Defending AODV Routing Protocol Against the Black Hole Attack

(IJCSIS) International Journal of Computer Science and Information Security, Vol. 08, No. 2, 2010, pp. 112-117. ISSN 1947-5500. http://sites.google.com/site/ijcsis/

Fatima Ameza, Nassima Assam, Rachid Beghdad
Department of computer sciences, University of Bejaia, 06000, Algeria.

Abstract—In this paper we propose a simple method to detect Black hole attacks in the Ad hoc On Demand Distance Vector (AODV) routing protocol. Many previous works focused on authentication and cryptographic techniques; nevertheless these techniques suffer from some weaknesses. In fact, this kind of solution is only a first line of defense, which should be completed by an intrusion detection system as a second line. The second line proposed here consists of including the source route in the header of the control packets (RREQ). In addition, any intermediate node records the sequence number of the destination. Thus, if the packet is compromised, the destination node can easily retrieve the address of the attacker. To secure RREP packets, any intermediate node records the addresses of the nodes to which it forwards the RREQ. Thus, any node receiving a RREP can check whether the sender is legitimate or not. Simulation results show the robustness of our protocol: it delivers a high ratio of data and incurs a lower route establishment delay.

Keywords: AODV routing protocol; Black hole attacks; Intrusion detection; Reactive routing protocols; Wireless ad hoc networks.

I. INTRODUCTION

Wireless networks are inherently susceptible to security problems. Intrusion on the transmission medium is easier than for wired networks, and it is possible to conduct denial of service attacks by scrambling the used frequency bands. The ad hoc context increases the number of potential security vulnerabilities. Because they are by definition without infrastructure, ad hoc networks cannot benefit from the security services offered by dedicated equipment (firewalls, authentication servers, etc.). The security services must be distributed, cooperative and consistent with the available bandwidth. Routing also poses specific problems: each node in the network can serve as a relay and is able to capture or divert traffic in transit. The work presented here is in this context.

We address here the problem of securing the AODV routing protocol against the Black Hole attack. During routing in a mobile ad hoc network (MANET), if no control is done on the origin and integrity of the routing messages of the network, a malicious node can easily cause disturbances. This is all the easier because wireless ad hoc networks have no physical barrier to protect themselves and all elements can potentially participate in the routing mechanism. If a malicious node has the ability to compromise a valid network node, it can, during the discovery process, respond to the route initiator node with a route reply message announcing a minimal cost path to the target node. The transmitter node will then update its routing table with the wrong information. The data packets of the transmitter node will be relayed to the target node by the malicious node, which can simply ignore them. This attack is called a "black hole": the packets are picked up and absorbed by the malicious node. This is an example of an attack that may occur in a wireless ad hoc network routing protocol.

The first approach to securing the AODV protocol was made by Zapata with his Secured AODV (SAODV). In a second publication the protocol is presented in greater detail. SAODV, which is based on public key cryptography, extends the AODV message format to include security parameters for securing the routing messages. Adaptive Secure AODV (A-SAODV) is a prototype implementation of SAODV, based on the AODV-UU implementation by Uppsala University. Unlike AODV-UU, A-SAODV is a multithreaded application: cryptographic operations are performed by a dedicated thread to avoid blocking the processing of other messages. SecAODV is a secure routing protocol whose implementation is similar to that of Bootstrapping Security Associations for Routing in Mobile Ad hoc Networks (BSAR) and Secure Bootstrapping and Routing in an IPv6-based ad hoc network (SBRP) for DSR. SecAODV is a distributed algorithm designed for MANETs under IPv6; it does not require a trust relationship established between pairs of nodes, synchronization between nodes, a shared key or any other secure association between nodes. M. Al-Shurman et al. propose two solutions to the Black Hole attack. In the first solution the transmitter is required to authenticate the node that sent the route reply packet (RREP). The idea here is to wait for the arrival of the RREP packet from more than one node, until a safe route is identified. In the second solution, each packet in the network must have a unique sequence number, and the following packet must have a sequence number greater than the one of the current packet. Each node records the sequence number of the packet and uses it to check whether the received packet is sent by the same node or not. C. Tseng et al. propose a solution based on specification-based intrusion detection to detect attacks on AODV: their approach is to model the behavior of AODV by a finite state machine in order to detect violations of the protocol specification.

In this article we present an approach for defending the AODV protocol against Black Hole attacks. Our first main idea is to include the source route in the header of the RREQ control packets. In addition, any intermediate node records the sequence number of the destination. Thus, if the packet is compromised, the destination node can easily retrieve the address of the attacker. On the other hand, each node forwarding a RREQ packet records the addresses of its successors in a local table. Thus, it can check whether the sender of the received RREP packet is legitimate or not.

The remainder of the paper is organized as follows: Section 2 presents briefly the AODV protocol. Attacks against AODV are described in Section 3; we especially detail the Black hole attack in this section. Our approach is described in detail in Section 4. Section 5 presents simulation results. Finally, Section 6 concludes the paper.

II. THE AODV PROTOCOL

AODV (Ad-hoc On-demand Distance Vector) is a loop-free routing protocol for ad-hoc networks. It is designed to be self-starting in an environment of mobile nodes, withstanding a variety of network behaviors such as node mobility, link failures and packet losses.

At each node, AODV maintains a routing table. The routing table entry for a destination contains three essential fields: a next hop node, a sequence number and a hop count. All packets destined to the destination are sent to the next hop node. The sequence number acts as a form of time-stamping, and is a measure of the freshness of a route. The hop count represents the current distance to the destination node.

In AODV, nodes discover routes in request-response cycles. A node requests a route to a destination by broadcasting an RREQ message to all its neighbors. When a node receives an RREQ message but does not have a route to the requested destination, it in turn broadcasts the RREQ message. It also remembers a reverse route to the requesting node, which can be used to forward subsequent responses to this RREQ. This process repeats until the RREQ reaches a node that has a valid route to the destination. This node (which can be the destination itself) responds with an RREP message. This RREP is unicast along the reverse routes of the intermediate nodes until it reaches the original requesting node. Thus, at the end of this request-response cycle a bidirectional route is established between the requesting node and the destination. When a node loses connectivity to its next hop, the node invalidates its route by sending an RERR to all nodes that potentially received its RREP. On receipt of the three AODV messages (RREQ, RREP and RERR), the nodes update the next hop, sequence number and hop count of their routes in such a way as to satisfy the partial order constraint mentioned above.

III. ATTACKS AGAINST AODV

Attacks against AODV can be classified in two classes:

- Passive attacks: In a passive attack, the attacker does not disturb the routing process but only attempts to discover valuable information by listening to the routing traffic. The major advantage for the attacker in passive attacks is that in a wireless environment the attack is usually impossible to detect. This also makes defending against such attacks difficult. Furthermore, routing information can reveal relationships between nodes or disclose their IP addresses. If a route to a particular node is requested more often than to other nodes, the attacker might expect that the node is important for the functioning of the network, and disabling it could bring the entire network down.

- Active attacks: These attacks involve actions performed by adversaries, for instance the replication, modification and deletion of exchanged data. The goal may be to attract packets destined to other nodes to the attacker for analysis, or just to disable the network. A major difference in comparison with passive attacks is that an active attack can sometimes be detected.

The following is a list of some types of active attacks that can usually be easily performed against the AODV protocol.

Black hole: In the black hole attack, a malicious node uses the routing protocol to advertise itself as having the shortest path to the node whose packets it wants to intercept.

Black hole attack against RREQ packets: As said before (Section 2), the sequence number of a packet acts as a form of time-stamping, and is a measure of the freshness of a route. Indeed, the node having the higher sequence number to reach a given destination node D will be considered as the one having the shorter route to D. So, on receipt of the RREQ packet, the attacker will simply set the sequence number to the highest possible value. In this case, this malicious device will be able to insert itself between the communicating nodes, and will be able to do anything with the packets passing between them.

Black hole attack against RREP packets: Similarly, on receipt of a RREP from the legitimate destination node D, the malicious node M will set the sequence number of this packet to the highest possible value. Consequently, all the intermediate nodes between M and the source node will forward the message of the malicious node.

Wormhole: In the wormhole attack, an attacker records packets (or bits) at one location in the network, tunnels them to another location, and retransmits them there into the network. The wormhole attack is possible even if the attacker has not compromised any hosts and even if all communication provides authenticity and confidentiality. The wormhole attack can form a serious threat in wireless networks, especially against many ad hoc network routing protocols and location-based wireless security systems.

Rushing attack: This kind of attack is a malicious attack that is targeted against on-demand routing protocols that use duplicate suppression at each node, like AODV. An attacker disseminates RREQs quickly throughout the network, suppressing any later legitimate RREQs when nodes drop them due to the duplicate suppression. Thus the protocol cannot set up a route to the desired destination.

Spoofing: By masquerading as another node, a malicious node can launch many attacks in a network. This is commonly known as spoofing. Spoofing occurs when a node misrepresents its identity in the network, such as by altering its MAC or IP address in outgoing packets. Spoofing combined with packet modification is a really dangerous attack.

Routing table overflow: In a routing table overflow attack the attacker attempts to create routes to nonexistent nodes. The goal is to create enough routes to prevent new routes from being created or to overwhelm the protocol implementation. Proactive routing algorithms attempt to discover routing information even before it is needed, while a reactive algorithm creates a route only once it is needed. This property appears to make proactive algorithms more vulnerable to table overflow attacks: an attacker can simply send excessive route advertisements to the routers in a network. Reactive protocols, on the other hand, do not collect routing data in advance. For example, in AODV two or more malicious nodes would need to cooperate to create false data efficiently: one node requests routes and the other one replies with forged addresses.

IV. OUR APPROACH

We call our approach AODV-SABH (AODV Secured Against Black Hole attack). It secures both the RREQ and the RREP packets.

Securing RREQ packets: To secure RREQ packets we propose to add two fields to the RREQ packet. The first field is used to include the list of the addresses of all the intermediate nodes between the source and the destination, in order to detect the address of the attacker. On the other hand, each node uses the second field to record the sequence number of the destination node that it knows. On receipt of the RREQ packet, the destination node D compares its own sequence number (SN_D) to the one of the received packet. If the sequence number of the received packet is greater than SN_D, then the packet is rejected; D uses the first added field in the packet to find the intruder, and alerts the other nodes.

For example, the graph of figure 1 represents a network where the node A requests a route to node D. It sends a RREQ packet having a sequence number equal to 30. On receipt of this packet, the malicious node M sets the sequence number to 1000. On receipt of the packet of node A, node B sets the sequence number to 60. Finally, the destination node D focuses on the message of M, thinking that this node has the freshest route to the source node A. D will then send a RREP message to A via the node M.

[Figure 1 (diagram not reproduced): nodes A, B, M and D. A sends RREQ<A, D, 30>; B forwards it as RREQ<B, D, 60>; M forwards it as RREQ<M, D, 1000>; D answers with a RREP via M.]
Fig. 1. Example of Black hole attack on RREQ packets.

Using AODV-SABH, the node D detects that node M is malicious: it rejects its packet and sends a RREP packet to the source node A via the legitimate node B (see figure 2). Indeed, SN_D is really equal to 60, but the sequence number of the packet of M is equal to 1000 (!).

[Figure 2 (diagram not reproduced): same nodes. A sends RREQ<A, D, 30>; B forwards RREQ<A, B, D, 60>; M forwards RREQ<A, M, D, 1000>; D answers with a RREP via B.]
Fig. 2. Using AODV-SABH to detect the malicious node.

Securing RREP packets: To secure RREP packets, every node records in a local table the addresses of all nodes to which it forwards the RREQ packet. To do that, every node receiving a RREQ packet during the route discovery process must send its address to the sender. So, when a node receives a RREP packet, it can check whether the address of the sender belongs to its local table or not. If the address of the sender of the RREP does not match any address recorded in its local table, then the receiving node concludes that the sender is a malicious node. So, it rejects the packet and alerts the other nodes.
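As an added illustration (not the authors' ns-2 code), the Python model below plays the scenario of figures 1 and 2 through the two AODV-SABH checks: the destination rejects the RREQ whose carried sequence number exceeds SN_D and reads the intruder from the route list, and a node rejects a RREP handed to it by a neighbour to which it never forwarded the RREQ. The node names, the value 1000 and the sequence numbers 30 and 60 are those of the figures; the class and function names are mine, and the successor table is filled directly by the forwarding node rather than by the receivers sending their addresses back as the paper describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_SEQ = 1000  # the "highest possible value" the black hole writes into the RREQ (Fig. 1)


@dataclass
class RREQ:
    src: str                                        # route requester (A)
    dst: str                                        # requested destination (D)
    dest_seq: int                                   # added field 2: destination SN known by the last hop
    route: List[str] = field(default_factory=list)  # added field 1: source route walked so far


@dataclass
class RREP:
    dst: str                    # destination that answered
    reverse_route: List[str]    # hops the RREP walks back over, destination excluded


class Node:
    def __init__(self, name: str, own_seq: int = 0,
                 known_seq: Optional[Dict[str, int]] = None, malicious: bool = False):
        self.name = name
        self.own_seq = own_seq                  # SN_D when this node is the destination
        self.known_seq = dict(known_seq or {})  # freshest SN this node knows per destination
        self.malicious = malicious              # black hole behaviour (node M in Fig. 1)
        self.successors: Set[str] = set()       # local table: nodes this node forwarded RREQs to
        self.alerts: List[str] = []

    def send_rreq(self, dst: str, next_hops: List[str]) -> RREQ:
        """Source: open the route list with its own address, carry the SN it knows for dst."""
        self.successors.update(next_hops)
        return RREQ(self.name, dst, self.known_seq.get(dst, 0), [self.name])

    def forward_rreq(self, rreq: RREQ, next_hop: str) -> RREQ:
        """Intermediate hop: append own address, refresh the SN field, record the successor."""
        fwd = RREQ(rreq.src, rreq.dst, rreq.dest_seq, rreq.route + [self.name])
        if self.malicious:
            fwd.dest_seq = MAX_SEQ              # black hole: claim the freshest route to dst
        else:
            fwd.dest_seq = max(fwd.dest_seq, self.known_seq.get(rreq.dst, 0))
        self.successors.add(next_hop)
        return fwd

    def receive_rreq_as_destination(self, rreq: RREQ) -> Optional[RREP]:
        """AODV-SABH check: no honest path carries a SN above SN_D; the intruder is read
        from the route list (in Fig. 1 it is the hop that delivered the inflated SN)."""
        if rreq.dest_seq > self.own_seq:
            self.alerts.append(f"{self.name}: RREQ rejected, intruder {rreq.route[-1]} "
                               f"(carried SN {rreq.dest_seq} > SN_D {self.own_seq})")
            return None
        return RREP(self.name, list(reversed(rreq.route)))

    def receive_rrep(self, rrep: RREP, sender: str) -> bool:
        """AODV-SABH RREP check: accept only if the previous hop is in the successor table."""
        if sender not in self.successors:
            self.alerts.append(f"{self.name}: RREP from {sender} rejected, "
                               f"not in successor table {sorted(self.successors)}")
            return False
        return True


def run_fig1_scenario() -> dict:
    """Constructed topology of Fig. 1 / Fig. 2: A-B-D and A-M-D, with M the black hole."""
    A = Node("A", known_seq={"D": 30})
    B = Node("B", known_seq={"D": 60})
    M = Node("M", malicious=True)
    D = Node("D", own_seq=60)

    rreq = A.send_rreq("D", next_hops=["B", "M"])   # RREQ<A, D, 30>
    via_b = B.forward_rreq(rreq, "D")               # RREQ<A, B, D, 60>
    via_m = M.forward_rreq(rreq, "D")               # RREQ<A, M, D, 1000>
    rrep_m = D.receive_rreq_as_destination(via_m)   # rejected, M identified
    rrep_b = D.receive_rreq_as_destination(via_b)   # accepted, RREP walks back D -> B -> A
    ok_b = B.receive_rrep(rrep_b, sender="D")       # D is in B's successor table
    ok_a = A.receive_rrep(rrep_b, sender="B")       # B is in A's successor table
    # A RREP handed to B by M: B never forwarded a RREQ to M, so B rejects it and alerts.
    forged_accepted = B.receive_rrep(RREP("D", ["B", "A"]), sender="M")

    return {
        "rreq_via_m_rejected": rrep_m is None,
        "intruder": via_m.route[-1],
        "rrep_path": [hop for hop, ok in (("B", ok_b), ("A", ok_a)) if ok],
        "forged_rrep_accepted": forged_accepted,
        "alerts": D.alerts + B.alerts,
    }
```

The returned `alerts` list holds the two detections of the figures: D naming M after the inflated RREQ, and B refusing the RREP that M tried to hand it.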
V. SIMULATIONS

A. Simulation parameters

For our simulations we used the Network Simulator 2 (ns-2). Our simulations consist of 20 nodes evolving in a region of 950 m × 950 m during 100 seconds. Transmission range is set to 250 meters. The random waypoint movement model is used and the maximum movement speed is 12 m/s. Packets among the nodes are transmitted with a constant bit rate (CBR) of one packet per second, and the size of each packet is 512 bytes.

In these simulations we used the following evaluation metrics:

Packet delivery ratio (PDR): The percentage of data packets delivered to the destination with respect to the number of packets sent. This metric shows the reliability of data packet delivery.

Control traffic: This metric informs us about the amount of control packets generated by the protocol for the search, the establishment and the maintenance of routes.

Route establishment delay (RED): This parameter shows us the time needed for the creation of a route by a source node; it is computed in milliseconds.

B. Simulation results

All the results described here are mean values of 50 experiments. Firstly, the aim of our simulation is to study the effect of the black hole attack on both the AODV and AODV-SABH protocols. By varying the number of source nodes from 10 to 15, this first experiment shows the impact of this parameter on the PDR. The following graph illustrates the results.

[Figure 3 (plot not reproduced): PDR versus number of source nodes; the legend includes "AODV under attack".]
Fig. 3. The impact of the number of source nodes on the PDR.

According to figure 3, we can conclude that AODV-SABH outperforms the AODV protocol in terms of PDR. This is mainly due to the fact that our protocol detects the attacker and allows the source nodes to avoid it. By avoiding the attacker, our protocol finds shortest paths, and so delivers more packets. On the other hand, the PDR decreases in the case of AODV that is subject to an attack. This is due to the fact that the number of correctly received packets is much smaller than the number of transmitted packets. Indeed, as the number of source nodes increases, the probability of intrusion increases, and the malicious node absorbs all the data packets passing through it.

In the following experiment we look at the impact of node mobility on the PDR, in the case of AODV and AODV-SABH. We vary the movement speed of nodes from 8 to 12 m/s and use 5 source nodes.

[Figure 4 (plot not reproduced): PDR versus movement speed; the legend includes "AODV under attack".]
Fig. 4. The impact of the nodes mobility on the PDR.

According to figure 4, we can conclude that AODV-SABH outperforms AODV under attack in terms of PDR while varying the movement speed of nodes. Even though AODV-SABH detects attackers and rejects compromised control packets, it behaves like a safe AODV (it reaches the same PDR values as AODV). In this case, the PDR decreases slightly (from 99% to 98%) when the speed increases. In fact, when the speed increases, links between nodes may break and the source nodes must re-run the route discovery process to establish new routes. In this case, there will be more control packets transmitted and fewer data packets. The PDR of AODV that is subject to an attack decreases when the movement speed of nodes increases. This is justified by the fact that when the mobility of nodes increases, the network topology changes frequently, and hence the links are broken, forcing source nodes to re-run the route discovery process. Consequently, the attacker can easily exploit these new phases of route discovery to insert itself between legitimate nodes and do anything with the received packets.

In the next experiment we want to compute the cost of route discovery, while using 5 source nodes, by computing the number of control packets needed to establish a route. To do this, we computed the number of control packets (RREQ/RREP) according to the movement speed of nodes and the number of malicious nodes (from 1 to 9) in the network.

[Figure 5 (plot not reproduced): number of control packets versus movement speed; the legend includes "AODV under attack".]
Fig. 5. The impact of the nodes mobility on the number of control packets (RREQ/RREP).

According to figure 5, the number of control packets increases whatever the protocol used. The attacked AODV (green graph) produces the lowest number of control packets (RREQ/RREP). In fact, in the absence of any countermeasure against the attacker, all the source nodes believe that their established routes are correct, and do not re-run the route discovery process. If there is no attack against AODV (red graph), we observe that the number of control packets grows with the movement speed of nodes. As said previously, this is due to the fact that links between nodes may break and the nodes must re-run the route discovery process to establish new routes. AODV-SABH produces the highest number of control packets. Indeed, whenever the attacker is detected, this protocol re-runs the route discovery process, and rejects any compromised RREQ or RREP packets. On the other hand, there are 5 source nodes, so there are more control packets to manage. In addition, the nodes are moving, so the risk of broken links increases, and then the source nodes must restart the route discovery process.

[Figure 6 (plot not reproduced): number of control packets versus number of malicious nodes.]
Fig. 6. The impact of the number of malicious nodes on the number of control packets (RREQ/RREP).

According to figure 6, the number of control packets decreases when the number of malicious nodes increases in the case of AODV-SABH. This can be explained by the fact that our protocol detects the intruders and does not transmit any RREP packet if the received RREQ is compromised. We can also conclude that if 6 nodes among the 20 composing the network are malicious, they can compromise the whole network, and our protocol is not efficient in this case: the source nodes believe that their established routes are correct and do not request new routes.

Finally, the following experiment shows the impact of the number of nodes on the RED.

[Figure 7 (plot not reproduced): route establishment delay versus number of nodes; the legend includes "AODV under attack".]
Fig. 7. The impact of the number of nodes on the route establishment delay.

Figure 7 shows that AODV-SABH behaves like AODV (without attack). Indeed, the two protocols reach the same RED values while varying the number of nodes. When the number of nodes increases, the nodes are closer to each other, and the route establishment delay is lower. In the case of the attacked AODV (without any countermeasure), the delay is constant even if the number of nodes increases. This is mainly due to the fact that the whole network is compromised and source nodes do not request new routes.

VI. CONCLUSION

An efficient and simple approach for defending the AODV protocol against Black Hole attacks is proposed. Our main contribution consists of including the source route in the header of the control messages. Indeed, each intermediate node receiving a RREQ packet adds its own address to the message. After that, it sends it to its successors. In addition, any node must include in such a packet the sequence number of the destination. Thus, when the destination node receives the RREQ packet, it checks whether its own sequence number is less than the one included in the packet. If it is, it concludes that there is an attack, and can find the address of the intruder by consulting the list of addresses in the RREQ packet. On the other hand, to secure RREP packets, every node sending a RREQ must record the addresses of its receivers in a local table. So, when it receives a RREP packet, it can check whether the address of the sender is included in this table or not. Any compromised packet is rejected and the detecting node alerts the other nodes in the network. In this case, source nodes must request new routes to reach the destination.

As future work we will focus on securing AODV against the other known attacks. We will also focus on resolving the problem of multiple attacks against AODV. After that we will implement robust software to detect and counter any intruder.

REFERENCES

1. M. G. Zapata, "Secure ad-hoc on-demand distance vector (SAODV) routing," ftp://manet.itd.nrl.navy.mil/pub/manet/2001-10.mail, October 2001.
2. M. G. Zapata and N. Asokan, "Securing ad-hoc routing protocols," in Proceedings of the 2002 ACM Workshop on Wireless Security, pp. 1-10, Sept. 2002.
3. D. Cerri and A. Ghioni, "Securing AODV: The A-SAODV Secure Routing Prototype," IEEE Communications Magazine, Vol. 42(2), pp. 120-125, 2008.
4. A. J. Michaele, I. Karygiannis, T. Anand et al., "Secure Routing and Intrusion Detection in Ad Hoc Networks," in Proceedings of the 3rd International Conference on Pervasive Computing and Communications (PerCom 2005), Kauai Island, Hawaii, 2005.
5. V. R. G. Bobba, L. Eschenauer and W. Arbaugh, "Bootstrapping Security Associations for Routing in Mobile Ad Hoc Networks," in Proceedings of GlobeCom'2003, pp. 1511-1515, 2003.
6. J. R. Jiang, Y. C. Tseng and J. H. Lee, "Secure Bootstrapping and Routing in an IPv6-based Ad Hoc Network," ICCP Workshop on Wireless Security and Privacy, pp. 375-390, 2003.
7. M. Al-Shurman et al., "Black Hole Attack in Mobile Ad hoc Networks," in Proceedings of ACMSE'04, pp. 96-97, 2004.
8. C. Tseng, "A Specification-based Intrusion Detection System for AODV," in Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, Fairfax, pp. 125-134, 2003.
9. E. M. Belding-Royer, C. E. Perkins and S. Das, "Ad hoc on demand distance vector (AODV) Routing," IETF Internet draft, draft-ietf-manet-aodv-12.txt, 2002.
10. M. Musuvathi, D. Y. W. Park, A. Chou, D. R. Engler and D. L. Dill, "CMC: A Pragmatic Approach to Model Checking Real Code," in Proceedings of OSDI 2002, pp. 75-88, 2002.
11. Q. Lu, "Vulnerability of Wireless Routing Protocols," internal report, University of Massachusetts Amherst, Dec. 15, 2002.
12. F. Wang, B. Vetter and S. Wu, "Secure Routing Protocols: Theory and Practice," North Carolina State University, May 1997.
13. Y.-C. Hu, A. Perrig and D. B. Johnson, "Ariadne: A secure on-demand routing protocol for ad hoc networks," in Proceedings of the 8th ACM International Conference on Mobile Computing and Networking (MobiCom), pp. 21-38, 2002.
14. K. Sanzgiri, B. Dahill, B. N. Levine, C. Shields and E. M. Belding-Royer, "A secure routing protocol for ad hoc networks," in Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP), pp. 78-87, 2002.
15. www.tcm.hut.fi/Opinnot/Tik-110.501/2000/papers/lundberg.ps

AUTHORS PROFILE

Fatima Ameza obtained her Master degree in computer sciences from the University of Bejaia in 2009. She is currently a PhD student in the RESYD doctoral school of Bejaia university. Her research topic focuses on securing wireless networks.

Nassima Assam obtained her Master degree in computer sciences from the University of Bejaia in 2009.

Rachid Beghdad received his computer science engineer degree in 1991 from the ENITA school of engineers, Algiers, Algeria. He received his Master computer science degree from Clermont-Ferrand University, France, in 1994. He earned his Ph.D. computer science degree from Toulouse University, France, in 1997. He obtained his Habilitation from the University of Constantine in 2010. He is a reviewer for some journals, such as the Advances in Engineering Software journal, Elsevier, UK, the Computer Communications journal, Elsevier, UK, the WESEAS transactions on computer journal, Greece, and the IJCSSE journal, UK. He was also a reviewer for the CCCT'04, CCCT'05, CCCT'09 and CCCT'10 International Conferences, USA. His main current interest is in the area of computer communication systems, including intrusion detection methods, wireless sensor networks, unicast and multicast routing protocols, real-time protocols, and wireless LAN protocols.