Content uploaded by Stones Chindipha
Author content
All content in this area was uploaded by Stones Chindipha on Feb 13, 2024
Content may be subject to copyright.
Investigating a blackhole attack solution in Mobile
Peer-to-Peer networks with AODV routing protocol
Sthabile Lushaba∗Stones Dalitso Chindipha†
∗Computer Science Department, Rhode University
1g17l3794@campus.ru.ac.za
2S.Chindipha@ru.ac.za
Abstract—Over time, the proliferation of mobile devices has
led to the emergence of Mobile Peer-to-Peer (MP2P) networks.
These networks consist of mobile nodes such as cellphones,
sensors, or mobile vehicles, and offer improved scalability
and performance. However, MP2P networks are vulnerable to
various security attacks, including the Sybil, Wormhole, and
Blackhole attacks. This research focuses specifically on the
blackhole attack, which involves a malicious node advertising a
counterfeit route to attract and subsequently drop all incoming
traffic. This attack degrades the network performance as it
results in the loss of data packets. Consequently, this study
investigates the impact of the blackhole attack on the Ad hoc On-
demand Distance Vector (AODV) routing protocol. The attack
exploits the sequence number system employed by AODV. To
mitigate this threat, a dynamic sequence number threshold-
based solution is proposed and evaluated through simulations
using the Network Simulator 3. The results demonstrate that
the modified AODV outperforms the original AODV in terms of
Packet Delivery Ratio, Network Throughput, and End-to-End
Delay, thus enhancing network performance.
Index Terms—AODV, Blackhole attack, Routing protocol, Ad-
hoc networks, Mobile P2P
I. INTRODUCTION
MP2P networks possess characteristics such as node mobil-
ity, dynamic topology, ad-hoc connections, and the absence of
central network control [1]–[3]. Unlike traditional networks,
MP2P networks allow nodes to join or leave the network
at any time without relying on a base station [1]. Node
mobility in such networks impacts the distance between
communicating nodes, making it possible for a destination
node to be outside the transmission range of the source node.
Due to this, data packets must be sent through multicasting
and forwarding [1].
Multiple protocols exist to handle routing in MP2P net-
works, and one such example is the AODV routing protocol
[1], [4], [5]. The AODV routing protocol, as a reactive routing
protocol, establishes routes only when they are required [1],
[4], [5]. It offers several advantages to networks, including en-
hanced scalability, reduced network overhead, and improved
network performance, particularly in situations involving high
mobility [4]. The AODV routing protocol assumes that all
nodes are trustworthy and non-malicious [1], [4], [6]. How-
ever, this assumption leaves the network vulnerable to various
security attacks, including the blackhole, sybil, wormhole, and
grayhole attacks. Amongst these, the blackhole attack poses a
significant threat. A blackhole node disrupts communication
across the network by advertising itself as having the optimal
Fig. 1. Blackhole node sending Fake RREP
route and deliberately dropping all the data packets it receives
[1]. This is detrimental to the overall network performance
since the proper functioning of the AODV routing protocol
relies on each node accurately forwarding packets [1], [4],
[6].
The AODV routing protocol uses Route Request (RREQ)
and Route Reply (RREP) packets during the route discovery
process. A source node initiates the process by broadcasting
an RREQ packet to neighbouring nodes. Neighbouring nodes
then forward the request until it reaches the destination node.
Next, the destination node replies with an RREP, which is
forwarded back to the source. RREP packets consist of two
significant fields, the sequence number, and a hop count [4].
The sequence number is used as a timestamp to track the most
recent routes [4]. The hop-count field is used to determine the
shortest routes [4]. The source node chooses the best route
based on the highest sequence number and the least hop count
[1], [4].
A blackhole node attracts traffic by sending a fake RREP
with an arbitrarily high sequence number and the lowest hop
count [1], [5]. This tricks the source node into selecting the
malicious route for sending data packets. Figure 1 shows
a blackhole node Mal posing as an intermediate node with
the best route. When the malicious node receives an RREQ
packet, an RREP packet with an arbitrarily high sequence
number is built and sent to the source node. The source node
then selects the malicious route and sends a data packet to the
blackhole node Mal. Subsequently, the data packet is dropped
and never reaches the intended destination.
Several methods exist for detecting blackhole nodes, such
as trust-based [5], routing-based [7], and other verification
methods. However, these solutions often introduce challenges
such as high computational overhead, routing overhead, or
increased End-to-End Delay (EED). This research paper ex-
plores a straightforward yet efficient approach based on the
sequence number. Some sequence number threshold-based
approaches utilize static values [8], which are inadequate for
networks characterized by high mobility [8], [9]. Thus, this
study incorporates a dynamic destination sequence number
threshold-based solution into the AODV routing protocol. The
effectiveness of the proposed solution is assessed through
simulations, using performance metrics such as Network
Throughput (NT), Packet Delivery Ratio (PDR), and EED.
The objectives of this research are as follows:
1) Simulate a generic mobile network based on the AODV
routing protocol and study its network performance
2) Simulate the blackhole attack and evaluate its impact
on the network performance
3) Identify and implement a dynamic destination sequence
number threshold-based solution into the AODV routing
protocol
4) Evaluate the effectiveness of the implemented solution
The rest of this paper is organised as follows: Section
II briefly discusses the previously proposed blackhole attack
solutions. Section III describes the dynamic sequence number
threshold-based solution in detail. The simulation environment
used for evaluating the solution is described in Section IV.
The implementation is briefly explained in Section V. Simu-
lation results are provided in Section VI. Finally, Section VII
concludes and provides future work.
II. RE LATE D STU DI ES
This section discusses existing blackhole attack solution
techniques.
A routing-based solution that uses an initial fake RREQ
packet has been proposed [10]. In this approach, a source
node broadcasts an RREQ with a fake destination IP address.
When a blackhole node receives this request, it sends back an
RREP packet without realising that the RREQ packet is fake.
As a result, the source node can deduce that the replying
node must be a blackhole node since the RREQ was fake
[10]. Since the source waits for all RREP packets to arrive
before selecting the route, the overall EED is increased. The
additional RREQ also increases the routing overhead.
The trust-based solution proposed in [1] uses trust values to
determine the validity of a route. In this approach, each node
tracks the number of data packets, RREQ packets, and RREP
packets received from each neighbouring node. Each node
used this data to evaluate confidence before forwarding data
packets. This approach also incorporated digital signatures to
ensure the integrity of data packets. Each packet, including
control packets, is signed with the corresponding key and only
signed packets are processed [1]. In effect, unsigned packets
received from malicious nodes will be ignored, including
control packets. Using this approach in the presence of
blackhole nodes improved the PDR from approximately 20%
to 70% and the NT from 18 Kpbs to 100 Kpbs. However, the
requirement that public keys are first assigned is problem-
atic for unknown non-malicious nodes. A similar approach
was employed in [5]. However, the number of packets not
relayed, malformed packets, and unanswered requests were
used instead. A PDR improvement of 42% was observed,
in the presence of blackhole nodes. In [11], the number of
packets dropped by a particular node within a given time
interval was used to evaluate trust. This approach produced an
improved performance in comparison to the original AODV,
in the presence of blackhole nodes. Digital signatures were
also incorporated in this approach [11]. A large amount of
computation is required to sign and verify the packets, which
increases the overall computational overhead [1], [11].
Various techniques based on verification exist. An approach
based on a challenge-response-confirm pattern has been pro-
posed [12]. In this approach, the RREQ packet contains a
random number referred to as the challenge. A destination
node responds to requests with an RREP containing a corre-
sponding response value. The response value is determined
using a logistic map to ensure that the response is dependent
on the challenge value [12]. For the confirm step, the source
node uses a timer to wait for all RREP packets. When the
timer expires, the destination node shares the information
used to calculate the response. The source then recalculates
the response value and compares that against the received
response values. RREP packets with response values that do
not match are then marked as suspicious. This approach was
successful at protecting against the blackhole attack. However,
the timer increases the EED, and the extra packets used
increase routing overhead.
Simpler solutions are based on the sequence number [8],
[9], [13]. In [13], each node stores the sequence numbers of all
nodes from which data packets were received. Upon receiving
an RREP packet, each node computes the difference between
the sequence number of the RREP and the stored sequence
number. A difference greater than a predefined threshold,
computed by averaging the sequence number, suggested that
the sender of the RREP is malicious. This approach achieved
a performance improvement, however, a high number of false
negatives and false positives was observed depending on the
threshold value. An approach where computing the threshold
value considered the standard deviation of the sequence
number has been proposed [9]. In this approach, the threshold
value is calculated dynamically as RREP packets arrive at
a particular node. This approach showed an improved NT
and PDR. However, overall routing overhead showed a high
increase. In [8], a static threshold value of 100 was used.
In the case where an RREP contains a sequence number
greater than 100, the RREP is considered suspicious. A second
RREQ with a new sequence number is broadcast. The RREP
packet’s sequence is used for the second RREQ. A malicious
node would re-send an RREP packet with an even higher
destination sequence number. This additional step helps with
confirming malicious nodes [8]. This approach outperformed
the original AODV, in the presence of blackhole nodes [8].
This research aimed to employ the latter approach [8] but
incorporate a dynamic threshold [9].
III. PROP OS ED SOLUTION
The proposed solution leverages the core characteristic
of the blackhole attack. A dynamic threshold is applied to
the destination sequence number to detect arbitrarily high
sequence numbers. The proposed solution has two main
features:
1) Computing the dynamic threshold. In [8], a threshold
value of 100 was used. This research calculates the
threshold by computing the average and standard de-
viation of the destination sequence number for RREPs
received [9].
2) Distinguishing between suspicious and normal RREP
packets [8]. Suspected nodes are added to the blacklist.
A. Dynamic Threshold Algorithm
The pseudocode for computing the dynamic destination
sequence number threshold is outlined in Algorithm 1. During
route discovery, a source node broadcasts an RREQ. When
corresponding RREPs are received, the source updates the
routing table if the packet has a higher sequence number.
A route discovery timer is set for each RREQ. While the
timer has not expired, the destination sequence numbers are
collected and stored, as shown on lines 3 to 4. When the path
discovery timer expires, the collected sequence numbers are
used to compute the threshold according to Equations 1, 2
and 3:
Average(A) =
i
X
n=1
D.SeqN oi
n(1)
V ariance(V) =
i
X
n=1
(D.SeqN oi−A)2
n(2)
T hreshold(T) = √V ariance (3)
where nis the total number of RREP packets received and
D.SeqNo is the destination sequence number of each RREP
packet.
Algorithm 1: Dynamic threshold algorithm [9]
1 : SN broadcasts an RREQ
2 : SN waits to receive RREPs
3 : While PATH-DISCOVERY-TIME not run out
4 : Collect RREP DstSeqNo
6 : compute Average DstSeqNo
7 : compute Threshold T
Algorithm 2: Detecting blackhole node behavior
1 : SN initiates the route discovery process
2 : Waits PATH-DISCOVERY-TIME long
3 : Calculate the Threshold T
4 : Select RREP1 with high D-SeqNo AND least H.Count
6 : if RREP1.DstSeqNo >T
7 : Create New-RREQ
8 : New-RREQ.SSN=RREP1.DstSeqNo
9 : Broadcast New-RREQ
10: if RREP2.DstSeqNo >T AND RREP2.IP==RREP1.IP
11: Node with address IP is malicious
12: Add node to blacklist
13: else
14: Non-malicious RREP1
15: Update Route
16: Send Data packet
B. Detection Algorithm
Algorithm 2 outlines the pseudocode for detecting the
blackhole node behaviour. The initial step of the route discov-
ery process remains unchanged. The source node initiates this
process by broadcasting an RREQ packet. In the unmodified
AODV routing protocol, the source node then compares the
destination sequence number and hop count and selects a route
for sending packets. In the proposed approach, the source
node performs an additional step to confirm the legitimacy
of the selected route. It follows Algorithm 1 to compute
the threshold to which the destination sequence number is
compared against. Once the best route is selected, the corre-
sponding sequence number is compared against the computed
threshold as shown in line 5. If there exists an RREP packet
with a destination sequence number greater than the threshold
value, the corresponding route is marked as suspicious. The
RREQ packet is then updated with the suspected sequence
number and re-broadcast, as per lines 6 to 9. If the source node
receives a suspicious RREP packet from the same suspected
node, the said node is marked as suspicious and added to the
blacklist.
IV. SIMULATION SETUP
A. Simulation Tool
The NS3 is a discrete-event simulator used for simulating
and studying various network scenarios [14]. It provides
the environment for simulating protocols such as the User
Datagram Protocol (UDP), Internet Protocol (IP), and routing
protocols for wired and wireless communications. The NS3 is
open source and provides support for simulation scripts to be
written in C++. The main files modified from the NS3 are the
aodv-routing-protocol.cc and aodv-routing-protocol.h files.
B. Simulation Environment
The proposed solution was evaluated using a network built
on the IEEE 802.11 MAC, with the number of nodes varying
from 10 to 50. A simulation area of 1500 x 1500 meters
was used. Since IEEE 802.11b’s maximum raw data rate is
11 Mbps, the data transmission was set to 11 Mbps [15].
The Random Way Point (RWP) mobility model was used for
simulating human movement patterns. The RWP specifies the
random movement of nodes at a constant speed and allows
user-specific boundary values to keep nodes within the simula-
tion area [1]. Two source-sink pairs were selected to exchange
Constant Bit Rate (CBR) UDP-type traffic. Table I lists the
remainder of the simulation parameters used throughout the
study.
C. Network Performance Evaluation Metrics
The metrics used for evaluating performance are as follows:
•Packet Delivery Ratio (PDR): The packet delivery ratio
refers to the ratio of the number of packets received (PR)
by the destination node to the number of packets sent
(PS) by the source node [9]. As shown by Equation 4,
the PDR was measured as a percentage.
P DR =
i
X
n=1
P Ri
P Si
X100 (4)
In Equation 4, nis the number of packet flows between
source and sink nodes, PR is the number of packets
received by the sink, and PS is the number of packets
sent by the source.
•Network Throughput (NT): Network Throughput refers
to the amount of data transmitted (in bytes) across the
network at a given time [9]. This is calculated as shown
by Equation 5.
T hroughput =
i
X
n=1
T otalBy tesi
T otalT imei−S tartT imei
(5)
In Equation 5, nis the number of packet flows between
source and sink nodes, TotalBytes is the sum of bytes
received at the sink, Total Time is the simulation duration,
and StartTime is when the first data packet was sent.
•End-to-End Delay (EED): This refers to the time taken
for a packet to reach its destination. The EED is some-
times referred to as the round-trip time (RTT) [9].
V. IMPLEMENTATION
This section briefly discusses the modifications made to the
NS3 source files for simulating the blackhole attack scenario
and integrating the proposed solution.
A. Blackhole Attack Implementation
The blackhole attack was implemented to evaluate its
impact on the network performance. The aodv-routing-
protocol.cc and aodv-routing-protocol.h files were modified
to include a boolean variable such that selected nodes can
be configured to drop all received packets. This followed a
blackhole attack contributed for NS3.20 - NS3.25 [16]. The
ReceiveRequest() function was modified to generate RREP
packets with a fake routing entry. The Forwarding() function
was modified to discard data packets received if the boolean
variable is true.
TABLE I
SIMULATION PARAMETERS
Simulation Parameter Value
Simulator NS-3 (Version 3.6)
Simulation Time 200 s
Simulation Area 1500 m x 1500 m
Number of Nodes 10 to 50 nodes
Malicious Nodes 3 blackhole node
Transmission power 20 dBm
Propagation Delay Model Constant Speed
Propagation Loss Model Friis
Mobility Model Random Way Point
Node Speed 25 m/s
Pause Time 0 s
Transmission Rate (Wi-Fi) 11 Mbps
Traffic Type CBR - UDP
Packet Size 64 bytes
Data Rate (UDP) 2048kps
Routing Protocol PureAODV, BAODV, IAODV
Phy/MAC IEEE 802.11
Operating System Ubuntu 21.10
B. Proposed Solution Implementation
The aodv-routing-protocol.cc and aodv-routing-protocol.h
files were modified to include a boolean variable for config-
uring the source node to check for malicious behaviour. The
RecvAodv() function was modified such that when detection
mode is enabled, the current node checks if it originated the
corresponding RREQ before validating any RREP packets.
The default PathDiscoveryTimer variable was used to wait
until all RREPs have been received. The RecvReply() function
was modified to only update the routing table if the sequence
number of the RREP being processed is less than the current
threshold value. The SetUnidirectional() function was used to
flag routes as malicious, thus adding them to the blacklist.
VI. RE SU LTS AN D DISCUSSION
This section discusses the findings after running various
simulations. The network performance was measured for
the unmodified AOVD (PureAODV), AODV with blackhole
nodes (BAODV) and AODV with the proposed solution and
blackhole nodes (IAODV).
A. Network Visualisation
NetAnim was used for visualising the simulation. Figure
2 provides a snapshot where the route discovery process is
initiated. Source N3 Broadcast an RREQ packet to neighbour-
ing nodes. Since the destination node is not reachable, the
network relies on N6 and N4 to forward the RREQ packet
for destination N9. Figure 3 shows the RREQ arriving at
destination N9.
B. Node Mobility
Node mobility is an important feature to consider as it
affects how quickly nodes move out of the transmission range.
Figure 4 shows the PDR for varying mobility rates. This
experiment was done to determine a suitable node mobility
value. A PDR of 100% was observed for a speed of 1 m/s.
Low mobility means nodes are more likely to be within the
Fig. 2. Source node broadcasts an RREQ
Fig. 3. RREQ arriving at the destination node
transmission range. Therefore, a speed of 1 m/s is expected
to perform best. However, 1 m/s is unrealistic. Increasing the
speed to 15 m/s causes nodes to spread across the simulation
area. This increases link breakage thus the observed decrease
in PDR from 100% to 65,32%. The PDR increased to 85,26%
with a speed of 25 m/s. Therefore, it is reasonable to keep
the mobility at 25 m/s.
C. Network Throughput
Simulations were run to compare the NT for the original
AODV and the modified AODV, in the presence of the
blackhole attack. Figure 5 shows that PureAODV clearly per-
forms better compared to BAODV and IAODV. As expected,
BAODV performed the worse with throughput levels falling
below 500 Bps at 25 nodes. An improvement is observed with
IAODV. It can be noted that the NT for IAODV is relatively
low compared to the PureAODV. This is due to the extra
steps involved in validating the destination node thus less data
packets can be exchanged in a given time. The sudden drop
observed for the PureAODV at 40 nodes is possibly due to a
single node being part of multiple routes. In the case that that
Fig. 4. PDR comparison for varying node speed
Fig. 5. Throughput comparison for the three scenarios
particular node shifts positions, multiple routes are broken.
D. Packet Delivery Ratio
Figure 6 shows the PDR comparison for the three scenarios.
It can be noted that IAODV outperforms BAODV. This is
expected as blackhole nodes block data packets from reaching
their intended destinations, thus decreasing the overall packet
delivery. Figure 6 shows an apparent sudden drop at 25 nodes
which is observed for PureAODV, BAODV and IAODV. This
is the effect of node mobility and increased number of nodes.
Link breakage is increased thus decreasing the amount of
packets exchanged at a given time.
Fig. 6. PDR comparison for the three scenarios
Fig. 7. End-to-End Delay comparison for the three scenarios
E. End-to-End Delay
As shown in Figure 7, the EED was compared from all
three scenarios. IAODV performs the worst while PureAODV
and BAODV showed relatively similar levels. The perfor-
mance levels of IAODV are expected since the source must
wait for the path discovery timer to expire before selecting
a route. The extra time spent calculating the threshold and
processing RREP packets also worsens the delay.
VII. CONCLUSION
This study investigated the impact of the blackhole attack
on the AODV routing protocol within MP2P networks and
focused on detecting blackhole nodes. A dynamic sequence
number threshold-based solution was implemented, detecting
RREP packets with excessively high sequence numbers. The
solution builds upon the approach presented in [8]. The static
threshold value of 100 was replaced with a dynamic threshold
value. Although the solution did not include resending the
RREQ with an updated sequence number, the modified AODV
demonstrated some improvements in performance compared
to the original AODV in the presence of blackhole nodes,
as observed in terms of NT and PDR. However, the EED
increased. This is expected as the solution incorporates a timer
and additional routing steps.
The future work includes extending the implementation to
include resending RREQ packets with an updated sequence
number. Additionally, the blackhole attack will be studied for
the different routing protocols such as the Optimised Link
State Routing Protocol (OLSR).
ACK NOW LE DG EM EN T
This research was conducted under the Distributed Mul-
timedia Center of Excellence at Rhodes University, with
financial support from Telkom SA. The authors wish to
acknowledge that the opinions, findings, conclusions, or rec-
ommendations presented in this work are solely those of the
author(s), and the aforementioned sponsor bears no responsi-
bility or liability concerning these aspects.
REFERENCES
[1] P. Ndajah, A. O. Matine, and M. N. Hounkonnou, “Black hole attack
prevention in wireless peer-to-peer networks: A new strategy,” Interna-
tional Journal of Wireless Information Networks, vol. 26, pp. 48–60, 3
2019.
[2] N. Suri, “Distributed systems security knowledge area version n,”
The Cyber Security Body Of Knowledge, 2021. [Online]. Available:
http://www.nationalarchives.gov.uk/doc/open-
[3] A. I. Ameur, A. Lakas, Y. M. Bachir, and O. S. Oubbati, “Peer-to-
peer overlay techniques for vehicular ad hoc networks: Survey and
challenges,” Vehicular Communications, p. 100455, 2022.
[4] E. M. B.-R. Charles Perkins and S. R. Das, “RFC 3561: Ad hoc On-
Demand Distance Vector (AODV) Routing,” RFC 3561, IETF, Tech.
Rep. 3561, 2003.
[5] A. Kumar, V. Varadarajan, A. Kumar, P. Dadheech, S. S. Choudhary,
V. A. Kumar, B. K. Panigrahi, and K. C. Veluvolu, “Black hole
attack detection in vehicular ad-hoc network using secure aodv routing
algorithm,” Microprocessors and Microsystems, vol. 80, p. 103352,
2021.
[6] C. Panos, C. Ntantogian, S. Malliaros, and C. Xenakis, “Analyzing,
quantifying, and detecting the blackhole attack in infrastructure-less
networks,” Computer Networks, vol. 113, pp. 94–110, 2017.
[7] M. Sathish, K. Arumugam, S. N. Pari, and V. Harikrishnan, “Detection
of single and collaborative black hole attack in manet,” in 2016 Inter-
national Conference on Wireless Communications, Signal Processing
and Networking (WiSPNET). IEEE, 2016, pp. 2040–2044.
[8] S. Shrestha, R. Baidya, B. Giri, and A. Thapa, “Securing blackhole
attacks in manets using modified sequence number in aodv routing
protocol,” in 2020 8th International Electrical Engineering Congress
(iEECON). IEEE, 2020, pp. 1–4.
[9] S. Gurung and S. Chauhan, “A dynamic threshold based algorithm for
improving security and performance of aodv under black-hole attack in
manet,” Wireless Networks, vol. 25, no. 4, pp. 1685–1695, 2019.
[10] K. Arora, V. Jain, and A. Professor, “Recognition of black hole attacks
in manet using efficient ad hoc on-demand distance vector,” Journal of
the Gujarat Research Society, 2019.
[11] M. I. Talukdar, R. Hassan, M. S. Hossen, K. Ahmad, F. Qamar, and
A. S. Ahmed, “Performance improvements of aodv by black hole attack
detection using ids and digital signature,” Wireless Communications and
Mobile Computing, vol. 2021, 2021.
[12] A. M. El-Semary and H. Diab, “Bp-aodv: Blackhole protected aodv
routing protocol for manets based on chaotic map,” IEEE Access, vol. 7,
pp. 95 197–95 211, 2019.
[13] M. Dmitry and I. Denis, “Cybersecurity of ad-hoc distributed systems,”
in Proceedings of the 8th International Conference on Security of
Information and Networks, vol. 08-10-Sep-2015. Association for
Computing Machinery, 9 2015.
[14] (2002) The NS-3 website, [Online]. Available:https://www.nsnam.org/.
[15] M. M. Hamdi, A. S. Mustafa, H. F. Mahd, M. S. Abood, C. Kumar, and
M. A. Al-shareeda, “Performance analysis of qos in manet based on
ieee 802.11 b,” in 2020 IEEE international conference for innovation
in technology (INOCON). IEEE, 2020, pp. 1–5.
[16] The NS3 contibuted code website, [Online]. Avail-
able:https://www.nsnam.org/wiki/Contributed Code.
Sthabile Lushaba completed her undergraduate studies at Rhodes University,
earning a BSc in Computer Science and Biochemistry. She also obtained a
BSc Honours in Computer Science from the same institution.
