{"title":"路由器防火墙:防止路由错误行为","authors":"Ying Zhang, Z. Morley Mao, Jia Wang","doi":"10.1109/DSN.2007.7","DOIUrl":null,"url":null,"abstract":"In this work, we present the novel idea of route normalization by correcting on the fly routing traffic on behalf of a local router to protect the local network from malicious and misconfigured routing updates. Analogous to traffic normalization for network intrusion detection systems, the proposed RouteNormalizer patches ambiguities and eliminates semantically incorrect routing updates to protect against routing protocol attacks. Furthermore, it serves the purpose of a router firewall by identifying resource-based attacks against routers. Upon detecting anomalous routing changes, it suggests local routing policy modifications to improve route selection decisions. Deploying a RouteNormalizer requires no modification to routers if desired using a transparent TCP proxy setup. In this paper, we present the detailed design of the RouteNormalizer and evaluate it using a prototype implementation based on empirical BGP routing updates. We validate its effectiveness by showing that many well-known routing problems from operator mailing lists are correctly identified.","PeriodicalId":405751,"journal":{"name":"37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07)","volume":"81 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2007-06-25","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":"{\"title\":\"A Firewall for Routers: Protecting against Routing Misbehavior\",\"authors\":\"Ying Zhang, Z. Morley Mao, Jia Wang\",\"doi\":\"10.1109/DSN.2007.7\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this work, we present the novel idea of route normalization by correcting on the fly routing traffic on behalf of a local router to protect the local network from malicious and misconfigured routing updates. 
Analogous to traffic normalization for network intrusion detection systems, the proposed RouteNormalizer patches ambiguities and eliminates semantically incorrect routing updates to protect against routing protocol attacks. Furthermore, it serves the purpose of a router firewall by identifying resource-based attacks against routers. Upon detecting anomalous routing changes, it suggests local routing policy modifications to improve route selection decisions. Deploying a RouteNormalizer requires no modification to routers if desired using a transparent TCP proxy setup. In this paper, we present the detailed design of the RouteNormalizer and evaluate it using a prototype implementation based on empirical BGP routing updates. We validate its effectiveness by showing that many well-known routing problems from operator mailing lists are correctly identified.\",\"PeriodicalId\":405751,\"journal\":{\"name\":\"37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07)\",\"volume\":\"81 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2007-06-25\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"5\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN'07)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/DSN.2007.7\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks 
(DSN'07)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/DSN.2007.7","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A Firewall for Routers: Protecting against Routing Misbehavior
In this work, we present the novel idea of route normalization: correcting routing traffic on the fly on behalf of a local router to protect the local network from malicious and misconfigured routing updates. Analogous to traffic normalization for network intrusion detection systems, the proposed RouteNormalizer patches ambiguities and eliminates semantically incorrect routing updates to protect against routing protocol attacks. Furthermore, it serves the purpose of a router firewall by identifying resource-based attacks against routers. Upon detecting anomalous routing changes, it suggests local routing policy modifications to improve route selection decisions. If desired, a RouteNormalizer can be deployed with no modification to routers by using a transparent TCP proxy setup. In this paper, we present the detailed design of the RouteNormalizer and evaluate it using a prototype implementation based on empirical BGP routing updates. We validate its effectiveness by showing that many well-known routing problems from operator mailing lists are correctly identified.