Ms. N.S.Raote* et al.
/ (IJAEST) INTERNATIONAL JOURNAL OF ADVANCED ENGINEERING SCIENCES AND TECHNOLOGIES
Approaches towards Mitigating Wormhole Attack
in Wireless Ad-hoc Network
Ms. N.S.Raote
M.E. IV Semester [Wireless Communication & Computing]
Department of Computer Science & Engineering
G.H.Raisoni College of Engineering,
Nagpur, India
n.raote@yahoo.com
Abstract- A wireless ad-hoc network is a temporarily set
network by wireless mobile computers (or nodes) moving arbitrary
in the place that have no fixed network infrastructure. The need
for cooperation among nodes to relay each other’s packets in the
adhoc network exposes them to a wide range of security attacks.
Adhoc wireless network is unprotected to the attacks of malicious
nodes ,out of all the attack cause by the malicious nodes, the most
devastating attack is known as the wormhole attack, in which two
or more malicious colluding nodes create a higher level virtual
tunnel in the network, which transport packets at one location in
the network Where the adversary records transmitted packets at
one location, and retransmit them into the network .Even if all
communication provides authenticity and confidentiality, the
wormhole attack is possible. This paper provides a survey on
wormhole attack and its counter measures in ad-hoc wireless
network.
Wormhole attack.
1. INTRODUCTION
ES
Keywords: Ad Hoc Networks, comprised nodes attacks,
A network is ad-hoc because it does not rely on a
preexisting infrastructure such as routers in wired networks
or access points in managed (infrastructure) wireless
network. An ad-hoc network is self-organizing and adaptive
networks formed on-the-fly, devices can leave and join the
network during its lifetime. This network has the features of
shared broadcast radio channel, insecure operating
A
environment, absence of infrastructure, lack of central
authority, lack of association, limited resource availability
dynamically changing network topology, resource constrains
and lack of clear line of defense, make them vulnerable to a
wide range of security attacks. Attacks on the adhoc network
can be classified into two broad categories, namely, passive
and active attack. A passive attack does not disrupt the
IJ
operation of the network; the adversary snoops the data
exchanged in the network without altering it whereas the
active attack attempts to alter or destroy the data being
exchanged in the network.
These attacks could involve eavesdropping, message
tampering, or identity spoofing. Many attacks are targeted at
the data traffic by dropping all data packets (blackhole
attack), selectively dropping data packets (grayhole attack),
and performing statistical analysis on the data packets to
obtain critical information, such as the location of primary
entities in the network. For an attacker to be able to launch
damaging data attacks, one option is to have a large number
of powerful adversary nodes distributed over the network
and possessing cryptographic keys. Alternately, the attacker
can achieve such attacks by having a few powerful adversary
nodes that need not authenticate themselves to the network
(i.e., external nodes). The attacker can achieve this by
targeting specific control traffic in the network. Typical
ISSN: 2230-7818 @ 2011 http://www.ijaest.iserp.org. All rights Reserved.
Vol No. 2, Issue No. 2, 171 - 174
Mr.K.N.Hande
Assistant Professor
Department of Computer Science & Engineering
G.H.Raisoni College of Engineering,
Nagpur, India
kapilhande@gmail.com
examples of control traffic are routing, monitoring liveness
of a node, topology discovery, and distributed location
determination. A particularly severe control attack on the
routing functionality of wireless networks, called the
wormhole attack [1][2][3], has been introduced in the
context of ad hoc networks. During the attack, a malicious
node captures packets from one location in the network, and
T
―tunnels‖ them to another malicious node at a distant point,
which replays them locally. The tunnel can be established
through a single long range wireless link or even through a
wired link between the two colluding attackers [13]-[14].
Due to the broadcast nature of the radio channel, the attacker
can create a wormhole even for packets not addressed to
itself. This tunnel makes the tunneled packet arrive either
earlier or with number of hops lesser compared to the
packets transmitted over normal multihop routes. This
creates the illusion that the two end points of the tunnel are
very close to each other. A wormhole tunnel can actually be
useful if used for forwarding all the packets, it puts the
attacker in powerful position compared to other nodes in the
network, which the attacker could use in a manner that could
compromise the security of the network. However, in its
malicious incarnation, it can be used by the two malicious
end points of the tunnel to pass routing traffic to attract
routes through them. The malicious end points can then
launch a variety of attacks against the data traffic.
Ad-hoc network are more prone to the security attack as
compared to wired network or infra structure based wireless
network because of distributive nature. These networks are
vulnerable to the wormhole attack launched through the
compromised nodes (node that perform internal attacks).
In wormhole attack the two remote regions are directly
connected through nodes (malicious) that appear to be
neighbor but are actually distant from one another. Such
wormhole attack results in the false route. If the source node
chooses this fake route, malicious nodes have the option of
delivering the packet or dropping them. So the wormhole
attack is one of the most severe threats to ad-hoc networks,
as it can do harm to both sender and receiver.
In general, adhoc routing protocols fall into two
categories: proactive routing protocols that rely on periodic
transmission of routing updates, and on demand routing
protocols that search for routes only when necessary. A
wormhole attack is equally dangerous for both proactive and
on-demand protocols.
In this paper, we explain the attack modes and point to the
impact of this attack and its threats. From an attacker‘s
perspective, we analyze each of the attack‘s modes‘ benefits
and suitable conditions and think how to improve the
Page 171
 Ms. N.S.Raote* et al. / (IJAEST) INTERNATIONAL JOURNAL OF ADVANCED ENGINEERING SCIENCES AND TECHNOLOGIES
wormhole attack by introducing the cryptographic technique
[4] from administrative perspective.
The remainder of this paper is organized as follows.
Section 2 introduces the wormhole attack modes, impact on
the ad hoc networks applications and routing threats in
section 3, we discuss the solutions that have been proposed
in the literature as a countermeasure for this attack.
Finally, conclusion and future directions are given in section
4.
Wireless Link
Malicious Node
Good node
Fig.1 wormhole attack
2. WORMHOLE ATTACK
ES
In this section we explain the wormhole attack modes
[9].Based on the techniques used for launching the wormhole
attack the wormhole attack modes are classified as follows.
A. Wormhole Attack Modes
Wormhole attacks can be launched using several modes,
among these modes, we mention:
2.1 Wormhole using Encapsulation
When the source node broadcast the RREQ packet, a
A
malicious node which is at one part of the network receives
the RREQ packet. It tunnels that packet to a second
colluding party which is at a distant location near the
destination, it then rebroadcasts the RREQ. The neighbours
of the second colluding party receive the RREQ and drop
any further legitimate requests that may arrive later on
IJ
legitimate multihop paths. The result is that the routes
between the source and the destination go through the two
colluding nodes that will be said to have formed a wormhole
between them. This prevents nodes from discovering
legitimate paths that are more than two hops away. In [6] the
authors have given example, consider Figure 2 in which
nodes A is source node and B is the destination node, both
try to discover the shortest path between them, in the
presence of the two malicious nodes X and Y. Node A
broadcasts a RREQ, X gets the RREQ and encapsulates it in
a packet destined to Y through the path that exists between X
and Y (U-V-W-Z). Node Y demarshalls the packet, and
rebroadcasts it again, which reaches B. Note that due to the
packet encapsulation, the hop count does not increase during
the traversal through U-V-W-Z. Concurrently, the RREQ
travels from A to B through C-D-E. Node B now has two
routes, the first is four hops long (A-C-D-E-B), and the
second is apparently three hops long (A-X-Y-B). Node B will
choose the second route since it appears to be the shortest
ISSN: 2230-7818 @ 2011 http://www.ijaest.iserp.org. All rights Reserved.
Vol No. 2, Issue No. 2, 171 - 174
while in reality it is seven hops long. Any routing protocol
that uses the metric of shortest path to choose the best route
is vulnerable to this mode of wormhole attack.
2.2 Wormhole using Out-of-Band Channel
This mode for wormhole attack involves the use of an out of
band channel. This attack is launched by having an out of
band high-bandwidth channel between the malicious nodes.
X Z
S
P
U V W
Q R
Y
A
T
D E B
C
Fig. 2 Wormhole through packet encapsulation
This mode of attack needs specialized hardware capability.
Consider Figure 3 [13] in which node A sends a RREQ to
node B, and nodes X and Y are malicious nodes having an
out-of-band channel between them. Node X tunnels the
RREQ to Y, which is a legitimate neighbour of B. Node Y
broadcasts the packet to its neighbours, including B. B gets
two RREQs—A-X-Y-B and A-C-D-E-F-B. The first route is
both shorter and faster than the second, and is thus chosen by
B.
A P
X
R
Y
Q S
Z
C
D E F
B
Good Node Malicious
Node
Out-of-band channel
Figure 3. Wormhole through out-of-band channel
2.3Wormhole with High Power Transmission
This is another method which involves the use of high
power transmission. In this mode, when a malicious node
gets a RREQ, it broadcasts the request at a high power level;
this capability is not available to other nodes in the network.
Any node that hears the high-power broadcast rebroadcasts it
Page 172
 Ms. N.S.Raote* et al. / (IJAEST) INTERNATIONAL JOURNAL OF ADVANCED ENGINEERING SCIENCES AND TECHNOLOGIES
towards the destination. By this method, the chance of
malicious node to be in the routes established between the
source and the destination increases even without the
participation of a colluding node.
2.4Wormhole using Packet Relay
Another mode of the wormhole attack is by using packet
relay. In this mode a malicious node relays packets between
two distant nodes to convince them that they are neighbours.
This mode can be launched by even one malicious node. It
involves the cooperation by a greater number of malicious
nodes, which serves to expand the neighbour list of a victim
node to several hops. It is carried out by an intruder node X
located within transmission range of legitimate nodes A and
B, where A and B are not themselves within transmission
range of each other. Intruder node X merely tunnels control
traffic between A and B (and vice versa), without the
modification presumed by the routing protocol e.g. without
stating its address as the source in the packets header so that
X is virtually invisible. Node X can afterwards drop tunneled
packets or break this link at will. An extraneous A -B link
can be artificially created by an intruder node X by
wormholing control messages between A and B.
2.5 Wormhole using Protocol Deviations
ES
During the route request forwarding, the nodes typically
back off for a random amount of time before forwarding.
This is motivated by the fact that the request forwarding is
done by broadcasting and hence, reducing MAC layer
collisions is important. A malicious node can create a
wormhole by simply not complying with the protocol and
broadcasting without backing off. The purpose is to let the
request packet it forwards arrive first at the destination and
sit is therefore included in the path to the destination
[13].The advantage of this mode is that the control packet
arrive faster. The challenge for this mode is that there is a
A
possibility of collision to occur between transmissions of
malicious nodes.
B. Wormhole Attack Threats
We can consider wormhole attack as a two phase process
launched by one or several malicious nodes. In the first
IJ
phase, the two malicious end points of the tunnel may use it
to pass routing traffic to attract routes through them. In the
second phase, wormhole nodes could exploit the data in
variety of ways. They can disrupt the data flow by
selectively dropping or modifying data packets, generating
unnecessary routing activities by turning off the wormhole
link periodically, etc.The attacker can also simply record the
traffic for later analysis. Using wormholes an attacker can
also break any protocol that directly or indirectly relies on
geographic proximity. It should be noted that wormholes are
dangerous by themselves, even if attackers are diligently
forwarding all packets without any disruptions, on some
level, providing a communication service to the network.
With wormhole in place, affected network nodes do not have
a true picture of the network, which may disrupt the
localization-based schemes, and hence lead to the wrong
decisions, etc. Wormhole can also be used to simply
aggregate a large number of network packets for the purpose
ISSN: 2230-7818 @ 2011 http://www.ijaest.iserp.org. All rights Reserved.
Vol No. 2, Issue No. 2, 171 - 174
of traffic analysis or encryption compromise.
3. DEFENSES
A wide variety of wormhole attack mitigation techniques
have been proposed for specific kinds of networks: sensor
networks, static networks, or networks where nodes use
directional antennas. In this section, we describe and discuss
such techniques, commenting on their usability and the
possibility of their use in general adhoc network. Hu and
vans propose a solution to wormhole attacks for adhoc
networks in which all nodes are equipped with directional
antennas. In this technique nodes use specific ‗sectors‘ of
their antennas to communicate with each other. Each couple
of nodes has to examine the direction of received signals
from its neighbor. Hence, the neighbors relation is set only if
the directions of both pairs match. This extra bit of
information makes wormhole discovery and introduces
substantial inconsistencies in the network, and can easily be
T
detected.
Wang and Bhargava introduce an approach in which
network visualization is used for discovery of wormhole
attacks in stationary sensor networks [8]. In their approach,
each sensor estimates the distance to its neighbors using the
received signal strength. All sensors send this distance
information to the central controller, which calculates the
network‘s physical topology based on individual sensor
distance measurements. With no wormholes present, the
network topology should be more or less flat, while a
wormhole would be seen as a ‗string‘ pulling different ends
of the network together.
Lazos et al proposed a ‗graph-theoretical‘ approach to
wormhole attack prevention based on the use of Location-
Aware ‗Guard‘ Nodes (LAGNs). Lazos uses ‗local broadcast
keys‘[28] - keys valid only between one-hop neighbours - to
defy wormhole attackers: a message encrypted with a local
key at one end of the network can not be decrypted at
another end. Lazos proposes to use hashed messages from
LAGNs to detect wormholes during the key establishment
[27]. A node can detect certain inconsistencies in messages
from different LAGNs if a wormhole is present. Without a
wormhole, a node should not be able to hear two LAGNs
that are far from each other, and should not be able to hear
the same message from one guard twice.
Khalil et al propose a protocol for wormhole attack
discovery in static networks they call LiteWorp[9]. In
LiteWorp, once deployed, nodes obtain full two-hop routing
information from their neighbours. While in a standard ad
hoc routing protocol nodes usually keep track of their
neighbours are, in LiteWorp they also know who the
neighbours‘ neighbours are,- they can take advantage of two-
hop, rather than one-hop, neighbour information. This
information can be exploited to detect wormhole attacks.
Also, nodes observe their neighbours‘ behavior to determine
whether data packets are being properly forwarder by the
neighbour.
Song et al proposes a wormhole discovery mechanism
based on statistical analysis of multipath routing [16]. Song
observes that a link created by a wormhole is very attractive
in routing sense, and will be selected and requested with
unnaturally high frequency as it only uses routing data
already available to a node.
Page 173
 Ms. N.S.Raote* et al. / (IJAEST) INTERNATIONAL JOURNAL OF ADVANCED ENGINEERING SCIENCES AND TECHNOLOGIES
Vol No. 2, Issue No. 2, 171 - 174

Sr. Wormhole discovery and recovery methods 4. CONCLUSION

No
. Method Requirement Commentary
In this paper we introduced the wormhole attack,
1 Packet GPS coordinates of Robust, describes its different modes in details. We also discussed
leashes, every straightforward
geographical node; Loosely solution; inherits the threats that this attack presents briefly, and overviewed
synchronized general limitations the effort done in the literature to combat this attack. In this
clocks (ms) of type of attacks many modes have been suggested to be used
GPS technology
2 Packet Tightly Impractical;
in conjunction to benefit from the advantages of each to
leashes, synchronized required time compensate for other modes disadvantages. Ethically, this
temporal clocks (ns) synchronization type of wormhole analysis is important to account for
level possible new dangers and variations of this attack.
not currently
achievable in to Furthermore, it can help in putting some constraints on the
sensor networks network topology to design a robust network for such
3 Packet GPS coordinates; Inherits limitations attacks, and in the design of new and more powerful attack
leashes, Loosely of
end-to-end synchronized GPS technology countermeasure.
clocks (ms)
Time of flight
REFERENCES
4 Hardware enabling Impractical;
one-bit message likely [1] Mariane A. Azer,Sherif M. El-Kassas, ―An Innovative Approach for the
and immediate to require MAC- Wormhole Attack Detection and Prevention in Wireless Ad-hoc

T
replies without layer Network‖2010.
CPU modifications [2] Matthew Tan Creti,Matthew Beaman,Saurabh Bagchi,Zhiyuan
involvement Li,Yung-Hsiang Lu, ― Multigrade Security Monitoring for Ad-hoc
5 Directional Directional Good solutions for Wireless Networks‖ ,2009IEEE.
Antennas antennas on all networks relying [3] Bhargava, B.de Oliveira, R. Yu Zhang Idika, ― Addressing
nodes or on directional Collaborative Attacks and Defense in Ad Hoc Wireless Networks‖
several nodes with antennas, but not 29th IEEE International Conference on Distributed Computing
both GPS and directly Systems, 2009

6 Network
visualization
directional
antennas

Centralized
controller
ES
applicable to other
networks

Seems promising;
Works best on
[4]

[5]
Shang-Ming Jen, Chi-sung Laith & Wen-Chung Kuo,, ―

Khabbazian, M.;Mercier,H.;Bhargava, V.K., ―

A Hop Count
scheme for avoiding wormhole attack in MANET‖, Journal on Open
access sensors,2009.
Severity Analysis and
countermeasures for the Wormhole Attack in Wireless Ad Hoc
Not readily dense Networks‖. IEEE Trans. Wireless Commun.2009, 8,736-745.
applicable to networks; [6] Marianne Azer, Sherif Ei-Kassas Magdy El-Soudani, ― A Full image of
mobile Mobility the Wormhole Attack towards introducing Complex wormhole attacks
networks. not studied; Varied in wireless Ad-hoc networks‖, in (IJCSIS) International Journal of
terrains not studied Computer Science and Information Security, Vol. 1, No. 1, May 2009.
7 Localization Location-aware Good solution for [7] F.Nait-Abdesselam,B.Bensaou,and T. Taleb, ― Detecting and avoiding
‗guard‘ Nodes sensor networks Wormhole attacks in Wireless Ad-hoc Networks‖, in IEEE
Communication Magazine.vol.46,April 2008,pp.127-133.
8 LiteWorp none Applicable only to [8] G. Lee, D. k. Kim, J. Seo, ― An Approach to Mitigate Wormhole
A
static Attack in Wireless Ad Hoc Networks,” IEEE International Conference
stationary on Information Security and Assurance, pp. 220-225, 2008.
networks; [9] Naït-Abdesselam, F.; Bensaou, B.; Yoo, J., ― Detecting and Avoiding
Impractical Wormhole Attacks in Optimized Link State Routing Protocol‖. In
IEEE WCNC, Hong Kong, 2007; pp. 3119–3124.
9 Statistical no requirements
[10] Ren, K.; Lou, W.; Zeng, K.,Moran, P.J. ― On Broadcast Authentication
analysis Works only with
multi-path in Wireless Sensor Networks‖. IEEE Trans. Wireless Commun. 2007,
6, 11–23
ondemand
IJ

[11] Maheshwari, R.; Gao, J.; Das, S.R. ― Detecting Wormhole Attacks in
protocols;
Wireless Networks Using Connectivity Information‖. In IEEE
10. MGM Light weight local For necessary INFOCOM, Anchorage, AK, USA, 2007; pp. 107–115.
monitoring condition, the [12] Y.-C. Hu, A. Perrig, D. B. Johnson, ― Wormhole Attacks in Wireless
heavy weight RV Networks,‖ Selected Areas of Communications, IEEE Journal on, vol.
protocol is 24, numb. 2, pp. 370- 380, 2006.
triggered. it is [13] Khalil, I.; Bagchi, S.; Shroff, N.B. ― LITEWORP: A Lightweight
more resource Countermeasure for the Wormhole Attack sin Multihop Wireless
efficient and Networks‖. In IEEE DSN’05, Yokohama, Japan, June 28-July 1, 2005;
powerful pp. 1–10.
Table 1.Summary of various defense mechanisms for Wormhole attack [14] Qian. L.; Song, N.; Li, X. ―Detecting and Locating Wormhole Attacks
in Wireless Ad Hoc Networks through Statistical Analysis of Multi-
path‖. In IEEE WCNC 2005, New Orleans, LA, USA, March 13-17,
These factors allow for easy integration of this method into pp. 2106–2111,2005.
intrusion detection systems only to routing protocols that are [15] Lazos,L.;Poovendran,R ―
SeRLo;Secure Range-independent
both on-demand and multipath. Localization for wireless Sensor Networks‖..In ACM WiSE‘04,New
York,NY,USA,October2004;pp.73-100.

ISSN: 2230-7818 @ 2011 http://www.ijaest.iserp.org. All rights Reserved. Page 174