(IJCNS) International Journal of Computer and Network Security, 27
Vol. 2, No. 9, September 2010
A Mechanism for detecting Wormhole Attacks on
Wireless Ad Hoc Network
Ajit Singh1, Kunwar Singh Vaisla2
1
Department of CSE, VCT Kumaon Engineering College
Dwarahat, District – Almora (Uttarakhand), India
erajit@rediffmail.com
1
Department of CSE, VCT Kumaon Engineering College
Dwarahat, District – Almora (Uttarakhand), India
vaislaks@rediffmail.com
Abstract: A wireless ad hoc network is an autonomous system
of mobile hosts connected by wireless links. The nodes are free
to move randomly and organize themselves arbitrarily; thus
network’s topology may change rapidly and unpredictably.
Unlike traditional wireless network, ad hoc network do not rely
on any fixed infrastructure. Instead, hosts rely on each other to
keep the network connected. One main challenge in the design
of these networks is their vulnerability to security attacks. Ad
hoc networks are vulnerable due to their fundamental
characteristics, such as open medium, dynamic topology,
distributed cooperation and constraint capability. Routing plays
an important role in security of ad-hoc network. In Ad hoc
network, there are mainly two kinds of routing protocols:
proactive routing protocol and on demand routing protocol. In
general, routing security in wireless ad hoc network appears to
be a problem that is not trivial to solve.
In this paper, we introduce the wormhole attack, a severe attack
in ad hoc networks that is particularly challenging to defend
against. The wormhole attack is possible even if the attacker has
not compromised any hosts and even if all communication
provides authenticity and confidentiality. In the wormhole
attack, an attacker receives packets at one point in the network,
“tunnels” them to another point in the network, and then
replays them into the network from that point. The wormhole
attack can form a serious threat in wireless networks, especially
against many ad hoc network routing protocols and location-
based wireless security systems. For example, most existing ad
hoc network routing protocols, without some mechanism to
defend against the wormhole attack, would be unable to find
routes longer than one or two hops, severely disrupting
communication. We present a technique to identify wormhole
attacks in wireless ad hoc network and a solution to discover a
safe route avoiding wormhole attack. It is time based calculation
which requires minimal calculation.
Keywords: Ad hoc Networks, Wormholes.
1. Introduction
Ad hoc networks consist of wireless nodes that communicate
with each other in the absence of a fixed infrastructure.
These networks are envisioned to have dynamic, sometimes
rapidly changing, random, multi-hop topologies, which are
likely composed of relatively bandwidth-constrained
wireless links. In such a network, each mobile node operates
not only as a host but also as a router, forwarding packets
for other mobile nodes in the network that may not be
within direct wireless transmission range of each other.
Each node participates in an ad hoc routing protocol that
allows it to discover “multi-hop” paths through the network
to any other node. The idea of ad hoc networking is
sometimes also referred to as “infrastructure less
networking”, since the mobile nodes in the network
dynamically establish routing among themselves to form
their own network on the fly. Due to the limited
transmission range of wireless networks interfaces, multiple
network hops may be needed for one node to exchange data
with another across the network.[1] Ad hoc network
technology can provide an extremely flexible method of
establishing communications in situations where
geographical or terrestrial constraints demand a totally
distributed network system without any fixed based station,
such as battlefields, military applications, and other
emergency and disaster situations.[2]
However, security is an important issue of ad hoc network
especially for security sensitive applications. The intrinsic
nature of wireless ad hoc networks makes them vulnerable
to attacks ranging from passive eavesdropping to active
interfering. There is no guarantee that a routed
communication path between two nodes will be free of
malicious nodes that will, in some way, not comply with the
employed protocol and attempt to interfere the network
operation. Most routing protocol cannot cope with
disruptions due to malicious behavior. For example, any
node could claim that it is one hop away from a given
destination node, causing all routes to that destination to
pass through itself.
In this paper, we introduce the wormhole attack, a severe
attack in ad hoc networks that is particularly challenging to
defend against. The wormhole attack is possible even if the
attacker has not compromised any hosts and even if all
communication provides authenticity and confidentiality. In
the wormhole attack, an attacker receives packets at one
point in the network, “tunnels” them to another point in the
network, and then replays them into the network from that
point. The wormhole attack can form a serious threat in
wireless networks, especially against many ad hoc network
routing protocols and location-based wireless security
systems. For example, most existing ad hoc network routing
protocols, without some mechanism to defend against the
wormhole attack, would be unable to find routes longer than
one or two hops, severely disrupting communication. We
present a technique to identify wormhole attacks in wireless
ad hoc network and a solution to discover a safe route
avoiding wormhole attack.
28
The rest of paper is organized as follows. Section II of this
paper presents the wormhole attacks in details. Section III
studies various solutions to wormhole attack. Section IV
discusses proposed mechanism to prevent ad hoc wireless
network from wormhole attack. Section V concludes paper.
2. Wormhole Attacks
In a wormhole attack, an attacker receives packets at one
point in the network, “tunnels” them to another point in the
network, and then replays them into the network from that
point. For tunneled distances longer than the normal
wireless transmission range of a single hop, it is simple for
the attacker to make the tunneled packet arrive sooner than
other packets transmitted over a normal multihop route, for
example by use of a single long-range directional wireless
link or through a direct wired link to a colluding attacker. It
is also possible for the attacker to forward each bit over the
wormhole directly, without waiting for an entire packet to be
received before beginning to tunnel the bits of the packet, in
order to minimize delay introduced by the wormhole.
The wormhole attack is a particularly dangerous attack
against many ad hoc network routing protocols in which the
nodes that hear a single-hop transmission of a packet
consider themselves to be in range of the sender.
Figure 1. Wormhole attack using out of band Channel
2.1 Classification
There are several ways to classify wormhole attacks.
2.1.1 Depending on whether wormhole nodes put their
identity into packet’s header.[12]
Here we can categorize wormhole attack into two categories:
Hidden Attacks and Exposed Attacks.
In Hidden Attack, Wormhole nodes do not update packets’
headers as they should so other nodes do not realize
existence of them.
In Exposed Attack, wormhole nodes do not modify the
content of packets but they include their identities in the
packet header as legitimate nodes do. Therefore, other nodes
are aware of wormhole nodes’ existence but they do not
know wormhole nodes are malicious.
2.1.2 Based on the techniques used for launching
wormhole attack.[2]
(a) Wormhole using Encapsulation
This mode of the wormhole attack is easy to launch since
the two ends of the wormhole do not need to have any
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
cryptographic information, nor do they need any special
capabilities, such as a high speed wire line link or a high
power source. A simple way of countering this mode of
attack is a by-product of the secure routing protocol ARAN
[10], which chooses the fastest route reply rather than the
one which claims the shortest number of hops. This was not
a stated goal of ARAN, whose motivation was that a longer,
less congested route is better than a shorter and congested
route.
(b) Wormhole using Out-of-Band Channel
This mode of the wormhole attack is launched by having an
out-of-band high-bandwidth channel between the malicious
nodes. This channel can be achieved, for example, by using
a long-range directional wireless link or a direct wired link.
This mode of attack is more difficult to launch than the
previous one since it needs specialized hardware capability.
(c) Wormhole with High Power Transmission
In this mode, when a single malicious node gets a route
request, it broadcasts the request at a high power level, a
capability which is not available to other nodes in the
network. Any node that hears the high-power broadcast,
rebroadcasts it towards the destination. By this method, the
malicious node increases its chance to be in the routes
established between the source and the destination even
without the participation of a colluding node. A simple
method to mitigate this attack is possible if each node can
accurately measure the received signal strength and has
models for signal propagation with distance. In that case, a
node can independently determine if the transmission it
receives is at a higher than allowable power level. However,
this technique is approximate at best and dependent on
environmental conditions. LITEWORP provides a more
feasible defense against this mode.
(d) Wormhole using Packet Relay
In this mode of the wormhole attack, a malicious node
relays packets between two distant nodes to convince them
that they are neighbors. It can be launched by even one
malicious node.
(e) Wormhole using Protocol Deviations
In this mode, a malicious node can create a wormhole by
simply not complying with the protocol and broad casting
without backing off. The purpose is to let the request packet
it forwards arrive first at the destination and it is therefore
included in the path to the destination.
3. Solutions To. Wormhole Attacks
Packet Leash [1] is an approach in which some information
in added to restrict the maximum transmission distance of
packet. There are two types of packet leashes: geographic
leash and temporal leash. In geographic leash, when a node
A sends packet to another node B, the node must include its
location information and sending time into the packet. B
can estimate the distance between them. The geographic
leash computes an upper bound on the distance, whereas the
temporal leash ensures that packet has an upper bound on
its lifetime. In temporal leashes, all nodes must have tight
time synchronization. The maximum difference between any
 (IJCNS) International Journal of Computer and Network Security, 29
two nodes’ clocks is bounded by Δ, and this value should be
known to all the nodes. By using metrics mentioned above,
each node checks the expiration time in the packet and
determine whether or not wormhole attacks have occurred.
If packet receiving time exceed the expiration time, the
packet is discarded.
Capkun et al. [7] presented SECTOR, which does not
require any clock synchronization and location information,
by using Mutual Authentication with Distance-Bounding
(MAD). Node estimates the distance to another node in its
transmission range by sending it one-bit challenge, which
responds to instantaneously. By using the time of flight,
detects whether or not is neighbor or not. However, this
approach uses special hardware that can respond to one-bit
challenge without any delay as Packet leash is.
The Delay per Hop Indicator (DelPHI) [9] proposed by
Hon Sun Chiu and King-Shan Lui, can detect both hidden
and exposed wormhole attacks. In DelPHI, attempts are
made to find every available disjoint route between sender
and receiver. Then, the delay time and length of each route
are calculated and the average delay time per hop along
each route is computed. These values are used to identify
wormhole. The route containing wormhole link will have
greater Delay per Hop (DPH) value. This mechanism can
detect both types of wormhole attack; however, it cannot
pinpoint the location of wormhole. Moreover, because the
lengths of the routes are changed by every node, including
wormhole nodes, wormhole nodes can change the route
length in certain manner so that they cannot be detected.
Hu and Evans [6] use directional antennas to prevent
the wormhole attack. To thwart the wormhole, each node
shares a secret key with every other node and maintains an
updated list of its neighbors. To discover its neighbors, a
node, called the announcer, uses its directional antenna to
broadcast a HELLO message in every direction. Each node
that hears the HELLO message sends its identity and an
encrypted message, containing the identity of the announcer
and a random challenge nonce, back to the announcer.
Before the announcer adds the responder to its neighbor list,
it verifies the message authentication using the shared key,
and that it heard the message in the opposite directional
antenna to that reported by the neighbor. This approach is
suitable for secure dynamic neighbor detection. However, it
only partially mitigates the wormhole problem. Specifically,
it only prevents the kind of wormhole attacks in which
malicious nodes try to deceive two nodes into believing that
they are neighbors.
In [9], another statistical approach called SAM
(Statistical Analysis of Multi-path) was proposed to detect
exposed wormhole attacks in Multi-path routing protocol.
The main idea of the proposed scheme SAM is based on the
observation that certain statistics of the discovered routes by
routing protocols will change dramatically under wormhole
attacks. Because wormhole links are extremely attractive to
routing
requests so it will appear in more routes than normal links.
By doing statistics on the relative frequency of each link
appear in the set of all obtained routes, they can identify
wormhole attacks. This technique is only used to detect
Vol. 2, No. 9, September 2010
exposed attacks. It is unable to detect hidden attacks because
in this kind of attack wormhole links does not appear in
obtained routes.
In [10], the author proposed two statistical
approaches to detect wormhole attack in Wireless Ad Hoc
Networks. The first one called Neighbor Number Test bases
on a simple assumption that a wormhole
will increase the number of neighbors of the nodes (fake
neighbors) in its radius. The base station will get
neighborhood information from all sensor nodes, computes
the hypothetical distribution of the number of neighbors and
uses statistical test to decide if there is a wormhole or not.
The second one called
All Distance Test detects wormhole by computing the
distribution of the length of the shortest paths between all
pairs of nodes. In these two algorithms, most of the
workload is done in the base station to save sensor nodes’
resources. However, one of the major drawbacks is that they
can not pinpoint the location of wormhole which is
necessary for a successful defense.
Possible solutions to wormhole attacks proposed by different
researchers are discussed in this section. The detection of
wormhole attacks that does not need any special hardware
and additional information is proposed in this paper.
4. Proposed Detection Mechanism
In this section the proposed wormhole detection mechanism
is discussed in detail. This mechanism does not need any
special hardware or synchronized clocks because it only
considers its local clock to calculate the RTT.
4.1 Network model and assumptions
The network is assumed to be homogeneous (all network
nodes contain the same hardware and software
configuration), static (network do not move after
deployment), and Symmetric (Node A can only
communicate with node B if and only if B can communicate
with A). All nodes are uniquely identified.
To make detection, it is based on the RTT of the
message between successive intermediate nodes. The
consideration is that RTT between two fake neighbors or
two wormhole links will be considerable higher than that
between two real neighbors.
This proposed mechanism consists of two phases. The first
phase is to find route between source and destination. In
Second phase, it calculates the RTT of all intermediate
nodes and detect wormhole link in route.
4.2 Phase 1: Route Finding
In the first phase, node sends the route request (RREQ)
message to the neighbor node and save the time of its RREQ
sending TREQ. The intermediate node also forwards the
RREQ message and saves
TREQ of its sending time. When the RREQ message
reaches the destination node, it sends route reply message
(RREP) with the reserved path. When the intermediate node
receives the RREP message, it saves the time of receiving of
30
RREP. The assumption is based on the RTT of the route
request and reply. The RTT can be calculated as
RTT= TREP – TREQ ………….. (1).
All intermediate nodes save this information and then send
it also to the source node.
4.3 Phase 2: Wormhole Attack Detection
In this phase, the source node calculates the RTT of all
intermediate nodes since wormhole attack launched by
adversary intermediate nodes there is no need to calculate
RTT between source to first node and last node to
destination. It calculates the RTT of successive intermediate
nodes and compares the value to check whether the
wormhole attack can be there or not. If there is no attack,
the values of them are nearly the same. If the RTT value is
higher than other successive nodes, it can be suspected as
wormhole attack between this link. In this way the
mechanism can pinpoint the location of the wormhole
attack.
Figure 2. Time of forwarding RREQ & receiving RREP.
4.4 Calculation of RTT
In this subsection, the detailed calculation of the RTT is
discussed. The value of RTT is considered the time
difference between a node receives RREP from a destination
to it send RREQ to the destination. During route setup
procedure, the time of sending RREQ and receiving RREP
is described in Figure 2. In this case, every node will save
the time they forward RREQ and the time they receive
RREP from the destination to calculate the RTT and send
these values to source node. The source node is in charge of
calculating all RTT values between intermediate nodes
along the established route.
Given all RTT values between nodes in the route and
the destination, RTT between two successive nodes, say A
and B, can be calculated as follows:
RTTA,B = RTTA – RTTB …………….. (2).
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 9, September 2010
Where RTTA is the RTT between node A and the
destination, RTTB is the RTT between node B and the
destination.
For example, the route from source (S) to destination (D)
pass through node A, and B so which routing path includes:
S → A → B → K→L→D
whereas T(S)REQ, T(A)REQ, T(B)REQ , T(K)REQ,
T(L)REQ, T(D)REQ is the time the node S, A, B, K, L, D
forward RREQ and (S)REP, T(A)REP, T(B)REP, T(K)REP
, T(L)REP ,T(D)REP is the time the node S, A, B, K, L, D
forward REP.
Then the RTT between S, A, B, K, L and D will be
calculated based on equation (1) as follows:
RTTA = T(A)REP – T(A)REQ
RTTB = T(B)REP – T(B)REQ
RTTK = T(K)REP – T(K)REQ
RTTL = T(L)REP – T(L)REQ
And the RTT values between two successive intermediate
nodes along the path will be calculated based on equation
(2):
RTTA,B = RTTA – RTTB
RTTB,K = RTTB – RTTD
RTTK,L = RTTB – RTTD
Under normal circumstances, RTTA,B RTTB,K RTTK,L
are similar value in range. If there is a wormhole line
between two nodes, the RTT value may considerably higher
than other successive RTT values and suspected that there
may be a wormhole link between these two nodes.
Compare to another RTT based technique[12] our technique
has lesser number of calculations. Our technique is based on
the fact that wormhole attack is launched by intermediate
nodes therefore there is no need to calculate RTT between
source node to first node and RTT between last node to
destination node. By doing so, we can reduce number of
calculations which in turn speed up the wormhole attack
detection process.
5. Conclusions
In this paper, we have introduced the wormhole attack, a
powerful attack that can have serious consequences on many
proposed ad hoc network routing protocols. The
countermeasures for the wormhole attack can be
implemented at different layers. For example, directional
antennas are used at the media access layer to defend
against wormhole attacks, and packet leashes are used at a
network layer. To detect and defend against the wormhole
attack, we proposed an efficient mechanism based on the
RTT of the route message. The significant feature of the
propose mechanism is that it does not need any specific
hardware to detect the wormhole attacks and it also reduces
number of RTT calculations. Our mechanism is better than
 (IJCNS) International Journal of Computer and Network Security, 31
Vol. 2, No. 9, September 2010

other RTT based mechanisms since it re-quires lesser Authors Profile

number of calculations to detect wormhole attacks.
References
[1] B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru,
and H Rubens, “Mitigating Byzantine Attacks in Ad
Hoc Wireless Networks,” Department of Computer
Science, Johns Hopkins University, Tech. Rep. Version
1, March 2004
[2] Levente Buttyán, László Dóra, István Vajda: Statistical
Wormhole Detection in Sensor Networks. Second
European Workshop on Security and Privacy in Ad Hoc
and Sensor Networks (ESAS 2005) Visegrád, Hungary,
July 13-14, 2005: 128-141
[3] S. Capkun, L. Buttyán, and J.-P. Hubaux, SECTOR:
Secure Tracking of Node Encounters in Multi-hop
Wireless Networks,” in Proceedings of the 1st ACM
workshop on Security of ad hoc and sensor networks
(SASN 03), pp.2132, 2003.
[4] L. Hu and D. Evans, “Using Directional Antennas to
Prevent Wormhole attacks,” in Network and Distributed
System Security Symposium, 2004.
Ajit Singh is currently working as
Associate Professor in Dept. of Computer
Science & Engineering, VCT Kumaon
Engineering College, Dwarahat (Almora),
India. He is having around 11 year teaching
experience. His area of Interest is Artificial
Intelligence.
K. S. Vaisla received the Graduate and Post
Graduate degrees from University of
Rajasthan, Jaipur in 1994 and 1998,
respectively. Presently he is working as
Associate Professor (Computer Science &
Engineering) in Kumaon Engineering
College (A Govt. Autonomous College),
Dwarahat (Almora) – Uttarakhand.
Interested field of research are ICT impact on
G2C of e-Governance, Data Warehouse and Mining, Complex /
Compound Object Mining, IBIR. Authored many research papers
in International / national journals/conferences in the field of
computer science and also many books in reputed publishing
house.

[5] L. Hu and D. Evans, “Using Directional Antennas to

Prevent Wormhole attacks,” in Netwotrk and
Distributed System Security Symposium, 2004
[6] Y. Hu, A. Perrig, and D. Johnson,“Packet leashes: A
defense against wormhole attacks in wireless
networks.,” in INFOCOM, 2003.
[7] Issa Khalil, Saurabh Bagchi, and Ness B. Shroff,
“Liteworp: A lightweight countermeasure for the
wormhole attack in multihop wire-less networks.,” in
DSN, 2005, pp. 612–621.
[8] Lijun Qian, Ning Song, and Xiangfang Li. Detecting
and locating wormhole attacks in Wireless Ad Hoc
Networks through statistical analysis of multi-path.
IEEE Wireless Communications and Networking
Conference -WCNC 2005.
[9] Hon Sun Chiu King-Shan Lui, DelPHI:
WormholeDetection Mechanism for Ad Hoc Wireless
Networks, International Symposium on Wireless
Pervasive Computing ISWPC 2006.
[10] T. V. Phuong, Ngo Trong Canh: Transmission
Time-based Mechanism to Detect Wormhole Attacks.
IEEE Asia-Pacific Services Computing Conference
2007.
[11] V. T. Phuong, Le Xuan Hung, Young-Koo Lee,
Heejo Lee, Sungyoung Lee, TTM: An Efficient
Mechanism to Detect Wormhole Attacks in Wireless
Ad-hoc Networks, Wireless Sensor Network Track at
IEEE Consumer Communications and Networking
Conference (CCNC), Las Vegas, USA, Jan 11-13, 2007.
[12] J. Zhen and S. Srinivas. Preventing replay attacks
for secure routing in ad hoc networks. Proc. of 2nd Ad
Hoc Networks & Wireless (ADHOCNOW' 03), pp.
140--150, 2003.