Denial of service mitigation approach for IPv6-enabled smart object networks

Denial of service (DoS) attacks can be defined as any third-party action aiming to reduce or eliminate a network's capability to perform its expected functions. Although there are several standard techniques in traditional computing that mitigate the impact of some of the most common DoS attacks, this still remains a very important open problem to the network security community. DoS attacks are even more troublesome in smart object networks because of two main reasons. First, these devices cannot support the computational overhead required to implement many of the typical counterattack strategies. Second, low traffic rates are enough to drain sensors' battery energy making the network inoperable in short times. To realize the Internet of Things vision, it is necessary to integrate the smart objects into the Internet. This integration is considered an exceptional opportunity for Internet growth but, also, a security threat, because more attacks, including DoS, can be conducted. For these reasons, the prevention of DoS attacks is considered a hot topic in the wireless sensor networks scientific community. In this paper, an approach based on 6LowPAN neighbor discovery protocol is proposed to mitigate DoS attacks initiated from the Internet, without adding additional overhead on the 6LoWPAN sensor devices.This work has been partially supported by the Instituto de Telecomunicacoes, Next Generation Networks and Applications Group (NetGNA), Portugal, and by National Funding from the FCT - Fundacao para a Ciencia e Tecnologia through the Pest-OE/EEI/LA0008/2011.Oliveira, LML.; Rodrigues, JJPC.; De Sousa, AF.; Lloret, J. (2013). Denial of service mitigation approach for IPv6-enabled smart object networks. Concurrency and Computation: Practice and Experience. 25(1):129-142. doi:10.1002/cpe.2850S129142251Gershenfeld, N., Krikorian, R., & Cohen, D. (2004). The Internet of Things. Scientific American, 291(4), 76-81. doi:10.1038/scientificamerican1004-76Akyildiz, I. F., Su, W., Sankarasubramaniam, Y., & Cayirci, E. (2002). Wireless sensor networks: a survey. Computer Networks, 38(4), 393-422. doi:10.1016/s1389-1286(01)00302-4Karl, H., & Willig, A. (2005). Protocols and Architectures for Wireless Sensor Networks. doi:10.1002/0470095121IEEE Std 802.15.4-2006 Part 15.4: wireless medium access control (MAC) and physical layer (PHY) specificationsfor low-rate wireless personal area networks (LR-WPANs) 2006ZigBee Alliance ZigBee Specification 2007WirelessHARThomepage 2012 http://www.hartcomm.org/Hui, J. W., & Culler, D. E. (2008). Extending IP to Low-Power, Wireless Personal Area Networks. IEEE Internet Computing, 12(4), 37-45. doi:10.1109/mic.2008.79Kushalnagar N Montenegro G Schumacher C IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals 2007Montenegro G Kushalnagar N Hui J Culler D Transmission of IPv6 Packets over IEEE 802.15.4 Networks 2007Shelby Z Thubert P Hui J Chakrabarti S Bormann C Nordmark E 6LoWPAN Neighbor Discovery 2011Zhou, L., Chao, H.-C., & Vasilakos, A. V. (2011). Joint Forensics-Scheduling Strategy for Delay-Sensitive Multimedia Applications over Heterogeneous Networks. IEEE Journal on Selected Areas in Communications, 29(7), 1358-1367. doi:10.1109/jsac.2011.110803Roman, R., & Lopez, J. (2009). Integrating wireless sensor networks and the internet: a security analysis. Internet Research, 19(2), 246-259. doi:10.1108/10662240910952373Wang, Y., Attebury, G., & Ramamurthy, B. (2006). A survey of security issues in wireless sensor networks. IEEE Communications Surveys & Tutorials, 8(2), 2-23. doi:10.1109/comst.2006.315852Xiaojiang Du, & Hsiao-Hwa Chen. (2008). Security in wireless sensor networks. IEEE Wireless Communications, 15(4), 60-66. doi:10.1109/mwc.2008.4599222Pelechrinis, K., Iliofotou, M., & Krishnamurthy, S. V. (2011). Denial of Service Attacks in Wireless Networks: The Case of Jammers. IEEE Communications Surveys & Tutorials, 13(2), 245-257. doi:10.1109/surv.2011.041110.00022Zhou, L., Wang, X., Tu, W., Muntean, G., & Geller, B. (2010). Distributed scheduling scheme for video streaming over multi-channel multi-radio multi-hop wireless networks. IEEE Journal on Selected Areas in Communications, 28(3), 409-419. doi:10.1109/jsac.2010.100412Lin, K., Lai, C.-F., Liu, X., & Guan, X. (2010). Energy Efficiency Routing with Node Compromised Resistance in Wireless Sensor Networks. Mobile Networks and Applications, 17(1), 75-89. doi:10.1007/s11036-010-0287-xLi, H., Lin, K., & Li, K. (2011). Energy-efficient and high-accuracy secure data aggregation in wireless sensor networks. Computer Communications, 34(4), 591-597. doi:10.1016/j.comcom.2010.02.026Oliveira, L. M. L., de Sousa, A. F., & Rodrigues, J. J. P. C. (2011). Routing and mobility approaches in IPv6 over LoWPAN mesh networks. International Journal of Communication Systems, 24(11), 1445-1466. doi:10.1002/dac.1228Narten T Nordmark E Simpson W Soliman H Neighbor Discovery for IP version 6 (IPv6) 2007Singh H Beebee W Nordmark E IPv6 Subnet Model: The Relationship between Links and Subnet Prefixes 2010Roman, R., Lopez, J., & Gritzalis, S. (2008). Situation awareness mechanisms for wireless sensor networks. IEEE Communications Magazine, 46(4), 102-107. doi:10.1109/mcom.2008.4481348Sakarindr, P., & Ansari, N. (2007). Security services in group communications over wireless infrastructure, mobile ad hoc, and wireless sensor networks. IEEE Wireless Communications, 14(5), 8-20. doi:10.1109/mwc.2007.4396938Tsao T Alexander R Dohler M Daza V Lozano A A Security Framework for Routing over Low Power and Lossy Networks 2009Karlof C Wagner D Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures First IEEE International Workshop on Sensor Network Protocols and Applications 2003 113 127 10.1109/SNPA.2003.1203362Hui J Thubert P Compression Format for IPv6 Datagrams in 6LoWPAN Networks 2009Elaine Shi, & Perrig, A. (2004). Designing Secure Sensor Networks. IEEE Wireless Communications, 11(6), 38-43. doi:10.1109/mwc.2004.1368895Akkaya, K., & Younis, M. (2005). A survey on routing protocols for wireless sensor networks. Ad Hoc Networks, 3(3), 325-349. doi:10.1016/j.adhoc.2003.09.01

Security Management for The Internet of Things

The expansion of Internet connected automation provides a number of opportunities and applications that were not imaginable before. A prominent example is the Internet of things (IoT). IoT is a network system that consists of many wired or wireless smart sensors and applications. The development of IoT has been taking decades. However, cyberattacks threat the IoT since the day it was born; different threats and attacks may cause serious disasters to the network system without the essential security protection. Thus, the security and the management of the IoT security system become quite significant. This research work into security management of IoT involves five sections. We first point out the conception and background of the IoT. Then, the security requirements for the IoT have been discussed intensively. Next a proposed layered-security management architecture has been outlined and described. An example of how conveniently this proposed architecture can be used to come up with the security management for a network of the IoT is explained in detail. Finally, summarise the results of implementing the proposed security functions architecture to obtain the efficient and strong security in an IoT environment

Routing and Mobility on IPv6 over LoWPAN

The IoT means a world-wide network of interconnected objects based on standard communication protocols. An object in this context is a quotidian physical device augmented with sensing/actuating, processing, storing and communication capabilities. These objects must be able to interact with the surrounding environment where they are placed and to cooperate with neighbouring objects in order to accomplish a common objective. The IoT objects have also the capabilities of converting the sensed data into automated instructions and communicating them to other objects through the communication networks, avoiding the human intervention in several tasks. Most of IoT deployments are based on small devices with restricted computational resources and energy constraints. For this reason, initially the scientific community did not consider the use of IP protocol suite in this scenarios because there was the perception that it was too heavy to the available resources on such devices. Meanwhile, the scientific community and the industry started to rethink about the use of IP protocol suite in all IoT devices and now it is considered as the solution to provide connectivity between the IoT devices, independently of the Layer 2 protocol in use, and to connect them to the Internet. Despite the use of IP suite protocol in all devices and the amount of solutions proposed, many open issues remain unsolved in order to reach a seamless integration between the IoT and the Internet and to provide the conditions to IoT service widespread. This thesis addressed the challenges associated with the interconnectivity between the Internet and the IoT devices and with the security aspects of the IoT. In the interconnectivity between the IoT devices and the Internet the problem is how to provide valuable information to the Internet connected devices, independently of the supported IP protocol version, without being necessary accessed directly to the IoT nodes. In order to solve this problem, solutions based on Representational state transfer (REST) web services and IPv4 to IPv6 dual stack transition mechanism were proposed and evaluated. The REST web service and the transition mechanism runs only at the border router without penalizing the IoT constrained devices. The mitigation of the effects of internal and external security attacks minimizing the overhead imposed on the IoT devices is the security challenge addressed in this thesis. Three different solutions were proposed. The first is a mechanism to prevent remotely initiated transport level Denial of Service attacks that avoids the use of inefficient and hard to manage traditional firewalls. It is based on filtering at the border router the traffic received from the Internet and destined to the IoT network according to the conditions announced by each IoT device. The second is a network access security framework that can be used to control the nodes that have access to the network, based on administrative approval, and to enforce security compliance to the authorized nodes. The third is a network admission control framework that prevents IoT unauthorized nodes to communicate with IoT authorized nodes or with the Internet, which drastically reduces the number of possible security attacks. The network admission control was also exploited as a management mechanism as it can be used to manage the network size in terms of number of nodes, making the network more manageable, increasing its reliability and extending its lifetime.A IoT (Internet of Things) tem suscitado o interesse tanto da comunidade académica como da indústria, uma vez que os campos de aplicação são inúmeros assim como os potenciais ganhos que podem ser obtidos através do uso deste tipo de tecnologia. A IoT significa uma rede global de objetos ligados entre si através de uma rede de comunicações baseada em protocolos standard. Neste contexto, um objeto é um objeto físico do dia a dia ao qual foi adicionada a capacidade de medir e de atuar sobre variáveis físicas, de processar e armazenar dados e de comunicar. Estes objetos têm a capacidade de interagir com o meio ambiente envolvente e de cooperar com outros objetos vizinhos de forma a atingirem um objetivo comum. Estes objetos também têm a capacidade de converter os dados lidos em instruções e de as comunicar a outros objetos através da rede de comunicações, evitando desta forma a intervenção humana em diversas tarefas. A maior parte das concretizações de sistemas IoT são baseados em pequenos dispositivos autónomos com restrições ao nível dos recursos computacionais e de retenção de energia. Por esta razão, inicialmente a comunidade científica não considerou adequado o uso da pilha protocolar IP neste tipo de dispositivos, uma vez que havia a perceção de que era muito pesada para os recursos computacionais disponíveis. Entretanto, a comunidade científica e a indústria retomaram a discussão acerca dos benefícios do uso da pilha protocolar em todos os dispositivos da IoT e atualmente é considerada a solução para estabelecer a conetividade entre os dispositivos IoT independentemente do protocolo da camada dois em uso e para os ligar à Internet. Apesar do uso da pilha protocolar IP em todos os dispositivos e da quantidade de soluções propostas, são vários os problemas por resolver no que concerne à integração contínua e sem interrupções da IoT na Internet e de criar as condições para a adoção generalizada deste tipo de tecnologias. Esta tese versa sobre os desafios associados à integração da IoT na Internet e dos aspetos de segurança da IoT. Relativamente à integração da IoT na Internet o problema é como fornecer informação válida aos dispositivos ligados à Internet, independentemente da versão do protocolo IP em uso, evitando o acesso direto aos dispositivos IoT. Para a resolução deste problema foram propostas e avaliadas soluções baseadas em web services REST e em mecanismos de transição IPv4 para IPv6 do tipo pilha dupla (dual stack). O web service e o mecanismo de transição são suportados apenas no router de fronteira, sem penalizar os dispositivos IoT. No que concerne à segurança, o problema é mitigar os efeitos dos ataques de segurança internos e externos iniciados local e remotamente. Foram propostas três soluções diferentes, a primeira é um mecanismo que minimiza os efeitos dos ataques de negação de serviço com origem na Internet e que evita o uso de mecanismos de firewalls ineficientes e de gestão complexa. Este mecanismo filtra no router de fronteira o tráfego com origem na Internet é destinado à IoT de acordo com as condições anunciadas por cada um dos dispositivos IoT da rede. A segunda solução, é uma framework de network admission control que controla quais os dispositivos que podem aceder à rede com base na autorização administrativa e que aplica políticas de conformidade relativas à segurança aos dispositivos autorizados. A terceira é um mecanismo de network admission control para redes 6LoWPAN que evita que dispositivos não autorizados comuniquem com outros dispositivos legítimos e com a Internet o que reduz drasticamente o número de ataques à segurança. Este mecanismo também foi explorado como um mecanismo de gestão uma vez que pode ser utilizado a dimensão da rede quanto ao número de dispositivos, tornando-a mais fácil de gerir e aumentando a sua fiabilidade e o seu tempo de vida

DoS and DDoS vulnerability of IoT: A review

Internet of Things (IoT) paradigm became particularly popular in the last couple of years in such a way that the devices are present in almost every home across the globe. Using cheap components one can connect any device to the internet and enable information collecting from the environment, making everyday life a lot easier. Even though it does bring multiple advantages to the table, at the same time it brings certain challenges and vulnerabilities that need to be addressed. In this paper we focus on Distributed Denial of Service (DDoS) and Denial of Service (DoS) attacks and we provide a review of the current architecture of Internet of Things which is prone to these