Transcript A Flow-Based Network Monitoring Framework for Wireless Mesh

A Flow-Based Network Monitoring
Framework for Wireless Mesh
Networks
Authors
Feiyi Huang, Yang Yang, University College London
Liwen He, British Telecom Group CTO
Presented by
Sheetal Gupta
CMSC 681 Fall 2007
Agenda



Wireless Mesh Networks
Vulnerabilities and Security Challenges
Proposed MeshFlow Framework






MeshFlow Record Structure
Record Creation
Record Management
Record Analysis
Implementation Issues
Conclusion
Wireless Mesh Networks (WMN)




Are an extension of
wireless ad hoc and
sensor networks.
Has a hybrid network
infrastructure with a
backbone and an access
network.
It is a group of selforganized and selfconfigured mesh clients
and routers
interconnected via
wireless links.
Applications – digital
home, community and
neighborhood networking,
enterprise networking,
emergency and disaster
networking.
Wireless Mesh Networks (WMN)




Mesh clients can be user devices with wireless
network card, like PCs laptop, PDAs and mobile
phones. They have limited energy, computing
power and radio range.
Mesh routers are usually more powerful in terms
of computation and communication capabilities
and have continuous power supply.
They normally are static and provide access
points to supply internet connections for clients.
User traffic from client is transmitted through a
multihop, wireless path to its destination – clientto-client (CC), client-to-router (CR) and router-torouter(RR).
Wireless Mesh Networks (WMN)



Wireless mesh backbone network is
formed by ad hoc mode interconnections
of mesh routers.
When new or existing router joins or
leaves the backbone, the network selforganizes and self-configures accordingly.
In WMN, usually there is one static mesh
router and a number of mesh clients that
are either static or mobile.
Vulnerabilities and Challenges




Security attacks can be in the physical, MAC and network
layers.
Physical layer – Radio frequency jamming: Attackers can
generate jamming signals to interfere with
communications on wireless channels.
MAC layer attack – In contention based MAC protocols, a
small back-off interval gives the user the advantage of
gaining access to the wireless channel quickly. Another
attack is continuously broadcasting busy tone signals
causing other users to be in waiting status for a long
period.
Network layer – For reactive routing protocols like
AODV, the node list in the route request (RREQ) and route
reply (RREP) can be fabricated, replaced or deleted. For
proactive routing protocols like OLSR, attacker can
advertise a modified routing table, leading all traffic
towards an intended address or to generate loops.
Attacker can steal all packets, produce a sink-hole by
selectively discarding packets.
Vulnerabilities and Challenges(cont.)




Denial of Service (DoS) attack – Handshake
messages, other access control packets in the MAC
layer, routing tables and route discovery packets in
the network layer can be easily falsified to exclude
vital fields, include a non-existing source or
destination or replace by malformed information.
MAC message exchange and route discovery
procedures will be suspended by these unreadable
packets and tables.
As a result, additional requests from other devices
will not be responded to by these terminals which
are struggling to resolve these packets and tables.
DoS attack can be achieved more easily by flooding
attacks – ICMP flooding, synchronize packet in TCP
flooding and UDP flooding. In WMN flooding is more
damaging because of weaker network devices.
MeshFlow Framework




All these performance degradations will
be reflected in the network traffic change.
By monitoring the traffic change situation,
an attack can be actively monitored.
In a WMN the concept of network traffic
flow is extended and defined as
MeshFlow.
The MeshFlow framework is designed to
generate, transmit and analyze MeshFlow
records.
MeshFlow Framework(cont.)





MeshFlow record is a special kind of packet and
contains a summary of the properties of packets
passing through a mesh router.
Fields included are source and destination addresses,
next-hop address, number of bytes, packets, transport
protocols and previous transmission delay summation.
MeshFlow Creation - On each mesh router, part of
the memory is separated to construct a MeshFlow
cache dedicated to MeshFlow record creation and
maintenance.
When a packet travels through the router, its
transmission information is extracted and comprises a
MeshFlow record.
If 2 packets have the same source, destination, nexthop address and the same transport protocol, their
transmission information is aggregated into one record
by aggregating the number of packets, bytes and delay
duration.
MeshFlow Framework (cont.)



MeshFlow Management When a MeshFlow record is
created it is stamped to
indicate starting time of the
record.
An aging mechanism is
implemented to calculate
the overall active duration
of the record.
The records are then
exported to a dedicated
collector and analyzer and
permanently deleted from
the MeshFlow cache.
MeshFlow Framework (cont.)

MeshFlow analysis – After exporting the
records from all routers to the collector, an entire
network picture can be constructed.


User monitoring – When a packet travels through
a multi-hop path consisting of mesh routers,
records are created on each router. On aggregating
records, the complete transportation path of a
packet can be derived, including source, destination
and all intermediate routers. So a comprehensive
investigation of each traffic flow is achieved.
Router monitoring – When records are
aggregated based on mesh routers, traffic
transported on each of its channels can be
illustrated clearly.
MeshFlow Framework (cont.)
MeshFlow analysis (cont.)
 Security Protection – An attack scenario leads to
abnormal traffic. These can be detected by analyzing
the MeshFlow records and matching with attack
signatures. For example, in a flooding attack there is
burst traffic toward the same destination. In MAC
abuse there will be no successful transmissions for that
access network. Protection can be achieved by further
action like letting the flood-generating router block the
corresponding attack traffic.
 Application and Service Monitoring – Different
network applications usually are performed by
separate transport protocols. MeshFlow records can be
aggregated for each application at each router.
Inappropriate resource utilization is reallocated to
balance different applications performed on each
router.
Implementation Issues



Unavoidably the MeshFlow framework induces extra
overhead on the network.
Careful designing to suit specific network scenarios is
required.
Two static parameters must be determined.
 MeshFlow record structure – Different fields are used
for different monitoring and analysis. It is not necessary
to generate a complete record for every scenario.
 Collection method – Three methods possible.
 Dedicated cable line – Each router had a dedicated
cable line
 Distributed antenna – The MeshFlow collector has
antennas deployed around the entire backbone
network.
 Multi-hop relaying – Records are exported as normal
packet transmissions via multi-hop router-to-router
wireless links, finally reaching the collector.
Implementation Issues (cont.)

Two dynamic parameters must be determined
 Packet sampling rate – For each incoming packet at
a router, information is either extracted immediately or
ignored, depending on sampling rate.
 Time-based – Extract information from packets at
some time intervals
 Packet-based – Sample one packet after ignoring a
certain number
 Terminal-based – More frequent sampling for
packets from terminals having a bad history.
 Exportation time interval –
 Idle – Export if a record is idle for a certain period.
 Active – if a record if active for too long
 Oldest –record exported when Mesh cache is
heavily loaded.
Conclusion


We reviewed security challenges,
attacks in the physical, MAC and
network layers of Wireless Mesh
backbone and access Networks.
We defined a new concept of
MeshFlow and proposed a flowbased network monitoring
framework to tackle the security
issues in WMNs.
Reference

“A Flow-Based Network Monitoring
Framework For Wireless Mesh
Networks”, Feiyi Huang, Yang Yang,
University College London, Liwen
He, British Telecom Group CTO
Thank you!
Questions?