RWD - Securing Mobile Ad-hoc Networks from Wormhole Attacks

Kshitij Dogra Neeraj Garg

Computer Science and Engineering Assistant Professor
Maharaja Agrasen Institute of Technology Computer Science and Engineering
Delhi, India Maharaja Agrasen Institute of Technology
k.raj223@gmail.com Delhi, India
neerajgarg04@gmail.com

Abstract— Ad hoc routing protocols are good enough for nodes have the capability to tunnel the data traffic from one
routing but provide next to no protection from security threats. colluding party to the other in a single hop. This operation
The intrusion threat that we are considering in this paper is (tunneling) is accomplished by either using an out-of-band
known as a wormhole attack. In this attack, there are two signal, frame relay or encapsulation [1]. When a route is
colluding parties, which exist on either side of the network. By
being discovered between source and destination, these
displaying a shorter route between two distant nodes, they are
able to attract the network traffic towards them. The idea of nodes tunnel the request packets and then routed locally.
smaller hop count seems good but is a real security threat
when the wormhole creating nodes have malicious intents, as
they can monitor all the data in the network. The detection
that we wish to propose requires a modification in the AODV
protocol, in terms of allowing nodes to maintain a buffer of
duplicated RREQ. This helps to find the different routes
available, all originating from the same source. We have
devised two methodologies called Backtracking and Sharing
Buffer, to help in the Reverse Wormhole Detection (RWD).
Our proposed idea works best in the case where all nodes in
the network initially have an empty routing table, i.e. no node
poses a route to a specific node. Hence, during the time of route
discovery, we expect the Destination to receive at least one
RREQ. At each intermediate node of the route, we try to find
an alternate route to its 2 hop upstream neighbor. For Fig. 1. Wormhole attack (colluding parties – M1 and M2)
analyzing the distance, we define a leniency parameter which is
analyzed based upon the percentage detection and number of Owing to this capability, of the N number of routes
false positives on NS-2. obtained between the source and destination, the route
passing through the colluding parties will be the shortest;
Keywords- Wormhole, tunneling, AODV, MANET, pseudo- hence it would be the final chosen path. This method is used
sender, pseudo-destination, backtracking, leniency parameter, to attract the network traffic over many source and
sharing buffer. destinations. This type of intrusion can lead to two types of
attacks, namely – black hole and gray hole. In black hole
I. INTRODUCTION attack, all the data packets passing through the colluding
In the modern day scenario, wireless mobile ad-hoc nodes are discarded, hence severely affecting the data-rate.
network (MANET) devices, have observed a rise in Gray hole attack is the other kind, where selective data
popularity. Several standard protocols have been made for packets are dropped. In relation to Fig.1, we observe a
these networks [6,7,8,9]. Since in a wireless mode of source node S and destination node D. During the process of
communication, data packets are distributed over a route discovery, a number of routes are determined of which
transmission range, these protocols are based on relaying the shortest is S-1-2-3-4-D. The nodes M1 and M2 have
data packets from source to destination. The possibility of a acted as closed wormholes, and relayed the packets from 2
malicious node in the network that wishes to sniff the data to 3. Thus they will be a security threat to the network, by
packets have been looked over. In such networks intrusion monitoring each node that is in the network.
by a malicious third party is easy, as the signals travel in an
open medium and are available for interception.
In this paper, we address the problems of wormholes in
MANETs. Two malicious nodes exist on either side of the
network and are separated by a number of hops. These

Fig. 2. (a) Short wormhole (b) Long wormhole
We now define two types of wormholes [16]. Short
wormhole (a) is the one, where only one malicious node is
taking part in the tunneling. On the other hand, a Long
wormhole is the one in which two or more than two
colluding nodes act as attackers.
The paper falls under the category of IDS. The method
that we are proposing is a slight modification of the default
AODV protocol, in which each node poses some memory to
store the superfluous RREQ.
The rest of the paper has been organized as follows.
Section 2 contains the related works linked to the chosen
topic (IDS), done in the past. Section 3 is the proposed idea,
and Section 4 is the analysis using simulations. The paper
has been concluded in Section 5 and future work has been
outlined in the same.
II. RELATED WORKS
As we discussed in a wormhole attack, malicious nodes
should mislead other nodes in a network by abusing cost
effectiveness of routing protocols. Thus most researches that
have been done so far used temporal and geographical
measures to identify falsified information.
Some researches like Hu et al. [4] have applied the
concept of geographical and temporal leashes. For
geographical leashes, each node calculates the distance
between the neighbor and itself. This is accomplished by
using accurate location information and loose time
synchronization. The distance is calculated by noting the
„send‟ and „receive‟ timestamp, and the velocity. If the
calculated distance is greater than the threshold, then we can
say a wormhole exists. The use of temporal leashes is
implemented by the usage of highly synchronized time
clocks. The time taken to transit a data packet is calculated
and measured with a pr-defined value. If the time exceeds
then a wormhole is said to exist.
Song et al. [10], has given the concept of frequency
matching. It has been stated that the malicious nodes work
at a higher frequency than the good nodes. The proposal is
to identify those nodes which work at a different frequency.
Chiu et al. [11], implements a delay analysis approach.
It calculates mean delay per hop of every possible route. To
do so, sender initiates a detection packet, and receiver
responds to every received detection packet. After collecting
all response, sender computes mean delay per hop of each
route. After arranging the delays, the algorithm finds
whether there is a large difference between two adjacent
values. This method is vulnerable to attack, as the attacker
can easily take the guise of the sender.
Khalil et al. suggest two wormhole detection and
response methods such as LiteWorp for static ad hoc
network and MobiWorp for mobile ad hoc network [12, 13].
They collect information about neighbors that exist in two
hops distance, and some nodes, which can overhear both the
forwarder and the next node of it. Monitoring nodes check
whether both two packets transmitted by them are the same
or not. The MobiWorp requires a CA to verify the truth of
node‟s location information. Moreover, in the MobiWorp,
each node should acquire an authentication message from
the authority in order to transmit a message whenever it is
mobile. Evans et al. [5], the concept of authentication has
been applied. Each node shares a secret key with every other
node. During the tme of route discovery, the direction from
which response is coming is matched, to ensure that an
attacker is not replying. Sun et al. [14], again the concept of
timing has been implemented. It says, each node after
sending teh RREQ, waits till it overhears the neighbor
broadcasting the RREQ. If not, this is a case os a closed
wormhole.
Luis et al. [15], has proposed a wormhole preventing
method called WIM-DSR. It states that the network checks
whether the nodes involved in he source route are being
strongly witnessed. This is approach has been implemented
in DSR.
III. PROPOSED METHODOLOGY
A. Reverse Wormhole Detection
Our proposal is based on a particular default aspect of
AODV protocol. The protocol says, during the path
discovery each node broadcasts the source IP address and
the broadcast ID to its neighbors. The neighbors check their
routing tables to find if they have a direct route to the
destination. During the propagation of RREQ, a reverse
route entry is simultaneously set up. The use of this entry is
to back track RREP to the source, once the destination has
been reached. In the mean time if a node obtains any
superfluous RREQ, having the same broadcast ID, the
packet is silently discarded. This is where we propose a
modification to AODV.
Besides discarding the RREQ, each node has to maintain
them as records in their buffer. The significance of these
RREQ comes from the fact that each request asks the
processing node to make a reverse route entry signifying –
source node‟s IP address, number of hops to the source and
the IP address of the node from where RREQ was received.
The modification is necessary to have multiple options of
routing paths, for the same RREQ generated by the source.
Comment: Our proposed idea works best in the case where
all nodes in the network have an empty routing table, and
i.e. no node poses a route to a specific node. Hence, during
the time of route discovery, we expect the Destination to
have received at least one RREQ.
Our algorithm starts from the destination, or the
node which had last received a RREQ for a path between
source S and destination D. It utilize the informative RREQ
and finds the number of hops to the 2 hop distant node
(P2S,D) on the route from source to destination (upstream).
This is done by replying to each RREQ with RREP, and
propagating it, till the required node is arrived at. If this
distance is greater than a pre-set leniency parameter (λ), we
can consider a wormhole to exist.

Comment: When a wormhole exists, the node immediate to

the malicious node might not have a buffer ( ), as this node
would have broadcasted RREQ to the immediate neighbors
during path discovery. This could happen when the two
legitimate nodes are not in transmission range (closed
wormhole – Fig. 1). Hence we propose an enhancement to
the algorithm, by asking one of the sender‟s neighbors to
use its buffer for finding the route.
In such cases, this node (Sender) broadcasts a
HELLO packet with TTL = 1 and waits for
acknowledgement. This would get it all its neighbors
(Bsender). The Sender would then ask Bsender – PS,D (where PS,D
in AODV terminology denotes predecessor and next hop
towards D for the Sender) to act as pseudo senders and do
backtracking. They are provided with a unique ID from the
sender. This process is called sharing the buffer. The hop Fig. 3 – Flow chart of the Protocol
count is incremented each time a new pseudo-sender is
The above shown is the flow diagram that we consider
chosen. The process of local broadcasts continues till at
apt for wormhole detection. Note, that this algorithm is
least one route between ρ and Sender is obtained.
evoked after the shortest route from source to destination
Comment: In this type of attack, there may be an exception. has been established. Let us define some basic terminology
In relation to Fig. 1, if during route discovery node 4 had a in reference to the flow chart and the Fig. 1, before we
direct path to D, it would have not broadcasted a RREQ. In continue with the explanation of the flow chart.
this case, 4 would have attained a buffer of requests from Source: The initial node S, from where the AODV protocol
nodes 12 and 13. Same can be said for node 3. is initiated in order to find a live route.
Destination: The node D, the final destination of the
packets to be initiated by source S.
Sender: During the process of Backtracking, the node
which initiates RREP to the nodes which have provided
superfluous RREQ. This node is the one enlisted in
observed path between S and D.
Pseudo Destination: The two hop on route neighbor of the
sender, during Backtracking.
Pseudo Sender: Neighbor of sender. In case sender
possesses no buffer, neighbor has to work on sender‟s
behalf (during shared buffer).
Buffer: Storage space B, which stores the RREQ with
repeated source IP and Broadcast ID pair.

Step (1): The algorithm starts from the destination / node

which has a reverse route entry for the source, and traverses
backwards towards the source (S) node. The reason can be
stated as; the nodes towards the destination have a
repository / buffer B, specifying the numerous other routes
that exist between the source, intermittent nodes and the
destination.
Step (2): The Sender is checked to see, whether it has a
valid buffer. Valid buffer means, the RREQ sent by the
upstream neighbor is not accounted for.
Step (3): Sharing the buffer –

Fig. 5 - Flow chart for Backtracking

Step (5.1): Each neighboring node (α) receives the RREP

along with the unique ID.
Fig. 4 – Flow chart for „sharing the buffer‟ Step (5.2&5.3): α searches its routing table to check whether
it already has a route to the destination D. If the node (α) has
Step (3.1): Sender marks one hop neighbors for route to D.
a live route to D, then its IP address is noted and matched
Step (3.2): A “HELLO” packet is broadcasted to all
with the predecessor of the Sender (on the actual route from
neighbors.
S-D).
Step (3.3): The unmarked node is assigned as a pseudo-
Step (5.4): If this step is reached, it means α and the sender
sender.
are two hops away. Hence, α = ρ. Let us say, the hop-count
Step (3.4): Sender broadcasts the unique ID to pseudo-
mentioned in the RREP with the current node is h.c. 1 . The
sender, which is further propagated to other to-be pseudo-
distance mentioned in the routing table of this node is h.c. 2 .
nodes. At this stage, if the unique ID had already been
Step (5.5): The ID is matched to check the validity of
received earlier, then request is discarded. Use of the IDs
RREP. The ID check avoids the same nodes being accessed
can be considered as marking the nodes as black or white.
repeatedly to find path to pseudo-destination (ρ).
Step (3.5): If the pseudo-sender has a buffer then continue,
Step (5.6): The RREP in then forwarded to its neighbor, as
otherwise the whole process is repeated to find a better
stated in the buffer, along with unique ID.
legitimate pseudo-sender.
Step (6): Specifically, the distance between the node and
Step (4): The current node acts as the Sender, and replies to
Sender is –
the numerous RREQ stored in the buffer, with a unique ID.
Li = h.c.1 - (h.c.2 - 2 ) i = 1 to n (1)
The nodes listed in PS,D (one-hop neighbors of sender for
'n' is the total number of such paths that have been obtained
route to D) are not replied to and thus is a forbidden list.
over the course of backtracking operation.
Sender is an intermediate node between S and D, and replies
Step (7): The Sender tests for the existence of wormhole by
as having an active path to the destination. RREP includes
comparing the length L of the 'selected route' to pseudo
the IP address of the destination, its own IP address and the
destination, ρ [2]. Specifically if L – 2 > λ, then the sender
number of hops to D [6].
will assume that a wormhole is detected. Here L – 2 is used
Step (5): BACKTRACKING – This operation has been
because ρ is 2 hops away from sender and λ is the leniency
encapsulated in the Fig.3. The following shows its flow
parameter. Of the 'n' number of routes available, we have
chart –
chosen Laverage as the effective length, while finding the
wormhole. Detailed study of λ is performed later in the
analysis and simulation.
Step (8): If no wormhole is detected, then the procedure is
shifted to the predecessor of the current sender.
Step (9): If the new sender is not the one hop neighbor of
the source S, the above mentioned steps are repeated in
same order.
Step (10&11): This step is reached when the following
exception occurs. The node acting as the sender is a direct
neighbor of the source node. S sends a broadcast to its
neighbors, with TTL=1. Let us call the neighbors B ρ.
Sender sets one node in the B ρ to act as ρ. Then the same
steps 2-6 are retraced, to get length of the alternate path (L).
Step (12): The earlier formulae are applied, i.e. (1) and L – 2
> λ to determine the existence of a wormhole.
Example – The following is the implementation of the
above stated algorithm in consideration to Fig. 1. In the
figure, it is observed that the route from source S to
destination D is S-1-2-3-4-D. It is obvious that the route
passes over the two malicious nodes M1 and M2. The buffer
available with nodes are tabulated as –
TABLE I. Nodes and the buffered RREQ from one hop neighbors.
Node Buffer
D 14,15
14 12,13
16 15
13 12,4
15 3 length wormholes can be easily detected. But this would
The steps taken to identify the wormhole are as follows –
Step (1): D becomes the sender.
Step (2): D has a buffer of RREQ.
Step (4): A unique ID is created and (selective) unicasted to
14,15.
BACKTRACKING
Step (5.1): RREP is received by 14 and 15.
Step (5.2): Consider node 14 does not already have a route
to D, but 15 did via 16.
Step (5.3): For node 15, next hop to D is 16. But as IP of 16
≠ 4, go to step 5.5.
Step (5.5): Unique ID‟s validity is verified.
Step (5.6): RREP are unicasted to (12, 13) and 3 by 14 and
15 respectively. BACKTRACKING continues.
Node 13 selectively unicasts RREP to 12 and 4. From step
5.2, 12 would have already heard the packet with same ID
and thus discards it. Node 4 is predecessor of sender (D),
and RREP gets discarded.
Node 15 sends RREP to node 3. 3 has a route to D (5.2),
and its next hop is predecessor of sender i.e., node 4 (5.3).
Hence 3 = ρ.
Step (6): Here h.c.1 = 2 and h.c.2 = 2. So, L1 = 2 – (2 - 2) = 2.
Similarly other paths obtained would be (D-14-12-3). L1 and
L2 can thus be calculated as 2 and 3 respectively. Laverage is
3.
Step (7): Now, to detect the L – 2 > λ, where λ = 2, 3-2>2 is
false. Hence no wormhole detected.
Step (8): Node 4 is made the sender.
In relation to Fig. 1 node 4 finds an empty buffer, hence
the case of a sharing buffer. It assigns node 12 as the
pseudo sender and sends it the unique ID. The h.c. is also
incremented by 1. Here h.c.1 = 6 and h.c.2 = 3.So L1 = 6 –
(3-2) = 5. The path length L, is compared with the leniency
parameter, 5 - 2 > λ, and hence the wormhole M1 & M2 are
detected.
The lower part of the main flowchart would work only
in an exceptional condition where the Sender is just one hop
away from the source S. Following would take place -
Step (10): The sender would set node 5 as the pseudo-
destination.
Step (11): Sender (1) finds that it has no buffer. So, it uses
node 6 as the pseudo sender and backtracks using the earlier
stated algorithm. It finds a path to ρ, (1-6-5).
Step (12): Here h.c.1 = 6 and h.c.2 = 6.So L1 = 6 – (6-2) = 2.
As (2-2) > λ is false, hence no wormhole detected.
B. Analysis of Reverse Wormhole Detection
1) Selected Path (L) and the Leniency Parameter (λ)
This methodology utilizes to basic parameters namely L
and λ. By the definition of an effective wormhole, a
wormhole is at least greater than the transmission range
between two nodes. If the value of λ is small, then the
detection percentage would be high as even the smaller
induce many false positives. On the other hand if the value
of λ is high, number of false positives would decrease but
many short wormholes would escape from being detected.
Based upon the simulations carried out, we can say – for a λ
between 2 and 3, the ratio of detection percentage to the
number of false positives is appreciably maintained.
Selected Path (L) is the other parameter which plays a
role in the wormhole formula. Of the „n‟ number of selected
routes, there are three types of path lengths available –
shortest, average and the longest. If shortest route is chosen,
this could lead to a drop in detection percentage. The
longest would induce many false positives, as we could get
an outlandish path between sender and the pseudo-
destination. The option that we have considered in the
simulation and analysis is an average of all the selected
paths, i.e. Laverage = ∑Li /n ; i = 1 to n where n is the total
number of paths available. Although this has given us
satisfactory results, more has been discussed in section 5.
2) Limitations
The Reverse Wormhole Detection methodology has a
limitation. The algorithm relies on the existence of more than
one route to exist between sender and ρ. Considering the
dynamic nature of MANETs, existence of a critical node is
something common. To avoid this problem, it is advisable to
detect such critical nodes on a timely basis, and generate
warnings in our methodology. Some research work
associated to this is - [3].
 number of false positives also rise accordingly with
variation to the leniency parameter.
IV. PERFORMANCE EVALUATION TABLE II – Selected path L = Lmax
In the proposed reverse wormhole analysis, there are two
parameters that needed to be tested. They are – Leniency Leniency parameter Leniency parameter
parameter λ and the selected path L. As we have discussed =2 =3
before in the analysis of the methodology, the relation % False % False
between each of the parameters and the detection rate, false detection positives detection positives
positives we now try and prove the relevant theory. 99.16 16.7 95.23 13.4
In our simulation we used 47 nodes, spread over an area
of 1.5km × 1.5km. After the nodes have been arranged, the In the Table III, average of the arrived paths is chosen as
sender node and destination is chosen randomly. A the metric. We observe a decrease in percentage detection
wormhole is randomly created somewhere in the network. but the number of false positives decreases appreciably.
Also the maximum range of radio transmission is less than TABLE III – Selected path L = Laverage
the distance between source and destination.
Leniency parameter Leniency parameter
=2 =3
% False % False
detection positives detection positives
96.2 11.4 89.40 7.8

Hence we could conclude, to choose Laverage as the acceptable

Selected Path (L).

V. FUTURE WORK AND CONCLUSION

Fig. 6 (a) - Percentage detection vs. Leniency parameter
Fig. 6 (b) - False positive percentage vs. Leniency parameter
Simulations have been carried out in OPNET and
Matlab. The above mentioned simulations were carried out
to determine the apt values of λ. It would thus be fair to
assume, λ to be between 2 and 3.
From Table II it is observed that when the longest path
is chosen as L, the detection percentage goes up, but the
As for the earlier works proposed for the determination of
wormholes by Hu et al. [4], Hu and Evans [5], the methods
require other hardware which increases the hardware
requirements. Some other proposals rely on the encryption
and decryption of data packets, which might be too much
processing by PDAs and are not considered a good
mechanism as an IDS scheme. On the other hand our
proposal does not incorporate exuberant cost, but relies on
some buffer space. The method that we propose is an
alternative to one of the previous works. We had proposed,
repeat execution of AODV, to find the pseudo destination,
but in the forward direction, (from source to destination).
The current proposal decreases the time complexity, but has
an increased cost over the memory consumption. In recent
future we would like to simulate this algorithm and compare
the delay in determination of the wormhole and compute the
space complexity. The simulations that we have put forth
where decisive enough for us to compute the value of λ, but
the selected path length L, can further be enhanced.
We can say, the proposed methodology is perfect
to determine any length wormholes, but needs further
revisions to determine the delay in detection, over our
previous work.
REFERENCES
[1] K. Issa, B. Saurabh, and B. S. Ness, "LiteWorp: Detection and
Isolation of the Wormhole Attack in Static Multihop Wireless
Networks," The International Journal of Computer and
Telecommunications Networking vol. 51, pp. 3750-3772, 2007.
[2] Thaier, Prashant and David. DeWorm: A Simple Protocol to
Detect Wormhole Attacks in Wireless Ad hoc Networks. Third
International Conference on Network and System Security,
2009. Pages 73-80.
[3] B. Milic and M. Malek, “Adaptation of the breadth first search
algorithm for cut-edge detection in wireless multihop
networks,” in Proc. of .ACM MSWiM, 2007.
[4] Y. Hu, A. Perrig, and D. Johnson. Packet leashes: A defense
against wormhole attacks in wireless ad hoc networks. In
Proceedings of INFOCOM, 2003.
[5] L Hu and D. Evans. Using directional antennas to prevent
worm hole attacks. In Proceedings of Network and Distributed
System Security Symposium, 2004.
[6] C. E. Perkins, E. M. Belding-Royer, and S. R. Das. Ad hoc on-
demand distance vector (AODV) routing. RFC 3561, The
Internet Engineering Task Force, Network Working Group,
Jul 2003. http://www.ietf.org/rfc/rfc3561.txt.
[7] D. B. Johnson and D. A. Maltz. Dynamic source routing in ad
hoc wireless networks. In Imielinski and Korth, editors, Mobile
Computing, volume 353, pages 153–181. Kluwer Academic
Publishers, 1996.
[8] D. A. Maltz and D. B. Johnson and Y. Hu. The dynamic
source routing protocol (DSR) for mobile ad hoc networks for
IPv4. RFC 4728, The Internet Engineering Task Force,
Network Working Group, Feb 2007.
http://www.ietf.org/rfc/rfc4728.txt
[9] R. V. Boppana and S. P. Konduru. An adaptive distance vector
routing algorithm for mobile, ad hoc networks. In IEEE
Computer and communications Societies (INFOCOM 2001),
pages 1753–1762, 2001.
[10] N. Song, L. Qian, and X. Li. Wormhole attacks detection in
wireless ad hoc networks: A statistical analysis approach.
Proc. of 19th IEEE International Parallel and Distributed
Processing Symposium, pages 8–15, April 2005.
[11] H. S. Chiu and K. S. Lui. Delphi: wormhole detection
mechanism for ad hoc wireless networks. 1st International
Symposium on Wireless Pervasive Computing, pages 6–11,
January 2006.
[12] I. Khalil, S. Bagchi, and N. B. Shroff. Liteworp: Detection
and isolation of the wormhole attack in static multihop wireless
networks. Computer Networks, 51(13):3750–3772, September
2007.
[13] I. Khalil, S. Bagchi, and N. B. Shroff. Mobiworp: Mitigation
of the wormhole attack in mobile multihop wireless networks.
Securecomm and Workshops 2006, pages 1–12, August 2006.
[14] Sun Choi, Doo-yong, Do-hyeon, Jae-il: WAP: Wormhole
Attack Prevention Algorithm in Mobile Ad Hoc Networks.
IEEE International Conference on Sensor Networks,
Ubiquitous, and Trustworthy Computing, pages 343-348,
2008.
[15] L.F. Garcia and Jean-Mark Robert: Preventing Layer-3
Wormhole Attacks in Ad-hoc Networks with Multipath DSR.
.8th IFIP Annual Mediterranean Ad hoc Networking
Workshop, 2009.
[16] Marianne Azer, Sherif El-Kassas, Magdy El-Soudani: A Full
Image of the Wormhole Attacks Towards Introducing
Complex Wormholes Attacks in Wireless Ad Hoc Networks.
IJCSIS of Computer Science and Information Security, Vol.
1,No.1,pages 41-51, May 2009