A mobile ad-hoc network is a type of wireless network. MANET depends on the mobile nodes as it is an infrastructure-less network. Mobile nodes move freely in arbitrary directions changing location from time to time. A node may be a sender or a receiver or a router. The lack of any centralized infrastructure in MANET is one of the greatest security concerns in the deployment of wireless networks. Thus communication in MANET functions properly only if the participating nodes cooperate in routing without any malicious intention. MANETs are vulnerable to various types of attack because of features like continuous changing topology, resource constraints and non availability of any centralized infrastructure. Many denial of service (DoS) type of attacks are possible in the MANET. Flooding attack is one of the attacks in which malicious node sends the useless packets to consume the valuable network resources. Flooding attack is possible mostly in on-demand routing protocol. In this chapter, a technique to mitigate the effect of flooding attack in MANET using trust estimation function in Dynamic Source Routing (DSR) is presented.
Ad-hoc networks are simple peer-to-peer networks, self-organized with no fixed infrastructure. This leads to new vulnerabilities which are not known in wired networks. The wireless links and dynamic topology definitely gives flexibility in installation. But, at the same time, security is a major concern in these networks. The wireless channels are vulnerable to various security attacks. Some of the ad-hoc nodes may be victimized in the network by malicious nodes and may indulge in various denial-of-service attacks . The lack of security frameworks in these networks is one of the major concerns in their large-scale deployment. The proposal is an initiative towards developing a fool proof security model which can detect and prevent a good subset of security attacks possible in an ad-hoc environment. This chapter focuses on the implementation of flooding attacks by neighbouring nodes and strategies to prevent this attack in ns-2  .
5.2. Trust in MANET
Trust is a critical factor which depends on uncertain conditions and is used for decision making on cooperating with unknown participants . It includes establishment and updation of trust . In general, trust management and reputation management is believed to be invariably used  but it is not a fact. There lies a difference between the trust and reputation. Trust is active while reputation is passive . Direct observation and recommendation are the two ways used to measure trust or reputation. Recommendation is simply an effort to pass one node's trust or reputation to another  . Golbeck  elaborates about three main properties of trust with reference to social network. Trust cannot be completely transitive in mathematical terms. That is, if A trusts B, and B trusts C, it does not guarantee that A trusts C. Second, trust is not necessarily symmetric, meaning not identical in both directions. Yonfang  discusses about policy-based trust management and reputation-based trust management. Policy based techniques use logical rules and verifiable properties encoded in signed credentials for user access to resources.
Policy based technique takes binary decision based on which the requester is trusted or not and accordingly access is decided. Due to its binary decision methodology it provides less flexibility. On the other side reputation based scheme derives trust based on numerical and computational mechanism.
Trust is an inevitable property in the design and analysis of distribution systems . Trust is a critical part through which the relationships emerge . Proper security measures and correct decisions shall be arrived by clarifying the trust relationship. A trust model involves specification and setting up of trust relationship among entities. Trust modelling is seen as growing technique to represent trust in digital format. Recently, it has gained significance in providing security in electronic systems. Current academic work in the areas of Trust covers such aspects as analysing the problems of current secure systems  , proposing models for achieving trust in digital systems   and quantifying or specifying trust in digital systems . The above section depicts some of the existing trust management schemes developed for MANET environment.
5.3. Routing Protocols
The primary goal of routing protocols in ad-hoc network is to establish optimal path or min hops between source and destination with minimum overhead and minimum bandwidth consumption so that packets are delivered in a timely manner . A MANET protocol should function effectively over a wide range of networking context from small ad-hoc group to larger Mobile Multihop networks . Routing protocols can be divided into proactive, reactive and hybrid protocols, depending on the routing topology. Proactive protocols are typically table-driven, e.g. Destination Sequenced Distance Vector (DSDV) protocol. Reactive or source-initiated on-demand protocols, on the contrary, do not periodically update the routing information. It is propagated to the nodes only when necessary, e.g. DSR and Ad-hoc On-Demand Distance Vector (AODV). Hybrid protocols make use of both reactive and proactive approaches e.g. Zone Routing Protocol (ZRP), Zone-Based Hierarchical Link State Routing Protocol (ZHLS) etc.   . The advantage of proactive routing protocol is that node experiences minimal delay when route is needed and unexpired route is available in the routing table but the disadvantage of proactive routing is that these are not scalable and maintenance of routing table requires substantial network resources. In the case of reactive routing protocol, route between the nodes is searched only when a node wants to communicate with the other node. To discover the routes they use route discovery procedure which in turns uses the flooding method. In this, initiator forwards the RREQ packet to its entire neighbour's. If neighbour has the route for destination they reply, otherwise forward the RREQ to the next node. In this way RREQ packet reaches the destination which sends the reply to RREQ. But the method which is used to facilitate route discovery is used by the Intruders or the malicious node to consume the network resources which may lead to flooding attack. The DSR is a reactive unicast routing protocol that utilizes source routing algorithm. In source routing algorithm, each data packet contains complete routing information to reach its destination. Additionally, in DSR, each node uses caching technology to maintain route information that it has learnt . There are two major phases in DSR, the route discovery phase and the route maintenance phase. When a source node wants to send a packet, it first consults its route cache. If the required route is available, then the source node includes the routing information inside the data packet before sending it. Otherwise, the source node initiates a route discovery operation by broadcasting route request packets. A route request packet contains addresses of both the source and the destination and a unique number to identify the request. On receiving a route request packet, a node checks its route cache. If the node doesn't have routing information for the requested destination, it appends its own address to the route record field of the route request packet. Then, the request packet is forwarded to it's neighbours. To limit the communication overhead of route request packets, a node processes route request packets that it has not seen before and its address that is not presented in the route record field. If the route request packet reaches the destination or an intermediate node has routing information to the destination, a route reply packet is generated. When the route reply packet is generated by the destination, it comprises of addresses of nodes that have been traversed by the route request packet. Otherwise, the route reply packet comprises the addresses of nodes the route request packet has traversed concatenated with the route in the intermediate node's route cache. After being created, either by the destination or an intermediate node, a route reply packet needs a route back to the source. There are three possibilities to get a backward route. The first one is that the node already has a route to the source. The second possibility is that the network has symmetric (bi-directional) links. The route reply packet is sent using the collected routing information in the route record field, but in a reverse order. In the last case, there exists a symmetric (unidirectional) link and a new route discovery procedure is initiated to the source. The discovered route is piggy-backed in the route request packet.
In DSR, when the data link layer detects a link disconnection, a ROUTE_ERROR packet is sent backward to the source. After receiving the ROUTE_ERROR packet, the source node initiates another route discovery operation. Additionally, all routes containing the broken link should be removed from the route caches of the immediate nodes when the ROUTE_ERROR packet is transmitted to the source. DSR has increased traffic overhead by containing complete routing information into each data packet, which degrades its routing performance .
5.4. Routing Attacks
The malicious node(s) can attack MANET using different ways, such as sending fake messages several times, fake routing information, and advertising fake links to disrupt routing operations. In the following sub-section, some of the current routing attacks in MANET protocols are discussed.
A. Flooding Attack: Flooding attack is a DoS type of attack in which the malicious node broadcasts the excessive false packet in the network to consume the available resources so that valid or legitimate user will not be able to use the network resources for valid communication. Because of the limited resource constraints in the MANET, resource consumption due to flooding attack reduces the throughput of the network. The flooding attack is possible in almost all of the on-demand routing protocols. Depending upon the type of packet used to flood the network, flooding attack can be categorized in to two categories.
a) RREQ Flooding: In the RREQ flooding attack, the attacker broadcasts the many RREQ packets per time interval to the IP address which does not exist in the network and disables the limited flooding feature. On-demand routing protocol uses the route discovery process to obtain the route between the two nodes. In the route discovery the source node broadcasts the RREQ packets in the network. Because the priority of the RREQ control packet is higher than data packet, at the high load also RREQ packets are transmitted. A malicious node exploits this feature of on-demand routing to launch the RREQ flooding attack.
b) Data Flooding: In the data flooding, malicious node flood the network by sending useless data packets. To launch the data flooding, first malicious node builds a path to all the nodes then sends large amount of bogus data packets. These useless data packet exhaust the network resources and, hence, legitimate users are not able to use the resources for valid communication.
B. Black hole Attack: In a black hole attack, a malicious node sends fake routing information, claiming that it has an optimum route and causes other good nodes to route data packets through the malicious one. For example, in AODV, the attacker can send a fake Route Reply (RREP) (including a fake destination sequence number that is fabricated to be equal or higher than the one contained in the RREQ) to the source node, claiming that it has a sufficiently fresh route to the destination node. This causes the source node to select the route that passes through the attacker. Therefore, all traffic will be routed through the attacker and the attacker can misuse or discard the traffic.
The model used for detection and prevention of flooding attack is distributed cooperative model in which all the node locally run the intrusion detection code  and cooperate with each other to detect and prevent flooding attack in the network. In this work the DSR routing protocol along with the trust  estimation function is used because the communication between the nodes in the MANET depends on the cooperation and the trust level on its neighbours. To calculate the trust level, the trust estimation function is used in the route discovery phase of the basic DSR routing protocol. The function calculates the trust level of each neighbouring node. Various parameters which are used for trust estimation are: Total number of RREQ packet sent by the neighbour per unit time, total number of packet successfully transmitted by the neighbour, Ratio of number of packet received correctly from the neighbour to the total number of received packets. In the work, based on the relationship of a node with its neighboring node, three categories of trusts are considered, namely stranger, acquaintance and friend.
The strangers are the non-trusted node - means that a stranger node is a node with minimum trust level. Initially, when any node joins the network, this trust relationship with all its neighbours are low or negligible and that this node is treated as a stranger. Acquaintances are the nodes which have the trust level between the friends and strangers. A node is acquainted to its neighbour means it has received some packets through that node. Friends are most trusted nodes or the nodes with highest trust level can be treated as friends. Here the higher trust level means that neighbours had received or transferred many packets successfully through this particular node .
During the route discovery phase of the DSR routing protocol, the trust value is also computed for all the neighbours of any node. The result of trust estimation function is the relationship status of all of neighbours as friend, acquaintance or stranger .
Consider a MANET of figure 5.1 with seven nodes, (n0 to n6) where node n1, n2, n3, n4, n5, n6 are the neighbouring nodes of node n0. Node n1 and n4 have a friendly relationship with n0, node n2 and n6 are strangers to n0 and n3, and n5 is acquaintance to node n0. These relationships are shown in the friendship table 5.1.
To detect the intrusion, in our scheme each node stores a friendship table. Friendship table is used to store the relationship status of any node with its neighbours. The friendship table has two columns. First the identifier or name of its entire neighbouring node and second its relationship status with the neighbour node that could be friend, acquaintance or stranger. This table is referred to every time any node receives the packet. Initially when a node joins the networks it is considered a stranger. A node is considered a stranger if nodes have never sent or received message to or from the neighbour. A node is considered as an acquaintance if it's trust level is neither very low nor too high, which means that node receives some packet through this neighbour. If node receives many packets to or from any node successfully, then the trust level is very high and the node is considered a friend. There is very high probability of attack from stranger but very low probability from friend. Different threshold values are defined for different types of neighbours to become friend, acquaintance and stranger. Ta and Tf are the threshold values for the acquaintance and the friend respectively. Along with this every node maintains a local counter to count RREQ that is compared with threshold value of neighbours. If RREQ count is greater than Tf then neighbour is considered as a friend and if it is greater than Ta and less than Tf then neighbour is acquaintance, otherwise considered a stranger.
To extend the method proposed in  for higher node mobility, we added the concept of delay queue. Consider the situation where the node mobility is very higher. So, relationship status of almost all the nodes can be that of a stranger or acquaintance because to become a friend to its neighbour, node has to forward many packets successfully to its neighbour. But because of the higher mobility, nodes change its position frequently; so possibility of friendly relationship is very low. As we know that the threshold value of the stranger or acquaintance is lower than that of the friend. So if any node sends many RREQ packets per unit time because of the mobility, then this is considered a misbehaviour because it's count exceeds threshold limits. Then according to method proposed in , the neighbour node discards the packets and declares the node as a intruder or malicious node, which is not true. So to deal with such kinds of situations we have added the concept of delay queue here.
Fig 5.1: Relationship of Friend- Acquaintance - Stranger in MANET
The relationships are represented as
R (ni ,nj) = F when T >=Tf
R (ni ,nj) =A when Ta <= T <Tf
R (ni ,nj) =S when 0 < T < Ta
The threshold trust level for a stranger node to become an acquaintance to it's neighbour is represented by Ta and the threshold trust level for an acquaintance node to become a friend of its neighbour is denoted by Tf.
The above relationships are represented as a Friendship table for each node in an ad hoc network. During the route discovery phase of the DSR Routing protocol, the trust value is also computed for all the neighbours of any node. The result of trust estimation function is the Association status of all of neighbours as Friend, Stranger or Acquaintance.
Table 5.1: Friendship table
The Association status  discussed above depends upon the trust value and threshold values. The trust values are calculated based on the following parameters of the nodes. We propose a very simple equation for the calculation of trust value.
Te = tanh (R1+R2+A)
Te = Trust value
R1= Ratio between the number of packets actually forwarded and number of packets to be forwarded.
R2 = Ratio of number of packets received from a node but originated from others to total number of packets received from it.
A = Acknowledgement bit. (0 or 1)
The threshold trust level for an unknown node to become known to its neighbour is represented by TK and the threshold trust level for a known node to become an Acquaintance of its neighbour is denoted by Tc. The Associations are represented as
A (node x → node y) = C when T ≥ 0.5
A (node x → node y) = K when 0.1 ≤ T < 0.5
A (node x → node y) = UK when 0<T ≥0.1
Also, the Association between nodes is asymmetric, (i.e.,) R (node x → node y) is an Association evaluated by node x based on trust levels calculated for its neighbour node y.
R (node y → node x) is the Association from the friendship table of node y. This is evaluated based on the trust levels assigned for its neighbour. Asymmetric Associations suggest that the direction of data flow may be more in one direction. In other words, node x may not have trust on node y the same way as node y has trust on node x or vice versa.
The proposed steps to detect the flooding attack when any node receives the RREQ from its neighbours are as follows:
First of all store number of RREQ packets received from neighbour and increment the R[i] by one which is a counter maintained by every node.
Checks the type of relationship with friendship table. It could be friend, acquaintance or stranger.
Compares the R[i] with the corresponding threshold values which is a node's maximum number of RREQ packets that can be allowed from its neighbour.
If the neighbour is friend node then it compares whether the R[i] is below the threshold value Tf. Then it forwards the packet to next hop, otherwise discards the packet and blacklists the node.
If the neighbour is acquaintance and the R[i] is less than Ta then it forwards the packet, otherwise put the node into the delay queue and allow the node to forward the same packets and analyse its behaviour continuously. If still it is misbehaving then declare as an intruder and blacklist the node. Otherwise treat it a normal node.
When any node wishes to send messages to a distant node, its sends the ROUTE REQUEST to all the neighbouring nodes. The ROUTE REPLY obtained from its neighbour is sorted by trust ratings. The source selects the most trusted path. If it's one hop neighbour node is an Acquaintance, then that path is chosen for message transfer. If it's one-hop neighbour node is known, and if the one hop neighbour of the second best path is an acquaintance, choose C. Similarly an optimal path is chosen based on the degree of Association existing between the neighbour nodes. Whenever a neighbouring node is a companion, the message transfer is done immediately. If it is known or unknown, the transfer is done based on the ratings. This protocol will converge to the DSR protocol if all the nodes in the ad hoc network are companions.
5.6. Simulation Environment
The performances of DSR routing protocol under the presence of malicious node were evaluated using NS-2 simulator. The simulations have been carried out under a wide range of mobility and traffic scenarios. The goal is to study the performance of the Flooding Attack Prevention algorithm, WLAN throughput and delay in the network.
The DSR routing protocol is used for all simulation and the other simulation parameters are shown in the Table 5.2. The topology of the MANET depends on the pause time and mobility speed. It changes frequently when pause time is less and mobility speed is more.
Table 5.2: Simulation Parameter
NS-2 (ver 2.34)
Number of Mobile Nodes
1000 m X 1000 m
No. of Malicious node
1 to 5
The sample screen shot (fig 5.2) of a scenario of fifty mobile nodes with source and destination are as follows:
Fig 5.2: Sample Simulation Scenario with 5 different clusters of node
5.7. Result and Discussion
We compare the performance of original DSR protocol in presence of malicious node and the performance of proposed technique in presence of malicious node. To evaluate the performance of the system, we used total number of RREQ sent and RREQ received in the network as a performance matrix. The figure 5.3 shows the graph of total RREQ sent/received versus malicious node with mobility speed 5 m/s and pause time zero (0). It is clear from the graph that total number of RREQ packet in the network increases with malicious node because malicious node floods the RREQ packet in the network.
Fig 5.3: Data Analysis of RREQ Packet Sent
Fig 5.4: Data Analysis of RREQ Packet Received
From the above two figures we see that our algorithm is able to restrict flooding attack up to a reasonable extent.
5.8. Chapter Summary
MANET is often attacked by malicious nodes. For better MANET, an efficient security model is needed to counter attacks on security. In this chapter, a new trust establishment scheme is used to detect and prevent flooding attacks. The trust function is used in DSR protocol. A reasonable outcome is observed. In future, a more sophisticated trust model may be developed to identify a node. The attack may be minimized through that model. The work may further be extended to malicious node and others to provide a trustworthy security framework against all possible security attacks in MANET.