
Introduction

Since their appearance in 1970 in the form of ALOHANET, wireless packet radio networks
have come a long way in numbers, applications and feature set, among other things. The two
largest attractions of wireless communication have been mobility and ease of deployment:
laying cables is not only laborious and time consuming, but their maintenance is equally
bothersome. Wireless communication today surrounds us in many colors and flavors, each
with its own frequency band, coverage and range of applications. It has matured to a large
extent, and standards have evolved for Personal Area Networks, Local Area Networks as well
as Broadband Wireless Access.

1.1 Infrastructure-less Networks


In any but the most trivial networks (point-to-point links), some mechanism is required for
routing packets from the source to the final destination. This includes discovery and
maintenance of routes along with their associated costs. In what is called an
infrastructure-based wireless network, the job of routing is assigned to dedicated nodes
called access points (APs). Configurations of the APs are much less dynamic than those of
their, possibly mobile, end-point nodes. APs are like base stations: they keep track of node
associations/disassociations, authentication etc. and control the traffic flow between their
clients as well as between fellow APs. The AP may also be connected to the Internet,
thereby providing Internet connectivity to its clients.

A very attractive and promising category of wireless networks that has emerged is based on
an Ad Hoc topology; these networks are called Wireless Ad Hoc Networks. The term
wireless network implies a computer network in which the communication links are
wireless. The term Ad Hoc comes from the fact that there is no fixed infrastructure for
forwarding/ routing the packets. Figure 1.1 [2] shows an infrastructure-based and an Ad
Hoc wireless network.

Figure 1-1: Ad Hoc and Infrastructure Network Topologies [2] (infrastructure side: BSS #1
and BSS #2, each with an AP and its clients; Ad Hoc side: Node 1 and Node 2 communicating
directly)

Figure 1-2: A Typical MANET [6]


A typical MANET (Mobile Ad Hoc Network) is shown in Figure 1-2 [6]. The circles indicate
the communication ranges of individual nodes. In the real world, this boundary is never
likely to be a perfect circle, and links can in fact be unidirectional in many cases: node
A can reach node B on link 1, but node B may not be able to use this link to reach node
A. This can happen because the signal strengths of the two transmitters are unequal, or
because of the transmission path itself.
In Ad Hoc networks, each node is willing to forward data to other nodes, and so the
determination of which nodes forward data is made dynamically based on the network
connectivity. This is in contrast to the infrastructure-based networks in which designated
nodes, usually with custom hardware and variously known as routers, switches, hubs, and
firewalls, perform the task of forwarding the data. Minimal configuration and quick
deployment make Ad Hoc networks suitable for emergency situations like natural or
human-induced disasters, military conflicts, emergency medical situations etc. An Ad Hoc
network is formed for a purpose by participating wireless nodes and is then torn down.
These networks introduced a new way of establishing networks and are well suited for
environments where either the infrastructure is lost or deploying an infrastructure is
not cost-effective.

1.2 A Brief History of Wireless Ad Hoc Networks


The whole life-cycle of Ad Hoc networks [33] could be categorized into first, second, and
third generation Ad Hoc network systems. Present ad-hoc networks systems are considered
the third generation.

The first generation of wireless Ad Hoc networks dates back to 1972. At the time, they
were called PRNET (Packet Radio Networks). Combining ALOHA and CSMA (Carrier Sense
Multiple Access) approaches for medium access control with a kind of distance-vector
routing, PRNET was used on a trial basis to provide different networking capabilities in
a combat environment.

The second generation [6] of Ad Hoc networks emerged in the 1980s, when the ad-hoc network
systems were further enhanced and implemented as part of the SURAN (Survivable
Adaptive Radio Networks) program. This provided a packet-switched network to the
mobile battlefield in an environment without infrastructure. The program proved
beneficial in improving the radios' performance by making them smaller, cheaper, and
resilient to electronic attacks.

In the 1990s, the concept of commercial ad-hoc networks [6] arrived with notebook
computers and other viable communications equipment. At the same time, the idea of a
collection of mobile nodes was proposed at several research conferences.

The IEEE 802.11 [7] subcommittee had adopted the term "ad-hoc networks" and the
research community had started to look into the possibility of deploying ad-hoc networks in
other areas of application.

Meanwhile, work was going on to advance the previously built ad-hoc networks. GloMo
[8] (Global Mobile Information Systems) and the NTDR (Near-term Digital Radio) are
results of these efforts. GloMo was designed to provide an office environment with
Ethernet-type multimedia connectivity anywhere and anytime in handheld devices.

NTDR [9] is the only "real" non-prototypical ad-hoc network that is in use today. It uses
clustering and link-state routing, and is self-organized into a two-tier ad-hoc network.

The development of different channel access approaches, in the CSMA/CA and TDMA molds,
and of several routing and topology control mechanisms were some of the other innovations
of that time.

Later on, in the mid-1990s, the Mobile Ad Hoc Networking (MANET) working group was formed
within the Internet Engineering Task Force (IETF) to standardize routing protocols for
ad-hoc networks. The development of routing within the working group and the larger
community resulted in the reactive and proactive routing protocols.

Soon after, the IEEE 802.11 subcommittee standardized a medium access protocol that was
based on collision avoidance and tolerated hidden terminals, making it usable for building
mobile ad-hoc network prototypes out of notebooks and 802.11 PCMCIA (Personal Computer
Memory Card International Association) cards. Wireless local area network products
(IEEE 802.11, HIPERLAN) provide in-building wireless access; however, they are usually
deployed as access links only, packet relaying being performed by traditional bridges or
routers. Bluetooth is a low cost technology for short range communication; its market is
targeted towards PCs, phones, appliances, watches, etc. It allows multiple nodes to connect
to each other in a multi-hop arrangement.

Efforts are on to standardize different existing schemes for different network controls in a
single framework which could be taken as a standard for all the future applications utilizing
ad-hoc networks as a networking technology. Wireless devices are getting smaller, cheaper,
and more sophisticated. As these devices become more ubiquitous, organizations are
looking for inexpensive ways to keep these devices connected. Building an ad-hoc network
could make that happen.

Wireless Ad Hoc Networks can broadly be classified into three categories: Mobile ad-hoc
networks (MANETs), Wireless Sensor Networks, and Wireless Mesh Networks. Each one
of these has significance for different application areas; each of these differs in the capacity
and capabilities of nodes that participate in the network, the purpose of the network and the
communication protocols employed. The focus of this thesis is MANETs; from this point
onwards, the words MANETs and Wireless Ad Hoc Networks will be used
interchangeably.

1.3 Challenges in Wireless Ad Hoc Networks


The two most significant differences between infrastructure-based and Ad Hoc networks
are a) communications in Ad Hoc networks are truly peer-to-peer and b) the individual
nodes that do jobs of their own are also now required to route packets as required. These
differences lead to some unique and extremely difficult challenges for Ad Hoc networks.
Unlike dedicated routers, hosts in MANETs have limited computational resources and, more
importantly, being battery-operated, very limited power. Making routing decisions in
general-purpose hosts under constantly changing surroundings is a big challenge.
However, arguably the most important of these challenges is that of security. MANETs are
zero-administration environments. The absence of infrastructure and the consequent absence
of authorization facilities impede the usual practice of establishing a line of defense to
separate the trusted from the non-trusted. Such a line of defense would be based on a
security policy, possession of the necessary credentials and the ability of nodes to
validate them. In the context of MANETs, there may be no basis for an a priori
classification. Additionally, freely roaming nodes join and leave MANETs independently and
without notice, making it difficult to have a clear picture of the Ad Hoc network
membership. In such an environment, there is no guarantee that a path between two nodes
would be free of malicious nodes. Such nodes would not comply with the employed protocol
and would attempt to harm network operation. The presence of even a small number of
adversarial nodes could cause the entire network to collapse.

1.4 Routing in Ad Hoc Networks


The lack of a backbone infrastructure [37] coupled with the fact that mobile Ad Hoc
networks change their topology frequently and without prior notice makes packet routing in
ad-hoc networks a challenging task. The suggested approaches for routing can be divided
into topology-based and position-based routing.
Topology-based routing protocols use the information about the links that exist in the
network to perform packet forwarding. They can be further divided into proactive, reactive,
and hybrid approaches.
Proactive algorithms employ classical routing strategies such as distance-vector routing
(e.g., DSDV) or link-state routing (e.g., OLSR and TBRPF). They maintain routing
information about the available paths in the network even if these paths are not currently
used. The main drawback of these approaches is that the maintenance of unused paths may
occupy a significant part of the available bandwidth if the topology of the network changes
frequently.
In response to this observation, reactive routing protocols were developed (e.g., DSR,
TORA, and AODV). Reactive routing protocols maintain only the routes that are currently
in use, thereby reducing the burden on the network when only a small subset of all
available routes is in use at any time. However, they still have some inherent limitations.
First, since routes are only maintained while in use, a route discovery is typically
required before packets can be exchanged between communication peers. This delays the
first packet to be transmitted. Second, even though route maintenance for reactive
algorithms is restricted to the routes currently in use, it may still generate a
significant amount of network traffic when the topology of the network changes frequently.
Finally, packets en route to the destination are likely to be lost if the route to the
destination changes.
Hybrid Ad Hoc routing protocols such as ZRP combine local proactive routing and global
reactive routing in order to achieve a higher level of efficiency and scalability. However,
even a combination of both strategies still needs to maintain at least those network paths
that are currently in use, limiting the amount of topological changes that can be tolerated
within a given amount of time.
Position-based routing algorithms eliminate some of the limitations of topology-based
routing by using additional information. They require that information about the physical
position of the participating nodes be available. Commonly, each node determines its own
position through the use of GPS or some other type of positioning service. A location
service is used by the sender of a packet to determine the position of the destination and
to include it in the packet's destination address.
The routing decision at each node is then based on the destination's position contained in
the packet and the positions of the forwarding node's neighbors. Position-based routing
thus does not require the establishment or maintenance of routes. The nodes have neither to
store routing tables nor to transmit messages to keep routing tables up to date. As a
further advantage, position-based routing supports the delivery of packets to all nodes in
a given geographic region in a natural way. This type of service is called geocasting.
Regardless of the approach to routing, a routing protocol should be able to automatically
recover from any problem in a finite amount of time without human intervention.
Conventional routing protocols are designed for nonmoving infrastructures and assume that
routes are bidirectional, which is not always the case for ad-hoc networks. Identification of
mobile terminals and correct routing of packets to and from each terminal while moving
are certainly challenging.

1.4.1 Some Popular Routing Protocols for Ad-Hoc Networks


In this section we discuss some popular routing algorithms proposed for MANETs.
1.4.1.1 Destination-Sequenced Distance Vector (DSDV) Protocol
The Destination-Sequenced Distance Vector (DSDV) protocol is a table-driven routing
protocol based on an improved version of the classical Bellman-Ford routing algorithm.
Like the Routing Information Protocol (RIP), it is a distance-vector protocol: a node holds
a routing table containing all the possible destinations within the network and the number
of hops to each destination. Being distance-vector based, DSDV assumes bidirectional links.
A limitation of DSDV is that it provides only one route for a source/destination pair.

DSDV requires each node to periodically broadcast routing updates. The key advantage of
DSDV over traditional distance vector protocols is that it guarantees loop-freedom.
Each DSDV node maintains a routing table listing the next hop for each reachable
destination. DSDV tags each route with a sequence number and considers a route R1 more
favorable than R2 if R1 has a greater sequence number, or if the two routes have equal
sequence numbers but R1 has a lower metric. Each node in the network advertises a
monotonically increasing even sequence number for itself. When a node B decides that its
route to a destination D has broken, it advertises the route to D with an infinite metric
and a sequence number one greater than its sequence number for the route that has broken
(making an odd sequence number). This causes any node A routing packets through B
to incorporate the infinite-metric route into its routing table until node A hears a route
to D with a higher sequence number.
The structure of the routing table for this protocol is simple. Each table entry has a
sequence number that is incremented every time a node sends an update message. Routing
tables are updated when the topology of the network changes and are propagated throughout
the network to keep the information consistent. Each DSDV [12] node maintains two routing
tables: one for forwarding packets and one for advertising incremental routing updates. The
routing information sent periodically by a node contains a new sequence number, the
destination address, the number of hops to the destination node, and the sequence number
of the destination. When the topology of a network changes, the detecting node sends an
update packet to its neighboring nodes.
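The sequence-number rule above is easier to see in code. The following is an added example, not code from this thesis or from any DSDV implementation: a small Python model of a DSDV routing table with the preference rule (higher sequence number wins, then lower metric), even self-advertisements, and the odd-numbered infinite-metric withdrawal when a link breaks. The node names, the INFINITY sentinel and the three-node scenario in the usage are constructed for illustration; periodic timers and incremental versus full dumps are left out.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

INFINITY = 2 ** 16   # constructed sentinel metric meaning "unreachable"


@dataclass
class Route:
    dest: str
    next_hop: Optional[str]
    metric: int          # hop count
    seq: int             # destination sequence number


def is_better(candidate: Route, current: Optional[Route]) -> bool:
    """DSDV preference rule: the higher destination sequence number wins;
    on equal sequence numbers the lower metric wins."""
    if current is None:
        return True
    if candidate.seq != current.seq:
        return candidate.seq > current.seq
    return candidate.metric < current.metric


class DsdvNode:
    def __init__(self, name: str):
        self.name = name
        self.own_seq = 0
        self.table: Dict[str, Route] = {name: Route(name, None, 0, 0)}

    def advertisement(self) -> Route:
        """Periodic self-advertisement: the destination itself always increments
        by 2, so sequence numbers it originates stay even."""
        self.own_seq += 2
        self.table[self.name].seq = self.own_seq
        return Route(self.name, None, 0, self.own_seq)

    def receive_update(self, from_neighbor: str, adv: Route) -> bool:
        """Install a route heard from a neighbor (one hop further away) if it
        beats the current entry. Returns True when the table changed."""
        if adv.dest == self.name:
            return False  # nobody else's route to us can beat our own metric-0 entry
        metric = INFINITY if adv.metric >= INFINITY else adv.metric + 1
        cand = Route(adv.dest, from_neighbor, metric, adv.seq)
        if is_better(cand, self.table.get(adv.dest)):
            self.table[adv.dest] = cand
            return True
        return False

    def link_broken(self, neighbor: str) -> List[Route]:
        """A lost link to `neighbor` invalidates every route through it: the
        metric becomes infinite and the sequence number is bumped by 1 (odd),
        so the withdrawal outranks the stale even-numbered route held elsewhere
        until the destination itself advertises a newer even number."""
        withdrawn = []
        for r in self.table.values():
            if r.next_hop == neighbor and r.metric < INFINITY:
                r.metric = INFINITY
                r.seq += 1
                withdrawn.append(Route(r.dest, None, INFINITY, r.seq))
        return withdrawn


if __name__ == "__main__":
    # Constructed chain A - B - D: D advertises itself, B learns it, A learns it via B.
    a, b, d = DsdvNode("A"), DsdvNode("B"), DsdvNode("D")
    b.receive_update("D", d.advertisement())
    a.receive_update("B", b.table["D"])
    print("A -> D:", a.table["D"])
    # B loses its link to D and withdraws the route with an odd sequence number.
    for w in b.link_broken("D"):
        a.receive_update("B", w)
    print("A -> D after withdrawal:", a.table["D"])
```

Running the block prints A's route to D before and after the withdrawal; the withdrawal (sequence number 3, infinite metric) displaces the working route (sequence number 2) until D's next even advertisement arrives over some other path.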


1.4.1.2 Dynamic Source Routing (DSR)


DSR [13] uses source routing rather than hop-by-hop routing, with each packet to be routed
carrying in its header the complete, ordered list of nodes through which the packet must
pass. The key advantage of source routing is that intermediate nodes do not need to
maintain up-to-date routing information in order to route the packets they forward, since
the packets themselves already contain all the routing decisions. This fact, coupled with the
on-demand nature of the protocol, eliminates the need for the periodic route advertisement
and neighbor detection packets present in other protocols.
The DSR protocol consists of two mechanisms: Route Discovery and Route Maintenance.
Route Discovery is the mechanism by which a node S wishing to send a packet to a
destination D obtains a source route to D. To perform a Route Discovery, the source node S
broadcasts a ROUTE REQUEST packet that is flooded through the network in a controlled
manner and is answered by a ROUTE REPLY packet from either the destination node or
another node that knows a route to the destination. To reduce the cost of Route Discovery,
each node maintains a cache of source routes it has learned or overheard, which it uses to
limit the frequency and propagation of ROUTE REQUESTs.
Route Maintenance is the mechanism by which a packet's sender S detects that the network
topology has changed such that it can no longer use its route to the destination D because
two nodes listed in the route have moved out of range of each other. When Route
Maintenance indicates a source route is broken, S is notified with a ROUTE ERROR
packet. The sender S can then attempt to use any other route to D already in its cache or
can invoke Route Discovery again to find a new route.
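As an added illustration, not code from this thesis or from any DSR implementation, the following Python model shows the two mechanisms together: Route Discovery accumulating the route record in the request header, the route cache (including use of a prefix of a longer cached route), and Route Maintenance returning a ROUTE ERROR for a broken link so that the sender purges affected cache entries and retries from its cache or a fresh discovery. The topology, node names and the `break_link` helper are constructed; there is no radio model, so links are assumed bidirectional.

```python
from collections import deque
from typing import Dict, List, Optional, Set, Tuple

Link = Tuple[str, str]


class DsrNode:
    """Route cache of one DSR node; every entry is a full source route starting here."""

    def __init__(self, name: str):
        self.name = name
        self.cache: List[List[str]] = []

    def add_route(self, route: List[str]) -> None:
        if route not in self.cache:
            self.cache.append(route)

    def route_to(self, dst: str) -> Optional[List[str]]:
        """Shortest cached route to dst; a prefix of a longer cached route also counts."""
        best: Optional[List[str]] = None
        for r in self.cache:
            if dst in r:
                cand = r[: r.index(dst) + 1]
                if best is None or len(cand) < len(best):
                    best = cand
        return best

    def purge(self, link: Link) -> int:
        """ROUTE ERROR handling: drop every cached route that uses the broken hop a->b."""
        a, b = link
        before = len(self.cache)
        self.cache = [r for r in self.cache
                      if not any(r[i] == a and r[i + 1] == b for i in range(len(r) - 1))]
        return before - len(self.cache)


class DsrNetwork:
    """Constructed toy topology: undirected links, no radio model."""

    def __init__(self, links: List[Link]):
        self.nodes: Dict[str, DsrNode] = {}
        self.adj: Dict[str, Set[str]] = {}
        for a, b in links:
            for n in (a, b):
                self.nodes.setdefault(n, DsrNode(n))
                self.adj.setdefault(n, set())
            self.adj[a].add(b)
            self.adj[b].add(a)

    def break_link(self, a: str, b: str) -> None:
        self.adj[a].discard(b)
        self.adj[b].discard(a)

    def route_discovery(self, src: str, dst: str) -> Optional[List[str]]:
        """Flood a ROUTE REQUEST whose header accumulates the route record. Each node
        handles only the first copy it hears; when the request reaches dst the recorded
        route comes back in a ROUTE REPLY and is cached at src."""
        seen: Set[str] = {src}
        queue = deque([[src]])
        while queue:
            record = queue.popleft()
            cur = record[-1]
            if cur == dst:
                self.nodes[src].add_route(record)
                return record
            for nb in sorted(self.adj[cur]):
                if nb not in seen:
                    seen.add(nb)
                    queue.append(record + [nb])
        return None

    def send(self, src: str, dst: str, max_attempts: int = 3) -> Tuple[bool, List[str]]:
        """Source-route one data packet. The header lists every hop; a node whose next
        listed hop is unreachable sends a ROUTE ERROR naming the broken link, and src
        purges its cache and retries from cache or a fresh Route Discovery."""
        for _ in range(max_attempts):
            route = self.nodes[src].route_to(dst) or self.route_discovery(src, dst)
            if route is None:
                return False, []
            for i in range(len(route) - 1):
                a, b = route[i], route[i + 1]
                if b not in self.adj[a]:            # Route Maintenance detects the break at a
                    self.nodes[src].purge((a, b))   # ROUTE ERROR reaches the sender
                    break
            else:
                return True, route
        return False, []


if __name__ == "__main__":
    net = DsrNetwork([("S", "A"), ("A", "B"), ("B", "D"), ("S", "C"), ("C", "D")])
    print(net.send("S", "D"))      # discovers and caches S-C-D
    net.break_link("C", "D")
    print(net.send("S", "D"))      # ROUTE ERROR on C->D, rediscovers S-A-B-D
```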

1.4.1.3 Temporally-Ordered Routing Algorithm (TORA)


TORA [14] is a distributed routing protocol based on a link reversal algorithm. It is
designed to discover routes on demand, provide multiple routes to a destination, establish
routes quickly, and minimize communication overhead by localizing algorithmic reaction
to topological changes when possible. Route optimality (shortest-path routing) is
considered of secondary importance, and longer routes are often used to avoid the overhead
of discovering newer routes.
The actions of TORA can be described in terms of water flowing downhill towards a
destination node through a network of tubes that models the routing state of the real
network. The tubes represent links between nodes in the network, the junctions of tubes
represent the nodes, and the water in the tubes represents the packets flowing towards the
destination. Each node has a height with respect to the destination that is computed by the
routing protocol. If a tube between nodes A and B becomes blocked such that water can no
longer flow through it, the height of A is set to a height greater than that of any of its
remaining neighbors, such that water will now flow back out of A (and towards the other
nodes that had been routing packets to the destination via A).
At each node in the network, a logically separate copy of TORA is run for each destination.
When a node needs a route to a particular destination, it broadcasts a QUERY packet
containing the address of the destination for which it requires a route. This packet
propagates through the network until it reaches either the destination or an intermediate
node having a route to the destination. The recipient of the QUERY then broadcasts an
UPDATE packet listing its height with respect to the destination. As this packet propagates
through the network, each node that receives the UPDATE sets its height to a value greater
than the height of the neighbor from which the UPDATE was received. This has the effect
of creating a series of directed links from the original sender of the QUERY to the node that
initially generated the UPDATE.
When a node discovers that a route to a destination is no longer valid, it adjusts its height
so that it is a local maximum with respect to its neighbors and transmits an UPDATE
packet. If the node has no neighbors of finite height with respect to this destination, then
the node instead attempts to discover a new route as described above. When a node detects
a network partition, it generates a CLEAR packet that resets routing state and removes
invalid routes from the network. TORA is layered on top of IMEP, the Internet MANET
Encapsulation Protocol, which is required to provide reliable, in-order delivery of all
routing control messages from a node to each of its neighbors, plus notification to the
routing protocol whenever a link to one of its neighbors is created or broken. To reduce
overhead, IMEP attempts to aggregate many TORA and IMEP control messages (which
IMEP refers to as objects) together into a single packet (an object block) before
transmission. Each block carries a sequence number and a response list of other nodes from
which an ACK has not yet been received, and only those nodes ACK the block when
receiving it; IMEP retransmits each block with some period, and continues to retransmit it
if needed for some maximum total period, after which time the link to each
unacknowledged node is declared down and TORA is notified. IMEP can also provide
network layer address resolution, although this service is optional and ARP [19] can be
used instead. For link status sensing and maintaining a list of a node's neighbors, each
IMEP node periodically transmits a BEACON (or BEACON-equivalent) packet, which is
answered by each node hearing it with a HELLO (or HELLO-equivalent) packet.
1.4.1.4 Ad Hoc On-Demand Distance Vector (AODV)
AODV [15] can be thought of as a combination of both DSR and DSDV. It borrows the
basic on-demand mechanism of Route Discovery and Route Maintenance from DSR, plus
the use of hop-by-hop routing, sequence numbers, and periodic beacons from DSDV.
AODV is an on-demand routing protocol, which initiates a route discovery process only
when desired by a source node. When a source node S wants to send data packets to a
destination node D but cannot find a route in its routing table, it broadcasts a Route Request
(RREQ) message to its neighbors, including the last known sequence number for that
destination. Its neighbors then rebroadcast the RREQ message to their neighbors if they do
not have a fresh enough route to the destination node. (A fresh enough route is a valid route
entry for the destination node whose associated sequence number is equal to or greater than
that contained in the RREQ message.) This process continues until the RREQ message
reaches the destination node or an intermediate node that has a fresh enough route.
Every node has its own sequence number and RREQ ID. AODV uses sequence numbers
to guarantee that all routes are loop-free and contain the most recent routing information.
The RREQ ID in conjunction with the source IP address uniquely identifies a particular RREQ
message. The destination node or an intermediate node only accepts the first copy of a
RREQ message and drops duplicate copies of the same RREQ message.


Each node that forwards the RREQ creates a reverse route for itself back to node S; after
accepting a RREQ message, the destination or intermediate node updates its reverse route
to the source node using the neighbor from which it received the RREQ message. The
reverse route will be used to send the corresponding Route Reply (RREP) message back to
the source node. When the RREQ reaches a node with a route to D, that node generates a
RREP that contains the number of hops necessary to reach D and the sequence number for
D most recently seen by the node generating the RREP. Meanwhile, it updates the sequence
number of the source node in its routing table to the maximum of the one in its routing
table and the one in the RREQ message. When the source or an intermediate node receives
a RREP message, it updates its forward route to the destination node using the neighbor
from which it received the RREP message. It also updates the sequence number of the
destination node in its routing table to the maximum of the one in its routing table and
the one in the RREP message. A Route Reply Acknowledgement (RREP-ACK) message is used
to acknowledge receipt of a RREP message. The state created in each node along the path
from S to D is hop-by-hop state; that is, each node remembers only the next hop and not
the entire route, as would be done in source routing.
In order to maintain routes, AODV normally requires that each node periodically transmit a
HELLO message, with a default rate of once per second. Failure to receive three
consecutive HELLO messages from a neighbor is taken as an indication that the link to the
neighbor in question is down. Alternatively, the AODV specification briefly suggests that a
node may use physical layer or link layer methods to detect link breakages to nodes that it
considers neighbors. When a link goes down, any upstream node that has recently
forwarded packets to a destination using that link is notified via an UNSOLICITED
ROUTE REPLY containing an infinite metric for that destination. Upon receipt of such a
ROUTE REPLY, a node must acquire a new route to the destination using Route Discovery
as described above.
Route maintenance is done with Route Error (RERR) messages. If a node detects a link
break in an active route, it sends out a RERR message to its upstream neighbors that use it
as the next hop in the broken route. When a node receives a RERR message from its
neighbor, it further forwards the RERR message to its upstream neighbors.
In this respect AODV is stateless: the source node or an intermediate node updates its
routing table if it receives a RREP message, regardless of whether it has sent or forwarded
a corresponding RREQ message before. If it cannot find the next hop in the reverse route,
it simply drops the RREP message. Otherwise, it unicasts the RREP message to the next hop
in the reverse route.
In general, a node may update the sequence numbers in its routing table whenever it
receives RREQ, RREP, RERR, or RREP-ACK messages from its neighbors.

1.5 Threats and Attacks


Threats and attacks [34] can be categorized by the level they target. The first is the
perceptual level, where human perception is targeted using the media as a bearer. This may
be broadcasting false information or merely observing social behavior in order to alter
decision processes.

Secondly, attacks can target the information itself; interception and eavesdropping come
naturally to mind. More active attacks of this kind include the injection of false messages
into networks. Denial or degradation of network services is also a form of active attack at
the information level. Application level attacks such as Trojan horses, viruses and the like
are included in this category as well.
The physical attacks are the third category. The passive nature of this category can be
radiation interception or inductive wiretapping. The more hands on attacks include theft of
equipment, cryptographic or physical keys, and different storage medias. Other kinds of
attacks are social engineering or as drastic as destruction using explosives or other physical
force [3].

1.5.1 Wireless Network Attacks


In contrast to network equipment in wired networks, where the devices are usually kept
behind locked doors, Ad Hoc network equipment is usually carried around as small
battery-powered devices or placed inside mobile units like cars. This makes it even
more attractive to attackers, since it is often easier to get to and also easier to carry
away from the crime scene. Another point is that it can be quite hard to intercept wired
media without getting noticed, both because the media itself might be hard to get to and
because intercepting cables often requires cutting them for a while. In the wireless medium
it is as easy as putting up an antenna, usually small enough not to be noticed [11,6].
Also, since many users of Ad Hoc networks will be using them in public places, the threat
of unintentionally revealing secrets is large. This can be in the form of a conversation
being held so that someone can overhear secret information, or shoulder surfing, that is,
someone reading the computer screen or keyboard from behind while passwords or the like
are entered. Poor human memory can also help the attacker. It is not uncommon for
individuals to write down passwords and user details on post-it notes and later throw them
away in garbage cans. The retrieval of this kind of information can help attackers guess
the correct passwords to system resources. This kind of attack has gotten the common name
of dumpster diving [3].

1.5.2 Attacks on Ad Hoc Networks


In addition to often being wireless, the structure of an Ad Hoc network, or the lack
thereof, leads to some special kinds of attacks, especially attacks on the connectedness of
the network, which means attacks on the routing protocol. In this section some of these
attacks are addressed.
Routing Loop
By sending forged routing packets an attacker can create a routing loop [35,6,10]. This
results in data packets being sent around in circles, consuming both bandwidth and power
for a number of nodes. The packets will not reach their intended recipient, so this can be
considered a form of denial-of-service attack.
Black Hole
The setup for the black hole attack [35,6,10] is similar to the routing loop attack in that
the attacker sends out forged routing packets. It can set up a route to some destination via
itself, and when the actual data packets get there they are simply dropped, forming a black
hole where data enters but never leaves.
Another possibility is for the attacker to forge routes pointing into an area where the
destination node is not located. Everything will be routed into this area but nothing will
leave, also creating a sort of black hole.
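The following added example (not code from this thesis, nor an AODV implementation) serves both the AODV description in section 1.4.1.4 and the black hole attack above. It models RREQ flooding with (originator, RREQ ID) duplicate suppression, reverse routes, the "fresh enough" check at intermediate nodes, RREP propagation that installs a forward route only when the reply is fresher or equally fresh with fewer hops, and hop-by-hop data forwarding from each node's own table. With one node marked malicious, that node answers every RREQ at once with a forged RREP carrying a very high destination sequence number and a one-hop count, so the source prefers the route through it, and the data it then receives is dropped. The topology, node names, the `+1000` offset and the omission of HELLO, RERR and RREP-ACK are simplifications of this example.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class RouteEntry:
    next_hop: str
    hops: int
    dest_seq: int


@dataclass
class Node:
    name: str
    seq: int = 0                 # own sequence number
    rreq_id: int = 0
    malicious: bool = False      # black hole: forge a fresh RREP, then drop data
    rreq_count: int = 0          # RREQ copies this node actually processed
    routes: Dict[str, RouteEntry] = field(default_factory=dict)
    seen: Set[Tuple[str, int]] = field(default_factory=set)   # (originator, RREQ ID)


def install(node: Node, dst: str, cand: RouteEntry) -> bool:
    """Accept a route only if it is fresher (higher destination sequence number)
    or equally fresh with fewer hops."""
    old = node.routes.get(dst)
    if old is None or cand.dest_seq > old.dest_seq or \
            (cand.dest_seq == old.dest_seq and cand.hops < old.hops):
        node.routes[dst] = cand
        return True
    return False


class Network:
    """Constructed toy topology over undirected links; no HELLO, RERR or RREP-ACK."""

    def __init__(self, links: List[Tuple[str, str]], malicious: Optional[Set[str]] = None):
        malicious = malicious or set()
        self.nodes: Dict[str, Node] = {}
        self.adj: Dict[str, Set[str]] = {}
        for a, b in links:
            for n in (a, b):
                self.nodes.setdefault(n, Node(n, malicious=(n in malicious)))
                self.adj.setdefault(n, set())
            self.adj[a].add(b)
            self.adj[b].add(a)

    def send_rrep(self, at: str, src: str, dst: str, dest_seq: int, hops: int) -> None:
        """Unicast the RREP back along reverse routes; every node on the way installs
        (or refuses) a forward route to dst via the neighbor it heard the RREP from."""
        cur = at
        while cur != src:
            nxt = self.nodes[cur].routes[src].next_hop
            hops += 1
            install(self.nodes[nxt], dst, RouteEntry(cur, hops, dest_seq))
            cur = nxt

    def discover(self, src: str, dst: str) -> Optional[RouteEntry]:
        """Flood a RREQ from src and return the route src ends up holding for dst."""
        s = self.nodes[src]
        s.seq += 1                      # originator bumps its own sequence number
        s.rreq_id += 1
        key = (src, s.rreq_id)
        wanted = s.routes[dst].dest_seq if dst in s.routes else 0   # last known dest seq
        s.seen.add(key)
        queue = deque([(src, src, 0)])  # (node, previous hop, hop count so far)
        while queue:
            cur, prev, hops = queue.popleft()
            node = self.nodes[cur]
            node.rreq_count += 1
            if cur != src:
                # reverse route toward the originator via the neighbor the RREQ came from
                node.routes[src] = RouteEntry(prev, hops, s.seq)
            if node.malicious:
                # black hole: reply immediately with a bogus, very fresh, one-hop route
                self.send_rrep(cur, src, dst, dest_seq=wanted + 1000, hops=1)
                continue
            if cur == dst:
                node.seq = max(node.seq, wanted)
                self.send_rrep(cur, src, dst, dest_seq=node.seq, hops=0)
                continue
            r = node.routes.get(dst)
            if cur != src and r is not None and r.dest_seq >= wanted:
                # an intermediate node with a fresh enough route answers for the destination
                self.send_rrep(cur, src, dst, dest_seq=r.dest_seq, hops=r.hops)
                continue
            for nb in sorted(self.adj[cur]):
                if key not in self.nodes[nb].seen:   # duplicate suppression by (originator, RREQ ID)
                    self.nodes[nb].seen.add(key)
                    queue.append((nb, cur, hops + 1))
        return s.routes.get(dst)

    def deliver(self, src: str, dst: str, max_hops: int = 32) -> Tuple[bool, List[str]]:
        """Forward a data packet hop by hop from each node's own table (no source route).
        A black hole drops whatever reaches it."""
        path, cur = [src], src
        while cur != dst and len(path) <= max_hops:
            node = self.nodes[cur]
            if node.malicious or dst not in node.routes:
                return False, path
            cur = node.routes[dst].next_hop
            path.append(cur)
        return cur == dst, path


if __name__ == "__main__":
    LINKS = [("S", "A"), ("A", "B"), ("B", "D"), ("S", "M"), ("M", "A")]
    honest = Network(LINKS)
    honest.discover("S", "D")
    print("honest:", honest.deliver("S", "D"))       # reaches D via A-B
    attacked = Network(LINKS, malicious={"M"})
    attacked.discover("S", "D")
    print("black hole:", attacked.deliver("S", "D")) # stops at M
```

The forged RREP wins purely on the freshness rule: the source has no way to tell that M never saw D, which is exactly why the later chapters discuss authenticating routing messages rather than trusting sequence numbers at face value.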
Grey Hole
A special case of the black hole attack is the grey hole attack [35,6,10]. In this attack
the adversary selectively drops some kinds of packets but not others. For example, the
attacker might forward routing packets but not data packets.
Partitioning
Another kind of attack is for the attacker to create a network partition, in which some
nodes are split off so that they cannot communicate with another set of nodes. By analysing
the network topology the attacker can choose to make the partition between the sets of
nodes where it does the most harm to the system.
This attack can be accomplished in many ways: by forging routing packets as in the
previous attacks, but also by a physical attack such as radio jamming.
Blackmail
Some Ad Hoc routing protocols try to handle the security problems by keeping lists of
possibly malicious nodes. Each node has a blacklist of what it thinks are bad nodes and
thereby avoids using them when setting up routing paths. An attacker might try to
blackmail a good node, causing other good nodes to add this node to their blacklists and so
avoid it.
Wormhole
In the wormhole attack an attacker uses a pair of nodes connected in some way, either by a
special private connection or by tunnelling the packets over the Ad Hoc network. Every
packet that one of the nodes sees is forwarded to the other node, which in turn broadcasts
it. This creates short circuits for the actual routing in the Ad Hoc network and thereby
causes routing problems.
Also, all the data can be selectively forwarded or not using this attack, thereby controlling
the Ad Hoc network to a large extent. This kind of attack together with a partitioning attack
can gain almost complete control over the network traffic.
Rushing Attack
Many reactive routing protocols keep a sequence number for duplicate suppression at
every node. An attacker can distribute a large number of route requests with increasing
sequence numbers, forged to appear to be from other nodes. This way, when the actual route
request is sent out, many nodes suppress it as a duplicate, thereby disrupting the actual
route discovery.
Resource Consumption
By injecting extra data packets into the Ad Hoc network, limited resources such as
bandwidth and possibly battery power are consumed for no reason. Even more resources
might be consumed by injecting extra control packets, since these might lead to additional
computation. Also, the other nodes might forward control information as it comes in,
resulting in even more resource consumption [4].
For devices that try to conserve battery power by only occasionally enabling their
communication device, a malicious attacker might communicate in an ordinary way but
with the sole intent of draining battery power. Stajano and Anderson call this resource
consumption attack sleep deprivation torture [5].

Dropping Routing Traffic
It is essential in the Ad Hoc network that all nodes participate in the routing process.
However, a node may act selfishly and process only routing information that is related to
itself in order to conserve energy. This behaviour/attack can create network instability or
even segment the network.
Location disclosure
A location disclosure attack can reveal information related to the location of a node or the
topology and structure of the network. The information gained might reveal which other
nodes are adjacent to the target or the physical location of a participating node. The attack
can be implemented by using a command similar to traceroute that exists in Unix-like
systems or with the use of the time-to-live attribute of the routing packet and the addresses
of the devices by sending ICMP error messages. In the end, the attacker knows which
nodes are situated on the route to the target node. If the locations of some of the
intermediary nodes are known, one can gain information about the location of the
destination node as well.
1.6 Security Model and Attributes


The field of security [34] is large, and some model for attacking the problem is needed. The
following attributes need to be considered [1] when classifying the different security needs
of the applications of Ad Hoc networks:
o Confidentiality
o Authentication
o Availability
o Integrity
o Non-Repudiation
o Certainty of discovery
o Isolation
o Lightweight computations
o Location
o Self
o Byzantine robustness

1.7 Security of Ad-Hoc Networks


Because of dynamic topological changes, ad-hoc networks are vulnerable at the physical
link, as it can easily be manipulated. An intruder can easily attack ad-hoc networks by
loading available network resources, such as wireless links and the energy (battery) levels of
other users, and thereby disturb all users. Attackers can also disturb the normal operation of
routing protocols by modifying packets. The intruder may insert spurious information into
routing packets, causing erroneous routing table updates and thus misrouting. Some other
security vulnerabilities of ad-hoc networks are:
Limited computational capabilities: Typically, nodes in ad-hoc networks are modular,
independent, and limited in computational capability, and therefore may become a source of
vulnerability when they handle public-key cryptography during normal operation.
Limited power supply: Since nodes normally use a battery as power supply, an intruder can
exhaust batteries by causing additional transmissions or excessive computations to be
carried out by nodes.
Challenging key management: Dynamic topology and movement of nodes in an Ad Hoc
network make key management difficult if cryptography is used in the routing protocol.

1.8 Securing the MANETs


The provision of security services in the MANETs context faces a set of challenges specific
to this new technology. The insecurity of the wireless links, energy constraints, relatively
poor physical protection of nodes in a hostile environment, and the vulnerability of
statically configured security schemes are definitely such challenges. However, the single
most important feature that differentiates MANETs is the absence of a fixed infrastructure.
No part of the network is dedicated to support individually any specific network
functionality, with routing (topology discovery, data forwarding) being the most prominent
example. Additional examples of functions that cannot rely on a central service, and which
are also of high relevance to this work, are naming services, certification authorities (CA),
directory and other administrative services.
Even if such services were assumed, their availability would not be guaranteed, either due
to the dynamically changing topology that could easily result in a partitioned network or
due to congested links close to the node acting as a server. Furthermore, performance
issues such as delay constraints on acquiring responses from the assumed infrastructure
would pose an additional challenge.
The absence of infrastructure and the consequent absence of authorization facilities impede
the usual practice of establishing a line of defense, separating nodes into trusted and
non-trusted. Such a distinction would have been based on a security policy, the possession of
the necessary credentials and the ability of nodes to validate them. In the MANETs
context, there may be no ground for an a priori classification, since all nodes are required
to cooperate in supporting the network operation, while no prior security association can be
assumed for all the network nodes. Additionally, in MANETs freely roaming nodes form
transient associations with their neighbors, and join and leave MANET sub-domains
independently and without notice. Thus it may be difficult in most cases to have a clear
picture of the Ad Hoc network membership. Consequently, especially in the case of a
large-size network, no form of established trust relationships among the majority of nodes
can be assumed.
In such an environment, there is no guarantee that a path between two nodes would be free
of malicious nodes, which would not comply with the employed protocol and would attempt to
harm the network operation. The mechanisms currently incorporated in MANET routing
protocols cannot cope with disruptions due to malicious behavior. For example, any node
could claim that it is one hop away from the sought destination, causing all routes to the
destination to pass through itself. Alternatively, a malicious node could corrupt any in-transit
route request (reply) packet and cause data to be misrouted.
The presence of even a small number of adversarial nodes could result in repeatedly
compromised routes, and, as a result, the network nodes would have to rely on cycles of
time-out and new route discoveries to communicate. This would incur arbitrary delays
before the establishment of a non-corrupted path, while successive broadcasts of route
requests would impose excessive transmission overhead. In particular, intentionally
falsified routing messages would result in a denial-of-service (DoS) experienced by the end
nodes. The proposed scheme combats such types of misbehavior and safeguards the
acquisition of topological information.

1.9 Secure Routing and Intrusion Detection in MANETs


The majority of the routing protocols proposed in the literature assume non-hostile
environments. Due to its dynamically changing topology, open environment and lack of
centralized security infrastructure, a MANET is extremely vulnerable to the presence of
malicious nodes and to certain types of attacks. To address these concerns, several
secure routing protocols have been proposed recently: SAODV, Ariadne, SEAD, CSER,
SRP, SAAR, BSAR, and SBRP.
Mobile Ad Hoc Networks (MANETs) present a number of unique problems for Intrusion
Detection Systems (IDS). Differentiating between malicious network activity and the spurious,
but typical, problems associated with an Ad Hoc networking environment is a challenging
task. In an Ad Hoc network, malicious nodes may enter and leave the immediate radio
transmission range at random intervals, or may collude with other malicious nodes to
disrupt network activity and avoid detection. Malicious nodes may behave maliciously only
intermittently, further complicating their detection. A node that sends out false routing
information could be one that has been compromised, or merely one that has a
temporarily stale routing table due to volatile physical conditions. Dynamic topologies
make it difficult to obtain a global view of the network, and any approximation can quickly
become outdated. Traffic monitoring in wired networks is usually performed at switches,
routers and gateways, but an Ad Hoc network does not have these types of network
elements where the IDS can collect audit data for the entire network. Network traffic can
be monitored on a wired network segment, but Ad Hoc nodes or sensors can only monitor
network traffic within their own radio transmission range. NIST is working with the
University of Maryland Baltimore County (UMBC) to simulate, implement, and test
various MANET IDS.

1.10 Motivation of Research


Mobile Ad Hoc networks (MANETs) are vulnerable due to their fundamental characteristics,
such as open medium, dynamic topology, distributed operation and constrained capability.
AODV is an important on-demand routing protocol. Security is a central requirement for
mobile Ad Hoc networks. That security and robustness will impact the design of the standard
for Ad Hoc networks is the main motivation for this thesis.

1.11 Problem Statement


An Intrusion Detection System aimed at securing the AODV protocol has been studied by
Stamouli et al. [10] using a specification-based technique. They conclude that AODV
performs well at all mobility rates and movement speeds. However, we argue that their
definition of mobility (pause time) does not truly represent the dynamic topology of
MANETs. In this thesis, the work of Stamouli et al. [10] has been extended, and the proposed
protocol is called IDAODV (Intrusion Detection AODV).
In our work, we make use of knowledge-based intrusion detection. Our Intrusion Detection
and Response Protocol for MANETs has been demonstrated to perform better than that
proposed in [10] in terms of false positives and percentage of packets delivered. Since the
earlier work by Stamouli et al. [10] does not report true positives, i.e. the detection rate, we
could not compare our results against their method on that parameter.
The implementation of the IDAODV protocol reported in this thesis has been shown to work in
real-life scenarios. IDAODV performs real-time detection of attacks in MANETs running the
AODV routing protocol. The prototype has also given some insight into the problems that
arise when trying to run real applications on an Ad Hoc network.
Experimental results validate the ability of our protocol to successfully detect both local
and distributed attacks against the AODV routing protocol, with a low number of false
positives. The algorithm also imposes a very small overhead on the nodes, which is an
important factor for resource-constrained nodes.

1.12 Organization of the Thesis


Chapter 1 provides an overview of Mobile Ad Hoc Networks (MANETs), the application
push and the technology pull, and the different technological issues involved in the design
of MANETs, and also discusses some popular routing protocols together with the security model.
The motivation and problem statement are defined in this chapter. Chapter 2 discusses the
specific problem of Intrusion Detection in MANETs and reviews the methods proposed in
the literature.
We make two contributions in this thesis. The first is detection of intrusion in the form of
attacks on the routing infrastructure: dropping of packets and sequence number attacks. This
is described and analyzed in Chapter 3. The second type of attack is the resource depletion
attack, which is described and analyzed in Chapter 4. Conclusions are drawn in Chapter 5
along with discussions of possible future extensions.
Appendix A contains the terminology, Appendix B contains the AODV implementation
for NS-2 and Appendix C contains pseudo code.

1.13 Chapter Summary


Wireless Ad Hoc networks are becoming an increasingly common platform for bringing
computation to environments with minimal infrastructure. With an increasing number of
office, home and personal devices being equipped with computation and wireless
communication capabilities, the formation of networks on an as-required basis offers
attractive application domains.
The very advantage of Ad Hoc networks, the elimination of fixed/rigid infrastructure,
introduces complexities in routing and also raises serious concerns about security issues in
MANETs. However, the flexibility offered by MANETs promises that these networks are
here to stay. The security of such networks has become an important topic of research, and
this has formed the basis of the work reported in this thesis.
2 Intrusion Detection in MANETs


The success of MANET-based applications depends on many factors, trustworthiness
being one of the primary challenges to be met. Despite the existence of well-known
security mechanisms, additional vulnerabilities and features pertinent to this new
networking paradigm might render such traditional solutions inapplicable. The absence of a
central authorization facility in an open and distributed communication environment is a
major challenge, especially due to the need for cooperative network operation. In
particular, in MANETs, any node may compromise the routing protocol functionality by
disrupting the route discovery process.
Wireless Ad Hoc networks are vulnerable to various attacks. These include passive
eavesdropping, active interfering, impersonation, and denial-of-service. Intrusion
prevention measures, such as strong authentication and redundant transmission, can be used
to address some of these attacks. However, these techniques can address only a subset of
the threats, and, moreover, are costly to implement.
The dynamic nature of Ad Hoc networks suggests that prevention techniques should be
complemented by detection techniques that monitor the security status of the network and
identify anomalous and/or malicious behavior. These techniques are usually less expensive
to implement and can be easily deployed in existing Ad Hoc networks without requiring
modifications to the nodes' configuration or the routing protocols being used.

2.1 Intrusion Detection


Intrusion is defined as a sequence of related actions performed by a malicious adversary
that results in the compromise of a target system. It is assumed that the actions of the
intruder violate a given security policy. The existence of a security policy that states which
actions are considered malicious and should be prevented is a key requisite for an intrusion
detection system to work.
Intrusion detection is the process of identifying and responding to malicious activities
targeted at computing and network resources. This identification introduces the notion of
intrusion detection as a process, which involves technology, people and tools. Intrusion
detection is an approach that is complementary to mainstream approaches to
security such as access control and cryptography.

2.2 Motivation
Adoption of an intrusion detection system is motivated by several factors, some of which are
listed below:
1. Surveys have shown that most computers are flawed by vulnerabilities, regardless
of manufacturer or purpose, that the number of security incidents is continuously
increasing, and that users and administrators are generally very slow in applying
fixes to vulnerable systems. As a consequence, many experts believe that computer
systems will never be absolutely secure.
2. Deployed security mechanisms, e.g. authentication and access control, may be
disabled as a consequence of misconfiguration or malicious actions.
3. Users of the system may abuse their privileges and perform damaging activities.
4. Even if an attack is not successful, in most cases it is useful to be aware of the
compromise attempt.
Intrusion detection systems (IDS) are software applications dedicated to detecting intrusions
against a target network. IDS are designed to address the issues discussed above; they are
not intended to replace traditional security methods, but to complement and complete them.
An intrusion detection system must fulfill the following requirements [36,20]:
Accuracy: An IDS must not identify a legitimate action in a system environment as an
anomaly or a misuse (a legitimate action identified as an intrusion is called a false positive).
Performance: The performance of the IDS must be sufficient to carry out real-time
intrusion detection (real-time means an intrusion must be detected before significant
damage has occurred). As per the literature, this should be under a minute.
Completeness: An IDS should not fail to detect an intrusion (an undetected intrusion is
called a false negative). Arguably this requirement is rather difficult to fulfill because it is
almost impossible to have global knowledge about past, present and future attacks. An IDS
should, however, minimize false negatives.
Fault-tolerance: An IDS must itself be resistant to attacks.
Scalability: An IDS must be able to process the worst-case number of events without
dropping information. This point is especially relevant for systems that correlate events
from different sources at a small number of dedicated hosts. As networks grow bigger and
get faster, such nodes become overwhelmed by the increasing number of events.

2.3 Approaches to Intrusion Detection


Intrusion detection techniques [16, 17] have traditionally been classified into two
paradigms, namely anomaly detection, also known as behavior-based intrusion detection,
and misuse detection, also called knowledge-based intrusion detection.
In anomaly or behavior-based detection techniques, historical data about a system's activity
and specifications of the intended behavior of users and applications are used to build a
profile of the normal operation of the system. The detection process then attempts to
identify patterns of activity that deviate from the defined profile; anything that does not
correspond to a previously learned behavior is considered anomalous and suggests an
intrusion attempt.
Misuse or knowledge-based detection techniques take a complementary approach. Misuse
detection tools are equipped with a number of attack descriptions (or signatures) that are
matched against the stream of audit data to identify evidence of the occurrence of the
modeled attacks. These IDS accumulate knowledge about attacks, examine traffic and try to
identify patterns indicating that a suspicious activity may be occurring.
Misuse and anomaly detection both have advantages and disadvantages. Misuse detection
can perform focused analysis of the audit data and usually produces very few false
positives. However, it can detect only those attacks that have been modeled and possibly
variations on those attacks. This means that this approach can be applied against known
attack patterns only, and the knowledge base must be updated frequently.
Anomaly detection has the advantage of being able to detect attempts to exploit new and
unforeseen vulnerabilities without a priori knowledge of explicit security flaws. This
advantage is paid for in terms of the large number of false positives generated: the entire
scope of system behavior may not be covered during the learning phase, and legitimate
behavior may also change over time. It also comes with the difficulty of training a system with
respect to a highly dynamic environment; obviously a finite training period is also needed.
The assumption that the system in question is free of anomalies during the training period
also may not always be true.
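The trade-off between the two paradigms is easiest to see on a concrete audit trail. The following Python example is added here and is not code from the thesis or from any of the cited systems: it runs one misuse signature (a RREQ ID that jumps by more than a fixed amount, the kind of flood described under the rushing attack in Chapter 1) and one anomaly detector (a per-originator profile of RREQs per time window learned during a training period) over a constructed trace of RREQ originations. The originator names A, B and M, the window length, the thresholds and the trace itself are all assumptions of the example.

```python
import statistics
from collections import defaultdict

WINDOW = 10  # seconds per audit window (constructed parameter)

# Constructed audit trail of RREQ originations overheard by a monitor: (time_s, originator, rreq_id).
# Training period (0-59 s): A originates one RREQ per window, B two per window, M only twice.
NORMAL = (
    [(t, "A", t // 10 + 1) for t in range(0, 60, 10)]
    + [(t, "B", t // 5 + 1) for t in range(0, 60, 5)]
    + [(0, "M", 1), (30, "M", 2)]
)
# Test period (60-79 s): A unchanged; B has a legitimate burst of route repairs (ids still step by 1);
# M floods RREQs whose ids jump by 10 each time (the rushing-style flood of Chapter 1).
TEST = (
    [(60, "A", 7), (70, "A", 8)]
    + [(60 + k, "B", 13 + k) for k in range(7)]
    + [(70 + k, "M", 10 * (k + 1)) for k in range(5)]
)


def misuse_detect(records, max_id_jump=3):
    """Knowledge-based detection: a single signature, a RREQ ID that jumps by more than
    max_id_jump relative to the previous RREQ seen from the same originator."""
    alerts, last_id = [], {}
    for t, src, rid in sorted(records):
        if src in last_id and rid - last_id[src] > max_id_jump:
            alerts.append((t, src, "rreq_id_jump"))
        last_id[src] = rid
    return alerts


def _counts_per_window(records):
    counts = defaultdict(lambda: defaultdict(int))
    for t, src, _ in records:
        counts[src][t // WINDOW] += 1
    return counts


def build_profile(records):
    """Behaviour-based detection, learning phase: mean and standard deviation of the
    number of RREQs per window for every originator seen in the training data."""
    times = [t for t, _, _ in records]
    first, last = min(times) // WINDOW, max(times) // WINDOW
    profile = {}
    for src, per_win in _counts_per_window(records).items():
        vals = [per_win.get(w, 0) for w in range(first, last + 1)]
        profile[src] = (statistics.mean(vals), statistics.pstdev(vals))
    return profile


def anomaly_detect(records, profile, k=3.0):
    """Detection phase: flag any window whose RREQ count exceeds mean + k * sigma.
    Sigma is floored at 1 so a perfectly regular training node still gets a usable threshold."""
    alerts = []
    for src, per_win in _counts_per_window(records).items():
        if src not in profile:
            alerts.append((src, None, "unknown_originator"))  # never seen during training
            continue
        mu, sigma = profile[src]
        threshold = mu + k * max(sigma, 1.0)
        for w, c in sorted(per_win.items()):
            if c > threshold:
                alerts.append((src, w, "rate_anomaly"))
    return alerts


def run_demo():
    """Run both detectors; misuse needs the training records too, to know each node's last RREQ ID."""
    profile = build_profile(NORMAL)
    return misuse_detect(NORMAL + TEST), anomaly_detect(TEST, profile)


if __name__ == "__main__":
    misuse, anomaly = run_demo()
    print("misuse alerts :", misuse)   # only M: the modelled signature fires, B's burst is no known pattern
    print("anomaly alerts:", anomaly)  # M (true positive) and B's legitimate burst (false positive)
```

The misuse detector reports only M, because the flood matches the one signature it knows, and it would stay silent on any attack not modelled. The anomaly detector also catches M without any signature, but it additionally flags B's legitimate burst of repairs, which is exactly the false-positive cost the text attributes to behaviour-based detection.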

2.4 Intrusion Detection for MANETs


As discussed earlier, Mobile Ad Hoc Networks are fundamentally different from their
wired counterparts or even from infrastructure-based networks. The nature of MANETs
not only introduces new security concerns but also exacerbates the problem of detecting
and preventing anomalous behavior. While in a wired network or in an infrastructure-based
wireless network an intruder could be a host that is either inside or outside the network and
could be subjected to varying degrees of access control and authentication, in a MANET
an intruder is a part of the network infrastructure. Moreover, at the outset, an intruder in a
MANET could be a trusted and integral component of the network infrastructure and only
later exhibit aberrant behavior.

2.5 IDS Techniques for MANETs proposed in the literature


Intrusion Detection that addresses secure routing, arguably the most important issue in
MANETs, has interested many researchers. Numerous techniques for intrusion detection have been
proposed in the literature, in both the categories of anomaly detection and misuse detection.
In this section we discuss some of these techniques.

2.5.1 Watchdog and Pathrater


Watchdog [18] was the first snooping intrusion detection protocol for MANETs. Watchdog
relies upon DSR. Each node participates by watching its downstream node on the route
from source to destination to ensure that it has retransmitted the packet without
modification. The authors hold that if source routing is not used, then a misbehaving node
could simply broadcast to a non-existent node to fool the watchdog. To mitigate the effects
of a misbehaving node, the authors also introduce Pathrater, which selects a path from
source to destination based on a reliability metric instead of the shortest path. This
approach relieves the malicious node of the requirement to participate in the routing
process, which may be construed as a reward.

2.5.2 Security Enhancements in AODV


Bhargava et al. [19] propose a solution to attacks caused by a node internal
to the Ad Hoc network where the underlying routing protocol is AODV. The intrusion
detection system is composed of the Intrusion Detection Model (IDM) and the Intrusion
Response Model (IRM). The Intrusion Detection Model claims to capture the following
attacks:
o Distributed False Route Requests
o Denial of Service
o Destination is compromised
o Impersonation
o Routing Information Disclosure
The Intrusion Response Model is a counter that is incremented whenever a malicious act is
encountered. When the value reaches a predefined threshold, the malicious node is isolated.
The authors have provided statistics for the accuracy of the model.

2.5.3 Intrusion Detection in Wireless Ad Hoc Networks


In this scheme, Zhang et al. [20] propose an intrusion detection technique for wireless Ad
Hoc networks that uses cooperative statistical anomaly detection techniques. Each
intrusion detection agent runs independently and detects intrusions from local traces. Only
one-hop information is maintained at each node for each route. If local evidence is
inconclusive, the neighboring IDS agents cooperate to perform global intrusion detection.
The authors utilize a misuse detection technique to reduce the number of false positives.
This method leverages information about the physical location of the nodes. Therefore, the
nodes need to have an IDS running and a built-in GPS device.
The approach to intrusion detection presented by the authors does not require each node to
possess location detection capabilities. However, dependence on location information may
not always be desirable for all applications.

2.5.4 Real-time Intrusion Detection for Ad hoc Networks (RIDAN)


The RIDAN system [10] is a novel architecture that uses knowledge-based intrusion
detection techniques to detect active attacks that an adversary can perform against the
routing fabric of mobile Ad Hoc networks. Moreover, the system is designed to take
countermeasures to minimize the effectiveness of an attack and keep the performance of
the network within acceptable limits.
The novelty of the system lies in the usage of timed finite state machines that enable the
real-time detection of active attacks; the detection process relies on a state-based misuse
detection system. In this case, every node needs to run the IDS agent.
It is not clear in this system how an attack that requires more than one-hop information is
detected.

2.5.5 A Specification-based Intrusion Detection System for AODV


[21] proposes a solution based on specification-based intrusion detection to detect attacks
on AODV. The approach involves the use of finite state machines for specifying correct
AODV routing behavior and distributed network monitors for detecting run-time violation
of the specifications. An additional field in the protocol message is proposed to enable the
monitoring.

2.5.6 Secure Efficient Ad hoc Distance Vector (SEAD)


SEAD [22] is a proactive routing protocol based on the design of DSDV. The work focuses
on protecting routing updates, both periodic and triggered, by preventing an attacker from
forging better metrics or sequence numbers in such update packets.
Besides the fields common with DSDV such as destination, metric, next hop and sequence
number, SEAD routing tables maintain a hash value for each entry. The use of one-way
hash chains built from a one-way hash function H is the key feature of the proposed security
protocol.
Each node computes a list of hash values h0, h1, ..., hn, where hi = H(hi-1) for 0 < i <= n, based
on an initial random value h0. The paper assumes the existence of a mechanism for
distributing hn to all the intended receivers. If a node knows H and a trusted value hn, then
it can authenticate any other value hi, 0 < i <= n, by successively applying the hash function
H and then comparing the result with hn.
To authenticate a route update, a node adds a hash value to each routing table entry. For a
metric j and a sequence number i, the hash value with index n - mi + j, i.e. h(n-mi+j), is used
to authenticate the routing update entry for that sequence number, where m-1 is the maximum
network diameter. Since an attacker cannot compute a hash value with a smaller index than
the advertised value, he is not able to advertise a route to the same destination with a greater
sequence number or with a better metric.
SEAD provides a robust protocol against attackers trying to create incorrect routing state in
other nodes by modifying the sequence number or the routing metric. SEAD does not
provide a way to prevent an attacker from tampering with the next hop or destination field in a
routing update. Also, it cannot prevent an attacker from using the same metric and sequence
number learnt from some recent update message to send a new routing update for a
different destination.
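The index arithmetic above is what gives SEAD its one-directional property, so it is worth carrying through in code. The following Python example is added here and is not the SEAD authors' implementation: it builds a hash chain with the page's definition hi = H(hi-1), authenticates an arbitrary hi against a trusted hn by hashing forward, and maps (sequence number, metric) to the index n - mi + j. SHA-256 as the instance of H, the chain length n = m * max_seq, the class and function names, and the demo values (m = 4, eight sequence numbers) are choices of this example, not of the paper.

```python
import hashlib
import os
from typing import List, Optional


def H(x: bytes) -> bytes:
    """The one-way hash function H of the protocol; SHA-256 is this example's choice."""
    return hashlib.sha256(x).digest()


def build_chain(n: int, h0: Optional[bytes] = None) -> List[bytes]:
    """Return [h0, h1, ..., hn] with h_i = H(h_{i-1}); h0 is a random secret of the originator."""
    chain = [h0 if h0 is not None else os.urandom(32)]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain


def authenticate(candidate: bytes, i: int, hn: bytes, n: int) -> bool:
    """Accept candidate as h_i by hashing it forward n - i times and comparing with the trusted hn."""
    if not 0 <= i <= n:
        return False
    v = candidate
    for _ in range(n - i):
        v = H(v)
    return v == hn


class SeadEntryAuth:
    """Maps (sequence number i, metric j) to chain index n - m*i + j, as in the SEAD description."""

    def __init__(self, m: int, max_seq: int, chain: Optional[List[bytes]] = None):
        self.m, self.n = m, m * max_seq          # n = m * max_seq is this example's sizing choice
        self.chain = chain if chain is not None else build_chain(self.n)
        self.hn = self.chain[-1]                 # the value assumed to be distributed to all receivers

    def index(self, seq: int, metric: int) -> int:
        if not (1 <= seq <= self.n // self.m) or not (0 <= metric < self.m):
            raise ValueError("sequence number or metric out of range")
        return self.n - self.m * seq + metric

    def entry_hash(self, seq: int, metric: int) -> bytes:
        """Only the originator, which holds the whole chain, can produce an arbitrary entry hash."""
        return self.chain[self.index(seq, metric)]

    def verify(self, seq: int, metric: int, h: bytes) -> bool:
        """What a receiving node does with only H and the trusted hn."""
        try:
            return authenticate(h, self.index(seq, metric), self.hn, self.n)
        except ValueError:
            return False


def forward_entry(h: bytes) -> bytes:
    """An honest forwarder re-advertises the entry with metric + 1, i.e. index + 1: one more hash."""
    return H(h)


def demo() -> dict:
    # Network diameter at most 3 hops (m - 1 = 3) and eight sequence numbers: constructed values.
    auth = SeadEntryAuth(m=4, max_seq=8)
    h = auth.entry_hash(seq=3, metric=1)         # originator's advertisement: seq 3, one hop away
    return {
        "genuine": auth.verify(3, 1, h),
        "honest_forward": auth.verify(3, 2, forward_entry(h)),      # index + 1 is computable
        "forged_better_metric": auth.verify(3, 0, h),               # index - 1: needs a preimage
        "forged_newer_seq": auth.verify(4, 1, h),                   # index - m: needs a preimage
        "forged_newer_seq_hashed": auth.verify(4, 1, forward_entry(h)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} accepted={ok}")
```

Hashing only ever moves to a larger index, so a node that has seen h(n-mi+j) can legitimately produce the entry for a worse metric (j+1) but nothing for a better metric or a newer sequence number; those would require inverting H. The example also shows the limitation the text notes: the hash binds the (sequence number, metric) pair only, so reusing a learnt value for a different destination or next hop is not detected by this check.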

2.5.7 Context Aware Detection of Selfish Nodes in DSR


This system utilizes hash chains in the route discovery phase of DSR, destination-keyed
hash chains, and the promiscuous mode of the link layer to observe malicious acts of neighboring
nodes [23]. The observers of the malicious node independently communicate their findings
to the source node. The source node executes an inference scheme based on majority
voting to rate an accused node. After the source node has reached a decision, it advertises
this rating along with adequate proof to trusted nodes. The trusted nodes, upon reception of
these ratings, decide not to provide any service to the malicious node. This approach
introduces a fear-based awareness in the malicious nodes that their actions are being
watched and rated, which helps in reducing mischief in the system.
A potential problem of this system could be the mobility of the nodes. Since the malicious
node can go out of range and come back into the network with a different IP address, it can
still take advantage of the network. Also, since this method uses cryptographic mechanisms
to detect malicious attacks, it cannot be classified as a pure intrusion detection system.
However, it holds many properties as in [24], like network auditing to decide whether a
node is malicious.

2.6 Chapter Summary


We discussed the problem of secure routing in Mobile Ad Hoc Networks and the various
issues involved in the process. We then discussed some of the Intrusion Detection
mechanisms proposed in the literature for MANETs.
In the literature survey, we discussed different types of approaches to Intrusion Detection
in MANETs. Each of the approaches works best for a given type of attack, for a particular
scenario. Most of the approaches work well for Intrusion Detection one hop away. There are
not many distributed solutions addressing Intrusion Detection deeper into the network.
In the next chapter, we discuss our approach to the problem of intrusion detection in
MANETs with respect to the sequence number modification attack and the packet dropping attack.

3 Intrusion Detection AODV (IDAODV)


In this chapter we propose and discuss IDAODV, an Intrusion Detection mechanism for
Wireless Mobile Ad Hoc Networks.
IDAODV is based on State Transition Analysis Technique, which was initially developed
to model host-based and network-based intrusions in a wired network environment.
Of all the routing protocols proposed for MANETs, AODV has been very popular and has
become an Internet standard. This also has been the reason for AODV becoming more and
more vulnerable to attacks. The AODV routing protocol was described in Chapter 2. Our
IDS has been designed on top of this protocol.

3.1 Problem Statement/ AODV Routing Attacks


AODV presents many opportunities to attackers. We first identify a number of misuse
goals that an inside attacker may want to achieve [32]. The misuse goals can be one or
more of the following:
o Route Disruption: Route Disruption means either breaking down an existing route or
preventing a new route from being established.
o Route Invasion: Route invasion means that an inside attacker adds itself into a route
between two endpoints of a communication channel.
o Node Isolation: Node isolation refers to preventing a given node from communicating
with any other node in the network. It differs from Route Disruption in that Route
Disruption targets a route with two given endpoints, while node isolation aims at all
possible routes.
o Resource Consumption: Resource consumption refers to consuming the
communication bandwidth in the network or storage space at individual nodes. For
example, an inside attacker may consume the network bandwidth by forming a
loop in the network.
o Denial of Service
To achieve these goals, the following misuse actions or attacks may be performed:

3.1.1 Packet Dropping Attack


In a packet dropping attack, the attacker simply drops the received routing message. Packet
dropping is detected by checking whether a neighbor forwards packets towards the final
destination. To be able to do this, it is necessary to maintain a neighbor table.
This attack can be divided into various subcategories as follows:
If an attacker applies such attacks to all the RREQ messages it receives, this kind of misuse
is equivalent to not having the attacking node in the network. An inside attacker may also
selectively drop RREQ messages. Attackers that launch such misuses are similar in nature
to selfish nodes.
If the attacker applies this attack to RREP messages, it can in some cases lead to route
disruption.

The attack can also be applied to data packets, where an inside attacker prevents a victim
node from receiving data packets from other nodes for a short period of time. The attacker
may make the following modifications after it receives a RREQ message from the victim
node: (1) Increase the RREQ ID by a small number; (2) Replace the destination IP address
with a non-existent IP address; (3) Increase the source sequence number by at least one; (4)
Set the source IP address in the IP header to a non-existent IP address. The attacker then
broadcasts the forged message. When the neighbors of the attacker receive the faked RREQ
message, they update the next hop to the source node to the non-existent node, since the
faked RREQ message will have a greater source sequence number. Due to the non-existent
destination IP address, the faked message can be broadcast to the farthest nodes in the ad
hoc network. When other nodes want to send data packets to the source node, they will use
the routes established by the faked RREQ message, and the data packets will be dropped
due to the non-existent node. This attack, however, cannot fully isolate the victim node due
to local repair mechanisms in the AODV protocol. The other nodes will initiate another
round of route discovery if they note that the data packets cannot be delivered successfully.
In addition, the victim node may still be able to send data packets to other nodes.

Figure 3.1: Concept of Sequence Number Attack (figure not reproduced; it shows an RREQ
broadcast among nodes A, B and D with their sequence numbers)


Several of the atomic misuses of RREQ messages use RREQ messages to add entries to the
routing tables of other nodes. These entries are different from those established through
the normal exchange of RREQ and RREP messages. In particular, the lifetime of these entries
is set to a default value (e.g., 3 seconds as in our experiments). Thus, to keep such entries
effective, an attacker needs to launch the atomic misuses periodically.

3.1.2 Sequence Number Attack


The sequence number indicates the freshness of the route to the associated node. If an attacker
sends out an AODV control packet with a forged large sequence number for the victim
node, it will change the route to that victim node. The sequence number can be increased to
update other nodes' reverse route tables, or decreased to suppress the update. This applies
to both the Source Sequence Number and the Destination Sequence Number.
The RREQ ID together with the source IP address uniquely identifies a RREQ message; they
indicate the freshness of a RREQ message. Since a node only accepts the first copy of a
RREQ message, an increased RREQ ID together with the source IP address guarantees that
the faked RREQ message is accepted by other nodes.
The concept of the sequence number attack is highlighted in Figure 3.1.

3.1.3 Field Modification Attack


Although sequence number attack is a subclass of this attack, we list it separately to
highlight its importance and its impact on proper routing.


The attacker can modify other fields in a RREQ or RREP message. Some of these are:

RREQ Message Field      | Modifications
------------------------|------------------------------------------------------------
Type                    | Change the message type
RREQ ID                 | Increase to make the faked RREQ message acceptable, or
                        | decrease to make the RREQ message unacceptable.
Hop Count               | Decrease to update other nodes' reverse routing tables, or
                        | increase to invalidate the update.
Destination IP Address  | Replace with another IP address
Source IP Address       | Replace with another IP address to change the reverse route

Several fields have immediate security implications when modified.


To ensure loop freedom in AODV, after receiving a RREQ message, a node updates its
reverse routing table only if the source sequence number field in the RREQ message is
greater than that in its routing table, or the source sequence numbers are equal but the hop
count field in the RREQ message is smaller than that in the routing table. An inside
attacker may therefore change these fields to affect other nodes' routing tables.
An intermediate node or a source node updates its forward routing table if the destination
sequence number in the RREP message is greater than the one in its routing table, or the
destination sequence numbers are the same but the hop count in the RREP message plus
one is smaller than the one in its routing table. An inside attacker may increase the
sequence numbers or decrease the hop count in a faked RREQ message to update other
nodes' routing tables, or decrease the sequence numbers or increase the hop count to
invalidate a RREQ message.
The attacker can also forge an RREP message, as if it had a fresh enough route to the
destination node. By increasing the destination sequence number, the attacker may suppress
the legitimate RREP message.
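To make the two update rules concrete, here is an added example (not code from the thesis or from any AODV implementation) that encodes the reverse-route and forward-route acceptance tests above and shows how a RREP carrying an inflated destination sequence number displaces a shorter legitimate route. The RouteEntry layout, the node names and the sequence values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class RouteEntry:
    next_hop: str
    seq: int          # last known sequence number of the route's target node
    hop_count: int


def reverse_route_update(table: Dict[str, RouteEntry], src: str, prev_hop: str,
                         src_seq: int, hop_count: int) -> bool:
    """Reverse-route rule applied when a RREQ arrives: replace the entry for the
    RREQ source only if the source sequence number is greater than the stored
    one, or equal with a smaller hop count. Returns True if the table changed."""
    cur = table.get(src)
    if cur is None or src_seq > cur.seq or (src_seq == cur.seq and hop_count < cur.hop_count):
        table[src] = RouteEntry(prev_hop, src_seq, hop_count)
        return True
    return False


def forward_route_update(table: Dict[str, RouteEntry], dst: str, from_node: str,
                         dst_seq: int, hop_count: int) -> bool:
    """Forward-route rule applied when a RREP arrives: replace the entry for the
    destination only if the destination sequence number is greater, or equal
    with hop_count + 1 smaller than the stored hop count."""
    cur = table.get(dst)
    if cur is None or dst_seq > cur.seq or (dst_seq == cur.seq and hop_count + 1 < cur.hop_count):
        table[dst] = RouteEntry(from_node, dst_seq, hop_count + 1)
        return True
    return False


def demo_forged_destination_sequence() -> Tuple[bool, bool, str]:
    """Constructed scenario: neighbor B reports D at 1 hop (seq 5). A later
    reply with the same sequence number over a longer path is rejected, but a
    reply from M carrying seq 6 over the same longer path is accepted, so M
    becomes the next hop towards D. Returns (rejected, accepted, next_hop_to_D)."""
    table: Dict[str, RouteEntry] = {}
    forward_route_update(table, "D", "B", dst_seq=5, hop_count=1)
    rejected = not forward_route_update(table, "D", "C", dst_seq=5, hop_count=3)
    accepted = forward_route_update(table, "D", "M", dst_seq=6, hop_count=3)
    return rejected, accepted, table["D"].next_hop
```

Seen from a monitor's side, the acceptance test itself is not the defect: nothing in it distinguishes a sequence number the destination really advertised from one an intermediate node made up, which is why the monitors described later compare forwarded copies of the same message instead of trusting the fields of any single copy.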

3.1.4 Field Addition Attack


An inside attacker may forge a RREQ message without receiving an RREQ message. The
attacker may need to collect some necessary information to forge RREQ messages (e.g., by
listening to the traffic). Theoretically, the attacker may forge any field in a RREQ message
and cause disruption.

3.2 Outline of Intrusion Detection AODV

Our method is based on the work presented in [10]. Like RIDAN, our method uses Finite
State Machines to enable the real-time detection of active attacks. However, RIDAN does
not offer a distributed architecture for detecting attacks that require more than one-hop
information.
IDAODV can be characterized as an architecture model for intrusion detection in
wireless Ad Hoc networks. We call this an architecture model because it does not perform
any change in the underlying routing protocol but merely intercepts routing and application
traffic.

IDAODV has been implemented on top of AODV, which has recently become an Internet
standard. However, the attacks that the IDAODV is designed to detect are specific to the
AODV protocol. The process of detecting the attacks and the overall architecture can be
extended to operate with ease with other protocols like DSR.
The system follows a knowledge-based technique to detect network intrusions. The fact that
it uses a Finite State Machine (FSM) enables the system to detect malicious activity in real
time rather than relying on statistical analysis of previously captured traffic.
A finite state machine can be defined as an abstract machine consisting of a set of states
(including the initial state), a set of input events, a set of output events, and a state
transition function [25]. The function takes the current state and an input event and returns
the new set of output events and the next state. The state machine can also be viewed as a
function, which maps an ordered sequence of input events into a corresponding sequence of
output events.
The intrusion detection component operates locally in every participating node and thus its
performance depends on the network traffic. Based on the number of packets received in
any time unit, more than one FSM that are part of the intrusion detection component may
be triggered.
The FSM was constructed after studying the internal operations of the AODV routing
protocol. In order to recognize the traffic patterns occurring when a malicious attack is
performed against the routing fabric, the traffic for the protocol was analyzed in both its
static and mobile conditions.

Figure 3.2 depicts the top-level architecture of IDAODV.

3.3 Assumptions
We make the following assumptions. They are realistic and can easily be realized in
MANETs.
o Every link between the participating nodes is bidirectional
o The MAC addresses of the participating nodes remain unchanged.
o Duplicate MAC addresses are not present.
o Network monitor is able to cover all nodes. Monitors passively listen to the routing
messages and are discussed subsequently.
o Nodes can listen to transmissions from immediate neighbors.
o All the participating nodes other than the malicious nodes have the intrusion detection
component activated.


3.4 Details of IDAODV


We now describe the details of the design and implementation of the proposed IDAODV.
IDAODV detects attacks against the AODV routing protocol in Wireless Mobile Ad Hoc
Networks. The components of IDAODV are discussed in the following sections.

Figure 3.2: Architecture of IDAODV (figure not reproduced; labelled elements: Intruder,
Knowledge Base, Public Network, Active IDS, Monitor, Attack, and nodes A and S)

3.4.1 Network Monitor


The nature of Ad Hoc networks prohibits any single IDS node to observe all messages in a
request-reply flow. Therefore, tracing of RREQ and RREP messages in a request-reply
flow has to be performed by distributed network monitors (NM).


Figure 3.3 depicts the architecture of a network monitor. Network monitors passively listen
to routing messages and detect incorrect RREQ and RREP messages.
Messages are grouped based on the request-reply flow to which they belong. A request-reply
flow can be uniquely identified by the RREQ ID and the source and destination IP
addresses.

Figure 3.3: Network Monitor (figure not reproduced; the NM sniffs each new packet,
updates its forwarding table and session tree, detects anomalies against the FSM
constraints, and exchanges data with other network monitors if needed)

3.4.2 Finite State Machine


Specification-based approach provides a model to analyze attacks based on protocol
specifications.


A network monitor employs a finite state machine (FSM) [26] for detecting incorrect
RREQ and RREP messages [21, 27, 28, 29]. It maintains an FSM for each branch of a
request-reply flow. A request flow starts at the Source state. It transits to the RREQ
Forwarding state when a source node broadcasts the first RREQ message (with a new
RREQ ID). When a forwarded broadcast RREQ is detected, it stays in the RREQ
Forwarding state unless a corresponding RREP is detected. Then, if a unicast RREP is
detected, it goes to the RREP Forwarding state and stays there until the RREP reaches the
source node and the route is set up. If any suspicious activity or an anomaly is detected, it
goes to the Suspicious or Alarm state.
When an NM compares a new packet with the corresponding old packet, the primary goal
of the constraints is to make sure that the AODV header of the forwarded control packets is
not modified in an undesired manner. If an intermediate node responds to the request, the
NM verifies this response against its forwarding table as well as against the constraints, in
order to make sure that the intermediate node is not lying. In addition, the constraints are
used to detect packet drop and spoofing. The finite state machine is depicted in Figure 3.4.
Stamouli [10] did not use network monitors to trace the RREQ and RREP messages of a
request-reply flow in a distributed network, whereas the proposed FSM uses the flows
described above (Figure 3.3).

3.4.3 Sequence Number Attack Detection


In order for the intrusion detection to identify the sequence number attack, we analyzed
RREQ and RREP messages. The logic flow for the two is shown in Figures 3.5 and 3.6.

Figure 3.4: The finite state machine (figure not reproduced; states: Source, RREQ
forwarding, RREP forwarding, RERR, Suspicious, Alarm. Transitions: RREQ from source;
forwarded RREQ; RREP unicast or broadcast by an intermediate node with no anomaly
detected; RERR from the destination or an intermediate node, or RERR to the source, with
no anomaly detected; SN/HC not consistent leads to Alarm (SNHC forged); unknown IP and
MAC address pair leads to Alarm (Spoofing); forwarding RREP not heard leads to
Suspicious (Out of Range) and, if no forwarding is heard from the neighboring NM and
none of the neighboring NMs disagrees, to Alarm (Dropped/Lost))

Figure 3.5: Analyze RREQ Message (figure not reproduced; flowchart: for a newly detected
RREQ with HC = 0, update the node info and create a session tree; for a forwarded RREQ,
retrieve the session tree and report an anomaly if no tree is found, then compare the RREQ
ID, source sequence number, destination IP and hop count against the saved session values,
reporting an anomaly on mismatch and otherwise updating the RREQ session info and
inserting the new node into the session tree)

Figure 3.6: Analyze RREP Message (figure not reproduced; flowchart: check whether the
IP-MAC pair belongs to a monitored node, sending an inquiry message if not; get the
session tree using Dest_IP in the RREP and report an anomaly if no tree is found or if the
replying node or the next-hop IP is not in the tree; if the RREP initiator IP equals the Dest
IP, analyze the destination, otherwise analyze the intermediate node)

We ran simulations to evaluate IDS performance in both static and mobile conditions. The
nodes chosen as NMs were static in both cases, because it is assumed that an NM does not
leave its assigned monitoring position. Transitions such as a new RREQ whose source node
is not registered at the neighboring NM, or a forwarded RREP unicast by an intermediate
node with no anomaly detected, are among those traced. The IDS traced the different RREQ
and RREP flows initiated by the nodes. The IDS delayed route discovery, due to the added
monitoring messages as well as the processing overhead in the monitoring nodes.
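As an added example for the network monitor of sections 3.4.2 and 3.4.3 (illustrative code written for this page, not the IDAODV implementation), the following monitor groups sniffed messages into request-reply flows keyed by RREQ ID, source and destination IP, keeps a session tree per flow, and applies the constraints of Figures 3.4 to 3.6: a forwarded RREQ must keep the source sequence number and carry a hop count one above a node already in the tree, and a RREP must come from a node in the tree or from the destination itself. The Rreq/Rrep field names, the NetworkMonitor class and the sample capture are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rreq:
    sender: str      # node heard transmitting this copy (constructed field layout)
    rreq_id: int
    src: str
    dst: str
    src_seq: int
    hop_count: int


@dataclass(frozen=True)
class Rrep:
    sender: str      # destination or intermediate node heard transmitting the reply
    src: str         # RREQ originator the reply is addressed to
    dst: str
    dst_seq: int
    hop_count: int


class NetworkMonitor:
    """One FSM per request-reply flow: 'rreq_forwarding' until a RREP for the
    flow is heard, 'rrep_forwarding' afterwards, 'alarm' once an anomaly is seen."""

    def __init__(self) -> None:
        self.sessions: Dict[Tuple[int, str, str], dict] = {}
        self.alarms: List[str] = []

    def _alarm(self, key, reason: str) -> str:
        if key in self.sessions:
            self.sessions[key]["state"] = "alarm"
        self.alarms.append(f"{key}: {reason}")
        return reason

    def on_rreq(self, m: Rreq) -> Optional[str]:
        """Figure 3.5 logic: create a session tree for a new RREQ, check a
        forwarded RREQ against the saved session values."""
        key = (m.rreq_id, m.src, m.dst)
        s = self.sessions.get(key)
        if m.hop_count == 0 and m.sender == m.src:          # new RREQ from its source
            if s is None:
                self.sessions[key] = {"state": "rreq_forwarding",
                                      "src_seq": m.src_seq, "tree": {m.src: 0}}
                return None
            return self._alarm(key, "duplicate new RREQ")
        if s is None:
            return self._alarm(key, "forwarded RREQ without a session")
        if m.src_seq != s["src_seq"]:                        # SN forged
            return self._alarm(key, "source sequence number modified")
        if (m.hop_count - 1) not in s["tree"].values():      # HC forged
            return self._alarm(key, "hop count inconsistent")
        s["tree"].setdefault(m.sender, m.hop_count)          # insert node into session tree
        return None

    def on_rrep(self, m: Rrep) -> Optional[str]:
        """Figure 3.6 logic: find the session tree by source/destination, require
        the replying node to be in the tree (or be the destination itself), and
        require the destination sequence number to stay fixed while forwarded."""
        cands = [k for k in self.sessions if k[1] == m.src and k[2] == m.dst]
        if not cands:
            return self._alarm((None, m.src, m.dst), "RREP for unknown flow")
        key = max(cands)                                     # most recent RREQ ID
        s = self.sessions[key]
        if m.sender != m.dst and m.sender not in s["tree"]:
            return self._alarm(key, "replying node not in session tree")
        if "dst_seq" not in s:                               # first RREP of the flow
            s["dst_seq"] = m.dst_seq
            if s["state"] == "rreq_forwarding":
                s["state"] = "rrep_forwarding"
            return None
        if m.dst_seq != s["dst_seq"]:
            return self._alarm(key, "destination sequence number modified")
        return None


def run_sample() -> List[str]:
    """Constructed capture: a clean flow S -> A -> B -> D, one rebroadcast with a
    forged source sequence number, and one RREP from a node outside the flow."""
    nm = NetworkMonitor()
    capture = [
        Rreq("S", 7, "S", "D", 3, 0),
        Rreq("A", 7, "S", "D", 3, 1),
        Rreq("B", 7, "S", "D", 3, 2),
        Rreq("M", 7, "S", "D", 9, 2),   # M claims a higher source sequence number
        Rrep("D", "S", "D", 12, 0),
        Rrep("B", "S", "D", 12, 1),
        Rrep("X", "S", "D", 12, 2),     # X never took part in the request flow
    ]
    for m in capture:
        if isinstance(m, Rreq):
            nm.on_rreq(m)
        else:
            nm.on_rrep(m)
    return nm.alarms
```

The IP/MAC pair check and the inquiry message to neighbouring monitors from Figure 3.6 are left out here; they need the neighbour table and monitor-to-monitor exchange that this single-monitor sketch does not model.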

3.4.4 Algorithms

For the intrusion detection to identify the sequence number attack, we analyzed two
algorithms.

3.4.4.1 Notations

The following notations have been used for the description of the algorithms.
For a set of paths denoted by P, where, path P is an ordered set of nodes,
The length of P is defined in terms of number of hops and denoted by |P|
For 0 i |P|, P[i] is the ith node in the path.

3.4.4.2 Assumptions

The following assumptions have been made for the algorithms.


1. Pi, Pj P, Pi Pj
e.g. if P1 = {A, B, C} and P2 = {A, B, C, D}, remove P1
2. Pi, Pj P, Pi[|Pi| - 1] Pj, |Pj|
e.g. if P1 = {A, B, C} and P2 = {A, B, D, E}, remove C from P1
3. Pi P, |Pi| > 1
3.4.4.3 Algorithm 1: Detection of Routing Packets Dropped

Check a path from the farthest node to the nearest

p P, check p[|p|]

If an ACK is received v p and v p[|p|], v is Good

Otherwise, check p[|p| - 1]

If an ACK is not received from p[i+1] but received from p[i], 0 i < |p|, select p[i]

3.4.4.4 Algorithm 2: Node Selection

If p[i] is responsive but p[i+1] is not, there are three possibilities:


o p[i] is Bad
o p[i+1] is Lost
o The link p[i+1] p[i] is broken


Search next shortest path, pa, to p[i+1] without going through p[i]

If p[i+1] is responsive, check p[i] over pa p[i+1] p[i]. If p[i] is responsive, p[i]
is Bad. Otherwise p[i+1] p[i] is broken
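As an added example for Algorithms 1 and 2 (written for this page, not the thesis' code), the following implements the farthest-to-nearest probing and the three-way disambiguation over an alternate path. The Network class is a constructed stand-in for the routing cache plus an ACK oracle: it assumes a bad node drops probes it should forward but still acknowledges probes addressed to itself, which is the property Algorithm 2 relies on. The node names, links and the probe() oracle are constructed.

```python
from collections import deque
from typing import Dict, List, Optional, Set


class Network:
    """Constructed topology: links known to the routing cache, plus ground
    truth the detector cannot see directly (bad nodes, failed links)."""

    def __init__(self, links, bad=(), down=()):
        self.links = {frozenset(l) for l in links}
        self.bad: Set[str] = set(bad)
        self.down = {frozenset(l) for l in down}

    def probe(self, path: List[str]) -> bool:
        """True if a probe sent along `path` is acknowledged by its last node.
        Fails if any link on the path is down or any intermediate node drops
        packets it should forward (assumption: a bad node still answers probes
        addressed to itself)."""
        for a, b in zip(path, path[1:]):
            link = frozenset((a, b))
            if link not in self.links or link in self.down:
                return False
        return not any(n in self.bad for n in path[1:-1])

    def shortest_path(self, src: str, dst: str, avoid: str) -> Optional[List[str]]:
        """BFS over cached links that never passes through `avoid`."""
        prev: Dict[str, Optional[str]] = {src: None}
        q = deque([src])
        while q:
            n = q.popleft()
            if n == dst:
                out = []
                while n is not None:
                    out.append(n)
                    n = prev[n]
                return out[::-1]
            for link in self.links:
                if n in link:
                    (m,) = link - {n}
                    if m != avoid and m not in prev:
                        prev[m] = n
                        q.append(m)
        return None


def algorithm1(net: Network, p: List[str]) -> Optional[int]:
    """Algorithm 1: probe p from the farthest node inward. Returns None when the
    farthest node acknowledges (every node on p is Good), otherwise the index i
    with p[i] responsive and p[i+1] not."""
    for i in range(len(p) - 1, 0, -1):
        if net.probe(p[:i + 1]):
            return None if i == len(p) - 1 else i
    return 0          # even the first hop is silent: p[1] is unresponsive


def algorithm2(net: Network, p: List[str], i: int) -> str:
    """Algorithm 2: decide between p[i] Bad, p[i+1] Lost and link p[i+1]-p[i] broken."""
    pa = net.shortest_path(p[0], p[i + 1], avoid=p[i])
    if pa is None or not net.probe(pa):
        return f"{p[i + 1]} is Lost"
    if net.probe(pa + [p[i]]):          # reach p[i] over pa, then across the suspect link
        return f"{p[i]} is Bad"
    return f"link {p[i + 1]}-{p[i]} is broken"


def diagnose(net: Network, p: List[str]) -> str:
    i = algorithm1(net, p)
    if i is None:
        return "all nodes Good"
    return algorithm2(net, p, i)


# Constructed topology: main path S-A-B-C-D with an alternate path S-E-C.
LINKS = [("S", "A"), ("A", "B"), ("B", "C"), ("C", "D"), ("S", "E"), ("E", "C")]
PATH = ["S", "A", "B", "C", "D"]
```

Running diagnose() over the same path with a bad node B, with the B-C link down, and with C unreachable altogether yields the three different verdicts of Algorithm 2; the alternate path is what separates a dropping node from an honest node behind a dead link.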

3.4.5 Simulation
The experiments were simulated using NS-2. The following section details the simulation
environment, metrics and the results.

3.4.6 Simulation Environment

Grid Size: 1000x1000 Meters

Packet Traffic: 10 Constant Bit Rate (CBR) Traffic connections were generated
simultaneously. Four nodes were the sources for two streams each, and two nodes
were the sources for a single stream each. Destination nodes only receive one CBR
stream each.

Nodes: A total of 30 nodes were simulated. Of these, 16 were communicating. The
number of bad nodes was varied through the simulation.

Mobility: Random waypoint model was chosen with maximum speed set to 20
meters per second. Pause time was set to 15 seconds.

Routing Protocol: AODV

MAC Layer: 802.11, peer-to-peer MAC Layer model was used.


Radio: We used the no fading radio model with the radio range set to 250 meters.

Simulation Time: 900 Seconds

Dropped Packet Timeout: Timeout period was set to 10 seconds

Dropped Packet Threshold: Set to 10 packets

Clear Delay: Set to 100 seconds, this is an event expiration timer. This is the
amount of time for which a node would consider an event before arriving at a
conclusion.

Modification Threshold: Set to 5 events

Neighbor Hello Period: Set to 30 Seconds.

3.4.7 Metrics

For the performance measure of IDAODV, we consider the following metrics: False
Positives, Detection Rate and Packet Delivery Ratio in both static and mobile conditions.
All results are averaged over a number of simulation runs.

3.4.8 Results and Discussion

As mentioned earlier, our work is a modification of that done by Stamouli et al. [10]. Each
graph in the results plots its metric against the packet delivery percentage and the number of
connections.


3.4.8.1 Evaluation of Sequence Number Attack Detection

The four metrics that were used in the evaluation of the Sequence Number Attack
Detection and countermeasure mechanism are the delivery ratio, the number of false
routing packets sent by the attacker, false positive and detection rate.

Figure 3.7: Delivery Ratio Vs Number of Connections

Figure 3.8: Delivery Ratio Vs Speed of Nodes

Figure 3.9: Percentage of False Positives Vs percentage of bad nodes

Figure 3.10: Percentage of Detected bad nodes Vs percentage of bad nodes

In figures 3.7 and 3.8, delivery ratio is plotted as the node mobility or density increases.
The normalized overhead of AODV is 2-4 times more when the network is loaded. In the
graphs, the overhead of AODV is considered with a fully loaded network. As can be seen
from the graph, with IDAODV running, delivery ratio is increased by as much as 72%.
The second metric that was used in the evaluation of this attack was the number of false
packets sent by the attacking node versus the number of active connections and the node
mobility. This metric was used to examine the overhead of the sequence number attack and
we considered only the extra cost on communication imposed by the attack. We observed
that the average number of RREPs sent by the malicious node in all the experiments was
1856 and the number of nodes that inserted the false route into their routing table was 20
out of 30.
In figure 3.9, false positives are nodes incorrectly labeled as malicious. As expected, the
performance of Active response protocol improved with respect to false positives as the
density of the malicious nodes increased.
Figure 3.10 shows the detection rate. In the best case, 93% of the attacks can be detected,
whereas, the worst case detection rate is 80%. There are several reasons why a bad node
may go undetected. First, the bad node may not be in any path in the routing cache each
time when the monitors begin to check. Since the paths are based solely on the paths
maintained by the routing cache, if a node is not contained in any path, its forwarding
function will not be monitored. Second, there may be two consecutive bad nodes in a path,
in which case the bad behavior of one node is hidden by the other bad node.

3.4.9 Evaluation of the Drop Routing Packets Attack Detection


To evaluate this attack, the metrics chosen were delivery ratio and routing overhead ratio.
The following graphs show the performance.


Figure 3.11: Delivery Ratio Vs Number of Connections

Figure 3.12: Delivery Ratio Vs Node Mobility

Figure 3.13: Percentage of False Positives Vs percentage of bad nodes

Figure 3.14: Percentage of detected bad nodes Vs percentage of bad nodes

Figure 3.11 shows that IDAODV system improves the delivery ratio by 51% compared to
plain AODV. Figure 3.12 shows that the routing overhead introduced by the attack reduces
by 52%. IDAODV reduces the routing overhead ratio to approximately the levels that
normal AODV demonstrates.
In Figure 3.13 we see that the performance of active response protocol improves with
respect to false positives as the density of malicious nodes increases.
Figure 3.14 shows that in the best case, 93% of the bad nodes can be detected. The
worst-case detection rate is 77%.

3.4.10 Response to Intrusions

Our intrusion detection protocol allows for either an active or passive response to
intrusions. With either response mode, the outcome is the isolation of the offending node
from the network. In the passive mode, a node makes a unilateral decision based on its own
observations of anomalous behavior. The more frequent and abnormal the behavior on the
part of the malicious node, the sooner the intrusive node will be isolated and denied access
on the underlying network infrastructure.
The active response mode offers a higher level of assurance than the passive mode does.
The increased assurance level is due to a majority voting scheme and, consequently, the
flooding of the intrusive node's identity throughout the network. The active mode,
however, is more complex to implement.


3.4.10.1 Passive Response

Once the threshold value which mitigates the effects of link error for message misrouting
or message modification has been exceeded, an alarm is raised. In the passive mode, the
node that raised the alarm removes the intrusive node from its neighbor table and does not
participate in further route discoveries, Hello messages or collaborative routing with the
intrusive node. Additionally, the intrusive node's address is recorded in the BadNode
table. As we show in a later section on the details of the experiments, the denser the network,
the greater the number of nodes simultaneously declaring a node intrusive and preventing the
malicious node from utilizing network resources. If the node in question continues to
act intrusively, each node in the network will eventually make a unilateral decision to
disassociate itself from the intruder.

3.4.10.2 Active Response

Tay et al. [30] propose the Cluster Based Routing Protocol (CBRP) where nodes form
clusters, each with an elected cluster head. The role of the cluster head is to optimize
the route discovery process.

3.5 Improvements
The simulations using NS-2 have shown that AODV versions that use link layer support
have the overall best results in almost all simulations. AODV has, as mentioned
earlier, the advantage that it learns more information for each request it sends out. If a
request goes from S to D and the reply from D to S, S will learn the route to all
intermediate nodes between S and D. This means that it is not necessary to send out as
many requests as for AODV. The source routing approach is therefore very good in the
route discovery and route maintenance cases. However, source routing is not desirable
for data packets. First of all, it adds a lot of overhead. Secondly, it is not as traditional
as, for instance, distance vector or link state, which are widely used in wired networks.
Our proposal is therefore to implement a protocol that is a combination of source routing
and distance vector. Source routing should be used in the route discovery and route
maintenance phases. In these phases the routing tables would also be set up dynamically
during the propagation of the requests and replies. When data packets are forwarded, a
distance vector algorithm should be used: the packets are simply forwarded to the next hop
according to the routing table. This, in combination with the protocol storing several
routes for each destination, would probably yield a protocol whose performance is even
better than that of the protocols simulated in this thesis.

3.6 Chapter Summary


There are not many intrusion detection techniques proposed for Ad Hoc networks and the
field has not been explored completely. We believe that the proposed IDS will have a
positive impact in intrusion detection for wireless mobile Ad Hoc networks.
Our intrusion detection and response protocol for MANETs has been demonstrated to
perform better than the one described in [10] in terms of false positives and percentage of
packets delivered. The link changes and route changes are, with high probability, linear
functions of the maximum speed and the node pause time. In less stressful environments,
IDAODV outperforms for all metrics except protocol overhead. On-demand protocols
propagate link changes faster, and reduce the packet drops caused by them. Network
congestion is the dominant reason for packet drop. The performance of the protocol can be
further improved if congestion can be avoided.


4 Resource Depletion Attack for AODV Protocol


Introduction
Routing protocols have been developed that allow nodes to communicate, but these
protocols typically provide only best effort service. In particular, they do not provide a way
to control the consumption of resources in the network, such as battery power, bandwidth
or the carrying capacity of the nodes. Resource consumption refers to consuming the
communication bandwidth in the network or storage space at individual nodes.
For example, an insider attacker may consume the network bandwidth by forming a loop
in the network.

4.1 Create a Route Loop


Consider the following sequence of operations (attacker-side pseudocode):

Route_Loop(addr_t src, addr_t dst)
{
    /* needs a cached route to both ends of the targeted route */
    if (!read_route_entry(src) || !read_route_entry(dst))
    {
        return NO_ATTACK;
    }
    cur  = read_local_entry()->dst;          /* the attacker's own address */
    prev = read_route_entry(src)->next_hop;  /* upstream neighbor on the route */
    next = read_route_entry(dst)->next_hop;  /* downstream neighbor on the route */
    dseq = read_route_entry(dst)->seq;
    Add_Route(dst, prev, dseq+1);
    Active_Reply(src, dst, dseq+1, cur, next);
}

If the attacker is close to a route from Source to Destination such that two consecutive
nodes in this route, prev and next, are in the attacker's 1-hop neighborhood, the attacker
can first add a route to the Destination using prev as the next hop. It then generates an
Active_Reply to next, using a larger sequence number for Destination in the RREP
message. This makes next update its route to Destination via cur.
When prev receives a packet from Source, the packet is forwarded according to the
normal path and it will eventually reach next. However, next now thinks the best route
to Destination is through cur, and cur forwards it back to prev. This effectively
creates a loop on the route from Source to Destination, and all packets on the route will be
dropped when their TTL values drop to zero.


A similar attack can be implemented when the attacker is not close to the targeted route.
The attacker can first find a victim node V that is close to the route. Instead of calling
Add_Route locally on V (which would require an additional compromise of V), the attacker
can use either False_Request or Active_Reply to force V to update its route to
Destination via V's corresponding prev.

4.1.1 Loop Freedom of IDAODV


AODV is a loop-free protocol, as already proved in [38]. IDAODV also retains the
loop-freedom properties of the normal AODV protocol.

4.2 Depleting Batteries


Intruders may send data with the objective of congesting the network or depleting batteries.
We propose a method to detect this type of attack. The method calls for a minor
modification to the existing AODV protocol and incurs no additional overhead. This attack
can be defined as a node sending more RREQs than RREQ_RATELIMIT allows. The proposed
method has been designed to detect this type of attack on pure AODV as well as modified
AODV protocols. To measure the effectiveness of the proposed scheme, we simulated the
attack in a mobile environment and studied the performance results.

4.2.1 Proposed Method


From RFC-3561, the default value for RREQ_RATELIMIT is 10 RREQs per second. This
means that each node is expected to observe some self-control on the number of RREQs it
sends each second. A compromised node may choose to set the value of
RREQ_RATELIMIT to a very high number or even disable this limiting feature, allowing it
to send a large number of RREQ packets per second. The proposed scheme shifts the
responsibility of monitoring this parameter to the node's neighbors, ensuring compliance
with this restriction. This technique solves all of the problems caused by unnecessary
RREQs from a compromised node. Instead of self-control, the control exercised by a
node's neighbors prevents this attack.
RREQ_GOODLIST_LIMIT and RREQ_BADLIST_LIMIT
The proposal is based on the application of two parameters: RREQ_GOODLIST_LIMIT
and RREQ_BADLIST_LIMIT.
RREQ_GOODLIST_LIMIT denotes the number of RREQs that can be accepted and
processed per unit of time by a node. The purpose of this parameter is to specify a value
that ensures uniform usage of a node's resources by its neighbors. RREQs exceeding this
limit are dropped, but their time stamps are recorded. This information aids in monitoring
the neighbors' activities. In the simulations carried out, the value of this parameter was
kept at three (3 RREQs can be accepted per unit of time). This value, however, can be
adaptive, depending upon node metrics such as memory, processing power and battery.
The RREQ_BADLIST_LIMIT parameter is used to specify a value that aids in determining
whether a node is acting maliciously or not. To do so, the number of RREQs originated or
forwarded by a neighboring node per unit time is tracked. If this count exceeds the value of
RREQ_BADLIST_LIMIT, one can safely assume that the corresponding neighboring node
is trying to flood the network with fake RREQs. A neighboring node identified as
malicious can be badlisted, preventing further flooding of fake RREQs into the network.

The badlisted node is ignored for a period of time given by BADLIST_TIMEOUT, after
which it is unblocked. The proposed scheme has the ability to block a node for the
BADLIST_TIMEOUT period on an incremental basis: the BADLIST_TIMEOUT period is
doubled each time the node repeats its malicious behavior.
In our simulations, the value of RREQ_BADLIST_LIMIT is kept at 10 (i.e. more than 10
RREQs per unit time is treated as flooding activity). By badlisting a malicious node, all
neighbors of the malicious node restrict the flood of RREQs. In addition, the malicious
node is isolated by this distributed defense and cannot hog its neighbors' resources. The
neighboring nodes are therefore free to entertain the RREQs from genuine nodes. Nodes
that are confident about the malicious nature of a particular node can avoid using it for
subsequent network functions. In this way, genuine nodes are saved from experiencing this
attack.
Advantages of the Proposed Scheme
1. The proposed scheme incurs no extra overhead, as it makes minimal modifications
to the existing data structures and functions related to bad listing a node in the
existing version of pure AODV.
2. The proposed scheme is more efficient in terms of the resultant routes established,
resource reservations and computational complexity.
3. If multiple malicious nodes collaborate, they in turn will be restricted and isolated
by their neighbors, because they monitor and exercise control over forwarding
RREQs by nodes. Hence, the scheme successfully prevents distributed attacks.

The algorithms for our scheme are described below:

Algorithm-1 (TIME of RREQ)
1. RREQ received
2. If the RREQ is a forwarded one, then exit
3. Find NODE_ID in the RREQ_RATELIMIT table for the node that sent the RREQ
4. For that NODE_ID, set RREQ_TIME = RREQ_TIME + 1

Algorithm-2 (Find RATE of RREQ and find the intruder; this algorithm is run once
every second)
1. For every item of RREQ_RATELIMIT do
2. If RREQ_TIME > threshold then put NODE_ID into BADLIST and set RREQ_TIME = 0
3. Else set RREQ_TIME = 0

The functioning of the intruder is depicted pictorially in Fig 4.1.
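As an added example for the proposed scheme (illustrative code written for this page, not the thesis' NS-2 modification), the following neighbour-side monitor implements Algorithm-1 and Algorithm-2 with RREQ_GOODLIST_LIMIT = 3 and RREQ_BADLIST_LIMIT = 10 as in the simulations, plus a BADLIST_TIMEOUT that doubles each time a node is badlisted again. The time unit, the initial BADLIST_TIMEOUT value, the NeighborState fields and the sample RREQ stream are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RREQ_GOODLIST_LIMIT = 3      # RREQs accepted and processed per neighbour per unit time
RREQ_BADLIST_LIMIT = 10      # more than this per unit time is treated as flooding
BADLIST_TIMEOUT = 5.0        # initial badlist period in time units (constructed value)


@dataclass
class NeighborState:
    rreq_time: int = 0                        # Algorithm-1 counter for the current unit
    dropped_stamps: List[float] = field(default_factory=list)  # stamps of RREQs over the GOODLIST limit
    badlisted_until: float = 0.0
    timeout: float = BADLIST_TIMEOUT          # doubled each time the node is badlisted again


class RreqRateMonitor:
    """State a node keeps about each neighbour's RREQ behaviour."""

    def __init__(self) -> None:
        self.neighbors: Dict[str, NeighborState] = {}
        self.badlist: List[Tuple[str, float]] = []   # (node_id, badlisted_until)

    def on_rreq(self, node_id: str, now: float, forwarded: bool) -> str:
        """Algorithm-1, per received RREQ: forwarded RREQs exit immediately,
        originated ones are counted against the sending neighbour. Returns what
        the receiving node did with the packet."""
        if forwarded:
            return "exit"
        st = self.neighbors.setdefault(node_id, NeighborState())
        if now < st.badlisted_until:
            return "ignored_badlisted"
        st.rreq_time += 1
        if st.rreq_time > RREQ_GOODLIST_LIMIT:
            st.dropped_stamps.append(now)     # dropped, but the time stamp is recorded
            return "dropped"
        return "processed"

    def tick(self, now: float) -> List[str]:
        """Algorithm-2, run once per unit time: badlist every neighbour whose
        count exceeded RREQ_BADLIST_LIMIT, then reset all counters."""
        newly_badlisted = []
        for node_id, st in self.neighbors.items():
            if st.rreq_time > RREQ_BADLIST_LIMIT:
                st.badlisted_until = now + st.timeout
                self.badlist.append((node_id, st.badlisted_until))
                st.timeout *= 2               # incremental blocking on repeated behaviour
                newly_badlisted.append(node_id)
            st.rreq_time = 0
            st.dropped_stamps.clear()
        return newly_badlisted


def run_sample() -> dict:
    """Constructed stream: neighbour N1 originates 2 RREQs per unit, N2 floods
    12 per unit, over two consecutive units."""
    mon = RreqRateMonitor()
    results = {"N1": [], "N2": []}
    for unit in range(2):
        t0 = float(unit)
        for k in range(2):
            results["N1"].append(mon.on_rreq("N1", t0 + k * 0.1, forwarded=False))
        for k in range(12):
            results["N2"].append(mon.on_rreq("N2", t0 + k * 0.05, forwarded=False))
        mon.tick(t0 + 1.0)
    return {"n1": results["N1"], "n2": results["N2"], "badlist": mon.badlist,
            "n2_timeout": mon.neighbors["N2"].timeout}
```

In the sample, N1 is never affected, N2 gets its first three RREQs of the first unit processed and the rest dropped, is badlisted at the end of that unit, and has every RREQ of the second unit ignored; its next badlist period would already be twice the initial one.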


4.3 Simulation
This experiment was carried out using NS-2 [31]. We used the simulation
environment detailed in [18] as a starting point. The following subsection provides details
of the simulation environment, metrics and experimental results.

4.3.1 Simulation Environment

Grid Size: 1000x1000 Meters

Number of Nodes: 30 nodes in total. Out of these, 16 were involved in normal
communication, and we varied the number of bad nodes.

Routing Protocol: AODV was used.


Figure 4.1: Functioning of Intruder (Top), (Bottom) (figure not reproduced; labelled
elements: Intruder, Bogus Traffic, Node, Link for Attack Packet, and nodes A, C, D, E, F,
G, K, N, T)

MAC Layer: 802.11, peer-to-peer mode was chosen as the MAC layer protocol.

Radio: The No fading model was used, with the radio range set to 250 meters.

Mobility: Random waypoint model was used with maximum speed set to 20 meters
per second. Pause time was set to 15 seconds.

Packet Traffic: 10 Constant Bit Rate (CBR) connections were generated
simultaneously, where 4 nodes were the source for two streams each, and 2 nodes
were the source for a single stream. Each destination node receives only one CBR
stream.

Simulation Time: Simulation was run for 900 seconds.

Dropped Packet Timeout: Timeout period for dropped packets was set to 10
seconds.

Dropped Packet Threshold: Set to 10 packets.

Clear Delay: This is an event expiration timer, set to 100 seconds. This is the
amount of time for which a node considers an event before arriving at a conclusion.

Modification Threshold: The modification threshold was set to 5 events.

Neighborhood Hello Period: 30 seconds

Metrics such as delivery ratio, false positives and detected bad nodes are the important
determinants of network performance; they have been used to compare the performance
of the proposed scheme with the performance of the original protocol, i.e.
AODV. The study shows that the proposed scheme enhances the security of the routing
protocol without causing substantial degradation in network performance.

Figure 4.2: Delivery Ratio vs. Number of Connections

Figure 4.3: Delivery Ratio vs. Node Mobility

Figure 4.4: Percentage of False Positives vs. Percentage of Bad Nodes

Figure 4.5: Percentage of Detected Bad Nodes vs. Percentage of Bad Nodes

The averaged results in Figures 4.2 and 4.3 show that the effect of the attack decreases
while the delivery ratio improves by 80%.
Figure 4.4 shows that the performance of the Active Response protocols improves with
respect to false positives as the density of malicious nodes increases.
The detection rate is shown in Figure 4.5. In the best case, 93% of the bad nodes are
detected; the worst-case detection rate is 78%. In the previous chapter, we discussed why a
bad node may go undetected.

4.4 Performance Comparison Analysis with the RIDAN System

In this section, we present the results of our experiment using the NS-2 simulator for an
Ad Hoc network consisting of 30 nodes. We assume that there is one intruder sending a
sequence of consecutive packets, constituting an attack, to the destination [39]. The
intrusion is considered detected if the attack packets pass through any of the nodes that
constitute the intrusion detection system.
We use a randomly selected set of 5 nodes out of the 30 nodes, experimented with the
system of [10], and consider a sequence of five consecutive packets as constituting the
attack signature. We determined the accuracy of detection in both the static and the
dynamic condition.
It is not clear in [10] how an attack that requires more than one-hop information gets
detected, but in IDAODV multihop information is considered, which overcomes this
limitation of the RIDAN system.

We have produced the percentage of detection of attacks using the RIDAN system [10] for
both the static and the dynamic node case, which was not present in the original work. The
relative performance of IDAODV and the RIDAN system is given below.

For the Static Case

Consider that there is only one node in the intrusion detection system. This node is
randomly selected to be one of the 30 nodes. We consider a system in which the nodes
that constitute the intrusion detection system (IDS) are chosen randomly.

Figure 4.6: Percentage of Detection

We show the results for systems with 30 nodes in Figure 4.6. We see that the
performance of IDAODV is better than that of the RIDAN system [10]. IDAODV also
provides multimode intrusion detection for the static condition.
80

For the Dynamic Case

In the dynamic case, we consider a network using AODV. We assume that the intruder is
moving at a speed of 15 m/s. We keep the criterion used to determine the nodes that make
up the IDS: it is the same criterion as in the static case. The only difference is that now
the intruder is assumed to be mobile. We show the results for such a case in Figure 4.7.
Here IDAODV also provides multimode intrusion detection for the dynamic condition.

Figure 4.7: Percentage of Detection

                            Number of Nodes
                            20      40      60      80
Static node case
    RIDAN (Stamouli)        52      80      94      98.5
    IDAODV                  54      84      96      99.3
Dynamic node case
    RIDAN (Stamouli)        52      80.5    94      99
    IDAODV                  57.5    85.1    95      99.8

Table 4.1: Comparison between RIDAN and IDAODV for % of Detection

The above table gives a comparison of the percentage of detection between the RIDAN
system and the proposed method. For all values of the number of nodes, the detection rate
of the proposed method is higher than that of the RIDAN system, whereas the complexity
of IDAODV is almost the same as that of the RIDAN system.

4.5 Chapter Summary

In this chapter, we discussed how the loop freedom property can be reduced to an invariant
on pairs of nodes. Each node decides and transmits its decision to the control center.
We have compared the results obtained from IDAODV with the RIDAN system. We also
discussed robustness to threats and robustness to resource depletion and concluded that the
loss of performance (in the form of a ratio) is least for distributed operation and highest for
the centralized one. The robustness of the above methods was also discussed for IDAODV.

5 Discussions and Conclusions


5.1 Discussions
Stamouli et al. [10] have proposed an architecture for Real-time Intrusion Detection for Ad
Hoc Networks (RIDAN). The detection process relies on a state-based misuse detection
system. In this case, every node needs to run the IDS agent. There is no mention of a
distributed architecture to detect attacks that require more than one-hop information.
We show that our work has improved on many fronts. Our method has been shown to
detect local as well as distributed attacks.
In their work, Stamouli et al conclude that AODV performs well at all mobility rates and
movement speeds. Our conclusions are the same; however, we argue that their definition of
mobility (pause time) does not truly represent the dynamic topology of MANETs. Our
mobility factor is based on actual relative movement pattern. The only node speeds that
Stamouli et al have shown are 5 meters/ second and 20 meters/ second which, in our
opinion, do not cover the complete range. Our mobility factor has a speed range from 0
meters/ second (static scenario) up to 20 meters/ second, and we show how our protocol
behaves in the complete range.
According to the analysis that we performed, the most serious attacks are carried out by
insiders who carry out their attacks via an attached terminal, not via the network.
Consequently, network-based IDSs will fail to detect the most damaging attacks. Moreover,
the most pervasive network-based IDSs are signature-based and are only able to detect
known attacks.
We presented new techniques that advance the field of intrusion detection in several areas.
We have designed novel mechanisms to detect and mitigate aberrant behaviors encountered
in Mobile Ad Hoc Networks (MANETs). Since MANETs are comprised of
resource-constrained devices, we designed our intrusion detection mechanisms as protocols
that monitor network state rather than system state. We also experimented with reactive
protocols for MANETs, extending prior research to work with all mobile Ad Hoc routing
protocols, not just AODV.
We use a randomly selected set of 5 nodes out of the 30 nodes, experimented with the
system of [10], and consider a sequence of five consecutive packets as constituting the
attack signature. We determined the accuracy of detection in both the static and the
dynamic condition. It is not clear in the RIDAN system how an attack that requires more
than one-hop information gets detected, but in IDAODV multihop information is
considered, which overcomes this limitation of the RIDAN system. We have produced the
percentage of detection of attacks using the RIDAN system [10] for both the static and the
dynamic node case, which was not present in the original work. We have also given the
relative performance of IDAODV and the RIDAN system.
Our experiments and simulations have demonstrated that our protocol is functionally
feasible given limited resources.


5.2 Conclusions
An Intrusion Detection System aiming at securing the AODV protocol has been developed
using a specification-based technique. It is based on previous work done by Stamouli et al.
[10]. The IDS performance in detecting misuse of the AODV protocol has been discussed.
In all the cases, the attack was detected as a violation of one of the AODV protocol
specifications. From the results obtained, it can be concluded that our IDS can effectively
detect the Sequence Number Attack, Packet Dropping Attack and Resource Depletion
Attack with incremental deployment. The method has been shown to have low overheads
and a high detection rate.
Our Intrusion Detection and Response Protocol for MANETs has been demonstrated to
perform better than the one proposed by Stamouli et al. in terms of false positives and
percentage of packets delivered. Since Stamouli et al. do not report true positives, i.e. the
detection rate, we could not compare our results against their method on that parameter.
The implementation of the IDAODV protocol has shown its feasibility to work in real-life
scenarios; IDAODV performs real-time detection of attacks in MANETs running the AODV
routing protocol. The prototype has also given some insight into the problems that arise
when trying to run real applications on an Ad Hoc network.
Simulation results validate the ability of our protocol to successfully detect both local and
distributed attacks against the AODV routing protocol, with a low number of false
positives. The algorithm also imposes a very small overhead on the nodes, which is an
important factor for resource-constrained nodes.


5.3 Further Studies

The work can be extended to study the robustness of Wireless Ad Hoc Networks for
all types of protocols.

A study can be conducted on the relationship between the average detection delay
and the mobility of the nodes.

More types of attacks, including group attacks, can be studied and their relations to
the vulnerability of the protocols can be ascertained.

A complete system can be designed to implement intruder identification.

A complete approach can be developed that considers more parameters, such as the
available queue length and the delay on a path, during route determination.

In order to avoid traffic fluctuation, randomness can be introduced into route
determination.

A fast response mechanism (local repair) can be developed for proactive protocols
to reduce packet drops due to route changes.


Bibliography
[1] L. Zhou and Z. J. Haas. Securing Ad Hoc Networks. IEEE Network 13(6), 1999, pp. 24-30.
[2] www.itrainonline.org/.../04_en_mmtk_wireless_basic-infrastructure-topology_slides.pdf
[3] R. K. Nichols and P. C. Lekkas. Wireless Security: Models, Threats, and Solutions. McGraw-Hill, 2002. ISBN 0-07-138038-8.
[4] Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks. In Eighth ACM International Conference on Mobile Computing and Networking (MobiCom 2002), September 2002.
[5] F. Stajano and R. Anderson. The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. In Security Protocols, 7th International Workshop Proceedings (1999), B. Christianson, B. Crispo, and M. Roe, Eds., Lecture Notes in Computer Science, Springer-Verlag, Berlin Heidelberg.
[6] C. Siva Ram Murthy and B. S. Manoj. Ad Hoc Wireless Networks: Architectures and Protocols. Prentice Hall PTR, New Jersey, USA, May 2004.
[7] http://compnetworking.about.com/cs/wireless80211/a/aa80211standard.htm
[8] http://users.tkk.fi/~msarela/texts/cs/military/node11.html
[9] http://library.uws.edu.au/adt-NUWS/uploads/approved/adt-NUWS20060125.131604/public/12Chapter11.pdf
[10] I. Stamouli. Real-time Intrusion Detection for Ad Hoc Networks. Master's thesis, University of Dublin, September 2003.
[11] http://www.gcn.com/online/vol1_no1/23053-1.html
[12] C. E. Perkins and P. Bhagwat. DSDV Routing over a Multihop Wireless Network of Mobile Computers. In Perkins [20], 2001, ch. 3, pp. 53-74.
[13] D. B. Johnson, D. A. Maltz, and J. Broch. DSR: The Dynamic Source Routing Protocol for Multihop Wireless Ad Hoc Networks. In Perkins [20], 2001, ch. 5, pp. 139-172.
[14] V. Park and S. Corson. Temporally-Ordered Routing Algorithm (TORA) Version 1. Internet Draft, draft-ietf-manet-tora-spec-03.txt, work in progress, June 2001. A Link Reversal Routing (LRR) algorithm.
[15] C. E. Perkins. Ad Hoc On Demand Distance Vector (AODV) Routing. Internet Draft, draft-ietf-manet-aodv-01.txt, August 1998. Work in progress.
[16] D. E. Denning. An Intrusion Detection Model. IEEE Transactions on Software Engineering, vol. 13, no. 2, February 1987.
[17] D. Anderson, T. Frivold, and A. Valdes. Next-Generation Intrusion Detection Expert System (NIDES): A Summary. Technical Report, Computer Science Laboratory, SRI International, 1995.
[18] S. Marti, T. J. Giuli, K. Lai, and M. Baker. Mitigating Routing Misbehavior in Mobile Ad Hoc Networks. In Proceedings of MobiCom, pp. 255-265, 2000.
[19] S. Bhargava and D. P. Agrawal. Security Enhancements in AODV Protocol for Wireless Ad Hoc Networks. In IEEE Semi-annual Vehicular Technology Conference (VTC 2001), 2001.
[20] Y. Zhang, W. Lee, and Y.-A. Huang. Intrusion Detection for Wireless Ad Hoc Networks. Mobile Networks and Applications, ACM, 2002.
[21] C.-Y. Tseng et al. A Specification-based Intrusion Detection System for AODV. In Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN 2003), Fairfax, VA, 2003.
[22] Y.-C. Hu, D. B. Johnson, and A. Perrig. SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks. In Fourth IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 2002), June 2002.
[23] P. Papadimitratos and Z. J. Haas. Secure Routing for Mobile Ad Hoc Networks. In Proceedings of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), pp. 27-31, January 2002.
[24] S. Corson and J. Macker. Mobile Ad Hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations. Internet Draft, draft-ietf-manet-issues-01.txt, March 1998. Work in progress.
[25] National Institute of Standards and Technology. Definition of finite state machines. http://www.nist.gov/dads/HTML/finiteStateMachine.html, 2003.
[26] K. Ilgun, R. A. Kemmerer, and P. A. Porras. State Transition Analysis: A Rule-Based Intrusion Detection Approach. IEEE Transactions on Software Engineering, 21(3):181-199, 1995.
[27] C. Ko, M. Ruschitzka, and K. Levitt. Execution Monitoring of Security-Critical Programs in Distributed Systems: A Specification-based Approach. In Proceedings of the 1997 IEEE Symposium on Security and Privacy, May 1997, pp. 134-144.
[28] D. Dreef et al. Utilizing the Uncertainty of Intrusion Detection to Strengthen Security for Ad Hoc Networks. In Third International Conference, ADHOC-NOW 2004, Vancouver, Canada, July 22-24, 2004, pp. 82-95.
[29] R. Rao and G. Kesidis. Detection of Malicious Packet Dropping Using Statistically Regular Traffic Patterns in Multihop Wireless Networks That Are Not Bandwidth Limited. Brazilian Journal of Telecommunications, 2003.
[30] M. Jiang, J. Li, and Y. C. Tay. Cluster Based Routing Protocol (CBRP). Internet Draft, IETF.
[31] http://www.isi.edu/nsnam/ns/
[32] P. Ning and K. Sun. How to Misuse AODV: A Case Study of Insider Attacks against Mobile Ad Hoc Routing Protocols. In Proceedings of the 4th Annual IEEE Information Assurance Workshop, pp. 60-67, West Point, June 2003.
[33] www.computingunplugged.com/issues/issue200508/00001598001.html
[34] www.cs.cmu.se/education/examina/Rapporter/ClaesGahlin.pdf
[35] www.baam.boun.edu.tr/news&events/seminar%20ppt/Evren_NETLAB_2006.ppt
[36] www.snort.org/docs/IDS_criteria.pdf
[37] www.etd.unipi.it/theses/available/etd-05182005122420/unrestricted/LVMM.pdf
[38] www.di.unipi.it/maggiolo/lucidi_MSV/Modelcheckig.pdf
[39] www.cs.columbia.edu/opensig2003/papers/opensig2003anjum.ps


Appendix A Terminology
This appendix contains some terminology that is related to ad-hoc networks.
A.1 General terms
Bandwidth: Total capacity of a link to carry information (typically in bits).
Channel: The physical medium is divided into logical channels, allowing possibly shared
use of the medium. Channels may be made available by subdividing the medium into
distinct time slots, distinct spectral bands, or decorrelated coding sequences.
Convergence: The process of approaching a state of equilibrium in which all nodes in the
network agree on a consistent state about the topology of the network.
Flooding: The process of delivering data or control messages to every node within the
data network.
Host: Any node that is not a router.
Interface: A node's attachment to a link.
Link: A communication facility or medium over which nodes can communicate at the link
layer.
Loop free: A path taken by a packet never transits the same intermediate node twice before
arrival at the destination.
MAC-layer address: An address (sometimes called the link address) associated with the
link interface of a node on a physical link.
Next hop: A neighbor which has been designated to forward packets along the way to a
particular destination.
Neighbor: A node that is within transmitter range of another node on the same channel.
Node: A device that implements IP.
Node ID: Unique identifier that identifies a particular node.
Router: A node that forwards IP packets not explicitly addressed to itself. In the case of
ad-hoc networks, all nodes are at least unicast routers.
Routing table: The table where the routing protocols keep routing information for various
destinations. This information can include the next hop and the number of hops to the
destination.
Scalability: A protocol is scalable if it is applicable to large as well as small populations.
Source route: A route from the source to the destination made available by the source.
Throughput: The amount of data from a source to a destination processed by the protocol
for which throughput is to be measured, for instance IP, TCP, or the MAC protocol.


A.2 Ad Hoc related terms

Ad-hoc: For this special or temporary purpose, or a special case without generic
support.
AODV: Ad Hoc On-demand Distance Vector Routing protocol for wireless ad-hoc
networks.
Asymmetric: A link with transmission characteristics that are different for the transmitter
and the receiver. For instance, the range of one transmitter may be much higher than the
range of another transmitter on the same medium. The transmission between the two hosts
will therefore not work equally well in both directions. See also symmetric.
Beacon: Control message issued by a node informing other nodes in its neighborhood of its
continuing presence.
Bi-directional: See symmetric.
CBRP: Cluster Based Routing Protocol. Routing protocol for wireless ad-hoc networks.
Cluster: A group of nodes typically in range of each other, where one of the nodes is
elected as the cluster head. The cluster head ID identifies the cluster. Each node in the
network knows its corresponding cluster head(s) and therefore knows which cluster(s) it
belongs to.
DSDV: Dynamic Sequenced Distance Vector. Routing protocol for wireless Ad Hoc
networks.
DSR: Dynamic Source Routing. Routing protocol for wireless Ad Hoc networks.
Reactive: Calculates a route only upon receiving a specific request. See also proactive.
RREQ: Route Request. A message used by AODV for the purpose of discovering new
routes to a destination node.
RREP: Route Reply. A message used by AODV to reply to route requests.
Symmetric: Transmission between two hosts works equally well in both directions. See
also asymmetric.
TORA: Temporally Ordered Routing Algorithm. Routing protocol for wireless ad-hoc
networks.
Unidirectional: See asymmetric.


Appendix B AODV implementation for NS-2

This appendix contains some more details about the implementation of AODV that we did
for NS-2.
B.1 Message formats
AODV has four different messages that it uses for route discovery and route maintenance.
All messages are sent using UDP.
B.1.1 Route Request RREQ
Type: Type of message.
Reserved: Reserved for future use. Currently sent as 0 and ignored on reception.
Hop count: Number of hops from the source IP address to the node handling the
request.
Broadcast IP address: IP address of the destination for which a route is required.
Destination sequence number: The last sequence number received in the past by the
source for any route towards the destination.
Source IP address: IP address of the node that originated the request.
Source sequence number: Current sequence number for route information generated
by the source of the route request.
B.1.2 Route Reply RREP

Type: Type of message.
L: If the L-bit is set the message is a hello message and contains a list of the node's
neighbors.
Reserved: Reserved for future use. Currently sent as 0 and ignored on reception.
Hop count: Number of hops from the source IP address to the destination IP address.
Destination IP address: IP address of the destination for which a route is supplied.
Destination sequence number: The destination sequence number associated with the
route.
Lifetime: Time for which nodes receiving the reply consider the route to be valid.
B.1.3 Hello
Hello messages are a special case of route reply messages. The difference is that a hello
message always supplies the route to the sender itself. This means that the hop count field
is set to 0, the destination address is set to the node's IP address and the destination
sequence number is set to the node's latest sequence number.
B.1.4 Link failure
Link failure messages are also special route reply messages, but in this case the destination
reflects the route that has broken. The broken route is assigned an infinite hop count and a
sequence number that is increased by one.


B.2 Design
AODV
The TCL scripts that start the AODV routing agent and create all mobile nodes that use
AODV as their routing protocol.
AODV_Agent
Implements all AODV-specific parts. Handles RREQ, RREP, Hello and Triggered RREP.
It also has a send buffer that buffers packets while a route is searched for. The timers that
handle timeouts on route entries and on the send buffer are also implemented here.
Hdr_AODV
Defines the message format for all messages that AODV uses.
Request Buffer
Implements the request buffer that prevents a node from processing the same RREQ
multiple times.
AODV_RTable
The routing table that AODV uses. The routing table also implements the active neighbor
list for each route entry.
AODV Constants

All AODV constants are defined here, which makes it easy to modify, for instance, the
hello interval.
B.3 Important routines
B.3.1 Sending RREQ
A RREQ is only sent by source nodes (no intermediate node sends RREQs), and only if
no route to the destination exists.
IF (no route exists)
    check request buffer for requests already sent for destination
    IF (no request sent already)
        create a RREQ packet
        add (dest addr, broadcast ID) to request buffer
        locally broadcast RREQ
        set timer for RREP_WAIT_TIME before rebroadcasting RREQ
        increment broadcast ID
    ELSE
        buffer packet from stream or discard, according to need
    ENDIF
ENDIF
B.3.2 Receiving RREQ
When a node receives a RREQ, it must first of all decide whether it has already processed
the RREQ. The RREQ is discarded if it has been processed. Otherwise the source address
and the broadcast ID from the RREQ are buffered to prevent it from being processed again.
IF ((source addr, broadcast ID) in request buffer)
    discard request, already heard and processed
ELSE
    add (source addr, broadcast ID) to request buffer
ENDIF
The next step is to create or update the route entry for the source in the routing table.
This reverse route is used by the RREP when a route is found.
IF (no route to source)
    create a route entry for source addr
ELSE IF (source seqno in RREQ > source seqno in route entry)
    update route entry for source addr
ELSE IF ((source seqno in RREQ = source seqno in route entry) AND
         (hop count in RREQ < hop count in route entry))
    update route entry for source addr
ENDIF
Then the node must check whether it knows the route to the wanted destination. If the node
knows the route, it will unicast a RREP to the source. Otherwise it will forward the RREQ.
IF (you are destination of RREQ)
    create a RREP packet
    unicast RREP to source of request
ELSE IF ((have route to destination) AND
         (destination seqno in route entry >= destination seqno in RREQ))
    create a RREP packet
    unicast RREP to source of request
ELSE
    forward RREQ
ENDIF
B.3.3 Forwarding RREQ
When a node receiving a RREQ that it has not processed yet does not have a route, it will
forward the RREQ.

1. create a RREQ packet
2. copy all fields from received RREQ into new packet
3. increment hop count field
4. locally broadcast new RREQ packet
5. discard received RREQ

B.3.4 Forwarding RREP

When a node receives a RREP that is not addressed to the node, it will set up the forward
route by updating the table and forward the RREP back to the requesting source. This part
is however not explicitly specified in the AODV draft.
IF (route to requested destination does not exist)
    create a route entry for requested destination
ELSE IF (destination seqno in RREP > destination seqno in route entry)
    update route entry for requested destination
ELSE IF ((destination seqno in RREP = destination seqno in route entry) AND
         (hop count in RREP < hop count in entry))
    update route entry for requested destination
ENDIF
IF (route to requesting source exists)
    forward RREP to requesting source
ENDIF
B.3.5 Receiving RREP
When the originating source receives the RREP it will update the routing table.
IF (route to destination does not exist)
    create a route entry for destination
ELSE IF (destination seqno in RREP > destination seqno in route entry)
    update route entry for destination
ELSE IF ((destination seqno in RREP = destination seqno in route entry) AND
         (hop count in RREP < hop count in entry))
    update route entry for destination
ELSE
    discard RREP
ENDIF
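The five routines B.3.1 to B.3.5 together make up one route discovery. The following is an added example, not the thesis's NS-2 implementation, that models them in memory so the freshness rule (a higher destination sequence number always wins, an equal one only with a smaller hop count) and the duplicate-RREQ suppression can be exercised end to end. The names Node, RouteEntry, RREQ, RREP, handle_rreq, handle_rrep and discover_line_topology, and the hop-count convention that the receiver stores the carried hop count plus one, are assumptions made for this illustration.

```python
# Added example, not the thesis's NS-2 code: an in-memory model of the AODV
# RREQ/RREP handling of B.3.1-B.3.5. All names and conventions here are
# assumptions made for this illustration.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class RouteEntry:
    dest: str
    seqno: int      # freshest destination sequence number known for dest
    hops: int       # hop count to dest
    next_hop: str   # neighbor that packets for dest are handed to


@dataclass
class RREQ:
    src: str
    src_seqno: int
    bcast_id: int
    dest: str
    dest_seqno: int  # last sequence number the source saw for dest (0 = none)
    hops: int = 0    # hops from src to the node handling the request


@dataclass
class RREP:
    dest: str
    dest_seqno: int
    hops: int        # hops from the replying node to dest
    requester: str   # originator of the RREQ this reply answers


@dataclass
class Node:
    addr: str
    seqno: int = 0
    rtable: Dict[str, RouteEntry] = field(default_factory=dict)
    heard: Set[Tuple[str, int]] = field(default_factory=set)   # (src, bcast_id) already processed
    outstanding: Dict[str, int] = field(default_factory=dict)  # dest -> bcast_id of own RREQs
    bcast_id: int = 0

    def _update_route(self, dest: str, seqno: int, hops: int, via: str) -> bool:
        """Freshness rule of B.3.2, B.3.4 and B.3.5: a higher sequence number
        always replaces the entry, an equal one only if it has fewer hops."""
        cur = self.rtable.get(dest)
        if cur is None or seqno > cur.seqno or (seqno == cur.seqno and hops < cur.hops):
            self.rtable[dest] = RouteEntry(dest, seqno, hops, via)
            return True
        return False

    def originate_rreq(self, dest: str) -> Optional[RREQ]:
        """B.3.1: broadcast a RREQ only without a route and without an outstanding request."""
        if dest in self.rtable or dest in self.outstanding:
            return None
        self.bcast_id += 1
        self.outstanding[dest] = self.bcast_id
        return RREQ(self.addr, self.seqno, self.bcast_id, dest, 0)

    def handle_rreq(self, rreq: RREQ, from_neighbor: str):
        """B.3.2/B.3.3. Returns ("discard", None), ("reply", RREP) or ("forward", RREQ)."""
        key = (rreq.src, rreq.bcast_id)
        if key in self.heard:
            return "discard", None
        self.heard.add(key)
        # reverse route to the originator: one hop more than the request carried
        self._update_route(rreq.src, rreq.src_seqno, rreq.hops + 1, from_neighbor)
        if rreq.dest == self.addr:
            return "reply", RREP(self.addr, self.seqno, 0, rreq.src)
        known = self.rtable.get(rreq.dest)
        if known is not None and known.seqno >= rreq.dest_seqno:
            return "reply", RREP(rreq.dest, known.seqno, known.hops, rreq.src)
        return "forward", RREQ(rreq.src, rreq.src_seqno, rreq.bcast_id,
                               rreq.dest, rreq.dest_seqno, rreq.hops + 1)

    def handle_rrep(self, rrep: RREP, from_neighbor: str):
        """B.3.4/B.3.5. Returns ("accept", None), ("discard", None),
        ("forward", (RREP, next_hop)) or ("drop", None) if no reverse route exists."""
        fresh = self._update_route(rrep.dest, rrep.dest_seqno, rrep.hops + 1, from_neighbor)
        if rrep.requester == self.addr:
            if fresh:
                self.outstanding.pop(rrep.dest, None)
                return "accept", None
            return "discard", None
        reverse = self.rtable.get(rrep.requester)
        if reverse is None:
            return "drop", None
        return "forward", (RREP(rrep.dest, rrep.dest_seqno, rrep.hops + 1, rrep.requester),
                           reverse.next_hop)


def discover_line_topology() -> RouteEntry:
    """Run one discovery over the line A - B - C and return A's route to C."""
    a, b, c = Node("A", seqno=5), Node("B"), Node("C", seqno=9)
    req = a.originate_rreq("C")
    _, fwd = b.handle_rreq(req, "A")             # B has no route to C: forward
    _, rep = c.handle_rreq(fwd, "B")             # C is the destination: reply
    _, (fwd_rep, _nh) = b.handle_rrep(rep, "C")  # B installs C and relays toward A
    a.handle_rrep(fwd_rep, "B")
    return a.rtable["C"]


if __name__ == "__main__":
    print(discover_line_topology())
```

The same freshness rule is what the sequence number attack of the thesis abuses: a reply carrying a larger destination sequence number displaces a correct entry, which is why the model keeps the comparison in one place, where a monitor can observe it.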
B.3.6 Hello handling

Each node periodically broadcasts a hello message to all neighbors. When a node receives a
hello message it knows that the sending node is a neighbor and will update the routing
table.
IF (route entry for HELLO source exists)
    update route entry
    IF (destination seqno in HELLO > destination seqno in route entry)
        update destination seqno in route entry
    ENDIF
ELSE
    create route entry for HELLO source
ENDIF
B.3.7 Forwarding packets
AODV uses an active neighbor list to keep track of which neighbors are using a
particular route. These lists are used when sending triggered route replies. The neighbor
lists are updated every time a packet is forwarded.
IF (route entry to destination exists)
    IF (neighbor who forwarded packet to you is not in active neighbor list for route)
        add neighbor to active neighbor list for route entry
    ENDIF
ENDIF
B.3.8 Sending Triggered RREP
Link breakages are detected either by the link layer, which notifies the routing agent, or by
using hello messages. If a node has not received hello messages from a node for a certain
amount of time it will assume that the link is down. Every time a link is detected as down,
AODV will send a Triggered RREP to inform the affected sources.
FOR (each address in the active neighbor list for a route entry)
    create a link failure notice packet
    unicast to active neighbor
ENDFOR
B.3.9 Receiving Triggered RREP
Every time a triggered RREP is received informing about a broken link, the affected route
entry must be deleted and neighbors using this entry must be informed.
IF (have active neighbors for broken route)
    send Triggered RREP
ENDIF
delete route entry for broken route


Appendix C (Pseudo code of the Sequence Number detection algorithm)

Seq_no_detection(station_state, current_frame)
{
    if (station_state.in_verification)
    {
        verify_possible_seq_no(station_state, current_frame);
        return;
    }
    gap = 0xfff & (current_frame.sn - station_state.last_sn);
    if (gap >= 1 && gap <= 2)          // normal sequence number change
    {
        station_state.last_sn = current_frame.sn;
        return;
    }
    if (gap == 0 || gap >= 0xffd)      // same or slightly older sequence number
    {
        if (current_frame.sn exists in our buffer)
        {
            if (the content of current_frame is the same as the buffered frame)
                normal, return;
            else
                seq_no, raise alarm, return;
        }
        else                           // current_frame.sn is not in our buffer
        {
            if (station_state.last_frame_type is beacon or probe response &&
                current_frame.type is data)
                valid management frame went out of order before data frames, return;
            else
                seq_no, raise alarm, return;
        }
    }
    if (gap >= 3 && gap < 0xffd)       // abnormal sequence number change
    {
        station_state.current_sn = current_frame.sn;
        send ARP probing;
        station_state.in_verification = TRUE;
        return;
    }
}

verify_possible_seq_no(station_state, next_frame)
{
    gap_of_next_frame = 0xfff & (next_frame.sn - station_state.last_sn);
    gap_of_current_frame = 0xfff & (station_state.current_sn - station_state.last_sn);
    if (gap_of_next_frame >= gap_of_current_frame)
    {
        if ((gap_of_next_frame == gap_of_current_frame) &&
            content of current_frame and next_frame is different)
        {
            seq_no, raise alarm; goto exit;
        }
        // next frame is bigger than the current one, normal
        if (verification timer expires)
        {
            goto exit;
        }
    }
    else                               // next frame is smaller than current frame
    {
        seq_no, raise alarm; goto exit;
    }
exit:
    station_state.last_sn = next_frame.sn;
    station_state.in_verification = FALSE;
}

When a frame is received and its source station is not in the verification state, there are
three cases for the value of the inter-frame sequence number gap. If gap ∈ [4093, 4095] or
gap = 0, the current frame is treated as a retransmitted frame. If gap ∈ [1, 2], the current
frame is a normal frame. If gap ∈ [3, 4092], whether the current frame is spoofed depends
on the result of verification. When an STA is in the verification state, there are two cases
for the next SN: either it lies between the last SN and the current SN, or it lies outside
this range.
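The three gap classes and the verification step above can be run directly. The following is an added example, not the thesis's own code, that implements the Appendix C logic with 12-bit modular arithmetic so the wrap-around at 4095 and each decision branch can be checked on constructed frames. The Frame and StationState types, the small buffer of recent frames used to recognise retransmissions, and the function names are assumptions made for this illustration; the ARP probe that the pseudocode sends on entering verification is out of scope here, so a pending verification is resolved by the next frame alone.

```python
# Added example, not the thesis's own code: a runnable version of the Appendix C
# sequence-number detection logic. Types, buffer size and names are assumptions
# for this illustration; the ARP probe of the pseudocode is not modelled.
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import Dict, Tuple

SN_MASK = 0xFFF   # 802.11 sequence numbers are 12 bits wide (0..4095)
BUFFER_LEN = 8    # recent frames kept so retransmissions can be recognised


@dataclass
class Frame:
    sn: int
    ftype: str    # "data", "beacon", "probe_response", ...
    body: bytes


@dataclass
class StationState:
    last_sn: int
    last_frame_type: str = "data"
    recent: Dict[int, bytes] = field(default_factory=OrderedDict)  # sn -> body
    in_verification: bool = False
    current_sn: int = 0
    current_body: bytes = b""


def gap(sn: int, last_sn: int) -> int:
    """Inter-frame sequence number gap modulo 4096."""
    return (sn - last_sn) & SN_MASK


def _accept(st: StationState, f: Frame) -> None:
    """Record f as the station's latest frame."""
    st.last_sn = f.sn
    st.last_frame_type = f.ftype
    st.recent[f.sn] = f.body
    while len(st.recent) > BUFFER_LEN:
        st.recent.popitem(last=False)


def seq_no_detection(st: StationState, f: Frame) -> Tuple[str, str]:
    """Classify one frame. Returns (verdict, reason); verdict is one of
    "normal", "retransmit", "verify" (decision deferred) or "alarm"."""
    if st.in_verification:
        return verify_possible_seq_no(st, f)
    g = gap(f.sn, st.last_sn)
    if 1 <= g <= 2:                          # normal sequence number change
        _accept(st, f)
        return "normal", "sequence number advanced by %d" % g
    if g == 0 or g >= 0xFFD:                 # same or slightly older number
        if f.sn in st.recent:
            if st.recent[f.sn] == f.body:
                return "retransmit", "duplicate of a buffered frame"
            return "alarm", "buffered sequence number reused with different content"
        if st.last_frame_type in ("beacon", "probe_response") and f.ftype == "data":
            return "normal", "management frame legitimately went out ahead of data"
        return "alarm", "backward sequence number matching no buffered frame"
    # 3 <= g <= 0xFFC: abnormal jump, decide once the next frame is seen
    st.current_sn, st.current_body, st.in_verification = f.sn, f.body, True
    return "verify", "gap of %d, verification started" % g


def verify_possible_seq_no(st: StationState, nxt: Frame) -> Tuple[str, str]:
    """Resolve a pending verification using the frame that follows the jump."""
    g_next = gap(nxt.sn, st.last_sn)
    g_cur = gap(st.current_sn, st.last_sn)
    if g_next >= g_cur:
        if g_next == g_cur and nxt.body != st.current_body:
            verdict = ("alarm", "two different frames carry the jumped sequence number")
        else:
            verdict = ("normal", "later frame continues beyond the jump, jump accepted")
    else:
        verdict = ("alarm", "next frame falls between the last and the jumped sequence number")
    # the pseudocode's exit label: leave verification either way
    st.in_verification = False
    _accept(st, nxt)
    return verdict


if __name__ == "__main__":
    st = StationState(last_sn=100)
    for fr in (Frame(101, "data", b"a"), Frame(101, "data", b"a"),
               Frame(300, "data", b"b"), Frame(102, "data", b"c")):
        print(fr.sn, seq_no_detection(st, fr))
```

The last two frames in the main block show the case the verification step exists for: a jump to 300 is held, and when the station's genuine traffic then continues at 102 the held frame is flagged, because the next sequence number fell inside the gap.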
