Analysis of the RPL Version Number Attack with Multiple Attackers

Conference Paper · July 2020


DOI: 10.1109/CyberSA49311.2020.9139695

Version Accepted by IEEE Cyber Science 2020 A. Aris and S. F. Oktug FOR EDUCATION PURPOSES ONLY

Ahmet Arış and Sema F. Oktuğ
Faculty of Computer and Informatics Engineering, İstanbul Technical University, Turkey.
Emails: {arisahmet, oktug}@itu.edu.tr

Abstract—In this study, we aim to understand the effect of multiple Version Number Attackers (VNA) in RPL (IPv6 Routing Protocol for Low Power and Lossy Networks)-based Internet of Things (IoT) networks. VNA is one of the most detrimental Denial of Service (DoS) attacks that target the availability of IoT networks. Almost all of the studies targeting the VNA considered a single attacker. However, once an attacker has the chance to compromise a node in the network, it may easily compromise more devices, and thus 1) affect the performance of the network more and misuse the resources quicker, 2) circumvent the existing security mechanisms and 3) perform other attacks which require more than one malicious node (e.g., wormhole, etc.). Therefore, we have to take multiple attackers into account when designing security systems. In this work, we analyze the effect of multiple attackers from various points of view. Based on extensive simulations and analysis, we conclude that increasing the number of attackers affects only the packet delivery ratio and does not affect average network delay and average power consumption. Our results also show that attacking positions closer to the root cause longer delays and higher power consumption results while central attacking positions are more effective on the packet delivery ratio. Lastly, we evaluate the performance of a recently proposed mitigation technique against multiple attackers.

Index Terms—IoT, RPL, Version Number Attack, DoS

I. INTRODUCTION

Security is one of the most crucial factors for the success and efficiency of the Internet of Things (IoT) applications. Denial of Service (DoS) attacks are major threats for information systems that target the availability of applications and services by misusing the resources. However, the majority of the devices in IoT are expected to have limited resources (i.e., processing, memory, storage, and network), making it both challenging and costly to employ security mechanisms. Therefore, protecting IoT networks from DoS attacks is vital. This is crucial not only for the security of IoT networks but also for preventing IoT devices from being attacking tools against other targets. One of the most notorious examples is the Mirai botnet attack [1] in which digital video recorder players and cameras were used by the attackers to take down a well-known Domain Name System provider.

The RPL is the routing protocol standardized by the IETF for the routing of IPv6 packets within the Low Power and Lossy Networks (LLNs). It constructs a Destination Oriented Directed Acyclic Graph (DODAG) of nodes by means of control messages. Among the set of control messages, DODAG Information Object (DIO) is the one that carries the essential information regarding the nodes’ relative positions in the DODAG (i.e., rank), DODAG version and identification. In the RPL, version number (VN) is used as a global repair operation indicator. According to the specification, only the DODAG root should change it and thus initiate a network-wide global repair. However, a malicious node can change it and force the network to rebuild over and over again. This is called the Version Number Attack (VNA) and is a very serious DoS attack with detrimental effects. The studies [2] and [3] demonstrated that i) applications can lose nearly half of their packets, ii) delay can get between 2 and 6 times longer, iii) generated control messages can increase between 18 and 75 times and, iv) nodes consume two times more power on average in comparison to the case with no attack.

Although RPL VNA has been a topic of research for a few studies, almost all of the works considered a single attacker. However, if an adversary has the chance to compromise a node in the network, then it is probable that it can compromise more. Hence, it can affect the performance of the network more and misuse the resources quicker. It can also circumvent the existing security mechanisms that are based on nodes reporting monitoring data or voting. This may enable an attacker to perform other attacks that require more than one node to attack (e.g., wormhole, etc.). Therefore, it is crucial to consider multiple attackers. Nevertheless, multiple VNAs in RPL were accommodated only by [4] in the literature. However, multiple VNAs were not the focus of that study and it did not take the findings of previous work (i.e., correlation of attacker position and success of the attack [2], [3]) into account. Therefore, there was a need for understanding the effects of multiple VNAs in RPL networks, which was not performed previously.

The motivation of this study is to analyze and understand the effect of multiple VNAs in RPL-based IoT networks. However, studying multiple VNAs is challenging. Since previous work ([2], [3]) found a correlation between the position of the attacker and the success of the attack, one has to consider positioning and the number of attackers. Considering these challenges, we aim to answer the following questions:
• Is the number of attackers directly proportional to the effect of the attack?
• Which performance metrics are affected the most by multiple attackers?
• Should attackers be close to each other or far from each other to affect the performance more?
• What is the best position combination for the success of the attack (e.g., all attackers at the center or at the edges of the DODAG, etc.)?

Based on our research questions, the contributions of this study can be listed as follows:
• We analyze the effect of multiple VNAs in RPL networks, which has not been done in the literature previously,
• We develop a novel methodology, namely DODAG leveling, that simplifies the problem of multiple attacker position selection for the analysis,
• Based on the DODAG leveling, we select several attacker positions considering the level and position of the attacker(s) in the network (e.g., center, edge), and distance between attackers (e.g., far, close),
• To ease the analysis of the results of our extensive simulations, we employ a coloring scheme that signifies the closeness of attacker(s) to the DODAG root,
• We also investigate the performance of a recently proposed mitigation technique against multiple VNAs.

In the remainder of the paper, Section II will provide an overview of the related work. Section III will give preliminary information on RPL security and VNA. In Section IV, we will analyze the effects of multiple VNAs from various points of view. Section V will provide the performance analysis of a recently proposed mitigation technique against multiple VNAs. Finally, Section VI will conclude the paper.

II. RELATED WORK

RPL VNA has been a topic of research for a few studies. In terms of analysis studies, [2] and [3] analyzed the effects of a single attacker. They found a correlation between the position of the attacker and success of the attack. As cryptography-based schemes to protect the VN in RPL control messages, [5] proposed to use Hash chains and Message Authentication Codes, [6] employed digital signatures, and [7] proposed an identity-based Offline-Online signature scheme. In terms of detection studies, a cooperative verification scheme was proposed in [4] and a distributed monitoring technique was suggested in [8]. As mitigation techniques, [9] proposed Elimination and Shield to reduce the effect of the VNA.

Considering the related work, none of the studies focused on multiple VNAs. As we mentioned earlier, only [4] employed multiple attackers. Although it accommodates multiple attackers for performance evaluation purposes, it does not consider the findings of previous work.

III. BACKGROUND

A. RPL Security

The RPL can be a target of several D/DoS attacks [10], [11], [12], [13], [14]. The specification [15] suggests that network administrators use the secure versions of control messages to protect the RPL from attackers. A security threat analysis for the RPL was performed by the IETF in [16], which advised developers to use a number of techniques, which include using geographical location of nodes and multiple paths for routing, selecting the next hop dynamically, creating redundant traffic besides control and data plane traffic, accommodating quota, etc. In terms of standardized cryptography-based solutions, IPSec [17] and IEEE 802.15.4 PHY and Link Layer Security [18] can be considered for end-to-end and hop-by-hop security respectively. Confidentiality, authentication, integrity and availability of RPL networks can be ensured by other cryptography-based solutions [19].

Nevertheless, considering cryptography in LLNs has a number of issues [11]. We can even claim that IoT without security is becoming more and more popular due to several reasons. First of all, security is costly. Running security mechanisms, like cryptography, in resource-constrained nodes may consume most of the resources. Therefore, administrators and vendors may not opt for it. Moreover, since authorities are predicting billions of IoT nodes to be deployed world-wide, physical security of the nodes to protect them from tampering may not be considered to keep the costs low. Hence, although we employ cryptography-based solutions, attackers can grab the nodes, extract the keys, reprogram them and leave the malicious nodes back in the deployment areas. And lastly, implementing cryptography in the right way and selecting appropriate security parameters are not always performed perfectly. Many vulnerabilities regarding this issue were reported by studies [20]. If we consider all of these and also the outsider attackers from the Internet, we can claim that RPL networks can be the target of attackers regardless of using cryptography.

B. RPL DODAG, Global Repair and Version Number Attack

In the RPL, a root node constructs a DODAG of nodes by means of control messages. In the beginning of the network setup, nodes exchange several control messages and establish parent-child relationships. As the network becomes more stable over time, the amount of control messages decreases and a stable, healthy DODAG (e.g., the DODAG in Figure 2) is established to route the IPv6 packets of the IoT applications within the network.

In an ordinary (i.e., attacker-free) RPL network, only the DODAG root can initiate the global repair operation. Although no certain rule is defined by the specification on when to do so, the idea is to rebuild the DODAG from scratch for various reasons (e.g., for moving to a more optimized or healthy DODAG). However, the specification does not explain the details of global repair. It only says that nodes are free to choose their new ranks in the new DODAG version independent of their rank in the previous DODAG version.

In RPL VNA, an attacker can easily misuse the global repair operation by maliciously incrementing the VN field within its outgoing DIO messages. To understand what happens next, we have to analyze an RPL implementation. RPL has a number of implementations (e.g., Contiki RPL [21], RIOT RPL [22], TinyOS RPL [23]) and one of the most popular is the Contiki [24] one. When a malicious node applies the VNA in ContikiRPL (version 3.0), the neighboring nodes in the transmission range receive the DIO with the greater VN. They soon become part of the global repair operation one by one. During this process, nodes break up parent-child relationships, empty their parent lists and try to select the sender of the DIO with the greater VN as their new parent. If the selection process is successful, each node calculates its new rank based on its new parent. Then each node starts sending DIO messages to its neighborhood with the new VN. Nodes do this one by one and thus, VNA causes a ripple effect, spreading all over the DODAG as shown in the left part of Fig. 1. At the end of the process the DODAG, which was previously directed towards the root, turns all the way to the direction of the malicious node as shown in the right side of the figure. The only way for the DODAG to turn back to normal again is the root initiating a legitimate global repair when it receives a DIO with the new VN. This is the default behavior of the DODAG root in ContikiRPL. In this case, starting from the ones in the vicinity of the root, nodes move to the new VN, obtain ordinary rank values and set up the legitimate parent-child relationships towards the DODAG root again.

Fig. 1: VNA spreads in an RPL network causing a ripple effect.

An attacker can perform VNA as often as it wants. Hence, it can cause nodes to exchange several control messages. Nodes remove and re-establish their routes. Loops, non-existence of routes, delays and packet drops can occur, which cause nodes to consume much of their power. The studies [2] and [3] showed that the position of the attacker plays a crucial role for the success of the attack. Attacks applied at positions far from the root seem to cause more control messages to be generated and data packets to be dropped in comparison with positions close to the root. These are the observations with a single VN attacker. However, it remained a research question what happens if multiple attackers perform VNA on an RPL network.

IV. EFFECTS OF THE VERSION NUMBER ATTACK WITH MULTIPLE ATTACKERS

In order to analyze and understand the effect of multiple VNAs, we had to consider various points including the simulation topology, attacker model and performance metrics.

A. Topology and Attacker Model

We employed a grid topology with 16 static nodes as the base case to both explore the number of attackers, and simplify the analysis. The simulation topology and the form of the DODAG when the network is stable are shown in Fig. 2.

Fig. 2: The grid topology and the form of the stable DODAG.

In terms of the attacker model, we limited the number of attackers to 3, which corresponds to almost 20% of the nodes. Since previous studies indicated that position is important for the success of the attack, we had to consider where to place the attackers. The simplest form of positioning could be trying every possible position combination for multiple attackers. Such an approach would result in performing simulations for 15 different positions for a single attacking case, 105 position combinations (i.e., C(15,2)) for 2 attackers cases and 455 (i.e., C(15,3)) position combinations for 3 attackers cases. In total, 575 unique attacking positions would need to be tested in simulations assuming that any non-root node can be chosen as an attacker. Considering that at least 10 simulations are needed for each unique attacking setting to obtain meaningful results, it would require thousands of simulations. Instead of this, we came up with a novel strategy, namely DODAG leveling, to ease the selection of attacking position combinations and reduce the number of simulations.

DODAG leveling is based on the idea that some attacking position combinations within the brute-force approach may be logically equal to each other. Such combinations can be eliminated since they will not provide any new information. For this reason, the DODAG is logically divided into levels based on the parent-child relationships of nodes. Since the DODAG may have different forms throughout the lifetime of the network, we consider the form when RPL is stable after the start of the network.

We applied DODAG leveling on the topology shown in Fig. 2 and obtained the leveled DODAG as shown in Fig. 3. The leveled DODAG has four levels that can be used to select position combinations for multiple attacker simulations. We selected 48 position combinations for 2 attackers and 54 combinations for 3 attackers based on: i) Level of the attacker (e.g., 1, 2, 3 or 4), ii) Position of the attacker (e.g., center, edge), and iii) Distance between attackers (e.g., far, close).

Fig. 3: Form of the DODAG divided into levels.

The position combinations selected for simulations are outlined in Tables I, II and III for one, two and three attackers respectively. Each table has two columns, one for unique attacking positions separated by commas and the other one for the corresponding level combinations. For example, the first row of Table II outlines that two unique attacking positions, 2-5 and 2-6, were selected for the two attackers case in Level-1. It means that, in an attack scenario, we place two attackers at node positions 2 and 5, run simulations and measure the performance. In the other scenario, we place two attackers at node positions 2 and 6, and run simulations again.

The attacker(s) in our simulations apply the VNA by incrementing the VN field in their outgoing DIO messages. Whenever they have to send a DIO message, they perform the same operation. Except for this malicious behavior, they act normally and are part of the network. In our attack scenarios, each attacker is independent from the other attackers.

B. Simulation Environment, Parameters and Metrics

We performed simulations using Contiki Cooja [25]. We chose Contiki [24] (version 3.0) and its simulator Cooja [25] because Contiki is open source and it provides implementations of the standardized protocol stack [26].

In our simulations, nodes are Tmote Sky motes that run the RPL-UDP application. In this application, UDP clients running in nodes send temperature readings to the UDP server running in the root every minute. We used the distance-based loss model as the radio medium with transmission and interference ranges of 50 m and 100 m respectively. The simulation topology has the dimensions of 150 m × 150 m. For each attacking setting, we ran 10 simulations, where each simulation is 50 minutes long. We obtained the results with 95% confidence interval. For the performance metrics, we focused on packet delivery ratio, average network delay and average power consumption.

TABLE I: SINGLE ATTACKER POSITIONS.

Level            Attacker Position
Level-1          2, 5, 6
Level-2          3, 7, 9, 10, 11
Level-3          4, 8, 12, 13, 15, 16
Level-4          14

TABLE II: TWO ATTACKER POSITIONS.

Level            Attackers’ Positions
Level-1          2-5, 2-6
Level-2          3-7, 3-9, 3-10, 3-11, 7-10
Level-3          4-8, 4-12, 4-13, 4-15, 4-16, 12-16, 13-16
Levels (1-2)     2-3, 2-7, 2-10, 2-11, 3-6
Levels (1-3)     2-12, 2-13, 2-15, 2-16, 6-12, 6-13, 6-16
Levels (1-4)     2-14, 5-14, 6-14
Levels (2-3)     3-4, 3-8, 3-12, 3-13, 3-15, 3-16, 10-16, 11-16
Levels (2-4)     3-14, 7-14, 9-14, 10-14, 11-14
Levels (3-4)     4-14, 8-14, 12-14, 13-14, 15-14, 16-14

TABLE III: THREE ATTACKER POSITIONS.

Level            Attackers’ Positions
Level-1          2-5-6
Level-2          3-7-11, 3-10-11, 7-10-11
Level-3          4-8-12, 4-12-13, 4-13-15, 4-13-16, 8-12-15, 8-12-16, 12-13-15, 12-15-16
Levels (1-2)     2-3-5, 2-3-6, 2-7-10, 2-10-11, 3-5-11, 6-7-11
Levels (1-3)     2-4-12, 2-5-12, 4-6-13, 6-8-15, 6-12-15
Levels (1-4)     2-5-14, 2-6-14
Levels (2-3)     3-4-7, 3-7-16, 3-12-13, 3-12-15, 7-10-16, 7-11-12, 7-11-15, 7-11-16
Levels (2-4)     3-7-14, 7-10-14, 7-11-14
Levels (3-4)     4-13-14, 8-12-14, 12-14-15
Levels (1-2-3)   2-8-9, 2-9-15, 5-9-13, 6-11-12
Levels (1-2-4)   6-10-14, 6-11-14
Levels (1-3-4)   2-3-14, 5-13-14, 5-14-15, 6-14-15
Levels (2-3-4)   3-12-14, 3-14-16, 11-14-15

C. Simulations and Results

In order to analyze the effect of multiple attackers we ran the following simulations: 10 simulations without any attacker for baseline results, 15 × 10 simulations for one attacker case, 48 × 10 simulations for two attackers case using the attack positions tabulated in Table II, 54 × 10 simulations for three attackers case using the attack positions outlined in Table III. In total, we ran 10 + 150 + 480 + 540 = 1180 simulations. Simulation results based on the number and position of attackers with respect to each performance metric will be given in the following subsections. Each figure uses the coloring scheme explained in the following section.

1) Coloring scheme: As we outlined in Tables I, II and III, we have several position combinations for attackers. To ease the analysis, we formulated a coloring scheme to signify the closeness of attacker(s) to the DODAG root. Here, closeness of the attacker(s) is mapped to the color spectrum between blue (close to the root) and cyan (far from the root). For this aim, we used levels of the attacker nodes.

We assigned the colors based on the level sum of the attacker(s) for each position combination. For instance, for one attacker cases, we set the color as blue if the attacker is located in Level 1 and cyan for Level 4. For two attackers, we assigned the blue color if the sum of the attacker levels is 2 and cyan if the sum of the attacker levels is 7. For three attackers cases, the sum of the levels can change between 3 and 10. We determined the color mapping accordingly. We used gray for the no attack case (i.e., labeled as NA in the figures).

2) Packet delivery ratio results: Figures 4, 5 and 6 show the packet delivery ratio (PDR) for one, two and three attackers respectively.

Fig. 4: Packet delivery ratio results for single attacker case.

Fig. 5: Packet delivery ratio results for two attackers case.

Fig. 6: Packet delivery ratio results for three attackers case.

Results show that increasing the number of attackers causes more packets to be dropped or lost considering the averages of results for each attacking class. In the no-attacker case, all of the packets were successfully delivered to the DODAG root, which is not surprising since the topology is simple and there is no external interference. However, when VNA is in place, we can see that the PDR starts to drop down to 36% for one attacker, 27% for two attackers and 22% for three attackers on average. When we have a look at the dropped packets, we can see that the majority of the packets were dropped due to non-existence of routes. The rest of the drops were due to MAC layer issues and errors signaled in IPv6 RPL header option processing.

If we analyze the results based on the position of attackers, we can say that attackers in the center of the DODAG seem to cause the lowest PDRs (i.e., attacking positions of 6, 7, 10 and 11). However, previous studies had observed a different correlation where the farthest positions from the root cause the lowest PDR results.

3) Average network delay results: Figures 7, 8 and 9 show the average network delay (AND) results for one, two and three attackers simulations respectively.

In terms of AND results with respect to number of attackers, VNA seems to increase the delays between sixteen-fold and twenty-fold in comparison to the baseline results (i.e., no attackers). Interestingly, we see that the three attackers case causes shorter average delay than the one and two attackers cases. We could not figure out the underlying reason. We would like to note that only the successfully arriving packets were considered for the calculation of AND. If we consider the successfully delivered packets analyzed in the previous section, we see that the amount of delivered packets has the relation of one attacker > two attackers > three attackers.

For APC, we see similar results for one, two and three at-
tackers cases. The average results do not imply that increasing
the number of attackers cause more power consumption.
Power consumption of a node is related to various param-
eters regarding with different layers of the protocol stack.
It is related to traffic rate that IoT application generates at
the application layer. In this study, it was the same for all
simulations, one packet per minute. Under the application
layer, transport layer can affect the power consumption. In
all simulations only UDP protocol was utilized in this study.
Fig. 7: Average network delay results for single attacker case. Network layer issues can affect power consumption too.
Here, it can be related to the generated control traffic (i.e.,
RPL control messages) and drops due to errors. Errors can
Yet, we cannot relate it with the AND results since it does not be route errors (i.e., packets are dropped before going down
show a similar or opposite pattern. to MAC layer since no route exists) and RPL header options
Considering the position of attackers, we can see that effect processing errors of IPv6 packets. We see that results are close
of the attack has correlation with the position of attacker(s). to each other for one, two and three attackers cases when we
In each figure, the longest AND values were obtained for checked the amount of generated RPL control messages and
bluish colored attacking positions (positions that are close to header processing errors. When we compared the encountered
the root). And the shortest AND values were obtained for route errors, we see that one attacker < two attackers <
cyanish colored attacking positions (positions that are far from three attackers with slight differences. Thus, network layer
the root). We found these results interesting because previous parameters do not show a significant difference between
studies had not found such a correlation between the position attacking cases for power consumption results.
of the attacker and AND. Considering the distance between At the MAC layer, power consumption of a node is affected
attackers, we cannot really say that attackers should be close by transmission attempts for the IEEE 802.15.4 frames. Al-
or distant from each other to affect the average delay more. though we do not have the amount of transmission attempts,
For the placement of attackers, results show that attackers that we have the amounts of MAC layer drops which may provide
are located at the edges of the DODAG seem to cause longer valuable information regarding with the channel conditions.
delays than attackers in the center of the DODAG. Amount of dropped fragments at the MAC layer has the
4) Average power consumption results: We showed the relation of one attacker > two attackers > three attackers
average power consumption (APC) results for one, two and with slight differences again. Therefore, we believe that aver-
three attackers cases in Figures 10, 11 and 12 respectively. age power consumption results to be close to each other for
Version Accepted by IEEE Cyber Science 2020 A. Aris and S. F. Oktug FOR EDUCATION PURPOSES ONLY

Fig. 8: Average network delay results for two attackers case.

Fig. 9: Average network delay results for three attackers case.

with 44 nodes. Topology had static and mobile nodes. Some


of the static nodes were on the grid and rest were scattered
randomly. All of the nodes were running RPL UDP applica-
tion with Contiki 2.7. Every node was sending temperature
readings to the UDP server running at the DODAG root
periodically. On the other hand, this study is using Contiki
3.0. Topology has 16 static nodes placed on a grid. Nodes are
running the same application with the same traffic rate.
Fig. 10: Average power consumption results for single attacker At the first step, we suspected from the topological dif-
case. ferences between the studies. We set up the same topology
but with different Contiki versions (2.7 and 3.0 versions). We
ran simulations with the same random seeds, same mobility
different number of attackers is acceptable. patterns for the mobile nodes, same attacking positions and
In terms of the position of attackers, the results show that for the same simulation duration. The results showed that, we
closer attacking positions affect the power consumption more. still observe different simulation results. Hence we understood
Again, colors of attacking positions that caused the highest that it is not related to the topological differences.
power consumption are bluish and lowest power consumption As the second attempt, we focused on our performance
results have cyanish colors. Similar to the average delay case, measurement logic. In our earlier study, we were measuring
such an outcome was not observed in the previous studies. fewer metrics, namely control message overhead, average
Considering the distance between attackers, generally lower delay, average power consumption and packet delivery ratio.
power consumption results were obtained for attackers that However now, in addition to these metrics, we also measure
are close to each other. For the placement of attackers, results MAC and routing layer drops and routing layer errors. We
do not imply anything whether attackers should be at the edges checked whether measuring more metrics cause us to obtain
or in the center of the DODAG. different results. We removed the metrics one by one, but still
5) Discussion of simulation results: In this study, our aim we obtained different results. So, the reason was not related
was to analyze the effect of multiple VNAs in RPL networks. to our performance measurement mechanism.
We obtained results that were not observed by the previous Lastly, we considered to check RPL implementations of
studies [2] and [3]. We wanted to investigate the underlying Contiki versions 2.7 and 3.0. We realized that, RPL imple-
reason for it. Since one of them (i.e., [2]) was our earlier mentation in the newer version has several changes related to
study, we decided to compare it with the current study. packet forwarding and dropping logic, DIO timer resets, packet
Our earlier study was considering a factory environment header verification and initiation of global repair, transmission
Version Accepted by IEEE Cyber Science 2020 A. Aris and S. F. Oktug FOR EDUCATION PURPOSES ONLY

Fig. 11: Average power consumption results for two attackers case.

Fig. 12: Average power consumption results for three attackers case.

of control messages in specific states, etc. The RPL specification does not clearly explain everything regarding the protocol implementation and leaves low-level details to the developers. These details can change between different versions of the implementation according to errors, performance issues, resource footprints, etc. Since the RPL VNA rebuilds the DODAG maliciously, breaks parent-child relationships, and causes timer resets and re-calculation of ranks, the updates in these parts of the protocol implementation result in different outcomes for RPL networks under VNA. Based on our analysis, we conclude that the varying results are due to the changes in the RPL implementation between different versions of the operating system. The RPL implementations in the two versions differ in methodology, and this necessarily leads to different results, which makes it difficult to compare with our prior work [2].

V. MITIGATION OF MULTIPLE ATTACKERS WITH ELIMINATION AND SHIELD TECHNIQUES

In this section, we analyze the effectiveness of the mitigation techniques proposed in [9] against multiple VNAs. The mitigation techniques in a nutshell are:
• Elimination: VN updates received from the nodes with better rank values are accepted and the rest (i.e., nodes that are in the direction of child nodes) are blocked.
• Shield: Each node maintains a table of neighbors that have better rank than itself. A node accepts the VN update if the majority of its table entries share the same new VN.

For the performance evaluations of the mitigation techniques, we focused only on the PDR due to space considerations. We selected multiple attacker positions considering the strongest attacking positions in the PDR results for the two- and three-attacker cases in Fig. 5 and 6, positions that are close to the DODAG root, and positions that are at the edges of the topology. The selected attacking positions are: 2-6, 2-5, 4-13, 7-10, 11-14, 12-16, 2-5-6, 4-13-16, 7-10-14, 7-10-11 and 12-15-16.

Fig. 13 shows the simulation results for PDR with respect to the selected multiple attacker positions based on the mitigation technique. Here, RPL Under Attack, shown in blue, signifies that no mitigation technique is present. RPL+Elimination and RPL+Shield signify that the Elimination and Shield techniques are running on the legitimate nodes.

The results show that the mitigation techniques are very effective against multiple VNAs in terms of PDR. Shield achieves better results in comparison to Elimination. The highest PDRs (100%) were obtained by means of Shield for attacking positions that are at the edges of the topology (i.e., positions 4-13 and 4-13-16).

For the two-attacker cases, the strongest attacking position for PDR was 7-10, with a PDR of 18%. We can see that Elimination mitigates the effect of the attack and yields a PDR of 51% under attack. On the other hand, Shield seems to achieve a better result and provides a 72% PDR. For the attacking position 11-14, which is another strong attacking position with a 21% PDR, Elimination and Shield yield 61% and 80% delivery ratios, respectively.
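The two acceptance rules listed in this section, sketched in C as an added example (not code from the paper, from [9], or from Contiki). It assumes that a numerically lower rank is the better one, reads "majority" as a strict majority, compares versions by plain equality, and uses constructed ranks and version numbers; the last table is the case where every better-ranked neighbor is malicious, so both rules accept the forged version.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed neighbor-table entry: advertised rank and last DODAG version seen. */
struct neighbor { uint16_t rank; uint8_t version; };

/* Elimination: accept a version update only from a sender with a better
 * (numerically lower) rank, i.e. one that is closer to the DODAG root. */
bool elimination_accept(uint16_t my_rank, uint16_t sender_rank)
{
    return sender_rank < my_rank;
}

/* Shield: count only neighbors with better rank; accept new_version when a
 * strict majority of them already advertise it (assumed reading of "majority"). */
bool shield_accept(uint16_t my_rank, const struct neighbor *tbl, size_t n,
                   uint8_t new_version)
{
    size_t better = 0, agree = 0;
    for (size_t i = 0; i < n; i++) {
        if (tbl[i].rank >= my_rank)
            continue;             /* child or sibling: not in the Shield table */
        better++;
        if (tbl[i].version == new_version)
            agree++;
    }
    return better > 0 && 2 * agree > better;
}

/* Constructed tables for a node of rank 768 that is currently on version 240. */
static const struct neighbor one_bad_parent[] = {
    {512, 240}, {512, 240}, {512, 241},  /* one of three parents forged 241 */
    {1024, 241},                         /* malicious child, ignored by Shield */
};
static const struct neighbor all_bad_parents[] = {
    {512, 241}, {512, 241}, {512, 241},  /* every better-rank neighbor is an attacker */
};

int main(void)
{
    printf("child sender, Elimination:  %d\n", elimination_accept(768, 1024));
    printf("1 of 3 parents, Shield:     %d\n", shield_accept(768, one_bad_parent, 4, 241));
    printf("parent sender, Elimination: %d\n", elimination_accept(768, 512));
    printf("3 of 3 parents, Shield:     %d\n", shield_accept(768, all_bad_parents, 3, 241));
    return 0;
}
```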

Fig. 13: Multiple attackers mitigation results for packet delivery ratio.

For the three-attacker cases (7-10-14 with a PDR of 15% and 7-10-11 with a PDR of 16%), Elimination yields 48% for both positions, whereas Shield achieves 64% for the attacking position 7-10-14 and 71% for 7-10-11.

Observing the mitigation results in Fig. 13, we can see that the mitigation techniques seem to fail for only one attacking setting, in which three attackers are placed at positions 2, 5 and 6. Considering the operation logic of the mitigation techniques, this is very reasonable. When we look at the attacking position combination 2-5-6 on the topology (Fig. 2), we can see that these are the closest nodes to the root. This implies that all communication between the root and the rest of the nodes has to flow through these malicious nodes. Since they are the closest positions, they have better rank values than all of the legitimate nodes. Therefore, the mitigation effect of Elimination and Shield is disabled for this specific situation.

VI. CONCLUSION

In this study, we analyzed the effect of multiple VNAs on RPL networks. We investigated the effect of the attack considering the number and positions of the attackers. Our simulation results showed that increasing the number of attackers affects only the PDR results. In terms of the positions of the attackers, the effect of the attack gets stronger for average delay and power consumption if the attackers are closer to the root. Regarding the PDR, multiple attackers affect the performance more than others if they are located at the center of the DODAG. In the last part of the study, we analyzed the effectiveness of VNA mitigation techniques for multiple attackers. As future work, we intend to analyze how multiple attackers affect the performance of the network in more complicated topologies.

REFERENCES

[1] “DDoS on Dyn Impacts Twitter, Spotify, Reddit,” https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/, 2016, [Online; accessed 7-December-2016].
[2] A. Aris, S. F. Oktug, and S. B. O. Yalcin, “RPL version number attacks: In-depth study,” in NOMS 2016 - 2016 IEEE/IFIP Network Operations and Management Symposium, April 2016, pp. 776–779.
[3] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schonwälder, “A Study of RPL DODAG Version Attacks,” in Monitoring and Securing Virtualized Networks and Services, ser. Lecture Notes in Computer Science. Springer Berlin Heidelberg, 2014, vol. 8508, pp. 92–104.
[4] F. Ahmed and Y.-B. Ko, “A distributed and cooperative verification mechanism to defend against dodag version number attack in rpl,” in Proceedings of the 6th International Joint Conference on Pervasive and Embedded Computing and Communication Systems - Volume 1: PEC, (PECCS 2016), INSTICC. SciTePress, 2016, pp. 55–62.
[5] A. Dvir, T. Holczer, and L. Buttyan, “VeRA - Version Number and Rank Authentication in RPL,” in 2011 IEEE 8th International Conference on Mobile Adhoc and Sensor Systems (MASS), Oct 2011, pp. 709–714.
[6] H. Perrey, M. Landsmann, O. Ugus, M. Wählisch, and T. C. Schmidt, “TRAIL: Topology Authentication in RPL,” in Proceedings of the 2016 International Conference on Embedded Wireless Systems and Networks, ser. EWSN ’16. USA: Junction Publishing, 2016, pp. 59–64.
[7] M. Nikravan, A. Movaghar, and M. Hosseinzadeh, “A lightweight defense approach to mitigate version number and rank attacks in low-power and lossy networks,” Wireless Personal Communications, Jan 2018. [Online]. Available: https://doi.org/10.1007/s11277-017-5165-4
[8] A. Mayzaud, R. Badonnel, and I. Chrisment, “Detecting Version Number Attacks Using a Distributed Monitoring Architecture,” in Proc. of IEEE/IFIP/In Assoc. with ACM SIGCOMM International Conference on Network and Service Management (CNSM 2016), 2016, pp. 127–135.
[9] A. Aris, S. B. O. Yalcin, and S. F. Oktug, “New lightweight mitigation techniques for rpl version number attacks,” Ad Hoc Networks, vol. 85, pp. 81–91, 2019.
[10] A. Aris, S. F. Oktug, and S. B. O. Yalcin, “Internet-of-Things security: Denial of service attacks,” in Signal Processing and Communications Applications Conference (SIU), 2015 23th, May 2015, pp. 903–906.
[11] A. Arış, S. F. Oktuğ, and T. Voigt, Security of Internet of Things for a Reliable Internet of Services. Cham: Springer International Publishing, 2018, pp. 337–370. [Online]. Available: https://doi.org/10.1007/978-3-319-90415-3_13
[12] L. Wallgren, S. Raza, and T. Voigt, “Routing Attacks and Countermeasures in the RPL-Based Internet of Things,” International Journal of Distributed Sensor Networks, vol. 2013, p. 11, 2013.
[13] P. Pongle and G. Chavan, “A survey: Attacks on rpl and 6lowpan in iot,” in 2015 International Conference on Pervasive Computing (ICPC), Jan 2015, pp. 1–6.
[14] A. Mayzaud, R. Badonnel, and I. Chrisment, “A Taxonomy of Attacks in RPL-based Internet of Things,” International Journal of Network Security, vol. 18, no. 3, pp. 459–473, May 2016.
[15] T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, P. Levis, K. Pister, R. Struik, J. Vasseur, and R. Alexander, “RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks,” RFC 6550 (Proposed Standard), Internet Engineering Task Force, Mar. 2012.
[16] T. Tsao, R. Alexander, M. Dohler, V. Daza, A. Lozano, and M. Richardson, “A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs),” RFC 7416 (Informational), Internet Engineering Task Force, Jan. 2015.
[17] S. Kent and K. Seo, “Security Architecture for the Internet Protocol,” RFC 4301 (Proposed Standard), RFC Editor, Fremont, CA, USA, pp. 1–101, Dec. 2005, updated by RFCs 6040, 7619.
[18] “IEEE Standard for Local and Metropolitan Area Networks - Part 15.4: Low Rate Wireless Personal Area Networks Amendment 1: MAC Sublayer,” IEEE Std. 802.15.4e, 2012.
[19] K. T. Nguyen, M. Laurent, and N. Oualha, “Survey on secure communication protocols for the internet of things,” Ad Hoc Networks, vol. 32, pp. 17–31, 2015, internet of Things security and privacy: design methods and optimization.
[20] I. Arce, K. Clark-Fisher, N. Daswani, J. DelGrosso, D. Dhillon, C. Kern, T. Kohno, C. Landwehr, G. McGraw, B. Schoenfield et al., “Avoiding the top 10 software security design flaws,” Technical report, IEEE Computer Society’s Center for Secure Design (CSD), 2014.
[21] “Contiki rpl,” https://github.com/contiki-os/contiki/blob/release-3-0/core/net/rpl/rpl-dag.c, accessed: 2017-12-10.
[22] “Riot rpl,” https://github.com/RIOT-OS/RIOT/blob/master/sys/net/gnrc/routing/rpl/gnrc_rpl_dodag.c, accessed: 2019-04-22.
[23] “Tinyos rpl,” https://github.com/tinyos/tinyos-main/tree/master/tos/lib/net/rpl, accessed: 2019-04-22.
[24] “Contiki: The Open Source OS for the Internet of Things,” http://www.contiki-os.org/, 2019, [Online; accessed 22-April-2019].
[25] F. Österlind, “A Sensor Network Simulator for the Contiki OS,” SICS Technical Report, Tech. Rep. T2006:5, May 2006.
[26] M. Palattella, N. Accettura, X. Vilajosana, T. Watteyne, L. Grieco, G. Boggia, and M. Dohler, “Standardized Protocol Stack for the Internet of (Important) Things,” IEEE Communications Surveys Tutorials, vol. 15, no. 3, pp. 1389–1406, Third 2013.
