Tech Revolution


An Analysis of Wormhole and Blackhole Attacks in Ad Hoc Networks

Submitted by: Abhishek Gupta 703/IT/08


Table of Contents

I. Abstract
II. Introduction
III. Collaborative Attack
III.a Categorization of Collaborative Attacks
III.a.1 Direct Collaborative
III.a.2 Indirect Collaborative
IV. Wormhole Attack
IV.a Severity of a Wormhole Attack
IV.b Simulations
IV.c Analysis
V. Blackhole Attack
V.a Simulations
V.b Analysis
VI. Conclusion
VII. References

I. Abstract


A Mobile Ad hoc Network (MANET) consists of a set of communicating wireless mobile nodes or devices that do not have any form of fixed infrastructure or centralized authority. Security in MANETs has become a significant and active topic within the research community. This is because of the high demand for sharing streaming video and audio in various applications; a MANET can be set up quickly to facilitate communications in a hostile environment such as a battlefield or an emergency situation like a disaster rescue operation. Although several attacks aimed at specific nodes in MANETs have been uncovered, some attacks involving multiple nodes still receive little attention. One reason is that people apply security mechanisms designed for wired networks to MANETs and overlook the security measures that are specific to MANETs. Furthermore, it may also have to do with the fact that no survey or taxonomy has been done to clarify the characteristics of different multiple node attacks. This thesis addresses the aforementioned gap by providing a proper definition and categorization of collaborative attacks against MANET from the various multiple node attacks found. Simulation using GLOMOSIM was used to investigate the performance impact of a collaborative blackhole and wormhole attack on a mobile ad hoc network. Network throughput, packet delivery ratio and end-to-end delay are the performance metrics used in our result analysis.

II. Introduction


During the past few decades the world has become a global village by virtue of the technological revolution. Information Technology (IT) is growing day by day. Businesses tend to use more and more complex network environments. Despite the efforts of network administrators and IT vendors to secure computing environments, the threats posed to personal privacy, company privacy and various assets by attacks upon networks and computers continue unabated. Mobile Ad hoc Networks (MANETs) are most certainly a part of this technological revolution. A MANET is a collection of wireless devices or nodes that communicate by dispatching packets to one another or on behalf of another device/node, without having any central network authority or infrastructure controlling data routing. MANET nodes have limitless connectivity and mobility with respect to other nodes; for routing, each node acts as a router and network manager to another node [17].

Securing transmission and communication in a MANET is a challenging and vital issue because the mobile network is open to various types of attacks. In order to secure communication in such networks, understanding the security attacks to which a MANET is liable is a major task and concern. MANETs suffer from a variety of security attacks and threats such as: Denial of Service (DoS), flooding attack, impersonation attack, selfish node misbehaving, routing table overflow attack, wormhole attack, blackhole attack, and so forth. A MANET is open to vulnerabilities as a result of its basic characteristics, such as: no point of network management, a topology that changes vigorously, resource restriction, and no certificate authority or centralized authority, to mention a few [1, 2, 4].

Previous studies show that there are different categories of attacks on MANET [1, 2, 8], such as Passive and Active attacks, Internal and External attacks, and Routing and Packet Forwarding attacks. Some of these attacks are termed single attacks, while some are referred to as attacks on multiple nodes and are malicious. In this thesis, we investigate the multiple node attacks against MANET and provide a new categorization of multiple node attacks. In addition, based on the characteristics of these attacks, we present a proper definition of such attacks in MANET. After that, simulations of different network sizes are performed to see the impact on the MANET's performance with and without a collaborative attack. Finally, the various mitigation plans for collaborative attacks are discussed and highlighted.


III. Collaborative Attack

A collaborative attack in MANET is a homogeneous attack (i.e. blackhole or wormhole attack) involving two or more colluding nodes; it is classified as an internal active attack that can be carried out using a wired or wireless link and triggered by single or multiple attackers. It can also be referred to as the first level of attack, in which the adversary is only interested in disrupting the foundation mechanism of the ad hoc network, for instance the routing protocol, which is crucial for proper MANET operation.

III.a Categorization of Collaborative Attacks

In collaborative attacks, as defined in the previous section, there are numerous nodes involved during the attack. These nodes can be physically existent or not existing at all. These unique characteristics can be observed and were distinguished in the section on Multiple Node Attacks. Having studied the different multiple node attacks and provided the definition of collaborative attacks, we now categorize these attacks into two different categories.

III.a.1 Direct Collaborative Attacks

Here, the attacker nodes are already in existence in the original network, or a malicious node joins the network, or an internal node in the network is compromised. This kind of collaborative attack can be referred to as a direct collaborative attack. Blackhole and wormhole attacks belong to this category. The reason for this classification is the natural behaviour of these attacks. In the blackhole attack, one or more malicious nodes try to disrupt the network routing operation by advertising themselves as the shortest path to the destination node. Therefore, at least three physical nodes must be involved in this attack, namely: the source node, the blackhole node (malicious node) and the destination node.

The second attack belonging to this category is the wormhole attack. There always exist two colluding malicious nodes, since they can tunnel data packets back and forth, even packets not addressed to them, without being noticed by other nodes. Thus, the wormhole attack involves at least two physical nodes.

III.a.2 Indirect Collaborative Attacks

The attacks in this category use different non-existent nodes in order to fool other nodes into redirecting data packets to the malicious node. This kind of collaborative attack can be referred to as an indirect collaborative attack. The attacker nodes are not already in existence in the original network but are created in the course of the attack. The Sybil attack belongs to this category of collaborative attacks. The malicious node in a Sybil attack can generate an arbitrary number of additional identities for itself while using only one physical node. This physical node may be a legitimate node or a node in the MANET already compromised or made malicious by a Sybil attack.

Routing table overflow is another attack in this category, in which the malicious node tries to create as many routes as possible to non-existent nodes. It aims to prevent new routes from being produced or to overpower the routing protocol.


IV. Wormhole Attack

Wormhole attack is a type of collaborative attack in which the attacker provides two choke-points of malicious nature that are used to degrade the network or analyze the network traffic. These two points constitute the end points of a wormhole. The end points are connected via a high speed link of some sort, or tunnel [Fig 1]. Packets are captured from one end point and are tunnelled to the other malicious end in some other part of the network, where they are replayed, typically without modification. The following figure illustrates a network topology affected by a wormhole:-

Figure 1: X and Y are the end points of the wormhole, with a communication link between them known as the wormhole link. X is in transmission range of a, b and m, whereas Y is in transmission range of d, e and c.


IV.a Severity of a wormhole attack

Wormhole attack is considered one of the most severe attacks on ad hoc networks. A wormhole is severe against on demand as well as proactive routing mechanisms. Firstly, in on demand routing mechanisms, a wormhole is capable of attracting a significant percentage of network traffic. This is because most of the on demand routing protocols are shortest path routing mechanisms using hop count as a metric, and the link between the two adversarial nodes of the wormhole is a fast link with a small number of hops, in most cases a single hop. Data forwarded via the wormhole thus reaches the destination sooner, or with a smaller number of hops, compared to data forwarded by the genuine nodes using multiple hops for transmission. To understand this, let us divide the network into two partitions A and B [Fig 2], each containing one of the end points of the wormhole. If packets are to be transmitted from a node in Partition A to Partition B, most of the routes discovered will include the wormhole because it presents a shorter path. Therefore, most of the routing done between these two partitions is affected by the wormhole. In another situation a wormhole can directly tunnel a ROUTE REQUEST packet to its destination. When the destination node's neighbour hears the ROUTE REQUEST packet, it will follow the normal routing procedure to rebroadcast it and then discard all other ROUTE REQUEST packets originating from the same Route Discovery. Any route other than the wormhole is thus prevented from being discovered. If the wormhole is near the originator of the ROUTE REQUEST packet, routes of more than two hops can be prevented from being identified.

Figure 2: Nodes 1, 2, 3, 4 and 5 are in transmission range of M1. Nodes A, B, C and D are in transmission range of M2. The network is divided into two partitions A and B. The wormhole will handle a significant amount of routing between Partition A and Partition B. Also, nodes 1, 2, 3, 4 and 5 will consider nodes A, B, C and D as their immediate neighbours due to the presence of the wormhole.


After the wormhole has become a significant part of the routing, it can be exploited in several ways. It may be used to analyse the routing traffic. The critical points of the network, such as the sender node or the destination node, may be identified and then the attack may be launched against these. The adversarial nodes of the wormhole may drop the packets instead of forwarding them all, thus creating a permanent Denial of Service attack. In this case, the attack would be more detrimental as the wormhole is handling a significant part of the routing of the network. The wormhole may also selectively discard packets, such as the control packets in the on demand routing mechanisms, or modify them.

In the case of pro-active routing mechanisms which employ neighbour discovery procedures, the wormhole attack is equally dangerous. These protocols use HELLO PACKETS for neighbour discovery. If HELLO PACKETS of A are tunnelled across via a wormhole and are transmitted to B, then A will consider B as its neighbour. The routing will get disrupted when A tries to communicate with B as its one hop neighbour and is unable to, as they are not in transmission range. In Fig 2, nodes 1, 2, 3, 4 and 5 will take nodes A, B, C and D as their immediate neighbours.

The severity of wormholes is also reflected by the fact that they are not easily detectable. Cryptographic techniques are not useful in detecting a wormhole, as in most cases it only relays the encrypted or authenticated packets. Suppose the attacker places two transceivers at two critical positions in the network and initiates a fast link between the two. These transceivers will just pick up packets from the network and tunnel them across. These transceivers need not be part of the network to perform this task, as they will just be snooping on the packets transmitted by the neighbour nodes. Cryptographic techniques will be useless in this case. The nature of wireless communication allows the attacker to design such transceivers. It is also possible for the attacker to transmit each bit instead of waiting for the whole packet, thus decreasing the delay of transmission. If the attacker does the tunnelling non-maliciously, then the wormhole can be very useful in routing as it provides a fast route with a smaller number of hops. But in most scenarios this is not the case.

In work done by [9] it has been shown that in shortest path routing protocols, two strategically located malicious nodes can disrupt on average 32% of all communications across the network when the nodes of the network are distributed uniformly. When the wormhole targets a particular node in the network, it can disrupt on average 30% to 90% (based on the location of the target) of all communication between the target node and all other nodes in the network. In a network of grid topology it has been shown that 40% to 50% of all communication can be disrupted if the wormhole is placed along the diagonal of the grid. The above study illustrates the severity of wormhole attacks in wireless ad hoc networks.
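The way hop-count routing is pulled through a wormhole, as described in this section, can be measured on a small model. The following is an added example, not part of the original report or its GloMoSim setup; the grid topology, the modelling of the tunnel as a single extra one-hop link between two compromised nodes, and all function names are assumptions.

```python
from collections import deque
from itertools import combinations


def grid_graph(n):
    """n x n grid of nodes; radio range covers only the 4 nearest neighbours."""
    adj = {(r, c): set() for r in range(n) for c in range(n)}
    for r, c in list(adj):
        for nb in ((r + 1, c), (r, c + 1)):
            if nb in adj:
                adj[(r, c)].add(nb)
                adj[nb].add((r, c))
    return adj


def hop_counts(adj, src):
    """Breadth-first search: hop count from src to every reachable node."""
    dist = {src: 0}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def wormhole_impact(n, x, y):
    """Compare shortest-path (hop count) routing with and without a wormhole x<->y.

    Returns (average hops without wormhole, average hops with wormhole,
    fraction of node pairs whose route gets strictly shorter).
    A pair whose route gets strictly shorter can only have achieved that by
    crossing the tunnel, so the last value is a lower bound on the share of
    pairs that a hop-count protocol routes through the wormhole.
    """
    clean = grid_graph(n)
    attacked = grid_graph(n)
    attacked[x].add(y)  # assumption: the tunnel looks like one ordinary hop
    attacked[y].add(x)

    clean_dist = {s: hop_counts(clean, s) for s in clean}
    attacked_dist = {s: hop_counts(attacked, s) for s in attacked}

    pairs = list(combinations(sorted(clean), 2))
    clean_total = sum(clean_dist[s][d] for s, d in pairs)
    attacked_total = sum(attacked_dist[s][d] for s, d in pairs)
    captured = sum(1 for s, d in pairs if attacked_dist[s][d] < clean_dist[s][d])
    return (clean_total / len(pairs),
            attacked_total / len(pairs),
            captured / len(pairs))


if __name__ == "__main__":
    # Constructed scenarios on a 10 x 10 grid: endpoints on the diagonal,
    # endpoints a few hops apart, and endpoints that are already neighbours.
    for x, y in (((0, 0), (9, 9)), ((2, 2), (7, 7)), ((4, 4), (4, 5))):
        clean_avg, attacked_avg, share = wormhole_impact(10, x, y)
        print(f"wormhole {x}<->{y}: avg hops {clean_avg:.2f} -> "
              f"{attacked_avg:.2f}, pairs pulled through tunnel: {share:.1%}")
```

The drop in average hop count and the share of captured pairs correspond to the hop count and data-handled metrics used in the analysis of the simulations.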

IV.b Wormhole Attack-Simulation Results


Simulation Parameters:-

SIMULATION-TIME 30M
TERRAIN-DIMENSIONS (1200, 1200)
NUMBER-OF-NODES 100,120,140,160 and 180.
NODE-PLACEMENT UNIFORM
MOBILITY NONE

Traffic Generators:-

CBR 2 5 10000 512 0.05S 70S 100S
CBR 0 99 10000 512 0.5S 80S 400S
CBR 90 18 10000 512 0.8S 104.39S 400S
CBR 89 97 10000 512 1.1S 300.8S 700S

Malicious node pairs are introduced in the order:-
1) 26-98
2) 83-17
3) 50-56

The wormholes used in the simulation are unidirectional, i.e. only one of the two malicious nodes can intercept and unicast the control packets to the other malicious node. In this scenario these nodes are 26, 83 and 50.

Note:-

In this implementation of the wormhole, one of the ends of the wormhole must be a one hop neighbor of the destination node. The reason is that the transmission range of the wormhole nodes is much greater than that of the genuine nodes. The destination may hear RREQ packets from a malicious node but won't be able to reply because the malicious node may be out of range. Thus it is necessary for us to place one of the ends of the wormhole as close as possible to the destination node.


Fig. 3: End to End Delay. End to end delay (sec) plotted against No. of nodes, for 0, 2, 4 and 6 malicious nodes.

Fig. 4: No. of Hop Counts. Hop counts plotted against No. of nodes, for 0, 2, 4 and 6 malicious nodes.

Fig. 5: Data Handled by Wormhole. No. of packets plotted against No. of nodes, for 0, 2, 4 and 6 malicious nodes.

In case of mobile nodes, there is a possibility that the malicious node of a wormhole may travel out of range of the destination node thus not allowing the path containing the wormhole to get selected.

IV.c Analysis

Average End To End Delay:

This is the average delay between the sending of the data packet by the CBR source and its receipt at the corresponding CBR receiver. This includes all the delays caused during route acquisition, buffering and processing at intermediate nodes, retransmission delays at the MAC layer, etc.

A significant drop in the values of average end to end delay (fig 1) can be observed from the graph as we increase the number of malicious nodes in the network. Average value of End to End Delay taken over various no. of nodes in the network with no malicious nodes is 0.0306 sec. Value for 6 malicious nodes is 0.01774 thus giving a drop of around 42%. This drop can be explained by the fact that the route through the wormhole is a route with smaller no. of hops. Thus the buffering time, processing at intermediate nodes, retransmission delays etc are reduced significantly which in turn reduces the end to end delay.


Number of Hop Counts:

It is the total number of hop counts for all the selected routes in the network. The value of this metric (fig 2) also drops as we increase the number of wormholes in the network. Average no. of hop counts with no wormholes is 30. The value with 3 wormholes is 17.

Data Handled by Wormholes:

Data handled by malicious nodes increases (fig 3) as we introduce more wormholes in the network. The 3 wormholes in the network are handling around 50% of the data being generated.

Another observation that can be made from the graph is that there is no significant difference in the values for 2 and 3 wormholes. This shows that the 3rd wormhole introduced in the network is not attracting any traffic towards itself. The functioning of a wormhole depends on its location (its closeness to the senders, and the direction of the wormhole link, which should be towards the destination).

Throughput:

Throughput values show an increase (fig 4) as we introduce wormholes in the network. The wormholes in the above implementation do not have the packet dropping property. The throughput thus increases with the introduction of wormholes, as wormholes allow the senders to find shorter routes to the destination.


V. Blackhole Attack

A blackhole attack occurs when a malicious node impersonates the destination node or forges a route reply message that is sent to the source node, with no effective route to the destination. The malicious node may generate unwanted traffic and usually discards packets received in the network. When this malicious node (blackhole node) affects one or more nodes, making them malicious as well, this kind of attack can be referred to as a multiple node attack or collaborative attack.

In a blackhole attack, the malicious node presents itself as having the shortest path to the node it is impersonating, making it easier to intercept the message. To achieve this, the malicious node waits and tries to get the replies from nearby nodes in order to discover a safe and valid route. This route could be forged, illegitimate or an imitation but it appears genuine to the source node.

V.a Simulations

Simulation Parameters:-

SIMULATION-TIME 30M
TERRAIN-DIMENSIONS (1200, 1200)
NUMBER-OF-NODES 100, 120, 140, 160 and 180.
NODE-PLACEMENT UNIFORM
MOBILITY RANDOM-WAYPOINT
MOBILITY-WP-PAUSE 20S
MOBILITY-WP-MIN-SPEED 0
MOBILITY-WP-MAX-SPEED 5
RADIO-TX-POWER 4.0

Traffic Generators:-

CBR 9 90 10000 512 0.05S 70S 100S
CBR 0 99 10000 512 0.05S 80S 400S
CBR 0 4 10000 512 0.8S 104.39S 400S
CBR 80 90 10000 512 1.1S 300.8S 700S
CBR 32 67 10000 512 1.1S 400.8S 700S
CBR 22 70 10000 512 1.1S 500.8S 700S
CBR 99 58 10000 512 1.1S 600.8S 800S
CBR 63 33 10000 512 1.1S 800.8S 1200S
CBR 27 28 10000 512 1.1S 900.8S 1300S
CBR 33 34 10000 512 1.1S 1000.8S 1100S
CBR 59 99 10000 512 1.1S 1200.8S 1600S
CBR 1 3 10000 512 1.1S 1500.8S 1800S

The malicious nodes chosen are introduced in the order:- 75, 96, 33 and 2

Static Nodes

Fig. 7: Throughput plotted against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes.

Fig. 8: Packet Delivery Ratio (Pdr) plotted against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes.

Fig. 9: Data handled by Malicious Nodes. No. of packets plotted against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes.

Mobile Nodes

Fig. 10: Throughput plotted against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes.

Fig. 11: Packet Delivery Ratio (Pdr) plotted against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes.

Fig. 12: Data Handled by Malicious Nodes. No. of Packets plotted against No. of Nodes, for 0, 1, 2, 3 and 4 malicious nodes.

V.b Analysis

The simulations have been carried out in the GloMoSim Network Simulator. The results for the following metrics have been extracted:-

a) Throughput

b) Packet Delivery Ratio

c) Data Handled by Malicious nodes

The results were taken for static as well as mobile environments. For each, 25 different simulations were carried out each time varying the number of nodes for a particular number of malicious nodes in the network. The analysis is as follows:-

Throughput:

Throughput can be defined as the average rate of successful message delivery over a communication channel.


Throughput = (Total bits received by each application at server / session time) .

In the static environment there is a significant decrease in throughput values of the network with and without Blackhole attack (fig 1). Average throughput value of the network without the attack is 182532 bits/sec. The average value with attack comprising of 4 malicious nodes is 17974 bits/sec. There is a 90% drop in throughput values, indicating the severity of the attack. The drop in throughput values can be attributed to the packet dropping mechanism of the Blackhole nodes.

Another observation that can be made from the graph is that there is no significant difference in the throughput values of the network with 1, 2, 3 and 4 malicious nodes (for 1 malicious node the average value of throughput varying with no. of nodes is 28022 bits/sec and for 4 malicious nodes it is 17973 bits/sec, giving a drop of around 35%) as compared to the difference between the values of the network without attack and that with the attack comprising of 1 malicious node. This can be explained by the fact that the activity of a Blackhole node depends on the presence of other blackhole nodes in the network. One of the Blackhole nodes attracts a large percentage of network traffic and thus does not leave enough for the rest of the malicious nodes of the network. Thus, a strategically placed blackhole node in the network is capable of attracting traffic equivalent to that attracted by multiple blackhole nodes.

In the mobile environment (fig 4), by contrast, the differences in the throughput values of the network with malicious nodes are more pronounced (41968 bits/sec for 1 malicious node and 15792 bits/sec for 4 malicious nodes, giving a drop of 62%) than in the case of static nodes (drop of 35%). This can be explained by the fact that the dependency of the behavior of blackhole nodes on other malicious blackhole nodes is reduced in this case. Due to mobility, malicious nodes would be attracting data packets from a different set of nodes from time to time. The behavior of a blackhole node is also dependent on its position (its effectiveness will increase with its closeness to the senders). In a mobile environment a malicious node may be closer to a group of senders for some time interval, during which it will be most effective. It will be handling the major chunk of the total data handled by the malicious nodes, thus not allowing other malicious nodes to handle data packets. When its distance from the senders increases, its effectiveness will decrease, which would in turn allow other blackhole nodes to get involved.

Also, in general the throughput values decrease with the introduction of mobility in the network.

Packet Delivery Ratio:

Packet Delivery Ratio can be defined as the ratio between the number of packets originated by the “application layer” CBR sources and the number of packets received by the CBR sink at the final destination.


The values of PDR (fig 2) range from 0.977 (average value for no malicious nodes) to 0.13136 (for 4 malicious nodes) in the case of static nodes and 0.9468 (no malicious nodes) to 0.24 (4 malicious nodes) in the case of mobile nodes (fig 5) for network with and without attack. This huge drop in the values can be attributed to the packet dropping mechanism of Blackhole nodes. This clearly shows the severity of the Blackhole attack. Introduction of just 4 malicious Blackhole nodes in an active network of 12 traffic generators and over 100 nodes paralyses the network functioning to an extent of almost killing it.

The observation of no significant difference in the PDR values of the network with 1,2,3 and 4 malicious nodes as compared to the difference between the values of the network without attack and that of with the attack comprising of 1 malicious node can be made here. Also, in the case of mobile nodes this difference does increase as it increases in the case of throughput. The reason for the above is the same as explained in the analysis of throughput behavior.

Introduction of mobility increases the average PDR when the network is under Blackhole Attack as compared to the case of static nodes. Mobility of nodes allows new routes involving different set of nodes to be found out from time to time. This reduces the probability of the Blackhole node to be in the route all the time. The result is increased PDR.

Data Handled by Malicious Nodes:

This is equal to the number of packets dropped by malicious nodes and is inversely proportional to the Packet Delivery Ratio. As much as 86% of the total data packets (fig 3) generated by the source nodes are being dropped by the malicious nodes.
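The three metrics of this section (throughput, packet delivery ratio and data handled by malicious nodes) computed over a packet trace, together with a per-node forwarding check that separates a dropping node from ordinary loss. This is an added example, not part of the original report and not GloMoSim's output format; the trace layout, the routes, the node roles and the thresholds are constructed assumptions.

```python
from collections import Counter

PACKET_BYTES = 512  # item size used in the page's CBR traffic generator lines


def constructed_trace(packets_per_flow=20):
    """Constructed sample trace: tuples (time_s, node, event, flow, seq).

    Events: SEND at the CBR source, RX/FWD at an intermediate node,
    RECV at the CBR sink. Node 75 drops everything it is asked to forward;
    node 40 loses a single packet, standing in for ordinary loss.
    """
    routes = {
        "9->90": ([9, 40, 41, 90], {40: {7}}),
        "0->99": ([0, 75, 99], {75: set(range(packets_per_flow))}),
        "80->90": ([80, 41, 90], {}),
    }
    trace = []
    for flow, (path, drops) in routes.items():
        for seq in range(packets_per_flow):
            t = 1.0 + 0.5 * seq
            trace.append((t, path[0], "SEND", flow, seq))
            delivered = True
            for hop, node in enumerate(path[1:-1], start=1):
                trace.append((t + 0.002 * hop, node, "RX", flow, seq))
                if seq in drops.get(node, ()):
                    delivered = False  # packet vanishes at this node
                    break
                trace.append((t + 0.002 * hop + 0.001, node, "FWD", flow, seq))
            if delivered:
                trace.append((t + 0.002 * len(path), path[-1], "RECV", flow, seq))
    return sorted(trace)


def analyse(trace, session_s, min_handled=10, max_forward_ratio=0.1):
    """Compute network metrics and flag nodes that accept but do not forward.

    min_handled and max_forward_ratio are assumed thresholds: a node is a
    suspect only if it was handed enough packets to judge and forwarded
    almost none of them.
    """
    sent = sum(1 for _, _, ev, _, _ in trace if ev == "SEND")
    received = sum(1 for _, _, ev, _, _ in trace if ev == "RECV")
    rx, fwd = Counter(), Counter()
    for _, node, ev, _, _ in trace:
        if ev == "RX":
            rx[node] += 1
        elif ev == "FWD":
            fwd[node] += 1
    ratio = {node: fwd[node] / rx[node] for node in rx}
    suspects = sorted(node for node in rx
                      if rx[node] >= min_handled and ratio[node] <= max_forward_ratio)
    dropped = sum(rx[node] - fwd[node] for node in suspects)
    return {
        "pdr": received / sent,                              # received / originated
        "throughput_bps": received * PACKET_BYTES * 8 / session_s,
        "forward_ratio": ratio,
        "suspects": suspects,
        "share_dropped_by_suspects": dropped / sent,
    }


if __name__ == "__main__":
    report = analyse(constructed_trace(), session_s=30.0)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Node 40 loses one packet but keeps a forwarding ratio of 0.95 and is not flagged; only the node that accepts traffic and forwards none of it is.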

VI. Conclusion

A significant amount of research has been devoted to studying security issues as well as countermeasures to various attacks in MANET. However, we believe that there is still much research work needed to be done in the area. The underlying rationale is that existing security solutions are well-matched with specific attacks; these solutions have proven to be useful to defend against known attacks, but eventually they fail to counteract unanticipated or combined attacks. In this thesis, we try to discover multiple node attacks and categorize them as direct or indirect collaborative attacks, but we still have doubts that there could be some other kind of attacks that can be classified as collaborative attacks. Thus, further research would be carried out in order to validate the theoretical model: the definition of collaborative attacks and in identifying other collaborative attacks. Due to time constraints, we only simulate the blackhole attack on MANET to show how this attack impacts the regular operation in MANET. Therefore, in order to further establish the consequences of collaborative attacks, another direction for future work would be to simulate other types of collaborative attacks, e.g., wormhole, sybil and routing table overflow attacks and compare the results. Such studies may result in a more complete picture of how network performance is affected during a specific collaborative attack or even combined collaborative attacks. The aforementioned research is quite challenging but interesting to conduct. Finally, the development of a mitigation plan capable of defending against various collaborative attacks would be considered as another important direction for future work.

VII. References

[1] H. Deng, W. Li, and D. P. Agrawal, "Routing security in wireless ad hoc networks," IEEE Communications Magazine, vol. 40, pp. 70-75, 2002.
[2] H. Yang, H. Luo, F. Ye, S. Lu, and L. Zhang, "Security in Mobile Ad Hoc Networks: Challenges and Solutions," IEEE Wireless Communications, vol. 11, pp. 38-47, 2004.
[3] T. Clausen Ed. and P. Jacquet Ed., "Optimized link state routing protocol (OLSR)," IETF RFC 3626, October 2003.
[4] L. Peters, F. De Turck, I. Moerman, B. Dhoedt, P. Demeester, and A. A. Lazar, "Network layer solutions for wireless shadow networks," Proceedings of the International Conference on Networking, International Conference on Systems and International Conference on Mobile Communications and Learning Technologies, ICN/ICONS/MCL'06, vol. 2006, p. 1628384, 2006.
[5] L. Peters, I. Moerman, B. Dhoedt, and P. Demeester, "MEHROM: Micromobility support with efficient handoff and route optimization mechanisms," 16th ITC Specialist Seminar on Performance Evaluation of Wireless and Mobile Systems (ITCSS16 2004), pp. 269-278, 2004.
[6] IEEE Std. 802.11, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications," 1997.
[7] A. Mishra, Security and Quality of Service in Ad Hoc Wireless Networks, 2008.
[8] S. A. Razak, S. M. Furnell, and P. J. Brooke, "Attacks against Mobile Ad Hoc Networks Routing Protocols," 2004.
[9] L. Tamilselvan and V. Sankaranarayanan, "Prevention of co-operative blackhole attack in MANET," Journal of Networks, vol. 3, pp. 13-20, 2008.
[10] S. Saraeian, F. Adibniya, M. GhasemZadeh, and S. Abtahi, "Performance Evaluation of AODV Protocol under DDoS Attacks in MANET," Proceedings of World Academy of Science, Engineering and Technology, vol. 33, pp. 501-503, September 2008.
[11] H.-X. Tan and W. K. G. Seah, "Framework for statistical filtering against DDoS attacks in MANETs," ICESS 2005 - Second International Conference on Embedded Software and Systems, vol. 2005, pp. 456-465, 2005.
[12] S. Djahel, F. Nait-Abdesselam, and A. Khokhar, "An acknowledgment-based scheme to defend against cooperative blackhole attacks in optimized link state routing protocol," IEEE International Conference on Communications, pp. 2780-2785, 2008.
[13] F. Anjum and P. Mouchtaris, Security for Wireless Ad Hoc Networks, Illustrated Edition: illustrated, Wiley-Interscience, 2007.