University of California, San Diego Fatih: Detecting and Isolating Malicious Routers Alper T Mizrak, Yu-Chung Cheng, Prof. Keith Marzullo, Prof. Stefan Savage


Page 1

University of California, San Diego

Fatih: Detecting and Isolating Malicious Routers

Alper T Mizrak, Yu-Chung Cheng, Prof. Keith Marzullo, Prof. Stefan Savage

Page 2

Alper Mizrak, DSN’05 2

Introduction

- Routers occupy a key role in modern packet-switched data networks
  - Packets need to be forwarded hop-by-hop between routers
- Routers can be compromised [Ao03, Houle01, Labovitz01]
  - One network operator found 5000 compromised routers [Thomas03]
- If a router is compromised, an adversary can
  - Disrupt the forwarding process
  - Deny service
  - Implement ongoing network surveillance
  - Mount a man-in-the-middle attack

Page 3

Introduction

- Two threats posed by a compromised router:
- Control plane:
  - By means of the routing protocol, e.g. announcing false route updates
  - Has received the lion’s share of the attention [Perlman88, Subramanian04, Kent00, Hu02, Smith96, Cheung97, Goodrich01]
- Data plane:
  - By means of the forwarding decisions based on the routing tables, e.g. altering, misrouting, dropping, reordering, delaying or fabricating data packets
  - Has received comparatively little attention
  - Our focus is entirely on this problem

Page 4

Goal

- Fault-tolerant forwarding in the face of malicious routers
  - Routers normally make predictable decisions… so this problem is a candidate for anomaly-based intrusion detection
- Practical defenses against compromised routers on the data plane
  - Detection: the anomalous forwarding behavior of a compromised router can be identified by correct routers when it deviates from the expected forwarding behavior
  - Bypassing the suspicious entities

Page 5

Basic Idea

- Mail communication between me and my mom (the letter: "Hi Mom, I need MONEY. Love, Alper")

Me:  SENT 3 Keep Alive, 1 Money Request; RECEIVED 2 Keep Alive, 2 Money Check
Mom: RECEIVED 3 Keep Alive, 1 Money Request; SENT 2 Keep Alive, 2 Money Check

Page 6

Basic Idea

- Later on…

Me:  SENT 2 Keep Alive, 2 Money Request; RECEIVED 1 Keep Alive, 1 Money Check
Mom: RECEIVED 1 Keep Alive, 1 Money Request; SENT 2 Keep Alive, 2 Money Check

The two tallies no longer agree: letters are going missing in transit.

Page 7

Overview

- System Model
  - Network Model
  - Threat Model
- Protocol
- Current Status
- Conclusion

Page 8

Network Model

- Assumptions
  - The routing protocol provides each node with a global view of the topology: a distributed link-state routing protocol, OSPF or IS-IS
  - Synchronous system: link-state protocols operate by periodically
  - Key distribution between pairs of nearby routers
- This overall model is consistent with the typical construction of
  - Large enterprise IP networks
  - The internal structure of single ISP backbone networks

Page 9

Definitions

- Path: a finite sequence of adjacent routers, e.g. <Sun, Den, Kan, Ind, Chi, New>
- x-path segment: a sequence of x routers that is a subsequence of a path
  - <Den, Kan, Ind> is a 3-path segment
- A router is faulty
  - if it introduces discrepancy into the traffic
  - if it does not participate in the proposed protocol

Page 10

Threat Model

- Can’t depend on faulty routers to detect faulty routers
- bad(k): impose an upper bound k on the number of adjacent faulty routers in any path
  - bad(2): there can be no more than 2 adjacent faulty routers in any path

Figure: a path from source s to sink t under bad(2)

Page 11

Threat Model

- Very few end hosts have multiple paths to their network infrastructure
  - The fate of individual hosts and of the terminal router are directly intertwined
- The routers at the source and sink of a flow are not faulty with respect to that flow's path

Figure: a path from source s to sink t under bad(2)

Page 12

Overview

- System Model
- Protocol
  - Traffic validation
  - Distributed detection
    - Specification
    - An Example Protocol: k+2
  - Response
- Current Status
- Conclusion

Page 13

Traffic Validation

- A way to tell whether traffic is disrupted en route
- Represent TV as a predicate TV(<r1, r2, …, rx>, info_ri, info_rj)
  - <r1, r2, …, rx> is a path segment whose traffic is to be validated between ri and rj
  - both ri and rj are in <r1, r2, …, rx>

Page 14

Traffic Validation

- A way to tell whether traffic is disrupted en route
- Represent TV as a predicate TV(<r1, r2, …, rx>, info_ri, info_rj)
  - info_r is some abstract description of the traffic that router r forwarded to be routed along the segment over some time interval

Page 15

Traffic Validation

- A way to tell whether traffic is disrupted en route
- Represent TV as a predicate TV(<r1, r2, …, rx>, info_ri, info_rj)
- If routers ri and rj are not faulty, then TV(<r1, r2, …, rx>, info_ri, info_rj) evaluates to FALSE iff <r1, r2, …, rx> contains a router that was faulty in the segment during that interval

Page 16

Traffic Summary Information

- How to represent info_r concisely?
- The most precise description of traffic: an exact copy of that traffic
- Many characteristics of the traffic can be summarized far more concisely:
- Conservation of flow
  - Example: a forwards to b; info_a = 600, info_b = 500: 100 packets are lost
  - Threat model covered: drop, misroute

Page 17

Traffic Summary Information

- How to represent info_r concisely?
- The most precise description of traffic: an exact copy of that traffic
- Many characteristics of the traffic can be summarized far more concisely:
- Conservation of content
  - Example: a forwards to b; info_a = {f1, f2, f3, f4}, info_b = {f1, f3, f4}: f2 is lost
  - Threat model covered: drop, misroute + modify, fabricate
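As an added illustration of the two summary types on these slides (not code from the talk or from the Fatih prototype), here is a small Python traffic validator. It builds info_r as a packet count plus a multiset of fingerprints, then applies conservation of flow and conservation of content to constructed sample packets, showing that the count-based check catches drops but is blind to modification. The packet contents, the hash-based fingerprint and the loss-tolerance parameter are assumptions; the tolerance anticipates the congestion losses that the talk later lists as a source of false positives.

```python
import hashlib
from collections import Counter

# Constructed sample traffic: the packets router a forwarded along the segment
# towards b, and three versions of what b received.  Names and payloads are
# made up for this example.
SENT = [b"f1:GET /index", b"f2:PAY 100", b"f3:ACK", b"f4:FIN"]
RECEIVED_OK = list(SENT)
RECEIVED_DROP = [SENT[0], SENT[2], SENT[3]]                     # f2 dropped in transit
RECEIVED_MODIFIED = [SENT[0], b"f2:PAY 999", SENT[2], SENT[3]]  # f2 altered in transit


def fingerprint(packet: bytes) -> str:
    """Concise stand-in for a packet: a truncated hash of its bytes.  A real
    validator must choose which fields to hash (TTL and checksum legitimately
    change hop by hop); here the whole constructed payload is hashed."""
    return hashlib.sha256(packet).hexdigest()[:16]


def summarize(packets):
    """info_r for one router, one segment and one interval: a packet count
    (for conservation of flow) and a multiset of fingerprints (for
    conservation of content)."""
    return {"count": len(packets), "fps": Counter(fingerprint(p) for p in packets)}


def tv_flow(info_in, info_out, max_loss_fraction=0.0):
    """Conservation of flow: every packet that entered the segment should have
    left it.  Only counts are compared, so this covers drops and misrouting
    but not modification.  max_loss_fraction tolerates benign congestion
    loss, which a strict equality check would report as an attack."""
    sent, received = info_in["count"], info_out["count"]
    if received > sent:
        return False            # more came out than went in: something was injected
    return sent - received <= max_loss_fraction * sent


def tv_content(info_in, info_out, max_loss_fraction=0.0):
    """Conservation of content: the fingerprints seen at the exit must be a
    sub-multiset of those seen at the entry (drops, tolerated up to the
    threshold) and nothing may appear at the exit that never entered
    (modification or fabrication, never tolerated)."""
    unexpected = info_out["fps"] - info_in["fps"]   # Counter subtraction keeps positive counts only
    if unexpected:
        return False
    missing = info_in["fps"] - info_out["fps"]
    return sum(missing.values()) <= max_loss_fraction * info_in["count"]


def diagnose(info_in, info_out):
    """Explain a FALSE verdict: which fingerprints vanished and which appeared."""
    return {
        "missing": sorted((info_in["fps"] - info_out["fps"]).elements()),
        "unexpected": sorted((info_out["fps"] - info_in["fps"]).elements()),
    }


if __name__ == "__main__":
    a = summarize(SENT)
    for name, received in (("ok", RECEIVED_OK), ("drop", RECEIVED_DROP), ("modified", RECEIVED_MODIFIED)):
        b = summarize(received)
        print(name, "flow:", tv_flow(a, b), "content:", tv_content(a, b), diagnose(a, b))
```

Running it shows the point of the second slide: the modified batch passes tv_flow (four packets in, four out) and fails only tv_content, while the dropped batch fails both unless a loss tolerance is allowed.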

Page 18

Initial Problem Specification

- A perfect failure detector (FD) would implement the following two properties:
  - Accuracy: an FD is Accurate if, whenever a correct router suspects (r, interval), then r was faulty during that interval
  - Completeness: an FD is Complete if, whenever a router r is faulty at some time t, then all correct routers eventually suspect (r, interval) for some interval containing t

Page 19

Challenge

- Implement the FD via Traffic Validation, by collecting traffic information from different points in the network
- Consider the path <s, a, b, c, d> in the figure (reported counts: s 10, a 10, b 10, c 5, d 5; b and c are marked “?”)
  - Any router other than b and c cannot distinguish between the case of b being faulty and that of c being faulty
  - It can only infer that at least one of b and c is faulty

Page 20

Weaken the Specification

- Detect suspicious path segments, not individual routers
- An FD returns a pair (segment, interval) where segment is a path segment:
  - α-Accuracy: an FD is α-Accurate if, whenever a correct router suspects (segment, interval), then the segment has at most α routers and some router r in it was faulty during the interval
  - α-Completeness: an FD is α-Complete if, whenever a router r is faulty at some time t, then all correct routers eventually suspect (segment, interval) for some path segment of at most α routers in which r was faulty at t, and for some interval containing t

Page 21

An Example Protocol: k+2

- A router r has a set of path segments Pr that it monitors. Pr contains all the path segments that have r at one end whose length is at most k+2
  - k is the maximum number of adjacent faulty routers along a path

for each path segment in Pr:
  while (true) {
    synchronize with router r' at the other end of the segment;
    collect info_r about the segment for an agreed-upon interval;
    exchange [info_r]_r and [info_r']_r' with r' through the segment;
    if TV(segment, info_r, info_r') = FALSE then
      suspect the segment;
      reliable broadcast (segment, interval);
  }
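An added example, not the talk's or the Fatih prototype's code, that simulates one interval of protocol k+2 on a constructed seven-router topology under bad(1). It enumerates Pr for every router, lets one faulty router drop packets, runs count-based traffic validation from the router at the near end of each monitored segment, and then checks the (k+2)-Accuracy and (k+2)-Completeness properties of the previous slides over the union of suspected segments. The topology, the drop rate, the faulty router's honest reporting, and the enumeration of all simple path segments (rather than only segments of routes the link-state protocol actually uses) are simplifying assumptions; the |Pr| it reports per router is the quantity the overhead slide measures on Sprintlink.

```python
from collections import defaultdict

# Constructed topology: router names and links are made up for this example
# (not Fatih's Abilene-based test network).  Router b is the faulty one: it
# silently drops half of every packet batch it is asked to forward onward.
LINKS = [("s", "a"), ("a", "b"), ("b", "c"), ("c", "d"), ("d", "t"), ("a", "e"), ("e", "c")]
FAULTY_DROP = {"b": 0.5}
PACKETS_PER_INTERVAL = 100


def adjacency(links):
    adj = defaultdict(set)
    for u, v in links:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def monitored_segments(adj, r, k):
    """P_r: every path segment with r at one end and at most k+2 routers.
    Simplification: all simple paths in the topology are enumerated, while the
    real protocol only monitors segments of routes the link-state protocol uses."""
    segments = []

    def extend(path):
        if len(path) >= 2:
            segments.append(tuple(path))
        if len(path) < k + 2:
            for nxt in sorted(adj[path[-1]]):
                if nxt not in path:
                    extend(path + [nxt])

    extend([r])
    return segments


def forward(segment, n_packets, faulty_drop):
    """Simulated data plane for one interval: packets enter the segment at its
    first router and are forwarded hop by hop; each faulty interior router
    drops its fraction.  Returns the count arriving at the last router."""
    count = n_packets
    for router in segment[1:-1]:
        count -= int(count * faulty_drop.get(router, 0.0))
    return count


def tv_flow(info_first, info_last):
    """Traffic validation by conservation of flow on packet counts."""
    return info_first == info_last


def run_k_plus_2(links, k, faulty_drop, n_packets=PACKETS_PER_INTERVAL):
    """One interval of protocol k+2 on every router.  Returns the union of all
    suspected segments after reliable broadcast, and |P_r| per router."""
    adj = adjacency(links)
    suspected = set()
    sizes = {}
    for r in sorted(adj):
        segments = monitored_segments(adj, r, k)
        sizes[r] = len(segments)
        for seg in segments:
            info_r = n_packets                                  # what r sent into seg
            info_other = forward(seg, n_packets, faulty_drop)   # what r' at the far end received
            if not tv_flow(info_r, info_other):
                suspected.add(seg)                              # r broadcasts (seg, interval)
    return suspected, sizes


def is_accurate(suspected, faulty, k):
    """(k+2)-Accuracy: every suspected segment has at most k+2 routers and
    contains a faulty router."""
    return all(len(seg) <= k + 2 and any(r in faulty for r in seg) for seg in suspected)


def is_complete(suspected, faulty, k):
    """(k+2)-Completeness in the form the proof sketch uses: each faulty router
    lies inside some suspected segment of 3..k+2 routers whose two ends are correct."""
    return all(
        any(f in seg[1:-1] and seg[0] not in faulty and seg[-1] not in faulty
            and 3 <= len(seg) <= k + 2 for seg in suspected)
        for f in faulty)


if __name__ == "__main__":
    suspected, sizes = run_k_plus_2(LINKS, k=1, faulty_drop=FAULTY_DROP)
    print("|P_r| per router:", sizes)
    print("suspected segments:", sorted(suspected))
    print("accurate:", is_accurate(suspected, FAULTY_DROP, 1),
          "complete:", is_complete(suspected, FAULTY_DROP, 1))
```

With k = 1 only the two 3-router segments that have b in the middle, <a,b,c> and <c,b,a>, fail validation; segments that merely start or end at b pass, which is why the protocol can only ever name a segment, never b alone.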

Page 22

Properties of Protocol k+2

- k+2 is (k+2)-Accurate
- k+2 is (k+2)-Complete
  - If r is faulty at some time t, then there is a path segment such that:
    - r is in the segment and introduces discrepancy into the traffic through it during an interval containing t
    - Only the first and last routers of the segment are correct
    - 3 ≤ |segment| ≤ k+2
  - The first and last routers monitor the segment and apply k+2 to it:
    - They compute TV over the segment with the info recorded at its first and last routers, and it evaluates to FALSE
    - They suspect the segment and disseminate this information to all the other correct routers

Page 23

Overhead of Protocol k+2

- This algorithm has reasonable overhead
  - For each forwarded packet, compute a fingerprint
  - Each router r must synchronize and authenticate with the other end of each segment in Pr
  - The size of Pr dominates the overhead
- For the Sprintlink network [Rocketfuel] of 315 routers and 972 links:
  - bad(1): a router monitors 35 path segments on average
  - bad(2): a router monitors 110 path segments on average
- Dissemination of the suspected path segments can be integrated into the link-state flooding mechanism

Page 24

Response

- What happens as a result of a detection? Need some countermeasure protocol
- Inform the administrator
- Immediate action: bypass the suspicious entities
  - Ideally would be part of the link-state protocol
  - We have a version of Dijkstra's SPF that can exclude suspected x-path segments

Figure: routers a, b, c, d; <a,b,c> is suspected
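An added example of the response step, not the authors' SPF variant: a Dijkstra-style shortest-path search that refuses any route containing a suspected path segment as a window of consecutive routers, so that router b remains usable while the segment <a,b,c> is not. Link costs, the undirected treatment of suspected segments, and the loop-free state augmentation are assumptions made for this example.

```python
import heapq
from collections import defaultdict

# Constructed topology: link costs are made up for this example; the slide only
# says that <a,b,c> has been suspected.
LINKS = {("a", "b"): 1, ("b", "c"): 1, ("b", "d"): 2, ("a", "d"): 4, ("d", "c"): 2}
SUSPECTED = {("a", "b", "c")}


def build_graph(links):
    graph = defaultdict(dict)
    for (u, v), cost in links.items():
        graph[u][v] = cost
        graph[v][u] = cost
    return graph


def spf_excluding(graph, src, suspected):
    """Dijkstra's SPF from src that never routes along a suspected path segment
    (in either direction, since links are undirected here).  The search state
    is (set of routers visited, last L-1 routers) with L the longest suspected
    segment: the window is enough to recognise a banned segment the moment its
    last router is appended, and the visited set keeps routes loop-free, which
    matters because a route that doubles back through a router could otherwise
    slip around the exclusion.  Returns router -> (cost, route)."""
    banned = set(suspected) | {tuple(reversed(s)) for s in suspected}
    L = max((len(s) for s in banned), default=2)
    best = {}
    settled = set()
    heap = [(0, [src])]
    while heap:
        cost, route = heapq.heappop(heap)
        state = (frozenset(route), tuple(route[-(L - 1):]))
        if state in settled:
            continue
        settled.add(state)
        node = route[-1]
        best.setdefault(node, (cost, route))   # first pop of a router is its cheapest admissible route
        for nxt, w in sorted(graph[node].items()):
            if nxt in route:
                continue                        # loop-free routes only
            candidate = route + [nxt]
            if any(tuple(candidate[-n:]) in banned for n in range(3, L + 1)):
                continue                        # would complete a suspected segment
            heapq.heappush(heap, (cost + w, candidate))
    return best


if __name__ == "__main__":
    graph = build_graph(LINKS)
    for label, susp in (("no suspicion", set()), ("<a,b,c> suspected", SUSPECTED)):
        routes = spf_excluding(graph, "a", susp)
        print(label, {dst: routes[dst] for dst in sorted(routes)})
```

From a, the route to c changes from a, b, c to a, b, d, c once <a,b,c> is suspected: the exclusion is applied to the segment, not to b, which still carries a's traffic toward d.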

Page 25

Overview

- System Model
- Protocol
- Current Status
  - Prototype: Fatih
  - Experience
  - Current Work
- Conclusion

Page 26

Prototype: Fatih

- We have implemented a prototype system, called Fatih
- Runs in user level on a Linux 2.4-based router platform, cooperating with the Zebra OSPF implementation

Page 27

Experiences

- The behavior of Fatih in an emulated network environment
  - Topology based on the Abilene network; each PoP is represented as a single router
  - Each router is in turn emulated by a User-Mode Linux instance
  - Host system: 2.6 GHz Pentium 4 server with 1 GB memory

Page 28

Experiences

Page 29

Current work: Traffic Validation

- Accuracy vs. performance
  - In an idealized network, TV checks info_ri = info_rj
- False positives: real networks occasionally
  - lose packets due to congestion
  - corrupt packets due to interface errors
- False negatives: a subtle attacker
  - preventing the TCP handshake
  - degrading TCP performance

Page 30

Conclusion

- Main contribution
  - Formal specification
  - Distributed detection algorithm
- Counterpart issues
  - Traffic validation
  - Routing the traffic around suspicious path segments
- It is possible
  - to secure networks against attacks on the data plane in a practical manner
  - to provide fault-tolerant forwarding in the face of malicious routers

Page 31

The end

Thank you…