Enhance WATCHERS Protocol _ OSPF Attack Detection

Enhance WATCHERS Protocol

 H. K. Chang
 2000/12/17
Outline
 WATCHERS Protocol
 Attack Scenarios in WATCHERS Protocol
 Questionable Assumptions in WATCHERS Protocol
 Enhance WATCHERS Protocol (My Design)
 Reference
Introduction
 There are several methods for network security:

  -Encryption
  -Firewall
  -Intrusion detection
Introduction(Cont.)

 An attacker in control of a router can cause:

  - Dropped packets.
  - Misrouted packets.
  - An unstable network topology.
WATCHERS Protocol[1]
 WATCHERS is a distributed network monitoring protocol designed to detect and isolate such malicious routers.

 The WATCHERS protocol requires each pair of directly connected routers to maintain a set of counters.
Counter type
 Let x and y be adjacent routers.

  -Tx,y: The number of packets transiting through x and then y.
  -Sx,y: The number of packets with source x that pass through y.
  -Dx,y: The number of packets with destination y that pass through x.
  -Mx,y: The number of times x misroutes a packet to y.
Work
 Periodically, each router sends a broadcast message to begin a round of WATCHERS. (Request message)
 When a router has received a request message from a majority of routers, it floods the network with the value of its counters. (Response message)
Work(Cont.)
 Validation
  -Checks that the router's neighbor

 Conservation-of-Flow
  -Each router performs this test on its neighbors, having received the counters from each neighbor's neighbor.
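As an added example (not from the slides or the WATCHERS paper), a simplified conservation-of-flow balance over the four counters defined above. It assumes Tx,y and Sx,y count packets x hands to y that y must forward onward, Dx,y counts packets that terminate at y (so they drop out of the balance), My,z is kept by neighbour z, and the threshold is the tolerance for ordinary loss that the deck later discusses.

```python
# Assumed counter semantics (see lead-in): keys are (from_router, to_router).
# T: transit packets, S: packets originated at the first router,
# D: packets terminating at the second router, M: misroutes seen by the
# second router. Plain dicts so a missing pair simply counts as zero.

def flow_imbalance(y, neighbours, T, S):
    """Packets handed to y for forwarding minus packets y forwarded on.
    A positive result is traffic y cannot account for (dropped packets)."""
    inbound = sum(T.get((x, y), 0) + S.get((x, y), 0) for x in neighbours)
    outbound = sum(T.get((y, z), 0) for z in neighbours)
    return inbound - outbound

def is_disruptive(y, neighbours, T, S, M, threshold):
    """Flag y when its unaccounted packets exceed `threshold` (tolerance for
    ordinary loss) or any neighbour counted a packet y misrouted to it."""
    lost = flow_imbalance(y, neighbours, T, S)
    misrouted = sum(M.get((y, z), 0) for z in neighbours)
    return lost > threshold or misrouted > 0

# Constructed counters for the path A -> Y -> B with Y under test.
T = {("A", "Y"): 100, ("Y", "B"): 70}   # transit packets x handed to y
S = {("A", "Y"): 20}                    # packets originated at A, via Y
D = {("A", "Y"): 10}                    # terminate at Y; not in the balance
M = {}                                  # no neighbour saw a misroute

def check_router_y(threshold=5):
    """Return (unaccounted packets, verdict) for Y with the sample counters."""
    nbrs = ["A", "B"]
    return (flow_imbalance("Y", nbrs, T, S),
            is_disruptive("Y", nbrs, T, S, M, threshold))
```

With the sample counters Y received 120 packets to forward but passed on only 70, so 50 are unaccounted for and Y is flagged; a router that forwarded all 120 would balance to zero.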
Attack Scenarios[2]
 Packet Modification
 Packet Substitution
 Ghost router
 Hot Potato
 Kamikaze router
 Source routing
 Premature Aging
Packet Modification
 Fig.1 Switching packet destinations (diagram: routers A, B, C, X; packets Pax and Pac)
Packet Substitution
 Fig.2 Packet Substitution (diagram: routers A, B, C, X; packets Pax and Pbx)
Ghost router
 Fig.3 Ghost router creation (diagram: routers A, A, B)
 Fig.4 Topology changes used to induce packet misrouting (diagram: routers A, B, C, E, X; (a) link A-E down, (b) link A-E up with packet Pxa)
Hot Potato
 Fig.5 Topology changes used to delay incoming messages (diagram: routers A, B, C; A-B up and A-C down, then A-C up and A-B down)
 Fig. 6 Bad router A neighboring critical router B (diagram: A above B)
Source routing
 Discarded packets must be accounted for.

 A malicious router can place on the network a self-addressed packet.

 We postulate that intermediate routers will only check whether the next hop is reachable.
Premature Aging
 Internet packets have a Time to Live (TTL) field that, upon reaching 0, will cause the packet to be discarded.

 A router can set the TTL field to 1 in both originating and transient packets, forcing the next hop to drop the packet before reaching its destination.
Questionable Assumption(1)
 Spoofing and packet modification will not occur.
 All possible routing actions and methods are validated by the WATCHERS protocol.
 Routers that have external links are not required to be Good.
Questionable Assumption(2)
 Consistency in nodes' views of the network topology.
 WATCHERS Protocol will be performed on all nodes.
 Realistic disagreements in the Conservation-of-Flow analysis stage can be resolved through setting appropriate threshold levels.
Questionable Assumption(3)
 Messages are not passed simultaneously, and routers have no associated delay in WATCHERS' proof of correctness.
Enhance WATCHERS Protocol
 We must make sure of:

 - Consistency of the network topology.

 - WATCHERS Protocol will be performed on all nodes.

 - Spoofing and packet modification will be detected.
Counter type
 Let x and y be adjacent routers.
  -Tx,y: The number of packets transiting through x and then y.
  -Sx,y: The number of packets with source x that pass through y.
  -Dx,y: The number of packets with destination y that pass through x.
  -Mx,y: The number of times x misroutes a packet to y.
  -TDy: The number of TTL field errors at y.
 Fig. 7 Design Architecture (diagram: Router 1 to Router 6, each with a Monitor; subnets 172.16.121.x, 172.16.123.x, 172.16.125.x, 172.16.127.x)
Consistency of the network topology.

 The WATCHERS paper suggests using OSPF.
 We must make sure that nodes' views of the network topology, as provided by OSPF, are consistent.
 Unfortunately OSPF contains vulnerable fields in its LSA.
OSPF attack[5]
 Four OSPF insider attacks
  -Seq++ Attack
  -MaxAge Attack
  -MaxSeq Attack
  -LSID Attack
OSPF attack
 Seq++ Attack
 -When the attacker receives an LSA instance, it modifies the link-state metric and increases the LSA sequence number by 1.
 -The effect of this attack is an unstable network topology.
OSPF attack
 MaxSeq Attack
 -The MaxSeq attack modifies the link state metric and sets the LSA sequence number to the Max Sequence Number.
 -If the OSPF protocol is indeed implemented correctly, then it is similar to the Seq++ attack.
 -An attacker can control the network topology database for up to one hour.
OSPF attack
 LSID Attack
 -The Link State ID and the Advertising Router ID of a router LSA should be the same.
 -The attacker modifies the LSA's Link State ID such that it is different from the router ID.
 -The originator of this LSA will use this LSID as a hash key to locate the database index pointer.
 -It will cause a segmentation fault.
OSPF Attack Detection
 The monitor must establish the link state of the network through the monitors' communication.

 Use the shortest path and check the sequence field, age field, Link State ID field and Advertising Router ID field to detect OSPF attacks.
OSPF Attack Detection
 Detection rule (Python-style pseudocode; Route[n] holds the attack counters a monitor keeps for router n):

 if not on_shortest_path:
     if seq_is_new:
         Route[n].seq_attack += 1
     elif age == MaxAge:
         Route[n].MaxAge_attack += 1
     elif LinkStateID != AdvertisingRouterID:
         Route[n].LSID_attack += 1

 if Route[n].seq_attack + Route[n].MaxAge_attack + Route[n].LSID_attack > threshold:
     # Route[n] is a malicious router
 Fig. 8 Shortest path and network topology (diagram: routers A, B, C, D, E, F, X)
 Fig. 9 Attack Detection (diagram: routers A, B, C, D, E, F, X, one marked as the malicious router)
Work
 When the network topology has changed, each monitor floods the network with the value of its counters.
 Each monitor checks the values it receives from the other monitors.
 Each monitor floods the network with the identity of any malicious router it detects.
Work(Cont.~)
 If n/2 monitors think a router is a malicious router, the router is a malicious router.
 The malicious router must be removed logically.
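As an added example (my code, not the deck's design or any OSPF implementation), the detection rule from the pseudocode above together with the majority vote across monitors from this slide. Names such as LSA, classify_lsa, monitor_verdict and majority_vote are assumptions; the shortest-path comparison is assumed to be computed elsewhere and is passed in as the set of routers whose LSAs agree with it.

```python
from dataclasses import dataclass
from collections import Counter

MAX_AGE = 3600  # OSPF LSA MaxAge in seconds

@dataclass
class LSA:
    advertising_router: str
    link_state_id: str
    seq: int
    age: int

def classify_lsa(lsa, expected_seq, on_shortest_path):
    """Label one LSA per the deck's rule: only LSAs that contradict the
    monitor's shortest-path view are examined, then seq, age and LSID."""
    if on_shortest_path:
        return None
    if lsa.seq > expected_seq:  # "seq is new": Seq++ or MaxSeq injection
        return "seq"
    if lsa.age == MAX_AGE:      # LSA being flushed early (MaxAge attack)
        return "maxage"
    if lsa.link_state_id != lsa.advertising_router:
        return "lsid"
    return None

def monitor_verdict(lsas, expected_seq, consistent, threshold):
    """One monitor's per-router attack counters; `consistent` is the set of
    routers whose LSAs agree with its shortest-path computation (assumed
    done elsewhere). Returns routers whose counter exceeds threshold."""
    counts = Counter()
    for lsa in lsas:
        r = lsa.advertising_router
        if classify_lsa(lsa, expected_seq[r], r in consistent):
            counts[r] += 1
    return {r for r, n in counts.items() if n > threshold}

def majority_vote(verdicts, n_monitors):
    """Deck's rule: a router is malicious when n/2 monitors say so."""
    tally = Counter(r for v in verdicts for r in v)
    return {r for r, n in tally.items() if n >= n_monitors / 2}

# Constructed sample: C floods two Seq++ LSAs and one with a bad LSID;
# in demo(), the third monitor has stale state and still trusts C.
EXPECTED = {"A": 5, "C": 5}
SAMPLE = [LSA("A", "A", 5, 10), LSA("C", "C", 6, 10),
          LSA("C", "C", 7, 10), LSA("C", "X", 5, 10)]

def demo():
    votes = [monitor_verdict(SAMPLE, EXPECTED, s, 2)
             for s in ({"A"}, {"A"}, {"A", "C"})]
    return majority_vote(votes, 3)
```

Two of three monitors exceed the threshold for C, which meets the n/2 rule, so demo() returns {"C"} even though the third monitor saw nothing.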
Reference
 [1] K. A. Bradley, S. Cheung, N. Puketza, B. Mukherjee, and R. A. Olsson. Detecting disruptive routers: a distributed network monitoring approach. In Proceedings of the 1998 IEEE Symposium on Security and Privacy, 1998.

 [2] J. R. Hughes, T. Aura, and M. Bishop. Using conservation of flow as a security mechanism in network protocols. In Proceedings of the 2000 IEEE Symposium on Security and Privacy, 2000.

 [3] F. Baker and R. Coltun. OSPF version 2 management information base. Internet RFC 1850, November
Reference(Cont.~)
 [4] Steven Cheung and Karl N. Levitt. "Protecting Routing Infrastructures from Denial of Service Using Cooperative Intrusion Detection". In New Security Paradigms Workshop, Cumbria, UK, September 23-26, 1997. IEEE Computer Society Press.

 [5] Diheng Qu, B. Vetter, Feiyi Wang, R. Narayan, S. Wu, Y. Jou, F. Gong, and C. Sargor. Statistical anomaly detection for link state routing protocols. In IEEE International Conference on Network Protocols, pages 62-70, Austin, Texas, October 13-16, 1998. IEEE Computer Society.