EFFECT OF BLACKHOLE INTRUSION IN WIRELESS NETWORKS Mr. Vishal S. Badgujar 1, Prof. Sudhir N. Dhage 2

Transcription

1 International Journal of Computer Engineering and Applications, Volume VII, Issue III, September 14 EFFECT OF BLACKHOLE INTRUSION IN WIRELESS NETWORKS Mr. Vishal S. Badgujar 1, Prof. Sudhir N. Dhage 2 1,2 Sardar Patel Institute of Technology, Mumbai , India. ABSTRACT: A Wireless Network consist of Wireless Sensor Network and wireless Ad-hoc Network, WSN collected of hundreds and even thousands of small cheap sensor nodes which communicate with one another wirelessly. And Wireless Ad-hoc Network by wireless mobile nodes moving arbitrary in the places that have no network infrastructure, hence they are easily vulnerable to attacks. Thus intrusion detection systems, are needed to achieve complete defence. In wireless Ad-hoc networks possible various intrusion detection like Blackhole, Wormhole, Rushing etc. but not any modules for malicious protocol to stimulate in network simulator for this we create new protocol BlackholeAODV to identify malicious nodes. Using BlackholeAODV protocol we detect Blackhole attack. Then we will analyse the effect by comparing BlackholeAODV QoS parameters such as Throughput, Delay, Packet Drop Ratio, Number of Packets sent, Received, Forwarded, Dropped, with AODV routing protocol's QoS parameters. Keywords: Intrusion Detection, Wireless Network, Mobile Ad-hoc Network, Blackhole Intrusion, Routing Protocol, AODV, BlackholeAODV. [1] INTRODUCTION According to the 31 st Statistical Survey Report on Internet Development in China [1], the use of Internet, E-commerce activities like online shopping have expanded rapidly reached 242 hundred millions up by 42.9%. Therefore due to openness of internet, the expansion of internet and unexpected security threat shows increased Attacks or intrusions like Blackhole, Wormhole etc. on network. That effect increased in criminal activity therefore to monitor these attacks Intrusion Detection System is introduced. If firewall is security guard's then Intrusion Detection System is an security camera's therefore, For truly secure networks we need a second line of defence: an Intrusion Detection System that can detect a third party that tries to develop the security of the network, even if this attack has not been seen before. we used Network Simulator (NS) for detecting and analysing intrusion, Ns is a discrete event simulator targeted at networking research. Ns provide real support for simulation of TCP, routing, and multicast protocols over wired and wireless networks[2][3]. While Nam is a Tcl based animation tool that is used to visualize the ns simulations. For writing Tcl script we generate.nam file [4] and execute.nam to visualize the ns simulation. We generate.tr file while executing tcl script. This trace file contains a lot of information. And AWK Scripts are very good in processing the data from the trace files which we get from NS2 [5]. AWK is a language for processing files of 9

2 Effect Of Blackhole Intrusion In Wireless Networks text. AWK Scripts are very good in processing the data column wise. We used this awk files for calculating QOS parameters of attacks and AODV routing protocols QOS parameters. [2] TYPES OF INTRUSION DETECTION SYSTEMS An Intrusion Detection System that can detect an outsiders that tries to break the security of the network, even if this attack has not been seen before. If the intruder is detected earlier, we can take any respective measures before any damage is done or any data is compromised in [Figure-1]. Therefore, intrusion detection presents a second wall of defence[6]. All computer activity and network traffic falls in one of three categories including, normal, abnormal but not malicious, and malicious. [7] Traditionally, intrusion detection systems are divided into three categories: A) Host-based IDS and B) Network-based IDS. C) Specification based Intrusion Detection. Figure: 1. Intrusion Detection System A) Host-based Intrusion Detection (HIDS): It monitors computer processes for signs of misuse. It is designed to detect, and respond to system activity and attacks on a given host (node). All this decision is made based on information collected at that host by reviewing audit logs for suspicious activity. B) Network-based Intrusion Detection (NIDS): It monitors network traffic for signs of misuse. It uses raw network packets as the data source. It listens on the network, captures and examines individual packets in real time. It can analyse the entire packet, including the header. Long term objective of NIDS is to address all aspect of Intrusion detection. [8] C) Specification based Intrusion Detection: Out of these Specification Based IDS combines the aim of misuse and anomaly but having drawback is the manual development of all specifications, which is a time-consuming process for human beings. 10

3 International Journal of Computer Engineering and Applications, Volume VII, Issue III, September 14 [3] MOBILE AD-HOC NETWORKS Nodes in a Mobile ad-hoc network are allowed to move in an unrestrained manner. Such node mobility results in a highly dynamic network with rapid topological changes causing frequent route failures. A good routing protocol for this system environment has to dynamically adapt to the changing network topology. Second, the wireless channel provides much lower and more variable bandwidth than wired networks. The wireless channel working as a shared medium makes available bandwidth per node even lower. Therefore routing protocols should be bandwidth effective such that bandwidth is available for the actual data communication. Third, nodes run on batteries which have limited energy supply. For nodes to stay and communicate for longer periods, it is necessary that a routing protocol be energy efficient as well. Thus, routing protocols must meet the convicting goals of dynamic adaptation and low overhead to deliver good overall performance. [3.1] MANET ROUTING PROTOCOLS Table Driven (proactive) Routing Protocols On-Demand (reactive) Routing Protocols [3.1.1] TABLE DRIVEN (PROACTIVE) ROUTING PROTOCOLS In Table-driven routing protocols each node maintains one or more tables containing routing information in the network. All nodes modernize these tables to maintain up-to-date view of the network. When the network topology deviations the nodes broadcasts update messages and modify its routing table from time to time throughout the network in order to maintain consistent and upto date routing information about the whole network. How many hops are required to arrive that particular node and which stations are accessible is result of broadcasting of packets between nodes. Each node that transmissions data will contain its new sequence number and for each new route, node contains the following info: How many hops are essential to arrive that particular destination node. Generation of new sequence number marked by the target The destination address Illustration of Proactive Routing Protocol is Destination Sequenced Distance Vector (DSDV) throughout the network in order to maintain consistent and up-to-date routing information about the whole network. [3.1.2] ON-DEMAND (REACTIVE) ROUTING PROTOCOL On-Demand Routing Protocols are not maintained periodically. Here route tables are created when required. When the source node wants to connect to the destination node, it broad casts the route request (RREQ) packet to its neighbours. Just as neighbours of the source node receive the broadcasted request packet, they forward the packet to their neighbours and this action is happen until the destination is found. Afterward, the 11

4 Effect Of Blackhole Intrusion In Wireless Networks destination node sends acknowledgement to source node in the shortest path. The route remains in the route tables of the nodes through shortest path until the route is no longer needed. Examples of reactive routing protocols are the dynamic source Routing (DSR), ad hoc on demand distance vector routing (AODV). [3.2] WHY REACTIVE ROUTING PROTOCOL? In Table Driven Routing Protocols [9], each node has to keep up-to-date routing tables. To maintain reliable routing tables, every node sends update messages to the network when network topology changes. Because every node has information about network topology, Table Driven Routing Protocols present several problems. Sometimes updating the network topology increases bandwidth overhead, Sometimes updating route tables keeps the nodes awake and quickly exhausts their batteries, Many redundant route accesses to the specific destination needlessly take place in the routing tables. [3.3] WHY AD-HOC ON-DEMAND DISTANCE VECTOR (AODV) ROUTING PROTOCOL? In our work, we have used Ad-Hoc On-Demand Distance Vector Routing (AODV) and implemented Black Hole attack to this protocol. The Ad Hoc On-demand Distance Vector Routing (AODV) protocol [9] is a reactive unicast routing protocol for mobile ad hoc networks. As a reactive routing protocol, AODV one needs to maintain the routing information about the active paths. In AODV, the routing statistics is maintained in the routing tables at all the nodes. Every mobile node keeps a next hop routing table, which holds the destinations to which it currently has a route. A routing table entry terminates if it has not been used or reactivated for a pre-specified expiration time. In AODV, when a source node wants to send packets to the destination but no route is available, it initiates a route discovery operation. In the route discovery operation, the Source node broadcasts route request (RREQ) packets which includes Destination Sequence Number. When the destination or a node that has a route to the destination receives the RREQ, it checks the destination sequence numbers it currently knows and the one specified in the RREQ. To guarantee the freshness of the routing information, a route reply (RREP) packet is Created and forwarded back to the source only if the destination sequence number is equal to or greater than the one stated in RREQ. AODV practises only symmetric links and a RREP follows the reverse path of the respective RREQ. Upon receiving the RREP packet, each intermediate node along the route updates its Next-hop table entries with respect to the destination node. The redundant RREP packets or RREP packets with lower destination sequence number will be dropped. The advantage of this protocol is low Linking setup delay and the disadvantage is more number of control overheads due to many route reply messages for single route request. 12

5 International Journal of Computer Engineering and Applications, Volume VII, Issue III, September 14 [4] TYPES OF ATTACKS ON REACTIVE ROUTING PROTOCOLS There are many types of attack in different layers. We are mainly concerned on reactive routing protocols attack on network layer. Generally talking about reactive routing protocols first the source node broadcasts route request (RREQ) packets which includes Destination Sequence Number. So in this RREQ Flooding attack [10] is possible. To guarantee the cleanness of the routing information, a route reply (RREP) packet is created and forwarded back to the source only if the destination sequence number is equal to or greater than the one specified in RREQ. Upon receiving the RREP packet, each intermediate node along the route updates its next-hop table entries with respect to the destination node. The redundant RREP packets or RREP packets with lower destination sequence number will be dropped. So Blackhole attack [11] is possible where malicious node sends RREP packet with higher destination sequence and after receiving data packets it drops packets. [4.1] BLACKHOLE ATTACK In Blackhole attack [11], attacker may generate a RREP message to form Blackhole as follows: Set the type field to RREP Set the hop count field to 1 Set the originator IP address as the creating node of the route and the destination IP address as the destination node of the route Increase the destination sequence number by at least one Set the source IP address (in the IP header) to a non-existent IP address (Blackhole). The attacker unicasts the fake RREP message to the originating node. When originating node receives the faked RREP message, it will modernize its route to destination node through the non-existent node, Then RREP Blackhole is formed. [4.2] WORMHOLE ATTACK In wormhole attack [12], two colluding nodes that are far apart are connected by a tunnel giving an illusion that they are neighbours. Each of these nodes receive route request and topology control messages from the network and send it to the other colluding node via tunnel which will then replay it into the network from there. By using this extra tunnel, these nodes are able to advertise that they have the shortest path through them. Once this link is recognized, the attackers may choose each other as multipoint relays (MPRs), which then lead to an exchange of some topology control (TC) messages and data packets through the wormhole tunnel. [4.3] FLOODING ATTACK Flooding attack [10] is a denial of service type of attack in which the malicious node broadcast the excessive false packet in the network to consume the available resources so that valid user can not able to use the network resources for valid communication. Because of the 13

6 Effect Of Blackhole Intrusion In Wireless Networks limited resource restrictions in the mobile ad hoc networks resource consumption due to Flooding attack reduces the throughput of the network. In the RREQ Flooding attack, the attacker broadcast the many RREQ packets time-totime to the IP address which does not exist in the network. On demand routing protocols uses the route discovery process to obtain the route between the two nodes. In the route discovery the source node broadcast the RREQ packets in the network. Since the priority of the RREQ control packet is higher than data packet then at high load also RREQ packet are transmitted. A malicious node activities this feature of on demand routing to launch the RREQ Flooding attack. [4.4] RUSHING ATTACK Rushing attack is a zero delay attack and more effective when the attacker nearby source or destination node[13]. On-demand routing protocols like AODV and DSR are more vulnerable to this attack, because whenever source node floods the route request packet in the network, an adversary node receives the route request packet and sends without any hop count update and delay into the network. Whenever the legitimate nodes receive the original source request packets, they are dropped because legitimate nodes, would have already received packet from the attacker and treat the currently received packets as duplicate packets. Thus, adversary is included in active route and disturbs the data forwarding phase. Rushing attack can be taken place at source side or destination side or at the middle. [5] IMPLEMENTING A NEW ROUTING PROTOCOL TO SIMULATE BLACKHOLE BEHAVIOUR IN NS All routing protocols in NS are installed in the directory of ns allinone-2.35/ns-2.35". We start the work by copying AODV protocol in this directory and change the name of directory as blackholeaodv"[14][15]. Names of all files that are labeled as aodv" in the directory are changed to blackholeaodv" such as blackholeaodv.cc, blackholeaodv.h, blackholeaodv.tcl, blackholeaodv rqueue.cc, blackholeaodv rqueue.h, etc. in this new directory except for aodv packet.h. The key point in our work is that AODV and Black Hole AODV protocol will send each other the same AODV packets. Therefore, we did not copy aodv packet.h file into the blackholeaodv directory. We have new all classes, functions, structs, variables and constants terms in all the files in the directory except struct names that belong toward AODV packet.h code. We have designed aodv and blackholeoadv protocols to send each other aodv packets. These two protocols are actually the same After the above changes, Procedures for adding new blackhole protocols in NS2. [5.1] CHANGES FOR BLACKHOLEAODV PROTOCOL We have implemented a new routing protocol which is labeled as blackholeaodv. But Black Hole behaviors have not yet been implemented in this new routing protocol. To add 14

7 International Journal of Computer Engineering and Applications, Volume VII, Issue III, September 14 Black Hole behavior into the new AODV protocol we made some changes in blackholeaodv/blackholeaodv.cc C++ file. If the received packet is a data packet, normally AODV protocol sends it to the destination address, but behaving as a Black Hole it drops all data packets as long as the packet does not come to itself. In the code below, the first if condition provides the node to receive data packets if it is the destination. The else condition drops all remaining packets. If the packet is an AODV management packet, recv function sends it to recvblackholeaodv function. recvblackholeaodv function checks the type of the AODV management packet and based on the packet type it sends them to appropriate function with a case statement. For example; RREQ packets are sent to the recvrequest function, RREP packets to recvreply function etc. In our case we will consider the RREQ function because Black Hole behaviour is carried out as the malicious node receives an RREQ packet. When malicious node receives an RREQ packet it immediately sends RREP packet as if it has fresh enough path to the destination. Malicious node tries to deceive nodes sending such an RREP packet. Maximum sequence number of AODV protocol is , 32 bit unsigned integer value. Values of RREP packet that malicious node will send are termed below. The sequence number is fixed to and hop count is set to 1. After all changes are finished we have recompiled all NS-2 files to create object files. Having finished compilation, we have a new test bed to simulate Black Hole Attack in AODV protocol[14][15]. [6] SIMULATION OF BLACKHOLE INTRUSION AND ITS EFFECTS All the Simulation Parameters, Metrics, Software Requirement s which we used for the implementation of Blackhole Intrusion is as follows: Simulation Parameters and Measured Metrics: Operating System: Ubuntu LTS Simulator: ns-allinone-2.35 Source Agent: CBR Destination Agent: NULL CBR Packet size: 512 bytes CBR Rate: 0.3Mb CBR Start time: 0.0 CBR Stop time: 10.0 Application: UDP UDP Packet size: 512 bytes Max packet in queue: 50 Routing protocol: AODV Flat Space: 1040 x 568 Number of Mobile Nodes: 4 15

8 Effect Of Blackhole Intrusion In Wireless Networks We simulated in a scenarios which has 4 nodes that contains one Blackhole Node as Malicious node as described in [Figure-2] into the network. In Blackhole attack all network traffics are redirected to a specific node or from the malicious node causing serious damage to networks and nodes as shown in the result of the simulation. Figure: 2. Data flow between Node 0 and Node 2 and Node 3 as malicious node absorbs Data Comparison between AODV and blackholeaodv protocol in QOS parameters like packets sent, packets received, packet dropped, packet forwarded, throughput of network and end to end delay. Simulation results show the difference between the number of packets lost in the network with and without a Black Hole Attack. Figure: 3. Network statistics of AODV protocol Figure: 4. Network statistics of blackholeaodv protocol Following [Figure-5] and [Figure-6]. shows the Difference between Throughput of AODV and Avg.E2E Delay as well as same in terms of the blackhole AODV Throughput and Avg.E2E Delay. 16

9 International Journal of Computer Engineering and Applications, Volume VII, Issue III, September 14 Figure: 5. Throughput vs Average end to end delay using AODV Protocol. Figure: 6. Throughput vs Average end to end delay using blackholeaodv Protocol. In [Figure-3] and [Figure-4] shows that by keeping number of sent packets same in both blackhole scenario and AODV scenario, but in Blackhole total number of Drop packets are more than drop packets in AODV, therefore throughput of the network is also reduced in blackhole scenario. [7] CONCLUSIONS Wireless ad hoc networks are vulnerable to various attacks due to the physical characteristic of both the environment and the nodes. In our system, we analysed that Blackhole attack using BlackholeAODV with different performance parameters such as packets sent, packets received, packet dropped, packet forwarded, throughput of network and end to end delay. After simulating the Blackhole Attack, we saw that the packet loss is amplified in the ad-hoc network simulation results show the difference between the number of packets lost in the network with and without a Blackhole Attack. This also shows that Black hole Attack touches the overall network connectivity and the data loss could show the existence of the Blackhole Attack in the network. If the number of Blackhole Nodes is enlarged then the data loss would also be expected to increase. We tried to discover and analyse the impact of Blackhole attack in MANETs using AODV protocols. There is a need to analyse Blackhole attack in other MANETs routing protocols such as DSR, TORA and OLSR. All routing protocols are expected to present different results. Therefore, the greatest routing protocol for minimizing the Blackhole Attack may be determined. 17

10 Effect Of Blackhole Intrusion In Wireless Networks REFERENCES [1] cnnic, The 29th Statistical Survey Report on Intenet Development in China, [2] K.Fall and K.Varadhan, The NS Manual, doc.pdf [3] Jae Chung and Mark Claypool, NS by Example-Tutorial", [4] Network Simulator blog, [5] AWK Script for NS2, [6] Vishal S. Badgujar, Sudhir N. Dhage, A Review of Intrusion Detection Schemes in Wireless Network using Anomaly and Misuse Approach, Journal of Applied Engineering and Technologies (AET) ISNN , Vol. 3, Issue 1, April 2014, pp [7] Giannetsos Athanasios, Intrusion Detection in Wireless Sensor Networks, Master THESIS, Carnegie Mellon University, April 8, [8] Sudhir N. Dhage, et al, Network Intrusion Detection System (NIDS) using Data Mining Techniques, SPIT-IEEE, International Conference Mumbai, Vol.5, [9] P. Manickam, T. Guru Baskar, M. Girija and Dr. D. Manimegalai, \performance comparisons of routing protocols in mobile ad hoc networks", International Journal of Wireless & Mobile Networks (IJWMN) Vol. 3, No. 1, February [10] Shishir K. Shandilya and Sunita Sahu, A Trust Based Security Scheme for RREQ Flooding Attack in MANET, International Journal of Computer Applications ( ) Volume 5 No.12, August [11] Sheenu sharma and Roopam gupta, simulation study of blackhole attack in the mobile adhoc networks, Journal of Engineering Science and Technology Vol. 4, No. 2 (2009) [12] Reshmi Maulik and Nabendu Chaki, A Study on Wormhole Attacks in MANET, International Journal of Computer Information Systems and Industrial Management Applications ISSN Volume 3 (2011) pp [13] Rushing Attack, 10 May [14] Monika Roopak and Prof. BVR Reddy, Blackhole Attack Implementation in aodv routing protocol, International Journal of Scientific & Engineering Research, Volume 4, Issue 5, May [15] Semih Dokurer, Y. M. Erten, et al, Performance analysis of ad-hoc networks under black hole attacks, Southeast international Conference, IEEE