Int. Journal of Review in Life
A Comprehensive Analysis of DoS Attacks and Countermeasures in Wireless Mesh Networks
Bayan Hallaj 1, Mohammad Masdari 2
1 Computer Engineering Department, Islamic Azad University, Urmia Branch, Urmia, Iran, bayan.hallaj@gmail.com
2 Computer Engineering Department, Islamic Azad University, Urmia Branch, Urmia, Iran, m.masdari@iaurmia.ac.ir
Abstract
Wireless mesh networks (WMNs) have emerged as a key technology for next-generation wireless networking and have characteristics such as simplicity, low cost, better performance, a wider coverage area and self-healing. Due to the open nature of WMNs, their wireless links, the lack of physical protection and frequent changes in topology and membership, these networks are susceptible to various kinds of attacks. As a result, security is a serious concern to be addressed. A major attack occurring in a WMN is the Denial of Service (DoS) attack, which overloads the server with many requests and makes it unable to service the requests of legitimate users. In this paper, various forms of DoS attacks are investigated and classified by network layer. We also discuss countermeasures against these attacks: the countermeasures are listed, their advantages and disadvantages are defined, and they are analyzed so that the best countermeasure can be chosen.
Keywords: Attack, mesh network, DoS, Countermeasures
1 Introduction
Wireless Mesh Networks (WMNs) are multi-hop wireless networks in which communication among the different nodes is dynamically self-organized and self-configured, with the nodes in the network automatically establishing an ad-hoc network and maintaining the mesh connectivity. WMNs have emerged as a promising concept to meet the challenges in wireless networks such as flexibility, adaptability and a reconfigurable architecture. A WMN is a mesh network established through the connection of wireless access points installed at each network user's locale. Each network user sends data to the next node. The WMN infrastructure is decentralized because each node need only transmit data to the next node. Wireless mesh networking can be used in remote areas and by small businesses operating in rural neighborhoods to connect their networks together for affordable Internet connections [1, 2].
Denial-of-Service (DoS) attacks are attacks against availability, attempting to prevent legitimate users from accessing the network. A DoS attack makes a computer or network resource unavailable to its intended users. It includes the combined efforts of a person or a group of persons to prevent a service from functioning efficiently, temporarily or indefinitely. A DoS attack overloads the server or victim with a huge number of requests, so that the server is not able to service the requests of legitimate users. The main goal of a DoS attack is to flood the network with service requests to the server. This can leave the server unable to service all the requests, thereby denying service to legitimate requests [3], [4], [5].
In this paper, we study DoS attacks and countermeasures in WMNs at the different layers. Because of the variety of DoS attacks in WMNs, we classify all the DoS attacks an attacker can carry out at the different layers, listing them and giving a brief explanation of each. For every attack, the network admin has some defense mechanisms; each mechanism has its advantages and disadvantages, and which one to use depends on the network's priorities. We then discuss the various forms of countermeasures against all the DoS attacks in each layer and analyze the countermeasures, so that a WMN admin can choose the most appropriate mechanism to achieve a secure network.
The rest of the paper is organized as follows: in Section 2 we introduce DoS attacks in WMNs. Section 3 reviews the countermeasures for WMNs. Finally, at the end of the paper we evaluate the different kinds of DoS attacks and countermeasure methods.
2 DoS attacks in WMNs
A DoS attack is one that attempts to prevent the victim from being able to use all or part of his or her network connection. Denial of service attacks may extend to all layers of the protocol stack. They target service availability or authorized users' access to a service provider [6].
In this section we discuss the different ways in which an attacker can carry out DoS attacks at the different layers of the protocol stack. All these methods are listed, and a brief explanation of what each attack means is given.
2.1 DoS attacks in Physical Layer
The physical layer is responsible for frequency selection, carrier frequency generation, signal detection, modulation and data encryption. As with any radio-based medium, the possibility of a jamming attack in WMNs is high, since this attack can be launched without much effort or sophistication. Jamming is a type of attack that interferes with the radio frequencies the nodes of a WMN use for communication [7, 8].
2.1.1 Jamming attack
Jamming is the most common attack in the physical layer; it can drop or reorder the transmission of signals. Jamming signals in the form of continuous or periodic noise are generated to disrupt the transmission of bits in the physical layer. The jamming signal can be reactive, in which case the jammer occupies the channel only when an ongoing transmission is detected and disrupts that transmission. A jamming signal can significantly reduce the capacity of the channel [9, 10].
The kinds of jamming attacks are as follows:
- Selective Jamming attack
  o Channel Selective Jamming attack
  o Data Selective Jamming attack
- Scrambling attack
- Resource Unlimited Attack (RUA)
- Preamble attack
- SFD attack
- Reactive attack
- HR (Hit and Run) attack
- Monopolizing attack
- Symbol attack
2.2 DoS attacks in Network Layer
The network (routing) layer is more susceptible to the dropping or misrouting of packets, since multiple hops are involved in the transmission of packets. The mobility of the nodes, limited bandwidth, signal strength, congestion and the routing protocols make the detection of various attacks in this layer difficult. The attacks mainly target the routing protocols in order to misroute or drop packets, poison node caches so that they store incorrect paths, and disturb normal network formation. Many of the same symptoms can also be caused by legitimate network behavior, such as a sudden burst of network traffic, link failures, low signal and battery exhaustion. Due to this, detecting attacks and finding the actual reason for a failure are very complex in the network layer. The different attacks that can be carried out are explained below [9].
2.2.1 Byzantine Attack
In this attack, an adversary has full control over an authenticated node in the network. All integrity and authentication measures taken by the security protocols are of little use when the node is hijacked. The hijacked node is misused to cause several other attacks, such as black hole and wormhole attacks [9, 11].
2.2.2 Jellyfish attack
A jellyfish attack is similar to a black hole attack in that the attacker intrudes into the forwarding group to tunnel the packets to an adversary. Here, however, packets are not dropped; instead the attack increases the end-to-end delay of the transmission by unnecessarily delaying packet forwarding to the next hop, thereby causing frequent timeouts and retransmission of packets. It is difficult to identify this attack, because the delay cannot be told apart from packet loss due to network congestion or link failure. It plunges the network throughput and raises delay jitter [9].
2.2.3 Neighbor Attack
A neighbor attacker deceives nodes that are out of each other's communication range into communicating, by making them believe that they are neighbors. It is similar to a black hole attack, but instead of dropping packets it creates packet loss by creating a false link that does not exist [9].
2.2.4 Sybil Attack
A Sybil attack is a form of attack in which a malicious node creates multiple identities in the network, each appearing as a legitimate node [7]. Here the node fakes multiple identities and claims to be distinct nodes on the network, though it is just a single malicious node. The Sybil attack hampers routing protocols by creating false links between an honest and a malicious node. The attack can have detrimental effects on resource allocation, misbehavior detection and voting techniques in wireless networks [9].
2.2.5 Rushing Attack
To intrude into the forwarding group, the attacker suppresses the flooding of Route Request (RREQ) packets from legitimate nodes. The main goal of this attack is to suppress valid paths from being established, or to increase the attacker's chance of being part of the optimal path selected. The attacker rushes its RREQ packet to its neighbor nodes before any other legitimate node can broadcast its RREQ packets. Since the protocol processes or forwards only the first RREQ packet it receives and drops the others, this chain continues and the attacker's packet is broadcast across the network, increasing its chances of being part of the selected route [9].
2.2.6 Blackhole attack
In a Blackhole attack the malicious node always advertises in the network that it has a fresher route to the destination, by setting the sequence number to a large value, and replies to the RREQ before other routers send a reply. Thus the attacker router attracts all the traffic in its transmission range towards itself and may then drop the packets [12]. Almost all the traffic within the neighborhood will be directed toward the malicious node, which may drop all the packets [13]. The malicious node, after intruding into the forwarding group, drops all the packets that it has to route to the destination [9].
Blackhole attacks can be classified into two types: the single black hole attack and the collaborative black hole attack. In a single black hole attack there is one malicious node, which claims that its path to the destination is the shortest; this node drops routing packets instead of forwarding them to the destination. In a collaborative black hole attack there are at least two malicious nodes, which transfer packets from one malicious node to another. The aim of a black hole attacker is to attract traffic towards itself and block data packets by dropping them [14].
2.2.7 Grayhole attack
The selective forwarding attack, or Grayhole attack, is a kind of Denial of Service (DoS) attack. In it, an adversary first exhibits the same behavior as an honest node during the route discovery process, and then silently drops some or all of the data packets sent to it for further forwarding, even when no congestion occurs. The malicious nodes can degrade network performance, disturb the route discovery process, etc. In a wireless network it is hard to detect the presence of such an attacker, because packet loss over the wireless link can be due to bad channel quality, collisions, intentional dropping, etc. If an attacker drops all the packets, the attack is called a black hole attack. To launch a selective forwarding attack, an attacker may compromise or hijack a mesh router that belongs to the network (an internal attack) or attack the network from outside (an external attack) [15].
2.2.8 Wormhole attack
The routing path between the source and the destination is tunneled by a set of colluding malicious nodes that deceive the source node into choosing their path as the optimal one compared to all other paths to the destination, by establishing an off-line high-speed link between them and thereby invading the forwarding group. This path is called a "Wormhole", since the adversary nodes have virtually created a tunnel between the source and the destination. One end sniffs the packets from the sender and communicates them to the other end of the tunnel, where the packets are replayed locally. Since the entire traffic passes between the malicious nodes, the packets can be dropped to cause a DoS attack or intercepted to cause a man-in-the-middle attack. As long as the wormhole exists it makes sure that no other paths can be chosen, and hence disrupts the network topology. This is one of the strongest attacks, since even two colluding adversary nodes suffice to carry it out. In the worst case an entire set of nodes forming the network overlay may collude to disrupt the network traffic; such wormhole attacks are called super wormhole attacks [9, 13].
2.3 DoS Attacks in Transport Layer
The attacks that can be launched on the transport layer of a WMN are the flooding attack and the de-synchronization attack.
2.3.1 SYN flooding attack
The SYN flooding attack exploits TCP's three-way handshake mechanism and its limitation in maintaining half-open connections. When a server receives a SYN request, it returns a SYN/ACK packet to the client. Until the SYN/ACK packet is acknowledged by the client, the connection remains in the half-open state for a period of up to the TCP connection timeout, which is typically set to 75 seconds. The server has built into its system memory a backlog queue to maintain all half-open connections. Since this backlog queue is of finite size, once the backlog queue limit is reached, all further connection requests will be dropped. If a SYN request is spoofed, the victim server will never receive the final ACK packet to complete the three-way handshake. Flooding spoofed SYN requests can easily exhaust the victim server's backlog queue, causing all incoming SYN requests to be dropped. The stateless and destination-based nature of the Internet routing infrastructure cannot differentiate a legitimate SYN from a spoofed one, and TCP does not offer strong authentication on SYN packets. Therefore, under SYN flooding attacks, the victim server cannot single out, and respond only to, legitimate connection requests while ignoring the spoofed ones [16, 17].
2.3.2 De-synchronization attack
De-synchronization refers to the disruption of an existing connection. An attacker may, for example, repeatedly spoof messages to an end host, causing the host to request the retransmission of missed frames. If timed correctly, an attacker may degrade or even prevent the ability of the end hosts to successfully exchange data, causing them instead to waste energy attempting to recover from errors which never really exist [18]. By continuously causing retransmission requests, this attack can eventually prevent the endpoints from exchanging any useful information, and in addition quickly drain all the power resources of the attacked nodes [19].
3 Countermeasures for DoS attacks
In this section we introduce the different countermeasures that have been implemented to combat DoS attacks in the different layers. For each countermeasure we explain the principle it is based on and the limitations of the technique.
3.1 Countermeasures for DoS Attacks in Physical Layer
Jamming is the most common DoS attack in the physical layer. In this section, solutions to detect or prevent DoS attacks in the physical layer are classified and explained.
3.1.1 Jamming Attack Detection
Low throughput, low packet delivery ratio (PDR) and high packet latency are indicators of a jamming attack. However, these indicators are also present when the network is congested. Thus, better metrics should be used to detect a jamming attack and differentiate it from other network conditions. Two types of jamming detection approaches are signal strength consistency and location consistency. In the signal strength consistency approach, a station is suspected to be the victim of a jammer station if the measured PDR is low while the measured average signal strength of incoming signals is high. A high signal strength level is an indicator of a high-quality channel, so an unexpectedly high frame loss rate on such a channel is an indication of an active jammer station. Location consistency is conceptually similar to signal strength consistency: if the PDR of a data flow between a sender and a receiver is extraordinarily low despite the fact that these stations are physically close enough (it is possible to estimate the distance between 802.11 stations using signal strength, with an accuracy of a few meters), then a jammer station is suspected to be present in the surrounding area [4, 20].
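The two consistency checks of Section 3.1.1, as an added example that is not part of the paper: a flow whose PDR is low although the incoming signal is strong, or although the peer is estimated to be close, is flagged as jammed, while a low PDR on a weak, distant link is left as ordinary degradation. The thresholds and the RSSI-to-distance model are assumptions.

```python
"""Added example (not from the paper): jamming detection using the signal
strength consistency and location consistency checks of Section 3.1.1.
Thresholds and the RSSI-to-distance model are assumptions, labelled below."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed tuning constants (not given in the paper).
PDR_LOW = 0.30          # PDR below this is "low"
RSSI_HIGH_DBM = -60.0   # average RSSI above this is "strong signal"
NEAR_METERS = 10.0      # stations closer than this should have a good link


@dataclass
class FlowStats:
    sender: str
    receiver: str
    frames_sent: int
    frames_delivered: int
    rssi_samples_dbm: List[float]   # RSSI of frames received from sender

    def pdr(self) -> float:
        return self.frames_delivered / self.frames_sent if self.frames_sent else 0.0

    def avg_rssi(self) -> float:
        return sum(self.rssi_samples_dbm) / len(self.rssi_samples_dbm)


def estimate_distance_m(rssi_dbm: float, rssi_at_1m: float = -40.0,
                        path_loss_exp: float = 2.5) -> float:
    """Assumed log-distance path-loss model: d = 10 ** ((P0 - P) / (10 n))."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exp))


def signal_strength_consistency(stats: FlowStats) -> bool:
    """Suspect a jammer when PDR is low although the channel looks good (strong RSSI)."""
    return stats.pdr() < PDR_LOW and stats.avg_rssi() > RSSI_HIGH_DBM


def location_consistency(stats: FlowStats) -> bool:
    """Suspect a jammer when PDR is low although the stations are physically close."""
    return stats.pdr() < PDR_LOW and estimate_distance_m(stats.avg_rssi()) < NEAR_METERS


def classify(stats: FlowStats) -> str:
    """'jammed' if either check fires; 'degraded' for a low PDR that a weak or
    distant link explains; 'normal' otherwise."""
    if signal_strength_consistency(stats) or location_consistency(stats):
        return "jammed"
    if stats.pdr() < PDR_LOW:
        return "degraded"
    return "normal"


# Constructed sample flows.
SAMPLES = [
    FlowStats("A", "B", 200, 190, [-55.0, -54.0, -56.0]),   # good link, normal
    FlowStats("C", "D", 200, 30, [-52.0, -53.0, -51.0]),    # strong signal but 15% PDR
    FlowStats("E", "F", 200, 40, [-88.0, -90.0, -87.0]),    # weak, far link: loss is explainable
]


def run() -> Dict[str, str]:
    return {f"{s.sender}->{s.receiver}": classify(s) for s in SAMPLES}


if __name__ == "__main__":
    for flow, verdict in run().items():
        print(flow, verdict)
```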
3.1.2 Counter the Intended Actions of the Jammer Station
In case the jammer station is equipped with a narrow-band transmitter, rapid frequency hopping can be a highly effective method of combating the jammer's actions. A single station's jamming attacks have been experimentally shown to be relatively ineffective against legitimate stations' rapid frequency hopping. If the number of jammer stations increases, the effectiveness of rapid frequency hopping gracefully decreases until all the channels (11 overlapping channels in North America) are jammed by at least one jammer station. Since implementing rapid frequency hopping brings extra overhead, proactive use of such prevention methods is not very efficient if no ongoing DoS attack has been detected [4, 21].
3.1.3 Spread Spectrum Techniques
The traditional defenses against jamming include spread spectrum techniques such as direct sequence and frequency hopping. In direct sequence spread spectrum (DSSS), each data bit in the original signal is represented by multiple bits in the transmitted signal using a spreading code. The spreading code spreads the signal over a wider frequency band, in direct proportion to the number of bits being used. The receiver can use the spreading code with the signal to recover the original data. In frequency hopping spread spectrum (FHSS), signals are transmitted by rapidly switching a carrier signal among many frequency channels using a pseudo-random sequence which is known to both the transmitter and the receiver [7].
3.1.4 Countering Channel-Selective Attacks
Several anti-jamming methods have been proposed to address channel-selective attacks from insider nodes. All of these methods trade communication efficiency for stronger resilience to jamming. Three anti-jamming methods are described in the following:
- Replication of control information
- Assignment of unique pseudo-noise codes
- Elimination of secrets
3.1.5 Countering Data-Selective Jamming Attacks
An intuitive solution for preventing packet classification is to encrypt transmitted packets with a secret key. While a shared key suffices to protect point-to-point communications, for broadcast packets this key must be shared by all intended receivers. Thus, this key is also known to an inside jammer. In symmetric encryption schemes based on block encryption, reception of one ciphertext block is sufficient to obtain the corresponding plaintext block if the decryption key is known. Hence, encryption alone does not prevent insiders from classifying broadcast packets. To prevent classification, a packet must remain hidden until it has been transmitted in its entirety. One possible way of temporarily hiding the transmitted packet is to employ commitment schemes. In a commitment scheme, the transmitting node hides the packet by broadcasting a committed version of it [23].
Table 1 presents a summary of countermeasures against DoS attacks in the physical layer, with their advantages and disadvantages.
Table 1: Countermeasures Against DoS Attack in Physical Layer
Countermeasure Method | Attack | Description | Advantages | Disadvantages
Spread spectrum | Selective jamming attacks | Every bit in the main signal is presented by several bits in the transmitted signal | Detection & prevention | Implementation is hard
Replication of control information | Channel selective jamming | Every channel bandwidth control for jamming attacks [22] | Anti-jamming | Limiting bandwidth
Assignment of unique pseudo-noise codes | Channel selective jamming | Dynamically vary the location of the broadcast channel, based on the physical location of the communicating nodes [23] | Anti-jamming; the pseudo-noise code used to spread each packet is not known a priori | 
Elimination of secrets | Channel selective jamming | Attempt to eliminate the use of common secrets for protecting broadcast communications; avoids secrets in the first place [22] | An inside adversary can only attempt to guess it, with a limited probability of success | 
Counter data selective jamming attacks | Data selective jamming | Every packet is encrypted and classified with a shared code key to deny jamming | Denial of outside attacker | Delay in transmission
WEP, DES, AES | Scrambling | Current encryption mechanisms used in these broadband networks are WEP, DES and AES | Increasing security | High implementation cost
CAD | Resource unlimited attack | | | 
Multi-hop forwarding | Preamble attack | Relayed traffic receives credit in return | Denial of planning attacks | Implementing needs clear metrics
Spatial retreat | | | | 
Rapid frequency hopping | | Every channel is controlled for bandwidth with a high rate of change | Overcomes the attack | Utilizes more bandwidth
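An added example, not from the paper or from [23], of the hiding step Section 3.1.5 describes: the packet is transmitted in committed form and the per-packet key is released only after the whole packet is on the air, so an insider holding the shared group key cannot read the packet's type field from its first bytes. The construction (an HMAC-SHA256 keystream plus a SHA-256 commitment over key and hidden packet) and the packet format with the type in byte 0 are assumptions made for this illustration.

```python
"""Added example (not from the paper): hiding a packet until it has been fully
transmitted with a commitment, as Section 3.1.5 describes against
data-selective (classifying) jammers. The construction here is an
illustration chosen for this page, not the scheme of [23]."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TAG_LEN = 32


def _keystream(key: bytes, length: int) -> bytes:
    """Expand a per-packet key into a keystream (HMAC-SHA256 in counter mode)."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(out[:length])


def commit(packet: bytes, key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (blob, key): blob = tag || hidden packet. The key is released only
    after the blob has been transmitted in its entirety."""
    key = key or os.urandom(16)
    hidden = bytes(p ^ k for p, k in zip(packet, _keystream(key, len(packet))))
    tag = hashlib.sha256(key + hidden).digest()   # binds the key to exactly this hidden packet
    return tag + hidden, key


def decommit(blob: bytes, key: bytes) -> bytes:
    """Open the commitment; fails if the key or the hidden packet was altered in transit."""
    tag, hidden = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hashlib.sha256(key + hidden).digest()):
        raise ValueError("commitment does not open with this key")
    return bytes(h ^ k for h, k in zip(hidden, _keystream(key, len(hidden))))


def packet_type(first_bytes: bytes) -> Optional[int]:
    """An insider's classifier for the constructed format: the type is in byte 0."""
    return first_bytes[0] if first_bytes else None


def airtime_view(packet: bytes, key: bytes) -> Dict[str, Optional[int]]:
    """What a classifying insider learns at each point of the transmission."""
    blob, key = commit(packet, key)
    return {
        "plaintext_prefix_type": packet_type(packet[:1]),     # no hiding: known after 1 byte
        "committed_prefix_type": packet_type(blob[:1]),       # a tag byte, unrelated to the type
        "opened_type": packet_type(decommit(blob, key)[:1]),  # only after the key is released
    }


if __name__ == "__main__":
    pkt = bytes([0x07]) + b"route-reply-payload"   # constructed packet, type 7
    print(airtime_view(pkt, b"\x01" * 16))
```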
3.2 Countermeasures for Network Layer
The most varied DoS attacks occur in the network layer, so there are many solutions to secure this layer against DoS attacks. Detection and prevention mechanisms against the various types of attacks mentioned above are classified and described in the following.
3.2.1 Detect and Prevent Byzantine Attacks
The On Demand Secure Byzantine Routing (ODSBR) protocol is used to detect adversary nodes in a network and prevent Byzantine attacks. Inside attacks are difficult to detect, since an authenticated node can either be hijacked by an attacker or a legitimate node may itself misuse network resources. The protocol uses a reliability metric to identify faulty nodes and avoid them. It uses a secure probe technique embedded in the packets which is hidden from an adversary. Every link is associated with a metric which is used later by the secure route discovery protocol to avoid faulty links.
This is implemented by operating the network in two states: the probing state and the non-probing state. The network initially operates in the non-probing state, where it expects an ACK only from the destination node. In the probing state it expects an ACK from every intermediate node present in the path. The node enters the non-probing state only when the fault rate goes above the fixed threshold value. The threshold values for the packet loss rate, link timeout and sliding window size are set and are used to switch the network between these two states. Hence, in the case of dense networks, where there are many disjoint paths, the network takes time to identify the reliable link between the source and the destination, because it considers only one path in every transfer. This gets worse when there are more adversary nodes and they participate in many paths. This approach is fast for sparse networks [9].
A summary of countermeasures against Byzantine attacks in the network layer, with their advantages and disadvantages, is listed in Table 2.
Secure Data Transmission (SDT) is based on the fundamental principle that a data transmission is successful only when the source receives an ACK from the destination node. This approach only helps us detect the path in which an adversary node is present, but does not isolate the node itself. It requires the network to identify all possible disjoint paths and disseminates the packets across all paths. This approach is well suited to a fully connected ad hoc wireless mesh network, where the number of disjoint paths is greater than in a sparse network, where fewer disjoint paths are present. Moreover, this approach fails when subjected to false topology and denial of service in identifying disjoint paths. It is vulnerable to rushing attacks and fails when there are many colluding attackers. SDT requires a secure routing protocol [9].
Table 2: Countermeasures against Byzantine Attack in Network Layer
Countermeasure Method | Description | Advantages | Disadvantages
ODSBR (On Demand Secure Byzantine Routing) | Assumes bidirectional communication links and requires pairwise shared keys among the nodes, which are established on demand. | This approach is fast for sparse networks. | 1- In the case of dense networks, the network takes time to identify the reliable link between the source and the destination. 2- Gets worse when there are more adversary nodes participating in many paths.
Watchdog and Pathrater | Detect adversarial nodes by monitoring the packet forwarding behaviors of the nodes in a neighborhood. | Attack detection | 1- Suffers from many false positives when multi-rate or power control is used. 2- When two or more colluding adversary nodes are neighbors of each other, this method fails to detect the attack.
SDT (Secure Data Transmission) | SDT is based on receiving an ACK from the destination node. | Helps to detect the path in which an adversary node is present. Well suited to a fully connected ad hoc wireless mesh network, where the number of disjoint paths is greater. | 1- This approach fails when subjected to false topology and denial of service in identifying disjoint paths. 2- It is vulnerable to rushing attacks and fails when there are many colluding attackers.
3.2.2 Detection and Prevention of Sybil Attack
Sybil prevention techniques based on the connectivity characteristics of social graphs can also limit the extent of the damage that can be caused by a given Sybil attacker while preserving anonymity, though these techniques cannot prevent Sybil attacks entirely and may be vulnerable to widespread small-scale Sybil attacks. Examples of such prevention techniques are SybilGuard and the Advogato Trust Metric [5].
SybilGuard, a novel protocol for limiting the corruptive influence of Sybil attacks, is based on the "social network" among user identities, where an edge between two identities indicates a human-established trust relationship. Malicious users can create many identities but few trust relationships. Thus, there is a disproportionately small "cut" in the graph between the Sybil nodes and the honest nodes. SybilGuard exploits this property to bound the number of identities a malicious user can create [24].
Table 3 presents a summary of countermeasures against Sybil attacks in the network layer, with their advantages and disadvantages.
Table 3: Countermeasures Against Sybil Attack in Network Layer
Countermeasure Method | Scheme | Description | Advantages | Disadvantages
SybilGuard | Prevention | Limits the corruptive influence of Sybil attacks, including Sybil attacks exploiting IP harvesting and even some Sybil attacks launched from botnets outside the system. | | Vulnerable to widespread small-scale Sybil attacks.
Advogato | Prevention | | | Vulnerable to widespread small-scale Sybil attacks.
Detection of Blackhole attacks
EBAODV (Enhanced Blackhole AODV) is a novel approach for the detection of blackhole attacks in which leader nodes are used for detecting blackhole nodes. In this approach, leader nodes are created first and are used for the detection of malicious nodes. The source node generates an RREQ and at the same time starts a timer measuring the current time; any expiry time can be assumed (here 20 ms). If an RREP is received before the expiry time, a fake packet, which is not an original data packet, is sent to the destination. If an acknowledgement (ACK) is then received, the source node sends the original packet. If no ACK is received, it means that packets are being dropped. If the number of dropped packets exceeds the threshold value (here 10), the leader nodes send a block message to all their neighbors. The block message contains the id of the malicious node, and all intermediate nodes receive the table of black hole nodes. A new RREQ message is then generated for route discovery [14].
Another detection approach is an intelligent honeypot-based system to detect blackhole attackers in WMNs. Prathapani et al. model the detection of malicious blackhole attackers using a honeypot as the detection agent [25]. A honeypot is a security resource whose value lies in being probed, attacked or compromised; it is designed to interact with attackers to collect attack techniques and behaviors [26].
3.2.3 Detection and Prevention of Grayhole attack
Watchdog and Pathrater are techniques for detecting and mitigating routing misbehavior. Watchdog is a method for detecting misbehaving nodes. The pathrater is run by each node in the network; it combines knowledge of misbehaving nodes with link reliability data to find a reliable path. Each node maintains a rating for every other node it knows about in the network. When a node in the network becomes known to the pathrater (through route discovery), the pathrater assigns it a rating of 0.5. A node always rates itself 1.0. This ensures that when calculating the path, the pathrater increments the ratings of nodes on all actively used paths by 0.01 at periodic intervals of 200 ms [27, 28].
Byzantine-Resilient Secure Multicast Routing (BSMR) is a secure multicast routing protocol that withstands insider attacks from colluding adversaries. BSMR ensures that multicast data is delivered from the source to the members of the multicast group as long as the group members are reachable through non-adversarial paths and a non-adversarial path exists between a new member and a node in the multicast tree. This is done even in the presence of Byzantine attackers. Outside attackers are prevented using an authorization framework. Nodes have a method to determine the source authenticity of the received data, which allows a node to correctly determine the rate at which it receives multicast data.
BSMR route discovery allows a newly added node to find a route to the multicast tree. The protocol follows the typical route request/route reply procedure used by on-demand routing protocols. All route discovery messages are authenticated using the public key corresponding to the network certificate, to prevent outside interference. Only group-authenticated nodes can initiate route requests; the group certificate is required in each request. Tree tokens are used to prove the current tree status [27, 29].
A summary of countermeasures against Grayhole attacks in the network layer, with their advantages and disadvantages, is listed in Table 4.
The Channel Aware Detection (CAD) approach is implemented to mitigate routing protocol threats and route disruption attacks by limiting the number of packets forwarded to the malicious mesh devices. It is based on two strategies: channel-based estimation and traffic monitoring. If the monitored loss rate at particular hops exceeds the estimated normal loss rate, the nodes so identified are considered malicious. The essence of CAD is to distinguish intentional dropping from normal channel losses. A normal packet loss can occur due to bad channel quality or medium access collision under the infinite buffer assumption. In CAD, each mesh node maintains a history of packet counts to measure the link loss rate. When a node receives a packet from upstream, it updates the packet count history with the corresponding packet sequence number [30].
Table 4: Countermeasures Against Grayhole Attack in Network Layer
Countermeasure Method | Description | Advantages | Disadvantages
Watchdog and Pathrater Technique | A technique for detecting and mitigating routing misbehavior. | Detects misbehavior at the forwarding level. | Does not detect a misbehaving node in the presence of ambiguous collisions, receiver collisions, limited transmission power, false misbehavior, collusion and partial dropping.
BSMR | Ensures that multicast data is delivered from the source to the members of the multicast group. | Identifies and avoids adversarial links based on a reliability metric. | Assumes a static detection threshold independent of channel quality and medium access collision.
CAD Algorithm | Identifies intentional selective dropping from natural wireless losses. | 1- Detection of the attacker node does not depend on the data traffic through a node, and CAD works well under dynamic channel behavior. 2- Efficient detection of attackers and improved packet delivery ratio. | 1- Needs to send an extra packet to initiate the detection. 2- It is difficult to detect the attacks when noise is introduced into the channel.
threshold value, it uses probing state of the network to
detect faulty paths and avoid such faulty paths in the
next route discovery. This is the only method that can
detect even super Wormhole attacks. The disadvantage
of this method is that it becomes very slow to detect the
faulty links when the number of colluding nodes in the
network increases [9]. Table 5 presents a summary of
countermeasures against Wormhole attack in network
layer, advantages and disadvantages of them.
Rakesh Matamand and Somanath Tripathy
proposes WRSR (wormhole-resistant secure routing), a
wormhole-resistant secure routing algorithm that detects
the presence of wormhole during route discovery
process and quarantines it
WRSR identifies route requests traversing a wormhole
and prevents such routes from being established. WRSR
uses unit disk graph model to determine the necessary
and sufficient condition for identifying a wormhole-free
path. The most attractive features of the WRSR include
its ability to defend against all forms of wormhole
(hidden and Byzantine) attacks without relying on any
extra hardware like global positioning system,
synchronized clocks or timing information, and
computational intensive traditional cryptographic
mechanisms [34].
3.2.4
Detection and Prevention of Wormhole
attack
RRT based detection is one way proposed to
measure the value of RRT between the node and its
neighbors to validate the RTT value. If it exceeds the
threshold value then it is suspected to be a malicious
node. This method suffered from exposed attacks [9,
31].
Little Worp Protocol that is used in static
networks to get the entire network topology based on
two hop routing principle is used to detect malicious
nodes and also to probe the neighbors behavior's to
check if they are functioning in the right way [9, 32].
The Certificate based scheme is a scheme that
defends against wormhole attacks which uses the
secured extension of Ad-Hoc routing protocol that
follows the method of issuing certificates by each node
to each other nodes that are within its range and also
monitors other nodes for RTT delay. It classifies the
nodes that it can certify as trusty or untrustworthy based
on the RTT value, depending on this it updates to
certify or decertify the nodes. This method can also
suffer from the drawbacks of an attacker who
maliciously
impersonates
another
node
by
compromising Public key [9].
Directional Antenna strategy has proposed the
usage of antennas in ad-hoc and sensor networks to
determine the distance with its neighbor based on the
signal strength. This approach checks if the link actually
exists by measuring the angle of the arrived information
with the possible signal strength. The node verifies if it
has a link within its region, if it does not fall within the
verifiable region, the node simply rejects the link. This
information is sent to a central controller to determine
the network topology [9, 33].
ODSBR doesn't detect worm hole rather prevents
the selection of the path that contains worm hole. It
allows the network initially to work in the non –
probing state where the optimal wormhole path would
be selected and the path is monitored for packet loss.
Once the packet loss rate or delay jitter increases the
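The RTT based detection of section 3.2.4 can be illustrated with a threshold check over probe timings. The block below is an added example for this page, not code from the paper or from reference [31]. The radio range, the neighbor turnaround time, the slack factor and all RTT samples are constructed assumptions chosen so that a genuine one-hop link stays well under the threshold while a link relayed several hops through the mesh exceeds it; the node F is included to show the method's known blind spot.

```python
from statistics import median

# Assumed link parameters for this example (not from the paper).
SPEED_OF_LIGHT_M_PER_US = 300.0   # radio propagation, roughly 300 m per microsecond
MAX_RANGE_M = 250.0               # assumed maximum one-hop radio range
PROCESSING_US = 200.0             # assumed neighbor turnaround (receive, process, reply)

# Constructed RTT samples in microseconds from node A to the nodes that claim to be
# its neighbors. B and C are genuine one-hop neighbors. W is a node several hops away
# whose packets a wormhole relays through the mesh itself; F is the same situation but
# relayed over a link faster than the mesh, which is the case an RTT check misses.
CONSTRUCTED_RTT_SAMPLES_US = {
    "B": [212.0, 225.0, 218.0],
    "C": [230.0, 241.0, 236.0],
    "W": [2105.0, 2240.0, 2180.0],
    "F": [284.0, 291.0, 287.0],
}


def rtt_threshold_us(max_range_m=MAX_RANGE_M, processing_us=PROCESSING_US, slack=1.5):
    """Largest RTT a genuine single hop should show.

    Out-and-back propagation over the maximum range plus the neighbor's
    turnaround time, with a slack factor for queuing and clock jitter.
    """
    propagation = 2.0 * max_range_m / SPEED_OF_LIGHT_M_PER_US
    return slack * (propagation + processing_us)


def classify_links(rtt_samples, threshold_us=None):
    """Return {neighbor: "ok" | "suspect"} using the median of each neighbor's samples.

    The median rather than a single probe keeps one delayed reply from
    flagging a genuine neighbor.
    """
    if threshold_us is None:
        threshold_us = rtt_threshold_us()
    return {
        neighbor: ("suspect" if median(samples) > threshold_us else "ok")
        for neighbor, samples in rtt_samples.items()
    }


def suspects(rtt_samples):
    """Neighbors whose link should be excluded from routing until verified by other means."""
    return sorted(n for n, verdict in classify_links(rtt_samples).items() if verdict == "suspect")


if __name__ == "__main__":
    print(round(rtt_threshold_us(), 1), classify_links(CONSTRUCTED_RTT_SAMPLES_US))
```

With the assumed parameters the threshold is 302.5 microseconds: B and C pass, W is flagged, and F passes even though it is tunneled, because a relay that is faster than the mesh keeps the RTT inside the genuine-neighbor range. This is why the paper lists RTT checks as one approach among several and why the certificate based scheme and directional antennas add evidence that does not depend on timing alone.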
3.3 Countermeasures for Transport Layer

Secure Sockets Layer (SSL), Transport Layer Security (TLS) and the Extensible Authentication Protocol encapsulating Transport Layer Security (EAP-TLS) are the protocols usually used for securing the transport layer in wireless networks, including WMNs, against SYN flooding attacks.

SSL/TLS uses asymmetric key cryptographic techniques to ensure secure communication sessions. It can also help in protecting against masquerading attacks, man-in-the-middle attacks, rollback attacks, replay attacks and buffer overflow attacks.

For securing the transport layer in WMNs, an upper layer authentication protocol (EAP-TLS) is proposed by Aboba and Simon. Although EAP-TLS offers mutual authentication between a mesh router (MR) and a mesh client (MC) or between a pair of MCs, it introduces high latency in WMNs because each terminal acts as an authenticator for its previous neighbor before the authentication request reaches an authentication server (AS). Furthermore, for nodes with high mobility, frequent re-authentications due to handoffs can have a very adverse impact on the quality of service of the applications. As a result, variants of EAP-TLS have been proposed to adapt the IEEE 802.1X authentication model for multi-hop WMNs.

Table 5: Countermeasures Against Wormhole Attack in Network Layer
Countermeasure | Method | Description | Advantages | Disadvantages
Watchdog and Pathrater Technique | | A technique for detecting and mitigating routing misbehavior. | Detects misbehavior at the forwarding level. | Does not detect a misbehaving node in the presence of ambiguous collisions, receiver collisions, limited transmission power, false misbehavior, collusion and partial dropping.
BSMR | | BSMR ensures that multicast data is delivered from the source to the members of the multicast group. | Identifies and avoids adversarial links based on a reliability metric. | Assumes a static detection threshold independent of channel quality and medium access collisions.
CAD Algorithm | | Distinguishes intentional selective dropping from natural wireless losses. | 1. Detection of an attacker node does not depend on the data traffic through the node, and CAD works well under dynamic channel behavior because the threshold values are dynamic. 2. Efficient detection of attackers and improved packet delivery ratio. | 1. Needs to send an extra packet to initiate the detection. Attack detection is done by the source router, so the attacker is identified only if the source router demands it. 2. It is difficult to detect the attacks when noise is introduced into the channel.
RTT based detection | | Measures the RTT between the node and its neighbors and validates the RTT value. | | This method suffers from exposed attacks.
LiteWorp protocol | | Detects malicious nodes and also probes the neighbors' behaviors to check whether they are functioning in the right way. | |
Certificate based scheme | | Classifies the nodes that it can certify as trustworthy or untrustworthy based on the RTT value. | | This method can also suffer from an attacker who maliciously impersonates another node by compromising its public key.
Directional Antenna | | Checks whether the link actually exists by measuring the angle of arrival of the received information together with the signal strength. | |
ODSBR | | Detects malicious links based on an end-to-end acknowledgment-based feedback technique. | This is the only method that can detect even super wormhole attacks. | It becomes very slow to detect the faulty links when the number of colluding nodes in the network increases.
WRSR (wormhole-resistant secure routing) | | Detects the presence of a wormhole during the route discovery process and quarantines it. | |

4 Conclusion

Self-organization and self-configuration are the desired features of WMNs. These features provide many advantages, such as good reliability, market coverage, scalability and low upfront cost. WMNs have also gained significant attention because of the numerous applications they support, for example broadband home networking, community and neighborhood networks, video delivery, and building automation in entertainment and sporting venues. Despite these advantages, WMNs suffer from critical security issues that are of major concern when deploying them. Since WMNs are used for various applications, security is a serious concern to be addressed. In this paper we surveyed all kinds of DoS attacks in WMNs. A DoS attack may occur in each layer of the network, so this paper classified all of them and gave an introduction to the attacks. For each attack there are preventing, detecting or mitigating methods to secure the network; we discussed these methods and their advantages and disadvantages. For future work, we will study Distributed Denial of Service (DDoS) attacks on WMNs and discuss countermeasures against them. In conclusion, all kinds of DoS attacks in WMNs and the defense mechanisms against them are listed in Table 6.

Table 6: DoS Attacks and Defense Mechanisms in WMN
Layer | Attack | Defense Mechanism
Physical | Jamming | Spread spectrum, Multipath source routing protocol, Replication of control information, Counter data selective jamming attacks, WEP, DES, AES, CAD
Network | Byzantine | ODSBR, Watchdog and Pathrater, SDT
Network | Sybil | SybilGuard, Advogato, SYIBSEC
Network | Rushing | RAP, ODSBR, ARAN, SAR, SEAD, ARIADNE, SAODV, SRP, SEAODV
Network | Black hole | Detection using honeypots
Network | Gray hole | Watchdog and Pathrater Technique, BSMR, CAD
Network | Worm hole | RTT based detection, LiteWorp protocol, Certificate based scheme, Directional Antenna, ODSBR, WRSR

5 References
1. Monika, Denial of service attacks in wireless mesh network. IJCTIS, 2012. 3(3): p. 7.
2. Akyildiz, I.F., X. Wang, and W. Wang, Wireless mesh networks: a survey. Computer Networks, 2005. 47(4): p. 445-487.
3. Misra, S., et al., An adaptive learning routing protocol for the prevention of distributed denial of service attacks in wireless mesh networks. Computers & Mathematics with Applications, 2010. 60(2): p. 294-306.
4. Bicakci, K. and B. Tavli, Denial-of-Service attacks and countermeasures in IEEE 802.11 wireless networks. Computer Standards & Interfaces, 2009. 31(5): p. 931-941.
5. M.M.C. et al., Survey on various forms of attacks and countermeasures in wireless mesh network. IJAIR, 2013. 2(3).
6. Soomro, S.A., et al., Denial of Service Attacks in Wireless Ad hoc Networks. Journal of Information & Communication Technology, 2010. 4(2): p. 10.
7. Sen, J., Security and privacy issues in wireless mesh networks: A survey, in Wireless Networks and Security. 2013, Springer. p. 189-272.
8. Vaghela, M.M.D. and K.H. Wandra, Detection and Prevention Denial of Service Attacks in Wireless Mesh Networks. 2014.
9. Mohan, D., Denial of Service attack in Wireless Mesh Networks.
10. Pintea, C.-M. and P.C. Pop, Sensitive ants for denial jamming attack on wireless sensor network. In International Joint Conference SOCO'13-CISIS'13-ICEUTE'13. 2014, Springer.
11. Aggarwal, N. and K. Dhankhar, Attacks on Mobile Adhoc Networks: A Survey. International Journal of Research in Advent Technology, 2014. 2(5): p. 307-316.
12. Prasoon, P., Security Frame Work against Denial of Service Attacks in Wireless Mesh Networks. 2011, National Institute of Technology Rourkela.
13. Gankotiya, A.K., S. Seth, and G. Singh, Attacks and their Counter Measures in Wireless Mesh Networks. Cyber Security Research Center, 2010.
14. Rachh, A.V., Y.V. Shukla, and T.R. Rohit, A Novel Approach for Detection of Blackhole Attacks. 2014.
15. V, V.V. and V.M.A. Rajam, Detection of Colluding Selective Forwarding Nodes in Wireless Mesh Networks Based on Channel Aware Detection Algorithm. MES Journal of Technology and Management: p. 5.
16. Wang, H., D. Zhang, and K.G. Shin, Detecting SYN flooding attacks. In INFOCOM 2002. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. 2002, IEEE.
17. Sgora, A., D.D. Vergados, and P. Chatzimisios, A survey on security and privacy issues in wireless mesh networks. Security and Communication Networks, 2013.
18. Sen, J., Secure routing in wireless mesh networks. arXiv preprint arXiv:1102.1226, 2011.
19. Di Pietro, R., et al., Security in Wireless Ad-Hoc Networks: A Survey. Computer Communications, 2014.
20. Xu, W., et al., Jamming sensor networks: attack and defense strategies. IEEE Network, 2006. 20(3): p. 41-47.
21. Gummadi, R., et al., Understanding and mitigating the impact of RF interference on 802.11 networks. ACM SIGCOMM Computer Communication Review, 2007. 37(4): p. 385-396.
22. Lazos, L. and M. Krunz, Selective jamming/dropping insider attacks in wireless mesh networks. IEEE Network, 2011. 25(1): p. 30-34.
23. Kumar, M.V. and M. Tech, Blocking Selective Jamming Attacks.
24. Yu, H., et al., SybilGuard: defending against sybil attacks via social networks. In ACM SIGCOMM Computer Communication Review. 2006, ACM.
25. Prathapani, A., L. Santhanam, and D.P. Agrawal, Detection of blackhole attack in a Wireless Mesh Network using intelligent honeypot agents. The Journal of Supercomputing, 2013. 64(3): p. 777-804.
26. Gupta, P., et al., Securing WMN using Honeypot Technique. International Journal on Computer Science and Engineering, 2012. 4(2).
27. Thomas, C. and D.S. Pankaj, Performance Evaluation of Various Countermeasures for Grayhole Attack in Wireless Mesh Network. International Journal of Advanced Research in Computer and Communication Engineering (IJARCCE), 2013. 2(4).
28. Marti, S., et al., Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of the 6th annual international conference on Mobile computing and networking. 2000, ACM.
29. Curtmola, R. and C. Nita-Rotaru, BSMR: byzantine-resilient secure multicast routing in multihop wireless networks. IEEE Transactions on Mobile Computing, 2009. 8(4): p. 445-459.
30. Bhide, A., M.A.S. DR, and S. Arshad, Channel Aware Detection based Network Layer Security in Wireless Mesh Networks. International Journal of Advanced Engineering and Global Technology, 2014. 2(5).
31. Zhen, J. and S. Srinivas, Preventing replay attacks for secure routing in ad hoc networks, in Ad-Hoc, Mobile, and Wireless Networks. 2003, Springer. p. 140-150.
32. Khalil, I., S. Bagchi, and N.B. Shroff, LITEWORP: a lightweight countermeasure for the wormhole attack in multihop wireless networks. In Dependable Systems and Networks, 2005. DSN 2005. Proceedings. International Conference on. 2005, IEEE.
33. Wang, W. and B. Bhargava, Visualization of wormholes in sensor networks. In Proceedings of the 3rd ACM workshop on Wireless security. 2004, ACM.
34. Matam, R. and S. Tripathy, WRSR: wormhole-resistant secure routing for wireless mesh networks. EURASIP Journal on Wireless Communications and Networking, 2013. 2013(1): p. 1-12.