Ad-hoc On-Demand Distance

Vector Protocol and Black

Hole Attack Detection
 Mobile Ad-hoc Network
A Mobile ad-hoc network is a collection of

wireless nodes that can dynamically be set

up anywhere and anytime without having the
preexisting network infrastructure.

It is an autonomous system in which mobile

hosts connected by wireless links are free to

move randomly. Here the node sometime act
as host and also some time act as Router.

Very Useful in Household, Industry, Study

and Military purposes.

 Ad-hoc On-Demand Distance
Vector Protocol

AODV Routing protocol is one of the more commonly

used routing algorithm in ad-hoc networks, and this is
based on the principle of discovering routes on
requirement. Means AODV is both On-demand and
Table driven protocol.

AODV is a reactive algorithm that has some

capabilities as low processing, memory overhead, low
network utilization.

When a path needed then source node first check in

its routing table and if not found then it send Route
Request (RREQ).
 AODV Contd..
Source node broadcasts a
RREQ packet. RREQ packet
having fields.

Either intermediate node

having Fresh enough route to
the destination or destination
node itself will send Route
Reply (RREP) packet. RREP
packet having fields.

Node uni-casts RREP to its

neighbouring node from which it

has received the RREQ packet
Fig. 1: Route Discovery
 Attacks in Ad-hoc Network

Attacks can be classified into passive and

active attack.
Active attacks can be further divided into

external attacks and internal attacks.

Some of the Active attacks are :
Black Hole

Denial of Service

Routing table overflow

Impersonation

Energy Consumption

Information Disclosure
 Black Hole Attack in AODV
As shown in Fig. 1 any intermediate node having
fresh enough route to destination node can reply to
Route request(RREQ) sent by source node.
Hence taking advantage of this a malicious node send

a RREP packet to source node claiming that i am

having a route to destination node. But in reality that
malicious node is not having any route to destination
node. Means Malicious node send a RREP having
false information.
Source node after receiving this send the data

through this malicious node and this node drops the

data. Hence such nodes can crash the network.
Some times a chain of black nodes perform this

attack cooperatively, known as cooperative black hole

attack. Attacks are shown below.
 Black Hole Attack (Contd..)

Fig. 2: Black Hole attack Fig. 3: Cooperative black hole attack

Some time in AODV if in RREP the next hop information

is also asked than malicious node provide next malicious
node as next hop, so when confirmed with the next hop
then next malicious node replies that i am having route
to the destination node but actually they don't have any
information of routes to destination. This case is shown
in Fig. 3.
 Black Hole Attack Detection
Many solutions are proposed for black hole attack
detection or removal.
The approach that i am discussing is based on the

backbone network discussed by Rubin et. Al.

We maintain a backbone network which operates at a

level above the ad-hoc network. In this algorithm this

idea is used to monitor the traffic flow.
In this Algorithm nodes are divided in three parts:

1.Regular Node (RN): low power and low

transmission range, not trustworthy.
2.Back Bone Node (BN): Have high transmission
range and form a core that monitors the nodes
3. Backbone core node (BCN) : Similar power as
BN, these nodes can be elevated to BN nodes for
increasing connectivity and coverage of the network
Black-hole attack Detection(Contd..)
This algorithm is having mainly two parts.
1. Core Formation and maintenance
2. Detection of Black/malicious nodes.

1. Core Formation and maintenance: Core formation

progresses incrementally. During this BCN node
perform some tasks those are

(i)Detect RN in its neighbourhood, if found broadcast

invitation message.

(ii)On receiving Join request from RN, check if it is

reachable in specified number of hops, if yes add in
associated node list else in unassociated list.

(iii)if no other request go to next grid.

 Core Formation (Contd..)
(iv)If BCN detects any BN in its vicinity then this node
sends a coordination message to BN and waits for
reply.

(v)BCN on receiving reply to coordination message, it

executes action which is specified in the reply.

Action of a Regular node:

(i)Every Regular node first check if it is associated with
some BCN or BN, if yes then terminate its actions.

(ii)On receiving invitation message send a join request,

and after getting reply for its join request from BN or
BCN send accept to BN or BCN.
 Black Node Detection
The key idea is that source node, after every block of
data packets, asks the backbone network to perform
end-to-end check with the destination, whether the
packets have reached it. If destination did not receive a
block of data packets, then backbone network initiates
the detection of the chain of malicious nodes.

Let Suppose here :

S : Source node,
D: Destination node,
N1:Backbone node, to which S is associated
N2:Backbone node, to which D is associated
V : Regular Node
Nr: is the node which send RREP to S (For the RREQ
for S to D route)
Black Node Detection(Contd..)
Actions of S: (i) Divide the data into k equal parts let
say Data[1..k].
(ii)Send a prelude message to D with shared key k.
(iii)Sends the data to D and after that send a message
check having Nr, to N1.
(iv) if an ok is received from N1 the continue data
sending.
(v)if a not ok is received from N1 then sets a timer for
malicious removal. If before timeout receive the
removed ok from N1 then go to (ii), else terminate.

D on receiving prelude from D. Wait for data packet

and after receiving data send a postulate message to
N1 and S stating the number of packets received from
S.
 Black Node Detection
Action of N1: (i) On receiving prelude from S, sends
monitor message to all neighbours of S asking them to
monitor data sent by S.
(ii)on receiving check from S sends query to all
neighbours of S and waits for result message.
(iii) on receiving result message set the the its max
counter value. If it receive D malicious then repeat the
steps, and if not receive any message from D then
sends message to D and terminate.
In same way N2 also send monitor message to

neighbours of D to record the number of packets

received by D and then set its counter accordingly.
Regular node on receiving monitor check if S is its

neighbour then start counting the number of packets S

to D. And also on receiving query message send result
message to the source of query message.
Black Node Detection(Contd..)
Once the BN say N1 finds that ack message not
received until a predefined timeout. Then Black hole
removal process get initiated by N1. The actions of
different node are as follows:
Actions by N1: Broadcast find_chain message on the
backbone network. The message contains the id of
node Nr( node sending RREP to S).
Action of a BN Nb:(i) On receiving the find_chain
message, checks if node Nr belongs to its associated
list. If not, no further action.
(ii)Initialize a list (black_node_chain) to contain node
Nr.
(iii) Instruct all neighbours of Nr to vote for the next
node to which Nr is forwarding packets originating from
S and Destined to D.
(iv)On receiving node ids from the neighbours of Nr,
find the node to which Nr is sending the packet.
Black Node Detection(Contd..)
(v)if no node is getting packet from Nr in its
neighbourhood, means Nr is dropping all the packets.
Hence Nr is malicious node, black hole process
terminates, then this node is black listed and a
broadcast message is sent across the network to alert
all other nodes about the node as malicious.

(vi)Append the elected/found node to black_hole

chain. If that node is in association list of this Nb the go
to step (iii), replacing Nr with the elected node.

(vii)Broadcast a find)chain message over backbone

network containing id of the elected node as the
malicious node. Also Broadcast the Black_hole_chain
formed till now over the network so that other BN can
append malicious nodes to the list
Black Node Detection(Contd..)

Action of BCN/RN: Regular node or Backbone core

node on receiving instruction from a BN node to find
the next node to which malicious node Nr is forwarding
the packets, check if Nr is a neighbour of this node. If
yes, turn on promiscuous mode and listen packets from
node N, which has S as source node and D as
destination node. Infer the next node to which these
packets are going and send a message containing
node id to the BN.

In this way all the black nodes are detected and every
node is having list of such malicious nodes so if they
get any RREP from such malicious node then they just
drop it. And Hence can avoid the Attack.
 Conclusion

Here I have presented AODV details and

Detection of Black hole Attack.
Using this Algorithm the Simple black hole

attack, Cooperative black hole attack can be

removed, and also to some extent Gray hole
attack can also be removed.
This algorithm takes O(md) number of hops

to detect black nodes. Where m is the

number of malicious nodes and d is the
diameter of the network.
 References
1.RFC standard-3561, http://www.ietf.org/rfc/rfc3561.txt
2.Izhak Ruhin,Arash Behzad, Runlie Zhang, Iluiyu Luo,Eric Caballero : TBONE:
A Mobile-Backbone Protocol for Ad Hoc Wireless Networks.
3.H. Deng, W. Li, and D. P. Agrawal. Routing security in wireless ad hoc network.
IEEE Communications Magzine, pages 70 - 75, 2002.
4.S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, and K. Nygard.
Prevention of cooperative black hole attack in wireless ad hoc networks. In
Proceedings of 2003 International Conference on Wireless Networks (ICWN03),
pages 570575. Las Vegas, Nevada, USA, 2003.
5.P.Agarwal, R.K Ghosh, S.K Das, Cooperative Black and Gray Hole Attacks in
Mobile Ad Hoc Networks
6.I. Rubin, A. Behzad, R. Zhang, H. Luo, and E. Caballero. Tbone: A mobile
Backbone protocol for ad hoc wireless networks. In Proceedings of IEEE
Aerospace Conference, volume 6, pages 2727 2740, 2002.
7.Y. C. Hu, A. Perrig, and D. B. Johnson, Ariadne: A secure on-demand Routing
protocol for ad hoc networks, in Eighth Annual International Conference
on Mobile Computing and Networking (Mobi-Com 2002), pp. 12-23, Sept. 2002.