Detecting Compromised Routers via Packet Forwarding Behavior

Alper Mizrak, Keith Marzullo and Stefan Savage
June 27, 2007

While it is widely understood that criminal miscreants are subverting large numbers of Internet-connected computers (e.g., for bots, spyware, SPAM forwarding, etc.) it is less well appreciated that Internet routers are also being actively targeted and compromised. Indeed, due their central role in end-to-end communication, a compromised router can be leveraged to empower a wide range of direct attacks including eavesdropping, man-in-the-middle subterfuge and denial-of-service. In response, a range of specialized anomaly detection protocols has been proposed to detect misbehaving packet forwarding between routers. This paper provides a general framework for understanding the design space of this work and reviews the capabilities of various detection protocols.

How to view this document

The authors of these documents have submitted their reports to this technical report series for the purpose of non-commercial dissemination of scientific work. The reports are copyrighted by the authors, and their existence in electronic format does not imply that the authors have relinquished any rights. You may copy a report for scholarly, non-commercial purposes, such as research or instruction, provided that you agree to respect the author's copyright. For information concerning the use of this document for other than research or instructional purposes, contact the authors. Other information concerning this technical report series can be obtained from the Computer Science and Engineering Department at the University of California at San Diego,

[ Search ]

This server operates at UCSD Computer Science and Engineering.
Send email to