RM

The document is a table of contents for a thesis on securing routing in Internet of Things low-power and lossy networks (IoT-LLNs). It outlines several chapters that will assess vulnerabilities in the Routing Protocol for Low-power and Lossy Networks (RPL), detect various routing attacks, and propose a holistic framework using blockchain to enhance routing security in IoT environments. Some of the key contributions discussed include an attack graph model for vulnerability analysis of RPL, mechanisms for detecting traffic attacks, topological isolation attacks, and resource attacks, as well as a layered model integrating routing attack detection with a blockchain-based system to securely distribute alerts.

Uploaded by

Wizard Of Trap

Table of Contents

Certificate

Abstract

Acknowledgements

Table of Contents

1 Introduction
1.1 Introduction
1.2 Challenges in the Internet of Things
1.2.1 Device challenges
1.2.2 Network challenges
1.2.3 Architectural challenges
1.2.4 Security as a Challenge
1.2.5 Gaps in Existing Research
1.3 Objectives of the Dissertation
1.4 Problem Definition and Scope of Work
1.5 Major Contributions of the Thesis
1.6 Thesis Organization
1.7 Summary

2 Background and Related Work
2.1 Introduction
2.2 Routing in IoT-LLNs
2.2.1 The RPL Routing Process
2.2.2 RPL and Routing Requirements of IoT-LLNs
2.2.3 Insider Attacks in RPL-based IoT-LLNs
2.3 RPL Attack Analysis and Detection Mechanisms
2.3.1 Attacks Instigated through False Advertisement
2.3.2 Attacks Instigated by Dropping Packet
2.3.3 Attacks Instigated by Flooding Control Messages
2.3.4 Attacks Instigated by Violating Protocol Functions
2.4 Enhanced RPL versions
2.4.1 RPL Enhancements to Improve Performance
2.4.2 RPL Enhancement for Security
2.5 Summary

3 Vulnerability Assessment of RPL in IoT-LLNs
3.1 Introduction
3.2 Proposed Classification of Vulnerability Assessment Models
3.3 Attack Graph based Vulnerability Assessment of Rank Property in RPL-based IoT
3.3.1 Proposed Attack Graph based Vulnerability Assessment Model
3.4 Validation of the Proposed Attack Graph based Vulnerability Assessment Model
3.4.1 Increased Rank Attack
3.4.2 Decreased Rank Attack with Selective Forwarding Attack
3.4.3 Worst Parent Attack
3.4.4 Summary of Results
3.5 Mind Map based Vulnerability Assessment of RPL in IoT Environment
3.6 Metrics for Vulnerability Analysis of IoT-LLNs
3.7 Summary

4 Detection of Routing Attacks in RPL supported IoT-LLNs
4.1 Introduction
4.2 Design of Routing Attack Detection Mechanisms for IoT
4.3 Detection of Traffic Attacks
4.3.1 Types of Traffic Attacks in RPL-based IoT-LLNs
4.3.2 Attack Instigation and Analysis
4.3.3 Threat Model of Misappropriation Attack
4.3.4 Proposed Mechanism for Detection of Misappropriation Attack in IoT
4.3.5 Attack Detection based on Multilayer Perceptron
4.3.6 Performance of the Proposed Attack Detection Mechanism
4.3.7 Identifying the Malicious Node
4.4 Detection of Topological Isolation Attacks
4.4.1 Analyzing Topological Isolation in IoT
4.4.2 Threat Model of Packet Dropping Attacks
4.4.3 Proposed Model to Identify Packet Dropping Nodes
4.4.4 Proposed Exponential Smoothing based Approach for Detection of Blackhole Attacks
4.4.5 Predicting τ using Exponential Smoothing
4.4.6 Algorithm for Blackhole Detection in IoT-LLNs
4.4.7 Performance of the Proposed Blackhole Attack Detection Algorithm
4.4.8 Proof of Concept
4.5 Detection of Topological Sub-optimization Attacks
4.5.1 Analyzing the IoT-LLN Performance under WPA
4.5.2 Threat Model of Worst Parent Attack
4.5.3 Proposed FNN based Model for Prediction of Worst Parent Attack
4.5.4 Data Preprocessing
4.5.5 Model Description
4.5.6 Performance Evaluation of the FNN based Model
4.5.7 Assessing the Effect of Hyperparameters Batch Size and Epochs
4.5.8 Identification of malicious nodes
4.6 Detection of Resource Attacks
4.6.1 Analyzing the impact of Version Number Attack
4.6.2 VNA Threat Model
4.6.3 Proposed Framework for Detection of Version Number Attacks
4.6.4 Mechanism for Detection of VNA
4.6.5 Identification of Malicious Nodes
4.6.6 Results and Discussion
4.7 Summary

5 Holistic Framework for Securing IoT Environment against Routing Attacks
5.1 Introduction
5.2 Role of Blockchain in Enhancing Routing Security
5.2.1 Proposed Layered Model of Routing Security in IoT-LLNs and the Role of Blockchain
5.3 Blockchain Based Framework for Secure Routing in IoT-LLNs
5.3.1 Proposed Smart Contract for Routing Security in IoT-LLNs
5.3.2 Alert Generation through Smart Contract
5.3.3 Application of Alert Messages in Enhancing Routing Security
5.4 Holistic Framework for Routing Security in IoT-LLN
5.4.1 Role of Network Embedding in Routing Security
5.4.2 Data Visualization and Analysis
5.4.3 Routing Attack Prediction by the FNN model in the Framework
5.4.4 Performance Evaluation of the Proposed Holistic Framework
5.4.5 Analysis of the Predictions
5.5 Summary

6 A Novel Network Partitioning Attack Scenario in IoT-LLNs
6.1 Introduction
6.2 Proposed Taxonomy of Topological Attacks in RPL-based IoT-LLNs
6.3 Proposed Network Partitioning Attack Model in RPL-based IoT-LLN
6.3.1 Analytical Model to Demonstrate the Impact of the Attack
6.3.2 Attack Signature and Threat Model
6.4 Validating the Proposed Network Partitioning Attack Scenario
6.5 Detection of the Network Partitioning Attack in RPL-based IoT-LLNs
6.6 Summary

7 Novel RPL Enhancements to Mitigate Routing Attacks in IoT-LLNs
7.1 Mitigating Network Partitioning Attack
7.1.1 Experimental Results of the Proposed Mitigation Strategy
7.2 Mitigation of Worst Parent Attack (WPA)
7.2.1 ERPL: Proposed WPA Secured RPL
7.2.2 Performance of the Proposed ERPL
7.2.3 Analytical Discussion of the Proposed ERPL
7.3 Embedding Node (Subtree) Isolation and Blacklisting in RPL
7.3.1 Working of the Isolation and Blacklisting Mechanism
7.4 Summary

8 Conclusion and Future Scope
8.1 Summary of Contributions
8.2 Future Scope of Work
8.3 Concluding Remarks

Bibliography

List of Publications

Biography

List of Tables

3.1 Observations from Increased Rank Attack
3.2 Impact of Rank Attacks on Network Performance

4.1 Evaluation of Feature Performance
4.2 Evaluation of Time stamps for Selecting Training Data
4.3 Performance of Reduced Feature Set
4.4 Batch Mean of Transactions over Simulation time
4.5 Label of Nodes over simulation time
4.6 Description of the Dataset used for Training and Validation
4.7 Performance of the FNN based Model in WPA Prediction
4.8 Results of Identification Module
4.9 Experimental Results of Version Number Attack Analysis
4.10 Sample Output of Filter Input Feature Module
4.11 Performance of Classification Algorithms
4.12 Results of Malicious Nodes Identification Algorithm

5.1 Dataset Description
5.2 Results Comparing the Performance of ML Algorithm with and without Alert Messages
5.3 Statistics of the Worst Parent Attack Dataset
5.4 Prediction of Normal and Attacks Scenario by the Proposed Framework

6.1 A comparison of Various Topological Attacks with the Proposed Network Partitioning Attack
6.2 Observations Made During Network Partitioning Attack Detection

7.1 Performance Comparison of the Proposed Mitigation Strategy under Attack with RPL under Normal Scenario
7.2 Task Specified by Variable cust msg Values

List of Figures

1.1 Taxonomy of Security Attacks in the IoT Environment
1.2 Depiction of the Problem Definition

2.1 Flow of Control Messages for DODAG Maintenance and Formation
2.2 DIO Control Message in RPL
2.3 Routing Requirements of LLNs

3.1 Proposed Classification of Vulnerability Assessment Models
3.2 Classification of RPL Attacks
3.3 Proposed Attack Graph based Vulnerability Assessment Model
3.4 Experimental Setup of Increased Rank Attack
3.5 Experimental Setup of Decreased Rank Attack
3.6 Packet Loss after DRA followed by SFA
3.7 Experimental Setup of Worst Parent Attack
3.8 Path Metric of Node 29
3.9 Mind Map based Vulnerability Assessment of Node Joining and DODAG Maintenance Process
3.10 Diagrammatic representation of TG and EED

4.1 Description of Design Methodology for RPL Attack Detection
4.2 Simulation setup of DRA
4.4 Segregation of Data Plane for Feature Extraction
4.5 Attack Detection Unit
4.6 Changed Topology due to DRA (convergence at Node 5)
4.7 Data packets received over simulation time
4.8 Proposed Model for Identification of Packet Dropping Nodes
4.10 Delay in Identification of Malicious Node
4.11 Simulation Setup with Three Malicious Nodes
4.12 Delay in Identification of Malicious Node
4.13 Blackhole detection in DODAG with depth 4
4.14 The Worst Parent Attack
4.15 Setup for 20-node mesh LLN
4.16 Consequence of WPA on Packet Arrival and Power Consumption
4.17 Consequence of WPA on Routing Metric and Hops
4.18 Avg. Beacon Interval
4.19 Proposed FNN based model for prediction of WPA
4.20 Lag plot of features in the dataset
4.21 Time Series Plot of Features in the Dataset
4.22 Performance of FNN in the Prediction of WPA when IoT Sensor Nodes are Placed in form of a Mesh
4.23 Performance of FNN in Prediction of WPA when IoT Sensor Nodes are Placed Randomly
4.24 Performance of the Optimized FNN Model in Prediction of WPA
4.25 Proposed Framework for VNA Detection in IoT-LLNs

5.1 Proposed Model of IoT Routing Security and Role of Blockchain
5.2 Proposed Blockchain-based Framework for Secure Routing in IoT-LLNs
5.3 Design of Smart Contract based Routing Attack Detection in IoT-LLNs
5.4 DODAG under Normal Scenario
5.5 Density Distribution of Normalized Features in the Dataset
5.6 Proposed Holistic Framework for Detection of Routing Attacks
5.7 Density Distribution of normalized features in the dataset
5.8 Performance of the Proposed Framework in Detecting Routing Attacks in IoT-LLNs

6.1 Grounded and Floating DODAGs
6.2 Proposed Taxonomy of Topological Attacks against RPL in IoT-LLNs
6.3 Depiction of Network Partitioning Attack
6.4 Unit Disk Graph Radio Model
6.5 Segregation of Nodes due to NPA
6.6 Loss of Data Packets due to Drop in Nodes Connected to Sink
6.7 Drop in Average Power Consumed due to NPA
6.8 Drop in ETX and Routing Metric due to NPA
6.9 Increase in Inter Packet Time and Beacon Interval due to NPA
6.10 Normal Scenario

7.1 Performance Comparison of Enhanced RPL and RPL
7.2 DODAG under normal and WPA scenario for RPL and ERPL
7.3 Comparing ERPL with RPL under normal and WPA scenario
7.4 Network Convergence Time (NCT) Comparison
7.5 Comparing NCT in case of node failure
7.6 Comparing network overhead in RPL and ERPL
7.7 Network Overhead under WPA with Varying Traffic Load
7.8 Analysis of Packet Delivery Ratio
7.9 PDR in WPA scenario with increasing traffic load in each node
7.10 Disabling Subtree Rooted at Node 3
7.11 Manifestation of Node Isolation and Blacklisting

List of Abbreviations
ATG - Average Time Gap
BCN - Blockchain Network
CNN - Convolution Neural Network
DAG - Directed Acyclic Graph
DAO - DODAG Advertisement Object
DDoS - Distributed Denial of Service
DIO - DODAG Information Object
DIS - DODAG Information Solicitation
DoS - Denial of Service
DODAG - Destination Oriented Directed Acyclic Graph
DRA - Decreased Rank Attack
EED - End to End Delay
ERPL - Enhanced RPL
ETX - Expected Transmission Count
FNN - Feedforward Neural Network
GCN - Graph Convolution Network
HPC - High Performance Computing
IDS - Intrusion Detection System
IETF - Internet Engineering Task Force
IID - Independently and Identically Distributed
IoT - Internet of Things
IRA - Increased Rank Attack
LLN - Low Power and Lossy Network
6LBR - 6LoWPAN Border Router
6LoWPAN - IPv6 over Low Power Wireless Personal Area Network
LSTM - Long Short Term Memory
MOP - Mode of Operation
NPA - Network Partitioning Attack
NCT - Network Convergence Time
NETSTACK - Network Stack
PCAP - Packet Capture
PKI - Public Key Infrastructure
RPL - IPv6 Routing Protocol over Low Power and Lossy Network
ROLL - Routing over Low Power and Lossy Networks
RNN - Recurrent Neural Network
SFA - Selective Forwarding Attack
WPA - Worst Parent Attack
UDGM - Unit Disk Graph Model
VNA - Version Number Attack
WSN - Wireless Sensor Networks

Chapter 1

Introduction

“The recent security attacks on the Internet of Things (IoT) environment have raised
concerns over the underlying routing protocols. Securing the IoT environment against
routing attacks is an important security requirement. The solution to this problem lies
in the efficient routing attack vulnerability analysis, devising mechanisms for the
early detection of these attacks, and robust mitigation schemes.”

1.1 Introduction
Kevin Ashton first coined the term Internet of Things in his presentation on automating supply chain processes using RFIDs. His idea of the Internet of Things (IoT) was to empower computing devices and make human intervention redundant. The two critical behavioral characteristics achieved by the Internet of Things are interaction with the physical world and the possibility of communicating and analyzing the collected data to drive business processes. The term “Things” refers to smart objects equipped with one or more sensors or actuators, a limited-capacity microprocessor, a communication device, and a power source. The sensor in the smart object is what gives it the ability to interact with the physical world. The microprocessor enables the transformation of the captured data from the sensors at a limited speed and complexity. The communication device enables the smart object to communicate the sensor readings to the outside world and take input from other smart objects. As smart objects can be placed in remote locations, a constant energy supply is not always possible, so they require battery power sources to function. In the last decade, the Internet of Things has been interpreted in diverse ways and used in multiple applications ranging from home automation, building automation, and industrial IoT to the smart city.

The Internet of Things is built on similar technologies such as machine-to-machine communication, telemetry, and Wireless Sensor Networks (WSNs). IoT draws its closest similarity to WSNs because both environments focus on data gathering and communication through wireless radios. The difference lies in the frequency and scale of data gathering and communication and the fact that IoT devices perform other tasks like actuating and control. Further, the constant Internet connectivity of IoT devices helps in retaining the gathered data at the data centers, which provides an option for intelligent data analysis using Artificial Intelligence and Machine Learning.

Though IoT has numerous benefits and applications, the constrained nature of embedded devices in the IoT environment creates many challenges. The presence of heterogeneous devices, the enormous volume of data generated, multiple layers of application interfaces, etc. lead to various infrastructural and security challenges. In particular, security is a major concern in the IoT environment. Managing the identities of a large volume of IoT devices, identifying compromised devices, designing lightweight security solutions for the various layers of the IoT infrastructure, and incorporating security solutions in the constrained environment are challenging. In this dissertation, we focus on securing the IoT environment from the threats stemming from the vulnerabilities of the underlying routing protocol. The rest of the chapter is organized as follows. In Section 1.2, we present various challenges posed by the IoT environment and discuss the gaps in the existing research. In Section 1.3, we present the objective of the dissertation, and we discuss the problem definition in Section 1.4. In Section 1.5, we present the major contributions of the dissertation, and in Section 1.6, we present the organization of the thesis.

1.2 Challenges in the Internet of Things


The vision of IoT is to bring intelligence to all physical devices implanted with sensors by connecting them to the Internet or any High-Performance Computing platform. IoT brings insights into product usage, remote monitoring and control, real-time and proactive maintenance and repair, and customer experience. Developing an IoT application platform involves interaction among various heterogeneous devices across heterogeneous platforms. The crux lies in interconnecting such large-scale heterogeneous network elements and exchanging data effectively. To this end, the challenges in IoT are as follows:

1.2.1 Device challenges


Embedded devices present numerous challenges, primarily related to power consumption, physical size, and cost, which have design implications for the underlying hardware, software, protocols, and even the architecture [1], [2].

• Power Consumption: Battery-powered embedded devices should have low duty cycles, whereas the Internet Protocol requires continuously active devices. Wireless embedded radio technologies such as IEEE 802.15.4 do not inherently support multicasting, and broadcasting or flooding instead increases the wastage of battery power.

• Bandwidth and Frame size: Wireless embedded devices have a bandwidth of the order of 20–250 kbit/s and a frame size of 40–200 bytes. The minimum frame size for standard IPv6 is 1280 bytes, whereas the IEEE 802.15.4 standard defines a frame size of 127 bytes. Further, a mesh topology is more suitable for wireless embedded devices in achieving the required efficiency and coverage. In a mesh topology, the bandwidth also suffers as the channel is shared by multihop forwarding nodes, thus requiring fragmentation.

• Physical Size and Cost: The size of the embedded device governs the potential application. For example, wearable devices, smart appliances, smart home devices, etc. need to be small. Since most IoT applications are large scale, minimizing cost also becomes essential. The requirement for small-sized and low-cost hardware can put constraints on the design of software, which must run in a resource-constrained environment and be power-efficient.

1.2.2 Network challenges


The large-scale deployment of heterogeneous smart objects in IoT applications involves the following challenges [3]:

• Scale: The large scale of data generated by the considerably constrained nodes has implications for network performance in terms of the volume and speed at which the network can carry and transport data packets without loss. This imposes several design constraints on the underlying routing protocol. Further, the routing protocol must be aware of the elusive property of lossiness, as packet loss may result from the lossy characteristics of the embedded devices or from external environmental factors like temperature and humidity.

• Standardization of technologies for improved interoperability: Lack of standardization in IoT can lead to challenges in interoperability [2], [4]. The constrained nature of IoT places many restrictions on making use of the Internet Protocols and on devising protocols for IoT environments. It poses challenges at every phase of deployment, connectivity, and data analysis in IoT [2]. The IoT environment should also blend seamlessly with the legacy Internet network.

• Flood of data from billions of actors: Data will be gathered, transported, and stored in massive quantities. The challenge will be to provide the required bandwidth, data identification, and appropriate storage media [1], [2], [4].

1.2.3 Architectural challenges


Early architectural challenges of the IoT network were the following:

• Construction of the core IoT network: The core network consists of sensors and actuators
which gather data and trigger events. These low power devices have limited computational
capabilities on which traditional algorithms though robust and secure, cannot run. The chal-
lenge is to tap the full potential of the underlying hardware and yet to keep the operations
lightweight [1].

• Construction of the access network: The core network of sensors and RFIDs is not IP
configurable, and efficient means have to be devised to make the sensors accessible from a
remote location.

To make the core IoT network accessible to IP devices, the IETF proposed IPv6 over Low power and
Lossy Network (6LoWPAN) [5]. It is the adaptation layer between the link layer and the network
layer of the devices. It is a network protocol for the Internet of Things that aims at providing wireless
4

internet connectivity at low data rates and with a low duty cycle. The protocol stack of 6LoWPAN
is explained by the authors in [6]. Though 6LoWPAN can solve the problem of the construction of
the access network, it introduces the following challenge:

• According to the IEEE 802.15.4 standard, the frame size handled by low power devices is 127
bytes, which was much smaller than the frame size of 1280 bytes of an IPv6 packet [7]. The
6LoWPAN adaptation layer takes care of this situation by fragmenting packets, making the
IoT network vulnerable to various fragmentation attacks [8].

The challenge is to build a secure and strong 6LoWPAN-based IoT infrastructure devoid of any
vulnerabilities, which can withstand possible security attacks.
Among all the significant challenges, security is of utmost importance and a momentous problem
in the Internet of Things environment. Like any other network of computing systems, IoT is susceptible
to attacks. The fact that IoT involves devices used in personal space, critical machinery,
critical operations, etc. and the enormous scale of the connected devices make security particularly
challenging. In the following subsection, we elaborately discuss the issue of security in IoT networks.

1.2.4 Security as a Challenge


The ample scope for the usage of IoT in industrial, corporate, manufacturing, and home automation
to enhance the manufacturing or user experience process also makes it a challenge to devise security
solutions. Unlike the SCADA systems, which are closed environments, IoT always endorses access
from anywhere by anyone at any time [9]. The security of IoT applications and devices is, therefore, of
utmost importance. The absence of security may lead to theft, loss of life, and a complete shutdown
of operations. Traditional Internet security is robust but too heavyweight to be applied in its native
form in IoT. Thus, security and access control become a big challenge in IoT [10]. As IoT entails
pervasive interconnection, ubiquitous data collection and tracking, privacy management of personal
data in IoT is a big concern [11]. The following are a few reported cases of security breaches in the
IoT environment in recent years.

• October 2016’s infamous Mirai botnet attack caused a massive Internet outage by hacking
devices like CCTV cameras in the Internet of Things. Trend Micro, a global leader in cybersecurity
solutions, reported in the first quarter of 2020 that the Mirai botnet and its newer variants
continue to intrude into the IoT environment and deliver malicious payloads.

• According to a 2020 report by Threatpost, a security news portal, retail IoT devices like
smart deadbolts, smart cameras, smart toys, baby monitors, security systems, etc. from
various manufacturers like U-tech, i-Home, TP-link, etc. are used as bots and ransomware by
the attackers.

• In the past couple of years, several incidents of intrusion of personal space in hotels and
Airbnbs using connected security cameras have been reported.

• The news agency CNN reported at the beginning of 2020 that Japanese officials found around
200 million IoT devices in the country with poor or little security were sniffing out data.

• A survey conducted by researchers from Northeastern University and Imperial College of
London stated that 72 devices out of every 81 IoT devices surveyed had vulnerabilities [12].

• F-Secure, a cybersecurity company, reported a 12-fold increase in the number of attacks
perpetrated by exploiting protocols used in IoT devices and IoT environments.

IoT is vulnerable to attacks for several reasons. IoT devices are constrained, which makes it difficult
to implement complex security solutions on them. Communication is wireless, with devices placed in
locations that cannot be frequently accessed. These characteristics of IoT themselves make it vulnerable
to breaches in privacy and security. The authors in [11], [13] have divided the flow of data in IoT into
five phases, namely, Interaction phase, Information collection phase, Processing phase, Presentation
phase, and Information dissemination phase. Security attacks and threats to privacy may occur at
any of the five phases of IoT [11], [13]. The authors in [10] have stated that according to a study by
Hewlett Packard, 80% of the IoT deployment violates personal information privacy, 80% failed the
requirement for a strong password, 70% had unencrypted communication and 60% had vulnerabilities
at the user interface. Eyal Ronen et al. in [14] established how a simple IoT device like an LED
can launch attacks and cause harmful effects. In [15], the authors stated the inability of various
Public Key Infrastructure (PKI) to meet all security and privacy aspects of IoT. In [16], the authors
proposed a security framework based on the three-layer model of IoT architecture. For analyzing all
aspects of IoT security, the elements and protocols used at each layer of the IoT architecture must be
examined against security challenges. This becomes even more complex and challenging as there is
a lack of consensus among stakeholders towards the technical definition, the standards and the user
policies [17].
Manufacturing organizations, oil and gas companies, the aviation industry, and the military have
been using concepts similar to IoT like Cyber Physical Systems and Supervisory Control and Data
Acquisition systems for years to connect things. While IoT is inclusive of these systems and adds
new dimensions and ability to them, IoT is also vulnerable to the added threats, as suggested by
the authors in [18]. Bonnie et al. in [19] suggest that threats to supply chain security have emerged
from connecting machines to the Internet and introducing complex IoT-based systems controlling
manufacturing processes. These attacks may alter system configuration files, remote access devices,
etc., which in turn may affect the quality and cost of manufacturing or disable the manufacturing
process. IoT in the healthcare domain helps in the continuous monitoring and health analysis of
patients. However, IoT devices pose challenges as they are open to security and privacy breaches
through their wireless interfaces [20]. An attack may update the device parameter, firmware, or
status, which may have a critical effect on the patients’ health.
Large-scale deployment of LLNs with strong resource constraints, constrained transmission
links, and diverse traffic patterns in IoT poses several challenges with regard to using an appropriate
routing protocol. Existing routing protocols are not suitable to deal with these requirements [23].
At the routing layer, the Routing Over Low power and Lossy networks (ROLL) working group has
proposed a protocol called the IPv6 Routing Protocol for Low power and Lossy Networks (RPL) [22].
RPL, despite its various advantages, has several security issues and is vulnerable to several attacks
[21]. Hence, an IoT network needs to have a holistic system to address RPL attacks. Based on the
existing literature, we present a consolidated picture of the complete taxonomy of attacks on the
Internet of Things in Figure 1.1. We have classified attacks in IoT based on the following categories:

1. Operational Phases in IoT
2. Architecture of IoT
3. Components of IoT

Figure 1.1: Taxonomy of Security Attacks in the IoT Environment



1.2.5 Gaps in Existing Research


The extensive study on the current work in IoT in general and IoT security has led us to understand
that there are several security attacks possible on IoT networks. These attacks can be classified based
on (a) IoT data life cycle (Phases in IoT), (b) architecture, (c) topology, and (d) components. The
following are some of the significant gaps in the existing research on the Internet of Things.

• Deficiency of data ownership and its implications for security and privacy [1], [4].
• Insufficient security and threat analysis [4], [6], [23], [24].
• Inadequate Preventive Measures against security attacks [4], [6].
• Need for an adaptive mechanism for the quick recovery of IoT network under attack [4], [9].
• Lack of mechanisms to address protocol vulnerabilities [6], [21].
• Dearth of lightweight protocols to address security concerns of LLN in IoT [23], [24].
• Essential holistic security framework [16].

Based on the research gaps identified as above and the security challenges presented in Subsection
1.2.4, we understand that the security attacks in IoT are of major concern. It has been observed that
the attackers use network devices like routers and leverage the routing protocols’ vulnerabilities. It
has been also seen that attacks on routing protocols have led to several DoS attacks in recent times.
In IoT, the Low power and Lossy Networks (LLNs) are most susceptible to attacks because of their
constrained nature. As mentioned in Subsection 1.2.3, 6LoWPAN is used as an adaptation layer in
IoT to make non IP devices IP-enabled. 6LoWPAN also helps in integrating the traditional WSN in
IoT [25]. RPL has become the de-facto standard routing protocol used in IoT-LLNs. It supports all
the traffic flow requirements and routing requirements of LLNs in various applications like industrial
automation, home automation, building automation, etc. [22]. However, since the inception of RPL,
it has been under scrutiny for being susceptible to several routing attacks. Recently researchers have
raised concerns regarding RPL supported IoT-LLNs being susceptible to performance degradation,
traffic disruption, resource exhaustion, etc., due to the vulnerability of the RPL routing protocol to
security attacks [26], [27], [28]. In order to secure the IoT environment, routing security should be
incorporated into the framework of IoT security [29]. Routing attacks have implications at the network
layer and over higher layers of the IoT stack. The existing literature on RPL attacks attempts to
provide countermeasures for various routing attacks in isolation. However, the following three major
aspects are not well explored in the existing literature. First, it is essential to find the correlation
between different attack scenarios and analyze the behavior of collaborative routing attack scenarios.
Second, existing taxonomies on RPL attacks have ignored the network partitioning attack scenarios
[21], [30]. IoT devices connect to IoT applications via the edge routers (root nodes) in the IoT-LLNs.
Malicious IoT devices may instigate attacks to partition fair IoT devices from the root node, thus
making the information sensed by the fair IoT devices unavailable to the IoT application. Third,
IoT necessitates constant connectivity to the Internet, which gives scope for data analytics. Thus,
we can use advanced technologies like Machine Learning, Deep Learning, Blockchain, etc. to detect
the routing attacks early. Keeping in mind these aspects, we aim to develop a holistic system that
can identify various RPL attack scenarios and take measures to counter them.

To summarize, security, privacy, and trust management are critical to the success of IoT and
to reap the benefits which IoT brings to organizations, businesses, enterprises in particular, and our
day to day life in general. With recent reports of IoT attacks using simple home routers and IoT
devices, it is evident that vulnerabilities of routing protocols in IoT are alarming [31]. Based on these
observations, we present the problem of routing security in the following section.

1.3 Objectives of the Dissertation


Based on our understanding of the problem of routing security and the research gaps we identified,
we present the following objectives of our research:

• Objective 1: Perform analysis of the RPL routing process to develop vulnerability assessment
models in order to analyze collaborative attack scenarios and deduce uncovered attack surface.

• Objective 2: Develop a framework incorporating deep learning and smart contract fortified
blockchain to detect routing attacks in RPL-based IoT-LLNs.

• Objective 3: Devise strategies to enhance the RPL routing process to restrict routing attacks
in the IoT environment.

1.4 Problem Definition and Scope of Work


The Internet of Things environment can be broadly viewed as a network of three major components.
First, the High-Performance Computing (HPC) environment, like the cloud and data centers, that
serves as the platform for creating IoT data-driven applications and analytics. Second, the Edge
network, which connects the Low Power and Lossy Networks to the HPC environment. Third, the
LLNs, which are the most critical segments of the IoT environment as they enable the IoT vision
of connecting all physical devices to the Internet. RPL is the standard routing protocol used in
IoT-LLNs, which is susceptible to many attacks that target the LLN topology, resources, and traffic.
Thus, the security threat associated with the RPL routing protocol’s vulnerabilities poses a serious
issue regarding the security of the IoT-LLNs, as depicted in Figure 1.2.

Our work focuses on securing the IoT-LLNs from the attacks resulting from the vulnerabilities
of the RPL routing protocol. Routing constitutes the backbone of the communication stack. Attacks
exploiting the weaknesses of the RPL routing process have implications for constrained network
resources and network performance in the IoT [32]. Thus, it is highly desirable that the IoT ecosystem
quickly identifies an attack and takes appropriate countermeasures. An intelligent analysis of the
state of the IoT-LLNs by using machine learning and statistical algorithms can help in the early
detection of routing attacks. Such computationally intensive attack detection can be done on cloud
platforms. However, cloud-based solutions will have limitations like increased latency, high bandwidth
cost, connectivity issues, etc. [33].

Figure 1.2: Depiction of the Problem Definition

Recent research suggests using the edge network to overcome
the limitation of cloud platforms [33] [34] [35]. The edge network can facilitate a platform for
statistical, machine learning, or deep learning-based intelligent analysis of the state of the IoT-LLN,
ensuring stable computing, power, and memory resources [36]. The edge network reduces latency, and
the IoT ecosystem can quickly respond to routing attacks. Securing the routing process in IoT-LLNs
entails the understanding of various factors explained as follows:

• Protocol vulnerabilities: The vulnerabilities of the routing protocol can be examined by
assessing the actions involved in the routing process and the routing parameters that govern
those actions. Protocol vulnerabilities can be modeled in the form of a sequence diagram,
vulnerability database, ontology, or graphs representing the unaddressed vulnerabilities, possible
exploits, and the associated risks [37]. Such representations help in the following assessments:

1. Sequence of possible exploits an attacker device may pursue to achieve its target.

2. The expected behavior of a vulnerability and the resultant change in the state of IoT
network.

3. The risks involved in terms of resource consumption, resource damage, and performance.

Vulnerability models also help in preparing for zero-day attacks.

• Attack instigation and symptoms: The method of instigation of various routing attacks
and the analysis of their consequences help in the behavioral analysis of the attacks and their
effect on the IoT network. The behavioral analysis helps in the design and testing of efficient
attack detection mechanisms.

• Detection of attack symptoms and source: As IoT ensures constant Internet connectivity,
IoT-LLN data can be pulled to the edge network or cloud. In such HPC environments,
advanced technologies like Artificial Intelligence and Deep Learning can be applied for the
behavioral analysis of IoT-LLNs for attack detection and attack source identification.

• Risk and threat reduction: A detailed study of the RPL routing process through the
prism of vulnerability models may help uncover hidden attack surfaces and recognize unreported
attack scenarios. A careful analysis based on vulnerability assessment models may
help enhance the existing RPL routing process to reduce security risks and threats. However,
such enhancements should not compromise the RPL routing process and should never increase
energy consumption or communication overhead.

• Secure access of routing communication and IoT data: Behavioral analysis of the
IoT-LLNs for attack detection using Artificial Intelligence and Deep Learning at the edge network
or the cloud will be fruitful only when we have secure access to the IoT data.

1.5 Major Contributions of the Thesis


The problem of securing the routing process in the RPL-based Internet of Things environment can
be broken into three sub-problems. First, we need to devise models to represent the vulnerabilities
of the RPL-based routing process. Attack graphs have been widely used to represent security
vulnerabilities and possible exploits in various networked environments. In our work, we
propose two different models to represent the vulnerabilities of the RPL protocol. The first is an Attack
Graph-based model that analyzes the vulnerability associated with the “Rank Property” of RPL,
which leads to several attacks in IoT-LLNs. The second is a Mind Map-based model that elucidates the
weaknesses of the actions involved in the RPL routing process.
The recent security trends in IoT suggest frequent attacks in the IoT environment. We have
extensively worked on designing different attack detection mechanisms to detect all known categories
of routing attacks and identify their sources. We analyze the impact of various routing attacks and
define their threat models for efficient design of mechanisms to detect the attack on IoT-LLNs.
We also explore advanced technologies like blockchain for strengthening routing security in IoT. We
propose a layered model for routing security defining the security requirements at the various layers
of the routing process and the role blockchain can play in enhancing security at various layers. We
propose smart contracts to automate security checks and generate alert signals in case of anomalies.
Further, we propose a blockchain-based holistic framework involving advanced Deep Learning
algorithms for detecting different categories of routing attacks in IoT-LLNs.
We propose enhancements in the RPL routing process to efficiently reduce the impact of two
crucial attack scenarios, namely, the Network Partitioning Attack and the Sub-Optimal Path Attack.
An essential step in securing the routing process is to segregate the identified malicious entities, which
also helps in restricting the spread of the attacks. We propose enhancements in RPL that will allow
the fair nodes to isolate or blacklist the malicious nodes collaboratively.

1.6 Thesis Organization


The organization of the rest of the thesis is as follows:

• In Chapter 2, we discuss various routing requirements of the IoT network and the rationale
behind the suitability of RPL as the de facto routing protocol in the IoT environment. We
briefly explain the working of the RPL routing process and present an in-depth study on
the existing literature of routing attacks in the RPL-based IoT network. We also study the
existing attack detection mechanisms.

• In Chapter 3, we present an Attack Graph-based model to assess the vulnerabilities of the
rank property in RPL-based IoT-LLNs. We also present a Mind Map-based model to assess
the vulnerabilities of the RPL routing process.

• In Chapter 4, we propose mechanisms to detect routing attacks against IoT-LLN topology,
resources, and traffic using statistical techniques and machine learning algorithms.

• In Chapter 5, we present a layered representation of routing security in RPL-based IoT-LLNs
and analyze how advanced technologies like blockchain and Deep Learning can help in devising
robust routing attack detection mechanisms in the IoT-LLNs.

• In Chapter 6, we introduce a novel Network Partitioning Attack (NPA) scenario in RPL-based
IoT-LLNs and perform its in-depth impact analysis. We also propose an algorithm to detect
the proposed NPA scenario.

• In Chapter 7, we propose some novel enhancements to the existing RPL to reduce the threat
associated with two crucial routing attack scenarios. We also recommend an enhancement to
RPL to deal with malicious node isolation and blacklisting.

• We give our concluding remarks along with the future scope of work in Chapter 8.

1.7 Summary
The constrained nature of the devices that constitute the IoT-LLNs poses various infrastructural and
operational challenges. Security is a major challenge in the IoT environment. The recent series of
attacks targeting the IoT environment emphasizes the fact that routing security is challenging and
crucial. In this chapter, we gave an introduction to the challenges of securing the Internet of Things
environment and identified routing protocol security in IoT-LLNs as the focus of our work. We gave
a description of the problem definition and the objectives of the research. In the next chapter, we
perform an in-depth study of existing literature on RPL and also the attacks in RPL-based IoT-LLNs.

Chapter 2

Background and Related Work

“If Internet of Things is the solemnization of the physical world with the digital world,
routing security will keep the union alive, interacting and inviolable.”

2.1 Introduction
The driving force behind the concept of the Internet of Things is the connectivity among physical
devices. Networking and specifically routing is the key enabler of connectivity. The large scale of
IoT networks, the constrained and the heterogeneous nature of the constituent devices pose specific
requirements on the underlying routing protocol. The proliferation of the IoT devices in day-to-day
usage in platforms like healthcare, finance, and retail involves the communication of private data.
Therefore, the secure exchange of data among the IoT nodes should be an intrinsic feature of any IoT
network. In Chapter 1, we discussed various challenges present in the IoT environment and observed
that security is a major concern.
In the past, as well, routing protocols were known to be susceptible to multiple threats and attacks.
Additionally, the constrained nature of the IoT devices makes the implementation of complex security
solutions challenging. Moreover, the rush of IoT vendors to push their products in the IoT market
space has resulted in the security features getting compromised in the already constrained IoT devices.
The network of such minimal IoT devices termed as Low power and Lossy Network (LLN) easily
becomes a soft target for attackers, enabling them to exploit the vulnerabilities of various aspects
of IoT-LLN. Secure routing in IoT-LLN is a vital requirement and major challenge in enabling the
vision of IoT. Numerous researchers have expressed concern about the routing issues in IoT-LLNs and
stated routing security in IoT-LLNs as an open research problem [26], [27], [28]. In this chapter, we
focus on exploring the various threats posed by routing protocol vulnerabilities in IoT environment
and study the existing work on them.
The rest of the chapter is organized as follows. In Section 2.2, we briefly present the routing
requirements of IoT-LLNs and the working of the RPL routing process. We illustrate how RPL
satisfies the routing requirements of IoT-LLN and discuss the vulnerabilities of RPL to insider attacks.
In Section 2.3, we present the related work on routing attacks in RPL-based IoT-LLNs. In Section
2.4, we discuss the research related to the enhanced versions of RPL that aim to overcome some of
the performance and security issues existing in RPL.

2.2 Routing in IoT-LLNs


The first and foremost requirement of IoT was to devise an Internet Protocol that can bring Internet
connectivity to the constrained physical devices. The Internet Engineering Task Force (IETF) formed
the IPv6 over Low Power Wireless Personal Area Networks (6LoWPAN) working group, which
formulated header compression and encapsulation mechanisms to enable IPv6 packets to be sent and
received over networks of minimal devices [5]. The authors in [38] explored the characteristics of IoT
infrastructures, which will inadvertently comprise devices with varied features and computational
capabilities on a large scale network. A large part of the IoT infrastructure is the network
comprising heterogeneous low power and lossy devices, often termed as the LLNs. For such constrained
environments where seamless connectivity and interoperability are mandatory for the realization of
the IoT vision, routing plays a crucial role. To meet the idea of ubiquitous connectivity over minimal
devices, the Routing Over Low Power and Lossy Networks (ROLL) working group of the IETF
proposed IPv6 Routing Protocol for Low Power and Lossy Networks (RPL). Before the origin of RPL,
a variety of routing protocols used in WSNs, MANETs, Internet Autonomous Systems, etc. did not
meet the complete ROLL requirements [39]. The authors in [40], [41], [42] compared various routing
protocols for LLNs, and their work establishes the suitability of RPL in the IoT-LLN environment. We
next discuss the RPL routing process.

2.2.1 The RPL Routing Process


RPL is a distance vector routing protocol proposed by IETF to facilitate information collection and
dissemination in networks comprising resource constrained devices in order to realize the vision of
Internet of Things. RPL organizes the Low Power and Lossy Networks as Directed Acyclic Graphs
(DAG), which comprise one or more Destination Oriented Directed Acyclic Graphs (DODAGs). The
term Destination Oriented specifies that all the nodes in LLNs must forward their data packets to the
root (sink) node directly or through intermediary nodes. The root nodes are usually Low-Power and
Lossy Network Border Routers (6LBRs), which connect the IoT-LLNs to the IoT application residing
on Internet, Cloud, Grid, or any wider High-Performance Computing environment via a backbone
network. A single DODAG has three types of nodes as listed below:

1. Sink or root node: It connects the IoT-LLN with the rest of the IoT network. It is usually
a gateway or a border router which is also responsible for the topological formation and
maintenance of the IoT-LLN.

2. Routers: Nodes which are sensors or actuators with routing capabilities

3. Hosts: Leaf nodes which are only sensors or actuators

The goal of the sensor and actuator devices in the IoT-LLN is to transmit data or receive commands
from an IoT application. The sensor devices fail to achieve this goal if they are not connected to the
sink node either directly or via the intermediate nodes.

To organize the nodes in the form of DODAGs, RPL makes use of three types of control
messages namely, DODAG Information Object (DIO), DODAG Information Solicitation (DIS) and
DODAG Advertisement Object (DAO). The sequence diagram shown in Figure 2.1 depicts how and in
which order the control messages are used by RPL to organize the nodes in the form of a DODAG.

Figure 2.1: Flow of Control Messages for DODAG Maintenance and Formation. (a) DODAG Maintenance; (b) Node Joining DODAG

As observed from Figure 2.1a, the sink node broadcasts the DIO messages at regular intervals determined
by the trickle timer algorithm and the nodes respond with a DAO message. DIO messages carry
DODAG configuration parameters which are used by the nodes to construct DODAGs and join them.
The trickle timer algorithm enables the nodes in the LLN to exchange messages in an energy efficient
manner. The trickle timer periodically checks for new information available within the LLN, checks
for inconsistency and enables the control of traffic timing, route discovery and multicast propagation
[46]. The DAO message sent by the sensor nodes provides the destination information to the sink
node. Using the DAO message, the sink updates its topological view of the DODAG as represented
in Figure 2.1b. A new node multicasts a DIS message to its neighboring nodes in order to obtain the
network configuration parameters. In response, the neighboring nodes send the DIO messages which
include their specific rank along with the network configuration parameters. Rank is a value which is
estimated in terms of an Objective Function, which governs the structure of the DAG. The objective
function comprises the routing metric and constraints, which are advertised by the sink node in the
DIO message [47]. The rank of a node represents the quality of the path to the sink that the node
offers to its child node. Hence, rank facilitates the selection of the best route to the sink node. A
low rank implies a better route to the sink in terms of the routing metrics and constraints defined
by the goal of the LLN. A new node chooses a parent node with the best rank by responding with a
DAO message. The parent node is supposed to forward this DAO message to the sink node in order
to allow the sink to have the view of this new node. Hence, we can infer that a sink node can reach
or have the view of a specific node only if it receives a DAO message from that node. The message
exchange scenario involved in this process is depicted in Figure 2.1b. A new node computes its rank
based on the rank of its parent node as represented by Equation 2.1.

$$\text{NodeRank} = \text{ParentRank} + \text{Rank}_{\text{increase}} \tag{2.1}$$

where $\text{Rank}_{\text{increase}}$ is estimated based on the property of the link between a node and its parent node.
Hence, the rank of a node is always greater than that of its parent node. Thus, RPL enables efficient tree
topology formation in the form of a DODAG. RPL has a well-defined mechanism to maintain a
loop-free spanning tree topology. It facilitates a local repair mechanism without affecting the entire network.
It also ensures optimized LLN performance against various requirements like energy conservation,
minimum latency and load balancing by using different routing metrics and constraints like Remaining
Node Energy, Expected Transmission Count, Hop count, Throughput and Latency. RPL achieves
these requirements by broadcasting the suitable objective function and parameter information in the
DIO message as shown in Figure 2.2.

Figure 2.2: DIO Control Message in RPL

The sink node is responsible for updating the configuration information in the DIO message. The
nodes in the LLN which join as sensors with routing capability also multicast the DIO messages after
updating the rank field in the DIO message with their own rank. However, such nodes should not
update any other parametric value like the version number, Mode of Operation (MOP) and the values
of various flag variables in the DIO messages. Also, the nodes should not advertise false information
like false identity or false rank in their DIO messages.
In the following subsection, we discuss various routing requirements of LLNs in the IoT environment
and illustrate the properties of RPL that help satisfy those requirements.
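
The join exchange, the rank rule of Equation 2.1 and the DIO rules described above, as an added sketch that is not code from the thesis or from any RPL implementation: a toy DODAG that assigns ranks as nodes join, and a check that lists which of the stated rules a received DIO breaks. The class and function names, the root rank of 256, the link costs, the MOP value, the lowest-resulting-rank parent choice and the monitor's complete view of the topology are all assumptions of this sketch.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DIO:
    sender: str
    version: int  # DODAG version number, set by the sink
    mop: int      # Mode of Operation, set by the sink
    rank: int     # rank advertised by the sender


class Dodag:
    """Toy DODAG as seen by a monitor that knows every accepted join."""

    def __init__(self, root, version, mop, root_rank=256):
        self.root = root
        self.reference = DIO(root, version, mop, root_rank)  # the sink's own DIO
        self.rank = {root: root_rank}
        self.parent = {}

    def dio_from(self, node):
        """DIO a joined node multicasts: the sink's configuration, its own rank."""
        return replace(self.reference, sender=node, rank=self.rank[node])

    def join(self, node, links):
        """Join `node`; `links` maps each neighbour to that link's rank increase.

        Models the DIS -> DIO -> DAO exchange: only neighbours already in the
        DODAG answer the DIS, and the node picks the parent that gives it the
        lowest rank under Equation 2.1 (an assumption of this sketch).
        """
        dios = [self.dio_from(n) for n in links if n in self.rank]
        if not dios:
            return None  # no joined neighbour in radio range: node stays detached
        best = min(dios, key=lambda d: d.rank + links[d.sender])
        self.parent[node] = best.sender
        self.rank[node] = best.rank + links[best.sender]  # Equation 2.1
        return best.sender

    def path_to_root(self, node):
        """Upward route that a data packet or a forwarded DAO follows."""
        path = [node]
        while path[-1] != self.root:
            path.append(self.parent[path[-1]])
        return path


def check_dio(dodag, dio):
    """List the rules from the text that a received DIO breaks."""
    if dio.sender not in dodag.rank:
        return ["sender is not a joined node"]
    problems = []
    if dio.version != dodag.reference.version:
        problems.append("version number changed")
    if dio.mop != dodag.reference.mop:
        problems.append("MOP changed")
    if dio.sender != dodag.root:
        parent_rank = dodag.rank[dodag.parent[dio.sender]]
        if dio.rank <= parent_rank:
            problems.append("rank not greater than parent's rank")
        elif dio.rank != dodag.rank[dio.sender]:
            problems.append("rank differs from Equation 2.1")
    return problems


def build_sample():
    """Constructed five-node topology; the rank increases are made-up link costs."""
    d = Dodag(root="R", version=1, mop=2)
    d.join("A", {"R": 256})
    d.join("B", {"R": 512})
    d.join("C", {"A": 256, "B": 128})  # two candidate parents
    d.join("D", {"C": 256})
    return d


if __name__ == "__main__":
    dodag = build_sample()
    for name in sorted(dodag.rank, key=dodag.rank.get):
        print(name, dodag.rank[name], dodag.path_to_root(name))
    # Constructed DIO that reuses C's identity with an altered version and rank.
    print(check_dio(dodag, DIO("C", 2, 2, 300)))
```

Node C hears DIOs from both A and B and joins under A, because A gives the lower resulting rank even though the link to B is cheaper.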

2.2.2 RPL and Routing Requirements of IoT-LLNs


IoT-LLNs find application in domains like industrial automation, home automation, building
automation, smart city, etc. In such applications, traffic patterns are diverse, and devices may be
intermittently active or in sleep state. The authors in [39], [43], [44], [45] present the routing
requirements in urban-LLNs, industrial automation, building automation and home automation respectively.
The summary of the routing requirements of IoT-LLNs is depicted in Figure 2.3. We elucidate the
routing requirements and state the properties of RPL that help in achieving them.

1. Scalability: Most of the IoT applications like Connected Health, Smart Campus, Smart City,
etc. require the deployment of IoT-LLN nodes in a large and diversified scale. The routing protocol
should have the ability to organize such large numbers of IoT-LLN nodes and must allow scaling
the network without compromising the behavior of the selected performance parameters. In RPL,
a node interacts with all the nodes in its radio (communication) range. RPL adopts the Unit Disk
Graph Model, where a circular disk with the co-ordinates of the embedded device as the center of
the circle represents the radio range of the device. Nodes disseminate configuration information at
regular intervals determined by the trickle algorithm [46]. Thus, RPL allows flexible scaling of the
network.

Figure 2.3: Routing Requirements of LLNs

2. Parametric Constrained Routing: The constrained characteristics of the IoT-LLN nodes
require the routing protocol to provide support for parametric constrained routing. In such a routing
process, the nodes advertise their performance strength in terms of parameters like processing power,
memory size, transmission count, remaining battery power, etc. Based on the requirements of the
IoT application, nodes may advertise their performance strength in terms of a single parameter or
an aggregation of multiple parameters. For example, in a scenario where a single routing node must
provide paths to many nodes, it should have a larger memory to store neighborhood information.
Another example is the scenario where the battery life is of importance and nodes with rechargeable
batteries are preferable. This specification is of particular importance as it gives nodes
in the IoT-LLNs an opportunity to select the path to the destination efficiently. RPL supports
parametric routing by allowing the use of appropriate objective functions [48].

3. Support for Autonomous Configuration: The requirement of scalability necessitates that
networks running the routing protocol self-organize and configure according to a predefined set of
rules. In IoT-LLNs, nodes may frequently move in and out of the network or may be in a sleep state.
Therefore, the network topology must be able to dynamically reorganize and reconfigure itself in
response to changing network traffic, node mobility, and changing quality of service requirements.
A suitable routing metric must be used by the routing protocol to appropriately represent the current
configuration of the network and enable the dynamic selection of suitable paths to the destination.
In RPL, the sink node disseminates the LLN configuration information to its neighboring nodes
through DIO messages. Nodes with routing capability also multicast the DIO messages to disseminate
the updated configuration information. Thus, all the nodes in the LLN receive the notification of the
configuration update.

4. Support for Directed Information Flow: IoT applications require the collection of information
sensed by sensor nodes at specific servers. This requires the routing protocol to facilitate
a highly directed information flow through suitable addressing schemes. In RPL, all the sensor
nodes must forward their data to the sink node. The traffic close to the sink node, i.e., a 6LBR, is
high and may result in load imbalance. To this end, RPL allows the LLNs to have multiple sink nodes.

5. Optimized Network Performance: As IoT-LLNs comprise constrained devices, various
operations of the IoT network should be optimized to make the most efficient use of the device and
network resources. Hence the routing protocol must ensure the optimal convergence of IoT-LLNs,
i.e., the LLNs should comprise the most optimal path from the source to destination nodes. RPL
ensures optimal paths in the LLNs by virtue of its rank property.

6. Energy Efficient Routing: The constrained IoT nodes often rely on battery power and lack
continuous power supply. Therefore, the routing process must be energy efficient. RPL ensures
energy efficient routing by the use of the trickle algorithm, which governs the frequency of
dissemination of control messages within an interval [Imin, Imax]. When nodes agree with the
neighboring nodes in terms of configuration information, they reduce their frequency of information
dissemination. Such a scenario also reflects that the topology is stable.

7. Network Dynamicity: There is frequent association and disassociation among the nodes in
IoT-LLNs. Hence, the routing protocol must facilitate mechanisms to ensure the existing nodes in
the LLN are informed of the changing association, disassociation and disappearance of the
neighboring nodes. To this end, the sink node broadcasts DIO messages at intervals governed by the
trickle algorithm.

8. Latency: Numerous IoT applications require the IoT-LLNs to be designed as a type of delay
tolerant network, with the exception of alert and queried reporting [49]. However, RPL allows the
latency object to be used as a path metric or constraint to minimize the latency from the source to
the destination.

9. Diverse Traffic Patterns: Devices in the LLNs may need to establish point to point,
multipoint to point or point to multipoint communication. RPL supports anycast, unicast, and
multicast communications.

10. Security: IoT-LLNs are exposed to threats like any other network. The wireless, distributed,
large scale and constrained nature of the LLNs increases the spectrum of potential risks. Nodes with
routing capability participate in the topological organization, can self configure, self organize and are
capable of violating the protocol rules by disabling, manipulating or hijacking the routing process.
Therefore, a new node must be authenticated by the routing protocol before it can act as a router.
Further, the routing process should support mechanisms to defend against Denial of Service (DoS)
attacks, Distributed DoS (DDoS) attacks and energy depletion attacks.
RPL supports three security modes namely, unsecured mode, pre-installed mode and authenticated
mode. In the unsecured mode, the control messages are unencrypted and security is taken care of by
the link layer security feature. In the pre-installed mode, the nodes joining a network must obtain
a pre-installed encryption key. Using this key, a node can join the network as a host or as a router.
In the authenticated mode, a node can join a network as a host using the pre-installed key. To
become a router, the node should obtain an authentication key from an authentication server. The
pre-installed mode and the authenticated mode prevent unauthorized devices from becoming a part of
the IoT-LLNs or participating in the routing process. This ensures the security of the IoT-LLNs
against external attacks but poses the additional requirement of protocols defining the process of
obtaining the key, and this places additional computational overhead on the constrained nodes.
Also, the concept of RPL instances introduces access restrictions among the nodes belonging to
different DODAGs within an RPL instance. The nodes belonging to different DODAGs within an
RPL instance cannot establish communication. However, nodes belonging to separate RPL instances
can establish communication. The notion of RPL instances also allows the flexibility to choose
different route selection metrics for different DODAGs within an RPL instance.
All the security features mentioned above restrict external attacks in RPL-based IoT-LLNs.
However, RPL-based IoT-LLNs are vulnerable to insider attacks, which we elaborate in the following
subsection.

2.2.3 Insider Attacks in RPL-based IoT-LLNs


The authenticated security mode of RPL secures the IoT-LLNs from external attacks. However, a
malicious node may acquire the pre-installed and authentication keys and become part of the
IoT-LLN. In that case, malicious nodes that become part of the DODAG can instigate several attacks
against the RPL routing process. The primary reason for attacks in IoT networks is the weak
credentials of the IoT devices. Users who are unaware of the IoT environment do not change the
factory settings and default passwords. There are numerous tools available to monitor and scan for
unprotected IoT devices [50]. The Mirai and other similar botnets apply a brute force mechanism
to guess the default passwords of the targeted IoT devices [51]. Therefore, rogue nodes becoming a
part of the IoT network is inevitable. Such rogue nodes may instigate attacks by not adhering to the
routing policies or exploiting the weak aspects of the routing process. Therefore, routing security in
IoT-LLNs is a significant problem and has gained much attention from researchers. The following are
the vital areas of research in securing the IoT environment against RPL attacks:

1. Analyzing the impact of known routing attacks on the IoT environment

2. Exposing the vulnerabilities of the routing protocol to check the possibility of new attack
scenarios

3. Mechanisms to detect the state of the IoT-LLNs to ensure that the network is not under attack

4. Improving the routing process and functions involved to mitigate the routing attacks

2.3 RPL Attack Analysis and Detection Mechanisms

After the IETF proposed RPL to facilitate routing in the IoT-LLNs, it has drawn attention from
numerous researchers. They focused on the performance of various aspects of the RPL routing
process and their associated vulnerabilities to several security attacks. Kim et al., in their survey
[52], examined the repercussions of the optional security requirements. They stated that the
two most popular open-source RPL implementations, namely, ContikiRPL [42] and TinyRPL [53],
do not use the optional security features of RPL. The implementation of complex security features
makes RPL too complicated and challenging to adapt to the IoT-LLNs owing to the constrained
characteristics of the IoT devices. The authors in [21], [30], [54], have presented various taxonomies
of attacks against RPL, and suggested that such attacks result in degradation of network performance
and depletion of the constrained network resources. For the success of IoT, it is crucial to evaluate
the performance of the RPL and its limitations. The authors in [55] presented the limitations and
drawbacks of RPL and various parameters and methods for analyzing RPL's performance. As most
of the open implementations of RPL lack optional security features, the impact analysis
of routing attacks and the design of routing attack detection mechanisms are important areas of IoT
research. We have classified the existing literature on RPL attack analysis and detection mechanisms
based on the method of attack instigation as follows:

• Attacks instigated by advertising false information in DIO messages.
• Attacks instigated by dropping packets.
• Attacks instigated by flooding control messages.
• Attacks instigated by violating protocol functions.

In the following subsections, we present the existing literature based on the above classification.

2.3.1 Attacks Instigated through False Advertisement


The topological organization and maintenance of RPL based IoT-LLNs are accomplished through the
exchange of control messages. The nodes in the IoT-LLN multicast the control messages to solicit
neighborhood information. Nodes multicast DIO messages to advertise their presence. The DIO
control message carries the network configuration information like rank and version number. The
inherent problem with a multicast-based routing protocol is that the fair nodes can be easily victimized
by malicious nodes advertising false information in their DIO messages. False advertisement of
configuration information often results in nodes leaving their parent node to look for a better path
option. This phenomenon is termed churning. To this end, many researchers are working towards
addressing the problem of false advertisement.

Version Number Attack


Version number is a numeric representation of the state of a DODAG [22]. The topology of a
DODAG may change as nodes join or leave the DODAG. Frequent changes in the topology may
result in discrepancies like loop formation or unbalanced load distribution. In such scenarios, the
sink node broadcasts DIOs with an incremented version number. As nodes in the DODAG receive
fresh DIOs with incremented version number, they re-initiate the process to select a new preferred
parent and the DODAG is reorganized. However, this property of the version number can be exploited
by a malicious node that intentionally increases the version number in its information object (DIO
messages) in order to instigate a version number attack. A non-sink node may also initiate an
increment in version number in the case of a loop formation in its sub-DODAG, termed as self-
healing or local repair mechanism of RPL. A malicious node may exploit the local repair property of
RPL to initiate a version number attack, also termed as a local repair attack [56]. Such attacks result
in increased exchange of control messages, increase in the power consumed by the nodes and also
increase in the packet latency [57], [61]. In order to detect the version number attack, Mayzaud et
al. in [62] suggested the use of multiple monitoring nodes to check for version number inconsistency.
The monitoring nodes on encountering inconsistency in the version number, inform the sink node
along with the ID of the suspected node. However, this mechanism results in the false identification
of the suspect nodes. The authors in [63] have suggested a proactive measure based on the hash
chain and authentication scheme to prevent the nodes from modifying the version number and the
rank in their DIO messages. However, the addition of hash keys and message authentication codes
in the control message place an additional overhead and may lead to the fragmentation of messages.
This poses an additional risk of fragmentation attacks [64] and hash chain attacks [65].
The authors in [66] suggest two mechanisms to mitigate version number attacks. According to
the first mechanism, nodes disregard DIOs with a version number update if the rank in the DIO is higher
than their own rank. The second mechanism, in addition to the previous restriction, puts a selected
set of nodes close to the root node, based on a trust value, in an exclusive list called Shield List.
Nodes consider a DIO with an updated version number if a majority of nodes in the shield list have
the same version number. Such strict rejections may suppress the local repair process and put the
network in danger in the event of routing attacks, which lead to loops and congestion close to the leaf
nodes in the DODAG. If rogue nodes become part of the shield list, the problem of version number
attack persists.
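
The two filters attributed to [66] above can be modelled as follows. This is an added example, not code from the thesis or from [66]; the class and field names, the way shield-list versions are learned (from the last DIO heard from each shield node), the plain integer version comparison and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dio:
    sender: str   # node ID of the advertising neighbour
    rank: int     # rank carried in the DIO
    version: int  # DODAG version number carried in the DIO


class VersionUpdateFilter:
    """Decides whether a node acts on a DIO that carries a newer version number."""

    def __init__(self, own_rank, own_version, shield_list=()):
        self.own_rank = own_rank
        self.own_version = own_version
        self.shield_list = frozenset(shield_list)  # empty: first mechanism only
        self.shield_versions = {}                  # last version heard per shield node

    def check(self, dio):
        """Return (accepted, reason) for one received DIO."""
        # Assumption: shield nodes' versions are learned from their own DIOs.
        if dio.sender in self.shield_list:
            self.shield_versions[dio.sender] = dio.version
        # Assumption: versions compare as plain integers (no counter wrap-around).
        if dio.version <= self.own_version:
            return True, "no-version-update"
        # Mechanism 1: ignore an update advertised with a rank higher than our own.
        if dio.rank > self.own_rank:
            return False, "update-from-higher-rank"
        # Mechanism 2: also require a majority of the shield list at that version.
        if self.shield_list:
            agreeing = sum(1 for v in self.shield_versions.values() if v == dio.version)
            if 2 * agreeing <= len(self.shield_list):
                return False, "no-shield-majority"
        self.own_version = dio.version
        return True, "version-update-accepted"


def run_scenario():
    """Constructed DIO sequence seen by a node with rank 512 at version 5."""
    node = VersionUpdateFilter(own_rank=512, own_version=5,
                               shield_list={"S1", "S2", "S3"})
    received = [
        Dio("N9", rank=768, version=6),  # deeper node: forged update or genuine local repair
        Dio("N4", rank=256, version=6),  # lower rank, but no shield node is at version 6
        Dio("S1", rank=128, version=6),  # first shield node moves to version 6
        Dio("S2", rank=128, version=6),  # second shield node: majority reached
        Dio("N4", rank=256, version=6),  # same version again, after the node updated
    ]
    return [(d.sender, *node.check(d)) for d in received]


def rogue_shield_scenario():
    """Constructed case: two of the three shield nodes advertise a forged version 9."""
    node = VersionUpdateFilter(own_rank=512, own_version=5,
                               shield_list={"S1", "S2", "S3"})
    for d in (Dio("S1", 128, 9), Dio("S2", 128, 9)):
        node.check(d)
    return node.own_version


if __name__ == "__main__":
    for row in run_scenario():
        print(row)
    print("version after rogue shield majority:", rogue_shield_scenario())
```

The first DIO in `run_scenario` is rejected whether it is forged or a genuine local repair, which is the suppression of local repair noted above, and `rogue_shield_scenario` shows the forged version being adopted once the shield majority itself is rogue.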

Decreased Rank Attack


A node should compute its rank based on the rank of its preferred parent [22]. A malicious node
may advertise a lower rank than its actual rank in order to attract more traffic towards itself. This
phenomenon is termed a Decreased Rank Attack. Khan ZA et al. [67] proposed a trust based
mechanism in which each node computes the trust value of the neighboring nodes to check the rank
inconsistency. The authors in [68] have proposed an Intrusion Detection System (IDS) to detect
the sinkhole attack which is essentially a decreased rank attack followed by the packet dropping
attack. However, their proposed IDS suffers from a high false alarm rate. In [69], [70], the authors
have studied the sinkhole attack, which is a combination of decreased rank attack and packet dropping
attack. A decreased rank attack can also act as a precursor to a wormhole attack where a malicious node,
after gaining access to the maximum possible traffic, establishes a tunnel connection with a node
outside the DODAG in order to pass on the DODAG configuration and traffic information [71], [72].
Therefore, timely detection of the decreased rank attack is vital for safeguarding the IoT-LLNs.

Increased Rank Attack


A malicious node may advertise a rank higher than its actual rank to gain access to an increased
number of nodes in the DODAG. This may lead to loop formation which in turn can result in local
repairs in the DODAG. The authors in [92] have studied the impact of various types of rank attacks
in IoT-LLNs and stated several serious consequences of false rank advertisement like an increased end
to end delay, increased packet collision, and increase in the number of routing messages exchanged.
Rank attacks can often lead to Denial of Service. Trust based authentication schemes suggested by
authors in [73] and [74] for rank and version number authentication suffer from several issues like
lacking feasibility of realistic implementation, computational and message header overheads [66].

2.3.2 Attacks Instigated by Dropping Packet


In IoT-LLNs, all the nodes forward data packets to the sink node either directly or via a parent
node. A malicious node may drop data packets of nodes in its subtree instead of forwarding them to the
sink. The victim nodes remain unaware that their data packets are not reaching the sink node. The
different types of packet dropping attacks in IoT-LLNs are as follows:

Blackhole Attack
When a node drops all the received packets, it is said to be instigating a blackhole attack. In such
scenarios, when the sink node does not receive data packets from the victim node, such victim nodes
are said to be topologically isolated from the sink node.
Blackhole attacks have a major impact on all types of sensor networks, including MANETs, delay
tolerant networks and wireless sensor networks [75], [76], [77]. Blackhole attacks against RPL in the
low power and lossy sensor networks cause major denial of service in the IoT environment. The study
of the consequences of blackhole attack by the authors in [21], [78] suggests that blackhole attacks
reduce the overall network packet delivery ratio and increase the exchange of control messages. It
also states that the attacked network behaves similarly to a normal network. Topological isolation in
IoT may be caused by obstructing the upward traffic or downward traffic. Downward traffic
obstruction is possible only if the RPL operates in storing mode [22]. Upward traffic obstruction caused by
blackhole attacks can be executed in both storing and non-storing modes. Various researchers have
suggested a trust based defense mechanism against blackhole attacks in different types of wireless
sensor networks [77].
The authors in [79], [80] have also applied a trust based mechanism to defend RPL against
blackhole attacks. The trust based mechanism works at two levels: first at the local level, where a
sensor node observes the behavior of the neighboring nodes, and then at the global level, i.e., at the
sink level, where a trust value is estimated for all the nodes in the network. Most of the IoT devices
are constrained and have low memory and processing capabilities. The limited memory and processing
power are used for maintaining the routing information and queuing the data packets to be forwarded.
Detection of the blackhole attack can be done at the global level without putting additional load on
the constrained node by learning the packet delivery trends of various nodes in the LLN. In [81],
the authors have compared trust based, agent based, multihop and check-sum based mechanisms
to counter the blackhole attack. They have suggested that these mechanisms work only in specific
cases. They also stated that cryptographic solutions cannot be applied on constrained nodes.

Selective Forwarding Attack


When a malicious node drops selected packets, either at a gap of some interval or from the selected
nodes in its subtree, it is said to be instigating the Selective Forwarding Attack (SFA). Hung-Min
Sun et al. [82] proposed a multi-dataflow topology for WSNs to defend against SFA. However, the paper
does not propose techniques for SFA identification or mitigation. Also, in the case of IoT, the network
comprises large numbers of sensors. Provision of multi-dataflow paths will result in huge network
overhead. The authors in [83] have proposed an attack classification schema for smart cities. The
classification states that the Selective Forwarding Attack is a major threat in the network layer of
the Smart City architecture. SFA may even lead to loss of critical data. In [84], Shahid Raza et
al. have proposed IDS for Sinkhole and Selective Forwarding Attacks. This IDS makes use of a
6Mapper component which reconstructs the RPL topology at the border router. The IDS analyzes
the reconstructed topology for attack detection. However, if the attacker node can identify the traffic
used by 6Mapper, it can still perform SFA by forwarding only those packets which are used by
6Mapper. Hence, it is difficult to identify the Selective Forwarding Attack.
Sabah et al. [85] proposed a two-level data provenance mechanism to trace the path of data
traffic. In their work, a system level data provenance uses node level provenance to detect packet
drop. Their mechanism requires accessing the node’s storage space and also requires storage space
for packet sequence entries at the node level. Such mechanisms may pose a risk for false routing
table entry attacks by malicious nodes.

2.3.3 Attacks Instigated by Flooding Control Messages


As mentioned earlier, the RPL protocol uses three control messages for the topological formation and
maintenance of the IoT-LLNs. When nodes process a control message received from a neighboring
node, they suspend their data forwarding. A malicious node may intentionally flood the network with
a massive burst of control messages. In the following, we discuss various attacks in IoT-LLNs
instigated by flooding the three different control messages.

DIS Flooding
When a node broadcasts a frequent burst of DIS messages, it is said to have instigated a flooding
attack [21]. The neighboring nodes suspend their data forwarding activity to respond to the frequent
DIS request. Consequently, the victim nodes not only become unavailable but also suffer from
depletion of battery power, and the network experiences congestion and a drop in packet delivery
ratio [86], [87]. A suggested workaround is to discard the DIS from nodes that exceed predefined
thresholds of the number of DIS bursts and the interval between the consecutive DIS messages, and
blacklist all non-adhering nodes [86], [88]. Such mechanisms reduce the impact of the attack but may
end up blacklisting nodes that genuinely suffer from weak links and cannot connect to the IoT-LLN.
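
The threshold-and-blacklist workaround described above, replayed over a constructed DIS log, shows both the intended effect and the false positive on a weak-link node. This is an added example, not code from the thesis or from [86], [88]; the threshold values, node names and timestamps are constructed, and counting a violation per DIS that arrives too soon after the previous one is an assumed reading of the scheme.

```python
from collections import Counter, defaultdict

MIN_INTERVAL_S = 5.0   # assumed minimum gap between two DIS from the same sender
MAX_VIOLATIONS = 3     # assumed number of too-early DIS tolerated before blacklisting


class DisRateGuard:
    """Per-neighbour DIS rate check with a blacklist, as run on the receiving node."""

    def __init__(self, min_interval_s=MIN_INTERVAL_S, max_violations=MAX_VIOLATIONS):
        self.min_interval_s = min_interval_s
        self.max_violations = max_violations
        self.last_seen = {}                 # sender -> time of its previous DIS
        self.violations = defaultdict(int)  # sender -> count of too-early DIS
        self.blacklist = set()

    def on_dis(self, sender, t):
        """Classify one DIS received from `sender` at time `t` (seconds)."""
        if sender in self.blacklist:
            return "dropped-blacklisted"
        previous = self.last_seen.get(sender)
        self.last_seen[sender] = t
        if previous is not None and t - previous < self.min_interval_s:
            self.violations[sender] += 1
            if self.violations[sender] >= self.max_violations:
                self.blacklist.add(sender)
                return "blacklisted"
            return "discarded"
        return "answered"  # the node replies with a DIO as usual


def constructed_log():
    """(time in seconds, sender) pairs; every value here is constructed."""
    flooder = [(round(0.1 * i, 1), "flooder") for i in range(10)]   # 10 DIS in 1 s
    joiner = [(1.0, "joiner"), (61.0, "joiner")]                    # well-behaved node
    # Node on a lossy link: the DIO replies are lost, so it retries every 4 s.
    weak_link = [(2.0 + 4.0 * i, "weak-link") for i in range(5)]
    return sorted(flooder + joiner + weak_link)


def replay(events, guard):
    """Feed the log to the guard and count the outcomes per sender."""
    outcomes = defaultdict(Counter)
    for t, sender in events:
        outcomes[sender][guard.on_dis(sender, t)] += 1
    return {sender: dict(counts) for sender, counts in outcomes.items()}


def run_example():
    guard = DisRateGuard()
    return replay(constructed_log(), guard), sorted(guard.blacklist)


if __name__ == "__main__":
    per_sender, blacklisted = run_example()
    for sender, counts in per_sender.items():
        print(sender, counts)
    print("blacklist:", blacklisted)
```

With these constructed thresholds the guard answers one DIS from the flooder and drops the rest, but the weak-link node ends up on the same blacklist after three 4-second retries.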

DAO Flooding
A malicious node may flood DAO messages to advertise false routes and overload the routing table
of its parent node [21]. RPL generally operates in non-storing and storing modes. In the storing
mode, each node in the DODAG maintains a routing table of the downward routes, whereas in the
non-storing mode, all the nodes in the DODAG send traffic to the sink and the sink uses the source
routes to send traffic to the leaf node. In the storing mode, the RPL provides an optional header
field, the forwarding error flag in the DAO, to clean up the stale routes. A malicious node can manipulate
this flag, which results in the valid downward routes being discarded [107].

DIO Flooding
Frequent replay of DIO messages can also impact the network. Pericle et al. in [89] have explored
the DIO suppression attacks in which a malicious node intercepts an old DIO and keeps replaying
it, which makes the victim nodes suppress their DIOs as they believe there is no new information
to share. As a result, nodes in the subtree of the victim nodes are unable to receive the updated
DODAG configuration, which results in the sub-optimized performance of the LLN. Although Pericle
et al. also stated that the DIO suppression attack may lead to network partitioning, they did not explore
the partitioning phenomenon. Authors in [90] have studied that RPL does not behave as expected
under partitioning. This happens because the sensor nodes do not maintain the list of unreachable
nodes and no neighboring node is marked as unreachable even after it is discarded as a preferred
parent. This means a node which is in the neighborhood but should not be a preferred parent may
later be chosen as a parent node. This situation may lead to the formation of loops in the DODAG,
which mostly results in partitioning [91]. The scenarios which lead to partitioning of the IoT-LLN
need further exploration.
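
The Trickle behaviour referred to under Energy Efficient Routing, and the suppression that the replayed DIOs in [89] rely on, can be seen in a small interval-by-interval model. This is an added example, not code from the thesis or from any RPL implementation; it follows the Trickle rules of RFC 6206 (interval doubling up to Imax, reset to Imin on inconsistency, suppression once k consistent messages are heard), the parameter values are constructed, and the random transmit point t is abstracted into an input giving the number of consistent DIOs heard before t.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IntervalResult:
    interval: int      # length of this Trickle interval (ms)
    heard: int         # consistent DIOs counted before the transmit point t
    transmitted: bool  # whether the node sent its own DIO in this interval


def run_trickle(events, imin=8, doublings=4, k=2):
    """Step a Trickle timer through one event per interval.

    Each event is either an int (consistent DIOs heard before t) or the string
    "inconsistent" (a DIO that disagrees with the node's configuration).
    """
    imax = imin << doublings          # Imax expressed as a number of doublings of Imin
    interval = imin
    results = []
    for event in events:
        if event == "inconsistent":
            # Inconsistency resets the interval to Imin; the node advertises again.
            interval = imin
            results.append(IntervalResult(interval, 0, True))
        else:
            # The node transmits at t only if it heard fewer than k consistent DIOs.
            results.append(IntervalResult(interval, event, event < k))
        interval = min(interval * 2, imax)  # the interval doubles until it reaches Imax
    return results


def dios_sent(results):
    return sum(1 for r in results if r.transmitted)


def suppression_ratio(results):
    """Share of intervals in which the node stayed silent."""
    return 1 - dios_sent(results) / len(results)


def stable_network():
    # Constructed: a quiet, consistent neighbourhood; the interval grows to Imax.
    return run_trickle([0] * 6)


def topology_change():
    # Constructed: an inconsistent DIO in the fourth interval forces a reset.
    return run_trickle([0, 0, 0, "inconsistent", 0])


def replayed_dio():
    # Constructed: k stale but consistent-looking DIOs are heard in every interval.
    return run_trickle([2] * 6)


if __name__ == "__main__":
    for name, fn in (("stable", stable_network), ("change", topology_change),
                     ("replay", replayed_dio)):
        res = fn()
        print(name, [r.interval for r in res], "sent:", dios_sent(res),
              "suppressed: %.0f%%" % (100 * suppression_ratio(res)))
```

In the replayed case the node sends no DIO in any interval, so nodes in its subtree that depend on it never hear the current configuration, which is the effect described above.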

2.3.4 Attacks Instigated by Violating Protocol Functions


The RPL maintains optimal paths in the topology by use of a parent selection function. The function
forces nodes in the DODAG to choose the best parent node in terms of the predefined objective
function. A malicious node may violate the parent selection function and choose the worst parent
to sub-optimize the paths in the DODAG [21]. A malicious node instigating the worst parent
attack systematically chooses the worst parent among the available candidate set of parent nodes.
As a result, the path chosen to the root is a sub-optimal path that causes sub-optimized network
performance, and in certain scenarios, may lead to network isolation [92]. There is not much research
done in this category of RPL attacks.

2.4 Enhanced RPL versions


In the past few years, researchers have analyzed various aspects of the RPL routing process that may
be remodeled to improve some performance or security measures. The RPL specification also sets out
many optional features that the implementation may include as per requirement. For example, there
are optional header fields in the control message that may be utilized to disseminate the information
required to implement additional functionalities and features.
We have classified the existing literature on RPL enhancement as follows:

• RPL enhancement that aims to improve some performance aspect of the routing process.
• RPL enhancement that aims to improve some security aspect of the routing process.

In the following subsections, we present the existing literature based on the above classification.

2.4.1 RPL Enhancements to Improve Performance


Since the IoT nodes have constrained characteristics, a lot of research has been done on enhancing
the routing process to optimize the node resources. Baraq et al. in [93] studied the storing mode of
RPL in which a DAO sent by a node may get dropped by the preferred parent owing to lack of space
in the routing table due to limited memory. In such events, the parent node should signal a negative
acknowledgment that tells the child node to choose an alternative parent. The authors in [94]
also suggest a multiparent scheme to overcome memory limitations. Such a multiparent method can
also overcome the problem of traffic congestion [95]. The authors in [96] incorporated a mechanism
in RPL that allows nodes with different MOP in a network to cooperate and connect to overcome
the memory limitations caused by the storing mode approach. Farooq et al. in [97], proposed the
inclusion of Bloom Filters in the RPL P2MP communication to reduce the source routing overhead in
non-storing mode. In [98], the authors proposed a Bidirectional Multicast RPL Forwarding (BMRF),
that offers nodes in the DODAG a choice between Link Layer broadcast and Link Layer unicast to
reduce the radio transmissions and energy consumption at the cost of more memory usage. Ming
et al. [99] proposed a novel routing metric that captures the loss rate of communication links to
optimally select the best parent set with the goal of minimizing end-to-end energy consumption. The
authors in [100], proposed a novel routing metric that delays the parent selection to achieve a balanced
DODAG instead of all nodes trying to connect to the available parent with minimum rank. Despite
these efforts to improve RPL in terms of resource utilization, most of the enhancements inherit some
drawbacks like slow convergence, unrealistic implementation, energy inefficiency, increased latency,
etc. [101], [102]. Hammed et al. in their work [103] presented strategies to save energy in the various
stages of networking in the IoT environment. They suggest shifting all computationally heavy duty
services outside the purview of the resource constrained network.

2.4.2 RPL Enhancement for Security


The false advertisement attacks are specific to IoT-LLNs. As mentioned earlier, the malicious nodes
often advertise false rank in the DIO messages to instigate attacks. Glissa et al., in their work
[104], proposed a threshold-based mechanism to overcome the vulnerability of RPL to increased
and decreased rank attacks. A node may change its rank within the limits specified by the two
thresholds, an increased rank threshold, and a decreased rank threshold. The proposed mechanism
showed an increase in the average power consumption and the control message overhead. In [105], the
authors proposed that nodes may work in promiscuous mode to find abnormal traffic routes to guess
about the neighboring nodes involved in Rank or Sybil attack. Zaminkar et al., in their paper [106],
added a detection mechanism in the RPL to identify the nodes instigating Sybil attack. However,
they consider only the case where the malicious node advertises its rank as zero, which may not
always be the case.
Often, the malicious nodes try to poison the downward routes through false information or by flooding
the DAO messages. Ghaleb et al. [107] addressed this problem by incorporating an upper limit on
the number of DAO messages of a child node, which can be processed by the parent node. A similar
mechanism was used to mitigate the DAO attacks in [108]. The authors in [109], [110] proposed a
mechanism for remote attestation of the nodes to ensure their software integrity and make use of the
DIO messages to disseminate the attestation report to improve the overall security of the DODAG.

2.5 Summary
The properties of RPL like provision for diverse traffic patterns, scalability and parametric con-
strained routing make it the de facto routing protocol for the low power and lossy networks in the IoT
environment. However, the vulnerabilities of RPL against routing attacks require attention. Though
most of the attacks find mention in the existing literature, partitioning attacks in the IoT-LLNs have
more scope for research. In particular, representation of attack instigation and consequences in the
form of robust models are missing.
The existing analysis and detection mechanisms provide solutions for a particular type of routing
attack. Nevertheless, the IoT-LLNs may suffer from multiple attacks, which requires a holistic tool
for detecting the state of the network. IoT has evolved from similar technologies like the Machine to
Machine environment and the SCADA systems. The additional features that IoT brings to the table
are scale, heterogeneity, and analytics. The power of technologies like machine learning, AI, and
Blockchain has remained untapped for enhancing routing security in IoT-LLNs. These technologies
can be precise in identifying the state of the network and the presence of malicious actors.
Further, what is required is to incorporate isolation mechanisms in the routing process to weed
out the identified malicious actors. The rank property is specific to RPL. Existing literature suggests
some mitigation mechanisms for increased rank attack and decreased rank attack. However, there
is scope for research in designing a robust detection and mitigation mechanism for worst parent
attacks. In Chapter 3, we propose an Attack Graph-based model to assess the vulnerability of the
rank property of RPL in IoT-LLNs. We also present a Mind Map model to assess the vulnerability
of the RPL routing process.

Chapter 3

Vulnerability Assessment of RPL in IoT-LLNs

“Only when we are brave enough to explore the darkness will we discover the infinite
power of our light.” -Brene Brown

3.1 Introduction
The study of the related literature, as discussed in Chapter 2, leads to the understanding that
routing security in IoT-LLNs is an open research problem. Also, IPv6 Routing Protocol for Low
Power and Lossy Networks (RPL) is the most popular and apt routing protocol for IoT-LLNs as
it satisfies all routing requirements. Securing the RPL routing process in the Internet of Things
(IoT) environment encompasses three significant activities: first, to assess the vulnerabilities of
the underlying routing protocol; second, to devise efficient mechanisms to detect anomalies resulting
from the routing protocol’s weaknesses; and third, to devise proactive measures for reducing the risk
associated with routing attacks. In this chapter, we focus on building vulnerability assessment models
to estimate the risk associated with the routing process in IoT-LLNs. Vulnerability assessment is the
process of defining, identifying, classifying, and prioritizing vulnerabilities in a system, application,
network protocol or infrastructure. It is the process of providing an assessment to understand the
risks existing in the environment in order to react appropriately [111]. Network protocol vulnerability
assessment helps to assess the security strengths and weaknesses of the network protocols. The
primary objective is to find the vulnerabilities of the IPv6 Routing Protocol for Low Power and
Lossy Networks (RPL) that can compromise the overall security and operations of the IoT network.
The assessment furnishes inputs to the design of security policies and mechanisms. Vulnerability
assessment may be performed using automated scanning tools or models. An assessment using
formal models is a good precursor for a good security framework. We propose two robust models
based on the concept of Attack Graph and Mind Map for assessing the vulnerabilities associated with
RPL routing protocol in the Internet of Things.
The rest of the chapter is organized as follows. In Section 3.2, we present the proposed classification
of vulnerability assessment models. In Section 3.3, we describe the proposed Attack Graph-based
vulnerability assessment model and validate the model in Section 3.4. In Section 3.5, we present the
Mind Map-based vulnerability assessment model, and in Section 3.6, we enumerate the metrics for
vulnerability analysis of RPL-based IoT networks.

3.2 Proposed Classification of Vulnerability Assessment Models
RPL, like any other routing protocol, is inherently vulnerable to attacks as the routing process requires
trusted co-operation among the entities involved. Weak authentication is largely responsible for
attacks against the routing protocols. The constrained characteristics of the Low Power and Lossy
networks restrict the use of complex authentication mechanisms and leave them vulnerable to several
insider attacks [112]. A node which participates in the routing process may exploit features or
configuration parameters involved in establishing the routes. In other words, a node may tamper
with the parameters required in the topological formation and maintenance of the network in order
to degrade the network performance. Alternatively, a node may also instigate an attack by skipping
or falsely executing a routing instruction. Therefore, vulnerabilities associated with the routing
parameters and the steps involved in the routing process should be carefully examined. To this
end, we classify our proposed vulnerability assessment models depicted in Figure 3.1 based on the
following criteria.

Figure 3.1: Proposed Classification of Vulnerability Assessment Models

• Based on RPL Features: As mentioned in Chapter 2, RPL performs the topological organi-
zation and maintenance of IoT-LLNs by exchanging control messages among the IoT devices.
The DIO control message carries values of parameters like rank, version number, and other
flag variables that govern the optimal topological organization of IoT-LLNs. A category of
vulnerability assessment models could be those that analyze how these parameters can be
exploited to instigate attacks. In our work, we propose an Attack Graph based vulnerability
assessment model to examine the vulnerabilities of the RPL rank property.
• Based on the Routing Steps: A malicious actor can also exploit the vulnerabilities of the
routing process, i.e., the steps involved in the topology formation. To this end, we examine
the RPL routing process’s vulnerabilities through the proposed Mind Map-based model.

As Low Power and Lossy Networks (LLNs) in IoT have evolved from Wireless Sensor Networks,
they have also inherited several routing attacks prevalent in WSNs. Thus, RPL attacks may be
classified into two categories: a) Attacks specific to RPL features, and b) Attacks inherited from
WSN as depicted in Figure 3.2 [113]. The first proposed model based on Attack Graphs analyzes
the impact of RPL specific attacks and how these attacks worsen the WSN inherited attacks in
collaborative attack scenarios. The objective of the proposed second approach, called Mind Map
model, is to scrutinize the RPL routing process and create a list of vulnerabilities associated with
each routing instruction. The Mind Map model will help in anticipating novel attack scenarios and
assist in better preparedness for zero day attacks.

Figure 3.2: Classification of RPL Attacks

3.3 Attack Graph based Vulnerability Assessment of Rank Property in RPL-based IoT
Large scale IoT applications require multiple data collection points federated through a backbone
network. To satisfy the requirement of multiple data collection points, the RPL organizes IoT-LLNs
as multiple RPL instances with single or multiple DODAGs. In each DODAG, the sensor data from
the various constituent nodes are collected at the root (sink) node. A DODAG can be identified by
the following parameter set:

• RPL instance ID: It identifies an RPL Instance in a Low power and Lossy Network. An
RPL instance may comprise one or more DODAGs where each DODAG makes use of the same
objective function.

• DODAG ID: [RPL instance, DODAG ID] identifies a unique DODAG in an RPL instance.

• Version Number: [RPL instance, DODAG ID, DODAG Version Number] identifies a unique
DODAG in a network.

• Rank: Represents the location of a node within the DODAG.

The rank plays a vital role in the construction of the DODAGs. The rank property governs the
Neighborhood Discovery, Data Path Validation, and Loop Detection mechanisms in RPL. A node
within a DODAG estimates its rank based on the objective function, which is a function of the parent
node’s rank and a routing metric as given by Equation 3.1.

$$R_{node} = R_{parent} + R_{increase} \qquad (3.1)$$

where,

• $R_{node}$ is the rank of the node.

• $R_{parent}$ is the rank of the parent node.

• $R_{increase}$ is an estimated value based on one or more routing metrics and constraints as
advertised by the root node.

Equation 3.1 also brings forth the following notions associated with the rank property in RPL:

1. The rank of a child node must always be greater than the rank of its parent node.

2. Ranks strictly increase in the downward direction in a DODAG, i.e., the root of the DODAG
has minimum rank and leaf nodes have the maximum rank.

3. From a given set of candidate parent nodes, a child node selects a node with the minimum
rank as its parent.

Adhering to the above notions of rank property ensures the loop-free construction of the DODAG,
a stable topology as well as an optimized network performance. Non-adherence to the above notions
leads to several attacks.
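One way to check the three rank notions above against a topology snapshot, as an added example (not code from the thesis or from Contiki). The `NodeView` structure, the `slack` parameter and the snapshot values are assumptions constructed for illustration.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class NodeView(NamedTuple):
    """One node as seen in a topology snapshot (hypothetical structure)."""
    node_id: int
    rank: int                    # rank the node advertises in its DIO
    parent: Optional[int]        # preferred parent; None for the root
    candidates: Dict[int, int]   # neighbour id -> rank that neighbour advertises


Finding = Tuple[str, int, str]   # (check name, node id, detail)


def find_parent_loops(nodes: Dict[int, NodeView], root_id: int) -> List[List[int]]:
    """Follow preferred-parent pointers; a walk that revisits a node is a loop."""
    loops = set()
    for start in nodes:
        path: List[int] = []
        cur: Optional[int] = start
        while cur is not None and cur != root_id and cur in nodes:
            if cur in path:
                loops.add(frozenset(path[path.index(cur):]))
                break
            path.append(cur)
            cur = nodes[cur].parent
    return sorted(sorted(loop) for loop in loops)


def check_rank_notions(nodes: Dict[int, NodeView], root_id: int,
                       slack: int = 0) -> List[Finding]:
    """Report violations of the rank notions; slack is an assumed tolerance
    (for example a parent switch threshold) applied to notion 3."""
    findings: List[Finding] = []
    root_rank = nodes[root_id].rank
    for node in nodes.values():
        if node.node_id == root_id:
            continue
        # Notion 2: the root holds the minimum rank in the DODAG.
        if node.rank <= root_rank:
            findings.append(("rank_not_above_root", node.node_id,
                             f"rank {node.rank} <= root rank {root_rank}"))
        parent = nodes.get(node.parent)
        if parent is None:
            findings.append(("unknown_parent", node.node_id,
                             f"parent {node.parent} not in snapshot"))
            continue
        # Notion 1: a child's rank must be greater than its parent's rank.
        if node.rank <= parent.rank:
            findings.append(("child_rank_not_greater", node.node_id,
                             f"rank {node.rank} <= parent rank {parent.rank}"))
        # Notion 3: the preferred parent has the minimum rank among candidates.
        if node.candidates:
            best = min(node.candidates.values())
            if parent.rank > best + slack:
                findings.append(("non_minimum_parent", node.node_id,
                                 f"parent rank {parent.rank}, best candidate {best}"))
    for loop in find_parent_loops(nodes, root_id):
        findings.append(("parent_loop", loop[0], " -> ".join(map(str, loop))))
    return findings


def constructed_snapshot() -> Dict[int, NodeView]:
    """Constructed sample: node 7 over-claims proximity, node 30 keeps a
    non-minimum parent, nodes 2 and 29 point at each other."""
    rows = [
        NodeView(1, 256, None, {}),
        NodeView(3, 512, 1, {1: 256}),
        NodeView(9, 1024, 3, {3: 512}),
        NodeView(30, 1280, 9, {3: 512, 9: 1024}),
        NodeView(2, 768, 29, {29: 512}),
        NodeView(29, 512, 2, {2: 768}),
        NodeView(7, 128, 3, {3: 512}),
    ]
    return {row.node_id: row for row in rows}


if __name__ == "__main__":
    for finding in check_rank_notions(constructed_snapshot(), root_id=1):
        print(finding)
```

A network whose objective function applies hysteresis before switching parents would pass that margin as `slack`, so a node that legitimately keeps a slightly worse parent is not flagged.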

3.3.1 Proposed Attack Graph based Vulnerability Assessment Model
The authors in [114] have defined Attack Graph as an efficient model of security vulnerabilities and
possible sequence of actions undertaken by a malicious entity to instigate the attacks. The proposed
vulnerability assessment model depicted in Figure 3.3 uses an Attack Graph to represent various
ways an attacker node may exploit the rank property of RPL to successfully compromise a network.
The attack graph also reinforces the fact that when a malicious entity instigates an RPL-specific rank
attack, it can further gain the potential to strengthen the WSN inherited routing attacks as well.
States T1-T4 and state R in Figure 3.3 represent various goals of an attacker node. States S1-S9
are the states of the IoT-LLN, which may undergo changes as a result of the exploitation of the rank
property. Once a malicious node intrudes the network by compromising the node authentication
defense mechanism, it can instigate several internal attacks by exploiting the weaknesses of RPL.

Figure 3.3: Proposed Attack Graph based Vulnerability Assessment Model

As depicted in Figure 3.3, routing attacks in RPL-based IoT-LLNs can be RPL specific attacks or
attacks inherited from characteristics of WSNs. The following are the RPL specific attacks explored
by the proposed Attack Graph model.

Rank Attacks (RPL Specific Attacks)


1. Decreased Rank Attack: A new node joining the IoT-LLN is depicted by the state S1 in
Figure 3.3. As nodes join the IoT-LLN, they advertise their presence by multicasting DIO
messages. A malicious node may intentionally advertise a rank much lower than its actual rank
in order to attract the neighboring nodes to select it as their preferred parent. In other words,
the malicious node over-claims its proximity to the sink node. As a result, the neighboring
nodes which select the malicious node as their preferred parent may actually end up selecting
an inferior path to the sink node. Thus, the malicious node instigates a Decreased Rank
Attack (DRA) as shown by the state S2 in Figure 3.3 and disrupts the optimal traffic paths
in the IoT-LLN. The malicious node successfully achieves its goal of traffic misappropriation
as depicted by the final state T1 in Figure 3.3.

2. Worst Parent Attack: A malicious node may violate notion 3 of the rank property by
selecting a parent with a higher rank instead of a parent with the minimum rank. In order to
introduce a delay in the sensor data reaching the root node, the malicious node selects a sub
optimized path to the root node. Thus, the malicious node instigates a Worst Parent Attack
(WPA) depicted by state S3. The malicious node keeps selecting sub optimized paths to the
root, thus resulting in network sub optimization as depicted by state T3 in Figure 3.3.

3. Increased Rank Attack: In constrained networks like IoT-LLNs, resource is a premium
element. A malicious node may aim to deplete the network resources by instigating an
Increased Rank Attack (IRA). When a malicious node increases its rank voluntarily by falsifying
the DIO messages, it results in an Increased Rank Attack as represented by state S4. As a
consequence of the IRA, a child node in the sub DODAG of the malicious node may have a
rank lower than its parent, which violates notions 1 and 2 of the rank property. To overcome
this, the child also increases its rank and initiates neighborhood discovery in order to select
a new parent node. This process increases the dissemination of the control messages,
leading to huge consumption of battery power. Thus, the malicious node successfully
compromises precious node resources as depicted by the final state R in Figure 3.3. IRA may result
in isolation of the child node or the sub DODAG in case of non-availability of an alternate
parent node.

We next explain the attacks explored in the proposed Attack Graph model that the IoT-LLN
environment inherits from the characteristics of the WSNs. The following are the WSN inherited attacks
that are intensified by the RPL specific attacks in IoT-LLNs.

Attacks Intensified by Rank attacks


1. Decreased Rank Attack can act as a precursor to several other internal attacks as depicted
by the proposed Attack Graph in Figure 3.3. A node instigating the Decreased Rank Attack
attracts huge traffic from the neighboring nodes. Further, it can choose to gain topological
information from packets, drop packets or modify packets leading to the following attacks:

(a) Sniffing Attack: A malicious node instigating DRA attracts significant network traffic
and thus gains the potential to instigate a potent sniffing attack as represented by state
S5. Through the information gained from sniffed packets, a malicious node can achieve
insight about the neighboring topology and identity information of the neighboring nodes
which can lead to Traffic Misappropriation (T1) as shown in Figure 3.3.

(b) Identity Attack: Using the information gained from sniffed packets, a malicious node
can instigate an Identity attack as shown by the state S9 in Figure 3.3. If the malicious
node clones the sink node, it can gain control over the entire network topology thus
compromising the traffic (T1) as shown in Figure 3.3.

(c) Blackhole Attack: A node instigating a blackhole attack drops all the received packets.
A malicious node instigating a Decreased Rank Attack (S2) may further drop all the
received packets to create a blackhole represented by the state S6. A blackhole attack
preceded by DRA results in huge loss of data packets leading to Network Isolation as
depicted by the final state T2.

(d) Sinkhole Attack: A malicious node can create a sink by attracting maximum data
as well as control packets towards itself and then it modifies or drops these packets. A
sinkhole attack can be easily executed by instigating a DRA. A sinkhole attack depicted
by state S7 leads to topological modifications and degraded network performance as
shown in Figure 3.3.

2. DAG Inconsistency Attack: A malicious node instigating an IRA may easily create a DAG
Inconsistency Attack scenario by setting the rank error flag (R) and direction flag (O) in its
DIO message. This scenario is depicted by state S8 in Figure 3.3. The DIO messages carry
flags R and O for data path validation. The R flag is set by the forwarding node when it
receives a packet from a node with higher rank with set flag O. A set flag O indicates that
the packet should be forwarded to a child node. The receiving node interprets this as DAG
inconsistency and resets the trickle timer. This leads to increased dissemination of DIO and
DIS messages.
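The effect of repeated trickle timer resets on DIO dissemination can be seen in a simplified model of the timer, given here as an added example (not code from the thesis or from Contiki). It assumes one DIO at the midpoint of every interval with no suppression, an interval that doubles from Imin up to Imax, and a reset to Imin only when the current interval is larger than Imin; the Imin value, the number of doublings and the reset schedule are constructed.

```python
from typing import Iterable, List


def dio_times(duration_s: float, imin_s: float, doublings: int,
              inconsistencies: Iterable[float] = ()) -> List[float]:
    """Return the times at which one node multicasts a DIO.

    Simplified trickle model (assumption): the node transmits once at the
    midpoint of each interval, the interval doubles on expiry up to
    Imax = Imin * 2**doublings, and an inconsistency heard while the interval
    is larger than Imin restarts the timer at Imin.
    """
    imax_s = imin_s * (2 ** doublings)
    events = sorted(inconsistencies)
    idx = 0
    t, interval = 0.0, float(imin_s)
    sent: List[float] = []
    while t < duration_s:
        tx, end = t + interval / 2, t + interval
        if interval > imin_s and idx < len(events) and events[idx] < end:
            # Inconsistency inside the current interval: reset to Imin.
            reset_at = max(events[idx], t)
            idx += 1
            if tx <= reset_at and tx < duration_s:
                sent.append(tx)          # the DIO went out before the reset
            t, interval = reset_at, float(imin_s)
            continue
        # Inconsistencies heard while already at Imin change nothing.
        while idx < len(events) and events[idx] < end:
            idx += 1
        if tx < duration_s:
            sent.append(tx)
        t, interval = end, min(interval * 2, imax_s)
    return sent


def mean_beacon_interval(times: List[float]) -> float:
    """Average gap between consecutive DIOs of the node."""
    return (times[-1] - times[0]) / (len(times) - 1)


def compare_stable_and_reset(duration_s: float = 3600, imin_s: float = 4,
                             doublings: int = 8):
    """Constructed scenario: an inconsistency every 60 s from t = 600 s."""
    stable = dio_times(duration_s, imin_s, doublings)
    disturbed = dio_times(duration_s, imin_s, doublings,
                          range(600, int(duration_s), 60))
    return {
        "stable_dios": len(stable),
        "disturbed_dios": len(disturbed),
        "stable_mean_interval_s": mean_beacon_interval(stable),
        "disturbed_mean_interval_s": mean_beacon_interval(disturbed),
    }


if __name__ == "__main__":
    for name, value in compare_stable_and_reset().items():
        print(f"{name}: {value}")
```

In this constructed hour the node sends 11 DIOs when undisturbed and 207 when its timer is reset every minute, which is the kind of shift in control-message count and beacon interval a detector can watch for.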

3.4 Validation of the Proposed Attack Graph based Vulnerability Assessment Model
In order to validate the proposed Attack Graph based vulnerability assessment model, we simulate
the various rank attacks in the Cooja simulator available in Contiki Operating System [115]. The
simulations use the Sky Mote available in Contiki OS. Each node has a communication range
of 50 m. Expected Transmission Count (ETX) is used as the routing metric as it represents the
effect of both the path length and the packet loss [116]. To emulate the Worst Parent Attack, we
altered the best-parent(rpl-parent p1, rpl-parent p2) function of rpl-mrhof.c to choose the worst of the
two input arguments. The output of the best-parent function of rpl-mrhof.c is used by the rpl-select-parent
(rpl-dag-t *dag) and best-parent (rpl-dag-t *dag) functions in rpl-dag.c to set the preferred parent.
To implement the Increased Rank Attack and the Decreased Rank Attack, we altered the function
used for evaluating the routing path metric present in the rpl-mrhof.c file. We also implemented a
combination of the Decreased Rank Attack and the Selective Forwarding Attack (SFA) to emulate
the Sinkhole attack. On a node executing the Decreased Rank Attack, we altered the RPL-udp client
function to implement the Selective Forwarding Attack. During the attack interval, while the attacker
mote drops all the data packets it receives from the neighboring nodes, it continues to broadcast all
the RPL control packets comprising DIS, DIO and DAO messages and its own generated data packets.

3.4.1 Increased Rank Attack


The experimental setup of the Increased Rank Attack scenario consisting of 29 fair nodes and 1
malicious node is depicted in Figure 3.4. Node 1 is the sink node and Node 10 is the malicious node.
The DODAG formed before the attack instigation is as depicted in Figure 3.4. On the 10th minute
of the simulation, Node 10 instigates IRA. Thereafter, the attacker node keeps increasing its rank
value. As a result, nodes in the sub-DODAG of Node 10 are forced to increase their rank to maintain
their connectivity to the sink node. Following are the observations from the simulation of IRA:

Figure 3.4: Experimental Setup of Increased Rank Attack

• IRA increases the average number of control messages multicasted by nodes in the DODAG.

• The sink node receives 3 to 4 times more data packets from the malicious node in
comparison to the other nodes.

• The malicious node, its parent and all the nodes in its sub-DODAG consume an increased
amount of listen and transmit power. As a result, the average power consumption of the
network increases.

• Average Inter Packet time of the malicious node and all the nodes in its sub-DODAG reduces.

• Beacon interval of the malicious node and all the nodes in its sub-DODAG reduces and is
much less in comparison to the Beacon interval of other nodes present in the DODAG.

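Table 3.1: Observations from Increased Rank Attack

| Increase in Average Power Consumption: Malicious Nodes | Increase in Average Power Consumption: Nodes in Subtree of the Malicious Nodes | Increase in Average Power Consumption: Other Nodes | Drop in Avg. Beacon Interval | Drop in Avg. Inter Packet Time |
|---|---|---|---|---|
| 254.16% | 179.67% | 40% | 68.46% | 64% |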

From the observations depicted in Table 3.1, it may be concluded that Increased Rank Attack results
in unwarranted resource consumption as depicted in the Attack graph of Figure 3.3. Also, these
observations can be used in designing a detection mechanism for the Increased Rank Attack.

3.4.2 Decreased Rank Attack with Selective Forwarding Attack
The experimental setup of Decreased Rank Attack consisting of 29 fair nodes and 1 malicious node
is shown in Figure 3.5. Node 1 is the sink node and Node 30 is the attacker node. The attack is
initiated on the 4th minute of simulation. Prior to the attack, the attacker node (Node 30) has no
child node as shown in Figure 3.5a. After the attack is initiated, the topology changes and Node 30
has 22 nodes in its sub-DODAG as shown in Figure 3.5b.

(a) Topology before DRA (b) Changed Topology after DRA

Figure 3.5: Experimental Setup of Decreased Rank Attack

Following are the observations made from the attack simulation:

• The topology changes due to DRA which results in increase of Expected Transmission Count
(ETX) of the affected nodes. For example, the ETX of Node 9 increases by 20 after the attack
as observed in Figure 3.5b, leading to network sub optimization.

• The convergence of traffic towards the attacker node, i.e., Node 30, as shown in Figure 3.5b,
results in traffic disruption.

• Though there is not much change in the network’s average power consumption, the attacker
node’s power consumption increases as it handles more traffic.

• Listen and Transmit duty cycle of the attacker node is twice that of most of the nodes in the
DODAG.

• Beacon interval of the attacker node is also less.

On instigating DRA, Node 30 attracts a huge chunk of traffic towards itself. Thus, Node 30 acquires
the potential to cause a huge disruption of the network traffic. Further, if Node 30 instigates a
Selective Forwarding Attack, it results in huge packet loss, as shown in Figure 3.6. When the
Decreased Rank Attack is activated at the 4th minute of the simulation, there is a loss of a few data
packets. On the 7th minute, when the Selective Forwarding Attack is instigated, the number of lost
data packets increases drastically. The attacker node can use the header information to instigate
sniffing and identity attack.
Thus, we can conclude that Decreased Rank Attack results in traffic compromise, network sub-
optimization and network isolation as depicted in the Attack Graph.

Figure 3.6: Packet Loss after DRA followed by SFA


3.4.3 Worst Parent Attack
The experimental setup for WPA consisting of 28 fair nodes and 2 malicious nodes is shown in Figure
3.7. Node 1 is the sink node and Nodes 29 and 30 are the attacker nodes. Nodes 29 and 30 instigate
the attack on the 6th minute of the simulation. As the attacker node changes its preferred parent,
the expected transmission count of the attacker node and the nodes in its sub-DODAGs increases. It
may be observed from Figure 3.7 that as Node 30 changes its preferred parent from Node 3 to Node
9, the expected transmission count of Node 30 increases by 112. The other attacker node (Node 29)
attempts to make Node 2 its preferred parent. In this scenario, Node 2 is forced to increase its
rank as it has no other node apart from Node 29 in its radio range to choose as its preferred parent.
It may be observed from Figure 3.8 that the rank of Node 29 becomes -1 in the process. This results in
a loop comprising Node 29 and Node 2. Thus we can conclude that Worst Parent Attack results
in network sub-optimization and in specific scenarios may also lead to network isolation as shown in
the attack graph.

(a) Topology before WPA (b) Topology after WPA

Figure 3.7: Experimental Setup of Worst Parent Attack

Figure 3.8: Path Metric of Node 29


3.4.4 Summary of Results
Table 3.2 summarizes the impact of various rank attacks. Based on the simulation of various rank
attacks, we can say that these attacks hugely affect the performance of the IoT network.

Table 3.2: Impact of Rank Attacks on Network Performance

| Attack Type | No. of Control Messages | Average Power Consumption | Avg. Beacon Interval | ETX | Packet Loss | Instigate Other Attacks |
|---|---|---|---|---|---|---|
| Increased Rank Attack | Increases | Increases | Decreases | Increases | Minimal | Yes |
| Decreased Rank Attack | Increases | Negligible Increase | Decreases | Increases | Minimal | Yes |
| Decreased Rank Attack with SFA | Increases | Negligible Increase | Decreases | Increases | Huge | Yes |
| Worst Parent Attack | Minimal | Negligible Increase | Minimal Drop | Increases | No | No |

For seamless integration of LLNs in the IoT environment it is important to secure notions related to rank property
and keep track of nodes changing their rank or preferred parent.

3.5 Mind Map based Vulnerability Assessment of RPL in IoT Environment
A Mind Map is a graphical representation of concepts and ideas that helps in structuring and
comprehending information. Mind Map facilitates better analysis and recall of information as well as
the generation of new ideas. The motivation behind our proposed Mind Map-based Vulnerability
Assessment of RPL is two-fold. First, the existing literature does not focus on partitioning attacks
in RPL-based IoT-LLNs. Second, we need to explore the vulnerabilities associated with each step of
the RPL routing process as it may aid in better preparedness for unknown or Zero-day attacks. To
accomplish this, we present a Mind Map representation of the vulnerability assessment of DODAG
node joining and maintenance process. The Mind Map shown in Figure 3.9 depicts various actions
involved in the node joining and maintenance process in RPL-based IoT-LLN and the associated
vulnerabilities of each action. In general, DAG formation and maintenance involve the following
processes:

• DODAG Advertisement: The DODAG root advertises the configuration of the DODAG
by broadcasting DIOs governed by a trickle timer. DIOs carry information like the supported
objective functions used for rank estimation of the nodes, trickle timer’s maximum and
minimum interval values, trickle redundancy constant and the version number.

Figure 3.9: Mind Map based Vulnerability Assessment of Node Joining and DODAG
Maintenance Process

• Nodes Joining: A new node that is ready to join a DODAG undertakes tasks (depicted in
Figure 3.9) as follows:

1. Transmit DIS: The new node multicasts DIS messages periodically to trigger Step1-Action1,
i.e., to reset the trickle timer of the neighboring nodes as shown in Figure 3.9.
The neighboring nodes, on receiving a DIS message from the new node, respond with
a unicast DIO message (Step1-Action2). There are two vulnerabilities associated with
Step1-Action1. A new node may overwhelm the DODAG by transmitting excessive
DIS messages, which increases the processing, listen and transmit power consumed by
the neighboring nodes, leading to exhaustion of power (Step1-Action1-Vulnerability1).
These nodes also have to suspend their data packet transmission in order to process
the incoming DIS requests (Step1-Action1-Vulnerability2). Step1-Action2 also poses
the risk of not allowing a new node to join the DODAG if the neighboring nodes do
not respond to DIS requests (Step1-Action2-Vulnerability1). Moreover, the neighboring
nodes may respond with false DIOs, forcing the new nodes to take sub-optimized paths
to the sink (Step1-Action2-Vulnerability2). On receiving DIOs, the new node performs
a quality estimation of the neighbor’s link. To do so, RPL makes use of a neighborhood
discovery mechanism named link probing. We refrain from discussing link probing here
since it is beyond the scope of this work.

2. Parent Selection: On hearing DIOs from the neighboring nodes and after performing
link estimation, the new node prepares a list of preferred parents which comprises the
same neighboring nodes. The new node then selects the node with minimum rank.
At this step, a node may select an inferior parent to degrade the performance of the
DODAG (Step2-Action2-Vulnerability1).

3. Route Registration: On selecting the parent node, the new node joins the DODAG
by unicasting a DAO message to the root node via the selected parent node. On receiv-
ing the DAO, the root node will add the new node to its routing table and may send
an optional DAO acknowledgment to the new node. In this way, the new node regis-
ters itself with the root node. A malicious node may never perform route registration
after obtaining the DODAG configuration through the received DIOs (Step3-Action1-
Vulnerability1). The configuration information can be used by the node to accomplish
malicious objectives like an identity attack.

4. Node Advertisement: Once the node is registered with the root, it can advertise its
presence to allow more nodes to join the DODAG. To realize this, the node performs
the following sub-tasks:

– DIO Computation: The node estimates its own rank based on the rank of its se-
lected parent and the specified objective function. The node makes use of the parent
DIO to compute its own DIO by replacing the parent’s rank and address with its
own rank and address. A rogue node may not compute its rank and instead may use
the rank of its parent in order to overclaim its proximity to the sink (Step4-Action2-
Action2.1-Vulnerability1) or may even impersonate its parent node by using the
link address of the parent node (Step4-Action2-Action2.2-Vulnerability2).

– DIO Output: The node now multicasts its own DIO and allows a newer node to
join the DODAG through it. At this juncture, a node may multicast the false DIO
information or replay an old DIO (Step5-Action1-Vulnerability1) or may block the
DIO output in order to restrict the neighboring nodes from joining the DODAG
(Step5-Action1-Vulnerability2).

• DAG Maintenance: This involves Steps 1 - 5 as depicted in Figure 3.9. Nodes which are
already part of the DODAG, constantly maintain the link estimates via probing. Similarly at
regular intervals, governed by the trickle algorithm, the root node broadcasts the DIO messages
to update the configuration information to the nodes in the DODAG. As nodes listen to the
fresh DIO, they perform the link estimation. If new links are available, they again perform
the parent selection, route registration and node advertisement. Through fresh DAOs received
from the nodes, the sink updates its routing table and its view of the DODAG.

Based on the understanding of various possible vulnerabilities, we found that RPL is indeed suscepti-
ble to Network Partitioning Attack. A malicious node can exploit the vulnerabilities Step3-Action1-
Vulnerability1, Step4-Action2-Action2.1-Vulnerability1 and Step4-Action2-Action2.2-Vulnerability2
to instigate a Network Partitioning Attack. The vulnerabilities are highlighted in red color in Fig-
ure 3.9. We further explore the novel Network Partitioning Attack scenario in Chapter 5.

3.6 Metrics for Vulnerability Analysis of IoT-LLNs


The observations from the two proposed vulnerability assessment models bring home the fact that
RPL is susceptible to numerous insider attacks. Therefore, likely symptoms of the attack scenario
should be predicted in a timely manner for safeguarding the IoT-LLNs from routing attacks. The vulnerability
assessment gives us the insight that the various routing attacks affect either all or a subset of the
parameters like the average power consumed by the LLNs, circulation of control messages, inter
packet time, beacon interval, etc. Following is the list of metrics used in our work for the vulnerability
analysis of IoT-LLNs with the goal of detection and mitigation of various routing attacks.

1. Power Consumption: Energy of a node is spent in processing data packets and control
messages (CPU Power, $P_{CPU}$), listening to messages from neighboring radios (Listen Power,
$P_{Listen}$), while in sleep mode (Low Power Mode energy, $P_{LMP}$) and forwarding self-generated
and received data packets and control messages (Transmit power, $P_{Trans}$).

$$\text{Power Consumption} = \sum_{i=1}^{N} (P_{CPU} + P_{Listen} + P_{LMP} + P_{Trans}) \qquad (3.2)$$

where N is the number of nodes connected to the sink.

2. Beacon Interval: A beacon frame comprises a DIO message in its payload. Nodes in the
DODAG multicast beacon frames at regular intervals governed by the trickle algorithm to
advertise their presence. Beacon interval of a node is the time gap between two consecutive
beacon frames multicasted by the node. The beacon interval varies between values $I_{min}$ and
$I_{max}$ depending on the state of the DODAG. It attains the maximum value $I_{max}$ when the
DODAG is organized and stable.

3. Routing Metric: Routing metric is a path cost estimation metric used by nodes in the
DODAG to select the best possible path to the sink. Routing metric can be a single or a
combination of predefined link or node metric [52].

4. Expected Transmission Count (ETX): Expected Transmission Count is a link metric
which represents the number of transmissions required by a node to successfully deliver a
packet.

5. Average time gap between consecutive packet arrival (ATG): It is the average of
time gap between the arrival of two consecutive packets of any non sink node i in the DODAG
at the sink node over the operational time. The upward latency given by End-to-End Delay
(EED) and latency between two consecutive packets sent by any node i is captured by the
metric “time gap between two consecutive packet arrival (TG)” of node i at the sink node as
can be observed from Figure 3.10.

Figure 3.10: Diagrammatic representation of TG and EED

6. Number of Neighbors: The number of neighbors for any node is equal to the sum of its
immediate child nodes and the parent node.

7. Inter-packet Time: The time gap between two successive transmissions by a node is termed
as its inter-packet time.

8. Hops: It is the count of the number of intermediate nodes from the source node which a
packet has to traverse before it reaches the sink node.

9. Network Convergence Time (NCT): It is the measure of the time taken by a group of
routers in a network to reach the state of convergence. A network is said to have achieved the
state of convergence when the routing protocol specific configuration information is available
to all the routers in the network that participate in the topological formation of the network.

10. Network Overhead: It is the number of control messages exchanged among the nodes for
topological formation and maintenance of the DODAG.

The power consumption is measured in units of milliwatts (mW), and beacon interval, NCT, and ATG
are measured in units of milliseconds (ms) as well as timestamps.
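The ATG metric and Equation 3.2 can be computed from data available at the sink, shown here as an added example (not code from the thesis). The arrival log, the window boundaries, the 50% threshold and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import mean
from typing import Dict, Iterable, List, Tuple

Arrival = Tuple[int, int]   # (arrival time at the sink in ms, source node id)


def atg_per_node(arrivals: Iterable[Arrival], start_ms: int,
                 end_ms: int) -> Dict[int, float]:
    """ATG: mean time gap between consecutive packet arrivals of each node
    at the sink, over the window [start_ms, end_ms)."""
    per_node: Dict[int, List[int]] = defaultdict(list)
    for ts, node in sorted(arrivals):
        if start_ms <= ts < end_ms:
            per_node[node].append(ts)
    return {node: mean(b - a for a, b in zip(times, times[1:]))
            for node, times in per_node.items() if len(times) >= 2}


def percent_drop(before: float, after: float) -> float:
    """Relative drop of a metric, in percent of its earlier value."""
    return (before - after) / before * 100.0


def flag_atg_drop(arrivals: Iterable[Arrival], split_ms: int, end_ms: int,
                  threshold_pct: float) -> Dict[int, float]:
    """Compare each node's ATG before and after split_ms and return the nodes
    whose ATG dropped by at least threshold_pct (an assumed threshold)."""
    arrivals = list(arrivals)
    baseline = atg_per_node(arrivals, 0, split_ms)
    observed = atg_per_node(arrivals, split_ms, end_ms)
    flagged: Dict[int, float] = {}
    for node, before in baseline.items():
        if node in observed and before > 0:
            drop = percent_drop(before, observed[node])
            if drop >= threshold_pct:
                flagged[node] = drop
    return flagged


def power_consumption(per_node_mw: Dict[int, Tuple[float, float, float, float]]) -> float:
    """Equation 3.2: sum over nodes of CPU, listen, low power mode and
    transmit power, all in mW."""
    return sum(cpu + listen + lpm + trans
               for cpu, listen, lpm, trans in per_node_mw.values())


def constructed_arrivals() -> List[Arrival]:
    """Constructed log: node 5 reports every 60 s for 20 minutes; node 10
    reports every 60 s for 10 minutes and every 20 s afterwards."""
    log = [(ts, 5) for ts in range(1_000, 1_200_000, 60_000)]
    log += [(ts, 10) for ts in range(0, 600_000, 60_000)]
    log += [(ts, 10) for ts in range(600_000, 1_200_000, 20_000)]
    return log


if __name__ == "__main__":
    flags = flag_atg_drop(constructed_arrivals(), 600_000, 1_200_000, 50.0)
    for node, drop in flags.items():
        print(f"node {node}: ATG dropped by {drop:.2f}%")
```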

3.7 Summary
In this Chapter, we analyzed the vulnerabilities associated with the RPL routing protocol. We
proposed two different models to represent the vulnerabilities related to the RPL routing process.
The proposed Attack Graph-based model gives the insight that the rank property of RPL can be
exploited by a malicious node to instigate several attacks in RPL-based IoT-LLNs. Further, the
proposed Mind Map model helps build an in-depth understanding of the vulnerabilities associated
with each instruction of the RPL routing process. Based on the vulnerability assessment models and
experiments conducted to validate the proposed Attack Graph-based model, we prepared a list of
metrics to analyze the state of the IoT-LLNs, which we use in Chapters 6-7.
In [92], the authors performed an impact analysis of the rank attack. Semedo et al. in [117] per-
formed the vulnerability assessment of RPL’s Minimum Rank Hysteresis Objective, which culminates
in DRA. However, the impact of rank attacks, coupled with other routing attacks, was not analyzed
by them. We observed that the Decreased Rank Attack could be a precursor to routing attacks like
sinkhole attacks, wormhole attacks, and packet sniffing attacks through the proposed attack graph
analysis of the rank property. Recently, authors have proposed taxonomies to study the impact of
routing attacks in RPL-based IoT LLNs [21] [30]. However, such taxonomies do not help in uncover-
ing unreported vulnerabilities of the routing process. The insights gained from the Mind Map model
led to an unreported network partitioning vulnerability in the RPL-based IoT environment that is
further discussed in Chapter 6.
In the proposed Attack Graph model, we have focused on the rank property of RPL as IoT-LLNs
under rank attacks suffer from topological sub-optimization and isolation of victim nodes. Specifi-
cally, Increased Rank Attacks exhaust node resources by accelerating the exchange of control messages
among the nodes in the IoT-LLNs. The Attack Graph-based model does not analyze vulnerabilities
that may stem from exploiting other RPL properties like parent set size and parent switch threshold.
Similarly, the Mind Map model can be made exhaustive by including parent set size and parent
switch threshold parameters.


Having observed the impact of routing attacks in IoT-LLNs, we understand that the timely de-
tection of routing attacks in IoT-LLNs is highly desirable. In Chapters 4 and 5, we will devise
mechanisms for efficient detection of various routing attacks in RPL-based IoT-LLNs.
