A Literature Survey
on
SECURITY THREATS IN MOBILE AD HOC NETWORK (MANET)

by
NISHANTH.N
ME Telecommunication
SR No.: 4812-413-091-06931

Under the Guidance of
Prof. P. Venkataram
Protocol Engineering and Technology Lab

Dept. of Electrical Communication Engineering
Indian Institute of Science
Bangalore-560 012

Abstract

    In this literature survey, I focus on the overall security threats and challenges in mobile
ad hoc networks (MANETs). The survey starts with the different types of wireless network;
vulnerabilities and security issues are then analyzed layer by layer, namely the application
layer, transport layer, network layer, link layer and physical layer. This study provides a good
understanding of the current security challenges and solutions for MANETs. Finally, a brief
discussion of agents and the role of multi-agents in wireless security is also included.
Contents

1 WIRELESS NETWORKS
  1.1 Types of Wireless Networks
      1.1.1 Infrastructure Networks
      1.1.2 Ad hoc Networks
  1.2 IEEE 802.11 WLAN Standards
      1.2.1 IEEE 802.11
      1.2.2 IEEE 802.11a
      1.2.3 IEEE 802.11b
      1.2.4 IEEE 802.11g
      1.2.5 IEEE 802.11d
      1.2.6 IEEE 802.11e
      1.2.7 IEEE 802.11f
      1.2.8 IEEE 802.11h
      1.2.9 IEEE 802.11j
      1.2.10 IEEE 802.11n
  1.3 Wireless Personal Area Network (WPAN)
      1.3.1 IEEE 802.15.1 (Bluetooth)
      1.3.2 IEEE 802.15.3 (Ultra Wide Band)
      1.3.3 IEEE 802.15.4 (ZigBee)
  1.4 Summary

2 MOBILE AD HOC NETWORK (MANET)
  2.1 Features of MANET
  2.2 Vulnerabilities of the MANETs
      2.2.1 Lack of Secure Boundaries
      2.2.2 Threats from Compromised nodes
      2.2.3 Lack of Centralized Management Facility
      2.2.4 Restricted Power Supply
      2.2.5 Scalability
  2.3 Applications
  2.4 Summary

3 ATTACKS ON MANET
  3.1 Attacks On MANET
      3.1.1 Passive vs. Active attacks
      3.1.2 Attacks on different layers of the Internet model
      3.1.3 Stealthy vs. Non-stealthy attacks
      3.1.4 Cryptography vs. non-cryptography related attacks
      3.1.5 Multi-layer attacks
  3.2 Summary

4 SECURITY THREATS IN PHYSICAL LAYER
  4.1 Eavesdropping
  4.2 Jamming
  4.3 Summary

5 SECURITY THREATS IN LINK LAYER
  5.1 IEEE 802.11 MAC Protocol
  5.2 Vulnerabilities in Link Layer
  5.3 Summary

6 SECURITY THREATS IN NETWORK LAYER
  6.1 Reactive Routing Protocol
      6.1.1 DSR (Dynamic Source Routing)
  6.2 Proactive Routing Protocol
      6.2.1 Destination-Sequenced Distance-Vector Routing (DSDV)
  6.3 Secure Routing in MANET
      6.3.1 Requirements of a Secure Routing Protocol for MANET
  6.4 Attacks at the routing discovery phase
  6.5 Attacks at data forwarding phase
  6.6 Advanced Attacks
      6.6.1 Wormhole Attack
      6.6.2 Blackhole attack
      6.6.3 Byzantine attack
      6.6.4 Information disclosure
      6.6.5 Resource consumption attack
      6.6.6 Rushing attack
  6.7 Summary

7 SECURITY THREATS IN TRANSPORT LAYER
  7.1 Establishing a TCP connection
  7.2 Closing TCP connection
  7.3 Attacks in Transport Layer
      7.3.1 SYN flooding attack
      7.3.2 Session Hijacking
      7.3.3 TCP ACK Storm
  7.4 Summary

8 SECURITY THREATS IN APPLICATION LAYER
  8.1 Malicious code attacks
  8.2 Repudiation attacks
  8.3 Summary

9 COUNTERMEASURES
  9.1 Preventive mechanism
  9.2 Reactive mechanism
  9.3 Physical layer defense
      9.3.1 FHSS
      9.3.2 DSSS
  9.4 Link Layer Defense
      9.4.1 Summary
  9.5 Network Layer Defense
      9.5.1 Secure Routing Protocols
      9.5.2 Defense against wormhole attacks
      9.5.3 Defense against blackhole attacks
      9.5.4 Summary
  9.6 Application Layer Defense
  9.7 Summary

10 TRANSPORT LAYER DEFENSE
   10.1 Modified versions of TCP
        10.1.1 Feedback based TCP (TCP-F)
        10.1.2 TCP with Explicit Link Failure Notification (TCP-ELFN)
        10.1.3 Split-TCP
   10.2 Defense against Flooding Attack
        10.2.1 CATCH protocol
        10.2.2 SWAT: Small World based Attacker Traceback
        10.2.3 ATTENTION: ATTackEr Traceback using MAC Layer AbNormality DetecTION
        10.2.4 Hotspot-Based Traceback
   10.3 Summary

11 AGENTS AND MULTI-AGENTS
   11.1 AGENTS
   11.2 Multi-Agent System (MAS)
   11.3 Summary

12 Role of Multi-agent system in wireless security
   12.1 Role of Mobile Agents (MA) in IDS
   12.2 Advantages of using Mobile Agents (MA) in IDS
   12.3 System Architecture
        12.3.1 MA server functions
   12.4 Summary

13 PROPOSED WORK
   REFERENCES

Chapter 1

WIRELESS NETWORKS

Today’s wireless networks have gained momentum in a number of vertical markets such as healthcare,
education, retail, manufacturing, warehousing, and more. Wireless networks bring massive
gains, not only in productivity but also from reduced cabling and fast client relocation. Flexibility
is a major reason that wireless networks have become so popular. Historical buildings are one
example. Once a building is deemed historical, running wires through it can quickly become an
unacceptable option. With wireless networks, no wires are necessary; a user just has to connect to
an access point and is set to go. Without holes drilled for wires, these historical buildings can
keep their old-world look and feel. The flexibility of wireless networks is also useful in areas or
buildings not owned by the occupant, where holes cannot be drilled into the walls to install wire
runs. Wireless allows one to set up the access point and connect all the needed information systems
via a wireless connection. Disaster recovery is another area where the flexibility of wireless plays
a key role. When major damage impedes the ability to hang cables, using wireless can help keep a
workforce connected.


1.1     Types of Wireless Networks
Before discussing the types of wireless networks, we briefly distinguish wired from wireless
networks. A network that sends data from one point to another over cable or wire is called a wired
network. A network in which data is sent from one device to another over a wireless medium is
called a wireless network. In a wireless network, data is transmitted from one point to another
through wireless links, and to communicate, the devices have to be within transmission (radio)
range of each other. Wireless networks are divided into two main groups:
   (1) Infrastructure wireless networks
   (2) Ad hoc or infrastructure-less networks




1.1.1    Infrastructure Networks
An infrastructure network is deployed with a fixed network topology. These fixed networks
have base stations or access points to which wireless nodes can connect. All the base
stations or access points are connected to the main network through wired links (fiber optic,
twisted-pair or coaxial cable) or wireless links. The base station or access point is one of the
important units of an infrastructure network: all connections have to pass through the access
point (AP).




                                 Figure 1.1: Infrastructure Mode


   A wireless node can connect to any one of the access points in its radio range. In this mode,
a wireless node needs to associate with an AP using an association protocol. An AP and its
wireless nodes form a Basic Service Set (BSS). A set of BSSs is called an Extended Service Set
(ESS). Association and dissociation allow the wireless node to be mobile within the ESS.


1.1.2    Ad hoc Networks
An ad hoc network is deployed where wireless network infrastructure is not available. This kind
of network is called an infrastructure-less network or ad hoc network. In an infrastructure-less or
ad hoc network, each node is connected through wireless links. These nodes connect to each
other and also act as routers, forwarding data to other wireless nodes. There is no restriction
on these nodes joining or leaving the network. Thus the network has no vital infrastructure. Ad hoc
networks have two forms: one is the static ad hoc network (SANET), the other is the mobile ad
hoc network (MANET).




                                     Figure 1.2: Ad Hoc Mode



1.2     IEEE 802.11 WLAN Standards
1.2.1    IEEE 802.11
In 1997, the IEEE ratified the 802.11 Wireless LAN standards, establishing a global standard for
implementing and deploying wireless LANs. The throughput for 802.11 is 2 Mbps, which was well
below its IEEE 802.3 Ethernet counterpart. As with any of the other 802 networking standards
(Ethernet, Token Ring, etc.), the 802.11 specification affects the lower layers of the OSI reference
model, the Physical and Data Link layers.




                                Figure 1.3: Layers in OSI model


    These networks operate on two physical layers: (1) direct sequence spread spectrum (DSSS)
and (2) frequency hopping spread spectrum (FHSS). Each uses a different method of transmitting
wireless signals across the airwaves. DSSS uses a wide, single, statically defined channel that
is preset in the access point. With FHSS (or FH), the access point and the client negotiate a hop
sequence, which is used to allow the signal to switch between small slices of frequency in the
2.4-GHz range that wireless 802.11 has defined as usable. The MAC layer has been standardized to
help contend with the interference and excessive loss of frames compared to Ethernet. (A detailed
description of the MAC layer is given in the chapter on link layer threats.)


1.2.2    IEEE 802.11a
In 1999, the IEEE group successfully standardized 802.11a. 802.11a operates at 5 GHz
and supports data rates up to 54 Mbps. The physical layer technology Orthogonal Frequency
Division Multiplexing (OFDM) is used to transfer the data into radio waves. The FCC has
allocated 300 MHz of RF spectrum for unlicensed operation in the 5 GHz range. Although 802.11a
supports much higher data rates, its effective transmission distance is much shorter than that of
802.11b, it is not compatible with 802.11b equipment, and in its current state it is usable only in
the US. However, several vendors have embraced the 802.11a standard and some offer dual-band
AP devices and network cards.




1.2.3    IEEE 802.11b
The 802.11b ("baseline") standard is currently the de facto standard for wireless LANs. Unlike
802.11, in which there is a choice between Direct Sequence Spread Spectrum (DSSS) and Frequency
Hopping Spread Spectrum (FHSS), 802.11b uses DSSS for physical layer transport. The data rate
of 802.11b is raised to 11 Mbit/s, but will scale back to 5.5, then 2, then 1 Mbit/s (known as
Adaptive Rate Selection) if signal quality becomes an issue.


1.2.4    IEEE 802.11g
The 802.11g ("going beyond b") task group, like 802.11a, is focusing on raising the data
transmission rate up to 54 Mbps, but on the 2.4MHz band. 802.11g hardware is fully backwards
compatible with 802.11b hardware. The modulation scheme used in 802.11g is orthogonal
frequency-division multiplexing (OFDM), the same as that used in the 802.11a standard.


1.2.5    IEEE 802.11d
This group is focusing on extending the technology to countries that are not covered by the IEEE.
The IEEE completed the 802.11d standard in 2001. It addresses the need for access points to be
able to inform client cards which regulatory domain they are located in and what rules
apply for that location. This lets business travelers use one wireless network card in
different countries, without carrying multiple client cards.


1.2.6    IEEE 802.11e
This group is focusing on improving quality of service for multimedia transmission. This is
critical in time-sensitive communications such as voice or video.


1.2.7    IEEE 802.11f
The 802.11f standard provides a standard for roaming. This allows companies to create products
that can seamlessly roam from one to another (interoperability between vendors).


1.2.8    IEEE 802.11h
The 802.11h standard is looking at using 802.11a and developing the ability to self-tune, and
moving away from congested channels.


1.2.9    IEEE 802.11j
This standard is for use in Japan only. It defines the physical and MAC layer communications for
systems running in the 4.9- to 5-GHz range.

1.2.10     IEEE 802.11n
IEEE 802.11n is an amendment to the IEEE 802.11 standards that adds multiple-input
multiple-output (MIMO) and 40 MHz channels to the PHY (physical layer), and frame aggregation to
the MAC layer. MIMO is a technology which uses multiple antennas to coherently resolve more
information than is possible using a single antenna. One way it provides this is through Spatial
Division Multiplexing (SDM). MIMO SDM can significantly increase data throughput as the
number of resolved spatial data streams is increased. It can support a data rate of up to 600
Mbps.


1.3      Wireless Personal Area Network (WPAN)
A wireless personal area network (WPAN) is a low-range wireless network which covers an area
of only a few dozen metres. This sort of network is generally used for linking peripheral devices
(like printers, cellphones, and home appliances) or a personal assistant (PDA) to a computer, or
just two nearby computers, without using a hard-wired connection. The technologies enabling
WPAN include Bluetooth, ZigBee, Ultra-wideband (UWB), IrDA, HomeRF, etc., of which
Bluetooth is the most widely used for WPAN communication. The IEEE 802.15
Working Group, the 15th working group of IEEE 802, specializes in WPAN technologies.
The key concept in WPAN technology is known as plugging in. In the ideal scenario, when any two
WPAN-equipped devices come into close proximity (within several meters of each other) or within
a few kilometers of a central server, they can communicate as if connected by a cable. Another
important feature is the ability of each device to lock out other devices selectively, preventing
needless interference or unauthorized access to information. The technology for WPANs is in its
infancy and is undergoing rapid development. Proposed operating frequencies are around 2.4 GHz
in digital modes. The objective is to facilitate seamless operation among home or business devices
and systems. Every device in a WPAN will be able to plug in to any other device in the same
WPAN, provided they are within physical range of one another.


1.3.1    IEEE 802.15.1 (Bluetooth)
Bluetooth, also known as the IEEE 802.15.1 standard, is based on a wireless radio system designed
for short-range and cheap devices to replace cables for computer peripherals, such as mice,
keyboards, joysticks, and printers. Bluetooth is a specification for wireless personal area networks
(PANs) formalized by the Bluetooth SIG in 1999. It was originally developed by Ericsson, who
was a member of the SIG with IBM, Intel, Nokia, and Toshiba. The protocol operates in the
license-free ISM band at 2.4 GHz, with a data rate of 723.1 Kbps. Two connectivity topologies are
defined in Bluetooth: the piconet and the scatternet. A piconet is a WPAN formed by a Bluetooth
device serving as a master in the piconet and one or more Bluetooth devices serving as slaves. All
devices participating in communications in a given piconet are synchronized using the clock of the
master. Slaves communicate only with their master in a point-to-point fashion under the control of
the master. A scatternet is a collection of operational Bluetooth piconets overlapping in time and
space. Two piconets can be connected to form a scatternet. A Bluetooth device may participate
in several piconets at the same time, thus allowing for the possibility that information could flow
beyond the coverage area of the single piconet.


1.3.2    IEEE 802.15.3 (Ultra Wide Band)
UWB has recently attracted much attention as an indoor short-range high-speed wireless
communication technology. One of the most exciting characteristics of UWB is that its bandwidth
is over 110 Mbps (up to 480 Mbps), which can satisfy most multimedia applications such as audio
and video delivery in home networking. It can also act as a wireless cable replacement for
high-speed serial buses such as USB 2.0 and IEEE 1394.


1.3.3    IEEE 802.15.4 (ZigBee)
ZigBee over IEEE 802.15.4 defines specifications for low-rate WPAN (LR-WPAN) for supporting
simple devices that consume minimal power and typically operate in the personal operating space
(POS) of 10 m. ZigBee provides self-organized, multi-hop, and reliable mesh networking with long
battery lifetime.


1.4     Summary
Wireless networks are broadly classified into infrastructure-based networks and ad hoc networks.
MANET is an example of an ad hoc network. IEEE 802.11 is a set of standards for wireless local area
network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands. A
wireless personal area network (WPAN), by contrast, is a low-range wireless network which covers
an area of only a few dozen metres. The IEEE 802.15 Working Group, the 15th working group of
IEEE 802, specializes in WPAN technologies.




Chapter 2

MOBILE AD HOC NETWORK (MANET)

A mobile ad hoc network (MANET) is a decentralized, self-organizing and self-configuring wireless
network, without any fixed infrastructure. In these networks, each mobile node behaves not only
as a host, but also as a router which is capable of communicating with other nodes, using either
direct wireless links, or multi-hop wireless links. MANET is self-organized in such a way that
a collection of mobile nodes without a fixed infrastructure and central management is formed
automatically. Each node is equipped with a wireless transmitter and receiver that communicate
with other nodes in the vicinity of its radio communication range. If a node decides to send a
packet to a node that is outside its radio range, it requires the help of other nodes in the network.
Due to the fact that mobile nodes are dynamic and they constantly move in and out of their
network vicinity, the topologies constantly change.




                                       Figure 2.1: MANET




2.1     Features of MANET
A mobile ad hoc network has the following features:

   • Autonomous Terminal: In MANET, each mobile terminal is an autonomous node, which
     may function as both a host and a router. In other words, besides the basic processing
     ability as a host, the mobile nodes can also perform switching functions as a router. So
     usually endpoints and switches are indistinguishable in MANET.

   • Distributed Operation: Since there is no background network for the central control of
     the network operations, the control and management of the network is distributed among
     the terminals. The nodes involved in a MANET should collaborate amongst themselves and
     each node acts as a relay as needed, to implement functions such as security and routing.

   • Multihop Routing: Basic types of ad hoc routing algorithms can be single-hop and
     multihop, based on different link layer attributes and routing protocols. Single-hop MANET
     is simpler than multihop in terms of structure and implementation, with the cost of lesser
     functionality and applicability. When delivering data packets from a source to its
     destination out of the direct wireless transmission range, the packets should be forwarded
     via one or more intermediate nodes.

   • Dynamic Network Topology: Since the nodes are mobile, the network topology may
     change rapidly and unpredictably and the connectivity among the terminals may vary with
     time. MANET should adapt to the traffic and propagation conditions as well as the mobility
     patterns of the mobile network nodes. The mobile nodes in the network dynamically establish
     routing among themselves as they move about, forming their own network on the fly.

   • Light-weight Terminal: In most cases, the MANET nodes are mobile devices with less
     CPU processing capability, small memory size, and low power storage. Such devices need
     optimized algorithms and mechanisms that implement the computing and communicating
     functions.


2.2     Vulnerabilities of the MANETs
Because mobile ad hoc networks have far more vulnerabilities than the traditional wired networks,
security is much more difficult to maintain in the mobile ad hoc network than in the wired network.
In this section, we discuss the various vulnerabilities that exist in the mobile ad hoc networks.


2.2.1    Lack of Secure Boundaries
The meaning of this vulnerability is self-evident: there is no clear secure boundary in the
mobile ad hoc network, which can be compared with the clear line of defense in the traditional
wired network. This vulnerability originates from the nature of the mobile ad hoc network:
freedom to join, leave and move inside the network. In the wired network, adversaries must
get physical access to the network medium, or even pass through several lines of defense such
as firewall and gateway before they can perform malicious behavior to the targets. However,
in the mobile ad hoc network, there is no need for an adversary to gain the physical access to
visit the network: once the adversary is in the radio range of any other nodes in the mobile ad
hoc network, it can communicate with those nodes in its radio range and thus join the network
automatically. As a result, the mobile ad hoc network does not provide the so-called secure
boundary to protect the network from some potentially dangerous network accesses. Lack of
secure boundaries makes the mobile ad hoc network susceptible to the attacks. The attacks mainly
include passive eavesdropping, active interfering, leakage of secret information, data tampering,
message replay, message contamination, and denial of service.


2.2.2    Threats from Compromised Nodes Inside the Network
Because of the mobility of the ad hoc network, a compromised node can
frequently change its attack target and perform malicious behavior to different nodes in the network,
thus it is very difficult to track the malicious behavior performed by a compromised node, especially
in a large scale ad hoc network. Therefore, threats from compromised nodes inside the network
are far more dangerous than the attacks from outside the network, and these attacks are much
harder to detect because they come from the compromised nodes, which behave well before they
are compromised. A good example of this kind of threat comes from the potential Byzantine
failures encountered in the routing protocol for the mobile ad hoc network.


2.2.3    Lack of Centralized Management Facility
Ad hoc networks do not have a centralized piece of management machinery such as a Name
Server or Access Point (AP). As a result, detection of attacks is a very difficult problem because
it is not easy to monitor the traffic in a highly dynamic and large scale ad hoc network. It is
rather common in the ad hoc network that benign failures, such as path breakages, transmission
impairments and packet dropping, happen frequently. Therefore, malicious failures will be more
difficult to detect, especially when adversaries change their attack pattern and their attack target
in different periods of time. For each of the victims, because it can only observe the failure
that occurs in itself, this short-time observation cannot produce a convincing conclusion that the
failure is caused by an adversary. Thus, the lack of centralized management machinery will cause
severe problems when we try to detect the attacks in the ad hoc network. Another issue with lack
of centralized administration is that some algorithms in the mobile ad hoc network rely on the
cooperative participation of all nodes and the infrastructure. The adversary can make use of this
vulnerability and perform some attacks that can break the cooperative algorithm.


2.2.4     Restricted Power Supply
We know that, due to the mobility of nodes in the ad hoc network, it is common that the nodes in
the ad hoc network will rely on battery as their power supply method. The first problem that may
be caused by the restricted power supply is denial-of-service attacks. Since the adversary knows
that the target node is battery-restricted, either it can continuously send additional packets to
the target and ask it to route those additional packets, or it can induce the target to be trapped in
some kind of time-consuming computations. In this way, the battery power of the target node will
be exhausted by these meaningless tasks, and thus the target node will be out of service to all the
benign service requests since it has run out of power. Furthermore, a node in the mobile ad hoc
network may behave in a selfish manner when it finds that there is only limited power supply, and
the selfishness can cause some problems when there is a need for this node to cooperate with other
nodes to support some functions in the network. Moreover, we should not view all of the selfish
nodes as malicious nodes: some nodes may encounter restricted power supply problem and thus
behave in a selfish manner, which can be tolerated; however, there can be some other node that
intentionally announces that it has run out of battery power and therefore does not want to cooperate
with other nodes in some cooperative operation, although this node actually still has enough battery
power to support the cooperative operation.


2.2.5    Scalability
Unlike the traditional wired network, whose scale is generally predefined when it is designed
and will not change much during use, the scale of the ad hoc network keeps changing all the
time: because of the mobility of the nodes in the mobile ad hoc network, you can hardly predict
how many nodes there will be in the network in the future. As a result, the protocols and services
that are applied to the ad hoc network, such as routing protocol and key management service,
should be compatible with the continuously changing scale of the ad hoc network, which may range
from tens of nodes to hundreds of nodes, or even thousands of nodes. In other words, these
protocols and services need to scale up and down efficiently.
    From the discussion in this section, we can safely conclude that the mobile ad hoc network
is insecure by its nature: there is no clear line of defense because of the freedom for the
nodes to join, leave and move inside the network; some of the nodes may be compromised by the
adversary and thus perform some malicious behaviors that are hard to detect; lack of centralized
machinery may cause some problems when there is a need to have such a centralized coordinator;
restricted power supply can cause some selfish problems; and the continuously changing scale of the
network sets a higher requirement on the scalability of the protocols and services in the mobile
ad hoc network. As a result, compared with the wired network, the mobile ad hoc network will
need a more robust security scheme to ensure its security.


2.3     Applications
With the increase of portable devices as well as progress in wireless communication, ad hoc
networking is gaining importance with the increasing number of widespread applications. Ad hoc
networking can be applied anywhere where there is little or no communication infrastructure or
the existing infrastructure is expensive or inconvenient to use. Ad hoc networking allows the
devices to maintain connections to the network as well as easily adding and removing devices to
and from the network. The set of applications for MANETs is diverse, ranging from large-scale,
mobile, highly dynamic networks, to small, static networks that are constrained by power sources.
Besides the legacy applications that move from traditional infrastructure environment into the ad
hoc context, a great deal of new services can and will be generated for the new environment. The
applications include:

   • Military Battlefield

   • Commercial Sector

   • Medical Service

   • Personal Area Network

   • Rescue Operation


2.4     Summary
A MANET is referred to as a network without infrastructure because the mobile nodes in the
network dynamically set up temporary paths among themselves to transmit packets. Nodes within
each other’s wireless transmission ranges can communicate directly; however, nodes outside each
other’s range have to rely on some other nodes to relay messages. A number of challenges like
open peer-to-peer network architecture, stringent resource constraints, shared wireless medium,
dynamic network topology etc. are posed in MANET. Moreover, ad hoc networking allows the
devices to maintain connections to the network as well as easily adding and removing devices to
and from the network.




Chapter 3

ATTACKS ON MANET

Designing a foolproof security solution for an ad hoc wireless network is a very challenging task.
This is mainly because of certain unique characteristics of ad hoc wireless networks, namely,
shared broadcast radio channel, insecure operating environment, lack of central authority, lack of
association among nodes, limited availability of resources, and physical vulnerability.
   • Shared broadcast radio channel: Unlike in wired networks where a separate dedicated
     transmission line can be provided between a pair of end users, the radio channel used for
     communication in ad hoc wireless networks is broadcast in nature and is shared by all
     nodes in the network. Data transmitted by a node is received by all nodes within its direct
     transmission range. So a malicious node could easily obtain data being transmitted in the
     network. This problem can be minimized to a certain extent by using directional antennas.

   • Insecure operational environment: The operating environments where ad hoc wireless
     networks are used may not always be secure. One important application of such networks
     is in battlefields. In such applications, nodes may move in and out of hostile and insecure
     enemy territory, where they would be highly vulnerable to security attacks.

   • Lack of central authority: In wired networks and infrastructure-based wireless networks,
     it would be possible to monitor the traffic on the network through certain important central
     points (such as routers, base stations, and access points) and implement security mechanisms
     at such points. Since ad hoc wireless networks do not have any such central points, these
     mechanisms cannot be applied in ad hoc wireless networks.

   • Lack of association: Since these networks are dynamic in nature, a node can join or leave
     the network at any point of the time. If no proper authentication mechanism is used for
     associating nodes with a network, an intruder would be able to join into the network quite
     easily and carry out his/her attacks.

   • Limited resource availability: Resources such as bandwidth, battery power, and
     computational power (to a certain extent) are scarce in ad hoc wireless networks. Hence, it is
     difficult to implement complex cryptography-based security mechanisms in such networks.

   • Physical vulnerability: Nodes in these networks are usually compact and hand-held in
     nature. They could get damaged easily and are also vulnerable to theft.


3.1     Attacks On MANET
A variety of attacks are possible in MANET. Some attacks apply to general network, some apply
to wireless network and some are specific to MANETs. These security attacks can be classified
according to different criteria, such as the domain of the attackers, or the techniques used in
attacks. These security attacks in MANET and all other networks can be roughly classified by
the following criteria: passive or active, internal or external, different protocol layer, stealthy or
non-stealthy, cryptography or non-cryptography related.


3.1.1    Passive vs. Active attacks:
The attacks in MANET can roughly be classified into two major categories, namely passive attacks
and active attacks. A passive attack obtains data exchanged in the network without disrupting
the operation of the communications, while an active attack involves information interruption,
modification, or fabrication, thereby disrupting the normal functionality of a MANET. Detection
of passive attacks is very difficult since the operation of the network itself does not get affected.
One way of overcoming such problems is to use powerful encryption mechanisms to encrypt the
data being transmitted, thereby making it impossible for eavesdroppers to obtain any useful
information from the data overheard.


               Passive Attacks    Eavesdropping, Traffic Analysis, Monitoring
               Active Attacks     Jamming, Spoofing, Modification, Replaying, DoS


Active attacks can be classified further into two categories, namely, external and internal attacks.
External attacks are carried out by nodes that do not belong to the network. These attacks can
be prevented by using standard security mechanisms such as encryption techniques and firewalls.
Internal attacks are from compromised nodes that are actually part of the network. Since the
adversaries are already part of the network as authorized nodes, internal attacks are more severe
and difficult to detect when compared to external attacks.


3.1.2    Attacks on different layers of the Internet model:
The attacks can be further classified according to the five layers of the Internet model.




               Layer                Attacks
               Application Layer    Repudiation, Data corruption
               Transport Layer      Session Hijacking, SYN Flooding
               Network Layer        Wormhole, Blackhole, Byzantine, Flooding,
                                    Location Disclosure, Route Cache Poisoning etc.
               Link Layer           Traffic Analysis, NAV attack, WEP weaknesses,
                                    Disruption of MAC protocol (802.11)
               Physical Layer       Jamming, Interception, Eavesdropping

3.1.3    Stealthy vs. Non-stealthy attacks:
Some security attacks use stealth, whereby the attackers try to hide their actions from either an
individual who is monitoring the system or an intrusion detection system (IDS). But other attacks
such as DoS cannot be made stealthy.


3.1.4    Cryptography vs. non-cryptography related attacks:
Some attacks are non-cryptography related, and others are cryptographic primitive attacks.

    Cryptographic Primitive Attacks     Examples
    Pseudorandom Number Attack          Nonce, Timestamp, Initialisation Vector (IV)
    Digital Signature Attack            RSA Signature, ElGamal Signature,
                                        Digital Signature Standard (DSS)
    Hash Collision Attack               SHA-0, MD4, MD5, HAVAL-128, RIPEMD

3.1.5    Multi-layer attacks
Some security attacks can be launched from multiple layers instead of a particular layer. Examples
of multi-layer attacks are denial of service (DoS), man-in-the-middle, and impersonation attacks.

   • Denial of service: Denial of service (DoS) attacks could be launched from several layers.
     An attacker can employ signal jamming at the physical layer, which disrupts normal
     communications. At the link layer, malicious nodes can occupy channels through the capture
     effect, which takes advantage of the binary exponential scheme in MAC protocols and
     prevents other nodes from channel access. At the network layer, the routing process can be
     interrupted through routing control packet modification, selective dropping, table overflow,
     or poisoning. At the transport and application layers, SYN flooding, session hijacking, and
     malicious programs can cause DoS attacks.

   • Impersonation attacks: Impersonation attacks are launched by using another node’s
     identity, such as MAC or IP address. Impersonation attacks sometimes are the first step for
     most attacks, and are used to launch further, more sophisticated attacks.

   • Man-in-the-middle attacks: An attacker sits between the sender and the receiver and
     sniffs any information being sent between two ends. In some cases the attacker may
     impersonate the sender to communicate with the receiver, or impersonate the receiver to
     reply to the sender.


3.2     Summary
MANETs are characterised by a shared broadcast radio channel, insecure operating environment,
lack of central authority, lack of association among nodes, limited availability of resources, and
physical vulnerability. The attacks in MANET can roughly be classified into two major
categories, namely passive attacks and active attacks. Active attacks can be classified further into two
categories, namely, external and internal attacks. External attacks can be prevented by using
standard security mechanisms such as encryption techniques and firewalls. Internal attacks are from
compromised nodes that are actually part of the network and are very difficult to detect.




Chapter 4

SECURITY THREATS IN PHYSICAL
LAYER

As discussed in the previous chapter, we can categorize security attacks according to protocol
layers. Now, I will present a survey of security attacks in MANET on each protocol layer used in
Internet model. Wireless communication is broadcast by nature. A common radio signal is easy to
jam or intercept. An attacker could overhear or disrupt the service of a wireless network physically.
The most common physical layer attacks in MANET are eavesdropping, interference, denial-of-
service (DoS) and jamming. An attacker with sufficient transmission power and knowledge of the
physical and medium access control layer mechanisms can gain access to the wireless medium.
Here we will describe eavesdropping, interference and jamming attacks in brief.


4.1     Eavesdropping
Eavesdropping is the reading of messages and conversations by unintended receivers. The nodes
in a MANET share a wireless medium, and wireless communication uses the RF spectrum and is
broadcast by nature, so it can be easily intercepted with receivers tuned to the proper frequency.
As a result, transmitted messages can be overheard and fake messages can be injected into the
network.


4.2     Jamming
Radio signals can be jammed or interfered with, which causes the message to be corrupted or lost.
If the attacker has a powerful transmitter, a signal can be generated that will be strong enough
to overwhelm the targeted signals and disrupt communications. Jamming attacks can be mounted
from a location remote to the target networks.




4.3    Summary
The most common physical layer attacks in MANET are eavesdropping, interference,
denial-of-service (DoS) and jamming. Using spread spectrum mechanisms, e.g. FHSS, DSSS etc., can
avoid jamming and eavesdropping. These mechanisms are secure only when the hopping pattern
or spreading code is unknown to the eavesdropper.




Chapter 5

SECURITY THREATS IN LINK LAYER

Before going to the security threats in the link layer, let us consider the protocols used in the link layer
and the major constraints in wireless networks. The major constraints in wireless networks are
   (1) Hidden node problem and exposed node problem
   (2) The received signal energies are very low compared to the transmitted signal energy.
   Hence it is difficult to design reliable collision detection. (Collision detection techniques are
used in wired LAN.)

   • Hidden Node Problem
     Let two nodes a and b have transmission ranges A and B, respectively, as shown in Figure 5.1.
     Let X denote the intersection of A and B. Consider an ongoing transmission from node a.
     Because node b is out of the transmission range of node a, it cannot sense the carrier from
     this transmission and can decide to transmit. If node b transmits at the same time as node
     a, the transmissions from a and b will be received at all nodes in X, and there will be a
     collision at these receivers. If node a was transmitting to node c in X, then node c will
     not be able to decode the packet. However, node a will not know of the collision at node
     c and will continue to transmit; recall that collision detection is not practical in wireless
     communication. In the scenario just described, we say that node b is hidden from node a
     with reference to the transmission of node a to node c.




                                Figure 5.1: Hidden Node Problem



• Exposed Node Problem
 The interference region of node d is shown as D. Now, suppose the node d wishes to send a
 packet to node e when node a is transmitting to node c. Node d is within the interference
 region of node a, and hence node d can sense the signal while node a is transmitting to
 node c. But the two transmissions, d-e and a-c can co-exist because node c is outside the
 interference region of node d ; and node e is outside the interference region of node a. But,
 node d will be forced to defer transmission, on sensing the carrier from node a. So, node d
 is exposed to a transmission from node .




                           Figure 5.2: Exposed Node Problem



 Hence, in a wireless network, hidden nodes reduce the capacity by causing collisions at
 receivers without the transmitter knowing about it, and exposed nodes force a node to be
 more conservative in its transmission attempts, thus reducing spatial reuse.

• Carrier Sense Multiple Access with Collision Avoidance Mechanism (CSMA/CA)
 Collision Avoidance mechanism (CA) prevents collision due to transmission by hidden nodes.
 A simple CA mechanism can be implemented by having an auxiliary signaling channel in
 addition to data channel. A node actively receiving data on the data channel transmits a
 busy tone on the signaling channel to enable the hidden nodes to defer to receiving nodes
 in their transmission ranges. But this mechanism is cumbersome and inefficient.
 An alternate mechanism is to use a handshake between transmitter and receiver. IEEE
 802.11 MAC frame exchange protocol addresses the hidden node problem by adding two
 additional frames. Before transmitting a data packet, a source node transmits a (short)
 request to send (RTS) packet to the destination. If the destination receives the RTS correctly,
 it means that it is not receiving any other packet, and it acknowledges the RTS with a clear
 to send (CTS) packet. The source then begins the packet transmission. If the CTS is not
 received within a specified timeout period, the source assumes that the RTS had a collision
at the receiver (most likely with another RTS packet), and a retransmission is attempted
after a random backoff period. The RTS is used to inform nodes in the decode region of the
transmitter about the imminent transmission of a packet and CTS is used to inform nodes
in the decode region of the receiver about the imminent reception of a packet. Hence, hidden
nodes are also informed.




                     Figure 5.3: Solving Hidden Node Problem



In the above figure, node is a hidden node and it defers the transmission with the reception
of CTS packet from node B. If the transmission duration information is also included in the
RTS and CTS packets, then nodes in the decode region of both transmitter and receiver
can maintain a Network Allocation Vector (NAV) that indicates a remaining time in current
transmission and schedule their own transmission to avoid collision. After the completion
of RTS/CTS exchange, the medium is reserved in the region that is the union of the decode
regions of transmitter and receiver. Hence this channel access mechanism is also called
Multiple Access with Channel Acquisition (MACA). Thus, in this protocol, a collision, if it
happens, occurs only for the RTS packet.
The RTS/CTS scheme discussed above can only reduce the hidden node problem but does
not eliminate it. We know that nodes in the decode region of the receiver are alerted by the
CTS. Those nodes in the interference region but not in the decode region of the receiver
have just sensed a carrier but do not know of the impending packet transmission (since they
can’t distinguish a CTS packet and a data packet). Hence, these nodes may transmit during
packet transmission, which causes a collision. Another issue is that any node in the interference
region of the transmitter of an ongoing packet is exposed. Even if such a node (node d in
the above example) were allowed to transmit an RTS to a node (node e, which is outside
the interference region of the ongoing transmission), it will itself not be able to receive the
subsequent CTS because a collision occurs (node d is in the interference region of node a).
Hence, an exposed node will not know if it can transmit.

5.1     IEEE 802.11 MAC Protocol
Two basic protocols used are
    (1) Polling based protocol called Point Coordination Function (PCF)
    (2) Random access protocol called Distributed Coordination Function (DCF)
    PCF needs a centralized controller and hence can be used only in infrastructure based networks.
DCF is used for infrastructure based and ad hoc based networks. Since we are dealing with mobile
ad hoc networks, we will consider DCF in detail.
    The distributed coordination function (DCF) of 802.11 specifies the use of CSMA/CA to reduce
packet collisions in the network. A node with a packet to transmit picks a random backoff value b
chosen uniformly from the range (0, CW), where CW is the contention window size, and transmits
after waiting for b idle slots. Nodes exchange request to send (RTS) and clear to send (CTS)
packets to reserve the channel before transmission. Three values for interframe space (IFS) are
defined to provide priority-based access to the radio channel. SIFS is the shortest interframe space
and is used for ACK, CTS and poll response frames. The DIFS window is used for nodes wishing to
initiate a new frame exchange. When the DIFS timer expires, each node enters a backoff phase.
Here, random backoff is used to avoid collision. The following points are important regarding the
backoff phase.

   • The node that just completed its data transmission samples a new random backoff value.

   • If a node was already in backoff when a particular node started its transmission, the
     former node's backoff timer is frozen. After data transmission, the former node continues the
     remainder of its backoff value.

   • A collision occurs if two nodes finish their backoff simultaneously. In this case, both RTS
     packets will collide. As a result, a CTS timeout occurs after which the colliding nodes start
     the backoff timer with double the contention window (CW). After the collision event, the
     nodes that were not involved in the collision continue their backoffs with their residual
     backoff timers.
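
The backoff rules above, written out as a slotted simulation (an added example, not part of the survey): saturated nodes draw from [0, CW], keep their residual timers while others transmit, and double CW after an RTS collision. The `cw_cap` parameter, the 31/1023 window bounds and the 0.5 threshold are assumptions; the cap models a node that draws from a smaller window than the rule allows, and `flag_short_backoff` is a neighbour-side check that spots it.

```python
import random

CW_MIN, CW_MAX = 31, 1023   # assumed contention-window bounds in slots (802.11b-style)


class Node:
    def __init__(self, name, rng, cw_cap=None):
        self.name, self.rng = name, rng
        self.cw_cap = cw_cap    # None: follows the rule; int: draws from a smaller window
        self.cw = CW_MIN
        self.wins = 0
        self.draws = []         # backoff values drawn; a neighbour can count these idle slots
        self.backoff = self.draw()

    def draw(self):
        window = self.cw if self.cw_cap is None else min(self.cw, self.cw_cap)
        value = self.rng.randint(0, window)
        self.draws.append(value)
        return value


def simulate(nodes, rounds):
    """Run `rounds` transmission attempts on one channel; return each node's share of successes."""
    for _ in range(rounds):
        elapsed = min(n.backoff for n in nodes)
        for n in nodes:
            n.backoff -= elapsed             # timers only count down during idle slots
        senders = [n for n in nodes if n.backoff == 0]
        if len(senders) == 1:                # success: the winner resets CW and redraws
            winner = senders[0]
            winner.wins += 1
            winner.cw = CW_MIN
            winner.backoff = winner.draw()
        else:                                # RTS collision: colliders double CW and redraw
            for n in senders:
                n.cw = min(2 * n.cw + 1, CW_MAX)
                n.backoff = n.draw()
        # every other node keeps its residual (frozen) backoff for the next round
    total = sum(n.wins for n in nodes) or 1
    return {n.name: n.wins / total for n in nodes}


def flag_short_backoff(nodes, ratio=0.5):
    """Names of nodes whose mean observed backoff is below ratio * (CW_MIN / 2)."""
    threshold = ratio * CW_MIN / 2
    return sorted(n.name for n in nodes if sum(n.draws) / len(n.draws) < threshold)


def run(cw_caps, rounds=20000, seed=1):
    """cw_caps maps node name -> None (compliant) or an int cap on its window."""
    rng = random.Random(seed)
    nodes = [Node(name, rng, cap) for name, cap in cw_caps.items()]
    shares = simulate(nodes, rounds)
    return shares, flag_short_backoff(nodes)


if __name__ == "__main__":
    scenarios = (("all compliant", dict(A=None, B=None, C=None, D=None)),
                 ("D draws from 0..3", dict(A=None, B=None, C=None, D=3)))
    for label, caps in scenarios:
        shares, flagged = run(caps)
        print(label, {k: round(v, 3) for k, v in shares.items()}, "flagged:", flagged)
```

With four compliant nodes the channel shares stay close to equal; once one node caps its window, it takes most of the successful transmissions and its mean backoff falls well under the threshold.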

Consider three nodes Na, Nb and Nc in which node Na wants to send a data packet to node Nb.
After DIFS duration, node Na sends an RTS packet to Nb. The RTS frame contains the time needed
to complete the CTS, data, and ACK frames. Every node receiving this RTS packet now sets
its network allocation vector (NAV) in accordance with the duration field. The NAV then specifies
the earliest point at which the other stations can try to access the medium again. Node Nb,
after waiting for SIFS, replies with a CTS packet to node Na. This CTS packet contains the
duration field again and all stations receiving this packet from the node Nb have to adjust their
NAV. Now all the nodes within the receiving distance are informed that they have to wait more
time before accessing the medium. Basically this mechanism reserves the medium for one sender
exclusively and hence the name, virtual reservation scheme. Now, node Na after waiting for SIFS
duration sends the data packet to node Nb. Node Nb after waiting SIFS duration will send an ACK
packet to node Na.




                 Figure 5.4: Illustration of Channel Contention in 802.11 MAC




5.2     Vulnerabilities in Link Layer
The wireless MAC protocol assumes cooperative behavior among all nodes. Obviously, malicious
or selfish nodes are not forced to follow the normal operation of the protocol. An attacker can
launch the following attack in the link layer by exploiting certain features used in MAC protocol.
    1. An attacker can exploit the binary backoff scheme to launch a DoS attack in the IEEE 802.11
MAC protocol. The binary exponential scheme favors the last winner amongst the contending
nodes. This leads to a phenomenon called the capture effect. The nodes that are heavily loaded
tend to capture the channel by continuously sending data, thereby causing lightly loaded neighbors
to back off endlessly. A malicious node can take advantage of this capture effect vulnerability.




                                    Figure 5.5: NAV Attack


   2. An attacker can manipulate the size of the Network Allocation Vector (NAV) and assign a large idle
time period to its neighbors.
   3. A selfish node will wait for a smaller backoff interval than the well-behaved nodes.
   4. An attacker may not wait for the SIFS or DIFS duration.
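
A neighbour-side plausibility check for the duration field that drives the NAV (item 2), as an added example that is not part of the survey. The timing constants are assumed 802.11b long-preamble values, and the sample exchanges and the node names Nx and Ny are constructed.

```python
import math

# Assumed 802.11b DSSS timing (long preamble); these values are not taken from the survey.
SIFS_US = 10
PLCP_US = 192                    # preamble + PLCP header airtime
CTS_BYTES = ACK_BYTES = 14
BASIC_RATE_MBPS = 1              # control frames assumed to be sent at the lowest rate
MAX_MPDU_BYTES = 2346            # assumed largest data frame
DURATION_FIELD_MAX_US = 32767    # largest microsecond value the duration field can carry


def airtime_us(nbytes, rate_mbps):
    """Airtime of one frame: fixed PLCP overhead plus payload bits at the given rate."""
    return PLCP_US + math.ceil(8 * nbytes / rate_mbps)


def rts_duration_us(data_bytes, data_rate_mbps):
    """Reservation an RTS must announce: SIFS+CTS, SIFS+DATA, SIFS+ACK."""
    return (3 * SIFS_US
            + airtime_us(CTS_BYTES, BASIC_RATE_MBPS)
            + airtime_us(data_bytes, data_rate_mbps)
            + airtime_us(ACK_BYTES, BASIC_RATE_MBPS))


def cts_duration_us(rts_duration):
    """The CTS repeats the reservation minus the SIFS and CTS time already spent."""
    return rts_duration - SIFS_US - airtime_us(CTS_BYTES, BASIC_RATE_MBPS)


# No honest exchange can need more than the largest frame at the lowest rate.
MAX_PLAUSIBLE_RTS_US = rts_duration_us(MAX_MPDU_BYTES, BASIC_RATE_MBPS)


def clamp_nav(announced_us):
    """NAV a cautious neighbour sets: never longer than the largest plausible exchange."""
    return min(announced_us, MAX_PLAUSIBLE_RTS_US)


def audit(exchanges, tolerance_us=50):
    """Compare each announced RTS duration with the data frame that followed it.

    Returns (source, verdict, excess_us) for every exchange whose reservation is
    larger than the observed frame length and rate can explain.
    """
    findings = []
    for ex in exchanges:
        expected = rts_duration_us(ex["data_bytes"], ex["data_rate_mbps"])
        excess = ex["rts_duration_us"] - expected
        if ex["rts_duration_us"] > MAX_PLAUSIBLE_RTS_US:
            findings.append((ex["src"], "impossible", excess))
        elif excess > tolerance_us:
            findings.append((ex["src"], "inflated", excess))
    return findings


# Constructed observations: announced RTS duration plus the data frame seen afterwards.
SAMPLE = [
    {"src": "Na", "rts_duration_us": 1921, "data_bytes": 1500, "data_rate_mbps": 11},
    {"src": "Nx", "rts_duration_us": DURATION_FIELD_MAX_US, "data_bytes": 200, "data_rate_mbps": 11},
    {"src": "Ny", "rts_duration_us": 15000, "data_bytes": 1500, "data_rate_mbps": 11},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The clamp bounds how long a forged duration can silence a neighbour, while the audit needs the data frame that follows and so only attributes the inflation after the fact.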




5.3    Summary
The wireless MAC protocol assumes cooperative behavior among all nodes in the ad hoc network.
Malicious or selfish nodes are not forced to follow the normal operation of the protocol.




Chapter 6

SECURITY THREATS IN NETWORK
LAYER

Before going into the details of security threats in the network layer, let us have a look at the different
routing protocols used in MANET. As nodes are mobile in a MANET, links are created and
destroyed in an unpredictable way, which makes the determination of routes
between a pair of nodes that want to communicate with each other quite challenging. In this context, a great
number of routing protocols have been proposed. Such routing protocols can be classified into two
major classes:
    (1) proactive routing protocols
    (2) reactive routing protocols.
    In reactive routing protocols the communication is only possible when the source node requests
to communicate with the other node. Reactive MANET protocols are mostly suited for nodes
with high mobility or nodes that transmit data rarely. Here, we will discuss two reactive routing
protocols, namely AODV and DSR. A proactive routing protocol detects the layout of the network
actively. A routing table can be maintained at every node from which a route can be determined
with less delay. The proactive routing protocols provide good reliability on the current network
topology and low latency for deciding a route. We will discuss the OLSR protocol in this literature
survey. An ad hoc routing protocol is a standard that controls how the nodes decide which
route to take from source to destination. When a node wants to join a network,
it discovers the topology by announcing its presence, and listening to broadcasts from other nodes
in the network. This routing discovery is performed differently according to the routing protocol
algorithm implemented in the network.


6.1     Reactive Routing Protocol:
Reactive routing protocols are also called on-demand routing protocols: they are invoked only
when a route is needed, and the route is built at that time. These routes are acquired by sending
route requests through the network. The disadvantage of this approach is that it incurs high latency
in searching the network.


6.1.1    DSR (Dynamic Source Routing)
The Dynamic Source Routing (DSR) protocol is an on-demand routing protocol that is based
on the concept of source routing. The protocol is composed of the two main mechanisms of
"Route Discovery" and "Route Maintenance", which work together to allow nodes to discover and
maintain routes to arbitrary destinations in the ad hoc network. Each node maintains a route
cache which stores routes to destinations. Entries in the route cache are continually updated
as new routes are learned.

Route Discovery:

When a mobile node has a packet to send to some destination, it first consults its route cache
to determine whether it already has a route to the destination. If it has an unexpired route to the
destination, it will use this route to send the packet. On the other hand, if the node does not
have such a route, it initiates route discovery by broadcasting a route request (RREQ) packet. This
route request contains the address of the destination, along with the source node’s address and a
unique identification number. Each node receiving the packet checks whether it knows of a route
to the destination. If it does not have a route, it adds its own address to the route record of the
packet and then forwards the packet along its outgoing links. A route reply is generated when the
route request reaches the destination, or an intermediate node which contains in its route cache
an unexpired route to the destination.
    Consider four nodes, say A, B, C and D, as shown in the figure
below. Let node A be the source and node D the destination. When node A wishes to send a data
packet to node D, it first checks its route cache to see whether it has a direct route to node D.
If node A does not have a direct route to node D, it broadcasts a RREQ message
in the network. The neighbor node B gets the RREQ message. Node B first checks its
route cache to see whether it has a direct route to the destination node D. If it finds a route
to the destination node D, it sends a RREP message to the source node A. On receiving that
reply, the source node A starts sending the data packets (DP) on the discovered route. If
node B does not find a route to node D, it forwards the RREQ message to the next
node C and stores the route AB in the cache. The process continues until the RREQ message
reaches the destination node D. The destination node D caches the routes AB, BC and CD in its
memory and sends a RREP message to the source node A.




Figure 6.1: Route Discovery in DSR



Route Maintenance:

Route maintenance uses two kinds of messages, i.e., route error (RERR) and acknowledgement
(ACK). When a message is successfully received by the destination node, an acknowledgement
(ACK) is sent to the sender. Likewise, packets transmitted successfully to the next neighboring
node are acknowledged. If there is some problem in the communication network, a route error message
denoted by RERR is transmitted to the sender to report the problem in the transmission.
In other words, the source does not get the ACK packet due to some problem, so it gets
the RERR packet and initiates a new route discovery. On receiving the RERR message,
the nodes remove the route entries. In the figure below, four nodes are shown, i.e., A, B, C and D.
Node A sends a message to the destination node D. The message goes on up to node C, while
the ACK message is received up to node B. When node C forwards the RREQ message to
node D and does not receive the ACK message from node D, node C recognizes that there
is some problem in the transmission. So node C sends a RERR message to the source node
A, which in turn searches for a new route to the destination node D.




                             Figure 6.2: Route Maintenance in DSR
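
The route discovery and route maintenance steps described above can be traced in a small simulation. This is an added example, not code from the survey: the class `DsrNetwork`, the extra nodes E, F and G, and the rule that only nodes upstream of the failure purge the route are assumptions made for illustration.

```python
from collections import deque

# Constructed topology: the page's A-B-C-D chain plus a longer detour A-E-F-G-D.
LINKS = [("A", "B"), ("B", "C"), ("C", "D"),
         ("A", "E"), ("E", "F"), ("F", "G"), ("G", "D")]


class DsrNetwork:
    """Toy DSR model: symmetric links, per-node route caches, an event log."""

    def __init__(self, links):
        self.adj = {}
        for a, b in links:
            self.adj.setdefault(a, set()).add(b)
            self.adj.setdefault(b, set()).add(a)
        self.cache = {n: {} for n in self.adj}  # node -> {dest: [node, ..., dest]}
        self.request_id = 0
        self.log = []

    def break_link(self, a, b):
        self.adj[a].discard(b)
        self.adj[b].discard(a)

    def discover(self, src, dst):
        """Flood an RREQ; return the source route carried back in the RREP."""
        self.request_id += 1
        seen = {src}            # nodes that already handled this (src, request_id)
        queue = deque([[src]])  # each item is one RREQ copy's route record
        while queue:
            record = queue.popleft()
            node = record[-1]
            cached = self.cache[node].get(dst) if node != src else None
            if node == dst:
                route = record
            elif cached and not set(record[:-1]) & set(cached):
                route = record + cached[1:]   # intermediate node answers from cache
            else:
                for nbr in sorted(self.adj[node]):
                    if nbr not in seen:       # duplicate RREQs are dropped
                        seen.add(nbr)
                        self.log.append(("RREQ", self.request_id, node, nbr))
                        queue.append(record + [nbr])
                continue
            self.log.append(("RREP", self.request_id, node, tuple(route)))
            self.cache[src][dst] = route
            return route
        return None

    def send(self, src, dst, max_attempts=3):
        """Deliver one data packet; on RERR purge the route and rediscover."""
        for _ in range(max_attempts):
            route = self.cache[src].get(dst) or self.discover(src, dst)
            if route is None:
                return None
            failed = next(((a, b) for a, b in zip(route, route[1:])
                           if b not in self.adj[a]), None)
            if failed is None:
                self.log.append(("DATA", src, dst, tuple(route)))
                return route
            # No hop-by-hop ACK from failed[1]: failed[0] reports RERR to the source.
            self.log.append(("RERR", failed[0], failed))
            upstream = route[:route.index(failed[0]) + 1]
            for node in upstream:  # nodes that see the RERR drop routes over the link
                self.cache[node] = {d: r for d, r in self.cache[node].items()
                                    if failed not in zip(r, r[1:])}
        return None


def demo():
    net = DsrNetwork(LINKS)
    first = net.send("A", "D")        # discovery over A-B-C-D
    net.break_link("C", "D")          # D moves out of C's range
    second = net.send("A", "D")       # RERR from C, then rediscovery
    return first, second, net.log


if __name__ == "__main__":
    first, second, log = demo()
    print(first, second)
    for event in log:
        print(event)
```

A stale entry in an intermediate cache (for example B still holding B-C-D after the link breaks) costs one extra failed attempt before the RERR clears it, which is why `send` retries.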




6.2     Proactive Routing Protocol
The routing information about all the nodes is built and maintained by the proactive protocols.
The proactive routing protocols operate independently of whether or not a route is needed. Control
messages are transmitted at periodic intervals. Even if there is no data flow, control
messages are still transmitted. Because of these control messages, proactive routing protocols are not
bandwidth efficient. There are many advantages and disadvantages of proactive routing protocols.
One of the advantages is that nodes can easily get routing information and easily start a
session. The disadvantages are that nodes keep too much data for route maintenance and that
recovery after a particular link failure is too slow. Now, we will discuss two proactive routing
protocols, namely the Destination-Sequenced Distance-Vector (DSDV) protocol and the Optimized
Link State Routing (OLSR) protocol.


6.2.1    Destination-Sequenced Distance-Vector Routing (DSDV)
DSDV is a table-driven routing protocol based on the Bellman-Ford algorithm. The DSDV protocol
can be used in mobile ad hoc networking environments by assuming that each participating
node acts as a router. Each node must maintain a table that consists of all the possible destinations.
An entry of the table contains the address identifier of a destination, the shortest known
distance metric to that destination measured in hop counts and the address identifier of the node
that is the first hop on the shortest path to the destination. Furthermore, the DSDV protocol
adds a sequence number to each table entry assigned by the destination node, preventing the formation
of routing loops caused by stale routes. The routing tables are maintained by periodically
transmitted updates by each router to all the neighboring routers.
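
The table entry and the role of the destination-assigned sequence number can be seen in a small simulation. This is an added example, not code from the survey: it applies the standard DSDV acceptance rule (a newer sequence number wins; with an equal sequence number, fewer hops wins), and the names `Route`, `DsdvNode` and `run_rounds` are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    dest: str      # address identifier of the destination
    next_hop: str  # first hop on the shortest known path
    metric: int    # hop count to dest
    seq: int       # sequence number originated by dest


class DsdvNode:
    def __init__(self, name):
        self.name = name
        self.seq = 0
        self.table = {name: Route(name, name, 0, 0)}

    def advertise(self):
        """Periodic update: stamp our own entry with a fresh sequence number."""
        self.seq += 1
        self.table[self.name] = Route(self.name, self.name, 0, self.seq)
        return [(r.dest, r.metric, r.seq) for r in self.table.values()]

    def receive(self, neighbor, advert):
        """Apply a neighbor's update; return the destinations whose entry changed."""
        accepted = []
        for dest, metric, seq in advert:
            if dest == self.name:
                continue  # only the destination itself stamps its own entry
            current = self.table.get(dest)
            candidate = Route(dest, neighbor, metric + 1, seq)
            fresher = current is None or seq > current.seq
            shorter = (current is not None and seq == current.seq
                       and candidate.metric < current.metric)
            if fresher or shorter:
                self.table[dest] = candidate
                accepted.append(dest)
        return accepted


def run_rounds(links, rounds):
    """Every node advertises its full table to its neighbors once per round."""
    names = sorted({n for link in links for n in link})
    nodes = {n: DsdvNode(n) for n in names}
    neighbors = {n: set() for n in names}
    for a, b in links:
        neighbors[a].add(b)
        neighbors[b].add(a)
    for _ in range(rounds):
        for name in names:
            advert = nodes[name].advertise()
            for nbr in sorted(neighbors[name]):
                nodes[nbr].receive(name, advert)
    return nodes


if __name__ == "__main__":
    # Constructed chain topology A-B-C-D.
    nodes = run_rounds([("A", "B"), ("B", "C"), ("C", "D")], rounds=4)
    a = nodes["A"]
    print(a.table["D"])
    stale_seq = a.table["D"].seq - 1
    # A stale update is rejected even though it claims a shorter path.
    print(a.receive("B", [("D", 1, stale_seq)]))
```

The rule orders updates by freshness only; it says nothing about who produced the sequence number, which is why the fictitious updates described under routing table poisoning need a separate defense.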


6.3     Secure Routing in MANET
Unlike the traditional wired Internet, where dedicated routers controlled by the Internet service
providers (ISPs) exist, in ad hoc wireless networks, nodes act both as regular terminals (source
or destination) and also as routers for other nodes. In the absence of dedicated routers, providing
security becomes a challenging task in these networks. Various other factors which make the task
of ensuring secure communication in ad hoc wireless networks include the mobility of nodes, a
promiscuous mode of operation, limited processing power, and limited availability of resources
such as battery power, bandwidth, and memory.


6.3.1    Requirements of a Secure Routing Protocol for MANET
The fundamental requisites of a secure routing protocol for ad hoc wireless networks are listed as
follows:

   • Detection of malicious nodes: A secure routing protocol should be able to detect the
     presence of malicious nodes in the network and should avoid the participation of such nodes
     in the routing process. Even if such malicious nodes participate in the route discovery
     process, the routing protocol should choose paths that do not include such nodes.

   • Guarantee of correct route discovery: If a route between the source and the destination
     nodes exists, the routing protocol should be able to find the route, and should also ensure
     the correctness of the selected route.


   • Confidentiality of network topology: We know that an information disclosure attack
     may lead to the discovery of the network topology by the malicious nodes. Once the network
     topology is known, the attacker may try to study the traffic pattern in the network. If some
     of the nodes are found to be more active compared to others, the attacker may try to mount
     attacks (e.g., DoS) on such bottleneck nodes. This may ultimately affect the on-going routing
     process. Hence, the confidentiality of the network topology is an important requirement to
     be met by the secure routing protocols.

   • Stability against attacks: The routing protocol must be self-stable in the sense that it
     must be able to revert to its normal operating state within a finite amount of time after
     a passive or an active attack. The routing protocol should take care that these attacks
     do not permanently disrupt the routing process. The protocol must also ensure Byzantine
     robustness, that is, the protocol should work properly even if some of the nodes, which were
     earlier participating in the routing process, turn out to become malicious at a later point of
     time or are intentionally damaged.

Secure routing protocols are discussed in ‘Network Layer Defense’.




The main assumption of the previously presented ad hoc routing protocols is that all participating
nodes do so in good faith and without maliciously disrupting the operation of the protocol.
We know that network layer protocols extend connectivity from neighboring 1-hop nodes to all
other nodes in a MANET. The connectivity between mobile hosts over a multi-hop wireless link relies
heavily on cooperation among all network nodes. By attacking the routing protocols, attackers
can absorb network traffic, inject themselves into the path between the source and destination,
and thus control the network traffic flow. The attacking node could forward the packet to a
non-optimal path, which could introduce significant delay. In addition, the packets could be forwarded
to a nonexistent path and get lost. The attackers can create routing loops and introduce severe
network congestion and channel contention in certain areas. Multiple colluding attackers may even
prevent a source node from finding any route to the destination, causing the network to partition,
which triggers excessive network control traffic and further intensifies network congestion and
performance degradation.


6.4     Attacks at the routing discovery phase
There are malicious routing attacks that target the routing discovery or maintenance phase by not
following the specifications of the routing protocols. Routing message flooding attacks, such as
hello flooding, RREQ flooding, acknowledgement flooding, routing table overflow, routing cache
poisoning, and routing loop are simple examples of routing attacks targeting the route discovery
phase. We know that proactive routing algorithms, such as DSDV and OLSR, attempt to discover
routing information before it is needed, while reactive algorithms, such as DSR and AODV, create
routes only when they are needed. Thus, proactive algorithms perform worse than on-demand
schemes because they do not accommodate the dynamics of MANETs; clearly, proactive algorithms
require many costly broadcasts. Proactive algorithms are more vulnerable to routing table overflow
attacks. Some of these attacks are listed below.
   • Routing table overflow: In this type of attack, an attacking node advertises routes to
     non-existent nodes, to the authorized nodes present in the network. The main objective of
     such an attack is to cause an overflow of the routing tables, which would in turn prevent
     the creation of entries corresponding to new routes to authorized nodes. Proactive routing
     protocols are more vulnerable to this attack compared to reactive routing protocols.

   • Routing table poisoning: Here, the compromised nodes in the networks send fictitious
     routing updates or modify genuine route update packets sent to other uncompromised nodes.
     Routing table poisoning may result in sub-optimal routing, congestion in portions of the
     network, or even make some parts of the network inaccessible.

   • Packet replication: In this attack, an attacking node replicates stale packets. This consumes
     additional bandwidth and battery power resources available to the nodes and also
     causes unnecessary confusion in the routing process.

   • Route cache poisoning: In the case of on-demand routing protocols (such as the AODV
     protocol), each node maintains a route cache which holds information regarding routes that
     have become known to the node in the recent past. Similar to routing table poisoning, an
     attacking node can also poison the route cache to achieve similar objectives.


6.5     Attacks at data forwarding phase
Some attacks also target data packet forwarding functionality in the network layer. In this scenario
the malicious nodes participate cooperatively in the route discovery and
maintenance phases of the routing protocol, but in the data forwarding phase they do not forward
data packets consistently according to the routing table. Malicious nodes simply drop data packets
quietly, modify data content, replay, or flood data packets; they can also delay forwarding
time-sensitive data packets selectively or inject junk packets.


6.6     Advanced Attacks
6.6.1    Wormhole Attack:
The wormhole attack is also known as the tunneling attack. In a tunneling attack, two or more
nodes may collaborate to encapsulate and exchange messages between them along existing data
routes. Once the wormhole link is established, the attacker captures packets at one end, sends
them through the wormhole link and replays them at the other end. The tunnel can be established
in many different ways, such as through an out-of-band hidden channel (e.g., a wired link), packet
encapsulation, or high powered transmission.

Wormhole using Encapsulation:

In the figure below, M1 and M2 are two malicious nodes that encapsulate data packets and falsify
the route lengths.




                                 Figure 6.3: Wormhole Attack


   Suppose node S wishes to form a route to D and initiates route discovery. When M1 receives a
RREQ from S, M1 encapsulates the RREQ and tunnels it to M2 through an existing data route,
in this case {M1 - A - B - C - M2}. Note that due to the packet encapsulation, the hop count
does not increase during the traversal through {M1 - A - B - C - M2}. When M2 receives the
encapsulated RREQ, it forwards the RREQ on to D as if it had only traveled {S - M1 - M2 - D}.
After route discovery, the destination finds two routes from S of unequal length: one of length 5
and another of length 4. If M2 tunnels
the RREP back to M1, S would falsely consider the path to D via M1 to be better than the path to
D via A. Thus, tunneling can prevent honest intermediate nodes from correctly incrementing the
metric used to measure path lengths. Any routing protocol that uses the metric of shortest path
to choose the best route is vulnerable to this mode of wormhole attack.

Wormhole using Out-of-Band Channel:

The second mode for this attack is the use of an out-of-band channel. This channel can be
achieved, for example, by using a long-range directional wireless link or a direct wired link. This
mode of attack is more difficult to launch than the previous one since it needs specialized hardware
capability. Consider the scenario shown in the figure below. Node A sends a RREQ to node B, and
nodes M1 and M2 are malicious nodes having an out-of-band channel between them.




                    Figure 6.4: Wormhole attack using Out-of-Band Channel


   Node M1 tunnels the RREQ to M2, which is not a legitimate neighbor of B. Node M2
broadcasts the packet to its neighbors, including B. B gets two RREQs, namely {A - M1 - M2 -
B} and {A - C - D - E - F - B}. The first route is both shorter and faster than the second route,
and is thus chosen by B.

Wormhole with High Power Transmission:

Another method is the use of high power transmission. In this mode, when a single malicious node
gets a RREQ, it broadcasts the request at a high power level, a capability which is not available
to other nodes in the network. Any node that hears the high-power broadcast rebroadcasts it
towards the destination. By this method, the malicious node increases its chance to be in the
routes established between the source and the destination even without the participation of a
colluding node.


6.6.2    Blackhole attack
In this attack, a malicious node falsely advertises good paths to the destination node with the
intention of intercepting all data packets being sent to the destination node concerned. The
blackhole attack is performed in two steps. In the first step, the malicious node exploits the mobile
ad hoc routing protocol, such as AODV, to advertise itself as having a valid route to a destination
node, even though the route is spurious, with the intention of intercepting the packets. In the second
step, the attacker consumes the packets and never forwards them. In an advanced form, the attacker
suppresses or modifies packets originating from some nodes, while leaving the data from the other
nodes unaffected. In this way, the attacker deceives the neighboring nodes that monitor the ongoing
packets.
    In the figure below, node 1 wants to send data packets to node 4 and initiates the route
discovery process. We assume that node 3 is a malicious node and it claims that it has a route
to the destination whenever it receives RREQ packets, and immediately sends the response to
node 1. If the response from node 3 reaches node 1 first, then node 1 thinks that the route
discovery is complete, ignores all other reply messages and begins to send data packets to node 3.
As a result, all packets through the malicious node are consumed or lost.




                                  Figure 6.5: Blackhole Attack



6.6.3    Byzantine attack
Here, a compromised intermediate node or a set of compromised intermediate nodes works in
collusion and carries out attacks such as creating routing loops, routing packets on non-optimal
paths, and selectively dropping packets. Byzantine failures are hard to detect. The network
would seem to be operating normally from the viewpoint of the nodes, though it may actually be
exhibiting Byzantine behavior. This attack degrades the routing performance and also disrupts
the routing services.


6.6.4    Information disclosure
A compromised node may leak confidential or important information to unauthorized nodes in the
network. Such information may include information regarding the network topology, geographic
location of nodes, or optimal routes to authorized nodes in the network.




6.6.5    Resource consumption attack
In this attack, a malicious node tries to consume or waste the resources of other nodes present in
the network. The resources that are targeted are battery power, bandwidth, and computational
power, which are available only in limited amounts in ad hoc wireless networks. The attacks could be
in the form of unnecessary requests for routes, very frequent generation of beacon packets, or
forwarding of stale packets to nodes. Using up the battery power of another node by keeping that
node always busy by continuously pumping packets to it is known as a sleep deprivation attack.


6.6.6    Rushing attack
On-demand routing protocols that use duplicate suppression during the route discovery process
are vulnerable to this attack. An attacking node which receives a RouteRequest packet from
the source node floods the packet quickly throughout the network before other nodes which also
receive the same RouteRequest packet can react. Nodes that receive the legitimate RouteRequest
packets assume those packets to be duplicates of the packet already received through the attacking
node and hence discard those packets. Any route discovered by the source node would contain
the attacking node as one of the intermediate nodes. Hence, the source node would not be able to
find secure routes, that is, routes that do not include the attacking node. It is extremely difficult
to detect such attacks in ad hoc wireless networks.


6.7     Summary
The network layer of the MANET is more immune to attack than all other layers. A good secure
routing algorithm can prevent the attack in a more efficient manner. There is no unique algorithm
that can prevent all the vulnerabilities. They should be used in cooperation with each other.




Chapter 7

SECURITY THREATS IN TRANSPORT LAYER

The objectives of TCP-like transport layer protocols in MANETs include setting up an end-to-end
connection, end-to-end reliable delivery of packets, flow control, congestion control, and clearing
of the end-to-end connection. Before discussing transport layer attacks, let us consider
a brief review of TCP connection management.


7.1     Establishing a TCP connection
Here, we are assuming a client-server model in which a client wants to establish a connection
with the server. To do so, the client application process first informs the client TCP that it wants to
establish a connection to a process in the server. The TCP in the client then proceeds to establish
a TCP connection with the TCP in the server in the following manner.
    1. The client side TCP first sends a special TCP segment to the server side TCP. This TCP
segment contains no application data but has one of the flag bits in the segment’s header, the
so-called SYN bit, set to 1. Hence this special segment is also called the SYN segment. Also, the client
randomly chooses an initial sequence number, say client_isn, and puts this number in the sequence
number field of the initial TCP SYN segment.
    2. Once the TCP SYN segment arrives at the server, the server allocates TCP buffers and variables to
the connection and sends a connection granted segment to the client TCP. The connection granted
segment also contains no application data. However, it does contain three important pieces of
information in the segment header. First, the SYN bit is set to 1. Second, the acknowledgment
field of the TCP segment header is set to client_isn+1. Finally, the server chooses its own initial
sequence number (server_isn) and puts this value in the sequence number field of the TCP segment
header. The connection granted segment is sometimes referred to as a SYN-ACK segment. This
connection granted segment is saying, in effect, "I received your SYN packet to start a connection
with your initial sequence number, client_isn. I agree to establish this connection. My own initial
sequence number is server_isn."
    3. Upon receiving the SYN-ACK segment, the client also allocates buffers and variables to the
connection. The client host then sends the server yet another segment which acknowledges the server’s
connection granted segment, with the SYN bit reset to 0, ACK field = server_isn+1, and sequence field
= client_isn+1. This segment is also called the ACK segment.




                              Figure 7.1: TCP 3-way handshake




7.2     Closing TCP connection
Suppose the client application process issues a connection close command. This causes the following:
   1. The client TCP sends a special TCP segment with the FIN flag bit set to 1.
   2. The server receives the segment and sends the client an acknowledgement segment in return.
   3. The server then sends its own shutdown message with FIN = 1.
   4. Finally, the client acknowledges the server shutdown message.




                           Figure 7.2: TCP connection termination




7.3     Attacks in Transport Layer
The 3-way handshake allows two nodes to learn that the other is ready to communicate and to agree
on initial sequence numbers for the conversation. From the above discussion, allocation of buffers
and variables before completing the third step of the 3-way handshake makes TCP vulnerable to
DoS attacks. Transport layer attacks can be classified as
   (i) SYN Flooding Attack
   (ii) Session Hijacking

7.3.1    SYN flooding attack
The SYN flood attack sends TCP connection requests faster than a machine can process them.
It is a denial-of-service attack in which an attacker creates a large number of half-opened TCP
connections with a victim node, but never completes the handshake to fully open the connection.
For two nodes to communicate using TCP, they must first establish a TCP connection using a
three-way handshake. The three messages exchanged during the handshake allow both nodes to
learn that the other is ready to communicate and to agree on initial sequence numbers for the
conversation. The attacker first creates a half-open connection with the neighboring node. Creating
half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN
messages to the victim node. The SYN-ACK packets are sent out from the victim node right
after it receives the SYN packets from the attacker, and then the victim waits for the
ACK packet in response. Without receiving the ACK packets, the half-open data structure remains in
the victim node. In this way, the attacker sends a large number of SYN packets to a victim node.
If the victim node stores these half-opened connections in a fixed-size table while it awaits the
acknowledgement of the three-way handshake, all of these pending connections could overflow the
buffer, and the victim node would not be able to accept any other legitimate attempts to open a
connection. Normally there is a time-out associated with a pending connection, so the half-open
connections will eventually expire and the victim node will recover. However, malicious nodes
can simply continue sending packets that request new connections faster than the expiration of
pending connections.
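
The fixed-size table of half-open connections and its time-out, together with the sequence number checks of the handshake in Section 7.1, can be modeled from the receiving node's side. This is an added example, not code from the survey: `SynBacklog` and `simulate` are illustrative names, time is counted in abstract ticks, and all addresses are constructed values from documentation ranges.

```python
import secrets

MOD = 2 ** 32  # TCP sequence numbers are 32-bit


class SynBacklog:
    """Server-side table of half-open connections with a per-entry time-out."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity
        self.timeout = timeout
        self.pending = {}   # peer -> (client_isn, server_isn, expiry)
        self.established = 0
        self.refused = 0
        self.expired = 0

    def _expire(self, now):
        for peer in [p for p, e in self.pending.items() if e[2] <= now]:
            del self.pending[peer]
            self.expired += 1

    def on_syn(self, now, peer, client_isn):
        """Step 2: allocate state and build the SYN-ACK, or refuse if the table is full."""
        self._expire(now)
        if len(self.pending) >= self.capacity:
            self.refused += 1
            return None
        server_isn = secrets.randbelow(MOD)
        self.pending[peer] = (client_isn, server_isn, now + self.timeout)
        return {"SYN": 1, "seq": server_isn, "ack": (client_isn + 1) % MOD}

    def on_ack(self, now, peer, seq, ack):
        """Step 3: accept only seq = client_isn+1 and ack = server_isn+1."""
        self._expire(now)
        entry = self.pending.get(peer)
        if entry is None:
            return False
        client_isn, server_isn, _ = entry
        if seq != (client_isn + 1) % MOD or ack != (server_isn + 1) % MOD:
            return False
        del self.pending[peer]
        self.established += 1
        return True


def simulate(capacity, timeout, unanswered_per_tick, ticks):
    """Each tick: some SYNs that are never acknowledged, then one well-behaved client."""
    backlog = SynBacklog(capacity, timeout)
    legit_ok = legit_refused = n = 0
    for now in range(ticks):
        for _ in range(unanswered_per_tick):
            peer = (f"198.51.100.{n % 254 + 1}", 1024 + n // 254)  # constructed
            backlog.on_syn(now, peer, secrets.randbelow(MOD))
            n += 1
        client = ("192.0.2.10", 40000 + now)                       # constructed
        isn = secrets.randbelow(MOD)
        syn_ack = backlog.on_syn(now, client, isn)
        if syn_ack is None:
            legit_refused += 1
        elif backlog.on_ack(now, client, (isn + 1) % MOD, (syn_ack["seq"] + 1) % MOD):
            legit_ok += 1
    return {"legit_established": legit_ok,
            "legit_refused": legit_refused,
            "half_open_expired": backlog.expired}


if __name__ == "__main__":
    # 2 unanswered SYNs per tick x 4-tick time-out = 8 entries: fits in 16 slots.
    print(simulate(capacity=16, timeout=4, unanswered_per_tick=2, ticks=20))
    # 8 per tick x 4 ticks = 32 entries: the table stays full despite expiry.
    print(simulate(capacity=16, timeout=4, unanswered_per_tick=8, ticks=20))
```

The refusals begin once unanswered SYNs per tick multiplied by the time-out exceeds the table size, so the count of expired half-open entries relative to established connections is a useful signal to monitor.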


7.3.2    Session Hijacking
Session hijacking is a critical error and gives a malicious node the opportunity of behaving as
a legitimate system. All the communications are authenticated only at the beginning of session
setup. The attacker may take advantage of this and commit a session hijacking attack. At
first, the attacker spoofs the victim’s IP address, determines the correct sequence number that is
expected by the target, and then performs a DoS attack on the victim. As a result, the target
system becomes unavailable for some time. Thus the attacker impersonates the victim node and
continues the session with the target.


7.3.3    TCP ACK Storm
An attacker can start a TCP ACK storm problem after hijacking a TCP session. ACK storm refers
to a situation in which a large number of Transmission Control Protocol (TCP) acknowledgment
(ACK) packets are generated, usually because of an attempted session hijacking.




                                  Figure 7.3: TCP ACK Storm


    The attacker sends injected session data, and node A will acknowledge the receipt of the data
by sending an ACK packet to node B. This packet will not contain a sequence number that node
B is expecting (because node B hasn’t sent any data), so when node B receives this packet, it will
try to resynchronize the TCP session with node A by sending it an ACK packet with the sequence
number that it is expecting. The cycle goes on and on, and the ACK packets passing back and
forth create an ACK storm.
    Hijacking a session over UDP is the same as over TCP, except that UDP attackers do not have
to worry about the overhead of managing sequence numbers and other TCP mechanisms. Since
UDP is connectionless, edging into a session without being detected is much easier than the TCP
session attacks.


7.4     Summary
From the above discussion, it is clear that both TCP and UDP are vulnerable to attack. An attack
on UDP is easier since the attacker need not be worried about the overhead of managing the
sequence number.




Chapter 8

SECURITY THREATS IN APPLICATION LAYER

The application layer communication is also vulnerable to attacks compared with other layers.
The application layer contains user data, and it normally supports many protocols such as HTTP,
SMTP, TELNET, and FTP, which provide many vulnerabilities and access points for attackers.
The application layer attacks are attractive to attackers because the information they seek
ultimately resides within the application, and they can directly make an impact and reach their
goals.


8.1     Malicious code attacks:
Malicious code, such as viruses, worms, spyware, and Trojan horses, can attack both operating
systems and user applications. These malicious programs usually can spread themselves through
the network and cause the computer system and networks to slow down or even be damaged. In
a MANET, an attacker can produce similar attacks on the mobile systems of the ad hoc network.


8.2     Repudiation attacks:
In the network layer, firewalls can be installed to keep packets in or keep packets out. In the
transport layer, entire connections can be encrypted, end-to-end. But these solutions do not
solve the authentication or non-repudiation problems in general. Repudiation refers to a denial
of participation in all or part of the communication. For example, a selfish person could deny
conducting an operation on a credit card purchase, or deny any on-line bank transaction, which
is the prototypical repudiation attack on a commercial system.




8.3     Summary
The application layer attacks are attractive to attackers because the information they seek
ultimately resides within the application, and they can directly make an impact and reach their
goals. The main security issues involved in the application layer are detecting and preventing viruses,
worms, malicious code and application abuses.




Chapter 9

COUNTERMEASURES

The ultimate goal of the security solutions for MANETs is to provide security services to mobile
users, such as

  1. Authentication,

  2. Confidentiality,

  3. Integrity,

  4. Non-repudiation

  5. Availability

In order to achieve this goal, the security solution should provide complete protection spanning
the entire protocol stack. There is no single mechanism that will provide all the security services
in MANETs.

   • Authentication: Authentication ensures that the access and supply of data is done only
     by the authorized parties. It is concerned with assuring that a communication is authentic.
     In the case of a single message, such as a warning or alarm signal, the function is to assure
     the recipient that the message is from the source that it claims to be from. In wired
     networks and infrastructure-based wireless networks, it is possible to implement a central
     authority at a point such as a router, base station, or access point. But in MANETs, there
     is no central authority, so it is much more difficult to authenticate an entity.
     Authentication can be provided by using encryption along with cryptographic hash function,
     digital signature and certificates.

   • Confidentiality: Confidentiality ensures that certain information is only readable or
     accessible by the authorized party. Basically, it protects data from passive attacks.
     Transmission of sensitive information such as military information requires confidentiality.
     MANETs use an open medium, so usually all nodes within the direct transmission range can
     obtain the data. One way to keep information confidential is to encrypt the data, and another
     technique is to use directional antennas. It also ensures that the transmitted data can only
     be accessed by the intended receivers.

   • Integrity: Integrity guarantees that only the authorized parties are allowed to modify the
     information or messages. To protect the integrity of information one must employ suitable
     validation techniques such as digital signatures.

   • Availability: Availability refers to allowing legitimate users to access confidential
     information after they have been properly authenticated. Availability ensures the
     survivability of network services despite various attacks. For example, on the physical and
     media access control layers, an attacker could employ jamming to interfere with communication
     on the physical channel, while on the network layer it could disrupt the routing protocol and
     the continuity of services of the network.

   • Non-Repudiation: Non-Repudiation prevents either sender or receiver from denying a
     transmitted message. Thus, when a message is sent, the receiver can prove that the message
     was in fact sent by the alleged sender. On the other hand, after sending a message, the sender
     can prove that the message was received by the alleged receiver. Non-repudiation is useful for
     detection and isolation of compromised nodes. When node A receives an erroneous message
     from node B, non-repudiation allows A to accuse B using this message and to convince other
     nodes that B is compromised.

   • Scalability: Even though scalability is not directly related to security, it is a very
     important issue that has a great impact on security services. An ad hoc network may consist
     of hundreds or even thousands of nodes. Security mechanisms should be scalable to handle such
     a large network. Otherwise, a newly added node in the network can be compromised by the
     attacker and used for gaining unauthorized access to the whole system. It is very easy to
     make an island-hopping attack through one rough point in a distributed network.
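The non-repudiation case above (node A accusing node B in front of other nodes) can be made concrete with the following added example, which is not part of the original survey. The survey does not name a signature scheme; a Lamport one-time signature built on SHA-256 is used here only so the code runs with the Python standard library, and the node names, the routing message and the assumption that B's public key is already known to all nodes are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def message_bits(message: bytes) -> list:
    """The 256 bits of SHA-256(message), most significant bit first."""
    d = digest(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_keygen():
    """One-time key pair: 256 pairs of random secrets and the hashes of those secrets."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(digest(s0), digest(s1)) for s0, s1 in private]
    return private, public


def lamport_sign(private, message: bytes) -> list:
    """Reveal, for each digest bit, the secret selected by that bit.
    A key pair must sign one message only; a second signature leaks more secrets."""
    return [private[i][bit] for i, bit in enumerate(message_bits(message))]


def lamport_verify(public, message: bytes, signature) -> bool:
    """Any node holding the signer's public key can run this check."""
    if len(signature) != 256:
        return False
    ok = True
    for i, bit in enumerate(message_bits(message)):
        ok &= hmac.compare_digest(digest(signature[i]), public[i][bit])
    return ok


def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256: integrity between the two key holders, but no attribution."""
    return hmac.new(shared_key, message, hashlib.sha256).digest()


def demo() -> dict:
    # Constructed sample data: node B signs a routing reply that node A receives.
    b_private, b_public = lamport_keygen()
    sent = b"RREP from=B dest=D hop_count=1 seq=9001"
    signature = lamport_sign(b_private, sent)

    # A keeps (sent, signature) as evidence; third node C checks it with B's public key.
    evidence_accepted = lamport_verify(b_public, sent, signature)

    # A cannot frame B: an altered message does not verify under B's key.
    altered = b"RREP from=B dest=D hop_count=0 seq=9999"
    altered_accepted = lamport_verify(b_public, altered, signature)

    # With a MAC, A holds the same key as B and can tag any message itself,
    # so a valid tag tells C nothing about which of the two produced it.
    k_ab = secrets.token_bytes(32)
    tag_made_by_a = mac_tag(k_ab, altered)
    forged_mac_verifies = hmac.compare_digest(tag_made_by_a, mac_tag(k_ab, altered))

    return {
        "signed_evidence_accepted": evidence_accepted,
        "altered_message_accepted": altered_accepted,
        "forged_mac_verifies": forged_mac_verifies,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The signature is what lets a third node attribute the message to B; the shared-key MAC verifies equally well for a message A wrote itself, so it protects integrity on the A-B link but cannot support an accusation.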

A variety of security mechanisms have been invented to counter malicious attacks. The conven-
tional approaches such as authentication, access control, encryption, and digital signature provide
a first line of defense. As a second line of defense, intrusion detection systems and cooperation en-
forcement mechanisms implemented in MANET can also help to defend against attacks or enforce
cooperation, reducing selfish node behavior.


9.1     Preventive mechanism:
The conventional authentication and encryption schemes are based on cryptography, which in-
cludes asymmetric and symmetric cryptography. Cryptographic primitives such as hash values
(message digests) are sufficient in providing data integrity in transmission as well. Threshold
cryptography can be used to hide data by dividing it into a number of shares. Digital signatures


/Home/himanshu/mane

  • 1. A Literature Survey on SECURITY THREATS IN MOBILE AD HOC NETWORK (MANET) by NISHANTH.N ME Telecommunication SR No.: 4812-413-091-06931 Under the Guidance of Prof. P. Venkataram Protocol Engineering and Technology Lab Dept. of Electrical Communication Engineering Indian Institute of Science Bangalore-560 012
  • 2. Abstract In this literature survey, I am focusing on the overall security threats and challenges in Mobile ad hoc networks (MANET).My literature survey starts with different types of wireless network, then vulnerabilities and the security issues are analyzed from individual layers namely application layer, transport layer, network layer, link layer and physical layer. This study provides a good understanding of the current security challenges and solutions for the MANETs. Finally, a brief discussion about agents and role of multi-agents in wireless security is also included in my literature survey.
  • 3. Contents 1 WIRELESS NETWORKS 5 1.1 Types of Wireless Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 1.1.1 Infrastructure Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.1.2 Ad hoc Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 1.2 IEEE 802.11 WLAN Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2.1 IEEE 802.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2.2 IEEE 802.11a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 1.2.3 IEEE 802.11b . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.4 IEEE 802.11g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.5 IEEE 802.11d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.6 IEEE 802.11e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.7 IEEE 802.11f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.8 IEEE 802.11h . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.9 IEEE 802.11j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 1.2.10 IEEE 802.11n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.3 Wireless Personal Area Network (WPAN) . . . . . . . . . . . . . . . . . . . . . . 9 1.3.1 IEEE 802.15.1 (Bluetooth) . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 1.3.2 IEEE 802.15.3 (Ultra Wide Band) . . . . . . . . . . . . . . . . . . . . . . 10 1.3.3 IEEE 802.15.4 (ZigBee) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 1.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 2 MOBILE AD HOC NETWORK (MANET) 11 2.1 Features of MANET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 2.2 Vulnerabilities of the MANETs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 2.2.1 Lack of Secure Boundaries . . . . . . . 
. . . . . . . . . . . . . . . . . . . . 12 2.2.2 Threats from Compromised nodes . . . . . . . . . . . . . . . . . . . . . . 13 2.2.3 Lack of Centralized Management Facility . . . . . . . . . . . . . . . . . . . 13 2.2.4 Restricted PowerSupply . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 2.2.5 Scalability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.3 Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 1
  • 4. 3 ATTACKS ON MANET 16 3.1 Attacks On MANET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.1.1 Passive vs. Active attacks: . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3.1.2 Attacks on different layers of the Internet model: . . . . . . . . . . . . . . 17 3.1.3 Stealthy vs. Non-stealthy attacks: . . . . . . . . . . . . . . . . . . . . . . 18 3.1.4 Cryptography vs. non-cryptography related attacks: . . . . . . . . . . . . . 18 3.1.5 Multi-layer attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 3.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 4 SECURITY THREATS IN PHYSICAL LAYER 20 4.1 Eavesdropping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.2 Jamming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 4.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 5 SECURITY THREATS IN LINK LAYER 22 5.1 IEEE 802.11 MAC Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 5.2 Vulnerabilities in Link Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 5.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 6 SECURITY THREATS IN NETWORK LAYER 28 6.1 Reactive Routing Protocol: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 6.1.1 DSR (Dynamic Source Routing) . . . . . . . . . . . . . . . . . . . . . . . 29 6.2 Proactive Routing Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 6.2.1 Destination-Sequenced Distance-Vector Routing (DSDV) . . . . . . . . . . 31 6.3 Secure Routing in MANET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 6.3.1 Requirements of a Secure Routing Protocol for MANET . . . . . . . . . . 31 6.4 Attacks at the routing discovery phase . . . . . . . . . . . . . . . . . . . . . . . . 
33 6.5 Attacks at data forwarding phase . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6.6 Advanced Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6.6.1 Wormhole Attack: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 6.6.2 Blackhole attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 6.6.3 Byzantine attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 6.6.4 Information disclosure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 6.6.5 Resource consumption attack . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.6.6 Rushing attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 6.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 7 SECURITY THREATS IN TRANSPORT LAYER 38 7.1 Establishing a TCP connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38 7.2 Closing TCP connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 2
  • 5. 7.3 Attacks in Transport Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 7.3.1 SYN flooding attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 7.3.2 Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 7.3.3 TCP ACK Storm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 7.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41 8 SECURITY THREATS IN APPLICATION LAYER 42 8.1 Malicious code attacks: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 8.2 Repudiation attacks: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42 8.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 9 COUNTERMEASURES 44 9.1 Preventive mechanism: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 9.2 Reactive mechanism: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 9.3 Physical layer defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 9.3.1 FHSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 9.3.2 DSSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 9.4 Link Layer Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 9.4.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49 9.5 Network Layer Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 9.5.1 Secure Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 9.5.2 Defense against wormhole attacks . . . . . . . . . . . . . . . . . . . . . . 51 9.5.3 Defense against blackhole attacks . . . . . . . . . . . . . . . . . . . . . . . 52 9.5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 9.6 Application Layer Defense . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . 54 9.7 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 10 TRANSPORT LAYER DEFENSE 55 10.1 Modified versions of TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 10.1.1 Feedback based TCP (TCP-F) . . . . . . . . . . . . . . . . . . . . . . . . 58 10.1.2 TCP with Explicit Link Failure Notification (TCP-ELFN) . . . . . . . . . 60 10.1.3 Split-TCP: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 10.2 Defense against Flooding Attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 10.2.1 CATCH protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 10.2.2 SWAT: Small World based Attacker Traceback . . . . . . . . . . . . . . . . 65 10.2.3 ATTENTION: ATTackEr Traceback using MAC Layer AbNormality Detec- TION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 10.2.4 Hotspot-Based Traceback . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 10.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 3
  • 6. 11 AGENTS AND MULTI-AGENTS 67 11.1 AGENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 11.2 Multi-Agent System (MAS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 11.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68 12 Role of Multi-agent system in wireless security 69 12.1 Role of Mobile Agents (MA) in IDS . . . . . . . . . . . . . . . . . . . . . . . . . 70 12.2 Advantages of using Mobile Agents (MA) in IDS . . . . . . . . . . . . . . . . . . . 70 12.3 System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 12.3.1 MA server functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 12.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74 13 PROPOSED WORK 75 REFERENCES 4
  • 7. Chapter 1 WIRELESS NETWORKS Today’s wireless networks have gained momentum in a number of vertical markets such as health- care, education, retail, manufacturing, warehousing, and more. Wireless networks bring massive gains - not only in productivity, but also from reduced cabling and fast client relocation. Flexi- bility is a major reason that wireless networks have become so popular. Just looking at historical buildings gives us an example of this. Once a building is deemed historical, running wires through it can quickly become an unacceptable option. With wireless networks, no wires are necessary; a user just has to plug into an access point and he is set to go. Without having to drill holes for wires, these historical buildings can keep their old-world look and feel. Another way the flexibility of wireless networks is useful is in areas or buildings not owned by the occupant. In this case, holes cannot be drilled into the walls to install wire runs. Wireless allows one to set up the access point and connects all the needed information systems via a wireless connection. Disaster recovery is another area where the flexibility of wireless plays a key role. When major damage impedes the ability to hang cables, using wireless can help keep a workforce connected. 1.1 Types of Wireless Networks Before we discuss the wireless networks types, a small difference between wired and wireless network will be discussed. A network that sends data from one point to another point with cable or wire is called wired network. The data sent over a network which uses wireless medium from one device to another device is called wireless network. In wireless network data is transmitted from one point to another through wireless links. For communication the devices have to be in the transmission or radio range of each other. Wireless networks are divided into two main groups (1) infrastructure wireless network (2) Ad hoc or infrastructure-less network. 5
  • 8. 1.1.1 Infrastructure Networks Fixed network topology is deployed in infrastructure network. These deployed, fixed networks have base stations or access points from which wireless nodes can get connected. All the base stations or access points are connected with the main network through wired links (fiber optic, twisted or coaxial cable) or wireless links. The base station or access point is one of the important units of infrastructure networks. All of the connections will have to pass from the access point (AP). Figure 1.1: Infrastructure Mode A wireless node can connect to anyone of the access points in its radio range. In this mode, a wireless node needs to associate with an AP using an association protocol. An AP and its wireless nodes form a Basic Service Set (BSS). A set of BSS is called Extended Service Set (ESS). Association and Dissociation allows the wireless node to be mobile within the ESS. 1.1.2 Ad hoc Networks An Ad hoc network is deployed where wireless network infrastructure is not available. This kind of ad hoc network is called infrastructure less network or ad hoc network. In infrastructure or ad hoc network each node is connected through wireless links. These nodes get connected to each other and also act as a router, by forwarding data to other wireless nodes. There is no restriction on these nodes to join or leave the network. Thus the network has no vital infrastructure. Ad hoc networks have two forms; one is static ad hoc networks (SANET), the other is called mobile ad hoc network (MANET). Figure 1.2: Ad Hoc Mode 6
  • 9. 1.2 IEEE 802.11 WLAN Standards

1.2.1 IEEE 802.11

In 1997, the IEEE ratified the 802.11 Wireless LAN standards, establishing a global standard for implementing and deploying Wireless LANs. The throughput for 802.11 is 2 Mbps, which was well below the IEEE 802.3 Ethernet counterpart. As with any of the other 802 networking standards (Ethernet, Token Ring, etc.), the 802.11 specification affects the lower layers of the OSI reference model, the Physical and Data Link layers.

Figure 1.3: Layers in OSI model

These networks operate on two physical layers: (1) direct sequence spread spectrum (DSSS) and (2) frequency hopping spread spectrum (FHSS). Each uses a different method of transmitting wireless signals across the airwaves. DSSS uses a wide, single, statically defined channel that is preset in the access point. With FHSS or FH, the access point and the client negotiate a hop sequence, which is used to allow the signal to switch between small slices of frequency in the 2.4-GHz range that wireless 802.11 has defined as usable. The MAC layer has been standardized to help contend with the interference and excessive loss of frames compared to Ethernet. (A detailed description of the MAC layer is given in the chapter on link layer attacks.)

1.2.2 IEEE 802.11a

In 1999, the IEEE group successfully standardized the 802.11a standard. 802.11a operates at 5 GHz and supports data rates up to 54 Mbps. The physical layer technology Orthogonal Frequency Division Multiplexing (OFDM) is used to transfer the data into radio waves. The FCC has allocated 300 MHz of RF spectrum for unlicensed operation in the 5 GHz range. Although 802.11a supports much higher data rates, the effective distance of transmission is much shorter than 802.11b, it is not compatible with 802.11b equipment, and in its current state it is usable only in the US. However, several vendors have embraced the 802.11a standard and some have dual-band support in AP devices and network cards.
  • 10. 1.2.3 IEEE 802.11b

The 802.11b ("baseline") is currently the de facto standard for Wireless LANs. Unlike 802.11, in which there is a choice between Direct Sequence Spread Spectrum (DSSS) and Frequency Hopping Spread Spectrum (FHSS), 802.11b uses DSSS for physical layer transport. The data rate of 802.11b is raised to 11 Mbit/s, but will scale back to 5.5, then 2, then 1 Mbit/s (also known as Adaptive Rate Selection) if signal quality becomes an issue.

1.2.4 IEEE 802.11g

The 802.11g ("going beyond b") task group, like 802.11a, is focusing on raising the data transmission rate up to 54 Mbps, but on the 2.4MHz band. 802.11g hardware is fully backwards compatible with 802.11b hardware. The modulation scheme used in 802.11g is orthogonal frequency-division multiplexing (OFDM), which is the same as that used in the 802.11a standard.

1.2.5 IEEE 802.11d

This group is focusing on extending the technology to countries that are not covered by the IEEE. The IEEE completed the 802.11d standard in 2001. It addresses the need for access points to be able to inform client cards of which regulatory domain they are located in and what rules apply for that location. This lets business travelers use one wireless network card in different countries (they do not need to carry multiple client cards).

1.2.6 IEEE 802.11e

This group is focusing on improving multimedia transmission quality of service. This is critical in time-sensitive communications such as voice or video.

1.2.7 IEEE 802.11f

The 802.11f standard provides a standard for roaming. This allows companies to create products that can seamlessly roam from one to another (interoperability between vendors).

1.2.8 IEEE 802.11h

The 802.11h standard is looking at using 802.11a and developing the ability to self-tune and move away from congested channels.

1.2.9 IEEE 802.11j

This standard is for use in Japan only. It defines the physical and MAC layer communications for systems running in the 4.9- to 5-GHz range.
  • 11. 1.2.10 IEEE 802.11n

IEEE 802.11n is an amendment to the IEEE 802.11 standards that adds multiple-input multiple-output (MIMO) and 40 MHz channels to the PHY (physical layer), and frame aggregation to the MAC layer. MIMO is a technology which uses multiple antennas to coherently resolve more information than is possible using a single antenna. One way it provides this is through Spatial Division Multiplexing (SDM). MIMO SDM can significantly increase data throughput as the number of resolved spatial data streams is increased. It can support a data rate of up to 600 Mbps.

1.3 Wireless Personal Area Network (WPAN)

A wireless personal area network (WPAN) is a low-range wireless network which covers an area of only a few dozen metres. This sort of network is generally used for linking peripheral devices (like printers, cellphones, and home appliances) or a personal assistant (PDA) to a computer, or just two nearby computers, without using a hard-wired connection. The technologies enabling WPAN include Bluetooth, ZigBee, Ultra-wideband (UWB), IrDA, HomeRF, etc., of which Bluetooth is the most widely used technology for WPAN communication. The IEEE 802.15 working group, the 15th working group of IEEE 802, specializes in WPAN technologies.

The key concept in WPAN technology is known as plugging in. In the ideal scenario, when any two WPAN-equipped devices come into close proximity (within several meters of each other) or within a few kilometers of a central server, they can communicate as if connected by a cable. Another important feature is the ability of each device to lock out other devices selectively, preventing needless interference or unauthorized access to information. The technology for WPANs is in its infancy and is undergoing rapid development. Proposed operating frequencies are around 2.4 GHz in digital modes. The objective is to facilitate seamless operation among home or business devices and systems. Every device in a WPAN will be able to plug in to any other device in the same WPAN, provided they are within physical range of one another.

1.3.1 IEEE 802.15.1 (Bluetooth)

Bluetooth, also known as the IEEE 802.15.1 standard, is based on a wireless radio system designed for short-range and cheap devices to replace cables for computer peripherals, such as mice, keyboards, joysticks, and printers. Bluetooth is a specification for wireless personal area networks (PANs) formalized by the Bluetooth SIG in 1999. It was originally developed by Ericsson, who was a member of the SIG with IBM, Intel, Nokia, and Toshiba. The protocol operates in the license-free ISM band at 2.4 GHz, with a data rate of 723.1 Kbps. Two connectivity topologies are defined in Bluetooth: the piconet and the scatternet. A piconet is a WPAN formed by a Bluetooth device serving as a master in the piconet and one or more Bluetooth devices serving as slaves. All devices participating in communications in a given piconet are synchronized using the clock of the master.
  • 12. Slaves communicate only with their master in a point-to-point fashion under the control of the master. A scatternet is a collection of operational Bluetooth piconets overlapping in time and space. Two piconets can be connected to form a scatternet. A Bluetooth device may participate in several piconets at the same time, thus allowing for the possibility that information could flow beyond the coverage area of the single piconet.

1.3.2 IEEE 802.15.3 (Ultra Wide Band)

UWB has recently attracted much attention as an indoor short-range high-speed wireless communication technology. One of the most exciting characteristics of UWB is that its bandwidth is over 110 Mbps (up to 480 Mbps), which can satisfy most multimedia applications such as audio and video delivery in home networking; it can also act as a wireless cable replacement for high-speed serial buses such as USB 2.0 and IEEE 1394.

1.3.3 IEEE 802.15.4 (ZigBee)

ZigBee over IEEE 802.15.4 defines specifications for low-rate WPAN (LR-WPAN) for supporting simple devices that consume minimal power and typically operate in the personal operating space (POS) of 10 m. ZigBee provides self-organized, multi-hop, and reliable mesh networking with long battery lifetime.

1.4 Summary

Wireless networks are broadly classified into infrastructure-based networks and ad hoc networks. MANET is an example of an ad hoc network. IEEE 802.11 is a set of standards for wireless local area network (WLAN) computer communication in the 2.4, 3.6 and 5 GHz frequency bands. A wireless personal area network (WPAN) is a low-range wireless network which covers an area of only a few dozen metres. The IEEE 802.15 working group, the 15th working group of IEEE 802, specializes in WPAN technologies.
  • 13. Chapter 2 MOBILE AD HOC NETWORK (MANET)

A mobile ad hoc network (MANET) is a decentralized, self-organizing and self-configuring wireless network, without any fixed infrastructure. In these networks, each mobile node behaves not only as a host, but also as a router which is capable of communicating with other nodes, using either direct wireless links or multi-hop wireless links. A MANET is self-organized in such a way that a collection of mobile nodes without a fixed infrastructure and central management is formed automatically. Each node is equipped with a wireless transmitter and receiver that communicate with other nodes in the vicinity of its radio communication range. If a node decides to send a packet to a node that is outside its radio range, it requires the help of other nodes in the network. Because mobile nodes are dynamic and constantly move in and out of their network vicinity, the topologies constantly change.

Figure 2.1: MANET

2.1 Features of MANET

A mobile ad hoc network has the following features:

• Autonomous Terminal: In MANET, each mobile terminal is an autonomous node, which may function as both a host and a router. In other words, besides the basic processing ability as a host, the mobile nodes can also perform switching functions as a router. So usually endpoints and switches are indistinguishable in MANET.
  • 14. • Distributed Operation: Since there is no background network for the central control of the network operations, the control and management of the network is distributed among the terminals. The nodes involved in a MANET should collaborate amongst themselves and each node acts as a relay as needed, to implement functions e.g. security and routing.
• Multihop Routing: Basic types of ad hoc routing algorithms can be single-hop and multihop, based on different link layer attributes and routing protocols. Single-hop MANET is simpler than multihop in terms of structure and implementation, at the cost of lesser functionality and applicability. When delivering data packets from a source to a destination outside the direct wireless transmission range, the packets should be forwarded via one or more intermediate nodes.
• Dynamic Network Topology: Since the nodes are mobile, the network topology may change rapidly and unpredictably and the connectivity among the terminals may vary with time. MANET should adapt to the traffic and propagation conditions as well as the mobility patterns of the mobile network nodes. The mobile nodes in the network dynamically establish routing among themselves as they move about, forming their own network on the fly.
• Light-weight Terminal: In most cases, the MANET nodes are mobile devices with less CPU processing capability, small memory size, and low power storage. Such devices need optimized algorithms and mechanisms that implement the computing and communicating functions.

2.2 Vulnerabilities of the MANETs

Because mobile ad hoc networks have far more vulnerabilities than traditional wired networks, security is much more difficult to maintain in the mobile ad hoc network than in the wired network. In this section, we discuss the various vulnerabilities that exist in mobile ad hoc networks.

2.2.1 Lack of Secure Boundaries

The meaning of this vulnerability is self-evident: there is no clear secure boundary in the mobile ad hoc network that can be compared with the clear line of defense in the traditional wired network. This vulnerability originates from the nature of the mobile ad hoc network: freedom to join, leave and move inside the network. In the wired network, adversaries must get physical access to the network medium, or even pass through several lines of defense such as firewall and gateway, before they can perform malicious behavior against the targets. However,
  • 15. in the mobile ad hoc network, there is no need for an adversary to gain physical access to visit the network: once the adversary is in the radio range of any other nodes in the mobile ad hoc network, it can communicate with those nodes in its radio range and thus join the network automatically. As a result, the mobile ad hoc network does not provide the so-called secure boundary to protect the network from potentially dangerous network accesses. Lack of secure boundaries makes the mobile ad hoc network susceptible to attacks. The attacks mainly include passive eavesdropping, active interfering, leakage of secret information, data tampering, message replay, message contamination, and denial of service.

2.2.2 Threats from Compromised Nodes Inside the Network

Because of the mobility of the ad hoc network, a compromised node can frequently change its attack target and perform malicious behavior against different nodes in the network, so it is very difficult to track the malicious behavior performed by a compromised node, especially in a large-scale ad hoc network. Therefore, threats from compromised nodes inside the network are far more dangerous than attacks from outside the network, and these attacks are much harder to detect because they come from the compromised nodes, which behaved well before they were compromised. A good example of this kind of threat comes from the potential Byzantine failures encountered in the routing protocol for the mobile ad hoc network.

2.2.3 Lack of Centralized Management Facility

Ad hoc networks do not have a centralized piece of management machinery such as a Name Server or Access Point (AP). As a result, detection of attacks is a very difficult problem because it is not easy to monitor the traffic in a highly dynamic and large-scale ad hoc network. It is rather common in the ad hoc network that benign failures, such as path breakages, transmission impairments and packet dropping, happen frequently. Therefore, malicious failures will be more difficult to detect, especially when adversaries change their attack pattern and their attack target in different periods of time. Because each victim can only observe the failure that occurs in itself, this short-time observation cannot produce a convincing conclusion that the failure is caused by an adversary. Thus, the lack of centralized management machinery will cause severe problems when we try to detect attacks in the ad hoc network. Another issue with the lack of centralized administration is that some algorithms in the mobile ad hoc network rely on the cooperative participation of all nodes and the infrastructure. The adversary can make use of this vulnerability and perform attacks that break the cooperative algorithm.

2.2.4 Restricted Power Supply

Due to the mobility of nodes in the ad hoc network, it is common for the nodes to rely on battery as their power supply. The first problem that may
  • 16. be caused by the restricted power supply is denial-of-service attacks. Since the adversary knows that the target node is battery-restricted, it can either continuously send additional packets to the target and ask it to route those additional packets, or induce the target to be trapped in some kind of time-consuming computation. In this way, the battery power of the target node will be exhausted by these meaningless tasks, and the target node will be out of service to all benign service requests since it has run out of power. Furthermore, a node in the mobile ad hoc network may behave in a selfish manner when it finds that there is only limited power supply, and the selfishness can cause problems when this node needs to cooperate with other nodes to support some functions in the network. Moreover, we should not view all selfish nodes as malicious nodes: some nodes may encounter a restricted power supply and thus behave in a selfish manner, which can be tolerated; however, there can be other nodes that intentionally announce that they have run out of battery power and therefore do not want to cooperate with other nodes in some cooperative operation, while they actually still have enough battery power to support the cooperative operation.

2.2.5 Scalability

Unlike the traditional wired network, whose scale is generally predefined when it is designed and will not change much during use, the scale of the ad hoc network keeps changing all the time: because of the mobility of the nodes in the mobile ad hoc network, you can hardly predict how many nodes there will be in the network in the future. As a result, the protocols and services that are applied to the ad hoc network, such as the routing protocol and key management service, should be compatible with the continuously changing scale of the ad hoc network, which may range from tens of nodes to hundreds of nodes, or even thousands of nodes. In other words, these protocols and services need to scale up and down efficiently.

From the discussion in this section, we can safely conclude that the mobile ad hoc network is insecure by its nature: there is no clear line of defense because of the freedom for the nodes to join, leave and move inside the network; some of the nodes may be compromised by the adversary and thus perform malicious behaviors that are hard to detect; lack of centralized machinery may cause problems when there is a need for such a centralized coordinator; restricted power supply can cause selfishness problems; and the continuously changing scale of the network sets higher requirements for the scalability of the protocols and services in the mobile ad hoc network. As a result, compared with the wired network, the mobile ad hoc network needs a more robust security scheme to ensure its security.

2.3 Applications

With the increase of portable devices as well as progress in wireless communication, ad hoc networking is gaining importance with the increasing number of widespread applications. Ad hoc
  • 17. networking can be applied anywhere where there is little or no communication infrastructure or the existing infrastructure is expensive or inconvenient to use. Ad hoc networking allows the devices to maintain connections to the network, and devices can easily be added to and removed from the network. The set of applications for MANETs is diverse, ranging from large-scale, mobile, highly dynamic networks to small, static networks that are constrained by power sources. Besides the legacy applications that move from the traditional infrastructure environment into the ad hoc context, a great deal of new services can and will be generated for the new environment. It includes:

• Military Battlefield
• Commercial Sector
• Medical Service
• Personal Area Network
• Rescue Operation

2.4 Summary

A MANET is referred to as a network without infrastructure because the mobile nodes in the network dynamically set up temporary paths among themselves to transmit packets. Nodes within each other’s wireless transmission ranges can communicate directly; however, nodes outside each other’s range have to rely on some other nodes to relay messages. A number of challenges, such as open peer-to-peer network architecture, stringent resource constraints, shared wireless medium and dynamic network topology, are posed in MANET. Moreover, ad hoc networking allows the devices to maintain connections to the network, and devices can easily be added to and removed from the network.
  • 18. Chapter 3 ATTACKS ON MANET

Designing a foolproof security solution for an ad hoc wireless network is a very challenging task. This is mainly because of certain unique characteristics of ad hoc wireless networks, namely, shared broadcast radio channel, insecure operating environment, lack of central authority, lack of association among nodes, limited availability of resources, and physical vulnerability.

• Shared broadcast radio channel: Unlike in wired networks, where a separate dedicated transmission line can be provided between a pair of end users, the radio channel used for communication in ad hoc wireless networks is broadcast in nature and is shared by all nodes in the network. Data transmitted by a node is received by all nodes within its direct transmission range. So a malicious node could easily obtain data being transmitted in the network. This problem can be minimized to a certain extent by using directional antennas.
• Insecure operational environment: The operating environments where ad hoc wireless networks are used may not always be secure. One important application of such networks is in battlefields. In such applications, nodes may move in and out of hostile and insecure enemy territory, where they would be highly vulnerable to security attacks.
• Lack of central authority: In wired networks and infrastructure-based wireless networks, it is possible to monitor the traffic on the network through certain important central points (such as routers, base stations, and access points) and implement security mechanisms at such points. Since ad hoc wireless networks do not have any such central points, these mechanisms cannot be applied in ad hoc wireless networks.
• Lack of association: Since these networks are dynamic in nature, a node can join or leave the network at any point in time. If no proper authentication mechanism is used for associating nodes with a network, an intruder would be able to join the network quite easily and carry out his/her attacks.
• Limited resource availability: Resources such as bandwidth, battery power, and computational power (to a certain extent) are scarce in ad hoc wireless networks. Hence, it is difficult to implement complex cryptography-based security mechanisms in such networks.
  • 19. • Physical vulnerability: Nodes in these networks are usually compact and hand-held in nature. They could get damaged easily and are also vulnerable to theft.

3.1 Attacks On MANET

A variety of attacks are possible in MANET. Some attacks apply to networks in general, some apply to wireless networks and some are specific to MANETs. These security attacks can be classified according to different criteria, such as the domain of the attackers or the techniques used in the attacks. Security attacks in MANET and all other networks can be roughly classified by the following criteria: passive or active, internal or external, different protocol layer, stealthy or non-stealthy, cryptography or non-cryptography related.

3.1.1 Passive vs. Active attacks:

The attacks in MANET can roughly be classified into two major categories, namely passive attacks and active attacks. A passive attack obtains data exchanged in the network without disrupting the operation of the communications, while an active attack involves information interruption, modification, or fabrication, thereby disrupting the normal functionality of a MANET. Detection of passive attacks is very difficult since the operation of the network itself is not affected. One way of overcoming such problems is to use powerful encryption mechanisms to encrypt the data being transmitted, thereby making it impossible for eavesdroppers to obtain any useful information from the data overheard.

Passive Attacks    Eavesdropping, Traffic Analysis, Monitoring
Active Attacks     Jamming, Spoofing, Modification, Replaying, DoS

Active attacks can be classified further into two categories, namely, external and internal attacks. External attacks are carried out by nodes that do not belong to the network. These attacks can be prevented by using standard security mechanisms such as encryption techniques and firewalls. Internal attacks are from compromised nodes that are actually part of the network. Since the adversaries are already part of the network as authorized nodes, internal attacks are more severe and more difficult to detect than external attacks.

3.1.2 Attacks on different layers of the Internet model:

The attacks can be further classified according to the five layers of the Internet model.
  • 20.
Layer               Attacks
Application Layer   Repudiation, Data corruption
Transport Layer     Session Hijacking, SYN Flooding
Network Layer       Wormhole, Blackhole, Byzantine, Flooding
                    Location Disclosure, Route Cache Poisoning etc
Link Layer          Traffic Analysis, NAV attack, WEP weaknesses
                    Disruption of MAC protocol (802.11)
Physical Layer      Jamming, Interception, Eavesdropping

3.1.3 Stealthy vs. Non-stealthy attacks:

Some security attacks use stealth, whereby the attackers try to hide their actions from either an individual who is monitoring the system or an intrusion detection system (IDS). But other attacks such as DoS cannot be made stealthy.

3.1.4 Cryptography vs. non-cryptography related attacks:

Some attacks are non-cryptography related, and others are cryptographic primitive attacks.

Cryptographic Primitive Attacks   Examples
Pseudorandom Number Attack        Nonce, Timestamp, Initialisation Vector (IV)
Digital Signature Attack          RSA Signature, ElGamal Signature, Digital Signature Standard (DSS)
Hash Collision Attack             SHA-0, MD4, MD5, HAVAL-128, RIPEMD

3.1.5 Multi-layer attacks

Some security attacks can be launched from multiple layers instead of a particular layer. Examples of multi-layer attacks are denial of service (DoS), man-in-the-middle, and impersonation attacks.

• Denial of service: Denial of service (DoS) attacks could be launched from several layers. An attacker can employ signal jamming at the physical layer, which disrupts normal communications. At the link layer, malicious nodes can occupy channels through the capture effect, which takes advantage of the binary exponential scheme in MAC protocols and prevents other nodes from channel access. At the network layer, the routing process can be interrupted through routing control packet modification, selective dropping, table overflow, or poisoning. At the transport and application layers, SYN flooding, session hijacking, and malicious programs can cause DoS attacks.
• Impersonation attacks: Impersonation attacks are launched by using another node’s identity, such as its MAC or IP address. Impersonation attacks are sometimes the first step for most attacks, and are used to launch further, more sophisticated attacks.
  • 21. • Man-in-the-middle attacks: An attacker sits between the sender and the receiver and sniffs any information being sent between the two ends. In some cases the attacker may impersonate the sender to communicate with the receiver, or impersonate the receiver to reply to the sender.

3.2 Summary

MANETs are characterised by a shared broadcast radio channel, insecure operating environment, lack of central authority, lack of association among nodes, limited availability of resources, and physical vulnerability. The attacks in MANET can roughly be classified into two major categories, namely passive attacks and active attacks. Active attacks can be classified further into two categories, namely, external and internal attacks. External attacks can be prevented by using standard security mechanisms such as encryption techniques and firewalls. Internal attacks are from compromised nodes that are actually part of the network and are very difficult to detect.
  • 22. Chapter 4 SECURITY THREATS IN PHYSICAL LAYER

As discussed in the previous chapter, we can categorize security attacks according to protocol layers. Now, I will present a survey of security attacks in MANET on each protocol layer used in the Internet model. Wireless communication is broadcast by nature. A common radio signal is easy to jam or intercept. An attacker could overhear or disrupt the service of a wireless network physically. The most common physical layer attacks in MANET are eavesdropping, interference, denial-of-service (DoS) and jamming. An attacker with sufficient transmission power and knowledge of the physical and medium access control layer mechanisms can gain access to the wireless medium. Here we will describe eavesdropping, interference and jamming attacks in brief.

4.1 Eavesdropping

Eavesdropping is the reading of messages and conversations by unintended receivers. The nodes in MANET share a wireless medium, and wireless communication uses the RF spectrum and is broadcast by nature, so it can easily be intercepted with receivers tuned to the proper frequency. As a result, transmitted messages can be overheard and fake messages can be injected into the network.

4.2 Jamming

Radio signals can be jammed or interfered with, which causes the message to be corrupted or lost. If the attacker has a powerful transmitter, a signal can be generated that will be strong enough to overwhelm the targeted signals and disrupt communications. Jamming attacks can be mounted from a location remote to the target networks.
  • 23. 4.3 Summary

The most common physical layer attacks in MANET are eavesdropping, interference, denial-of-service (DoS) and jamming. Using spread spectrum mechanisms, e.g. FHSS, DSSS etc., can avoid jamming and eavesdropping. These mechanisms are secure only when the hopping pattern or spreading code is unknown to the eavesdropper.
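An added illustration (not part of the survey) of the last point above: frequency hopping limits what a listener captures only while the hopping pattern stays secret. The HMAC-derived hop sequence, the 79-channel plan, the key and all function names are assumptions made for this example.

```python
import hashlib
import hmac

CHANNELS = 79   # assumed number of hop channels (constructed for this example)
SLOTS = 5000    # number of dwell slots simulated


def hop_channel(key: bytes, slot: int) -> int:
    """Channel used in a dwell slot, derived from a shared secret (assumed scheme)."""
    digest = hmac.new(key, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") % CHANNELS


def capture_ratio(tx_key: bytes, listener, slots: int = SLOTS) -> float:
    """Fraction of slots in which listener(slot) is tuned to the sender's channel.

    The same number is the fraction of slots a narrowband jammer parked on
    listener(slot) would corrupt.
    """
    hits = sum(1 for s in range(slots) if listener(s) == hop_channel(tx_key, s))
    return hits / slots


def scenarios() -> dict:
    key = b"constructed-shared-secret"      # constructed sample key
    # A listener that has obtained the pattern itself (for example a recorded table)
    leaked_pattern = [hop_channel(key, s) for s in range(SLOTS)]
    return {
        # Legitimate receiver: follows every hop
        "receiver_with_key": capture_ratio(key, lambda s: hop_channel(key, s)),
        # Listener parked on one channel: sees roughly 1/CHANNELS of the slots
        "fixed_channel": capture_ratio(key, lambda s: 17),
        # Listener hopping with a wrong guess at the secret: no better than fixed
        "wrong_key": capture_ratio(key, lambda s: hop_channel(b"guess", s)),
        # Pattern known to the listener: hopping gives no protection at all
        "pattern_known": capture_ratio(key, lambda s: leaked_pattern[s]),
    }


if __name__ == "__main__":
    for name, ratio in scenarios().items():
        print(f"{name:18s} {ratio:.3f}")
```
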
  • 24. Chapter 5 SECURITY THREATS IN LINK LAYER

Before going to the security threats in the link layer, let us consider the protocols used in the link layer and the major constraints in wireless networks. The major constraints in wireless networks are:

(1) The hidden node problem and the exposed node problem.
(2) The received signal energies are very low compared to the transmitted signal energy. Hence it is difficult to design reliable collision detection. (Collision detection techniques are used in wired LANs.)

• Hidden Node Problem

Let two nodes a and b have transmission ranges A and B, respectively, as shown in the figure. Let X denote the intersection of A and B. Consider an ongoing transmission from node a. Because node b is out of the transmission range of node a, it cannot sense the carrier from this transmission and can decide to transmit. If node b transmits at the same time as node a, the transmissions from a and b will be received at all nodes in X, and there will be a collision at these receivers. If node a was transmitting to node c in X, then node c will not be able to decode the packet. However, node a will not know of the collision at node c and will continue to transmit; recall that collision detection is not practical in wireless communication. In the scenario just described, we say that node b is hidden from node a with reference to the transmission of node a to node c.

Figure 5.1: Hidden Node Problem
  • 25. • Exposed Node Problem

The interference region of node d is shown as D. Now, suppose node d wishes to send a packet to node e while node a is transmitting to node c. Node d is within the interference region of node a, and hence node d can sense the signal while node a is transmitting to node c. But the two transmissions, d-e and a-c, can co-exist because node c is outside the interference region of node d, and node e is outside the interference region of node a. Nevertheless, node d will be forced to defer transmission on sensing the carrier from node a. So, node d is exposed to a transmission from node a.

Figure 5.2: Exposed Node Problem

Hence, in a wireless network, hidden nodes reduce the capacity by causing collisions at receivers without the transmitter knowing about it, and exposed nodes force a node to be more conservative in its transmission attempts, thus reducing spatial reuse.

• Carrier Sense Multiple Access with Collision Avoidance Mechanism (CSMA/CA)

The Collision Avoidance (CA) mechanism prevents collisions due to transmission by hidden nodes. A simple CA mechanism can be implemented by having an auxiliary signaling channel in addition to the data channel. A node actively receiving data on the data channel transmits a busy tone on the signaling channel to enable the hidden nodes to defer to receiving nodes in their transmission ranges. But this mechanism is cumbersome and inefficient. An alternative mechanism is to use a handshake between transmitter and receiver. The IEEE 802.11 MAC frame exchange protocol addresses the hidden node problem by adding two additional frames. Before transmitting a data packet, a source node transmits a (short) request to send (RTS) packet to the destination. If the destination receives the RTS correctly, it means that it is not receiving any other packet, and it acknowledges the RTS with a clear to send (CTS) packet. The source then begins the packet transmission. If the CTS is not
  • 26. received within a specified timeout period, the source assumes that the RTS had a collision at the receiver (most likely with another RTS packet), and a retransmission is attempted after a random backoff period. The RTS is used to inform nodes in the decode region of the transmitter about the imminent transmission of a packet, and the CTS is used to inform nodes in the decode region of the receiver about the imminent reception of a packet. Hence, hidden nodes are also informed.

Figure 5.3: Solving Hidden Node Problem

In the above figure, node is a hidden node and it defers the transmission with the reception of CTS packet from node B. If the transmission duration information is also included in the RTS and CTS packets, then nodes in the decode region of both transmitter and receiver can maintain a Network Allocation Vector (NAV) that indicates the remaining time in the current transmission, and schedule their own transmissions to avoid collision. After the completion of the RTS/CTS exchange, the medium is reserved in the region that is the union of the decode regions of transmitter and receiver. Hence this channel access mechanism is also called Multiple Access with Channel Acquisition (MACA). Thus, in this protocol, a collision, if it happens, occurs only for the RTS packet.

The RTS/CTS scheme discussed above can only reduce the hidden node problem but does not eliminate it. We know that nodes in the decode region of the receiver are alerted by the CTS. Nodes in the interference region but not in the decode region of the receiver have just sensed a carrier but do not know of the impending packet transmission (since they can’t distinguish a CTS packet from a data packet). Hence, these nodes may transmit during the packet transmission, which causes a collision.

Another issue is that any node in the interference region of the transmitter of an ongoing packet is exposed.
Even if such a node (node d in the above example) were allowed to transmit an RTS to a node (node e, which is outside the interference region of the ongoing transmission), it would itself not be able to receive the subsequent CTS because a collision occurs (node d is in the interference region of node a). Hence, an exposed node will not know if it can transmit.
  • 27. 5.1 IEEE 802.11 MAC Protocol

Two basic protocols are used:

(1) A polling based protocol called Point Coordination Function (PCF)
(2) A random access protocol called Distributed Coordination Function (DCF)

PCF needs a centralized controller and hence can be used only in infrastructure based networks. DCF is used for both infrastructure based and ad hoc based networks. Since we are dealing with mobile ad hoc networks, we will consider DCF in detail.

The distributed coordination function (DCF) of 802.11 specifies the use of CSMA/CA to reduce packet collisions in the network. A node with a packet to transmit picks a random backoff value b chosen uniformly from the range (0,CW), where CW is the contention window size, and transmits after waiting for b idle slots. Nodes exchange request to send (RTS) and clear to send (CTS) packets to reserve the channel before transmission. Three values for interframe space (IFS) are defined to provide priority-based access to the radio channel. SIFS is the shortest interframe space and is used for ACK, CTS and poll response frames. The DIFS window is used by nodes wishing to initiate a new frame exchange. When the DIFS timer expires, each node enters a backoff phase. Here, random backoff is used to avoid collision. The following points are important regarding the backoff phase.

• The node that just completed its data transmission samples a new random backoff value.
• If a node was already in backoff when a particular node started its transmission, the former node's backoff timer is frozen. After the data transmission, the former node continues with the remainder of its backoff value.
• A collision occurs if two nodes finish their backoff simultaneously. In this case, both RTS packets will collide. As a result, a CTS timeout occurs, after which each colliding node starts the backoff timer with double the contention window (CW).
After the collision event, the nodes that were not involved in the collision continue their backoffs with their residual backoff timers.

Consider three nodes Na, Nb and Nc in which node Na wants to send a data packet to node Nb. After the DIFS duration, node Na sends an RTS packet to Nb. The RTS frame contains the time needed to complete the CTS, data, and ACK frames. Every node receiving this RTS packet now sets its network allocation vector (NAV) in accordance with the duration field. The NAV then specifies the earliest point at which the other stations can try to access the medium again. Node Nb, after waiting for SIFS, replies with a CTS packet to node Na. This CTS packet contains the duration field again, and all stations receiving this packet from node Nb have to adjust their NAV. Now all the nodes within receiving distance are informed that they have to wait more time before accessing the medium. Basically this mechanism reserves the medium for one sender exclusively, hence the name virtual reservation scheme. Now, node Na after waiting for SIFS
  • 28. duration sends the data packet to node Nb. Node Nb, after waiting for the SIFS duration, sends an ACK packet to node Na.

Figure 5.4: Illustration of Channel Contention in 802.11 MAC

5.2 Vulnerabilities in Link Layer

The wireless MAC protocol assumes cooperative behavior among all nodes. Obviously, malicious or selfish nodes are not forced to follow the normal operation of the protocol. An attacker can launch the following attacks in the link layer by exploiting certain features used in the MAC protocol.

1. An attacker can exploit the binary backoff scheme to launch a DoS attack in the IEEE 802.11 MAC protocol. The binary exponential scheme favors the last winner amongst the contending nodes. This leads to a phenomenon called the capture effect. The nodes that are heavily loaded tend to capture the channel by continuously sending data, thereby causing lightly loaded neighbors to back off endlessly. A malicious node can take advantage of this capture effect vulnerability.
2. An attacker can manipulate the size of the Network Allocation Vector (NAV) and assign a large idle time period to its neighbors.

Figure 5.5: NAV Attack

3. A selfish node will wait for a smaller backoff interval than the well behaved nodes.
4. An attacker may not wait for the SIFS or DIFS duration.
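To make items 1 and 3 measurable, the following added example (not part of the original survey) runs a slotted model of DCF backoff and reports each node's share of successful transmissions, plus a simple monitor that flags nodes whose average backoff is far below what a compliant node would draw. The contention window bounds, the one-slot transmission time, the `shrink` parameter and the assumption that a monitor can observe each drawn backoff value are all assumptions of this sketch.

```python
import random

CW_MIN, CW_MAX = 31, 1023  # contention window bounds in slots (assumed for this example)


class Node:
    def __init__(self, name, rng, shrink=1):
        self.name = name
        self.rng = rng
        self.shrink = shrink   # 1 = well behaved; >1 = draws from a window shrunk by this factor
        self.cw = CW_MIN
        self.successes = 0
        self.drawn = []        # every backoff value this node drew
        self.draw()

    def draw(self):
        # Backoff chosen uniformly from 0..CW (0..CW/shrink for a selfish node)
        self.counter = self.rng.randint(0, self.cw // self.shrink)
        self.drawn.append(self.counter)


def simulate(shrinks, slots=20000, seed=1):
    """Run saturated nodes for `slots` slots; shrinks[i] is node i's window shrink factor."""
    rng = random.Random(seed)
    nodes = [Node(f"n{i}", rng, s) for i, s in enumerate(shrinks)]
    for _ in range(slots):
        ready = [n for n in nodes if n.counter == 0]
        if not ready:
            # Idle slot: every node counts down
            for n in nodes:
                n.counter -= 1
        elif len(ready) == 1:
            # One transmitter: success; the other nodes' timers stay frozen
            winner = ready[0]
            winner.successes += 1
            winner.cw = CW_MIN
            winner.draw()
        else:
            # Collision: each colliding node doubles its window and redraws
            for n in ready:
                n.cw = min(2 * n.cw + 1, CW_MAX)
                n.draw()
    return nodes


def shares(nodes):
    """Fraction of all successful transmissions won by each node."""
    total = sum(n.successes for n in nodes)
    return {n.name: n.successes / total for n in nodes}


def suspects(nodes, factor=0.5):
    """Names of nodes whose mean backoff is below factor * (CW_MIN / 2)."""
    floor = factor * CW_MIN / 2
    return [n.name for n in nodes if sum(n.drawn) / len(n.drawn) < floor]


if __name__ == "__main__":
    for label, cfg in (("all compliant", [1, 1, 1, 1]), ("n3 selfish", [1, 1, 1, 8])):
        result = simulate(cfg)
        print(label, shares(result), "flagged:", suspects(result))
```

With four compliant nodes the shares stay near one quarter each; shrinking one node's window by a factor of 8 lets it take most of the channel while the compliant nodes keep doubling their windows after collisions.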
  • 29. 5.3 Summary

The wireless MAC protocol assumes cooperative behavior among all nodes in the ad hoc network. Malicious or selfish nodes are not forced to follow the normal operation of the protocol.
  • 30. Chapter 6 SECURITY THREATS IN NETWORK LAYER

Before going into the details of security threats in the network layer, let us have a look at the different routing protocols used in MANET. As nodes are mobile in a MANET, links are created and destroyed in an unpredictable way, which makes determining routes between a pair of nodes that want to communicate with each other quite challenging. In this context, a great number of routing protocols have been proposed. Such routing protocols can be classified into two major classes: (1) proactive routing protocols and (2) reactive routing protocols.

In reactive routing protocols, communication is only possible when the source node requests to communicate with the other node. Reactive MANET protocols are mostly suited for nodes with high mobility or nodes that transmit data rarely. Here, we will discuss two reactive routing protocols, namely AODV and DSR.

A proactive routing protocol detects the layout of the network actively. A routing table can be maintained at every node, from which a route can be determined with less delay. Proactive routing protocols provide good reliability on the current network topology and low latency for deciding a route. We will discuss the OLSR protocol in this literature survey.

An ad hoc routing protocol is a standard that controls how nodes decide which route to take from source to destination. When a node wants to join a network, it discovers the topology by announcing its presence and listening to broadcasts from other nodes in the network. This route discovery is performed differently according to the routing protocol algorithm implemented in the network.

6.1 Reactive Routing Protocol

Reactive routing protocols are also called on-demand routing protocols: they are invoked only when they are needed, and the routes are built at that point. These routes can be acquired by sending
  • 31. route requests through the network. The disadvantage of this algorithm is that it offers high latency in searching a network.

6.1.1 DSR (Dynamic Source Routing)

The Dynamic Source Routing (DSR) protocol is an on-demand routing protocol that is based on the concept of source routing. The protocol is composed of the two main mechanisms of "Route Discovery" and "Route Maintenance", which work together to allow nodes to discover and maintain routes to arbitrary destinations in the ad hoc network. Each node maintains a route cache which stores routes to destinations. Entries in the route cache are continually updated as new routes are learned.

Route Discovery: When a mobile node has a packet to send to some destination, it first consults its route cache to determine whether it already has a route to the destination. If it has an unexpired route to the destination, it will use this route to send the packet. On the other hand, if the node does not have such a route, it initiates route discovery by broadcasting a route request (RREQ) packet. This route request contains the address of the destination, along with the source node’s address and a unique identification number. Each node receiving the packet checks whether it knows of a route to the destination. If it does not have a route, it adds its own address to the route record of the packet and then forwards the packet along its outgoing links. A route reply is generated when the route request reaches the destination, or an intermediate node which contains in its route cache an unexpired route to the destination.

Consider four nodes A, B, C and D as shown in the figure below. Let node A be the source and node D the destination. When node A wishes to send a data packet to node D, it first checks its route cache to see whether it has a direct route to node D. If node A does not have a direct route to node D, it broadcasts a RREQ message in the network. The neighbor node B will get the RREQ message.
Node B first checks its route cache to see whether it has a direct route to the destination node D. If it finds a route to the destination node D, it sends a RREP message to the source node A. On receiving that reply, the source node A starts sending the data packets (DP) on the discovered route. If node B does not find a route to node D, it forwards the RREQ message to the next node C and stores the route AB in its cache. The process continues until the RREQ message reaches the destination node D. The destination node D caches the routes AB, BC and CD in its memory and sends a RREP message to the source node A.
  • 32. Figure 6.1: Route Discovery in DSR

Route Maintenance: Route maintenance uses two kinds of messages, route error (RERR) and acknowledgement (ACK). When a message is successfully received by the destination node, that node sends an acknowledgement (ACK) to the sender; likewise, packets transmitted successfully to the next neighboring node are acknowledged. If there is some problem in the communication network, a route error message, denoted by RERR, is transmitted to the sender to indicate that there is a problem in the transmission. In other words, the source did not get the ACK packet due to some problem, so the source gets the RERR packet in order to reinitiate a new route discovery. On receiving the RERR message, the nodes remove the route entries.

In the figure below, four nodes are shown, i.e. A, B, C and D. Node A sends a message to destination node D. The message travels as far as node C, and the ACK message is received back as far as node B. When node C forwards the RREQ message to node D, it does not receive the ACK message from node D. Node C recognizes that there is some problem in the transmission, so node C sends a RERR message to the source node A, which in turn searches for a new route to the destination node D.

Figure 6.2: Route Maintenance in DSR

6.2 Proactive Routing Protocol

The routing information about all the nodes is built and maintained by the proactive protocols. The proactive routing protocols are independent of whether or not the route is needed. Control messages are transmitted at periodic intervals. Even if there is no data flow, control messages are still transmitted. Because of these control messages, proactive routing protocols are not bandwidth efficient. There are many advantages and disadvantages of proactive routing protocols. One of the advantages is that the nodes can easily get routing information, and it easily starts a
  • 33. session. The disadvantages are that the nodes keep too much data for route maintenance, and that when there is a particular link failure, recovery is too slow. Now, we will discuss two proactive routing protocols, namely the Destination-Sequenced Distance-Vector (DSDV) protocol and the Optimized Link State Routing (OLSR) protocol.

6.2.1 Destination-Sequenced Distance-Vector Routing (DSDV)

DSDV is a table-driven routing protocol based on the Bellman-Ford algorithm. The DSDV protocol can be used in mobile ad hoc networking environments by assuming that each participating node acts as a router. Each node must maintain a table that consists of all the possible destinations. An entry of the table contains the address identifier of a destination, the shortest known distance metric to that destination measured in hop counts, and the address identifier of the node that is the first hop on the shortest path to the destination. Furthermore, the DSDV protocol adds a sequence number to each table entry, assigned by the destination node, preventing the formation of routing loops caused by stale routes. The routing tables are maintained by updates periodically transmitted by each router to all the neighboring routers.

6.3 Secure Routing in MANET

Unlike the traditional wired Internet, where dedicated routers controlled by the Internet service providers (ISPs) exist, in ad hoc wireless networks nodes act both as regular terminals (source or destination) and as routers for other nodes. In the absence of dedicated routers, providing security becomes a challenging task in these networks. Other factors which make the task of ensuring secure communication in ad hoc wireless networks difficult include the mobility of nodes, a promiscuous mode of operation, limited processing power, and limited availability of resources such as battery power, bandwidth, and memory.
6.3.1 Requirements of a Secure Routing Protocol for MANET

The fundamental requisites of a secure routing protocol for ad hoc wireless networks are listed as follows:

• Detection of malicious nodes: A secure routing protocol should be able to detect the presence of malicious nodes in the network and should avoid the participation of such nodes in the routing process. Even if such malicious nodes participate in the route discovery process, the routing protocol should choose paths that do not include such nodes.
• Guarantee of correct route discovery: If a route between the source and the destination nodes exists, the routing protocol should be able to find the route, and should also ensure the correctness of the selected route.
  • 34. • Confidentiality of network topology: We know that an information disclosure attack may lead to the discovery of the network topology by the malicious nodes. Once the network topology is known, the attacker may try to study the traffic pattern in the network. If some of the nodes are found to be more active compared to others, the attacker may try to mount attacks (e.g., DoS) on such bottleneck nodes. This may ultimately affect the on-going routing process. Hence, the confidentiality of the network topology is an important requirement to be met by secure routing protocols.
• Stability against attacks: The routing protocol must be self-stable in the sense that it must be able to revert to its normal operating state within a finite amount of time after a passive or an active attack. The routing protocol should take care that these attacks do not permanently disrupt the routing process. The protocol must also ensure Byzantine robustness, that is, the protocol should work properly even if some of the nodes, which were earlier participating in the routing process, turn out to become malicious at a later point of time or are intentionally damaged.

Secure routing protocols are discussed in ‘Network Layer Defense’.
  • 35. The main assumption of the previously presented ad hoc routing protocols is that all participating nodes do so in good faith and without maliciously disrupting the operation of the protocol. We know that network layer protocols extend connectivity from neighboring 1-hop nodes to all other nodes in the MANET. The connectivity between mobile hosts over a multi-hop wireless link relies heavily on cooperation among all network nodes. By attacking the routing protocols, attackers can absorb network traffic, inject themselves into the path between the source and destination, and thus control the network traffic flow. The attacking node could forward the packet to a non-optimal path, which could introduce significant delay. In addition, the packets could be forwarded to a nonexistent path and get lost. The attackers can create routing loops, and introduce severe network congestion and channel contention into certain areas. Multiple colluding attackers may even prevent a source node from finding any route to the destination, causing the network to partition, which triggers excessive network control traffic and further intensifies network congestion and performance degradation.

6.4 Attacks at the routing discovery phase

There are malicious routing attacks that target the routing discovery or maintenance phase by not following the specifications of the routing protocols. Routing message flooding attacks, such as hello flooding, RREQ flooding, acknowledgement flooding, routing table overflow, routing cache poisoning, and routing loop are simple examples of routing attacks targeting the route discovery phase. We know that proactive routing algorithms, such as DSDV and OLSR, attempt to discover routing information before it is needed, while reactive algorithms, such as DSR and AODV, create routes only when they are needed.
Thus, proactive algorithms perform worse than on-demand schemes because they do not accommodate the dynamics of MANETs; clearly, proactive algorithms require many costly broadcasts. Proactive algorithms are more vulnerable to routing table overflow attacks. Some of these attacks are listed below.

• Routing table overflow: In this type of attack, an attacking node advertises routes to non-existent nodes to the authorized nodes present in the network. The main objective of such an attack is to cause an overflow of the routing tables, which would in turn prevent the creation of entries corresponding to new routes to authorized nodes. Proactive routing protocols are more vulnerable to this attack compared to reactive routing protocols.
• Routing table poisoning: Here, the compromised nodes in the network send fictitious routing updates or modify genuine route update packets sent to other uncompromised nodes. Routing table poisoning may result in sub-optimal routing, congestion in portions of the network, or even make some parts of the network inaccessible.
• Packet replication: In this attack, an attacking node replicates stale packets. This consumes additional bandwidth and battery power resources available to the nodes and also causes unnecessary confusion in the routing process.
  • 36. • Route cache poisoning: In the case of on-demand routing protocols (such as the AODV protocol), each node maintains a route cache which holds information regarding routes that have become known to the node in the recent past. Similar to routing table poisoning, an attacking node can also poison the route cache to achieve similar objectives.

6.5 Attacks at data forwarding phase

Some attacks also target the data packet forwarding functionality in the network layer. In this scenario the malicious nodes participate cooperatively in the routing protocol's route discovery and maintenance phases, but in the data forwarding phase they do not forward data packets consistently according to the routing table. Malicious nodes simply drop data packets quietly, modify data content, replay, or flood data packets; they can also delay forwarding time-sensitive data packets selectively or inject junk packets.

6.6 Advanced Attacks

6.6.1 Wormhole Attack

The wormhole attack is also known as the tunneling attack. A tunneling attack is where two or more nodes collaborate to encapsulate and exchange messages between them along existing data routes. Once the wormhole link is established, the attacker captures packets on one end, sends them through the wormhole link and replays them at the other end. The tunnel can be established in many different ways, such as through an out-of-band hidden channel (e.g., a wired link), packet encapsulation, or high powered transmission.

Wormhole using Encapsulation: In the figure below, M1 and M2 are two malicious nodes that encapsulate data packets and falsify the route lengths.

Figure 6.3: Wormhole Attack

Suppose node S wishes to form a route to D and initiates route discovery. When M1 receives a
  • 37. RREQ from S, M1 encapsulates the RREQ and tunnels it to M2 through an existing data route, in this case {M1 - A - B - C - M2}. Note that due to the packet encapsulation, the hop count does not increase during the traversal through {M1 - A - B - C - M2}. When M2 receives the encapsulated RREQ, it forwards the RREQ on to D as if it had only traveled {S - M1 - M2 - D}. After route discovery, the destination finds two routes from S of unequal length: one is of 5 and another is of 4. If M2 tunnels the RREP back to M1, S would falsely consider the path to D via M1 to be better than the path to D via A. Thus, tunneling can prevent honest intermediate nodes from correctly incrementing the metric used to measure path lengths. Any routing protocol that uses the shortest path metric to choose the best route is vulnerable to this mode of wormhole attack.

Wormhole using Out-of-Band Channel: The second mode for this attack is the use of an out-of-band channel. This channel can be achieved, for example, by using a long range directional wireless link or a direct wired link. This mode of attack is more difficult to launch than the previous one since it needs specialized hardware capability. Consider the scenario shown in the figure below. Node A sends a RREQ to node B, and nodes M1 and M2 are malicious nodes having an out-of-band channel between them.

Figure 6.4: Wormhole attack using Out-of-Band Channel

Node M1 tunnels the RREQ to M2, which is not a legitimate neighbor of B. Node M2 broadcasts the packet to its neighbors, including B. B gets two RREQs, namely {A - M1 - M2 - B} and {A - C - D - E - F - B}. The first route is both shorter and faster than the second route, and is thus chosen by B.

Wormhole with High Power Transmission: Another method is the use of high power transmission. In this mode, when a single malicious node gets a RREQ, it broadcasts the request at a high power level, a capability which is not available to other nodes in the network.
Any node that hears the high-power broadcast rebroadcasts it towards the destination. By this method, the malicious node increases its chance of being on the routes established between the source and the destination even without the participation of a colluding node.
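The encapsulation mode described above can be reproduced in a small route-discovery model that tracks, for every RREQ copy reaching the destination, both the hop count recorded in the packet and the number of physical hops it really crossed. This is an added example, not part of the original survey; the topology is constructed for the sketch (it is not the one in Figure 6.3), and `discover`, `select_route` and the one-time-unit-per-hop timing are assumptions.

```python
import heapq
from itertools import count

# Constructed topology: honest route S-A-B-C-D, malicious nodes M1 and M2.
GRAPH = {
    "S": ["M1", "A"],
    "M1": ["S", "A"],
    "A": ["S", "M1", "B"],
    "B": ["A", "C"],
    "C": ["B", "D", "M2"],
    "M2": ["C", "D"],
    "D": ["C", "M2"],
}
# Existing data route that M1 uses to carry the encapsulated RREQ to M2.
TUNNEL = ["M1", "A", "B", "C", "M2"]


def discover(graph, src, dst, tunnel=None):
    """Flood a RREQ from src; return every copy that reaches dst."""
    seq = count()
    events = []      # (arrival time, tie-breaker, node, route record, physical hops, tunneled)
    seen = {src}     # duplicate suppression at intermediate nodes
    found = []

    def send(t, node, record, phys, tunneled=False):
        heapq.heappush(events, (t, next(seq), node, record, phys, tunneled))

    for nbr in graph[src]:
        send(1, nbr, [src], 1)
    while events:
        t, _, node, record, phys, tunneled = heapq.heappop(events)
        if node == dst:
            found.append({"route": record + [dst], "advertised_hops": len(record),
                          "physical_hops": phys, "arrival": t})
            continue
        if node in seen and not tunneled:
            continue                      # honest duplicate suppression
        seen.add(node)
        if tunnel and node == tunnel[0] and not tunneled:
            # Tunnel entry: the RREQ rides inside data packets, so the nodes on
            # the tunnel path never append themselves to the route record.
            hops = len(tunnel) - 1
            send(t + hops, tunnel[-1], record + [node], phys + hops, tunneled=True)
            continue
        for nbr in graph[node]:
            send(t + 1, nbr, record + [node], phys + 1)
    return found


def select_route(found):
    """Shortest-path metric: fewest advertised hops, earliest arrival as tie-break."""
    return min(found, key=lambda r: (r["advertised_hops"], r["arrival"]))


if __name__ == "__main__":
    print("no tunnel :", select_route(discover(GRAPH, "S", "D")))
    print("wormhole  :", select_route(discover(GRAPH, "S", "D", TUNNEL)))
```

In this model the tunneled copy advertises the fewest hops, so the shortest-path metric selects it, even though it crossed more physical links and reached the destination later than the honest copy.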
  • 38. 6.6.2 Blackhole attack

In this attack, a malicious node falsely advertises good paths to the destination node with the intention of intercepting all data packets being sent to the destination node concerned. The blackhole attack is performed in two steps. In the first step, the malicious node exploits the mobile ad hoc routing protocol, such as AODV, to advertise itself as having a valid route to a destination node, even though the route is spurious, with the intention of intercepting the packets. In the second step, the attacker consumes the packets and never forwards them. In an advanced form, the attacker suppresses or modifies packets originating from some nodes, while leaving the data from the other nodes unaffected. In this way, the attacker deceives the neighboring nodes that monitor the ongoing packets.

In the figure below, node 1 wants to send data packets to node 4 and initiates the route discovery process. We assume that node 3 is a malicious node and that it claims to have a route to the destination whenever it receives RREQ packets, and immediately sends the response to node 1. If the response from node 3 reaches node 1 first, then node 1 thinks that the route discovery is complete, ignores all other reply messages and begins to send data packets to node 3. As a result, all packets through the malicious node are consumed or lost.

Figure 6.5: Blackhole Attack

6.6.3 Byzantine attack

Here, a compromised intermediate node or a set of compromised intermediate nodes works in collusion and carries out attacks such as creating routing loops, routing packets on non-optimal paths, and selectively dropping packets. Byzantine failures are hard to detect. The network would seem to be operating normally from the viewpoint of the nodes, though it may actually be exhibiting Byzantine behavior. This attack will degrade the routing performance and also disrupt the routing services.
6.6.4 Information disclosure

A compromised node may leak confidential or important information to unauthorized nodes in the network. Such information may include information regarding the network topology, geographic location of nodes, or optimal routes to authorized nodes in the network.
  • 39. 6.6.5 Resource consumption attack

In this attack, a malicious node tries to consume or waste away the resources of other nodes present in the network. The resources that are targeted are battery power, bandwidth, and computational power, which are available only in limited amounts in ad hoc wireless networks. The attacks could be in the form of unnecessary requests for routes, very frequent generation of beacon packets, or forwarding of stale packets to nodes. Using up the battery power of another node by keeping that node always busy by continuously pumping packets to it is known as a sleep deprivation attack.

6.6.6 Rushing attack

On-demand routing protocols that use duplicate suppression during the route discovery process are vulnerable to this attack. An attacking node which receives a RouteRequest packet from the source node floods the packet quickly throughout the network before other nodes which also receive the same RouteRequest packet can react. Nodes that receive the legitimate RouteRequest packets assume those packets to be duplicates of the packet already received through the attacking node and hence discard those packets. Any route discovered by the source node would contain the attacking node as one of the intermediate nodes. Hence, the source node would not be able to find secure routes, that is, routes that do not include the attacking node. It is extremely difficult to detect such attacks in ad hoc wireless networks.

6.7 Summary

The network layer of the MANET is more immune to attack than all other layers. A good secure routing algorithm can prevent the attack in a more efficient manner. There is no unique algorithm that can prevent all the vulnerabilities. They should be used in cooperation with each other.
  • 40. Chapter 7 SECURITY THREATS IN TRANSPORT LAYER

The objectives of TCP-like transport layer protocols in MANET include setting up of end-to-end connections, end-to-end reliable delivery of packets, flow control, congestion control, and clearing of end-to-end connections. Before going to the discussion of transport layer attacks, let us briefly review TCP connection management.

7.1 Establishing a TCP connection

Here, we are assuming a client-server model in which a client wants to establish a connection with the server. For that, the client application process first informs the client TCP that it wants to establish a connection to a process in the server. The TCP in the client then proceeds to establish a TCP connection with the TCP in the server in the following manner.

1. The client side TCP first sends a special TCP segment to the server side TCP. This TCP segment contains no application data, but one of the flag bits in the segment’s header, the so-called SYN bit, is set to 1. Hence this special segment is also called a SYN segment. Also, the client randomly chooses an initial sequence number, say client_isn, and puts this number in the sequence number field of the initial TCP SYN segment.

2. Once the TCP SYN segment arrives at the server, the server allocates TCP buffers and variables to the connection and sends a connection granted segment to the client TCP. The connection granted segment also contains no application data. However, it does contain three important pieces of information in the segment header. First, the SYN bit is set to 1. Second, the acknowledgment field of the TCP segment header is set to client_isn+1. Finally, the server chooses its own initial sequence number (server_isn) and puts this value in the sequence number field of the TCP segment header. The connection granted segment is sometimes referred to as a SYN-ACK segment.
This connection granted segment is saying, in effect, "I received your SYN packet to start a connection with your initial sequence number, client_isn. I agree to establish this connection. My own initial
  • 41. sequence number is server_isn."

3. Upon receiving the SYN-ACK segment, the client also allocates buffers and variables to the connection. The client host then sends the server yet another segment, which acknowledges the server’s connection granted segment with the SYN bit set to 0, ACK field = server_isn+1, and sequence field = client_isn+1. This segment is also called the ACK segment.

Figure 7.1: TCP 3-way handshake

7.2 Closing TCP connection

Suppose the client application process issues a connection close command. This causes the following:

1. The client TCP sends a special TCP segment with the FIN flag bit set to 1.
2. The server receives the segment and sends the client an acknowledgement segment in return.
3. The server then sends its own shutdown message with FIN = 1.
4. Finally, the client acknowledges the server's shutdown message.

Figure 7.2: TCP connection termination
  • 42. 7.3 Attacks in Transport Layer

The 3-way handshake allows two nodes to learn that the other is ready to communicate and to agree on initial sequence numbers for the conversation. From the above discussion, the allocation of buffers and variables before completing the third step of the 3-way handshake makes TCP vulnerable to DoS attack. Transport layer attacks can be classified as (i) SYN flooding attack and (ii) session hijacking.

7.3.1 SYN flooding attack

The SYN flood attack sends TCP connection requests faster than a machine can process them. It is a denial-of-service attack in which an attacker creates a large number of half-opened TCP connections with a victim node, but never completes the handshake to fully open the connection. For two nodes to communicate using TCP, they must first establish a TCP connection using a three-way handshake. The three messages exchanged during the handshake allow both nodes to learn that the other is ready to communicate and to agree on initial sequence numbers for the conversation.

The attacker first creates a half-open connection with the neighboring node. Creating half-open connections is easily accomplished with IP spoofing. The attacking system sends SYN messages to the victim node. The SYN-ACK packets are sent out from the victim node right after it receives the SYN packets from the attacker, and then the victim waits for the ACK packet in response. Without receiving the ACK packets, the half-open data structure remains in the victim node. In this way, the attacker sends a large number of SYN packets to a victim node. If the victim node stores these half-opened connections in a fixed-size table while it awaits the acknowledgement of the three-way handshake, all of these pending connections could overflow the buffer, and the victim node would not be able to accept any other legitimate attempts to open a connection.
Normally there is a time-out associated with a pending connection, so the half-open connections will eventually expire and the victim node will recover. However, malicious nodes can simply continue sending packets that request new connections faster than the pending connections expire.

7.3.2 Session Hijacking

Session hijacking is a critical error and gives a malicious node the opportunity to behave as a legitimate system. All communications are authenticated only at the beginning of session setup. The attacker may take advantage of this to carry out a session hijacking attack. First, the attacker spoofs the victim's IP address, determines the correct sequence number that is expected by the target, and then performs a DoS attack on the victim. As a result, the target system becomes unavailable for some time. The attacker thus impersonates the victim node and continues the session with the target.
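The fixed-size table and time-out behaviour described for SYN flooding in 7.3.1 can be modelled directly. The following is an added example, not code from the survey: a discrete-time model in which the function names, the tick-based timing and the sample parameters are all assumptions made for illustration.

```python
def saturates(backlog_size, timeout, flood_rate):
    """True when never-completed SYNs arrive fast enough to keep the
    half-open table full: entries created per time-out >= table size."""
    return flood_rate * timeout >= backlog_size

def simulate_backlog(backlog_size, timeout, flood_rate, legit_every, duration):
    """Model a listener's fixed-size table of half-open connections.

    Per tick: expired entries are dropped, `flood_rate` SYNs arrive that are
    never acknowledged, and every `legit_every` ticks one legitimate SYN
    arrives (assumed to complete its handshake one tick later).
    Returns (legit_accepted, legit_refused, peak_half_open).
    """
    table = []                      # expiry tick of each half-open entry
    accepted = refused = peak = 0
    for t in range(duration):
        # 1. Time-out: pending connections that waited too long are freed.
        table = [expiry for expiry in table if expiry > t]
        # 2. SYNs with no final ACK occupy slots until their time-out.
        free = backlog_size - len(table)
        table.extend([t + timeout] * min(flood_rate, free))
        # 3. A legitimate client needs one free slot for a single tick.
        if t % legit_every == 0:
            if len(table) < backlog_size:
                table.append(t + 1)
                accepted += 1
            else:
                refused += 1
        peak = max(peak, len(table))
    return accepted, refused, peak

if __name__ == "__main__":
    # Constructed parameters: 128-slot table, one legitimate SYN every 5 ticks.
    for timeout, rate in [(30, 2), (30, 10), (10, 10)]:
        result = simulate_backlog(128, timeout, rate, 5, 200)
        print(f"timeout={timeout} rate={rate} "
              f"saturates={saturates(128, timeout, rate)} -> {result}")
```

The third parameter set shows why the time-out matters for recovery: at the same arrival rate, a shorter time-out keeps the table below capacity and legitimate connections are accepted again.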
  • 43. 7.3.3 TCP ACK Storm

An attacker can start a TCP ACK storm after hijacking a TCP session. An ACK storm is a situation in which a large number of Transmission Control Protocol (TCP) acknowledgment (ACK) packets are generated, usually because of an attempted session hijacking.

Figure 7.3: TCP ACK Storm

The attacker sends injected session data, and node A will acknowledge the receipt of the data by sending an ACK packet to node B. This packet will not contain a sequence number that node B is expecting (because node B hasn't sent any data), so when node B receives this packet, it will try to resynchronize the TCP session with node A by sending it an ACK packet with the sequence number that it is expecting. The cycle goes on and on, and the ACK packets passing back and forth create an ACK storm.

Hijacking a session over UDP is the same as over TCP, except that UDP attackers do not have to worry about the overhead of managing sequence numbers and other TCP mechanisms. Since UDP is connectionless, edging into a session without being detected is much easier than with the TCP session attacks.

7.4 Summary

From the above discussion, it is clear that both TCP and UDP are vulnerable to attack. An attack on UDP is easier, since the attacker need not be worried about the overhead of managing sequence numbers.
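The ACK exchange described in 7.3.3 leaves a recognisable trace: empty ACK segments bouncing between two nodes, each side repeating the same sequence and acknowledgment numbers. The following detector is an added example, not part of the survey; the record layout, the threshold and the sample segments are constructed for illustration.

```python
from collections import namedtuple

# One observed TCP segment; the field names are this example's own.
Seg = namedtuple("Seg", "src dst seq ack flags length")

def find_ack_storms(segments, threshold=6):
    """Return {flow: longest run} for flows where empty ACKs bounce back and
    forth, each side repeating the same seq/ack pair, `threshold` times or more."""
    state = {}      # flow -> [last sender, {sender: (seq, ack)}, run length]
    longest = {}
    for s in segments:
        flow = tuple(sorted((s.src, s.dst)))
        last_src, pairs, run = state.get(flow, [None, {}, 0])
        if s.flags != "A" or s.length > 0:
            # Data, SYN, FIN or RST: the endpoints are making progress.
            state[flow] = [s.src, {}, 0]
            continue
        same_numbers = pairs.get(s.src, (s.seq, s.ack)) == (s.seq, s.ack)
        if run and s.src != last_src and same_numbers:
            run += 1                    # the ping-pong continues
        else:
            run, pairs = 1, {}          # start counting a new run
        pairs[s.src] = (s.seq, s.ack)
        state[flow] = [s.src, pairs, run]
        longest[flow] = max(longest.get(flow, 0), run)
    return {f: n for f, n in longest.items() if n >= threshold}

def sample_capture():
    """Constructed segment records (not a real capture)."""
    c, d = "10.0.0.1", "10.0.0.2"       # ordinary data transfer
    normal = [Seg(c, d, 100, 900, "PA", 50), Seg(d, c, 900, 150, "A", 0),
              Seg(c, d, 150, 900, "PA", 50), Seg(d, c, 900, 200, "A", 0)]
    node_a, node_b = "10.0.0.3", "10.0.0.4"
    # Node A acknowledges data node B never sent; node B answers with the
    # numbers it expects; neither side advances, so the pair repeats.
    storm = [Seg(node_a, node_b, 1000, 5200, "A", 0),
             Seg(node_b, node_a, 5000, 1000, "A", 0)] * 5
    return normal + storm

if __name__ == "__main__":
    print(find_ack_storms(sample_capture()))
```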
  • 44. Chapter 8

SECURITY THREATS IN APPLICATION LAYER

Application layer communication is also vulnerable to attacks, as the other layers are. The application layer contains user data, and it normally supports many protocols such as HTTP, SMTP, TELNET, and FTP, which provide many vulnerabilities and access points for attackers. Application layer attacks are attractive to attackers because the information they seek ultimately resides within the application, so they can directly make an impact and reach their goals.

8.1 Malicious code attacks:

Malicious code, such as viruses, worms, spyware, and Trojan horses, can attack both operating systems and user applications. These malicious programs can usually spread themselves through the network and cause computer systems and networks to slow down or even be damaged. In a MANET, an attacker can mount similar attacks against the mobile systems of the ad hoc network.

8.2 Repudiation attacks:

In the network layer, firewalls can be installed to keep packets in or keep packets out. In the transport layer, entire connections can be encrypted end-to-end. But these solutions do not solve the authentication or non-repudiation problems in general. Repudiation refers to a denial of participation in all or part of the communication. For example, a selfish person could deny conducting an operation on a credit card purchase, or deny any on-line bank transaction, which is the prototypical repudiation attack on a commercial system.
  • 45. 8.3 Summary

Application layer attacks are attractive to attackers because the information they seek ultimately resides within the application, so they can directly make an impact and reach their goals. The main security issues in the application layer are detecting and preventing viruses, worms, malicious code and application abuse.
  • 46. Chapter 9

COUNTERMEASURES

The ultimate goal of the security solutions for MANETs is to provide security services to mobile users, such as

1. Authentication
2. Confidentiality
3. Integrity
4. Non-repudiation
5. Availability

In order to achieve this goal, the security solution should provide complete protection spanning the entire protocol stack. There is no single mechanism that will provide all the security services in MANETs.

• Authentication: Authentication ensures that the access and supply of data is done only by the authorized parties. It is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function is to assure the recipient that the message is from the source that it claims to be from. In wired networks and infrastructure-based wireless networks, it is possible to implement a central authority at a point such as a router, base station, or access point. But in MANETs there is no central authority, so it is much more difficult to authenticate an entity. Authentication can be provided by using encryption along with cryptographic hash functions, digital signatures and certificates.

• Confidentiality: Confidentiality ensures that certain information is only readable or accessible by the authorized party. Basically, it protects data from passive attacks. Transmission of sensitive information such as military information requires confidentiality. MANETs use an open medium, so usually all nodes within the direct transmission range can obtain the data. One way to keep information confidential is to encrypt the data, and another technique is
  • 47. to use directional antennas. It also ensures that the transmitted data can only be accessed by the intended receivers.

• Integrity: Integrity guarantees that only the authorized parties are allowed to modify the information or messages. To protect the integrity of information, one must employ suitable validation techniques such as digital signatures.

• Availability: Availability refers to allowing legitimate users to access confidential information after they have been properly authenticated. Availability ensures the survivability of network services despite various attacks. For example, on the physical and media access control layers, an attacker could employ jamming to interfere with communication on the physical channel, while on the network layer it could disrupt the routing protocol and the continuity of services of the network.

• Non-Repudiation: Non-repudiation prevents either sender or receiver from denying a transmitted message. Thus, when a message is sent, the receiver can prove that the message was in fact sent by the alleged sender. On the other hand, after sending a message, the sender can prove that the message was received by the alleged receiver. Non-repudiation is useful for detection and isolation of compromised nodes. When node A receives an erroneous message from node B, non-repudiation allows A to accuse B using this message and to convince other nodes that B is compromised.

• Scalability: Even though scalability is not directly related to security, it is a very important issue that has a great impact on security services. An ad hoc network may consist of hundreds or even thousands of nodes. Security mechanisms should be scalable to handle such a large network. Otherwise, a newly added node in the network can be compromised by the attacker and used for gaining unauthorized access to the whole system. It is very easy to make an island-hopping attack through one rough point in a distributed network.
A variety of security mechanisms have been invented to counter malicious attacks. The conventional approaches such as authentication, access control, encryption, and digital signatures provide a first line of defense. As a second line of defense, intrusion detection systems and cooperation enforcement mechanisms implemented in a MANET can also help to defend against attacks or enforce cooperation, reducing selfish node behavior.

9.1 Preventive mechanism:

The conventional authentication and encryption schemes are based on cryptography, which includes asymmetric and symmetric cryptography. Cryptographic primitives such as hash values (message digests) are sufficient for providing data integrity in transmission as well. Threshold cryptography can be used to hide data by dividing it into a number of shares. Digital signatures