A simple yet effective attack in which a router selectively drops packets destined for some victim is considered malicious. It is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. The authors have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses.
1 Computer Science & Engineering Department, JCET, Tiruchirappalli, India
2 Assistant Professor in CSE, JCET, Tiruchirappalli, India
* Corresponding author (email: bala_nov02@yahoo.com)
Abstract
Consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. This paper is concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. This heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. They have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions.

Index Terms: Internet dependability, intrusion detection and tolerance, distributed systems, reliable networks, malicious routers.

Introduction

The internet is not a safe place. Unsecured hosts can expect to be compromised within minutes of connecting to the internet, and even well-protected hosts may be crippled with denial-of-service (DoS) attacks. While such threats to host systems are widely understood, it is less well appreciated that the network infrastructure itself is subject to constant attack as well. Indeed, through combinations of social engineering and weak passwords, attackers have seized control over thousands of internet routers. Even more troubling is Mike Lynn's controversial presentation at the 2005 Black Hat Briefings, which demonstrated how Cisco routers can be compromised via simple software vulnerabilities. Once a router has been compromised in such a fashion, an attacker may interpose on the traffic stream and manipulate it maliciously to attack others, selectively dropping, modifying, or rerouting packets.

Several researchers have developed distributed protocols to detect such traffic manipulations, typically by validating that traffic transmitted by one router is received unmodified by another. All of these schemes, including our own, struggle in interpreting the absence of traffic. While a packet that has been modified in transit represents clear evidence of tampering, a missing packet is inherently ambiguous: it may have been explicitly blocked by a compromised router or it may have been dropped benignly due to network congestion. In fact, modern routers routinely drop packets due to bursts in traffic that exceed their buffering capacities, and the widely used Transmission Control Protocol (TCP) is designed to cause such losses as part of its normal congestion control behavior. Thus, existing traffic validation systems must inevitably produce false positives for benign events and/or produce false negatives by failing to report real malicious packet dropping.

This paper develops a compromised router detection protocol that dynamically infers the precise number of congestive packet losses that will occur. Once the congestion ambiguity is removed, subsequent packet losses can be safely attributed to malicious actions. It is believed that our protocol is the first to automatically predict congestion in a systematic manner and that it is necessary for making any such network fault detection practical.

Background

There are inherently two threats posed by a compromised router. The attacker may subvert the network control plane (e.g., by manipulating the routing protocol into false route updates) or may subvert the network data plane and forward individual packets incorrectly. The first set of attacks has seen the widest interest and the most activity, largely due to their catastrophic potential. By violating the routing protocol itself, an attacker may cause large portions of the network to become inoperable. Thus, there have been a variety of efforts to impart authenticity and consistency guarantees on route update messages with varying levels of cost and protection. This class of attacks is not considered in this paper.

Instead, they have focused on the less well-appreciated threat of an attacker subverting the packet forwarding process on a compromised router. Such an attack presents a wide set of opportunities including DoS, surveillance, man-in-the-middle attacks, replay and insertion attacks, and so on. Most of these attacks can be trivially implemented via the existing command shell languages in commodity routers.

The earliest work on fault-tolerant forwarding is due to Perlman, who developed a robust routing system based on source routing, digitally signed route-setup packets, and reserved buffers. While groundbreaking, Perlman's work required significant commitments of router resources and high levels of network participation to detect anomalies. Since then, a variety of researchers have proposed lighter weight protocols for actively probing the network to test whether packets are forwarded in a manner consistent with the advertised global topology. Conversely, the 1997 WATCHERS system detects disruptive routers passively via a distributed monitoring algorithm that detects deviations from a "conservation of flow" invariant. Work on WATCHERS was abandoned, in part due to limitations in its distributed detection protocol, its overhead, and the problem of ambiguity stemming from congestion. Finally, our own work broke the problem into three pieces: a traffic validation mechanism, a distributed detection protocol, and a rerouting countermeasure. That work focused on the detection protocol, provided a formal framework for evaluating the accuracy and precision of any such protocol, and described several practical protocols that allow scalable implementations. We also assumed that the problem of congestion ambiguity could be solved, without providing a solution. This paper presents a protocol that removes this assumption.

Overview

Inferring Congestion Loss

In building a traffic validation protocol, it is necessary to explicitly resolve the ambiguity around packet losses. Should the absence of a given packet be seen as malicious or benign? In practice, there are three approaches for addressing this issue.

Addressing Approaches

Static Threshold: Low rates of packet loss are assumed to be congestive, while rates above some predefined threshold are deemed malicious. In order to avoid false positives, the threshold must be large enough to include the maximum number of possible congestive legitimate packet losses over a measurement interval. Thus, any compromised router can drop that many packets without being detected. Unfortunately, given the nature of the dominant TCP, even small numbers of losses can have significant impacts. Subtle attackers can selectively target the traffic flows of a single victim and within these flows only drop those packets that cause the most harm. For example, losing a TCP SYN packet used in connection establishment has a disproportionate impact on a host because the retransmission time-out must necessarily be very long (typically 3 seconds or more).

Traffic Modeling: Packet loss rates are predicted as a function of traffic parameters, and losses beyond the prediction are deemed malicious.

Traffic Measurement: Individual packet losses are predicted as a function of measured traffic load and router buffer capacity. Deviations from these predictions are deemed malicious.

System Model

Network Model

This model is an intentional simplification of real networks (e.g., it does not include broadcast channels or independently failing network interfaces) but is sufficiently general to encompass such details if necessary. Unlike our earlier work, we assume that the bandwidth, the delay of each link, and the queue limit for each interface are all known publicly. Within a network, we presume that packets are forwarded in a hop-by-hop fashion, based on a local forwarding table. These forwarding tables are updated via a distributed link-state routing protocol such as OSPF or IS-IS. This is critical, as we depend on the routing protocol to provide each node with a global view of the current network topology. Finally, it is assumed that there is the administrative ability to assign and distribute cryptographic keys to sets of nearby routers. This overall model is consistent with the typical construction of large enterprise IP networks or the internal structure of single ISP backbone networks, but is not well suited for networks that are composed of multiple administrative domains using BGP. At this level of abstraction, we can assume a synchronous network model.

Threat Model

A router can be traffic faulty by maliciously dropping packets and protocol faulty by not following the rules of the detection protocol.

PROTOCOL X

Protocol X detects traffic faulty routers by validating the queue of each output interface for each router. The failure detection protocol is presented in terms of the solutions to three distinct subproblems: traffic validation, distributed detection, and response.

Figure: Validating the queue of an output interface.

TRAFFIC VALIDATION

The first problem we address is traffic validation: what information is collected about traffic and how it is used to determine that a router has been compromised.

DISTRIBUTED DETECTION

Since the behavior of the queue is deterministic, the traffic validation mechanisms detect traffic faulty routers whenever the actual behavior of the queue deviates from the predicted behavior. A faulty router can also be protocol faulty: it can behave arbitrarily with respect to the protocol, by dropping or altering the control messages. The effect of protocol faulty routers is masked using distributed detection.

Response

If the packets are delivered to the destination, an acknowledgement is returned to the source through the routers; otherwise the packets are counted as losses.

Figure: Simple topology.

ANALYSIS OF PROTOCOL X

Accuracy and Completeness

The problem of detecting compromised routers is formulated as a failure detector with accuracy and completeness properties. There are two steps in showing the accuracy and completeness of X: i) showing that TV is correct; ii) showing that X is accurate and complete assuming that TV is correct.

Traffic Validation Correctness

Any failure to detect a malicious attack by TV results in a false negative, and any misdetection of legitimate behavior by TV results in a false positive. A larger concern is the simple way that a router is modeled in how it internally multiplexes packets. This model is used to compute time stamps. If the time stamps are incorrect, then TV could decide incorrectly. It is hypothesized that a sufficiently accurate timing model of a router is attainable, but this has yet to be shown to be the case. To check the buffer size: if the buffer has free space, the packets received from the source are forwarded to the destination; otherwise the packets are discarded. The synchronization requirement is not necessarily daunting; tight synchronization is only required by routers adjacent to the same router. With low-level time stamping of packets and repeated exchanges of time, it should be straightforward to synchronize the clocks sufficiently tightly.

Identify Malicious Router

If a router's buffer has free space and it receives the packets from the source, yet the packets are not delivered to the destination, then that router is the malicious router in the network.

Conclusion

To the best of our knowledge, this paper is the first serious attempt to distinguish between a router dropping packets maliciously and a router dropping packets due to congestion. Previous work has approached this issue using a static user-defined threshold, which is fundamentally limiting. Using the same framework as our earlier work (which is based on a static user-defined threshold), we developed a compromised router detection protocol X that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Subsequent packet losses can be attributed to malicious actions. Because of the nondeterminism introduced by imperfectly synchronized clocks and scheduling delays, the protocol uses user-defined significance levels, but these levels are independent of the properties of the traffic. Hence, protocol X does not suffer from the limitations of static thresholds. The effectiveness of protocol X is evaluated through an implementation and deployment in a small network. It is shown that even fine-grained attacks, such as stopping a host from opening a connection by discarding the SYN packet, can be detected.
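The traffic-measurement approach described above, as an added example that is not code from the paper: a drop-tail FIFO output queue is replayed with the publicly known link bandwidth and queue limit, losses the deterministic model predicts are treated as congestive, and any further losses are attributed to the router. The packets, link rate, queue limit and the use of a plain count in place of the paper's significance level are all constructed assumptions; the block also contrasts the result with the static-threshold heuristic, showing how the loss of a single SYN evades it.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    pid: int
    arrival: float  # seconds; time the packet reaches the output queue
    size: int       # bytes

def predict_congestive_drops(packets, link_bps, queue_limit):
    """Replay a drop-tail FIFO output queue with the known link bandwidth
    and queue limit, returning the ids that congestion alone would drop."""
    pending = []  # departure times of packets still queued or in service
    dropped = set()
    for p in sorted(packets, key=lambda p: p.arrival):
        pending = [t for t in pending if t > p.arrival]  # finished ones have left
        if len(pending) >= queue_limit:
            dropped.add(p.pid)  # buffer full: a legitimate congestive loss
            continue
        start = max(p.arrival, pending[-1]) if pending else p.arrival
        pending.append(start + p.size * 8 / link_bps)
    return dropped

def validate_queue(sent, received_ids, link_bps, queue_limit, tolerance=0):
    """Traffic validation: losses the queue model cannot explain are
    attributed to the router. `tolerance` stands in for the paper's
    significance level (assumed here to be a simple count)."""
    predicted = predict_congestive_drops(sent, link_bps, queue_limit)
    observed = {p.pid for p in sent} - set(received_ids)
    unexplained = observed - predicted
    return {"predicted": predicted, "observed": observed,
            "unexplained": unexplained, "faulty": len(unexplained) > tolerance}

def static_threshold(sent, received_ids, threshold):
    """The static-threshold heuristic the paper argues against."""
    return len({p.pid for p in sent} - set(received_ids)) > threshold

# Constructed sample: 8 Mbit/s link (a 1500-byte packet takes 1.5 ms),
# queue limit 3, a 6-packet burst, then two isolated packets (id 7 is a SYN).
LINK_BPS, QUEUE_LIMIT = 8_000_000, 3
SENT = [Packet(i, i * 0.0001, 1500) for i in range(6)] + [
    Packet(6, 0.010, 1500), Packet(7, 0.020, 60)]
ALL = {p.pid for p in SENT}
HONEST_RECEIVED = ALL - {3, 4, 5}        # only the burst overflow is lost
MALICIOUS_RECEIVED = ALL - {3, 4, 5, 7}  # the SYN is dropped as well

if __name__ == "__main__":
    for name, rx in (("honest", HONEST_RECEIVED), ("malicious", MALICIOUS_RECEIVED)):
        v = validate_queue(SENT, rx, LINK_BPS, QUEUE_LIMIT)
        print(name, "queue model flags:", v["faulty"],
              "| static threshold(5) flags:", static_threshold(SENT, rx, 5))
```

A threshold of 5 accommodates the 3-packet burst overflow and therefore also lets the fourth, targeted drop pass, while the queue replay reports exactly one unexplained loss.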