See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/374742953

Rank attack using objective function in RPL for low power and lossy networks

Article · October 2023

CITATIONS

1 author:

Abdul Rehman
Bahria University
3 PUBLICATIONS 1 CITATION

SEE PROFILE

All content following this page was uploaded by Abdul Rehman on 20 October 2023.

The user has requested enhancement of the downloaded file.

 Rank Attack using Objective Function in RPL for Low
Power and Lossy Networks

Abdul Rehman Meer Muhammad khan M. Ali Lodhi Faisal Bashir Hussain
Dept. of Computer Science Dept. of Computer Science Dept. of Computer Science Dept. of Computer Science
Bahria University Bahria University Bahria University Bahria University
Islamabad, Pakistan Islamabad, Pakistan Islamabad, Pakistan Islamabad, Pakistan
Abdul.mul103@gmail.com Meer.khan78@gmail.com Alilodhi30@gmail.com faisalbashir@bahria.edu.pk

topologies for LLNs [1]. RPL provides some solutions for

Abstract—The Routing Protocol for Low power and lossy securing communication between devices however various
network (RPL) is recommended by Internet Engineering Task internal attacks are recently highlighted [2].Rank attack is one
force (IETF) for IPv6 based Low Power Personal Area of the most critical attacks that can be launched over RPL. It is
Network (6LoWPAN). RPL is a proactive routing protocol for a variation of sinkhole attack [3] in ad hoc networks. Rank in
Internet of Things (IoT) that has applications in smart homes, RPL is the relative distance of a node from the DAG root
smart cities and smart world. RPL creates a Directed Acyclic (sink). Rank of node increases downstream and decreases
Graph (DAG) of the network topology. Rank in a primitive upstream. Rank of a node in RPL serves multiple purposes
construct in RPL and it defines the relative position of node apart from distance to the sink, it ensures route optimization,
within the DAG. It is used for topology formation, prevent loops, and manages control overhead. In a rank attack,
maintenance and prevention of loops in routing paths. Few a malicious node advertises false rank information (lower rank
internal attacks are identified in existing literatures which than neighboring nodes) to its possible child nodes. As result,
maliciously use the rank property within RPL networks. In neighboring nodes select the malicious as their next hop node
this paper, we introduce a new rank attack in RPL networks for routing information to the sink node. This attack can have
that modifies Objective Function (OF) along with rank value. very adverse impact on the operation of network if it is
The OF is used by RPL nodes to select forwarding nodes launched near the sink [3].
based on application defined routing metric e. g., expected The Objective Function (OF) in RPL determines how RPL
transmission count, residual energy etc. The proposed rank nodes select the optimal path towards the DODAG root in a
attack is more distractive in nature because the attacking node network. For example, RPL nodes can select the Expected
can easily force its neighboring nodes to route their data Transmission Count (ETX) as a routing metric. In this case, all
through the attacking node. Comprehensive simulation the nodes in the network can select OF that selects next hop
analysis has shown that the proposed rank attack can be used node based on minimum ETX. A RPL node joins DAG finds a
to introduce false routing path for decreasing network set of parents (neighbors) and then selects the preferred parent
throughput and increasing latency of communication. with the help of both rank and the defined OF. Rank attacks
[3, 4, 5] introduced in existing literatures do not exploit the
vulnerabilities available in objective function and have a very
Keywords—IoT, LLNs, RPL, Rank attack, Internal threat.
limited impact on the network performance. In this paper, we
introduce a new rank based attack, in which the adversary
I. INTRODUCTION announces both false rank and routing metric value to increase
the severity of the attack. The proposed attack is termed as
Low power and Lossy Networks (LLNs) are used for data Rank Attack using Objective Function (RAOF) and it is
acquisition in industrial monitoring, health care, home capable of maliciously forcing the neighboring nodes of the
automation, security and military surveillance etc. LLNs are attacker to create routing paths through the attacking node.
categorized as a type of Wireless Personal Area Networks RAOF is a more powerful and successful attack as compared
(WPAN). RPL is the underlying routing protocol for to the existing rank attacks.
6LoWPAN. RPL is recommended by IETF to be used in The rest of the paper is organized as follows. Section II
Internet of Things (IoT). IETF has emphasized the use of RPL describes the basic operation of RPL. Section III discusses the
because it outperforms other wireless and ad hoc routing literature review and Section IV presents the network model
protocols in term of quality of service (device management used for RAOF attack. Section V presents the proposed RAOF
and efficient energy saving performance) for LLNs [1]. RPL attack and Section VI provides the detailed simulation analysis.
creates a directed acyclic graph (DAG) of the network Last section VII concludes this paper.
topology for routing. Research efforts are made to evaluate the
performance of RPL in different network scenarios and

978-1-4673-8743-9/16/$31.00 ©2016 IEEE

 II. RPL OPERATION OF [9] using some routing metrics because otherwise the
RPL is proactive and distance vector routing protocol for topology will be created only on the basis of hop count. If the
LLNs which creates a DAG of the network devices [6]. DAG attack presented in [3] is launched in RPL network that also
topology can be divided into multiple DODAGs (Destination uses OF along with rank then the attack will not be successful
Oriented Acyclic graph) where each DODAG consist of a sink in attracting neighbouring nodes.
and many tiny sensor nodes. DODAG topology formation is In [3] attacking nodes do not change the rank rules and
triggered by the DODAG root node. RPL uses different behaves as a totally legitimate node but it only selects the
control message that are periodically transmitted by network worst forwarding node as its next hop node (preferred parent).
devices using trickle timer [7].DIO (DODAG Information This attack is hard to detect. The worst parent selected can
Object) message transmitted from DODAG sink node to have longer path to the sink. As a result latency increases and
DODAG sensor nodes. DIO messages are responsible for throughput of the network is partially affected. However, the
topology formation and maintenance, DAO (DODAG attack proposed in [3] does not significantly change the
Advertisement Objet) message is forwarded in upwards from network performance and only nodes routing through the
DODAG sensor nodes to DODAG sink node and using these attacking node are affected. For a malicious node to join and
messages the sink updates its view of the network. The DIS launch an attack presented in [3] may not be possible after
(DODAG Information Solicitation) is used by new node to network is established because the attacking nodes does not
join a DODAG topology. change the rank rules, therefore it cannot attract neighbours to
The flow of DIO and DAO messages are shown in Figure 1. select the attacking node as preferred parent node.
Rank of a node in RPL is represented as a scalar number In [5] preferred parent based attack is introduced that is
which depicts the location of that node within the DODAG. similar to [3] only the attacking node selects the next best
The rank property helps to avoid and detect loops formation. preferred parent as its forwarding node. The impact of this
Also, forwarding node selection can be performed only on the attack on network performance is less than worst parent
basis of rank of the nodes. In particularly the rank of the nodes selection attack discussed in [3]. However, it is even harder to
must monotonically increase from sink to leaf nodes in detect this attack as compared to the worst parent attack
downwards direction and it must decrease in the same way in presented in [3].
upwards direction to the sink node.

IV. NETWORK MODEL

In this section, basic network assumption, definition and
network characteristic are discussed. All network nodes
considered are homogeneous in terms of communication
range. Sensor nodes are densely deployed where data is
reported in a multi hop fashion. It is further assumed that the
network is fully connected and all non-bordering nodes (nodes
are at the edge of sensor field) have more than one link
disjoint or node disjoint path to the sink node. The network
devices are non-mobile and the proposed RAOF attack is
launched after the initial network setup. Following are few
Figure 1: Control messages in RPL network terminologies that are used in the design of RAOF attack.

III. RELATED WORKS • Candidate Parent Node (CPN): Any neighbour of a node
Existing rank attack [4] has the objectives of making attacking possessing lesser rank value is termed as CPN. In a
network a node can have number of Candidate Parent
node lucrative to neighbouring nodes for the next hop
Nodes (CPNs) and any CPN can be selected for forwarding
selection. Apart from converging and routing the traffic
data to the sink node in RPL.
through attacking nodes similar attacks [3, 5] are introduced in
• Preferred Parent Node (PPN): It is one of the CPN with
RPL in which the adversary selects suboptimal forwarding lowest rank and best routing metric selected for forwarding
nodes. data to the sink node by a node in RPL network.
To the best of our knowledge the only pure rank attack on • Malicious Node (MN): This node will launch RAOF attack
RPL is introduced in [4]. The attack is similar to sinkhole in the RPL network. The words MN and Attacking Node
attack [8] in ad hoc networks. The work assumes a network (AN) are interchangeably used in this paper.
topology that is created only on the basis of rank metric and
no other routing metric is considered. The attacking node joins
the network and suddenly announces a lower rank value than According to RPL, the rank computation is linked with OF
its neighbouring nodes. As a result, the neighbouring nodes and it must be implemented in a generic method to include
select the attacking node as their preferred parent and they rank of preferred parent, node metrics, link metrics and the
node configuration policies. We consider a simplistic rank
further announce this network change to their child nodes.
calculation as recommended by RPL in RFC [9] based on OF
However, in RPL based networks, it is recommended to use
that uses ETX for path selection. In this case, rank of a node DODAG uses single OF for topology formation and
R(N) is calculated based on the rank of the parent R(P) and is maintenance.
shown in the following equations: Consider, a network topology where an attacking node has a
ܴሺܰሻ ൌ ܴሺܲሻ ൅ ‫݇݊ܽݎ‬௜௡௖௥௘௔௦௘ legitimate rank  ୐୅ and the minimum rank among its
neighbors is  ୒୅ . In this case the attacker will announce a
‫݇݊ܽݎ‬௜௡௖௥௘௔௦௘ ൌ  ሺܴ݂ ൈ ܵ‫ ݌‬൅ ܵ‫ݎ‬ሻ ൈ ‫݁ݏܽ݁ݎܿ݊ܫܴ݇݊ܽ݌݋ܪ݊݅ܯ‬ rank value that is less than  ୒୅ to launch the attack. Hence in
ƒ̴୤ୟୡ୲୭୰ ሺˆሻ defines rank factor which is a configurable order to launch the attack the attacker will decrease it rank
factor that is used to multiply the effect of the link properties below  ୒୅ and the advertised rank for the attacker  ୅ can be
in the rank_increase computation. –‡’̴‘ˆ̴”ƒሺ’ሻ is expressed as  ୅ ൏  ୒୅ . In this case, if the announced rank  ୅
computed for that link (e.g., based on ETX) is multiplied by is very low then the neighbors of the attacker will discard this
the Rf. –”‡– Š̴‘ˆ̴”ƒሺ”ሻthat is less than or equal to the rank value. This is because RPL recommends that rank change
configured stretch_of_rank per hop rank increase computing. should be within some limits otherwise sudden change of rank
‹ ‘’ƒ  ”‡ƒ•‡ is a variable that can be distributed in can result in the creation of very unstable network topologies.
the network with a fixed constant [11]. Hence, in RAOF the attacker announces a rank with the
relation  ୔୔୒̴୅ ൏ ܴ୅ ൏  ୒୅ , where  ୔୔୒̴୅ is the rank of
PPN of the attacker. In this way, the rank change announced
by the attacker is not very drastic but is less than most of the
neighboring nodes.
In order to further elevate the intensity of the attack the
routing metric (ETX) announced in the DIO message is
drastically lowered as compared to the minimum observed
among the neighbors. Since routing metric values can change
very dynamically in real networks as compared to rank value
therefore RPL suggests no measures to monitor the change in
routing metric values.
As illustrated in Figure2, the neighboring nodes of the
attacking node 31 will converge towards the node 31 by
selecting it as their new PPN. The solid lines shows original
connectivity before the launching of RAOF attack and the
dotted lines depicts the new connectivity after the launch of
RAOF. Once the attacking node becomes the PPN in the
Figure 2: RAOF launched by node 31 in an RPL network attacking region it can affect the network performance in the
following ways.
V. RAOF ATTACK VI. SIMULATIONS ANALYSIS
In this section, the RAOF attack is explained in length. An
important factor in parent selection along with rank is To measure the impacts of intruders on network Cooja
objective function (OF). If a node receives a valid rank then simulator [12] is used which runs over Contiki OS, malicious
before changing the PPN it must calculate the OF value based nodes placed on different locations and circle around the
on routing metrics. For example, if the routing metric is based malicious nodes indicate transmission range and data reporting
on ETX and the OF is defined to maintain routing path having nodes as shown in Figure 3. Node 1 is the sink/root node in
lowest ETX value then a node will receive both rank and ETX the network. Network parameters used for simulations
for its PPN. analysis as listed in table 1 and nodes characteristics are
In this scenario to successfully launch a RAOF the mirrored according to mote sky sensor nodes [12].
attacking node must corrupt the routing metric announced by
the parent node so that OF of the neighboring nodes favor the Table 1.Network Parameter used in simulation analysis
attacking node. In this work, we have used ETX as basic
Parameter Value
routing metric. Each node calculates ETX for successful Network Layer RPL
transmission from source to destination using the following MAC Layer IEEE 802.15.4
formula [10]. Simulation runtime 600s
Event reporting 500s
Objective Function (OF) mrhf, ETX
‫ ܺܶܧ‬ൌ ͳȀ‫ݎܦ כ ݂ܦ‬ Number of Sensor nodes 100
Where, ‫ ݂ܦ‬is the measured probability that a packet is DIO minimum interval 4 sec
received by the neighbor and ‫ ݎܦ‬is the measured probability DIO maximum interval 17.5 min
that the acknowledgment packet is successfully received. To Sending rate 1 packet every 10 sec
Number of source nodes 2-40
use ETX as OF it is included in DAG metric container. A Number of attacking nodes 1-30
TX range 20 m
 Interference range 30m packets. The simulation setup is same as shown in Figure 3.
Packet size (excluding header) 50 Bytes All nodes within the event reporting region from R1 to R5 and
sending data at 6 packets/min [3]. During the normal operation
of RPL without any attacking node high throughput is
observed and delivery ratio is above 97%. When the attacking
nodes drop only 10% of the traffic the routing metric ETX
does not change significantly and the source nodes continue to
route data through the attacking node. However, if the
attacking nodes drop more than 20% of the forwarding traffic
the ETX of the source nodes through the attacking nodes
increases and they change their routing path, eliminating
routes through the attacking node.This is visible in Figure 9
Figure 3:Simulation setup for RAOF attack at various that the delivery ratio drops when packet drop ratio is 20 or
places. 30% but then increases source nodes from the event region
change their routing paths.

Figure 4 : RAOF attack near sink

Figure 5 shows the percentage of network nodes converged at Figure 6: Neighbour nodes converged by RAOF at various regions
the attacking due to RAOF attack. Five malicious nodes
launch the attack in the network shown in Figure 3. After the
RAOF attack, when a node selects the attacking node as its
preferred parent then it is termed as affected node or
converged. Also, nodes that are child of affected nodes selects
a route through malicious node are also converged nodes. It is
noticeable that when the attack is launched near to the sink
more network nodes affected by the attack as demonstrate in
Figure 4. Also, by the addition of only five attacking nodes in
random locations almost 30% of the network nodes have
converged towards the attacking nodes. Figure 6 shows the
percentage of one hop nodes or neighbors converged in
different regions by RAOF attack is launched in each region. Figure 7: Impact of RAOF attack on PDR
Up to 60% of neighboring nodes have changed their PPN and
converged towards attacking node.

Figure 8:DIOs generated against RAOF attacking regions

Figure 5: Network nodes converged by RAOF at various regions
In RPL, DIO and DAO messages are periodically
Figure 7 shows the impact of RAOF in packet delivery ratio as
the malicious node drops 10%, 20% and 30% forwarding communicated to create/maintain topology and update the sink
regarding the topology, respectively. Both the aforementioned International Conference on Mechatronics (ICM), pp.767-
messages contribute to the control message overhead. Figure 8 772, Turkey, April 2011.
shows how the control overhead increases with respect to [3] L.Anhtuan, L. Jonathan, and L. Aboubaker,“The Impacts
of Internal Threats towards Routing Protocol for Low power
time. The attack is launched simultaneously using five nodes
and lossy Network Performance”.IEEE Symposium on
after 100 seconds in the simulation time from different Comupters and Communication, Split,July 2013.
regions. Only DIO results are included as number of DAOs [4] L. Wallagren, S. Raza, and T. Voigt, “Routing Attacks
generated is almost similar to DIOs because DAO is generated and Countermeasures in the RPL –Based Internet of Things.”
after receiving DIO message from the PPN node. International Journal of Distributed Sensor Networks, Vol.
2013, pp. 840-851, 2013.
[5] L. Anhtuan, L. Jonathan, and L. Aboubaker, “The Impact
of Rank Attack on Network Topology of Routing Protocol for
Low-Power and LossyNetworks”.IEEE Sensor Journal, Vol.
13, PP. 3685-3692, 2013.
[6] T. Winter, P. Thubert, “RFC 6550: RPL: IPv6 Routing
Protocol for Low-Power and Lossy Networks,” Internet
Engineering Task Force (IETF) Request For Comments,
March 2010.
[7] P. Levis, T. Clausen, J. Hui, O. Gnawali, J. Ko, “RFC
6206: The Trickle Algorithm draft-ietf-roll-trickle-08,”
Internet Engineering Task Force (IETF) Request For
Comments, Jan 2011.
Figure 8: Average end-to-end delay [8] C. Karlof and D. Wagner, “Secure routing in wireless
End to end data delivery time is another important parameter sensor networks: attacks and countermeasures”, International
for the performance evaluation of network protocols. Figure Journal of Ad Hoc Networks, Vol.1, pp. 293–315, 2003.
11 shows the impact on latency of communication as the [9] P. Thubert, “RFC 6552: Objective Function Zero for
malicious nodes adds 10%, 20% and 30% delay in data theRouting Protocol for Low-Power and Lossy Networks
forwarding. During the normal operation of RPL without any (RPL),” Internet Engineering Task Force (IETF) Request For
attacking node the average delay observed is 65sec. When the Comments, March 2012.
malicious nodes add extra delay then latency is increased but [10] J.P. Vasseur, M. Kim, K. Pister, N. Dejean, D. Barthel,
the amount of delay is not significant for RPL to change the “RFC 6551: Routing Metrics Used for Path Calculation in
topology. Therefore, forwarding nodes do not change their Low-Power and Lossy Networks,” Internet Engineering Task
PPN node and topology remains the same. Force (IETF) Request For Comments, March 2012.
[11] O. Gnawali,P. Levis, “RFC 6719: The Minimum Rank
VII CONCLUSION with Hysteresis Objective Function,” Internet Engineering
Task Force (IETF) Request For Comments, Sept 2012.
RPL is the IETF’s recommended routing protocol for LLNs.
In this paper, we have proposed a modified rank attack in
[12] “Contiki: The Open Source OS for the Internet of
which a malicious node advertises not only a false rank but
also a false routing metric value. The proposed attack is more Things,” Contiki OS. [Online]. Available: http://www.contiki-
severe in nature as compared to simple rank attack. Simulation os.org/index.html .
analysis has revealed that the proposed attack can easily forces
neighbors of the attacking node to select the attacker as their
forwarding node and it results in the convergence of data
flows at the attacker. In addition, the results indicated that the
proposed attack can decrease 30% to 57% of the data delivery
ratio depending on the position of the attacking node within
the network.

REFERENCES

[1] T. Winter, P. Thubert, “RFC 6550: RPL: IPv6 Routing

Protocol for Low-Power and Lossy Networks,” Internet
Engineering Task Force (IETF) Request For Comments,
March 2010.
[2]N. Accettura, L. Grieco, G. Boggia, P. Camarda,
“Performance Analysis of the RPL Routing Protocol”, IEEE

View publication stats