See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/370770401

Resolving the Decreased Rank Attack in RPL’s IoT Networks

Conference Paper · May 2023

DOI: 10.1109/DCOSS-IoT58021.2023.00018

CITATIONS READS
0 64

5 authors, including:

Baraq Ghaleb Ahmed Yassin Al-Dubai

Edinburgh Napier University Edinburgh Napier University
49 PUBLICATIONS 763 CITATIONS 260 PUBLICATIONS 3,808 CITATIONS

SEE PROFILE SEE PROFILE

Amir Hussain Imed Romdhani

Edinburgh Napier University Edinburgh Napier University
694 PUBLICATIONS 19,678 CITATIONS 131 PUBLICATIONS 2,009 CITATIONS

SEE PROFILE SEE PROFILE

All content following this page was uploaded by Imed Romdhani on 12 September 2023.

The user has requested enhancement of the downloaded file.

 Resolving the Decreased Rank Attack in RPL’s
IoT Networks
B. Ghaleb, A. Al-Dubai Fellow, IEEE, A. Hussain, Senior Member, IEEE, J. Ahmad, Senior Member,
IEEE, I. I. Romdhani and Z. Jaroucheh

Abstract—The Routing Protocol for Low power and Lossy networks (RPL) has been developed by the Internet
Engineering Task Force (IETF) standardization body to serve as a part of the 6LoWPAN (IPv6 over Low-Power Wireless
Personal Area Networks) standard, a core communication technology for the Internet of Things (IoT) networks. RPL
organizes its network in the form of a tree-like structure where a node is configured as the root of the tree while others
integrate themselves into that structure based on their relative distance from the root. A value called the Rank is used
in RPL's networks to define each node’s relative position and it is used by other nodes to take their routing decisions.
A malicious node can illegitimately claim a closer position to the root by advertising a lower rank value trapping other
nodes to forward their traffic through that malicious node. In this study, we show how this behavior can have a
detrimental side effect on the network via extensive simulations and propose a new secure objective function to
prevent such an attack.

Index Terms— Internet of Things (IoT), IoT Security, RPL Standard, and Decreased Rank Attack

I. Introduction rank based on a specific objective function and the rank of its
R ECENTLY the Low-power and Lossy Networks (LLNs), a
collection of interconnected tiny sensor nodes, have been
preferred next hop (parent) to the root which is then
communicated to immediate neighbor to calculate in turn their
ranks. A node receiving multiple rank values from multiple
considered one of the key enabling blocks of the ever-growing neighbors should opt to select the neighbors with the lowest
Internet of Things paradigm [1], [2]. Communication between rank value as its preferred parent. Hence, the rank property can
LLNs devices is subject to restrictions on the performance of as be exploited by a malicious actor, internal or external, to
they utilize limited resources in relation to memory footprint, announce a fake lower value of the rank compared to other
processing, and power [1]. To cater for such limited resources, nodes in the network so trapping such nodes into selecting the
the Internet Engineering Task Force (IETF) has specified the attacker as their preferred parent towards the root. Theoretically
IPv6 Routing Protocol for LLNs (RPL) [3] as the routing and as reported in the literature, this attack should not be
standard for such networks. Indeed, and since it was a proposal, damaging as the perceived impact would be limited to building
the RPL’s security aspects have been analyzed by several a partially sub-optimized topology where the traffic is
research efforts reporting the existence of multiple security forwarded via a fake optimal path. However, the Decreased
attacks that need to be addressed to facilitate the adoption of the Rank attack can be combined with other attacks to further
protocol in a wide range of applications [4][5]. damage the network including for instance selective forwarding
RPL proposes optional cryptography modes to secure its or Balckhole attacks which can now be made more effective as
communication aiming to provide communication integrity, the attacker is locating itself in a more strategic position where
confidentiality, and authenticity among other security it receives all traffic from neighboring nodes [8][9].
provisions, however, the LLNs devices are not usually tamper- In this study, the RPL Decreased Rank attack is evaluated,
resistant so malicious actors can still easily get control of them and a Secure Objective Function (Sec-OF) is proposed. Unlike
and extract their security primitives to mount several types of most research studies targeting such an attack, the primary aim
attacks. In addition, implementing security modes of RPL can here is not to detect the existence of the attack or identify the
greatly degrade the network performance as many of these attacker. It is rather to prevent a malicious actor from mounting
security primitives, such as digital signatures and encryption, the attack in the first place.
are power-hungry and require an abundant of processing and The rest of the paper is organized as follows. Section II
storage resources that cannot be met by such resource- briefly reviews the basic operations of RPL protocol and its
constrained devices [6] [7]. While some of the attacks against security issues highlighting the rank attack. An overview of
RPL are already well-studied in the literature as they are related work around the decreased rank attack is provided in
inherited from Wireless Sensor Networks (WSNs) such as the Section III. The analysis of the rank attack and our proposed
blackhole attack which drops received packets or delay them, mechanism is presented in Section IV, followed by the
some others are unique to RPL and have not yet well-studied performance evaluation in Section V. Finally, the conclusion
[8] [9]. and future work are reported in Section VI.
The Decreased Rank Attack is one of these attacks unique to
the RPL standard. The Rank is a property in RPL which II. BASIC RPL CONCEPTS AND OPERATIONS
relatively represents the path quality to the Destination- RPL [3] is an IPv6 proactive distance-vector routing protocol
Oriented Directed Acyclic Graph (DODAG) root based on designed by the IETF community specifically to fulfill the
routing decisions are made. Each RPL's node calculates its own unique requirements of a wide range of Low-power and Lossy

XXXX-XXXX © XXXX IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Networks IoT (LLNs) applications. It organizes its physical that candidate parent, routing information advertised; (3) setup
network into a form of DODAGs where each DODAG is rooted its default route (preferred parent); and (4) update the received
at a single destination, referred to as the LBR (LLNs Border DIO with its own rank and multicast it to other neighboring
Router) [3][5]. The term “upward routes” is used to refer to nodes, enabling them, in turn, to perform the previous
routes that carry the traffic from normal nodes to the root (i.e., operations [3][4].
LBR) whereas routes that carry the traffic from the DODAG
A. The Rank Decreased Attack
root to other nodes are called the downward routes [3]. The term
Objective Function (OF) is used to describe the set of rules and The RPL routing standard is vulnerable to a wide range of
policies that governs the process of route selection and attacks, which can be roughly categorized into three classes
optimization, in a way that meets the different requirements of [12] [13]. In the first class, the attackers aim to deplete network
various IoT applications [3]. In technical terms, the objective constrained resources such as power, bandwidth, and memory.
function is used for two primary goals: first, it specifies how For instance, an attack targeting the energy resources can be
one or more routing metrics, such as energy or latency, can be particularly damaging as it can greatly shorten the network
converted into a Rank, a value that reflects the node’s relative lifetime and indirectly damage the network's reliability. In the
position in the network; second, it defines how the Rank should second class, the attackers target the network topology usually
be used for selecting the next hop (preferred parent) to the by forcing the protocol to build sub-optimized topology or
DODAG root. Currently, two objective functions have been isolating some nodes from communicating with the rest of the
standardized for RPL namely, the Objective Function Zero network. In the third class, the attackers target the traffic of the
(OF0) [10] and the Minimum Rank with Hysteresis Objective network through traditional traffic analysis or eavesdropping
Function (MRHOF) [11]. attacks with the main aim to gather information that can help in
The OF0 is designed to select the nearest next hop to the launching the previous two classes.
DODAG root with no attempt to perform any load balancing. The Decreased Rank attack belongs to the second class, and
The Rank of a node is calculated by adding a strictly positive it is one of the most serious attacks that could mounted against
scalar value (rank-increase) to the Rank of a selected preferred the RPL protocol within the IoT 6LowPAN communication
parent utilizing a specific routing metric such as hop count or standard [8]. As mentioned earlier, the Rank property plays a
the expected transmission cost (ETX). For the parent selection, crucial role in building and optimizing the routing paths in
a node running OF0 always considers the parent with the least RPL's networks and under both standardised objectives
possible rank as its preferred parent. OF0 considers also functions (i.e., OF0, MRHOF), a node with a lower rank would
selecting another parent as a backup in case the connectivity always be preferred to take upon the next hop role towards the
with its preferred parent is lost. Unlike OF0, the MRHOF is DODAG root. In addition to optimizing the network topology,
designed to prevent excessive churn (i.e., frequent parent the rank property plays a fundamental role in building a loop-
change due to lower rank values) in the network topology and free topology In the Decreased Rank attack, a malicious actor
a node will not always replace change its current preferred illegitimately manipulates the rank property and broadcast to its
parent to a parent with a lower rank value unless a significant neighboring nodes a DIO (DODAG Information Object) with a
change in the cost has been discovered (i.e., the Rank has fake decreased rank value. This may trigger the targeted nodes
changed by more than a pre-defined threshold called the to change their preferred parents and select the attacker as their
Hysteresis value). next hop to the root.
To facilitate the upward traffic pattern, a DODAG topology A successful attack can have a devastating impact on the
network topology with major issues include: (i) non-optimized
centered at the network root must be constructed. In such a
route formation, (ii) and routing loop creation. The immediate
topology, each non-root node willing to participate in upward outcome of that is damaging the reliability of the network as
communication must select one of its neighbors to act as that traffic now is not forwarded through optimal routes so packet
node default route (DODAG parent) towards the root [3]. The delivery ratio may be decreased, and latency is increased which
construction of the DODAG starts with the root multi-casting is worsened by the likely formation of loops. In addition, the
control messages called DODAG Information Objects (DIOs) formation of loops would trigger RPL's repair mechanisms
to its RPLs neighbors. The DIOs carry the necessary routing which requires the protocol to speed up control messages
information and configuration parameters required to build the transmission (i.e., DIOs) in a useless attempt to fix the created
DODAG including the rank property [3] [4]. An RPL node loops. Indeed, this only has the effect of depleting network
receiving a multicast DIO message will: (1) add the sender limited resources with more energy consumption and less
address to its candidate parent set; (2) calculate its distance bandwidth available for the data plane traffic exacerbating
further the issue of decreased reliability and increased latency.
(rank) with respect to the DODAG root based on the rank of
initialization which are then hashed and advertised to the
III. RELATED WORK network for verification at predetermined periods. Each node is
The concepts of rank threshold and hash chain authentication then monitored by its own parent for any deviation from
have been used in [14] to mitigate several IoT attacks including expected values of the rank based on the advertised thresholds.
the rank decreased attack carried out by an internal attacker. The simulation results conducted under a simulated network is
The proposed scheme dictates that each node should calculate shown to have limited the impact of the attack. However,
its own rank, and its decrease rank threshold node upon several parameters are introduced in the calculation of the

XXXX-XXXX © XXXX IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
threshold value requiring some fields to be added into the decreased its rank value. The final phase is used to detect the
control messages exchanged, thus, increasing the overhead. In version number attack. Results conducted by means of
addition, the cryptography primitives used in the proposed may simulations showed that the proposed mechanism can mitigate
adversely affect the limited energy resources of the nodes in the reported attacks. However, the approach requires
such networks. timestamps to be added to the exchanged messages adding
A Machine Learning (ML)-based anomaly rank attack some sort of overhead.
detection solution is proposed in [15] utilizing Support Vector Another framework named SVELTE is proposed in [20] for
Machines (SVMs). The developed Intrusion Detection Systems detecting routing attacks of the RPL protocol under the
(IDS) is chosen to be deployed centrally on the border router as 6LowPAN standard (e.g., as selective-forwarding, and
limited-resources normal nodes cannot tolerate the expensive sinkhole). SVELTE employs a hybrid approach for intrusion
operation of such a system. However, no details are provided detection where some modules are placed on the border router
on how the model is trained. Moreover, the tuning parameters while some others are hosted on the constrained nodes of the
in this study are vague and not clearly outlined. RPL network. The framework was then evaluated by means of
A second ML-based rank attack detection method is Contiki operating system and Cooja with a maximum number
developed in [17] utilizing Multi-Layer Perceptron (MLP) of nodes of 32. The proposed framework was shown to have a
neural network. The operation of the proposed solution is good capacity in detecting the respective attacks while not
divided into three stages. In the first stage, the rank attack is resulting in significant increase in the overhead in terms of
simulated using Cooja with the results saved in pcap file. The energy consumption or memory footprint. One of the noticeable
pcap file is then converted in the second stage to CSV file where issues of SEVELTE is the unclarity regarding how to set the
the data is extracted, filtered, and converted to readable data. threshold value that governs the process of classifying nodes
The MLP algorithm is applied in the third stage to detect the into malicious nodes in addition to that it only detects the
attack. The proposed IDS was showing to be effective in existence of the attack rather than preventing it.
detecting the attack, however, the study aims at detecting the The authors in [21] claimed that the existing IDSs consume
attack rather than to prevent it too much resources, thus, they developed a sink-based intrusion
The study in [16] proposes a new technique to detect and detection system to address the sinkhole attacks in 6LoWPAN
mitigate the impact of the rank decreased attack. The new networks. The process starts by having each node
technique utilizes two parameters to select the best parent; the communicating to the sink some information including its IP
rank value and a newly introduced metric called the path metric address, preferred parent IP address, and rank encrypted with a
which seems to reflect a node's position in terms of number of key. The sink then compares the node's current rank to its
hops. Once a node announces a new decreased rank, the new previous rank and any node with a difference greater than a
method compares it to the multiplication of a pre-determined specific threshold is considered malicious. NS2 was used to
value (e.g., 10) and the path metric and if they are not found evaluate the proposed and is claimed to show better detection
similar, the message is considered malicious. A noticeable issue capacity with less overhead. However, it is unclear why the
with this new method is that a non-malicious node could be messages were encrypted. In addition, the nodes are
classified as malicious. communicating a bunch of information to the sink raising the
A security mechanism for detecting the Rank attack is concern of significant overhead introduced especially if the
introduced in [18] based on the threshold concept. ThRankmin network has a high churn (i.e., continues change of the preferred
and ThRankmax (Minimum and Maximum Ranks thresholds) parent).
are calculated by the proposed mechanism based on the values A hybrid anomaly-based and specification-based IDS was
of ranks advertised by neighboring nodes. For instance, developed in [4] for detecting the selective forwarding and
ThRankmin is calculated by taking the mean of neighboring sinkhole attacks in 6LoWPAN networks. The proposed
ranks and subtracting a fixed value (a value between 0 and 1 framework deploys specification-based agents in the router
multiplied by the mean) from that mean. The authors chose to nodes to analyze the behavior of such nodes and send the results
set the fixed value that is multiplied by the mean. While this a to the sink node. The received results at the sink node are then
technique that aims to prevent the occurrence of the attack, it analyzed further using an anomaly-based agent based on the
might be hard for a specific configuration to accurately find the distributed MapReduce architecture to detect any malicious
optimal settings of the fixed value. nodes. It was shown that the developed model achieved
Another security mechanism called SRPL-RP is presented in promising classification accuracy in comparison to other
[19] to detect and isolate malicious nodes that mount both the approaches in literature. However, such hybrid systems may
rank and version number attacks. The operation of the proposed introduce a significant overhead to the resource constrained
mechanism is divided into five phases. In the first phase, devices and may not suit real-time systems.
timestamps are used to judge the legitimacy and the freshness
of received DIOs. In the second phase, a monitoring table is IV. THE PROPOSED SECURE OBJECTIVE FUNCTION
created to maintain a list of parameters including the nodes' IDs
To address the Rank Decreased attack in RPL, a simple, but
upon creating the DODAG and a node is considered malicious
effective secure-oriented objective function has been proposed,
if it is ID is not in the list. In the third and four phases, the rank
named Secure Objective function (Sec-OF) with the basic idea
values are used to detect whether a node has illegitimately
is to restrict the ability of a node to change to a new parent with
a better rank if that parent did not satisfy some rules. The node has already a preferred parent a, and a better
operation time of the network is divided into two modes; candidate parent a' in terms of Rank becomes
normal and restricted and the network should alternate between available, then the node should switch to the new
the two modes of operations during its lifetime as follows: candidate parent if:
1. Normal Mode: This is a short mode in which the network
assumes that the risk of the rank attack is at its minimum, 𝑅𝑎𝑛𝑘(𝑎′) < 𝑅𝑎𝑛𝑘 (𝑎) − 𝛼 4
for instance, upon the initialization of the network. Hence,
the protocol calculates the rank values and selects preferred Where α is a threshold value to reduce preferred parent
parents as follows: switches in response to small rank changes so enhancing the
o The root node (LBR) initializes the network by stability of the network. Note that this step is similar to the
multicasting DIOs using Trickle timer in which it parent selection method in the RPL standardised Minimum
includes the routing metric to be used (e.g., initial Rank with Hysteresis Objective Function (MRHOF).
ETX and Hop Count), and its own Rank alongside 2. Restricted mode: This is a long mode in which the
other network parameters. network assumes that there is a higher risk of the rank
o A node x receiving the multicast DIO selects the decreased attack. This mode would start immediately after
LBR as its preferred parent p and proceeds into the normal mode, and it carries almost the same steps of
calculating its hop distance from the LBR and its the normal mode when calculating the ranks and selecting
own Rank value based on ETX link metric as in the preferred parent among a set of candidates.
Eq. (1) and (2), and in turns multicasts its own Specifically, the restricted mode implements Eq. (2) to
DIO to its neighboring nodes. calculate the rank of a node, however, it did not update the
hop information. The rationale behind that is the fact that
ℎ(𝑥) = ℎ(𝑝) + 1 1 RPL networks are stationary networks in most
deployments so it is highly likely that a change in the hop
𝑅𝑎𝑛𝑘(𝑥) = 𝑅𝑎𝑛𝑘 (𝑝) + 𝐸𝑇𝑋 (𝑥, 𝑝(𝑥)) 2 count of an already known candidate parent can only be a
result of malicious behavior. It is worth noting that the most
where h(x) is the hop count of node x and h(p) is the hop restrictive implementation of the proposed secure objective
count of the parent node which is initialized to zero for the LBR. function would allow only for one instance of the normal
Similarly, Rank(x) is the rank of node x, and Rank(p) is the rank mode during the lifetime of the network which is at the
of the parent node. ETX (x, p(x)) is the link quality indicator network initialization time. The switch from a current
between node x and its candidate parent p(x) and it represents parent a to a better candidate parent a' in the restricted
the number of transmissions a node expects to send to a parent mode should only occur among nodes located at the same
to successfully deliver a packet as defined in Eq. (3). In Contiki hop distance from the LBR and should satisfy the condition
implementation of RPL, a node assigns a value between 1 and in Eq. (5).
5 to indicate the quality of the link on each packet transmission
where the numbers (i.e., 1 to 5) represent how many 𝑅𝑎𝑛𝑘(𝑎′ ) < 𝑅𝑎𝑛𝑘(𝑎) − α AND ℎ(𝑎′ ) ≤ ℎ(𝑎) 5
transmissions are done before an acknowledgement is received
from a neighbor. For instance, if the node receives an ACK from
V. PERFORMANCE EVALUATION AND DISCUSSION
a neighbor after one transmission, the EXT is assigned a value
of 1 for the link between that node and that neighbor and so on. To evaluate the effect of the rank decreased attack on the
An average value is then calculated, Eq. (3), for all transmitted efficiency of the network and the performance of our proposed
packets using the Exponentially Weighted Moving Average mechanism in mitigating that attack, we have conducted a set
(EWMA) filter, making it robust to abrupt fluctuations in link of experiments using Contiki, a lightweight and open-source
quality. Contiki RPL implementation sets the default values operating system designed specifically for low-power resource-
for the LBR Rank to 256 which is adopted in this study. constrained IoT networks [17]. Contiki features a highly
optimized networking stack including several IoT standards
𝑛𝑒𝑤𝐸𝑇𝑋(𝑥, 𝑝𝑥) = (𝑜𝑙𝑑𝐸𝑇𝑋(𝑥, 𝑝𝑥) ∗ 𝛽
such as Constrained Application Protocol (CoAP), UDP,
+ 𝑝𝑎𝑐𝑘𝑒𝑡𝐸𝑇𝑋(𝑥, 𝑝𝑥) ∗ (𝑆𝑐𝑎𝑙𝑒 3
− 𝛽)) / 𝑆𝑐𝑎𝑙𝑒 6LoWPAN and IPv6 on the top of implementing the RPL
standard fundamental mechanisms. To emulate the exact binary
where oldETX(x, px) is the current value of the ETX, β and code that runs on real sensor devices, Cooja [18], a cross-level
Scale are EWMA constants, and packetETX(x, px) is the ETX simulator for Contiki, was used to carry out the simulation
of the last packet transmitted to the neighbor node p. experiments. Cooja incorporates an internal hardware emulator
o A node receiving DIOs from multiple other nodes called MSPsim [19], which is used in our simulations to impose
should create a parent candidate set Pk from its hardware constraints of the Tmote Sky platform, an MSP430-
neighbors and should consider switching to a better
based board with an ultra-low power IEEE 802.15.4 compliant
parent when available. If it is the first time a node
selects its preferred parent, it should be chosen as CC2420 radio chip. We used the Unit Disk Graph Radio
the parent with the minimum Rank as in Eq. 4. If a Medium (UDGM) radio protocol, the CSMA/CA protocol at
the MAC layer and the ContikiMAC as a radio duty cycling
(RDC) protocol.
The ContikiRPL library was altered to implement the
Decreased Rank attack. In particular, we implemented the
attack by means of a malicious node programmed to launch the
attack by announcing a rank of 257 in the second minute after
initializing the network. At the application layer, we simulated
a periodic data collection application where each node transmits
one packet to the sink every 60 seconds (the actual transmission
time is randomly chosen within the 60 seconds period). We
have considered in our simulations both uniform and random
distribution where nodes are spread in a square area of 100m
x100m. All nodes are static including the attacker and the
DODAG root, which is located within the deployment area.
Fig. 1. Level 1: The attacker node 25 is in the immediate range of the
In the first set of experiments, we compare the performance root (node 1).
of the two standardized objective functions (i.e., OF0 and
MRHOF) in terms of reliability (Packet Delivery ratio - PDR)
and power consumption with the proposed Sec-OF under
various physical loss rates varying the physical link loss rate
between 0% and 50%. The 0% loss rate means that the network
is lossless and as a result does not experience any loss due to
signal fading. However, the loss may still occur due to other
factors such as hidden terminals and collisions. The simulation
conditions under 0% loss will allow us to carry out experiments
under near to prefect scenarios so focusing on the particulars of
the evaluated protocols rather than on how they may be affected
by the presence of loss. A group of 51 nodes, including one sink
(Node 1), one attacker, and other 49 normal nodes is used in the
first set of experiments. To investigate how the location might
affect the severity of the attack, we simulated three different
scenarios for the attacker in relation to the DODOAG root as
Fig. 2. Level 2: The attacker node 7 is not in the immediate range of
follows: the root (node 1), however it is in the range of some of the root
• Level 1: we placed the attacker in the range of the DODAG neighbours.
root (one hop away from the root), depicted in Fig. 2
(attacker node 37).
• Level 2: we placed the attacker two hops away from the
DODAG root, so it is in the range of at least one immediate
neighbor of the root, but not in the range of the root,
depicted in Fig. 3 (attacker node 7).
• Level 3: we placed the attacker three hops away from the
DODAG root, so it is neither in the range of the root nor in
the range of one of its immediate neighbours, depicted in
Fig. 4 (attacker node 7).
In all scenarios, we seek to evaluate three cases: i) whether
the attack is successful (i.e., nodes switched their preferred
parents to the attacker node), ii) whether power consumption
and PDR are affected, and iii) the extent to which performance
Fig. 3. Level 3: The attacker node 22 is neither in the range of the root
metrics affected. Table 1 shows a summary of the results of the nor in the range of one of its immediate neighbours
first two cases under the three OFs.
 TABLE 1. SUMMARY OF THE RESULTS UNDER SIMULATED SCENARIOS IN A 2 Sec-OF MRHOF OF0
LOSSLESS NETWORK. RESULTS IN LOSSY NETWORKS ARE SIMILAR SO 1.8
NOT SHOWN FOR BREVITY 1.6
OF Attack Successful Power Consumption and PDR Affected
1.4

Packet Delivery Ratio (PDR)

OF0 Level 1 Yes, partially NO
OF0 Level 2 Yes NO 1.2

OF0 Level 3 Yes Yes 1

MRHOF Level 1 Yes, partially NO 0.8
MRHOF Level 2 Yes NO 0.6
MRHOF Level 3 Yes Yes 0.4
OF-Sec (all
NO NO 0.2
levels)
0
0 2 4 6 8 10 12 14 16 18 20
Table 1 shows that the attack was not successful under the Time (minutes)

proposed objective function regardless of the position of the Fig. 4. The Power consumption under the three OFs (Level 3) in a
lossless network. Level 1 and Level 2 attacks are not shown as they do
attacker node while it was successful under both standardized not impact the PDR or the power consumption
OFs where the attacker is located at Level 2 or Level 3 and
partially successful where the attacker is located at Level 1. The 110
Sec-OF MRHOF OF0
partially successful attack (some nodes selected the attacker as 100

Packet Delivery Ratio (PDR)

their parents) can be easily explained by the fact that the 90
80
attacker’s announced rank is greater than that of the root so only 70
nodes which are not in the range of the root have been affected. 60
However, it was not obvious from looking at the general 50
results why the attacker has affected the power consumption 40
30
and the PDR when located at Level 3 but not when located at
20
Level 1 or Level 2 under standardized OFs. Further 0 2 4 6 8 10 12 14 16 18 20
investigation into this phenomenon has allowed us to uncover Time (minutes)
the source of the problem. In RPL networks, an extension
Fig. 5. The PDR under the three OFs (Level 3) in a lossless network.
header option “RPL Option” is used to indicate the direction of Level 1 and Level 2 attacks are not shown as they do not impact the
the packet using a flag named the Down ‘O’ flag. Hence, a PDR or the power consumption
packet sent by a child node to its parent should not set the Down Indeed, this was surprising to some extent as it was not
flag indicating that the packet is heading upward and vice versa. expected that the attack would significantly affect the power
DAG inconsistency is detected when a RPL node receives a consumption or the PDR. In fact, the Decreased Rank attack is
packet with the Down ‘O’ bit set from a node with a higher rank supposed to be accompanied by other types of attacks to have
(child node) and vice-versa. This case is controlled by another an effect such as selective forwarding or blackhole attacks.
flag named the Rank-Error ‘R’ bit. When an inconsistency is Although the attack is expected to create some loops, these
detected by a node, two scenarios are possible: i) if the Rank- loops are also expected to be short-lived and the local repair of
Error flag is not set, the forwarder node sets that flag and the RPL should come into effect and resolve such loops. However,
packet is forwarded or, ii) if the ‘R’ bit is already set, the node the reality is different and RPL under both OFs shows no
discards the packet and the timer is reset and, DIO control capacity in resolving the created loops entering a vicious cycle
messages are sent more frequently. that isolated the nodes in the range of the attacker from the rest
In fact, when the attacker is located one or two hops away of the network. This is confirmed by investigating the
from the root (level 1 and or level 2), there is no chance such an individual PDRs of nodes where it was found that such nodes
inconsistency could be marked by a forwarder node. In fact, the did not manage to deliver any data-plane messages to the LBR
first forwarder node that can set the ‘R’ bit is the DODAG root from the moment the attack was launched. Investigating further
itself which would only mark the packet as received this phenomenon, it was found that the created loops have led
successfully. For the level of the impact on power consumption indirectly into a mismatch between the direction of data packets
and PDR (the third case), Fig. 5 and Fig. 6 show the effect of transmitted and child-parent relationships among nodes
the attack under the evaluated OFs (Level 3) in a lossless creating a case named "DODAG inconsistency". As explained
network in terms of power consumption and PDR respectively. earlier, in RPL, a packet should always travel upward if it is
It is clear from the figure that under normal operations of RPL sent from a child to its parent and vice versa otherwise. This is
(the attack has not started) that the three OFs have comparable enforced by setting some flags in the data packet transmitted
power consumption profiles and did not experience any packet and packets violating such rules are dropped according to RPL
losses and the PDR stands at around 100%. However, things specification, a scenario that explains the unexpected data
started to look different after launching the attack (minute 2) packet loss.
where power consumption of both standardised OFs (Level 3) An interesting point is the extent to which nodes have been
started to steadily increase over time and the PDR drops. The affected by the attack in relation to the power consumption.
power consumption and the PDR of the proposed Sec-OF While only nodes in the immediate range of the attacker were
remains stable during the simulation time. affected pertinent to the PDR, the effect pertinent to the power
consumption was more evident with several nodes other than
those immediate neighbours showing significant higher power attack may significantly affect the performance of the network
consumption rates. To clearly demonstrate this case, we have pertaining to power consumption and PDR. The study reveals
rerun the simulation on a smaller network composed of 11 an interesting fact regarding the attack and its effect that were
nodes as depicted in Fig. 7 in which the attacker node has not reported in the literature previously. In particular, the study
communication links with the last level of nodes (i.e., 8, 9 and shows that the attack can be mounted easily without showing
10). any effect by placing the attacker one or two hops away from
the root. This is interesting as it can complicate the attack
detection mechanisms that rely on network profiling so making
the attack undetectable. Considering this fact, we proposed a
new secure objective function, named the Secure Objective
function (Sec-OF) that aims at preventing the attack from being
launched in the first place. The results reported have shown the
feasibility of the proposed solution in addressing the attack. It
is worth noting, however, that the proposed objective function
is only applicable in stationary networks and further research
efforts are needed to address the decreased rank under mobile
scenarios.

ACKNOWLEDGMENT
Fig. 6. A representative RPL topology used for the smaller network
This work was supported by Edinburgh Napier University
Table 2 shows the individual power consumption profiles of Research Starter Grants.
nodes under the evaluated OFs.
REFERENCES
TABLE 2. POWER CONSUMPTION PROFILES OF INDIVIDUAL NODES.
Node ID OF0 MRHOF Sec-OF [1] J. W. Hui and D. E. Culler, "Extending IP to Low-Power, Wireless
Personal Area Networks," in IEEE Internet Computing, vol. 12, no. 4, pp.
2 1.11 1.12 1.13
37-45, July-Aug. 2008.
3 1.15 1.06 1.01 [2] J. Hui, P. Thubert, "RFC 6282 Internet Engineering Task Force RFC
4 1.14 1.05 1.08 6282", Compression Format for IPv6 Datagrams over IEEE 802.15.4-
5 1.92 1.57 1.19 Based Networks, September 2011.
[3] T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, K. Pister, R. Struik,
6 1.98 1.73 1.03
J. P. Vasseur, R. Alexander, "RPL: IPv6 routing protocol for low-power
7 2.28 1.71 1.05 and lossy networks", RFC6550, Mar. 2012.
8 2.99 3.25 0.99 [4] A. Dvir, T. Holczer and L. Buttyan, "VeRA - Version Number and Rank
9 3.94 3.01 1.01 Authentication in RPL," 2011 IEEE Eighth International Conference on
Mobile Ad-Hoc and Sensor Systems, Valencia, 2011, pp. 709-714.
10 4.12 2.85 0.98 [5] L. Wallgren, S. Raza, and T. Voigt, “Routing attacks and countermeasures
in the rpl-based internet of things,” International Journal of Distributed
Investigating further the source behind the unexpected poor Sensor Networks, vol. 9, 2013.
performance of the network in terms of power consumption, it [6] B. Ghaleb, A. Al-Dubai, E. Ekonomou, M. Qasem, I. Romdhani and L.
Mackenzie, "Addressing the DAO Insider Attack in RPL’s Internet of
was found that three cases have contributed to that. In the first Things Networks," in IEEE Communications Letters, vol. 23, no. 1, pp.
case, the nodes in the range of the attacker were found to reset 68-71, Jan. 2019.
their Trickle timers as a result of changing the parent node [7] P. Perazzo, C. Vallati, G. Anastasi and G. Dini, "DIO Suppression Attack
Against Routing in the Internet of Things," in IEEE Communications
throughout the simulation time. The continues change of parent Letters, vol. 21, no. 11, pp. 2524-2527, Nov. 2017.
nodes indicates that the attack destabilized the network through [8] A. O. Bang and U. P. Rao, “EMBOF-RPL: Improved RPL for early
creating loops. In the second case, the created loops forced detection and isolation of rank attack in RPL-based internet of things,”
Peer-to-Peer Networking and Applications, vol. 15, no. 1. Springer
nodes to announce a rank of infinite in an endless attempt of Science and Business Media LLC, pp. 642–665, Jan. 2022.
detaching from the DAG and then rejoin. Indeed, announcing [9] A. Le, J. Loo, A. Lasebae, A. Vinel, Y. Chen and M. Chai, "The Impact
the infinite rank to detach and to rejoin requires the nodes to of Rank Attack on Network Topology of Routing Protocol for Low-Power
and Lossy Networks," in IEEE Sensors Journal, vol. 13, no. 10, pp. 3685-
reset their Trickle timers to quickly resolve such a case so 3692, Oct. 2013.
further worsening the energy consumption. In the third case, it [10] P. Thubert, “Objective Function Zero for the Routing Protocol for
was found that the decreased rank attack has led indirectly into LowPower and Lossy Networks (RPL),” IETF RFC 6552, Mar. 2012.
some sort of DAG inconsistency in relation to the data-plane [11] O. Gnawali and P. Levis, “The Minimum Rank with Hysteresis Objective
Function”, IETF RFC 6719, Sep. 2012.
traffic as explained early which contributed to both the higher [12] T. A. Al-Amiedy, M. Anbar, B. Belaton, A. H. H. Kabla, I. H. Hasbullah,
energy consummation and the lower delivery ratio of the and Z. R. Alashhab, “A Systematic Literature Review on Machine and
standardized OFs. Deep Learning Approaches for Detecting Attacks in RPL-Based
6LoWPAN of Internet of Things,” Sensors, vol. 22, no. 9. MDPI AG, p.
3400, Apr. 29, 2022.
VI. CONCLUSION [13] A. Raoof, A. Matrawy and C. -H. Lung, "Routing Attacks and Mitigation
Methods for RPL-Based Internet of Things," in IEEE Communications
In this study, an analysis of the Decreased Rank in RPL IoT Surveys & Tutorials, vol. 21, no. 2, pp. 1582-1606, Secondquarter 2019.
networks has been carried out. We have shown how such an
[14] G. Glissa, A. Rachedi and A. Meddeb, "A Secure Routing Protocol Based
on RPL for Internet of Things," 2016 IEEE Global Communications
Conference (GLOBECOM), 2016, pp. 1-7.
[15] A. M. Said, A. Yahyaoui, F. Yaakoubi, and T. Abdellatif, “Machine
Learning Based Rank Attack Detection for Smart Hospital
Infrastructure,” Lecture Notes in Computer Science. Springer
International Publishing, pp. 28–40, 2020.
[16] A. Verma and V. Ranga, "Security of RPL Based 6LoWPAN Networks
in the Internet of Things: A Review," in IEEE Sensors Journal, vol. 20,
no. 11, pp. 5666-5690, 1 June1, 2020.
[17] W. Choukri, H. Lamaazi and N. Benamar, "RPL rank attack detection
using Deep Learning," 2020 International Conference on Innovation and
Intelligence for Informatics, Computing and Technologies (3ICT), 2020.
[18] M. A. Boudouaia, A. Abouaissa, A. Ali‐Pacha, A. Benayache, and P.
Lorenz, “RPL rank based‐attack mitigation scheme in IoT environment,”
International Journal of Communication Systems, vol. 34, no. 13. Wiley,
Jul. 06, 2021.
[19] Z. A. Almusaylim, N. Jhanjhi, and A. Alhumam, “Detection and
Mitigation of RPL Rank and Version Number Attacks in the Internet of
Things: SRPL-RP,” Sensors, vol. 20, no. 21. MDPI AG, p. 5997, Oct. 22,
2020.
[20] S. Raza, L. Wallgren, and T. Voigt, “SVELTE: Real-time intrusion
detection in the Internet of Things,” Ad Hoc Networks, vol. 11, no. 8.
Elsevier BV, pp. 2661–2674, Nov. 2013.
[21] U. Shafique, A. Khan, A. Rehman, F. Bashir, and M. Alam, “Detection of
rank attack in routing protocol for Low Power and Lossy Networks,”
Annals of Telecommunications, vol. 73, no. 7–8. Springer Science and
Business Media LLC, pp. 429–438, May 16, 2018.
[22] H. Bostani and M. Sheikhan, “Hybrid of anomaly-based and
specification-based IDS for Internet of Things using unsupervised OPF
based on MapReduce approach,” Computer Communications, vol. 98.
Elsevier BV, pp. 52–71, Jan. 2017.

View publication stats