Most of the IoT nodes we use today form low-power and lossy networks (LLNs). An LLN is a specific type of network in which both the routers and their interconnects are constrained: LLN routers typically operate with limited processing power, memory, and energy. For these requirements, the IETF ROLL working group proposed a routing protocol called the “Routing Protocol for Low-Power and Lossy Networks” (RPL). RPL is the most widely used routing protocol in mesh networks. In this post, we try to explain:

  • RPL and DODAG formation
  • Loopholes in RPL and how to expose them using a DoS attack.

Introduction to RPL and DODAG formation:

The RPL protocol is a distance-vector routing protocol based on IPv6. RPL devices are interconnected according to a specific topology, combining mesh and tree topologies, called a Destination Oriented Directed Acyclic Graph (DODAG). A DODAG graph is built from a root node which is the data sink of the graph.

The DODAG graph is built in a step-by-step manner. The root initially broadcasts a DODAG Information Object (DIO) message. This message contains the information required by RPL nodes to discover an RPL instance, get its configuration parameters, select a parent set, and maintain the DODAG graph. Upon receiving a DIO message, a node adds the sender of the message to its parent list and determines its own rank value according to the objective function referenced in the DIO message.

The rank value of a node corresponds to its position in the graph with respect to the root and must always be greater than its parent’s rank in order to guarantee the acyclic nature of the graph. The node then forwards updated DIO messages to its neighbours.

Based on its parent list, the node selects a preferred parent, which becomes the default gateway used when data has to be sent toward the DODAG root. At the end of this process, all the nodes participating in the DODAG graph have an upward default route to the DODAG root.

A new node may join an existing network by broadcasting a DIS message (DODAG Information Solicitation) in order to get DIO messages from its neighbours. The DAO messages (Destination Advertisement Object) are used to build downward routes.
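To make the DIO/DIS/DAO steps above concrete, here is a small Python simulation of DODAG formation. It is an added example, not code from the post or from Contiki; it assumes a hop-count-style objective function in which a node's rank is its preferred parent's rank plus the link cost, an integer root rank of 1, and a constructed five-node topology (node and link names are arbitrary). The trickle timer is abstracted into a simple flood.

```python
"""Toy RPL DODAG formation: DIO flooding, rank computation, preferred-parent
selection, DIS-based joining and DAO-based downward routes.
Added example with assumed objective function; not Contiki/Cooja code."""
from collections import deque

ROOT_RANK = 1
INFINITE_RANK = 0xFFFF   # RPL's "no rank yet" value


class Node:
    def __init__(self, name):
        self.name = name
        self.rank = INFINITE_RANK
        self.parents = {}           # candidate parent -> rank it advertised
        self.preferred_parent = None
        self.downward_routes = {}   # destination -> next hop (learned via DAO)


class Network:
    def __init__(self):
        self.nodes = {}
        self.links = {}             # (a, b) -> link cost, stored symmetrically

    def add_node(self, name):
        self.nodes[name] = Node(name)

    def add_link(self, a, b, cost=1):
        self.links[(a, b)] = cost
        self.links[(b, a)] = cost

    def neighbours(self, name):
        return [b for (a, b) in self.links if a == name]

    def receive_dio(self, receiver, sender, dio):
        """Record the sender as a candidate parent and recompute the receiver's
        rank.  Returns True when the rank changed, i.e. the receiver must
        re-advertise an updated DIO to its own neighbours."""
        node = self.nodes[receiver]
        node.parents[sender] = dio["rank"]
        # Rank = parent rank + link cost (cost >= 1), so rank always strictly
        # exceeds the parent's rank: the graph stays acyclic.
        best = min(node.parents,
                   key=lambda p: node.parents[p] + self.links[(p, receiver)])
        best_rank = node.parents[best] + self.links[(best, receiver)]
        if best_rank < node.rank:
            node.rank = best_rank
            node.preferred_parent = best
            return True
        return False

    def build_dodag(self, root):
        """Flood DIOs outward from the root until every rank is stable."""
        self.nodes[root].rank = ROOT_RANK
        queue = deque([root])
        while queue:
            sender = queue.popleft()
            dio = {"type": "DIO", "dodag_id": root, "rank": self.nodes[sender].rank}
            for nb in self.neighbours(sender):
                if nb != root and self.receive_dio(nb, sender, dio):
                    queue.append(nb)

    def join(self, newcomer):
        """A new node multicasts a DIS; every neighbour that already holds a
        rank answers with a DIO and the newcomer picks its parent from those."""
        for nb in self.neighbours(newcomer):
            if self.nodes[nb].rank != INFINITE_RANK:
                self.receive_dio(newcomer, nb, {"type": "DIO", "rank": self.nodes[nb].rank})

    def send_dao(self, name):
        """Walk the DAO up the preferred-parent chain so each ancestor learns a
        downward route to `name`."""
        child, parent = name, self.nodes[name].preferred_parent
        while parent is not None:
            self.nodes[parent].downward_routes[name] = child
            child, parent = parent, self.nodes[parent].preferred_parent

    def upward_path(self, name):
        path = [name]
        while self.nodes[path[-1]].preferred_parent is not None:
            path.append(self.nodes[path[-1]].preferred_parent)
        return path

    def is_acyclic(self):
        return all(n.preferred_parent is None or
                   n.rank > self.nodes[n.preferred_parent].rank
                   for n in self.nodes.values())


def build_sample_network():
    """Constructed topology: R is the root; link costs model lossy links."""
    net = Network()
    for n in "RABCD":
        net.add_node(n)
    net.add_link("R", "A", 1)
    net.add_link("R", "B", 2)
    net.add_link("A", "C", 1)
    net.add_link("B", "C", 1)
    net.add_link("C", "D", 1)
    net.build_dodag("R")
    return net


if __name__ == "__main__":
    net = build_sample_network()
    for n in net.nodes.values():
        print(n.name, "rank", n.rank, "parent", n.preferred_parent)
    net.send_dao("D")
    print("upward path from D:", net.upward_path("D"))
    print("root's downward next hop to D:", net.nodes["R"].downward_routes["D"])
```

Running it shows C choosing A (rank 3) over B (rank 4) as preferred parent, D ending up with rank 4, and a later `join("E")` on a new link to D giving E rank 5 without re-flooding the whole graph. The `is_acyclic` check is the property the rank rule in the text exists to guarantee.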

DoS Attack and its implementation:

The motivation behind implementing the attack is to find and show the various ways an attacker can access IoT nodes, and how to replicate them in a simulator such as Cooja.

The DoS attack (otherwise called a “HELLO flood” attack) here refers to an attacker (an external or internal node) continuously sending DIS messages to its neighbours, increasing the CPU usage of those neighbours and finally leading to the nodes no longer functioning.

In this scenario, we implemented the attack using:

  • Simulator: Cooja
  • Operating system: Contiki
  • Mote type: sky mote

The assumptions we made to implement this attack are:

  • The attacker node sends multicast DIS messages to all RPL nodes near it using the ff02::1a IPv6 address.
  • If the existing RPL network only accepts DIS messages with a specific prefix, then we have to sniff the messages sent to or from the existing RPL nodes.
  • The RPL network does not use authentication (such as exchanging symmetric keys) when a node joins the network.

The following graphs depict the CPU usage:

  • The CPU utilization of a particular node without attacker:
  • The CPU utilization of node with attacker:

Conclusion:
As most of the operating systems in the IoT space have not fully introduced authentication mechanisms, it is easy to implement these types of attacks. Operating systems have to support validating each request they receive before processing it.
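As an added example of the per-request validation the conclusion asks for, the following Python code is a defender-side check against the DIS flood described above: a per-source sliding-window rate limiter that decides whether a DIS may be processed (and answered with a DIO) or must be dropped and flagged. It is not Contiki or Cooja code; the log format, the source addresses, the threshold of three DIS per ten seconds and the sample log lines are all constructed for this example.

```python
"""Per-source DIS rate limiting and flood detection, run over constructed
RPL control-message log lines.  Added example; thresholds and log format are
assumptions, not Contiki defaults."""
from collections import defaultdict, deque

# Assumed policy: a well-behaved node sends only a few DIS messages while it
# joins, so more than MAX_DIS DIS from one link-local source inside WINDOW_S
# seconds is treated as a HELLO/DIS flood.
MAX_DIS = 3
WINDOW_S = 10.0


class DisRateLimiter:
    def __init__(self, max_dis=MAX_DIS, window_s=WINDOW_S):
        self.max_dis = max_dis
        self.window_s = window_s
        self.history = defaultdict(deque)   # src -> timestamps of accepted DIS
        self.dropped = defaultdict(int)     # src -> number of DIS dropped
        self.flagged = set()                # sources that exceeded the budget

    def accept(self, ts, src):
        """Return True if the DIS from `src` at time `ts` may be processed.
        Timestamps are expected in non-decreasing order per source."""
        window = self.history[src]
        # Slide the window: forget accepted DIS older than window_s seconds.
        while window and ts - window[0] > self.window_s:
            window.popleft()
        if len(window) >= self.max_dis:
            self.dropped[src] += 1
            self.flagged.add(src)
            return False
        window.append(ts)
        return True


def parse_line(line):
    """Constructed log format: '<seconds> <link-local source> <RPL msg type>'."""
    ts, src, msg = line.split()
    return float(ts), src, msg


def process_log(lines, limiter=None):
    """Feed DIS lines through the limiter; DIO/DAO lines are passed over.
    Returns (number of DIS processed, drops per source, flagged sources)."""
    limiter = limiter or DisRateLimiter()
    processed = 0
    for line in lines:
        ts, src, msg = parse_line(line)
        if msg != "DIS":
            continue
        if limiter.accept(ts, src):
            processed += 1
    return processed, dict(limiter.dropped), sorted(limiter.flagged)


# Constructed sample: a legitimate node joins with two DIS, later re-solicits
# once; a second node sends ten DIS within one second.
LEGIT = "fe80::212:7402:2:202"
FLOODER = "fe80::212:7409:9:909"
SAMPLE_LOG = [
    f"1.0 {LEGIT} DIS",
    f"3.5 {LEGIT} DIS",
    "4.0 fe80::212:7401:1:101 DIO",
    f"5.0 {LEGIT} DAO",
] + [f"{10.0 + i / 10:.1f} {FLOODER} DIS" for i in range(10)] + [
    f"20.0 {LEGIT} DIS",   # outside the first window, so accepted again
]


if __name__ == "__main__":
    processed, dropped, flagged = process_log(SAMPLE_LOG)
    print("DIS processed:", processed)
    print("DIS dropped per source:", dropped)
    print("flagged sources:", flagged)
```

On the sample log the limiter processes the legitimate node's three DIS (the third because the window has slid past the first two), answers only the first three of the flooder's ten, and reports the flooder's address. Because a dropped DIS costs one timestamp comparison instead of a DIO transmission, the CPU spent on the flood is bounded. A per-source limit only bounds each address, so an interface-wide DIS budget is its natural complement.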