Security Architecture for Wormhole Detection &
Prevention in IEEE 802.11 WLANs
Sandeep Kumar, Krishna Kant Agrawal
Department of Computer Science & Engineering,
Birla Institute of Technology, Mesra, Ranchi, India
sandeepkmr.cse@gmail.com, krishna.agrawal@sify.com
Abstract: Wormhole attacks can destabilize or disable wireless
networks. In a typical wormhole attack, the attacker receives
packets at one point in the network, forwards them through a
wired or wireless link with less latency than the network links,
and relays them to another point in the network. Initial research
focused that this attack is possible on Ad-hoc network only, but
in present scenario wormhole attack is possible on infrastructure
based wireless LANs also. In this paper we propose a Fusion
mapping based architecture for wormhole detection. The
proposed mechanism involves the shared information between
communicating Access Points to prevent Rouge Access Points
from camouflaged as false neighbors. The wormholes having
higher strength have a higher detection ratio as compared to
other method.
Keywords: Wormhole attack, Wireless Network, Access point (AP)
Rouge Access Point (RAP), RTT, RSS, Hop Count.
I. INTRODUCTION
With the growth of Information technology, and the way
of transmitting data from one corner of the world to another,
Wireless technology has brought many changes in the way of
communication. With the invention of Radio technology by
MARCONI a new era of radio communication started and as
time passed by, wireless technology has become an
indispensable part of our life. Today Wireless networks have
become a very important part of all the activities related to
Information Technology. Wireless networks are very useful
platforms for a number of applications. These networks are
very attractive and useful especially in those cases where it is
practically non- viable, infeasible or expensive to use really
significant networking infrastructure. In fact practically it very
difficult to attain such situations with cost efficiency.
The following reasons prevent wireless networks from
being free of the wormhole attack make them vulnerable to a
wide range of security attacks:-
a) The open nature of the wireless
communication channels.
b) The lack of infrastructure due to various
reasons locally prevailing,
c) The fast deployment practices,
d) The hostile environments where they may be
used to fulfill a particular task.
The result of these attacks could cause a number of
problems finally resulting in the failure of the whole
communication or project.
V.S.Shankar Sriram, G.Sahoo
Department of Information Technology,
Birla Institute of Technology, Mesra, Ranchi, India
sriram@bitmesra.ac.in, drgsahoo@yahoo.com
a) Eavesdropping.
b) Message tampering.
c) Identity changes or tampering.
There are many proposed ways of routing protocols which
have their special focus on energy saving, and thus these
protocols provide no protection against an adversary. There
are also some secure routing protocols which have been
proposed in the past. However, due to the unpredictability of
type, nature and location of wireless networks, it is practically
very hard to detect such behavior dissimilarities in the process
of route discovery. In fact talking specifically, proposed
routing protocols cannot prevent practically all the wormhole
attacks. Initially most of the proposed protocol to prevent
wormhole attacks which have been focused on Ad-hoc
network only, but in the present situation wormhole attack is
possible in Infrastructure mode also by using two rouge access
point and high quality, low latency link. A Rogue Access
Point can be defined as a Wi-Fi Access Point which is setup
by an attacker for the whole and sole purpose of hampering
and acquiring access to the particular wireless network traffic.
In wormhole attack for infrastructure network, an attacker
introduces two Rouge access point into a wireless network and
connects them with a high quality, low latency link. Routing
messages received by one wormhole endpoint are
retransmitted at the other endpoint. Attackers can exploit
wormholes to build misleading route information.
The rest of the paper is organized as follows: Section II
describes Worm-hole attacks, Section III focuses on the
related work, Section IV describes the proposed algorithm, in
Section V Experimental Assumptions are discussed, , in
Section VI detailed Simulation Results are shown and finally
Section VII Concludes the paper, followed by References in
section VIII.
II. WORMHOLE ATTACKS
Wormhole attack is caused by attacker who tunnels
packets at one point to another point in the network, and then
replays them into the network from that point. Wormhole can
attacks in Ad-hoc network as well as infrastructure network.
First let us see how a wormhole attack is done in ad hoc
networks. The wormhole attack can form a serious threat in
wireless networks, especially against many ad hoc network
routing protocols. Since the tunneled distances are longer than
the normal wireless transmission range for a single hop, the
source prefers the path that includes the attackers. A
successful attack may result in a disruption or breakdown of a
network. Figure 1 shows a typical wormhole attack. The
attacker replays the packets received by X to node Y, and vice
versa. If it would normally take several hops for a packet to
traverse from a location near X to a location near Y, packets
transmitted near X traveling through the wormhole will arrive
at Y before packets traveling through multiple hops in the
network. The attacker can make A and B believe they are
neighbors by forwarding routing messages, and then
Methodology for securing wireless LANs against Wormhole
attack selectively drop data messages to disrupt
communications between A and B.
Figure 1.Wormhole attack
In infrastructure network, a Rogue Access point captures
packets from one location to another at a distant point. The
tunnel can be established in many different ways. This makes
the tunneled packet arrive lesser number of hops as compared
to the packets transmitted over normal multi-hop routes. This
creates the illusion that the two end points of the tunnel are
very close to each other. The Figure 2, below shows a typical
scenario of a possible wormhole attack in the Infrastructure
WLANs.
Figure 2.Wormhole attack in Infrastructure mode WLANs
III. RELATED WORK
Many of research has been already give their idea how the
wormhole attack and how we can prevent wormhole attack
both in ad hoc and infrastructure network. Dahill [6],
Papadimitratos [7], and Hu [8], thwart wormhole attacks
suggest using secure modulation of bits over the wireless
channel that can be demodulated only by authorized nodes.
This only defends against outside attackers who do not possess
cryptographic keys.
A similar approach called RF watermarking [9] modulates
the radio waveform in a specific pattern and any change to the
pattern is used as the trigger for detection. This mechanism
will fail to prevent a wormhole if the waveform is accurately
captured at the receiving end of the wormhole and exactly
replicated at the transmitting end.
Hu et al. [8] give the concept of geographical and temporal
packet leashes for detecting wormholes. In geographic leashes,
node location information is used to bind the distance a packet
can traverse. Since wormhole attacks can affect localization,
the location information must be obtained via an out-of-band
mechanism such as GPS. Further, the “legal” distance a packet
can traverse is not always easy to determine. In temporal
leashes, extremely accurate globally synchronized clocks are
used to bind the propagation time of packets that could be hard
to obtain particularly in low-cost sensor hardware. Even when
available, such timing analysis may not be able to detect cut-
through or physical layer wormhole attack.
Capkun et al. [10] presented SECTOR; they show how to
detect wormhole attacks without requiring any clock
synchronization through the use of MAD (Mutual
Authentication with Distance- Bounding). The approach is
similar to packet leashes at a high level, but does not require
location information or clock synchronization. But it still
suffers from other limitations of the packet leashes technique.
Each node u estimates the distance to another node v by
sending it a one bit challenge, which node v responds to
instantaneously. Using the time of flight, node u detects if
node v is a neighbor or not. The approach uses special
hardware for the challenge request-response and accurate time
measurements.
Hu and Evans [11] used directional antennas [12, 13] to
prevent wormhole attacks. The authors develop a cooperative
protocol where nodes share directional information to prevent
wormhole endpoints from masquerading as false neighbors
that needs to be certified free from wormhole attack. However,
use of directional antennas limits use of such protocol and it
only partially mitigates the wormhole problem. Moreover, the
requirement of directional antennas on all nodes may be
infeasible for certain deployments. Till now there is no
concrete research which addresses the possibility of a
wormhole attack in Infrastructure WLANs. As a core we
would like to expose this fact that there is a possibility of a
wormhole attack in Infrastructure WLANs. This type of attack
uses a set of rouge access points and a base channel of low
latency to achieve this attack.
 IV. PROPOSED ALGORITHM A. Algorithm
For the purpose of explaining our methodology we take an 1. Broadcast a HELLO to all the neighbors
example of a WLAN as in Figure 3. To achieve a real
Wireless network we need to provide a wireless backhaul 2. Receive response and calculate RSS, RTT and Hop
between the access points. In our architecture we have one Count for each AP
access point connected to the corporate network (i.e) the wired
network using a wired backhaul, the access points that cover 3. Generate a FMi,n and store as FMs,n
the entire area are installed in such a way that they have a 4. Broadcast FMs,n to all neighbors and request for their
wireless backhaul and are wirelessly connected to the nearby
access points. FM’s
5. ∀ x: responses (x)
6. Update FM repository with FMs received from the
Neighbors
7. Initialize Watch buffer
8. Set Attack() = Null
9. If (Communication Request arrives from Any Access
Point, say APn)
If (FMs,n(Flag) = 1)
Calculate FMi,n
If (FMi,n <= FMs,n)
Allow communication
Figure 3.Sample architecture Else
In this security architecture, to identify and remove Discard communication
wormhole attacks in IEEE 802.11 WLANs a new concept of
Fusion Mapping is used which can identify the wormholes and Set Attack (FMs,n(Flag = 0))
remove them from the network. The proposed technique Broadcast Attack (FMs,n)
Fusion Mapping is a mapping between one Access Point and
another Access Point. This methodology uses mapping goto step 5
elements like Physical Address, RTT(Round Trip Time), Else
RSS(Receive Signal Strength), Hop Count and Flag. Physical
Address is used for communication between two Access Discard communication
Points (APs). RTT, RSS and Hop count are used for detection
goto step 9
of wormhole in the wireless network. The RTT between two
successive nodes and their node’s neighbor number is needed Else
to compare the values of other successive nodes. The
goto step 9
identification of wormhole attacks is based on the two
considerations. The first consideration is that the transmission V. EXPERIMENTAL ASSUMPTIONS
time between two affected nodes is considerable higher than
that between two normal neighbor nodes. The other In this section we discuss the implementation details of our
consideration is RSS comparison made between the stored proposed mechanism; we used OPNET modeler to develop a
signal information and the signal strength information simulation model for the detection and elimination of
received by the Access Point and is represented as RSSI wormhole in 802.11 WLAN. We have two network group i.e.
(Received Signal Strength Indication). The network is said to network A and network B. Network group A having access
be under attack, if the difference between the stored point AP1, AP2, AP3, AP4 and AP5. Network group B having
RSS/RTT/Hop Count is lesser than the information calculated access point AP_1, AP_2, AP_3, AP_4, AP_5 and AP_6. All
for each communication request. In this case a ‘Boolean Flag’ the access points are connected with each other. Initially there
is used to represent network under attack with flag value set as is no wormhole attack the network. We consider that the AP1
‘0’ otherwise flag value is set to default value i.e. ‘1’. is a source access point of the network A and AP_6 is a
destination access point of the network B.

Figure 4.Network without Wormhole attack
In Figure 4, AP2 sends packets with a constant length of 1024
bits at a constant rate of 1 packet per second. When those
packets arrive at AP3 the RSS, RTT and Hop Count is
calculated and checked with the stored Fusion Map. If the
difference between the stored value and the calculated value is
0 or positive then communication is safe but if the difference
comes out to be a negative value then there is an attempt to
attack the network. The red cross shows that the rouge access
points are not a part of the network but are attempting to be a
part of the network so that the wormhole attack can be
executed.
Network with Wormhole attack
Figure 5.Network with Wormhole attack
Again we use the same network but this time there are two
rogue access points attempting an attack on the network, let us
consider these access points to be RAP_0 and RAP_1, as
shown in figure 5. A packet is sent from access point AP5 of
network A destined for AP_1 of network B, which was
captured by RAP_0 and forwarded to RAP_1 before it reaches
AP_1. Now RAP_1 releases the captured packet directing it to
access point AP_1 in network B. As we know, in the case of
wormhole attack, the RTT value of captured packets is more
as compared to the normally transmitted packets between
access points also the RSS value decreases with increasing
distance. When the packet was captured and re-inserted at
AP_1 of network B, it resulted in increase of RTT value,
decrease in RSS value and unexpected hop count associated
with the packet. In simulated attack scenario, the stored Fusion
Map from access point AP5 at AP_1 is having RTT difference
value as 159, RSS difference value as 34 and hop count as 3
but on receiving the packet at access point AP_1 the
calculated RTT difference increased to 197, RSS difference
value reduced to 22 and the hop count value reached 6. On
simulation of the proposed algorithm it generated an error and
warning indicating the wormhole attack and the access point
AP_1 generated an alert message to all the neighboring access
points after discarding the communication with RAP_0 and
RAP_1.
VI. SIMULATION RESULTS
Simulation Software: OPNET Modeler 11.5
Operating System: Windows XP (Service Pack2)
Processor: Intel Core2 Duo 1.60 GHz
RAM: 1 GB
Table 1: Values of RTT, RSS, Hop Count for the access points
The Graphs [Figure 6] are plotted with respect of above Table
1. Graph show that high defection of RTT and RSS value and
hop count when wormhole attack in the network.

Figure 6.Deflection of RTT, RSS & Hop Count in a wormhole scenario
VII. CONCLUSION AND FUTURE WORK
Wormhole attacks are significant problems that need to be
addressed in wireless network security. Wormhole attacks are
powerful attacks that can be conducted without requiring any
cryptographic breaks. In this paper, we have presented a
classification for possible wormhole attack in Infrastructure
based wireless Architecture. We have proposed a model for
securing WLANs from wormhole using fusion mapping. It is
simple, cost effective and less network resource consuming.
Also this system architecture employs efficient mapping
between access point to access point for detection and
prevention of wormhole in WLANs. The proposed fusion
mapping algorithm proves efficient in terms of reduced
computational overhead when compared to that of existing
cryptographic mechanism. More over this architecture is
simple and easily implementable. In future we will try to
overcome some more sophisticated wormholes using Mobile
agents. Additionally, we are anticipating the inclusion of new
features for the framework that can further improve its
wireless network protection abilities.
VIII. REFERENCES
[1] V.S.Shankar Sriram, Ashish Pratap Singh, G.Sahoo
“Methodology for securing wireless LANs against Wormhole
attack”, International Journal of Recent Trends in Engineering,
Issue. 1, Vol. 1, May 2009
[2] Lingxuan Hu David Evans “Using Directional Antennas to
Prevent Wormhole Attacks”, Department of Computer
Science University of Virginia Charlottesville, VA [lingxuan,
evans]@cs.virginia.edu
[3] C. Karlof, D. Wagner, “Secure routing in sensor networks:
attacks and countermeasures”, First IEEE International
Workshop on Sensor Network Protocols and Applications,
2003.
[4] Y.C. Hu, A. Perrig, D.B. Johnson, “Packet leashes: a
defense against wormhole attacks in wireless networks”,
Proceedings of the 22nd INFOCOM, 2003, pp. 1976– 1986
[5] V.S.Shankar Sriram, K.K.Agrawal, G.Saho “Detecting and
Eliminating Rouge Access Points in IEEE-802.11 WLAN - A
Multi-Agent Sourcing Methodology” IEEE International
Advance Computing Conference (IACC’2010), Conference
Proceedings ISBN: 978-1-4244-4791-6, IEEE Catalog
Number: CFP1039F-CDR.
[6] B. Dahill, B. N. Levine, E. Royer, and C. Shields, “A
secure routing protocol for ad-hoc networks,” Electrical
Engineering and Computer Science, University of Michigan,
Tech. Rep. UM-CS-2001-037, August 2001.
[7] P. Papadimitratos and Z. Haas, “Secure routing for mobile
ad hoc networks,” in SCS Communication Networks and
Distributed Systems Modeling and Simulation Conference
(CNDS 2002), January 2002.
[8] Y. C. Hu, A. Perrig, and D.B. Johnson, “Packet leashes: a
defense against wormhole attacks in wireless networks,”
Proceedings of the 22nd Annual Joint Conference of the IEEE
Computer and Communications Societies (INFOCOM), pp.
1976-1986, 2003.
[9] Defense Advanc ed Research Projects Agency. Frequently
Asked Questions v4 for BAA 01-01, FCS Communications
Technology. Washington, DC. Available at
http://www.darpa.mil/ato/solicit/baa01_01faqv4.doc, October
2000.
[10] S. Capkun, L. Buttya´n, J.-P. Hubaux, “SECTOR: secure
tracking of node encounters in multihop wireless networks”,
Proceedings of the First ACM Workshop on Security of Ad
hoc and Sensor Networks (SASN 03), 2003, pp. 21–32.
[11] L. Hu, D. Evans, Using directional antennas to prevent
wormhole attacks, in: Proceedings of Network and Distributed
System Security Symposium, 2004.
[12] Y. Ko, V. Shankar kumar, N. Vaidya, “Medium access
control protocols using directional antennas in ad hoc
networks”, Proceedings of the 19th Annual JointConference of
the IEEE Computer and Communications Societies
(INFOCOM), 2000, pp. 13–21.
[13] R. Choudhury, X. Yang, R. Ramanathan, N. Vaidya,
“Using directional antennas for medium access control in ad
hoc networks”, 8th ACM International Conference on Mobile
Computing and Networking (MobiCOM), 2002