Distributed snapshots: determining global states of distributed systems
ACM Transactions on Computer Systems (TOCS)
Unreliable failure detectors for reliable distributed systems
Journal of the ACM (JACM)
Protecting routing infrastructures from denial of service using cooperative intrusion detection
NSPW '97 Proceedings of the 1997 workshop on New security paradigms
Trajectory sampling for direct traffic observation
Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication
The Byzantine Generals Problem
ACM Transactions on Programming Languages and Systems (TOPLAS)
Space/time trade-offs in hash coding with allowable errors
Communications of the ACM
Ariadne: a secure on-demand routing protocol for ad hoc networks
Proceedings of the 8th annual international conference on Mobile computing and networking
Intrusion Detection via System Call Traces
IEEE Software
Measuring ISP topologies with rocketfuel
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
A case study of OSPF behavior in a large enterprise network
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
UMAC: Fast and Secure Message Authentication
CRYPTO '99 Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology
Secure traceroute to detect faulty or malicious routing
ACM SIGCOMM Computer Communication Review
Experiences With Monitoring OSPF on a Regional Service Provider Network
ICDCS '03 Proceedings of the 23rd International Conference on Distributed Computing Systems
An efficient message authentication scheme for link state routing
ACSAC '97 Proceedings of the 13th Annual Computer Security Applications Conference
Using Conservation of Flow as a Security Mechanism in Network Protocols
SP '00 Proceedings of the 2000 IEEE Symposium on Security and Privacy
In search of path diversity in ISP networks
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Listen and whisper: security mechanisms for BGP
NSDI'04 Proceedings of the 1st conference on Symposium on Networked Systems Design and Implementation - Volume 1
Path-quality monitoring in the presence of adversaries
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Review: Analyzing well-known countermeasures against distributed denial of service attacks
Computer Communications
| Hi-index | 0.00 |
Network routers occupy a unique role in modern distributed systems. They are responsible for cooperatively shuttling packets amongst themselves in order to provide the illusion of a network with universal point-to-point connectivity. However, this illusion is shattered—as are implicit assumptions of availability, confidentiality, or integrity—when network routers are subverted to act in a malicious fashion. By manipulating, diverting, or dropping packets arriving at a compromised router, an attacker can trivially mount denial-of-service, surveillance, or man-in-the-middle attacks on end host systems. Consequently, Internet routers have become a choice target for would-be attackers and thousands have been subverted to these ends. In this paper, we specify this problem of detecting routers with incorrect packet forwarding behavior and we explore the design space of protocols that implement such a detector. We further present a concrete protocol that is likely inexpensive enough for practical implementation at scale. Finally, we present a prototype system, called Fatih, that implements this approach on a PC router and describe our experiences with it. We show that Fatih is able to detect and isolate a range of malicious router actions with acceptable overhead and complexity. We believe our work is an important step in being able to tolerate attacks on key network infrastructure components.