2017 8th International Conference on Information Technology (ICIT)
978-1-5090-6332-1/17/$31.00 ©2017 IEEE
Review on Mechanisms for Detecting Sinkhole Attacks on RPLs

Mahmood Alzubaidi*, Mohammed Anbar, Samer Al-Saleem, Shadi Al-Sarawi, Kamal Alieyan
National Advanced IPv6 Centre (NAV6), Universiti Sains Malaysia, 11800 Gelugor, Penang, Malaysia
*Corresponding author, e-mail: mahmood@nav6.usm.my
Other authors' e-mail: (anbar, samer, Shadi, Kamal_alian)@nav6.usm.my
Abstract— Internet Protocol version 6 (IPv6) over Low power Wireless Personal Area Networks (6LoWPAN) is extensively used in wireless sensor networks (WSNs) due to its ability to transmit IPv6 packets with low bandwidth and limited resources. 6LoWPAN has several operations in each layer. Most existing security challenges are focused on the network layer, which is represented by its routing protocol for low-power and lossy networks (RPL). RPL components include WSN nodes that have constrained resources. Therefore, the exposure of RPL to various attacks may lead to network damage. A sinkhole attack is a routing attack that could affect the network topology. This paper aims to investigate the existing detection mechanisms used in detecting sinkhole attacks on RPL-based networks. This work categorizes and presents each mechanism according to certain aspects. Then, their advantages and drawbacks with regard to resource consumption and false positive rate are discussed and compared.
Keywords-- Internet of things; Sinkhole attack; WSN; RPL; 6LoWPAN.
I. INTRODUCTION
Wireless sensor networks (WSNs) have attracted a fair amount of research attention during the last decade. Their limited resources, along with deployment in hostile environments, pose severe challenges to research. At the same time, the Internet of Things (IoT) is expected to connect approximately 50 billion things (or devices) to the Internet by 2020, an average of six connected devices for each person on the planet. The exchanged traffic may contain critical information from various fields, such as home sensors, medical devices, cars, airplanes, and even nuclear reactors, where a compromise can endanger human life. Thus, a massive number of devices connected to each other and to the Internet requires a high level of security and authentication.
Traditional security mechanisms, such as firewalls and intrusion detection and prevention systems deployed at the Internet edge, are no longer sufficient to secure the next-generation Internet. Furthermore, the WSN architecture in the IoT raises additional network security concerns due to resource constraints, insufficient infrastructure, limited physical security, dynamic topology, and unreliable links, which make these networks particularly vulnerable and difficult to protect. Moreover, IoT devices are reachable from anywhere over the Internet; therefore, IoT networks are exposed to an extensive range of malicious attacks. If security issues are not addressed, confidential information may leak at any time. Thus, real IoT deployments should be secured, and the following security services [1] must be considered.
Confidentiality: Messages exchanged between a source and a destination might easily be intercepted by an attacker, exposing secret contents.
Data integrity: Transit nodes between a source and a destination should not be able to change or alter the contents of messages.
Source integrity or authentication: The endpoint nodes should be able to verify each other's identities to ensure that they are communicating with authentic entities.
Availability: IoT devices must keep working smoothly, and data should be accessible whenever necessary. The availability of the services that applications provide is also important.
Freshness and non-repudiation: A compromised intermediate node could store a data packet and replay it at a later stage. The replayed packet may carry stale information. Therefore, mechanisms for detecting replayed or duplicated messages are important. These should be provided by replay protection or freshness security services, which can be implemented via integrity-protected sequence numbers, timestamps, etc.
A. 6LoWPAN
6LoWPAN, described by the IETF network working group [2], is a low-throughput wireless network comprising low-cost and low-power devices that work together to connect the physical environment to real-world applications, such as WSNs. Common topologies are supported, such as star, mesh, and combinations of the two, as shown in Fig. 1. The physical and MAC layers follow the IEEE 802.15.4 standard; to run IPv6 over IEEE 802.15.4, the adaptation layer fragments IPv6 packets (whose minimum MTU is 1280 bytes) into frames that fit the 127-byte maximum IEEE 802.15.4 frame size. A 6LoWPAN network has the following characteristics: (i) small packet size; (ii) 16-bit short or IEEE 64-bit extended media access control addresses; (iii) low bandwidth of 250/40/20 kbps; (iv) typically battery operated, relatively low cost, and low power; (v) ad hoc networks whose devices have limited accessibility and user interfaces; (vi) unreliability due to the nature of the devices and the wireless medium; (vii) currently only two routing protocols, namely LOAD (6LoWPAN ad hoc on-demand distance vector routing), an IETF Internet Draft [2], and the routing protocol for low-power and lossy networks (RPL) [3], standardized by the IETF ROLL working group.
B. RPL
RPL is standardized in RFC 6550 [3]. Low-power and lossy networks (LLNs) have constraints on processing, memory, and energy. Therefore, typical routing protocols, such as OSPF, OLSR, RIP, AODV, and DSR, cannot be used. LLN links suffer from high loss rates, low data rates, instability, expensive bits, and dynamically formed topologies. In addition, LLNs cover both wireless and wired networks and require bidirectional links. The RPL topology is based on a directed acyclic graph (DAG): a directed graph whose edges are oriented such that no cycles exist and whose roots have no outgoing edge. A general DAG may have several roots, which does not fit the WSN case of collecting data at a single sink. Therefore, RPL uses a destination-oriented DAG (DODAG), a DAG with a single destination root, where "up" is toward the root and "down" is away from it. The position of each node in the DODAG is identified by its rank, which expresses the node's distance from the root according to a specified objective function with respect to its neighbor nodes. A node can join several RPL instances but belongs to at most one DODAG per RPL instance. The DODAG ID is the IPv6 address of the root, and the DODAG version is the current version of the DODAG; when a new DODAG is computed with the same root, the version is incremented. RPL has three main control messages. The first is the DODAG information object (DIO), which is multicast downward in the RPL instance and allows other nodes to discover the RPL instance and join it. The second is the DODAG information solicitation (DIS), a link-local multicast request for a DIO, used for neighbor discovery. The third is the destination advertisement object (DAO), which flows upward from a child toward its parents or the root, as presented in Fig. 2.
C. Classification of RPL attacks
According to Mayzaud et al. [4], attacks on RPL are classified into three types based on the goal of the attacker and the final damage to the DODAG graph. The first category targets the resources of the network (energy, memory, and processing). The second category targets the RPL topology, whereas the last category targets network traffic. This review focuses on attacks that affect the topology of the DODAG graph, particularly the sinkhole attack, which occurs in two steps. First, the malicious node attracts considerable traffic by advertising falsified routing information (typically an artificially low rank) so that other nodes prefer it as their parent. Then, after illegitimately receiving the traffic, the malicious node may modify or drop it.
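The two steps above can be reproduced on a small constructed topology. The following Python script is an added example, not code from this paper or from any RPL implementation: it forms a DODAG from DIO advertisements with a hop-count objective function, using the RFC 6550 defaults MinHopRankIncrease = 256 and ROOT_RANK = 256, and then repeats the formation with one node, M, advertising a false rank equal to the root's. The link list and node names are constructed for the example.

```python
"""Added example: DODAG formation with honest DIOs versus a sinkhole node that
advertises a falsified (too low) rank. Not code from the paper or from an RPL stack."""
import heapq
from collections import defaultdict

MIN_HOP_RANK_INCREASE = 256          # RFC 6550 default; rank = parent rank + this step
ROOT_RANK = MIN_HOP_RANK_INCREASE    # RFC 6550: ROOT_RANK = MinHopRankIncrease
INF = float("inf")

# Constructed topology (undirected radio links); "M" is the node we later make malicious.
LINKS = [("R", "A"), ("R", "B"), ("A", "C"), ("B", "D"), ("C", "D"), ("D", "M"),
         ("M", "E"), ("C", "E"), ("E", "F"), ("M", "F")]


def build_dodag(links, root, advertised=None):
    """Simulate DIO propagation: every node picks the neighbour advertising the
    lowest rank as preferred parent and takes that rank + MinHopRankIncrease.
    `advertised` maps a node to the rank it *claims* in its DIO, overriding the
    rank it actually computed (this is the sinkhole lie). Returns (parent, rank)."""
    advertised = dict(advertised or {})
    adj = defaultdict(set)
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    rank = {root: ROOT_RANK}
    parent = {root: None}
    heap = [(ROOT_RANK, root)]
    while heap:
        r, node = heapq.heappop(heap)
        if r > rank[node]:
            continue                                  # stale heap entry
        claimed = advertised.get(node, r)             # what this node puts in its DIO
        for nbr in sorted(adj[node]):                 # sorted: deterministic tie-break
            candidate = claimed + MIN_HOP_RANK_INCREASE
            if candidate < rank.get(nbr, INF):        # better parent found
                rank[nbr] = candidate
                parent[nbr] = node
                heapq.heappush(heap, (candidate, nbr))
    return parent, rank


def sunk_nodes(parent, attacker):
    """Nodes whose upward (child-to-root) path passes through `attacker`, i.e. whose
    traffic the sinkhole can drop or modify. Guards against parent loops."""
    sunk = set()
    for node in parent:
        seen, cur = set(), node
        while cur is not None and cur not in seen:
            if cur == attacker and node != attacker:
                sunk.add(node)
                break
            seen.add(cur)
            cur = parent[cur]
    return sunk


def demo():
    honest_parent, _ = build_dodag(LINKS, "R")
    attacked_parent, _ = build_dodag(LINKS, "R", advertised={"M": ROOT_RANK})
    return honest_parent, attacked_parent, sunk_nodes(attacked_parent, "M")


if __name__ == "__main__":
    honest, attacked, sunk = demo()
    print("honest parents :", honest)
    print("with sinkhole M:", attacked)
    print("traffic sunk through M:", sorted(sunk))
```

In the honest run F chooses E and M hangs below D. Once M advertises the root's rank, D, E and F all select M as parent, D included, although D was M's parent a moment earlier, so a parent loop forms and the upward traffic of all three nodes is now routed through the sinkhole.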
Fig. 1. Star and peer-to-peer topology in 6LoWPAN
Fig. 2. Type of RPL messages
A sinkhole attack may be coupled with other attacks and poses significant damage to RPL. Thus, detection and mitigation of sinkhole attacks can serve the IoT security community. Wallgren et al. [5] stated that a sinkhole attack might be combined with a selective forwarding attack, in which the malicious node forwards all RPL control messages and drops the rest of the traffic. A sinkhole attack can also be combined with a hello flood attack, which broadcasts messages with strong signal power to promote a falsified routing metric. Similarly, a sinkhole attack can be combined with a wormhole attack, which forwards messages over an out-of-band connection between two nodes; high throughput matters in this combination, and the rest of the traffic follows the normal path. Moreover, a sinkhole attack can turn into a blackhole attack, in which the malicious node drops all packets instead of forwarding them. Last, a sinkhole attack is often part of a decreased rank attack, which disrupts traffic, whereas increased rank attacks target LLN resources, as shown in Fig. 3.
RPL has two rank repair mechanisms, namely, global repair and local repair. In global repair, the DODAG root advertises a new DODAG version number to reconstruct the entire topology; when nodes receive the new DIO messages, they create new parent relationships and update the link costs again. If a node's link toward the DODAG root is broken, it can use local repair: the node informs all its children that they need to update their tables and select new parents, while the node itself sends a DIS message to obtain a new rank in the topology [6]. By contrast, when a node is compromised by a sinkhole attack, local and global repair do not work effectively, because differentiating a failed node from a malicious one is difficult without a monitoring system. Hence, the attacker can make the compromised node alter its DODAG ID or broadcast new rank values frequently without any legitimate reason.
Cryptography is considered the first line of defense against denial-of-service attacks in WSNs, as it provides confidentiality, authentication, and integrity. However, cryptography alone does not work against routing attacks such as the sinkhole, because it does not cover quality of service (QoS) requirements such as availability, robustness, and resilience. Therefore, cryptography is combined with an intrusion detection system (IDS) that monitors abnormal behavior in RPL and detects malicious sources at an early stage to protect the network from damage [6].
The paper is organized as follows. Section II briefly explains the recent mechanisms and IDSs used to detect sinkhole attacks. Section III discusses the drawbacks of each mechanism. The paper is concluded in Section IV.
II. RELATED WORKS
The existing mechanisms used to detect sinkhole attacks in
RPL can be categorized according to their main focus on
security, as illustrated in Fig. 4. Accordingly, this section
provides an investigation regarding each category.
Fig. 4. Taxonomy of mechanisms against sinkhole attack in RPL
Fig. 3. The effect of sinkhole attack in the RPL network
A. DIO message-based mechanisms
Dvir et al. [7] proposed a version number and rank authentication (VERA) mechanism. Each node rewrites the rank field of the DIO message it forwards, since the field carries the sender's own rank, which in turn determines how attractive the sender is as a parent to its neighbors. Therefore, this field can be forged by a node executing a sinkhole attack. VERA prevents attacking nodes from obtaining a rank lower than their true rank by using a one-way hash chain that enforces a strict increase of rank from the DODAG root toward the constrained nodes. Each node knows the chain's anchor value, because the DODAG root distributed it earlier. When a node advertises a rank together with its hash-chain value in a DIO, the receiver re-hashes the value and compares the result with the anchor; if the value does not fit the claimed rank, the sender is considered an attacker. Although VERA successfully mitigates version number attacks, it is still weak against two topology attacks. The first is rank spoofing, which allows an attacker to claim any rank in the DODAG. The second is the rank replay attack, which allows a malicious node to claim one level closer to the root by replaying the rank value of its parent. TRAIL [8] was proposed to fix these issues: it analyzes the incompleteness of VERA's rank authentication, presents enhancements to VERA as a repair, and finally discovers and isolates bogus nodes while they attack the RPL routing hierarchy. TRAIL is derived from first principles and resolves the problem of topological infringements. A parent node can detect a misbehaving child whose advertised rank is lower than its own; a child node, however, cannot determine whether its parent is an attacker, so TRAIL still allows a child to choose an attacking node as its parent.
Therefore, Iuchi et al. [9] proposed a secure parent selection scheme to ensure that child nodes select a legitimate node as their parent. When multiple parent candidates are offered, a node selects its parent after excluding the best candidate. Using a threshold derived from the maximum and average rank of its neighbors, each node can identify whether a rank value broadcast by a neighbor is extremely low; since attacking nodes claim a rank falsely lower than legitimate nodes, each node excludes the nodes whose rank is judged extremely low and chooses its parent from the rest.
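The hash-chain check and the secure-parent filter can be made concrete as follows. This Python script is an added example, not code from [7], [8] or [9]. It uses a simplified VERA-style chain (SHA-256, root rank 0, chain length L, anchor assumed to be distributed authentically by the root; VERA's signature on the anchor and its separate version-number chain are omitted), shows why a rank-3 node cannot forge rank 1 but can replay its parent's rank-2 value, and implements a secure-parent filter whose threshold rule (a candidate is "extremely low" when its rank is below half the neighborhood average) is an assumption made for this example rather than the exact rule in [9].

```python
"""Added example: simplified VERA-style rank authentication with a one-way hash
chain, its rank-replay weakness, and a secure-parent threshold filter.
Not code from [7], [8] or [9]."""
import hashlib
import os
import statistics


def H(data):
    """Chain hash. SHA-256 is an assumption; VERA does not fix a particular hash."""
    return hashlib.sha256(data).digest()


def make_chain(length, seed=None):
    """Root side: x_0 is random, x_{i+1} = H(x_i). Returns [x_0, ..., x_L].
    Only x_L (the anchor) is published; a rank-r node holds x_r."""
    x = seed if seed is not None else os.urandom(32)
    chain = [x]
    for _ in range(length):
        x = H(x)
        chain.append(x)
    return chain


def verify_rank(rank, value, anchor, length):
    """Receiver side: a claim (rank r, value x) is accepted iff H^(L-r)(x) == x_L.
    Claiming a lower rank would require a preimage, which the attacker cannot compute."""
    if not 0 <= rank <= length:
        return False
    x = value
    for _ in range(length - rank):
        x = H(x)
    return x == anchor


def child_value(parent_value):
    """An honest child of a rank-r parent takes rank r+1 and value x_{r+1} = H(x_r)."""
    return H(parent_value)


def secure_parent(candidates, low_factor=0.5):
    """Secure-parent style selection in the spirit of [9]. `candidates` maps a
    neighbour to the rank it advertised. A candidate is discarded as 'extremely low'
    when rank < low_factor * average rank (threshold rule assumed for this example);
    if several candidates remain, the best one is skipped as well."""
    if not candidates:
        return None
    avg = statistics.mean(candidates.values())
    kept = sorted((r, n) for n, r in candidates.items() if r >= low_factor * avg)
    if len(kept) > 1:
        kept = kept[1:]
    return kept[0][1] if kept else None


def demo(length=8):
    chain = make_chain(length, seed=b"\x01" * 32)   # fixed seed so the run is reproducible
    anchor = chain[length]
    x1 = child_value(chain[0])       # node B, rank 1
    x2 = child_value(x1)             # node C, rank 2 (M's parent)
    x3 = child_value(x2)             # node M, rank 3
    honest = verify_rank(3, x3, anchor, length)               # True
    forged = verify_rank(1, x3, anchor, length)               # False: x3 is not x1
    guessed = verify_rank(1, os.urandom(32), anchor, length)  # False: random preimage
    replayed = verify_rank(2, x2, anchor, length)             # True: VERA cannot tell M from C
    return honest, forged, guessed, replayed


if __name__ == "__main__":
    print("honest, forged, guessed, replayed =", demo())
    print("parent chosen among {A:1, B:2, C:3, D:3}:",
          secure_parent({"A": 1, "B": 2, "C": 3, "D": 3}))
```

The last verification in demo() is the rank replay weakness described above: M has overheard its parent C's (rank 2, x_2) pair and simply repeats it, and the chain check cannot distinguish M from C. The secure_parent() call illustrates the filter: A's claimed rank 1 is far below the neighborhood average and is dropped, and with several honest candidates left the best one (B) is skipped, so C is chosen.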
Parent fail-over [10] adds an unheard node set (UNS) field to the DIO messages that the root transmits. The UNS field is signed by the 6LoWPAN border router (6BR), which acts as the root, to prevent modification in transit. The experiment in [10] set a threshold value: constrained nodes transmit sensor data every 10 seconds, and the root adds a node to the UNS if fewer than 30% of its messages are received by the 6BR. Thus, the UNS is populated with the identifiers of nodes whose paths may be affected by a sinkhole attack, and a node that receives a DIO listing itself in the UNS adds its current parent to a local blacklist, so that it fails over to another parent.
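The whole loop (delivery counting at the root, a signed UNS in the DIO, and the local blacklist at the node) is illustrated by the following added Python example, which is not code from [10]. Assumptions: the root authenticates the UNS with HMAC-SHA256 under a key pre-shared with the nodes, standing in for the root signature used in [10]; the observation window, the per-node counts and the candidate parent list are constructed for the example.

```python
"""Added example: parent fail-over with an unheard node set (UNS), in the spirit of
[10]. Not code from the paper. HMAC under a pre-shared key stands in for the root's
signature; counts, window and candidate parents are constructed inputs."""
import hashlib
import hmac

REPORT_INTERVAL_S = 10      # nodes send sensor data every 10 s [10]
UNS_THRESHOLD = 0.30        # below 30 % delivery the root lists the node [10]


def compute_uns(received, window_s, interval_s=REPORT_INTERVAL_S, threshold=UNS_THRESHOLD):
    """Root side: given {node: data messages received in the window}, return the
    sorted list of nodes heard less than `threshold` of the expected number of times."""
    expected = window_s / interval_s
    return sorted(node for node, count in received.items() if count / expected < threshold)


def encode_uns(uns):
    return ",".join(uns).encode()


def sign_uns(key, uns):
    """Root side: tag over the UNS so intermediate nodes cannot edit it in transit."""
    return hmac.new(key, encode_uns(uns), hashlib.sha256).digest()


def verify_uns(key, uns, tag):
    return hmac.compare_digest(sign_uns(key, uns), tag)


class Node:
    """Constrained node: keeps a preferred parent, a rank-ordered candidate list and
    a local blacklist of parents it has failed over from."""

    def __init__(self, name, candidates):
        self.name = name
        self.candidates = sorted(candidates.items(), key=lambda kv: (kv[1], kv[0]))
        self.blacklist = set()
        self.parent = self.choose_parent()

    def choose_parent(self):
        for cand, _rank in self.candidates:
            if cand not in self.blacklist:
                return cand
        return None

    def on_dio(self, key, uns, tag):
        """Handle a root DIO carrying a UNS. Returns what the node did."""
        if not verify_uns(key, uns, tag):
            return "rejected"                      # forged or tampered UNS
        if self.name in uns and self.parent is not None:
            self.blacklist.add(self.parent)        # my traffic is not reaching the root
            self.parent = self.choose_parent()     # fail over to the next candidate
            return "failover"
        return "ok"


def demo():
    key = b"example-root-key"                      # constructed pre-shared key
    # Constructed 120 s window: 12 reports expected per node. C and D sit behind sinkhole M.
    received = {"A": 12, "B": 11, "C": 3, "D": 2, "E": 12}
    uns = compute_uns(received, window_s=120)      # ['C', 'D']
    tag = sign_uns(key, uns)
    node_c = Node("C", {"M": 256, "B": 512, "A": 768})   # M lies with the root's rank
    before = node_c.parent                          # 'M'
    action = node_c.on_dio(key, uns, tag)           # 'failover'
    after = node_c.parent                           # 'B'
    forged = node_c.on_dio(key, [], tag)            # attacker strips the UNS: 'rejected'
    return uns, before, action, after, forged


if __name__ == "__main__":
    print(demo())
```

The forged call at the end shows why the UNS must be authenticated: a sinkhole that relays the root's DIO can otherwise simply remove its victims from the set. Note that the root only learns that C's and D's data are not arriving; it does not learn where they are lost, which is the limitation discussed in Section III.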
B. Agent distributed-based IDS
Raza et al. proposed an IDS called SVELTE [11], which combines signature-based and anomaly-based detection to balance the storage cost of signature-based detection against the computing cost of anomaly-based techniques. Three main modules are placed in the 6BR. The first, the 6LoWPAN mapper, collects information about the RPL network and reconstructs its graph in the 6BR. The second analyzes the mapped data and detects intrusions. The third, a distributed mini-firewall, filters unwanted traffic before it enters the resource-constrained network, as shown in Fig. 5. Each constrained node hosts two corresponding lightweight modules: the first provides mapping information to the root (6BR) for intrusion detection, whereas the second works with the centralized firewall [11]. If the reconstructed routing graph is inconsistent, for example because a node reports a rank lower than its parent's, a sinkhole attack is indicated.
Cervantes et al. [12] proposed an IDS called INTI, which detects sinkhole attacks on the routing service of 6LoWPAN in the IoT. INTI aims to reduce the false positives and false negatives that degrade the efficiency of earlier IDSs, and the cost these impose on scarce resources. The system combines watchdog, reputation, and trust approaches for sinkhole detection by analyzing device behavior; its components are shown in Fig. 6, and its performance is evaluated in [12] in terms of attack detection rate, false positives, and false negatives. The nodes in the network have various resources, such as memory and battery, and each node has a unique address. The nodes are organized into virtual clusters and can move in any direction; transmission occurs over a wireless medium. The nodes are classified as leader (L), free (F), member (M), and associated (A) nodes, plus the base station (B). F nodes do not belong to any cluster and can move freely within the network. M nodes belong to a cluster and send their information via the L nodes. L nodes receive information from M and A nodes and pass it to the B station. A nodes forward information between clusters to facilitate data transmission toward the clusters. The B station receives the collected data from all clusters.
Fig. 5. SVELTE IDS modules are placed in the 6BR and in individual nodes
Fig. 6. Components in the INTI IDS
C. Agent cluster-based IDS
The specification-based IDS by Le et al. [13] addresses issues in the SVELTE approach by providing a low false positive rate and low resource consumption. The proposed specification-based IDS has two stages. First, an RPL profile is built using an extended finite-state machine that defines all states relevant to network topology stability, and the transitions between those states are analyzed using a trace file. The second stage translates the knowledge of the RPL profile into detection algorithms placed in the IDS agent. The hybrid, or clustering, architecture has advantages over other approaches: the IDS agent is cluster-based, placed in each cluster head, and records the relevant information from its members, as illustrated in Fig. 7. The member nodes bear no IDS processing overhead, while the cluster head has more resources to deal with the IDS work. The specification cluster approach also solves the synchronization issue that caused high false positive rates during message exchange between nodes in the previous approach by adding sequence number information to the DIO and DIS messages. The reserved bytes in the DIO and DIS message formats are used for this; thus, the sequence to which a piece of information belongs is explicitly defined, and the agent cross-checks only sources that carry the same sequence number.
III. DISCUSSION
The mechanisms based on rank authentication, such as VERA, TRAIL, and the secure parent approach, implement cryptographic rank checks at each node to prevent decreased rank attacks. However, these mechanisms are complex to implement. Moreover, each approach works effectively only when combined with the other two. Combining the mechanisms causes high resource consumption, delayed detection, and interference, which lead to high false positive rates [9], [14]. Furthermore, the parent fail-over approach alone is insufficient to mitigate a sinkhole attack, and a Sybil attack can defeat its parent determination by providing an unlimited supply of candidate parents for neighbor selection [10].
The agent distributed-based IDSs, such as SVELTE [11] and INTI [12], place an agent on both sides of the RPL network: the agent in the host node reports, and the agent in the DODAG root analyzes. These mechanisms have two drawbacks. First, they produce false positives because the DODAG root has to report information about the attacking node to each node, and that information may pass through malicious nodes that behave like normal nodes, so the delivered information becomes ineffective. Second, they consume many resources due to the processing overhead of the agent placed in each node.
The agent cluster-based IDS proposed in [13] builds on SVELTE and overcomes its problems by placing the IDS in cluster heads. However, a cluster-based IDS can fail due to centralization: if the IDS agent in the cluster head goes down because of power exhaustion or an attack, the IDS is no longer functional. Table 1 compares the mechanisms and IDSs used to detect sinkhole attacks, as described in Section II.
Table 1: Summary of mechanisms used to detect sinkhole attacks on RPL

Mechanism | Countermeasure method | Drawbacks
VERA [7] | DIO message rank authentication using a SHA-based one-way hash chain | Complex; causes node overhead and resource consumption; ineffective against rank spoofing and rank replay
TRAIL [8] | Analysis algorithm for fixing VERA issues | Based on VERA; a child node may still choose the sinkhole node as its parent
Secure parent [9] | Selection algorithm with a threshold value to solve the parent selection issue in TRAIL | Only provides a symptomatic fix for parent selection; other issues remain
Parent fail-over [10] | Adds a tag field (the UNS) to the DIO message | Insufficient for mitigating a sinkhole attack; a Sybil attack can also affect the determination of the parent fail-over method
SVELTE [11] | IDS agents placed in the host nodes and in the root | High false positive rate; resource consumption
INTI [12] | IDS classifies nodes into different categories that report to the root, and supports node mobility | Reduces the false positives and resource consumption of SVELTE; however, both works overlook a few critical QoS metrics
Specification cluster-based [13] | Cluster-based IDS centralizes the agent in the middle of the node graph to reduce the overhead on the nodes and the root | Solves the resource consumption and false positive issues of SVELTE and INTI; however, introduces a high probability of IDS failure due to centralization

Fig 7. Specification cluster-based IDS
IV. CONCLUSION
This review aimed to provide a clear understanding of the types of internal attacks on RPL and the influence of sinkhole attacks on it. The recently proposed mechanisms and IDSs for detecting sinkhole attacks were summarized, and each mechanism was analyzed, with its advantages and drawbacks regarding false positive rate and resource consumption highlighted. Finally, a brief comparison was provided in Table 1, which traces the chronological development of the detection mechanisms for sinkhole attacks and identifies the most recent effective one. Future work will use a single simulation environment as the study method to implement real-time experiments and compare the different approaches. Our next work will apply machine learning algorithms, such as a support vector machine supported by a decision tree, to obtain better results.
Acknowledgment
This research is supported by Short Term Research Grant,
Universiti Sains Malaysia (USM) No: 304/PNAV/6313272.
REFERENCES
[1] T. Sherasiya, H. Upadhyay, and H. B. Patel, “A survey: Intrusion detection system for Internet of Things,” International Journal of Computer Science and Engineering (IJCSE), vol. 5, no. 2, 2016.
[2] K. Kim, S. D. Park, G. Montenegro, S. Yoo, and N. Kushalnagar, “6LoWPAN ad hoc on-demand distance vector routing (LOAD),” IETF Network WG Internet Draft (work in progress), 2007.
[3] T. Winter et al., “RPL: IPv6 routing protocol for low-power and lossy networks,” IETF RFC 6550, 2012.
[4] A. Mayzaud, R. Badonnel, and I. Chrisment, “A taxonomy of attacks in RPL-based Internet of Things,” International Journal of Network Security, 2016.
[5] L. Wallgren, S. Raza, and T. Voigt, “Routing attacks and countermeasures in the RPL-based Internet of Things,” International Journal of Distributed Sensor Networks, vol. 2013, 2013.
[6] A. Le, J. Loo, A. Lasebae, M. Aiash, and Y. Luo, “6LoWPAN: a study on QoS security threats and countermeasures using intrusion detection system approach,” International Journal of Communication Systems, vol. 25, no. 9, pp. 1189–1212, 2012.
[7] A. Dvir, L. Buttyan, et al., “VeRA: Version number and rank authentication in RPL,” in 2011 IEEE Eighth International Conference on Mobile Ad-Hoc and Sensor Systems, 2011, pp. 709–714.
[8] H. Perrey, M. Landsmann, O. Ugus, T. C. Schmidt, and M. Wählisch, “TRAIL: Topology authentication in RPL,” arXiv preprint arXiv:1312.0984, 2013.
[9] K. Iuchi, T. Matsunaga, K. Toyoda, and I. Sasase, “Secure parent node selection scheme in route construction to exclude attacking nodes from RPL network,” IEICE Communications Express, vol. 4, no. 11, pp. 340–345, 2015.
[10] K. Weekly and K. Pister, “Evaluating sinkhole defense techniques in RPL networks,” in 2012 20th IEEE International Conference on Network Protocols (ICNP), 2012, pp. 1–6.
[11] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion detection in the Internet of Things,” Ad Hoc Networks, vol. 11, no. 8, pp. 2661–2674, 2013.
[12] C. Cervantes, D. Poplade, M. Nogueira, and A. Santos, “Detection of sinkhole attacks for supporting secure routing on 6LoWPAN for Internet of Things,” in 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM), 2015, pp. 606–611.
[13] A. Le, J. Loo, K. K. Chai, and M. Aiash, “A specification-based IDS for detecting attacks on RPL-based network topology,” Information, vol. 7, no. 2, p. 25, 2016.
[14] P. Pongle and G. Chavan, “A survey: Attacks on RPL and 6LoWPAN in IoT,” in 2015 International Conference on Pervasive Computing (ICPC), 2015, pp. 1–6.
374
... Alzubaidi et al. [33] study focused on sinkhole attacks that could alter the topology of the network. This paper's goal was to look into the detection techniques currently in use for RPL-based network sinkhole attacks. ...
... The third one is the Gray hole Attack. The enemy node in this case obtains information from the neighboring node, but it does not pass the information on to the subsequent node [33]. All of these problems will consequently lead to higher energy consumption, packet loss, and makes lower throughput. ...
Article
Full-text available
IoT refers to a collection of smart connected devices that collect and process data to make the world smarter. By 2025, there will be around 41.6 billion connected IoT devices and entities. So, providing security to IoT devices and data communicated among the devices is necessary. This research aims at providing security for IoT data and devices in a real-time environment. Identifying malicious devices and removing them from the network will improve the lifetime of the networks as well as save the energy of each node in an IoT environment. The in-built and existing security mechanisms of the RPL protocol are not checking the control messages as many attacks have occurred in the current scenario. This paper proposes a protocol based on DODAG Information Object (DIO) and DODAG Advertisement Object (DAO) control messages which are used in RPL protocol. The proposed protocol ensures secure data and device communication among the nodes in the IoT environment by using Encrypted Certificate Attestation Service (CAS) Technique. The Cooja Platform Simulator, which is part of Contiki OS, is used to simulate the proposed work. The simulation outcomes demonstrate that the suggested IMDRPL protocol improves the lifetime of networks, and throughput and decreases packet loss compared to the existing RPL-based protocols.
... Butu et al. [93] proposed a NIDS for WSNs that combines the real model methodology and the standard model methodology. The framework relies on descending IDS and vertical IDS according to different levels of WSN structures. ...
Article
Full-text available
One of the key objectives of intelligent Internet of Things-based systems is to improve people's quality of life in terms of simplicity and efficiency. The paradigm for the Internet of Things (IoT) has surfaced recently as a technology to construct intelligent IoT systems. Security and privacy are essential considerations for all intelligent systems built on the Internet of Things concept. Because of the restricted processing and storage capabilities of IoT devices as well as their unique protocols, traditional IDSs are not a practical choice in an IoT environment. An overview of the most recent IDSs created for the IoT paradigm is given in this article, with particular attention to the techniques, features, and procedures of each. This essay also offers a thorough analysis of the IoT architecture, new security flaws, and how they relate to the layers of the IoT architecture. This study suggests that, despite previous studies on the design and implementation of integrated information systems in IoT paradigms, it is still an important task to develop efficient, reliable or trustworthy integrated information systems for IoT-based intelligent systems. This review concludes with future perspectives and important aspects to consider in the development of these IDS.
... A sinkhole attack is one of the most dangerous routing attacks in RPL protocol [27]. Airehrour et al. [23] proposed a trust-based centralized framework to prevent numerous security attacks, including sinkhole attacks in RPL, ensuring reliable communication between IoT devices. ...
Article
Full-text available
Extensive use of the Internet of Things (IoT) in smart homes makes users' lives easy and comfortable. Yet, these resource‐constrained devices are prone to manifold security attacks. The sinkhole attack is one of the most destructive attacks that disrupt smart home operations, causing user dissatisfaction. Existing intrusion detection systems (IDS) cannot handle sinkhole attacks competently as they (i) do not consider the node capacity for being an IDS agent, leading to a low attack detection ratio, (ii) do not examine the sinkhole node's role when mitigating attacks, causing remaining network disconnection with the root node and (iii) do not consider replacing energy‐exhausted IDS nodes, causing connectivity loss of partial network with the root. This paper addresses these shortcomings and adequately presents a mechanism to handle sinkhole attacks. A formulation for assigning weights to network nodes based on their resources is proposed here. An IDS placement strategy is introduced to place IDS agents on particular resourceful nodes that extend network lifetime and enhance attack detection capability. We present a novel attack detection and mitigation strategy by ensuring network connectivity. The proposed mechanism achieves 95% attack detection accuracy and reduces false negative rates by 25% and energy consumption reasonably compared to the state‐of‐the‐art.
Chapter
Sinkhole attacks have been the most dangerous threat to security in recent times. The attackers send malicious requests to the Domain Name Server (DNS), which causes unavailability of services and redirects the victim to the destination designed by the malicious attacker. The malicious attacker, with the help of these compromised devices, forms a BOTNET and uses it for malicious purposes like ransomware, extortion, unauthorized access, fraudulent attempts, data theft, financial gains, eavesdropping, repudiation, etc. The attacker node or the sinkhole node was placed at three different locations to observe the change in the count of DIO messages. The purpose of this research was to detect at what locations an attacker can gather a large amount of data. It was observed that when the attacker node was placed at the edge and along the communication links, there was a significant increase in the count of DIO messages. This means that at these points an attacker can gather a lot of information.
Article
As the Internet of Things (IoT) concept materialized worldwide in complex ecosystems, the related data security and privacy issues became apparent. While the system elements and their communication paths could be protected individually, generic, ecosystem-wide approaches were sought after as well. On a parallel timeline to IoT, the concept of distributed ledgers and blockchains came into the technological limelight. Blockchains offer many advantageous features in relation to enhanced security, anonymity, increased capacity, and peer-to-peer capabilities. Although blockchain technology can provide IoT with effective and efficient solutions, there are many challenges related to various aspects of integrating these technologies. While security, anonymity/data privacy, and smart contract-related features are apparently advantageous for blockchain technologies (BCT), there are challenges in relation to storage capacity/scalability, resource utilization, transaction rate scalability, predictability, and legal issues. This paper provides a systematic review on state-of-the-art approaches of BCT and IoT integration, specifically in order to solve certain security- and privacy-related issues. The paper first provides a brief overview of BCT and IoT's basic principles, including their architecture, protocols and consensus algorithms, characteristics, and the challenges of integrating them. Afterwards, it describes the survey methodology, including the search strategy, eligibility criteria, selection results, and characteristics of the included articles. Later, we highlight the findings of this study, which illustrate different works that addressed the integration of blockchain technology and IoT to tackle various aspects of privacy and security, followed by a categorization of applications that have been investigated with different characteristics, such as their primary information, objective, development level, target application, type of blockchain and platform, consensus algorithm, evaluation environment and metrics, future works or open issues (if any), and further notes for consideration. Furthermore, a detailed discussion of all articles is included from an architectural and operational perspective. Finally, we cover major gaps and future considerations that can be taken into account when integrating blockchain technology with IoT.
Conference Paper
RC-EEE 2021
Article
Routing Protocol for Low power and Lossy network (RPL) topology attacks can downgrade the network performance significantly by disrupting the optimal protocol structure. To detect such threats, we propose an RPL specification, obtained by a semi-automatic profiling technique that constructs a high-level abstraction of operations from network simulation traces, to use as a reference for verifying node behaviors. This specification, including all the legitimate protocol states and transitions with corresponding statistics, is implemented as a set of rules in the intrusion detection agents, in the form of cluster heads distributed to monitor the whole network. In order to save resources, we set the cluster members to report related information about themselves and their neighbors to the cluster head instead of making the head overhear all the communication. As a result, information about a cluster member is reported by different neighbors, which allows the cluster head to cross-check it. We propose to record the sequence in RPL Information Object (DIO) and Information Solicitation (DIS) messages to eliminate the synchronization issue created by the delay in transmitting the report, so that the cluster head only cross-checks information that comes from sources with the same sequence. Simulation results show that the proposed Intrusion Detection System (IDS) has a high accuracy rate in detecting RPL topology attacks, while only creating insignificant overhead (about 6.3%), which enables its scalability in large-scale networks.
Conference Paper
Internet of Things (IoT) networks are vulnerable to various kinds of attacks, the sinkhole attack being one of the most destructive since it prevents communication among network devices. In general, existing solutions are not effective in providing protection and security against sinkhole attacks on IoT, and they also introduce high consumption of memory, storage and processing resources. Further, they do not consider the impact of device mobility, which is essential in urban scenarios, like smart cities. This paper proposes an intrusion detection system, called INTI (Intrusion detection of SiNkhole attacks on 6LoWPAN for InterneT of ThIngs), to identify sinkhole attacks on the routing services in IoT. Moreover, INTI aims to mitigate adverse effects found in IDSs that disturb their performance, like false positives and negatives, as well as the high resource cost. The system combines watchdog, reputation and trust strategies for detection of attackers by analyzing the behavior of devices. Results show the INTI performance and its effectiveness in terms of attack detection rate, number of false positives and false negatives.
Article
Low-Power and Lossy Networks (LLNs) are a class of network in which both the routers and their interconnect are constrained. LLN routers typically operate with constraints on processing power, memory, and energy (battery power). Their interconnects are characterized by high loss rates, low data rates, and instability. LLNs are comprised of anything from a few dozen to thousands of routers. Supported traffic flows include point-to-point (between devices inside the LLN), point-to-multipoint (from a central control point to a subset of devices inside the LLN), and multipoint-to-point (from devices inside the LLN towards a central control point). This document specifies the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which provides a mechanism whereby multipoint-to-point traffic from devices inside the LLN towards a central control point as well as point-to-multipoint traffic from the central control point to the devices inside the LLN are supp
Article
The IPv6 Routing Protocol for Low-Power and Lossy Networks was recently introduced as the new routing standard for the Internet of Things. Although RPL defines basic security modes, it remains vulnerable to topological attacks which facilitate blackholing, interception, and resource exhaustion. We are concerned with analyzing the corresponding threats and protecting future RPL deployments from such attacks. Our contributions are twofold. First, we analyze the state of the art, in particular the protective scheme VeRA and present two new rank order attacks as well as extensions to mitigate them. Second, we derive and evaluate TRAIL, a generic scheme for topology authentication in RPL. TRAIL solely relies on the basic assumptions of RPL that (1) the root node serves as a trust anchor and (2) each node interconnects to the root in a straight hierarchy. Using proper reachability tests, TRAIL scalably and reliably identifies any topological attacker without strong cryptographic efforts.
Article
The Routing Protocol for Low-Power and Lossy Networks (RPL) is a novel routing protocol standardized for constrained environments such as 6LoWPAN networks. Providing security in IPv6/RPL connected 6LoWPANs is challenging because the devices are connected to the untrusted Internet and are resource constrained, the communication links are lossy, and the devices use a set of novel IoT technologies such as RPL, 6LoWPAN, and CoAP/CoAPs. In this paper we provide a comprehensive analysis of IoT technologies and their new security capabilities that can be exploited by attackers or IDSs. One of the major contributions in this paper is our implementation and demonstration of well-known routing attacks against 6LoWPAN networks running RPL as a routing protocol. We implement these attacks in the RPL implementation in the Contiki operating system and demonstrate these attacks in the Cooja simulator. Furthermore, we highlight novel security features in the IPv6 protocol and exemplify the use of these features for intrusion detection in the IoT by implementing a lightweight heartbeat protocol.
Article
The growing interest in the Internet of Things is contributing to the large-scale deployment of Low power and Lossy Networks (LLN). These networks support communications amongst objects from the real world, such as home automation devices and embedded sensors, and their interconnection to the Internet. An open standard routing protocol, called RPL, has been specified by the IETF in order to address the specific properties and constraints of these networks. However, this protocol is exposed to a large variety of attacks. Their consequences can be quite significant in terms of network performance and resources. In this paper, we propose to establish a taxonomy of the attacks against this protocol, considering three main categories: attacks targeting network resources, attacks modifying the network topology and attacks related to network traffic. We describe these attacks, analyze and compare their properties, and discuss existing countermeasures and their usage from a risk management perspective.
Conference Paper
The 6LoWPAN (IPv6 over Low-Power Wireless Personal Area Networks) standard allows heavily constrained devices to connect to IPv6 networks. 6LoWPAN is a novel IPv6 header compression protocol, and it may easily come under attack. The Internet of Things consists of devices which are limited in resources such as battery power, memory and processing capability; for this, a new network layer routing protocol called RPL (Routing Protocol for low power Lossy network) has been designed. RPL is a lightweight protocol and doesn't have the functionality of traditional routing protocols. This rank-based routing protocol may come under attack. Providing security in the Internet of Things is challenging as the devices are connected to the unsecured Internet, have limited resources, the communication links are lossy, and a set of novel technologies such as RPL, 6LoWPAN etc. is used. This paper focuses on possible attacks on RPL and 6LoWPAN networks, countermeasures against them and their consequences on network parameters. A comparative analysis of methods to mitigate these attacks is also presented, and finally the research opportunities in network layer security are discussed.
Conference Paper
In this work, we present the results of a study on the detrimental effects of sinkhole attacks on Wireless Sensor Networks (WSNs) which employ the Routing Protocol for LLNs (Low-power and Lossy Networks). A sinkhole is a compromised node which attempts to capture traffic with the intent to drop messages, thus degrading the end-to-end delivery performance, that is, reducing the number of messages successfully delivered to their destination. The mechanism by which the sinkhole captures traffic is by advertising an attractive route to its neighbors. We evaluate two countermeasures addressing the sinkhole problem: a parent fail-over and a rank authentication technique. We show via simulation that while each technique, applied alone, does not work all that well, the combination of the two techniques significantly improves the performance of a network under attack. We also demonstrate that, with the defenses described, increasing the density of the network can combat a penetration of sinkhole nodes, without needing to identify the sinkholes.
Article
In the Internet of Things (IoT), resource-constrained things are connected to the unreliable and untrusted Internet via IPv6 and 6LoWPAN networks. Even when they are secured with encryption and authentication, these things are exposed both to wireless attacks from inside the 6LoWPAN network and from the Internet. Since these attacks may succeed, Intrusion Detection Systems (IDS) are necessary. Currently, there are no IDSs that meet the requirements of the IPv6-connected IoT since the available approaches are either customized for Wireless Sensor Networks (WSN) or for the conventional Internet. In this paper we design, implement, and evaluate a novel intrusion detection system for the IoT that we call SVELTE. In our implementation and evaluation we primarily target routing attacks such as spoofed or altered information, sinkhole, and selective-forwarding. However, our approach can be extended to detect other attacks. We implement SVELTE in the Contiki OS and thoroughly evaluate it. Our evaluation shows that in the simulated scenarios, SVELTE detects all malicious nodes that launch our implemented sinkhole and/or selective forwarding attacks. However, the true positive rate is not 100%, i.e., we have some false alarms during the detection of malicious nodes. Also, SVELTE's overhead is small enough to deploy it on constrained nodes with limited energy and memory capacity.
Article
Fuelled to bring the Internet of Things concept to real life, the Internet Engineering Task Force is working on 6LoWPAN, in which the standard allows a vast number of smart objects to be deployed in local wireless sensor networks (WSNs) using the huge address space of IPv6 for data and information harvesting through the Internet. From the security point of view, 6LoWPAN/WSN will be open to security threats from the local network itself and the Internet. Cryptography techniques applied as the front line of defence or deterrent can easily be broken because of the weakly secured nature of LoWPAN devices and the wireless environment. Compromised nodes could lead to insider attacks without being detected by any cryptographic checking. An intrusion detection system (IDS) is primarily needed as a second line of defence to monitor the network operations and raise an alarm in case of any anomaly. This paper analyses potential security threats in 6LoWPAN and reviews the current countermeasures, in particular the IDS-based solutions for countering insider/internal threats. Additionally, it discovers three novel QoS-related security threats, namely rank attack, local repair attack, and resource depleting attack, which more seriously affect the routing protocol for low-power and lossy network, the routing protocol used to establish the 6LoWPAN network topology. A new two-layer IDS concept is introduced as a countermeasure method for securing the routing protocol for low-power and lossy network-built network topology from the internal QoS attacks. Potential research works are also presented to provide a baseline reference to researchers in this field.