CS 399: Seminar

Term Paper

Ad-hoc On-Demand Distance Vector Protocol and BlackHole Attack in AODV

By:

Rajkumar Singh∗(09010138)email s.rajkumar[*]iitg.ernet.in

Under the guidance of:

Professor Santosh Biswas

Department of Computer Science and EngineeringIndian Institute of Technology, Guwahati

10th April 2012

1

Abstract

Mobile ad-hoc networks(MANETs) are extensively useful many civilian applica-

tions as well as in Military purposes. One of the very basic and important application

of MANETs is Blue-tooth send the files from one mobile node to another mobile node

using blue-tooth like mobile phones use this a lot. Ad-hoc networks are having a lot use

suppose in IIT guwahati A group of students have a meeting and in the room there is

only one LAN Port and every member in the meeting require the internet connection,

then one of the best and not expensive solution is create an Ad-hoc network and all

the member can join it, like this there are many uses of adhoc networks. Mobile ad-hoc

networks allow the construction of flexible and adaptive networks with no fixed/static

infrastructure. The dynamic topology of mobile ad-hoc networks (MANETs) allows

nodes to join and leave the ad-hoc network at any point of time. Due to this generic

characteristic of Mobile ad-hoc networks it is having lots of vulnerability for security

attacks. In this term paper first i will discuss Ad-hoc on-demand distance vector pro-

tocol in detail and after that a few vulnerabilities in brief after that a attack which is

performed by a group of malicious nodes known as Black hole attack. I will discuss the

technique to identify the multiple black holes cooperating to each other and a solution

to avoid this attack. In short the main focus will be on How AODV routing protocol

works and detecting the black hole attack(Nodes which are contributing to attack) and

removing the attack so that can have a secure efficient routing from one node to an-

other. I will discuss how the malicious nodes that are responsible for BlackHole attack

can be Detected and thus avoid the black-hole attack.

Keywords: AODV (Ad-hoc on-demand Distance vector protocol), Black hole, Routing,

Ad-hock Networks.

1 Introduction

Ad-hoc networks have a large number of important applications. Ad-hoc networks are hav-ing extensive use in daily life as we can connect any mobile node to the network and canperform required tasks like Mobile Phone and Laptop can be connected to Ad-hoc networkand can access the Internet without having the fixed infrastructure. Military also use adhocnetworks for their many of the applications. Sometimes military uses adhoc networks toconnect to soldiers in battlefield or military units connect to each other or sometimes forcreating sensory arrays with thousands of sensors. Ad-hoc networks provides the facilityof creating a networks in the situations where creating infrastructure seems impossible orcreating infrastructure is very expensive means it is impossible to have a network with fixedinfrastructure every where, so on such places Ad-hoc networks are highly useful. Withouthaving the fixed infrastructure we can solve the purpose of network by using Ad-hoc net-works.Unlike a networks with fixed/static infrastructure, mobile nodes in adhoc networksdo not communicate via access points (fixed structures). Here each node acts as a host atthe time of requesting or providing information from or to some other nodes in the network,and act as router when discovering and maintaining routes for other nodes in the network.Means Every node in the adhoc network can act as a Router node or the host node.

2

There are many routing protocols exist out of those main three routing protocols areas follows.

• Destination-Sequenced Distance Vector routing (DSDV).

• Dynamic Source Routing (DSR).

• Ad-hoc on Demand Distance Vector Protocol (AODV).

Details of each protocol are described briefly as follows. Mainly i will discuss Ad-hoc on-demand distance vector protocol in section 2.

As Ad-hoc networks can be used for Military purposes or can also be used for someother Common secure purposes like online Transaction so main requirement is to make itsecure or attack free so that Malicious node can not enter this Network and can not be ableaccess the secure information. As in AODV Protocol sequence numbers and hop countscan be modified so using these options a malicious node can crash the whole network. ByChanging TTL a malicious node can choke the whole network. Or using some other attackslike black hole attack whole secure information can be obtained at the time of transfer fromone node to another node. Due to the generic nature of AODV protocol a malicious nodecan spoof its identity and by doing so malicious node can get the secure information anddo whatever that node want using the information. Either can dump the whole packetsthat malicious node obtained or can forward them depending on the behaviour of maliciousnode.I discussed such attacks in the section 3 in this Term paper. Also i have discussed thedetection of such malicious nodes and removal/avoidance of such attacks so that AODVcan be more secure. Some people have already fixed some of the security issues of AODVprotocol.

2 Different Routing Protocol

2.1 DSDV Details

(Destination-Sequenced Distance vector)DSDV protocol is a table driven protocol. Meansin DSDV protocol every mobile node maintains a routing table with entries for each andevery possible destination node, and required number of hopes to reach those destinations,means if there are n nodes in a network then routing tables corresponding to each nodewill have almost n − 1 entries. Every Routing table is updated periodically for each andevery change in the network (like a new node joins or leaves etc.) to maintain consistency.This updation of Routing tables require frequent route update broadcasts But the problemwith this protocol is the size of table as the network increases so is the routing table size inthe ratio of O(n*n) that makes it inefficient As network size increases, table size will alsoincreases hence any operation (like update, searching) will be very inefficient. Hence ThisProtocol is good for networks having less number of nodes.

3

2.2 DSR Details

Dynamic Source Routing(DSR) is on demand routing protocol and it maintains a routecache, which leads to memory overhead. DSR protocol is similar to AODV protocol interms that it is also the on-demand routing protocol like AODV protocol, means it requestsfor route to a particular node when it is having the need of that route. But DSR doesnot rely on the path information from the intermediate nodes, DSR has a higher overheadas each packet carries the complete route and it does not support multicast. As eachpacket contains the whole route information, this increases its overhead. Hence for smallinformation there will be lot more overhead hence it is inefficient in terms of packet overhead.

2.3 AODV Details

2.3.1 Introduction to AODV

As the name itself suggests that Ad-hoc on demand Distance vector(AODV) protocol is anon demand routing protocol. Means whenever there is something to route to a particularnode then only it request for the route to that particular node. The Ad-hoc On-demandDistance Vector (AODV) algorithm enables dynamic, self-starting, multihop routing be-tween participating mobile nodes wishing to establish and maintain an ad hoc network.AODV allows mobile nodes to obtain routes quickly for new destinations, and does not re-quire nodes to maintain routes to destinations that are not in active communication meansthere is no need to maintain the table for all the destinations, in this protocol the infor-mation of the nodes are stored that are active parts of the communication. AODV allowsmobile nodes to respond to link breakages and changes in network topology in a timelymanner. The operation of AODV is loop-free, and avoiding the Bellman Ford ”Countingto infinity” problem offers quick convergence when the ad hoc network topology changes(typically, when a node moves in the network). When line break, AODV causes the affectedset of nodes to be notified so that they are able to invalidate the routes using the lost link.Means if a node or a group of nodes leave the network then all the remaining nodes inthe network are informed that such nodes are no more in the network so that every nodecan update their table if it having the route information through those nodes. Means allremaining nodes can invalidate the routes having the nodes who left the network. Thehighly Distinguishing feature of Ad-hoc on-demand distance vector protocol is its use of adestination of sequence number for each route entry means here in this protocol for eachroute entry a Destination sequence number is used. The destination sequence number iscreated by the destination to be included along with any route information it sends to re-questing nodes means destination node itself sends a sequence number to a requesting nodealong with some other fields in the packet. Using destination sequence numbers ensuresloop freedom. Means sequence numbers are used to avoid looping problem, Suppose thereis no concept of Destination sequence number in AODV then when a node get a packet thatwas broadcast-ed by the same node will again be broadcast-ed by the same node and thisprocess will go on for almost all nodes until packet’s hop count become zero, but when se-quence number concept is there then the packet received by a node which was broadcast-edby the same node will be dropped, hence no situation of looping can not arise. Given thechoice between two routes to a destination, a requesting node is required to select the one

4

with largest sequence number, means Requesting node will choose the route having largestsequence number out of received packet’s sequence numbers. Choosing greatest sequencenumber’s route ensures the freshness of the route.

2.3.2 Overview of AODV

There are three types of messages are defined in Ad-hoc on-demand distance vector protocolare Route Requests (RREQs), Route Replies (RREPs), and Route Errors(RERRs). Thesemessage types are received via UDP(User Datagram Protocol), and normal IP header pro-cessing applies. So, for instance, the requesting node is expected to use its IP address as theOriginator IP address for the messages, means in the RREQ packet there is a field for origi-nator IP address (IP address of the node who has generated this RREQ packet or requestingfor Route). For broadcast messages, the IP limited broadcast address (255.255.255.255) isused in the destination address field all 1’s are put. This means that such messages are notblindly forwarded. However, Some messages in AODV like Route Request are supposedto forward to the whole ad-hoc network. The range of dissemination of such RREQs isindicated by the TTL or the HopCount in the IP header, when Hop count is a downwardcounter, means when HopCount becomes zero then that packet is not forwarded further orin other way that packet is dropped. To avoid the Looping in the network due to the broad-cast of RREQ messages sequence number’s are used, as shown in packet structure there isone field for sequence number. As long as the endpoints of a communication connectionhave a valid routes to each other means if starting node has the information of the routeto destination node in its routing table then that path is followed for Routing from sourcenode to destination node, Means in that case AODV has no role to play. But when there isrequirement of route from source to a new destination and no information of route exist inthe source node’s routing table then AODV comes into account. The Source node broadcasta RREQ to find a route to the destination. A route can be determined when the RREQreaches either the destination node itself or some intermediate node having the informationof ”fresh enough” route to the desired destination node. As the freshness of the route isensured by the destination sequence number, this is a field in the packet. As in the routingtable Destination sequence number is also stored along with the route information to knowthe freshnesh of the route. A fresh enough route is valid route entry for the destinationwhose associated sequence number is at least as great as that contained in RREQ packetmeans the sequence number in the routing entry corresponding to route to Destinationnode should be grater or equal to the destination sequence number that is contained in theRREQ packet. The route is made available by uni-casting a RREP back to the origina-tor/generator of the request, so that the RREP can be unicast from the destination alonga path to the originator, or likewise from any intermediate node that is able to satisfy therequest. RREP message is send to the node from which that node has received the RREQpacket. Nodes in the ad-hoc network monitor the link status of the next hops in activeroutes. When a link break in an active route is detected, a RERR message is used to notifyother nodes that particular link went down so that node can invalidate the routes that arehaving that particular link. The RERR messages indicates those destinations(possibly sub-nets which are no longer reachable by way of the lost/broken link. In order to enable thiserror/link down reporting mechanism, each node keeps a ”precursor list”(it is implemented

5

using either the link list or the array) containing the IP address for each of its neighboursthat are likely to use it as a next hop towards each destination means in the precursor listthe IP’s of the neighbourhood nodes to a particular nodes are stored. The information inthe precursor list is most easily acquired during the processing for generation of a RREPmessage, which by destination has to be sent to a node in a precursor list. If the RREPhas a nonzero prefix length, then the originator of the RREQ which solicited or sent theRREP information is included among the precursors for the subnet route.AODV is also table driven routing protocol means it deals with route table managementbut this routing table does not store all the possible routes to all destination like DSDVprotocol . Routing table information must be kept even for short lived (Routes that Van-ishes after a little time) time routes, such as are created to temporarily store reverse pathstowards nodes originating RREQs. If a node found some new path then that also has tobe entered into the routing whether that route won’t last for very long time. AODV usesthe following fields with each route table entry :

• Destination IP Address.

• Destination sequence number.

• Other State and routing flags (e.g.: valid, repairable, being repaired).

• Valid Destination Sequence Number flag.

• Network Interface.

• Next Hop.

• List of Precursors.(its kind of group of neighbouring nodes)

• Hop Count (number of hops needed to reach destination)

• Lifetime (Expiry or Deletion time of the route). This states that Route may be validat-most this much time.

With the help of Sequence number we can avoid routing loops and also can invalidate rout-ing entries in some scenarios like when a link is down or deactivated. Managing the sequencenumber is the crucial job to avoiding routing loops, even when link break and node is nolonger reachable to supply its own information about its sequence number. A destinationbecomes unreachable when a link breaks or is deactivated. When these conditions occur,the route is invalidated by operations involving the sequence number and marking the routetable entry state as invalid.The AODV protocol is quite efficient with respect to network, using this protocol we candeal with thousands of nodes in the adhoc network means The AODV routing protocolis designed for mobile networks with populations of tens of thousands of mobile nodes.AODV can handle low, moderate, and relatively high mobility rates, as well as a varietyof data traffic levels means AODV can solve our purpose of routing for a variety of datatraffic and at varying mobility rates. AODV is designed for use in networks where thenodes can all trust each other means AODV will work flawlessly if there is none of the

6

node is malicious in the whole ad-hoc network. AODV has been designed to reduce thedissemination of control traffic and eliminate overhead on data traffic like in case DSRand DSDV, in order to improve scalability and performance. Means AODV is the efficientProtocol with respect to network performance but in security aspect AODV is not Secure,I will address the security issues of the AODV protocol in coming sections in this document.

2.3.3 AODV Message Formats

There are three mainly used messages AODV protocol those are RREQs(Route Requests),RREPs(Route Reply’s), RERRs(Route Errors).I have described structure of each of the messages with its containing fields. The exactstructure of RREQ is as follows.

Figure 1: RREQ Message format

The details of the fields are as follows.

7

Type: 1 Byte long. Type = 1 for RREQ

R: Repair Flag, Reserved for Multicast

G: Gratuitous RREP flag; it indicates whether a gratuitous RREP shouldbe Uni-cast to the node specified in the destination IP Address field

D: Destination only flag; indicates only the destination may respond tothis RREQ.

U: Unknown Sequence number; It indicates the destination sequencenumber is unknown

Reserved: Reserved for future expansion. Sent as 0; ignored on reception

Hop Count: The number of hops from the originator IP Address to the nodehandling the request.

RREQ ID: A sequence number uniquely identifying the particular RREQ whentaken in Conjunction with the originating node’s IP address.

Destination IP Address: The IP address of the destination for which a route is desired.

Destination Sequence Number: The latest sequence number us received in the past by theoriginator for any route towards the destination.

Originator IP Address: The IP address of the node which originated the Route Request.

Originator Sequence Number: The current sequence number to be used in the route entrypointing towards the originator of the route request.

Route Reply (RREP) Message FormatRREP is used to replying a node from which the node has received the RREQ about thevalid route information to the destination node (as in RREQ’s Destiation field). The RREPPacket’s structure with all the details about its fields is shown below.

Figure 2: RREP Message Format

Message containing following fields.

8

Type: Type = 2 for RREP.

R: Repair flag reserved for multicast.

A: Acknowledgement required.

Reserved: Reserved for future expansion.

Prefix Size: If nonzero, the 5-bit Prefix Size specifies that theindicated next hop may be used for any nodes with thesame routing prefix (as defined by the Prefix Size) asthe requested destination.

Hop Count: The number of hops from the Originator IP Address to theDestination IP Address. For Multicast route requests thisindicates the number of hops to the multi-cast tree membersending the RREP.

Destination IP Address: The IP address of the destination for which a route is supplied

Destination Sequence Number: The destination sequence number associated to the route.

Originator IP Address: The IP address of the node which originated the RREQfor which the route is supplied.

Lifetime: The time in the milliseconds for which nodes receivingthe RREP consider the route to be valid

*The Prefix Size allows a subnet router to supply a route for every host in the subnetdefined by the routing prefix, which is determined by the IP address of the subnet routerand the Prefix Size. In order to make use of this feature, the subnet router has to guaranteereach-ability to all the hosts sharing the indicated subnet prefix. When the prefix size isnonzero, any routing information (and precursor data) MUST be kept with respect to thesubnet route, not the individual destination IP address on that subnet.The ’A’ bit is used when the link over which the RREP message is sent may be unreliableor unidirectional. When the RREP message contains the ’A’ bit set, the receiver of theRREP is expected to return a RREP-ACK message.

Route Error (RERR) Message FormatWhen some link terminates or deactivate than all the node supposed to know about thatlink termination. So to tell all the nodes about the Link termination, RREPs are sentto every node in the ad-hoc network so that every node can invalidate their route entrieswhich are having routes through that terminated or deactivated link. Route Error(RERR)Message structure is shown below with full details about its containing fields.

9

Figure 3: RERR Message Format

Message containing following fields.

Type: Type = 3 for RERR Message.

N: No Delete flag; Set when a node has performed a local repair alink, and upstream nodes should not delete the route.

Reserved: Reserved for future expansion.

DestCount: The number of unreachable destinations included in the message.

Unreachable Dest. IP Address: The IP address of the destination that has becomeunreachable due to a link break.

Unreachable Destination Seq No. The sequence number in the route table entry for thedestination listed in the previous unreachable destinationIP Address Field.

Ad-hoc on demand distance vector protocol (AODV) is source initiated on-demandrouting protocol. Every mobile node maintains a routing table that maintains the next hopnode information for a route to the destination node. When a source node wants to routea packet to some destination node then first it will check for the path information to thatcorresponding destination node. If the information about the path is there in the routingtable then source node route the packet to the corresponding path and some boundary casesmay come in picture for that there are some special treatments. But if the source node doesnot find any information about the path to the destination means there does not exist anyfresh enough path to the destination node then it stars a route discovery by broadcastingthe Route Request(RREQ) packet/message to its neighbourhood nodes, which is furtherpropagated until it reaches to an intermediate node which is having a fresh enough routeto the destination node specified in the RREQ packet, or the destination node itself. Everyintermediate node that has received RREQ message will make an entry in its routing tablefor the node that has forwarded the packet and also for the source node. The destinationnode or the intermediate node having the fresh enough route to the destination send, uni-casts Route Response or Route Reply (RREP) to its neighbourhood node from which ithas received the RREQ. An intermediate node makes an entry for the neighbourhood nodefrom which it has received RREP, then forwards the RREP in reverse direction. At the

10

time of receiving the RREP, source node will make an entry for the destination node andalso for its neighbourhood node from which it received the RREP. And then source nodestarts routing the data packets to the destination node through the neighbourhood nodethat first responded with an RREP.Here is the example of AODV routing at a bunch of nodes.

Figure 4: Source to Dest Routing using AODV

In the above network topology node ”Source” want to route the packet to node ”Dest”.For that node ”Source” checks for fresh enough path from Source to Dest in its Routingtable. Node ”Source” could not find any entry for path to node ”Dest” so node ”source”have to discover the route starting from itself to node ”Dest”. For that node Source sendsRREQ to its neighbour nodes having certain fields as discussed in AODV Message format.In the given topology source will send RREQ to its Neighbours. Intermediate nodes nothaving any information about the path from the node ”Source” to node ”Dest” forward theRREQ message to its neighbourhood nodes. This forwarding may cause looping so to avoidlooping we use sequence number in the RREQ message. Every node rejects the messagethat is having sequence number less than its sequence number. And Also Hop count andTTL helps in avoiding the looping. In the given topology node N7 gets the RREQ message

11

from Source but node N7 does not have any information about the fresh enough route toDest. So it forward the RREQ Message to its neighbours. And Then Dest receive theRREQ message (requesting the path to Dest). As Dest itself is the final node so it willsend an RREP to the node from which it received the RREQ i.e node ”Dest” will send theRREP message to node N7 and then node N7 will forward back to the node from whichit has received the RREQ for the path to node ”Dest”. Here node N7 will send RREPmessage to the Source node. All the RREPs are send as uni-cast If Node ”Source” alreadyreceived the information about the path or received some other RREP then Source willdiscard this RREP. But if Source do not get any RREP till now then source will accept theRREP from Node N7. And after that they will start sending the data. And Source willdiscard every RREP about the route to Dest. Hence in the above topology RREP fromthe N2 to Source is Discarded. There may be some other possibilities as well. Here loopingis avoided using sequence number and TTL. To ensure the Freshness of the route we usesequence number.

3 Vulnerabilities in AODV

Ad-hoc on-demand distance vector protocol is very efficient as a network service but it ishaving lots of vulnerabilities means this protocol can easily be attacked. AODV is not sosecure. AODV is designed for an ideal network means for a network having no maliciousnode. For a network having no malicious nodes AODV protocol is the most efficient one.But we all know that nothing is ideal means there are some unsocial nodes everywhere.Some greedy nodes are also there in the node that attack on the network to solve therepurpose. In AODV what we can do during the RREQ messages or RREP messages is asfollows. Possible types of attacks.

• Sequence numbers can be modified.

• Hop Counts can be modified. (main attack is Looping in the network).

• modification of source routes( Black hole attack, wrong information about path).Tunnelling.

• Spoofing.

• Fabrication of Error messages (Error message that Destination is not reachable sodon’t send anything and greedy node capture the media).

• Fabrication of Source routes (Cache Poisoning).

As we have seen there are many types of attack possible in this AODV protocol. But theseattacks can be avoided by taking a little bit of care. Black Hole attack is the serious one.As in this attack the malicious node get whole of the data that source is sending and afterthat it dump the data. So in this paper i will discuss the Black hole attack detection andremoval of this attack.

12

3.1 The Black Hole Attack IN AODV Protocol

AODV is an important on-demand routing protocol that creates routes only when desiredby the source node. When a node requires a route to a destination,(if it is not there inthe routing table) it initiates a route discovery process within the network. It broadcastsa route request (RREQ) packet to its neighbours, which then forward the request to theirneighbours, and so on, until either the destination or an intermediate node with a freshenough route to the destination is located. In this process the intermediate node can replyto the RREQ packet only if it has a fresh enough route to the destination. Once the RREQreaches to destination or to a intermediate node having a fresh enough route to destinationnode, then the destination node or the intermediate node respond by uni casting a routereply(RREP) to the node from which it has received the RREQ packet. After selectingand establishing a route, it is maintained by a route maintenance procedure until either thedestination becomes inaccessible along every path from the source or the route is no longerdesires.

According to the original AODV protocol, any intermediate node may reply to theRREQ by sending a RREP if it is having a fresh enough route to the Destination. Thisdestination route is checked by the Destination sequence number that is contained in RREQpacket/message. This technique is used to decrease the routing delay but it makes thesystem vulnerable to a malicious node. A malicious node easily can disrupt the correctfunctioning of the routing protocol and makes at least part of the network crash. a singleblack hole node does not harm much but a group of black hole nodes can bring the wholenetwork down.

As any intermediate node having fresh enough route can respond to the RREQ. A ma-licious node respond quickly just after receiving the RREQ message from the source node.Malicious node is not having any fresh enough route to destination but still it send RREPstating that i have fresh enough route to the destination as soon as possible. Malicious nodedoesn’t even search for destination sequence number in its routing table because maliciousnode try to send RREP message as soon as possible so that source node will drop all theother original/real RREPs. And source node After receiving the RREP from the maliciousnode update its routing table with the information of the malicious node and also reject allother RREPs from other nodes. And after that Source node start sending data through themalicious node because source node is having the route that goes by that malicious node.And malicious node after receiving the data drop it or can use the secure information. Thusa group of malicious nodes can bring down the hole network. An Example is given belowand the whole process is explained.

13

Figure 5: Black Hole attack

In the above given figure node N1 is the source node and this node wants to route thedata to node N6, Means N6 is the destination node. And in the topology node N4 isthe malicious node. Let us suppose node N1 does not have the fresh enough route to thedestination node N6. So N1 have to discover the route to N6 for that node N1 will send aRREQ packet. Suppose IP of node N1 is ”10.11.11.12” and Destination node (N6)’s IP is”10.11.12.24” then node N1 will send a RREQ packet that look like as follows.

Figure 6: RREQ packet from Source node

14

This RREQ packet is broadcast and nodes will receive this packet and search for the Desti-nation sequence number in their respective routing tables. if they find destination sequencenumber or the destination IP in the routing table then that node will send an RREP to thesource node otherwise forward the RREQ packet to its neighbourhood nodes. Here in thistopology there is one malicious node that will respond to RREQ just after receiving RREQpacket. Because malicious node will send a fake information so it has no need to search itrouting table. Hence the malicious node will send RREP packet as soon as possible afterreceiving the RREQ from the Source node or may be some intermediate node. Before re-ceiving the RREP packet sent by Malicious node if source node receives some other RREPpacket then it will work as usual but if the source node N1 receives the RREP sent byMalicious node N4. Then it rejects all other RREPs from other nodes until this route isdesirable. Malicious node is as near to the source node better are the chances of attackbecause RREP generated by malicious node will reach first. In this way source node willbelieve that it is the route to destination that i require. But in reality there is no path fromN4 to N6 in the given network. Node N4 sends a spoofed RREP packet. Let IP of NodeN4 is ”10.11.11.19”.RREP packet that is sent by Node N4 is shown below.

Figure 7: RREP packet from node N4

As malicious node is nearer to source node so this RREP is supposed to reach first to theSource node. And this will force source node to think that Route Discovery is completeand thus source node will reject all other RREPs that it might have received from othernodes. And after that node N1 will start sending the data through malicious node N4 andN4 will drop that data. Other option is that as Node N4 got the whole data, it can performeverything that is possible with that data, i mean to say is that the data send by sourcenode to destination node is not secure anymore, a third party is having the data. Node N4can also drop the data, Hence data is lost. So a group of malicious nodes can crash thewhole network.

Node N4 has succeeded in attracting the source node to send the data through N4.After this node N4 can perform any type of attack out of the following.

• Eavesdropping messages,

• Selectively dropping data,

15

• Manipulating data, or

• Launching Denial of Service (DoS) attack.

In the above case a a group of malicious node node spoofs the routing path informationsingle handed means one node from the group focus on one part of the network, i mean tosay all the malicious nodes in the group attack exclusively, hence this is comparatively easyto detect using next hop information in the RREPs. but some time a group of cooperativemalicious nodes perform the attack in the adhoc network. In this case a group of maliciousnodes spoof the routing information by cooperation between them and this attack is notdetected by algorithm discussed in [3]. The Figure shown below will discuss everythingabout the attack.

Figure 8: RREQs Broadcasts in The Ad-hoc Network

In the above shown figure The RREQ requests are broadcast to the adhoc networks. RREQflooding in networks is shown in the network. In the next figure shown below i have shownthe propagation of RREP from malicious node as well as from the other normal nodes.As Malicious node is nearer to the source node hence source node will get RREP sent bymalicious node and if after receiving the RREP if source node wants to confirm the nexthop then in RREP packet next hop is node M2 hence source node will check M2.

16

Figure 9: Route Reply(RREPs) Propagation in the network

The attack shown in the above diagram is the example of Cooperative Black hole attackin which a group of malicious nodes such that all nodes are cooperative in nature. Thisattack is not easily detectable like simple black hole attack . Sometimes in modified AODVRREP should also supply the next hop information if the RREP is generated by someintermediate node so that the source node can cross check the route information with thenext hop provided in Received RREP. Hence by cooperation malicious nodes able to spoofthe route information, thus perform the black hole attack. A special case of the blackhole attack is called Gray hole attack in which some of the packets are dropped and someof the packets are forwarded, as sum packets are forwarded so its little hard to detect thatwhether that node is malicious node or normal node and also the source node will keep onsending the data as some of the data is received by the destination. But Gray hole attackis harder to detect.

4 Detection of Black Hole Attack

Many tried to Detect black hole nodes in a network and also try to resolve the black holeattack. Some of the approaches are as follows.Deng et. al. [3] have proposed an algorithm to avoid black hole attacks in ad hoc networks.According to their algorithm, any node on receiving a RREP packet (which is the reply tothe route request in AODV) from a node, cross checks with the next hop on the route tothe destination means the node that is sending an RREP should also send the informationabout its next hop if exist (because in case of Destination node itself will not be able to finda next hop on the same route in that case it sends that i am destination node) The crosschecking is done only for intermediate nodes, because malicious node can not spoof that iam destination, what an intermediate node can spoof is that it can only send a messagethat i am having a route to the required destination. If the next hop either does not have

17

a link to the node that sent the RREP or does not have a route to the destination then thenode that sent the RREP is considered as malicious. This technique does not work whenthe malicious nodes cooperate with each other. Means a group of malicious nodes suchthat all are very cooperative nodes then in that case one malicious node will send RREPand in Next hop field it will send other malicious node which is cooperative and hence bycooperating they can spoof the routing path and thus black hole attack can be incurredin the network. Hence this suggested algorithm will not work, when there is a group ofcooperating black hole nodes.An algorithm presented in [4] claims to prevent the cooperative black hole attacks in ad-hoc network by modifying AODV protocol by introducing Data Routing Information (DRI)Table and Cross Checking. It is a computation intensive algorithm and takes O(n2) time,whenever a node decides to send packets to another node.

Moreover, in case when the network in not under the attack (which will be the usualcase) means no malicious node is there in the whole adhoc network, in this case the algo-rithm takes more time to complete. This algorithm is mainly based on a trust-relationshipbetween the nodes in the adhoc network. But this algorithm discussed in [4] fails in de-tecting Gray hole attack. Gray hole attack is the variant of Black hole attack. In Grayhole attack instead of dropping all the packets like in black hole attack it drops some of thepackets and forwards some of the packets. The algorithm that i about to describe here ispresented in [5] by P.agarwal et. al in which first they created a back bone of the network.The details the algorithm are as follows. This Algorithm also detects Gray hole attack.The main idea behind the algorithm described in [5] is to devise a mechanism for monitoringall the nodes in the network in terms of the traffic being forwarded through them. in thisalgorithm we are assuming that the nodes are in promiscuous mode (means the nodes canlisten to the traffic through their neighbourhood node) so that they can listen to the trafficthrough there respective neighbours. However, it will not be good option to allow all thenodes in the adhoc network to monitor all the other nodes, because doing so increases thechances of black hole attacks considerably (because malicious node will be able to spoofthe traffic management). Hence, In this algorithm, some of the nodes which are powerfulin terms of computing power and radio range are chosen, and making them trustworthymeans those chosen nodes can be trusted. Such chosen nodes are referred as strong nodes,and those chosen nodes will maintain a BackBone Network [6] which operates at a levelabove the ad hoc network of regular nodes. Rubin et. al. [6] proposed the use of backbonenetworks in scalable routing. This idea of back bone network is adapted in this algorithmof detecting malicious nodes and avoiding black hole attack, using backbone at one levelup for monitoring traffic for other nodes in the ad hoc network, detecting the presence thepresence of black or Gray holes and preventing these malicious nodes from interfering withthe routing.

In this algorithm all the nodes in the adhoc network are divided into Three parts/categoriesand these three categories are as follows.

1. RN: These are the low power, low transmission range nodes whose information is nottrustworthy Means such nodes can be Malicious nodes.

2. BN: These are the Backbone nodes which have a higher power, transmission range

18

compared to a RN. These nodes form a core that monitors the network nodes(meansBN nodes monitor the traffic flow for other nodes in the given ad-hoc network).

3. BCN: These are Backbone Capable nodes with similar capabilities like BN nodes,means these nodes are having the almost same strength as BN nodes. BCN nodesdoes not form core, but these nodes can be used to become BN nodes or forming thecore for increasing both the connectivity and coverage of the network. BCN nodescan be included in the core nodes.

The Algorithm to detect malicious nodes and removing black hole attack mainly consistsof two parts.

• Core/Back-Bone Network Formation and Maintenance,

• Detection of Black/malicious Nodes.

4.1 Core/Back-Bone Formation and Maintenance

The core/Back-Bone formation progresses incrementally means core is formed by a groupof nodes joining the core one by one in a incremental fashion. That is a new node entersinto the adhoc network during the core formation and maintenance stage.Suppose there is a BackBone Core Node NBC is there then what task/checks it will performduring the core/backbone formation are described below.Actions by BackBone Core Node (BCN) NBC

Step 1: First of all NBC detects RN nodes in its neighbourhood/vicinity. If somehow itfound any of such node then broadcasts ”Invitation” message or the message to senda joining request to these RN nodes in its neighbourhood and waits to receive a joinrequest from a RN node.

Step 2: NBC on receiving a joining request from a RN node, let say NR. Then NBC checksif NR is reachable in a predefined hop limit from NBC itself, if NR is reachable inthose specified hop limits then it adds NR to the list of its associated nodes, else NR

in the list of its unassociated nodes. As NBC maintains two lists one for associatednodes and another for unassociated nodes in its neighbourhood.

Step 3: If NBC does not receive any other join request within a predefined timeout (a downcounter for timeout timer becomes zero), then NBC checks for BN(BackBone Nodes)nodes in the its neighbourhood, if not a single BN node is found in its neighbourhood,then NBC checks for node in its associated list. If the associated list is empty thenmove to adjacent grid location and repeats from step 1.

Step 4: If somehow NBC detects a BN node in its neighbourhood or vicinity, then NBC

sends a coordination message to those BN nodes or to the single BN node and waits forreply from that BN node until a time timeout. The coordination message is handledby a separate coordination protocol executed by BN nodes discussed in [6].

19

Step 5: NBC on receiving reply from the BN node to the coordination message that it hadsent before to that BN node, and then NBC executes the required actions as specifiedin the reply that it has received from the BN node. The action will be like whetherNBC should promote itself to a BN node or move to a new grid location for promotionNBC also performs some other respective tasks. Coordination protocol description indetail can be found in [5].

Actions by a regular node N:We can uniformly view the actions of a new node entering for the first time in the adhocnetwork whether its type is BCN or RN, but that will look little clumsy.Hence to keep thedescription simple, the actions by different nodes are presented separately so that actionsby different types of nodes can be easily understood.

Step 1 N Checks if this node is already associated with some BN or BCN node. If thisnode is already associated to BN or BCN node, then terminates its actions.

Step 2 N on receiving an invitation message from BN or BCN node then it sends a joinrequest message to that BN or BCN node from which it had received the Invitationrequest, and wait for reply from that node.

Step 3 N on receiving a reply from corresponding node to its join request that it had sentto either BN or BCN node, N sends accept message(that i am joining you) to thenode with lowest id(in case a it receives more than on Join Request from BN or BCNnodes then it chooses the node with lowest id to reply) among those which sent joinAcknowledgement(ACKs) to it. After than it just discard the any subsequent joinInvitation request.

4.2 Detection of Black Node

With the help of a backbone network that we have discussed in previous section in thispaper, we propose a algorithm to detect black/malicious nodes which requires O(mdBN )number of hops to detect the chain of malicious nodes, where m(� n) is the number ofmalicious nodes in the chain of cooperative malicious nodes or the black nodes, and dBN

is the diameter of the backbone network that we have formed using the BN and some ofthe BNC nodes(dBN will be significantly less than the diameter let say DNetwork of theactual ad-hoc network ). Moreover, the describe algorithm takes significantly less time ifthere is no attack in network means unnecessarily the computation will not be there. Themain idea in this described algorithm is that after every block of data packets, Source nodeasks the backbone network to perform an end-to-end check with the destination node toconfirm the delivery of data packets, means source node want to check that destinationnode has received the transferred data or not. If the destination did not receive a blockof data packets, or the destination node becomes aware of some kind of attack in betweenthe communication, then the destination node would inform the backbone network aboutthe attack in communication or non receipt of data packets. After getting this informationeither of attack or the non receipt of the data packets the backbone network initiates theprocedure of detection of the chain of malicious nodes that are cooperating together or

20

the exclusive malicious nodes which are somehow dumping the packets. In our detectiontechniques One important assumption we have made is that there are not many maliciousnodes in the network means if let say m is the number of malicious nodes and n is the totalnumber of nodes in the network than m� n. However, the assumption that we have madeis a reasonable assumption, because in any network if there are too many malicious nodes,then they can overpower the network and for that we can apply some other technique. So,in this algorithm mainly focus is on the situations where there are not too many maliciousnodes in the network. To be more precise, the number of malicious nodes in the network isless than the number of non-malicious neighbours of the node to be monitored. Because ifnot so malicious node will overpower the whole network.

Figure 10: Control Messages for detection of malicious nodes

in the above shown figure the description of the symbols are as follows.

1. S is the source node which wishes to communicate with a destination node D.

2. S and D are associated respectively with the backbone node NSb and ND

b .

3. S and D share a secret key, K.

4. The RREQ from source node S for discovering the route to Destination node D wasreplied by a RREP message from an intermediate node Nrrep with the shortest routeto Source node S.

In this checking of Black/ malicious nodes by Back-Bone network Five different types ofnodes are involved and those five type of nodes are as follows.

21

1. S: It is the source Node, which initiated sending of data packets to destination node.

2. D: It is destination Node, to which data packets are being sent by Source node.

3. NSb : It is a back bone node to which source node S is associated.

4. NSb : It is back bone node to which Destination node D is associated.

5. V: It is a regular node of the ad-hoc network.

Now each of the node what they will do, i mean what will be the each node’s actions?Actions of all the five types of nodes as described above in detection of Malicious nodes areas follows.Actions of Source Node S:

Step 1: Node S Divides the set of data packets that have to be sent in k equal parts ofsome size(Last part may not be of the same size), Data[1..k], initializes a runningvariable i to 1.

Step 2: Source node S Sends a prelude = EK(Ri), ni, NSb message to D over the backbone,

where Ri is the randome nonce, ni is the number of packets to be sent in the currentblock that is about to sent, and EK() is the encryption function with the shared keyK. This Prelude messages that is sent over backbone network is received by NS

b , NDb

and as well as D.

Step 3: Source node S Starts transmitting packets from the block Data[i] to D. Sourcenode start sending the data blocks out of those k blocks.

Step 4: Source node Sends a message check = Ri , S, D, Nrrep to NSb . So that Backbone

node starts checking the end -to end connection between destination.

Step 5: If Source node received an OK from NSb then it increments the running variable

i and repeats from step 2 to send data packets from the next block of data. Meansdestination is getting data then source keep on sending the data.

Step 6: If Source node received a Not OK from NSb , it means that either destination node

detected some attack in the network or the destination has not received the data sentby source node(it means some malicious node is dumping the data), then source nodesets a timer for removal of malicious node. If Source node S Received a Removed OKfrom NS

b before the timer timeouts then it executes the steps starting from step 2 toresume the sending of data to destination node. But if either timer timeout beforereceiving the ”Remove OK” Message or not received the ”Remove OK” message thenSource node once again wait for ”Remove OK” message and if then also not receiveany message then it terminates Data Sending.

Actions of Destination Node D:

Step 1: Destination node on receiving prelude message from Source node S extracts Ri,ni and NS

b , and then sets a timer for the receipt of the current data sample. Waitsfor the data packets from source node S. Here as we know Source and Destination

22

share a secret key K, Hence D can decrypt the encrypted prelude message using thatshared key K.

Step 2: While the receipt timer has not timeout, Destination node D on receiving a datapacket Destination updates the count (dataCnt) of data packets received.

Step 3: After the receipt timer timeout, Destination node sends a message known as pos-tulate containing fields are as follows.postlude = {Ri, dataCnt, NS

b , D, S} to NSb message to S, where dataCnt is the

number of packets that destination node has received from Source node S.

Actions of NSb :

Step 1: Node NSb on receiving a prelude message from source node S, sends monitor mes-

sage to all neighbours of source nod S asking them to monitor the data that is sentby source node S .

Step 2: Node NSb Initializes a counter ”max = 0” to count the maximum number of data

packets that are transmitted from source node S, and sets the timer for NSb s actions

to terminate.

Step 3: Node NSb On receiving check from source node S sends query for check to all

neighbours of Source node S and waits for result messages from the Neighbours ofSource node S.

Step 4: Node NSb on receiving a result from a neighbour of Source node S perform the

following actions:

1. if the value of counter max is less than the number of packets reported in a resultmessage from the neighbours of Source node S, then updates max to the numberthat is reported by the result messages.

2. if the value of counter max equals to dataCnt from postlude message then setsa timer for receiving Acknowledgement(ACK) from ND

b and then it wait forfurther messages either from S or Node ND

b .

3. If node Node NSb receives D malicious before expiry of timer, then it sends ”OK”

to source node S and go to step 1.

4. If the timer expires before receiving the ”D malicious” or not received D maliciousthen node Node NS

b broadcasts S malicious message to backbone and go to step5.

Step 5: Terminate NSb s actions.

Actions of NDb :

Step 1: Node NDb on receiving prelude , message from node S, sends monitor message to

all the neighbours of Destination node D.

Step 2: Node NDb initializes timer and sets a counter max to 0, where counter max will

be updated to the estimated number of packets received by Destination node D.

23

Step 3: If the timer timeouts or an Acknowledgement(ACK) is received from DestinationD, then Node ND

b does the following:

1. Node NDb sends query message to all the neighbours of Destination node D;

2. Node NDb on receiving a result message from a neighbour of Destination, if value

of max is less than the value of number of packets reported in result messagethan node ND

b updates counter max to the number of packets reported in resultmessage;

3. if max == dataCnt (dataCnt extracted from postlude message sent by Destina-tion node D) then sends Acknowledgement(ACK) to NS

b and goes back to step1.

Step 4: Broadcasts D malicious to backbone and terminates its actions.

Actions by a regular node RN:

Step 1: Regular bide in receiving monitor message , extract the source IP, destination IPand node-id of the sender.

Step 2: If this Regular node is a neighbour of either S or destination node D, then startscounting the number of packets from source node S to destination node D.

Step 3: RN on receiving query message, sends the result message to the node from whichit got the query message.

4.2.1 Black Hole Removal Process

Once a BN node (Here say NSb in this case) could not receive Acknowledgement(ACK)

message until a specified timer timeouts, Then the black hole removal process(Here we cansay Gray hole removal process as well because our algorithm is able to remove the Grayholes as well) gets initiated by NS

b . The actions of different nodes for the Black holeremoval process is specified below.

Actions by NSb :

Step 1: Broadcast find-chain message on the backbone network to find the chain of coop-erative black or malicious nodes. The message contains the id of node Nrrep (it is thenode which is sending route reply message to source node S), the victim node or thesource node S and the destination node (D).

Actions by any backbone node Nb :

Step 1: Node Nb On receiving the findchainmessage, checksifthenodeNrrep(node thatsend the RREP message to source node S) belongs to the association list of thisBN node (as already described BN nodes maintain two list named as Associated nodelist and Unassociated). If not belongs to Associated node list, then no further actionis required.a

24

Step 2: Node Nb Initialize a list (called BlackHole-Chain) to contain node Nrrep. If aBlackHole-Chain is also received with the broadcast, use that instead of initializing anew list.

Step 3: Instruct all the neighbours of node Nrrep to vote for the next node to which Nrrep

is forwarding(if this node is forwarding some of the packets) packets originating fromSource node S and destined to Destination node D.

Step 4: On receiving nodeid′sfromneighboursofNrrep , elect the next node to which Nrrep

is forwarding the packets based on reported reference counts.

Step 5: If the elected node for next node to Nrrep is a null node, it means that the in-termediate node Nrrep is itself dropping all the packets(this is the case of mutualmalicious node black hole ). In this case, the black hole removal terminates, and abroadcast message is sent across the network to alert all other nodes about the nodesin BlackHole-chain to be considered as malicious, hence all the nodes will black listthat particular node here in this case is Nrrep.

Step 6: Also Append the elected node to the list (Black-Hole Chain) So that withoutchecking can say that particular node is malicious one. If that elected node is in theassociation list of this Nb , then go to step 3, it replaces node Nrrep with the electednode. But in this case the elected node is a valid node. because it is in the associatednode list.

Step 7: Node Nb Broadcast a find chain message over the backbone network, containingthe id’s of the malicious nodes. And it also broadcasts the BlackHole-Chain formedtill the time over the whole network so that other backbone network nodes can alsoappend malicious nodes to the their respective list so that in future if they receivedRREP from any of the node in the BlackHole-Chain then they can just ignore thatmessage.

Actions by a regular/BCN node:

Step 1: On receiving instructions from a backbone network node to find the next node towhich a malicious node M is forwarding some of the packets, then regular node willcheck if M is a neighbour of this node. If M is one of its neighbour, then turn on topromiscuous mode and listen to packets from node M , which has Source node S assource and D as destination. And then infer the next node whom node M is forwardingthe packets, regular node will send an message to BN containing the node-id of thatnode to which packet is forward by malicious node M.

Thus Black hole attack can be removed.

5 Conclusion

In this Report i have discussed about Ad-hoc on-demand distance vector protocol, BlackHole attack , Detection of Malicious nodes and Removal of Black hole attack. As i have

25

described that black hole attack can be removed by forming the Back bone network of theTrusted nodes in the network. This Back bone network will monitor the traffic flow forother nodes in the network and by executing some of the specific checks as described inabove specified algorithm on traffic for each node we can detect the malicious node or thechain of malicious nodes. And By this detecting them we can black list those IPs of themalicious node, means if the source node receive any RREP from the blacklisted IP listthen that RREP should be dropped, Hence This will lead to removal of Black hole attack,a secure routing can take place. Some other techniques may also be possible for removingblack hole attacks. In this Report the algorithm that i have discussed will be able to removethe black hole attack from the network.

6 References

1. RFC standard-3561, http://www.ietf.org/rfc/rfc3561.txt

2. Izhak Ruhin,Arash Behzad, Runlie Zhang, Iluiyu Luo,Eric Caballero : TBONE: AMobile-Backbone Protocol for Ad Hoc Wireless Networks.

3. H. Deng, W. Li, and D. P. Agrawal. Routing security in wireless ad hoc network.IEEE Communications Magzine, pages 70 - 75, 2002.

4. S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, and K. Nygard. Preventionof cooperative black hole attack in wireless ad hoc networks. In Proceedings of 2003International Conference on Wireless Networks (ICWN03), pages 570575. Las Vegas,Nevada, USA, 2003.

5. P.Agarwal, R.K Ghosh, S.K Das, Cooperative Black and Gray Hole Attacks in MobileAd Hoc Networks

6. I. Rubin, A. Behzad, R. Zhang, H. Luo, and E. Caballero. Tbone: A mobile-backboneprotocol for ad hoc wireless networks. In Proceedings of IEEE Aerospace Conference,volume 6, pages 2727 2740, 2002.

7. Y. C. Hu, A. Perrig, and D. B. Johnson, Ariadne: A secure on-demand routingprotocol for ad hoc networks, in Eighth Annual International Confer- ence on MobileComputing and Networking (Mobi-Com 2002), pp. 12-23, Sept. 2002.

8. Y. C. Hu and A. Perrig, A survey of secure wireless ad hoc routing, IEEE SecurityPrivacy Magazine, vol. 2, no. 3, pp. 28-39, May/June 2004.

9. S. Lee, B. Han, and M. Shin, Robust routing in wireless ad hoc networks, in ICPPWorkshops, pp.73, 2002.

10. Y. A. Huang and W. Lee, Attack analysis and de-tection for ad hoc routing protocols,in The 7th In-ternational Symposium on Recent Advances in Intru-sion Detection(RAID04), pp. 125-145, French Riv-iera, Sept. 2004.

26

11. Charles E. Perkins, Elizabeth M. Royer and Samir R. Das. Ad hoc On-DemandDistance Vector (AODV) Routing. Internet Draft, work in progress, IETF MobileAd Hoc Networking Working Group, July 2000.

12. F. Stajano and R. Anderson, The Resurrecting Ducking: Security Issues for Ad-HocWireless Networks, Security Protocols, 7th Intl. Wksp. Proc., LNCS, 1999.

13. Hongmei Deng, Wei Li, and Dharma P. Agrawal. Routing Security in wireless adhocnetworks.

14. L. Venkatraman and D. P. Agrawal, Strategies for Enhancing Routing Security inProtocols for Mobile Ad Hoc Networks, J. Parallel Distrib. Comp., 2002

27