Implementing a Broadcast Storm Attack on a Mission-Critical Wireless Sensor Network

In this work, we emphasize the practical importance of mission-critical wireless sensor networks (WSNs) for structural health monitoring of industrial constructions. Due to its isolated and ad hoc nature, this type of WSN deployment is susceptible to a variety of malicious attacks that may disrupt the underlying crucial systems. Along these lines, we review and implement one such attack, named a broadcast storm, where an attacker attempts to flood the network by sending numerous broadcast packets. Accordingly, we assemble a live prototype of said scenario with real-world WSN equipment and measure the key operational parameters of the WSN under attack, including packet transmission delays and the corresponding loss ratios. We further develop a simple supportive mathematical model based on widely adopted methods of queuing theory. It allows for accurate performance assessment as well as for predicting the expected system performance, which has been verified with statistical methods.


Introduction and Background
The evolution of wireless sensor networks supports increasingly novel and sophisticated applications across various fields [1]. Modern wireless sensor networks (WSNs) find their use in various environments, starting with the marine [2] and vehicular [3] through the forestry [4], and towards the growing industrial Smart Cities [5], [6]. Generally, the main advantage and the limitation of WSNs lie in their ad hoc nature, which makes them easy to deploy but difficult to manage. Most practical WSN deployments utilize wireless relaying to the remote control center, which brings a variety of potential vulnerabilities to be exploited.
Arguably, the most demanding area of WSN research may be shaped by urban environmental applications [7]. In this work, we focus on a representative urban WSN application for industrial sensing: structural health monitoring [8]. This concept makes it possible to maintain the appropriate condition of engineering structures by deploying sensors in the essential parts of buildings and other constructions, i.e. bridges, tunnels, skyscrapers, etc. The main purpose of such a WSN is to notify the control center about any significant change of the monitored object due to earthquakes, disasters, explosions, or other accidents. A secondary function is to provide continuous health monitoring. As a characteristic example, we may consider the Golden Gate Bridge in San Francisco Bay (shown in Fig. 1), where a similar network was deployed 10 years ago [9].
Clearly, a bridge of any kind is an object of national importance and therefore the serving WSN should be protected from malicious attackers. However, due to the lack of relevant standardization activities, different manufacturing companies are utilizing a variety of dissimilar security solutions across their deployments, thus making them easier to attack. The use of wireless ad hoc sensor networks for critical applications poses novel information security challenges [10], [11], such as: channel sniffing [12]; packet spoofing [13]; physical access to the device [14]; non-standardized communications protocols [15], and many others. We face the fact that development, deployment, and management of such a network is limiting the chance to use conventional information security solutions [16][17][18]. In this work, we focus on one of the most threatening attacks on mission-critical WSNs: the broadcast storm [19]. Broadcasting in any ad hoc network is an elementary operation required for the core system functionality. However, intentional broadcasting by flooding may introduce uncontrollable redundancy, contention, and collisions that would lead to a so-called broadcast storm problem.
The rest of this work is organized as follows. Section 2 introduces the proposed system model for considering a broadcast attack in the network of interest. Further, in Section 3 we prototype the corresponding ad hoc WSN deployment and attack it by following said approach. In Section 4, we propose a simple analytical model validating our proposed framework. Finally, the conclusions are drawn in the last section.

Considered WSN system model
In this work, we consider a system hosting a number of autonomous wireless nodes equipped with a set of measuring modules (sensors), and thus the challenges of efficient data transmission and processing are brought into focus [20]. On the other hand, ad hoc WSNs of this type are susceptible to possible attacks by implosion, blind flooding and, finally, broadcast storm [21][22][23].
Focusing primarily on the most challenging broadcast storm concept, the multicast control messages in a mission-critical WSN may become the main vehicles of this attack. Therefore, a high number of such packets affects the QoS for each transmitting node, which results in shorter battery life and lower reliability. The main configuration flaws that may enable such an attack are listed in what follows:
1. No limitations on the packet time-to-live parameter;
2. A possibility to transmit a broadcast packet from any unknown address in the network;
3. A device that could continuously generate packets.
Our research indicates that the easiest and cheapest way for an attacker to affect the operation of the ad hoc network in question is to generate harmful messages when already residing inside the network. This may cause not only a partial denial-of-service effect for one particular node, but also provoke a fault of the entire wireless network [24]. Another factor with substantial impact on the system operation is a lack of continuous management and support, i.e. the network is assumed to be a standalone instance without continuous monitoring exercised. Some of the devices may become disabled due to natural factors, and may not be replaced immediately. However, there should always remain a crucial number of operational devices available to deliver an alarm message. Summarizing all of the above, in this paper we focus on the problem of probabilistic device availability estimation in cases of a broadcast storm attack.
The most common implementation of said attack may be described as a significant increase in the intensity of broadcast requests in the target WSN or flooding by the attacker device, as presented in Figure 2. As each transceiver node has to rebroadcast the messages, this leads to difficulties in serving them within a reliable time. Basically, this scenario would appear when the incoming buffer of the device is full and/or the wireless channel is congested [25], and thus the denial-of-service attack is successful [26]. In our target scenario, we employ the widely used WSN technology, IEEE 802.15.4 (ZigBee) [27] under the broadcast storm conditions. The WSN nodes equipped with such a radio module are typically small autonomous devices with limited computational power [28]. They operate under a predefined configuration and utilize a constant set of vendor-specific signaling messages.
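The three flaws listed above map onto three checks a relay can apply before rebroadcasting. The following is an added example, not code from the paper or from any ZigBee stack: the class, the frame fields (src, seq, hops), the limits and the trace are all constructed for illustration.

```python
from collections import Counter, deque

class BroadcastGuard:
    """Relay-side check run before a received broadcast frame is rebroadcast.

    Field names (src, seq, hops) are hypothetical, not a ZigBee stack API.
    """
    def __init__(self, known_sources, max_hops=3, rate=2.0, burst=4):
        self.known = set(known_sources)      # flaw 2: only commissioned senders
        self.max_hops = max_hops             # flaw 1: bounded frame lifetime
        self.rate, self.burst = rate, burst  # flaw 3: tokens/s and bucket size
        self.buckets = {}                    # src -> (tokens, time of last update)
        self.seen = deque(maxlen=64)         # recently forwarded (src, seq) pairs

    def check(self, src, seq, hops, now):
        if src not in self.known:
            return "drop:unknown-source"
        if hops >= self.max_hops:
            return "drop:hop-limit"
        if (src, seq) in self.seen:
            return "drop:duplicate"
        tokens, last = self.buckets.get(src, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens < 1:                       # bucket empty: sender is over budget
            self.buckets[src] = (tokens, now)
            return "drop:rate-limit"
        self.buckets[src] = (tokens - 1, now)
        self.seen.append((src, seq))
        return "forward"

def replay(frames, guard):
    """Run (time, src, seq, hops) frames through the guard and tally verdicts."""
    return Counter(guard.check(s, q, h, t) for t, s, q, h in frames)

# Constructed trace: A is a commissioned node, C is an unknown sender.
TRACE = [
    (0.0, "A", 1, 0),   # normal broadcast
    (0.0, "A", 1, 1),   # same frame heard again via another neighbour
    (0.1, "C", 1, 0),   # sender not in the commissioned set
    (0.2, "A", 2, 5),   # frame that has already travelled too far
] + [(1.0 + 0.01 * i, "A", 10 + i, 0) for i in range(14)]  # 14-frame burst

def demo():
    return replay(TRACE, BroadcastGuard(known_sources={"A", "B"}))

if __name__ == "__main__":
    print(demo())
```

The per-source token bucket still bounds the burst when the flooding frames carry a commissioned address, which the address check alone would not catch.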

Prototyping a Broadcast Storm Attack
In order to verify the feasibility of our above discussion, we have conducted a set of experimental tests utilizing ZigBee-equipped Telegesis ETRX357 devices [29]. The prototype structure is given in Figure 2 and the actual deployment example is presented in Figure 3. Here, the traffic is transmitted from the device A to the device B via the relaying node. USB-dongle C is utilized as the attacker device, generating broadcast messages.
The main goal of our installation is to obtain the probabilistic packet loss values. We assume a high-density industrial WSN deployment, where each node may receive data not only from its immediate neighbor, but also from the attacker device, thus escalating the effects of the broadcast storm. Node B as the destination device analyzes the amount of received meaningful data as well as the share of unclassified (attacker's) packets. The key setup parameters and the corresponding notation are given in Table 1.
Further, we analyze the impact produced by the attacker on the packet transmission delay, and the respective results are presented in Figures 4(a) and 4(b). For our test scenario, we utilize two Telegesis command types: (i) AT+N and (ii) AT+SN:00 [30]. The main purpose of the first command is to request the node's surrounding network information. The second command, AT+SN, is generally used to force a particular device to scan the network, and "00" causes each attacked node to search across the entire network for neighbors. As we learn from the test results, by increasing the packet arrival rate one might cause a dramatic surge in the delay of up to 2 times by only introducing 14 additional broadcast messages in our network. Importantly, this extra packet delay has a direct impact on the energy consumption values due to increased packet retransmission cost after a collision in the wireless channel.
We emphasize the fact that prototyping of a large-scale real-world WSN is difficult to implement in the laboratory environment due to the space limitations, and thus we decided to support our test deployment with a simple analytical model that can validate and predict the ad hoc WSN behavior under broadcast storm conditions.

Supportive Analytical Modeling of our Prototype
By employing simple methods of the queuing theory in our model [31], we first assume that the packet loss probability is not affected by the attacker. We further consider that the packet generation intensity on the end-device is given as a Poisson process and that the packet service interval is distributed exponentially [32]. We verify this hypothesis at the end of this work. Hence, in the single-relay WSN case the packet loss probability may be calculated as where is the packet arrival rate, µ is the packet service rate, and n is a node's buffer size. Further, for the multi-relay case we modify Equation (1) accordingly where k is the number of relaying hops. The majority of the analytical frameworks available today do not take into account the attacker [33][34][35][36] that can initiate an attack by generating the broadcast messages with higher arrival rate.
Every broadcast packet is served by each attacked WSN node and then forwarded to the following hop. Clearly, the number of nodes under attack could be significantly increased if the attacker would modify the radio equipment by utilizing transmission at higher power.
Further, using Equations (1) and (2), we evaluate the packet loss probability for a network affected by the broadcast storm attack as follows 8 > > > > > > > > < > > > > > > > > : where sh is the attacker packet arrival rate. In order to quantitatively characterize the proposed prototype, we first study the impact of the system parameters on the packet losses. To this end, Figure 5(a) shows the influence of the attacker's packet generation rate on the WSN packet loss at a fixed WSN node data generation rate. Clearly, by increasing the number of affected relaying nodes, system saturation is achieved faster. This is due to the broadcast message distribution, which has a repetitive nature.
In our second scenario presented in Figure 5(b), we fix the attacker's packet generation rate and vary that of the WSN node. As we observe in the plots, the ad hoc network is providing a certain level of QoS even in the situation when the node's packet generation rate is higher than the service rate.
Our third scenario depicted in Figure 6 corresponds to a situation when both the node's and the attacker's packet generation rates are fixed and only the service rate is varied. Accordingly, for each number of relaying nodes we can find the corresponding lowest service rate to guarantee the minimal reachable packet loss for a particular attacker's packet generation rate. Furthermore, our simple analytical model is able to probabilistically predict the likely ad hoc WSN conditions taking into account the effects of the broadcast storm attack that alters the underlying packet generation rate.
Finally, we compare the analytical and prototype packet loss performance based on the key system parameters given in Table 1. By focusing on the obtained prototype-driven results and those delivered by our analytical prediction, as summarized in Figure 7, it can be concluded that the analytical and the experimental values agree within acceptable bounds. To confirm the obtained results, we have additionally verified our prototype-based and analytical data using Pearson's chi-squared test [37] with α = 0.05 by executing the set of 100 independent trials. Therefore, it could be concluded that the resulting difference between the compared distributions of the packet loss values in a realistic WSN under the broadcast storm conditions is statistically insignificant. Thereby, our initial assumptions of a Poisson packet arrival distribution and an exponential service time distribution are practical.
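An added example, not the authors' code, of a loss model of the kind this section describes, covering the attacker-rate sweep and the lowest-service-rate search from the scenarios above. It assumes the textbook M/M/1/n blocking probability for one relay, adds the attacker's Poisson stream to the node's arrival rate, and treats the k relays as independent; the function names and the sample rates are constructed.

```python
def mm1n_loss(lam, mu, n):
    """Blocking probability of an M/M/1/n queue.

    lam: arrival rate, mu: service rate, n: packets the node can hold
    (assumed here to include the one in service).
    """
    rho = lam / mu
    if abs(rho - 1.0) < 1e-12:           # limit of the formula at rho = 1
        return 1.0 / (n + 1)
    return (1 - rho) * rho**n / (1 - rho**(n + 1))

def path_loss(lam, lam_sh, mu, n, k):
    """Loss over k relays, each offered node traffic plus attacker broadcasts.

    Assumptions: the two Poisson streams add, and relays drop independently.
    """
    p = mm1n_loss(lam + lam_sh, mu, n)
    return 1 - (1 - p) ** k

def min_service_rate(lam, lam_sh, n, k, target, lo=1e-3, hi=1e3):
    """Smallest mu with path_loss <= target (loss falls as mu grows)."""
    for _ in range(100):
        mid = (lo * hi) ** 0.5           # bisect on a log scale
        if path_loss(lam, lam_sh, mid, n, k) <= target:
            hi = mid
        else:
            lo = mid
    return hi

def sweep(lam, mu, n, k, attacker_rates):
    """Loss versus attacker rate at a fixed node rate."""
    return [(r, path_loss(lam, r, mu, n, k)) for r in attacker_rates]

if __name__ == "__main__":
    # Constructed values in packets per second; not the paper's Table 1.
    for r, loss in sweep(lam=2.0, mu=5.0, n=8, k=3, attacker_rates=[0, 2, 4, 8]):
        print(f"attacker rate {r:>2}: loss {loss:.4f}")
    print("mu for 1% loss:", round(min_service_rate(2.0, 4.0, 8, 3, 0.01), 2))
```

For a defender, `min_service_rate` is the capacity-planning side of the model: it gives the relay service rate needed to keep end-to-end loss under a target for a given flooding rate.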

Conclusions
This paper developed a model and a respective practical prototype of a broadcast storm attack, which may disrupt the desired reliable operation of a mission-critical WSN deployment. To this end, we collected the packet loss probabilities together with the packet transmission delays produced with our testbed, and compared some of those against the corresponding values provided with our simple queuing theoretic model. The obtained results not only evidence the feasibility of this convenient custom-made approximation for predicting the operational parameters of a real-world WSN under attack, but also help identify conditions that become threatening for the intended operation of the industrial monitoring system under consideration.