Immuning Routing Protocols from the Wormhole Attack

9 Fourth International Conference on Systems and Networks Communications Immuning Routing Protocols from the Wormhole Attack in Wireless Ad Hoc Networks Marianne A. Azer Computer Dept. National Telecommunication Institute Cairo, Egypt mazer@nti.sci.eg Sherif M. El-Kassas Computer Science Dept. American University in Cairo Cairo, Egypt sherif@aucegypt.edu Magdy S. El-Soudani Electronics and Communications Dept. Cairo University, Faculty of Engineering Cairo, Egypt melsoudani@menanet.net Abstract Ad hoc networks can be rapidly deployed and reconfigured. Hence, they are very appealing as they can be tailored to lots of applications. Due to their features they are vulnerable to attacks. A particularly severe security attack, called the wormhole attack, has been introduced in the context of ad-hoc networks. During the attack a malicious node captures packets from one location in the network, and tunnels them to another malicious node at a distant point, which replays them locally. In this paper, we propose a scheme for the wormhole attack prevention in ad hoc networks. The scheme relies on the idea that usually the wormhole nodes participate in the routing in a repeated way as they attract most of the traffic. Therefore, each node will be assigned a cost depending in its participation in routing. The cost function is chosen to be exponential in powers of two such that to rapidly increase the cost of already used nodes. Besides preventing the network from the wormhole attack, the scheme provides a load balance among nodes to avoid exhausting nodes that are always cooperative in routing. In addition, a better network performance has been achieved in terms of traffic. Keywords- Ad Hoc Network; attacks; routing; security; wormhole attack. I. INTRODUCTION A wireless ad-hoc network consists of a collection of autonomous peer mobile nodes that self-configure to form a network and have no pre-determined organization of available links. The broadcast nature of the radio channel introduces characteristics in ad hoc wireless networks that are not present in their wired counterparts. Ad hoc networks are vulnerable to attacks due to many reasons; amongst them are the absence of infrastructure, wireless links between nodes, limited physical Protection, the Lack of a centralized monitoring or management, and the resource constraints. One of the most famous attacks on this type of networks is the wormhole attack. During the attack a malicious node captures packets from one location in the network, and tunnels them to another malicious node at a distant point, which replays them locally. In this paper we suggest a scheme to prevent this attack based on its effects. The remainder of this paper is organized a follows. In section II, we explain briefly the Ad Hoc on Demand Distance Vector (AODV) protocol used for routing in ad hoc networks, the wormhole attack and the effort done in the literature to combat this attack. In section III, we present our proposed scheme. Simulation results are presented in section IV and finally, conclusions and future work are given in section V. II. BACKGROUND In this section we give a brief overview on the Ad Hoc on Demand Distance Vector (AODV) routing protocol in section A and the wormhole attack description and proposed solutions in section B. A. The Ad Hoc on Demand Distance Vector Routing Protocol The AODV [] builds and maintains routes between nodes only as needed by source nodes. When a source node desires a route to a destination for which it does not already have a route it broadcasts a RREQ packet across the network. Nodes receiving this packet update their information for the source node and set up backwards pointers to the source node in the route tables. In addition to the source node's IP address, current sequence number, and broadcast ID, the RREQ also contains the most recent sequence number for the destination of which the source node is aware. A node receiving the RREQ may send a RREP if it is either the destination or if it has a route to the destination with corresponding sequence number greater than or equal to that contained in the RREQ. If this is the case, it unicasts a RREP back to the source. Otherwise, it rebroadcasts the RREQ. Nodes keep track of the RREQ's source IP address and broadcast ID. If they receive a RREQ, which they have already processed, they discard the RREQ and do not forward it. As the RREP propagates back to the source, nodes set up forward pointers to the destination. Once the source node receives the RREP, it may begin to forward data packets to the destination. If the source later receives a RREP containing a greater sequence number or contains the same sequence number with a smaller hop count, it may update its routing information for that destination and begin using the better route. As long as the route remains active, it will continue to be maintained. 8--7695-75-7/9 $26. 9 IEEE DOI.9/ICSNC.9.6 3

A route is considered active as long as there are data packets periodically traveling from the source to the destination along that path. Once the source stops sending data packets, the links will time out and eventually be deleted from the intermediate node routing tables. If a link break occurs while the route is active, the node upstream of the break propagates a route error (RERR) message to the source node to inform it of the now unreachable destination(s). After receiving the RERR, if the source node still desires the route, it can reinitiate route discovery. B. The Wormhole Attack A particularly severe security attack, called the wormhole attack, has been introduced in the context of ad-hoc networks [2], [3], [4]. During the attack [5] a malicious node captures packets from one location in the network, and tunnels them to another malicious node at a distant point, which replays them locally. The tunnel can be established in many different ways, such as through an out-of-band hidden channel (e.g., a wired link), packet encapsulation, or high powered transmission. This tunnel makes the tunneled packet arrive either sooner or with less number of hops compared to the packets transmitted over normal multihop routes. This creates the illusion that the two end points of the tunnel are very close to each other. A wormhole tunnel can actually be useful if used for forwarding all the packets. However, in its malicious incarnation, it is used by attacking nodes to subvert the correct operation of ad-hoc and sensor network routing protocols. The two malicious end points of the tunnel may use it to pass routing traffic to attract routes through them. They can then launch a variety of attacks against the data traffic flowing on the wormhole, such as selectively dropping the data packets. The wormhole attack can affect network routing, data aggregation and clustering protocols, and location-based wireless security systems. Finally, it is worth noting that the wormhole attack can be launched even without having access to any cryptographic keys or compromising any legitimate node in the network. Several solutions have been proposed in the literature for the wormhole attack, the solutions can be categorized into location-based and time-based solutions such as in [3], [4], [6], [7], [8], [9], [], [], key-based solutions as in [2], [3], statistical solutions such as in [4], [5], graph-based solutions as in [6], [7], [8], [9] and finally neighbor monitoring-based solutions [9], [2], [2], [22]. The added burden of location identification, time synchronization, attack graph automatic formation, make the solutions that rely on them complex and in most of the time consume a lot of the limited nodes resources. III. WORMHOLE PREVENTION SCHEME In this section we present pour proposed wormhole attack prevention scheme. The basic idea that lies behind the wormhole attack is that the wormhole malicious nodes pull the traffic by advertizing short paths, with minimum number of hops. It is therefore more likely possible to have those wormhole routes participate in routing packets. From this perspective, we suggest the modification of the AODV protocol in such a way to disable the malicious nodes to attract the traffic all the time and be able to process it maliciously. Hence, each node will be assigned a cost depending on its contributions in routing using the following cost function. c(i) new = 2 n + c(i) old where c(i) is the cost of a node i, initially c(i)=. n is the number of times a node has contributed in routing to a certain destination, initially n =. This function takes into consideration the number of times a node has participated in routing for a certain source and the node s cost will be increased accordingly. In order to apply our approach other additional features should be added /modified in the default AODV protocol. One concerns the RREQs, the other concerns the added cost function. To start with, it was mentioned earlier in the default AODV protocol description that if a node receives a RREQ, which it has already processed, it discards the RREQ and does not forward it. This step should be modified as we need to have multiple options of routing paths for the same request originated by the source. It follows that a node should process all arrived RREQs forwarded to it by different previous hops. A new cost field should be added to the RREQs and RREPs (signaling packets), and to the nodes routing tables as well. Now if a source node needs a route to the destination, it broadcasts the RREQ packets, which will be now processed differently at intermediate nodes, and a hop by hop decision is made. The following algorithm and flow chart shown in Figure describe this hop-based decision. - A signaling packet (RREQ/RREP) is received by node (X) from Node (N) looking for a path for destination (D). 2- Node (X) extracts target (S/D) from signaling packet (If the signaling packet is a RREQ then the target is the source, if the signaling packet is a RREP, then the target is the Destination). 3- Node (X) searches in routing table for another node (O) having a fresh route to the target. 4- If the node (O) is not found or if the route is not fresh enough, an entry for the target node is added to the routing table of node (X) 5- If the node (O) is found in the routing table, and has a route to the target the following should be verified: i- How many times node (X) has used node (O) as a next hop (R ) ii- How many times node (X) has used node (N) as a next hop (R 2 ) iii- Compare R and R 2 iv- Update the routing table v- Add node (X) s cost to the signaling packet and forward it to the target node. 3

6- Target node (S/D) receives the coming signaling packet calculates the final cost and compares with its routing table to select the route with minimum cost. Figure Flow Chart of suggested Wormhole Prevention Scheme IV. SIMULATION RESULTS We have chosen to use the OPNET modeler since this simulator includes lots of facilities for ad hoc networks such as defining protocol packet format, defining the state transition machine for processes running the protocol, defining process modules and transceiver modules we need in each device node, defining the network model by connecting the device nodes together using user-defined link models, and above all programming and implementing new functions. We have used some of these facilities to modify the AODV protocol in OPNET. Simulations were done for default and customized AODV protocol to test the effect of assigned cost due to the repeated use of nodes in routing in the presence of tempting existing paths with minimum number of hops. The number of nodes is 35 distributed randomly on an area of 3.5by 3.5 kilometers, all using the AODV protocol. The AODV protocol parameters are shown in Table. TABLE I. SIMULATION PARAMETERS AODV Parameter Settings Route Request Retries 5 Route Request Rate Limit (Packets/second) Active Route Timeout 3 (Seconds) Hello Interval (Seconds) Uniform (,.) Allowed Hello Loss Net Diameter (The 35 maximum possible number of hops between two nodes in the network) Node Traversal Time.4 (Seconds) Route Error Limit (Packets/sec) 32

Time To Live Threshold Local Repair Enabled Addressing Mode IPv4 lack of space we shall only present two windows that represent two rounds for each cost function in Figures 4, 5, 6, and 7. First, simulations have run for this network using the default AODV protocol in the absence and in the presence of a wormhole attack. The change in routing is illustrated by Figure 2 and Figure 3 respectively. The malicious colluding nodes have been chosen to be node 9 and node 2, that is why the traffic has changed its regular minimum hop path as the wormhole path appears to have five hops, while normally the minimum hop path in this network has six hops. In the path details window, the hops used for routing are mentioned to make sure the wormhole path bypasses node 2 although it seems to use it from the first look. Node 9 Node 2 Figure 4 Path details using the custom AODV protocol with a linear cost function under wormhoe attack by nodes 9 and 2, second round Figure 2 Routing and path details using the default AODV protocol Node 9 Node 2 Figure 5 Path details using the custom AODV protocol with a linear cost function under wormhoe attack by nodes 9 and 2, third round Node 9 Node 2 Figure 3 Routing and path details using the default AODV protocol under wormhoe attack by nodes 9 and 2 The next step was then to run simulations under wormhole attack using our custom AODV protocol that uses cost. We have run the simulations using two types of costs, a linear cost and the exponential cost mentioned in section III. The routing and chosen paths details have changed due to the use of the cost functions. The first window for each custom AODV protocol is the same as Figure 3, because at the beginning all nodes costs are equal, so the custom protocol performs similarly to the default AODV protocol. For the Node 9 Node 2 Figure 6 Path details using the custom AODV protocol with exponential cost function under wormhoe attack by nodes 9 and 2, second round 33

Node 9 Node 2 Figure 7 Path details using the custom AODV protocol with exponential cost function under wormhoe attack by nodes 9 and 2, third round To compare the performance of the two cost functions and evaluate the custom AODV protocol, we use the delay at the destination and the traffic sent and received by malicious nodes as a measure. From Figure 8, we notice that the average delay at destination has decreased when the default AODV protocol was used under the wormhole attack. The delay has slightly increased when our custom schemes were used. We also notice that the average delay of the custom protocol is the same using both cost functions. In Figures 9,,, and 2, we present the change in the average traffic sent and received by malicious nodes 9 and 2 respectively. We notice that our suggested scheme has contributed in a significant decrease in the traffic sent by the malicious nodes. We also notice that the exponential cost function has slightly a better performance than the linear one..4.35.3..2.5..5 9E 7.5 aodv_defaullt 4 wormhole DES : Campus Network.destination.MANET.Delay (secs) aodv_defaullt 4-DES-: Campus Network.destination.MANET.Delay (secs) Average Delay using a linear cost function (secs) Average delay using an exponential cost function (secs) 4 7 3 6 9 22 28 3 4 43 46 52 55 58 6 64 67 7 76 79 82 88 9 94 Figure 8 Comapring average delay at destination 7 6 5 aodv_defaullt wormhole: node9.aodv.routing Traffic Sent (bits/sec) Average Traffic sent by node 9 using a linear cost function (bits/sec) Average Traffic sent by node 9 using an exponential cost function (bits/sec) 3 5 9 3 7 2 29 33 4 45 53 57 6 65 69 77 8 89 93 Figure 9 Comapring average traffic sent by node 9

8 6 8 6 aodv_defaullt wormhole: node9.aodv.routing Traffic Received (bits/sec) Average Traffic received by malicious node 9 using linear cost function(bits/sec) Average Traffic received by malicious node 9 using exponential cost function(bits/sec) 5 9 3 7 2 29 33 4 45 53 57 6 65 69 77 8 89 93 Figure Comapring average traffic received by node 9 35 3 5 5 manet_internals aodv_defaullt 4 wormhole DES : Campus Network.node2.AODV.Routing Traffic Sent (bits/sec) Average traffic sent by node 2 using linear cost function (bits/sec) Average traffic sent by node 2 using exponential cost function (bits/sec) 4 7 3 6 9 22 28 3 4 43 46 52 55 58 6 64 67 7 76 79 82 88 9 94 Figure Comapring average araffic sent by node 2 8 6 aodv_defaullt wormhole: Campus Network.node2.AODV.Routing Traffic Received (bits/sec) Average traffic received by node 2 using linear cost function (bits/sec) Average traffic received by node 2 using an exponential cost function (bits/sec) 4 7 3 6 9 22 28 3 4 43 46 52 55 58 6 64 67 7 76 79 82 88 9 94 Figure 2 Comapring average traffic received by node 2 V. CONCLUSIONS AND FUTURE WORK Throughout this paper, we introduced the wormhole attack and the effort that has been done in the literature either to prevent, or to detect this attack, we have also explained briefly the AODV protocol used in the ad hoc networks for routing. To immune the network from the wormhole attack, we suggested the modification of the AODV protocol in such 35

a way to disable the malicious nodes from attracting the traffic all the time and be able to process it maliciously. The idea relies basically on assigning cost to the nodes that participate in routing packets for a certain source. A node that has been used more than once has its cost increased either linearly or exponentially (power of two), this is to ensure that a tempting path that offers apparently small number of hops will have a high cost because it contains a node that was used before. By this, the attractive wormhole node will not be able to attract the traffic all the time as there cost will increase very fastly. The suggested method uses the cost function to compare, at every node receiving a control message, between a next hop offering a route to the destination and nodes in its routing table also having routes to the destination. In addition to immuning the network from the wormhole attack, and minimizing the traffic sent by malicious nodes, this solution has the privilege of providing a load balance in the ad hoc networks, which saves regular nodes from resource consumption if they repeatedly participate in routing. Other attractive features of this scheme are simplicity, the scheme also benefits from being totally decentralized, which is more suitable to the distributed nature of ad hoc networks and finally, there are no resource requirements, except for a single extra field in the entry of nodes routing tables. Results have also shown that the penalty paid for these advantages was a slight increase in the delay compared to the delay achieved using the default AODV protocol in the absence of the wormhole attack. We plan to modify this scheme such as to take the number of hops into consideration while calculating the nodes costs, as this might lead to a decrease in the delay. We could thus obtain an optimum scheme with the minimum hop repetition and hop count. The new suggested scheme performance will also be compared to other wormhole prevention schemes proposed in the literature. REFERENCES [] C. E. Perkins and E. M. Royer. The Ad hoc On-Demand Distance Vector Protocol. In C. E. Perkins, editor, Ad hoc Networking, Addison-Wesley,, pp. -29. [2] C. Karlof and D. Wagner, Secure Routing in Sensor Networks: Attacks and Countermeasures, in the st IEEE International Workshop on Sensor Network Protocols and Applications, May, 3. [3] Y. C. Hu, A. Perrig, and D.B. Johnson, Packet leashes: a defense against wormhole attacks in wireless networks, in Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM), pp. 6-986, 3. [4] L. Hu and D. Evans, Using Directional Antennas to Prevent Wormhole Attacks, Network and Distributed System Security Symposium (NDSS), San Diego, Feb 4. [5] I. Khalil, S.Bagchi, N. B. Shroff, "LITEWORP: A Lightweight Countermeasure for the Wormhole Attack in Multihop Wireless Networks", dsn, pp. 62-62, 5 International Conference on Dependable Systems and Networks (DSN'5), 5. [6] S. Capkun, L. Buttyan, and J. Hubaux, SECTOR: Secure Tracking of Node Encounters in Multi-hop Wireless Networks, ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN), pp.- 2, Washington,USA, Oct 3. [7] W. Ribeiro, P. Junior, T. Figueiredo, H. Wong, and A. Loureiro. "Malicious Node Detection in Wireless Sensor Networks", ipdps, p. 24b, 8th International Parallel and Distributed Processing Symposium (IPDPS'4) - Papers, 4. [8] X. Wang, "Intrusion Detection Techniques in Wireless Ad Hoc Networks", compsac, pp. 7-9, 3th Annual International Computer Software and Applications Conference (COMPSAC'6), 6. [9] X. Wang, and J. Wong, "An End-to-end Detection of Wormhole Attack in Wireless Ad-hoc Networks," compsac, pp. 39-48, 3st Annual International Computer Software and Applications Conference - Vol. - (COMPSAC 7), 7. [] F. Naït-Abdesselam, B. Bensaou, and T. Taleb, "Detecting and Avoiding Wormhole Attacks in Wireless Ad Hoc Networks," in IEEE Communications Magazine. vol. 46, April 8, pp. 27-33. [] S. Khurana and N. Gupta, "FEEPVR: First End-to-End Protocol to Secure Ad Hoc Networks with Variable Ranges against Wormhole Attacks," in Second International Conference on Emerging Security Information, Systems and Technologies, secureware, 8, pp. 74-79. [2] Y. Zhang, W. Liu, W. Lou and Y. Fang Securing Sensor Networks with Location-Based Keys, WCNC 5 - IEEE Wireless Communications and Networking Conference, no., March 5, pp. 99 94. [3] R. Poovendran, L., Lazos, A graph theoretic framework for preventing the wormhole attack in wireless ad hoc networks, in Wireless Networks, Volume 3, Issue, ISSN:22-38, pp. 27 59, 7. [4] N. Song, L. Qian, and X. Li. "Wormhole Attacks Detection in Wireless Ad Hoc Networks: A Statistical Analysis Approach", ipdps, p. 289a, 9th IEEE International Parallel and Distributed Processing Symposium (IPDPS'5) - Workshop 7, 5. [5] L. Buttyan, L. Dora, and I. Vajda, Statistical wormhole detection in sensor networks, Hungary, July 5. [6] W. Wang and B. Bhargava, Visulization of wormholes in sensor networks, Proceeding of the ACMWorkshop onwireless Security (WiSe), pages 5 6, 4. [7] M. Azer, S. El-Kassas,and M. El-Soudani, Using Attack Graphs in Ad Hoc Networks - For Intrusion Prediction Correlation and Detection,, SECRYPT 6, pp. 63-68. [8] R. Maheshwari, J. Gao, and S. R. Das, "Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information," in INFOCOM 7. 26th IEEE International Conference on Computer Communications. IEEE, 7, pp. 7-5. [9] C. Sun, K. Doo-young, L.Do-hyeon, and J. Jae-il, "WAP: Wormhole Attack Prevention Algorithm in Mobile Ad Hoc Networks," in Proceedings of the 8 IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing (SUTC 8), June 8, pp. 3-8. [2] K. Win, "Analysis of Detecting Wormhole Attack in Wireless Networks," in Proceedings of World Academy of Science, Engineering and Technology, Volume 36, December 8, ISSN 27-4. [2] F. KONG, C. LI, Q.DING, G. CUI, and B. CUI, "WAPN: A Distributed Wormhole Attack Detection Approach for Wireless Sensor Networks," Journal of Zhejiang University SCIENCE A, vol., p. 279~289, February 9. [22] L. Gunhee, S. Jungtaek, and K. Dong-kyoo ", An Approach to Mitigate Wormhole Attack in Wireless Ad Hoc Networks," in Proceedings of the 8 International Conference on Information Security and Assurance (ISA 8), 8, pp. 22-2. 36