address is not present in Blacklist Table, then the
The proposed defense solution is based on the idea of algorithm starts checking the Neighbor Table to find out the
analyzing node’s behavior to identify whether it is legitimate DAO sender’s address. If DAO sender’s address is not present
or illegitimate. We performed multiple experiments consid- in the Neighbor Table, then it means that DAO sender is a
ering different non-attack and attack scenarios to analyze new child node which has sent the DAO message first time.
the illegitimate node behavior. The behavior of the node is Then, a new node entry in the Neighbor Table is created and
analyzed in form of the number of DAO messages being DAO sender’s information is added to the Neighbor Table.
transmitted and received by the nodes across the network. In this case the Neighbor Table stores three values:
With a detailed analysis, we come to a conclusion that each
1) DAO sender address(Node[source id])
node in RPL based LLNs receives and transmits similar
2) Child’s Global address or
number of DAOs messages in the network under non-attack
DAO Prefix(Node[global id])
scenarios. Whereas, in case of attack, victim node receives
3) Child’s DAO counter
large amount of DAOs from a malicious node as compared
to neighbor legitimate nodes. To address DAO Insider attack, Based on these entries, the detection algorithm decides
we proposed a defense solution that puts limits on the the whether a DAO sender node is an attacker or not. It is
number of DAOs messages sent by any child node. The important to note that whenever a node generates a DAO
key idea is to distinguish between original attacker node message, it also transfers the global ID in the DAO message.
In RPL, DAO sender’s global ID is represented as the DAO
prefix. In our solution, we use the DAO prefix to increment
the DAO counter value (i.e., DAO count). Whenever any
parent node receives a DAO message from its child node
there are two cases which are handled differently. In first
case, if DAO sender or child is the DAO originator (i.e.,
DAO Prefix equals child’s global id), then DAO count value
corresponding to that child node is incremented, and the DAO
message is forwarded. In second case, when the child is
not the DAO originator (i.e., DAO Prefix not equals child’s
global id), the value of DAO count is not incremented, and
DAO message is forwarded to the preferred parent. With this
approach, the algorithm detects attacker node present in the Fig. 3. Simulation Parameters
network without blacklisting legitimate nodes. If any node
is sending a lot of DAO message, then the parent of that
child node will increment the DAO Counter corresponding tem for resource constrained nodes. The popular ContikiRPL
to that child node. After reaching the DAO recv threshold, is modified and the proposed solution is integrated with it.
the parent blocks the abnormally behaving child and add its The performance of the proposed solution is evaluated on
information in the Blacklist Table (i.e., blacklisting). The Cooja simulator [21]. Further part of this section provides
main benefit of this approach is that it does not involve the details of experimental setup, performance indicators, and
usage of any resource consuming methods like encryption, experimental results.
decryption, hashing, or key management. The detection logic
simply puts thresholds of RPL parameters which makes A. Experimental Setup
it lightweight and suitable for LLNs. Pseudocode of the
proposed solution is depicted in Algorithm 1. The proposed solution is implemented by modifying the
core files of ContikiRPL. We performed the experiments for
Algorithm 1 Pseudocode of proposed solution evaluation of proposed solution on Cooja Simulator. Z1 mote
1: procedure I NITIALIZATION platform is used for running Contiki. The simulation param-
2: set DAO recv threshold eters mentioned in Fig 3 are considered for experiments.
3: create empty Neighbor Table ⊲ To create a neighbor table In all the experiments, the Unit Disk Graph Radio Medium
on node start
4: create empty Blacklist Table ⊲ To create a blacklist table (UDGM) is considered. To mount the DAO insider attack, an
on node start attacker node can compromise the legitimate node and repro-
5: end procedure grammed it to capture the DAO message and then transmit
6: procedure O N DAO R ECEIVE the captured DAO message in a fixed time of interval. The
7: if (DAO sender address is present in Blacklist Table) then DAO attack is launched after receiving a DIO message from
8: return ⊲ In case the sender node was already
blacklisted any parent node. The detection approach of the proposed
9: end if solution is activated upon network initialization. The mean
10: for Each Node in Neighbor Table do values of PDR and AE2ED have been used for analysis
11: if (DAO sender address equals Node.source id) then to eliminate the effect the biased results. We performed 10
12: if (DAO Prefix equals Node.global id) then independent experiments with different random seed values
13: if (Node.DAO count is less than
DAO recv threshold) then and computed the errors at a 95 percent confidence interval.
14: Node.DAO count++
15: Forward DAO to preferred parent B. Performance Indicators
16: else
17: Add DAO sender in Blacklist Table 1) Packet Delivery Ratio (PDR): Represents ratio of the
18: end if total amount of data packets received to the total
19: else
amount of data packets sent by any node to the
20: Forward DAO to preferred parent
21: end if DODAG root node.
22: else 2) Average End-to-End Delay (AE2ED): The average
23: Add new DAO sender’s information in Neigh- time taken to deliver all the data packet from source
bor Table to DODAG node.
24: end if 3) Throughput: It indicates the amount of data moved
25: end for
26: end procedure successfully from sender to receiver in a given period
of time. It is expressed in terms of bits per second
(bps).
VI. P ERFORMANCE E VALUATION 4) Implementation Overhead: It represents total RAM and
We implemented our proposed defense solution in Contiki ROM usage by the proposed solution over resource
[20] which is one of the widely used embedded operating sys- constraints nodes.
C. Simulation Results scenario as compared to RP L. The reason is that the parent
We have considered three cases for making comparisons, node receives a lot of DAO messages from the attacker node
i.e., RP L, RP LUnderAttack , and RP LSecure . Where, RP L and this keeps them busy. Busy parent nodes take a lot of time
represents standard RPL without defense mechanism imple- to process data packets, therefore AE2ED increases. Like,
mented on it, RP LUnderAttack is the scenario in which PDR results in this case also, it can also be analyzed that
standard RP L is under attack, and RP LSecure represents the aggressive DAO attacker have major impact on AE2ED
the secure version of standard RP L which has our defense of the network as compared to non-aggressive attackers .
solution incorporated in it. In this section, the simulation Our proposed solution (RP LSecure ) is able to decrease the
results are discussed. impact of attack and this is clearly visible in Fig. 5. This
is because the proposed solution discards malicious DAOs,
D. Impact on PDR which consequently reduces processing time of data packets.
Fig. 4 represents the impact of PDR on RP L,
RP LUnderAttack , RP LSecure . It has been observed from RPL
RPL
the figure that the attacker lowers the network’s performance. 3.5
RPL
Under Attack
Secure
DAO message a parent must processes all DAOs and sends 1.5
RPL
RPL
Under Attack
1.0
RPLSecure
0.9
0.8
Packet Delivery Ratio
0.7 60
0.6
Throughput (bps)
0.5
0.4
40
0.3
0.2
0.1
0.0 20
1 2 4 8
0
Fig. 4. PDR values obtained in different scenarios 1 2 4 8
Fig. 6. ThroughputReplay
values Interval
obtained(seconds)
in different scenarios
E. Impact on AE2ED
The impact of AE2ED in different scenarios (RP L, G. Implementation Overhead
RP LUnderAttack , RP LSecure ) is indicated in Fig. 5. It can Fig. 7 shows the memory requirements of proposed de-
be observed that AE2ED is severely affected under attack fense solution. The proposed solution requires very little
amount of memory hence it becomes a lightweight defense R EFERENCES
solution. The standard Z1 motes have 92 KB of ROM, and [1] K. Ashton et al., “That ‘internet of things’ thing,” RFID journal,
8 KB of RAM. Fig. 7 shows that Contiki with our proposed vol. 22, no. 7, pp. 97–114, 2009.
solution implemented on it easily fits into Z1 motes without [2] P. Sethi and S. R. Sarangi, “Internet of things: architectures, protocols,
and applications,” Journal of Electrical and Computer Engineering,
imposing significant overhead. Thus, the implementation vol. 2017, 2017.
overhead of proposed solution makes it lightweight solution. [3] J. V. Sobral, J. J. Rodrigues, R. A. Rabêlo, J. Al-Muhtadi, and
V. Korotaev, “Routing protocols for low power and lossy networks
in internet of things applications,” Sensors, vol. 19, no. 9, p. 2144,
2019.
ROM
RAM
[4] R. Alexander, A. Brandt, J. Vasseur, J. Hui, K. Pister, P. Thubert,
100
P. Levis, R. Struik, R. Kelsey, and T. Winter, “RPL: IPv6 Routing
Protocol for Low-Power and Lossy Networks,” RFC 6550, Mar. 2012.
80
[Online]. Available: https://rfc-editor.org/rfc/rfc6550.txt
[5] O. Gaddour and A. Koubâa, “RPL in a nutshell: A survey,” Computer
Memory size in Kilobytes (kB)