[IEEE 2010 IEEE Youth Conference on Information, Computing and Telecommunications (YC-ICT) -...


MTSR: Wormhole Attack Resistant Secure Routing for Ad Hoc Network*

*This work is supported by the national high technology research and development program ("863" program) of China (NO.2009AA01Z418), the Fundamental Research Funds for Central Universities (NO.YWF1002009) and China Postdoctoral Science Foundation Funded Project (NO.20090460192)

QIU Xiu-feng 1,2, LIU Jian-wei 1, Abdur Rashid Sangi 1

(1. School of Electronics and Information Engineering, Beihang University, Beijing 100191, China)
(2. Department of Mathematics and Computer, Gannan Normal College, Ganzhou 341000, China)

Abstract

Routing security is an important and well-known issue in Ad hoc network applications and development. Various kinds of solutions have been proposed, but they are impractical to apply fully. In this paper, the wormhole attack topology is analyzed first; then cryptography and a trust mechanism are combined to design a new multipath trust-based secure routing protocol (MTSR). MTSR, based on AODV and SAODV, is distributed and can resist almost all known routing attacks, such as discarding, Sybil, spoofing, jamming, flooding, rushing and especially the wormhole attack. Its trust value computation follows the principle of increasing slowly but decreasing sharply, and it does not require any additional equipment, strict assumptions, node location or precise time information.

Index terms—wormhole attack, trust, multipath, secure routing

1. Introduction

Routing security is a key factor affecting the application and popularization of Ad hoc networks. Because of the inherent vulnerability of Ad hoc networks, various attacks, i.e. discarding, Sybil, spoofing, jamming, flooding, rushing and wormhole attacks, can be launched [1]. The wormhole attack is considered more devastating to overall network performance, as it is difficult to detect but quite easy to initiate [2]. The attacker may establish one or more tunnels between two or more nodes that are not neighbors in the network, so a routing protocol that relies on hop count or delay can be subverted, and the route is then hijacked to the attacking nodes. Most packets would be absorbed into the tunnel, and the next stage of the attack could happen at will.

We believe a secure routing protocol is significant in practice only if it can resist almost all known attacks. Though a substantial number of solutions have been proposed, these efforts are far from practical application in some contexts, especially in their lack of resistance to all attacks. A single technique cannot mitigate all attacks, so it is necessary to combine different techniques to design a security-aware routing protocol. We first discuss and analyze the network topology of the wormhole attack, and then propose MTSR (multipath trust-based secure routing protocol), which is based on AODV [3] and SAODV [4] and uses a combination of cryptography and a trust mechanism. Unlike other secure routing protocols, it is distributed and does not require any additional equipment, strict assumptions, node location or precise time information. It can resist almost all known routing attacks, especially the wormhole attack. Its trust value computation follows the rule of increasing slowly but decreasing quickly. Analysis and simulation show that MTSR outperforms existing secure routing protocols and is quite practical to implement.

2. Related work

Some attacks, such as the wormhole attack, cannot be resisted by traditional cryptography [2]. A variety of solutions to detect and resist the wormhole attack have been proposed [2][5-13]. Many of them have their own advantages, such as being distributed [2][6-9][11-13], multipath [9] and trust-based [9], and can detect and resist the wormhole attack to some extent. However, they have many shortcomings or limitations: (1) requiring additional equipment, i.e. directional antennas [11], GPS [2], special RF devices [20] and special ultrasonic devices [21], precise time information [2][12-13] or node location information [2][7]; (2) a high false alarm rate [8]; (3) strict assumptions, i.e. the Unit Disk Graph (UDG) model [6], special guard nodes [7] and packet discarding by attack nodes [9]; (4) lack of resistance to other attacks [6][8].

The wormhole attack disrupts the normal network topology, so many researchers focus on this point; [5], [7] and [10] analyze the topology of the wormhole attack from different perspectives.

AODV is a widely used Ad hoc routing protocol but is insecure. SAODV [4], which is based on traditional cryptography, extends AODV and proposes a single or double signature mechanism according to whether intermediate nodes generate RREP messages or not. It digitally signs the non-mutable part of routing messages and protects the mutable part with a one-way hash chain. It can resist attacks such as identity fraud and modification of the hop count, but cannot prevent many other attacks, such as discarding, the wormhole attack, and keeping the hop count unvaried while skipping the hash operation.

The protocol in [9] can resist various attacks. However, when detecting the wormhole attack, it assumes that attack nodes must discard packets. In addition, it is not compatible with existing protocols.

978-1-4244-8886-5/10/$26.00 ©2010 IEEE

3. Resistance and topology analysis of the wormhole attack

We only analyze the case of two attack nodes (more nodes have a similar nature). Suppose W1 and W2 are possible wormhole nodes whose topology is shown in Figure 1. We believe that generally the most likely scenario of a wormhole attack is building a tunnel between two distant nodes. If only one of the routes from a node (N1) to its 2- or 3-hop neighbor node (W2 or N2) has a length of 2 or 3 hops, but the lengths of the other routes are much greater than 2 or 3, we determine with great probability that the corresponding one-hop neighbor node (W1) and two-hop neighbor node (W2) are wormhole nodes. A further conclusion is: if there are multiple paths between two nodes, and the gap between the minimal route length and the second minimal route length is too large, then the route with the minimal length is likely to contain wormhole nodes.

Fig. 1. Topology of wormhole attack

We use a multipath trust mechanism to resist the wormhole attack. For a node N, multipath refers to different routes going through different next-hop neighbor nodes. If a neighbor node reaches the destination node through multiple paths, node N still treats these routes as one route. Node N maintains a trust value for each neighbor. We specially process wormhole nodes, or neighbor nodes probably belonging to a wormhole attack path, to reduce their trust value. When node N sends or forwards packets, it chooses a route according to the trust values of the neighbor nodes in the multipath set. The higher the trust value of a node, the greater the probability that it will be chosen.

If the length gap within the multipath set (between the minimal path length and the second minimal one) is not very large, then even if a wormhole attack is launched, it cannot achieve its purpose, because the traffic is divided among different paths.

4. MTSR: multipath trust-based secure routing

4.1 Assumptions and symbol description

The protocol only assumes that links are bidirectional. The main symbols used in the protocol are described in Table 1:

Table 1 Description of main symbols

��� Trust value of node �� to neighbor node ��
��� Number of successfully forwarded packets
��� Number of unsuccessfully forwarded packets
�� Probability that node �� forwards packets along route j
� � Adjustment factor used in the calculation of the trust value
�� � Adjustment factor used in the calculation of the trust value of a wormhole node
�� Anomaly threshold of the route length difference
�� Anomaly threshold of the trust value

4.2 Signature of routing messages and hash chain

The signature of routing messages and the generation and verification of the hash chain are similar to [4]. But [4] cannot detect the attack of keeping the hop count unvaried and skipping the hash operation while forwarding a RREQ or RREP. While calculating the trust value, our protocol traces the neighbor node that forwards packets and detects whether or not the neighbor node applies a hash operation to the hash chain of the RREQ or RREP and increments the hop count.
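A worked illustration of the hash-chain check and of the extra per-neighbor forwarding check described above, added here as an example; it is not code from the paper or from SAODV's implementation. It uses SAODV's field names (Hash, Top_Hash, Max_Hop_Count), assumes SHA-256 as the hash function, and the RouteMsg type and the demo scenario are constructed for the example.

```python
# Added example (not the paper's code): SAODV-style hash chain on the hop
# count, plus the forwarding check MTSR adds in section 4.2. Field names
# follow SAODV; SHA-256 is this example's choice of hash function.
import hashlib
from dataclasses import dataclass, replace


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def h_n(data: bytes, n: int) -> bytes:
    """Apply h() n times."""
    for _ in range(n):
        data = h(data)
    return data


@dataclass(frozen=True)
class RouteMsg:
    hop_count: int       # mutable field: incremented at every hop
    max_hop_count: int   # signed by the originator
    hash_val: bytes      # mutable field: hashed once at every hop
    top_hash: bytes      # h^max_hop_count(seed), signed by the originator


def originate(seed: bytes, max_hop_count: int) -> RouteMsg:
    """Originator of a RREQ/RREP: Hash = seed, Top_Hash = h^Max_Hop_Count(seed)."""
    return RouteMsg(0, max_hop_count, seed, h_n(seed, max_hop_count))


def forward(msg: RouteMsg) -> RouteMsg:
    """Honest intermediate node: hash once and increment the hop count."""
    return replace(msg, hop_count=msg.hop_count + 1, hash_val=h(msg.hash_val))


def verify_chain(msg: RouteMsg) -> bool:
    """SAODV receiver check: h^(Max_Hop_Count - Hop_Count)(Hash) == Top_Hash.
    It catches a hop count raised without the matching hash, but not a
    message rebroadcast with both mutable fields left untouched."""
    if not 0 <= msg.hop_count <= msg.max_hop_count:
        return False
    return h_n(msg.hash_val, msg.max_hop_count - msg.hop_count) == msg.top_hash


def neighbour_forwarded_correctly(sent: RouteMsg, overheard: RouteMsg) -> bool:
    """MTSR addition: node N compares the message it handed to neighbour N_j
    with the copy N_j rebroadcast. N_j must have hashed exactly once and
    incremented the hop count exactly once, with the signed fields intact."""
    return (overheard.hop_count == sent.hop_count + 1
            and overheard.hash_val == h(sent.hash_val)
            and overheard.max_hop_count == sent.max_hop_count
            and overheard.top_hash == sent.top_hash)


def demo() -> dict:
    seed = b"constructed seed, not from the paper"
    msg = originate(seed, max_hop_count=5)
    honest = forward(msg)                                # hashed and incremented
    unchanged = msg                                      # rebroadcast as received
    raised = replace(msg, hop_count=msg.hop_count + 1)   # incremented, no hash
    return {
        "honest_chain_ok": verify_chain(honest),
        "honest_neighbour_ok": neighbour_forwarded_correctly(msg, honest),
        "unchanged_chain_ok": verify_chain(unchanged),   # SAODV alone accepts it
        "unchanged_neighbour_ok": neighbour_forwarded_correctly(msg, unchanged),
        "raised_chain_ok": verify_chain(raised),         # SAODV rejects it
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```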

4.3 Establishment of the next-hop-different k-path routing table

At any given node, when its number of routes to a destination is less than k, it sends a RREQ. After a node receives a RREQ, it establishes k next-hop-different routes to the source node, and if the node is the destination or has routes to the destination, it sends a RREP along each reverse route. If a node receives a RREP, it establishes or updates the k next-hop-different routes to the destination.

4.4 Computation of the trust value

4.4.1 Computing principle

Similar to human psychology towards each other, we compute the trust value according to the principle of increasing slowly but decreasing rapidly; for nodes suspected of being wormhole nodes, we accelerate the decline of their trust value; our algorithm does not use indirectly recommended values from other nodes, in order to prevent lies; the computing algorithm is related only to local neighbors and is distributed; no additional equipment, location information, accurate time information or strict assumptions are required.

4.4.2 Computing method

The computational formula of ��� is ��� � ���������� (referring to [9]), while the computing methods of ��� (initial value: 1) and ��� (initial value: 1) are as follows.

(1) For a broadcast message, if �� is forwarded successfully then ��� � ����� � � ���� � ����; otherwise, ����� � ����� ��� � ���� � �.

(2) For a unicast message, assuming there are � ( � � � ) next-hop-different routes to the destination, �� represents the length of the route whose next hop is ��, and d denotes the difference between the minimal route length and the second minimal one among all �. While ! " ��, the trust value is higher as the length is shorter: if �� is forwarded successfully then ��� � # $%&%'()$� ����� � � , ���� � # $%&*'(+$� �����; otherwise, ���� � # $%&%'(+$� ����� , ���� � # $%&*'(+$� ����� � �. While ! , ��, the trust value is lower as the length is shorter: if ���� is forwarded successfully then ��� � -�+$� # $%&*'(����� � �, ���� � -�+$� # $%&*'(��������; otherwise, ����� � -� +$�# $%&*'( �����, ���� � -�+$� # $%&*'(����� � �. Here . " � � " � � " �� controls the trust value increasing slowly but decreasing rapidly, and ��� �� are adjustment factors used in the calculation of the trust value. � � � ���, �-� � /01� 23�456�71899674�:89;6�2<�899�=3�� 27�6>;89�4=�0=?�@1����������������������������������������������������������������������=456?A276 ; if the minimal value among all �� is equal to 2 or 3 and ! , ��, then the probability of a wormhole node existing among its neighbors is high, so the decreasing rate of the trust value should be accelerated.

4.5 Route selection according to probability

If �� receives a unicast message, assuming there are m (� � �) next-hop-different routes to the destination and the trust value of every route is ���, then the probability that node �� forwards the packet along route j is �� � B��# B��&�'( . If ��� " ��, then the message is not forwarded along route j; instead a route with ��� , �� is randomly selected to forward it.
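The trust maintenance of section 4.4 and the probabilistic route selection of this section, together with the route-length-gap heuristic of section 3, as an added Python example that is not the paper's code. Because the paper's update formulas are not legible on this page, the update rule, the initial trust of 0.5 and the constants alpha, beta, gamma, delta_len and delta_trust are this example's own assumptions; they only realise the stated principle of slow increase, sharp decrease, and accelerated decrease for a suspected wormhole neighbor.

```python
# Added example (not the paper's code): neighbour trust maintenance and
# trust-weighted next-hop selection in the spirit of sections 3, 4.4 and 4.5.
# The update rule, the initial trust of 0.5 and all constants are this
# example's own choices, standing in for formulas not legible on the page.
import random


class TrustTable:
    def __init__(self, alpha=0.05, beta=0.25, gamma=2.0,
                 delta_len=2, delta_trust=0.2):
        self.alpha = alpha              # gain per successful forward (slow)
        self.beta = beta                # loss per failed forward (sharp)
        self.gamma = gamma              # extra factor for a suspected wormhole node
        self.delta_len = delta_len      # anomaly threshold of the route length gap
        self.delta_trust = delta_trust  # anomaly threshold of the trust value
        self.trust = {}                 # neighbour -> trust value in [0, 1]

    def get(self, nb):
        return self.trust.setdefault(nb, 0.5)

    def suspected_wormhole(self, routes):
        """routes maps next hop -> route length. Section 3: if the shortest
        route is 2 or 3 hops and the gap to the second shortest exceeds the
        threshold, the shortest route's next hop is a likely wormhole node."""
        if len(routes) < 2:
            return None
        (nb1, l1), (_, l2) = sorted(routes.items(), key=lambda kv: kv[1])[:2]
        return nb1 if l1 in (2, 3) and l2 - l1 > self.delta_len else None

    def update(self, nb, success, routes):
        """Record one forwarding outcome for neighbour nb and return its trust."""
        t = self.get(nb)
        factor = self.gamma if self.suspected_wormhole(routes) == nb else 1.0
        if success:
            t += (self.alpha / factor) * (1.0 - t)   # slower gain when suspected
        else:
            t -= (self.beta * factor) * t            # faster loss when suspected
        self.trust[nb] = min(1.0, max(0.0, t))
        return self.trust[nb]

    def accept_from(self, nb):
        """Section 4.6: packets from a neighbour below the threshold are dropped."""
        return self.get(nb) >= self.delta_trust

    def choose_next_hop(self, routes, rng=random.random):
        """Section 4.5: pick route j with probability T_j / sum(T_k) over the
        routes whose trust is at least delta_trust; None if none qualifies."""
        eligible = [(nb, self.get(nb)) for nb in routes if self.accept_from(nb)]
        if not eligible:
            return None
        r = rng() * sum(t for _, t in eligible)
        for nb, t in eligible:
            r -= t
            if r <= 0:
                return nb
        return eligible[-1][0]


def demo():
    # Constructed scenario: W1 offers a 2-hop route, the alternatives need 7 and 8.
    routes = {"W1": 2, "N3": 7, "N4": 8}
    table = TrustTable()
    suspect = table.suspected_wormhole(routes)
    for _ in range(10):                 # W1 drops packets, N3 and N4 forward them
        table.update("W1", False, routes)
        table.update("N3", True, routes)
        table.update("N4", True, routes)
    chosen = table.choose_next_hop(routes, rng=lambda: 0.0)
    return suspect, table.get("W1"), table.get("N3"), chosen
```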

4.6 Preventing jamming, flooding and rushing attacks

If the trust value ��� of node �� to neighbor node �� satisfies ��� " ��, then �� discards packets from ��. If a node launches jamming, flooding or rushing attacks, then the neighborhood centered on that node becomes congested. The congestion causes discarding, so the trust values that other nodes hold for nodes in that neighborhood decrease rapidly and they drop the packets from the attacking nodes; thus the attacking nodes are isolated.

5. Security Analysis

Discarding: If an intermediate node drops all the packets passing through it (black hole), or selectively discards some packets (gray hole), the node's neighbors will reduce the trust value associated with it. As a result the node will be isolated.

Sybil: A Sybil attack means that a malicious node impersonates some legitimate nodes and transmits information. In MTSR, all nodes need to be verified by digital signature and are thus unable to impersonate any other node.

Wormhole attack: MTSR gives a suspected wormhole node a lower trust value than the other nodes, so comparatively fewer packets pass through the suspected wormhole node. In the worst case, where the wormhole node also drops packets, its trust value is quickly reduced and it is isolated once and for all.

Routing spoofing: In our protocol, each node digitally signs the routing information to avoid forged routing attacks. In this way, a source node can track and check the routing information and thus prevent routing spoofing attacks, i.e. unauthorized or illogical modification of the hop count, or keeping the hop count unvaried and skipping the hash operation while forwarding a RREQ or RREP.

Jamming, flooding and rushing: When a malicious node launches a jamming, flooding or rushing attack, other nodes reduce the trust value associated with it. In this way the malicious node is bypassed.

6. Simulation Analysis

We evaluate MTSR by simulation and compare it with AODV, single signature SAODV (SS-SAODV) [4] and double signature SAODV (DS-SAODV) [4]. All simulations were performed in NS-2, and the main parameters and their values used in the simulation are shown in Table 2. The simulation of each protocol is repeated 50 times with the same parameters, and the results are averaged for analysis. Malicious nodes launched wormhole attacks (and dropped packets) between 100s and 500s. As shown in Figure 2, unlike AODV, SS-SAODV or DS-SAODV, only MTSR maintained a high packet delivery rate (PDR) even when there were 5 colluding pairs of malicious nodes. Figure 3 shows the average change in the trust value of malicious nodes that initiate the wormhole attack (during 0s-10s and 99s-109s). It increases relatively slowly in the beginning, then stays level, and declines rapidly after the malicious nodes initiate the wormhole attack.

Table 2 Main parameters in simulation

Scenario size: 3km*3km
Simulation time: 600s
MAC type: 802.11
Node number: 100
Link number: 4
Traffic type: CBR
Packet size: 256 bytes
Packet sending rate: 4 packets/s
Mobility model: random waypoint
Max. speed: 20 m/s
Min. speed: 1 m/s
Pause time: 0s
�� � .CD �� � .CE� FG � H,�FI � .C.J
Digital signature algorithm: ECC
Hash function: MD5

Fig. 2. PDR in case of wormhole attack

Fig. 3. Trust value of neighbor nodes to wormhole node

The results also indicate that the AODV protocol cannot resist any attack, while the MTSR, SS-SAODV and DS-SAODV protocols can resist Sybil and routing spoofing attacks. However, unlike MTSR, SS-SAODV and DS-SAODV cannot resist discarding, jamming, flooding, rushing, or the attack of keeping the hop count unvaried and skipping the hash operation while forwarding a RREQ or RREP.

7. Conclusion

We develop a new secure routing protocol, MTSR. Compared to other available routing protocols, MTSR can resist numerous attacks, especially the wormhole attack. It integrates a combination of cryptography and a trust mechanism, and excels in being distributed and in not requiring any additional equipment, strict assumptions, node location or precise time information.

References

[1] L. Abusalah, A. Khokhar and M. Guizani, "A Survey of Secure Mobile Ad Hoc Routing Protocols," IEEE Communications Surveys & Tutorials, vol. 10, no. 4, pp. 78-93, 2008.
[2] Y. C. Hu, A. Perrig and D. B. Johnson, "Packet leashes: a defense against wormhole attacks in wireless ad hoc networks," in INFOCOM 2003.
[3] C. E. Perkins, E. M. Royer and S. R. Das, "Ad hoc on-demand distance vector (AODV) routing," IETF Internet Draft, MANET working group, draft-ietf-manet-aodv-10.txt, Jan. 2002.
[4] M. Guerrero Zapata, "Secure Ad hoc On-Demand Distance Vector (SAODV) Routing," draft-guerrero-manet-saodv-06.txt, Mobile Ad Hoc Networking Working Group, 5 September 2006.
[5] V. Mahajan, M. Natu and A. Sethi, "Analysis of Wormhole Intrusion Attacks in MANETS," in MILCOM 2008.
[6] R. Maheshwari, J. Gao and S. R. Das, "Detecting Wormhole Attacks in Wireless Networks Using Connectivity Information," in INFOCOM 2007.
[7] R. Poovendran and L. Lazos, "A graph theoretic framework for preventing the wormhole attack in wireless ad hoc networks," Wireless Networks, vol. 13, no. 1, pp. 27-59, 2007.
[8] M. A. Azer, S. M. El-Kassas and M. S. El-Soudani, "An Innovative Approach for the Wormhole Attack Detection and Prevention In Wireless Ad Hoc Networks," in ICNSC 2010.
[9] W. Galuba, P. Papadimitratos, M. Poturalski, K. Aberer, Z. Despotovic and W. Kellerer, "Castor: Scalable Secure Routing for Ad Hoc Networks," in INFOCOM 2010.
[10] D. Z. Dong, M. Li, Y. H. Liu, et al., "Topological Detection on Wormholes in Wireless Ad Hoc and Sensor Networks," in ICNP 2009.
[11] L. Hu and D. Evans, "Using directional antennas to prevent wormhole attacks," in NDSS 2004.
[12] S. Capkun, L. Buttyán and J.-P. Hubaux, "Sector: secure tracking of node encounters in multi-hop wireless networks," in Proc. of the 1st ACM workshop on Security of ad hoc and sensor networks, 2003.
[13] N. Sastry, U. Shankar and D. Wagner, "Secure verification of location claims," in Proc. of the 2nd ACM workshop on Wireless security, 2003.

Fig. 2 plot data: x axis wormhole attack node number (1*2=2, 3*2=6, 5*2=10), y axis packet delivery rate (0 to 1); series AODV, SS-SAODV, DS-SAODV, MTSR.

Fig. 3 plot data: two panels, x axis time(s) (0 to 10 and 99 to 109), y axis T value (0 to 1).