Submitted by:
Abhishek Gupta
703/IT/08
Table of Contents
I. Abstract
II. Introduction
III. Collaborative Attack
III.a Categorization of Collaborative Attacks
III.a.1 Direct Collaborative
III.a.2 Indirect Collaborative
IV. Wormhole Attack
IV.a Severity of a Wormhole Attack
IV.b Simulations
IV.c Analysis
V. Blackhole Attack
V.a Simulations
V.b Analysis
VI. Conclusion
VII. References
I. Abstract
A Mobile Ad hoc Network (MANET) consists of a set of communicating wireless mobile nodes
or devices that do not have any form of fixed infrastructure or centralized authority. Security
in MANETs has become a significant and active topic within the research community. This is
because of the high demand for sharing streaming video and audio in various applications, and
because a MANET can be set up quickly to facilitate communications in a hostile environment such
as a battlefield or an emergency situation like a disaster rescue operation. Although several
attacks aimed at specific nodes in MANETs have been uncovered, some attacks involving multiple
nodes still receive little attention. One reason is that people apply security mechanisms
designed for wired networks to MANETs and overlook the security measures that are specific to
MANETs. Furthermore, it may also have to do with the fact that no survey or taxonomy has been
done to clarify the characteristics of different multiple node attacks. This thesis addresses the
aforementioned gap by providing a proper definition and categorization of collaborative attacks
against MANET from the various multiple node attacks found.
Simulation with GloMoSim was used to investigate the performance impact of a collaborative
blackhole and wormhole attack on a mobile ad hoc network. Network throughput, packet
delivery ratio and end-to-end delay are the performance metrics used in our result analysis.
II. Introduction
During the past few decades the world has become a global village by virtue of the technological
revolution. Information Technology (IT) is growing day by day, and businesses tend to use more
and more complex network environments. Despite the efforts of network administrators and IT
vendors to secure computing environments, the threats posed to personal privacy, company
privacy and various assets by attacks upon networks and computers continue unabated.
Mobile Ad hoc Networks (MANETs) are most certainly a part of this technological revolution. A
MANET is a collection of wireless devices or nodes that communicate by dispatching packets to
one another or on behalf of another device/node, without any central network authority or
infrastructure controlling data routing. MANET nodes have limitless connectivity and mobility
with respect to other nodes; for routing, each node acts as a router and network manager to
another node [17].
Securing transmission and communication in a MANET is a challenging and vital issue
because the mobile network is open to various types of attacks. In order to secure
communication in such networks, understanding the security attacks to which a MANET is liable
is a major task and concern. MANETs suffer from a variety of security attacks and threats such
as: Denial of Service (DoS), flooding attack, impersonation attack, selfish node misbehaviour,
routing table overflow attack, wormhole attack, blackhole attack, and so forth. A MANET is open
to vulnerabilities as a result of its basic characteristics, such as: no point of network
management, a rapidly changing topology, resource restrictions, and no certificate authority or
centralized authority, to mention a few [1, 2, 4].
Previous studies show that there are different categories of attacks on MANET [1, 2, 8], such as
passive and active attacks, internal and external attacks, and routing and packet forwarding
attacks. Some of these attacks are termed single attacks, while others are referred to as attacks
on multiple nodes and are malicious. In this thesis, we investigate the multiple node
attacks against MANET and provide a new categorization of multiple node attacks. In addition,
based on the characteristics of these attacks, we present a proper definition of such attacks in
MANET. After that, simulations of different network sizes are performed to see the impact on
MANET performance with and without a collaborative attack. Finally, the various mitigation
plans for collaborative attacks are discussed and highlighted.
III. Collaborative Attack
A collaborative attack in MANET is a homogeneous attack (i.e. blackhole or wormhole attack)
involving two or more colluding nodes; it is classified as an internal active attack that can be
carried out over a wired or wireless link and triggered by a single attacker or multiple
attackers. It can also be referred to as the first level of attack, in which the adversary is only
interested in disrupting the foundation mechanism of the ad hoc network, for instance the routing
protocol, which is crucial for proper MANET operation.
III.a Categorization of Collaborative attacks
In collaborative attacks, as defined in the previous section, numerous nodes are involved
during the attack. These nodes may physically exist or may not exist at all. These unique
characteristics can be observed and were distinguished in the section on Multiple Node Attacks.
Having studied the different multiple node attacks and provided the definition of
collaborative attacks, we now divide these attacks into two categories.
III.a.1 Direct Collaborative Attacks
Here, the attacker nodes already exist in the original network, or a malicious node
joins the network, or an internal node in the network is compromised. This kind of collaborative
attack is referred to as a direct collaborative attack. Blackhole and wormhole attacks belong
to this category. The classification is based on the natural behaviour of these
attacks. In the blackhole attack, one or more malicious nodes try to disrupt the network routing
operation by advertising themselves as the shortest path to the destination node. Therefore, at
least three physical nodes must be involved in this attack, namely: the source node, the
blackhole node (malicious node) and the destination node.
The second attack belonging to this category is the wormhole attack; there always exist two
colluding malicious nodes, since they can tunnel data packets back and forth, even packets not
addressed to them, without the other nodes knowing. Thus, the wormhole attack involves at
least two physical nodes.
III.a.2 Indirect Collaborative Attacks
The attacks in this category use non-existent nodes to trick other nodes into
redirecting data packets to the malicious node. This kind of collaborative attack is referred to
as an indirect collaborative attack. The attacker nodes do not already exist in the original
network but are created in the course of the attack. The Sybil attack belongs to this category of
collaborative attacks. The malicious node in a Sybil attack can generate an arbitrary number of
additional identities for itself while using only one physical node. This physical node may be a
legitimate node or a node already compromised or made malicious by the Sybil attack in the MANET.
Routing table overflow is another attack in this category, in which the malicious node tries to
create as many routes as possible to non-existent nodes. It aims to prevent new routes from
being produced or to overpower the routing protocol.
IV. Wormhole Attack
A wormhole attack is a type of collaborative attack in which the attacker provides two malicious
chokepoints that are used to degrade the network or analyse the network traffic.
These two chokepoints constitute the end points of a wormhole. The end points are connected via
a high-speed link or tunnel of some sort [Fig 1]. Packets are captured at one end point and
tunnelled to the other malicious end point in some other part of the network, where they are
replayed, typically without modification. The following figure illustrates a network topology
affected by a wormhole:
Figure 1: X and Y are the end points of the wormhole with a communication link between
them known as the wormhole link. X is in transmission range of a, b and m, whereas Y is in
transmission range of d, e and c.
Figure 2: Nodes 1, 2, 3, 4 and 5 are in transmission range of M1. Nodes A, B, C and D are
in transmission range of M2. The network is divided into two partitions A and B. The
wormhole will handle a significant amount of routing between partition A and partition B.
Also, nodes 1, 2, 3, 4 and 5 will consider nodes A, B, C and D as their immediate neighbours
due to the presence of the wormhole.
routing done between these two partitions is affected by the wormhole. In another situation a
wormhole can directly tunnel a ROUTE REQUEST packet to its destination. When the destination
node's neighbours hear the ROUTE REQUEST packet, they will follow normal routing procedure to
rebroadcast it and then discard all other ROUTE REQUEST packets originating from the same
Route Discovery. Any route other than the wormhole is thus prevented from being discovered.
If the wormhole is near the originator of the ROUTE REQUEST packet, routes of more than two
hops can be prevented from being identified.
After the wormhole has become a significant part of the routing, it can be exploited in several
ways. It may be used to analyse the routing traffic. The critical points of the network, such as
the sender node or the destination node, may be identified and an attack may then be launched
against them. The adversarial nodes of the wormhole may drop the packets instead of forwarding
them all, thus creating a permanent Denial of Service attack. In this case, the attack would be
more detrimental, as the wormhole is handling a significant share of the network's routing. The
wormhole may also selectively discard packets, such as the control packets in on-demand routing
mechanisms, or modify them.
In the case of proactive routing mechanisms that employ neighbour discovery procedures, the
wormhole attack is equally dangerous. These protocols use HELLO packets for neighbour
discovery. If the HELLO packets of A are tunnelled via a wormhole and transmitted to
B, then A will consider B as its neighbour. The routing will be disrupted when A tries to
communicate with B as its one-hop neighbour and is unable to, as they are not in
transmission range. In Fig 2, nodes 1, 2, 3, 4 and 5 will take nodes A, B, C and D as their
immediate neighbours.
The severity of wormholes is also reflected by the fact that they are not easily detectable.
Cryptographic techniques are not useful in detecting a wormhole, as in most cases it only relays
the encrypted or authenticated packets. Suppose the attacker places two transceivers at two
critical positions in the network and initiates a fast link between the two. These transceivers
will just pick up packets from the network and tunnel them across. These transceivers need not be
part of the network to perform this task, as they will just be eavesdropping on the packets
transmitted by the neighbouring nodes. Cryptographic techniques will be useless in this case. The
nature of wireless communication allows the attacker to design such transceivers. It is also
possible for the attacker to transmit each bit instead of waiting for the whole packet, thus
decreasing the delay of transmission. If the attacker does the tunnelling non-maliciously, then
the wormhole can be very useful in routing, as it provides a fast route with a smaller number of
hops. But in most scenarios this is not the case.
In the work done by [9] it has been shown that in shortest path routing protocols, two
strategically located malicious nodes can disrupt on average 32% of all communications across the
network when the nodes of the network are distributed uniformly. When the wormhole targets a
particular node in the network, it can disrupt on average 30% to 90% (based on the location of
the target) of all communication between the target node and all other nodes in the network. In a
network of grid topology it has been shown that 40% to 50% of all communication can be disrupted
if the wormhole is placed along the diagonal of the grid. The above study illustrates the
severity of wormhole attacks in wireless ad hoc networks.
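How a single tunnel pulls shortest-path routes towards itself can be measured on a small topology with the sketch below, an added example that is not part of the thesis or of [9]. It assumes a 4 x 4 grid in which each node hears only its four nearest neighbours and a tunnel that is advertised as a single hop; all function names are hypothetical, and the shares it produces are not the figures reported in [9].

```python
from collections import deque

def grid_links(n):
    """n x n grid (assumed topology): each node hears its 4 nearest nodes."""
    adj = {(r, c): set() for r in range(n) for c in range(n)}
    for r, c in list(adj):
        for nb in ((r + 1, c), (r, c + 1)):
            if nb in adj:
                adj[(r, c)].add(nb)
                adj[nb].add((r, c))
    return adj

def with_tunnel(adj, x, y):
    """Copy of the topology in which wormhole ends x and y look adjacent."""
    out = {node: set(nbs) for node, nbs in adj.items()}
    out[x].add(y)
    out[y].add(x)
    return out

def hop_counts(adj, src):
    """Breadth-first search: fewest hops from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nb in adj[node]:
            if nb not in dist:
                dist[nb] = dist[node] + 1
                queue.append(nb)
    return dist

def captured_pairs(adj, x, y):
    """Pairs whose route through the tunnel is strictly shorter than every
    honest route, so a shortest-path protocol has no choice but to use it."""
    tunnelled = with_tunnel(adj, x, y)
    nodes = sorted(adj)
    captured = []
    for s in nodes:
        honest, seen = hop_counts(adj, s), hop_counts(tunnelled, s)
        captured += [(s, d) for d in nodes if s < d and seen[d] < honest[d]]
    return captured

def captured_fraction(adj, x, y):
    """Share of all unordered source/destination pairs that are captured."""
    n = len(adj)
    return len(captured_pairs(adj, x, y)) / (n * (n - 1) // 2)

def mean_hops(adj):
    """Average hop count over all ordered pairs of distinct nodes."""
    n = len(adj)
    return sum(sum(hop_counts(adj, s).values()) for s in adj) / (n * (n - 1))

if __name__ == "__main__":
    grid = grid_links(4)                      # constructed sample topology
    x, y = (0, 0), (3, 3)                     # tunnel along the diagonal
    print("captured share  :", captured_fraction(grid, x, y))
    print("mean hops before:", round(mean_hops(grid), 3))
    print("mean hops after :", round(mean_hops(with_tunnel(grid, x, y)), 3))
```

The fall in mean hop count once the tunnel is present corresponds to the hop-count and end-to-end delay reductions discussed in the analysis in IV.c.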
Fig. 3: End to End delay (sec) against No. of nodes, for 0, 2, 4 and 6 malicious nodes
Fig. 4: Hop Counts against No. of nodes, for 0, 2, 4 and 6 malicious nodes
Fig. 5: No. of packets against No. of nodes, for 2, 4 and 6 malicious nodes
In the case of mobile nodes, there is a possibility that the malicious node of a wormhole may
travel out of range of the destination node, so that the path containing the wormhole is not
selected.
IV.c Analysis
Average End To End Delay:
This is the average delay between the sending of the data packet by the CBR source and its
receipt at the corresponding CBR receiver.
This includes all the delays caused during route acquisition, buffering and processing at
intermediate nodes, retransmission delays at the MAC layer, etc.
A significant drop in the values of average end to end delay (fig 1) can be observed from the
graph as we increase the number of malicious nodes in the network. The average value of end to
end delay, taken over the various numbers of nodes in the network with no malicious nodes, is
0.0306 sec. The value for 6 malicious nodes is 0.01774, thus giving a drop of around 42%. This
drop can be explained by the fact that the route through the wormhole is a route with a smaller
no. of hops. Thus the buffering time, processing at intermediate nodes, retransmission delays
etc. are reduced significantly, which in turn reduces the end to end delay.
Throughput:
Throughput values show an increase (fig 4) as we introduce wormholes in the network. The
wormholes in the above implementation do not have the packet dropping property. The
throughput thus increases with the introduction of wormholes, as wormholes allow the senders
to find shorter routes to the destination.
V. Blackhole Attack
A blackhole attack occurs when a malicious node impersonates the destination node or forges a
route reply message that is sent to the source node, with no effective route to the destination.
The malicious node may generate unwanted traffic and usually discards packets received in the
network. When this malicious node (blackhole node) affects one or more nodes, making
them malicious as well, this kind of attack can be referred to as a multiple node attack or
collaborative attack.
In a blackhole attack, the malicious node presents itself as having the shortest path to the
node it is impersonating, making it easier to intercept the message. To achieve this, the
malicious node waits and tries to get the replies from nearby nodes in order to discover a safe
and valid route. This route could be forged, illegitimate or an imitation but it appears
genuine to the source node.
V.a Simulations
Simulation Parameters:
SIMULATION-TIME 30M
TERRAIN-DIMENSIONS (1200, 1200)
NUMBER-OF-NODES 100, 120, 140, 160 and 180
NODE-PLACEMENT UNIFORM
MOBILITY RANDOM-WAYPOINT
MOBILITY-WP-PAUSE 20S
MOBILITY-WP-MIN-SPEED 0
MOBILITY-WP-MAX-SPEED 5
RADIO-TX-POWER 4.0
Traffic Generators:
CBR 9 90 10000 512 0.05S 70S 100S
The malicious nodes chosen are introduced in the order: 75, 96, 33 and 2
Static Nodes
Fig. 7: Throughput against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes
Fig. 8: Pdr against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes
Fig. 9: No. of packets against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes
Mobile Nodes
Fig. 10: Throughput against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes
Fig. 11: Pdr against No. of Nodes, for 1, 2, 3 and 4 malicious nodes
Fig. 12: No. of packets against No. of Nodes, for 1, 2, 3 and 4 malicious nodes
V.b Analysis
The simulations have been carried out in the GloMoSim network simulator. The results for the
following metrics have been extracted:
a) Throughput
b) Packet Delivery Ratio
c) Data Handled by Malicious nodes
The results were taken for static as well as mobile environments. For each, 25 different
simulations were carried out, each time varying the number of nodes for a particular number of
malicious nodes in the network. The analysis is as follows:
Throughput:
Throughput can be defined as the average rate of successful message delivery over a
communication channel.
The values of PDR (fig 2) range from 0.977 (average value for no malicious nodes) to
0.13136 (for 4 malicious nodes) in the case of static nodes, and from 0.9468 (no malicious nodes)
to 0.24 (4 malicious nodes) in the case of mobile nodes (fig 5), for the network with and without
attack. This huge drop in the values can be attributed to the packet dropping mechanism of
Blackhole nodes. This clearly shows the severity of the Blackhole attack. Introduction of just 4
malicious Blackhole nodes in an active network of 12 traffic generators and over 100 nodes
paralyses the network functioning to the extent of almost killing it.
It can be observed here that there is no significant difference between the PDR values of the
network with 1, 2, 3 and 4 malicious nodes, compared to the difference between the values of the
network without attack and those of the network under an attack comprising 1 malicious node.
Also, in the case of mobile nodes this difference does increase, as it increases in the case of
throughput. The reason for the above is the same as explained in the analysis of throughput
behaviour.
Introduction of mobility increases the average PDR when the network is under Blackhole attack,
as compared to the case of static nodes. Mobility of nodes allows new routes involving different
sets of nodes to be found from time to time. This reduces the probability of the Blackhole
node being in the route all the time. The result is increased PDR.
VI. Conclusion
A significant amount of research has been devoted to studying security issues as well as
countermeasures to various attacks in MANET. However, we believe that there is still much
research work to be done in the area. The underlying rationale is that existing security
solutions are well matched to specific attacks: these solutions have proven useful in
defending against known attacks, but they eventually fail to counteract unanticipated or combined
attacks. In this thesis, we try to discover multiple node attacks and categorize them as direct or
indirect collaborative attacks, but we still suspect that there could be other kinds of
attacks that can be classified as collaborative attacks. Thus, further research would be carried
out in order to validate the theoretical model, that is, the definition of collaborative attacks,
and to identify other collaborative attacks. Due to time constraints, we only simulate the
blackhole attack on MANET to show how this attack impacts the regular operation in MANET.
Therefore, in order to further establish the consequences of collaborative attacks, another
direction for future work would be to simulate other types of collaborative attacks, e.g.,
wormhole, Sybil and routing table overflow attacks, and compare the results. Such studies may
result in a more complete picture of how network performance is affected during a specific
collaborative attack or even combined collaborative attacks. The aforementioned research is quite
challenging but interesting to conduct. Finally, the development of a mitigation plan capable of
defending against various collaborative attacks would be considered as another important
direction for future work.
VII. REFERENCES
[1] H. Deng, W. Li, and D. P. Agrawal, "Routing security in wireless ad hoc networks," IEEE
Communications Magazine, vol. 40, pp. 70-75, 2002.
[2] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, "Security in Mobile Ad Hoc Networks:
Challenges and Solutions," IEEE Wireless Communications, vol. 11, pp. 38-47, 2004.
[3] T. Clausen Ed. and P. Jacquet Ed., "Optimized link state routing protocol (OLSR)," IETF
RFC 3626, October 2003.
[4] L. Peters, F. De Turck, I. Moerman, B. Dhoedt, P. Demeester, and A. A. Lazar, "Network
layer solutions for wireless shadow networks," Proceedings of the International Conference
on Networking, International Conference on Systems and International Conference on Mobile
Communications and Learning Technologies, ICN/ICONS/MCL'06, vol. 2006, p. 1628384,
2006.
[5] L. Peters, I. Moerman, B. Dhoedt, and P. Demeester, "MEHROM: Micromobility support
with efficient handoff and route optimization mechanisms," 16th ITC Specialist Seminar on
Performance Evaluation of Wireless and Mobile Systems (ITCSS16 2004), pp. 269 - 278,
2004.
[6] IEEE Std. 802.11, "Wireless LAN Medium Access Control (MAC) and Physical Layer
(PHY) Specifications," 1997.
[7] A. Mishra, Security and Quality of Service in Ad Hoc Wireless Networks, 2008.
[8] S. A. Razak, S. M. Furnell, and P. J. Brooke, "Attacks against Mobile Ad Hoc Networks