
1 Introduction and Background

The evolution of wireless sensor networks supports increasingly novel and sophisticated applications across various fields [1]. Modern wireless sensor networks (WSNs) are used in diverse environments, ranging from marine [2] and vehicular [3] settings through forestry [4] to the growing industrial Smart Cities [5, 6]. Generally, both the main advantage and the main limitation of WSNs lie in their ad hoc nature, which makes them easy to deploy but difficult to manage. Most practical WSN deployments rely on wireless relaying to a remote control center, which introduces a variety of potential vulnerabilities that can be exploited.

Arguably, the most demanding areas of WSN research are shaped by urban and environmental applications [7]. In this work, we focus on a representative urban WSN application for industrial sensing: structural health monitoring [8]. This concept makes it possible to maintain the appropriate condition of engineering structures by deploying sensors in the essential parts of buildings and other constructions, e.g. bridges, tunnels, skyscrapers, etc. The main purpose of such a WSN is to notify the control center about any significant change of the monitored object due to earthquakes, disasters, explosions, or other accidents. A secondary function is to provide continuous health monitoring. As a characteristic example, we may consider the Golden Gate Bridge in San Francisco Bay (shown in Fig. 1), where a similar network was deployed 10 years ago [9].

Clearly, a bridge of any kind is an object of national importance, and therefore the WSN serving it should be protected from malicious attackers. However, due to the lack of relevant standardization activities, different manufacturing companies utilize a variety of dissimilar security solutions across their deployments, thus making them easier to attack. The use of wireless ad hoc sensor networks for critical applications poses novel information security challenges [10, 11], such as: channel sniffing [12]; packet spoofing [13]; physical access to the device [14]; non-standardized communications protocols [15], and many others. The way such a network is developed, deployed, and managed limits the opportunity to use conventional information security solutions [16–18].

Fig. 1. Example ad hoc WSN deployment for structural health monitoring

In this work, we focus on one of the most threatening attacks on mission-critical WSNs – the broadcast storm [19]. Broadcasting in any ad hoc network is an elementary operation required for the core system functionality. However, intentional broadcasting by flooding may introduce uncontrollable redundancy, contention, and collisions that would lead to a so-called broadcast storm problem.

The rest of this work is organized as follows. Section 2 introduces the proposed system model for considering a broadcast attack in the network of interest. Further, in Sect. 3 we prototype the corresponding ad hoc WSN deployment and attack it by following said approach. In Sect. 4, we propose a simple analytical model validating our proposed framework. Finally, the conclusions are drawn in the last section.

2 Considered WSN System Model

In this work, we consider a system hosting a number of autonomous wireless nodes equipped with a set of measuring modules (sensors), and thus the challenges of efficient data transmission and processing are brought into focus [20]. On the other hand, ad hoc WSNs of this type are susceptible to possible attacks by implosion, blind flooding and, finally, broadcast storm [21–23].

Focusing primarily on the most challenging broadcast storm concept, the multicast control messages in a mission-critical WSN may become the main vehicles of this attack. A high number of such packets affects the QoS for each transmitting node, which results in shorter battery life and lower reliability. The main configuration flaws that may enable such an attack are listed below:

  1. No limitations on the packet time-to-live parameter;
  2. A possibility to transmit a broadcast packet from any unknown address in the network;
  3. A device that could continuously generate packets.
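One relay-side check per flaw in the list above, as an added example that is not from the paper, the Telegesis firmware, or any ZigBee stack. The frame fields (`src`, `hops_left`), the allowlist of commissioned nodes, and the thresholds are hypothetical.

```python
from dataclasses import dataclass, field

MAX_HOPS = 5   # assumed cap on the remaining hop count a relay will accept
RATE = 2.0     # assumed sustained broadcasts per second allowed per source
BURST = 4.0    # assumed token-bucket depth (short bursts are tolerated)


@dataclass
class Bucket:
    tokens: float = BURST
    last: float = 0.0


@dataclass
class BroadcastFilter:
    known: set                                   # commissioned node addresses
    buckets: dict = field(default_factory=dict)  # per-source rate state

    def admit(self, src, hops_left, now):
        """Decide whether to rebroadcast one received broadcast frame."""
        if src not in self.known:                    # flaw 2: unknown sender
            return "unknown-source"
        if hops_left <= 0 or hops_left > MAX_HOPS:   # flaw 1: unbounded TTL
            return "bad-ttl"
        b = self.buckets.setdefault(src, Bucket(last=now))
        b.tokens = min(BURST, b.tokens + (now - b.last) * RATE)
        b.last = now
        if b.tokens < 1.0:                           # flaw 3: continuous sender
            return "rate-limited"
        b.tokens -= 1.0
        return "relay"


def run_sample():
    """Constructed frames (src, hops_left, time in s); C is not commissioned."""
    f = BroadcastFilter(known={"A", "B", "R"})
    frames = [("A", 3, 0.0), ("C", 3, 0.1), ("A", 30, 0.3)]
    frames += [("R", 3, 1.0 + 0.01 * i) for i in range(6)]  # 6 frames in 50 ms
    return [f.admit(*fr) for fr in frames]


if __name__ == "__main__":
    print(run_sample())
```
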

Our research indicates that the easiest and cheapest way for an attacker to affect the operation of the ad hoc network in question is to generate harmful messages while already residing inside the network. This may cause not only a partial denial-of-service effect for one particular node, but also provoke a fault of the entire wireless network [24]. Another factor with substantial impact on the system operation is a lack of continuous management and support, i.e. the network is assumed to be a standalone instance that is not continuously monitored. Some of the devices may become disabled due to natural factors, and may not be replaced immediately. However, there should always remain a crucial number of operational devices available to deliver an alarm message. Summarizing all of the above, in this paper we focus on the problem of probabilistic device availability estimation in cases of a broadcast storm attack.

The most common implementation of said attack may be described as a significant increase in the intensity of broadcast requests in the target WSN, or flooding by the attacker device, as presented in Fig. 2. As each transceiver node has to rebroadcast the messages, it becomes difficult to serve them within a reliable time. Basically, this scenario appears when the incoming buffer of the device is full and/or the wireless channel is congested [25], and thus the denial-of-service attack is successful [26].

Fig. 2. Implementing the broadcast storm attack in an ad hoc WSN

In our target scenario, we employ the widely used WSN technology, IEEE 802.15.4 (ZigBee) [27], under the broadcast storm conditions. The WSN nodes equipped with such a radio module are typically small autonomous devices with limited computational power [28]. They are operating under a predefined configuration and utilize a constant set of vendor-specific signaling messages.

3 Prototyping a Broadcast Storm Attack

In order to verify the feasibility of the above discussion, we have conducted a set of experimental tests utilizing ZigBee-equipped Telegesis ETRX357 devices [29]. The prototype structure is given in Fig. 2 and the actual deployment example is presented in Fig. 3. Here, the traffic is transmitted from device A to device B via the relaying node. USB dongle C is utilized as the attacker device, generating broadcast messages.

Fig. 3. Photo of the practical test deployment

The main goal of our installation is to obtain the probabilistic packet loss values. We assume a high-density industrial WSN deployment, where each node may receive data not only from its immediate neighbor, but also from the attacker device, thus escalating the effects of the broadcast storm. Node B as the destination device analyzes the amount of received meaningful data as well as the share of unclassified (attacker’s) packets. The key setup parameters and the corresponding notation are given in Table 1.

Table 1. Main setup parameters

Further, we analyze the impact produced by the attacker on the packet transmission delay, and the respective results are presented in Fig. 4(a) and (b). For our test scenario, we utilize two Telegesis command types: (i) AT+N and (ii) AT+SN:00 [30]. The main purpose of the first command is to request the node’s surrounding network information. The second command, AT+SN, is generally used to force a particular device to scan the network, and “00” causes each attacked node to search across the entire network for neighbors. As we learn from the test results, by increasing the packet arrival rate one might cause a dramatic surge in the delay, by up to 2 times, by only introducing 14 additional broadcast messages in our network. Importantly, this extra packet delay has a direct impact on the energy consumption values due to the increased packet retransmission cost after a collision in the wireless channel.

Fig. 4. Data transmission delay based on attacker’s packet arrival rate (prototype)

We emphasize that a large-scale real-world WSN is difficult to prototype in the laboratory environment due to space limitations, and thus we decided to support our test deployment with a simple analytical model that can validate and predict the ad hoc WSN behavior under broadcast storm conditions.

4 Supportive Analytical Modeling of Our Prototype

By employing simple methods of the queuing theory in our model [31], we first assume that the packet loss probability is not affected by the attacker. We further consider that the packet generation intensity on the end-device is given as a Poisson process and that the packet service interval is distributed exponentially [32]. We verify this hypothesis at the end of this work. Hence, in the single-relay WSN case the packet loss probability may be calculated as

$$\begin{aligned} P_{l} = \rho ^n \frac{1-\rho }{1-\rho ^{n+1}}, \quad \rho = \frac{\lambda }{\mu }, \end{aligned}\tag{1}$$

where \(\lambda \) is the packet arrival rate, \(\mu \) is the packet service rate, and n is a node’s buffer size.

Further, for the multi-relay case we modify Eq. (1) accordingly

$$\begin{aligned} P^{k}_{l} = 1-(\rho ^n \frac{1-\rho }{1-\rho ^{n+1}})^k, \end{aligned}\tag{2}$$

where k is the number of relaying hops.

The majority of the analytical frameworks available today [33–36] do not take into account an attacker that can initiate an attack by generating broadcast messages at a higher arrival rate.

Every broadcast packet is served by each attacked WSN node and then forwarded to the following hop. Clearly, the number of nodes under attack could be significantly increased if the attacker would modify the radio equipment to utilize transmission at higher power.

Further, using Eqs. (1) and (2), we evaluate the packet loss probability for a network affected by the broadcast storm attack as follows

$$\begin{aligned} {\left\{ \begin{array}{ll} {\begin{matrix} P^{k=1}_{l} = 1- \Bigg (1-\Big (\frac{\lambda _p+\lambda _{sh}}{\mu } \Big )^n \frac{1-\Big (\frac{\lambda _p+\lambda _{sh}}{\mu } \Big )}{1-\Big (\frac{\lambda _p+\lambda _{sh}}{\mu } \Big )^{n+1}} \Bigg ), k = 1\\ P^{k\ge 2}_{l} = P^{k=1}_{l} \prod _{k=2}^{m} \Bigg (1-\Big (\frac{\lambda _p+k\lambda _{sh}}{\mu } \Big )^n \frac{1-\Big (\frac{\lambda _p+k\lambda _{sh}}{\mu } \Big )}{1-\Big (\frac{\lambda _p+k\lambda _{sh}}{\mu } \Big )^{n+1}} \Bigg ) ,k \ge 2 \\ \end{matrix}} \end{array}\right. } \end{aligned}\tag{3}$$

where \(\lambda _{sh}\) is the attacker packet arrival rate.

In order to quantitatively characterize the proposed prototype, we first study the impact of the system parameters on the packet loss rates. To this end, Fig. 5(a) shows the influence of the attacker’s packet generation rate on the WSN packet loss at a fixed WSN node data generation rate. Clearly, by increasing the number of affected relaying nodes, system saturation is achieved faster. This is due to the repetitive nature of the broadcast message distribution.

Fig. 5. Impact of packet generation rate on packet loss rate

In our second scenario, presented in Fig. 5(b), we fix the attacker’s packet generation rate and vary that of the WSN node. As we observe in the plots, the ad hoc network provides a certain level of QoS even when the node’s packet generation rate is higher than the service rate.

Our third scenario, depicted in Fig. 6, corresponds to a situation in which both the node’s and the attacker’s packet generation rates are fixed and only the service rate is varied. Accordingly, for each number of relaying nodes we can find the corresponding lowest service rate to guarantee the minimal reachable packet loss for a particular attacker’s packet generation rate.

Furthermore, our simple analytical model is able to probabilistically predict the likely ad hoc WSN conditions taking into account the effects of the broadcast storm attack that alters the underlying packet generation rate.
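A worked version of the sizing question from the third scenario, as an added example that is not the authors' code: it evaluates the per-node loss term of Eq. (1) at the per-hop load \((\lambda _p + j\lambda _{sh})/\mu \) used in Eq. (3) and searches for the lowest service rate that keeps end-to-end loss under a target. Combining hops as one minus the product of per-hop delivery probabilities is an assumption of this example (independent hops), and the numeric inputs are constructed, not the values of Table 1.

```python
def blocking(rho, n):
    """Per-node loss term of Eq. (1) for offered load rho and buffer size n."""
    if rho <= 0:
        return 0.0
    if abs(rho - 1.0) < 1e-12:
        return 1.0 / (n + 1)              # limit of Eq. (1) as rho -> 1
    if rho > 1.0:                         # same expression rewritten in 1/rho,
        r = 1.0 / rho                     # avoids overflow of rho**(n+1)
        return (1 - r) / (1 - r ** (n + 1))
    return rho ** n * (1 - rho) / (1 - rho ** (n + 1))


def path_loss(lam_p, lam_sh, mu, n, hops):
    """End-to-end loss; hop j carries load (lam_p + j*lam_sh)/mu as in Eq. (3).
    Assumption of this example: hops drop packets independently."""
    deliver = 1.0
    for j in range(1, hops + 1):
        deliver *= 1.0 - blocking((lam_p + j * lam_sh) / mu, n)
    return 1.0 - deliver


def min_service_rate(lam_p, lam_sh, n, hops, target, hi=1e6, tol=1e-6):
    """Smallest mu with path_loss <= target (loss falls as mu grows)."""
    if path_loss(lam_p, lam_sh, hi, n, hops) > target:
        raise ValueError("target not reachable for mu <= hi")
    lo = 1e-9
    while hi - lo > tol * hi:             # bisection on the service rate
        mid = (lo + hi) / 2
        if path_loss(lam_p, lam_sh, mid, n, hops) <= target:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    # Constructed inputs: rates in packets/s, buffer of 5, three relays.
    for lam_sh in (0.0, 1.0, 5.0):
        mu = min_service_rate(lam_p=1.0, lam_sh=lam_sh, n=5, hops=3, target=0.01)
        print(f"lam_sh={lam_sh}: mu >= {mu:.2f}")
```
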

Fig. 6. Impact of packet service rate on the system packet loss rate under broadcast storm attack \(\lambda _p=\lambda _{sh}\)

Fig. 7. Analytical results agreeing with our experimental setup

Finally, we compare the analytical and prototype packet loss performance based on the key system parameters given in Table 1. By focusing on the obtained prototype-driven results and those delivered by our analytical prediction, as summarized in Fig. 7, it can be concluded that the analytical and the experimental values agree within acceptable bounds.

To confirm the obtained results, we have additionally verified our prototype-based and analytical data using Pearson’s chi-squared test [37] with \(\alpha =0.05\) by executing a set of 100 independent trials. Therefore, it could be concluded that the resulting difference between the compared distributions of the packet loss values in a realistic WSN under the broadcast storm conditions is statistically insignificant. Thereby, our initial assumptions of the Poisson packet arrival distribution and the exponential service time distribution are practical.

5 Conclusions

This paper developed a model and the respective practical prototype of a broadcast storm attack, which may disrupt the desired reliable operation of a mission-critical WSN deployment. To this end, we collected the packet loss probabilities together with the packet transmission delays produced with our testbed, and compared some of those against the corresponding values provided with our simple queuing theoretic model. The obtained results not only evidence the feasibility of this convenient custom-made approximation for predicting the operational parameters of a real-world WSN under attack, but also help identify conditions that become threatening for the intended operation of the industrial monitoring system under consideration.