Addressing The DAO Insider Attack in RPL's Internet of Things Networks

This document discusses the DAO insider attack in RPL routing protocol and proposes a solution. It begins with an overview of RPL, explaining how it builds downward routes using DAO messages. A malicious insider node can exploit this by sending fake periodic DAOs, forcing parents to flood the network with unnecessary DAOs. This severely impacts performance by increasing latency, overhead, and energy consumption while reducing reliability. The proposed solution aims to mitigate these harmful effects of the DAO attack. It was evaluated through simulation and demonstrated success in restoring network efficiency.

IEEE COMMUNICATIONS LETTERS, VOL. XX, NO. X, MONTH 201X

Addressing the DAO Insider Attack in RPL's Internet of Things Networks

Baraq Ghaleb, Student Member, IEEE, Ahmed Al-Dubai, Senior Member, IEEE, Elias Ekonomou, Mamoun Qasem, Student Member, IEEE, Imed Romdhani, and Lewis Mackenzie, Member, IEEE

Manuscript received March 30, 2018; revised August 30, 2018; accepted October 12, 2018. Date of publication Month xx, xxxx; date of current version October 17, 2018. The associate editor coordinating the review of this paper and approving it for publication was B. Shihada. (Corresponding author: Ahmed Al-Dubai.)
B. Ghaleb, A. Al-Dubai, E. Ekonomou, M. Qasem and I. Romdhani are with the School of Computing, Edinburgh Napier University, Edinburgh, EH10 5DT, UK (e-mail: [email protected]; [email protected]; [email protected]; [email protected]; [email protected]).
L. Mackenzie is with the School of Computing Science, Glasgow, G12 8QQ, UK (e-mail: [email protected]).

Abstract—In the RPL routing protocol, the DAO (Destination Advertisement Object) control messages are announced by the child nodes to their parents to build downward routes. A malicious insider node can exploit this feature to send fake DAOs to its parents periodically, triggering those parents, in turn, to forward the fake messages upward to the root node. In this study, we show how this behavior can have a detrimental side effect on the performance of the network, increasing power consumption and latency and reducing reliability. To address this problem, a new scheme is introduced to mitigate significantly the effect of the DAO attack on network performance.

Index Terms—Internet of Things, Low-power and Lossy Networks, RPL Security, DAO Attack.

I. INTRODUCTION

RECENTLY the Low-power and Lossy Networks (LLNs), a collection of interconnected tiny sensor nodes, have been considered one of the key enabling blocks of the ever-growing Internet of Things paradigm [1][2]. Due to their scarce resources, the Internet Engineering Task Force (IETF) has specified the IPv6 Routing Protocol for LLN (RPL) [3] as the routing standard for such networks [3][4][5]. Since it was a proposal, RPL's security aspects have been analyzed by several research efforts reporting the existence of multiple security concerns that need to be addressed in order to facilitate the adoption of the protocol in a wide range of applications [6][7][8][9][10][11][12][13][14]. One of such security concerns is the DAO (Destination Advertisement Object) attack, where a compromised node sends periodic DAO messages to its parent nodes forcing them, in turn, to flood the network with DAO messages, an action that can severely harm energy efficiency, latency and reliability of the entire network. In fact, unlike other control-based attacks, DAO messages are transmitted in end-to-end fashion, from the sensor node toward the root (the details of the exact mechanisms are explained in Section II), so the level of damage is not restricted to the local scope of the attacker. Indeed, a DAO message sent by a child leaf node located on the edge of the network will trigger network-wide DAO transmissions because the DAO must be forwarded by every intermediate parent between that child and the network root, affecting network performance and consuming its resources [3][15]. To address this issue, a new simple, yet effective solution has been proposed in this article with the goal to mitigate the effect of the DAO insider attack on the performance of RPL's IoT networks. The acquired results, obtained by means of simulation experiments, have demonstrated the capacity of the proposed solution in mitigating the attack and almost restoring the perceived efficiency of RPL in terms of latency, overhead, energy consumption and packet delivery ratio.

The remainder of this paper is organized as follows. Section II gives a brief overview of the RPL protocol, highlighting its routing mechanism to build downward routes. Section III introduces a description of the DAO attack, analyzing its effect on the network. The proposed mitigation mechanism is introduced in Section IV. The detail of the protocol evaluation and discussion is in Section V, while Section VI concludes the paper and discusses future work.

II. RPL ROUTING PROTOCOL OVERVIEW

A. RPL Topology and Operations

RPL organizes its physical network into a form of Directed Acyclic Graphs (DAGs) where each DAG is rooted at a single destination and is referred to as a Destination-Oriented DAG (DODAG) in RPL's terms [3][4][5]. RPL uses the term upward routes to refer to routes that carry the traffic from normal nodes to the LBR, whereas routes that carry the traffic from the DODAG root to other nodes are called the downward routes [3].

To facilitate the upward traffic pattern, a DODAG topology centered at the network root must be constructed. In such a topology, each non-root node willing to participate in upward communication must select one of its neighbors to act as that node's default route (DODAG parent) towards the root [3]. The construction of the DODAG starts with the root multicasting control messages called DODAG Information Objects (DIOs) to its RPL neighbors. The DIOs carry the necessary routing information and configuration parameters required to build the DODAG [3][4]. An RPL node receiving a multicast DIO message will: (1) add the sender address to its candidate parent set; (2) calculate its distance (rank) with respect to the DODAG root based on the rank of that candidate parent and the routing information advertised; (3) set up its default route (preferred parent); and (4) update the received DIO with its own rank and multicast it to other neighboring nodes, enabling them, in turn, to perform the previous operations [3][4].

To enable bi-directional communication, downward routes also need to be constructed. This is achieved by deploying another type of ICMPv6 control message, namely, the Destination Advertisement Object (DAO). An RPL node willing to announce itself as a reachable destination from the root's point of view unicasts a DAO to its preferred parent advertising its own destination prefix. The processing of the received DAO by the parent relies on the current mode of operation advertised in the DIO messages. To this end, RPL has specified two modes for creating and maintaining downward routes, namely, storing (table-driven) and non-storing (source routing) [3][4].

In the storing mode, when a parent receives a DAO from one of its children, it: (a) stores the announced destination prefix locally
in its routing table along with the DAO sender address, as the next hop to reach that destination; and (b) forwards the received DAO, in turn, to its own preferred parent to ensure the propagation of the advertised destination upward to the DODAG root [3][4]. This process is repeated by each intermediate node until the DAO is finally received by the DODAG root.

In the non-storing mode of RPL, the same procedure is followed but a parent receiving a DAO does not store any routing state. Instead, it simply forwards the message to its own preferred parent until it is finally received by the DODAG root. Once the DODAG root receives the transmitted DAO, it records the source route of the intended destination for later use by the data plane [3][4].

III. THE DAO ATTACK

RPL uses DAO messages to build downward routes enabling bi-directional communication. The specification of RPL does not stipulate when and how often DAOs are transmitted. Thus, different implementations may opt to use different mechanisms to achieve this process. For instance, the study in [15] has opted to transmit DAOs periodically, whereas the Contiki RPL implementation [16] transmits the DAO based on the Trickle timers of DIOs. In Contiki RPL, a child node should unicast a DAO to its preferred parent on three occasions: 1) upon receiving a DIO from that parent; 2) upon changing its preferred parent; and 3) upon detecting some specific errors.

An interesting point in this context is that the transmission of a DAO message by a child node will trigger the transmission of multiple DAOs proportional to the number of intermediate parent nodes between that child and the DODAG root. An adversary can exploit this fact to harm the network by repeatedly and judiciously (to go undetected) transmitting DAOs to its parent node. A simple way to mount this attack is to replay an eavesdropped DAO from a legitimate node by an outsider, triggering DAO forwarding upward by the node's parents [14]. This kind of attack can be mitigated using security services provided by the underlying layers or RPL itself, such as MAC-layer encryption and the cryptographic challenge-response handshake [14]. However, these mechanisms will not be sufficient to counter an attack where the attacker is an insider or compromised node [14].

IV. THE PROPOSED SOLUTION

In order to address a DAO insider attack in RPL, a new mechanism has been proposed, named SecRPL, that restricts the number of DAOs forwarded by a parent. In fact, there are two options for how this restriction can be applied: the first is to restrict the entire number of forwarded DAOs regardless of the source node (i.e. the node that initiated the DAO); the second is to restrict the number of forwarded DAOs per destination. Here we opt to use the second option, as the first option would result in blocking some DAOs coming from non-attacker nodes, affecting negatively the quality of the downward paths. It may also result in DAOs of some nodes being blocked more than DAOs of some others. In particular, each parent node associates a counter with every child node in its sub-DODAG. When the number of forwarded DAOs for a child exceeds a pre-specified threshold, the parent discards any DAO message carrying the prefix of the respective child. To ensure that no node will be blocked due to the time factor, the counter is reset between each two consecutive DIOs. Specifically, when the parent node sends out a DIO message, the counters for all of its children are reset.

Algorithm 1: DAO Insider Attack Countermeasure

    procedure INITIALIZATION
        set DAO_For_MAX
    end procedure

    procedure DIO_TRANSMITTED
        for each child in Children list do
            child_DAO_Counter = 0
        end for
    end procedure

    procedure CHILD'S_DAO_RECEIVED
        if child_DAO_Counter < DAO_For_MAX then
            forward the child DAO
            child_DAO_Counter++
        else
            discard the child DAO
        end if
    end procedure

V. THE PERFORMANCE EVALUATION

To evaluate the effect of the DAO attack on the efficiency of the network and the performance of our proposed mechanism in mitigating that attack, we have conducted a set of experiments using Contiki (Contiki 3.0), a lightweight and open-source operating system designed specifically for low-power resource-constrained IoT devices [17]. Contiki features a highly optimized networking stack including several IoT standards such as CoAP, UDP, 6LoWPAN and IPv6. It also features implementations of the fundamental mechanisms of the RPL standard. Cooja [18], a cross-level simulator for Contiki, was used to carry out the simulation experiments, emulating the exact binary code that runs on real sensor devices. Cooja incorporates an internal hardware emulator called MSPsim [19], which is used in our simulations to emulate accurately (i.e. impose hardware constraints) the Tmote Sky platform, an MSP430-based board with an ultra-low power IEEE 802.15.4 compliant CC2420 radio chip. We used the Unit Disk Graph Radio Medium (UDGM) radio protocol, the CSMA/CA protocol at the MAC layer and ContikiMAC as the radio duty cycling (RDC) protocol. The ContikiRPL library was altered to implement the DAO attack on some nodes. In particular, we implemented the attack by means of malicious insider nodes programmed to transmit DAO messages to their preferred parents periodically at preconfigured fixed periods. A set of three malicious nodes running the DAO attack was used. At the application layer, we simulated a periodic data collection application where each node sends one packet to the sink every 60 seconds (the time of sending is randomly chosen within the 60 second period). The sink also sends a reply for each received packet to simulate the downward traffic. We have considered in our simulations a uniform distribution where 50 nodes are spread in a square area of 100m x 100m. All nodes are static including the DODAG root, which is located outside the square area at a distance of 10 meters. We have selected three nodes at the farthest edge from the root to act as malicious nodes to cover the majority of forwarding paths; this is what an attacker might think of to harm the network widely. The number of allowed DAOs forwarded by a parent per child (DAOMax threshold) is set to 10 for our proposed mechanism.
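As an added example, not code from the paper or from ContikiRPL, the following Python models the per-destination counter of Algorithm 1 (Section IV) on a chain of parents between a leaf and the DODAG root. The chain length, the two destination prefixes "attacker" and "legit", and the number of DAOs each sends per DIO interval are constructed inputs; it compares the unrestricted forwarding of InsecRPL with SecRPL at DAOMax = 10, and also shows the reliability trade-off of Section V.A, where a threshold below a legitimate child's own DAO rate drops that child's DAOs too.

```python
"""SecRPL-style per-destination DAO forwarding limit (illustrative model)."""
from collections import defaultdict


class DaoLimiter:
    """One RPL parent: a forwarded-DAO counter per advertised destination prefix.

    Counters are reset whenever this parent transmits a DIO (Algorithm 1,
    DIO_TRANSMITTED). With secure=False the parent forwards unconditionally,
    which models InsecRPL.
    """

    def __init__(self, dao_max, secure=True):
        self.dao_max = dao_max          # DAO_For_MAX / DAOMax threshold
        self.secure = secure
        self.counters = defaultdict(int)  # prefix -> DAOs forwarded since last DIO
        self.forwarded = 0
        self.discarded = 0

    def on_dio_transmitted(self):
        """Reset all per-child counters (parent just sent a DIO)."""
        self.counters.clear()

    def on_child_dao(self, prefix):
        """CHILD'S_DAO_RECEIVED: return True if the DAO is forwarded upward."""
        if not self.secure or self.counters[prefix] < self.dao_max:
            self.counters[prefix] += 1
            self.forwarded += 1
            return True
        self.discarded += 1
        return False


def simulate(path_len, dao_max, attacker_daos_per_dio, legit_daos_per_dio,
             dio_rounds, secure):
    """Drive a chain of `path_len` parents for `dio_rounds` DIO intervals.

    Constructed scenario: an attacker prefix and a legitimate prefix both sit
    below the first parent; every DAO must traverse all parents to reach the
    root, so one DAO costs `path_len` forwardings when nothing blocks it.
    """
    parents = [DaoLimiter(dao_max, secure) for _ in range(path_len)]
    root_received = defaultdict(int)
    for _ in range(dio_rounds):
        for p in parents:
            p.on_dio_transmitted()
        for prefix, count in (("attacker", attacker_daos_per_dio),
                              ("legit", legit_daos_per_dio)):
            for _ in range(count):
                # Walk the DAO hop by hop; a discard stops it at that parent.
                if all(p.on_child_dao(prefix) for p in parents):
                    root_received[prefix] += 1
    return {
        "forwarded": sum(p.forwarded for p in parents),
        "discarded": sum(p.discarded for p in parents),
        "root_received": dict(root_received),
    }


if __name__ == "__main__":
    common = dict(path_len=5, attacker_daos_per_dio=100,
                  legit_daos_per_dio=1, dio_rounds=3)
    print("InsecRPL:", simulate(dao_max=10, secure=False, **common))
    print("SecRPL  :", simulate(dao_max=10, secure=True, **common))
    # Threshold trade-off: legit child sends 12 DAOs per DIO interval.
    print("DAOMax=4:", simulate(path_len=5, dao_max=4, attacker_daos_per_dio=0,
                                legit_daos_per_dio=12, dio_rounds=1, secure=True))
```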
The rate in seconds at which the attacker sends DAO messages (attack interval) is varied between 0.25 and 10 seconds. For each scenario, five simulation experiments with different seeds were run in order to get statistically valid results. The graphs below show the mean values of the results and the error bars at the 95% confidence interval of the mean. The simulation time was selected to be 1800 virtual seconds for each experiment. The performance evaluation was based on the following metrics:

Number of DAOs Forwarded: the average number of forwarded DAOs sent by the parent nodes in the network.
Power Consumption (mW): the average power consumption at the network's nodes.
Packet Delivery Ratio in the upward direction (Upward PDR): the average ratio between the number of data packets sent out by the network nodes and the total number of data packets received at the root node.
Packet Delivery Ratio in the downward direction (Downward PDR): the average ratio between the number of packets received at the nodes and the total number of replies sent out by the root node.
The Upward Latency (seconds): the average end-to-end delay of all packets sent by the nodes and received successfully at the root.
The Downward Latency (seconds): the average end-to-end delay of all replies sent by the root and received at the nodes.

We have evaluated the performance of RPL, InsecRPL (i.e. RPL under DAO attack), and SecRPL (i.e. RPL under attack with our proposed mitigation mechanism) in terms of the previously mentioned metrics. Fig. 1 shows the average number of forwarded DAO messages per node under various attack intervals. The DAOMax threshold is set to 10 per destination. As can be observed in Fig. 1, both InsecRPL and SecRPL have registered a higher overhead in terms of forwarded DAOs compared to the reference model (RPL), which is proportional to the attack interval. However, Fig. 1 also shows that SecRPL has registered much less overhead compared to the insecure version, especially under heavy attack (attack interval of 250 milliseconds). This also holds true in the case of energy consumption as shown in Fig. 2, which can be attributed to the mechanism of restricting the number of DAOs that can be forwarded by a parent per destination. Indeed, Fig. 2 shows that InsecRPL has experienced a relatively high power consumption profile, which is closely related to the increase in the DAO overhead. In fact, the power consumption profile in ContikiOS is calculated by adding up four components: idle, listening, transmission and receiving. Hence, the increase in the number of DAOs forwarded increases the power consumed by the forwarder nodes (transmission and receiving components). In addition, it affects the listening time of a forwarder's children nodes (listening component), though they are not forwarders themselves, by forcing them to listen for longer periods due to the congestion at that forwarder node.

The upward and downward latencies of the compared protocols are illustrated in Fig. 3 and Fig. 4 respectively. Similarly, it is clear that the DAO attack has an adverse effect on the latency in both directions, which can be attributed again to the congestion induced by the attack at the forwarder nodes. In Figs. 5 and 6, we show the performance of the three protocols in terms of upward PDR and downward PDR respectively. The figures show that mounting the attack with a high attacking interval affects negatively both the upward and downward traffic patterns (i.e. under this topology; in fact, the effect of the attack may differ under different topologies or under different data traffic rates). This can be attributed mainly to the congestion incurred by the increase in the number of forwarded DAOs. This has been mitigated in the proposed solution, which registers PDRs comparable to that of the reference model.

Fig. 1: DAOs forwarding overhead under various attack intervals (x-axis: Frequency of attack (seconds), 0.25 to 10; y-axis: Number of DAO Forwarded; series: RPL, InsecRPL, SecRPL)

Fig. 2: Average power consumption under different attack intervals (x-axis: Frequency of attack (seconds); y-axis: Average Power Consumption (mW); series: RPL, InsecRPL, SecRPL)

Fig. 3: The upward latency under various attack intervals (x-axis: Frequency of attack (seconds); y-axis: Upward Latency (seconds); series: RPL, InsecRPL, SecRPL)

Fig. 4: The downward latency under various attack intervals (x-axis: Frequency of attack (seconds); y-axis: Downward Latency (seconds); series: RPL, InsecRPL, SecRPL)

A. The Effect of the Threshold Parameter (DAOMax)

Another point we study here is the effect of our mitigation mechanism on the reliability of networks in terms of packet delivery ratio. It is clear that setting the threshold value to a small number will minimize the energy consumption and control overhead but at the cost of reliability. This is illustrated in Figs. 5 and 6. Fig. 5 shows that setting the DAO threshold Max to a very small value reduces both the energy consumption and control traffic overhead.
However, as illustrated in Fig. 6, this results in a lower downward PDR for any threshold less than four, while the upward PDR is not affected. This indicates that setting the DAOMax to a small value negatively affects only the downward traffic. In fact, setting the DAOMax to a small value will prevent the intermediate parent nodes from forwarding some critical DAO messages necessary to build downward routes, thus explaining the lower downward PDR.

Fig. 5: The upward PDR under different attack rates (x-axis: Frequency of attack (seconds); y-axis: Upward PDR; series: RPL, InsecRPL, SecRPL)

Fig. 6: The downward PDR under different attack rates (x-axis: Frequency of attack (seconds); y-axis: Downward PDR; series: RPL, InsecRPL, SecRPL)

Fig. 7: Power consumption and control overhead under various thresholds (x-axis: DAO Threshold Max, 0 to 12; left y-axis: DAO Forwarded; right y-axis: Power Consumption (mW); series: DAO, Power)

Fig. 8: Downward and upward PDRs under various thresholds (x-axis: DAO Threshold Max, 0 to 12; y-axes: Upward PDR, Downward PDR; series: Up PDR, Down PDR)

VI. CONCLUSION

In this article, we have presented the DAO attack, which is triggered by having a malicious node send DAO control messages to its parent. This attack differs from other hello-based exploits (such as DIS and DIO attacks) since DAO messages are transmitted in end-to-end fashion (i.e. from the sensor node to the root). Thus, the level of damage is not restricted to the local scope of the attacker. In fact, a DAO message sent by a child node located on the edge of the network will trigger network-wide DAO transmissions since DAO messages are forwarded by every intermediate parent between that child and the DODAG root. In addition, this kind of attack can be mounted simply without the need to compromise security keys from legitimate nodes. We have shown how this attack may significantly harm the performance of the network, especially in terms of power consumption and reliability. Our experiments illustrate that DAO attacks significantly increase the control traffic overhead and power consumption while moderately affecting downward traffic reliability under the chosen assumptions. We have, further, proposed and assessed a mechanism to mitigate the effect of such an attack.

REFERENCES

[1] J. Hui and D. E. Culler, "Extending IP to Low-Power, Wireless Personal Area Networks," IEEE Internet Computing, vol. 12, no. 4, pp. 37-45, 2008.
[2] J. Hui and P. Thubert, "Compression Format for IPv6 Datagrams over IEEE 802.15.4-Based Networks," RFC 6282, September 2011.
[3] T. Winter, P. Thubert, A. Brandt, J. Hui, R. Kelsey, K. Pister, R. Struik, J. P. Vasseur, and R. Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks," RFC 6550, March 2012.
[4] T. Clausen, U. Herberg, and M. Philipp, "A critical evaluation of the IPv6 Routing Protocol for Low Power and Lossy Networks (RPL)," in Proc. IEEE International Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), Wuhan, 2011, pp. 365-372.
[5] IETF ROLL Working Group, "Charter for Working Group," [Online]. Available: https://datatracker.ietf.org/wg/roll/charter. [Accessed: 23 April 2018].
[6] A. Dvir, T. Holczer, and L. Buttyan, "VeRA - Version Number and Rank Authentication in RPL," in Proc. 8th IEEE International Conference on Mobile Ad-Hoc and Sensor Systems, Valencia, 2011, pp. 709-714.
[7] L. Wallgren, S. Raza, and T. Voigt, "Routing Attacks and Countermeasures in the RPL-Based Internet of Things," International Journal of Distributed Sensor Networks, vol. 9, no. 8, 2013.
[8] M. Landsmann, M. Wahlisch, and T. C. Schmidt, "Topology Authentication in RPL," in Proc. IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Turin, 2013, pp. 73-7.
[9] A. Mayzaud, A. Sehgal, R. Badonnel, I. Chrisment, and J. Schönwälder, "Mitigation of topological inconsistency attacks in RPL-based low-power lossy networks," International Journal of Network Management, vol. 25, no. 5, pp. 320-339, 2015.
[10] A. Mayzaud, R. Badonnel, and I. Chrisment, "Detecting version number attacks in RPL-based networks using a distributed monitoring architecture," in Proc. 12th International Conference on Network and Service Management (CNSM), Montreal, QC, 2016, pp. 127-135.
[11] F. Ahmed and Y.-B. Ko, "Mitigation of black hole attacks in Routing Protocol for Low Power and Lossy Networks," Security and Communication Networks, vol. 9, pp. 5143-5154, 2016.
[12] A. Aris, S. F. Oktug, and S. Berna Ors Yalcin, "RPL version number attacks: In-depth study," in Proc. IEEE/IFIP Network Operations and Management Symposium (NOMS), Istanbul, 2016, pp. 776-779.
[13] D. Airehrour, J. Gutierrez, and S. K. Ray, "Secure routing for Internet of Things: A survey," Journal of Network and Computer Applications, vol. 66, pp. 198-213, May 2016.
[14] P. Perazzo, C. Vallati, G. Anastasi, and G. Dini, "DIO Suppression Attack Against Routing in the Internet of Things," IEEE Communications Letters, vol. 21, no. 11, pp. 2524-2527, November 2017.
[15] U. Herberg and T. Clausen, "A comparative performance study of the routing protocols LOAD and RPL with bi-directional traffic in low-power and lossy networks (LLN)," in Proc. 8th ACM Symposium on Performance Evaluation of Wireless Ad Hoc, Sensor, and Ubiquitous Networks, 2011, pp. 73-80.
[16] A. Dunkels et al., "Contiki: The Open Source OS for the Internet of Things," [Online]. Available: http://www.contiki-os.org. [Accessed: 17 May 2018].
[17] A. Dunkels, B. Gronvall, and T. Voigt, "Contiki - a lightweight and flexible operating system for tiny networked sensors," in Proc. 29th Annual IEEE International Conference on Local Computer Networks, Tampa, FL, USA, 2004, pp. 455-462.
[18] F. Osterlind, A. Dunkels, J. Eriksson, N. Finne, and T. Voigt, "Cross-Level Sensor Network Simulation with COOJA," in Proc. 31st IEEE Conference on Local Computer Networks, Tampa, FL, USA, 2006, pp. 641-648.
[19] J. Eriksson, A. Dunkels, N. Finne, F. Osterlind, and T. Voigt, "MSPsim - an extensible simulator for MSP430-equipped sensor boards," in Proc. European Conference on Wireless Sensor Networks (EWSN), Delft, The Netherlands, Poster/Demo Session, January 2007.
