CS 399: Seminar
Term Paper
Ad-hoc On-Demand Distance Vector Protocol and Black Hole Attack in AODV
By:
Rajkumar Singh∗ (09010138)
email s.rajkumar[*]iitg.ernet.in
Under the guidance of:
Professor Santosh Biswas
Department of Computer Science and Engineering
Indian Institute of Technology, Guwahati
10th April 2012
Abstract
Mobile ad-hoc networks (MANETs) are widely used in many civilian applications as well as for military purposes. One very basic and common application of MANETs is Bluetooth: sending files from one mobile node to another over Bluetooth, as mobile phones do all the time. Ad-hoc networks have many uses. Suppose a group of students at IIT Guwahati hold a meeting in a room with only one LAN port and every member of the meeting needs an Internet connection; one of the best and least expensive solutions is to create an ad-hoc network that all the members can join. There are many such uses of ad-hoc networks. Mobile ad-hoc networks allow the construction of flexible and adaptive networks with no fixed/static infrastructure. The dynamic topology of MANETs allows nodes to join and leave the ad-hoc network at any point of time. Because of this generic characteristic, mobile ad-hoc networks have a lot of vulnerabilities to security attacks. In this term paper I first discuss the Ad-hoc On-demand Distance Vector protocol in detail, then a few vulnerabilities in brief, and after that an attack performed by a group of malicious nodes, known as the black hole attack. I discuss a technique to identify multiple black holes cooperating with each other and a solution to avoid this attack. In short, the main focus is on how the AODV routing protocol works, on detecting the black hole attack (the nodes that are contributing to the attack), and on removing the attack so that we can have secure and efficient routing from one node to another. I discuss how the malicious nodes responsible for the black hole attack can be detected and the attack thereby avoided.
Keywords: AODV (Ad-hoc On-demand Distance Vector protocol), Black hole, Routing, Ad-hoc Networks.
1 Introduction
Ad-hoc networks have a large number of important applications and are in extensive use in daily life, since any mobile node can be connected to the network and perform the required tasks: a mobile phone and a laptop can be connected to an ad-hoc network and access the Internet without any fixed infrastructure. The military also uses ad-hoc networks for many of its applications, for example to connect soldiers in the battlefield, to connect military units to each other, or to create sensor arrays with thousands of sensors. Ad-hoc networks make it possible to create a network in situations where building infrastructure is impossible or very expensive; it is impossible to have a network with fixed infrastructure everywhere, so in such places ad-hoc networks are highly useful, and they serve the purpose of a network without the fixed infrastructure. Unlike a network with fixed/static infrastructure, the mobile nodes in an ad-hoc network do not communicate via access points (fixed structures). Each node acts as a host when it requests information from, or provides information to, other nodes in the network, and acts as a router when discovering and maintaining routes for other nodes in the network. That is, every node in the ad-hoc network can act both as a router node and as a host node.
There are many routing protocols; the three main ones are as follows.
• Destination-Sequenced Distance Vector routing (DSDV).
• Dynamic Source Routing (DSR).
• Ad-hoc On-demand Distance Vector Protocol (AODV).
Each protocol is described briefly in section 2, where I mainly discuss the Ad-hoc On-demand Distance Vector protocol.
As ad-hoc networks can be used for military purposes, or for other common security-sensitive purposes like online transactions, the main requirement is to make them secure, or attack free, so that a malicious node cannot enter the network and cannot access the secure information. Since sequence numbers and hop counts can be modified in the AODV protocol, a malicious node can use these fields to crash the whole network, and by changing the TTL a malicious node can choke the whole network. With other attacks like the black hole attack, all the secure information can be obtained while it is being transferred from one node to another. Due to the generic nature of the AODV protocol a malicious node can spoof its identity, and by doing so it can get the secure information and do whatever it wants with it: it can either dump all the packets it obtained or forward them, depending on the behaviour of the malicious node. I discuss such attacks in section 3 of this term paper, along with the detection of such malicious nodes and the removal/avoidance of such attacks so that AODV can be made more secure. Some of the security issues of the AODV protocol have already been fixed by others.
2 Different Routing Protocols
2.1 DSDV Details
The Destination-Sequenced Distance Vector (DSDV) protocol is a table-driven protocol: every mobile node maintains a routing table with an entry for each and every possible destination node and the number of hops required to reach it, so if there are n nodes in the network the routing table of each node will have almost n − 1 entries. Every routing table is updated periodically, and for each and every change in the network (for example when a new node joins or leaves), to maintain consistency. Updating the routing tables requires frequent route update broadcasts. The problem with this protocol is the table size: as the network grows, so does the routing table size, in the ratio O(n*n), which makes it inefficient. As the network size increases the table size also increases, hence any operation (like update or search) becomes very inefficient. This protocol is therefore good for networks with a small number of nodes.
2.2 DSR Details
Dynamic Source Routing (DSR) is an on-demand routing protocol and it maintains a route cache, which leads to memory overhead. DSR is similar to AODV in that it is also an on-demand routing protocol, meaning it requests a route to a particular node only when it needs that route. But DSR does not rely on path information from the intermediate nodes; it has a higher overhead because each packet carries the complete route, and it does not support multicast. Since each packet contains the whole route information, its overhead grows; hence for small amounts of data there is a lot more overhead, and DSR is inefficient in terms of packet overhead.
2.3 AODV Details
2.3.1 Introduction to AODV
As the name suggests, the Ad-hoc On-demand Distance Vector (AODV) protocol is an on-demand routing protocol: only when there is something to route to a particular node does it request a route to that node. The AODV algorithm enables dynamic, self-starting, multihop routing between participating mobile nodes wishing to establish and maintain an ad-hoc network. AODV allows mobile nodes to obtain routes quickly for new destinations, and does not require nodes to maintain routes to destinations that are not in active communication; there is no need to maintain a table for all destinations, since only the information of the nodes that are active parts of the communication is stored. AODV allows mobile nodes to respond to link breakages and changes in network topology in a timely manner. The operation of AODV is loop-free, and by avoiding the Bellman-Ford "counting to infinity" problem it offers quick convergence when the ad-hoc network topology changes (typically, when a node moves in the network). When a link breaks, AODV causes the affected set of nodes to be notified so that they are able to invalidate the routes using the lost link. That is, if a node or a group of nodes leaves the network, all the remaining nodes are informed that those nodes are no longer in the network, so that every node whose table holds route information through those nodes can update it; all remaining nodes can invalidate the routes that pass through the nodes that left. The distinguishing feature of AODV is its use of a destination sequence number for each route entry. The destination sequence number is created by the destination and included along with any route information it sends to requesting nodes; that is, the destination node itself sends a sequence number to the requesting node along with the other fields in the packet. Using destination sequence numbers ensures loop freedom: sequence numbers are used to avoid the looping problem. Suppose there were no destination sequence numbers in AODV. Then a packet broadcast by a node and received back by that same node would be broadcast again by it, and this would go on for almost all nodes until the packet's hop count reached zero. With sequence numbers, a packet received by a node that was broadcast earlier by the same node is dropped, hence no looping situation can arise. Given the choice between two routes to a destination, a requesting node is required to select the one with the largest sequence number; that is, the requesting node chooses the route with the largest sequence number among the RREPs it received. Choosing the route with the greatest sequence number ensures the freshness of the route.
2.3.2 Overview of AODV
Three types of messages are defined in the Ad-hoc On-demand Distance Vector protocol: Route Requests (RREQs), Route Replies (RREPs) and Route Errors (RERRs). These message types are received via UDP (User Datagram Protocol), and normal IP header processing applies. So, for instance, the requesting node is expected to use its IP address as the Originator IP Address of the messages; in the RREQ packet there is a field for the originator IP address (the IP address of the node that generated this RREQ packet, i.e. the node requesting the route). For broadcast messages, the IP limited broadcast address (255.255.255.255), all 1's, is put in the destination address field. This means that such messages are not blindly forwarded. However, some messages in AODV, like the Route Request, are supposed to be disseminated through the whole ad-hoc network. The range of dissemination of such RREQs is indicated by the TTL or the hop count in the IP header; the hop count is a downward counter, so when it becomes zero the packet is not forwarded further, in other words it is dropped. To avoid looping in the network due to the broadcast of RREQ messages, sequence numbers are used; as shown in the packet structure there is one field for the sequence number. As long as the endpoints of a communication connection have valid routes to each other, that is, if the starting node has the route to the destination node in its routing table, that path is followed for routing from the source node to the destination node and AODV has no role to play. But when a route from the source to a new destination is required and no route information exists in the source node's routing table, AODV comes into play. The source node broadcasts a RREQ to find a route to the destination. A route can be determined when the RREQ reaches either the destination node itself or some intermediate node that has a "fresh enough" route to the desired destination node. The freshness of the route is ensured by the destination sequence number, which is a field in the packet; the destination sequence number is also stored in the routing table along with the route information, so that the freshness of the route is known. A fresh enough route is a valid route entry for the destination whose associated sequence number is at least as great as the one contained in the RREQ packet, i.e. the sequence number in the routing entry for the route to the destination node must be greater than or equal to the destination sequence number contained in the RREQ packet. The route is made available by unicasting a RREP back to the originator/generator of the request, so that the RREP can be unicast from the destination along a path to the originator, or likewise from any intermediate node that is able to satisfy the request. The RREP message is sent to the node from which the replying node received the RREQ packet. Nodes in the ad-hoc network monitor the link status of the next hops in active routes. When a link break in an active route is detected, a RERR message is used to notify the other nodes that the particular link went down, so that each node can invalidate the routes that use that link. The RERR message indicates those destinations (possibly subnets) which are no longer reachable by way of the lost/broken link. In order to enable this error/link-down reporting mechanism, each node keeps a "precursor list" (implemented using either a linked list or an array) containing the IP address of each of its neighbours that are likely to use it as a next hop towards each destination; that is, the precursor list stores the IPs of the neighbouring nodes of a particular node. The information in the precursor list is most easily acquired during the processing for generation of a RREP message, which by definition has to be sent to a node in a precursor list. If the RREP has a nonzero prefix length, then the originator of the RREQ which solicited the RREP information is included among the precursors for the subnet route.
AODV is also a table-driven routing protocol in the sense that it deals with route table management, but its routing table does not store all the possible routes to all destinations like the DSDV protocol does. Routing table information must be kept even for short-lived routes (routes that vanish after a little time), such as those created to temporarily store reverse paths towards nodes originating RREQs. If a node finds a new path, that path also has to be entered into the routing table even if the route will not last very long. AODV uses the following fields with each route table entry:
• Destination IP Address.
• Destination Sequence Number.
• Other state and routing flags (e.g. valid, repairable, being repaired).
• Valid Destination Sequence Number flag.
• Network Interface.
• Next Hop.
• List of Precursors (a kind of group of neighbouring nodes).
• Hop Count (number of hops needed to reach the destination).
• Lifetime (expiry or deletion time of the route). This states that the route may be valid for at most this much time.
With the help of the sequence number we can avoid routing loops and can also invalidate routing entries in some scenarios, like when a link is down or deactivated. Managing the sequence number is the crucial job in avoiding routing loops, even when a link breaks and the node is no longer reachable to supply its own information about its sequence number. A destination becomes unreachable when a link breaks or is deactivated. When these conditions occur, the route is invalidated by operations involving the sequence number and by marking the route table entry state as invalid.
The AODV protocol is quite efficient with respect to the network: using this protocol we can deal with thousands of nodes in the ad-hoc network. The AODV routing protocol is designed for mobile networks with populations of tens of thousands of mobile nodes. AODV can handle low, moderate and relatively high mobility rates, as well as a variety of data traffic levels; that is, AODV can serve our routing purpose for a variety of data traffic and at varying mobility rates. AODV is designed for use in networks where the nodes can all trust each other, so AODV works flawlessly if none of the nodes in the whole ad-hoc network is malicious. AODV has been designed to reduce the dissemination of control traffic and to eliminate overhead on data traffic, as occur in DSR and DSDV, in order to improve scalability and performance. So AODV is an efficient protocol with respect to network performance, but in the security aspect AODV is not secure. I address the security issues of the AODV protocol in the coming sections of this document.
2.3.3 AODV Message Formats
There are three mainly used messages in the AODV protocol: RREQs (Route Requests), RREPs (Route Replies) and RERRs (Route Errors). I describe the structure of each message with the fields it contains. The exact structure of the RREQ is as follows.
Figure 1: RREQ Message format
The details of the fields are as follows.
Type: 1 byte long. Type = 1 for RREQ.
R: Repair flag; reserved for multicast.
G: Gratuitous RREP flag; indicates whether a gratuitous RREP should be unicast to the node specified in the Destination IP Address field.
D: Destination only flag; indicates that only the destination may respond to this RREQ.
U: Unknown sequence number flag; indicates that the destination sequence number is unknown.
Reserved: Reserved for future expansion. Sent as 0; ignored on reception.
Hop Count: The number of hops from the Originator IP Address to the node handling the request.
RREQ ID: A sequence number uniquely identifying the particular RREQ when taken in conjunction with the originating node's IP address.
Destination IP Address: The IP address of the destination for which a route is desired.
Destination Sequence Number: The latest sequence number received in the past by the originator for any route towards the destination.
Originator IP Address: The IP address of the node which originated the Route Request.
Originator Sequence Number: The current sequence number to be used in the route entry pointing towards the originator of the route request.
Route Reply (RREP) Message Format
A RREP is used to reply to the node from which the RREQ was received with the valid route information to the destination node (the one in the RREQ's Destination field). The RREP packet's structure, with all the details of its fields, is shown below.
Figure 2: RREP Message Format
The message contains the following fields.
Type: Type = 2 for RREP.
R: Repair flag; reserved for multicast.
A: Acknowledgement required.
Reserved: Reserved for future expansion.
Prefix Size: If nonzero, the 5-bit Prefix Size specifies that the indicated next hop may be used for any node with the same routing prefix (as defined by the Prefix Size) as the requested destination.
Hop Count: The number of hops from the Originator IP Address to the Destination IP Address. For multicast route requests this indicates the number of hops to the multicast tree member sending the RREP.
Destination IP Address: The IP address of the destination for which a route is supplied.
Destination Sequence Number: The destination sequence number associated with the route.
Originator IP Address: The IP address of the node which originated the RREQ for which the route is supplied.
Lifetime: The time in milliseconds for which nodes receiving the RREP consider the route to be valid.
*The Prefix Size allows a subnet router to supply a route for every host in the subnet defined by the routing prefix, which is determined by the IP address of the subnet router and the Prefix Size. In order to make use of this feature, the subnet router has to guarantee reachability to all the hosts sharing the indicated subnet prefix. When the prefix size is nonzero, any routing information (and precursor data) MUST be kept with respect to the subnet route, not the individual destination IP address on that subnet.
The 'A' bit is used when the link over which the RREP message is sent may be unreliable or unidirectional. When the RREP message has the 'A' bit set, the receiver of the RREP is expected to return a RREP-ACK message.
Route Error (RERR) Message Format
When some link terminates or is deactivated, all the nodes are supposed to know about that link termination. To tell all the nodes about the link termination, RERRs are sent to every node in the ad-hoc network so that every node can invalidate its route entries that go through the terminated or deactivated link. The Route Error (RERR) message structure is shown below with full details of the fields it contains.
Figure 3: RERR Message Format
The message contains the following fields.
Type: Type = 3 for RERR.
N: No delete flag; set when a node has performed a local repair of a link, and upstream nodes should not delete the route.
Reserved: Reserved for future expansion.
DestCount: The number of unreachable destinations included in the message.
Unreachable Destination IP Address: The IP address of the destination that has become unreachable due to a link break.
Unreachable Destination Sequence Number: The sequence number in the route table entry for the destination listed in the previous Unreachable Destination IP Address field.
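The three field lists above follow the RFC 3561 wire layouts, and the quickest way to check one's reading of them is to pack and parse real bytes. The following is an added example (my own code, not the paper's): a packer and a length-checking parser for RREQ, RREP and RERR. The RREQ 'J' (join) flag is taken from the RFC, since the paper's text lists only R, G, D and U; the class names and the addresses in the test are constructed.

```python
"""Added example (not from the paper): packing and parsing the three AODV
control messages in the RFC 3561 wire layouts that the field lists above
describe. The RREQ 'J' (join) flag is taken from the RFC; the paper's text lists
only R, G, D and U. Class names and sample addresses are constructed."""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple, Union

RREQ_TYPE, RREP_TYPE, RERR_TYPE = 1, 2, 3


def _ip2n(ip: str) -> int:
    """Dotted quad -> 32-bit integer in network byte order."""
    return struct.unpack(">I", socket.inet_aton(ip))[0]


def _n2ip(n: int) -> str:
    return socket.inet_ntoa(struct.pack(">I", n))


@dataclass
class Rreq:
    rreq_id: int
    dest_ip: str
    dest_seq: int
    orig_ip: str
    orig_seq: int
    hop_count: int = 0
    j: bool = False   # join (multicast)
    r: bool = False   # repair
    g: bool = False   # gratuitous RREP
    d: bool = False   # destination only
    u: bool = False   # unknown destination sequence number

    def pack(self) -> bytes:
        # Type:8 | J R G D U:5 | Reserved:11 | Hop Count:8, then five 32-bit words.
        word = ((RREQ_TYPE << 24) | (self.j << 23) | (self.r << 22) | (self.g << 21)
                | (self.d << 20) | (self.u << 19) | (self.hop_count & 0xFF))
        return struct.pack(">IIIIII", word, self.rreq_id, _ip2n(self.dest_ip),
                           self.dest_seq, _ip2n(self.orig_ip), self.orig_seq)


@dataclass
class Rrep:
    dest_ip: str
    dest_seq: int
    orig_ip: str
    lifetime: int            # milliseconds
    hop_count: int = 0
    prefix_size: int = 0     # 5 bits
    r: bool = False          # repair
    a: bool = False          # acknowledgement required

    def pack(self) -> bytes:
        # Type:8 | R A:2 | Reserved:9 | Prefix Size:5 | Hop Count:8, then four words.
        word = ((RREP_TYPE << 24) | (self.r << 23) | (self.a << 22)
                | ((self.prefix_size & 0x1F) << 8) | (self.hop_count & 0xFF))
        return struct.pack(">IIIII", word, _ip2n(self.dest_ip), self.dest_seq,
                           _ip2n(self.orig_ip), self.lifetime)


@dataclass
class Rerr:
    unreachable: List[Tuple[str, int]]   # (Unreachable Dest IP, Unreachable Dest Seq No)
    n: bool = False                      # no-delete flag

    def pack(self) -> bytes:
        # Type:8 | N:1 | Reserved:15 | DestCount:8, then DestCount (IP, seq) pairs.
        if not 1 <= len(self.unreachable) <= 0xFF:
            raise ValueError("RERR needs 1..255 unreachable destinations")
        head = struct.pack(">I", (RERR_TYPE << 24) | (self.n << 23) | len(self.unreachable))
        return head + b"".join(struct.pack(">II", _ip2n(ip), seq) for ip, seq in self.unreachable)


def parse(buf: bytes) -> Union[Rreq, Rrep, Rerr]:
    """Dispatch on the Type byte and check the length before unpacking, so a
    truncated or oversized message is rejected instead of being mis-read."""
    if len(buf) < 4:
        raise ValueError("truncated AODV message")
    mtype = buf[0]
    if mtype == RREQ_TYPE:
        if len(buf) != 24:
            raise ValueError("RREQ must be 24 bytes")
        w, rid, dip, dseq, oip, oseq = struct.unpack(">IIIIII", buf)
        return Rreq(rid, _n2ip(dip), dseq, _n2ip(oip), oseq, w & 0xFF,
                    bool((w >> 23) & 1), bool((w >> 22) & 1), bool((w >> 21) & 1),
                    bool((w >> 20) & 1), bool((w >> 19) & 1))
    if mtype == RREP_TYPE:
        if len(buf) != 20:
            raise ValueError("RREP must be 20 bytes")
        w, dip, dseq, oip, life = struct.unpack(">IIIII", buf)
        return Rrep(_n2ip(dip), dseq, _n2ip(oip), life, w & 0xFF, (w >> 8) & 0x1F,
                    bool((w >> 23) & 1), bool((w >> 22) & 1))
    if mtype == RERR_TYPE:
        w = struct.unpack(">I", buf[:4])[0]
        count = w & 0xFF
        if len(buf) != 4 + 8 * count:
            raise ValueError("RERR length does not match DestCount")
        pairs = [(_n2ip(ip), seq) for ip, seq in struct.iter_unpack(">II", buf[4:])]
        return Rerr(pairs, bool((w >> 23) & 1))
    raise ValueError(f"unknown AODV message type {mtype}")
```

The length checks matter because AODV runs over UDP with no framing of its own: a receiver that trusts DestCount without comparing it to the datagram length, or that unpacks a RREQ from fewer than 24 bytes, reads garbage into its route table.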
The Ad-hoc On-demand Distance Vector protocol (AODV) is a source-initiated on-demand routing protocol. Every mobile node maintains a routing table that holds the next hop node for a route to a destination node. When a source node wants to route a packet to some destination node, it first checks for path information to that destination. If the path information is there in the routing table, the source node routes the packet along that path (some boundary cases may arise, for which there are special treatments). But if the source node does not find any information about the path to the destination, that is, no fresh enough path to the destination node exists, it starts a route discovery by broadcasting a Route Request (RREQ) packet/message to its neighbouring nodes, which is further propagated until it reaches an intermediate node having a fresh enough route to the destination node specified in the RREQ packet, or the destination node itself. Every intermediate node that has received the RREQ message makes an entry in its routing table for the node that forwarded the packet and also for the source node. The destination node, or the intermediate node having the fresh enough route to the destination, unicasts a Route Response or Route Reply (RREP) to the neighbouring node from which it received the RREQ. An intermediate node makes an entry for the neighbouring node from which it received the RREP, then forwards the RREP in the reverse direction. On receiving the RREP, the source node makes an entry for the destination node and also for its neighbouring node from which it received the RREP. Then the source node starts routing data packets to the destination node through the neighbouring node that first responded with an RREP.
Here is an example of AODV routing among a group of nodes.
Figure 4: Source to Dest Routing using AODV
In the above network topology node "Source" wants to route a packet to node "Dest". For that, node "Source" checks for a fresh enough path from Source to Dest in its routing table. Node "Source" cannot find any entry for a path to node "Dest", so it has to discover the route from itself to node "Dest". For that, node Source sends a RREQ to its neighbouring nodes with the fields discussed under AODV Message Formats. In the given topology Source sends the RREQ to its neighbours. Intermediate nodes that do not have any information about a path from node "Source" to node "Dest" forward the RREQ message to their neighbouring nodes. This forwarding may cause looping, so to avoid looping we use the sequence number in the RREQ message: every node rejects a message whose sequence number is less than its own sequence number. The hop count and TTL also help in avoiding loops. In the given topology node N7 gets the RREQ message from Source, but node N7 does not have any information about a fresh enough route to Dest, so it forwards the RREQ message to its neighbours. Then Dest receives the RREQ message (requesting the path to Dest). As Dest itself is the final node, it sends an RREP to the node from which it received the RREQ, i.e. node "Dest" sends the RREP message to node N7, and then node N7 forwards it back to the node from which it received the RREQ for the path to node "Dest"; here node N7 sends the RREP message to the Source node. All RREPs are sent as unicast. If node "Source" has already received the information about the path, or has received some other RREP, then Source discards this RREP. But if Source has not got any RREP so far, it accepts the RREP from node N7, and after that they start sending the data, and Source discards every further RREP about the route to Dest. Hence in the above topology the RREP from N2 to Source is discarded. There may be other possibilities as well. Here looping is avoided using the sequence number and TTL, and the freshness of the route is ensured using the sequence number.
3 Vulnerabilities in AODV
The Ad-hoc On-demand Distance Vector protocol is very efficient as a network service but it has lots of vulnerabilities: this protocol can easily be attacked. AODV is not very secure. AODV is designed for an ideal network, that is, a network having no malicious node, and for a network with no malicious nodes the AODV protocol is the most efficient one. But we all know that nothing is ideal: there are some unsocial nodes everywhere, and some greedy nodes in the network attack it to serve their own purpose. What can be done in AODV with the RREQ and RREP messages is as follows. Possible types of attacks:
• Sequence numbers can be modified.
• Hop counts can be modified (the main attack is looping in the network).
• Modification of source routes (black hole attack, wrong information about the path).
• Tunnelling.
• Spoofing.
• Fabrication of error messages (an error message saying that the destination is not reachable, so that nothing is sent and the greedy node captures the medium).
• Fabrication of source routes (cache poisoning).
As we have seen, many types of attack are possible on the AODV protocol. But these attacks can be avoided by taking a little care. The black hole attack is the serious one: in this attack the malicious node gets all the data that the source is sending and then dumps it. So in this paper I discuss the detection of the black hole attack and its removal.
3.1 The Black Hole Attack in the AODV Protocol
AODV is an important on-demand routing protocol that creates routes only when desired by the source node. When a node requires a route to a destination (if it is not there in the routing table) it initiates a route discovery process within the network. It broadcasts a route request (RREQ) packet to its neighbours, which then forward the request to their neighbours, and so on, until either the destination or an intermediate node with a fresh enough route to the destination is located. In this process an intermediate node can reply to the RREQ packet only if it has a fresh enough route to the destination. Once the RREQ reaches the destination, or an intermediate node having a fresh enough route to the destination, that node responds by unicasting a route reply (RREP) to the node from which it received the RREQ packet. After selecting and establishing a route, it is maintained by a route maintenance procedure until either the destination becomes inaccessible along every path from the source or the route is no longer desired.
According to the original AODV protocol, any intermediate node may reply to the RREQ by sending a RREP if it has a fresh enough route to the destination; the freshness of this route is checked against the destination sequence number contained in the RREQ packet/message. This technique is used to decrease the routing delay, but it makes the system vulnerable to a malicious node. A malicious node can easily disrupt the correct functioning of the routing protocol and make at least part of the network crash. A single black hole node does not do much harm, but a group of black hole nodes can bring the whole network down.
Since any intermediate node having a fresh enough route can respond to the RREQ, a malicious node responds quickly, just after receiving the RREQ message from the source node. The malicious node does not have any fresh enough route to the destination but still sends a RREP, as soon as possible, stating that it has a fresh enough route to the destination. The malicious node does not even search its routing table for the destination sequence number, because it tries to send the RREP message as soon as possible so that the source node drops all the other original/real RREPs. After receiving the RREP from the malicious node, the source node updates its routing table with the information of the malicious node and rejects all other RREPs from other nodes. After that the source node starts sending data through the malicious node, because the route the source node holds goes via that malicious node. The malicious node, after receiving the data, drops it or can use the secure information. Thus a group of malicious nodes can bring down the whole network. An example is given below and the whole process is explained.
Figure 5: Black Hole attack
In the above figure node N1 is the source node and wants to route data to node N6, so N6 is the destination node, and in this topology node N4 is the malicious node. Let us suppose node N1 does not have a fresh enough route to the destination node N6. So N1 has to discover the route to N6, and for that node N1 sends a RREQ packet. Suppose the IP of node N1 is "10.11.11.12" and the destination node N6's IP is "10.11.12.24"; then node N1 sends a RREQ packet that looks as follows.
Figure 6: RREQ packet from Source node
This RREQ packet is broadcast; the nodes receive this packet and search for the destination sequence number in their respective routing tables. If a node finds the destination sequence number or the destination IP in its routing table, it sends an RREP to the source node; otherwise it forwards the RREQ packet to its neighbouring nodes. Here in this topology there is one malicious node that responds to the RREQ just after receiving the RREQ packet. Because the malicious node sends fake information, it has no need to search its routing table. Hence the malicious node sends the RREP packet as soon as possible after receiving the RREQ from the source node, or maybe from some intermediate node. If the source node receives some other RREP packet before the RREP sent by the malicious node, it works as usual, but if the source node N1 receives the RREP sent by the malicious node N4 first, it rejects all other RREPs from other nodes for as long as this route is desirable. The nearer the malicious node is to the source node, the better the chances of the attack, because the RREP generated by the malicious node reaches the source first. In this way the source node believes that this is the route to the destination that it requires. But in reality there is no path from N4 to N6 in the given network. Node N4 sends a spoofed RREP packet. Let the IP of node N4 be "10.11.11.19". The RREP packet sent by node N4 is shown below.
Figure 7: RREP packet from node N4
As the malicious node is nearer to the source node, this RREP is expected to reach the source node first. This forces the source node to think that route discovery is complete, and thus the source node rejects all other RREPs that it might receive from other nodes. After that node N1 starts sending the data through the malicious node N4, and N4 drops that data. The other option is that, since node N4 gets the whole data, it can do anything that is possible with that data; I mean to say that the data sent by the source node to the destination node is not secure anymore, as a third party has it. Node N4 can also drop the data, hence the data is lost. So a group of malicious nodes can crash the whole network.
Node N4 has succeeded in attracting the source node into sending its data through N4.
After this, node N4 can perform any of the following attacks:
• Eavesdropping messages,
• Selectively dropping data,
• Manipulating data, or
• Launching a Denial of Service (DoS) attack.
In the case above, a malicious node spoofs the routing path information single-handedly,
i.e. each node of the group focuses on one part of the network and the malicious nodes
attack independently of each other; this is comparatively easy to detect using the next
hop information in the RREPs. Sometimes, however, a group of cooperating malicious nodes
performs the attack in the ad-hoc network. In this case the group spoofs the routing
information by cooperating among themselves, and this attack is not detected by the
algorithm discussed in [3]. The figure shown below illustrates the attack.
Figure 8: RREQs Broadcasts in The Ad-hoc Network
In the figure above, the RREQs are broadcast through the ad-hoc network, showing the RREQ
flooding. The next figure shows the propagation of the RREP from the malicious node as well
as from the other, normal nodes. As the malicious node is nearer to the source node, the
source node receives the RREP sent by the malicious node; if, after receiving this RREP,
the source node wants to confirm the next hop, the next hop given in the RREP packet is
node M2, so the source node will check with M2.
Figure 9: Route Reply (RREP) Propagation in the network
The attack shown in the diagram above is an example of the cooperative black hole attack,
in which a group of malicious nodes cooperate with each other. This attack is not as easily
detectable as the simple black hole attack. In some modified versions of AODV the RREP must
also carry the next hop information when it is generated by an intermediate node, so that
the source node can cross-check the route information with the next hop given in the
received RREP. By cooperating, the malicious nodes are still able to spoof the route
information and thus perform the black hole attack. A special case of the black hole attack
is the gray hole attack, in which some of the packets are dropped and some are forwarded.
Since some packets are forwarded, it is harder to tell whether a node is malicious or
normal, and the source node keeps sending data because some of it is received by the
destination. Hence the gray hole attack is harder to detect.
4 Detection of Black Hole Attack
Many have tried to detect black hole nodes in a network and to resolve the black hole
attack. Some of the approaches are as follows.
Deng et al. [3] have proposed an algorithm to avoid black hole attacks in ad hoc networks.
According to their algorithm, any node, on receiving an RREP packet (the reply to the
route request in AODV) from a node, cross-checks with the next hop on the route to the
destination. That is, the node sending an RREP must also send information about its next
hop, if one exists (the destination node itself will not have a next hop on the same route,
so in that case it states that it is the destination). The cross-checking is done only for
intermediate nodes, because a malicious node cannot spoof being the destination; what an
intermediate node can spoof is only the claim that it has a route to the required
destination. If the next hop either does not have a link to the node that sent the RREP or
does not have a route to the destination, then the node that sent the RREP is considered
malicious. This technique does not work when the malicious nodes cooperate with each
other: in a group of cooperating malicious nodes, one malicious node sends the RREP and
places another, cooperating malicious node in the next hop field, so by cooperating they
can spoof the routing path and the black hole attack can still be carried out. Hence this
algorithm does not work when there is a group of cooperating black hole nodes.
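As an added illustration (not code from this paper or from [3]), the following Python model replays the RREP handling described above on the topology of Figures 6 and 7, with the Deng et al. next-hop cross-check switched off and on. Nodes N1, N4 and N6 come from the text; N2, N3, M2, the routing tables and the sequence numbers are constructed.

```python
# Added example: AODV route-reply acceptance at the source, with and without
# the next-hop cross-check of Deng et al. All tables below are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Node:
    name: str
    neighbours: set            # nodes within radio range
    routes: dict               # destination -> next hop on the honest route
    malicious: bool = False    # a black hole answers every cross-check "yes"


@dataclass
class RREP:
    replier: str
    dest: str
    dest_seq: int              # destination sequence number claimed
    hop_count: int
    next_hop: Optional[str]    # None: the replier is the destination itself


def make_network(cooperative: bool) -> dict:
    """Honest path N1-N2-N3-N6. N4 is adjacent to N1 but has no path to N6 and
    names M2 as its next hop. Single black hole: M2 is honest and has no link
    to N4. Cooperative: M2 is a second black hole that vouches for N4."""
    return {
        "N1": Node("N1", {"N2", "N4"}, {}),
        "N2": Node("N2", {"N1", "N3"}, {"N6": "N3"}),
        "N3": Node("N3", {"N2", "N6"}, {"N6": "N6"}),
        "N6": Node("N6", {"N3"}, {}),
        "N4": Node("N4", {"N1"}, {}, malicious=True),
        "M2": Node("M2", {"N3"}, {"N6": "N3"}, malicious=cooperative),
    }


def cross_check(net: dict, rrep: RREP) -> bool:
    """Deng et al. [3]: ask the claimed next hop whether it (a) has a link to
    the replier and (b) has a route to the destination. A replier that is the
    destination itself is not checked. A cooperating black hole lies on both."""
    if rrep.next_hop is None:
        return True
    nxt = net[rrep.next_hop]
    if nxt.malicious:
        return True
    return rrep.replier in nxt.neighbours and rrep.dest in nxt.routes


def select_route(net: dict, rreps: list, use_cross_check: bool) -> Optional[str]:
    """Source-side RREP handling: a reply replaces the current route if it
    carries a higher destination sequence number, or the same number with a
    shorter hop count. Replies failing the cross-check are discarded."""
    best = None
    for rrep in rreps:                       # in order of arrival
        if use_cross_check and not cross_check(net, rrep):
            continue
        if best is None or rrep.dest_seq > best.dest_seq or (
            rrep.dest_seq == best.dest_seq and rrep.hop_count < best.hop_count
        ):
            best = rrep
    return best.replier if best else None


def run_scenario(cooperative: bool, use_cross_check: bool) -> Optional[str]:
    """Return the node N1 ends up routing through. The black hole's reply
    arrives first (it skips the table lookup) with an inflated sequence number."""
    net = make_network(cooperative)
    fake = RREP("N4", "N6", dest_seq=105, hop_count=1, next_hop="M2")
    honest = RREP("N2", "N6", dest_seq=5, hop_count=3, next_hop="N3")
    return select_route(net, [fake, honest], use_cross_check)


if __name__ == "__main__":
    print("plain AODV, single black hole: ", run_scenario(False, False))  # N4
    print("cross-check, single black hole:", run_scenario(False, True))   # N2
    print("cross-check, cooperating pair: ", run_scenario(True, True))    # N4
```

The last line is the gap the rest of this section addresses: with M2 vouching for N4, the cross-check passes and the spoofed route is accepted.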
An algorithm presented in [4] claims to prevent cooperative black hole attacks in ad-hoc
networks by modifying the AODV protocol to introduce a Data Routing Information (DRI)
table and cross-checking. It is a computation-intensive algorithm and takes O(n^2) time
whenever a node decides to send packets to another node.
Moreover, when the network is not under attack (which will be the usual case), i.e. there
is no malicious node in the whole ad-hoc network, the algorithm still takes this extra time
to complete. This algorithm is mainly based on a trust relationship between the nodes in
the ad-hoc network. However, the algorithm discussed in [4] fails to detect the gray hole
attack, a variant of the black hole attack in which, instead of dropping all the packets as
a black hole does, the node drops some packets and forwards others. The algorithm I am
about to describe is presented in [5] by P. Agarwal et al.; in it a backbone of the network
is first created. The details of the algorithm are as follows. This algorithm also detects
the gray hole attack.
The main idea behind the algorithm described in [5] is to devise a mechanism for
monitoring all the nodes in the network in terms of the traffic forwarded through them.
The algorithm assumes that the nodes operate in promiscuous mode (i.e. a node can listen
to the traffic passing through its neighbouring nodes), so that they can observe the
traffic through their respective neighbours. However, it would not be a good option to
allow every node in the ad-hoc network to monitor all the others, because doing so
considerably increases the opportunities for black hole attacks (a malicious node would be
able to spoof the traffic management as well). Hence, in this algorithm some nodes that
are powerful in terms of computing power and radio range are chosen and treated as
trustworthy. Such chosen nodes are referred to as strong nodes, and they maintain a
backbone network [6] which operates at a level above the ad hoc network of regular nodes.
Rubin et al. [6] proposed the use of backbone networks for scalable routing. This idea of
a backbone network is adapted in the algorithm for detecting malicious nodes and avoiding
the black hole attack: the backbone, one level up, monitors the traffic of the other nodes
in the ad hoc network, detects the presence of black or gray holes, and prevents these
malicious nodes from interfering with the routing.
In this algorithm all the nodes in the ad-hoc network are divided into three categories,
as follows.
1. RN: Regular nodes. These are low power, low transmission range nodes whose information
is not trustworthy, i.e. such nodes may be malicious.
2. BN: Backbone nodes. These have higher power and transmission range than an RN. They
form a core that monitors the network nodes (i.e. BN nodes monitor the traffic flow of the
other nodes in the ad-hoc network).
3. BCN: Backbone Capable nodes, with capabilities similar to BN nodes, i.e. almost the
same strength as BN nodes. BCN nodes do not form the core, but they can be promoted to BN
nodes, or used to extend the core, to increase both the connectivity and coverage of the
network. BCN nodes can thus be included among the core nodes.
The algorithm to detect malicious nodes and remove the black hole attack consists of two
parts:
• Core/Back-Bone Network Formation and Maintenance,
• Detection of Black/malicious Nodes.
4.1 Core/Back-Bone Formation and Maintenance
The core/backbone formation proceeds incrementally, i.e. the core is formed by nodes
joining it one by one, as new nodes enter the ad-hoc network during the core formation and
maintenance stage.
Suppose there is a BackBone Core node N_BC. The tasks and checks it performs during
core/backbone formation are described below.
Actions by BackBone Core Node (BCN) N_BC:
Step 1: N_BC first detects RN nodes in its neighbourhood. If it finds any such node, it
broadcasts an "Invitation" message (a message asking these RN nodes to send a joining
request) and waits to receive a join request from an RN node.
Step 2: On receiving a joining request from an RN node, say N_R, N_BC checks whether N_R
is reachable within a predefined hop limit from N_BC itself. If N_R is reachable within
that hop limit, N_BC adds N_R to the list of its associated nodes; otherwise it adds N_R
to the list of its unassociated nodes. N_BC thus maintains two lists, one for associated
and one for unassociated nodes in its neighbourhood.
Step 3: If N_BC does not receive any other join request within a predefined timeout (the
timeout timer's down counter reaches zero), then N_BC checks for BN (backbone) nodes in
its neighbourhood. If not a single BN node is found there, N_BC checks its associated
list; if the associated list is empty, it moves to an adjacent grid location and repeats
from Step 1.
Step 4: If N_BC detects one or more BN nodes in its neighbourhood, it sends a coordination
message to those BN nodes and waits for a reply until a timeout. The coordination message
is handled by a separate coordination protocol executed by BN nodes, discussed in [6].
Step 5: On receiving the reply from the BN node to the coordination message it had sent,
N_BC executes the actions specified in the reply, such as promoting itself to a BN node or
moving to a new grid location for promotion; N_BC also performs the other tasks the reply
requires. A detailed description of the coordination protocol can be found in [5].
Actions by a regular node N:
The actions of a new node entering the ad-hoc network for the first time could be
described uniformly whether its type is BCN or RN, but that would look clumsy. To keep the
description simple, the actions of the different node types are presented separately so
that they are easy to follow.
Step 1: N checks whether it is already associated with some BN or BCN node. If it is, it
terminates its actions.
Step 2: On receiving an invitation message from a BN or BCN node, N sends a join request
message to the node from which it received the invitation and waits for a reply from that
node.
Step 3: On receiving a reply to the join request it sent to a BN or BCN node, N sends an
accept message ("I am joining you") to the node with the lowest id among those that sent
it join acknowledgements (ACKs); that is, if it receives more than one join acknowledgement
from BN or BCN nodes, it chooses the node with the lowest id. After that it simply discards
any subsequent join invitation.
4.2 Detection of Black Node
With the help of the backbone network discussed in the previous section, the algorithm of
[5] detects black/malicious nodes using O(m · d_BN) hops to find the chain of malicious
nodes, where m (m ≪ n) is the number of malicious nodes in the chain of cooperating
malicious (black) nodes and d_BN is the diameter of the backbone network formed from the
BN nodes and some of the BCN nodes (d_BN is significantly smaller than the diameter of the
actual ad-hoc network, say D_Network). Moreover, the algorithm takes significantly less
time if there is no attack in the network, i.e. no unnecessary computation is performed.
The main idea of the algorithm is that after every block of data packets, the source node
asks the backbone network to perform an end-to-end check with the destination node to
confirm the delivery of the data packets, i.e. the source node wants to check whether the
destination node has received the transferred data or not. If the destination did not
receive a block of data packets, or becomes aware of some kind of attack during the
communication, it informs the backbone network of the attack or of the non-receipt of the
data packets. On receiving this information, either of an attack or of non-receipt of
data, the backbone network initiates the procedure for detecting the chain of cooperating
malicious nodes, or the lone malicious nodes that are dropping the packets. One important
assumption of the detection technique is that there are not many malicious nodes in the
network: if m is the number of malicious nodes and n is the total number of nodes in the
network, then m ≪ n. This is a reasonable assumption, because in any network with too many
malicious nodes they can overpower the network, and some other technique would have to be
applied. So the algorithm focuses on situations where there are not too many malicious
nodes in the network. To be more precise, the number of malicious nodes in the network is
less than the number of non-malicious neighbours of the node to be monitored, because
otherwise the malicious nodes would overpower the whole network.
Figure 10: Control Messages for detection of malicious nodes
In the figure above, the symbols are as follows.
1. S is the source node, which wishes to communicate with a destination node D.
2. S and D are associated with the backbone nodes N_b^S and N_b^D respectively.
3. S and D share a secret key, K.
4. The RREQ from source node S for discovering the route to destination node D was
answered by an RREP message from an intermediate node N_rrep with the shortest route to
source node S.
In this checking for black/malicious nodes by the backbone network, five different types
of nodes are involved, as follows.
1. S: the source node, which initiated the sending of data packets to the destination node.
2. D: the destination node, to which data packets are being sent by the source node.
3. N_b^S: the backbone node with which source node S is associated.
4. N_b^D: the backbone node with which destination node D is associated.
5. V: a regular node of the ad-hoc network.
What does each node do, i.e. what are each node's actions? The actions of the five types
of nodes described above in the detection of malicious nodes are as follows.
Actions of Source Node S:
Step 1: Node S divides the set of data packets to be sent into k equal parts of some size
(the last part may be smaller), Data[1..k], and initializes a running variable i to 1.
Step 2: Source node S sends a message prelude = E_K(R_i), n_i, N_b^S to D over the
backbone, where R_i is a random nonce, n_i is the number of packets to be sent in the
current block, and E_K() is the encryption function with the shared key K. This prelude
message sent over the backbone network is received by N_b^S and N_b^D as well as by D.
Step 3: Source node S starts transmitting the packets of block Data[i] to D.
Step 4: Source node S sends a message check = R_i, S, D, N_rrep to N_b^S, so that the
backbone node starts checking the end-to-end connection with the destination.
Step 5: If source node S receives an OK from N_b^S, it increments the running variable i
and repeats from Step 2 to send the data packets of the next block: as long as the
destination is receiving data, the source keeps sending.
Step 6: If source node S receives a Not OK from N_b^S, it means that either the
destination node detected some attack in the network or the destination has not received
the data sent by the source (i.e. some malicious node is dropping the data); the source
node then sets a timer for the removal of the malicious node. If source node S receives a
"Removed OK" from N_b^S before the timer expires, it resumes sending data to the
destination from Step 2. If the timer expires before the "Removed OK" message is received,
the source node waits once more for the "Removed OK" message, and if it still receives
nothing, it terminates the data transfer.
Actions of Destination Node D:
Step 1: On receiving the prelude message from source node S, the destination node extracts
R_i, n_i and N_b^S, sets a timer for the receipt of the current block of data, and waits
for the data packets from source node S. Since the source and destination share the secret
key K, D can decrypt the encrypted prelude message using K.
Step 2: While the receipt timer has not expired, destination node D updates its count
(dataCnt) of received data packets on every data packet it receives.
Step 3: After the receipt timer expires, the destination node sends a message known as the
postlude, postlude = {R_i, dataCnt, N_b^S, D, S}, to N_b^S, where dataCnt is the number of
packets the destination node has received from source node S.
Actions of N_b^S:
Step 1: On receiving a prelude message from source node S, node N_b^S sends a monitor
message to all neighbours of source node S, asking them to monitor the data sent by S.
Step 2: Node N_b^S initializes a counter max = 0 to record the maximum number of data
packets transmitted from source node S, and sets the timer for its own actions to
terminate.
Step 3: On receiving check from source node S, node N_b^S sends a query for the check to
all neighbours of source node S and waits for result messages from them.
Step 4: On receiving a result from a neighbour of source node S, node N_b^S performs the
following actions:
1. If the value of the counter max is less than the number of packets reported in the
result message, it updates max to the reported number.
2. If the value of the counter max equals dataCnt from the postlude message, it sets a
timer for receiving an acknowledgement (ACK) from N_b^D and waits for further messages
from either S or node N_b^D.
3. If node N_b^S receives D_malicious before the timer expires, it sends "OK" to source
node S and goes to Step 1.
4. If the timer expires before D_malicious is received, node N_b^S broadcasts an
S_malicious message to the backbone and goes to Step 5.
Step 5: Terminate N_b^S's actions.
Actions of N_b^D:
Step 1: On receiving the prelude message from node S, node N_b^D sends a monitor message
to all the neighbours of destination node D.
Step 2: Node N_b^D initializes a timer and sets a counter max to 0; max will be updated to
the estimated number of packets received by destination node D.
Step 3: If the timer expires or an acknowledgement (ACK) is received from destination D,
node N_b^D does the following:
1. Node N_b^D sends a query message to all the neighbours of destination node D;
2. On receiving a result message from a neighbour of D, if the value of max is less than
the number of packets reported in the result message, node N_b^D updates max to the
reported number;
3. If max == dataCnt (dataCnt extracted from the postlude message sent by destination node
D), it sends an acknowledgement (ACK) to N_b^S and goes back to Step 1.
Step 4: Broadcast D_malicious to the backbone and terminate its actions.
Actions by a regular node RN:
Step 1: On receiving a monitor message, the regular node extracts the source IP,
destination IP and node-id of the sender.
Step 2: If this regular node is a neighbour of either S or destination node D, it starts
counting the number of packets from source node S to destination node D.
Step 3: On receiving a query message, the RN sends a result message to the node from which
it got the query.
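To make the message flow above concrete, here is an added Python simulation (not the paper's or [5]'s code) of one block of the end-to-end check: prelude, monitor, check, result, postlude and ACK. The path S-A-B-D, the monitoring neighbours, each node's drop behaviour and the XOR-keystream stand-in for E_K() are constructed, and the final OK/Not OK rule condenses Steps 4 to 6 of N_b^S and Steps 3 and 4 of N_b^D into one comparison.

```python
# Added example: one round of the backbone end-to-end check for block Data[i].
# Topology, drop behaviour and the E_K() stand-in are constructed.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Tuple


def e_k(key: bytes, block: bytes) -> bytes:
    """Stand-in for E_K(): XOR with a SHA-256 keystream derived from K (applying
    it twice recovers the input). Only a holder of K (S and D) recovers R_i;
    backbone nodes relay the prelude opaquely."""
    stream = hashlib.sha256(key + b"prelude").digest()
    return bytes(a ^ b for a, b in zip(block, stream))


@dataclass
class Network:
    path: Tuple[str, ...]          # forwarding path S -> ... -> D
    drop_every: Dict[str, int]     # node -> k: drops packet idx if idx % k == 0
                                   # (k=1 black hole, k=2 gray hole, absent honest)
    s_neighbours: Tuple[str, ...]  # regular nodes overhearing S
    d_neighbours: Tuple[str, ...]  # regular nodes overhearing D
    seen: Dict[str, int] = field(default_factory=dict)  # per-neighbour counters

    def drops(self, node: str, idx: int) -> bool:
        k = self.drop_every.get(node, 0)
        return k > 0 and idx % k == 0

    def transmit(self, n_i: int) -> int:
        """S sends n_i packets hop by hop. Neighbours of S count what leaves S,
        neighbours of D count what reaches D. Returns D's own count, dataCnt."""
        self.seen = {n: 0 for n in self.s_neighbours + self.d_neighbours}
        data_cnt = 0
        for idx in range(n_i):
            for n in self.s_neighbours:
                self.seen[n] += 1
            if any(self.drops(node, idx) for node in self.path[1:-1]):
                continue                      # swallowed by a black/gray hole
            for n in self.d_neighbours:
                self.seen[n] += 1
            data_cnt += 1
        return data_cnt


def end_to_end_check(net: Network, n_i: int, key_s: bytes, key_d: bytes) -> dict:
    """One round of Section 4.2 for block Data[i]. key_d is D's copy of the
    shared key; pass a different value to model a D that never had K."""
    # S, Step 2: prelude = (E_K(R_i), n_i, N_b^S) over the backbone to D.
    r_i = secrets.token_bytes(8)
    prelude = (e_k(key_s, r_i), n_i, "NbS")
    # N_b^S / N_b^D, Step 1: monitor messages; S's and D's neighbours count.
    # S, Step 3: transmit the block; D keeps dataCnt.
    data_cnt = net.transmit(n_i)
    # S, Step 4: check = (R_i, S, D, N_rrep) to N_b^S.
    check = (r_i, "S", "D", net.path[1])
    # N_b^S, Steps 3-4: query S's neighbours; max = largest count in the results.
    max_s = max(net.seen[n] for n in net.s_neighbours)
    # D, Steps 1-3: decrypt the prelude, then after the receipt timer send
    # postlude = {R_i, dataCnt, N_b^S, D, S}.
    postlude = (e_k(key_d, prelude[0]), data_cnt, "NbS", "D", "S")
    # N_b^D, Step 3: query D's neighbours; ACK to N_b^S only if max == dataCnt.
    max_d = max(net.seen[n] for n in net.d_neighbours)
    ack = max_d == postlude[1]
    # N_b^S, Steps 4-6 (condensed): the nonce must match the check and the
    # packets seen leaving S must equal what D reports; otherwise Not OK, which
    # is what triggers the removal process of Section 4.2.1.
    ok = postlude[0] == check[0] and max_s == postlude[1] and ack
    return {"verdict": "OK" if ok else "Not OK", "sent": max_s, "received": data_cnt}


def scenario(drop_every: Dict[str, int], same_key: bool = True) -> dict:
    """Run one 20-packet block over S-A-B-D with the given drop behaviour."""
    net = Network(("S", "A", "B", "D"), drop_every, ("N2", "N4"), ("N5",))
    key = b"shared-key-between-S-and-D"       # constructed K
    return end_to_end_check(net, 20, key, key if same_key else b"wrong-key")


if __name__ == "__main__":
    print("honest path     :", scenario({}))
    print("black hole at A :", scenario({"A": 1}))
    print("gray hole at B  :", scenario({"B": 2}))
    print("D without key K :", scenario({}, same_key=False))
```

The gray hole case is the one the DRI-table approach of [4] misses: half the packets arrive, yet the count reported in the postlude falls short of what S's neighbours saw leaving S, so the verdict is still Not OK.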
4.2.1 Black Hole Removal Process
Once a BN node (here N_b^S) fails to receive an acknowledgement (ACK) message before a
specified timer expires, the black hole removal process (which we can equally call the
gray hole removal process, since the algorithm is able to remove gray holes as well) is
initiated by N_b^S. The actions of the different nodes in the black hole removal process
are specified below.
Actions by N_b^S:
Step 1: Broadcast a find-chain message on the backbone network to find the chain of
cooperating black (malicious) nodes. The message contains the id of node N_rrep (the node
that sent the route reply message to source node S), the victim or source node S, and the
destination node D.
Actions by any backbone node N_b:
Step 1: On receiving the find-chain message, node N_b checks whether node N_rrep (the node
that sent the RREP message to source node S) belongs to the association list of this BN
node (as already described, BN nodes maintain two lists, the associated node list and the
unassociated node list). If it does not belong to the associated node list, no further
action is required.
Step 2: Node N_b initializes a list (called BlackHole-Chain) containing node N_rrep. If a
BlackHole-Chain was received with the broadcast, it uses that list instead of initializing
a new one.
Step 3: Instruct all the neighbours of node N_rrep to vote for the next node to which
N_rrep is forwarding the packets (if it forwards any) originating from source node S and
destined to destination node D.
Step 4: On receiving node ids from the neighbours of N_rrep, elect the next node to which
N_rrep is forwarding the packets, based on the reported reference counts.
Step 5: If the node elected as the next node after N_rrep is the null node, the
intermediate node N_rrep is itself dropping all the packets (the case of a lone black hole
node). In this case the black hole removal terminates, and a broadcast message is sent
across the network alerting all other nodes that the nodes in the BlackHole-Chain are to
be considered malicious; all nodes then blacklist that node, in this case N_rrep.
Step 6: Otherwise append the elected node to the BlackHole-Chain list, so that it can be
declared malicious without further checking. If the elected node is in the association
list of this N_b, it is a node this N_b can act on, so go to Step 3 with the elected node
in place of N_rrep.
Step 7: Node N_b broadcasts a find-chain message over the backbone network containing the
ids of the malicious nodes. It also broadcasts the BlackHole-Chain formed so far over the
whole network, so that the other backbone nodes can append the malicious nodes to their
respective lists and, should they later receive an RREP from any node in the
BlackHole-Chain, can simply ignore that message.
Actions by a regular/BCN node:
Step 1: On receiving instructions from a backbone node to find the next node to which a
malicious node M is forwarding some of the packets, the regular node checks whether M is
one of its neighbours. If so, it turns on promiscuous mode and listens to packets from
node M that have source node S as source and D as destination. It then infers the node to
which M is forwarding the packets and sends a message to the BN containing the node-id of
that node.
Thus the black hole attack can be removed.
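The find-chain steps above, written out as an added Python example (not code from this paper or from [5]). The topology is the cooperative pair of Figure 9, with M2 as in the text and M1 a constructed name for N_rrep, plus two constructed backbone nodes BN1 and BN2; the association lists, who overhears whom, and the false votes cast by the malicious nodes are all constructed. A regular node that is itself a cooperating black hole is modelled as reporting a decoy next hop, which is exactly what the majority vote is there to absorb.

```python
# Added example: the BlackHole-Chain election of Section 4.2.1 over neighbour
# votes. Topology, association lists and false votes are constructed.
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class AdHocNet:
    """Constructed view of the network for one S->D flow."""
    neighbours: Dict[str, Set[str]]           # radio neighbours of each node
    forwards_to: Dict[str, Optional[str]]     # ground truth: where a node really
                                              # hands S->D packets; None = drops all
    association: Dict[str, Set[str]]          # backbone node -> associated nodes
    false_votes: Dict[str, Optional[str]] = field(default_factory=dict)
                                              # malicious node -> decoy it reports

    def vote(self, voter: str, m: str) -> Optional[str]:
        """Regular/BCN node action: listen in promiscuous mode to M's S->D
        packets and report the node they go to. A cooperating black hole that
        happens to be M's neighbour reports a decoy instead."""
        if voter in self.false_votes:
            return self.false_votes[voter]
        return self.forwards_to[m]

    def elect_next(self, m: str) -> Optional[str]:
        """Steps 3-4: one vote per neighbour of M, majority wins (the paper's
        reference counts). Correct while M's honest neighbours outnumber the
        liars, which is the algorithm's standing assumption."""
        votes = Counter(self.vote(v, m) for v in self.neighbours.get(m, ()))
        return votes.most_common(1)[0][0] if votes else None

    def owner(self, node: str) -> Optional[str]:
        """Step 1: the backbone node whose association list holds `node`."""
        return next((bn for bn, nodes in self.association.items() if node in nodes), None)


def find_chain(net: AdHocNet, n_rrep: str) -> List[str]:
    """Black hole removal: from N_rrep, follow elected next hops until a node
    that forwards to nobody (the null node, Step 5). Each round is run by the
    backbone node owning the current node; the partial BlackHole-Chain travels
    with the find-chain broadcast when ownership changes (Steps 2, 6, 7)."""
    chain = [n_rrep]                          # Step 2
    current = n_rrep
    while net.owner(current) is not None:     # Step 1: only the owning BN acts
        nxt = net.elect_next(current)         # Steps 3-4
        if nxt is None or nxt in chain:       # Step 5, plus a loop guard (mine)
            break
        chain.append(nxt)                     # Step 6
        current = nxt                         # Step 7 when a different BN owns it
    return chain


def figure9_network() -> AdHocNet:
    """Cooperative pair: S accepted the RREP of M1, M1 forwards to M2, M2 drops
    everything. Each lies when asked to vote about the other."""
    return AdHocNet(
        neighbours={"M1": {"N2", "N3", "M2"}, "M2": {"M1", "N5", "N6"}},
        forwards_to={"M1": "M2", "M2": None},
        association={"BN1": {"M1", "N2", "N3"}, "BN2": {"M2", "N5", "N6"}},
        false_votes={"M1": "N6", "M2": "N3"},
    )


def lone_black_hole() -> AdHocNet:
    """Simple black hole: M1 itself drops every packet; its neighbours are honest."""
    return AdHocNet(
        neighbours={"M1": {"N2", "N3", "N4"}},
        forwards_to={"M1": None},
        association={"BN1": {"M1", "N2", "N3", "N4"}},
    )


if __name__ == "__main__":
    print("cooperative pair:", find_chain(figure9_network(), "M1"))  # ['M1', 'M2']
    print("lone black hole :", find_chain(lone_black_hole(), "M1"))   # ['M1']
```

Once `find_chain` returns, the owning backbone node would broadcast the list so that every node drops future RREPs from M1 and M2, as Step 7 and the Conclusion describe.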
5 Conclusion
In this report I have discussed the Ad-hoc On-demand Distance Vector protocol, the black
hole attack, the detection of malicious nodes and the removal of the black hole attack. As
described, the black hole attack can be removed by forming a backbone network of trusted
nodes in the network. This backbone network monitors the traffic flow of the other nodes
in the network, and by executing the specific checks on each node's traffic described in
the algorithm above we can detect a malicious node or a chain of malicious nodes. Having
detected them, we can blacklist the IPs of the malicious nodes, i.e. if the source node
receives any RREP from an IP on the blacklist, that RREP should be dropped; this leads to
removal of the black hole attack and allows secure routing to take place. Other techniques
may also be possible for removing black hole attacks. The algorithm discussed in this
report is able to remove the black hole attack from the network.
6 References
1. RFC 3561, http://www.ietf.org/rfc/rfc3561.txt
2. I. Rubin, A. Behzad, R. Zhang, H. Luo, and E. Caballero. TBONE: A Mobile-Backbone
Protocol for Ad Hoc Wireless Networks.
3. H. Deng, W. Li, and D. P. Agrawal. Routing security in wireless ad hoc networks. IEEE
Communications Magazine, pages 70-75, 2002.
4. S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, and K. Nygard. Prevention of
cooperative black hole attack in wireless ad hoc networks. In Proceedings of the 2003
International Conference on Wireless Networks (ICWN03), pages 570-575, Las Vegas, Nevada,
USA, 2003.
5. P. Agarwal, R. K. Ghosh, and S. K. Das. Cooperative Black and Gray Hole Attacks in
Mobile Ad Hoc Networks.
6. I. Rubin, A. Behzad, R. Zhang, H. Luo, and E. Caballero. TBONE: A mobile-backbone
protocol for ad hoc wireless networks. In Proceedings of IEEE Aerospace Conference,
volume 6, pages 2727-2740, 2002.
7. Y. C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A secure on-demand routing protocol
for ad hoc networks. In Eighth Annual International Conference on Mobile Computing and
Networking (MobiCom 2002), pages 12-23, Sept. 2002.
8. Y. C. Hu and A. Perrig. A survey of secure wireless ad hoc routing. IEEE Security &
Privacy Magazine, vol. 2, no. 3, pages 28-39, May/June 2004.
9. S. Lee, B. Han, and M. Shin. Robust routing in wireless ad hoc networks. In ICPP
Workshops, page 73, 2002.
10. Y. A. Huang and W. Lee. Attack analysis and detection for ad hoc routing protocols.
In The 7th International Symposium on Recent Advances in Intrusion Detection (RAID04),
pages 125-145, French Riviera, Sept. 2004.
11. C. E. Perkins, E. M. Royer, and S. R. Das. Ad hoc On-Demand Distance Vector (AODV)
Routing. Internet Draft, work in progress, IETF Mobile Ad Hoc Networking Working Group,
July 2000.
12. F. Stajano and R. Anderson. The Resurrecting Duckling: Security Issues for Ad-Hoc
Wireless Networks. Security Protocols, 7th International Workshop Proceedings, LNCS, 1999.
13. H. Deng, W. Li, and D. P. Agrawal. Routing Security in wireless ad hoc networks.
14. L. Venkatraman and D. P. Agrawal. Strategies for Enhancing Routing Security in
Protocols for Mobile Ad Hoc Networks. J. Parallel Distrib. Comp., 2002.