Detecting malicious routers

2007


Abstract (summary)

The Internet is not a safe place. Unsecured hosts can expect to be compromised within minutes of connecting to the Internet, and even well-protected hosts may be crippled by denial-of-service attacks. However, while such threats to host systems are widely understood, it is less well appreciated that the network infrastructure itself is under constant attack as well. Indeed, through combinations of social engineering and exploitation of weak passwords, attackers have seized control of thousands of Internet routers. Once a router has been compromised in this fashion, an attacker may interpose on the traffic stream and manipulate it maliciously to attack others—selectively dropping, modifying, or re-routing packets.

First, we specify this problem of detecting routers with incorrect packet forwarding behavior and we explore the design space of protocols that implement such a detector. We further present two concrete protocols that differ in accuracy, completeness, and overhead—one of which is likely inexpensive enough for practical implementation at scale. We present a prototype system that implements this approach on a PC router and describe our experiences with it. We believe our work is an important step in being able to tolerate attacks on key network infrastructure components.

Unfortunately, it is quite challenging to attribute a missing packet to a malicious action, because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds a router's buffering capacity. Previous detection protocols have tried to address this problem with a user-defined threshold. Recently, we have designed, developed, and implemented a new compromised-router detection protocol that dynamically infers, from measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity due to congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested this protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior. We believe this protocol is the first to predict congestion automatically and systematically, and that such prediction is necessary for making any network fault detection of this kind practical.
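To make the idea in the abstract concrete, the following added example (written for this page; it is not the dissertation's protocol or code) models a single router output link as a fluid queue. From the offered load, link capacity, and buffer size it predicts how many packets the router is forced to drop in each measurement interval, and only the shortfall between the predicted forwarded count and what the downstream neighbour actually observed is counted as unexplained loss. The capacity, buffer size, interval counts, and tolerance are all constructed sample values, and the model is a deliberate simplification (one FIFO queue, packet counts instead of bytes, no per-flow state).

```python
"""
Simplified congestion-aware loss attribution (constructed illustration).

The router is modelled as one output link that can forward at most
CAPACITY packets per interval and can hold at most BUFFER packets between
intervals.  Anything that cannot be served or queued must be dropped;
that is the predicted congestive loss.  Packets that should have been
forwarded but were not seen downstream are the unexplained loss.
"""
from dataclasses import dataclass


@dataclass
class Interval:
    arrivals: int            # packets offered to the output link
    observed_forwarded: int  # packets the downstream neighbour actually saw


def predicted_congestive_loss(arrivals, capacity, buffer, backlog):
    """Fluid-model estimate of forced drops in one interval.

    Returns (forwarded, drops, new_backlog) assuming the queue serves
    up to `capacity` packets, then keeps at most `buffer` packets for
    the next interval and drops the rest.
    """
    total = backlog + arrivals
    forwarded = min(total, capacity)
    remaining = total - forwarded
    drops = max(0, remaining - buffer)
    new_backlog = remaining - drops
    return forwarded, drops, new_backlog


def attribute_losses(intervals, capacity, buffer, tolerance=0):
    """Per-interval report separating congestive from unexplained loss.

    `tolerance` absorbs small measurement error (e.g. packets in flight
    at the interval boundary); a shortfall larger than it is flagged.
    """
    backlog = 0
    report = []
    for iv in intervals:
        expected, drops, backlog = predicted_congestive_loss(
            iv.arrivals, capacity, buffer, backlog)
        unexplained = max(0, expected - iv.observed_forwarded)
        report.append({
            "arrivals": iv.arrivals,
            "predicted_drops": drops,
            "expected_forwarded": expected,
            "observed_forwarded": iv.observed_forwarded,
            "unexplained": unexplained,
            "suspicious": unexplained > tolerance,
        })
    return report


# Constructed sample: link serves 100 packets/interval, buffer of 20.
CAPACITY = 100
BUFFER = 20
SAMPLE = [
    Interval(arrivals=80, observed_forwarded=80),    # light load, no loss
    Interval(arrivals=150, observed_forwarded=100),  # overload: 30 forced drops
    Interval(arrivals=90, observed_forwarded=100),   # backlog drains, no loss
    Interval(arrivals=60, observed_forwarded=55),    # 15 missing with no congestion
    Interval(arrivals=150, observed_forwarded=70),   # extra drops hidden under overload
]


def run_example():
    return attribute_losses(SAMPLE, CAPACITY, BUFFER, tolerance=2)


if __name__ == "__main__":
    for i, r in enumerate(run_example(), 1):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"interval {i}: congestive={r['predicted_drops']:3d} "
              f"unexplained={r['unexplained']:3d} {flag}")
```

Intervals 2 and 5 carry the same offered load, but only interval 5 is flagged: the 30 drops the model predicts are subtracted first, so a router discarding extra packets under cover of congestion still shows a shortfall. A threshold-only detector would either flag both intervals or neither.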

Indexing (details)

Computer science
0984: Computer science
Identifier / keyword: Applied sciences; Computer security; Distributed systems; Intrusion detection; Malicious routers; Reliability and security
Detecting malicious routers
Mizrak, Alper Tugay
Number of pages
Publication year
Degree date
School code
DAI-B 68/07, Dissertation Abstracts International
Place of publication: Ann Arbor
Country of publication: United States
Marzullo, Keith; Savage, Stefan
Committee member: Cruz, Rene L.; Rao, Ramesh R.; Voelker, Geoffrey M.
University of California, San Diego
Computer Science and Engineering
University location: United States -- California
Source type: Dissertations & Theses
Document type
Dissertation/thesis number
ProQuest document ID
Document URL