Countering Black hole and Gray hole Attack in AODV-based MANET

Saumia Gopi Nair
Department of Computer Science & Engineering
Government Engineering College, Thrissur
Kerala, India
saumia89@gmail.com

Manoj Kumar K V
Department of Computer Science & Engineering
Government Engineering College, Thrissur
Kerala, India
kvm.kumar@yahoo.com
Abstract—A mobile ad hoc network (MANET) is an autonomous, self-organized collection of wireless nodes that communicate over the wireless medium. Nodes that are in direct radio range of each other communicate directly, whereas nodes that are not in range rely on intermediate nodes to route their data and control packets. Thus a multi-hop, neighbour-based routing scenario exists in a MANET. Traditional MANET routing protocols, including AODV, do not take security issues into consideration and hence are vulnerable to attacks by nodes with malicious intent. The black hole attack is an active attack that exploits the vulnerabilities of the route discovery process by sending fake or incorrect routing information. The attacker advertises itself as having the shortest and freshest route to the destination in order to attract the data packets. On reception of data packets, the black hole node simply drops them rather than forwarding them to the intended destination. A variant of the black hole attack, called the gray hole attack, is one where the attacker initially agrees to route the packets and later exhibits malicious behaviour. In the proposed scheme, we use secure route discovery to differentiate between genuine and fake route replies. The number of packets received and forwarded by each node is calculated and compared against a detection threshold to detect black hole and gray hole attackers. The number of packets dropped by a malicious node will be high when compared to that of a normal node. Once an attacker is detected, alert packets are sent by the detecting node to alert the network.
Keywords—MANET; AODV; Security; Black hole attack; Gray hole attack
I. INTRODUCTION
A mobile ad hoc network (MANET) consists of a set of wireless nodes that can communicate with each other without the aid of fixed infrastructure or centralized administration, i.e., a MANET is a self-forming, self-organized network of mobile nodes. In a MANET, nodes move freely and randomly, leading to rapid and unpredictable changes in network topology. Node cooperation is central to the proper functioning of a MANET. Direct communication is possible between nodes that are within the wireless transmission range of each other, whereas nodes outside the range depend on intermediate nodes to relay their packets. Hence, each node in a MANET functions both as a host and as a router. MANETs are widely used in applications such as military communication, automated battlefields, emergency management teams in rescue operations, search by police or fire fighters, and replacement of fixed infrastructure in case of earthquakes, floods, fires, etc. [1].
Wireless networks are by their very nature less secure and hence more vulnerable to attacks by malicious nodes. The dynamic nature and lack of infrastructure of a MANET imply that there is no clear line of defense and that nodes are free to join or leave the network at any time. It is easy for an attacker to become part of the network and carry out its malicious activities. Attacks on a MANET can be categorized as passive and active attacks. In passive attacks, the adversary simply listens to on-going communications in the network. Passive attacks involve eavesdropping or traffic analysis but do not disrupt the normal operation of the network. Active attacks, on the other hand, result in serious security breaches and usually involve packet fabrication, DoS, packet discarding and impersonation. The black hole attack is a type of denial of service attack in which the attacker deceives the route requester by claiming to have a fresher and shorter route to the destination. The attracted traffic is then dropped without being forwarded to the actual destination. A variation of the black hole attack in which the attacker drops packets selectively is called the gray hole attack.
In this paper, a method to detect and isolate black hole and gray hole attackers is proposed. The solution works in two phases, the first phase being secure route discovery. Based on the received replies, the genuineness of the replier is further tested to differentiate original replies from fake ones. Once data transmission commences, the number of packets received and forwarded by each node is recorded and compared against a drop threshold. Nodes for which the number of dropped packets exceeds the drop threshold are considered malicious and are isolated from the network by discarding future messages sent from them. The rest of the paper is organized as follows. Sections II and III present the details of the AODV protocol and the black hole attack. Section IV discusses related work. The proposed solution is presented in Section V. Security analysis is given in Section VI. Finally, conclusions and future work are discussed in Section VII.
II. AD HOC ON DEMAND DISTANCE VECTOR (AODV)
Many routing protocols have been developed for MANETs. Based on the way in which routing tables are managed, the protocols are classified as proactive, reactive and hybrid. Proactive protocols require every node to maintain consistent, up-to-date information about the network topology. Reactive routing protocols adopt a dynamic scheme, where routes are established only when required. Hybrid routing protocols combine the benefits of reactive and proactive schemes.
Ad hoc On Demand Distance Vector (AODV) [2] is one of the most commonly used reactive routing protocols for mobile ad hoc networks. AODV is equipped with both unicast and multicast routing capabilities. In AODV, routes between source and destination are established on demand and are maintained as long as needed by the sources. Only the nodes that are part of active paths need to maintain routing information and take part in periodic routing exchanges. AODV uses sequence numbers to determine the freshness of routes. Sequence numbers are monotonically increasing 32-bit integers which serve as timestamps. A node uses sequence numbers to determine whether the information it holds about other nodes is fresh or not; a higher sequence number means a fresher route. A node's sequence number is incremented every time it sends out a packet. AODV also ensures that the discovered routes are loop free and includes mechanisms to handle route failures.
Whenever a source wants to send data to a destination to which it has no route, it broadcasts a route request (RREQ) message throughout the network. A route request packet includes the source address, destination address, source sequence number, destination sequence number, broadcast-id and hop count. Each RREQ is uniquely identified by the (source address, broadcast-id) pair. If a node receives an RREQ that it has already seen, the packet is discarded without being forwarded further. An intermediate node that receives a route request may respond by sending a route reply (RREP) only if the node is the destination or if it has a fresher route to the destination, as determined by the destination sequence number. Otherwise, the node updates its routing table and rebroadcasts the route request to its neighbours. The process is repeated until an RREP from an intermediate node or from the destination reaches the source. It is possible for the source to get multiple RREPs for a single RREQ. In such cases, the source always prefers the reply with the highest destination sequence number and the least hop count.
III. BLACK HOLE ATTACK
The black hole attack is one of the most common types of denial of service attack in MANETs. The route discovery phase allows any intermediate node with a fresh and valid route to the destination to reply to a RREQ message. This feature is exploited by black hole nodes to become part of the data transmission path and then launch the attack on the network. A black hole node waits for RREQ messages to arrive from other nodes. On reception of a route request message, the attacker immediately responds by sending back an RREP message with the destination sequence number set to the maximum possible value and the hop count set to the minimum value. On getting such a reply, the source, thinking that the reply is genuine, establishes a route through the attacker and starts sending out data packets. The attacker thus attracts traffic towards itself by propagating fake routing information and subsequently drops the packets. A variation of the black hole attack, commonly known as the gray hole attack, is one where the incoming data packets are selectively dropped by the attacker with a certain probability. The attacker may adopt different strategies to launch the attack on the network. For example, the attacker may drop packets arriving from a specific source or sent to a specific destination while correctly forwarding the remaining traffic. Another type of gray hole attacker switches between black hole and normal behaviour periodically.
Fig 1. Black hole attack
In Fig. 1, source node S initiates route discovery to find a path to destination D. On receiving the RREQ packet, any intermediate node IN may respond with an RREP packet. An RREP packet may also arrive from the destination node. Everything works fine unless the reply from the black hole node B reaches the source before any of the genuine replies. In most cases, the reply from the attacker arrives at the source before any other reply, because the attacker never consults its routing table before responding to an RREQ. Any packet that reaches the attacker through the established route is dropped.
IV. RELATED WORKS
Deng et al. [3] proposed a solution for preventing black hole attacks by checking, for each intermediate node that responds to the RREQ packet, whether a route to the destination exists or not. In this approach, two new packets are introduced: FurtherRequest and FurtherReply. Each intermediate node that replies to the route request is required to append next hop information when it sends the RREP to the source. The source then extracts the next hop information from the reply packet and sends a FurtherRequest to the next hop to confirm that it has a route to the intermediate node from which the reply message was received, and that it has a route to the destination node. To confirm the route information, the next hop node sends back a FurtherReply packet to the sender. If the source does not get back this reply, it concludes that the inquired intermediate node is malicious.
Bo Sun et al. [4] proposed a neighbourhood-based method to recognize the black hole attack, and a routing recovery protocol to build the correct path. Once the normal path discovery procedure of the routing protocol is finished, the source node sends a special control packet requesting the destination to send its neighbour set. The neighbour set of a node is defined as all of the nodes that are within the radio transmission range of that node. By comparing the received neighbour sets, the source node can detect whether there is a black hole attack in the network. A routing recovery protocol then follows to establish the path to the correct destination. However, this scheme fails when the attackers cooperate to forge the fake reply packets.
Shurman et al. [5] proposed two methods to prevent the black hole attack in MANETs. The first solution is to find more than one route from the source to the destination. Initially, the source unicasts the RREQ packet along the different routes to the destination and waits for RREP packets to come from more than two nodes. On receiving these packets, the source checks for shared hops in an attempt to find a safe route. The existence of shared hops or nodes indicates a safe path. This solution has the drawback of time delay due to the need to wait for multiple RREPs to arrive. The second solution is based on unique sequence numbers. In this scheme, for each node, two additional tables are used: one to record the sequence numbers of the last packet sent to every node and the other for the sequence numbers of the last packet received from every node. These table values are updated whenever any packet is transmitted or received. The intermediate node or the destination that responds to the RREQ packet of the source includes the sequence number of the last packet received from that source. The source then compares this last sequence number with the value stored in its table. Any mismatch indicates the presence of a malicious node. This method does not incur any additional overhead as it uses the sequence numbers that are included in every packet in the base protocol itself. However, both solutions fail to detect cooperative black hole attacks.
Satoshi Kurosawa et al. [6] proposed a dynamic learning approach to detect the black hole attack in MANETs. In this scheme, the change in the characteristics of a node within a given time is observed, and a node is identified as a black hole node if its characteristics change excessively over that time. The characteristics are observed on the basis of the number of sent RREQs, the number of received RREPs and the mean destination sequence numbers of RREQs and RREPs. When a node transmits an RREQ message, it records the destination IP address and the destination sequence number in its list. When an RREP message is received, the node consults its list to see if the same destination IP address exists. If it does, the difference in destination sequence numbers is calculated, and this operation is repeated for every received RREP message. The average of this difference is finally calculated for each time slot as the feature. However, it consumes a considerable amount of time to do the calculations for every RREP packet.
Latha Tamilselvan and Dr. V. Sankaranarayanan [7] proposed a solution that avoids multiple black holes in a group by modifying the AODV protocol. It uses a fidelity table to assign a fidelity level to every participating node. The fidelity level serves as a measure of the reliability of the node. The fidelity level of a node is updated based on the trusted participation of the node in the network. For each acknowledgement sent by the destination to the source, the fidelity level of the intermediate nodes along the path is incremented. If an acknowledgement is not received, the values of the intermediate nodes are decremented. A node with a fidelity value of 0 is identified as malicious and is removed.
In [8], DPRAODV (Detection, Prevention and Reactive AODV) is proposed to prevent black hole security threats. Unlike the normal AODV protocol, an additional check of the RREP sequence number is performed to find whether it is higher than a threshold or not. The threshold value is the average of the difference between the destination sequence number in the routing table and that in the RREP packet, in each time slot. The threshold value is dynamically updated in every time interval. If the sequence number in the RREP packet is found to be higher than the threshold value, the node is suspected to be malicious and is added to the black list. The node that detected the anomaly then sends a new control packet, called ALARM, to its neighbours. The ALARM packet includes the black-listed node as a parameter and informs the neighbouring nodes that RREP packets from that node are to be discarded.
In solution [9], a new table Cmg_RREP_Tab, a timer MOS_WAIT_TIME and a variable Mali_node are added to the data structures of the default AODV protocol. In this scheme, the source node, after receiving the first RREP message, waits for MOS_WAIT_TIME. During this time, the source node saves all incoming RREP control messages in the Cmg_RREP_Tab table. MOS_WAIT_TIME is defined to be half the value of RREP_WAIT_TIME, the time for which the source node waits for RREP control messages before regenerating the RREQ. Subsequently, the source node analyses all the stored RREPs from the Cmg_RREP_Tab table and discards the RREP having a presumably very high destination sequence number. The node that sent this RREP is suspected to be the malicious node. Once such a malicious node is identified, the reply having the highest destination sequence number is selected from the Cmg_RREP_Tab table. The identity of the malicious node is maintained as Mali_node so that in future any control messages coming from that node can be discarded.
In [10], a method to counter black hole and gray hole attacks is presented. An intermediate node dynamically calculates a PEAK value after every time interval using three parameters: the RREP sequence number, the routing table sequence number and the number of replies received during the time interval. The PEAK value is the maximum possible value of the sequence number that any RREP can have in the current state. If the destination sequence number in the RREP exceeds the PEAK value, the originator of the RREP is considered malicious.
V. PROPOSED METHOD
The proposed method requires each node to detect and isolate attackers in its local neighbourhood. The proposed solution works in two phases. In the first phase, the security of the route discovery phase of AODV is improved by detecting black hole nodes. A black hole node always responds to any route request that reaches it by sending a fake reply. The reply is fake in the sense that the attacker never checks its routing table before replying and always sets the destination sequence number of the reply to the maximum possible value and the hop count field to one. However, as sequence numbers are incremented by a node each time a packet is sent out, sequence numbers may easily build up in a network with a large number of nodes and a large amount of control and data exchange. In such cases, it is possible for a normal node to generate a reply packet with such a high sequence number and low hop count. Hence, when a suspicious reply is received, additional checks must be performed to decide whether the replier is actually an attacker or not.
Whenever an intermediate node receives an RREP packet, and the intermediate node is the first receiver of the RREP, it checks whether the destination sequence number of the RREP is the maximum and the hop count is the minimum. If so, the received reply packet is buffered and the local detection scheme is initiated. The intermediate node creates a bait request packet (BRQ). The destination address of the bait RREQ is set to the address of one of the known neighbours of the intermediate node. The TTL of the packet is set to 1 to limit its propagation to the local neighbourhood. The packet is then broadcast to all downstream neighbours. The intermediate node collects the replies received for the bait packet. The node then compares the sequence number in the bait reply (BRP) received from the suspected node with that from the known neighbour (the original destination node of the bait RREQ). If the destination sequence number of the reply from the suspected node is larger than the original destination sequence number, the suspected node is malicious. The buffered RREP is then discarded. The suspected node is added to the malicious list and an alert packet is sent across the network.
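The first-phase check described above, as an added Python example that is not the paper's code: an intermediate node applies the suspicion test (maximum destination sequence number, hop count one), issues a bait RREQ for a known neighbour and flags any replier that claims a larger destination sequence number than that neighbour's own reply; the source's reply preference from Section II is applied to the surviving replies. The node names, sequence numbers, routing-table entries and the MAX_SEQ value are constructed assumptions.

```python
from dataclasses import dataclass, field

# AODV sequence numbers are 32-bit; the attacker modelled here fills the reply's
# destination sequence number with this maximum (constructed value, per the paper).
MAX_SEQ = 2**32 - 1

@dataclass
class RREP:
    replier: str    # node that generated the reply
    dest: str       # destination the reply claims a route to
    dest_seq: int   # destination sequence number carried in the reply
    hop_count: int

@dataclass
class Node:
    name: str
    seq: int                                    # the node's own sequence number
    routes: dict = field(default_factory=dict)  # dest -> (dest_seq, hops) in its table
    black_hole: bool = False                    # constructed attacker behaviour

    def reply_to_rreq(self, dest):
        """Return an RREP for dest, or None if this node cannot answer."""
        if self.black_hole:  # never consults its table: max seq, hop count one
            return RREP(self.name, dest, MAX_SEQ, 1)
        if dest == self.name:  # the destination answers with its own sequence number
            return RREP(self.name, dest, self.seq, 0)
        if dest in self.routes:  # intermediate node holding a route in its table
            seq, hops = self.routes[dest]
            return RREP(self.name, dest, seq, hops)
        return None

class IntermediateNode:
    """First receiver of an RREP: applies the suspicion test, then the bait check."""

    def __init__(self, name, neighbours):
        self.name = name
        self.neighbours = neighbours  # name -> Node, the one-hop neighbour set
        self.malicious = set()
        self.alerts = []              # ALERT packets this node would send

    @staticmethod
    def suspicious(rrep):
        return rrep.dest_seq == MAX_SEQ and rrep.hop_count == 1

    def bait_check(self, rrep):
        """Bait RREQ (TTL=1) whose destination is a known neighbour other than the
        suspect. Any replier claiming a larger destination sequence number than that
        neighbour's own reply is lying; every bait reply is checked, not only the suspect's."""
        known = next(n for n in self.neighbours if n != rrep.replier)
        replies = {}
        for node in self.neighbours.values():  # TTL=1 broadcast to all neighbours
            r = node.reply_to_rreq(known)
            if r is not None:
                replies[r.replier] = r
        original = replies[known]  # the known neighbour answers for itself
        liars = {n for n, r in replies.items()
                 if n != known and r.dest_seq > original.dest_seq}
        for n in sorted(liars):
            self.malicious.add(n)
            self.alerts.append(("ALERT", n))
        return rrep.replier in liars

    def handle_rrep(self, rrep):
        """Return 'dropped' or 'forwarded' for an RREP this node receives first."""
        if rrep.replier in self.malicious:
            return "dropped"
        if self.suspicious(rrep) and self.bait_check(rrep):
            return "dropped"  # the buffered RREP is discarded
        return "forwarded"

def select_route(rreps):
    """AODV preference at the source: highest destination sequence number, then fewest hops."""
    return max(rreps, key=lambda r: (r.dest_seq, -r.hop_count))

def demo():
    # Constructed neighbourhood of IN: honest A, honest-but-busy H and black hole B.
    a = Node("A", seq=40, routes={"D": (37, 2)})
    h = Node("H", seq=MAX_SEQ, routes={"D": (MAX_SEQ, 1)})  # legitimately high seq
    b = Node("B", seq=1, black_hole=True)
    inode = IntermediateNode("IN", {"A": a, "H": h, "B": b})
    results = {n.name: inode.handle_rrep(n.reply_to_rreq("D")) for n in (a, h, b)}
    survivors = [n.reply_to_rreq("D") for n in (a, h, b) if results[n.name] == "forwarded"]
    return results, sorted(inode.malicious), select_route(survivors).replier
```

H shows the caveat from the text: its reply looks suspicious, but since it holds no route to the bait destination it sends no bait reply and is forwarded, while B is caught during that same bait round.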
Source broadcasts RREQ
While RREQ_timer not expired
{
    Receive RREP
    If RREP from malicious node
        Drop RREP
}
Rebroadcast RREQ
For each node,
    If RREP is from malicious node
        Drop RREP
    If current node is first receiver of RREP
        If (RREP_sequence_number = max && RREP_hopcount = 1)
            Buffer RREP
            Create bait_RREQ for a known neighbour
            Receive RREPs for the bait_RREQ
            Compare RREP from known neighbour and that from suspected node
            If (suspect_RREP_dest_seq_no > Original_dest_seq_no)
                Drop buffered RREP
                Mark suspected node as malicious
                ALERT the network
            Else
                Forward the buffered RREP
    Else
        Forward the received RREP
Secure route discovery algorithm
Fig 2. Secure Route Discovery
In Fig. 2, when IN receives a suspicious reply, it sends a BRQ to all neighbours except the one from which it received the original RREQ. A, B, E, F and C are the one-hop neighbours of the current intermediate node IN. The destination address of the BRQ can be set to any of A, B, C, E or F. At this stage, all other replies (BRP) received for the bait request packet can be checked in the same way to detect any other attackers in the neighbourhood of the intermediate node.
Unlike black hole nodes, gray hole nodes drop packets with a certain probability, making them even harder to detect. Initially, a gray hole node behaves like any other normal node and agrees to forward packets not destined for it. Later, the node may drop packets coming from or going to a particular node, or it may drop all incoming packets for a certain time period. Hence, detection of the gray hole attack requires monitoring the activities of nodes within the network. The second phase of the solution aims at detecting and isolating gray holes, and any further black hole nodes, in the network.
After secure route discovery, a route is established between the source and destination. Two new fields are added to the neighbour table of each node: one to keep count of the number of packets forwarded to the neighbour by this node, and another to count the number of packets overheard from the neighbour, i.e., the count of packets further forwarded by the neighbour. Each time a data packet is forwarded by a node to its neighbour, it increments the forward count, fvcount, for that neighbour in its neighbour table. A normal node is expected to forward packets that are not destined for itself towards the actual destination. After forwarding the data packet, the node overhears the transmission of the neighbour to check whether the given packet is correctly forwarded by that neighbour. If so, the node increments the overhear count, ovcount, for the neighbour. In each interval, a node calculates the dropcount for each of its neighbours. The dropcount for a neighbour is defined as the difference between the number of packets forwarded to that neighbour and the number forwarded on by the neighbour. The dropcount will be low for a normal node whereas it will be high for a malicious node. In each interval, if the dropcount for a node exceeds the threshold, the node is considered malicious. Once the attacker is detected, alert packets are sent by the detecting node to alert the network. On receiving the alert packet, each node adds the id of the attacker to its malicious table. Any route going through the malicious node is removed from the routing table. Also, all future messages from malicious nodes are discarded without further processing.
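The per-interval drop-count check, as an added Python example that is not the paper's code: fvcount and ovcount are kept per neighbour, dropcount = fvcount - ovcount is compared with the threshold at the end of each interval, and a flagged neighbour is added to the malicious table, its routes are removed and an ALERT is recorded. The threshold value, the traffic volume and the relay behaviour of the three constructed neighbours (honest, black hole, gray hole) are assumptions.

```python
from dataclasses import dataclass

@dataclass
class NeighbourEntry:
    fvcount: int = 0  # data packets this node forwarded to the neighbour
    ovcount: int = 0  # of those, packets overheard being forwarded on by the neighbour

class FlowMonitor:
    """Per-node neighbour table carrying the two added counters."""

    def __init__(self, name, threshold):
        self.name = name
        self.threshold = threshold  # drop threshold per interval (assumed value)
        self.table = {}             # neighbour id -> NeighbourEntry
        self.routes = {}            # destination -> next hop
        self.malicious = set()
        self.alerts = []            # ALERT packets this node would broadcast

    def forward(self, neighbour, dest, relayed):
        """Record one data packet handed to neighbour for dest; relayed says whether
        this node then overheard the neighbour transmitting the packet onward."""
        if dest == neighbour:  # the neighbour is the final destination: nothing to relay
            return
        entry = self.table.setdefault(neighbour, NeighbourEntry())
        entry.fvcount += 1
        if relayed:
            entry.ovcount += 1

    def end_interval(self):
        """Dropcount = fvcount - ovcount per neighbour; isolate those whose dropcount
        exceeds the threshold and reset the counters. Returns the neighbours flagged."""
        flagged = []
        for nb, entry in self.table.items():
            dropcount = entry.fvcount - entry.ovcount
            if dropcount > self.threshold and nb not in self.malicious:
                self.malicious.add(nb)
                self.routes = {d: h for d, h in self.routes.items() if h != nb}
                self.alerts.append(("ALERT", nb))
                flagged.append(nb)  # caller re-initiates route discovery for lost routes
            entry.fvcount = entry.ovcount = 0
        return flagged

    def accepts(self, sender):
        """Messages from nodes in the malicious table are discarded unprocessed."""
        return sender not in self.malicious

def simulate():
    """Constructed traffic: 10 packets per interval to each next hop, all for a
    destination beyond the neighbour. Relay fractions model the three behaviours."""
    mon = FlowMonitor("S", threshold=3)
    mon.routes = {"D": "N2", "E": "N3", "F": "N1"}
    relay_fraction = {
        "N1": [1.0, 1.0, 1.0],  # honest: forwards everything
        "N2": [0.0, 0.0, 0.0],  # black hole: drops everything from the start
        "N3": [1.0, 1.0, 0.2],  # gray hole: cooperates at first, then starts dropping
    }
    log = []
    for interval in range(3):
        for nb, fractions in relay_fraction.items():
            if not mon.accepts(nb):  # already isolated: no traffic is sent to it
                continue
            relayed = round(10 * fractions[interval])
            for i in range(10):
                mon.forward(nb, dest="X", relayed=i < relayed)
        log.append((interval, mon.end_interval()))
    return log, sorted(mon.malicious), mon.routes
```

The gray hole N3 passes the first two intervals with a dropcount of zero and is only isolated in the interval where it starts dropping, which is why the check has to be repeated every interval rather than run once after route discovery.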
Initialize neighbour table with fields <fvcount, ovcount>
For each packet forwarded to the neighbour node,
    increment fvcount for the neighbour
For each packet overheard from the neighbour node,
    increment ovcount for the neighbour
In each interval, compute the number of dropped packets:
    Dropcount = fvcount - ovcount
While (dropcount < threshold)
{
    Continue transmission
}
Mark neighbour as malicious
Remove all routes going through the neighbour
ALERT the network
Reinitiate route discovery
Packet flow monitoring algorithm
VI. SECURITY ANALYSIS
The first phase of the proposed algorithm secures the route discovery phase of the AODV protocol against black hole nodes. Instead of simply forwarding received route replies, each intermediate node checks the RREPs for suspicious routing information. If the reply is suspicious, additional checks are performed to confirm whether the reply is genuine or not. By detecting and isolating black hole nodes in the route discovery phase itself, the number of packets dropped can be effectively reduced.
Detection of gray holes is even more difficult since these nodes behave like normal nodes during route discovery. The second phase of the algorithm requires each node to keep track of the packets sent to its neighbours for further forwarding. Based on the packets received and forwarded by a node, the number of packets dropped by the node is computed. All nodes for which the drop count exceeds a drop threshold are treated as malicious and are isolated from the network. By propagating information about the attacker through the network, further interaction with the attacker can be avoided and the adverse effect on the network can be minimized. Thus, the algorithm effectively combats black hole and gray hole nodes present in the network. With the proposed solution, the packet delivery ratio (PDR) and throughput of the network will be considerably improved.
VII. CONCLUSION AND FUTURE WORK
A method to counter black hole and gray hole attackers in AODV-based MANETs is proposed. Secure route discovery is performed prior to actual data transmission. The typical behaviour exhibited by black hole nodes is exploited to distinguish between genuine and fake route replies. Additional tests are performed to determine the genuineness of nodes that generate suspicious replies. Multiple black hole attackers can be detected using the proposed scheme. The second phase of the solution works by monitoring the data forwarding activities of a node. Any node whose drop count exceeds the threshold is considered malicious. The drop count is a measure of the number of packets received by a node against those correctly forwarded by the node. Any node that detects the attacker alerts the entire network so that routes through the malicious nodes can be avoided in future.
As future work, we intend to implement and simulate the proposed solution using NS-2 and measure performance metrics like packet delivery ratio, average throughput and end-to-end delay.
REFERENCES
[1] N. Qasim, F. Said, and H. Aghvami, “Performance evaluation of mobile ad hoc networking protocols,” in World Congress, 1999, pp. 90–100.
[2] C. E. Perkins and E. M. Royer, “Ad-hoc on-demand distance vector routing,” in Proceedings of the Second IEEE Workshop on Mobile Computing Systems and Applications, 1999, pp. 25–26.
[3] W. Li, H. Deng, and D. P. Agrawal, “Routing security in wireless ad hoc networks,” IEEE Communications Magazine, vol. 40, 2002, pp. 70–75.
[4] B. Sun, Y. Guan, J. Chen, and U. W. Pooch, “Detecting black-hole attack in mobile ad hoc networks,” in Fifth European Personal Mobile Communications Conference, 2003, pp. 490–495.
[5] M. Al-Shurman, S. Yoo, and S. Park, “Black hole attack in mobile ad hoc networks,” in ACMSE, April 2004, pp. 96–97.
[6] S. Kurosawa, H. Nakayama, N. Kato, A. Jamalipour, and Y. Nemoto, “Detecting blackhole attack on AODV based mobile ad hoc networks by dynamic learning method,” International Journal of Network Security, vol. 5, no. 3, 2007, pp. 338–346.
[7] V. Sankaranarayanan and L. Tamilselvan, “Prevention of co-operative black hole attack in MANET,” Journal of Networks, vol. 5, no. 3, 2008, pp. 13–20.
[8] P. N. Raj and P. B. Swadas, “DPRAODV: A dynamic learning system against black hole attack in AODV based MANET,” International Journal of Computer Science Issues, vol. 2, no. 3, 2010, pp. 54–59.
[9] M. Zaveri, N. Mistry, and D. C. Jinwala, “Improving AODV protocol against blackhole attacks,” in International Multi Conference of Engineers and Computer Scientists, IMECS, 2010.
[10] R. H. Jhaveri, S. J. Patel, and D. C. Jinwala, “A novel approach for grayhole and blackhole attacks in mobile ad-hoc networks,” in Proceedings of the International Conference on Advanced Computing and Communication, 2012, pp. 556–560.