Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fault-Tolerant Forwarding in the Face of Malicious Routers Alper T. Mızrak, Keith Marzullo, Stefan Savage University of California, San Diego.

Published byPresley Kings Modified over 10 years ago

Similar presentations

Presentation on theme: "Fault-Tolerant Forwarding in the Face of Malicious Routers Alper T. Mızrak, Keith Marzullo, Stefan Savage University of California, San Diego."— Presentation transcript:

1 Fault-Tolerant Forwarding in the Face of Malicious Routers Alper T. Mızrak, Keith Marzullo, Stefan Savage University of California, San Diego

2 Alper T. Mızrak; University of California, San Diego2 Introduction Modern packet switched data networks. Data must be forwarded hop-by-hop from router to router towards destination. If a router is compromised, then  Control plane: E.g. announce false route updates  Data plane: E.g. alter, misroute, drop, reorder, delay or fabricate data packets. Threat model: Byzantine failures.

3 Alper T. Mızrak; University of California, San Diego3 Goal Fault tolerant forwarding in the face of malicious routers. Detect the existence of compromised routers in a network. Remove them from the routing fabric.

4 Alper T. Mızrak; University of California, San Diego4 Approach Given a routing protocol the decisions routers make are predictable. … so this problem is a candidate for anomaly-based intrusion detection A compromised router  can be identified by correct routers  when it deviates from exhibiting expected behavior.

5 Alper T. Mızrak; University of California, San Diego5 Overview System Model  Network Model  Threat Model Traffic validation  Traffic summary functions Distributed detection  Specification  An example protocol Response: Changing the routing fabric Conclusion

6 Alper T. Mızrak; University of California, San Diego6 Network Model Assumptions  The routing protocol provides each node with a global view of the topology: Distributed link-state routing protocol: OSPF or IS-IS.  Synchronous system: Link-state protocols operate by periodically  measuring network connectivity  disseminating information  Key distribution between pairs of nearby routers This overall model is consistent with the typical construction  Large enterprise IP networks  The internal structure of single ISP backbone networks

7 Alper T. Mızrak; University of California, San Diego7 Definitions  Path: a finite sequence of adjacent routers:  X-path segment: a sequence of x routers that is a subsequence of a path:,  A router is faulty if it introduces discrepancy into the traffic.

8 Alper T. Mızrak; University of California, San Diego8 Threat Model  bad(k): Impose an upper bound on the number of adjacent faulty routers in any path. bad(2): there can be no more than 2 adjacent faulty routers in any path.  The routers at the source and sink of a flow are not faulty with respect to that flow's path. st bad(2), s source, t sink.

9 Alper T. Mızrak; University of California, San Diego9 Traffic Validation Way to tell that traffic isn’t disrupted en route We represent TV mechanisms as a predicate TV ( , info r i , , info r j ,  ), where:   is a path segment whose traffic is to be validated between routers r i and r j both r i and r j are in  ;  info r ,  is some abstract description of the packets router r forwarded to be routed along  over some time interval .  If routers r i and r j are not faulty, then TV ( , info ri , , info rj ,  ) evaluates to FALSE iff  contains a router that was faulty in  during .

10 Alper T. Mızrak; University of California, San Diego10 Traffic Summary Information How to concisely represent info r ,  ? The most precise description of traffic  an exact copy of that traffic. Many characteristics of the traffic can be summarized far more concisely:  Conservation of flow: a counter  Conservation of content: a set of fingerprints  Conservation of content order: a list of fingerprints a b info a ,  : [f 1, f 2, f 3, f 4 ] info b ,  : [f 2, f 4, f 3 ]

11 Alper T. Mızrak; University of California, San Diego11 Traffic Validation Evaluation In an idealized network, TV might check info r i ,  = info r j ,  However, real networks occasionally  Lose packet due to congestion.  Reorder packets due to internal multiplexing.  Corrupt packets due to interface errors. TV must be sophisticated to accommodate this abnormal, but non-malicious behaviors. Implementing TV is a tricky engineering problem. a b info a ,  : [f 1, f 2, f 3, f 4 ] info b ,  : [f 2, f 4, f 3 ]

12 Alper T. Mızrak; University of California, San Diego12 Overview System Model  Network Model.  Threat Model. Traffic validation.  Traffic summary functions. Distributed detection.  Specification.  An example protocol. Response: Changing the routing fabric. Conclusion

13 Alper T. Mızrak; University of California, San Diego13 Specification A perfect failure detector (FD) would implement the following two properties:  Accuracy (tentative): An FD is Accurate if, whenever a correct router suspects (r,  ), then r was faulty during .  Completeness (tentative): An FD is Complete if, whenever a router r is faulty at some time t, then all correct routers eventually suspect (r,  ) for some  containing t.

14 Alper T. Mızrak; University of California, San Diego14 Inadequate Implement the FD via Traffic Validation:  By collecting traffic information from different points in the network. Consider Any other router than b and c  Can not distinguish between the case of b being faulty and of c being faulty.  Can only infer that at least one of b and c is faulty. sab d c 10 55 info ,  : ?

15 Alper T. Mızrak; University of California, San Diego15 Weaken the Specification Detect suspicious path segments, not individual routers. An FD returns a pair ( ,  ) where  is a path segment:  α -Accuracy: An FD is α -Accurate if, whenever a correct router suspects ( ,  ), then |  | ≤ α and some router r   was faulty in  during .  α -Completeness: An FD is α -Complete if, whenever a router r is faulty at some time t, then all correct routers eventually suspect ( ,  ) for some path segment  : |  | ≤ α such that  r was faulty in  at t, and  for some interval  containing t.

16 Alper T. Mızrak; University of California, San Diego16 An Example Protocol:  k+2 A router r has a set of path segments P r that it monitors.  P r contains all the path segments that have r at one end and whose length is at most k+2.  k is the maximum number of adjacent faulty routers along a path. for each path segment  in P r : while (true) { synchronize with router r' at other end of  ; collect info r ,  about  for an agreed-upon interval  ; exchange [info r ,  ] r and [info r’ ,  ] r’ with r’ through  ; if TV( , info r , , info r’ ,  ) = FALSE then suspect  ; reliable broadcast ( ,  ); }

17 Alper T. Mızrak; University of California, San Diego17 Properties of Protocol  k+2  k+2 is (k  2)-Accurate:  k+2 is (k  2)-Complete.  If r is faulty at some time t, then  a path segment  :  r  .  r introduce discrepancy into the traffic through  during  containing t.  Only  and  -the first and last routers of  - are correct.  3 ≤ |  | ≤ k  2.  and  monitor  and apply the  k+2 for  :  Compute TV ( , info  , , info  ,  ) to be false  Suspect , disseminate this information to the all other correct routers.

18 Alper T. Mızrak; University of California, San Diego18 Overhead of Protocol  k+2 This algorithm has reasonable overhead  For each forwarded packet compute a fingerprint.  Each router r must synchronize and authenticate with the other end of each  in P r.  The size of P r dominates the overhead. For Sprintlink network[Rocketfuel] of 315 routers and 972 links:  bad(1): a router monitors 35 path segments on average  bad(2): a router monitors 110 path segments on average  Dissemination of the suspected path segments can be integrated into the link state flooding mechanism.

19 Alper T. Mızrak; University of California, San Diego19 Response What happens as a result of a detection? Need some countermeasure protocol.  Inform the administrator.  Immediate action: Ideally would be part of the link state protocol. We have a version of Dijkstra's SPF that can exclude suspected x  path segments. ab c d is suspected

20 Alper T. Mızrak; University of California, San Diego20 Current Status We have implemented a prototype system, called Fatih. Runs in user-level on Linux cooperating with Zebra OSPF implementation. Gaining experience with traffic summary and validation mechanisms Still work-in-progress

21 Alper T. Mızrak; University of California, San Diego21 Conclusion Specified the problem formally. Explore the implementation  Traffic validation  Distributed detection  Countermeasure It might be feasible to protect networks from insider attacks of routers. There's a lot of design and engineering to do first.

22 Alper T. Mızrak; University of California, San Diego22 The end Thank you…

23 Alper T. Mızrak; University of California, San Diego23 Challenges Efficient, compact and accurate traffic summaries  What disruptions can be detected?  Sensitivity vs overhead? Sampling? Traffic validation predicates  Noise: how to distinguish normal packet loss, reordering, corruption from malicious activities. Requires secure control plane.

24 Alper T. Mızrak; University of California, San Diego24 WATCHERS WATCHERS protocol developed (and criticized) at University of California, Davis through 2000. Based on conservation of flow: Input to a system must either be absorbed at that system or passed along to another system.

25 Alper T. Mızrak; University of California, San Diego25 WATCHERS: Transit Packets xy T x,y S x,y D x,y For each router pair x and y, both routers maintain six counters for transit packets: T y,x D y,x S y,x xy

26 Alper T. Mızrak; University of California, San Diego26 WATCHERS: Conservation of Flow xy T x,y S x,y D x,y Conservation of flow can be expressed using these counters:

27 Alper T. Mızrak; University of California, San Diego27 WATCHERS: Assumptions System assumptions: Each router is a neighbor to at least one good router (good neighbor condition). Each pair of good routers has at least one path of only good routers connecting them (good path condition). A majority of the routers are good.

28 Alper T. Mızrak; University of California, San Diego28 WATCHERS: Algorithm Each router A and each neighbor N: 1. Compares counters of A and N.... if they don’t agree, then A diagnoses N is bad. 2. Check counters of N with those of each N ’s neighbor M.... if they don’t agree, then N and M will sort it out.

29 Alper T. Mızrak; University of California, San Diego29 WATCHERS: Algorithm (cont'd) 3. Check conservation of flow with each neighbor N using N ’s counters. I =   M: M  N : (S M, N + T M, N ) O =   M: M  N : (D M, N + T M, N ) If |I  O| > T for some threshold T then A diagnoses N as bad.

30 Alper T. Mızrak; University of California, San Diego30 WATCHERS: Consorting Routers By itself, this algorithm is not sufficient to detect consorting routers: A1234 B 3 and 4 increment D 3,4 rather than T 3,4 A sends to B 4 discards... so, changed algorithm so router maintains counters with each neighbor and destination (here, B).

31 Alper T. Mızrak; University of California, San Diego31 WATCHERS: Discussion Some observations: WATCHERS requires global synchronization for counter comparison. The good neighbor requirement is strong. Traffic validation is explicit. It took authors a few tries to get it right. There gave no real specification of the problem.

Download ppt "Fault-Tolerant Forwarding in the Face of Malicious Routers Alper T. Mızrak, Keith Marzullo, Stefan Savage University of California, San Diego."

Similar presentations

Data-Plane Accountability with In-Band Path Diagnosis Murtaza Motiwala, Nick Feamster Georgia Tech Andy Bavier Princeton University.

Data-Plane Accountability with In-Band Path Diagnosis Murtaza Motiwala, Nick Feamster Georgia Tech Andy Bavier Princeton University.
Detecting Malicious Routers Alper T. Mızrak, Keith Marzullo, Stefan Savage University of California, San Diego.

Detecting Malicious Routers Alper T. Mızrak, Keith Marzullo, Stefan Savage University of California, San Diego.
1 Routing Protocols I. 2 Routing Recall: There are two parts to routing IP packets: 1. How to pass a packet from an input interface to the output interface.

1 Routing Protocols I. 2 Routing Recall: There are two parts to routing IP packets: 1. How to pass a packet from an input interface to the output interface.
University of California, San Diego Fatih : Detecting and Isolating Malicious Routers Alper T Mizrak, Yu-Chung Cheng, Prof. Keith Marzullo, Prof. Stefan.

University of California, San Diego Fatih : Detecting and Isolating Malicious Routers Alper T Mizrak, Yu-Chung Cheng, Prof. Keith Marzullo, Prof. Stefan.
Ch. 12 Routing in Switched Networks. 12.1 Routing in Packet Switched Networks Routing Algorithm Requirements –Correctness –Simplicity –Robustness--the.

Ch. 12 Routing in Switched Networks Routing in Packet Switched Networks Routing Algorithm Requirements –Correctness –Simplicity –Robustness--the.
BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.

BY MICHAEL SUDKOVITCH AND DAVID ROITMAN UNDER THE GUIDANCE OF DR. GABI NAKIBLY OSPF Security project: Summary.
Byzantine Generals Problem: Solution using signed messages.

Byzantine Generals Problem: Solution using signed messages.
Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)

Mobile and Wireless Computing Institute for Computer Science, University of Freiburg Western Australian Interactive Virtual Environments Centre (IVEC)
1 LINK STATE PROTOCOLS (contents) Disadvantages of the distance vector protocols Link state protocols Why is a link state protocol better?

1 LINK STATE PROTOCOLS (contents) Disadvantages of the distance vector protocols Link state protocols Why is a link state protocol better?
Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.

Distributed systems Module 2 -Distributed algorithms Teaching unit 1 – Basic techniques Ernesto Damiani University of Bozen Lesson 3 – Distributed Systems.
Traffic Engineering With Traditional IP Routing Protocols

Traffic Engineering With Traditional IP Routing Protocols
Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.

Multiple constraints QoS Routing Given: - a (real time) connection request with specified QoS requirements (e.g., Bdw, Delay, Jitter, packet loss, path.
1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.

1 ITC242 – Introduction to Data Communications Week 12 Topic 18 Chapter 19 Network Management.
CCNA 2 v3.1 Module 6.

CCNA 2 v3.1 Module 6.
1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.

1 Relates to Lab 4. This module covers link state routing and the Open Shortest Path First (OSPF) routing protocol. Dynamic Routing Protocols II OSPF.
A General approach to MPLS Path Protection using Segments Ashish Gupta Ashish Gupta.

A General approach to MPLS Path Protection using Segments Ashish Gupta Ashish Gupta.
Chapter 10 Introduction to Wide Area Networks Data Communications and Computer Networks: A Business User’s Approach.

Chapter 10 Introduction to Wide Area Networks Data Communications and Computer Networks: A Business User’s Approach.
Link-State Routing Reading: Sections 4.2 and 4.3.4 COS 461: Computer Networks Spring 2011 Mike Freedman

Link-State Routing Reading: Sections 4.2 and COS 461: Computer Networks Spring 2011 Mike Freedman
User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.

User-level Internet Path Diagnosis R. Mahajan, N. Spring, D. Wetherall and T. Anderson.
Routing and Routing Protocols

Routing and Routing Protocols

Similar presentations

Ads by Google