Surviving Attacks on Disruption-Tolerant Networks without Authentication

Cited by: 0
Authors
Burgess, John [1]
Bissias, George Dean [1]
Corner, Mark [1]
Levine, Brian Neil [1]
Affiliation
[1] BBN Technol, Cambridge, MA USA
Source
MOBIHOC'07: PROCEEDINGS OF THE EIGHTH ACM INTERNATIONAL SYMPOSIUM ON MOBILE AD HOC NETWORKING AND COMPUTING | 2007
Keywords
DTN; deployment; mobility; routing; security;
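DOI
Not available
Chinese Library Classification number
TP3 [Computing technology, computer technology];
Discipline classification code
0812;
Abstract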
Disruption-Tolerant Networks (DTNs) deliver data in network environments composed of intermittently connected nodes. Just as in traditional networks, malicious nodes within a DTN may attempt to delay or destroy data in transit to its destination. Such attacks include dropping data, flooding the network with extra messages, corrupting routing tables, and counterfeiting network acknowledgments. Many existing methods for securing routing protocols require authentication supported by mechanisms such as a public key infrastructure, which is difficult to deploy and operate in a DTN, where connectivity is sporadic. Furthermore, the complexity of such mechanisms may dissuade node participation so strongly that potential attacker impacts are dwarfed by the loss of contributing participants. In this paper, we use connectivity traces from our UMass Diesel-Net project and the Haggle project to quantify routing attack effectiveness on a DTN that lacks security. We introduce plausible attackers and attack modalities and provide complexity results for the strongest of attackers. We show that the same routing with packet replication used to provide robustness in the face of unpredictable mobility allows the network to gracefully survive attacks. In the case of the most effective attack, acknowledgment counterfeiting, we show a straightforward defense that uses cryptographic hashes but not a central authority. We conclude that disruption-tolerant networks are extremely robust to attack; in our trace-driven evaluations, an attacker that has compromised 30% of all nodes reduces delivery rates from 70% to 55%, and to 20% with knowledge of future events. By comparison, contemporaneously connected networks are significantly more fragile.
Pages: 61 / 70
Number of pages: 10