UConn CSE 3300 - Denial of Service Resilience in Ad Hoc Networks


Denial of Service Resilience in Ad Hoc Networks

Imad Aad,† Jean-Pierre Hubaux,† and Edward W. Knightly‡∗

†School of Computer and Communication Sciences, Swiss Federal Institute of Technology (EPFL), Lausanne, Switzerland
‡ECE/CS Departments, Rice University, Houston, TX

{imad.aad,jean-pierre.hubaux}@epfl.ch [email protected]

progress has been made towards making ad hoc networks secure and DoS resilient. However, little attention has been focused on quantifying DoS resilience: Do ad hoc networks have sufficiently redundant paths and counter-DoS mechanisms to make DoS attacks largely ineffective? Or are there attack and system factors that can lead to devastating effects? In this paper, we design and study DoS attacks in order to assess the damage that difficult-to-detect attackers can cause. The first attack we study, called the JellyFish attack, is targeted against closed-loop flows such as TCP; although protocol compliant, it has devastating effects. The second is the Black Hole attack, which has effects similar to the JellyFish, but on open-loop flows. We quantify via simulations and analytical modeling the scalability of DoS attacks as a function of key performance parameters such as mobility, system size, node density, and counter-DoS strategy. One perhaps surprising result is that such DoS attacks can increase the capacity of ad hoc networks, as they starve multi-hop flows and only allow one-hop communication, a capacity-maximizing, yet clearly undesirable situation.

Categories and Subject Descriptors
C.2.0 [Computer Communication Networks]: General—Security and Protection; C.2.2 [Computer Communication Networks]: Network Protocols—Routing protocols; C.2.6 [Computer Communication Networks]: Internetworking—Standards

General Terms
Performance, Security

∗The research of E. Knightly is supported by NSF ITR grants ANI-0331620 and ANI-0325971, by a Sloan Fellowship, and by Intel Corporation. The research of I. Aad was partially supported by a postdoctoral fellowship from INRIA. The research of J.P. Hubaux and I. Aad is partially supported by the National Competence Center in Research on Mobile Information and Communication Systems (NCCR-MICS), a center supported by the Swiss National Science Foundation under grant number 5005-67322 (http://www.terminodes.org).

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
MobiCom’04, Sept. 26-Oct. 1, 2004, Philadelphia, Pennsylvania, USA.
Copyright 2004 ACM 1-58113-868-7/04/0009 ...$5.00.

Keywords
DoS attacks, TCP, UDP, ad hoc networks

1. INTRODUCTION

Significant progress has been made in securing ad hoc networks via the development of secure routing protocols [2, 11, 16, 17, 34]. Moreover, ensuring resilience to misbehavior and denial-of-service attacks has also been the focus of significant research efforts as such resilience is a critical component of a secure system: examples include “watch-dog” mechanisms designed to detect and circumvent misbehaving nodes [27]; rate-limiting of route-request messages to prevent route query-flood attacks [17]; and “rushing attack prevention” that seeks to inhibit malicious nodes from attracting an excessive number of routes, which would increase their ability to inflict damage [20].

Yet, there remains an indefinite “arms race” in system and protocol design: attackers (or researchers anticipating the moves of attackers) will continually introduce increasingly sophisticated attacks, and protocol designers will continually design protocol mechanisms designed to thwart the new attacks.

The goal of this paper is to quantify via analytical models and simulation experiments the damage that a successful attacker can have on the performance of an ad hoc network. In particular, we recognize that successful attacks are inevitable (at least until the corresponding counter-DoS protocol modification is deployed), and our objective is to characterize the relationship between the resources that must be commandeered by the attacker (the percentage of nodes in an ad hoc network used in the attack) and the impact on performance of non-attacking nodes, where performance refers to per-flow goodput and system-wide fairness. In this way, we study the scalability of DoS attacks and identify the key mechanisms and factors of both attacks and protocols that affect a system’s DoS resilience.

Our methodology is to study DoS resilience via a new and general class of protocol compliant denial-of-service attacks, which we refer to as JellyFish (JF). Although previously studied attackers disobey protocol rules, JellyFish conform to all routing and forwarding protocol specifications, and moreover, as implied by the name, are passive and difficult to detect until after the “sting.” JellyFish target closed-loop flows that are responsive to network conditions such as delay and loss. Examples include TCP flows and congestion-controlled UDP flows employing a TFRC-like algorithm [13].

The goal of JF nodes is to reduce the goodput of all traversing flows to near-zero while dropping zero or a small fraction of packets. In particular, JF nodes employ one of three mechanisms. The first JF variant is a packet misordering attack. TCP has a well-known vulnerability to misordered packets due to factors such as route changes or the use of multi-path routing, and a number of TCP modifications have been proposed to improve robustness to misordering [3, 4, 33, 35]. However, no TCP variant is robust to malicious and persistent reordering as employed by the JF misordering attack. The second JF mechanism is periodic dropping according to a maliciously chosen period. This attack is inspired by the Shrew attack [25] in which an endpoint sends maliciously spaced periodic pulses in order to force flows into repeated timeout phases [25]. The JF periodic dropping attack utilizes the same principles but realizes the attack via periodic dropping at relay nodes. In particular, suppose that congestion losses force a node to drop x% of packets. As shown in [25], if these losses occur periodically at the retransmission-time-out timescale (approximately 1 second), TCP throughput is reduced to near zero even for small values
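
One triage check a defender could run on a flow's loss timestamps, as an added example that is not from the paper: it flags loss episodes that recur at the retransmission-timeout timescale (about 1 second, per the text above) rather than at irregular congestion-driven intervals. The function names, thresholds and sample timestamps are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

RTO_TIMESCALE_S = 1.0  # "approximately 1 second" in the text above


def episode_starts(loss_times, burst_gap=0.1):
    """Collapse losses closer than burst_gap seconds into one loss episode
    and return the start time of each episode (burst_gap is an assumption)."""
    starts, prev = [], None
    for t in sorted(loss_times):
        if prev is None or t - prev > burst_gap:
            starts.append(t)
        prev = t
    return starts


def looks_periodic_at_rto(loss_times, rto=RTO_TIMESCALE_S,
                          tol=0.15, max_cv=0.2, min_episodes=5):
    """Heuristic: True when loss episodes recur with a mean spacing within
    tol of the RTO timescale and a low coefficient of variation.
    All thresholds are illustrative assumptions, not values from the paper."""
    starts = episode_starts(loss_times)
    if len(starts) < min_episodes:
        return False  # too few episodes to judge periodicity
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg  # spread of the spacing relative to its mean
    return abs(avg - rto) <= tol * rto and cv <= max_cv


# Constructed sample: bursts of loss recurring roughly once per second.
PERIODIC = [0.00, 0.01, 0.03, 1.02, 1.03, 1.99, 3.01, 3.02, 4.00, 5.02]
# Constructed sample: irregular losses, as ordinary congestion might produce.
IRREGULAR = [0.0, 0.4, 0.45, 2.9, 3.3, 6.1, 6.15, 9.8, 10.0]

if __name__ == "__main__":
    print("periodic sample flagged:", looks_periodic_at_rto(PERIODIC))
    print("irregular sample flagged:", looks_periodic_at_rto(IRREGULAR))
```

A positive result only says the loss pattern is worth a closer look on that path; it does not identify which relay is responsible.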

