
A Scalable Method for Router Attack Detection and Location in Link State Routing

Anirban Chakrabarti and G. Manimaran
Dependable Computing & Networking Laboratory
Dept. of Electrical and Computer Engineering
Iowa State University, Ames, IA 50011.
fanirban,[email protected]

Abstract— The Internet infrastructure security has been gaining importance in recent years due to growing concerns for cyber-warfare. Network threats can be categorized as: routing table “poisoning,” packet “mistreating,” and denial-of-service attacks. Among these, the routing table poisoning attack is the most devastating and least researched topic which needs immediate research attention. In this paper, we develop a scalable method for detecting router attacks and locating the malicious routers (within a small bounded set of nodes) in link state routing protocols. We carry out analytical and simulation studies to evaluate the proposed secure link state protocol (SLIP) for two performance metrics, viz. attack detection probability and fault detection time, under different network and attack scenarios. Our studies show that the SLIP offers a very high attack detection capability with a little degradation in fault detection time compared to the link state protocol.

I. INTRODUCTION

The Internet has been witnessing enormous growth over the last several years. As indicated in [1], the Internet has grown from a decent 16 million computers in January 1997 to an enormous 100 million in December 2000, reflecting a growth of 60% per year. Until now, the main research focus has been on improving the performance and scalability of the Internet. Although the performance and scalability have their place in Internet research, the criticality of the Internet has forced the research community to look at the dependability aspects of the Internet. The Internet, like any other product, is prone to failures and researchers have started to realize the importance of dependable communication for all Internet users. In the Internet, failures can arise because of device failures (e.g., link and node failures) or because of the presence of malicious users or “hackers”. The importance of securing the Internet has grown rapidly due to a series of attacks that shut down some of the world’s most high profile Web sites, including Amazon and Yahoo [2]. Several such attacks have also been reported in CERT advisories [3]. These attacks, coupled with the growing fear of cyber-terrorism, have made researchers think of possible ways of compromising the Internet, and means and methods to protect users from the adversaries.

Figure 1 lists out the different types of Internet attacks possible. Internet attacks can be classified into three main types:
• Routing Table “Poisoning” Attacks: Before the actual packet transmission, routing tables need to be built and maintained based on which packets are routed. This is one of the most fundamental functionalities of the Internet and creation of wrong routing tables may lead to total collapse of the Internet.
• Packet “Mistreating” Attacks: These attacks refer to the attacks during the actual transmission of packets. These attacks are limited to a certain number of packets, and are generally less dangerous than the poisoning attacks.
• Denial-of-Service Attacks: These attacks refer to the attacks after the packets reach the specified destination. These attacks are extremely dangerous and very easy to produce.

Fig. 1. Types of Attacks on Internet

A. Routing Table “Poisoning”

Routing is one of the most important functions of the Internet. “Poisoning” of routing tables thus forms one of the most potent attacks possible on the Internet [4]. All other attacks (“mistreating” packets and denial-of-service attacks in Figure 1) either affect a group of packets or a group of hosts. Routing table “poisoning”, on the other hand, is capable of affecting the whole of the Internet, causing more devastation than any other attack. Several of the potential effects of the routing table “poisoning” are given below:
• Sub-optimal routing: With the emergence of the Internet as a means of “soft” real-time applications, “optimality” in routing assumes significant importance [5]. Routing table “poisoning” attacks can result in sub-optimal routing which affects the real-time applications over the Internet.
• Congestion: Routing table “poisoning” can lead to artificial congestion if packets are forwarded to only certain portions of the network. Artificial congestion, thus created, is not solved using the traditional congestion control mechanism.
• Partition: Wrong entries in the routing table may result in the creation of artificial partitions in the network. This becomes a significant problem as hosts residing in one partition will be unable to communicate with hosts residing in the other partition.
• Overwhelmed host: Routing table “poisoning” may be used as a weapon for Denial-of-Service attacks. If a router sends updates which result in concentration of packets to one or a few selected servers, the servers can be taken out of service because of the huge amount of traffic. This type of DOS attack is more potent as the attacker is not “spoofing” identity, and is thus impossible to detect by the detection techniques mentioned in [6], [7].
• Looping: We mentioned earlier the possible “triangle routing” threat in case of packet “mistreating” attack. The same type of attack can be simulated through improper updating of the routing table.
• Access to data: Adversaries may gain illegal access to data through the “poisoning” of routing table attack. This may lead to adversaries “snooping” packets, which were not supposed to pass through that part of the network.

As mentioned in Figure 1, routing table poisoning can be broadly categorized into (a) link attacks and (b) router attacks. Link attacks are similar in case of both link state and distance vector protocols, while router attacks vary based on the routing protocols.

Link Attacks: Link attacks are said to occur when the adversary gets access to a link. Thus, the adversary can intercept, interrupt, and/or modify the routing messages. Current routing protocols employ techniques to prevent these types of attacks. Extra information in the routing updates in the form of digital signatures and sequence numbers is generally used to detect this type of attack.

Router Attacks: In this type of attack, the routers are malicious in nature. Since the routers are responsible for creating digital signatures, traditional techniques of putting extra information in the packets will not work in this case. Several techniques have been proposed for different routing algorithms. We will discuss them in the next section.

II. MOTIVATION AND OBJECTIVES

We focus our research attention on the routing table “poisoning” threat. It is a challenging problem, because security was not enforced into the routing protocols from the start. Such a problem is important because the routing table forms the basis of the Internet and any corruption of the routing table may lead to dangerous consequences.

A. Motivation

Over the years, routing protocols have evolved along two directions: link state and distance vector. In link state routing protocol, each node sends the link status of all its neighbors to all the nodes in the network. Any node, on receiving the link state update, computes the full topology information and the routing table is constructed based on the updated topology. In distance vector routing, each node computes a distance vector based on the distance vector information received from its neighbors. OSPF [8] and IS-IS [9] are examples of link state routing protocols, while RIP [10] and BGP [11] are examples of distance vector protocols. Link state protocols are also more robust than the distance vector protocols [12]. This is because each router computes the routes independently, and does not depend on the computation done in the other routers in the network. In spite of the advantages, link state routing protocols suffer from routing table poisoning threats. In case of link state routing protocols, a router either proactively sends malicious updates or remains inactive when the link state of the malicious router has changed.

A.1 Related Work

Router attacks in both distance vector and link state protocols have been studied in recent years. For distance vector protocol, based on a simple fault model, Garcia et al. [13] proposed a checking algorithm for detecting inconsistent attacks. The solutions proposed for detecting router attacks in link state protocols can be broadly classified into three categories: (i) Routing Information Techniques, (ii) Intrusion Detection Techniques and (iii) Routing Protocol Techniques.
• Routing Information Techniques: In this type of techniques [14], [15] digital signatures are used to detect the presence of malicious intermediate routers. Several schemes have been proposed which aim at reducing the overhead in link state routing protocols [15], [16]. However, these schemes are unable to detect attacks if the source of the LSA is malicious in nature.
• Intrusion Detection Techniques: These techniques [17], [18], [19], [20] are used to detect the anomalous behavior in the routers, assuming that intrusion detection devices are available in the network.
• Routing Protocol Techniques: In this type of techniques, detection capability is built into the routing protocol itself. In Cisco White Papers [21], several techniques have been mentioned to detect bad/malicious packets. However, though the techniques are able to prevent looping, the problem of malicious LSA source (mentioned before) cannot be solved using those techniques. In [22], the authors applied the concept of system level diagnosis [23] to detect malicious routers. The overhead of such a scheme is very high and is not scalable. Related techniques such as checking the Maxage variable in OSPF (a link state protocol) are discussed in [8], [14].


In this paper, we develop a scalable method (called SLIP) for detecting router attacks in link state protocols, which fall under the third category mentioned above. The primary capability of this protocol is to detect malicious LSA sources, which is not possible in [8], [14], [21]. In addition, the protocol has the capability to locate the malicious source within a small bounded set of nodes.

Fig. 2. An example of a Proactive Attack (figure label: Fictitious Link)

In Figure 2, an example is shown where a router ( in the figure) uses proactive attack technique to launch a DoS attack on another router (node in the figure). In the figure, node is the malicious router and node is the victim. Node sends a LSA to all the nodes in the network that there is a link of cost between node and node . Therefore, to all nodes in the network the shortest path to node is via node . Therefore, all nodes send messages towards node which may result in a DoS attack.


III. SECURE LINK STATE PROTOCOL (SLIP)

In this paper, we propose a secure link state protocol (SLIP) which is immune to most malicious router attacks (refer Figure 1) under no-collusion scenario. Before actually describing the protocol, we mention the assumptions and fault model used for the protocol.

A. Fault Model and Assumptions

Our research focuses on securing link state protocol, based on the following assumptions:
• We model the network as an undirected N = (V, E), where V is the set of all vertices or nodes (may be malicious) in the network and E is the set of all edges or links in the network.
• Both the nodes supporting an edge can identify the change in the link status. It is to be noted that under this assumption inactive attacks are not possible. Therefore, in this paper we concentrate on proactive router attacks.
• The malicious nodes are subject to Byzantine [24] as well as fail-stop type of faults.
• Each malicious node in the network is surrounded by non-malicious nodes.
• There can be multiple malicious nodes in the network, but they are independent, i.e., we assume that there is no malicious collusion in the network.
• Whenever a node identifies that the link status of one of the links incident on it has changed, it sends a Link State Advertisement (LSA) to all the nodes in the network.

The fault model described above models an undirected link state network capable of handling collusion-free “link” and “router” attacks. Though the fault model by no means captures all the attack scenarios, it gives us a handle to a very difficult problem. Our future work involves analyzing the current assumptions in terms of real-life attack scenario, and relaxing the assumptions made here to suit the real-world needs. Our claim is that, under the proposed fault model the protocol can detect all possible “poisoning” attacks (Lemma 1). This may not be an ideal situation as a group of hackers may be able to infiltrate a network. We show using theoretical average case analysis, and simulations that, the protocol is able to detect malicious updates for more than 80% of cases, if the number of malicious hackers is small (4).

B. Description of SLIP

The proposed solution should encompass all the link state threats (adding link, deleting link and changing link cost) based on the assumptions listed above. The protocol consists of two steps: (a) Consistency Check and (b) Synchronization. The check procedure is based on the principle of suspicion. A node, receiving a link state update, does not believe the update unless the node gets a “confirmation” link state update from the other node supporting the same link. Checking may lead to lack of synchronization in terms of routing table for the neighbors. This problem is taken care of in the synchronization procedure, where a “consensus” is applied to all the link states by a node and its neighbors.

Consistency Check: This procedure is performed to validate the routing updates at each receiving router. The validation involves standard validation checks such as authentication and sequence number [8] comparison. In addition to the standard checks, a delayed routing update check is carried out which results in securing the link state routing from the router attacks. The consistency check algorithm uses three data structures:
• Adjacency Matrix (Adj): This matrix captures the global topology. Adj[i, j] contains the cost of the link (i-j).
• Suspicion Matrix (S): This matrix contains the cost of the links which have not been confirmed. S[i, j] indicates the new cost of the link (i-j) as claimed by node j.
• Malicious List (M): This list includes all the nodes which are currently under suspicion.
• Suspicion Timer (T): This is a list of timers. Timer T(i, j) indicates that link (i-j) requires confirmation from node i or j. Timer duration is an input parameter set by the network administrator. For each suspicious link state update (i, j), a timer T(i, j) is started.

The delayed checks involve the following steps:
1. Change of state of each link is identified by both the nodes supporting the link. Let x-y be a link. Then nodes x and y can identify any change in link x-y.
2. When a routing update (LSA) arrives, the receiving node checks whether there is any change in the link state. In the paper, routing updates are indicated as x[y : ], where x is the node sending the routing update indicating that the cost of link x-y has changed to .
3. If a node x reports that the cost of link x-y has changed to (x[y : ]), the receiving nodes check the Suspicion Matrix (S) by carrying out the following steps.
   (a) If S[y, x] = 0
       • Set S[x, y] =
       • Start Suspicion Timer T(x, y)
   (b) If S[y, x] =
       • Accept the update as a valid update
       • Update Adjacency Matrix (Adj)
       • Set S[y, x] = 0.
       • Stop timer T(y, x).
   (c) If S[y, x] ≠ 0 and S[y, x] ≠
       • Conclude that an attack has occurred.
       • Insert x and y into the list of malicious nodes (M).
       • Set S[y, x] = 0.
       • Stop timer T(y, x).
4. When the timer T(i, j) expires
   • Conclude that an attack has occurred.
   • Insert i and j into the list of malicious nodes (M).
   • Set S[i, j] = 0.

In the algorithm mentioned above, the attack is detected if a malicious node sends wrong updates, or if the suspicion timer elapses. Thus the duration of suspicion timer is a very important input parameter. If the value is too low, there may be undue false alarms. In the simulation section, we provide a method of selection of the suspicion timer duration. The consistency check algorithm has the following properties:
• The checking algorithm runs in O(n) (See Lemma 1).
• The checking algorithm is correct and is able to detect and identify attacks and attackers in no-collusion environment (See Lemma 2).
• The ratio of number of malicious nodes identified by the algorithm, and the actual number of malicious nodes is bounded by:

  |M_S| / |M| ≤ 1 + ( Σ_{i=1}^{|M|} _i ) / |M|        (1)

where _i is the degree of the ith malicious node, M is the list of malicious nodes, and M_S is the set of malicious nodes returned by the checking algorithm (See Lemma 3).

Synchronize: The second step in the secured link state protocol lies in the synchronization of the topology among the neighbors. The synchronization is carried out using the principle of voting used in N-Modular Redundancy (NMR) systems [23], [25]. Following are the steps involved in the synchronization process:
1. Each node receives topology information from each of its neighbors.
2. For each entry i of the adjacency matrix (Adj), comparison is made with the ith entry of the topology information obtained from each of the neighbors.
3. The entry which is agreed by the maximum number of nodes (neighbors and the receiving node) is selected as the final link state information.
4. In case of tie, the entry present in the receiving node is kept as it is.
5. The nodes present in Suspicion Matrix are not considered for synchronization.

The synchronization algorithm has a worst-case running time of O(n^3) (See Lemma 4). Because of its high running time, the synchronization algorithm is called infrequently.

C. Illustration of the working of the SLIP checking algorithm

In this section, we provide some examples to describe the operation of SLIP. The main objectives of the SLIP are:
• The protocol should work correctly when none of the nodes are malicious.
• The protocol should work correctly under inactive and proactive router attacks.

Fig. 3. An example network

C.1 SLIP - Normal Operation

When there is no malicious node in the network, SLIP should behave correctly. Table I shows the operation of the SLIP under normal operation for the network mentioned in Figure 3. The cost of the links (1-2) and (2-3) changes from 3 to 2 and 2 to 1, respectively. In the Table I, a LSA indicated by k[j : ] denotes that the LSA has been sent by node k and the cost of link (k-j) has changed to . S indicates the Suspicion Matrix, and the third row shows the Timer status. We assume that the timers expire after 3 time units. The timeline, as shown in the Table I, is explained below:
• Time0: Time0 shows the initial condition.
• Time1: Node 1 sends a LSA indicating that cost of link (1-2) is changed. Since S[2, 1] = 0, no LSA has been received from node 2 regarding the change. So, S[1, 2] is set to 2 (indicating that node2 is suspicious) and a T(1, 2) is started.
• Time2: Node 2 sends a LSA, confirming the claim of node 1 about the change of cost of the link (1-2). So T(1, 2) is killed, and node is removed from the suspicion matrix. Since, the claim of node2 regarding link (2-3) cannot be confirmed, node2 is placed in the suspicion matrix and a timer T(2, 3) is started. Adjacent Matrix is updated.
• Time3: Node2 is removed from the suspicion matrix since LSA from node3 carries the confirmation regarding link (2-3), and timer T(2, 3) is killed.

TABLE I
SLIP OPERATION: UNDER NORMAL SCENARIO

Msg/Time | Time0 | Time1 | Time2 | Time3
LSA | | 1[2 : 2] | 2[1 : 2] & 2[3 : 1] | 3[2 : 1]
S | 000000 / 000000 / 000000 / 000000 / 000000 / 000000 | 020000 / 000000 / 000000 / 000000 / 000000 / 000000 | 000000 / 000000 / 010000 / 000000 / 000000 / 000000 | 000000 / 000000 / 000000 / 000000 / 000000 / 000000
Timer | | Start T(1, 2) | Stop T(1, 2), Start T(2, 3) | Stop T(2, 3)
Adj | 032112 / 302412 / 220151 / 141041 / 115404 / 221140 | 032112 / 302412 / 220151 / 141041 / 115404 / 221140 | 022112 / 202412 / 220151 / 141041 / 115404 / 221140 | 022112 / 201412 / 210151 / 141041 / 115404 / 221140

C.2 SLIP - Changing Link Cost (Proactive Attack)

In the Table II, the correctness of SLIP is shown, when an adversary changes the link cost. The protocol not only detects the error but also creates a list of the Malicious Nodes which contains the adversary. The example is based on the network shown in the Figure 3. The example is described as follows:
• Time0 shows the initialized values.
• Time1: Node1 sends a LSA indicating that link cost of (1-2) has changed. Timer T(1, 2) is started. Suspicion matrix is updated.
• Time2: Node2 sends a confirmation, with the cost of the link as 4 instead of 2. Both 2 and 4 are entered into S.
• Time4: T(1, 2) expires, node1 and node2 are entered into the list of malicious nodes (M).
• Time5: Timer T(2, 1) expires.

TABLE II
SLIP OPERATION: UNDER ATTACK SCENARIO (CHANGING LINK COST)

Msg/Time | Time0 | Time1 | Time2 | Time4 | Time5
LSA | | 1[2 : 2] | 2[1 : 4] | |
S | 000000 / 000000 / 000000 / 000000 / 000000 / 000000 | 020000 / 000000 / 000000 / 000000 / 000000 / 000000 | 020000 / 400000 / 000000 / 000000 / 000000 / 000000 | 000000 / 400000 / 000000 / 000000 / 000000 / 000000 | 000000 / 000000 / 000000 / 000000 / 000000 / 000000
Timer | | Start T(1, 2) | Start T(2, 1) | T(1, 2) expires | T(2, 1) expires
M | {∅} | {∅} | {∅} | {1, 2} | {1, 2}
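The consistency check (steps 3 and 4) and the synchronization vote, replayed on the LSAs of Tables I and II, as an added sketch in Python that is not the authors' code. Assumed here: all class, function and variable names, the integer clock, the three comparisons in step 3 (no pending claim, matching claim, differing claim), the reading of synchronization step 5, and the inputs marked as constructed.

```python
from collections import Counter

# Adjacency matrix of the Fig. 3 network, copied from Table I (Time0).
FIG3_ADJ = [
    [0, 3, 2, 1, 1, 2],
    [3, 0, 2, 4, 1, 2],
    [2, 2, 0, 1, 5, 1],
    [1, 4, 1, 0, 4, 1],
    [1, 1, 5, 4, 0, 4],
    [2, 2, 1, 1, 4, 0],
]


class SlipChecker:
    """State one receiving router keeps for the delayed routing update check."""

    def __init__(self, adj, timeout):
        self.adj = [row[:] for row in adj]  # Adj: accepted topology
        self.pending = {}     # S: (claimant, peer) -> cost awaiting confirmation
        self.deadline = {}    # T: (claimant, peer) -> time the timer expires
        self.malicious = set()  # M: nodes under suspicion
        self.timeout = timeout

    def cost(self, x, y):
        return self.adj[x - 1][y - 1]  # nodes are numbered from 1, as in Fig. 3

    def _flag(self, link):
        # Both endpoints enter M: the receiver cannot tell which of them lied.
        self.malicious.update(link)
        self.pending.pop(link, None)
        self.deadline.pop(link, None)

    def tick(self, now):
        """Step 4: an expired timer T(i, j) puts i and j into M."""
        for link in [k for k, t in self.deadline.items() if now >= t]:
            self._flag(link)

    def receive(self, now, x, y, cost):
        """Handle the LSA 'x reports that link x-y now costs `cost`'."""
        self.tick(now)
        claim = self.pending.get((y, x))
        if claim is None:  # 3(a), assumed: y has no unconfirmed claim on record
            self.pending[(x, y)] = cost
            # Keep a deadline that is already running, so repeating a claim
            # cannot postpone expiry (a choice made here, not from the paper).
            self.deadline.setdefault((x, y), now + self.timeout)
            return "suspect"
        if claim == cost:  # 3(b), assumed: y's earlier claim matches x's report
            self.adj[x - 1][y - 1] = self.adj[y - 1][x - 1] = cost
            del self.pending[(y, x)], self.deadline[(y, x)]
            return "accepted"
        self._flag((y, x))  # 3(c), assumed: the two reports disagree
        return "attack"


def replay(events, timeout=3, until=None):
    """Feed (time, sender, peer, cost) LSAs to a fresh checker on Fig. 3."""
    node = SlipChecker(FIG3_ADJ, timeout)
    verdicts = [node.receive(*event) for event in events]
    if until is not None:
        node.tick(until)
    return node, verdicts


def synchronize(own, neighbour_views, suspects):
    """Synchronization steps 1-5: entry-wise vote of own view and neighbours.

    Step 5 is read here as: neighbours under suspicion do not vote.
    """
    voters = [v for k, v in neighbour_views.items() if k not in suspects]
    merged = [row[:] for row in own]
    for i, row in enumerate(own):
        for j, mine in enumerate(row):
            votes = Counter(view[i][j] for view in voters)
            votes[mine] += 1
            top = max(votes.values())
            winners = [value for value, n in votes.items() if n == top]
            if len(winners) == 1:  # step 4: a tie keeps the receiver's entry
                merged[i][j] = winners[0]
    return merged


NORMAL = [(1, 1, 2, 2), (2, 2, 1, 2), (2, 2, 3, 1), (3, 3, 2, 1)]  # Table I LSAs
MISMATCH = [(1, 1, 2, 2), (2, 2, 1, 4)]                            # Table II LSAs
UNCONFIRMED = [(1, 5, 3, 1)]  # constructed: only node 5 reports link 5-3

# Constructed 3-node views: neighbours 2 and 3 are trusted, neighbour 4 is
# under suspicion and repeats the cost 9 that neighbour 2 holds for entry [0][2].
OWN = [[0, 3, 2], [3, 0, 2], [2, 2, 0]]
VIEWS = {
    2: [[0, 2, 9], [2, 0, 2], [9, 2, 0]],
    3: [[0, 2, 5], [2, 0, 2], [5, 2, 0]],
    4: [[0, 3, 9], [3, 0, 2], [9, 2, 0]],
}

if __name__ == "__main__":
    for name, events, until in (("normal", NORMAL, None),
                                ("mismatch", MISMATCH, None),
                                ("unconfirmed", UNCONFIRMED, 4)):
        node, verdicts = replay(events, until=until)
        print(name, verdicts, sorted(node.malicious))
    print(synchronize(OWN, VIEWS, suspects={4}))
```

Step 3(c) as coded flags the mismatched confirmation when it arrives, whereas the Table II walk-through keeps both costs in S and reports the pair when the timers expire; M ends as {1, 2} either way. In the UNCONFIRMED run the silent peer 3 enters M beside the claimant 5, consistent with the paper locating the attacker within a bounded set of nodes.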

IV. SIMULATION STUDIES

As mentioned in the previous section, confirmation of a state change of any link, in SLIP, is a two-step process. At each step the nodes supporting the link send an LSA indicating that its link state has changed. As a result, routing table construction due to the change in any link state is delayed under SLIP. In our simulation study, we capture the performance of SLIP against the traditional link state protocol under non-malicious environment. The simulation studies are carried out under the following simulation environment:
• Simulation studies were carried out using NS-2 [26].
• Random network topologies were generated based on a given input parameter “graph density”. This parameter determines the degree of the nodes and hence the connectivity of the network. The higher its value, the denser the topology.
• To simulate attacks, malicious nodes were randomly chosen based on the number of malicious nodes selected as input parameter. Under normal scenario, the number of malicious nodes is selected as 0.
• The default values of the network parameters are: (a) Nodes = 40, (b) Average node degree = 4.0, (c) Each link has unit cost, (d) Non-malicious link faults occur at a rate of 2 faults/sec, (e) Link faults are active for an average time of 5sec, (f) Suspicion timer duration = 10ms.

A. Performance Metrics

The performance of the secured link state protocol is studied vis-a-vis the traditional link state protocol according to three performance metrics: (i) Fault Detection Time (Æ), (ii) LSA Confidence () and (iii) Attack Detection Probability ( ). Æ is an indication of the performance of the protocol in a normal scenario.  and are used under attack scenarios.
• Fault Detection Time (Æ): Æ is defined as the average time taken by any node in the network to detect an occurrence of a fault.
• LSA Confidence ():  is defined as the probability that any node i works correctly in presence of malicious attackers. If m malicious nodes are uniformly distributed in a n node network, then SLIP = (1 - m(m - 1)/((n - 1)(n - 2))) and LS = (1 - m/(n - 1)) (See Lemma 5). Let a node i receive L_i updates, out of which M_i are malicious updates. Among the malicious updates, the node can detect D_i updates. Therefore,

  n 1X (1 = Mi Di ) n i=1 Xi        (2)

• Attack Detection Probability ( ): is defined as the probability that a malicious update is detected. It can be shown that if there are m malicious nodes in a network having n nodes with degree r (n > m), in case of SLIP, n m = ((n r )) r (See Lemma 6). From the above example,

  = (1/n) Σ_{i=1}^{n} (D_i / M_i)        (3)

Fig. 4. Variation of Fault Detection Time with Graph Density (axes: Graph Density; Fault Detection Time (ms); curves: Link State, SLIP)

Fig. 5. Variation of Fault Detection Time with Fault Rate (axes: Fault Rate (per sec); Fault Detection Time (ms); curves: Link State, SLIP)

B. Effect on Fault Detection Time

Figure 4 shows the variation of fault detection time against graph density. Increase in graph density indicates that the network becomes more dense, i.e. the number of links in the network increases (as the number of the nodes in the network remains fixed at 40). Therefore, the possibility of a link failure affecting a connection becomes less, and as a result the fault detection time decreases. The interesting point to be noted in this figure is that fault detection time under SLIP is significantly more than that of link state when the graph density is low (< 4). However, as the graph density increases, the fault detection time in case of SLIP is close to that in case of link state protocol. This phenomenon occurs because, as the network becomes more dense, there are multiple paths from one node to the other having more or less the same distance. Hence, the time for which a node remains in the Suspicion Matrix is very small under high density. Thus, SLIP does not introduce significant overhead in terms of fault detection time in dense networks. The difference of Æ between traditional link state and SLIP gives us the estimate of the Suspicion Timer duration. As shown in the figure, the difference is around ms, when node degree is . Suspicion Timer duration is thus set to 10 ms, to accommodate for all updates.

In Figure 5, the fault detection time is studied with varying fault rate. From the figure it is clear that the time to detect a fault increases almost linearly with the fault rate. More faults in the network indicate more updates and hence fault detection time increases because of the time lag between the arrivals of the link state updates. Under high fault rate, packet loss under SLIP suffers more as compared to that in case of the link state protocol. The reason behind this is that the increase in fault rate means that the possibility of a fault occurring is high, and SLIP suffers as it takes more time to “notice” a fault.

C. Effect on Confidence and Fault Detection Probability

Performance of the protocols (SLIP and link state) is studied against coordinated malicious attacks. Confidence of the protocols is plotted against the number of malicious nodes, and the results are shown in Figure 6. As the number of malicious nodes in the network increases, the confidence of both the protocols decreases as the probability of getting a malicious update increases. Confidence exuded by SLIP is consistently higher than that of normal link state protocol. As shown in the figure, the simulated values closely follow the theoretical results obtained. The figure indicates that the probability of SLIP to work correctly is much higher than normal link state protocol.

Fig. 6. Variation of  with # of malicious nodes (axes: # Malicious Nodes; Average Confidence (%); curves: Simulated-SLIP, Theoretical-SLIP, Simulated-LS, Theoretical-LS)

Figure 7 shows the variation of attack detection probability ( ) with the number of malicious nodes in the network, in presence of coordinated attacks. Both theoretical and simulated results indicate that, in case of SLIP, decreases with increasing number of malicious nodes in the network. In presence of 4 attackers, is around 80%. It is to be noted that in case of traditional link state protocols is 0, since traditional link state protocols do not have built-in attack detection capability.

Fig. 7. Variation of with # of malicious nodes (axes: # Malicious Nodes; Attack Detection Probability (%); curves: Simulated, Theoretical)

In Figure 8, variation of attack detection probability ( ) is shown with average node degree. The number of malicious nodes in this set of experiments is selected as . Experimental and the theoretical results more-or-less match, as shown in the Figure. As shown in the Figure, the probability to detect an attack is greater than 90%, when the average degree of the network is high (3.5). Since the average degree of the nodes in the Internet is on the higher side (3.3 to 3.5), this type of detection will yield very high probability of detection.

Fig. 8. Variation of with Node Degree (axes: Node Degree; Attack Detection Probability (%); curves: Simulated, Theoretical)

V. CONCLUSIONS

In this paper, we first presented a taxonomy of security attacks on Internet routing protocols. Then, we proposed an elegant solution to the routing table poisoning threat in link state protocol, under certain fault model. Our scalable secure link state protocol (SLIP), is based on the principle of suspicion such that a node does not believe a link state update until and unless it receives confirmation from the other node supporting the link. We carried out analytical and simulation studies to evaluate the proposed SLIP for two performance metrics, viz. attack detection probability and fault detection time, under different network and attack scenarios. Our studies showed that the SLIP offers a very high attack detection capability with a little degradation in fault detection time compared to the link state protocol. Future work includes the following: (i) Relaxing the no-collusion assumption, (ii) Relaxing the symmetric link assumption, (iii) Developing tighter bound for locating malicious routers, and (iv) Developing efficient attack recovery techniques.

REFERENCES

[1] Sally Floyd and Vern Paxson, “Difficulties in simulating the Internet,” IEEE Trans. on Networking, vol.9, no.4, Aug. 2001.
[2] Lee Garber, “Denial-of-Service Attacks Rip the Internet,” IEEE Computers, vol.33, no.4, pp.12-17, Apr. 2000.
[3] Kevin J. Houle and George M. Weaver, “Trends in Denial of Service Attack Technology,” CERT Advisory, v1.0, Oct. 2001.
[4] Sandra Murphy, “Technology Transition for Internet Infrastructure Security: Secure OSPF,” NAI Labs Advance Research, June 2000.
[5] C. Siva Ram Murthy and G. Manimaran, “Resource Management in Real-time Systems and Networks,” MIT Press, Apr. 2001.
[6] G. Sager, “Security Fun with OCxmon and eflowd,” Internet2 Working Group Meeting, Nov. 1998.
[7] H. Burch and B. Cheswick, “Tracing anonymous packets to their approximate sources,” Proc. 2000 USENIX LISA Conf., pp. 319-327, Dec. 2000.
[8] J. Moy, “OSPF Version 2,” RFC 1583, March 1994.
[9] International Standards Organization, “Intra-Domain IS-IS Routing Protocol,” ISO/IEC JTCI/SC6 WG2 N323, Sep. 1989.
[10] C. Hedrick, “Routing Information Protocol,” RFC 1058, June 1988.
[11] Y. Rekhter and T. Li, “A Border Gateway Protocol 4 (BGP-4),” RFC 1654, July 1994.
[12] C. Huitema, “Routing in the Internet,” Prentice Hall PTR, 2nd Edition, 2000.
[13] Bradley R. Smith, Shree Murthy, and J.J. Garcia-Luna-Aceves, “Securing Distance-Vector Routing Protocols,” in Proc. SNDSS, 1997.
[14] S. L. Murphy and M. R. Badger, “Digital Signature Protections of OSPF Routing Protocols,” in Proc. SNDSS, 1996.
[15] Ralf Hauser, Tony Przygienda, and Gene Tsudik, “Reducing the Cost of Security in Link State Routing,” in Proc. Symp. on Network and Dist. System Security, 1997.
[16] Steven Cheung, “An Efficient Message Authentication Scheme for Link State Routing,” in Proc. Annual Computer Society Applications Conference, Dec. 1997.
[17] Kirk A. Bradley, S. Cheung, B. Mukherjee, and Ronald A. Olsson, “Detecting Disruptive Routers: A Distributed Network Monitoring Approach,” in Proc. IEEE Symp. on Security and Privacy, 1998.
[18] Shyhtsun F. Wu, Fei-yi Wang, Brian M. Vetter, W. Rance Cleaveland II, Y. Frank Jou, Fengmin Gong, and Chandramouli Sargor, “Intrusion Detection for Link-State Routing Protocols,” in Proc. IEEE Symp. on Security and Privacy, 1997.
[19] F. Wang, F. Gong, F.S. Wu, and R. Narayan, “Intrusion Detection for Link State Routing Protocol Through Integrated Network Management,” in Proc. ICCCN, pp. 694-699, 1999.
[20] F. Wang, F. Gong, and S.F. Wu, “A Property Oriented Fault Detection Approach for Link State Routing Protocol,” in Proc. ICCCN, pp. 114-119, 2000.
[21] Cisco White Papers, “Strategies to Protect against Distributed Denial of Service Attacks (DDoS),” Feb. 2000.
[22] Steven Cheung and K. N. Levitt, “Protecting Routing Infrastructures from Denial-of-Service using Co-operative Intrusion Detection,” in Proc. New Security Paradigms Workshop, Sept. 1997.
[23] Arun K. Somani, Vinod K. Agarwal and David Avis, “A Generalized Theory for System Level Diagnosis,” IEEE Trans. Computers, 38(5), pp. 538-546, 1987.
[24] L. Lamport, R. Shostak and M. Pease, “The Byzantine General’s Problem,” ACM Trans. Prog. Languages and System, vol. 4, no. 3, pp. 382-401, Apr. 1982.
[25] D. K. Pradhan, “Fault-Tolerant Computing - Theory and Techniques,” Prentice Hall, vol. 2, 1986.
[26] UCB/LBNL/VINT Network Simulator - ns (version 2), Available at www.isi.edu/nsnam/ns.

APPENDIX

Lemma 1: The checking algorithm runs in $O(n)$.

Proof: In the checking algorithm, when an LSA arrives the receiving node compares the link state of all the neighbors with the current link state values. At most, a node can have $(n-1)$ neighbors. So, the comparison runs in $O(n)$ time.

Lemma 2: The checking algorithm is correct and can detect and identify all proactive and inactive attacks under no collusion and no interruption attacks, and under the assumption that all malicious nodes are surrounded by non-malicious nodes.

Proof 1 - Correctness: The checking algorithm is correct if we can prove that the algorithm works correctly under the no-malicious condition. If there is no link state change, assuming that there is no malicious node in the network, no link state update is sent. Hence, this is a trivial case and the algorithm works correctly. Again assuming no malicious node in the network, let the state of link $(i, j)$ change. Since this is an undirected network, both $i$ and $j$ identify the link state change and send the update. Since the network has no interrupting node, the two updates reach node $k$ in the network. Therefore, node $k$ identifies the link state change. Thus, the checking algorithm works correctly under the no-malicious condition.

Proof 2 - Inactive: Let node $j$ be a malicious node carrying on an inactive router attack on link $(i, j)$. Since $i$ is the adjacent node to a malicious node, node $i$ is non-malicious. Node $i$ sends an update indicating there is a link state change for link $(i, j)$. The checking algorithm detects the attack as there is no confirmation from $j$. So, the receiving node identifies nodes $i$ and $j$ as the malicious nodes. Thus, the checking algorithm successfully detects an attack and identifies a set of nodes which includes the malicious node.

Proof 3 - Proactive: A malicious node $j$ can proactively change the cost of link $(i, j)$. Since $i$ is non-malicious, it sends the correct update, resulting in a mismatch. Hence, the attack is detected and the attacker is identified. When the malicious node deletes the link $(i, j)$, there is no update from $i$. Again, the attack is detected and the attacker identified. When a malicious node adds a link $(i, j)$, there is no response from $i$ as there is no collusion in the network. Proofs (1), (2) and (3) together prove the Lemma.
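The case analysis in the proof of Lemma 2, as runnable code (an added example, not code from the paper): a change to link (i, j) is accepted only when both endpoints report the same new cost, otherwise both endpoints are returned as suspects. The function names, the tuple layout of an update and the scenario with malicious nodes 3 and 6 are assumptions constructed for illustration.

```python
def check_updates(updates):
    """Apply the two-endpoint confirmation rule to one batch of link-state updates.

    updates: iterable of (sender, neighbor, cost); cost None means "link down".
    Returns (accepted, suspects): accepted maps link -> agreed cost,
    suspects is the set of nodes returned as possibly malicious.
    """
    claims = {}                                  # link -> {reporting endpoint: claimed cost}
    for sender, neighbor, cost in updates:
        claims.setdefault(frozenset((sender, neighbor)), {})[sender] = cost
    accepted, suspects = {}, set()
    for link, by_sender in claims.items():
        costs = set(by_sender.values())
        if len(by_sender) == 2 and len(costs) == 1:
            accepted[link] = costs.pop()         # both endpoints confirm the same change
        else:
            suspects |= link                     # unconfirmed or mismatched: flag both ends
    return accepted, suspects


# Constructed scenario (assumption): malicious nodes 3 and 6, each of degree 2,
# each surrounded by non-malicious neighbours, no collusion.
MALICIOUS = {3: 2, 6: 2}                         # node -> degree
UPDATES = [
    (1, 2, 7), (2, 1, 7),    # genuine change on link (1, 2), confirmed by both ends
    (5, 6, None),            # inactive attack: node 6 stays silent about link (5, 6)
    (3, 4, 1), (4, 3, 10),   # proactive attack: node 3 lies about the cost of link (3, 4)
    (6, 1, None),            # proactive attack: node 6 deletes link (1, 6), node 1 sends nothing
]


def run_scenario():
    accepted, suspects = check_updates(UPDATES)
    # Worst-case size of the returned set from Lemma 3: |M| plus the sum of degrees.
    bound = len(MALICIOUS) + sum(MALICIOUS.values())
    return accepted, suspects, bound
```

In this scenario the suspect set contains every malicious node plus some of their honest neighbours, which is the over-approximation that Lemma 3 bounds.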

Lemma 3: If $M$ is the set of malicious nodes and $M_S$ is the set of malicious nodes returned by SLIP, then:

$$\frac{|M_S|}{|M|} \le 1 + \frac{\sum_{i=1}^{|M|} \delta_i}{|M|}$$

where $\delta_i$ = node degree of the $i$th malicious node.

Proof: Let $N = (V, E)$ be an undirected network. Let $M = \{M_1, M_2, \ldots, M_{|M|}\}$ be the set of malicious nodes having degrees $\delta_1, \delta_2, \ldots, \delta_{|M|}$ respectively. In the worst case, for each malicious node $M_j$, SLIP identifies $M_j$ and all its neighbors as malicious nodes. Thus, in the worst case the number of malicious nodes returned by SLIP is equal to all the malicious nodes and their neighbors. Therefore,

$$|M_S| \le (1 + \delta_1) + (1 + \delta_2) + \cdots + (1 + \delta_{|M|}) = |M| + \sum_{i=1}^{|M|} \delta_i$$

Therefore,

$$\frac{|M_S|}{|M|} \le 1 + \frac{\sum_{i=1}^{|M|} \delta_i}{|M|} \qquad (4)$$

Lemma 4: The worst-case running time of the synchronization algorithm is $O(n^3)$.

Proof: In the synchronization algorithm, each link state matrix is compared with at most $n$ other nodes (in the case of a fully connected network). Since there are at most $n^2$ entries in the link state matrix, the worst-case running time of the algorithm is $O(n^3)$.

Lemma 5: In an $n$-node network having $m$ uniformly distributed malicious nodes,

(a) $\mathrm{LS} = 1 - \dfrac{m}{n-1}$ (5)

(b) $\mathrm{SLIP} = 1 - \dfrac{m(m-1)}{(n-1)(n-2)}$ (6)

Proof (a): $\mathrm{LS} = 1 - P(\text{LSA sent by a malicious node}) = 1 - \dfrac{m}{n-1}$

Proof (b): $\mathrm{SLIP} = 1 - P(\text{LSA received from 2 malicious nodes}) = 1 - \dfrac{\binom{m}{2}}{\binom{n-1}{2}} = 1 - \dfrac{m(m-1)}{(n-1)(n-2)}$

Lemma 6: In an $n$-node network having degree $r$, let there be $m$ uniformly distributed malicious nodes,

$$\mathrm{SLIP} = \frac{\binom{n-m}{r}}{\binom{n-1}{r}} \qquad (7)$$

Proof: A node is able to detect an attack if the attacker is surrounded by non-malicious nodes. Since there are $m - 1$ other malicious nodes, the number of non-malicious nodes is equal to $(n-1) - (m-1) = n - m$. Since each node has a degree $r$, the problem is equivalent to finding the probability of picking $r$ non-malicious nodes from $n - 1$ nodes.
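The closed forms in Lemmas 5 and 6 can be checked by exhaustive counting over small networks; the following is an added example, not code from the paper. It assumes the readings 1 - m/(n-1), 1 - m(m-1)/((n-1)(n-2)) and C(n-m, r)/C(n-1, r) of equations (5) to (7); the function names and the node labelling are constructed for illustration.

```python
from fractions import Fraction
from itertools import combinations
from math import comb


def ls_detection(n, m):
    """Equation (5): 1 - P(LSA sent by a malicious node)."""
    return 1 - Fraction(m, n - 1)


def slip_detection_pair(n, m):
    """Equation (6): 1 - P(LSA received from 2 malicious nodes)."""
    return 1 - Fraction(m * (m - 1), (n - 1) * (n - 2))


def slip_detection_degree(n, m, r):
    """Equation (7): all r neighbours of the attacker are non-malicious."""
    return Fraction(comb(n - m, r), comb(n - 1, r))


def count_pair(n, m):
    """Enumerate every pair of reporting nodes among the n-1 other nodes.

    Labelling assumption: nodes 0..m-1 are the malicious ones.
    """
    pairs = list(combinations(range(n - 1), 2))
    both_bad = sum(1 for a, b in pairs if a < m and b < m)
    return 1 - Fraction(both_bad, len(pairs))


def count_degree(n, m, r):
    """Enumerate every choice of r neighbours for one attacker.

    Of the n-1 other nodes, m-1 are malicious (labelled 0..m-2, an assumption).
    """
    neighbourhoods = list(combinations(range(n - 1), r))
    clean = sum(1 for s in neighbourhoods if all(v >= m - 1 for v in s))
    return Fraction(clean, len(neighbourhoods))


def degree_sweep(n, m, degrees):
    """Detection probability of equation (7) for each node degree in `degrees`."""
    return {r: slip_detection_degree(n, m, r) for r in degrees}
```

Running `degree_sweep(10, 3, range(1, 6))` shows the value of equation (7) falling as the node degree grows, since a larger neighbourhood is more likely to contain a second malicious node.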
