9.2 Attacks on Opportunistic Coordination Protocols

In addition to bluffing on the link quality to degrade the performance of opportunistic routing, an attacker can attack the candidate coordination protocols. We can basically classify the opportunistic routing MAC coordination protocols discussed in Chapter 6 into two categories: implicitly prioritized and explicitly prioritized. The implicitly prioritized ones include GeRaF MAC and the contention-based forwarding, where the transmitter does not include a candidate list in the header of the data packets, and the forwarding candidates contend for the right of the packet relay. On the opposite side, the explicitly prioritized ones include ExOR batch-based forwarding, slotted ACK, compressed slotted ACK, and fast slotted ACK (FSA), where the transmitter explicitly includes the candidate list information in the data packet header and the forwarding candidates follow an order to forward the packets. In the following discussion we assume the goal of the attacker is to claim the relay responsibility for as many as packets it can whether it correctly received the packets or not. After the attacker obtains the relay responsibility of the packets, if it indeed received the packets, it can either drop them (black hole attack), selectively relay them, or forward them normally (but this may lead to suboptimal routing). If it does not correctly receive the packets, those packets are implicitly dropped.

9.2.1 Attack on Implicit-Prioritized Coordination Protocol

9.2.1.1 Attack on GeRaF MAC

We first discuss possible attacks on GeRaF MAC. Recall that in GeRaf, when a node has a packet to send, it broadcasts an RTS frame. Forwarding candidate nodes that are geographically closer to the destination will contend for the relay responsibility by sending back CTSs. If a clear CTS is received by the transmitter, it will select the node that sent this CTS as the forwarder. Other neighbors will suppress their forwarding. The attacker can therefore send a CTS whenever it overhears a RTS to claim the forwarding responsibility.

This vulnerability comes from the inherent fact that neither the sender nor other neighbors can identify the location of the attacker. If the sender and neighbors can identify the location of the attacker, this attack can be substantially limited. For example, GeRaF MAC only allows neighbors that are closer to the destination than the transmitter to participate in the opportunistic forwarding. If the sender can verify the location information of the node that sends the CTS, it can detect the attack if the attacker is actually further away from the destination. It is possible that the attacker is actually closer to the destination than the transmitter but gives little advancement. In this case, if other legitimate neighbors can overhear the attacker's CTS and can identify the location the attacker, this attack can also be flagged.

9.2.1.2 Attack on CBF

For CBF, similar vulnerability exists in all the three suppression schemes.

In the basic suppression scheme, a forwarding candidate that receives the packet will suppress itself if it overhears any other node that forwarded the packet. An attacker that receives the packet but gives little or even negative advancement can rebroadcast the packets with very short delay, thus suppressing other nodes that may advance the packet further toward the destination. In this case, the CBF is operated in a suboptimal status. Although the location information should be included in the packet header, which may give the transmitter or other neighbor nodes opportunity to detect this attack, the attacker can lie on the location information easily to indicate a large advancement to the destination.

In the area-based suppression scheme, only the forwarding candidates who are in a particular area are supposed to participate in the packet forwarding. However, the attacker can still lie on its location information to fool other nodes.

The active selection scheme is very similar to the GeRaF MAC that the transmitter broadcasts a ready-to-forward (RTF), and forwarding candidates send a clear-to-forward (CTF) frame with nodes closer to the destination shorter delay. Whenever a forwarding candidate overhears a CTF, it suppress itself from forwarding. It is possible that, some nodes may not overhear the CTF sent by other nodes and the transmitter may receive multiple CTF frames. Then it unicasts the data packet to one of the senders of the CTF frames to finally forward the packet. Although the multiple CTF frames can somehow alleviate the attacking possibility, the attacker can raise its transmission power to suppress a large area to increase its chance of being selected as the final forwarder.

In summary, the vulnerability in CBF is also rooted from the fact that the transmitter and other legitimate neighbors cannot verify the location of the attacker. If the attacker's location can be verified, the above attack can be largely prevented or detected out.

9.2.2 Attack on Explicit-Prioritized Coordination Protocol

The ExOR MAC, slotted ACK, compressed slotted ACK and fast slotted ACK described in Chapter 6 belong to the explicitly prioritized coordination protocol. We discuss the possible attacks on these protocols as follows.

9.2.2.1 Attack on ExOR MAC

In ExOR MAC, the sender broadcasts a batch of packets. When a forwarding candidate receives the packets, it waits for its turn to rebroadcast the packets according the priority assigned by the sender. This priority information is included in each data packet header. An attacker may not therefore be able to disturb the forwarding order, otherwise it can be easily detected, for example, if an attacker has a lower forwarding priority but it rebroadcasts the packets instantly after the completion of the batch transmission from the sender. Either the sender or other forwarding candidates should be able to overhear the rebroadcast packets, then detect this abnormal behavior.

When it comes to the attacker's turn to forward the packet, the attacker can bluff that it receives all the packets by manipulating its batch map. However, this attack may be easily detected, since the sender knows the packet reception ratio from itself to the attacker. If this packet reception ratio is correct, which can be ensured by our secure link quality measurement mechanism, the sender can estimate how many new packets (those have not been received by the higher priority forwarding candidates) the attacker should be able to receive. If the number of the received packets claimed by the attacker is much larger than the expected one, the sender is able to detect this attack.

The attacker may try to rebroadcast false packets that it does not receive by modifying its batch map but only rebroadcast a certain number of the packets. In this way, these packets are implicitly dropped at this hop, which may introduce large retransmission overheads at the transport layer if TCP is applied. However, if the sender can overhear those packets and check their integrity, this attack can be detected out.

In short, although the attacker can launch the attacks discussed above, it is not too difficult to modify the protocol in order to detect these attacks with reasonable overhead.

9.2.3 Attack on Slotted ACK

In the slotted ACK, the sender broadcasts the packet to its forwarding candidates. Each forwarding candidate that receives the packet correctly will send an ACK back to the sender at different slots. That is, the ith candidate sends an ACK at the ith slot if it receives the data packet. Each ACK contains the ID of the highest priority successful recipient known to the ACK's sender. Finally, only the highest priority successful recipient is supposed to forward the data packet; other forwarding candidate should suppress themselves from forwarding. The sender will retransmit the packet if no clear ACK is received.

If an attacker is not in the forwarding candidate set, it may try to send the ACK at the first slot to claim the forwarding responsibility. The attacker can also send the ACK at later slots but in order to maximize the attacking gain it should try from the first slot. There are two possible situations: 1. The ACK collides with the legitimate one, then a legitimate lower priority candidate may also consider itself as a forwarder because it does not receive a clear ACK from the higher priority candidate. So both the forwarding candidates will forward the packet, which introduces duplication and leads to suboptimal operation of the opportunistic forwarding. 2. The first-priority candidate does not send an ACK, then the attacker may be able to obtain the forwarding authority. However, in the second situation, the legitimate first-priority candidate may be able to overhear this ACK, thus can raise an alarm since only itself is supposed to send an ACK in this slot. Furthermore, the sender may also apply the advanced physical layer identification techniques (Brik et al. 2008; Demirbas and Song 2006; Faria and Cheriton 2006; Sheng et al. 2008; Xiao et al. 2008ab, 2007, 2008c; Yang et al. 2009; Zeng et al. 2010, 2011) to detect this impersonation attack.

If an attacker is in the forwarding candidate set, but does not receive the packet correctly, it can still send an ACK to claim the forwarding responsibility at its slot. It can achieve this only when no higher priority candidate received the packet. To detect if an attacker indeed receives the packet, the sender can ask the attacker to provide evidence of the packet reception, such as a keyed hash of the data packet. It is similar to the philosophy in our secure link quality-measurement mechanism.

9.2.4 Attack on Compressed Slotted ACK

Unlike the situation with the slotted ACK, in the compressed slotted ACK, when a lower priority candidate does not sense the ACK transmission from the higher priority candidate, it will send out an ACK without waiting for the entire ACK transmission slot of the higher priority candidate. The attack on the slotted ACK can also be applied to the compressed slotted ACK. The possible solutions are also the same.

9.2.5 Attack on Fast Slotted ACK

In the fast-slotted ACK, a forwarding candidate will sense the channel to see if there is any possible ACK sent from higher priority nodes. If it senses that there is an energy increase in channel during a specific time window, it will assume there is a higher priority candidate sending the ACK, even if it does not clearly receive the ACK. The attack on this coordination scheme is also similar to the attack on slotted ACK. Since the lower priority candidate will not forward the packet if it senses an ACK transmission, the packet duplication will be avoided when the first priority candidate sends an ACK but this collides with the attacker's one. Similarly, if the first-priority node does not send an ACK, then it may be able to detect this attack if it senses an energy change in the time window during which it alone is supposed to send an ACK.