01-07-2010, 04:07 PM
Abstract:
The Internet is not a safe place. Unsecured hosts can expect to be compromised within minutes of connecting to the Internet and even well-protected hosts may be crippled with denial-of-service (DoS) attacks. However, while such threats to host systems are widely understood, it is less well appreciated that the network infrastructure itself is subject to constant attack as well. Indeed, through combinations of social engineering and weak passwords, attackers have seized control over thousands of Internet routers. Even more troubling is Mike Lynnâ„¢s controversial presentation at the 2005 Black Hat Briefings, which demonstrated how Cisco routers can be compromised via simple software vulnerabilities. Once a router has been compromised in such a fashion, an attacker may interpose on the traffic stream and manipulate it maliciously to attack others selectively dropping, modifying, or rerouting packets.
Several researchers have developed distributed protocols to detect such traffic manipulations, typically by validating that traffic transmitted by one router is received unmodified by another. However, all of these
Schemes including our own struggle in interpreting the absence of traffic. While a packet that has been modified in transit represents clear evidence of tampering, a missing packet is inherently ambiguous: it may have been explicitly blocked by a compromised router or it may have been dropped benignly due to network congestion. In fact, modern routers routinely drop packets due to bursts in traffic that exceed their buffering capacities, and the widely used Transmission Control Protocol (TCP) is designed to cause such losses as part of its normal congestion control behavior. Thus, existing traffic validation systems must inevitably produce false positives for benign events and/or produce false negatives by failing to report real malicious packet dropping.
Existing System:
Network routers occupy a unique role in modern distributed systems. They are responsible for cooperatively shuttling packets amongst themselves in order to provide the illusion of a network with universal point-to-point connectivity. However, this illusion is shattered - as are implicit assumptions of availability, confidentiality, or integrity - when network routers are subverted to act in a malicious fashion. By manipulating, diverting, or dropping packets arriving at a compromised router, an attacker can trivially mount denial-of-service, surveillance, or man-in-the-middle attacks on end host systems. Consequently, Internet routers have become a choice target for would-be attackers and thousands have been subverted to these ends. In this paper, we specify this problem of detecting routers with incorrect packet forwarding behavior and we explore the design space of protocols that implement such a detector. We further present a concrete protocol that is likely inexpensive enough for practical implementation at scale. Finally, we present a prototype system, called Fatih, that implements this approach on a PC router and describe our experiences with it. We show that Fatih is able to detect and isolate a range of malicious router actions with acceptable overhead and complexity. We believe our work is an important step in being able to tolerate attacks on key network infrastructure components
Proposed System:
We have designed, developed, and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur.
Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior.
IMPLEMENTATION
Implementation is the stage of the project when the theoretical design is turned out into a working system. Thus it can be considered to be the most critical stage in achieving a successful new system and in giving the user, confidence that the new system will work and be effective.
The implementation stage involves careful planning, investigation of the existing system and itâ„¢s constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods.
Modules:
1. Network Module
2. Threat Model
3. Traffic Validation
4. Random Early Detection(RED)
5. Distributed Detection
Module Description:
1. Network Module
Client-server computing or networking is a distributed application architecture that partitions tasks or workloads between service providers (servers) and service requesters, called clients. Often clients and servers operate over a computer network on separate hardware. A server machine is a high-performance host that is running one or more server programs which share its resources with clients. A client also shares any of its resources; Clients therefore initiate communication sessions with servers which await (listen to) incoming requests.
2.Threat Model:This focuses solely on data plane attacks (control plane attacks can be addressed by other protocols with appropriate threat models, and moreover, for simplicity, we examine only attacks that involve packet dropping.
However, our approach is easily extended to address other attacks such as packet modification or reordering similar to our previous work. Finally, as in, the protocol we develop validates traffic whose source and sink routers are uncompromised. A router can be traffic faulty by maliciously dropping packets and protocol faulty by not following the rules of the detection protocol. We say that a compromised router r is traffic faulty with respect to a path segment during if contains r and, during the period of time, r maliciously drops or misroutes packets that flow through. A router can drop packets without being faulty, as long as the packets are dropped because the corresponding output interface is congested. A compromised router r can also behave in an arbitrarily malicious way in terms of executing the protocol we present, in which case we indicate r as protocol faulty. A protocol faulty router can send control messages with arbitrarily faulty information, or it can simply not send some or all of them. A faulty router is one that is traffic faulty, protocol faulty, or both.
3.Traffic Validation
The first problem we address is traffic validation what information is collected about traffic and how Consider the queue Q in a router r associated with the output interface of link. The neighbor routers feed data into Q.
The traffic information collected by router r that traversed path segment over time interval, meaning traffic into Q, or Q out, meaning traffic out of Q. At an abstract level, we represent traffic, a validation mechanism associated with Q, as a predicate it is used to determine that a router has been compromised.
4.Random Early Detection(RED)
RED monitors the average queue size, based on an exponential weighted moving average: where is the actual queue size and w is the weight for a
Low- pass filter. RED uses three more parameters: min, minimum threshold; Max, maximum threshold; and maximum probability.
Using, RED dynamically computes a dropping probability in two steps for each packet it receives. First, it computes an interim probability further; the RED algorithm tracks the number of packets, since the last dropped packet. The final dropping probability, p, is specified to increase slowly as increases
5.Distributed Detection
Since the behavior of the queue is deterministic, the traffic validation mechanisms detect traffic faulty routers whenever the actual behavior of the queue deviates from the predicted behavior. However, a faulty router can also be protocol faulty. It can behave arbitrarily with respect to the protocol,
by dropping or altering the control messages .We mask the effect of protocol faulty routers using distributed detection.
Given TV, we need to distribute the necessary traffic information among the routers and implement a distributed detection protocol. Every outbound interface queue Q in the network is monitored by the neighboring routers and validated by a router rd such that Q is associated with the link.
Hardware Requirements:
¢ System : Pentium IV 2.4 GHz.
¢ Hard Disk : 40 GB.
¢ Floppy Drive : 1.44 Mb.
¢ Monitor : 15 VGA Colour.
¢ Mouse : Logitech.
¢ Ram : 256 Mb.
Software Requirements:
¢ Operating system : - Windows XP Professional.
¢ Coding Language : - JavaTool Used : - Eclipse.
read full report
http://sysnet.ucsd.edu/~amizrak/papers/d...tation.pdf
