Router Systems Security

SoS Newsletter - Advanced Book Block

Routers are among the most ubiquitous electronic devices in use. Basic security from protocols and encryption can be readily achieved, but routing has many leaks. The articles cited here look at route leaks, stack protection, and mobile platforms using Tor, iOS and Android OS. They were published in the first half of 2014.

  • Siddiqui, M.S.; Montero, D.; Yannuzzi, M.; Serral-Gracia, R.; Masip-Bruin, X., "Diagnosis of Route Leaks Among Autonomous Systems In The Internet," Smart Communications in Network Technologies (SaCoNeT), 2014 International Conference on, pp. 1-6, 18-20 June 2014. doi: 10.1109/SaCoNeT.2014.6867765 Border Gateway Protocol (BGP) is the de facto inter-domain routing protocol in the Internet. It was designed without an inherent security mechanism and hence is prone to a number of vulnerabilities which can cause large scale disruption in the Internet. Route leak is one such inter-domain routing security problem which has the potential to cause wide-scale Internet service failure. Route leaks occur when autonomous systems violate export policies while exporting routes. As BGP security has been an active research area for over a decade now, several security strategies were proposed, some of which either advocated complete replacement of the BGP or addition of new features in BGP, but they failed to achieve global acceptance. Even the most recent effort in this regard, led by the Secure Inter-Domain Routing (SIDR) working group (WG) of IETF, fails to counter all the BGP anomalies, especially route leaks. In this paper we look at the efforts in countering the policy related BGP problems and provide analytical insights into why they are ineffective. We contend a new direction for future research in managing the broader security issues in the inter-domain routing. In that light, we propose a naive approach for countering the route leak problem by analyzing the information available at hand, such as the RIB of the router. The main purpose of this paper was to position and highlight the autonomous smart analytical approach for tackling policy related BGP security issues.
Keywords: Internet; computer network security; routing protocols; BGP security issue; IETF; Internet autonomous systems; Secure InterDomain Routing working group; border gateway protocol; interdomain routing protocol; interdomain routing security problem; route leak diagnosis; security issues; IP networks; Internet; Radiation detectors; Routing; Routing protocols; Security (ID#:14-2464) URL:
  • Peng Wu; Wolf, T., "Stack Protection In Packet Processing Systems," Computing, Networking and Communications (ICNC), 2014 International Conference on, pp. 53-57, 3-6 Feb. 2014. doi: 10.1109/ICCNC.2014.6785304 Network security is a critical aspect of Internet operations. Most network security research has focused on protecting end-systems from hacking and denial-of-service attacks. In our work, we address hacking attacks on the network infrastructure itself. In particular, we explore data plane stack smashing attacks that have been demonstrated successfully on network processor systems. We explore their use in the context of software routers that are implemented on top of general-purpose processors and operating systems. We discuss how such attacks can be adapted to these router systems and how stack protection mechanisms can be used as defense. We show experimental results that demonstrate the effectiveness of these stack protection mechanisms. Keywords: Internet; computer crime; computer network security; general purpose computers; operating systems (computers); packet switching; telecommunication network routing; Internet; computer network security; denial of service attacks; end systems protection; general purpose processor; hacking attacks; network infrastructure; network processor systems; operating systems; packet processing system; router systems; smashing attacks; software routers; stack protection mechanism; Computer architecture; Information security; Linux; Operating systems; Protocols; attack; defense; network security; stack smashing (ID#:14-2465) URL:
  • Frantti, Tapio; Roning, Juha, "A Risk-Driven Security Analysis For A Bluetooth Low Energy Based Microdata Ecosystem," Ubiquitous and Future Networks (ICUFN), 2014 Sixth International Conference on, pp. 69-74, 8-11 July 2014. doi: 10.1109/ICUFN.2014.6876753 This paper presents security requirements, risk survey, security objectives, and security controls of the Bluetooth Low Energy (BLE) based Catcher devices and the related Microdata Ecosystem of Ceruus company for a secure, energy efficient and scalable wireless content distribution. The system architecture was composed of the Mobile Cellular Network (MCN) based gateway/edge router device, such as Smart Phone, Catchers, and web based application servers. It was assumed that MCN based gateways communicate with application servers and surrounding Catcher devices. The analysis of the scenarios developed highlighted common aspects and led to security requirements, objectives, and controls that were used to define and develop the Catcher and MCN based router devices and guide the system architecture design of the Microdata Ecosystem. Keywords: Authentication; Ecosystems; Encryption; Logic gates; Protocols; Servers; Internet of Things; authentication; authorization; confidentiality; integrity; security; timeliness (ID#:14-2466) URL:
  • Wassel, H.M.G.; Ying Gao; Oberg, J.K.; Huffmire, T.; Kastner, R.; Chong, F.T.; Sherwood, T., "Networks on Chip with Provable Security Properties," Micro, IEEE, vol. 34, no. 3, pp. 57-68, May-June 2014. doi: 10.1109/MM.2014.46 In systems where a lack of safety or security guarantees can be catastrophic or even fatal, noninterference is used to separate domains handling critical (or confidential) information from those processing normal (or unclassified) data for purposes of fault containment and ease of verification. This article introduces SurfNoC, an on-chip network that significantly reduces the latency incurred by strict temporal partitioning. By carefully scheduling the network into waves that flow across the interconnect, data from different domains carried by these waves are strictly noninterfering while avoiding the significant overheads associated with cycle-by-cycle time multiplexing. The authors describe the scheduling policy and router microarchitecture changes required, and evaluate the information-flow security of a synthesizable implementation through gate-level information flow analysis. When comparing their approach for varying numbers of domains and network sizes, they find that in many cases SurfNoC can reduce the latency overhead of implementing cycle-level noninterference by up to 85 percent. Keywords: network-on-chip; processor scheduling; security of data; SurfNoC; cycle-by-cycle time multiplexing; cycle-level noninterference; gate-level information flow analysis; information-flow security; network scheduling; networks on chip; provable security properties; Computer architecture; Computer security; Microarchitecture; Network-on-chip; Ports (Computers); Quality of service; Schedules; high performance computing; high-assurance systems; networks on chip; noninterference; security; virtualization (ID#:14-2467) URL:
  • Sivaraman, V.; Matthews, J.; Russell, C.; Ali, S.T.; Vishwanath, A., "Greening Residential WiFi Networks under Centralized Control," Mobile Computing, IEEE Transactions on, vol. PP, no. 99, pp. 1-1, May 2014. doi: 10.1109/TMC.2014.2324582 Residential broadband gateways (comprising modem, router, and WiFi access point), though individually consuming only 5-10 Watts of power, are significant contributors to overall network energy consumption due to large deployment numbers. Moreover, home gateways are typically always on, so as to provide continuous online presence to household devices for VoIP, smart metering, security surveillance, medical monitoring, etc. A natural solution for reducing the energy consumption of home gateways is to leverage the overlap of WiFi networks common in urban environments and aggregate user traffic on to fewer gateways, thus putting the remaining to sleep. In this paper we propose, evaluate, and prototype an architecture that overcomes significant challenges in making this solution feasible at large-scale. We advocate a centralized approach, whereby a single authority coordinates the home gateways to maximize energy savings in a fair manner. Our solution can be implemented across heterogeneous ISPs, avoids client-side modifications (thus encompassing arbitrary user devices and operating systems), and permits explicit control of session migrations. We apply our solution to WiFi traces collected in a building with 30 access points and 25,000 client connections, and evaluate via simulation the trade-offs between energy savings, session disruptions, and fairness. We then prototype our system on commodity WiFi access points, test it in a two-storey building emulating 6 residences, and demonstrate radio energy reduction of over 60% with little impact on user experience. Keywords: Bandwidth; Buildings; Energy consumption; Green products; IEEE 802.11 Standards; Logic gates; Security (ID#:14-2468) URL:
  • Tennekoon, R.; Wijekoon, J.; Harahap, E.; Nishi, H.; Saito, E.; Katsura, S., "Per Hop Data Encryption Protocol for Transmission of Motion Control Data over Public Networks," Advanced Motion Control (AMC), 2014 IEEE 13th International Workshop on, pp. 128-133, 14-16 March 2014. doi: 10.1109/AMC.2014.6823269 Bilateral controllers are a widely used vital technology to perform remote operations and telesurgeries. The nature of the bilateral controller enables control objects which are geographically far from the operation location. Therefore, the control data has to travel through public networks. As a result, to maintain the effectiveness and the consistency of applications such as teleoperations and telesurgeries, faster data delivery and data integrity are essential. The Service-oriented Router (SoR) was introduced to maintain the rich information on the Internet and to achieve maximum benefit from networks. In particular, the security, privacy and integrity of bilateral communication are not discoursed in spite of the significance brought by its underlying skill information or personal vital information. An SoR can analyze all packet or network stream transactions on its interfaces and store them in high throughput databases. In this paper, we introduce a hop-by-hop routing protocol which provides hop-by-hop data encryption using functions of the SoR. This infrastructure can provide security, privacy and integrity by using these functions. Furthermore, we present the implementation of the proposed system in the ns-3 simulator, and the test result shows that in a given scenario, the protocol only takes a processing delay of 46.32 ms for the encryption and decryption processes per packet.
Keywords: Internet; computer network security; control engineering computing; cryptographic protocols; data communication; data integrity; data privacy; force control; medical robotics; motion control; position control; routing protocols; surgery; telecontrol; telemedicine; telerobotics; Internet; SoR; bilateral communication; bilateral controller; control objects; data delivery; data integrity; decryption process; hop-by-hop data encryption; hop-by-hop routing protocol; motion control data transmission; network stream transaction analysis; ns-3 simulator; operation location; packet analysis; per hop data encryption protocol; personal vital information; privacy; processing delay; public network; remote operation; security; service-oriented router; skill information; teleoperation; telesurgery; throughput database; Delays; Encryption; Haptic interfaces; Routing protocols; Surgery; Bilateral Controllers; Service-oriented Router; hop-by-hop routing; motion control over networks; ns-3 (ID#:14-2469) URL:
  • Bingyang Liu; Jun Bi; Vasilakos, A.V., "Toward Incentivizing Anti-Spoofing Deployment," Information Forensics and Security, IEEE Transactions on, vol. 9, no. 3, pp. 436-450, March 2014. doi: 10.1109/TIFS.2013.2296437 IP spoofing-based flooding attacks are a serious and open security problem on the current Internet. The best current antispoofing practices have long been implemented in modern routers. However, they are not sufficiently applied due to the lack of deployment incentives, i.e., an autonomous system (AS) can hardly gain additional protection by deploying them. In this paper, we propose mutual egress filtering (MEF), a novel antispoofing method, which provides continuous deployment incentives. The MEF is implemented on the AS border routers using access control lists (ACLs). It drops an outbound packet whose source address does not belong to the local AS if the packet is related to a spoofing attack against other MEF-enabled ASes. By this means, only the deployers of the MEF can gain protection, whereas nondeployers cannot free ride. As more ASes deploy MEF, deployment incentives become higher. We present the system design of MEF, and propose an optimal prefix compression algorithm to compact the ACL into the routers' limited hardware resource. With theoretical analysis and simulations with real Internet data, our evaluation results show that MEF is the only method that achieves monotonically increasing deployment incentives for all types of spoofing attacks, and the system design is lightweight and practical. The prefix compression algorithm advances the state-of-the-art by generalizing the functionalities and reducing the overhead in both time and space.
Keywords: IP networks; Internet; authorisation; computer network security; telecommunication network routing; ACL; AS border routers; IP spoofing-based flooding attacks; Internet; MEF; access control lists; antispoofing deployment incentivization; deployment incentives; functionality generalization; mutual egress filtering; open security problem; optimal prefix compression resource; overhead reduction; Compression algorithms; Filtering; Hardware; IP networks; Internet; Routing protocols; System analysis and design; DoS defense; IP spoofing; deployment incentive; spoofing prevention (ID#:14-2470) URL:
  • Naito, K.; Mori, K.; Kobayashi, H.; Kamienoo, K.; Suzuki, H.; Watanabe, A., "End-to-end IP Mobility Platform In Application Layer for iOS and Android OS," Consumer Communications and Networking Conference (CCNC), 2014 IEEE 11th, pp. 92-97, 10-13 Jan. 2014. doi: 10.1109/CCNC.2014.6866554 Smartphones are a new type of mobile device on which users can install additional mobile software easily. In almost all smartphone applications, the client-server model is used because end-to-end communication is prevented by NAT routers. Recently, some smartphone applications provide real time services such as voice and video communication, online games, etc. In these applications, end-to-end communication is suitable to reduce transmission delay and achieve efficient network usage. Also, IP mobility and security are important matters. However, the conventional IP mobility mechanisms are not suitable for these applications because most mechanisms are assumed to be installed in the OS kernel. We have developed a novel IP mobility mechanism called NTMobile (Network Traversal with Mobility). NTMobile supports end-to-end IP mobility in IPv4 and IPv6 networks; however, it is assumed to be installed in the Linux kernel, as with other technologies. In this paper, we propose a new type of end-to-end mobility platform that provides end-to-end communication, mobility, and also secure data exchange functions in the application layer for smartphone applications. In the platform, we use NTMobile, which is ported as an application program. Then, we extend NTMobile to be suitable for smartphone devices and to provide secure data exchange. Client applications can achieve secure end-to-end communication and secure data exchange by sharing an encryption key between clients. Users also enjoy IP mobility, which is the main function of NTMobile, in each application. Finally, we confirmed that the developed module can work on the Android system and the iOS system.
Keywords: Android (operating system); IP networks; client-server systems; cryptography; electronic data interchange; iOS (operating system); real-time systems; smart phones; Android OS; IPv4 networks; IPv6 networks; Linux kernel; NAT routers; NTMobile; OS kernel; application layer; client-server model; encryption key; end-to-end IP mobility platform; end-to-end communication; iOS system; network traversal with mobility; network usage; real time services; secure data exchange; smartphones; transmission delay; Authentication; Encryption; IP networks; Manganese; Relays; Servers (ID#:14-2471) URL:
  • Zhen Ling; Junzhou Luo; Kui Wu; Wei Yu; Xinwen Fu, "TorWard: Discovery of Malicious Traffic Over Tor," INFOCOM, 2014 Proceedings IEEE, pp. 1402-1410, 27 April-2 May 2014. doi: 10.1109/INFOCOM.2014.6848074 Tor is a popular low-latency anonymous communication system. However, it is currently abused in various ways. Tor exit routers are frequently troubled by administrative and legal complaints. To gain an insight into such abuse, we design and implement a novel system, TorWard, for the discovery and systematic study of malicious traffic over Tor. The system can avoid legal and administrative complaints and allows the investigation to be performed in a sensitive environment such as a university campus. An IDS (Intrusion Detection System) is used to discover and classify malicious traffic. We performed comprehensive analysis and extensive real-world experiments to validate the feasibility and effectiveness of TorWard. Our data shows that around 10% of Tor traffic can trigger IDS alerts. Malicious traffic includes P2P traffic, malware traffic (e.g., botnet traffic), DoS (Denial-of-Service) attack traffic, spam, and others. Around 200 known malware have been identified. To the best of our knowledge, we are the first to perform malicious traffic categorization over Tor. Keywords: computer network security; peer-to-peer computing; telecommunication network routing; telecommunication traffic; DoS; IDS; IDS alerts; P2P traffic; Tor exit routers; denial-of-service attack traffic; intrusion detection system; low-latency anonymous communication system; malicious traffic categorization; malicious traffic discovery; spam; Bandwidth; Computers; Logic gates; Malware; Mobile handsets; Ports (Computers); Servers; Intrusion Detection System; Malicious Traffic; Tor (ID#:14-2472) URL:
  • Ganegedara, T.; Weirong Jiang; Prasanna, V.K., "A Scalable and Modular Architecture for High-Performance Packet Classification," Parallel and Distributed Systems, IEEE Transactions on, vol. 25, no. 5, pp. 1135-1144, May 2014. doi: 10.1109/TPDS.2013.261 Packet classification is widely used as a core function for various applications in network infrastructure. With increasing demands in throughput, performing wire-speed packet classification has become challenging. Also, the performance of today's packet classification solutions depends on the characteristics of rulesets. In this work, we propose a novel modular Bit-Vector (BV) based architecture to perform high-speed packet classification on Field Programmable Gate Array (FPGA). We introduce an algorithm named StrideBV and modularize the BV architecture to achieve better scalability than traditional BV methods. Further, we incorporate range search in our architecture to eliminate ruleset expansion caused by range-to-prefix conversion. The post place-and-route results of our implementation on a state-of-the-art FPGA show that the proposed architecture is able to operate at 100+ Gbps for minimum size packets while supporting large rulesets up to 28 K rules using only the on-chip memory resources. Our solution is ruleset-feature independent, i.e. the above performance can be guaranteed for any ruleset regardless of the composition of the ruleset.
Keywords: field programmable gate arrays; packet switching; FPGA; core function; field programmable gate array; high performance packet classification solutions; high speed packet classification; modular architecture; modular bit vector; network infrastructure; on-chip memory resources; range-to-prefix conversion; ruleset expansion; ruleset-feature independent; scalable architecture; wire speed packet classification; Arrays; Field programmable gate arrays; Hardware; Memory management; Pipelines; Throughput; Vectors; ASIC; FPGA; Packet classification; firewall; hardware architectures; network security; networking; router (ID#:14-2473) URL:
  • Sgouras, K.I.; Birda, A.D.; Labridis, D.P., "Cyber Attack Impact On Critical Smart Grid Infrastructures," Innovative Smart Grid Technologies Conference (ISGT), 2014 IEEE PES, pp. 1-5, 19-22 Feb. 2014. doi: 10.1109/ISGT.2014.6816504 Electrical Distribution Networks face new challenges by the Smart Grid deployment. The required metering infrastructures add new vulnerabilities that need to be taken into account in order to achieve Smart Grid functionalities without considerable reliability trade-off. In this paper, a qualitative assessment of the cyber attack impact on the Advanced Metering Infrastructure (AMI) is initially attempted. Attack simulations have been conducted on a realistic Grid topology. The simulated network consisted of Smart Meters, routers and utility servers. Finally, the impact of Denial-of-Service and Distributed Denial-of-Service (DoS/DDoS) attacks on distribution system reliability is discussed through a qualitative analysis of reliability indices. Keywords: computer network security; power distribution reliability; power engineering computing; power system security; smart meters; smart power grids; AMI; DoS-DDoS attacks; advanced metering infrastructure; critical smart grid infrastructures; cyber attack impact; distributed denial-of-service attacks; distribution system reliability; electrical distribution networks; grid topology; qualitative assessment; routers; smart grid deployment; smart meters; utility servers; Computer crime; Reliability; Servers; Smart grids; Topology; AMI; Cyber Attack; DDoS; DoS; Reliability; Simulation; Smart Grid (ID#:14-2474) URL:
  • Sarma, K.J.; Sharma, R.; Das, R., "A Survey Of Black Hole Attack Detection In Manet," Issues and Challenges in Intelligent Computing Techniques (ICICT), 2014 International Conference on, pp. 202-205, 7-8 Feb. 2014. doi: 10.1109/ICICICT.2014.6781279 MANET is an infrastructure-less, dynamic, decentralised network. Any node can join the network and leave the network at any point of time. Due to its simplicity and flexibility, it is widely used in military communication, emergency communication, academic purposes and mobile conferencing. In MANET there is no infrastructure; hence each node acts as a host and router. They are connected to each other by a peer-to-peer network. Decentralised means there is nothing like client and server. Each and every node acts like a client and a server. Due to the dynamic nature of mobile ad hoc networks, it is more vulnerable to attack. Since any node can join or leave the network without any permission, the security issues are more challenging than in other types of network. One of the major security problems in ad hoc networks is called the black hole problem. It occurs when a malicious node, referred to as a black hole, joins the network. The black hole conducts its malicious behavior during the process of route discovery. For any received RREQ, the black hole claims to have a route and propagates a faked RREP. The source node responds to these faked RREPs and sends its data through the received routes; once the data is received by the black hole, it is dropped instead of being sent to the desired destination. This paper discusses some of the techniques put forward by researchers to detect and prevent black hole attacks in MANET using the AODV protocol, and based on their flaws a new methodology has also been proposed.
Keywords: client-server systems; mobile ad hoc networks; network servers; peer-to-peer computing; radio wave propagation; routing protocols; telecommunication security; AODV protocol; MANET; academic purpose; black hole attack detection; client; decentralised network; emergency communication; military communication; mobile ad-hoc network; mobile conferencing; peer-to-peer network; received RREQ; route discovery; security; server; Europe; Mobile communication; Routing protocols; Ad-HOC; Black hole attack; MANET; RREP; RREQ (ID#:14-2475) URL:


Articles listed on these pages have been found on publicly available internet pages and are cited with links to those pages. Some of the information included herein has been reprinted with permission from the authors or data repositories. Direct any requests via Email to SoS.Project (at) for removal of the links or modifications to specific citations. Please include the ID# of the specific citation in your correspondence.