DocumentCode
411613
Title
Detecting offensive routers: a straightforward approach
Author
Wang, Baa-Tung ; Schulzrinne, Henning
Author_Institution
Dept. of Comput. Sci., Columbia Univ., New York, NY, USA
fYear
2003
fDate
14-16 Oct. 2003
Firstpage
460
Lastpage
467
Abstract
A packet dropping attack (PDA) is a network attack that uses compromised network elements to degrade network performance or quality by intentionally dropping a certain amount of IP packets. The major distinction between the PDA and a traditional denial-of-service (DoS) attack is that some victims do not even discern that they are under attack. Offensive router detection (ORD) is a mechanism capable of detecting offensive routers that are performing the PDA. The ORD mechanism is based on the principle of conservation of flow in the network, and employs a newly proposed ICMP message, the Caddie message, which records packet forwarding information. By analyzing this information, we can identify routers that are abnormally dropping packets. We show the advantages of the ORD mechanism over other existing network monitoring mechanisms and discuss storage and bandwidth overhead issues. We also demonstrate the advantages and the effectiveness of the approach by simulating the functionality of the ORD mechanism to detect four different packet-dropping patterns.
Keywords
IP networks; computer crime; message authentication; message passing; packet switching; telecommunication network routing; telecommunication security; IP packets; denial-of-service; message authentication; network monitoring mechanism; network performance; offensive router detection; packet dropping attack; Bandwidth; Computational modeling; Computer crime; Computer science; Degradation; IP networks; Information analysis; Monitoring; Personal digital assistants; Web and internet services;
fLanguage
English
Publisher
IEEE
Conference_Titel
Security Technology, 2003. Proceedings. IEEE 37th Annual 2003 International Carnahan Conference on
Print_ISBN
0-7803-7882-2
Type
conf
DOI
10.1109/CCST.2003.1297604
Filename
1297604