René Hummen
Jens Hiller
Martin Henze
Klaus Wehrle
ABSTRACT
6LoWPAN is an IPv6 adaptation layer that defines mechanisms to make IP connectivity viable for tightly resource-constrained devices that communicate over low power, lossy links such as IEEE 802.15.4. It is expected to be used in a variety of scenarios ranging from home automation to industrial control systems. To support the transmission of IPv6 packets exceeding the maximum frame size of the link layer, 6LoWPAN defines a packet fragmentation mechanism. However, the best effort semantics for fragment transmissions, the lack of authentication at the 6LoWPAN layer, and the scarce memory resources of the networked devices render the design of the fragmentation mechanism vulnerable.
In this paper, we provide a detailed security analysis of the 6LoWPAN fragmentation mechanism. We identify two attacks at the 6LoWPAN design-level that enable an attacker to (selectively) prevent correct packet reassembly on a target node at considerably low cost. Specifically, an attacker can mount our identified attacks by only sending a single protocol-compliant 6LoWPAN fragment. To counter these attacks, we propose two complementary, lightweight defense mechanisms, the content chaining scheme and the split buffer approach. Our evaluation shows the practicality of the identified attacks as well as the effectiveness of our proposed defense mechanisms at modest trade-offs.
- A. Becher, Z. Benenson, and M. Dornseif. Tampering with motes: real-world physical attacks on wireless sensor networks. In Proc. of SPC, 2006. Google Scholar
Digital Library
- C. Bormann. Guidance for Light-Weight Implementations of the Internet Protocol Suite. draft-ietf-lwig-guidance-02 (WiP), 2012.Google Scholar
- J. W. Bos, O. Özen, and M. Stam. Efficient hashing using the AES instruction set. In Proc. of CHES, 2011. Google ScholarDigital Library
- D. Boyle and T. Newe. Security Protocols for Use with Wireless Sensor Networks: A Survey of Security Architectures. In Proc. of ICWMC, 2007. Google ScholarDigital Library
- P. G. Bradford and O. V. Gavrylyako. Hash chains with diminishing ranges for sensors. International Journal of High Performance Computing and Networking, 2006. Google ScholarDigital Library
- S. Çamtepe and B. Yener. Combinatorial design of key distribution mechanisms for wireless sensor networks. Transactions on Networking, 2007. Google ScholarDigital Library
- CERT. Advisory CA-1996-26 Denial-of-Service Attack via ping. online @ http://www.cert.org/advisories/CA-1996-26.html, 1996.Google Scholar
- CERT. Advisory CA-1997-28 IP Denial-of-Service Attacks. online @ http://www.cert.org/advisories/CA-1997-28.html, 1997.Google Scholar
- S. Chan, E. Wong, and K. Ko. Fair packet discarding for controlling ABR traffic in ATM networks . IEEE Transactions on Communications, 1997.Google Scholar
- I. B. Damgård. A design principle for hash functions. In Proc. of CRYPTO, 1989. Google ScholarDigital Library
- S. Deering and R. Hinden. Internet Protocol, Version 6 (IPv6) Specification. RFC 2460, 1998. Google ScholarDigital Library
- J. Deng, R. Han, and S. Mishra. Secure code distribution in dynamically programmable wireless sensor networks. In Proc. of IPSN, 2006. Google ScholarDigital Library
- A. Dunkels, J. Eriksson, N. Finne, and N. Tsiftes. Powertrace: Network-level power profiling for low-power wireless networks. Technical report, Swedish Institute of Computer Science, 2011.Google Scholar
- A. Dunkels, B. Gronvall, and T. Voigt. Contiki -- a lightweight and flexible operating system for tiny networked sensors. In Proc. of IEEE Local Computer Networks, 2004. Google ScholarDigital Library
- P. K. Dutta, J. W. Hui, D. C. Chu, and D. E. Culler. Securing the deluge Network programming system. In Proc. of IPSN, 2006. Google ScholarDigital Library
- L. Eschenauer and V. D. Gligor. A key-management scheme for distributed sensor networks. In Proc. of ACM CCS, 2002. Google ScholarDigital Library
- R. Gennaro and P. Rohatgi. How to Sign Digital Streams. 1997.Google Scholar
- Y. Gilad and A. Herzberg. Fragmentation considered vulnerable: blindly intercepting and discarding fragments. In Proc. of USENIX Offensive technologies (WOOT), 2011. Google ScholarDigital Library
- K. Hartke and O. Bergmann. Datagram Transport Layer Security in Constrained Environments. draft-hartke-core-codtls-02 (WiP), 2012.Google Scholar
- C. Hartung, J. Balasalle, R. Han, C. Hartung, J. Balasalle, and R. Han. Node compromise in sensor networks: The need for secure systems. Technical report, University of Colorado at Boulder, 2005.Google Scholar
- T. Heer, O. Garcia-Morchon, R. Hummen, S. Keoh, S. Kumar, and K. Wehrle. Security Challenges in the IP-based Internet of Things. Springer Wireless Personal Communications Journal, 2011. Google ScholarDigital Library
- K. Hollis. The Rose Attack. online @ http://seclists.org/bugtraq/2004/Mar/351, 2004.Google Scholar
- J. Hui and D. Culler. Extending IP to Low-Power, Wireless Personal Area Networks. Internet Computing, IEEE, 2008. Google ScholarDigital Library
- R. Hummen, J. H. Ziegeldorf, H. Shafagh, S. Raza, and K. Wehrle. Towards Viable Certificate-based Authentication for the Internet of Things. In Proc. of ACM HotWiSec, 2013. Google ScholarDigital Library
- S. Hyun, P. Ning, A. Liu, and W. Du. Seluge: Secure and dos-resistant code dissemination in wireless sensor networks. In Proc. of IPSN, 2008. Google ScholarDigital Library
- IEEE. Part 15.4: wireless medium access control (MAC) and physical layer (PHY) specifications for low-rate wireless personal area networks (WPANs). IEEE 802.15.4-2006, 2006.Google Scholar
- E. Kim, D. Kaspar, and J. Vasseur. Design and Application Spaces for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs). RFC 6568, 2012.Google Scholar
- H. Kim. Protection Against Packet Fragmentation Attacks at 6LoWPAN Adaptation Layer. In Proc. of ICHIT, 2008. Google ScholarDigital Library
- P. E. Lanigan and P. Narasimhan. Sluice: Secure dissemination of code updates in sensor networks. In Proc. of ICDCS, 2006. Google ScholarDigital Library
- A. Le, J. Loo, A. Lasebae, M. Aiash, and Y. Luo. 6LoWPAN: a study on QoS security threats and countermeasures using intrusion detection system approach. International Journal of Communication Systems, 2012. Google ScholarDigital Library
- R. C. Merkle. One way hash functions and DES. In Proc. of CRYPTO, 1989. Google ScholarDigital Library
- G. Montenegro, N. Kushalnagar, J. Hui, and D. Culler. Transmission of IPv6 Packets over IEEE 802.15.4 Networks. RFC 4944, 2007.Google Scholar
- A. Mpitziopoulos, D. Gavalas, C. Konstantopoulos, and G. Pantziou. A survey on jamming attacks and countermeasures in WSNs. Communications Surveys & Tutorials, IEEE, 2009. Google ScholarDigital Library
- A. Perrig, R. Szewczyk, J. D. Tygar, V. Wen, and D. E. Culler. SPINS: security protocols for sensor networks. Wireless Networks, 2002. Google ScholarDigital Library
- T. Ptacek and T. Newsham. Insertion, evasion, and denial of service: Eluding network intrusion detection. Technical report, DTIC Document, 1998.Google Scholar
- A. Romanow and S. Floyd. Dynamics of TCP traffic over ATM networks. In Proc. of SIGCOMM, 1994. Google ScholarDigital Library
- Z. Shelby, K. Hartke, C. Bormann, and B. Frank. Constrained Application Protocol (CoAP). draft-ietf-core-coap-13 (WiP), 2012.Google Scholar
- P. Thubert and J. Hui. LoWPAN Fragment Forwarding and Recovery. draft-thubert-6lowpan-simple-fragment-recovery-07 (WiP), 2010.Google Scholar
- M. Wilhelm, I. Martinovic, J. B. Schmitt, and V. Lenders. Short paper: reactive jamming in wireless networks: how realistic is the threat? In Proc. of ACM WiSec, 2011. Google ScholarDigital Library
- G. Ziemba, D. Reed, and P. Traina. Security Considerations for IP Fragment Filtering. RFC 1858, 1995. Google ScholarDigital Library
Index Terms
- 6LoWPAN fragmentation attacks and mitigation mechanisms
Recommendations
SecuPAN: A Security Scheme to Mitigate Fragmentation-Based Network Attacks in 6LoWPAN
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy6LoWPAN is a widely used protocol for communication over IPV6 Low-power Wireless Personal Area Networks. Unfortunately, the 6LoWPAN packet fragmentation mechanism possesses vulnerabilities that adversaries can exploit to perform network attacks. Lack of ...
Implementing moving target IPv6 defense to secure 6LoWPAN in the internet of things and smart grid
CISR '14: Proceedings of the 9th Annual Cyber and Information Security Research ConferenceThe growing momentum of the Internet of Things (IoT) has shown an increase in attack vectors within the security research community. We propose adapting a recent new approach of frequently changing IPv6 address assignment to add an additional layer of ...
Protection Against Packet Fragmentation Attacks at 6LoWPAN Adaptation Layer
ICHIT '08: Proceedings of the 2008 International Conference on Convergence and Hybrid Information TechnologyThe IPv6 over low-power wireless personal area network (6LoWPAN) typically includes devices that work together to connect the physical environment to real-world applications, e.g., wireless sensors. However, since, in some cases, security may be ...
Comments