Detecting disruptive routers: a distributed network monitoring approach
- 27 November 2002
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- No. 10816011, p. 115-124
- https://doi.org/10.1109/secpri.1998.674828
Abstract
An attractive target for a computer system attacker is the router. An attacker in control of a router can disrupt communication by dropping or misrouting packets passing through the router. We present a protocol called WATCHERS that detects and reacts to routers that drop or misroute packets. WATCHERS is based on the principle of conservation of flow in a network: all data bytes sent into a node, and not destined for that node, are expected to exit the node. WATCHERS tracks this flow, and detects routers that violate the conservation principle. We show that WATCHERS has several advantages over existing network monitoring techniques. We argue that WATCHERS' impact on router performance and WATCHERS' memory requirements are reasonable for many environments. We demonstrate that in ideal conditions WATCHERS makes no false-positive diagnoses. We also describe how WATCHERS can be tuned to perform nearly as well in realistic conditions.
This publication has 5 references indexed in Scilit:
- OSPF Version 2. Published by RFC Editor, 1997
- Protecting routing infrastructures from denial of service using cooperative intrusion detection. Published by Association for Computing Machinery (ACM), 1997
- Setting optimal intrusion-detection thresholds. Computers & Security, 1995
- Simple Network Management Protocol (SNMP). Published by RFC Editor, 1990
- Security problems in the TCP/IP protocol suite. ACM SIGCOMM Computer Communication Review, 1989