IEEE - 40222

A GENERIC REQUEST/REPLY BASED

ALGORITH FOR DETECTION OF
BLACKHOLE ATTACK IN MANET :
SIMULATION RESULT
Swapnil Bhagat1 Puja Padiya2 Nilesh Marathe3
1,2
Computer Department, R. A. I. T., Navi Mumbai, India
3
Information Technology Department, R. A. I. T, Navi Mumbai, India
1
swapnilbhagat21@gmail.com, 2puja.padiya@gmail.com, 3nilesh.marathe@rait.ac.in

Abstract— Mobile Ad Hoc Network (MANET) technology is destination. If it finds latest route, it replies RREP to source
emerging technology in recent year. Many researchers find future otherwise forward the RREQ. Routing protocol uses flood id or
of networking in it. MANET is simple and effective wireless sequence number to avoid processing of same RREQ packets
technology which depends on mutual trust for communication. again and again. If receiving node is a destination node, it will
Due to limited processing and energy power, developers used the reply RREP (Route Reply) to the source. After receiving RREP
lightweight protocol to build it. This made developers concentrate source node will update its routing table and start to send data
on basic functionality (like routing, route discovery) and less on
through this route. If any link breaks, RERR is broadcasted in
security aspects. One of its examples is mutual trust between
nodes. In MANET, nodes are interdependent for communication
network to inform about broken link to other nodes.
as well as data transmission which need mutual trust between Blackhole attack uses this behavior and replies to each
nodes. This mutual trust flaw is exploited by attackers to perform RREQ request packet mentioning that it has the shortest route
a different kind of attacks by injecting malicious node in the to a destination even though it does not have. After receiving a
network. One of these attacks is blackhole attack. In this study, reply, source node forward data to blackhole node which drops
the behavior of blackhole attack is discussed and have proposed a all data. In this paper, we have proposed light weight
lightweight solution for blackhole attack which uses existing blackhole detection technique which works in two stages.
functions. Simulation results of proposed system are discussed at
First, it discovers blackhole in network. If blackhole attack is
the end of the paper.
detected, the detection system will look for a malicious node
Keywords— MANET, Security, RREP packet, RERR packet, which is performing blackhole attack.
malicious node Rest of this paper is organized as follows. Related work is
discussed in Section II. Problem definition on which we have
I. INTRODUCTION worked is given in section III. Our proposed methods are
Mobile Ad Hoc Network (MANET) is one of the rising presented in Section IV. In Section V, simulation results are
topics in a wireless network. Most important and interesting discussed. At the end of this paper, we have concluded our
part of MANET is its lack of infrastructure property. As it does proposed system in section VI.
not need any fixed infrastructure for implementation, it can be
used for many applications like a military operation, II. RELATED WORKS
communication in emergency response system, mining Jian-Ming Chang et. al. [1] have proposed scheme in
operation etc. Though MANET provides almost same services which adjacent node is used as a destination address in RREQ
as an infrastructure-based wireless network, MANET exhibits to bait malicious nodes. This technique is DSR protocol based.
different characteristics than it like open network architecture, Modification in route in the packet can also disable this
shared wireless medium, limited resources (battery power, technique. [2] shows implementation of this bait detection
processing power, memory etc.), and frequently changing technique in AODV and its performance. Payyappilly et. al.
network topology. Some of these characteristics can be [3] have proposed a trust-based approach which calculates
misused by an adversary to perform an attack on a network or trust value for each neighboring node. But this trust value can
a particular node. Adversaries attacks on the network with be modified easily. For instance, colluding injected attack [4]
different intention like interrupt or stop particular service, read can decrease trust value of the legitimate node. If malicious
or modify data flowing through network etc. node succeeds to keep his trust value greater than zero, it will
In this paper, we are concentrating on routing protocol, escape from the detection system.
especially reactive routing protocol like AODV, DSR etc. Backbone techniques are used in [5] and [6]. Use of
Reactive or on demand routing protocols search for a route to backbone makes MANET same as a current wireless system
a destination when source want to dispatch data. First, source which will reduce its application area. MANET is developed
broadcasts RREQ (Route Request) in the network. Nodes considering that it is a wireless network without infrastructure.
receiving RREQ, search its routing table for a route to the A cluster-based technique which uses voting technique
 8th ICCCNT 2017
July 3 -5, 2017, IIT Delhi,
Delhi, India
 IEEE - 40222

proposed in [7]. If the number of malicious node in voting a) Many proposed detection techniques use
increased, the detection system may fail. Ramaswami et. al. additional functions which creates overhead for
[8] have proposed a technique which uses acknowledgment MANET and reduces its performance.
scheme to ensure that data has reached to intended destination.
b) Many proposed detection systems work with
But this system assumes that malicious node has no idea about
certain assumptions which make it somewhat
acknowledgment scheme.
unrealistic. It is not obligatory that all these
Markou Euripides et.al [9] proposed black hole detection assumptions should satisfy in general scenario all
system which uses mobile agents and pebbles for detection in the time.
torus network. This technique fails in collaborative attack.
There is one more issue that it only works with torus network. c) In detection system, one node detects malicious
Bo Sun et. al. [10] proposed a neighborhood-based method. nodes and a broadcast report to other nodes. An
Source ask neighboring nodes to nodes which are sending adversary can use this concept and can broadcast
RREP. If it is different then, it concludes that there is fake messages informing legitimate node as
blackhole. It detects attack but not malicious node. In [11], the malicious.
source buffers the RREP from different nodes and find the
safest route on basis of maximum common nodes in any route. IV. PROPOSED APPROACH
If multiple malicious nodes send RREP with more common We try to develop a new detection system which is more
nodes then the source can select malicious node route. In [12], efficient and effective. From the result, it is visible that we
they have proposed almost same techniques with little bit succeeded to great extent in our goal. Our proposed system
difference. Whereas [11] takes three responses, [12] takes as neither includes any additional device nor provide any
many responses as received before threshold time. privilege to some nodes, so it removes the possibility of any
William Kozma et. al. [13] proposed REAct (Resource- attack which uses compromised legitimate device having
Efficient Accountability) that selects each node in the path and privilege. Considering limited battery power and processing
audits it to produce behavioral proof. This system is useful for capability, we try to develop a detection system which will use
the single misbehaving node but cannot work in the least node’s resources. To accomplish this, we have used
collaborative attack [14]. Weichao Wang et.al. [15] made existing functions of routing protocol which reduce the code
modification in [13] and turn it into a collaborative attack and make it less complex. As we have discussed, we will
detection system. They have generated behavioral proof using perform this detection in two phases. In the first phase, we
a hash function instead of Bloom filter. will discover a blackhole attack and in the second phase, we
will execute detection system to detect malicious node which
Yu-Chee Tseng et. al. [16] proposed a system which uses is performing blackhole attack.
DNS server with the encryption key. Sanjay Ramaswamy et. al.
[17] proposed method in which each node maintains records A. Attack Detection Phase
about forwarded data of other node. From information
Attack detection phase discovers the existence of
provided from table system identify all nodes in the
collaborative attack. [18] is an implementation of [17] with a blackhole attack in network. This is done by requesting the
small modification. This system works well when there is less status of each node in the route from the source node to the
number of malicious nodes but fail when a number of destination node as depicted in Fig. 1.
malicious node increases.
Chang Wu Yu et. al. [19] proposed a good cooperative
technique which can detect black hole attack by overhearing
its neighboring nodes. But this technique increases overhead
and consumes the large resource. [20] proposed system adds
only one bit in RREP packet which does not increase the
overhead but it’s not robust solution. On other side [21]
proposed light weight and robust solution but periodic
transmission of RREQ packets increase traffic in network.
Existing solutions are either lightweight or robust and if
there is any solution which is lightweight and robust both, then Fig. 1. Attack Detection Phase
it increases overhead on network. So, we tried to make
solution which is lightweight, less complex, robust but do not While the packet is traveling through network each node
create overhead on network. will keep track of how many packets it has forwarded and its
source as well as destination. Source node will initiate the
attack detection process by sending request packet with
III. PROBLEM DEFINITION
destination node ID to each node in route for their packet
There are many issues with currently proposed approaches. forwarding status. In Fig. 1, consider node A is sending data to
Some of them are mentioned below: node D. After each predefined interval time, source node starts
the first phase in which it will ask each node in the route about
the number of packets forwarded. By scrutinizing their reply,

8th ICCCNT 2017

July 3 -5, 2017, IIT Delhi,
Delhi, India
 IEEE - 40222

the source node will identify the existence of blackhole attack a reply with zero packets forwarded, it marks that node as
and possible malicious node. If source node suspicious about suspicious and sends an alert message to other nodes. In this
the existence of blackhole attack, it will start malicious node case, A will send an alert message about C to all other nodes.
detection phase. After receiving the alert message, each node will check that
Flow chart for the attack detection technique is depicted in node C is in its vicinity or not. If it found node C in its
Fig. 2. vicinity, it will start malicious node detection system. These
nodes will create one RREQ packet with the fake destination
node and will send to C. Malicious node which is executing
blackhole attack replies to any RREQ. If node C send RREP
reply message for the fake node, that means it is a malicious
node and it is performing blackhole attack. Nodes B, D, F, G
which have to perform malicious node detection system, will
blacklist node C and will not respond to any RREQ or RREP
packet from node C further. It will also send RERR packet to a
source saying that route has broken. After receiving RERR
packet, the source node will find a new path to the destination.
No node will broadcast the detected malicious node and keep
this result up to it. In this way, we can prevent fake messages
that attacker can send.

Fig. 3. Detection of Malicious Node

Fig. 2. Flow Chart For Attack Discovery 2) Scenario 2:-

It is not necessary that malicious node will tell the truth
B. Malicious Node Detection Phase and send a reply with zero packets forwarded. A malicious
Malicious Node Detection Phase will confirm that node may send wrong information and try to escape from the
suspicious node which is found out in attack detection phase is detection system. Different replies that malicious node can
malicious or not. To accomplish this, the source node will send to source node are mentioned below.
inform other nodes about suspicious node. Nodes will search a. It has not received any packet from the previous
for a suspicious node in its neighborhood and if it finds it will node.
start malicious node detection system. Neighboring nodes will b. It has forwarded all packets to next node and next
send RREQ with fake destination. If suspicious node reply node may have dropped all packets.
RREP to the request, we can conclude it as malicious node.
In both cases, the malicious node is either previous node or
In Fig. 3, A is sending data to D. After a predefined time, it
the node which is the reply. So in scenario 2, we are not only
will start attack detection phase and ask a number of packets
marking the node which is replying zero packets forwarded
forwarded to each node in route (B, C, D). Consider C is
malicious node and it is executing blackhole attack. When A but also its previous node.
will ask about forwarded packets it will send two kinds of In Fig. 3, node C replied that it did not receive any packet
reply. Based on this reply we have created two scenarios. from node B. By scenario 2, the source will mark node C and
B both as malicious and will send alert to other nodes. On
receiving the alert message, they will check B and C in its
1) Scenario 1:- vicinity. If found, it will start malicious node detection system
In the First scenario, the malicious node will reply that it on both nodes. As B is a legitimate node, it will not send
has not forwarded any packet. When the source node receives RREP reply for fake node whereas C will send. From reply,

8th ICCCNT 2017

July 3 -5, 2017, IIT Delhi,
Delhi, India
 IEEE - 40222

node F, D, G, B will blacklist node C and will not respond to V. PERFORMANCE EVALUATION
any RREQ or RREP packet further. It will also send RERR
packet to a source saying that route has broken. After A. Simulation Parameters
receiving RERR packet, the source node will find a new path For simulation purpose, we have used QualNet 5.1
to the destination. All nodes will keep this result up to it, so simulation tool. Different parameters used in the simulation
fake messages can be prevented. are given below table I.

TABLE I. SIMULATION PARAMETERS

Parameter Value
Area (meter) 1500 X 1500
Number of Nodes 40
Number of Application 10
Data Traffic Transmitted by 100 packets
Each Application
Packet Size 512 Bytes
Number of Malicious Nodes 0% to 50%
Mobility Model Random Waypoint
Node’s Maximum Speed 10 mps
Node’s Minimum Speed 0 mps
Routing Protocol AODV
MAC Protocol 802.11
Radio Type 802.111b Radio
Data Rate 2Mbps
Antenna Model Omnidirectional

B. Performance Metrics
We have compared scenario 1, scenario 2 and Hybrid scenario
with normal AODV protocol. For comparison their
performance, we have used following performance metrics.

Packet Delivery Ratio :- It is defined as the ratio of the

number of packets received at the destination and the
number of packets sent by the source.
Average End- to -End Delay :- It is defined as the average
time taken for a packet to be transmitted from the source to
Fig. 4. Flow Chart For Malicious Node Detection the destination.
Packet Dropped By Malicious Node :- It is a sum of
packet dropped by all malicious nodes.
3) Hybrid Scenario:-
In the Hybrid scenario, we have combined scenario 1 and Control Packets :- It is a sum of all control packets
scenario 2 both to get advantages of both scenario. For (RREQ, RREP, RERR, Alert Message, etc) generated in
instance, we have used 8 intervals in our simulation. It means the network during simulation.
after 1/8 packets transmission; the source will start attack Control Packets(Except Captured Fake RREP) :- It is a
detection system. If it finds any suspicious activity it will send sum of all control packets (RREQ, RREP, RERR, Alert
an alert message otherwise resume packet transmission. After Message, etc) generated excluding those packets which are
next 1/8 packets transmission, it will again start attack
captured as fake RREP from blacklisted nodes.
detection system.
In the Hybrid scenario, we are using scenario 1 during some C. Simulation Result
intervals and scenario 2 during remaining intervals. As
In the simulation, we have used area of 1500 X 1500 meter
scenario 2 consider two nodes as suspicious, it generates more
area and insert 40 nodes randomly. The topology used in this
control packets compared to scenario 1. So we have used
simulation is shown in Fig. 5. As shown in Fig. 5, we have
scenario 1 in 6 intervals (i.e. interval 1,2,3,5,6,7) and scenario
included 10 transactions sending CBR data to destination
2 in 2 intervals (i. e. interval 4,8). Flow chart of malicious
nodes. Simulation is performed 10 times with growing number
node detection system is shown in Fig. 4.

8th ICCCNT 2017

July 3 -5, 2017, IIT Delhi,
Delhi, India
 IEEE - 40222

of the malicious node from 0% to 50%. Each time, we are transmitting control packets for detection of the malicious
incremented number of malicious nodes by 5%. node, some delay will definitely add in the delivery of the
We have plotted combine result of all scenario models. For packet to the destination.
this simulation, we have taken 8 intervals in each transaction.
We have shown different graphs like packet dropped by
malicious nodes, packet delivery ratio, end to end delay,
number of control packets. First graph of our result depicted in
Fig. 6 is the packet dropped by malicious nodes.

Fig. 7. Graph for Packet Delivery Ratio

Fig. 5. Topology used in Simulation

Fig. 8. Graph for End to End Delay

A number of control packets generated during the
simulation of all scenario are shown in Fig. 9. This graph
includes all control packets like RREQ, RREP, RERR, etc. It
also includes those RREP packets which are generated by the
malicious nodes. But many of these RREP packets are
captured by legitimate nodes who has blacklisted that
malicious node and prevent forwarding that RREP packet to
the source which results in disabling the attack.
Fig. 6. Graph for Packet Drop

It is obvious that packet drop will increase with increasing

number of the malicious node. From the graph, it is very much
clear that our proposed system is working very well and have
reduced packet drop by half. With the time, as many malicious
nodes will be detected, packet drop will reduce. After
detecting all malicious node by all legitimate node, no
malicious node will be able to drop a single packet.
Fig. 7 show graph of packet delivery ratio for all scenario.

The graph show that about half packets are delivered to the
destination in such situation where almost half nodes are
malicious. Fig. 8 shows a graph of an end to end delay. As we Fig. 9. Graph for Control Packets

8th ICCCNT 2017

July 3 -5, 2017, IIT Delhi,
Delhi, India
 IEEE - 40222

As these packets are not allowed to spread in the network, number of malicious nodes are different. We performed
increase in traffic of the network is prevented. In Fig. 10 we experiments where a number of malicious nodes are 20% and
have shown a graph for fake RREP control packets captured 30%. We used one transaction which transmitted 100 packets
during simulation. From Fig. 10, it is clear that main reason from source to destination. From the simulation, we got the
behind an increase in control packet is not proposed system result shown in Fig. 11 and Fig. 12. In this result, it showed
rather it is the malicious nodes. When any malicious node is that system is giving better results when intervals are 8. So,
detected, legitimate node breaks that route and inform source we decided to use 8 intervals in our simulation.
node. The source node then sends another RREQ to find a new
path and this makes malicious node transmit more fake RREP
in the network. This effect can be clearly visible from Fig. 10.
As time will go on and more malicious nodes will be detected,
the number of fake control packets generated by malicious
nodes will be suppressed.

Fig. 12. Effect of Interval With 20% Malicious nodes

In all our graph, we have showed the results for all

scenario (Scenario 1, Scenario 2, Hybrid Scenario) . Scenario
1 detects malicious node but does not handle all kind of reply
that malicious node can send to confuse detection system. On
other side, scenario 2 handles all kind of reply that malicious
Fig. 10. Graph For Captured Fake Packets
node send to confuse detection system, but it generates more
Since our system needs time to detect malicious nodes in the control packets compared to scenario 1 which leads to
network, it is possible that it will not perform well in early increase in traffic of network. So, we suggest to use Hybrid
stage but as our system will detect more malicious nodes with scenario, which handles all kind of reply like scenario 2 but
time, it will improve performance and minimize packets drop. generates less number of control packets (almost near to
scenario 1) than scenario 2.
VI. CONCLUSION
From above discussed results, we can conclude that
proposed system works properly even in such condition where
a number of malicious nodes are large. Since our system is
using existing functions, it creates less overhead and keeps
less coding on each node. Proposed system improves its
performance with time. As much as time proposed system will
spend in the network, it will improve network performance
which leads to less packet drop by malicious nodes. Attack
detection phase can be a limitation for the proposed system.
Attack detection phase can be confused in collaborative
blackhole attack which skip malicious node from detection
phase. If we could find a new technique which will detect
blackhole attack as soon as it starts, it will definitely improve
the overall performance of the system.
Fig. 11. Effect of Interval With 30% Malicious nodes

In proposed system, any number of the interval can be REFERENCES

taken. As we increase the number of intervals, malicious node [1] J. M. Chang, P. C. Tsou, I. Woungang, H. C. Chao, C. F. Lai,
detection possibility will increase but it will increase the “Defending Against Collaborative Attacks by Malicious Nodes
number of control packets in the network. We tried to find the in MANETs: A Cooperative Bait Detection Approach”, IEEE
effect of the different interval on two different cases where a Systems Journal, vol. 9, pp. 65-75, 2015.

8th ICCCNT 2017

July 3 -5, 2017, IIT Delhi,
Delhi, India
 IEEE - 40222

[2] P. R. Dumne and A. Manjaramkar, "Cooperative bait detection [17] S. Ramaswamy, H. Fu, M. Sreekantaradhya, J. Dixon, and K.
scheme to prevent collaborative blackhole or grayhole attacks by Nygard, “Prevention of Cooperative Black Hole Attack in
malicious nodes in MANETs," 2016 5th International Wireless Ad Hoc Networks”, International conference on
Conference on Reliability, Infocom Technologies and wireless networks, 2003.
Optimization (Trends and Future Directions) (ICRITO), Noida,
pp. 486-490, 2016. [18] H. Weerasinghe and H. Fu, “Preventing Cooperative Black Hole
Attacks in Mobile Ad Hoc Networks: Simulation Implementation
[3] P. J. Payyappilly and P. A. Ghosh, “Secure Method for AODV and Evaluation”, Future Generation Communication and
Routing By Detection and Prevention of Collaborative Blackhole Networking (FGCN 2007), Jeju, pp. 362-367, 2007.
Attack in MANET”, IJSMC, vol. 4, pp. 562-569, 2015.
[19] C. W. Yu, T.-K. Wu, R. H. Cheng and S. C. Chang, “A
[4] F. Kandah, Y. Singh and C. Wang, “Colluding injected attack in Distributed and Cooperative Black Hole Node Detection and
mobile ad-hoc networks”, Computer CommunicationsWorkshops Elimination Mechanism for Ad Hoc Networks”, Emerging
(INFOCOM WKSHPS), IEEE Conference, pp. 235-240, 2011. Technologies in Knowledge Discovery and Data Mining,
Springer, pp. 538-549, 2007.
[5] Vishnu K. and A. J. Paul, “Detection and removal of cooperative
black/gray hole attack in mobile ad hoc networks”, International [20] S. R. Deshmukh, P. N. Chatur and N. B. Bhople, "AODV-based
Journal of Computer Applications, Citeseer, vol. 1, pp. 38-42, secure routing against blackhole attack in MANET," 2016 IEEE
2010. International Conference on Recent Trends in Electronics,
Information & Communication Technology (RTEICT),
[6] P. Agrawal, R. K. Ghosh and S. K. Das,"Cooperative black and
Bangalore, pp. 1960-1964, 2016.
gray hole attacks in mobile ad hoc networks", Proceedings of the
2nd international conference on Ubiquitous information [21] M. A. Abdelshafy and P. J. B. King, "Resisting blackhole attacks
management and communication, pp. 310-314, 2008. on MANETs," 2016 13th IEEE Annual Consumer
Communications & Networking Conference (CCNC), Las
[7] N. Marchang and R. Datta, “Collaborative techniques for Vegas, NV, pp. 1048-1053, 2016.
intrusion detection in mobile ad-hoc networks Ad Hoc
Networks”, Ad Hoc Networks, vol. 6, pp. 508-523, 2008.
[8] S. S. Ramaswami and S. Upadhyaya,"Smart handling of
colluding black hole attacks in MANETs and wireless sensor
networks using multipath routing", Information Assurance
Workshop, IEEE, pp. 253-260, 2006.
[9] E. Markou and M. Paquette,"Black hole search and exploration in
unoriented tori with synchronous scattered finite automata",
Principles of Distributed Systems, Springer, pp. 239-253, 2012.
[10] Bo Sun, Yong Guan, Jian Chen and UdoW. Pooch, “Detecting
black- hole attack in mobile ad hoc networks”, Personal Mobile
Communications Conference, 5th European (Conf. Publ. No.
492), pp. 490-495, 2003.
[11] M. Al-Shurman, S.-M. Yoo, and S. Park, “Black hole attack in
mobile ad hoc networks” Proceedings of the 42nd annual
Southeast regional conference, pp. 96-97, 2004.
[12] L. Tamilselvan and V. Sankaranarayanan, “Prevention of Blackhole
Attack in MANET,” The 2nd International Conference on Wireless
Broadband and Ultra Wideband Communications (AusWireless
2007), Sydney, NSW, pp. 21-21, 2007.
[13] W. Kozma and L. Lazos, “REAct: resource-efficient
accountability for node misbehavior in ad hoc networks based
on random audits”, Proceedings of the second ACM conference
on Wireless network security, pp. 103-110, 2009.
[14] F.-H. Tseng, L.-D. Chou and H.-C. Chao, “A survey of black hole
attacks in wireless mobile ad hoc networks”, Human-centric
Computing and Information Sciences, vol. 1, pp. 1-16, 2011.
[15] W. Wang, B. Bhargava and M. Linderman, “Defending against
collaborative packet drop attacks on MANETs”, 2nd
International Workshop on Dependable Network Computing and
Mobile Systems (DNCMS 2009)(in Conjunction with IEEE
SRDS 2009), New York, USA, vol. 27, 2009.
[16] Yu-Cheng Tseng, Jehm-Ruey Jiang and Jih-Hsin Lee, “Secure
bootstrapping and routing in an IPv6-based ad hoc network,”
Parallel Processing Workshops, 2003. Proceedings. 2003
International Conference on, pp. 375-382, 2003.

8th ICCCNT 2017

July 3 -5, 2017, IIT Delhi,
Delhi, India