Countering Black hole and Gray hole Attack in AODV-based MANET

Saumia Gopi Nair
Department of Computer Science & Engineering
Government Engineering College, Thrissur
Kerala, India
saumia89@gmail.com

Manoj Kumar K V
Department of Computer Science & Engineering
Government Engineering College, Thrissur
Kerala, India
kvm.kumar@yahoo.com

Abstract—A mobile ad hoc network (MANET) is an autonomous, self-organized collection of wireless nodes that communicate over the wireless medium. Nodes that are in direct radio range of each other communicate directly, whereas nodes that are not in range rely on intermediate nodes to route their data and control packets. Thus a multi-hop, neighbour-based routing scenario exists in a MANET. Traditional MANET routing protocols, including AODV, do not take security issues into consideration and hence are vulnerable to attacks by nodes with malicious intent. The black hole attack is an active attack that exploits the vulnerabilities of the route discovery process by sending fake or incorrect routing information. The attacker advertises itself as having the shortest and freshest route to the destination in order to attract data packets. On receiving data packets, the black hole node simply drops them rather than forwarding them to the intended destination. In a variant of the black hole attack, called the gray hole attack, the attacker initially agrees to route the packets and later exhibits malicious behavior. In the proposed scheme, we use secure route discovery to differentiate between genuine and fake route replies. The number of packets received and forwarded by each node is calculated and compared against a detection threshold to detect black hole and gray hole attackers. The number of packets dropped by a malicious node will be high compared to that of a normal node. Once the attacker is detected, alert packets are sent by the detecting node to alert the network.

Keywords—MANET; AODV; Security; Black hole attack; Gray hole attack

I. INTRODUCTION

A mobile ad hoc network (MANET) consists of a set of wireless nodes that can communicate with each other without the aid of fixed infrastructure or centralized administration, i.e., a MANET is a self-forming, self-organized network of mobile nodes. In a MANET, nodes move freely and randomly, leading to rapid and unpredictable changes in network topology. Node cooperation is central to the proper functioning of a MANET. Direct communication is possible between nodes that are in the wireless transmission range of each other, whereas nodes outside the range depend on intermediate nodes to relay their packets. Hence, each node in a MANET functions both as a host and as a router. MANETs are widely used in applications such as military communication, automated battlefields, emergency rescue teams, search operations by police or fire fighters, and replacement of fixed infrastructure in case of earthquakes, floods, fire etc. [1].

Wireless networks are by their very nature less secure and hence more vulnerable to attacks by malicious nodes. The dynamic nature and lack of infrastructure of a MANET imply that there is no clear line of defense, and nodes are free to join or leave the network at any time. It is easy for an attacker to become part of the network and carry out its malicious activities. The attacks on MANETs can be categorized as passive and active attacks. In passive attacks, the adversary simply listens to ongoing communications in the network. Passive attacks involve eavesdropping or traffic analysis but do not disrupt the normal operation of the network. Active attacks, on the other hand, result in serious security breaches and usually involve packet fabrication, DoS, packet discard and impersonation.

The black hole attack is a type of Denial of Service attack where the attacker deceives the route requester by claiming to have a fresher and shorter route to the destination. The attracted traffic is then dropped without being forwarded to the actual destination.
A variation of the black hole attack in which the attacker drops packets selectively is called the gray hole attack.

In this paper, a method to detect and isolate black hole and gray hole attackers is proposed. The solution works in two phases, the first phase being secure route discovery. Based on the received replies, the genuineness of the replier is further tested to differentiate original replies from fake ones. Once data transmission commences, the number of packets received and forwarded by each node is recorded and compared against a drop threshold. Nodes for which the packets dropped exceed the drop threshold are considered malicious and are isolated from the network by discarding future messages sent from them.

The rest of the paper is organized as follows. Sections II and III present the details of the AODV protocol and the black hole attack. Section IV discusses related works. The proposed solution is presented in Section V. Security analysis is given in Section VI. Finally, conclusion and future works are discussed in Section VII.

II. AD HOC ON DEMAND DISTANCE VECTOR (AODV)

Many routing protocols have been developed for MANETs. Based on the way in which routing tables are managed, the protocols are classified as proactive, reactive and hybrid. Proactive protocols require every node to maintain consistent, up-to-date information about the network topology. Reactive routing protocols adopt a dynamic scheme, where routes are established only when required. Hybrid routing protocols combine the benefits of reactive and proactive schemes.

Ad hoc On Demand Distance Vector (AODV) [2] is one of the most commonly used reactive routing protocols for mobile ad hoc networks. AODV is equipped with both unicast and multicast routing capabilities. In AODV, routes between source and destination are established on demand and are maintained as long as needed by the sources.
Only the nodes that are part of the active paths need to maintain routing information and take part in periodic routing exchanges. AODV uses the concept of sequence numbers to determine the freshness of routes. Sequence numbers are monotonically increasing 32-bit integers which serve as timestamps. A node uses sequence numbers to determine whether the information it has about other nodes is fresh or not. A higher sequence number means a fresher route. The sequence number is incremented every time a packet is sent out by a node. AODV also ensures that the discovered routes are loop free and includes mechanisms to handle route failures.

Whenever a source wants to send data to a destination to which it has no route, it broadcasts a route request (RREQ) message throughout the network. A route request packet includes source address, destination address, source sequence number, destination sequence number, broadcast-id and hop count. Each RREQ is uniquely identified by the (source address, broadcast-id) pair. If a node receives an RREQ that it has already seen, the packet is discarded without being forwarded further. An intermediate node that receives a route request may respond by sending a route reply (RREP) only if the node is the destination or if it has a fresher route to the destination, as determined by the destination sequence number. Otherwise, the node updates its routing table and rebroadcasts the route request to its neighbours. The process is repeated until an RREP from an intermediate node or from the destination reaches the source. It is possible for the source to get multiple RREPs for a single RREQ. In such cases, the source always prefers the reply with the highest destination sequence number and the least hop count.

III. BLACK HOLE ATTACK

The black hole attack is one of the most common types of denial of service attack in MANETs. The route discovery phase allows any intermediate node with a fresh and valid route to the destination to reply to an RREQ message.
This feature is exploited by black hole nodes to become part of the data transmission path and then launch the attack on the network. A black hole node waits for RREQ messages to arrive from other nodes. On receiving a route request message, the attacker immediately responds with an RREP message in which the destination sequence number is set to the maximum possible value and the hop count to the minimum value. On getting such a reply, the source, thinking that the reply is genuine, establishes a route through the attacker and starts sending out data packets. The attacker thus attracts traffic towards itself by propagating fake routing information and subsequently drops the packets.

In a variation of the black hole attack, commonly known as the gray hole attack, the incoming data packets are selectively dropped by the attacker with a certain probability. The attacker may adopt different strategies to launch the attack on the network. For example, the attacker may drop packets arriving from a specific source or sent to a specific destination while correctly forwarding the remaining traffic. Another type of gray hole attacker switches between black hole and normal behavior periodically.

Fig 1. Black hole attack

In fig. 1, source node S initiates route discovery to find a path to destination D. On receiving the RREQ packet, any intermediate node IN may respond with an RREP packet. The RREP packet may also arrive from the destination node. Everything works fine unless the reply from the black hole node B reaches the source before any of the genuine replies. In most cases, the reply from the attacker arrives at the source before any other reply. This is because the attacker never consults its routing table before responding to an RREQ. Any packet that reaches the attacker through the established route is dropped.

IV. RELATED WORKS

Deng et al. [3] proposed a solution for preventing black hole attacks by checking, for each intermediate node that responds to the RREQ packet, whether a route to the destination exists or not. In this approach, two new packets are introduced: FurtherRequest and FurtherReply. Each intermediate node that replies to the route request is required to append the next hop information when it sends the RREP to the source. The source then extracts the next hop information from the reply packet and sends a FurtherRequest to the next hop to confirm that it has a route to the intermediate node from which the reply message was received, and that it has a route to the destination node. To confirm the route information, the next hop node sends a FurtherReply packet back to the sender. If the source does not get back this reply, it concludes that the inquired intermediate node is malicious.

Bo Sun et al. [4] proposed a neighbourhood-based method to recognize the black hole attack, and a routing recovery protocol to build the correct path. Once the normal path discovery procedure in a routing protocol is finished, the source node sends a special control packet to request the destination to send its neighbour set. The neighbour set of a node is defined as all of the nodes that are within the radio transmission range of that node. By comparing the received neighbour sets, the source node can detect whether there is a black hole attack in the network. A routing recovery protocol follows to establish the path to the correct destination. However, this scheme fails when the attackers cooperate to forge the fake reply packets.

Shurman et al. [5] proposed two methods to prevent the black hole attack in MANETs. The first solution is to find more than one route from the source to the destination. Initially, the source unicasts the RREQ packet along the different routes to the destination and waits for RREP packets to come from more than two nodes.
On receiving these packets, the source checks for shared hops in an attempt to find a safe route. The existence of shared hops or nodes indicates a safe path. This solution has the drawback of a time delay due to the need to wait for multiple RREPs to arrive. The second solution is based on unique sequence numbers. In this scheme, two additional tables are used for each node: one to record the sequence numbers of the last packet sent to every node and the other for the sequence numbers of the last packet received from every node. These table values are updated whenever a packet is transmitted or received. The intermediate node or the destination that responds to the RREQ packet of the source includes the sequence number of the last packet received from that source. The source then compares this last sequence number with the value stored in its table. Any mismatch indicates the presence of a malicious node. This method does not incur any additional overhead, as it uses the sequence numbers that are included in every packet in the base protocol itself. However, both solutions fail to detect cooperative black hole attacks.

Satoshi Kurosawa et al. [6] proposed a dynamic learning approach to detect the black hole attack in MANETs. In this scheme, the characteristic change of a node within a given time is observed, and a node is identified as a black hole node if its characteristic change goes over the particular time. The characteristics are observed on the basis of the number of sent RREQs, the number of received RREPs and the mean destination sequence numbers of RREQs and RREPs. When a node transmits an RREQ message, it records the destination IP address and the destination sequence number in its list. When an RREP message is received, the node consults its list to see if the same destination IP address is present. If it is, the difference in destination sequence number is calculated, and this operation is repeated for every received RREP message.
The average of this difference is finally calculated for each time slot as the feature. However, doing these calculations for every RREP packet consumes a considerable amount of time.

Latha Tamilselvan and Dr. V Sankaranarayanan [7] proposed a solution that avoids multiple black holes in the group by modifying the AODV protocol. It uses a fidelity table to assign a fidelity level to every participating node. The fidelity level serves as a measure of the reliability of the node. The fidelity level of a node is updated based on the trusted participation of the node in the network. For each acknowledgement sent by the destination to the source, the fidelity level of the intermediate nodes along the path is incremented. If the acknowledgement is not received, the values of the intermediate nodes are decremented. A node with a fidelity value of 0 is identified as malicious and is removed.

In [8], DPRAODV (Detection, Prevention and Reactive AODV) is proposed to prevent the security threats of black holes. Unlike the normal AODV protocol, an additional check of the RREP sequence number is performed to find whether it is higher than a threshold or not. The threshold value is the average of the difference between the destination sequence number in the routing table and that in the RREP packet, in each time slot. The threshold value is dynamically updated in every time interval. If the sequence number in the RREP packet is found to be higher than the threshold value, the node is suspected to be malicious and is added to the black list. The node that detected the anomaly then sends a new control packet, called ALARM, to its neighbours. The ALARM packet includes the blacklisted node as a parameter and informs the neighbouring nodes that RREP packets from that node are to be discarded.

In solution [9], a new table Cmg_RREP_Tab, a timer MOS_WAIT_TIME and a variable Mali_node are added to the data structures of the default AODV protocol.
In this scheme, the source node, after receiving the first RREP message, waits for MOS_WAIT_TIME. During this time, the source node saves all incoming RREP control messages in the Cmg_RREP_Tab table. MOS_WAIT_TIME is defined to be half the value of RREP_WAIT_TIME, the time for which the source node waits for RREP control messages before regenerating the RREQ. Subsequently, the source node analyses all the stored RREPs from the Cmg_RREP_Tab table and discards the RREP having a presumably very high destination sequence number. The node that sent this RREP is suspected to be the malicious node. Once such a malicious node is identified, the reply having the highest destination sequence number is selected from the Cmg_RREP_Tab table. The identity of the malicious node is maintained as Mali_node, so that in future any control messages coming from that node can be discarded.

In [10], a method to counter black hole and gray hole attacks is presented. An intermediate node dynamically calculates a PEAK value after every time interval, using three parameters for the calculation: RREP sequence number, routing table sequence number and number of replies received during the time interval. The PEAK value is the maximum possible value of sequence number that any RREP can have in the current state. If the destination sequence number in the RREP exceeds the PEAK value, the originator of the RREP is considered malicious.

V. PROPOSED METHOD

The proposed method requires each node to detect and isolate the attackers in its local neighbourhood. The proposed solution works in two phases. In the first phase, the security of the route discovery phase of AODV is improved by detecting black hole nodes. A black hole node will always respond to any route request that reaches it by sending a fake reply. The reply is fake in the sense that the attacker never checks its routing table before replying and always sets the destination sequence number of the reply to the maximum possible value and the hop count field to unity.
However, as sequence numbers are incremented by a node each time a packet is sent out, the sequence numbers may easily build up in a network with a large number of nodes and a large amount of control and data exchanges. In such cases, it is possible for a normal node to generate a reply packet with such a high sequence number and low hop count. Hence, when a suspicious reply is received, additional checks must be performed to decide whether the replier is actually an attacker or not.

Whenever an intermediate node receives an RREP packet and is the first receiver of that RREP, it checks whether the destination sequence number of the RREP is maximum and the hop count is minimum. If so, the received reply packet is buffered and the local detection scheme is initiated. The intermediate node creates a bait request packet (BRQ). The destination address of the bait RREQ is set to the address of one of the known neighbours of the intermediate node. The TTL of the packet is set to 1 to limit its propagation to the local neighbourhood. The packet is then broadcast to all downstream neighbours. The intermediate node collects the replies received for the bait packet. The node then compares the sequence number in the bait reply (BRP) received from the suspected node with that from the known neighbour (the original destination node of the bait RREQ). If the destination sequence number of the reply from the suspected node is larger than the original destination sequence number, the suspected node is malicious. The buffered RREP is then discarded. The suspected node is added to the malicious list and an alert packet is sent across the network.
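The bait check described above can be exercised in a small simulation. The following Python is an added example, not code from the paper; the class names, the neighbourhood (A, D, B, E, S) and all sequence numbers are constructed, and it assumes that an honest node answers a bait request only for itself or for a route it actually holds.

```python
from dataclasses import dataclass

MAX_SEQ = 2**32 - 1   # largest 32-bit AODV sequence number
MIN_HOPS = 1          # hop count a black hole advertises

@dataclass(frozen=True)
class RREP:
    sender: str
    dest: str
    dest_seq: int
    hop_count: int

class Node:
    """Honest neighbour: answers only for itself or for a route it really holds."""
    def __init__(self, name, own_seq, routes=None):
        self.name, self.own_seq = name, own_seq
        self.routes = routes or {}            # dest -> (dest_seq, hop_count)

    def reply(self, dest):
        if dest == self.name:
            return RREP(self.name, dest, self.own_seq, MIN_HOPS)
        if dest in self.routes:
            seq, hops = self.routes[dest]
            return RREP(self.name, dest, seq, hops + 1)
        return None                           # no route, so no reply

class BlackHole(Node):
    """Never consults a routing table: always claims the freshest, shortest route."""
    def reply(self, dest):
        return RREP(self.name, dest, MAX_SEQ, MIN_HOPS)

class IntermediateNode:
    def __init__(self, neighbours):
        self.neighbours = {n.name: n for n in neighbours}
        self.malicious = set()
        self.alerts = []                      # ids carried in ALERT packets

    def handle_rrep(self, rrep, upstream):
        """Decide 'drop' or 'forward' for an RREP first received at this node."""
        if rrep.sender in self.malicious:
            return "drop"
        if not (rrep.dest_seq == MAX_SEQ and rrep.hop_count == MIN_HOPS):
            return "forward"
        # Suspicious reply: buffer it and bait the one-hop neighbourhood (TTL = 1).
        bait_dest = next((n for n in sorted(self.neighbours)
                          if n not in (rrep.sender, upstream)
                          and n not in self.malicious), None)
        brps = {}
        for name, node in self.neighbours.items():
            if name != upstream and name not in self.malicious:
                brp = node.reply(bait_dest)
                if brp is not None:
                    brps[name] = brp
        if bait_dest not in brps:
            return "forward"                  # assumption: no reference BRP, no verdict
        original = brps[bait_dest].dest_seq   # the known neighbour's own number
        # The paper's test, applied to every BRP: a number above the known
        # neighbour's own reply marks the sender as malicious.
        for name, brp in brps.items():
            if name != bait_dest and brp.dest_seq > original:
                self.malicious.add(name)
                self.alerts.append(name)
        return "drop" if rrep.sender in self.malicious else "forward"

def demo():
    # Constructed neighbourhood: A and D honest, B and E black holes, S upstream.
    a = Node("A", own_seq=40)
    d = Node("D", own_seq=MAX_SEQ, routes={"A": (38, 1)})   # honest, high own number
    b, e = BlackHole("B", own_seq=0), BlackHole("E", own_seq=0)
    inode = IntermediateNode([a, d, b, e, Node("S", own_seq=7)])
    decisions = [
        inode.handle_rrep(RREP("A", "D", 12, 3), upstream="S"),  # ordinary reply
        inode.handle_rrep(b.reply("D"), upstream="S"),           # fake reply, baited
        inode.handle_rrep(e.reply("D"), upstream="S"),           # already listed
        inode.handle_rrep(d.reply("D"), upstream="S"),           # honest, baited
    ]
    return decisions, sorted(inode.malicious), inode.alerts
```

The second black hole (E) is caught by the bait triggered by B's reply, and the honest node D, whose own sequence number has reached the maximum, is cleared because its bait reply does not exceed A's own number.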
    Source broadcasts RREQ
    While RREQ_timer not expired
    {
        Receive RREP
        If RREP from malicious node
            Drop RREP
    }
    Rebroadcast RREQ
    For each node,
        If RREP is from malicious node
            Drop RREP
        If current node is first receiver of RREP
            If (RREP_sequence_number = max && RREP_hopcount = 1)
                Buffer RREP
                Create bait_RREQ for a known neighbour
                Receive RREPs for the bait_RREQ
                Compare RREP from known neighbour and that from suspected node
                If (suspect_RREP_dest_seq_no > Original_dest_seq_no)
                    Drop buffered RREP
                    Mark suspected node as malicious
                    ALERT the network
                Else
                    Forward the buffered RREP
            Else
                Forward the received RREP

    Secure route discovery algorithm

Fig 2. Secure Route Discovery

In fig. 2, when IN receives a suspicious reply, it sends the BRQ to all neighbours except the one from which it received the original RREQ. A, B, E, F and C are the one-hop neighbours of the current intermediate node IN. The destination address of the BRQ can be set to any of A, B, C, E, F. At this stage, all other replies (BRP) received for the bait request packet can be checked in a similar way to detect any other attackers in the neighbourhood of the intermediate node.

Unlike black hole nodes, gray hole nodes drop packets with a certain probability, making them even harder to detect. Initially, a gray hole node behaves like any other normal node and agrees to forward the packets not destined for it. Later, the node may drop packets coming from or going to a particular node, or it may drop all incoming packets for a certain time period. Hence, detection of the gray hole attack requires monitoring the activities of nodes within the network.

The second phase of the solution aims at detecting and isolating gray holes and further black hole nodes in the network. After secure route discovery has been performed, a route is established between the source and the destination. Two new fields are added to the neighbour table of each node.
One keeps the count of packets forwarded to the neighbour by this node, and the other counts the packets overheard from the neighbour, i.e., the packets forwarded further by the neighbour. Each time a data packet is forwarded by a node to its neighbour, it increments the forward count, fvcount, for that neighbour in its neighbour table. A normal node is expected to forward the packets that are not destined for itself towards the actual destination. After forwarding the data packet, the node overhears the transmission of the neighbour to check whether the given packet is being correctly forwarded by that neighbour. If so, the node increments the overhear count, ovcount, for the neighbour.

In each interval, a node calculates the dropcount for each of its neighbours. The dropcount for a neighbour is defined as the difference between the packets forwarded to that neighbour and those forwarded by the neighbour. The dropcount will be low for a normal node, whereas it will be high for a malicious node. In each interval, if the dropcount for a node exceeds the threshold, the node is considered malicious. Once the attacker is detected, alert packets are sent by the detecting node to alert the network. On receiving the alert packet, each node adds the id of the attacker to its malicious table. Any routes going through the malicious node are removed from the routing table. Also, all future messages from malicious nodes are discarded without further processing.

    Initialize neighbour table with fields <fvcount, ovcount>
    For each packet forwarded to the neighbour node, increment fvcount for the neighbour
    For each packet overheard from neighbour node, increment ovcount for the neighbour
    In each interval, compute the number of dropped packets.
    Dropcount = fvcount - ovcount
    While (dropcount < threshold)
    {
        Continue transmission
    }
    Mark neighbour as malicious.
    Remove all routes going through neighbour
    ALERT the network
    Reinitiate route discovery

    Packet flow monitoring algorithm

VI. SECURITY ANALYSIS

The first phase of the proposed algorithm secures the route discovery phase of the AODV protocol from black hole nodes. Instead of simply forwarding the received route requests, each intermediate node checks the RREPs for suspicious routing information. If the reply is suspicious, additional checks are performed to confirm whether the reply is genuine or not. By detecting and isolating black hole nodes in the route discovery phase itself, the number of packets dropped can be effectively reduced.

Detection of gray holes is even more difficult, since these nodes behave like normal nodes during route discovery. The second phase of the algorithm requires each node to keep track of the packets sent to its neighbours for further forwarding. Based on the packets received and forwarded by a node, the number of packets dropped by the node is computed. All nodes for which the drop count exceeds a drop threshold are treated as malicious and are isolated from the network. By propagating the information about the attacker in the network, further interaction with the attacker can be avoided and the adverse effect on the network can be minimized. Thus, the algorithm effectively combats black hole and gray hole nodes present in the network. With the proposed solution, the packet delivery ratio (PDR) and throughput of the network will be considerably improved.

VII. CONCLUSION AND FUTURE WORK

A method to counter black hole and gray hole attackers in AODV-based MANETs is proposed. A secure route discovery is performed prior to actual data transmission. The typical behaviour exhibited by black hole nodes is exploited to distinguish between genuine and fake route replies. Additional tests are performed to determine the genuineness of nodes that generate suspicious replies. Multiple black hole attackers can be detected using the proposed scheme. The second phase of the solution works by monitoring the data forwarding activities of a node. Any node with a drop count that exceeds the threshold is considered malicious. The drop count is a measure of the number of packets received by a node and those that are correctly forwarded by the node. Any node that detects the attacker alerts the entire network so that routes through the malicious nodes can be avoided in future. As future work, we intend to implement and simulate the proposed solution using NS-2 and measure performance metrics like packet delivery ratio, average throughput and end-to-end delay.

REFERENCES

[1] N. Qasim, F. Said, and H. Aghvami, “Performance evaluation of mobile ad hoc networking protocols,” in World Congress, 1999, pp. 90–100.
[2] C. E. Perkins and E. M. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of Second IEEE Workshop on Mobile Computing Systems and Applications, 1999, pp. 25–26.
[3] W. Li, H. Deng, and D. P. Agrawal, “Routing security in wireless ad hoc networks,” in IEEE Communication Magazines, vol. 40, 2002, pp. 70–75.
[4] B. Sun, Y. Guan, J. Chen, and U. W. Pooch, “Detecting black-hole attack in mobile ad hoc networks,” in Fifth European Personal Mobile Communications Conference, 2003, pp. 490–495.
[5] M. Al-Shurman, S. Yoo, and S. Park, “Black hole attack in mobile ad hoc networks,” in ACMSE, April, 2004, pp. 96–97.
[6] S. Kurosawa, H. Nakayama, N. Kato, A. Jamalipour, and Y. Nemoto, “Detecting blackhole attack on aodv based mobile ad hoc networks by dynamic learning method,” in International Journal of Network Security, vol. 5, no. 3, 2007, pp. 338–346.
[7] V. Sankaranarayanan and L. Tamilselvan, “Prevention of co-operative black hole attack in manet,” in Journal of Networks, vol. 5, no. 3, 2008, pp. 13–20.
[8] P. N. Raj and P. B. Swadas, “Dpraodv: A dynamic learning system against black hole attack in aodv based manet,” in International Journal of Computer Science Issues, vol. 2, no. 3, 2010, pp. 54–59.
[9] M. Zaveri, N. Mistry, and D. C. Jinwala, “Improving aodv protocol against blackhole attacks,” in International Multi Conference of Engineers and Computer Scientists, IMECS, 2010.
[10] R. H. Jhaveri, S. J. Patel, and D. C. Jinwala, “A novel approach for grayhole and blackhole attacks in mobile ad-hoc networks,” in Proceedings of International Conference on Advanced Computing and Communication, 2012, pp. 556–560.
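Added example, not part of the paper: the packet flow monitoring algorithm of Section V, run over constructed traffic for one normal neighbour and two gray holes (one that turns into a black hole every third interval, one that drops only packets for destination D2). The neighbour names, the threshold of 10, the 50 packets per interval and the per-interval counter reset are assumptions.

```python
class FlowMonitor:
    """Neighbour table extended with the two counters the paper adds."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.table = {}        # neighbour -> {"fvcount": n, "ovcount": n}
        self.malicious = {}    # neighbour -> interval in which it was flagged
        self.alerts = []       # ALERT packets sent to the network

    def forward(self, nbr, overheard):
        """Record one data packet handed to nbr and whether its relay was overheard."""
        row = self.table.setdefault(nbr, {"fvcount": 0, "ovcount": 0})
        row["fvcount"] += 1
        if overheard:
            row["ovcount"] += 1

    def end_interval(self, interval):
        """Compute dropcount per neighbour, flag offenders, restart the counters."""
        drops = {}
        for nbr, row in self.table.items():
            drops[nbr] = row["fvcount"] - row["ovcount"]
            if drops[nbr] > self.threshold and nbr not in self.malicious:
                self.malicious[nbr] = interval
                self.alerts.append(("ALERT", nbr))
            row["fvcount"] = row["ovcount"] = 0   # assumption: counts are per interval
        return drops


# Constructed relay behaviour: f(interval, packet_no, dest) -> True if relayed.
BEHAVIOUR = {
    "N1": lambda i, k, dest: k % 25 != 0,            # normal node, occasional loss
    "G_periodic": lambda i, k, dest: i % 3 != 2,     # black hole every third interval
    "G_selective": lambda i, k, dest: dest != "D2",  # drops traffic for D2 only
}


def run(intervals=4, packets=50, threshold=10):
    mon = FlowMonitor(threshold)
    history = []
    for i in range(intervals):
        for nbr, relays in BEHAVIOUR.items():
            if nbr in mon.malicious:
                continue       # routes through flagged neighbours were removed
            for k in range(packets):
                dest = "D1" if k % 2 == 0 else "D2"
                mon.forward(nbr, relays(i, k, dest))
        history.append(mon.end_interval(i))
    return mon, history
```

The selective gray hole is flagged in the first interval, the periodic one only in the interval in which it actually drops, and the normal neighbour's two lost packets per interval stay below the threshold.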