Fatih: Detecting and Isolating Malicious Routers - PowerPoint PPT Presentation

Slides: 32
Provided by: sysne
Transcript and Presenter's Notes

1
Fatih: Detecting and Isolating Malicious Routers
  • Alper T Mizrak, Yu-Chung Cheng,
  • Prof. Keith Marzullo, Prof. Stefan Savage

2
Introduction
  • Routers occupy a key role in modern packet
    switched data networks
  • Packets need to be forwarded hop-by-hop between
    routers
  • Routers can be compromised
    [Ao03, Houle01, Labovitz01]
  • One network operator found 5000 compromised
    routers [Thomas03]
  • If a router is compromised, an adversary can
  • Disrupt the forwarding process
  • Deny service
  • Implement ongoing network surveillance
  • Provide a man-in-the-middle attack

3
Introduction
  • Two threats posed by a compromised router
  • Control plane
  • By means of the routing protocol
  • E.g. announce false route updates
  • Has received the lion's share of the attention
  • [Perlman88, Subramanian04, Kent00, Hu02, Smith96,
    Cheung97, Goodrich01]
  • Data plane
  • By means of the forwarding decisions based on the
    routing tables
  • E.g. alter, misroute, drop, reorder, delay or
    fabricate data packets
  • Has received comparatively little attention
  • Our focus is entirely on this problem

4
Goal
  • Fault tolerant forwarding in the face of
    malicious routers
  • Routers normally make predictable decisions
  • so this problem is a candidate for
    anomaly-based intrusion detection
  • Practical defenses against compromised routers on
    data plane
  • Detecting anomalous forwarding behaviors of
    compromised routers
  • can be identified by correct routers
  • when it deviates from exhibiting expected
    forwarding behavior
  • Bypassing the suspicious entities

5
Basic Idea
  • Mail communication between me and my mom

6
Basic Idea
  • Later on

7
Overview
  • System Model
  • Network Model
  • Threat Model
  • Protocol
  • Current Status
  • Conclusion

8
Network Model
  • Assumptions
  • The routing protocol provides each node with a
    global view of the topology
  • Distributed link-state routing protocol OSPF or
    IS-IS
  • Synchronous system
  • Link-state protocols operate by periodically
  • Key distribution between pairs of nearby routers
  • This overall model is consistent with the typical
    construction
  • Large enterprise IP networks
  • The internal structure of single ISP backbone
    networks

9
Definitions
  • Path: a finite sequence of adjacent routers
  • <Sun, Den, Kan, Ind, Chi, New>
  • x-path segment: a sequence of x routers
  • that is a subsequence of a path
  • <Den, Kan, Ind> is a 3-path segment
  • A router is faulty
  • If it introduces discrepancy into the traffic
  • If it does not participate in the proposed
    protocol

10
Threat Model
  • Can't depend on faulty routers to detect faulty
    routers
  • bad(k): impose an upper bound k on the number of
    adjacent faulty routers in any path
  • bad(2): there can be no more than 2 adjacent
    faulty routers in any path

11
Threat Model
  • Very few end hosts have multiple paths to their
    network infrastructure
  • The fate of individual hosts and of the terminal
    router are directly intertwined
  • The routers at the source and sink of a flow are
    not faulty with respect to that flow's path

12
Overview
  • System Model
  • Protocol
  • Traffic validation
  • Distributed detection
  • Specification
  • An Example Protocol Π_{k+2}
  • Response
  • Current Status
  • Conclusion

13
Traffic Validation
  • Way to tell whether traffic is disrupted en route
  • Represent TV as a predicate
  • TV(π, info_{r_i}^{π,τ}, info_{r_j}^{π,τ})
  • π is a path segment <r_1, r_2, ..., r_x>
  • whose traffic is to be validated between r_i and
    r_j
  • both r_i and r_j are in π

14
Traffic Validation
  • Way to tell whether traffic is disrupted en route
  • Represent TV as a predicate
  • TV(π, info_{r_i}^{π,τ}, info_{r_j}^{π,τ})
  • info_r^{π,τ} is some abstract description of the
    traffic
  • that router r forwarded
  • to be routed along π
  • over some time interval τ

15
Traffic Validation
  • Way to tell whether traffic is disrupted en route
  • Represent TV as a predicate
  • TV(π, info_{r_i}^{π,τ}, info_{r_j}^{π,τ})
  • If routers r_i and r_j are not faulty, then
  • TV(π, info_{r_i}^{π,τ}, info_{r_j}^{π,τ}) evaluates to FALSE
    iff
  • π contains a router that was faulty in π during τ

16
Traffic Summary Information
  • How to represent info_r^{π,τ} concisely?
  • The most precise description of traffic
  • An exact copy of that traffic
  • Many characteristics of the traffic can be
    summarized far more concisely
  • Conservation of flow
  • 100 packets are lost
  • Threat model
  • Drop, misroute

17
Traffic Summary Information
  • How to represent info_r^{π,τ} concisely?
  • The most precise description of traffic
  • An exact copy of that traffic
  • Many characteristics of the traffic can be
    summarized far more concisely
  • Conservation of content
  • f2 is lost
  • Threat model
  • Drop, misroute
  • Modify, fabricate

18
Initial Problem Specification
  • A perfect failure detector (FD) would implement
    the following two properties
  • Accuracy: An FD is Accurate if,
  • whenever a correct router suspects (r,τ)
  • then r was faulty during τ
  • Completeness: An FD is Complete if,
  • whenever a router r is faulty at some time t
  • then all correct routers eventually suspect (r,τ)
    for some τ containing t

19
Challenge
  • Implement the FD via Traffic Validation
  • By collecting traffic information from different
    points in the network
  • Consider
  • Any other router than b and c
  • Can not distinguish between the case of b being
    faulty and of c being faulty
  • Can only infer that at least one of b and c is
    faulty

20
Weaken the Specification
  • Detect suspicious path segments, not individual
    routers
  • An FD returns a pair (π,τ) where π is a path
    segment
  • a-Accuracy: An FD is a-Accurate if,
  • whenever a correct router suspects (π,τ)
  • then |π| ≤ a and some router r was faulty in π
    during τ
  • a-Completeness: An FD is a-Complete if,
  • whenever a router r is faulty at some time t
  • then all correct routers eventually suspect (π,τ)
    for some path segment π with |π| ≤ a such that
  • r was faulty in π at t, and
  • for some interval τ containing t

21
An Example Protocol Π_{k+2}
  • A router r has a set of path segments P_r that it
    monitors.
  • P_r contains all the path segments
  • that have r at one end
  • whose length is at most k+2
  • k is the maximum number of adjacent faulty
    routers along a path
  • for each path segment π in P_r
  • while (true)
  • synchronize with router r' at the other end of π
  • collect info_r^{π,τ} about π for an agreed-upon
    interval τ
  • exchange info_r^{π,τ} and info_{r'}^{π,τ} with
    r' through π
  • if TV(π, info_r^{π,τ}, info_{r'}^{π,τ}) = FALSE then
  • suspect π
  • reliable broadcast (π,τ)
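
The monitoring set P_r and one detection round of the protocol on this slide, as an added example (not the Fatih prototype's code): traffic summaries are SHA-256 fingerprint multisets (conservation of content), the path and packets are constructed, and a faulty router that refuses to exchange its summary is modelled simply as absent from the table.

```python
import hashlib
from collections import Counter

def monitored_segments(paths, r, k):
    """P_r: segments of the known paths that have r at one end and length <= k+2."""
    segs = set()
    for p in paths:
        for i in range(len(p)):
            for j in range(i + 1, min(len(p), i + k + 2)):
                seg = tuple(p[i:j + 1])
                if r in (seg[0], seg[-1]):
                    segs.add(seg)
    return segs

def traffic_info(packets):
    """info_r^{pi,tau}: fingerprints of the packets r forwarded along pi during tau."""
    return Counter(hashlib.sha256(p).hexdigest()[:16] for p in packets)

def tv(info_first, info_last, tolerance=0):
    """TV predicate: FALSE if packets vanished beyond the benign-loss tolerance,
    or if fingerprints appeared that never entered (modified or fabricated)."""
    lost = sum((info_first - info_last).values())
    fabricated = sum((info_last - info_first).values())
    return fabricated == 0 and lost <= tolerance

def detect(paths, forwarded, k, tolerance=0):
    """One round of Pi_{k+2} at every correct router. `forwarded` holds only the
    correct routers' summaries; a segment whose other end never answers is skipped
    (a real run would see a synchronization failure there instead)."""
    suspected = set()
    for r in forwarded:
        for seg in monitored_segments(paths, r, k):
            if seg[0] not in forwarded or seg[-1] not in forwarded:
                continue  # other end is not cooperating
            if not tv(traffic_info(forwarded[seg[0]]),
                      traffic_info(forwarded[seg[-1]]), tolerance):
                suspected.add(seg)
    return suspected

# Constructed traffic (not from the paper): Kan is faulty, it drops pkt3 and
# rewrites pkt1; every router after it forwards the damaged stream.
PATH = ("Sun", "Den", "Kan", "Ind", "Chi", "New")
sent = [b"pkt%d" % i for i in range(5)]
damaged = [b"pkt0", b"pkt1-tampered", b"pkt2", b"pkt4"]
FORWARDED = {"Sun": sent, "Den": sent, "Ind": damaged, "Chi": damaged, "New": damaged}

if __name__ == "__main__":
    for k in (1, 2):
        print(f"bad({k}) suspects:", sorted(detect([PATH], FORWARDED, k)))
```

With bad(1) only the 3-segment <Den, Kan, Ind> is suspected; with bad(2) the 4-segments around Kan are suspected as well, and Kan is in every suspected segment.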

22
Properties of Protocol Π_{k+2}
  • Π_{k+2} is (k+2)-Accurate
  • Π_{k+2} is (k+2)-Complete
  • If r is faulty at some time t, then
  • ∃ a path segment π
  • r ∈ π
  • r introduces a discrepancy into the traffic through
    π during τ containing t
  • Only r_1 and r_x (the first and last routers of π)
    are correct
  • 3 ≤ |π| ≤ k+2
  • r_1 and r_x monitor π and apply Π_{k+2} to π
  • Compute TV(π, info_{r_1}^{π,τ}, info_{r_x}^{π,τ}) to be FALSE
  • Suspect π, disseminate this information to all
    other correct routers

23
Overhead of Protocol Π_{k+2}
  • This algorithm has reasonable overhead
  • For each forwarded packet compute a fingerprint
  • Each router r must synchronize and authenticate
    with the other end of each π in P_r
  • The size of P_r dominates the overhead
  • For the Sprintlink network (Rocketfuel topology) of 315
    routers and 972 links
  • bad(1): a router monitors 35 path segments on
    average
  • bad(2): a router monitors 110 path segments on
    average
  • Dissemination of the suspected path segments can
    be integrated into the link state flooding
    mechanism

24
Response
  • What happens as a result of a detection?
  • Need some countermeasure protocol
  • Inform the administrator
  • Immediate action
  • Bypass the suspicious entities
  • Ideally would be part of the link state protocol
  • We have a version of Dijkstra's SPF that can
    exclude suspected x-path segments

[Figure: topology of routers a, b, c and d; <a,b,c> is suspected]
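
The SPF variant described on this slide, as an added example (not the Fatih prototype's own code): Dijkstra's search is run over states that remember the last few hops, so a route may still pass through a suspected router but never traverses a suspected x-path segment as a whole. The four-router topology follows the figure; its link costs are constructed.

```python
import heapq

def spf_avoiding(graph, src, dst, suspected):
    """Dijkstra over (recent hops) states. graph: {node: {nbr: cost}};
    suspected: iterable of router tuples (x-path segments).
    Returns (cost, path), or (None, None) if every route crosses a suspected segment."""
    banned = set()
    for seg in suspected:
        banned.add(tuple(seg))
        banned.add(tuple(reversed(seg)))  # links are bidirectional
    window = max((len(s) for s in banned), default=2)  # hops worth remembering
    start = (src,)
    best, parent, heap = {start: 0}, {start: None}, [(0, start)]
    while heap:
        cost, state = heapq.heappop(heap)
        if cost > best[state]:
            continue  # stale heap entry
        if state[-1] == dst:
            path = []
            while state is not None:
                path.append(state[-1])
                state = parent[state]
            return cost, path[::-1]
        for nxt, w in graph[state[-1]].items():
            ext = state + (nxt,)
            if any(ext[-len(b):] == b for b in banned if len(ext) >= len(b)):
                continue  # this hop would complete a suspected segment
            nstate = ext[-window:]
            if cost + w < best.get(nstate, float("inf")):
                best[nstate], parent[nstate] = cost + w, state
                heapq.heappush(heap, (cost + w, nstate))
    return None, None

# Constructed topology following the slide's figure: a, b, c, d with <a,b,c> suspected.
TOPOLOGY = {"a": {"b": 1, "d": 3}, "b": {"a": 1, "c": 1, "d": 1},
            "c": {"b": 1, "d": 2}, "d": {"a": 3, "b": 1, "c": 2}}

if __name__ == "__main__":
    print(spf_avoiding(TOPOLOGY, "a", "c", set()))              # (2, ['a', 'b', 'c'])
    print(spf_avoiding(TOPOLOGY, "a", "c", {("a", "b", "c")}))  # (4, ['a', 'b', 'd', 'c'])
```

Note that the detour a, b, d, c still uses router b: only the segment <a,b,c> is excluded, not every router in it, which is what makes segment-level suspicion usable without first knowing which router on the segment is faulty.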
25
Overview
  • System Model
  • Protocol
  • Current Status
  • Prototype Fatih
  • Experience
  • Current Work
  • Conclusion

26
Prototype Fatih
  • We have implemented a prototype system, called
    Fatih.
  • Runs at user level on a
  • Linux 2.4-based router platform
  • cooperating with the Zebra OSPF implementation.

27
Experiences
  • The behavior of Fatih using an emulated network
    environment
  • Topology based on the Abilene network
  • Represent each PoP as a single router
  • Each router is in turn emulated by a User-Mode
    Linux
  • Host system 2.6Ghz Pentium4 server with 1GB
    memory

28
Experiences
29
Current work: Traffic Validation
  • Accuracy vs. performance
  • In an idealized network, TV checks whether
    info_{r_i}^{π,τ} equals info_{r_j}^{π,τ}
  • False positives
  • Real networks occasionally
  • Lose packets due to congestion
  • Corrupt packets due to interface errors
  • False negatives
  • Subtle attacker
  • Preventing TCP handshake
  • Degrading TCP performance

30
Conclusion
  • Main contribution
  • Formal specification
  • Distributed detection algorithm
  • Counterpart issues
  • Traffic validation
  • Routing the traffic around suspicious path
    segments
  • It is possible
  • To secure networks against attacks on data plane
    in a practical manner
  • To provide fault tolerant forwarding in the face
    of malicious routers

31
The end
  • Thank you