Warmhole Attack and Its Prevention
Warmhole Attack and Its Prevention
Warmhole Attack and Its Prevention
Abstract
As an increasing number of people are going wireless, reducing the vulnerability of
wireless networks is becoming a top priority. Wireless networks are susceptible to many
attacks, including an attack known as the wormhole attack. The wormhole attack is very
powerful and preventing the attack has proven to be very difficult. A strategic placement
of the wormhole can result in a significant breakdown in communication across a
wireless network.
B. Problem Definition
Ad-hoc or spontaneous wireless networks are threatened by a powerful attack known as
the wormhole attack. A wormhole attack can be set up with relative ease, but preventing
one is difficult. To set up a wormhole attack, an attacker places two or more transceivers
at different locations on a wireless network as shown in Figure 1.6
Figure 1: Set-up of a wormhole. Node A can reach node C within a shorter time with the help
of a wormhole.
This establishes a wormhole or tunnel through which data can transfer faster than it could
on the original network. After setting up a wormhole, an attacker can disrupt routing to
direct packets through the wormhole using a technique known as selective forwarding
depicted in Figure 2. A strategic placement of the wormhole can result in a significant
breakdown in communication across a wireless network as shown in Figure 3 [4: 3].
Figure 2: Selective Forwarding. Lower right portion of network relies on wormhole link to
route information. Disconnecting wormhole link results in breakdown of the network.
B. Packet Leashes
Hu, Perrig and Johnson developed protocols with packet leashes have been
proven to be reliable wormhole attack detectors [6: 4]. Packet leashes place restrictions
on a packet’s maximum allowed transmission distance in a network [6: 4]. Two types of
packet leashes discussed in this article are temporal and geographical leashes. Temporal
leashes require tightly synchronized clocks on all nodes [6: 4]. Protocols based on
temporal leashes ensure that packets transmitted across the network have an upper bound
on its lifetime, which restricts the maximum distance of travel [6: 4]. Packets on a
network remain valid for a certain time interval before they are rejected. However,
setting up wormhole attacks under temporal leashes is difficult because packets must be
sent through the wormhole within the restricted time period.
A geographical leash is the second type of leash discussed. Protocols based on
geographical leashes differ slightly from temporal leashes in that each node must know
its location and have loosely synchronized clocks [6: 4]. Using location and time, nodes
can determine whether the packet is coming from a valid node or a wormhole. This
protocol allows more flexibility in the synchronization time among nodes than temporal
leashes [6: 5]. This type of packet leash also incorporates some of the same ideas used in
localization schemes of using location to prevent wormhole attacks.
A more refined temporal leash protocol known as the TESLA with Instant Key
disclosure (TIK) is discussed by Hu, Perrig and Johnson. TIK uses a hash tree to hold
symmetric keys to authenticate nodes [6: 6-7]. Receiving nodes will be able to determine
a packet’s validity based on the time interval and the corresponding key of the sender
node [6: 9]. TIK packets are structured so that the receiver node verifies the time interval
14
and message authentication codes (HMAC) before the key arrives. If the time interval is
valid, then the node verifies the key [6: 9]. Completing both tests would verify the sender
was not a wormhole. The TIK temporal leash protocol effectively detects a majority of
wormholes. An attacker must know the right time intervals and keys pairs so that nodes
in the wireless network will accept the wormhole’s packet. A disadvantage of this
protocol is its strict requirements in timing. Each node must be synchronized at exactly
the same time and errors in time difference must not be larger than a few microseconds or
even hundreds of nanoseconds [6: 4].
C. Conclusion
Protocols based on localization schemes and packet leashes can prevent wormhole
attacks. However, each protocol has different costs in achieving this goal. As mentioned
before, temporal leashes require strict time synchronization among all nodes. As a result,
this project focuses more on localization schemes and geographical leashes because it
does not require tight time synchronization. However, the trade-off is that localization
schemes and geographical leashes tend to use additional equipment
This mode of the wormhole attack is easy to launch since the two ends of the wormhole do not
need to have any cryptographic information, nor do they need any special capabilities, such as a
high speed wireline link or a high power source. A simple way of countering this mode of attack
is a by-product of the secure routing protocol ARAN [17], which chooses the fastest route reply
rather than the one which claims the shortest number of hops. This was not a stated goal of
ARAN, whose motivation was that a longer, less congested route is better than a shorter and
congested route.
4 LITEWORP
In this section, we describe the method for wormhole detection in LITEWORP followed by the
method for isolation of the malicious nodes. This is described in the context of static networks,
while an extension to mobile wireless networks is briefly described in Section 7.
Local Monitoring: A collaborative detection strategy for wormholes is used, where a node
monitors the traffic going in and out of its neighbors. For a node, say a, to be able to watch a node
say, b, two conditions are required: (i) each packet forwarder must explicitly announce the
immediate source of the packet it is forwarding, i.e., the node from which it receives the packet,
and (ii) a must be a neighbor of both b and the previous hop from b, say d. If the second condition
is satisfied, we call a the guard node for the link from d to b. This implies that α is the guard node
for all its outgoing links. For example, in Figure 3, nodes M, N, and X are the guard nodes of the
link from X to A. Information from each packet sent from X to A is saved in a watch buffer at each
guard. The information includes the packet identification and type, the packet source, the packet
destination, the packet’s immediate sender (X), and the packet’s immediate receiver (A). The
guards expect that A will forward the packet towards the ultimate destination, unless A is itself the
destination. Each entry in the watch buffer is time stamped
11 with a time threshold,t, by which A must forward the packet. Each packet forwarded by A with
X as a previous hop is checked for the corresponding information in the watch buffer.