Issue No. 02 - February 2009 (vol. 20), pp. 191-206
Alper T. Mızrak , VMware, Palo Alto
Stefan Savage , University of California - San Diego, La Jolla
Keith Marzullo , University of California - San Diego, La Jolla
ABSTRACT
In this paper, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds their buffering capacities. Previous detection protocols have tried to address this problem with a user-defined threshold: too many dropped packets imply malicious intent. However, this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will certainly create unnecessary false positives or mask highly focused attacks. We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior.
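The abstract's central point is that a fixed drop threshold cannot separate congestion from malice, while a prediction of congestive loss derived from measured arrivals, link rate and buffer size can. The following is an added illustration, not code from the paper or its authors: it uses an assumed fluid drop-tail queue model (offered load per interval minus link capacity, with the excess beyond the buffer counted as congestive drops), hypothetical parameters (capacity 100 packets per interval, buffer 20 packets, static threshold 10) and two constructed traffic traces. The paper's own inference procedure is more detailed than this model; the example only reproduces the qualitative contrast the abstract describes.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LinkModel:
    """Assumed output-port parameters (hypothetical; not from the paper)."""
    capacity: int   # packets the outgoing link can forward per measurement interval
    buffer: int     # packets the output queue can hold


def predict_congestive_loss(model: LinkModel, arrivals: List[int],
                            backlog: int = 0) -> Tuple[List[int], int]:
    """Fluid drop-tail approximation of congestive loss (assumed model).

    Per interval, the carried-over backlog plus new arrivals compete for
    `capacity` transmissions; what cannot be sent stays queued, and anything
    beyond the buffer is dropped by congestion.  Returns the predicted drops
    per interval and the queue occupancy carried into the next interval.
    """
    if model.capacity < 0 or model.buffer < 0 or backlog < 0:
        raise ValueError("model parameters and backlog must be non-negative")
    predicted = []
    queue = backlog
    for arrived in arrivals:
        if arrived < 0:
            raise ValueError("arrival counts must be non-negative")
        offered = queue + arrived
        sent = min(offered, model.capacity)
        leftover = offered - sent
        dropped = max(0, leftover - model.buffer)
        queue = leftover - dropped
        predicted.append(dropped)
    return predicted, queue


def classify_losses(model: LinkModel, arrivals: List[int],
                    observed_drops: List[int], slack: int = 0) -> List[str]:
    """Congestion-aware verdict per interval.

    `observed_drops` is what conservation of flow across the router reports
    (packets seen entering minus packets seen leaving).  Drops in excess of
    the predicted congestive loss plus `slack` (measurement tolerance) are
    labelled malicious; anything at or below it is explainable by congestion.
    """
    if len(arrivals) != len(observed_drops):
        raise ValueError("arrivals and observed_drops must align per interval")
    predicted, _ = predict_congestive_loss(model, arrivals)
    return ["malicious" if obs > pred + slack else "congestion"
            for obs, pred in zip(observed_drops, predicted)]


def classify_static(observed_drops: List[int], threshold: int) -> List[str]:
    """The fixed-threshold heuristic the abstract argues is unsound."""
    return ["malicious" if obs > threshold else "congestion"
            for obs in observed_drops]


def demo() -> dict:
    """Two constructed traces (not measurements from the paper).

    'burst': an honest router whose queue overflows during one interval.
    'steady': a compromised router on an uncongested link quietly dropping
    five packets per interval addressed to one victim.
    """
    link = LinkModel(capacity=100, buffer=20)
    threshold = 10
    burst_arrivals = [80, 150, 90, 50]
    burst_observed = [0, 30, 0, 0]        # exactly the congestive loss
    steady_arrivals = [80, 80, 80, 80]
    steady_observed = [5, 5, 5, 5]        # no congestion predicted at all
    return {
        "burst": (classify_losses(link, burst_arrivals, burst_observed),
                  classify_static(burst_observed, threshold)),
        "steady": (classify_losses(link, steady_arrivals, steady_observed),
                   classify_static(steady_observed, threshold)),
    }


if __name__ == "__main__":
    for name, (dynamic, static) in demo().items():
        print(f"{name:7s} congestion-aware: {dynamic}")
        print(f"{name:7s} static threshold: {static}")
```

In the burst trace the static threshold raises a false positive on the overflow interval, while the model-based check explains all 30 drops as congestion; in the steady trace the static threshold never fires, while every interval exceeds a predicted congestive loss of zero and is flagged. Two caveats follow from the construction: the verdict is only as good as the ingress and egress counts it is fed, which must come from neighbours the compromised router cannot forge, and drops up to the predicted congestive amount remain ambiguous, so the guarantee is on losses beyond that prediction, which is the sense in which the abstract speaks of removing the ambiguity from congestion.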
INDEX TERMS
Internet dependability, intrusion detection and tolerance, distributed systems, reliable networks, malicious routers.
CITATION
Alper T. Mızrak, Stefan Savage, Keith Marzullo, "Detecting Malicious Packet Losses", IEEE Transactions on Parallel & Distributed Systems, vol.20, no. 2, pp. 191-206, February 2009, doi:10.1109/TPDS.2008.70