
Routing Protocols Security in Ad Hoc Networks

Ebrahim Mohammed
Louis Dargin
Oakland University School of Computer Science and Engineering
CSE 681 Information Security
ledargin@oakland.edu
eamohamm@oakland.edu



Abstract

Mobile Ad hoc networks, also known as MANETs, are a new and useful innovation in
the field of mobile wireless communication. Due to the various applications that have
been and can be developed under this technology including ocean and wildlife
monitoring, manufacturing machinery performance monitoring, building safety and
earthquake monitoring, and many military applications, MANETs have been attracting
many researchers. Unlike other types of networks, MANETs are usually deployed
without a centralized control unit; the devices participating in a MANET rely on other
units to route information to their destinations. This, along with the fact that MANET
nodes are often constrained in power, makes MANETs vulnerable to various malicious
attacks, and applying the routing techniques that work with wired networks is infeasible
here. In this research project we will analyze the routing protocols and security attacks in
such networks. We will survey MANET routing protocols and security schema. Finally,
we will propose new features to secure the Ad hoc On Demand Distance Vector routing
protocol (AODV) against Denial of Service (DoS) attacks, and to detect malicious nodes,
including black and gray hole attacks.

Keywords: ad hoc network, black hole, routing protocols, security, AODV


Introduction:

A mobile ad-hoc network (MANET) consists of wireless devices, commonly called
"nodes," that communicate with each other without a central access point. Essentially,
each MANET node is a router. They are typically used to quickly set up a network where
a wired infrastructure does not exist. Also, through the use of other nodes that lie along
the path, MANETs allow nodes to communicate with out-of-range destinations. We will
refer to those in-between nodes as "Intermediate Nodes." A common routing protocol
(the set of rules defining how routing nodes determine the path that packets follow to
reach their destination) is used to route communications through intermediate nodes. In
this research paper, we will discuss the types of MANET routing protocols available, and
the types of attacks that are possible against them. MANET security should be defined in
every layer of the network; in this paper we will focus on the network layer.

The nodes in ad hoc networks function as routers that discover and maintain routes to
other nodes in the network. The primary goal of a MANET routing protocol is to
establish a correct and efficient route between a pair of nodes so that messages may be
delivered in a timely manner. If routing can be misdirected, the entire network can be
paralyzed. Thus, routing security plays an important role in the security of the whole
network. The nature of MANET networks presents a unique set of problems. The
vulnerabilities include:
- Broadcast wireless channels allow malicious nodes to gain access to the network
  and then to eavesdrop and inject messages easily.
- Nodes are also routers, so MANETs have a dynamically changing network topology.
- Computing resources in MANET nodes are quite limited. Attacks can be designed to
  disable nodes by driving them to exceed their bandwidth, processing power, RAM
  storage, or battery life limitations. Examples of this are routing table overflow and
  energy consumption.
- Unattended wireless nodes can be easily stolen. An attacker can use a stolen node to
  develop a malicious decoy, and plant it near the original nodes. This can lead to
  impersonation and information disclosure.
- Wireless MANET nodes are inherently vulnerable to insider attacks.


The rest of the paper is organized as follows. In section 2, we introduce types of routing
protocols for MANETs. Next, in section 3, we present security challenges and types of
attacks. Then, in section 4, we introduce the current mechanisms to prevent such attacks.
After that, in section 5, we describe the way the AODV (Ad hoc On Demand Distance
Vector) protocol works, and we propose a solution to detect malicious nodes like black and
gray hole nodes, to protect against external attacks like DoS, and to detect malicious
member nodes. Finally, in section 6, we discuss the future work for this research.

2-Types of routing protocols in MANETs

Routing is the most important aspect in ad hoc network since ad hoc network topology
frequently changes and multi-hop communication is required. Several routing protocols
have been developed, and most of them are designed without security in mind.
Generally they can be classified into three types: Proactive (Table Driven), Reactive (on
demand routing), and Hybrid.

Proactive protocols: Every node in the topology maintains the routing information in a
table format; they are also called table driven protocols. The routing table holds a
complete set of destination addresses and the list of intermediate nodes needed to reach
each destination. The routing tables are updated whenever the network topology changes
(i.e. existing nodes are moved or dropped, or new nodes are introduced). Such changes
are announced to every other node. This ensures that each sender knows the route in
advance of packet transmissions. Unfortunately, this is one of the disadvantages of this
category of protocols: if a malicious node has the routing information before packet data
transmission takes place, it will be able to change routes, drop packets, etc. Another
problem is that rapid changes in network topology might overwhelm the network with
control messages (messages for updating the routing table at every node) and the excess
messaging overhead will compromise the throughput of actual data transmissions.
Examples of proactive protocols are DV (Distance Vector) protocol, DSDV (Destination
Sequenced Distance Vector) protocol, WRP (Wireless Routing Protocol), and FSR
(Fisheye State Routing) protocol [5]. They are called table-driven protocols since the
routing table will be updated for each change in link states in a network and routes are
discovered using information stored in routing tables.

Reactive protocols: They differ from the proactive protocols in that the node will only
discover a route when it is desired by the source node. When a node wants to send
information to another node in a network, a source node will initiate a route-discovery
process. Once a route is discovered, it is maintained in the temporary cache at a source
node unless it is expired or unless some event happens (e.g., a link failure) that requires
another route discovery to start over again. One advantage of Reactive protocols is that
they require less storage for routing information compared to proactive protocols,
because there is no need to obtain and maintain the routing information for every node in
a network. Another advantage is that intermediate nodes do not have to make routing
decisions. An obvious disadvantage in reactive protocols is the delay due to route
discovery; this is called the "route acquisition delay." Furthermore, since route
discoveries require global broadcasts, if routing information changes frequently, which is
common in MANETs, and if route discoveries are needed for those changed routes, they
may generate a large volume of messaging overhead. Currently popular reactive
protocols include DSR (Dynamic Source Routing), AODV (Ad hoc On Demand Distance
Vector), and ABR (Associativity Based Routing) [1].

Hybrid (combination of proactive and reactive) Protocols: Because of the
disadvantages of the previous protocols such as initial delay due to route discovery and
high control overhead in reactive protocols, a pure reactive protocol may not be the best
solution for routing in MANETs. On the other hand, a pure proactive protocol used for a
large network may not be possible to deploy because of the need to keep a large routing
table at all times. A protocol that uses the best features of both reactive and proactive
protocols may be a better solution. Examples of such an approach are the ZRP (Zone
Routing Protocol) and the Centralized Ad hoc Network Architecture (CANA).

3- Types of Attacks on MANETs:
We mentioned earlier that the nature of MANETs makes them vulnerable to attacks that
are not feasible in wired networks. Attacks on MANETs can be classified into passive
attacks and active attacks. Passive attacks do not disrupt the operation of the protocol,
but try to discover information by listening to traffic or sniffing on packet transmission.
On the other hand, active attacks try to disrupt the protocol operation, inject arbitrary
packets, and gain authentication. In this research we will introduce a classification of the
active attacks on MANETs [8].

Classification of the Active attacks

Attacks based on modification: One very simple way for a node to disturb the protocol
operation is to announce that it has a better route than the existing one. This can be
achieved by modifying metric values for a route or by altering control message fields.
There are 3 ways in which this can be done:

Redirection by Changing the Route Sequence Number: Network nodes rely on metrics like
hop count; smaller values help indicate the best path to take through the network. Hence,
a simple way to attack a network is to report a smaller number than the last best value.
Redirection by Altering Hop Count: This attack is more specific to the AODV protocol
wherein the optimum path is chosen by the hop count metric. A malicious node can
disturb the network by announcing the smallest hop count value to reach the
compromised node. In general, an attacker would use a value of zero to ensure the
smallest hop count.
Denial of Service by Altering Routing Information: Consider a scenario wherein node A
wants to communicate with node E. At node A, the routing path in the header is A-B-C-
D-E. If B is a compromised node, it can alter the routing path to A-B-C-E. Since there
exists no direct route from C to E, C will drop the packet. Thus, A will never be able to
access any service / information from E.

Impersonation Attacks
In this attack, the malicious node hides its IP address and uses another IP address in the
network; this is known as spoofing.

Fabrication Attacks: There are three types that can be classified here.
Falsification of Route Error Messages: The weakness of this architecture is that whenever
a node moves, the closest node sends an error message to the other nodes so as to
inform them that a route is no longer accessible. An attacker can cause a DoS attack by
spoofing any node and sending error messages to all the other nodes; in this way it can
isolate any node quite easily. This is most common in the AODV and DSR protocols.

Routing table overflow attack: Consider ad-hoc networks that use a proactive protocol
i.e. an algorithm which tries to find routing information even before it is needed; this
creates vulnerabilities since the attacker can attempt to create routes to non-existent
nodes. If enough routes are created, new routes can no longer be added due to an
overwhelming pressure on the protocol.

Route poisoning: This passive attack occurs when nodes are in the updating mode of their
routing tables. Information stored in the routing tables gets deleted, changed, and injected
with false information.

4- Techniques to secure MANETs:

The two most common approaches today are:
Prevention: This is a scenario where the solution is to stop nodes from initiating attacks.
Prevention mechanisms usually require encryption techniques to provide authentication,
integrity, etc. Some proposals use symmetric algorithms, some use asymmetric
algorithms, and others use one-way hashing.
Prevention using Asymmetric cryptography: SAODV and ARAN (Authenticated Routing
for Ad hoc) are two protocols proposed in this category. SAODV secures the AODV
protocol by digitally signing the fields of the routing message, for authentication. ARAN
makes use of the cryptographic certificate to offer the routing certificate [3].
Prevention using Symmetric cryptography: SAR (Security aware ad hoc routing) and
SRP (Secure routing protocol) are the two protocols in this category that can be applied
to most of the commonly used protocols today. SAR attempts to use the traditional shared
symmetric key encryption, and involves some sort of key distribution system to distribute
the trust level keys to the correct devices. SRP is based on security association via secret
key schema to provide routing information.
Prevention using one-way hash chain: SEAD and Ariadne are two protocols that use this
mechanism. SEAD implements one-way hash chains to protect against modification of
routing information like sequence number and source route. Ariadne relies on efficient
symmetric cryptography [10].

Detection and Reaction: These are solutions that attempt to identify the malicious
activities in the network and take actions against such nodes. Examples include
Byzantine, Confidant, DSR, CORE, and using Watchdog and Pathrater. Watchdog and
Pathrater can be deployed to most existing protocols. Watchdog is used to identify the
misbehaving nodes while the Pathrater avoids routing packets through these nodes [9].

5- Ad hoc On Demand Distance Vector Routing:

Ad-hoc On Demand Distance Vector
(AODV) protocol is a reactive routing protocol; however it has a feature of proactive
protocol in a sense that a source node stores the valid routes for the next hop node in
routing table. AODV uses a distributed approach [1]; meaning that source nodes do not
know the routing sequence of the intermediate nodes it has to go through to reach the
destination. AODV uses the route discovery and route reply process to create and
maintain a route on demand. In the route discovery phase for a source node to send
information to a destination node, it first looks up its own routing table to see if a valid
route exists. If a valid route does not exist, a source node broadcasts a global route
request message (RREQ) that contains the source address, source sequence number,
destination address, destination sequence number, broadcast ID, and hop count [5]. The
combination of the source address and the broadcast-ID is used to uniquely identify each
RREQ message. A node that receives the RREQ message which is usually the nearest
node to the source node replies immediately with a routing reply (RREP) if it has a fresh
route. Otherwise, it forwards the RREQ message to establish the route to the destination.
The sender selects the first node to respond with a RREP (Routing Reply) as the
intermediate node to send messages through. During the route discovery phase a forward
pointer link is set up between the source node, the destination node, and all the
intermediate nodes as the RREQ messages propagate in the routing discovery, Figure [1].
Similarly, backward pointer links are set up between all nodes as the RREP messages
propagate back to the source node, Figure [2]. This results in a pair of forward and
backward pointers set up between all the intermediate nodes participating in the routing
process, Figure [3].

Figure [1] RREQ propagation. Figure [2] RREP propagation.

Figure [3] Pair of forward and backward pointers in each node.

Figure [1] Traffic from sender Node0 to receiver Node3.

Figure [2] Forward bytes when Node2 is not present. Figure [3] Forward bytes when
Node2 is present.

We used a network simulation tool (NS-2) to simulate traffic in the AODV protocol; the
figures above show the corresponding process of route discovery through the closest path
in the network. In the arrangement of the simulation, node 2 is close to the source node 0,
so if node 2 is present in the network, the traffic sequence will go through 0-2-4-3. If it is
not present, traffic will flow through the route sequence 0-1-4-3.

AODV maintains the routing process with three messages. A route-error message is
generated by an intermediate node when any link in a route fails; it is sent to the source
nodes on the link and propagates to every source node that uses the failed link. Those
source nodes will then initiate the route discovery process. Periodic hello messages
between immediate neighbor nodes are required to prevent the forward and backward
pointers from expiring and to make sure the nodes are still available and participating in
the routing process. Finally, a route time-out message deletes the links between
intermediate nodes if there is no activity on a route for a certain amount of time.



Security Problems in AODV and possible solutions

AODV is vulnerable to well-known malicious node attacks called black hole and gray hole
attacks. These nodes are planted by a hacker. They tend to be the first node to respond to
a RREQ message broadcast by the source node because they do not check their own
routing table to see if there is a route to the destination. These nodes can ignore packets
that are routed to them, and as a result they can perform a denial of service attack. A gray
hole is a node that can switch from behaving correctly to behaving like a black hole.
This is done to avoid detection. Some researchers [4] discussed and proposed a solution
to the black hole attack by disabling the ability for intermediate nodes to reply to an RREP
and only allowing the destination to reply. Venkatraman [7] presents two models to secure
AODV: EAPM (External Attack Prevention Model) and IADM (Internal Attack
Detection Model). Previously proposed protocols to secure AODV, including SAODV
(Secure Ad Hoc Distance Vector), are still vulnerable to some external and internal
attacks. SAODV uses an asymmetric cryptography mechanism to authenticate the fields of
the routing message by using a digital signature, which is quite a strong technique.
However, when considering external attacks, SAODV is still vulnerable to malicious node
attacks like black hole and denial of service attacks. In our solution to this problem we
introduce a schema that can be implemented in the AODV protocol to ensure detection of
external malicious nodes like black holes and also to ensure authentication between member
nodes in the network, to protect against possible denial of service attacks. In our research
we are not sure how multiple black hole nodes will be detected, but previous research
has proposed a solution to this problem [6].
Solution

To detect black and gray hole nodes, we propose having the sender occasionally check,
through all available routes, whether the destination received all of its messages intact.
This must be done after some data has been sent. In order to circumvent any black hole
nodes that might be interfering with message traffic, the sender broadcasts a "check"
request message (figure 2), and the destination's response would follow the same route as
the request (figure 3). To deal with the possibility of a node altering or faking the client
response, the sender compares each response with the data that it sent to the destination.
If the responses differ from what the sender sent, it may indicate a bad link or a malicious
node. If any two client responses differ, that is almost a sure sign of a malicious node. In
any case, the sender can choose another intermediate node for sending its data, as shown
in figure 4, or send an alarm.

Two new control messages can be added to the AODV protocol to facilitate this. One,
which we call "RRCS" for "Routing Request Checksum" is broadcast by the sender to
reach the destination, like an RREQ when no intermediate nodes hold a route to the
destination. Each node through which it passes adds its ID to RRCS. The destination
responds to each RREQ it receives with the second control message, RCSR for "Routing
Checksum Reply." It contains a checksum or CRC code of the data that the client
received from the server, including routing control messages, and the size of the data that
it received. It also contains a copy of the list of nodes that its corresponding RREQ
passed through; and each node that the RRCS passes through refers to that list, in reverse
order, to determine the next node to forward it to. This ensures that the RCSR follows
the exact route as the RRCS, in reverse order. As the server receives each RCSR
response, it compares its checksum with the checksum of the data that was sent.
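
The check described above, sketched as an added Go example (not code from the paper or from any AODV implementation). It assumes CRC-32 as the checksum, takes the routes 0-2-4-3 and 0-1-4-3 from the simulation section, reads the RCSR as retracing the RRCS node list in reverse, and uses constructed packets and constructed misbehaviour flags on node 2.

```go
package main

import (
	"bytes"
	"fmt"
	"hash/crc32"
)

// RCSR: checksum and size of the received data, plus the node list from the RRCS.
type RCSR struct {
	Checksum uint32
	Size     int
	Path     []string
}

// Node is an intermediate node with constructed misbehaviours: DropEvery=1 is
// a black hole, DropEvery=n a gray hole; Forge rewrites replies in transit.
type Node struct {
	ID        string
	DropEvery int
	Forge     bool
}

// SendData returns the bytes that reach the destination over the data route.
func SendData(route []Node, packets [][]byte) []byte {
	var got []byte
next:
	for i, p := range packets {
		for _, n := range route {
			if n.DropEvery > 0 && (i+1)%n.DropEvery == 0 {
				continue next
			}
		}
		got = append(got, p...)
	}
	return got
}

// Check sends one RRCS along route and returns the RCSR the sender gets back.
// sent is passed in only so a forging node can fake a clean reply.
func Check(route []Node, received, sent []byte) RCSR {
	r := RCSR{Checksum: crc32.ChecksumIEEE(received), Size: len(received)}
	for _, n := range route { // outbound RRCS: each node adds its ID
		r.Path = append(r.Path, n.ID)
	}
	for i := len(r.Path) - 1; i >= 0; i-- { // RCSR retraces the list in reverse
		if route[i].Forge {
			r.Checksum, r.Size = crc32.ChecksumIEEE(sent), len(sent)
		}
	}
	return r
}

// Verdict is the sender's comparison of the replies with what it sent.
func Verdict(sent []byte, replies []RCSR) string {
	if len(replies) == 0 {
		return "no reply"
	}
	for _, r := range replies[1:] {
		if r.Checksum != replies[0].Checksum || r.Size != replies[0].Size {
			return "malicious node: replies disagree"
		}
	}
	if replies[0].Checksum != crc32.ChecksumIEEE(sent) || replies[0].Size != len(sent) {
		return "bad link or malicious node: switch route"
	}
	return "ok"
}

// Run sends data over 0-2-4-3, then checks over 0-2-4-3 and 0-1-4-3.
func Run(node2 Node) string {
	via2, via1 := []Node{node2, {ID: "4"}}, []Node{{ID: "1"}, {ID: "4"}}
	packets := [][]byte{[]byte("pkt-1;"), []byte("pkt-2;"), []byte("pkt-3;")}
	sent := bytes.Join(packets, nil)
	got := SendData(via2, packets)
	return Verdict(sent, []RCSR{Check(via2, got, sent), Check(via1, got, sent)})
}

func main() { fmt.Println(Run(Node{ID: "2", DropEvery: 1})) }
```

A node that drops data and also forges the reply on its own route is still exposed, because the reply arriving over the other route reports a different checksum and size.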
Figures 1-4 (referenced above; images not reproduced)

To prevent denial of service attacks on an AODV protocol based network from an external
malicious node or intruder, or from an internal misbehaving node that can flood the
network with any kind of control messages, such as RREQ and RREP, a set of two types
of keys will be used in the member nodes in this protocol: a secret key shared between all
nodes, and a public-private key pair for each node. Using this approach will provide a
mechanism to authenticate member nodes in the same group that have the same shared
secret key. Therefore, an external malicious node planted physically by an external user
can be identified, and any member node that receives a message from a node that does not
have the shared secret key will drop that message. This will detect and prevent external
attacks, including DoS attacks. Also, internal nodes and messages between them will be
authenticated by digital signature using their own private key. This will provide internal
security against an external node that has presumably obtained the shared key. This node
will not be able to communicate with member nodes since it will not use its private key.

Applying the previously mentioned approach of using the digital signature to authenticate
all messages between member nodes will provide us with a way to detect the
misbehaving nodes in the member community; such a node cannot deny sending particular
information since member nodes send messages authenticated through their own private
key. If a misbehaving node is detected regularly, then neighbor nodes will report it to other
member nodes in the network. We also propose applying the fingerprint mechanism to
authenticate specific users to have access to certain nodes, and also to prevent any
non-legitimate user from gaining access to member nodes in the network.
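
The two-layer authentication from the two paragraphs above, as an added Go example (not the authors' code). HMAC-SHA-256 for the shared secret key and Ed25519 for the per-node key pair are assumptions, as are all names and the pre-provisioned public keys; the paper names no algorithms and no key distribution method.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Msg is a control message (for example an RREQ) carrying both authenticators.
type Msg struct {
	Sender  string
	Payload []byte
	Sig     []byte // sender's private-key signature over sender and payload
	Tag     []byte // MAC under the shared group key over the signed bytes and Sig
}

// Member holds the shared secret, its own key pair, and the other members'
// public keys (pre-provisioned here, which is an assumption of this example).
type Member struct {
	ID       string
	groupKey []byte
	priv     ed25519.PrivateKey
	Known    map[string]ed25519.PublicKey
}

// NewMember derives the key pair from a constructed seed so the demo is repeatable.
func NewMember(id string, groupKey []byte) *Member {
	seed := sha256.Sum256([]byte("constructed seed " + id))
	return &Member{ID: id, groupKey: groupKey,
		priv: ed25519.NewKeyFromSeed(seed[:]), Known: map[string]ed25519.PublicKey{}}
}

func (m *Member) Public() ed25519.PublicKey { return m.priv.Public().(ed25519.PublicKey) }

func signedBytes(sender string, payload []byte) []byte {
	return append([]byte(sender+"\x00"), payload...)
}

func groupTag(key, signed, sig []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(signed)
	h.Write(sig)
	return h.Sum(nil)
}

// Send signs with the node's private key, then tags the result with the group key.
func (m *Member) Send(payload []byte) Msg {
	b := signedBytes(m.ID, payload)
	sig := ed25519.Sign(m.priv, b)
	return Msg{Sender: m.ID, Payload: payload, Sig: sig, Tag: groupTag(m.groupKey, b, sig)}
}

// Accept applies the two checks in order: group membership, then sender identity.
func (m *Member) Accept(msg Msg) string {
	b := signedBytes(msg.Sender, msg.Payload)
	if !hmac.Equal(msg.Tag, groupTag(m.groupKey, b, msg.Sig)) {
		return "drop: group tag invalid"
	}
	pub, ok := m.Known[msg.Sender]
	if !ok || !ed25519.Verify(pub, b, msg.Sig) {
		return "drop: signature invalid"
	}
	return "accept"
}

// Demo: B's decision for member A, an outsider, and a holder of the leaked group key.
func Demo() []string {
	group := []byte("constructed group key")
	a, b := NewMember("A", group), NewMember("B", group)
	b.Known["A"] = a.Public()
	outsider := NewMember("X", []byte("not the group key"))
	// Has the group key and claims to be A, but signs with a different private key.
	leaked := &Member{ID: "A", groupKey: group, priv: NewMember("Y", group).priv}
	rreq := []byte("RREQ dst=E")
	return []string{b.Accept(a.Send(rreq)), b.Accept(outsider.Send(rreq)), b.Accept(leaked.Send(rreq))}
}

func main() { fmt.Println(Demo()) }
```

Because the signature is made with the sender's own key, any member holding A's public key can verify the same message later, which is what lets neighbors attribute and report a misbehaving member.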




Proposal Risk:

We identified some questions that cross the mind concerning our proposed methodology.
These questions are:
Q1- What if another problem prevented the destination from receiving all of the packets
that were sent?
Q2- What about the network and power overhead involved in broadcasting a new message?
Q3- What if another malicious node, in the path of an alternative route between the sender
and the destination, alters the destination's response?
Q4- What if another malicious node alters the destination's positive response to say that
no data has been sent?

A1- As long as the TCP protocol is used to transfer the data, this shouldn't be a problem,
since TCP provides reliable delivery. If such a problem still occurred, it would be better
for the sender to send messages through a different route.
A2- The interval in which the checksum message is sent can be varied based on the
application requirements. In this, there would be a tradeoff between security and network
traffic.
A3- We are assuming a reliable path between sender and destination since we proposed
a technique to detect external malicious nodes and a way to authenticate internal nodes. If
there are no good paths between the sender and the destination, this may fail to detect a
black hole attack.
A4- The system would know that a bad node exists anyway and would send an alarm to
other nodes. Further action can then be taken to identify and isolate malicious nodes.

6- Future Research
In this paper we have analyzed routing protocols and security issues of MANETs; we
also described AODV protocol and proposed methods to solve security issues of the
black hole, Dos, and detecting and reporting malicious nodes in AODV protocol.
As future work, we intend to test the performance of our solutions through
simulation, and also demonstrate how our solutions can co-exist with other published
solutions.

References:

[1] C. Karlof and D. Wagner., Secure Routing in Wireless Sensor Networks: Attacks
and Countermeasures, Sensor Network Protocols and Applications (SNPA'03), May
2003

[2] Anthon Wood, A. D., and Stankovic, J. A. Denial of service in sensor networks. IEEE
Computing (2002), 54--62.

[3] Deng, J., Han, R., Mishra, S.: INSENS: Intrusion-tolerant routing in wireless Sensor
Networks. Technical Report CU CS-939-02, Department of Computer Science,
University of Colorado, November 2002.
http://citeseer.ist.psu.edu/680475.html

[4] H. Deng, W. Li, and D. Agrawal, "Routing Security in Wireless Ad Hoc Networks,"
IEEE Comm. Magazine, vol. 40, no. 10, 2002, pp. 70-75.

[5] P. Papadimitratos, Secure Data Communications in Mobile Ad Hoc Networks,
IEEE Journal On Selected Areas In Communications, vol. 24, no. 2, February 2006,
pp. 346-356.

[6] S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, K. Nygard Prevention of
Cooperative Black Hole Attack in Wireless Ad Hoc Networks

[7] L. Venkatraman and D.P. Agrawal, Strategies for enhancing routing security in
protocols for mobile ad hoc networks, J. Parallel Distrib. Comp., 2002.

[8] S. Yi, P. Naldurg, and R. Kravets Security-Aware Ad hoc Routing for Wireless
Networks The Second ACM Symposium on Mobile Ad Hoc Networking & Computing
(MobiHoc'01), 2001.(another version Security-Aware Ad Hoc Routing Protocol for
Wireless Networks, Report, August, 2001)

[9] Sergio Marti and T. J. Giuli and Kevin Lai and Mary Baker. Mitigating routing
misbehavior in mobile ad hoc networks. Mobile Computing and Networking (2000):

[10] Yih-Chun Hu, David B. Johnson, and Adrian Perrig. SEAD: Secure Efficient
Distance Vector Routing for Mobile Wireless Ad Hoc Networks. Proceedings of the 4th
IEEE Workshop on Mobile Computing Systems & Applications (WMCSA 2002), pp. 3-
13, IEEE, Calicoon, NY, June 2002.