1. Introduction
One of the emerging technologies that facilitate a broad range of incipient smart applications is the Internet of Things (IoT). It enables the smart provisioning of intelligent and advanced services in different domains such as industry [1], healthcare [2], and agriculture [3]. A revolutionary development of a wide scope of new IoT applications is being witnessed nowadays. Examples are smart cities, smart metering, industrial automation, and environmental monitoring. As a result, the number of IoT-enabled devices has been showing exponential growth in recent years. The forecast in [4] indicates that more than 30 billion IoT devices will be connected in 2030. As estimated by the McKinsey Global Institute [5], the IoT industry may generate $3.9–11.1 trillion a year in revenue by 2025.
An IoT network typically comprises small-sized devices which have limited computation and energy resources. Energy-efficient wireless communication technologies are utilized to enable effective connectivity among these devices. Therefore, the Low-power and Lossy Network (LLN) is widely used for the establishment of efficient IoT infrastructure. It effectively allows network topologies to be built with resource-limited devices connected over unreliable wireless links. Due to these networking characteristics, routing becomes a challenging functionality in LLNs, particularly for IoT applications with strict requirements.
A set of LLN routing requirements have been defined by the IETF ROLL working group considering several IoT applications. These include urban, industrial, building automation, and home automation applications which are specified in RFC 5548 [6], RFC 5673 [7], RFC 5867 [8], and RFC 5826 [9], respectively. Taking these routing requirements into account, an IETF-standardized and LLN-customized routing protocol is specified in RFC 6550 [10] and called the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL). The protocol functionality is based on extending IPv6 networking to IoT devices and establishing a structured network topology. It addresses effective loop-free routing for efficient communication of IoT data packets. The protocol design is flexible and customizable enough to enable effective topology optimization toward addressing the network requirements of certain IoT deployments.
Nevertheless, security requirements were not effectively considered and provisioned in the original RPL specification. Its potential vulnerability to different security attacks is still a major security challenge. There is still no adequate security support provided by the standard RPL against the different types of security attacks [10]. Only limited resilience to external attacks is provided by the RPL specification [11] whereas complete security support addressing routing attacks is not provisioned [12,13]. Routing attacks are common in RPL networks to target overall network performance and topology stability [14,15,16,17,18]. This gives rise to different emerging security challenges for real-life RPL-based IoT deployments. As IoT networks are gradually being deployed in various critical fields, an open security issue such as this would impede the effectiveness of such a trend.
The growing deployment of IoT devices in our vehicles, buildings, mobile devices, and appliances would open the doors for severe security threats compared with the cases of traditional networks. The potential damage that can consequently happen would be critical, causing IoT networks to collapse with complete communication disruption and data loss. As estimated earlier in [19], cybercrime during 2015 incurred a cost of $400–500 billion. The figure rose six-fold in 2016 to approximately $2–3 trillion. All these vital considerations demonstrate the importance of a practical understanding of potential security attacks and the need for intensive experimental analysis of their impacts on RPL network performance. Without such a critical orientation for a standardized IoT protocol such as RPL, it would be hard to effectively realize efficient and practical IoT security solutions.
Therefore, there is a compelling need to investigate the impact of these types of internal routing attacks on the overall performance of RPL networks. A deep understanding of such critical situations is a vital step towards effectively developing efficient IoT attack mitigation solutions. This is more critical in the case of large-scale deployment scenarios which are common in different IoT applications including smart cities, e-healthcare, and industrial automation. In this research work, we carried out an extensive experimental study of a set of critical routing attacks in the context of RPL networks. Addressing the practical investigation of RPL networks during simple-to-complex routing attack scenarios while considering different attack types and varying-scale setups in a multidimensional performance study represents the novelty of this work. The major focus was on analyzing the effects of certain well-known internal routing attacks on RPL networks. These were namely the Version Number (VN), rank, Worst Parent (WP), and replay attacks.
This research work provides a practical contribution toward experimentally studying the effectiveness of internal routing attacks on RPL-based IoT networks. It mainly contributes to the practical understanding of diverse routing attacks in varying-scale IoT network setups and simple-to-complex security attack scenarios. The main objective is to provide future research works with a practical research reference of the security efficiency and overall network performance of RPL networks under routing attacks. Accordingly, a set of critical security research questions were identified for this study to experimentally answer. These are as follows:
- What is the most adverse internal routing attack in RPL networks considering the rank, VN, WP, and replay attacks?
- What is the impact of composite internal routing attacks on the overall performance and topology stability of RPL networks?
- How adverse is it to have hybrid internal routing attacks initiated in RPL networks, compared to single and composite attacks?
- Would RPL internal routing attacks be more effective as the scale of the network increases?
Systematic and practical experimentation was carried out to give in-depth answers to these research questions. The results indicate the adverse impacts of routing attacks on the overall performance of RPL networks. Even in simple attack scenarios, the networks experienced noticeable degradation of QoS performance and network stability in addition to noticeable increases in control traffic overhead and energy consumption. This was more evident in large-scale experimental setups and also under composite and hybrid attacks.
The following section presents an overview of the standard RPL. Section 3 discusses RPL security and describes the RPL internal routing attacks of interest. In Section 4, the attack model and network assumptions are presented. Section 5 provides a research overview of the related work. In Section 6, the experimental methodology followed in this study is detailed. Section 7 presents the obtained experimental results whereas Section 8 provides insightful discussion. The conclusion is then provided in Section 9.
2. RPL Overview
IoT networks are characterized by the interconnectivity of a high number of resource-constrained embedded devices over LLNs. These devices are of small capacity and restricted in terms of computation, storage, and energy resources. Scarce LLN links are typically utilized to establish network connectivity among these devices without any guarantee of high network performance and communication reliability. However, wireless data communications are guaranteed without adding much complexity and incurring high cost and energy consumption. Therefore, the link layer communication technology commonly adopted for LLNs is IEEE 802.15.4. On top of that, header compression and fragmentation are incorporated in LLN architecture as an additional IP adaptation layer for effective integration with IPv6 networks. The IETF in RFC 4944 [20] and RFC 6282 [21] specifies that such functionality is provided by the IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs). It enables LLNs to efficiently address end-to-end IP networking.
For effective LLN routing on top of the 6LoWPAN layer, the IETF ROLL working group specified RPL in RFC 6550 [10] to provide a customized networking solution for maintaining the IPv6 routing functionality at the network layer. It enables effective loop-free routing of IoT data traffic over constrained LLN links. RPL is developed as a distance-vector routing protocol that works in a proactive mode of operation. It supports different communication schemes: point-to-point, point-to-multipoint, and multipoint-to-point. RPL is designed with a routing framework adhering to the distinct characteristics of LLNs while providing the flexibility to implement objective-oriented routing optimization. It facilitates the implementation of different routing optimization objectives using one or multiple routing metrics. Therefore, RPL provides the support to meet the varying requirements of a broad range of IoT applications.
A single LLN is structured by RPL as one or a set of distinct RPL instances with each one constructed as a Directed Acyclic Graph (DAG). An RPL instance consists of single or multiple Destination-Oriented DAGs (DODAGs). A DODAG is established as a multihop network topology of a designated root (RPL sink node) and multiple normal RPL nodes.
Figure 1 presents an example RPL network of two RPL instances. Instance 1 contains two different DODAGs and Instance 2 has a single DODAG. Internet connectivity for these DODAGs is maintained through their corresponding sink nodes (SN1–3).
RPL operation is based on four main ICMPv6 messages to enable the construction of a DODAG topology in a multihop fashion. This is achieved in two main stages: upward and downward network path establishment. The first stage starts with the sink node initiating periodic dissemination of DODAG Information Object (DIO) messages. Upon the reception of the message, each recipient node processes and then forwards it to its neighbor nodes. Having this process repeated by each node joining the DODAG enables full network convergence and the successful establishment of upward paths across the network. That is, the DIO messages carry the necessary information to the nodes for successful DODAG discovery and maintenance. The disseminated information in the DIO message includes the Instance ID and DODAG ID which are utilized to identify a DODAG. In addition, each DIO message contains the Version Number (VN) which indicates the current update to the topology of the DODAG. Other indicators including the rank value and IPv6 address of the parent node are also disseminated to enable nodes to successfully join the network.
The DIO messages also contain other important information indicating the Objective Function (OF) being applied in the current RPL instance. DODAG topology formation is dictated by the OF to meet specific routing optimization goals and achieve certain application-specific network requirements. RPL provides a customizable OF that can be implemented for objective-oriented routing toward effective optimization of DODAG construction. Certain optimization objectives can be defined to meet different requirements including network reliability, energy efficiency, and data security. These can then be utilized for the establishment of low-cost upward routing paths. Each RPL node uses the advertised OF in DIO messages for node ranking and parent selection. The rank calculation is performed by the node to specify its virtual distance to the sink node and inhibits any routing loop. This process ensures that rank increases as the node’s position goes deeper in the DODAG. A preferred parent (next hop) is then selected among those of lower-ranked nodes in its neighbor list which consists of all the sources of received DIO messages. Optimal parent selection can then guarantee minimum-cost loop-free routing over lowest-ranked parents.
Different routing metrics and constraints can be utilized for implementing an OF that fulfills specific application requirements. A routing metric is a quantitative value that represents a specific characteristic of the network based on the calculation of certain network parameters. This value indicates the cost of selecting a certain path according to an optimization objective. OFs can be implemented using single or composite routing metrics based on either static or dynamic values. Examples of potential routing metrics and constraints can be found in RFC 6551 [22] which classifies them into node and link routing metrics and constraints. There are two standardized OFs for RPL: Objective Function Zero (OF0) and Minimum Rank with Hysteresis Objective Function (MRHOF). RFC 6552 [23] specifies OF0 which is based on the hop count as a routing metric. MRHOF has been developed to address network reliability as specified in RFC 6719 [24]. It uses the Estimated Transmission Count (ETX) as a routing metric which is based on the calculation of the necessary transmissions/retransmission for successful packet delivery.
The following stage to upward routing is downward network path establishment. It is initiated in response to the process of topology construction. Each node propagates its routing information upward upon the reception of a DIO message via a parent node. This is performed by sending a Destination Advertisement Object (DAO) message over the upward paths already established to the sink node. The message contains routing information such as the node’s IPv6 address. Two modes of downward routing are supported: storing and non-storing modes. The former is fully stateful as the routing information being disseminated in DAO messages is stored by each node. Internal routing across the DODAG network is effectively maintained based on the stored routing information. This enables data packets to be routed from any RPL source to an RPL destination via a common ancestor node. The non-storing mode is based on source routing that allows routing data traffic through the root only. Accordingly, only the sink node has complete access to the network destinations in a DODAG whereas no routing table is maintained by the other nodes. In either of these modes, RPL nodes acknowledge the reception of DAO messages by replying with DAO-ACK messages.
During topology construction and maintenance, RPL utilizes the Trickle algorithm [25] to manage network overhead and maintain control packets at a minimum level. It provides the ability to control DIO transmissions based on how stable the network is currently. It starts with a small time interval and then applies an exponential increase as long as the DODAG topology stays stable without any inconsistency detected in the network. Otherwise, the algorithm resets the time interval, causing the process to start over. Examples of the events that cause such a reset are VN updates, preferred parent changes, and the reception of any DIS message triggering DIO broadcasting.
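The cost of such resets can be quantified with a small model. The following C program is an added example, not code from the paper or from Contiki: it counts the DIOs one node sends in an hour when the Trickle interval is left to grow, and when it is reset at a fixed period (as repeated VN updates would do). The 4096 ms minimum interval, the 8 doublings, and the simplifications noted in the comments are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Count the DIOs one node sends in [0, horizon_ms).
 * Simplified Trickle model (assumptions of this example): one DIO per
 * interval, sent at the interval midpoint, with no redundancy suppression
 * and no random jitter. reset_period_ms == 0 means the timer is never reset. */
unsigned trickle_dio_count(uint64_t imin_ms, unsigned doublings,
                           uint64_t horizon_ms, uint64_t reset_period_ms)
{
    if (imin_ms == 0)
        return 0;                       /* an interval of 0 would never advance */

    const uint64_t imax_ms = imin_ms << doublings;
    uint64_t now = 0;
    uint64_t interval = imin_ms;        /* start with the small interval */
    uint64_t next_reset = reset_period_ms ? reset_period_ms : UINT64_MAX;
    unsigned sent = 0;

    while (now < horizon_ms) {
        uint64_t tx  = now + interval / 2;   /* transmission point */
        uint64_t end = now + interval;       /* end of this interval */

        /* The DIO goes out only if no reset pre-empts it. */
        if (tx < horizon_ms && tx < next_reset)
            sent++;

        if (next_reset <= end) {
            /* Inconsistency event: fall back to the minimum interval. */
            now = next_reset;
            interval = imin_ms;
            next_reset += reset_period_ms;
        } else {
            /* Stable network: double the interval up to the maximum. */
            now = end;
            interval = (interval * 2 > imax_ms) ? imax_ms : interval * 2;
        }
    }
    return sent;
}

int main(void)
{
    const uint64_t hour_ms = 3600000;   /* constructed observation window */

    printf("no resets:            %u DIOs/hour\n",
           trickle_dio_count(4096, 8, hour_ms, 0));
    printf("reset every 10 min:   %u DIOs/hour\n",
           trickle_dio_count(4096, 8, hour_ms, 600000));
    printf("reset every 60 s:     %u DIOs/hour\n",
           trickle_dio_count(4096, 8, hour_ms, 60000));
    return 0;
}
```

The counts are per node, so the network-wide control overhead scales with the number of nodes that see each reset.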
In addition, RPL defines two different procedures for addressing node or link failure. The first is the local repair which addresses failures by enabling the immediate selection of an alternative preferred parent node to the current one. The second procedure is the global repair which requires updating the current version of the topology and initiating full DODAG topology reconstruction. The sink node initiates this process by incrementing the currently advertised VN. This results in the exchange of several DIS and DIO messages across the network after resetting the trickle timer. These failure recovery procedures are initiated upon the detection of any routing problem such as routing loops. This provides a reliable guarantee of effective failure recovery but at the cost of much more network overhead, particularly in large deployments.
3. RPL Routing Attacks
The protocol design of the standard RPL incorporates limited security support against external security attacks. It comes in multiple basic security modes, namely the insecure, preinstalled, and authentication modes. The protocol operates without security support in the insecure mode whereas preinstalled security keys are utilized for the establishment of secure data communication in the preinstalled mode. In the authentication mode, a security key needs to be obtained from an authentication authority before joining an RPL network and establishing data communication [10].
Although RPL ensures limited resilience against external attacks [11], it lacks sufficient support to defend against internal routing attacks [12,13]. RPL has no mechanism to address the common attacks such as sinkhole, wormhole, and blackhole attacks nor the RPL-specific ones including VN, rank, and WP attacks [14,15,16,17,18]. This would magnify the vulnerability of the protocol and make it an attractive target for different routing attacks. Moreover, these attacks can be easily launched by any node in RPL networks. For example, a malicious node can initiate a VN attack by updating the VN value being disseminated in the DIO message without adhering to the standard protocol operation. As a result, a new illegitimate DODAG update is carried out, leading to a full topology reconstruction of the RPL network. Such an attack in addition to other types of attack would cause an adverse impact on network stability and incur a noticeable increase in network overhead and power consumption. The following sub-sections provide a brief overview of four critical routing attacks that can be easily and effectively initiated in RPL networks [14,15,16,17,18].
3.1. Rank Attack
One of the main RPL design aspects is the ranking mechanism which utilizes the rank property to ensure loop-free routing. It is based on having the rank values increase in the downward direction from the root to the leaf nodes. Accordingly, preferred parent selection is performed on neighbor nodes of lower ranks and better positions only. However, such a mechanism can be exploited by a malicious node to launch the so-called rank attack. Without strict adherence to the above rule, a node can increase its rank value and deceive its neighbor nodes at some point after joining an RPL network. The target is to create a sub-optimal topology causing data traffic to traverse network paths of lower QoS performance. It also can incur unwanted routing loops and drain available resources, particularly when considering large-scale RPL deployments.
In other cases, the rank attack can be launched by a malicious node, decreasing its advertised rank value. This would attract most of its neighbor nodes as a well-ranked parent candidate. As a result, multiple neighbor nodes would then make changes to their current preferred parents. This then can help in initiating further attacks such as blackhole attacks and cause the situation to be even worse. The main target in both modes of rank attack is undermining network stability.
3.2. Version Number (VN) Attack
RPL defines the version numbering mechanism to enable simple tracking of the frequent updates to a DODAG topology due to global repairs. The version property is used to indicate a new global repair and specify the iteration in which the topology is currently considered. The sink node initiates a DODAG with the default VN which is then associated with the initial setup of the topology. DIO advertisements carry the version information in the version field of the message. Upon the initiation of a global repair, the sink node advertises DIO messages with a new VN. A global repair can be performed under different conditions including the detection of VN inconsistencies and routing loops. Once a node receives the new VN, it recalculates its rank value and repositions within the topology after updating the state of its current VN. Accordingly, a new VN update would result in new positions of the nodes and a complete update to the DODAG topology.
As per the RPL specification [10], the version field in the DIO message is set by the sink node only without being changed as the messages are propagated across the network. However, RPL comes with no guarantee that this stays unviolated by any malicious activities. Such a security gap can be utilized to launch a VN attack using the version property. This only requires a malicious node to modify the advertised DIO messages with a new VN. This would result in broadcasting a fake VN update and triggering an illegitimate global repair. However, the recipients consider it a legitimate global repair and thus have no option but to participate in the process. The objective of the attack is to cause a serious disruption of network stability by initiating unnecessary global repairs and flooding the RPL network with a high number of control messages. The main target is to exhaust network resources and cause a noticeable reduction in overall performance and network lifetime.
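The rank and version rules described in Sections 3.1 and 3.2 can be turned into receive-side consistency checks on incoming DIOs. The following C program is an added example, not part of the paper or of the Contiki RPL code: it flags a newer VN that is first announced by a neighbor no closer to the sink than the receiver, and a sharp drop in a neighbor's advertised rank. The struct layouts, both thresholds, the simplified 8-bit version comparison, and the sample DIOs are assumptions constructed for illustration, and the checks are heuristics rather than a complete defense.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_NEIGHBORS   8
#define VERSION_WINDOW  16   /* assumed: how far ahead a VN may be and count as newer */
#define RANK_DROP_LIMIT 256  /* assumed: largest rank decrease tolerated between DIOs */

typedef enum { DIO_OK, DIO_VERSION_FROM_BELOW, DIO_RANK_DROP } dio_verdict_t;

/* Hypothetical, reduced view of a DIO: sender, Version Number, advertised rank. */
typedef struct { uint16_t sender; uint8_t version; uint16_t rank; } dio_t;
typedef struct { int used; uint16_t id; uint16_t last_rank; } neighbor_t;
typedef struct {
    uint16_t   own_rank;
    uint8_t    version;
    neighbor_t nbr[MAX_NEIGHBORS];
} node_state_t;

/* Simplified wrap-around comparison; RFC 6550's full counter rules are not modelled. */
static int version_newer(uint8_t a, uint8_t b)
{
    uint8_t ahead = (uint8_t)(a - b);
    return ahead != 0 && ahead <= VERSION_WINDOW;
}

/* Return the entry for id, or a free slot prepared for it, or NULL if the table is full. */
static neighbor_t *find_neighbor(node_state_t *n, uint16_t id)
{
    neighbor_t *free_slot = NULL;
    for (int i = 0; i < MAX_NEIGHBORS; i++) {
        if (n->nbr[i].used && n->nbr[i].id == id) return &n->nbr[i];
        if (!n->nbr[i].used && !free_slot) free_slot = &n->nbr[i];
    }
    if (free_slot) free_slot->id = id;
    return free_slot;
}

dio_verdict_t check_dio(node_state_t *n, const dio_t *d)
{
    neighbor_t *nb = find_neighbor(n, d->sender);
    int known = nb && nb->used;
    uint16_t prior_rank = known ? nb->last_rank : d->rank;

    if (version_newer(d->version, n->version)) {
        /* A legitimate global repair starts at the sink and travels downward,
         * so the first neighbor to announce it should be closer to the sink. */
        if (prior_rank >= n->own_rank) return DIO_VERSION_FROM_BELOW;
        memset(n->nbr, 0, sizeof n->nbr);   /* ranks are recomputed after a repair */
        n->version = d->version;            /* own rank recomputation is not modelled */
        nb = find_neighbor(n, d->sender);
    } else if (known && prior_rank > d->rank &&
               prior_rank - d->rank > RANK_DROP_LIMIT) {
        /* Within one version, a large rank decrease suggests a forged rank. */
        return DIO_RANK_DROP;
    }
    if (nb) { nb->used = 1; nb->last_rank = d->rank; }
    return DIO_OK;
}

/* Run the checks over five constructed DIOs seen by a node of rank 768, VN 240. */
unsigned classify_sample(dio_verdict_t out[5])
{
    static const dio_t sample[5] = {
        {2, 240,  512},   /* parent, consistent */
        {7, 240, 1024},   /* child, consistent */
        {7, 240,  256},   /* child suddenly advertises the sink's rank */
        {7, 241, 1024},   /* child announces a new VN first */
        {2, 241,  512},   /* parent announces the new VN */
    };
    node_state_t me;
    unsigned flagged = 0;

    memset(&me, 0, sizeof me);
    me.own_rank = 768;
    me.version  = 240;
    for (int i = 0; i < 5; i++) {
        out[i] = check_dio(&me, &sample[i]);
        if (out[i] != DIO_OK) flagged++;
    }
    return flagged;
}

int main(void)
{
    static const char *name[] = { "ok", "version-from-below", "rank-drop" };
    dio_verdict_t v[5];
    unsigned flagged = classify_sample(v);

    for (int i = 0; i < 5; i++) printf("DIO %d: %s\n", i + 1, name[v[i]]);
    printf("%u of 5 flagged\n", flagged);
    return 0;
}
```

Both checks rely on unauthenticated fields, so a neighbor that forges a low rank and a new VN together from its first DIO is not caught by them.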
3.3. Worst Parent (WP) Attack
The creation of a sub-optimal topology is one of the main objectives when targeting RPL network security toward overall network performance degradation. This can be achieved by having malicious RPL nodes select the candidate parents of the highest rank as their preferred parents instead of those with the minimum ranks. Although this violates the standard operation of RPL, this behavior can be easily realized to enable the initiation of the WP attack. The attacking nodes then systematically keep changing their preferred parents to the worst possible without the need for changing their current rank. The main objective is to establish the worst available paths for the attacking node’s sub-DODAG. The attack targets the creation of routing sub-optimization which would lead to high transmission delay in addition to occasional routing loops and network isolation.
3.4. Replay Attack
The broadcast messages of RPL such as DIO messages can be eavesdropped by any node joining an RPL network. To initiate a replay attack, the eavesdropper node maliciously resends the eavesdropped message to its neighbor RPL nodes. The message is then perceived as a new one having fresh and relevant information. The attack can be applied using any type of RPL control message. If this is performed to duplicate and multicast the DIO messages of a neighbor node, it is then called a neighbor replay attack. Another possibility is that the attacker sends outdated eavesdropped DIO messages containing old routing information to cause the problem of stale routing information. Moreover, the replay attack can be used to initiate a Denial-of-Service (DoS) attack, referred to as a copycat attack. It is based on frequent multicasting of the eavesdropped control messages with a fixed replay interval after modifying the messages’ source IP addresses to the one of the attacker. In general, the main objective of replay attacks is the formation of non-optimal topology and the degradation of network performance. It is also possible to have the attack result in DODAG disruption and inconsistency, leading the targeted nodes to be unable to communicate and then detach from the DODAG.
4. Related Work
As discussed in the previous section, RPL comes with different basic security modes but has no sufficient security support against internal routing attacks. Although secure access control can be provided using the authentication mode, there is still a great opportunity for a node to be compromised and used for initiating internal routing attacks. The inherent protocol design of RPL makes it easy to initiate common routing attacks such as the sinkhole, blackhole, and wormhole attacks [13,26,27] in addition to the RPL-specific ones such as VN, replay, and WP attacks [28,29]. The different potential RPL security attacks have been surveyed and reviewed in different research studies [14,15,16,17,18]. In these works, a classification of the RPL attacks into those targeting network topology, network resources, and network traffic was provided. An example of a network topology attack is the WP attack whereas the VN and rank attacks were categorized as network resource attacks.
In addition, there have been various research efforts made to study the performance of RPL networks under a specific routing attack. The overall results showed that these attacks result in considerable overall performance degradation of the targeted RPL networks. The experimental results presented in [30] demonstrated how RPL networks experienced a high delay, packet loss, and network overhead when being under blackhole attacks. The experimental study in [31] showed the adverse impact of the wormhole attack on the power consumption and network overhead of RPL networks. The same attack was investigated in [32] over a real-testbed setup. The results illustrated the ability of the attack to cause high increases in packet loss. The experimental study in [33] discussed the adverse impact of the sinkhole attack on RPL compared to other protocols such as AODV. The attack led to a degradation of QoS performance and increases in network overhead and energy consumption as indicated by the presented simulation results.
The studies presented in [34,35] showed that DIS flooding attacks can decrease PDR and increase delay and power consumption, particularly in composite-attack scenarios. Experiments with RPL networks on real-testbed setups in [36] presented similar results, showing that the DIS flooding attack degraded power consumption in addition to nodes’ joining time. In [37], the DAO induction attack caused a noticeable degradation of QoS performance and led to high increases in communication delay and packet loss. In [38], the impact of single and composite replay attacks on RPL networks was experimentally examined. As the results indicated, the attacks led to a high degradation of QoS performance and an increase in energy consumption.
The VN attack was investigated in different research studies for examining its effect on RPL networks. The simulation results in [39] indicate how the VN attack can result in a noticeable drop in PDR in addition to a high increase in delay and network overhead. High power consumption can also be incurred by VN attacks as demonstrated by the evaluation results in [40,41]. Moreover, a more effective VN attack can be launched with multiple nodes performing the attack simultaneously in a distributed manner. The experimental results in [42] show that increasing the number of attackers amplified the adverse effect of the VN attack. Other studies showed that the RPL network experienced more adverse impacts of VN attacks as the network was flooded by these attacks [43] and when the network had mobile nodes [44].
The rank attack was also experimentally studied in [45] considering different network topology structures. The evaluation results showed that the attack affected the overall performance of RPL networks in all the considered scenarios as the energy consumption and network overhead noticeably increased. In [46], it was observed that targeting large-scale RPL networks with composite rank attacks can noticeably lead to high degradation of QoS performance.
There have also been other attempts to compare the impact of different RPL routing attacks on RPL networks. In [47], a comparison of the VN, WP, and DIS flooding attacks was presented considering both single- and composite-attack scenarios in relatively large-scale setups. The simulation results showed that the RPL network was more affected by the VN and DIS flooding attacks than the WP attack in terms of QoS performance, power consumption, and network overhead. Other comparison studies were presented in [48,49] to show the impacts of the single and composite VN, rank, and hello flooding attacks. The results indicated noticeable network performance degradation in terms of QoS measures, energy consumption, and network overhead. The impact of certain attacks including hello flooding, selective forwarding, clone ID, sybil, and local repair attacks on network performance was analyzed in [50]. The experimental results showed RPL networks under these attacks experienced low network throughput. The evaluation study presented in [51] highlighted the ability of single and composite rank, local repair, neighbor, and DIS flooding attacks to degrade QoS performance and increase network overhead.
However, there are still certain aspects and considerations that have not yet been effectively studied and analyzed as indicated in Table 1. The focus has been mainly on experimenting with RPL networks under certain routing attacks in relatively simple and small-scale setups. There have been few attempts towards investigating composite RPL attacks in more complex scenarios. Challenging RPL networks with combinations of different attacks in varying-scale hybrid-attack scenarios has not been effectively analyzed yet. Considering all these aspects in a multidimensional study that sheds empirical light on the security performance of RPL networks is the main aim of this research work. It provides a reference study for addressing advanced security support against more complex RPL attack scenarios of large-scale setups and hybrid routing attacks.
5. Routing Attack Model
This section provides a brief discussion of the basic network characteristics and assumptions upon which this study is based. It is assumed that an RPL network always has a single sink node and multiple non-sink RPL nodes. All the nodes run an RPL implementation as specified by the RPL standard in RFC 6550 [10]. The sink node is the node that initiates the DODAG in a storing mode. It is also assumed that the sink node has no exposure to any form of routing attack.
One or more of the non-sink nodes act as attacking nodes to perform certain attacks during RPL attack scenarios. An attack can be initiated by a single node in the network joining as a legitimate one and establishing direct communications with the legitimate neighbor nodes. In addition, multiple differently positioned nodes can initiate the same attack either independently or in a cooperative manner. It is also possible that these attacking nodes simultaneously perform different types of routing attacks such as the VN and rank attacks.
The assumption was made that each node is a stationary small-sized device that is resource-limited and powered by batteries. Varying-scale deployment of the devices is considered following different positioning strategies such as uniform and random positioning. Wireless connectivity among the nodes is assumed in multihop topological setups. Different types of real IoT devices exist in the market that incorporate an RPL implementation in their networking stacks. Among these are Tmote [52], Zolertia Z1 [53], TelosB [54], and MicaZ [55].
The deployment of the nodes is assumed to address a specific IoT application. The application-specific IoT data are frequently collected in a periodical manner. The transmission of the IoT data is performed at a predefined time interval over UDP data packets. This is carried out using the established upward routing paths in RPL networks. The sink node acts as an Internet gateway and serves as a central point via which data forwarding to/from the Internet is carried out.
RPL networks initially run under no attack and reach a certain level of topological stability. The initiation of the attacks is assumed after a certain time by which the RPL network topology comes to convergence. The target of the attacker is to cause critical disruption to network stability by establishing unnecessary communications and flooding the network with a high volume of control traffic. The main objective is to incur a considerable degradation of the overall network performance and a noticeable drop in network lifetime.
6. Methodology
IoT devices are commonly characterized by constrained resources and limited capabilities which entail the need for customized Operating Systems (OSs). The common choices in this regard are Contiki OS and TinyOS. These are open-source OSs that implement IPv6-based network stacks to support effective IP connectivity. Both come with practical implementations of 6LowPANs and RPL to provide IP adaptation and IPv6-based network routing, respectively. Additionally, Contiki OS [56] includes the Cooja network simulator which can be effectively utilized to emulate different IoT scenarios while running the real Contiki OS implementation. It enables building IoT setups using different types of virtual IoT motes that can be configured to effectively emulate real-life IoT deployments. The experimentation of this work was carried out using the Cooja simulator of the most recent version of Contiki OS (Contiki 3.0).
For the implementation of the different routing attacks, modifications were made to the RPL code base in the network stack of the Contiki OS. Most of the code modifications were carried out to two main source files: “rpl-dag.c” and “rpl-icmp6.c”. This was carried out for the RPL implementation of the attacker nodes only for running a specific attack ten minutes after the simulation start time. The source code was modified to decrease the rank by two, increase the VN by one, copy and resend the neighbor’s DIO messages, and select the parent having the highest rank value for implementing the rank, VN, replay, and WP attacks, respectively.
For effective analysis, the experiment was designed with three RPL experimental setups referred to as S1, S2, and S3. It was deemed important to implement different setups of varying-scale network topologies and varying complexity levels for realizing a comprehensive analysis. For each setup, an RPL network of a single RPL instance having one DODAG of a single sink was considered. A total of 25, 40, and 65 nodes were the DODAG sizes of S1, S2, and S3, respectively.
Figure 2 presents the network topology of S2. Each one of the sink and sensor nodes was emulated as a Zolertia Z1 mote which has an MSP430 16 MHz MCU. It also comes with a 92 KB flash memory, 8 KB RAM, and CC2420 transceiver. Random placement of the nodes in the simulated deployment area of 300 × 300 m was considered for all the setups. A multihop network topology was formed among all the nodes in all the setups. In addition, the communication and interference ranges were configured to 25 and 50 m, respectively, for all the nodes.
Table 2 provides a summary of the main simulation parameters.
The adopted implementation of the Contiki OS runs the two standard OFs. In this work, RPL was experimented with the MRHOF which is based on the routing metric of ETX. Additionally, each RPL sensor node was configured to run a UDP client for the frequent transmission of IoT data packets. It regularly sends a UDP packet at a ±5 s data communication interval. This is received by the sink node which also runs a central UDP server. Furthermore, different plugins of Cooja were configured at each node. These included the “collect-view” and “powertrace” modules which simplify the collection of overall performance data and energy consumption indicators, respectively.
The evaluation methodology was designed to incorporate multiple experimentation stages as shown in Figure 3. The first one was based on running an attack-free scenario for each experimental setup using the original RPL implementation. This assisted in establishing the performance baseline necessary for establishing an overall comparison against the experimental measurements collected in the next stages. The RPL implementation was then examined under different single-attack scenarios in the following evaluation stage. For each setup, multiple attack scenarios were created considering different attack types and attacking nodes. Composite-attack scenarios were then considered in the third stage to run diverse attack scenarios with more than one attacking node. Two different nodes were configured to run the same attack in each scenario considering a different experimental setup at a time. For the final evaluation stage, the same procedure was then repeated except that the two attacking nodes simultaneously run different attack types in each scenario.
During each stage and for each scenario, the attack is performed by different nodes of varying properties, in particular node position and neighbor count. This was deemed important for the effective investigation of the variant forms of potential RPL attacks and diverse security effects on RPL performance. The initiation of the attack was configured to be ten minutes after the simulation start time which was set to 50 min. Each simulation run was repeated ten times and the average of the collected results was obtained.
The evaluation was based on different network measures which provide effective indications of various network performance parameters. These are categorized as follows:
- QoS performance: Throughput, Packet Delivery Ratio (PDR), delay, and ETX.
- Network stability: Beacon interval and Preferred Parent Change (PPC) rate.
- Network overhead: DIO transmission rate and DAO transmission rate.
- Energy efficiency: Consumed Energy (CE).
The calculation of the average PDR was based on the ratio of the number of received data packets at the UDP server to the number of transmitted data packets at the UDP clients. The throughput was calculated by obtaining the average of the total number of data bits that were successfully transmitted per second. For the delay calculation, the required time for the transmitted data packets to be successfully received by the UDP server was collected and averaged. The calculation of the ETX was based on obtaining the average of the total number of transmissions and retransmissions required for the successful delivery of data packets.
The DIO and DAO transmission rates were calculated as the average number of DIO and DAO advertisements being transmitted across the network per minute, respectively. For the calculation of the PPC rate, the total number of changes made by all the nodes to their preferred parent during the entire time of the simulation was divided by the number of nodes and then the average was taken. Beacon interval is an important measure of topology stability as a small beacon interval indicates that more topology updates are being performed in the network. It is the average of the time between two consecutive beacons of all the RPL nodes.
The data collected by the “powertrace” module were utilized to obtain the time spent in each mote state (Transmit, Listen, CPU, and Low-power states). These were then multiplied by their corresponding current consumption levels and the power supply voltage as specified in [52]. The average of the total was then taken for the calculation of energy consumption.
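The metric definitions above (PDR, throughput, delay, DIO/DAO rates, PPC rate, and consumed energy) can be computed as in the following added example, which is not code from the paper or from Contiki. The log format, the per-state times, the payload size, and the current and voltage values are constructed assumptions; ETX and beacon interval are left out.

```python
from collections import Counter

# Constructed sample log (not real Cooja output): "<time_s> <node> <event> [args]".
# Node 1 is the sink. TX_DATA arg is "<seq>", RX_DATA args are "<source> <seq>".
SAMPLE_LOG = """\
600.0 2 TX_DATA 1
600.4 1 RX_DATA 2 1
601.0 3 TX_DATA 1
601.9 1 RX_DATA 3 1
602.0 2 DIO
603.0 3 DIO
604.0 3 DAO
605.0 3 PARENT 2
660.0 2 TX_DATA 2
660.0 3 TX_DATA 2
660.6 1 RX_DATA 2 2
662.0 3 PARENT 1
663.0 3 DIO
664.0 3 DAO
"""

# Assumed placeholder currents (mA) and supply voltage (V); use the datasheet values.
CURRENT_MA = {"cpu": 1.8, "lpm": 0.0545, "tx": 19.5, "listen": 21.8}
VOLTAGE = 3.0

# Constructed seconds spent in each state, per node (powertrace-style totals).
STATE_SECONDS = {
    2: {"cpu": 100, "lpm": 2900, "tx": 10, "listen": 50},
    3: {"cpu": 200, "lpm": 2800, "tx": 20, "listen": 100},
}


def parse_log(text):
    """Return a list of (time_s, node, event, args) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, node, event, *args = line.split()
        events.append((float(t), int(node), event, [int(a) for a in args]))
    return events


def qos(events, payload_bits, duration_s):
    """PDR, throughput (bit/s) and mean end-to-end delay of delivered packets."""
    sent = {}       # (source, seq) -> send time at the UDP client
    delivered = {}  # (source, seq) -> delay; duplicates are counted once
    for t, node, event, args in events:
        if event == "TX_DATA":
            sent[(node, args[0])] = t
        elif event == "RX_DATA":
            key = (args[0], args[1])
            if key in sent and key not in delivered:
                delivered[key] = t - sent[key]
    n = len(delivered)
    return {
        "pdr": n / len(sent) if sent else 0.0,
        "throughput_bps": n * payload_bits / duration_s,
        "avg_delay_s": sum(delivered.values()) / n if n else None,
    }


def overhead_and_stability(events, n_nodes, duration_min):
    """DIO/DAO transmissions per minute and parent changes per node."""
    counts = Counter(event for _, _, event, _ in events)
    return {
        "dio_per_min": counts["DIO"] / duration_min,
        "dao_per_min": counts["DAO"] / duration_min,
        "ppc_per_node": counts["PARENT"] / n_nodes,
    }


def energy_joules(state_seconds, current_ma, voltage):
    """Sum over states of time (s) x current (mA) x voltage (V), in joules."""
    return sum(s * current_ma[state] for state, s in state_seconds.items()) * voltage / 1000.0


def mean_energy_joules(per_node, current_ma, voltage):
    """Average consumed energy over all nodes."""
    totals = [energy_joules(states, current_ma, voltage) for states in per_node.values()]
    return sum(totals) / len(totals)


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(qos(ev, payload_bits=240, duration_s=120))
    print(overhead_and_stability(ev, n_nodes=2, duration_min=2))
    print(mean_energy_joules(STATE_SECONDS, CURRENT_MA, VOLTAGE))
```

Comparing these values between the attack-free baseline and each attack run gives the relative changes reported in the results.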
7. Results
Table 3 shows how the standard RPL networks performed well under no attack considering all the setups. It can be seen that a high QoS performance and network stability were achieved in addition to maintaining low traffic overhead and energy consumption. The network was able to keep PDR and throughput to high levels in addition to maintaining low delay and ETX even in large-scale scenarios. The network also limited the DIO and DAO transmissions to only 74 packets per minute at most as well as the PPC rate to only a single change/node on average. The total energy consumption was also maintained at a relatively low value of 5800 joules in the relatively large-scale setup of S3. However, the presented results in Table 4, Table 5 and Table 6 and Figure 4, Figure 5, Figure 6, Figure 7 and Figure 8 show how adverse the impact of the different routing attacks is on the overall performance and stability of RPL networks.
In the single-attack scenarios, the QoS performance degraded and the network became less stable while experiencing high increases in control traffic overhead and power consumption. Table 4 shows that single attacks caused a reduction of up to 13% in the PDR and throughput in S1 and up to 20% in S2 and S3. In addition, high increases in delay and ETX of up to 74% were experienced considering all three experimental setups. Network stability was also significantly affected as shown in Figure 4a. It can be seen in all the setups that the PPC rate increased by 3–8 changes/node on average. It was also very challenging for the RPL network to maintain high beacon intervals during the different routing attacks as shown in Figure 5a. In S1, the rates of DIO and DAO transmissions increased by more than 25 packets per minute as shown in Figure 6a and Figure 7a. Scaling the network up in S2 and S3 made the situation even worse as more than 100 and 180 control packets were transmitted per minute, respectively. Another increase was also experienced as the consumed energy increased by more than 150% in all three experimental setups as indicated in Figure 8a.
When the performed RPL routing attacks became composite, more performance degradation and stability difficulty were experienced. Compared to the single-attack results, Table 5 shows that the QoS measures were adversely affected by the composite attacks with up to 9% additional degradation. Figure 5b indicates a reduction of more than 20% in beacon interval. Control traffic transmission was increased by more than 17% as shown in Figure 6b and Figure 7b. Moreover, the results presented in Figure 4b and Figure 8b indicate high increases in the PPC rate by more than 12 changes/node on average and in the total consumed energy by more than 400 joules, respectively.
The overall performance and stability of standard RPL networks became even worse during hybrid RPL routing attacks. This was more apparent for the network overhead as can be noticed in Figure 6c and Figure 7c. That is, additional control traffic transmission of more than 40% was experienced during hybrid attacks compared with composite attacks. Another noticeable divergence can be seen when comparing the PPC rates in Figure 4c. Clearly, the hybrid attacks resulted in more unstable network topologies than the composite attacks. There were more than 4 changes/node on average during the hybrid attacks considering all the experimental setups. Figure 8c shows that energy consumption also increased by more than 10%. The results presented in Table 6 indicate that the overall QoS performance degraded by up to 7% considering all three experimental setups. It can be seen from the overall results that hybrid routing attacks are generally more effective in targeting standard RPL networks than other routing attack strategies.
Another important aspect is understanding the most adverse routing attack for standard RPL networks. Considering the single-attack scenarios, Table 4 shows that the VN attack is the most effective routing attack when compared with the other attacks. Similar observations can be made when examining the results of the composite-attack scenarios in Table 5. Single and composite VN attacks resulted in additional QoS degradation by 2–9% compared to the other attacks. The results presented in Figure 4a,b, Figure 5a,b, Figure 6a,b, Figure 7a,b and Figure 8a,b also indicate the same outcome. Single and composite VN attacks caused additional energy consumption by more than 17%. Higher DIO and DAO transmissions of more than 19 control packets per minute and higher PPC rates of up to 7 changes/node on average were also experienced during the single and composite VN attacks. These observations became more evident as the network scaled up.
The next in the order of effectiveness for single- and composite-attack scenarios was the rank attack. Although it had less overall impact than VN attacks, Table 4 and Table 5 show that the rank attacks led to 9–25% less PDR and throughput in addition to 28–90% additional delay and ETX considering all three experimental setups. The rank attacks also led to noticeable increases in the PPC rate and energy consumption as shown in Figure 4a,b and Figure 8a,b, respectively. However, the WP attack came next to the VN attacks when it comes to the impact on network overhead. It resulted in higher control packet transmissions than in the cases of rank and replay attacks. Compared to these attacks, 15–53% additional transmissions were incurred by the WP attacks in single- and composite-attack scenarios considering all three setups as presented in Figure 6a,b and Figure 7a,b.
The least effective routing attack among those under consideration was the replay attack considering single- and composite-attack scenarios in all the setups. It resulted in a less adverse impact on QoS performance by up to 7% and lower control traffic by up to 22 control packets per minute compared to the other attacks. The replay attacks also had a less adverse effect on network stability and energy consumption but with very close results to those of the WP attacks. Nevertheless, the replay attacks can still be regarded as harmful RPL routing attacks with noticeable adverse impacts on network overhead and stability, particularly in composite-attack scenarios and large-scale setups.
In hybrid-attack scenarios, the results show that the combination of VN–rank attacks had the most significant impact on QoS performance and network stability considering all the setups. These attacks incurred pronounced degradation of the QoS performance with more than 19% reductions in PDR and throughput in addition to more than 48% increases in delay and ETX as indicated in Table 6. The PPC rate increased to 38 changes/node on average and the consumed energy reached a considerably high figure of almost 20,000 joules during the hybrid VN–rank attacks as shown in Figure 4c and Figure 8c, respectively. However, combining the VN and WP attacks led to close results with a higher impact on network overhead. For example, Figure 6c and Figure 7c show that this combination incurred 791 control packets per minute in S3, adding more than 16 control packets per minute compared to the results of the hybrid VN–rank attacks. Considering all the setups, it can be seen that combining the VN attack with either rank or WP attacks yields the most effective attack strategies to target standard RPL networks.
Next to these hybrid attacks in the order of effectiveness were the combinations of VN and replay attacks as well as rank and WP attacks. These attacks resulted in degraded QoS performance with more than 13% reductions in PDR and throughput in addition to more than 34% increases in delay and ETX as indicated in Table 6. They also incurred high network overhead with the transmission of up to 791 control packets per minute as shown in Figure 6c and Figure 7c. Figure 8c shows that they caused high energy consumption of up to 17,262 joules. However, these two combinations of hybrid attacks were less effective than the composite VN attacks, particularly for network overhead and energy consumption. Figure 6b and Figure 7b show that composite VN attacks resulted in up to 19 additional control packets per minute and Figure 8b shows that they led to up to 1191 additional joules. Regarding QoS performance and network stability, composite VN attacks still had a higher impact but with very close results to the aforementioned hybrid attacks.
Similarly, the results also show that the composite rank and composite WP attacks were more effective than some of the hybrid attacks. For example, the composite rank attack resulted in more degraded QoS measurements and higher energy consumption than the hybrid VN–replay, rank–replay, and WP–replay attacks. The composite WP attack also incurred higher network overhead compared to the hybrid WP–replay and rank–replay attacks. In addition, the hybrid attacks with the least effectiveness were the WP–replay and rank–replay attacks. The hybrid WP–replay attacks had the least impact on QoS performance, network stability, and power consumption whereas the hybrid rank–replay attacks were the least effective in targeting network overhead. However, the composite replay attacks yielded less impact on RPL networks than these two combinations and any other hybrid attacks.
Another critical consideration is investigating the effectiveness of routing attacks as the RPL network scales up. In single-attack scenarios, the average degradations in QoS measures and network overhead were very close in S1 and S2 whereas a difference of 5–10% was noticed in S3. Similarly, energy consumption and network stability measures were more affected by increasing the scale of the network. Similar observations can also be made for the composite-attack scenarios as the impact of the routing attacks on the large-scale setup of S3 was more apparent. Although this scalability effect was evident for all the routing attacks, the VN and rank attacks had a slightly higher impact as the network scaled up considering both single- and composite-attack scenarios. For example, the VN and rank attacks caused the QoS measures to degrade by 7–18% in S3 compared to the results of S1 and S2 whereas the QoS degradations were up to 15% in the cases of other routing attacks as indicated in Table 4 and Table 5. In hybrid-attack scenarios, the impact of routing attacks was amplified as the size of the network increased. For example, the PPC rate and energy consumption increased by more than 11% as the network scaled up from S1 to S3 as shown in Figure 4c and Figure 8c, respectively. This can be noticed for all the hybrid-attack combinations but was a bit more noticeable for the VN–rank and VN–WP attacks.
8. Discussion
A basic IoT network routing solution is provided by the IETF-standardized RPL. The protocol design provides no security support for defending against the diverse types of routing attacks. In fact, the inherent design properties and characteristics of RPL make it easy to initiate a set of routing attacks targeting overall network performance and stability. The RPL topology establishment process enables utilizing the vulnerable ranking mechanism for impairing the protocol functionality and incurring sub-optimal routing. The basic topology maintenance process of RPL also allows the launching of DoS attacks by arbitrarily tampering with the unsecured version numbering mechanism and initiating frequent illegitimate global repairs. In addition, RPL has an intrinsic vulnerability to passive impersonation as it has no mechanism to prevent eavesdropping and manipulation of control data.
Overall QoS performance can be easily and effectively targeted in different routing attack scenarios. In simple attack scenarios of a small-scale network with a single attacker, a reduction of up to 13% in PDR and throughput as well as an increase of more than 35% in delay and ETX were incurred. As the attack scenario becomes more complex with hybrid attacks in large-scale networks, the situation becomes even worse with a reduction of more than 32% in PDR and throughput in addition to an increase of more than 90% in delay and ETX. This makes it extremely challenging to foster the deployment of standard RPL networks in latency-sensitive and real-time IoT applications.
It is also evident that attacked RPL networks suffer from significant degradation in network overhead, energy consumption, and topology stability. The adverse effects are extremely significant in large-scale setups which are common for most IoT applications such as the smart city application. The overhead in the network can noticeably increase by more than 700% in single-attack scenarios whereas the increase can reach more than 900% in the cases of hybrid-attack scenarios. Increases of more than 200% in energy consumption can also be easily achieved particularly when performing complex routing attacks. In addition, simple routing attack scenarios caused RPL networks to stay unstable with a high increase of more than 1000% in topology changes.
It is apparent that standard RPL networks without additional security support face serious security difficulties. The networks would remain permanently at high risk of critical performance degradation as a result of easy-to-initiate routing attacks. Thus, the technical efficiency and practical feasibility of RPL network deployment in critical IoT applications become questionable. As addressing such an issue becomes inevitable, the practical performance understanding established in this paper provides the basis for the development of advanced RPL security support. The presented results can serve as a practical reference for effectively comprehending RPL-based IoT networks under routing attacks. This is an important step towards enriching the security of the protocol and reviving its potential for a broad range of IoT applications.
The lessons learned in this study can be summarized as follows:
RPL networks perform well under no attacks. Even in large-scale scenarios, high QoS performance was achieved and the network stays highly stable while maintaining low control traffic overhead and power consumption.
RPL lacks a standardized security-provisioning functionality against internal routing attacks. In the absence of integrated security support, wide deployments of RPL networks would be highly hindered, particularly for security-critical IoT applications.
RPL networks are inherently prone to a wide range of routing attacks that can be easily initiated by any compromised node. Even in the case of a complex routing attack, multiple attacking nodes can simply perform multiple attacks simultaneously in a composite- or hybrid-attack setup.
QoS performance and topology stability of RPL networks can be effectively targeted by routing attacks, particularly composite and hybrid ones. In addition, these attacks provide an effective method to highly increase network overhead and energy consumption. The damage would be significant in a way that can cause RPL networks to collapse with complete communication disruption and data loss.
Large-scale RPL networks suffer severe side effects from the routing attacks. As most IoT applications would involve a high number of nodes, the use of RPL without protection from such attacks would become a matter of security. Incorporating standard RPL routing into large-scale IoT networking for daily sensitive applications would put networks at permanent security risk of adverse routing attacks.
Targeting RPL networks with hybrid attacks combining different routing attacks at once is a new routing attack approach in the context of RPL networking. The adverse impact of this kind of attack on RPL networks is highly evident. As most of the enhancements to RPL properties have been made at the protocol, topology, and communication levels to alleviate simple security-deteriorated situations, this study provides an intensive investigation of hybrid attacks to stimulate further advanced RPL security solutions.
Experimental simulation testing has been the predominant evaluation methodology that ensures simplicity and reproducibility. This method also enables studying experimental issues such as scalability in an easy and cost-effective manner. Backing up such a method with realistic experimentation over physical testbeds is an important consideration. A shift towards such a viable integrated methodology is feasible to increase evaluation practicality. This study provides the initial major step toward such a strategy.
The functionality of RPL leaves enough room for further improvement toward effective security support. The protocol design of RPL comes with the flexibility to incorporate effective and advanced protection against routing attacks. Security-oriented optimization of different RPL operational aspects can be considered in this regard. For example, RPL can be incorporated with secure OF design, node ranking algorithms, topology update validation methods, and integrity-preserved message exchange. However, the balance between efficiency and complexity should be emphasized as a key security design issue that needs to be effectively addressed before implementing RPL at scale. Security solutions for RPL networks should be effectively developed at minimal computational complexity and resource consumption. Here are some perspectives that can be considered when developing RPL security support:
RPL completely relies on the behavior of parent nodes during topology establishment and updates. Malicious and illegitimate activities affect all the neighbor and child nodes at the lower hierarchical levels of the affected topological zones. By enhancing the interaction and controlling the association among parent and child nodes, the protection of RPL networks from rank attacks can be effectively achieved.
Although it is specified that global repairs are only performed by the sink node, the protocol design provides no guarantee of immunity to VN attacks initiated by compromised nodes. RPL nodes blindly participate in any global repair without verifying the legitimacy of the process. It is important to ensure strict adherence to the RPL specification and prevent any topology updates coming from non-sink nodes and taking a direction other than the downward direction. This requires effective collaboration among RPL nodes to enable efficient verification of global repairs in a distributed manner.
RPL topology establishment and maintenance processes are managed by the exchange of control information transmitted in a systematic and periodical manner. Monitoring abnormal behaviors and validating data integrity are vital to preventing the misuse of routing information and initiation of replay attacks.
Assuming the applicability of a single-attack mitigation solution to defend composite ones would not be a feasible strategy. Composite ones require more collaborative and distributed mechanisms to be effectively detected and mitigated.
It is challenging to mitigate hybrid attacks without addressing the different RPL routing attacks with a one-solution-fits-all approach. Jointly addressing and optimizing multiple network security aspects at different levels need to be achieved in a customizable and efficient manner. The fusion of multiple technological advancements into an RPL security architecture would be a feasible consideration in this regard.
Validating the feasibility of any solution in only small-scale scenarios is not sufficient to ensure its efficiency and avoid scalability issues. More emphasis needs to be placed on large-scale experimentation when validating RPL security solutions.
It is important to emphasize not adding much to the complexity of the RPL design when enhancing RPL functionality to a further security limit. Security solutions need to be effective without imposing additional entities, high computational complexity, and unnecessary communication overhead. This can be approached with effective modifications to certain RPL operational properties, particularly those related to topology establishment and maintenance.
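The version-number perspective above (accept a global repair only when it arrives from the sink side, and verify it collaboratively) can be sketched as follows. This is an added example, not the paper's design and not Contiki code: the `VersionGuard` class, the quorum rule, the window of 16, the simplified 8-bit wraparound comparison standing in for the sequence counter rules of RFC 6550, and the sample DIOs are all assumptions.

```python
from dataclasses import dataclass, field

WINDOW = 16  # assumed acceptance window for a "newer" 8-bit version number


def is_newer(candidate, current):
    """Simplified wraparound comparison: newer if 1..WINDOW steps ahead (mod 256)."""
    diff = (candidate - current) % 256
    return 0 < diff <= WINDOW


@dataclass
class VersionGuard:
    """Per-node filter deciding whether to follow a DODAG version change."""
    own_rank: int
    version: int
    quorum: int = 2  # distinct upstream neighbors that must agree (assumption)
    neighbor_rank: dict = field(default_factory=dict)  # sender -> rank seen under current version
    votes: dict = field(default_factory=dict)          # candidate version -> set of senders

    def on_dio(self, sender, version, rank):
        """Return 'ok', 'pending', 'adopted' or 'rejected' for one received DIO."""
        if version == self.version:
            self.neighbor_rank[sender] = rank
            return "ok"
        if not is_newer(version, self.version):
            return "rejected"  # stale, or implausibly far ahead
        # Judge direction by the rank the sender advertised BEFORE the change;
        # the rank carried in the DIO announcing the new version is not trusted.
        known = self.neighbor_rank.get(sender)
        if known is None or known >= self.own_rank:
            return "rejected"  # update is not travelling downward from the sink
        voters = self.votes.setdefault(version, set())
        voters.add(sender)
        if len(voters) < self.quorum:
            return "pending"
        self.version = version
        self.neighbor_rank.clear()  # ranks must be relearned in the new version
        self.votes.clear()
        return "adopted"


# Constructed DIO observations at one node: (sender, version, rank).
SAMPLE_DIOS = [
    ("A", 240, 512), ("B", 240, 512), ("C", 240, 1024),
    ("C", 241, 256),   # downstream neighbor announces a new version
    ("A", 241, 512),   # first upstream neighbor announces it
    ("A", 241, 512),   # same sender again, still one vote
    ("B", 241, 512),   # second upstream neighbor, quorum reached
    ("C", 243, 1024),  # rank of C not yet relearned in version 241
]


def run_sample():
    guard = VersionGuard(own_rank=768, version=240)
    results = [guard.on_dio(*dio) for dio in SAMPLE_DIOS]
    return results, guard.version


if __name__ == "__main__":
    print(run_sample())
```

The guard trusts ranks advertised earlier, so a node that has already falsified its rank is not caught; that is the hybrid VN–rank case the results identify as the most damaging, and it needs rank validation as well.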
9. Conclusions
It is evident that the RPL routing protocol is still vulnerable to a wide range of security attacks. The RPL design lacks sufficient security support for network resilience against the different internal routing attacks. The experimental study presented in this paper helps in establishing a firm understanding of the performance of RPL networks under a set of diverse routing attack scenarios. The outcome of this work can serve as a practical reference for deeply comprehending RPL-based IoT networks under routing attacks. This is an important step towards the development of effective security solutions for enriching the security of the protocol and reviving its potential for a wider scope of IoT applications.
The results indicate the adverse impacts of routing attacks on the overall performance of RPL networks. Even in simple attack scenarios, the networks experienced noticeable degradation of QoS performance and network stability in addition to considerable increases in control traffic overhead and energy consumption. This was more evident in large-scale experimental setups and also under composite and hybrid attacks.
Considering these implications of the routing attacks in RPL networks, the development of more secure routing mechanisms becomes vital. Without efficient security support, compromising the integrity of the RPL control messages becomes easy. However, security solutions should be developed based on a lightweight and simple approach. This is crucial given the limited capabilities of typical IoT devices which operate in low-power and lossy networks. Utilizing the outcomes of this study for addressing such considerations in an effective routing security solution is the main target for our future work. The focus will be on the development of an integrated RPL security architecture that provides effective protection from potential RPL routing attacks.