DoS/Wormhole Attack: Difference between revisions
From charlesreid1
Latest revision as of 03:13, 20 June 2026
The wormhole attack is a severe network-layer attack against routing protocols in wireless ad hoc networks, sensor networks, and increasingly in broader Internet routing contexts. In this attack, a malicious node captures packets at one location in the network, tunnels them through a high-speed out-of-band connection (the "wormhole") to another colluding node elsewhere in the network, and replays them locally. The two colluding attackers can make distant nodes believe they are neighbors, thereby distorting the network topology and disrupting the normal operation of routing protocols.
The wormhole attack is particularly dangerous because it can be launched without compromising any legitimate nodes or breaking any cryptographic protections — the attacker simply tunnels legitimate packets from one point to another. It often serves as a launchpad for follow-on attacks such as black hole, sinkhole, selective forwarding, or traffic analysis.
How It Works
The basic mechanism involves two (or more) attacker nodes, A1 and A2, connected by a private, high-bandwidth, low-latency link — the wormhole tunnel. The tunnel can be implemented via:
- Out-of-band wired/wireless link (e.g., a direct Ethernet cable, a long-range directional radio)
- Packet encapsulation (tunneling captured frames inside IP/UDP packets sent over the regular network)
- Protocol-specific replay (capturing routing packets at one end and replaying them at the other)
When a routing protocol (e.g., AODV, DSR, OLSR in MANETs, or RPL in IoT/6LoWPAN networks) broadcasts route discovery messages, the wormhole nodes capture these at one end, tunnel them to the other end, and rebroadcast them there. Nodes within radio range of one endpoint therefore hear messages from nodes at the other end as if they were a single hop away, and update their routing tables accordingly. In reality, the path may traverse the entire network. This allows the attacker to:
- Attract a large volume of traffic through the wormhole
- Create routing loops or black holes
- Eavesdrop on or selectively drop tunneled traffic
- Partition the network
Classification
Wormhole attacks are commonly categorized into three types based on how the attacker interacts with the routing protocol:
| Type | Description |
|---|---|
| Open Wormhole | The wormhole endpoints are visible to the source and destination. Packets are sent from source → A1 → A2 → destination. Intermediate legitimate nodes are bypassed. |
| Half-Open Wormhole | Only one wormhole endpoint is visible to the source. Packets go source → A1 (wormhole) → destination directly, without the source being aware of the tunnel. |
| Closed Wormhole | Neither wormhole endpoint appears in the route record. Packets appear to travel directly from source to destination in a single fictitious hop, with the wormhole nodes completely hidden from other nodes. |
Practical Execution
Wireless Sensor Networks / IoT (RPL / 6LoWPAN)
In IoT and Wireless Sensor-Actuator Networks (WSANs) running the RPL (Routing Protocol for Low-Power and Lossy Networks), practical wormhole implementations have been demonstrated using:
- Contiki OS / Cooja simulator: Two nodes can be configured with an artificially strong connection (simulating a direct wormhole tunnel) between distant parts of the network. RPL DODAG (Destination-Oriented Directed Acyclic Graph) formation is distorted, causing nodes to select the wormhole as a preferred parent, funneling traffic through the attacker.
- XBee S2C devices: Researchers at the 2018 Colombian Conference on Computing demonstrated a practical wormhole attack on real XBee-based wireless sensor networks. The attack involved capturing routing packets on one node, modifying the hop count and relay list fields, and replaying them through a second node connected via a serial/UART tunnel.
The practical implementation involves:
- Deploy two attacker nodes at opposite ends of the target network
- Establish an out-of-band tunnel between them (serial cable, Wi-Fi, Ethernet, or even a second radio)
- On the first node, sniff for DIO (DODAG Information Object) or DAO (Destination Advertisement Object) messages
- Forward captured messages through the tunnel to the second node
- The second node replays them locally, advertising a false short path
- Neighboring legitimate nodes update their routing tables to route through the wormhole
MANET / Mobile Ad-Hoc Networks
In MANETs using reactive protocols like AODV or DSR:
- Attacker nodes A1 and A2 listen for RREQ (Route Request) broadcasts
- When A1 hears an RREQ, it tunnels it to A2 via the wormhole link
- A2 rebroadcasts the RREQ; the RREP (Route Reply) travels back through the wormhole
- The source node sees an artificially low hop-count path through the wormhole
- The source selects this fake route, and the attacker gains control of the traffic
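The route distortion described in How It Works and in the AODV steps above, as an added example that is not part of the original page or of any simulator it names. It models a closed wormhole in a 5-by-5 unit-disk network with a breadth-first RREQ flood: the grid, the radio range, the attacker positions A1 and A2, the sink used for the DODAG-style parent count, and all function names are assumptions constructed for illustration.

```python
"""Closed-wormhole route distortion in a toy 5x5 unit-disk network.

Added example, not from any paper or simulator named on this page: positions,
radio range, attacker placement and sink are constructed for illustration."""
from collections import deque
from itertools import product
from math import dist

RADIUS = 1.0                              # radio range; grid spacing is 1, so 4 grid neighbours
NODES = [(x, y) for x, y in product(range(5), range(5))]
A1, A2 = (0.5, 0.0), (3.5, 4.0)           # assumed attacker radios near opposite corners


def unit_disk_graph(nodes, radius=RADIUS):
    """Legitimate links: every pair of nodes within radio range."""
    adj = {n: set() for n in nodes}
    for u, v in product(nodes, repeat=2):
        if u != v and dist(u, v) <= radius:
            adj[u].add(v)
    return adj


def in_range(point, nodes, radius=RADIUS):
    """Nodes that can hear (and be heard by) a radio at `point`."""
    return {n for n in nodes if dist(point, n) <= radius}


def with_closed_wormhole(adj, a1_cov, a2_cov):
    """Closed wormhole: whatever A1 hears is replayed unchanged at A2 (and back),
    so every node under A1 takes every node under A2 for a one-hop neighbour.
    Neither attacker appears in any route record."""
    fake = {n: set(nbrs) for n, nbrs in adj.items()}
    for x, y in product(a1_cov, a2_cov):
        fake[x].add(y)
        fake[y].add(x)
    return fake


def rreq_flood(adj, src):
    """Breadth-first flood: each node keeps the first (fewest-hop) RREQ copy it
    hears and the neighbour it came from, as AODV's reverse-path setup does."""
    prev = {src: None}
    q = deque([src])
    while q:
        u = q.popleft()
        for v in sorted(adj[u]):          # sorted only to make routes deterministic
            if v not in prev:
                prev[v] = u
                q.append(v)
    return prev


def route(adj, src, dst):
    """Route the source installs once the RREP comes back along the reverse path."""
    prev = rreq_flood(adj, src)
    if dst not in prev:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]


def hops(adj, src, dst):
    return len(route(adj, src, dst)) - 1


def fake_links(path, honest):
    """Consecutive hops in `path` that do not exist in the honest topology."""
    return [(u, v) for u, v in zip(path, path[1:]) if v not in honest[u]]


def attracted_to_sink(honest, fake, sink):
    """Nodes whose fewest-hop route to the sink is strictly shortened by the wormhole
    (ties are not credited to the attacker). In an RPL DODAG rooted at `sink` these
    are the nodes that would end up with a wormhole-side preferred parent."""
    return sorted(n for n in honest
                  if n != sink and hops(fake, n, sink) < hops(honest, n, sink))


def demo(src=(0, 0), sink=(4, 4)):
    honest = unit_disk_graph(NODES)
    a1_cov, a2_cov = in_range(A1, NODES), in_range(A2, NODES)
    fake = with_closed_wormhole(honest, a1_cov, a2_cov)
    path = route(fake, src, sink)
    return {
        "honest_hops": hops(honest, src, sink),
        "advertised_hops": hops(fake, src, sink),
        "route": path,
        "fake_links": fake_links(path, honest),
        "attracted": attracted_to_sink(honest, fake, sink),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The corner-to-corner route that honestly needs 8 radio hops is installed as a 1-hop route, and 10 of the 24 non-sink nodes would pick a wormhole-side parent for a sink at the far corner. An open or half-open wormhole is modelled the same way, except that the attacker hop(s) stay visible in the route record; the fewest-hop comparison is unchanged.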
NS2 and NS3 simulation frameworks include modules for implementing and testing wormhole attacks. Example NS2 setup: create a dedicated high-bandwidth duplex link between two attacker nodes positioned at network edges; disable neighbor discovery on that link so only the wormhole nodes can utilize it.
Cloud and Internet Routing (BGP Wormhole)
In the context of Internet routing (BGP), a wormhole attack takes a related but distinct form. Two colluding Autonomous Systems (ASes) can tunnel BGP UPDATE messages between each other, making it appear that they share a direct peering link when in fact they are geographically or topologically far apart. This distorts the AS-path seen by other networks and can:
- Create false shorter AS-paths that attract traffic
- Enable prefix hijacking by making malicious route announcements appear more attractive
- Circumvent BGP security extensions like BGPsec (which authenticates the AS-path but cannot verify the physical topology)
- Facilitate traffic interception and man-in-the-middle at the wormhole endpoints
Research by Yih-Chun Hu et al. has shown that even with BGPsec deployed, wormhole attacks can still create routing black holes on the Internet because BGPsec validates cryptographic signatures on AS-paths but cannot detect that two ASes are colluding via an out-of-band tunnel.
Cloud / SDN Environments
In Software-Defined Networking (SDN) and cloud environments, a wormhole-like attack can be realized by:
- Compromising two virtual switches or hypervisors in different availability zones
- Establishing a covert GRE/VXLAN tunnel between them
- Selectively redirecting tenant traffic through the tunnel for eavesdropping or manipulation
- Exploiting cross-cloud or hybrid-cloud VPN tunnels as wormhole conduits
Tools and Examples
- NS2/NS3 Wormhole Simulation: The de facto standard for academic research. Scripts configure two attacker nodes with a private wired link bypassing the wireless medium. Example: https://www.ns2project.com/ns2-example-code/
- Contiki OS / Cooja: Used for RPL-based wormhole attack and defense research on IoT networks.
- XBee-based physical wormhole (CCC 2018): A hardware-level proof-of-concept using two XBee S2C radio modules connected via UART, capturing and replaying ZigBee routing packets.
- Scapy-based tunneling: Python/Scapy can be used to capture routing protocol packets, encapsulate them, and replay them on a remote host — effectively creating a wormhole for penetration testing.
- BGP Wormhole (conceptual): Two BGP speakers colluding via a GRE tunnel to inject false shorter AS-paths. Tools like Quagga/FRRouting with BGPsec can be used in lab environments to study the attack.
Countermeasures
Several approaches exist for detecting and mitigating wormhole attacks:
| Method | Description | Limitation |
|---|---|---|
| Packet Leashes | Geographic leashes bind packets to a maximum physical distance per hop; temporal leashes enforce strict per-hop time bounds. | Requires tightly synchronized clocks or GPS. |
| Watchdog Model | A sender monitors whether the next hop forwards the packet within a time limit. If not, the node is flagged as malicious. | High false-positive rate; defeated if combined with selective forwarding. |
| Delphi Technique | Measures per-hop delay across the network; tunnel paths exhibit abnormally high delay per hop compared to the average. | Ineffective when many wormholes exist, as the average delay gets skewed. |
| WRHT (Wormhole Resistant Hybrid Technique) | Combines Watchdog and Delphi, monitoring both packet loss and delay-per-hop. | Higher overhead; requires careful threshold tuning. |
| Round-Trip Time & Hop Count | Measures RTT and hop count between nodes; wormhole paths show disproportionate RTT relative to hop count. | Needs a calibrated RTT-per-hop baseline for the deployment (demonstrated on RPL/6LoWPAN in Contiki OS). |
| LiteWorp | Lightweight countermeasure that relies on nodes overhearing neighbor communications to detect anomalous topology. | Assumes static networks and promiscuous listening. |
| Directional Antennas | Uses directional or sector antennas to verify that signals arrive from the expected physical direction. | Requires specialized hardware. |
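Packet leashes from the table above, as an added example; it is not code from the original page or from the Hu, Perrig and Johnson paper. The two checks follow that paper's temporal and geographic leash inequalities; every numeric parameter (radio range, clock error, node speed, localisation error), the shared-key HMAC standing in for the paper's leash authentication, and the honest / tunnelled / forged scenario are assumptions constructed here. The last two results also show the trade-off in the Limitation column: with millisecond clock error the temporal leash rejects an honest neighbour while the geographic leash still accepts it.

```python
"""Packet-leash verification (temporal and geographic) at a receiving node.

Added example, not code from the original page or the Hu/Perrig/Johnson paper. The
two inequalities follow that paper's leash definitions; every numeric parameter,
the shared-key HMAC that stands in for the paper's leash authentication, and the
honest / tunnelled / forged scenario below are assumptions constructed here."""
import hashlib
import hmac
import struct
from math import dist

C = 299_792_458.0      # propagation speed, m/s
L = 300.0              # max legitimate one-hop distance in metres (assumed radio range)
DELTA = 50e-9          # max clock synchronisation error, s (assumed)
V_MAX = 30.0           # max node speed, m/s (assumed)
POS_ERR = 5.0          # max localisation error, m (assumed)
KEY = b"constructed-demo-key"   # stand-in for the key that authenticates leash fields


def leash_tag(t_s, p_s, payload, key=KEY):
    """Bind send time, sender position and payload together; a replaying node that
    rewrites t_s or p_s to fit the leash can no longer produce a matching tag."""
    msg = struct.pack("!ddd", t_s, p_s[0], p_s[1]) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_packet(t_s, p_s, payload):
    return {"t_s": t_s, "p_s": p_s, "payload": payload, "tag": leash_tag(t_s, p_s, payload)}


def check_temporal_leash(pkt, t_r, delta=DELTA):
    """Temporal leash: the packet may have travelled at most L at light speed,
    so t_r - t_s (plus the worst-case clock error) must not exceed L/c."""
    return (t_r - pkt["t_s"] + delta) <= L / C


def check_geographic_leash(pkt, t_r, p_r, delta=DELTA):
    """Geographic leash: upper bound on sender-receiver separation, allowing for
    node movement during the (clock-error-widened) flight time and for
    localisation error; reject if even the bound exceeds one radio range."""
    bound = dist(pkt["p_s"], p_r) + 2 * V_MAX * (t_r - pkt["t_s"] + delta) + POS_ERR
    return bound <= L


def verify(pkt, t_r, p_r, delta=DELTA):
    """Receiver decision: 'forged' if the leash fields were tampered with,
    'wormhole' if either leash says the packet came from too far away, else 'ok'."""
    expected = leash_tag(pkt["t_s"], pkt["p_s"], pkt["payload"])
    if not hmac.compare_digest(expected, pkt["tag"]):
        return "forged"
    if not (check_temporal_leash(pkt, t_r, delta)
            and check_geographic_leash(pkt, t_r, p_r, delta)):
        return "wormhole"
    return "ok"


def scenario():
    """Constructed traffic: one RREQ heard by an honest neighbour 200 m away, the same
    RREQ replayed by A2 3 km away after 20 us in the tunnel, and a copy whose leash
    fields A2 rewrote to look local."""
    t_s, p_s = 1.0, (0.0, 0.0)
    pkt = make_packet(t_s, p_s, b"RREQ dst=S seq=7")
    honest_t, honest_p = t_s + 200.0 / C + 100e-9, (200.0, 0.0)   # 200 m flight + 100 ns receive latency (assumed)
    tunnel_t, tunnel_p = t_s + 20e-6, (3000.0, 0.0)                # assumed tunnel latency and far endpoint
    forged = dict(pkt, t_s=tunnel_t - 100e-9, p_s=(2900.0, 0.0))   # leash rewritten, tag left as captured
    return {
        "honest": verify(pkt, honest_t, honest_p),
        "tunnelled": verify(pkt, tunnel_t, tunnel_p),
        "forged": verify(forged, tunnel_t, tunnel_p),
        # what an unauthenticated leash would conclude about the forged copy
        "forged_without_auth": check_temporal_leash(forged, tunnel_t)
                               and check_geographic_leash(forged, tunnel_t, tunnel_p),
        # same honest packet, but the clocks are only synchronised to 1 ms
        "temporal_loose_clocks": check_temporal_leash(pkt, honest_t, delta=1e-3),
        "geographic_loose_clocks": check_geographic_leash(pkt, honest_t, honest_p, delta=1e-3),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The `forged_without_auth` result is the reason leashes are useless on their own: a colluding endpoint that can rewrite the send time and position passes both checks, so the leash fields must be authenticated (the paper uses its TIK protocol for this; the HMAC here is only a stand-in).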
See Also
- DoS — Main Denial of Service page
- DoS/Black Hole Attack — Black hole / packet-drop attack
- DoS/Sinkhole Attack — Sinkhole attack (closely related; wormhole often used to create sinkholes)
References
- Hu, Y.-C., Perrig, A., & Johnson, D. B. (2006). "Wormhole Attacks in Wireless Networks." IEEE JSAC, 24(2).
- Perazzo, P., et al. "Implementation of a Wormhole Attack Against a RPL Network: Challenges and Effects." University of Pisa.
- Singh et al. (2016). "WRHT: A Hybrid Technique for Detection of Wormhole Attack in Wireless Sensor Networks." Mobile Information Systems.
- Implementation on XBee S2C: 13th Colombian Conference on Computing (CCC 2018).
- Hu, Y.-C. et al. "Can BGP be Secured with BGPsec?" — On wormhole attacks in BGP.