04-04-2010, 09:35 PM
Detecting Malicious Packet Losses
In this article, we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. We consider the attack in which a router selectively drops packets destined for some victim. Modern networks routinely drop packets when the load temporarily exceeds a router's buffering capacity. Previous methods rely on the premise that too many dropped packets imply malicious intent. Described here is a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur.
INFERRING CONGESTIVE LOSS:
There are three approaches to deciding whether the absence of a given packet should be seen as malicious or benign.
-Static threshold. Low rates of packet loss are assumed to be congestive, while rates above some predefined threshold are deemed malicious.
-Traffic modeling. Packet loss rates are predicted as a function of traffic parameters; losses beyond the prediction are deemed malicious.
-Traffic measurement. Individual packet losses are predicted as a function of measured traffic load and router buffer capacity. Deviations from these predictions are deemed malicious.
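The following is an added example, not code from the article or from the paper it summarizes. It contrasts the static-threshold and traffic-measurement approaches on a router modelled as a drop-tail FIFO queue: the link rate, buffer size, threshold and per-interval traffic counts are all constructed, and the queue replay is the assumed way of predicting congestive drops from measured load and buffer capacity.

```python
# Added example, not from the article or the paper it summarizes; all traffic
# figures are constructed. Router modelled as a drop-tail FIFO queue.

def predict_congestive_losses(arrivals, service_rate, buffer_size):
    """Replay per-interval arrival counts through a drop-tail queue that holds
    buffer_size packets and forwards service_rate packets per interval.
    Returns how many drops congestion alone would cause."""
    queued, dropped = 0, 0
    for a in arrivals:
        queued += a
        if queued > buffer_size:              # buffer overflow: tail drops
            dropped += queued - buffer_size
            queued = buffer_size
        queued -= min(queued, service_rate)   # packets forwarded this interval
    return dropped

def static_threshold_verdict(sent, received, max_loss_rate):
    """Static threshold: a loss rate above max_loss_rate is called malicious."""
    return "malicious" if (sent - received) / sent > max_loss_rate else "benign"

def traffic_measurement_verdict(arrivals, received, service_rate, buffer_size, slack=0):
    """Traffic measurement: losses beyond what the measured load and buffer
    capacity predict (plus slack for measurement error) are called malicious."""
    observed = sum(arrivals) - received
    predicted = predict_congestive_losses(arrivals, service_rate, buffer_size)
    return "malicious" if observed > predicted + slack else "benign"

SERVICE, BUFFER, THRESHOLD = 10, 20, 0.05   # constructed link rate, buffer, 5% threshold

def both_verdicts(arrivals, received):
    """(static-threshold verdict, traffic-measurement verdict) for one observation."""
    return (static_threshold_verdict(sum(arrivals), received, THRESHOLD),
            traffic_measurement_verdict(arrivals, received, SERVICE, BUFFER))

def run_scenarios():
    burst = [10, 10, 30, 30, 30, 0, 0, 0]   # 110 sent; overflow drops 50, queue drains
    quiet = [10] * 8                         # 80 sent; load never exceeds the link rate
    return {
        # honest router: the 50 losses are exactly the predicted congestive drops
        "congestion_only": both_verdicts(burst, 60),
        # compromised router hides 5 extra drops inside the congestion event
        "drops_during_congestion": both_verdicts(burst, 55),
        # compromised router drops 2 of 80 packets while the link is uncongested
        "drops_without_congestion": both_verdicts(quiet, 78),
    }

if __name__ == "__main__":
    for name, (static, measured) in run_scenarios().items():
        print(f"{name:26s} static={static:10s} traffic_measurement={measured}")
```

The first scenario shows the static threshold raising a false alarm on honest congestion, and the third shows it missing a low-rate malicious drop that the measurement-based prediction catches.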
SYSTEM MODEL
Network Model:
We consider a network to consist of individual homogeneous routers interconnected via directional point-to-point links. We assume that packets are forwarded in a hop-by-hop fashion, based on a local forwarding table within a network. This overall model is consistent with the typical construction of large enterprise IP networks or the internal structure of single ISP backbone networks.
Threat Model:
The focus here is on data plane attacks. A router can be traffic faulty by maliciously dropping packets, and protocol faulty by not following the rules of the detection protocol. Attackers can compromise one or more routers in a network.
For more details, refer to this PDF: