Detecting disruptive routers: a distributed network monitoring approach

An attractive target for a computer system attacker is the router. An attacker in control of a router can disrupt communication by dropping or misrouting packets passing through the router. We present a protocol called WATCHERS which detects and reacts to routers that drop or misroute packets. WATCHERS is based on the principle of conservation of flow in a network: all data bytes sent into a node, and not destined for that node, are expected to exit the node. WATCHERS tracks this flow, and detects routers that violate the conservation principle. We show that WATCHERS has several advantages over existing network monitoring techniques. We discuss WATCHERS response to several different types of bad router behavior. We demonstrate that in ideal conditions WATCHERS makes no false positive diagnoses, and we describe how WATCHERS can be tuned to perform nearly as well in realistic conditions. Also, we argue that WATCHERS impact on router performance and WATCHERS memory requirements are reasonable for many environments.