2015 Fifth International Conference on Communication Systems and Network Technologies

Defending Against Wormhole Attack in MANET

Anal Patel1, Nimisha Patel 2, Rajan Patel 3

Dept. of Computer Engineering
Sankalchand Patel College of Engineering,
Visnagar-384315, India
1
[email protected], 2 [email protected],
3
[email protected]

Abstract— In the generation of wireless communication, caused processing capabilities emerges into new horizon
MANET has become an undividable and acceptable part for of different research areas [1].
communication for mobile equipments. Therefore, interest in The rest of the paper is organized as follows: Section
research of MANET has been increasing since last several II describes the background of wormhole attack, Adhoc
years. Security is a very challenging issue in MANET as it is on demand distance vector routing protocol. Section III is
without infrastructure and self-governing. Nodes in MANET the discussion of work done in detection and prevention of
used for real time applications also make it difficult to devise wormhole attack. Section IV presents proposed solutions
the resource demanding security protocols because of their for the detection of wormhole attack. Finally concluded
limited battery, power, memory and processing capabilities. remarks are given in section V.
One of powerful form of such kind of attacks is wormhole
attack that affects on the network layer. In this paper, we
have survey various techniques dealing with detection of II. THE WORMHOLE ATTACK
wormhole attack and an approach for wormhole detection
and prevention is proposed. A proposed approach is based The two malicious end points of tunnel may use it to
on the Hash based Compression Function (HCF) which is pass routing traffic to attract routes through them.
actually using any secure hash function to compute a value Wormhole nodes can disrupt the data packets which
of hash field for RREQ packet. Proposed approach looks results in unnecessary routing activities by turning off the
very promising compared to other possible solutions in wormhole link periodically. The attacker can simply
literature survey. All the simulations will be performed in record the traffic for later analysis. An attacker can also
NS2 simulator using AODV reactive routing protocol. break any protocol that directly or indirectly relies on
geographic proximity [1].
Keywords—Wormhole attack; HCF; AODV; MANET. In wormhole attack, a malicious node receives packets
at one location in the network and tunnels them to another
I. INTRODUCTION location in the network where these packets are resent into
the network. This tunnelling between two colluding
A wireless adhoc network is temporarily set network
attackers is referred to as a wormhole. Wormhole
by wireless mobile computers moving arbitrary in the
establishment is possible through wired link between two
place that have no fixed infrastructure and all of the
colluding attackers. In this form of attack the attacker may
transmission links are established through wireless
create a wormhole even for packets not addressed to itself
medium. MANETs are a kind of wireless adhoc network.
because of broadcast nature of the radio channel [1].
Each node in a MANET is free to move independently in
As show in fig. 1, X and Y are two malicious nodes
any direction leads to changing its links to other nodes
that encapsulate data packets and falsified the route
frequently. Each node operates as an end system and also
lengths. Let node S wishes to form a route to D and
as a router to forward packets. The primary challenge in
initiates route discovery. As X receives a route request
building a MANET is equipping each node to
from S, it encapsulates the route request and tunnels it to
continuously maintain the information required to
Y through an existing data route[X-->A-->B-->C-->Y].
properly route traffic. Wireless adhoc network is
When Y receives the encapsulated route request for D
promising in solving many challenging real-world
then it will show that it had only travelled [S-->X-->Y--
problems like military field operation, communication in
>D]. Neither X nor Y update the packet header. The
emergency response system and oil drilling and mining
destination finds two routes from S of unequal lengths:
operation [1].
one is of 4 and another is of 3. If Y tunnels the route reply
Wireless mobile adhoc networks are vulnerable to
back to X, S would falsely consider the path to D via X is
many security attacks because of shared channel, insecure
better than the path to D via A. Thus, tunnelling can
operating environment, lack of central authority, limited
prevent honest intermediate nodes from correctly
resource availability, dynamically changing network
incrementing the metric used to measure path lengths.
topology, resource constraints. MANET’s open issues are
If a wormhole attacker tunnels all packets through the
like security problem, finite transmission bandwidth,
wormhole honestly and reliably, no harm is done, it
abusive broadcasting messages, reliable data delivery,
actually provides a useful service in connecting the
dynamic link establishment and restricted hardware

978-1-4799-1797-6/15 $31.00 © 2015 IEEE 674

DOI 10.1109/CSNT.2015.253
network more efficiently. It puts the attacker in a powerful unreachable and if source still requires route, it will
position to compromise the security of the network. reinitiate the route discovery [2].
Wormhole attack can be divided into explicit attacks and
implicit attack. In implicit attack, the wormhole node does III. RELATED WORK
not change the packets header while transmitting, so the
wormhole node is invisible in the network. In Explicit Umesh Kumar Chaurasia et al. (2013): In this paper,
attack, this wormhole node does not change the content of the efficient method to detect a wormhole attack called
the date packet, but it will add its own identification to the modified wormhole detection AODV protocol has been
header of packet as legal node does so that other nodes proposed. Detection of wormhole attack is performed
will not know about the existence of wormhole nodes. using number of hops in different paths from source to
Further, wormhole attack can be classified using destination and delay of each node in different path from
encapsulation, out-of-band channel, high power source to destination. The destination is able to detect both
transmission, packet relay and protocol deviations [1]. kinds of wormhole attacks. Modified wormhole detection
method does not work well when all the paths are
wormhole affected [3].
Amarjit Malhotra et al. (2012): In this paper, authors
had proposed novel technique based on clustering and
digital signatures for prevention against wormhole attacks
without use of special hardware, time synchronisation or
dependency on time or hop difference between colluding
nodes to identify attacked routes. Simulation result show
that the method achieved high level of efficiency in
isolating wormhole nodes in the network [4].
Saurabh Gupta et al. (2011): In this paper, authors had
proposed routing protocol WHOP. In which they have
Figure 1. Wormhole Attack seen in simulation is quite well in detecting wormhole
tunnel length without support of any hardware and clock
A. Adhoc On Demand Distance Vector Routing Protocol synchronization. WHOP does not required significant
Adhoc On demand Distance Vector (AODV) routing changes in the working of existing AODV protocol [5].
protocol is on demand reactive routing protocol. Reactive Hiba Sanadiki et al. (2013): In this paper, authors had
means it finds the route when data has to send. It can be proposed approach to improve the watchdogs’ detection
used for unicast and multicast routing. It maintains the by (1) using cooperative watchdog model and (2) adding
routes as long as required by the source. It uses sequence the posterior belief function using Bayes’ rule to the
number to show that the route is new. By using sequence watchdog model. The results show that the use of the
number, it shows that the route is new and it also makes Bayes’ rule function along with the cooperative watchdog
sure that route is loop free. When a node has to send data model improves the detection rate and reduces the false
to the another node and route is not available then it positives [6].
broadcast a RREQ (route request) packet, nodes receiving Fu Cai, Cui YongQuan et al. (2013): In this paper,
this RREQ packet checks that whether they are the authors choose AODV routing protocol based adhoc
destination node to which source node wants to send data network by using ns2. After data collection and through
then it will send received RREQ packet to neighbour to comparing a one-dimensional projection and two
reach the destination. If they are then they will reply with dimensional projections, they found that one-dimensional
RREP (route reply packet) or if they have route to projection has little data loss and high accuracy in
destination with corresponding sequence number greater wormhole detection. Projection pursuit based wormhole
than that present in the RREQ. Otherwise, it will detection gives us new insights into wormhole detection
rebroadcast the RREQ packet. Nodes keep track of the and it is completely based on statistics [7].
route request by storing source IP address and Xiaopei Lu et al. (2013): In this paper, authors had
broadcaster’ ID. If the node again receives the same proposed wormplannar, made a successful attempt to
RREQ then they will discard it, because they have already detect wormholes by capturing the global symptoms of
processed it. Nodes passing the RREQ will mark a wormholes directly in the discrete networks.
backward pointer to the node from which it has receive Wormplannar leverages the network planarization
RREQ message. As RREP propagates back to the source mechanism, and works in a distributed manner with solely
node, nodes mark forward pointers to destination node. relying on the network connectivity information. The
Later if source node receives RREP with greater sequence results demonstrated that wormplannar can accurately
number or same sequence number with smaller hop count identify and isolate wormholes in a large class of network
then source will start using this new route. As long as instances [2].
route is active it is maintained, route is active if messages Mohammad Sadeghi et al. (2012): In this paper,
are send over it periodically by the source node to authors had compared AODV and OLSR protocol with
destination node. Once the source node stop sending the respect to throughput, end-to-end delay, network load and
data on the route, links will automatically time out and traffic received with wormhole and without wormhole in
deleted from intermediate node routing table. If link MANET. The results show that AODV is more vulnerable
failure occurs during route is active then RRER (route to wormhole attack compared to OLSR [8].
error message) to source node that destination is Ravinder Ahuja et al. (2013): In this paper, authors
had compared AODV and DSR protocols with respect to

675
 end-to-end delay, throughput, and packet delivery ratio Yudhvir Singh et al. (2013): This paper contains a
(PDR).The results show that performance of routing proposal for packet leashes technique for wormhole
protocol decreases under wormhole attack [9]. avoidance. Proposed technique has been implemented
Gaurav Garg et al. (2013): In this paper, summary of with NS2 simulator over the DSR protocol. This
various network layer attacks with existing ways of technique for wormhole avoidance addresses the
mitigation i.e. wormhole attack, blackhole attack and malicious nodes and avoids the routes having wormhole
greyhole attack is given. These attacks are still the open nodes without affecting the overall performance of the
area of research in MANETs. This paper is beneficial to network. The performance metrics used for evaluating
more researchers to realize the current status rapidly [1]. network performance are jitter, throughput and end to end
Shiyu Ji et al. (2014): In this paper, authors had delay. The performance of proposed technique is good
quantified wormholes’ devasting harmful impact on [12].
network coding system performance through experiments. Azeem Irshad et al. (2010): In this paper, authors had
Then they proposed DAWN, a distributed detection proposed a hash chain based peer to peer key management
algorithm against wormhole in wireless network coding and establishing the security association, which eliminates
systems, by exploring the change of the flow directions of the need for third party key initializing in all the nodes
the innovative packets caused by wormholes. They found and emphasize on self-organization [13].
that robustness depends on the node density in the Adnan Nadeem et al. (2013): In this paper, authors
network, and proved a necessary condition to achieve had presented a survey of the main type of attack at the
collusion-resistance [10]. network layer in MANET. They had proposed intrusion
Yih-Chun Hu et al. (2006): Authors had presented a detection technique that can deal with a range of attack
general mechanism, called packet leashes for detecting [14].
and defending against wormhole attacks. They also Table I shows the methodology/techniques used for
presented a specific protocol, called TIK that implements wormhole detection mentioned in different research
leashes. They also discussed topology-based wormhole papers surveyed above and also shows the comparison of
detection, and show that it is impossible for these these techniques.
approaches to detect some wormhole topologies [11].
TABLE I. COMPARISON OF EXISTING WORMHOLE DETECTION TECHNIQUES

Wormhole Wormhole
Methodology/Techniques Tools/ Simulator Protocol Both Accuracy
Detection Prevention
MATLAB & C MAODV,
Modified wormhole detection AODV protocol[3] Yes No No -
language AODV
Novel technique based on clustering and digital Prevention rate
Glomosim AODV No Yes No
signature [4] 80%
Detection rate
Comparison of WHOP and DELPHI [5] NS-2 AODV Yes No No
100%
Cooperative watchdog model and adding Detection rate
MATLAB-8.0 OLSR Yes No No
Bayes’rule[6] 88%
Detection rate
Projection pursuit adopt genetic algorithm [7] NS2 AODV Yes No No
100%
Detection rate
Worm planar algorithm [2] - - Yes No No
100%
Comparison of AODV and OLSR with wormhole
OPNET AODV, OLSR No No No -
and without wormhole(PASID-GD) [8]
Performance evaluation and comparison of AODV
and DSR routing protocol under wormhole attack Qualnet 5.0 AODV, DSR No No No -
[9]
Wormhole attack-WHOP, Black hole attack-Hash
based authentication,Grayhole attack-
NS2 AODV No No No -
NNOM(Neighbor node observing model) and
NRTM(Neighbor recommend anon trust model[1]
C based discrete Detection rate
Distributed detection algorithm [10] - Yes No No
event simulator 87.41%
No more than
Compaq
18% load on CPU
iPAQ 3870 Pocket DSR OR
Packet leashes with MD5 algorithm[11] Yes Yes Yes time at time of
pc running Linux AODV
detection &
took 45s
prevention
Packet leashes(Geographical and temporal[12] NS2 DSR Yes Yes Yes Good Throughput
hash chain based peer to peer key management and
- - No Yes No -
establishing the security association [13]
Compaq iPAQ AODV/DSR,
Intrusion Detection Techniques[IDS] [14] Yes Yes Yes -
37600 PDA DSDV,OLSR

676
 1. Destination D detects that RREQ comes from
IV. PROPOSED WORK tunnel and neighbor m2 detected as a wormhole
We have proposed an approach for defending against attacker
wormhole attack in MANET environment using NS2 2. Destination D sets flag = 1 (extra field) in RREP
simulator with AODV routing protocol. Our approach is and replies it via tunnel path
based on the Hash based Compression Function (HCF) 3. Source node S receives RREP with flag = 1 and
which is actually using any hash function to compute a detects neighbor m1 as a wormhole attacker
value of hash field for RREQ packet. }
Fig. 2, illustrate Source node S starts route discovery to
locate destination node D. Source node S initialize Hash
based Compression Function (HCF) e.g. SHA-1. Source
node S also initializes Seed Field and value of Hash Field,
appends it with RREQ and forwards it to its neighbor. If Begin
neighbor equal to destination then destination node D
receives multiple route requests (RREQs) and destination D
applies HCF, no. of hop count times on seed AODV Routing Protocol
value.Otherwise each valid intermediate node will apply
HCF on hash field and appends it with RREQ and forward it Source node S starts route discovery to locate Destination
node D
to its neighbors. If computed hashed value equal to
appended hashed value then destination D replies RREP
(route reply) on path having minimum hop count. Otherwise Source node S initialize Hash based Compression Function (HCF) e.g. SHA-1
if Computed Hashed Value not equal to Appended Hashed
Value then Destination D detects that RREQ comes from Source node S also initializes Seed Field & value of Hash Field, appends it with RREQ and forwards it
to its neighbours
tunnel and neighbor m2 detected as a wormhole attacker.
Destination D sets flag = 1 (extra field) in RREP and replies
it via tunnel path. Source node S receives RREP with flag=1
No Yes
and detects neighbor m1 as a wormhole attacker. Neighbors ==
Destination?
Proposed algorithm
1. Source node S starts route discovery to locate Each valid intermediate node will apply Destination node D receives
destination node D. HCF on Hash Field & appends it with multiple route requests
2. Source node S initialize Hash based Compression RREQ and forwards it to its neighbours (RREQs)
Function (HCF) e.g. SHA-1
3. Source node S also initializes Seed Field & value of Destination D applies HCF,
Hash Field, appends it with RREQ and forwards it to its No. of hop count times on
neighbors. Seed value
4. If ( Neighbor == Destination )
{ Goto step 5.} Not Matches
Else { Compare it with
Each valid intermediate node will apply HCF on appended one?
Hash Field and appends it with RREQ and
Matches
forwards it to its neighbors.
Goto step 4. Destination D replies
Destination D detects that RREQ comes RREP (route reply) on
} from tunnel and neighbour m2 detected path having minimum hop
5. Destination node D receives multiple route requests as a wormhole attacker count
(RREQs).
6. Destination D applies no. of hop count times HCF on
Seed value. Destination D sets flag = 1 (extra field)
7. If (Computed Hashed Value == Appended Hashed in RREP and replies it via tunnel path
Value)
{
Destination D replies RREP (route reply) on path
Source node S receives RREP with flag
having minimum hop count =1 and detects neighbour m1 as a End
} wormhole attacker
Else
{

Figure 2. Flowchart of proposed method

677
 REFERENCES
Fig. 3 shows an example of wormhole attack detection using
[1] Gaurav Garg, Sakshi Kaushal and Akashdeep Sharma
proposed approach. “Comprehensive study on MANETs network layer attacks,”
(1) Consider, Request 1: S-A-B-C-D with seed Computing, Communications and Networking Technologies
value=ABC (ICCCNT),2013 Fourth International Conference on IEEE 2013, pp.
Node A’s hash field 1-8, DOI: 10.1109/ICCCNT.2013.6726853.
=a9993e364706816aba3e25717850c26c9cd0d89d [2] Xiaopei Lu, Dezun Dong and Xiangeke Liao” Wormplannar:
Node B’s hash field Topological planarization based wormhole detection in wireless
=9ef2bdeea2b1bae79b9ddb930427d0b2c880bdac networks,” Parallel Processing (ICPP), 2013 42nd International
Node C’s hash field Conference on IEEE 2013, pp. 498-503,
DOI: 10.1109/ICPP.2013.61.
=86d431a290d3ff6078b5907e6ac1405d7059dcc5
(2) Consider request 2: S-E-F-G-H-D with seed [3] Umesh Kumar Chaurasia and Mrs.Varsha Singh” Modified wormhole
detection AODV protocol,” Contemporary Computing (IC3), 2013
value=ABC Sixth International Conference on IEEE 2013, pp. 239-243,
Node E’s hash field DOI: 10.1109/IC3.2013.6612197.
=a9993e364706816aba3e25717850c26c9cd0d89d [4] Amarjit Malhotra, Deepti Bhardwaj and Ankush Garg “Wormhole
Node F’s hash field attack prevention using clustering and digital signatures in reactive
=9ef2bdeea2b1bae79b9ddb930427d0b2c880bdac routing,” Networking, Sensing and Control (ICNSC), 2012 9th IEEE
Node G’s hash field International Conference on IEEE 2012, pp. 122-126,
=86d431a290d3ff6078b5907e6ac1405d7059dcc5 DOI: 10.1109/ICNSC.2012.6204903.
Node H’s hash field [5] Saurabh Gupta, Subrat Kar and S Dharmaraja “[WHOP] Wormhole
=31058581542f1640dff5defb5c52451c0e86747a attack detection protocol using hound packet,” Innovations in
(3) Consider Request 3: S-I-J-D with seed value=ABC Information Technology (IIT), 2011 International Conference on
IEEE2011,pages226, DOI: 10.1109/INNOVATIONS.2011.5893822.
Destination D applies HCF, No. of hop count times on [6] Hiba Sanadiki, Hadi Otrok, Azzam Mourad and Jean-Marc Robert
“Detecting attacks in QoS-QLSR protocol,” 2013, pp 1126-1131.
Seed value. If Computed Hashed Value not equal to
Appended Hashed Value then Destination D detects that [7] Fu Cai, Cui YongQuan, Han LanSheng and Fang ZhiCun” Projection
pursuit based wormhole detection in adhoc network,” High
RREQ comes from tunnel and neighbor M2 detected as a Performance Computing and Communications & 2013 IEEE
wormhole attacker.Destination D sets flag = 1 (extra field) International Conference on Embedded and Ubiquitous Computing
in RREP and replies it via tunnel path. Source node S (HPCC_EUC), 2013 IEEE 10th International Conference on 2013,
receives RREP with flag =1 and detects neighbor M1 as a pp. 1315-1322, DOI: 10.1109/HPCC.and.EUC.2013.187.
wormhole attacker. [8] Mohammad Sadeghi and Prof.Dr Saadiah Yahya,”Analysis of
Wormhole Attack On MANETs Using Different Manet Routing
Protocols,” Ubiquitous and Future Networks (ICUFN), 2012 Fourth
International Conference on 2012, pp. 301-305,
DOI: 10.1109/ICUFN.2012.6261716.
[9] Ravinder Ahuja, Alisha Banga Ahuja, Pawan Ahuja,”Performance
Evolution and Comparison of AODV and DSR Routing Protocols in
MANETs under Wormhole Attack,” Image Information Processing
(ICIIP), 2013 IEEE Second International Conference on IEEE 2013,
pages 669-701, DOI: 10.1109/ICIIP.2013.6707686.
Figure 3. An example of wormhole attack detection [10] Shiyu Ji, Tingting Chen and Sheng Zhong,”Defending against
Wormhole Attacks in Wireless Network Coding System,”
INFOCOM, 2014 Proceedings IEEE 2014, pp 664-672,
V. CONCLUSION DOI: 10.1109/INFOCOM.2014.6847992.
Security is an essential service for wired and wireless [11] Yih-Chun Hu, Adrian Perrig, and David B. Johnson “Wormhole
Attacks in Wireless Networks,” Selected Areas in Communications,
network communication. Due to security vulnerabilities of IEEE Journal on 2006,pp.370-380,
the routing protocols, MANET is unprotected from attacks DOI: 10.1109/JSAC.2005.861394.
done by malicious nodes. This survey work concerned with [12] Yudhvir Singh, Avni Khatkar, Prabha Rani, Deepika and Dheer
a particularly sever security attack that affects the ad hoc Dhwaj Barak “Wormhole Attack Avoidance Technique in Mobile
networks routing protocols, called “wormhole attack”. Adhoc Networks,” Advanced Computing and Communication
There are many solutions to detect and prevent this attack Technologies (ACCT), 2013 Third International Conference on
IEEE2013, Pp. 283-287, DOI: 10.1109/ACCT.2013.68.
like packet leashes, cluster base, hop count analysis etc., but
none of them is perfect solution. In this work, the techniques [13] Azeem Irshad, Syed Mushhad Gilani, Shahzada Khurram,
Muhammad Shafiq, Abdul Wahab Khan and Muhammad Usman
dealing with wormhole attack are surveyed and an approach “Hash-chain based peer-peer key management and establishment of
for wormhole detection and prevention is proposed. Our Security Associations in MANETS,” Information and Emerging
approach is based on the Hash based Compression Function Technologies (ICIET), 2010 International Conference on
(HCF) which is actually using any secure hash function to IEEE2010,pp. 1-6, DOI: 10.1109/ICIET.2010.5625727.
compute a value of hash field for RREQ packet. Proposed [14] Adnan Nadeem and Michael P. Howarth” Survey of MANET
Intrusion Detection &Prevention Approaches for Network Layer
approach looks very promising compared to other solutions Attacks,” Communications Surveys & Tutorials, IEEE 2013, pp.
proposed in literature. The proposed mechanism will be 2027-2045, DOI: 10.1109/SURV.2013.030713.00201
incorporated in AODV routing protocol and will be
implemented and simulated in NS2.

678