Detection Of Wormhole In Wireless Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Mobile ad-hoc networks face several security issues, of which the wormhole attack is the most menacing. This kind of attack does not depend on compromising other legitimate nodes. In a wormhole attack, the attacker records packets at one location and tunnels them (selectively) to another location in the network. The wormhole thus produces a fake route with a minimum hop count, and it is difficult to detect because the malicious nodes impersonate legitimate nodes. A strategic placement of the wormhole can result in a significant breakdown in communication across a wireless network. If any node chooses this fake route, the malicious nodes have the option of altering, delivering or dropping the packets. In this paper we propose a mechanism to detect wormhole attacks by using statistical node-to-node (N2N) delivery.

Index terms: MANET, Wormhole, N2N (node-to-node) delivery, Tunnel link, Wormhole link, Wireless LAN, Network security.


A MANET is an infrastructureless network without centralized administration (access point), maintained by its constituent wireless nodes. The mobile nodes communicate with other nodes in radio range using multiple hops, and each node seeks the assistance of its neighboring nodes to forward packets. MANET is important and is used in many fields such as business, medicine, scientific applications, personal area networks, disaster relief and so on. It has some attractive features, like self-maintenance, self-configuration and no need for fixed network infrastructure or centralized administration. However, along with these advantages, ad-hoc networks face intense security problems compared to the wired medium, as the nodes use the open air medium to communicate with other nodes. Several security issues are related to ad-hoc networks, like passive and active attacks, information tapping, limited capacity and dynamic topology, and the foremost menacing attack is the wormhole attack. In this paper we propose a mechanism to detect wormhole attacks in mobile ad-hoc networks.


A wormhole involves a conspiracy between two attackers. In Figure 1, the malicious node X captures the routing traffic at one end and tunnels it to the malicious node Y at the other end of the network. Thus a private link exists between the malicious nodes X and Y in the network. Once the wormhole link is established, the malicious nodes may perform a passive attack or an active attack.

Fig 1. Wormhole link [9]

A passive attack is an act of eavesdropping with no alteration of the data. An active attack, on the other hand, affects data integrity. Wormhole nodes also replay valid network messages at improper places. They can make distant nodes believe that they are immediate one-hop neighbors, and force all communications to go through them.

Fig 2

In Figure 2, the malicious node M1 captures the routing traffic from the source node S and tunnels the data packet to another malicious node M2, which may or may not relay the data packet to the destination node D. The malicious node may use a direct link from M1 to tunnel the data packet to M2, or it may use the intermediate nodes H1, H2, H3, H4 to relay the data packets. The nodes H1, H2, H3, H4 are hidden from the source and destination by the malicious nodes, which present themselves as one-hop nodes (the shortest-hop nodes to the source and destination). So a wormhole link is established between M1 and M2, forcing all communications to go through them.

A. Wormhole Using Encapsulation

In the encapsulation technique [8], when a node broadcasts a RREQ packet, the malicious node hears it and tunnels it to the other malicious node near the destination. The malicious node near the destination then rebroadcasts the packet to the destination node. The neighbors of the second colluding party receive the request packet and drop any further requests that may arrive later on. Hence the data will be sent through the two wormhole nodes between the source and the destination. Finally, as a result, the source node ignores those nodes that are more than two hops away from the destination. For example, consider Figure 3 [7]. When node A broadcasts a RREQ packet to find the route, X encapsulates the request in a packet destined to Y through U-V-W-Z. When node Y receives the packet, it demarshalls it and then rebroadcasts it to reach node B. When node A broadcasts the request message, node C receives it and discovers a new route C-D-F to reach destination B. When both the routes reach the source, instead of selecting C-D-E as the route, source node A selects U-V-W-Z as the route to send the data, since the wormhole nodes X and Y show that the source and destination are only 2 nodes away from each other. This kind of wormhole attack is easily possible because it does not need any kind of specially designed hardware.

Fig 3. Wormhole through packet encapsulation [7]

B. Wormhole using Out-of-Band Channel

Another mechanism involved in wormhole attacks is the use of an out-of-band channel [8]. This kind of attack is more difficult to achieve than the previous one, since it needs a special hardware capability such as a wired link. Consider the scenario depicted in Figure 4 [7]. When node A broadcasts a RREQ packet, the malicious node X, which has an out-of-band channel with another malicious node Y, tunnels the RREQ to Y, which is a legitimate neighbor of B. Node Y then rebroadcasts the packet to its neighbors, including B. B gets two RREQs: A-X-Y-B and A-C-D-E-F-B. The shortest route A-X-Y-B is chosen to send the data.

Fig 4. Wormhole through out-of-band channel [7]

C. Wormhole using Packet Relay

A wormhole formed using the packet relay technique is another way to either modify or drop the data. This kind can be formed even by a single malicious node placed between two non-malicious nodes. Most malicious nodes cooperate with each other to increase the neighbor links of non-malicious nodes. This can be done by a malicious node which is in transmission range of both the source and destination nodes when those nodes are not in transmission range of each other. Two malicious nodes can also collude to create a longer (and more harmful) wormhole. The wormhole link between two malicious nodes A and B can be created artificially by a wormhole node X which is in transmission range of both A and B, as shown in Figure 5. A longer wormhole can also be created by two malicious nodes X and X′ when a single malicious node is not in range of both the source and destination nodes, as in Figure 6 [8].

Fig 5. A wormhole created by node X [8]

Fig 6. A longer wormhole created by two malicious nodes [8]

The remainder of this paper is organized as follows. In section (ii), we review the existing wormhole detection mechanisms and their limitations. Our proposed wormhole detection mechanism is explained in section (iii). Simulation results are presented in section (iv). Finally, the conclusion and future work are given in section (v).


Several approaches have been proposed recently to detect wormhole attacks in mobile ad-hoc networks. Jane Zhen and Sampalli Srinivas proposed a wormhole detection mechanism based on the Round Trip Time (RTT) between two nodes [1]. The RTT between two nodes S and D is calculated by sending a request message to D that requires an immediate reply from D. The RTT between S and D is the time between A's sending the request message and receiving the reply message from B. In this mechanism every node N calculates the RTT between N and all of N's neighbors. Because the RTT between two fake neighbors is higher than that between two real neighbors, node S can identify which neighbors are fake and which are real by comparing the RTTs between S and its neighbors. This mechanism does not require any special hardware and is easy to implement, but it cannot detect exposed attacks because no fake neighbor is created in exposed attacks.

Z. Tun and A. H. Maw proposed a wormhole detection method based on neighbor numbers and round trip time [6]. When the RTT between two nodes is considerably greater, they check the neighbor number. If the neighbor number is greater than the average neighbor number, then a wormhole exists. This detection method assumes that all nodes in the network use the same hardware and software configuration.

T. Van Phuong, N. T. Canh, Y. K. Lee and S. Lee presented a wormhole detection scheme in which each node calculates the RTT between itself and the destination and then sends this value back to the source node [4]. As only delays are measured, this scheme suffers from a poor false alarm rate when two legitimate neighbors suffer link congestion and have different intra-nodal processing capabilities.

Ajit Singh and Kunwar Singh Vaisla proposed a wormhole detection mechanism based on RTT calculation between intermediate nodes rather than between the source and destination nodes [2]. When the RTT between two intermediate nodes is considerably greater than that between other intermediate nodes, a wormhole exists. This detection method assumes that all nodes have the same software and hardware configuration, and it does not detect wormholes that use packet relay [2].

Shalini Jain and Dr. Satbir Jain proposed a wormhole detection method based on trust values, which are required for each of the nodes for further transmission of the packet [10]. Trust values are given to each node based on the number of acknowledgements it receives for the transmission of the packet. In this method, eavesdropping can be easily detected. But this method cannot detect wormholes when the malicious nodes modify the packets, because acknowledgements are received anyway even if the packets are modified and sent.

A. Vani and D. Sreenivasa Rao proposed a hybrid routing algorithm based on AODV (hop count, anomaly detection, neighbor list) [11]. AODV drops under the presence of a normal wormhole attack.

Xia Wang and Johnny Wong proposed a scheme where a wormhole can be detected by probabilistic means [12]. A probability density function is calculated, based on which a wormhole is detected. To find the end points of the wormhole, a TRACING procedure is used so that packets are not sent using that route. Longer wormholes cannot be detected using this procedure.

T. Sakthivel and R. M. Chandrasekaran proposed a wormhole detection scheme that looks at frequently used routes and compares a route's distance to the destination with that of another route [13]. If the difference between the two distances is greater than the threshold, the route is marked as a wormhole and further packets are not sent through this route.

T. Hayajneh, P. Krishnamurthy, David Tipper and Anh Le detected wormholes using SECUND, SECUre Neighborhood Detection [14]. One of the true neighbors of the source is used to find a route to the destination without using the common neighbors of the source and destination for routing the packet. This hop count is then compared with the hop count through the suspicious wormhole node (always 3). If the difference is greater than the threshold, a wormhole is detected. This method cannot detect a wormhole if the destination is a fake neighbor.


In this paper, we propose a mechanism for detecting the presence of a wormhole using N2N. It has 3 phases:

Phase 1: Threshold calculation

Phase 2: N2N delivery calculation

Phase 3: Wormhole Detection




    st := simulation start time
    et := simulation end time
    N2N := node-to-node delivery

Malicious path fixing

    For each path
        Measure throughput
        Measure node-to-node delivery
        Measure difference between N2N[i] and N2N[i-1]
        If difference > maximum threshold or difference < minimum threshold
            Fix malicious path
    end for

Phase 1: Threshold calculation

In our mechanism, when a node wants to establish a route with another node, we check whether a wormhole exists by using a statistical N2N delivery calculation. Consider a node sending the RREQ (Route Request) packet. When the request packet reaches the destination node, the destination sends a route reply (RREP) packet back along the same route the request took. The time between the RREQ and RREP messages is noted to find out the wormhole nodes between the source and the destination nodes. The threshold can be calculated as


    Declare variables
        ps := packet size of successfully delivered packets
        st := simulation start time
        et := simulation end time
    For each path


Phase 2: N2N Delivery Calculation

In this phase, every node calculates the N2N between itself and the destination, and the N2N values are compared to check whether a wormhole is present on that particular route to the destination. If there is no wormhole, there will be only a slight difference between the values. If an N2N value is higher than those of the other successive nodes, a wormhole attack using the encapsulation or packet relay technique can be suspected between the source and the destination. Otherwise, if an N2N value is lower than those of the other successive nodes, a wormhole attack using an out-of-band channel link can be suspected. In this fashion the mechanism can identify the route where the wormhole nodes are present. The times of sending the RREQ and receiving the RREP are described in Figure 7. The source node is responsible for calculating the N2N values of every successive node along the established route.

Fig 7: TREQ and TREP[4]


TREQ is the time taken by the corresponding node to forward RREQ.

TREP is the time taken by the corresponding node to forward RREP.

Then the N2N between S, A, B, C and D will be:





And the N2N values between two successive nodes along the path will be:

$N2N_{S,A} = N2N_{S,D} - N2N_{A,D}$

$N2N_{A,B} = N2N_{A,D} - N2N_{B,D}$

$N2N_{B,C} = N2N_{B,D} - N2N_{C,D}$

Under normal conditions, $N2N_{S,A}$, $N2N_{A,B}$, $N2N_{B,C}$ and $N2N_{C,D}$ are similar. But if there is a wormhole link which uses

the encapsulation or packet relay technique between B and C, then $N2N_{B,C}$ is considerably greater than $N2N_{S,A}$, $N2N_{A,B}$ and $N2N_{C,D}$, as in Figure 8;

the out-of-band channel technique between B and C, then $N2N_{B,C}$ is considerably lower than $N2N_{S,A}$, $N2N_{A,B}$ and $N2N_{C,D}$.

Phase 3: Wormhole Detection

When the source node gets the RREP, it triggers the detection process to check whether the established route contains a wormhole or not. The source node calculates the N2N between every two successive nodes along the path, based on the N2N values in the extension part of the RREP. A considerably higher N2N value between two successive nodes than between the others indicates a wormhole link of the encapsulation or packet relay type between those two nodes. A considerably lower N2N value between two successive nodes than between the others indicates a wormhole of the out-of-band channel type between those two nodes. The question is how much higher or lower the N2N must be to be considered a wormhole link. As in some other proposals, we use a threshold to make the decision. The threshold can be determined based on our simulation with appropriate parameters. As we can see in Fig. 7 [4], to improve the performance of the proposed mechanism the N2N value should be more accurate. Unfortunately, the processing time at every node varies greatly depending on the process and the network traffic. So instead of calculating the N2N value between two nodes only once, we can calculate it several times, say n times, and then take the statistical value between every two nodes between the source and the destination.


    Declare variables
        xi := N2N[i]
        n := number of hops
    For each path
        Calculate N2NF



If we measure the N2N between two nodes k times and then compute the average value, the N2N value will be more accurate. So, to enhance the performance, after getting the RREP from the destination node, the source node keeps sending the RREQ via the established path k-1 more times to calculate the N2N between every two successive nodes along the path. The final N2N values between each two nodes used to detect the wormhole are the averages of those k N2N values.
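The following added example (not the essay's own code) works through Phases 2 and 3 on the path S-A-B-C-D: it averages k measurements of each node's N2N to the destination, differences successive nodes as in the equations above, and flags hops that stand out. The threshold values, the use of the median hop as the baseline for "the others", and all sample values are assumptions constructed for illustration, since the essay's threshold formula is not shown.

```python
from statistics import mean, median

# Constructed sample data: k = 3 measurements of N2N(node, D) for each node
# on the path S-A-B-C-D. Values and thresholds are illustrative assumptions.
PATH = ["S", "A", "B", "C", "D"]
CLEAN = {"S": [40, 42, 41], "A": [30, 31, 32], "B": [20, 21, 19],
         "C": [10, 10, 10], "D": [0, 0, 0]}
ENCAP = {"S": [70, 72, 71], "A": [60, 61, 62], "B": [50, 51, 49],
         "C": [10, 10, 10], "D": [0, 0, 0]}   # slow tunnel between B and C
OOB = {"S": [33, 34, 32], "A": [23, 23, 23], "B": [12, 13, 11],
       "C": [10, 10, 10], "D": [0, 0, 0]}     # fast side channel between B and C
MAX_THRESHOLD = 5    # assumed; the essay derives its thresholds from simulation
MIN_THRESHOLD = -5


def hop_n2n(path, samples):
    """Average the k samples per node, then take N2N_{X,Y} = N2N_{X,D} - N2N_{Y,D}."""
    avg = {node: mean(samples[node]) for node in path}
    return [(a, b, avg[a] - avg[b]) for a, b in zip(path, path[1:])]


def detect_wormhole(path, samples, max_threshold, min_threshold):
    """Return (node, next_node, suspected_type) for hops that stand out."""
    hops = hop_n2n(path, samples)
    # Assumption: "the others" is summarised by the median hop value, which a
    # single outlying hop cannot drag far.
    baseline = median(value for _, _, value in hops)
    findings = []
    for a, b, value in hops:
        deviation = value - baseline
        if deviation > max_threshold:
            findings.append((a, b, "encapsulation or packet relay"))
        elif deviation < min_threshold:
            findings.append((a, b, "out-of-band channel"))
    return findings


if __name__ == "__main__":
    for name, samples in (("clean", CLEAN), ("encapsulation", ENCAP), ("out-of-band", OOB)):
        print(name, detect_wormhole(PATH, samples, MAX_THRESHOLD, MIN_THRESHOLD))
```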


N2N is calculated for each source-to-destination pair in the network. N2N varies gradually depending on the distance in the network. But if the N2N values show a sudden steep change, either upward or downward, we can conclude that a wormhole is present. Figure 8 shows the variation of N2N in a network which has a wormhole. From the graph we can easily find that there is a wormhole in the network. By analyzing the graph we can find the route in which the wormhole is present. The entire simulation is done in ns2, with an awk file created to analyse the results, and the graph is plotted using xgraph.


Fig 8 Graph showing variation of N2N delivery


In this paper, we have introduced the wormhole attack, a most threatening attack. To detect and defend against wormhole attacks which use encapsulation, packet relay or an out-of-band channel, we proposed an optimized mechanism based on the average N2N delivery of the route message. The significant feature of the proposed mechanism is that it does not need any special hardware to detect wormhole attacks. In future we would like to simulate this mechanism to calculate the detection rate and the accuracy of alarms.