
System for Detection of Intrusions Based on Sequence Number Irregularities

IP.com Disclosure Number: IPCOM000123888D
Original Publication Date: 1999-Jun-01
Included in the Prior Art Database: 2005-Apr-05
Document File: 3 page(s) / 137K

Publishing Venue

IBM

Related People

Dacier, M: AUTHOR (and 3 further related people not shown in this extract)

Abstract

Problem Background. Link state routing protocols such as OSPF {OSPF} and PNNI {PNNI} describe the elements of a network (for example the nodes, links, and reachable addresses) in special control packets called LSAs in OSPF and PTSEs in PNNI. Hereafter these are referred to by the generic term topology state element (TSE). A TSE is created by a node to describe its local topology (the node itself, the links going out of that node, and the addresses reachable on that node) and all TSEs are flooded through the network and stored in each node. Therefore each node is aware of the topology of the entire network, and is able to route data through the network to its intended destination.

This is the abbreviated version, containing approximately 43% of the total text.

System for Detection of Intrusions Based on Sequence Number Irregularities

   Problem Background

   Link state routing protocols such as OSPF {OSPF} and PNNI
{PNNI} describe the elements of a network (for example the nodes,
links, and reachable addresses) in special control packets called
LSAs in OSPF and PTSEs in PNNI.  Hereafter these are referred to by
the generic term topology state element (TSE).  A TSE is created by a
node to describe its local topology (the node itself, the links going
out of that node, and the addresses reachable on that node) and all
TSEs are flooded through the network and stored in each node.
Therefore each node is aware of the topology of the entire network,
and is able to route data through the network to its intended
destination.

   Since networks are distributed, and since the parameters
in the TSEs change over time, it is not possible to keep all nodes in
the network perfectly synchronized all of the time.  In particular
there will frequently be multiple versions of any given TSE in the
network.  Every protocol defines a method (or methods) of determining
which TSE is more recent so that nodes can keep the current
information and discard the out-of-date information.  The most common
method is to use a sequence number field that starts at zero and
which is incremented by one each time the information in the TSE is
updated.  A node will use the TSE with the highest sequence number
and discard the rest.

   Networks in which a link state protocol is used for routing
(this includes most of today's IP and ATM networks) are vulnerable
to attack or incorrect operation since the TSEs of a given node can
easily be overridden by any other node in the network.  As an
example consider the network shown in Figure 1.

   In the example network, node C is at a critical location
since it provides connectivity to the rest of the network for nodes
A, B, and D.  Node C will create and flood TSEs to advertise the link
C-A, and the link C-B.  Node D could maliciously or due to an error
condition flood TSEs into the network that cause those links to be
lost in the topology.  To accomplish this it would put the node
identification of node C in the TSE, use the same TSE identifier as
in the real TSEs, use a higher sequence number than that used in the
real TSEs, and in a manner specific to the protocol in use, indicate
that the link is no longer available.  Since these incorrect TSEs are
flooded in the network, node C will eventually be able to recognize
the error, and issue an updated TSE (with a higher sequence number)
that adds the links back again.  However to ensure network stability
a node is prevented from reissuing its TSEs for some interval, and
therefore there will be a delay before the links can be re-added.  As
soon as C floods the new (correct) TSEs, node D could immediately
remove them again by repeating the procedure described above.  In
this way node D can keep all other nodes from using those li...
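The recency rule (highest sequence number wins), the override by node D, and the reissue delay at node C, carried through in an added Python simulation. This is not code from the disclosure: the topology (C as hub for A, B, D, with E standing for the rest of the network), the time values, and the two irregularity checks (an originator noticing a TSE in its own name that it never issued, and a rate heuristic on how often one TSE is replaced) are assumptions for illustration, since the abbreviated text above stops before the detection mechanism itself.

```python
"""Sequence-number override in a link-state flood, with two irregularity
checks.  Constructed example: topology, node names, timings and the checks
are assumptions for illustration, not the disclosure's own mechanism."""
from dataclasses import dataclass, field

REISSUE_INTERVAL = 5   # assumed minimum gap between a node's own re-issues
RATE_LIMIT = 3         # assumed: this many prior replacements of one TSE ...
RATE_WINDOW = 20       # ... within this many time units counts as irregular


@dataclass(frozen=True)
class TSE:
    originator: str      # node the TSE claims to describe
    tse_id: str          # which element of that node (here always "links")
    seq: int             # recency: the highest sequence number wins
    links: frozenset     # neighbours the originator says it can reach


@dataclass
class Node:
    name: str
    neighbours: frozenset
    lsdb: dict = field(default_factory=dict)      # (originator, tse_id) -> TSE
    own_seq: int = 0                               # last seq this node issued
    last_issue: int = -REISSUE_INTERVAL            # time of last own issue
    installs: list = field(default_factory=list)   # (time, key) of accepted TSEs
    alerts: list = field(default_factory=list)

    def install(self, tse, now):
        """Recency rule from the text: keep the TSE with the highest seq."""
        key = (tse.originator, tse.tse_id)
        cur = self.lsdb.get(key)
        if cur is not None and cur.seq >= tse.seq:
            return False                           # stale or duplicate: discard
        self._check(tse, key, now)
        self.lsdb[key] = tse
        self.installs.append((now, key))
        return True

    def _check(self, tse, key, now):
        # Originator-side check: a TSE in our own name that we never issued.
        if tse.originator == self.name and tse.seq > self.own_seq:
            self.alerts.append((now, "self", tse.seq, self.own_seq))
        # Rate heuristic (assumed): the same TSE keeps being replaced.
        recent = [t for t, k in self.installs if k == key and now - t <= RATE_WINDOW]
        if len(recent) >= RATE_LIMIT:
            self.alerts.append((now, "rate", key, len(recent) + 1))


class Network:
    def __init__(self, adjacency):
        self.nodes = {n: Node(n, frozenset(nb)) for n, nb in adjacency.items()}

    def flood(self, src, tse, now):
        """Every node that installs the TSE forwards it to all its neighbours."""
        pending = [src]
        while pending:
            n = pending.pop()
            if self.nodes[n].install(tse, now):
                pending.extend(self.nodes[n].neighbours)

    def originate(self, name, links, now):
        """Honest issue: one above anything seen for our own TSE, but no
        sooner than REISSUE_INTERVAL after the last issue (stability rule)."""
        node = self.nodes[name]
        if now - node.last_issue < REISSUE_INTERVAL:
            return None
        seen = node.lsdb.get((name, "links"))
        node.own_seq = max(node.own_seq, seen.seq if seen else 0) + 1
        node.last_issue = now
        tse = TSE(name, "links", node.own_seq, frozenset(links))
        self.flood(name, tse, now)
        return tse

    def forge(self, attacker, victim, links, now):
        """The override from the text: reuse the victim's node id and TSE id
        with a higher sequence number and a reduced link set."""
        cur = self.nodes[attacker].lsdb[(victim, "links")]
        tse = TSE(victim, "links", cur.seq + 1, frozenset(links))
        self.flood(attacker, tse, now)
        return tse

    def links_of(self, viewer, originator):
        return set(self.nodes[viewer].lsdb[(originator, "links")].links)


def scenario():
    """Run the flap from the text; return the network, A's view of C's links
    after each step, and the results of C's two reissue attempts."""
    # Constructed topology: C is the hub for A, B, D; E stands for the rest.
    net = Network({"A": {"C"}, "B": {"C"}, "C": {"A", "B", "D", "E"},
                   "D": {"C"}, "E": {"C"}})
    log = []
    net.originate("C", {"A", "B", "D", "E"}, now=0); log.append(net.links_of("A", "C"))
    net.forge("D", "C", {"D", "E"}, now=1);         log.append(net.links_of("A", "C"))
    blocked = net.originate("C", {"A", "B", "D", "E"}, now=2)  # too soon: None
    fixed = net.originate("C", {"A", "B", "D", "E"}, now=5);  log.append(net.links_of("A", "C"))
    net.forge("D", "C", {"D", "E"}, now=6);         log.append(net.links_of("A", "C"))
    return net, log, blocked, fixed
```

Running `scenario()` shows the sequence the text describes: every node, including C itself, replaces C's advertisement with D's forgery because the forgery carries the higher sequence number; C cannot reissue until the interval has elapsed; and as soon as it does, D overrides it again. The originator-side check fires at C on both forgeries, while the rate heuristic only fires on the second round, once one TSE has been replaced enough times inside the window.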