
An Application-Driven Perspective on Wireless Devises Security
The Case of Distributed Denial-of-Service (DDoS)

George S. Oreku
Department of Computer Science and Engineering
Harbin Institute of Technology
A13 Room 601, P.O. Box 773
92 Xi Dazhi Street
Nangang District, Harbin 150001, China
george.oreku@gmail.com

Jiangzhong Li
School of Computer Science and Technology
Harbin Institute of Technology, China
Heilongjiang University, China
lijzh@hit.edu.cn

Tamara Pazynyuk
School of Computer Science and Technology
Harbin Institute of Technology
tamara.mymail@gmail.com

ABSTRACT
Denial of service attacks, viruses and worms are common tools for malicious adversarial behavior in networks. With the increasing ubiquity of personal computing handheld devices, such as mobile phones and PDAs, together with the deployment of sensor networks, experience shows that over the last few years attackers who specialize in disrupting and hijacking these wireless peripheral devices have been gaining widespread access to potentially lucrative corporate and government information. Several of these tools have probably been used increasingly as part of hostile behavior, either independently or in conjunction with other forms of attack in conventional or asymmetric warfare, as well as in other forms of malicious behavior. In this paper we concentrate on detecting Distributed Denial of Service (DDoS) attacks, in which one or more attackers generate flooding traffic and direct it from multiple sources towards a selected node, by applying sensor nodes. The dynamic and wide range of connectivity between states (Busy, Idle, Suspend and Off) provides a means of determining thresholds of normal resource usability and activity in each state within sensor nodes. We then present a technique that can be used for DDoS detection based on the resource usability of sensor nodes. We measure resource dissipation in different nodes, compare them and evaluate their resource usability. We use Hawk sensor nodes in experiments on our test-bed to show the positive outcome that a DDoS attack on sensor nodes can be detected from the resource usability.

Categories and Subject Descriptors
D.3.3 [Security and Privacy - Mobile / wireless Devices]: General-Security and protection

General Terms
Security, Experimentation, Performance

Keywords
Wireless Sensor Nodes, handheld devices, Distributed Denial of Service Attacks (DDoS).

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
PM2HW2N’07, October 26, 2007, Chania, Crete Island, Greece.
Copyright 2007 ACM 978-1-59593-805-3/07/0010...$5.00.

1. INTRODUCTION
Interest in wireless sensors (WSs) continues to build momentum, with research results and technology beginning to transition to real-world applications. Expectations go beyond the research visions, towards deployment of sensor nodes in real-world applications that would empower business processes and future business cases. The application possibilities include sensing and actuating in many types of environments, from monitoring remote environmental sites or hostile battlefields to controlling the modern comfort of indoor health-care facilities [1, 2, 3, 4]. The methodology uses real sensor nodes as sources of communication to transfer information, as well as the power they use to operate, as a means of detecting DDoS attacks. To address the problem we explore distributed denial-of-service vulnerabilities in wireless peripherals.

1.1 Distributed Denial-of-Service Attacks
A Distributed Denial-of-Service attack (also DoS attack) is an attack on a computer system or network that causes a loss of service to users, typically the loss of network connectivity and services, by consuming the bandwidth of the victim network or overloading the computational resources of the victim system.
In this case study we concentrate on the analysis of resource and power usability for DDoS detection in wireless peripheral devices and on the vulnerability of mobile networks to DoS attacks.

2. DIFFERENT STATES IN RESOURCE / POWER USABILITY
Power states are states of particular devices; as such, they are generally not visible to the user. These states are defined very generically in this section to enable the applications adopted in our approach. We define four power states according to the Advanced Configuration and Power Interface (ACPI) [5]:
Ready (or busy) - when the system or device is fully powered up and ready for use.

Idle - an intermediate, system-dependent state that attempts to conserve power. The CPU enters the idle state when no device activity has occurred within a machine-defined time period. The machine won't return to the busy state until a device raises a hardware interrupt or the machine accesses a controlled device.
Suspend - the lowest level of power consumption available in which memory preserves all data and operational parameters. The device won't perform any computations until it resumes normal activity, which it does when signaled by an external event such as a button press, timer alarm, or receipt of a request.
Off - when the device is powered down and inactive. Operational and data parameters might or might not be preserved in.

Figure 1: State power distribution (adapted from a Dell Axim) and battery-based intrusion detection (B-BID) power drain rate thresholds. The longer a threshold is held high in the busy and idle states, the greater the likelihood that an anomalous activity is present.

Figure 1 shows the general current ranges for each operating state as well as the power distribution for a PDA class of devices. The Cabir worm, for example, attacks cell phones and PDAs by constantly searching for Bluetooth-enabled devices and then sending itself to the first device it finds. It hasn't caused any damage (yet), apart from vastly shortened battery life [6] due to constant activity. In a resource-constrained environment, resource usability is a promising tool for security in mobile devices. The novelty of our work is that we have developed a resource-based detection methodology on sensor nodes that uses power-based threshold monitoring to indicate DDoS activity.

3. SENSOR NODES CHARACTERISTICS TO DIFFERENT ATTACKS
To the surrounding nodes, however, the region might appear to suffer complete or intermittent failure, and they may be unable to determine that this behavior results from a DoS attack. Sometimes an attacker can also tamper with nodes physically, interrogating and compromising them; these are threats that the nature of sensor networks exacerbates.

3.1 Sensor Nodes Power Consumptions Comparison
In a concrete comparison, the MCU mode, sensor mode and data rate are evaluated so that CPU architecture, speed, memory sizes, external I/O and on-board sensors are all maximized, whereas the system size is minimized, to derive an optimal architecture. We ran some experiments using our data for the Hawk nodes described to compare energy consumption across all three kinds of sensor nodes, and show our results in Figures 3 and 4.

3.1.1 Hawk nodes: Preliminary evaluation Power Consumptions and Hawk Characteristics [author]
Processor: Active ≈ 23 mW, Sleep = 6 mW, Off = 0.02 mW
Sensor ≈ 3 mW, Tx = 51 mW max, Rx = 38.4 mW
Transmit power at 0 dB = 51 mW
Range 80/150
Working voltage (V) 1.0 ~ 3.6
Data rate (kbps) 1000
Frequency channel switching time 650 us
Transmission power -10 dB ~ +10 dB
Receiving power (mW) 57
Wireless frequency 2.4 GHz
Storage size 512 KB

Figure 2: Hawk sensor node (1. Antenna plug, 2. Wireless module, 3. Port, 4. Power module, 5. CPU)

Figure 3: Energy Consumption in active regime (Rockwell’s, Medusa II and Hawk nodes)
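
The power-based threshold monitoring described in Section 2 (a threshold held high in the busy and idle states indicates anomalous activity) can be sketched as follows. This is an added Python example, not code from the paper: the nominal figures come from the Hawk characteristics in Section 3.1.1, while the margin, the dwell length, the mapping of the processor's sleep figure to the Idle state and the sample trace are assumptions.

```python
"""Per-state power-drain threshold monitor with a dwell requirement."""

# Nominal Hawk draw in mW, built from the Section 3.1.1 figures:
# processor active 23, processor sleep 6, sensor 3, radio receive 38.4.
# Mapping "sleep" to the Idle state is an assumption of this example.
NOMINAL_MW = {
    "busy": 23.0 + 3.0 + 38.4,  # processor active + sensor + radio receive
    "idle": 6.0 + 3.0,          # processor sleep + sensor
}
MARGIN = 1.25  # assumed tolerance above nominal, not a value from the paper
DWELL = 3      # assumed: consecutive high samples required before alerting


def thresholds(nominal=NOMINAL_MW, margin=MARGIN):
    """Upper bound of normal draw (mW) for each monitored state."""
    return {state: mw * margin for state, mw in nominal.items()}


def detect(samples, limits=None, dwell=DWELL):
    """Return (first, last) sample indexes of every run in which the draw
    stayed above its state's threshold for at least `dwell` samples."""
    limits = limits or thresholds()
    alerts, run_start = [], None
    for i, (state, mw) in enumerate(samples):
        high = state in limits and mw > limits[state]
        if high and run_start is None:
            run_start = i
        elif not high and run_start is not None:
            if i - run_start >= dwell:
                alerts.append((run_start, i - 1))
            run_start = None
    if run_start is not None and len(samples) - run_start >= dwell:
        alerts.append((run_start, len(samples) - 1))
    return alerts


# Constructed (state, mW) trace, not measurements from the paper.
TRACE = [
    ("idle", 9.2), ("idle", 8.8), ("busy", 61.0), ("idle", 9.1),
    ("idle", 14.0),  # one-sample spike: over threshold but below dwell
    ("idle", 9.0),
    # the radio keeps receiving while the node should be idle
    ("idle", 44.5), ("idle", 46.0), ("idle", 45.2), ("idle", 47.1),
    ("off", 0.02),   # Off is not monitored
]

if __name__ == "__main__":
    for first, last in detect(TRACE):
        print(f"sustained over-threshold draw: samples {first}..{last}")
```

The dwell requirement is what separates a short legitimate burst from the sustained drain the Figure 1 caption associates with anomalous activity; lowering it to 1 also reports the single spike.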

Figure 4: Energy Consumption in sleep and off regimes (Rockwell’s, Medusa II and Hawk nodes)

4. DESIGN AND TESTING
We deployed Hawk Dot sensor nodes and programmed our base station using TinyOS to send information through a programming board connected to our PC. The sensor nodes were equipped with sensors for temperature, vibrations, brightness and magnetic force sound. The base station was physically connected to the programming board using an RS232 interface. The wireless sensors deployed-gateway was a Pentium IV computer running at 1GHz and loaded with Windows XP; the Wireless Sensors Network gateway was equipped with a programming board on the parallel port, which was used to connect to the outside network. For the attack experiments, we launched an aggregated-data-based DDoS attack on the receiver node of the wireless sensor network, measured the node's exhaustion in receiving and processing data as well as its energy/power usability, and observed how the data collection ability was hampered.

The data aggregation-based DDoS attack was launched against a single sensor node by configuring various sensors in the lab to send massive aggregated-information attack traffic to a single sensor acting as receiver. In these experiments, we measured the increased DDoS attack traffic directed towards the real single sensor node. The attack traffic of a given sensor was directed towards the receiver node for 45 minutes. For a total of 11 different massive aggregation information attack-traffic loads, ranging from 0 Mbps to 100 Mbps, the experiment was run for a total of 8 hours. The parameters corresponding to the absence of any incoming attack traffic (i.e. 0 Mbps) provided us with the baseline results. We measured the corresponding receiver exhaustion of the deployed wireless sensor network and its ability to collect the sensed data. For the entire experiment of 8 hours of DDoS attack, receiver node exhaustion and sensed data were collected. The collected data for the various sensors' aggregated data sent is shown in Table 1.

The exhaustion measured for the receiver node as a result of the DDoS attack is shown in Figure 5. The maximum, minimum and average values of the receiver node exhaustion corresponding to the different load percentages of the data are also shown in Figure 5.

For example, in Figure 5, the attack-traffic load of 10 Mbps causes the receiver node to be exhausted to a minimum of 35% of its resource usability and a maximum of 100% of its resource.

Table 1: Sensor aggregated data logged on Wireless Sensor Network deployed on receiver node under DDoS attack

Aggregated data   Expected amount   Actual data     Amount of   Percentage      Percentage
attack increase   of data           received from   data lost   received by     lost
by (Mbps)         transferred       sensor node                 receiver node
0                 5000              4853            147         97.06           2.94
10                5000              4853            147         97.06           2.94
20                5000              2750            2250        55.0            45.0
30                5000              1169            3631        23.38           72.62
40                5000              1041            3959        20.82           79.18
50                5000              980             4020        19.6            80.4
60                5000              779             4221        15.58           84.42
70                5000              638             4362        12.76           87.26
80                5000              640             4360        12.8            87.2
90                5000              642             4358        12.82           87.16
100               5000              598             4402        11.96           88.04

Referring to the baseline, i.e. at 0% load, we are able to see that there is some data loss, and this has been considered as normal transfer loss due to different influences which might occur in sensor nodes. The expected amount of sensed data is calculated from ten different sensor nodes, during the 45 minutes that each attack experiment lasts, with data collection at five-minute intervals. Additionally, Table 1 lists data being received at traffic loads above 20 Mbps; this collection was possible because at some point node exhaustion goes slightly below 100%, allowing some data to be logged. The last column of Table 1 shows the percentage of sensed data that was lost for different loads of the attack traffic.

Figure 5: Loss of sensor data and high resource consumptions as DDoS attack is intensified

As the attack-traffic load was intensified beyond 30%, at least 75% of the sensed data were lost. For data aggregate-attack traffic loads of more than 60%, more than 90% of the sensed data were lost. Experiments showed that as the DDoS attack was intensified beyond 10 Mbps of the receiver node capacity, the
receiver sensor's operation became erratic and unreliable, as shown in Figure 6. For DDoS attack traffic loads exceeding 20 Mbps the receiver sensor was unable to perform data collection very well and recorded only a small percentage of the log data that were sensed (Figure 6). This problem was mainly due to the receiver node not being able to receive the aggregate information under DDoS attack. Second, the receiver sensor's resource went down due to large resource consumption as the load increased above normal.

Figure 6: Receiver node exhaustion due to DDoS Attack

4.1 Base Station Scalability
All our experiments have shown that the resource usability of wireless sensor nodes can be useful for security improvement if well applied. An important question is how many sensor nodes should be deployed on the base stations and the amount of resource usage on a sensor node.

Figure 7: Base Stations Scalability

We have performed some experiments to provide an answer to these questions. Figure 7 shows the number of nodes deployed for our experiment to send aggregated malicious data from 1-10 nodes to a single receiver node in a wireless sensor network. We observe that as the number of sender nodes increases, the average resource usage increases on the receiver node, which becomes unstable for data collection (loss of information). However, the increase in resource usage is quite insignificant for one inactive node in sleep and idle mode. This shows that for a network layout with 10 nodes, a single receiver node seems to be sufficient for the experiment.

5. CONCLUSIONS
There is a small percentage of detected attacks against wired systems. The number of detected attacks on mobile systems is likely considerably less without host-based IDSs. Our proposed approach gives efficient and effective attack detection, a host-based awareness technique for mobile devices that is applicable in a variety of resource-dependent devices and user scenarios.
We based our approach on sensor nodes, for which the problem of energy constraints is significant. Our work will introduce a new idea to developers and designers of hardware: to place an embedded monitoring unit directly on the NIC, CPU, or SMBus.
However, the scope of our work is to demonstrate how resource usability can help in determining attacks on wireless devices, as all tend to have one thing in common, which is dependence on an energy source. This will encourage the building of smart batteries and advanced power management technologies.
In our experiment the results showed that during an attack or malicious actions there is a loss of a certain amount of data and high energy/resource consumption.
Comparison, descriptions and all other criteria for sensor nodes' power consumption is one of the most difficult to assess. The reasons are the varying settings, the different architectures of the devices used and the applications which are being compared.

6. REFERENCES
[1] Anthony D. Wood and John A. Stankovic. “A Taxonomy for Denial-of-Service Attacks in Wireless Sensor Networks”. IEEE Computer, 35(10):54-62, October 2002.
[2] F. Akyildiz, W. Su, Y. Sankarasubramaniam, and E. Cayirci. Wireless sensor networks: A survey. Computer Networks (Amsterdam, Netherlands: 1999), 38(4):393-422, March 2002.
[3] Xiping Yang, Keat G. Ong, William R. Dreschel, Kefeng Zeng, Casey S. Mungle, and Craig A. Grimes. Design of a wireless sensor network for long-term, in-situ monitoring of an aqueous environment. Sensors, 2:455-472, 2002.
[4] J. Kahn, R. Katz, and K. Pister. Emerging challenges: Mobile networking for `smart dust'. J. Comm. Networks, 2(3):188-196, September 2000.
[5] www.acpi.info
[6] http://securityresponse.symantec.com/avcenter/venc/data/epoc.cabir.html

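
The data-loss side of the Section 4 experiment can be turned into a baseline-relative check. The following Python sketch is an added example, not code from the paper: the rows are the values printed in Table 1, the alert factor is an assumption, and the loss is recomputed from the expected and received counts so that rows whose logged columns disagree with those counts are surfaced before any threshold is set.

```python
"""Baseline-relative data-loss check over the paper's Table 1."""

# Columns as printed in Table 1: attack load (Mbps), expected, actual
# received, reported lost, reported % received, reported % lost.
TABLE_1 = [
    (0, 5000, 4853, 147, 97.06, 2.94),
    (10, 5000, 4853, 147, 97.06, 2.94),
    (20, 5000, 2750, 2250, 55.0, 45.0),
    (30, 5000, 1169, 3631, 23.38, 72.62),
    (40, 5000, 1041, 3959, 20.82, 79.18),
    (50, 5000, 980, 4020, 19.6, 80.4),
    (60, 5000, 779, 4221, 15.58, 84.42),
    (70, 5000, 638, 4362, 12.76, 87.26),
    (80, 5000, 640, 4360, 12.8, 87.2),
    (90, 5000, 642, 4358, 12.82, 87.16),
    (100, 5000, 598, 4402, 11.96, 88.04),
]
FACTOR = 3.0  # assumed: alert when loss exceeds 3x the 0 Mbps baseline


def loss_pct(expected, actual):
    """Percentage of expected readings that never reached the receiver."""
    return round(100.0 * (expected - actual) / expected, 2)


def flagged_loads(rows=TABLE_1, factor=FACTOR):
    """Loads whose recomputed loss exceeds factor x the baseline loss."""
    baseline = loss_pct(rows[0][1], rows[0][2])
    return [r[0] for r in rows if loss_pct(r[1], r[2]) > factor * baseline]


def inconsistent_loads(rows=TABLE_1, eps=0.005):
    """Loads whose reported columns disagree with the values recomputed
    from the expected and actual counts, so the log needs re-checking."""
    bad = []
    for load, expected, actual, lost, pct_rx, pct_lost in rows:
        pct = loss_pct(expected, actual)
        if (expected - actual != lost or abs(pct - pct_lost) > eps
                or abs(100.0 - pct - pct_rx) > eps):
            bad.append(load)
    return bad


if __name__ == "__main__":
    print("loss above baseline at loads (Mbps):", flagged_loads())
    print("rows to re-check (Mbps):", inconsistent_loads())
```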