Wireless Pers Commun (2017) 97:2939–2950

DOI 10.1007/s11277-017-4643-z

Wormhole Attack Detection Technique in Mobile Ad Hoc

Networks

Parvinder Kaur1 • Dalveer Kaur2 • Rajiv Mahajan3

Published online: 6 July 2017

 Springer Science+Business Media, LLC 2017

Abstract A wormhole attack is harmful attack against routing protocols in ad hoc network
where node attracts packets from one location and retransmits them to other location using
long range link within the network. A wormhole attack can be easily launched between two
attacker nodes without compromising the mobile nodes. Most of routing protocols don’t
have any defending technique against wormhole activities; so in the presence of attacker
nodes malicious activities may occur and disrupt network communication by tamper the
data or forward the message to unknown location of the network to disrupt it functionality.
Several routing protocols have been proposed to defend against wormhole attack in mobile
ad hoc networks by adapting synchronization clocks, GPS or any special hardware. In this
research article, we proposed a novel wormhole detection technique which identifies the
wormhole link by calculating the maximum end to end delay between two nodes within the
communication range. Mobile nodes do not need to be equipped with GPS, clock syn-
chronized or any other type of special hardware. The simulation results prove that proposed
scheme detects wormhole attack.

Keywords Mobile ad hoc networks (Manets)  AODV  Wormhole attack  Metrics 

Network simulator  Friis equation  DelPHI

& Parvinder Kaur

Jassi33@gmail.com
Dalveer Kaur
dn_dogra@rediffmail.com
Rajiv Mahajan
rajivmahajan08@gmail.com
1
Department of Research, Innovation and Consultancy, Punjab Technical University,
Jalandhar-Kapurthala Highway, Punjab, India
2
Punjab Technical University, PIT University Campus, Jalandhar-Kapurthala Highway, Punjab,
India
3
Department of Computer Science and Engineering, Golden College of Engineering and
Technology, Gurdaspur, Punjab, India

123
2940 P. Kaur et al.

1 Introduction

In wireless networks, mobile nodes are dynamic, self motivated, multi-hop, self-maintained,
self configured and infrastructure-less type of nature. Each node is free to move anywhere at
any time and link to any other device independently. Each mobile node performs a role of host
as well as a router to maintain routing information. Mobile nodes not only cooperate with one
another to forward data but also form a network. Abolhasan et al. [1] described that with the
emergence of wireless networks from last few decades’ mobility power has enhanced rapidly.
According to Corson et al. [2], by removal of different types of attacks we enhance the
robustness and efficiency of each mobile node in mobile ad hoc networks. Manets have
numerous features; but dynamic topology, limited bandwidth and energy resources are
limited [1, 3]. Due to dynamic nature of mobile nodes, they are susceptible to different types
of attacks like wormhole, blackhole, sinkhole, DOS, DDOS, spoofing etc. To cope up with
different types of attacks, security of mobile nodes has considerably gained much more
interest. In Manets, there are several types of attacks which affect the security of routing
protocols by destroy the integrity, availability, reliability and confidentiality. However, a
wormhole is most sophisticated attack, where the shortest path is formed between the two end
points using long range wireless tunnel [4]. The packets are transferred from one attacker to
another attacker through this long range tunnel. A Wormhole attack can be easily launched
without the need of physical information of network.
In this paper, we presented secure wormhole detection scheme which detects the wormhole
link in AODV and build a secure route. The proposed scheme helps source node to identify the
wormhole link within the network. By observing the total time taken (hop to hop) using different
paths wormhole link can be detected. The proposed scheme is able to detect the wormhole
without underlying assumptions and does not require any hardware, position information or
clock synchronization. The main work carry out in this paper are summarized as below:
• We proposed a wormhole detection scheme which help source node to determine the
wormhole link in the network.
• We accomplished effectiveness and efficiency of our proposed scheme based on the
simulation results.
The paper is organized as follow: Sect. 2, discusses the wormhole and its types. Section 3,
presents a brief overview of related works. Section 4, discusses the proposed wormhole
detection mechanism. Performance evaluation and results analysis are presented in Sect. 5.
A conclusion and future work is drawn in Sect. 6.

2 Wormhole Attack and Its Types

Wormhole is a trivial type of attack which uses a pair of colluding nodes to transfer a packet
from one location to another location using high speed private link [4]. The first attacker node is
placed within the network which transfer the packet to the next attacker node located on the
other location. This long range tunnel is called wormhole link. These attacker nodes acting as
neighbor nodes to other nodes but in reality they are several hops away from each other [5, 6]. In
the presence of wormhole attack, hop count value decreases; but delay increases. Wormhole
attack exploits networks communication by performing DOS attack or overburden the network
communication with flooding of packets. In wormhole attack, attacker nodes don’t modify
packets contents, so cryptography methods can’t detect and prevent wormhole attack. The
wormhole can be launched within the network in three ways which is represented in Fig. 1 [5].

123
Wormhole Attack Detection Technique in Mobile Ad Hoc Networks 2941

Fig. 1 Categorization of wormhole attack

2.1 Hidden/Closed Wormhole

The malicious nodes don’t modify the packet content and packet header [5, 6]. The malicious
node at one area simply transfers the packet at other area in the network using long range tunnel.
The malicious nodes pretend as they are neighbors of legitimate nodes [6]. Malicious nodes
hide their identities in the created path. As shown in Fig. 1a {S, A, B, D} represents legal nodes
and {M1 and M2} represent malicious nodes. S directly tunnels the packet to D by considering
M1 and M2 direct neighbors. M1 and M2 not include their identities in the packet header.

2.2 Half Open Wormhole

The attacker node modifies the packet contents only at one side. Attacker node at other
point does not change the packet content during the route discovery process [5]. As shown
in Fig. 1b S directly transfer the packet to M1 because M1 acting as a neighbor of S. Then
M1 directly tunnel the packet to D by hiding its details in the packet header. Only one node
is visible in half open wormhole attack.

2.3 Exposed/Open Mode Wormhole

Malicious nodes don’t modify the packet contents and mark their presence in the packet
header by including themselves [5]. Malicious nodes are part of the created path and
transfer data with legitimate nodes. Nodes are aware about presence of malicious nodes in
the created path but unable to detect there exact location in the network [5, 6]. Figure 1c
illustrates the malicious nodes M1 and M2 are visible to S and D.

3 Related Work

Extensive researches have been done by the researchers on the detection and prevention
schemes of wormhole attack. The detail studies of these countermeasure helps in under-
stand the problem and its proposed solution.

123
2942 P. Kaur et al.

Chiu et al. [6], introduced DelPHI which uses multipath approach to calculate mean
delay of all available routes. Source node observes delay/hop count values received from
every disjoint path. The routes under wormhole represent high delay than normal path.
DelPHI doesn’t require clock synchronization. The main limitation of this scheme is
unable to find exact location and it doesn’t work well, if all the paths are under the
wormhole attack. Hu et al. [7], examined packet leash method against the wormhole by
appending information about location or time in the packet to restrict transmission area.
Packet leash is of two types—geographical and temporal leash. In the geographical leash,
packet requires location information and loose clock synchronization. In the temporal
leash, nodes are restricted with tight clock synchronization. The main drawback of
geographical lease can’t work well with GPS technology. Temporal leash required tight
clock synchronization and not appropriate for sensor networks. Capkun et al. [8], pre-
sented sector wormhole detection scheme allows nodes to mark their presence with other
nodes. Round trip time (RTT) per hop is used for detection of wormhole attack. When
request reaches the node; it sends back the verification message to previous node. It
doesn’t require clock synchronization. Such a scheme required exact location informa-
tion. Song et al. [9], proposed a statistical analysis method that study the affect of
wormhole on multipath routing. SAM uses statistical analysis tool to observe the drastic
changes in routes due to wormhole attack. SAM works well on multipath routing and
mobility of nodes is low. Wang et al. [10], proposed a noble scheme MDS-VOW (Multi-
Dimensional Scaling-Visualization of Wormhole) to notice the wormhole by visualizing
deterioration caused from fake connections. It requires distance message between each
pair, so that inaccurate distance can be measured. The main drawback of this scheme is
to detect wormhole under real environments more complex scenarios are required. Chen
et al. [11], described DV-Hop localization mechanism that uses label to provide secure
location accuracy. The nodes are mark by different labels to violate different commu-
nication properties. Pseudo neighbors are identified and communication between them is
forbidden. The scheme can’t work well where packet loss and radii of the nodes are not
identical. Lazos et al. [12], introduced SeRLoc referred as secure localization
scheme equipped with directional antennas to discover the location of malicious nodes
based on the sector uniqueness property and communication range violation property.
The secure location can be search locate after searching the attackers position. It doesn’t
work well if anchor nodes are compromised and unable to differentiate between complex
and simplex wormhole attack. Madria et al. [13], proposed SeRWA that uses symmetric
key cryptography mechanism for creating the secure routes. It doesn’t require any special
hardware or clock synchronized. The key factor of SeRWA is it provides secure routing
against the wormhole attack after detecting its presence. SeRWA is only appropriate for
the sensor networks.
In all countermeasures against wormhole attack, every scheme has its own weakness
and strengths. Applicability of any wormhole detection scheme depends upon type of
network and its configuration. After evaluating the various countermeasures against
wormhole detection techniques; we have depicted some drawbacks like multipath, RTT,
directional antenna, special hardware, tight clock synchronization, exact location of the
nodes etc. The main aim of this paper is to detect wormhole attack without using additional
resources like directional antenna, GPS or clock synchronization. In proposed scheme, the
threshold value is calculated on the basis of total communication time between source node
to its neighbors’ node. Then hop by hop delay is compared with the threshold value. Any
link contains more delay than threshold marked as a wormhole link.

123
Wormhole Attack Detection Technique in Mobile Ad Hoc Networks 2943

4 Proposed Wormhole Detection Mechanism

4.1 The System Model and Assumptions

We consider Manets which consists of mobile nodes and attackers. All nodes are homoge-
nous, symmetric and dynamic in nature. We assume that communication channels uses
bidirectional mode; it means node A accept message from B then B can also accept message
from A. To establish communication between two nodes normal wireless transmission range
is used. We assume that two wormhole nodes are connected with each other using high speed
link known as out-of-band channel. This long range tunnel is called wormhole link and two
end points used are known as wormhole nodes. Our consideration is to detect wormhole link
with larger delay. The proposed work is based on the details of following assumptions:
1. All the nodes are communicating in the same environment and are having the same
communication range.
2. The source node cannot be used as a wormhole. It can never cause wormhole attack in
the network.
3. While calculating maximum end to end delay; we are considering processing time of
the packet, queue delay and packet loss as negligible.

4.2 Phase I: Transmission Range

Friis equation is used to mark the presence of wormhole attack in the transmission range.
Friis equation can be simplified; but factors like polarization, impedance, placement of
antenna, reflection from building make this equation more typical and complex. The ideal
condition where these factors cannot effect is satellite communication, where atmospheric
factors are negligible [14, 15]. When the source node broadcast a packet, it won’t be able to
communicate beyond a certain range. The formula to calculate communication range for
distance ‘d’ is as follow in (Eq. 1):
 
Pr     k 2  
¼ Gt ht; /t Gr hr; /r 1  jCt j2 1  jCr j2 jVt: Vr j2 caR ð1Þ
Pt 4pR
whereas Gt and Gr are the gains of transmitting and receiving antennas. (ht; /t ) and (hr; /r )
direction of transmitting and receiving antenna. Ct and CR reflection coefficients gains of
transmitting and receiving antennas. Vt and Vr are polarization vectors. a is absorption
coefficient of medium. R is distance between receiving and transmitting antenna.

4.3 Phase II: Attack Detection

In this section, we described our proposed wormhole detection technique in detail. Attempt is
to detect suspected link which is part of a wormhole. Then try to assure these links are not
used for data transfer in future. We described our wormhole detection technique in AODV
routing protocols. The source node would undergo a process to discover route for destination,
so it broadcast packet to all of its neighbors. Now, whenever any malicious node is intended
to steal the data from the network, it would behave as an intermediate node and would falsely
pretend to have a path to destination. Same happens in wormhole attack where the route is
falsified by increasing the communication range and shortening hop counts of route by
creating the tunnel. Figure 2, shows an example of proposed wormhole detection technique.

123
2944 P. Kaur et al.

Fig. 2 Wormhole Detection Technique. Trreq = Time taken for route request to reach one hop neighbor,
Trrep = Time taken for reply packet to reach source, Rd = Communication range, D = Distance from
source to neighbor, N = One hop neighbor

The step by step detail of our proposed scheme as follow:

1. The source node will send the route request to the nodes in its communication
range. These will be referred as one hop nodes.
2. The source node can never cause the wormhole attack in the network, taking this
forward time difference will be calculated.
3. After receiving the RREQ, the one hop nodes will inform the source node about
the time when the packet was received. After having the knowledge of the packet
received time, the source node can know about the complete time taken to
communicate with one hop node.
4. The source node will calculate the threshold for the maximum delay which can
occur between the two nodes.
5. A source node can have more than one neighbor nodes. The source node will
compute the time difference (time when it sent the RREQ packet and time when
the node received it). Say the maximum time difference value obtained is T.
6. Now threshold formula will be (Eq. 2):
Trreq þ Trrep þ 2  ðT  ððRd=DÞ  1ÞÞÞ ð2Þ
whereas, Trreq is the time taken by the packet to reach the node during route request
phase. Trrep is the time taken by the packet to reach the source node when its
neighbors reply back. Rd = Node’s communication range. T = End to End delay
between source and its one hop neighbor. D = Distance between the source and
the neighbor for which T is calculated.
qffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi
D ¼ ðX1  X2Þ2 þðY1  Y2Þ2

(whereas, X1, Y1 are coordinators of source. X2, Y2 are coordinators of neighbor

nodes.)
7. Trreq ? Trrep will total communication time between the nodes. And additional
factor is added to account for the remaining distance w.r.t. the communication
range.
8. This will give us the maximum value of delay which can occur between the two
nodes while forwarding the RREQ message towards the destination node and
sending RREP message back to the source node. By assuming the path loss

123
Wormhole Attack Detection Technique in Mobile Ad Hoc Networks 2945

negligible and then any node should not take time more than this value to
communicate.
9. The source node will store the threshold value.
10. The one hop nodes and the subsequent intermediate nodes will forward route
request packet towards the destination along with the time at which request was
received by them from the predecessor nodes.
11. When the RREQ packet will reach the destination node, the destination node will
start the route reply phase.
12. The nodes which occur in the path from source to destination must send the time at
which reply message was received by them.
13. The source node upon receiving the reply messages from various paths will
compare the timings of every hop with the threshold value.
14. If the time difference between two nodes is greater than the threshold value, then
the wormhole link will be detected by the source node.
15. The source node will not select the path having the wormhole links and will send
data to the destination node via other path.

5 Performance Evaluation and Result Analysis

In this section, we conducted the simulation to measure the effectiveness of proposed

scheme with following network configuration setup using network simulator (NS2): 50
mobile nodes with in the area of 1000 m 9 1000 m [11]. The transmission range for the
normal nodes is 250 m with random way point mobility model. Simulation time is 50 s.
The pause time is 0.1 m/s. The minimum speed is 0 m/s and maximum speed is 10 m/s.
The packet size is 256 bytes. We position the malicious nodes randomly within the net-
work to perform the wormhole attack. The results are summarized as follow in Table 1
[16].
Table 1 Simulation parameters
Protocols AODV, DSR, ZRP

Channel Wireless
Simulation area 1000 9 1000
Number of nodes 50
Simulation time 50 s
Range for normal network 250 m
Range for wormhole network 500 m
Mobility model Random way point
Queue Drop tail
Queue length 500
Packet size 256 bytes
Maximum speed 10 m/s
Pause time 0.1 m/s
Antenna Omni direction
Propagation Two ray ground
Version 802.11
Frequency 914 MHz

123
2946 P. Kaur et al.

5.1 Result Analysis

The performance of our proposed technique is compared with the AODV (including
wormhole) and DelPHI by using five metrics like throughput, packet delivery ratio, packet
loss, jitter and end to end delay. After simulation, generated graphs represent the com-
parison between AODV (including wormhole), DelPHI and Proposed scheme. We inclu-
ded AODV in our graphs, so we can easily conclude that how wormhole effect its
performance in terms of network metrics. From above Figs. 3, 4, 5, 6 and 7, we can

Fig. 3 Throughput ratio of 9000

AODV, DelPHI and proposed
method 8000

7000
Throughput(Kbps)

6000

5000

4000

3000

2000

1000

0
AODV DelPHI Proposed
(including Method
Wormhole)

Fig. 4 Packet delivery ratio of 100000

AODV, DelPHI and proposed
method 90000

80000
Packet Delivery Ratio(%)

70000

60000

50000

40000

30000

20000

10000

0
AODV DelPHI Proposed
(including Method
Wormhole)

123
Wormhole Attack Detection Technique in Mobile Ad Hoc Networks 2947

Fig. 5 Packet loss ratio of 60000

AODV, DelPHI and proposed
method
50000

40000

Packet Loss(%)
30000

20000

10000

0
AODV DelPHI Proposed
(including Method
Wormhole)

Fig. 6 End to end delay of 80.0000

AODV, DelPHI and proposed
method 70.0000
End to End Delay (Sec)

60.0000

50.0000

40.0000

30.0000

20.0000

10.0000

0.0000
AODV DelPHI Proposed
(including Method
Wormhole)

observe the results of AODV are improved by implementing DelPHI in terms of above
defined parameters. But our proposed scheme shows much better results for AODV than
DelPHI.

123
2948 P. Kaur et al.

Fig. 7 Jitter of AODV, DelPHI 300.0000

and proposed method
250.0000

200.0000

Jitter (Sec)
150.0000

100.0000

50.0000

0.0000
AODV(including DelPHI Proposed Method
Wormhole)

6 Conclusion and Future Work

In this paper, we have presented the wormhole attack and investigated various wormhole
detection schemes. Most of the detection schemes are based on the strong assumption like
clock synchronization, special hardware, location information etc. We proposed a secure
wormhole detection scheme for mobile ad hoc network. The proposed scheme uses
threshold values to identify the wormhole link without the need of any special hardware,
time synchronization etc. In our scheme, first of all paths are totally independent. Data
collection process is one time because we are calculating maximum distance with respect
to communication range. This will give us the maximum value of delay which can occur
between the two nodes while forwarding the message towards the destination node and
while sending message back to the source node.
In future work, proposed scheme can be implemented to detect and prevent rushing
attacks. Initially proposed scheme is implemented with AODV only but it can be
extendable with other routing protocols also.

Acknowledgements The authors are thankful to the Department of RIC, I.K.G. Punjab Technical
University, Kapurthala, Punjab, India and providing me opportunity to carry out my research work.

Compliance with Ethical Standards

Conflict of interest The authors declare that there is no conflict of interest regarding the publication of this
paper.

References
1. Abolhasan, M., Wysocki, T., & Dutkiewicz, E. (2004). A review of routing protocols for mobile ad hoc
networks. Ad Hoc Networks, 2(1), 1–22.
2. Corson, S., & Macker, J. (1998). Mobile ad hoc networking (MANETSS): Routing protocol performance
issues and evaluation considerations (No. RFC 2501).
3. Naı̈t-Abdesselam, F., Bensaou, B., & Taleb, T. (2008). Detecting and avoiding wormhole attacks in
wireless ad hoc networks. IEEE Communications Magazine, 46(4), 127–133.
4. Khabbazian, M., Mercier, H., & Bhargava, V. K. (2009). Severity analysis and countermeasure for the
wormhole attack in wireless ad hoc networks. IEEE Transactions on Wireless Communications, 8(2), 736–745.
5. Wang, W., Bhargava, B., Lu, Y., & Wu, X. (2006). Defending against wormhole attacks in mobile ad
hoc networks. Wireless Communications and Mobile Computing, 6(4), 483–503.

123
Wormhole Attack Detection Technique in Mobile Ad Hoc Networks 2949

6. Chiu, H. S., & Lui, K. S. (2006) DelPHI: Wormhole detection mechanism for ad hoc wireless networks.
In 1st international symposium on wireless pervasive computing. IEEE.
7. Hu, Y. C., Perrig, A., & Johnson, D. B. (2003, April). Packet leashes: A defense against wormhole
attacks in wireless networks. In INFOCOM 2003. Twenty-second annual joint conference of the IEEE
computer and communications. IEEE Societies (Vol. 3, pp. 1976–1986). IEEE.
8. Čapkun, S., Levente B., & Hubaux, J.-P.(2003) SECTOR: Secure tracking of node encounters in multi-hop
wireless networks. In Proceedings of the 1st ACM workshop on security of ad hoc and sensor networks. ACM.
9. Song, N., Qian, L., & Li, X. (2005, April). Wormhole attacks detection in wireless ad hoc networks: A
statistical analysis approach. In 19th IEEE international parallel and distributed processing sympo-
sium (p. 8). IEEE.
10. Wang, W., & Bhargava, B. (2004, October). Visualization of wormholes in sensor networks. In Pro-
ceedings of the 3rd ACM workshop on wireless security (pp. 51–60). ACM.
11. Chen, H., Lou, W., Wang, Z., Wu, J., Wang, Z., & Xia, A. (2015). Securing DV-Hop localization
against wormhole attacks in wireless sensor networks. Pervasive and Mobile Computing, 16, 22–35.
12. Lazos, L., & Poovendran, R. (2005). SeRLoc: Robust localization for wireless sensor networks. ACM
Transactions on Sensor Networks (TOSN), 1(1), 73–100.
13. Madria, S., & Yin, J. (2009). SeRWA: A secure routing protocol against wormhole attacks in sensor
networks. Ad Hoc Networks, 7(6), 1051–1063.
14. Atmel. Range calculation for 300 MHz to 1000 MHz communication systems. http://www.Atmel.com/
Images/doc9144.pdf. February 16th, 2012.
15. https://en.wikipedia.org/wiki/Friis_transmission_equation.
16. Pirzada, A. A., & McDonald, C. (2006). Detecting and evading wormholes in mobile ad hoc wireless
networks. IJ Network Security, 3(2), 191–202.

Parvinder Kaur received the Master Degree in Computer Application

from Amritsar College of Engineering and Technology, Amritsar in
2010 and pursuing Ph.D. in Computer Application as Research Scholar
from Department of Research, Innovation and Consultancy, Punjab
Technical University, Jalandhar, Punjab, India. Areas of interests are
wireless networks, mobile computing. She has published five papers in
international journals and one conference paper in the area of mobile
ad hoc networks.

Dr. Dalveer Kaur received her Ph.D. in Electronic Engineering from

Guru Nanak Dev University, Amritsar, Punjab, India in 2010. She is an
Assistant Professor, Department of Electronics and Communication
Engineering, IKG PTU, Jalandhar-Kapurthala Highway, Punjab, India.
She has published no. of research papers in national national/interna-
tional conferences and journals.

123
2950 P. Kaur et al.

Dr. Rajiv Mahajan is currently working as Director–Principal Golden

College of Engineering and Technology, Gurdaspur, Punjab, India. His
area of specialization is data communication and network security. He
has worked as a professor and vice-principal in Global Institute of
Management and Technology, Amritsar, Punjab and as Director–
Principal in CT Institutes Shahpur, Jalandhar, Punjab. He has pub-
lished no. of research papers in national/international journals and
conferences. He is also associated with journals and conferences as an
editorial board member and reviewer.

123