A Routing Intrusion-Detection Scheme

Attackers may exploit the routing protocol in order to gain full control over data flowing through the network. This enables them to stop or redirect data traffic, intercept critical information, or modify data. Additionally, they can corrupt the routing protocol and completely stop network operations. This paper presents a new intrusion-detection system capable of warning network administrators of such attacks, as well as of any abnormal behavior of the routing protocol, by continuously monitoring the behavior of the network. The attacks considered are based either on the reachability prefix information advertised by the nodes participating in the protocol execution, on the rate at which elements are generated, or on the amount of topology-related information generated. The proposed model is capable of detecting abnormal behavior, such as misconfigurations that are not detectable by conventional network-management tools, and specific malicious attacks (e.g., denial of service and misrouting). It applies to the IS-IS, OSPF, and PNNI routing protocols because it uses a generic model of a network topology capable of dealing with link-state routing protocols. The scheme developed has been successfully tested on several large production networks.

By: Daniel Bauer, Marc Dacier, Ilias Iliadis and Paolo Scotton

Published in: RZ3493 in 2001

LIMITED DISTRIBUTION NOTICE:

This Research Report is available. This report has been submitted for publication outside of IBM and will probably be copyrighted if accepted for publication. It has been issued as a Research Report for early dissemination of its contents. In view of the transfer of copyright to the outside publisher, its distribution outside of IBM prior to publication should be limited to peer communications and specific requests. After outside publication, requests should be filled only by reprints or legally obtained copies of the article (e.g., payment of royalties).
