The Internet is not a safe place. Unsecured hosts can expect to be compromised within minutes of connecting to the Internet and even well-protected hosts may be crippled with denial-of-service attacks. However, while such threats to host systems are widely understood, it is less well appreciated that the network infrastructure itself is subject to constant attack as well. Indeed, through combinations of social engineering and exploitation of weak passwords, attackers have seized control over of thousands of Internet routers. Once a router has been compromised in such a fashion, an attacker may interpose on the traffic stream and manipulate it maliciously to attack others -- selectively dropping, modifying, or re- routing packets. First, we specify this problem of detecting routers with incorrect packet forwarding behavior and we explore the design space of protocols that implement such a detector. We further present two concrete protocols that differ in accuracy, completeness, and overhead -- one of which is likely inexpensive enough for practical implementation at scale. We present a prototype system that implements this approach on a PC router and describe our experiences with it. We believe our work is an important step in being able to tolerate attacks on key network infrastructure components. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds a router's buffering capacity. Previous detection protocols have tried to address this problem using a user-defined threshold. Recently, we have designed, developed and implemented a new compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested this protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior. We believe this protocol is the first to automatically predict congestion in a systematic manner and is necessary for making any such network fault detection practical

Network routers occupy a unique role in modern distributed systems. They are responsible for cooperatively shuttling packets amongst themselves in order to provide the illusion of a network with universal point-to-point connectivity. However, this illusion is shattered -- as are implicit assumptions of availability, confidentiality or integrity -- when network routers act in a malicious fashion. By manipulating, diverting or dropping packets arriving at a compromised router, an attacker can trivially mount denial-of-service, surveillance or man-in-the-middle attacks on end host systems. Consequently, Internet routers have become a choice target for would-be attackers and thousands have been subverted to these ends. In this paper, we specify this problem of detecting routers with incorrect packet forwarding behavior and we explore the design space of protocols that implement such a detector. We further present two concrete protocols that differ in accuracy, completeness, and overhead -- one of which is likely inexpensive enough for practical implementation at scale. We believe our work is an important step in being able to tolerate attacks on key network infrastructure components.

Pre-2018 CSE ID: CS2004-0789

While it is widely understood that criminal miscreants are subverting large numbers of Internet-connected computers (e.g., for bots, spyware, SPAM forwarding, etc.) it is less well appreciated that Internet routers are also being actively targeted and compromised. Indeed, due their central role in end-to-end communication, a compromised router can be leveraged to empower a wide range of direct attacks including eavesdropping, man-in-the-middle subterfuge and denial-of-service. In response, a range of specialized anomaly detection protocols has been proposed to detect misbehaving packet forwarding between routers. This paper provides a general framework for understanding the design space of this work and reviews the capabilities of various detection protocols.

Pre-2018 CSE ID: CS2007-0899

In this paper we consider the problem of detecting whether a compromised router is maliciously manipulating its stream of packets. In particular, we are concerned with a simple yet effective attack in which a router selectively drops packets destined for some victim. Unfortunately, it is quite challenging to attribute a missing packet to a malicious action because normal network congestion can produce the same effect. Modern networks routinely drop packets when the load temporarily exceeds a router's buffering capacity. Previous detection protocols have tried to address this problem using a user-defined threshold: too many dropped packets implies malicious intent. However this heuristic is fundamentally unsound; setting this threshold is, at best, an art and will necessarily create unnecessary false positives or mask highly-focused attacks. We have designed, developed and implemented a compromised router detection protocol that dynamically infers, based on measured traffic rates and buffer sizes, the number of congestive packet losses that will occur. Once the ambiguity from congestion is removed, subsequent packet losses can be attributed to malicious actions. We have tested our protocol in Emulab and have studied its effectiveness in differentiating attacks from legitimate network behavior.

Pre-2018 CSE ID: CS2007-0889