
Copyright Warning

Use of this thesis/dissertation/project is for the purpose of private study or scholarly research only. Users must comply with the Copyright Ordinance.

Anyone who consults this thesis/dissertation/project is understood to recognise that its copyright rests with its author and that no part of it may be reproduced without the author’s prior written consent.
CITY UNIVERSITY OF HONG KONG

Network Infrastructure Security – A Design of Secure Spanning-Tree Protocol and an Analysis on Distributed Denial of Service Attack

Submitted to
Department of Electronic Engineering

in Partial Fulfillment of the Requirements
for the Degree of Master of Philosophy

by

Yan Fan

June 2008


Abstract

Two problems of network infrastructure security are addressed in this thesis. The first is the security problem of the Spanning-Tree Protocol (STP), and the second is the Distributed Denial of Service (DDoS) attack.

Although STP is widely used in switching networks, it is vulnerable to STP attacks. In this thesis, we solve this problem of STP by proposing an enhanced STP. The proposed solution partitions a STP network into multiple tiers of switching networks. The purpose of the partitioning is to hide the STP operations of the network infrastructure (i.e. the higher-tier switching networks) from the lower tiers of switching networks (those closer to end computers). To realise the partitioning, a new kind of Ethernet boundary switch is designed and implemented. These boundary switches on one hand participate in the normal STP operations; on the other hand, the enhanced STP operations inside the boundary switches actually partition the STP operations between tiers.

To quantify the security performance of the enhanced STP protocol, the performance of the new switches is evaluated and compared with that of the conventional STP under all known STP attacks. The results show a significant reduction in the number of affected switches under the non-DoS STP attacks when the enhanced STP is used. For DoS STP attacks, the CPU utilization of switches in handling STP topology changes can also be reduced by orders of magnitude.

The implementation of the Ethernet boundary switches was based on the Linux bridge implementation and bridge configuration tools. Experiments were run to verify the design and to study the switches’ performance. The results show that these new switches can provide better security for STP networks. This practical implementation also demonstrates how kernel programming on Linux and some modifications to configuration tools can be made to develop new switching devices.

In the second part of the thesis, the problem of the unknown impact on networks under DDoS attacks is addressed. A scale-free network (constructed from 1000 nodes) is investigated and its congestion level is measured. In the scale-free network, which models the Internet, each node is assumed to have links with finite buffers. Unlike previous works on complex networks, nodes under attack are not assumed to be removed. This gives more realistic results. The results show that the scale-free network becomes easily congested under DDoS attack. It is also found that the robustness of the scale-free network depends more on the number of attackers than on the degree of the victim node.



Acknowledgements

I would like to express my gratitude to my supervisor, Dr. K. H. Yeung, for his expertise, constant encouragement and patience in his supervision since my undergraduate study. With his inspiring advice and continuous support, I could tackle many problems and difficulties that I met during the years of study and research. Without his vast knowledge and skills and his assistance in academic writing, this thesis would not appear in its present form. I especially thank him for inspiring me about the meaning of life.

It is my pleasure to thank the Department of Electronic Engineering, City University of Hong Kong. I thank the research fellow Dr. Zhi-xi Wu for his kind help and encouragement.

I thank my parents for providing me with the opportunity to pursue my studies. Last of all, I thank my friend Janice for her hearty laughs and Adam for his enduring support and tolerance.



To my parents

Table of Contents

ABSTRACT ..... I
ACKNOWLEDGEMENTS ..... IV
TABLE OF CONTENTS ..... VI
LIST OF TABLES ..... VIII
LIST OF FIGURES ..... IX
LIST OF LISTINGS ..... X
LIST OF EQUATIONS ..... XI
LIST OF PUBLICATIONS ..... XII
CHAPTER 1 INTRODUCTION ..... 1
1.1 NETWORK INFRASTRUCTURE SECURITY ..... 2
1.2 SPANNING-TREE PROTOCOL AND ITS WEAKNESS ..... 3
1.3 DDOS ATTACK IN SCALE-FREE NETWORKS ..... 7
1.4 THESIS OVERVIEW ..... 9
CHAPTER 2 IMPROVING NETWORK INFRASTRUCTURE SECURITY BY PARTITIONING NETWORKS USING SPANNING-TREE PROTOCOL ..... 12
2.1 INTRODUCTION ..... 13
2.2 IMPROVING NETWORK INFRASTRUCTURE SECURITY BY PARTITIONING A STP NETWORK ..... 14
2.3 IMPLEMENTATION AND EXPERIMENT ..... 16
2.4 CHAPTER CONCLUSION ..... 19
CHAPTER 3 SECURE SPANNING TREE PROTOCOL USING NETWORK PARTITIONING ..... 20
3.1 BACKGROUND ..... 21
3.2 IMPROVING NETWORK INFRASTRUCTURE SECURITY BY PARTITIONING A STP NETWORK ..... 24
3.3 IMPLEMENTATION ..... 28
3.4 EVALUATION ON THE PROPOSED SOLUTION ..... 30
3.4.1 Non-DoS attacks ..... 31
NUMERICAL EXAMPLES: ..... 34
3.4.2 DoS Attacks ..... 38
3.4.2.1 Flood of configuration message BPDUs claiming root role ..... 38
3.4.2.2 Flood of topology change notification BPDUs and flood of configuration message BPDUs with TC flag on ..... 42
3.4.2.3 Flood of Configuration Message BPDUs with TC Flag on ..... 45
3.5 CHAPTER CONCLUSION ..... 47
CHAPTER 4 THE DEVELOPMENT OF NOVEL SWITCHING DEVICES USING EMBEDDED MICROPROCESSING SYSTEM RUNNING LINUX ..... 48
4.1 REVIEW OF LINUX BRIDGE ..... 49
4.2 STP IMPLEMENTATION IN LINUX ..... 51
4.2.1 Spanning Tree Protocol implementation ..... 51
4.2.2 Brctl – bridge administration tools ..... 55
4.3 AN EXAMPLE SHOWING HOW NOVEL SWITCHING DEVICES CAN BE DEVELOPED USING LINUX BRIDGING CODE ..... 56
4.3.1 Steps to Customize the Bridging Code ..... 58
4.3.2 Change to the Bridging Code ..... 59
4.3.3 Testing the Modified Codes ..... 63
4.4 PORTING THE DESIGN TO AN EMBEDDED MICROPROCESSING SYSTEM ..... 66
4.5 CHAPTER CONCLUSION ..... 68
CHAPTER 5 INVESTIGATING DDOS ATTACKS IN THE INTERNET WITH CONGESTED LINKS ..... 69
5.1 CHAPTER INTRODUCTION ..... 70
5.2 BA MODEL WITH CONGESTED LINKS ..... 71
5.3 RESULTS AND DISCUSSION ON DDOS ATTACKS ..... 72
5.4 CHAPTER CONCLUSION ..... 77
CHAPTER 6 CONCLUSION AND FUTURE RESEARCH ..... 78
6.1 SUMMARY ..... 79
6.2 FUTURE RESEARCH ..... 81
REFERENCES ..... 82
APPENDIX ..... 88

List of Tables

TABLE 2.1 RESULTS OF THE EXPERIMENTS ..... 19
TABLE 3.1 ALL KNOWN STP ATTACKS ..... 30
TABLE 3.2 RESULTS OF VARIOUS ATTACK PROBABILITY OF NETWORK IN FIGURE 3.7 ..... 37

List of Figures

FIGURE 1.1 RANDOM NETWORK VERSUS SCALE-FREE NETWORK ..... 8
FIGURE 2.1 BOUNDARY SWITCHES PARTITION THE NON-NETWORK INFRASTRUCTURE (NNI) NETWORK (THAT CONNECTS TO END COMPUTERS) FROM THE NETWORK INFRASTRUCTURE (NI) NETWORK ..... 15
FIGURE 2.2 THE TESTING NETWORK ..... 18
FIGURE 3.1 A SWITCHING NETWORK WITH T TIERS OF SWITCHES ..... 25
FIGURE 3.2 SWITCHES AT TIER I ADVERTISE A PSEUDO ROOT ID OF PRid_i AND A PSEUDO ROOT COST PRcost_i TO THE LOWER TIER I+1 ..... 26
FIGURE 3.3 STATE DIAGRAM OF SWITCH PORTS ..... 27
FIGURE 3.4 FLOW OF STP OPERATIONS IN LINUX CODES ..... 28
FIGURE 3.5 EXPERIMENTAL SETUP TO TEST THE IMPLEMENTATION ..... 29
FIGURE 3.6 A SIMPLE STP NETWORK ..... 35
FIGURE 3.7 TYPICAL TOPOLOGY OF SWITCHING NETWORK ..... 36
FIGURE 3.8 MODEL OF A SWITCH IN THE NETWORK EVALUATION OF FLOOD OF CONFIGURATION MESSAGE BPDUS CLAIMING ROOT ROLE ..... 39
FIGURE 3.9 RESULTS ON THE EVALUATION OF FLOOD OF CONFIGURATION MESSAGE BPDUS CLAIMING ROOT ROLE ..... 41
FIGURE 3.10 MODEL OF SWITCH SW_{i,j} IN DOS EVALUATION OF FLOOD OF TOPOLOGY CHANGE ..... 44
FIGURE 3.11 UTILIZATION OF SWITCHES IN DOS EVALUATION OF FLOOD OF TOPOLOGY CHANGE NOTIFICATION BPDUS ..... 46
FIGURE 3.12 UTILIZATION OF SWITCHES IN DOS EVALUATION OF FLOOD OF CONFIGURATION ..... 46
FIGURE 4.1 FLOW OF STP OPERATIONS ..... 52
FIGURE 4.2 NETWORK PARTITIONING BY NOVEL SWITCHING DEVICES ..... 56
FIGURE 4.3 SET UP THE EXPERIMENT ..... 64
FIGURE 4.4 RESULT OF THE EXPERIMENT A ..... 65
FIGURE 4.5 SET UP OF EXPERIMENT B ..... 65
FIGURE 5.1 TIME EVOLUTION OF THE CONGESTED LINKS IN THE BA SCALE FREE NETWORKS OF SIZE N=1000 WITH m0 = m = 3, R=0.005, DEGREE OF VICTIM IS 6, NUMBER OF ATTACKERS NATT = 1, 3, 4, 5, 6, 10, 20 AND 30. A) 3000 TIME STEPS, B) 500 TIME STEPS ..... 74
FIGURE 5.2 TIME EVOLUTION OF THE CONGESTED LINKS IN THE BA SCALE FREE NETWORKS OF SIZE N=1000 WITH m0 = m = 3, R=0.005, NATT = 10, DEGREE OF VICTIM IS 3, 6, 24, 124. A) TIME STEP = 3000, B) TIME STEP = 20 ..... 75

List of Listings

LISTING 4.1 PART OF LISTING OF LINUX/NET/BR_STP_BPDU.C ..... 60
LISTING 4.2 PART OF LISTING OF LINUX/NET/BRIDGE/BR_STP.C ..... 62
LISTING 4.3 PART OF LISTING OF BRCTL/LIBBRIDGE/LIBBRIDGE_DEVIF.C ..... 63
LISTING 4.4 PART OF LISTING OF BRCTL/BRCTL/BRCTL_CMD.C ..... 63

List of Equations

Equation 3.1 ..... 29
Equation 3.2 ..... 29
Equation 3.3 ..... 29
Equation 3.4 ..... 29
Equation 3.5 ..... 30
Equation 3.6 ..... 30
Equation 3.7 ..... 36
Equation 3.8 ..... 36
Equation 3.9 ..... 37
Equation 3.10 ..... 40
Equation 3.11 ..... 41
Equation 3.12 ..... 41
Equation 3.13 ..... 43

List of Publications

1. K. H. Yeung, F. Yan and T. C. Leung, “Improving Network Infrastructure Security by Partitioning Networks Running Spanning Tree Protocol,” Proc. of International Conference on Internet Surveillance and Protection, Cap Esterel, Côte d’Azur, France, August 2006.

2. F. Yan and K. H. Yeung, “The Development of Novel Switching Devices by Using Embedded Microprocessing System Running Linux,” International Workshop on Security in Systems and Networks, Miami, USA, April 2008.

3. F. Yan and K. H. Yeung, “Secure Spanning Tree Protocol using Network Partitioning,” submitted to IET Communication.

4. F. Yan and K. H. Yeung, “Outcome Based Teaching and Learning in Undergraduate Engineering Projects: The Approach and a Case Study,” to be submitted to Australasian Journal of Educational Technology.

5. F. Yan, K. H. Yeung and Z. X. Wu, “Investigate DDoS Attack in the Internet with Congested Link,” to be submitted to Physical Review Letters.

6. F. Yan and K. H. Yeung, “Vehicular Networks: the Network on the Way,” Proceedings of Global Information Infrastructure Symposium, International Workshop on ITS for Ubiquitous Roads, 2007.

Chapter 1

INTRODUCTION

1.1 Network Infrastructure Security

Network infrastructure refers to the framework of interdependent networks and systems that provide many reliable functions, such as connectivity, routing and switching capabilities, and network access to users. Because it is the foundation of information systems and services, attacks on the network infrastructure could have serious consequences for the security and economic vitality of society. Its security has attracted the attention of governments and researchers. In the fiscal year 2006, $94 million USD was allocated to protecting against threats to information technology infrastructure [OMB06].

A network may vary in architecture, applications, equipment and services provided. In general, core routers in a layer 3 network, core switches in a layer 2 network and core repeaters in a layer 1 network are the main network infrastructure components. In the area of computer networks, research focuses on malicious attacks on routers, such as routing table poisoning attacks. All packets are forwarded according to routing tables, which are constructed by routing protocols and static routes in the routers. The attacks interrupt, modify or fabricate routing information to poison the routing tables. Many solutions [Wan99, BSJ97, GMa88, JMo94, AG02] have been worked out for routing table poisoning attacks.

In wireless networks, many research efforts have been made to protect routing protocols from attacks such as the black hole attack, in which the malicious node claims that it has the route to all destinations so that the routing tables in the normal nodes are manipulated. Some solutions [HWD02] have been proposed to tackle the black hole attack.

With the development of various wireless network technologies, the vehicular network has emerged as another application that integrates these technologies. Because of the characteristics of vehicular networks, namely high mobility and frequently changing topology, it is a challenge for researchers to design suites of solutions that are more suitable for them. We made a survey of vehicular network research [YY07] and present it in the appendix of this thesis. The survey has four parts: safety message delivery, services, security and performance evaluation.

In the area of complex networks, there has been much interest in examining vulnerabilities and risk in network infrastructure [C97, SP00, P01, C02, C04, LM05, CP05, GM06]. Different from research works on computer networks, these studies treat the network topology more abstractly and consider networks of large scale (usually with more than 1000 nodes).

Having discussed the security issues of different types of network infrastructure, this thesis focuses on two issues: the security of the Spanning-Tree Protocol in switching networks and DDoS attacks in complex networks.

1.2 Spanning-Tree Protocol and its weakness

Spanning-Tree Protocol (STP) is a protocol to eliminate loops in local area networks (LANs). STP creates a spanning tree among the connected Ethernet switches at the data link layer (Layer 2 in the OSI model) and disables the links which are not part of that tree. STP was first proposed by Radia Perlman in 1985 and developed at Digital Equipment Corporation. In 1990, the IEEE published the first standard for the protocol in 802.1d. Subsequent versions were published in 1998 and 2004 by the IEEE 802.1 working group.

Bridge Protocol Data Units (BPDUs) are the frames exchanged among the switches in a spanning tree network. There are two types of BPDUs: Configuration Message BPDU (CM BPDU) and Topology Change Notification BPDU (TCN BPDU). CM BPDUs are used for spanning tree computation and to update topology information. They are sent regularly every 2 seconds. TCN BPDUs are sent to announce changes in the network topology, such as when switches become unreachable, the cost of a link changes or a new root switch appears.

Bridge ID is a field inside a BPDU frame. It has two parts: the bridge priority, which is set by network administrators (the default value is 32768, the largest number in the bridge priority), and the MAC address, which is supplied by the switch manufacturer.

The operation of STP includes the following steps. First, elect a single bridge with the lowest bridge ID in the LANs to be the root bridge. Second, calculate the shortest path from every other bridge to the root bridge. Third, elect a designated bridge for each segment, which is the bridge in that segment having the lowest root path cost to the root bridge; the designated bridge will forward frames from that segment toward the root bridge. Fourth, for each bridge, choose a root port that has the shortest path to the root bridge. Finally, select the ports to be included in the spanning tree, and block the other ports to prevent loops.
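The five steps just listed, as an added worked example (mine, not the thesis' code and not the Linux bridge implementation it later modifies): a small Python program that runs root election, root path cost calculation, designated bridge election, root port selection and blocking on a constructed four-switch topology. The bridge IDs, port path costs and segment layout are made up for the illustration; SW4 carries an administratively lowered priority so that it is the intended root.

```python
"""Added example (not from the thesis): the five STP steps described above, run
on a constructed four-switch topology. Bridge IDs, port path costs and the
segments are made up for illustration; the comparison rules (lower bridge ID
wins, lower root path cost wins) follow IEEE 802.1D."""
import heapq

# Constructed bridge IDs: (priority, MAC). 32768 is the 802.1D default priority;
# SW4 has an administratively lowered priority, so it is the intended root.
BRIDGES = {
    "SW1": (32768, "00:00:00:00:00:01"),
    "SW2": (32768, "00:00:00:00:00:02"),
    "SW3": (32768, "00:00:00:00:00:03"),
    "SW4": (4096, "00:00:00:00:00:04"),
}

# Constructed LAN segments: segment -> {bridge attached to it: path cost of that
# bridge's port on the segment}. A point-to-point link is a two-bridge segment.
SEGMENTS = {
    "S1": {"SW4": 4, "SW1": 4},
    "S2": {"SW4": 19, "SW2": 19},
    "S3": {"SW1": 4, "SW2": 4},
    "S4": {"SW2": 19, "SW3": 19},
    "S5": {"SW1": 19, "SW3": 19},
}


def elect_root(bridges):
    """Step 1: the bridge with the numerically lowest (priority, MAC) is the root."""
    return min(bridges, key=lambda b: bridges[b])


def root_path_costs(bridges, segments, root):
    """Step 2: least-cost path from every bridge to the root (Dijkstra).

    Crossing a segment from bridge A to bridge B adds the cost of B's own port,
    which is how a bridge forms its root path cost: received cost + port cost.
    """
    dist = {b: float("inf") for b in bridges}
    dist[root] = 0
    heap = [(0, bridges[root], root)]
    while heap:
        d, _, a = heapq.heappop(heap)
        if d > dist[a]:
            continue
        for ports in segments.values():
            if a not in ports:
                continue
            for b, port_cost in ports.items():
                if b != a and d + port_cost < dist[b]:
                    dist[b] = d + port_cost
                    heapq.heappush(heap, (dist[b], bridges[b], b))
    return dist


def port_roles(bridges, segments, root, dist):
    """Steps 3-5: designated bridge per segment, one root port per non-root
    bridge, and every remaining port blocked so that no loop stays active."""
    # Step 3: lowest root path cost on the segment wins, ties broken by bridge ID.
    designated = {
        seg: min(ports, key=lambda b: (dist[b], bridges[b]))
        for seg, ports in segments.items()
    }
    roles = {}
    for b in bridges:
        root_seg = None
        if b != root:
            # Step 4: root port = attached segment offering the lowest cost to the
            # root (designated bridge's cost + this bridge's port cost); a bridge
            # never picks a segment on which it is itself the designated bridge.
            candidates = [
                (dist[designated[s]] + ports[b], bridges[designated[s]], s)
                for s, ports in segments.items()
                if b in ports and designated[s] != b
            ]
            root_seg = min(candidates)[2]
        # Step 5: classify every port; "blocked" ports carry no user frames.
        for s, ports in segments.items():
            if b in ports:
                if s == root_seg:
                    roles[(b, s)] = "root"
                elif designated[s] == b:
                    roles[(b, s)] = "designated"
                else:
                    roles[(b, s)] = "blocked"
    return designated, roles


def compute_spanning_tree(bridges, segments):
    """Run all five steps; returns (root, root path costs, designated, port roles)."""
    root = elect_root(bridges)
    dist = root_path_costs(bridges, segments, root)
    designated, roles = port_roles(bridges, segments, root, dist)
    return root, dist, designated, roles


if __name__ == "__main__":
    root, dist, designated, roles = compute_spanning_tree(BRIDGES, SEGMENTS)
    print("root bridge:", root)
    for (b, s), role in sorted(roles.items()):
        print(f"{b} port on {s}: {role} (root path cost of {b} = {dist[b]})")
```

Running it prints the role of every port; two ports end up blocked, which is exactly enough to break the two loops in the constructed topology. Note that step 1 compares nothing but the bridge ID, so whichever bridge advertises the lowest value becomes root, which is the property the attacks in the following paragraphs rely on.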

STP is traditionally considered secure because the LANs in which it operates are under physical control within an access-restricted area. However, STP has two main security pitfalls: the lack of authentication on its signalling messages, and the ease with which the root role can be changed. Some hackers make use of these weaknesses to affect STP networks maliciously. These attacks could render the whole STP network non-functional and unstable, or leak users’ data to the hackers. All known STP attacks are introduced as follows:

STP attacks

Single-homed root role claiming

The attacker generates a single BPDU message per hello time claiming the root role. As the attacker can obtain the real root’s bridge ID by capturing traffic with monitoring software, it is easy to generate a bridge ID lower than the real root’s bridge ID and so force a topology change.

Dual-homed root role claiming

The attacker crafts a single BPDU message per hello time per interface claiming the root role, targeting two different switches.

Internal node role claiming

The attacker claims just an active role in the tree. In this attack, the station listens on the interface that receives the better BPDUs (that is, those with the smaller root path cost) and advertises bogus BPDU messages through the other interface. In the bogus messages, the original root bridge ID and other parameters are preserved, but the root path cost is incremented by one hop and the source bridge ID is modified to be bigger than the current root ID. This attack can be used for traffic snooping.

Tree segmentation

This attack requires two or more colluding single-homed stations, each of which carries out a single-homed root role claiming attack; all stations advertise the same bridge ID, which is lower than the current root ID, in order to claim the root role.

Flood of Configuration Message BPDUs claiming root role

CM BPDUs claiming the root role come from nonexistent bridges with bridge IDs lower than the current root ID, thereby qualifying as candidates to be the new root bridge. This forces the target switch to keep recalculating the spanning tree.

Flood of Configuration Message BPDUs with TC flag on

CM BPDUs with the TC flag on are sent from nonexistent bridges. These frames make all switches rapidly flush the entries in their forwarding tables. Switches that frequently receive these frames have to flood the data frames they receive while their forwarding tables are always empty, so the load on the switches increases and the attacker gets the chance to sniff data packets.

Flood of Topology Change Notification BPDUs

TCN BPDUs claiming to come from nonexistent switches are sent. These TCNs are transmitted up the tree until they reach the root. The root will then set a flag in subsequent configuration messages to instruct all the bridges in the tree to recalculate the spanning tree.
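As an added defensive illustration (my code, not the thesis'), the following Python decodes IEEE 802.1D BPDUs and applies two checks that match the symptoms of the attacks just listed: a root-guard style comparison against the administrator's expected root ID, which catches the root-role-claiming variants and the CM flood claiming root, and a per-port rate monitor for topology-change signals, which catches the TC-flag and TCN floods. The frame layout follows 802.1D; the sample frames, the expected root ID and the thresholds are constructed for the example.

```python
"""Added example (not from the thesis): decoding IEEE 802.1D BPDUs and running
two defensive checks aimed at the symptoms of the attacks listed above. The
frame layout (35-byte configuration BPDU, 4-byte TCN BPDU) follows 802.1D; the
sample frames, the expected root ID and the rate threshold are constructed."""
import struct
from collections import deque

CONFIG_BPDU = 0x00
TCN_BPDU = 0x80
FLAG_TC = 0x01  # topology change flag, bit 0 of the flags byte
# protocol id, version, type, flags, root id, root path cost, bridge id,
# port id, message age, max age, hello time, forward delay
_CONFIG = struct.Struct("!HBBB8sI8sHHHHH")


def decode_bridge_id(raw):
    """Bridge ID = 2-byte priority followed by the 6-byte MAC address."""
    priority = struct.unpack("!H", raw[:2])[0]
    return priority, ":".join(f"{b:02x}" for b in raw[2:])


def parse_bpdu(payload):
    """Decode the BPDU that follows the 802.2 LLC header (DSAP/SSAP 0x42)."""
    if len(payload) < 4:
        raise ValueError("truncated BPDU")
    proto, version, btype = struct.unpack("!HBB", payload[:4])
    if proto != 0:
        raise ValueError(f"unexpected protocol identifier {proto:#06x}")
    if btype == TCN_BPDU:
        return {"type": "tcn", "version": version}
    if btype != CONFIG_BPDU or len(payload) < _CONFIG.size:
        raise ValueError("unknown or truncated BPDU")
    (_, _, _, flags, root_id, root_cost, bridge_id, port_id,
     msg_age, max_age, hello, fwd_delay) = _CONFIG.unpack_from(payload)
    return {
        "type": "config",
        "version": version,
        "tc": bool(flags & FLAG_TC),
        "root_id": decode_bridge_id(root_id),
        "root_cost": root_cost,
        "bridge_id": decode_bridge_id(bridge_id),
        "port_id": port_id,
        # timer fields are carried in units of 1/256 second
        "message_age": msg_age / 256,
        "max_age": max_age / 256,
        "hello_time": hello / 256,
        "forward_delay": fwd_delay / 256,
    }


def root_guard(bpdu, expected_root):
    """Root-guard style check: a configuration BPDU whose root ID compares lower
    than the administratively expected root would win the root election."""
    return bpdu["type"] == "config" and bpdu["root_id"] < expected_root


class TopologyChangeMonitor:
    """Counts topology-change signals (TCN BPDUs, or configuration BPDUs with
    the TC flag set) per port in a sliding window; a count above the threshold
    is what a TCN flood or TC-flag flood looks like on the wire."""

    def __init__(self, window_seconds=10.0, threshold=20):
        self.window = window_seconds
        self.threshold = threshold
        self.events = {}  # port name -> deque of timestamps

    def observe(self, port, bpdu, now):
        if not (bpdu["type"] == "tcn" or bpdu.get("tc")):
            return False
        q = self.events.setdefault(port, deque())
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) > self.threshold


# Constructed sample frames (hex, LLC header stripped).
LEGIT_CONFIG = bytes.fromhex(  # from the real root 4096/00:..:04, hello 2 s
    "0000 00 00 00 1000000000000004 00000000 1000000000000004"
    "8001 0000 1400 0200 0f00")
ROGUE_CONFIG = bytes.fromhex(  # advertises a root with priority 0, below the real root
    "0000 00 00 00 00000000000000aa 00000000 00000000000000aa"
    "8001 0000 1400 0200 0f00")
TC_CONFIG = bytes.fromhex(  # TC flag set, relayed by bridge 32768/00:..:01 at cost 4
    "0000 00 00 01 1000000000000004 00000004 8000000000000001"
    "8001 0100 1400 0200 0f00")
TCN = bytes.fromhex("0000 00 80")
EXPECTED_ROOT = (4096, "00:00:00:00:00:04")  # the administrator's intended root


def demo():
    """Run both checks over the constructed frames and report what was flagged."""
    mon = TopologyChangeMonitor(window_seconds=10.0, threshold=20)
    return {
        "legit_flagged": root_guard(parse_bpdu(LEGIT_CONFIG), EXPECTED_ROOT),
        "rogue_flagged": root_guard(parse_bpdu(ROGUE_CONFIG), EXPECTED_ROOT),
        # normal: a TC-flagged BPDU once per 2 s hello for a minute -> never alerts
        "normal_alerts": sum(mon.observe("eth1", parse_bpdu(TC_CONFIG), t)
                             for t in range(0, 60, 2)),
        # flood: 100 TCNs within one second on another port -> alerts after the 20th
        "flood_alerts": sum(mon.observe("eth2", parse_bpdu(TCN), i * 0.01)
                            for i in range(100)),
    }


if __name__ == "__main__":
    print(demo())
```

A check like root_guard is only as good as the configured expectation, so EXPECTED_ROOT must be the bridge ID the administrator actually intends. The rate threshold is deliberately well above one TC-flagged BPDU per hello interval, because legitimate bridges keep the TC flag set for a while after a genuine topology change; what distinguishes the flood is the volume, not the flag itself.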

1.3 DDoS attack in scale-free networks

A denial-of-service attack (DoS attack) is an attempt to make a computer resource unavailable to its normal users. A distributed denial-of-service attack (DDoS attack) is the advanced version of a DoS attack. In a DDoS attack, multiple compromised nodes consume the resources of the victim node so that the victim node can no longer provide its intended service and its users cannot use that service. The compromised nodes obstruct the communication media between the normal users and the victim node so that congestion occurs in the network. The congestion affects not only the victim node and its users but also other nodes in the network. Many researchers have made great efforts to study DDoS attacks. One common method is to simulate a DDoS attack on a network model.

A scale-free network is a network model with the characteristic that its degree distribution follows a particular mathematical function, a power law. This distribution is not affected by the size of the network. In scale-free networks, some nodes have high degree and most nodes have low degree. The difference from random networks is demonstrated in Figure 1.1. In the late 1990s, a power-law degree distribution was found in many real-world networks, such as the World Wide Web, the network of Autonomous Systems and some networks of Internet routers. These findings imply that a scale-free network can serve as a simple model of such real networks.

Figure 1.1 Random network versus scale-free network

The BA model was introduced by Barabási and Albert in 1999 to generate a network with a power-law degree distribution. There are two important general concepts in this model: growth and preferential attachment. Growth means that the number of nodes increases over time. Preferential attachment means that the more connected a node is, the more new links connect to it. The model begins with an initial network of $m_0$ nodes ($m_0 \geq 2$). Each new node is connected to $m$ nodes ($m \leq m_0$) in the existing network, choosing node $i$ with probability

$$p_i = \frac{k_i}{\sum_j k_j},$$

where $k_i$ is the degree of node $i$. This connection probability embodies the preferential attachment concept. Finally a network like the scale-free network in Figure 1.1 is created.
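The growth and preferential-attachment rules above, as an added example (my code, not the thesis'): a Python implementation of the BA model run with the thesis' own setting of N = 1000 and m0 = m = 3, compared against a random graph with the same number of edges to show the hub-dominated degree distribution of Figure 1.1. It assumes that the initial m0 nodes form a complete graph, which the text does not specify, and the random comparison graph (edges placed uniformly at random) is my own choice of baseline.

```python
"""Added example (not from the thesis): growing a Barabasi-Albert network with
the growth and preferential-attachment rules described above, and contrasting
its degree distribution with a random graph of the same size. Assumptions: the
initial m0 nodes form a complete graph (the text does not fix the seed graph's
edges), and the comparison graph places the same number of edges uniformly."""
import random
from collections import Counter


def barabasi_albert(n, m0, m, seed=0):
    """Return adjacency sets of a BA graph with n nodes.

    Each new node attaches m edges to m distinct existing nodes, choosing node i
    with probability p_i = k_i / sum_j k_j. Drawing uniformly from a list in
    which every node appears once per incident edge realises that probability.
    """
    assert m0 >= 2 and 1 <= m <= m0 < n
    rng = random.Random(seed)
    adj = {i: set() for i in range(m0)}
    for i in range(m0):  # assumed seed network: complete graph on m0 nodes
        for j in range(i + 1, m0):
            adj[i].add(j)
            adj[j].add(i)
    urn = [v for v, nbrs in adj.items() for _ in nbrs]  # node i appears k_i times
    for new in range(m0, n):  # growth: one new node per time step
        targets = set()
        while len(targets) < m:  # preferential attachment, m distinct targets
            targets.add(rng.choice(urn))
        adj[new] = set()
        for t in targets:
            adj[new].add(t)
            adj[t].add(new)
            urn.extend((new, t))  # both endpoints gained one unit of degree
    return adj


def random_graph(n, edges, seed=0):
    """Comparison graph: n nodes and the given number of edges placed uniformly."""
    rng = random.Random(seed)
    adj = {i: set() for i in range(n)}
    placed = 0
    while placed < edges:
        a, b = rng.randrange(n), rng.randrange(n)
        if a != b and b not in adj[a]:
            adj[a].add(b)
            adj[b].add(a)
            placed += 1
    return adj


def edge_count(adj):
    return sum(len(nbrs) for nbrs in adj.values()) // 2


def degree_summary(adj):
    """(mean degree, max degree, number of hubs with degree above 5 * mean)."""
    degrees = [len(nbrs) for nbrs in adj.values()]
    mean = sum(degrees) / len(degrees)
    return mean, max(degrees), sum(1 for k in degrees if k > 5 * mean)


def degree_distribution(adj):
    """Map degree k -> number of nodes with that degree."""
    return Counter(len(nbrs) for nbrs in adj.values())


if __name__ == "__main__":
    ba = barabasi_albert(1000, m0=3, m=3, seed=1)  # the thesis' N=1000, m0=m=3
    er = random_graph(1000, edge_count(ba), seed=1)
    print("BA     mean/max/hubs:", degree_summary(ba))
    print("random mean/max/hubs:", degree_summary(er))
    dist = degree_distribution(ba)
    for k in sorted(dist):
        print(f"degree {k}: {dist[k]} nodes")
```

Both graphs have the same mean degree, but the BA graph's maximum degree is several times larger and a handful of early nodes become hubs, while the random graph's degrees cluster tightly around the mean. Those hubs are why the degree of the victim node matters in the DDoS study of Chapter 5.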

1.4 Thesis overview

The remainder of this thesis is organized as follows:

Chapter 2: In this chapter, the problem of attacks on STP is addressed. We propose a novel solution that partitions a STP network into two tiers of switching networks. The purpose of the partitioning is to hide the STP operation of the network infrastructure (i.e. the higher-tier switching network) from the lower-tier switching network (that connects to end computers). It is expected that after the partitioning, the lower-tier switching network and its connected end computers cannot launch STP attacks against the network infrastructure. To realise the partitioning, a new kind of Ethernet boundary switch is designed and implemented. These boundary switches on one hand participate in the normal STP operations of both tiers of networks; on the other hand, the modified STP operations inside the boundary switches actually partition the STP operations into a network infrastructure region and a lower-tier network region. Experiments on the implemented boundary switches were also run. The results show that the boundary switches were fully functional and could successfully stop STP attacks launched from the lower-tier network. In the next chapter, the solution is extended to multiple tiers and an analysis of the solution is given.

Chapter 3: This chapter presents a modified STP to solve the security problems of the conventional spanning tree protocol. A network using the modified STP is partitioned into many tiers. The security performance of the modified protocol is studied and compared with that of the conventional STP under all known STP attacks. The results show a significant reduction in the number of affected switches under the non-DoS STP attacks when the modified STP is used. For DoS STP attacks, the CPU utilization of switches in handling STP topology changes can be reduced by orders of magnitude when the modified STP is used. The implementation is introduced in detail in the next chapter.

Chapter 4: This chapter discusses the development of novel switching devices using embedded microprocessing systems. It first reviews basic Ethernet switch operations and the Spanning Tree Protocol (STP). It then gives a brief analysis of the Linux STP implementation and bridge configuration tools. The aim of the analysis is to lay a foundation for the later discussion on how novel switching devices can be developed based on the bridging code. To facilitate the discussion, a new kind of Ethernet switch (with modified STP operations) is used as an example. This practical example demonstrates how kernel programming on Linux and some modifications to configuration tools can be made to develop new switching devices. Experiments on the newly developed switches are also reported. The results show that these new switches can provide better security for STP networks. At the end of the chapter, a discussion on how to port the design to embedded microprocessing systems is also given.

Chapter 5: In this chapter, we investigate DDoS attacks in the Internet with congested links. Two new modelling choices, links with finite buffers and keeping the attacked node in the network, are used to model the routers and the DDoS attack more realistically. The results show that the robustness of the network depends more on the number of attackers than on the degree of the victim.

Chapter 6: This chapter summarises the thesis and presents several points of research arising from this work which should be pursued.

12

Chapter 2

Improving Network Infrastructure Security by Partitioning Networks Using Spanning-Tree Protocol

Chapter Summary - In this chapter, the problem of attacks on STP is addressed. The chapter proposes a novel solution that partitions a STP network into two tiers of switching networks. The reason for the partitioning is to hide the STP operation of the network infrastructure (i.e. the higher tier switching network) from the lower tier switching network (the one that connects to end computers). It is expected that after the partitioning, the lower tier switching network and its connected end computers cannot launch STP attacks against the network infrastructure. To realise the partitioning, a new kind of Ethernet boundary switch is designed and implemented. These boundary switches on one hand participate in the normal STP operations of both tiers of networks. On the other hand, the modified STP operations inside the boundary switches actually partition the STP operations into a network infrastructure region and a lower tier network region. Experiments on the implemented boundary switches were also run. The results show that the boundary switches were fully functional and could successfully stop STP attacks launched from the lower tier network. In the next chapter, the solution is extended to multiple tiers and analysed.



2.1 Introduction

Although Spanning Tree Protocol (STP), IEEE 802.1D, has been used in production networks for many years, it is only recently that researchers have started to study its security performance. In [Mar03], an excellent discussion on attacks and pitfalls of STP is given. As discussed, the pitfalls of STP are: 1) lack of authentication in BPDU messages; 2) slow convergence of STP; 3) the root role is not fully monitored; and 4) complex state machines (which require a lot of computation in a switch) make the switches easier to attack. Due to these pitfalls, a network running STP can easily be attacked, especially when an attacker can physically access the network.

There are some previous works on enhancing the security of STP. In [SKB01], an approach that tunes the cost of links for achieving STP stability is proposed. A set of formulae is provided for setting the port costs of the switches to provide STP stability. Although this approach works well for the network topology under study, it does not work under other network situations. Cisco proposed a technique called ROOT guard, discussed in [CISG]. ROOT guard successfully stops attacks like root role claiming launched against the network. However, ROOT guard cannot stop other network infrastructure attacks, as discussed in [GMM03]. Another problem with ROOT guard is that it is mutually exclusive with LOOP guard [CISL]. LOOP guard is used for preventing loops when a link fails in one sending direction (not both). When LOOP guard is enabled at a port, ROOT guard will always be disabled at that port. BPDU guard ([CISB]) is another technique proposed by Cisco to enforce the STP domain border. A switch port with BPDU guard enabled will not accept BPDU messages. If BPDU messages are received on the port, the BPDU guard operation disables the port. Since BPDU guard does not allow new switches to be connected to such ports, it opposes the spirit of the STP design (as commented by the author of [GMM03]).

A brief survey of the previous research shows that no existing solution completely solves the security problems of STP. In this chapter, the security problem of STP is proposed to be solved by partitioning a STP network into two tiers of switching networks. The solution will stop all STP attacks launched from the lower tier network (i.e. the network nearer to end computers) from affecting the higher tier network. It also does not oppose the design spirit of STP (i.e. new switches can be added freely) and works with existing STP techniques like LOOP guard.

2.2 Improving Network Infrastructure Security by Partitioning a STP Network
The novel concept of partitioning a network infrastructure into a Network Infrastructure (NI) network and a Non-Network Infrastructure (NNI) network was first proposed in [Yeu05]. As shown in Figure 2.1, a STP network is partitioned into two switched networks. New boundary switches running modified STP operations are designed and used for connecting the two networks together. These boundary switches also run STP, and cooperate with the switches in both the NI and NNI networks to prevent loops in the whole network. However, the boundary switches perform additional functions compared with ordinary switches. First, they make the switches in the NNI network unaware of the STP details of the NI network. The details include STP information like root ID and costs, and topology changes in the NI network. Second, they make the NI network unaffected by topology changes in the NNI network. Note that with such boundary switches, the NI network can be protected from STP attacks that are launched from the NNI network. On the other hand, new switches can freely be added to both networks. This follows the design spirit of STP. It is also expected that techniques like LOOP guard can still be used in the boundary switches.

Figure 2.1 Boundary switches partition the Non-Network Infrastructure (NNI) network (that connects to end computers) from the Network Infrastructure (NI) network.

In each boundary switch, there are two kinds of ports: NI ports that connect to the NI network, and NNI ports that connect to the NNI network. There is only one root for both networks, and it is always located inside the NI network. BPDU messages will be sent from the root and eventually received by the NI ports of each boundary switch. At the NI side, the boundary switch behaves exactly like an ordinary switch. At the NNI side, however, a modification to the STP operation is made. When BPDU messages are received from the NI ports and are ready to be passed to the NNI ports, the boundary switch performs two modifications on the BPDU messages: 1) the root ID is changed to a constant value called Pseudo_root ID (the value of Pseudo_root ID can be any value in the range root ID < Pseudo_root ID < minimum ID of the switches in the NNI network; the Pseudo_root ID value, however, must be the same for all boundary switches); and 2) the root path cost is reset to another constant value called Pseudo_root_path_cost. Note that in doing this, the boundary switches give a consistent but virtual view to the switches in the NNI network: the root of the STP network has a root ID of Pseudo_root ID and the path cost from the boundary switches to the root is Pseudo_root_path_cost. To prevent the STP operation of the NI network from being affected by the NNI network, the boundary switches will only accept switches with an ID worse than Pseudo_root ID on the NNI ports. When BPDUs with invalid root IDs (i.e. smaller than Pseudo_root ID) are received by the boundary switches from the NNI ports, the ports will be blocked. Note that all the switches in the NI network should also be set with an ID lower than Pseudo_root ID. The real root will then always be elected from the NI network, and never from the NNI network.

2.3 Implementation and Experiment


The boundary switches discussed above have been implemented by modifying the bridge code of the Linux kernel. PCs (with multiple Ethernet interfaces) running the modified code were connected to a testing network as shown in Figure 2.2. In the network, there are six bridges named Br1, Br2, …, Br6. Br1 and Br2 (with bridge priority 0x2000) are bridges in the network infrastructure. Br5 and Br6 (with bridge priority 0x3000) are bridges in the lower tier network. The boundary switches in the network are Br3 and Br4 (with bridge priority 0x2710). In our testing, two experiments were run. In the first experiment, Br3 and Br4 worked as normal bridges. In the second experiment, the modified bridge code was run in Br3 and Br4 to make them function as boundary switches. In both experiments, STP attacks were launched from the computer connected to Br6. A STP attacking software named “yersinia” (see [YER]) was run on the computer. The software generated 4000 STP configuration messages per second to Br6, all with bridge IDs lower than the root ID (i.e. 0x2000). This forced the bridges to re-run the STP algorithm frequently. After that, ping tests from Br1/Br2 to Br4, Br5 & Br6 were made. The ping tests were to check the percentage of packet loss due to the performance degradation of the bridges (since the bridges might be busy re-running the STP algorithm).

Figure 2.2 The testing network

Table 2.1 shows the results of the experiments. As shown, a change of STP root occurred when the network was not partitioned. A very high percentage of packet drops was also observed during the ping tests. This shows that the network performance was severely affected by the STP attack. The benefit of using the proposed method is also clearly observed from the table (see the last row in the table). After the network infrastructure partitioning, the boundary switches successfully stopped the STP attack on the network infrastructure. No packet loss was observed when ping messages passed through the unaffected bridges (i.e. Br1 to Br5). The boundary switches (Br3 and Br4) had successfully isolated the source of the STP attack, namely Br6. In conclusion, the method proposed in this chapter can improve the network infrastructure security of STP networks.

           



Table 2.1 Results of the experiments.

2.4 Chapter Conclusion

This chapter proposed a new solution to secure STP networks. The results show that after the network infrastructure partitioning, the boundary switches successfully stopped the STP attack on the network infrastructure.



Chapter 3

Secure Spanning Tree Protocol using Network Partitioning

Chapter Summary - This chapter presents a modified STP to solve the security problems of the conventional spanning tree protocol. A network using the modified STP is partitioned into many tiers. The security performance of the modified protocol is studied and compared with that of the conventional STP under all known STP attacks. The results show a significant reduction in the number of affected switches under the Non-DoS STP attack when the modified STP is used. For DoS STP attacks, the CPU utilization of switches in handling STP topology changes can be reduced by many orders of magnitude when the modified STP is used. The implementation is introduced in detail in Chapter 4.



3.1 Background

With society’s increasing reliance on computer networks, even minor disruptions in a network may be unacceptable in the future. This has motivated much previous research on switching networks. For example, minimization of end-to-end delay time in switching networks is discussed in [DC07]. In [EM06], an analysis of output queued switches is given. To provide undisrupted service, switching networks are required to be on one hand fault tolerant [FH06], and on the other hand free from attacks by malicious attackers. These two requirements are both important in providing an undisrupted service by a switching network.

Spanning Tree Protocol (STP), IEEE 802.1D [IEEE], is a protocol to improve the fault tolerance of switching networks. Although STP has been used in production networks for many years, it is only recently that researchers have started to study its security performance. In [Gmm03], an excellent discussion on attacks and pitfalls of STP is given. As discussed, the pitfalls of STP are: 1) lack of authentication in Bridge Protocol Data Unit (BPDU) messages; 2) slow convergence of STP; 3) the root role is not fully monitored; and 4) complex state machines (which require a lot of computation in a switch) make the switches easier to attack. Due to these pitfalls, a network running STP can easily be attacked, especially when an attacker can physically access the network.

There are some previous works on enhancing the security of STP. In [SKB01], an approach that tunes the cost of links for achieving STP stability is proposed. A set of formulae is provided for setting the port costs of the switches to provide STP stability. Although this approach works well for the network topology under study, it does not work under other network situations.

Cisco proposed a technique called ROOT guard, discussed in [CISR]. ROOT guard successfully stops attacks like root role claiming launched against the network. However, it is a Cisco proprietary technique, so it may not be used widely by other vendors. More importantly, ROOT guard cannot stop other network infrastructure attacks as discussed in [Gmm03], for example the flood of configuration message BPDUs with the TC flag on and the flood of topology change notification BPDUs. Another problem with ROOT guard is that it is mutually exclusive with LOOP guard [CISL]. LOOP guard is used for preventing loops when a link fails in one sending direction (not both). When LOOP guard is enabled at a port, ROOT guard will always be disabled at that port. Besides, ROOT guard still allows end users to access infrastructure information, like the root id of the network. It is easier for attackers to attack a network when this information is known.

BPDU guard ([CISB]) is another patent taken out by Cisco to enforce the STP domain border. Switch ports with BPDU guard enabled will not accept BPDU messages. If BPDU messages are received from one of these ports, the BPDU guard operation will disable the port. Since BPDU guard does not allow new switches to be connected to these ports, it opposes the spirit of the STP design (as commented by the author of [Gmm03]). In addition, it is not an open standard, and other parties cannot use the technique freely.

A brief survey of the previous research shows that no existing solution completely solves the security problems of STP. In this chapter, the security problem of STP is proposed to be solved by partitioning a STP network into many tiers of switching networks. The solution will stop all STP attacks launched from the lower tier networks (i.e. networks nearer to end computers) from affecting the higher tier networks. It also does not oppose the design spirit of STP (i.e. new switches can be added freely). Finally, the solution works with existing STP techniques like LOOP guard.

The rest of this chapter is organized as follows. In section 3.2 the proposed solution is discussed. To prove that the solution is feasible, an implementation of the proposed method has been built; this is reported in section 3.3. In section 3.4, we evaluate the security performance of the proposed solution by comparing it to that of the conventional spanning tree protocol. The chapter then concludes in section 3.5.

3.2 Improving Network Infrastructure Security by Partitioning a STP Network

The novel concept of partitioning a network infrastructure into two tiers was first proposed in [YL06]. In this chapter, we extend the idea by partitioning a switching network into multiple tiers. As shown in Figure 3.1, a STP network is composed of many switches. Every switch has a set of parameters in the spanning tree protocol, such as bridge id and root id. Let $\alpha_{i,j}$ be the bridge id of the $j$th switch in tier $i$, and denote the switch as $SW_{i,j}$. Let $\beta_{i,j}$ be the smallest bridge id received in BPDUs by $SW_{i,j}$. Let $R_{id}$ be the root id in the network. When the topology reaches a stabilized state, the switch with the smallest bridge id will be elected as the root bridge and this bridge id will become the root id. We assume switch 1 in tier 1 is the root bridge, so that $R_{id} = \alpha_{1,1} = \beta_{i,j} < \alpha_{i,j}$ for all $i \neq 1, j \neq 1$. For any switch, if it receives a smaller bridge id than the current root id, it will change the root id to the new smallest value. So if $SW_{x,y}$ claims to be the new root by advertising an $R_{id}$ equal to $\beta_{x,y}$ with $\beta_{x,y} < \alpha_{1,1}$, then all the switches will be affected and all switches will take $SW_{x,y}$ as the new root.



Figure 3.1 A switching network with t tiers of switches.

In our proposed solution, a spanning tree protocol topology is built in a layered fashion. To see how this is built, see Figure 3.2. As shown in the figure, a switch in the network ($SW_{i,j}$ is used as an example) has two kinds of ports: Higher Tier (HT) ports that connect to a higher tier network, and Lower Tier (LT) ports that connect to a lower tier network. For switches in tier 1, HT ports connect only to the other switches in tier 1, since tier 1 is the highest tier. One of the switches in tier 1 will be elected as the root bridge (e.g., $SW_{1,1}$ in our discussion) and the other switches in the tier will find the fastest path to the root via their HT ports. The HT ports, therefore, perform conventional STP operations as normal. This is the same for all HT ports in all lower tier switches. On LT ports, however, a modified spanning tree operation is run. The modification is that a pseudo root id, denoted as $PRid_i$ for tier $i$, is advertised out of the LT ports. Note that the pseudo root id must be the same for all switches in the same tier. There are two reasons for advertising a pseudo root id. Firstly, it protects the switch information of the root (e.g., from the MAC address in the root id an attacker can learn the manufacturer of the root switch).

Figure 3.2 Switches at tier $i$ advertise a pseudo root id $PRid_i$ and a pseudo root cost $PRcost_i$ to the lower tier $i+1$.

Secondly, the root switch can be kept in the first tier if the pseudo root ids are selected carefully so that $PRid_i < PRid_{i+1}$ for all $i$. In doing so, if a root id better than the pseudo root of a tier is received from a LT port, it can be considered an abnormal condition. That port can be blocked in order to protect the network.

(1) Port enabled, by management or initialization
(2) Port disabled, by management or failure
(3) Algorithm selects as Designated or Root Port
(4) Algorithm selects as Alternate Port
(5) Protocol timer expiry (Forwarding Timer)
(6) Abnormal advertisement detected (for LT ports only)

Figure 3.3 State diagram of switch ports.

As shown in Figure 3.2, a pseudo root cost, denoted as $PRcost_i$ for tier $i$, is also advertised out of the LT ports. Similar to the pseudo root id, the purpose of the pseudo root cost is to hide the real cost of the path to the root (which can be used to learn the topology of the network). Normally $PRcost_i < PRcost_{i+1}$ for all $i$.

Figure 3.3 shows the state diagram of the ports of a switch running the modified STP operations. The diagram is the same as given in [IEEE] with the only exception that for LT ports a new rule (6) is added. This rule is not used for HT ports. The new rule enhances the security of STP by checking whether the BPDUs received on a LT port carry information that tries to change the current topology. If such a case is detected, the BPDUs are considered to have been sent by an attacker, so the port will be blocked. During the checking, a rate limit on Topology Change Notifications (TCNs) is set to protect the switch from TCN flooding attacks. In a normal network, TCNs are received at a very low rate. If the rate of received TCNs is beyond the rate limit, the situation is regarded as abnormal and that port will be blocked.
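The LT-port rules of sections 2.2 and 3.2 (pseudo root id and cost rewriting, rule (6), and the TCN rate limit) as a small Python simulation. This is an added example, not the thesis's Linux kernel code; the class and function names, the link costs, the MAC parts of the bridge ids, the pseudo values and the TCN limit of 5 per second are assumptions, while the priorities 0x2000, 0x2710 and 0x3000 are those of the Chapter 2 test network.

```python
"""Simulation of the tiered-STP LT-port rules (constructed model, not the kernel code)."""
from dataclasses import dataclass, field

# A bridge id is (priority, MAC); 802.1D compares them lexicographically, lower is better.
# The MAC parts below are constructed placeholders.
BridgeId = tuple


@dataclass
class Bpdu:
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId


@dataclass
class LtPort:
    name: str
    blocked: bool = False
    reason: str = ""
    tcn_arrivals: list = field(default_factory=list)  # timestamps of TCNs seen on this port


class TieredSwitch:
    """Switch in tier i: conventional STP on HT ports, modified STP on LT ports."""

    def __init__(self, bridge_id, pseudo_root_id, pseudo_root_cost,
                 tcn_rate_limit=5, tcn_window=1.0):
        self.bridge_id = bridge_id
        self.pseudo_root_id = pseudo_root_id      # PRid_i, identical for every switch in the tier
        self.pseudo_root_cost = pseudo_root_cost  # PRcost_i
        # The thesis sets a TCN rate limit but gives no value; 5 per second is an assumption.
        self.tcn_rate_limit = tcn_rate_limit
        self.tcn_window = tcn_window
        self.root_id = bridge_id        # the real root, learned on HT ports only
        self.root_path_cost = 0

    def receive_ht(self, bpdu, link_cost):
        """HT port: unmodified 802.1D root selection (better root id, then lower cost)."""
        cost = bpdu.root_path_cost + link_cost
        if bpdu.root_id < self.root_id or (bpdu.root_id == self.root_id and cost < self.root_path_cost):
            self.root_id, self.root_path_cost = bpdu.root_id, cost
        return self.root_id, self.root_path_cost

    def advertise_lt(self):
        """Config BPDU sent out of LT ports: the real root id and path cost are replaced by
        the pseudo values, so lower-tier switches never learn Rid or the real topology cost."""
        return Bpdu(self.pseudo_root_id, self.pseudo_root_cost, self.bridge_id)

    def receive_lt(self, port, bpdu):
        """Rule (6): no legitimate lower-tier switch can advertise a root better than PRid_i,
        so such a BPDU blocks the port. Nothing received on an LT port touches the HT-side root."""
        if port.blocked:
            return False
        if bpdu.root_id < self.pseudo_root_id:
            port.blocked, port.reason = True, "root id better than pseudo root id"
            return False
        return True

    def receive_lt_tcn(self, port, now):
        """TCN rate limit: more than tcn_rate_limit TCNs within tcn_window blocks the port."""
        if port.blocked:
            return False
        port.tcn_arrivals = [t for t in port.tcn_arrivals if now - t < self.tcn_window]
        port.tcn_arrivals.append(now)
        if len(port.tcn_arrivals) > self.tcn_rate_limit:
            port.blocked, port.reason = True, "TCN rate limit exceeded"
            return False
        return True


def demo():
    """Boundary switch Br3 (priority 0x2710) between root Br1 (0x2000) and lower-tier Br6 (0x3000)."""
    br3 = TieredSwitch(bridge_id=(0x2710, 0x03), pseudo_root_id=(0x2800, 0x00), pseudo_root_cost=10)
    real_root = (0x2000, 0x01)
    br3.receive_ht(Bpdu(real_root, 0, real_root), link_cost=19)   # root BPDU arrives on an HT port
    lt_bpdu = br3.advertise_lt()                                   # the view Br6 is given
    port = LtPort("eth2")
    normal = br3.receive_lt(port, Bpdu((0x2800, 0x00), 29, (0x3000, 0x06)))  # Br6 echoes the pseudo root
    bogus = br3.receive_lt(port, Bpdu((0x1000, 0xFF), 0, (0x1000, 0xFF)))    # a "better" root on an LT port
    tcn_port = LtPort("eth3")
    tcn_results = [br3.receive_lt_tcn(tcn_port, now=0.1 * n) for n in range(6)]  # 6 TCNs in 0.5 s
    return {
        "advertised_root": lt_bpdu.root_id,
        "advertised_cost": lt_bpdu.root_path_cost,
        "real_root_kept": br3.root_id == real_root and br3.root_path_cost == 19,
        "normal_accepted": normal,
        "bogus_accepted": bogus,
        "port_blocked": port.blocked,
        "tcn_accepted": tcn_results,
        "tcn_port_blocked": tcn_port.blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```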

3.3 Implementation

The switch function discussed above has been implemented in the Linux kernel. In the following we only discuss the implementation of STP in Linux. For further details on how a bridge or switch is implemented in Linux, please refer to reference [Ben05].

Figure 3.4 Flow of STP operations in Linux codes (routines shown: br_stp_handle_bpdu with its net_bridge_port *p argument, br_received_config_bpdu, br_received_tcn_bpdu, br_reply, br_config_bpdu_generation, br_topology_change_acknowledge and br_transmit_config in br_stp.c and br_stp_bpdu.c, then br_send_bpdu, and dev_queue_xmit in dev.c).



Figure 3.5 Experimental setup to test the implementation.

When STP is enabled on the bridge, BPDUs are generated. BPDUs are also accepted on any enabled port. Figure 3.4 shows the key routines for processing BPDUs in the Linux kernel. br_stp_bpdu.c and br_stp.c are the two main C files that implement the operations of STP. br_stp_bpdu.c takes care of received BPDUs and sends the updated config BPDUs or Topology Change Notification BPDUs to the hardware via dev.c. On the other hand, br_stp.c generates BPDUs according to the STP algorithm. From these two C files, it is found that the functions br_stp_handle_bpdu and br_transmit_config can be modified to implement the new STP operations discussed above: function br_stp_handle_bpdu can be changed to block the abnormal BPDU, and function br_transmit_config can be changed to generate $PRid_i$ and $PRcost_i$.

We have implemented the modified spanning tree protocol on Linux-based computers as well as Linksys WRT54G broadband routers [LIN]. The implementations [YY08] were tested in an experimental network as shown in Figure 3.5. All six switches were computers running the modified Linux code. The switch implemented by the broadband router also ran our modified code. The two PCs acted as the attacking sources against the network.

All known STP attacks were launched against the network. The experimental results show that the proposed solution can stop all STP attacks launched from the lower tier networks. The details of the implementation are reported in the next chapter.

Category of STP Attacks    STP Attacks
Non-DoS                    Single-homed root role claiming
                           Dual-homed root role claiming
                           Internal node role claiming
                           Tree segmentation
DoS                        Flood of configuration message BPDUs with TC flag on
                           Flood of topology change notification BPDUs
                           Flood of configuration message BPDUs claiming root role

Table 3.1 All known STP attacks

3.4 Evaluation of the Proposed Solution

The proposed solution can stop all known attacks on STP as given in [Gmm03]. These attacks on the spanning tree protocol can be divided into two categories: Non-DoS and DoS attacks (see Table 3.1). Based on the different nature of these two categories of attacks, different evaluation methods can be used to evaluate the security performance of the proposed solution. This is discussed in the following.

In the category of Non-DoS attacks, a station or switch maliciously claims an active role in the STP topology. This category of attacks includes single-homed root role claiming, dual-homed root role claiming, internal node role claiming and tree segmentation. The effect of such attacks on a network is reflected by the number of switches that change their STP states when attacked. Therefore, the number of switches compromised by the malicious information can be used as the performance index of a STP network. A mathematical model will be set up to calculate this index when a single switch attack is launched on a network.

DoS attacks are launched by sending a steady flood of bogus BPDUs to a network. This forces continuous spanning tree recalculation, thereby creating a DoS condition due to the limited computational power of the switches [4]. There are several DoS attacks: flood of configuration message BPDUs with TC flag on, flood of topology change notification BPDUs, and flood of configuration message BPDUs claiming root role. Since the purpose of a DoS attack is to stop connectivity, the utilization of the switches’ processors under the attack is chosen as the performance indicator of a network. The performance indicators of the conventional STP network and the proposed networks will be studied and reported in this chapter.

3.4.1 Non-DoS attacks

Assume that at any time there is one single source of attack. For conventional STP, all switches are affected, i.e. the number of affected switches equals $\sum_{i=1}^{t} n_i$, where $n_i$ is the number of switches in tier $i$. In our proposed design the number of affected switches can be obtained as described below.

Let matrix $C_i = [c_1\ c_2\ \cdots\ c_p\ \cdots\ c_{n_i}]$ be the attack states of the switches in tier $i$. $c_p$ is a Boolean value and stands for the state of the $p$th switch in tier $i$. A 1 stands for the corresponding switch being attacked and 0 stands for not being attacked. So $C_i$ is called a one-zero matrix. Note that we only consider one single source of attack. Without loss of generality, assume the one and only switch being attacked is $SW_{r,s}$. Therefore, there is only one “1” in all the $C_i$’s.

Let matrix
$$M_{i,x} = \begin{bmatrix} m_{11} & m_{12} & \cdots & m_{1 n_x} \\ m_{21} & \ddots & & \\ \vdots & & m_{pq} & \\ m_{n_i 1} & & & m_{n_i n_x} \end{bmatrix}$$
be the connections among switches in tier $i$ and switches in tier $x$. $m_{pq}$ stands for the connection between the $p$th switch in tier $i$ and the $q$th switch in tier $x$. A Boolean value 1 stands for a direct connection between the two switches, and 0 stands for no connection. We assume that the state of connection of a switch with itself is 1. So the matrix $M_{i,x}$ is also a one-zero matrix.


Let matrix $\bar{C}_i$ represent the complete attack state of the switches in tier $i$. This includes the attacked switch (if $i = r$) plus all affected switches in tier $i$. Note that switches in tier $i$ will be affected only when the attack is launched at tier $i$ or above. For an attack on a switch in tier $r$ which is higher than or equal to tier $i$, i.e. $r \leq i$, $\bar{C}_i$ can be obtained from
$$\bar{C}_i = C_r \circ M_{r,r} \circ M_{r,r+1} \circ \cdots \circ M_{r,i} \circ \cdots \circ M_{r+1,r+1} \circ \cdots \circ M_{r+1,i} \circ \cdots \circ M_{i,i} \quad \text{(Equation 3.1)}$$
where $\circ$ denotes a Boolean product. Equation 3.1 is obtained based on two facts. Firstly, an attack launched at tier $r$ will affect switches at tier $r$ or lower only. Switches at tiers higher than $r$ are not affected. This is because the higher tier switches will block the ports connecting to tier $r$ once an attack is detected. Secondly, not all switches in tier $r$ or below will be affected. Instead, only those switches that have connections (directly or indirectly through intermediate switches) to the switch being attacked will be affected.

Next, let matrix $D_i = [d_1\ d_2\ \cdots\ d_p\ \cdots\ d_{n_i}]$ be the numerical representation of $\bar{C}_i$, i.e. $d_p$ has a decimal value as given by
$$d_p = \begin{cases} 1 & \text{when } c_p = 1 \\ 0 & \text{when } c_p = 0 \end{cases} \quad \text{(Equation 3.2)}$$
Note that $d_p$ is a number while $c_p$ is a Boolean value. As shown below, $D_i$ will be used to calculate the number of affected switches in the network. Let $L_u$ be the number of affected switches in tier $u$. $L_u$ is obtained as
$$L_u = \sum_{p=1}^{n_u} d_p \quad \text{(Equation 3.3)}$$
Let $K_{r,s}$ be the number of affected switches when $SW_{r,s}$ is attacked. $K_{r,s}$ is obtained as
$$K_{r,s} = \sum_{u=1}^{t} L_u \quad \text{(Equation 3.4)}$$
Further, let $B_{r,s}$ be the probability that, given that one switch is attacked, switch $SW_{r,s}$ is the one being attacked. $B_{r,s}$ depends on the physical location of the switch, the number of people owning the access right to the switch, and how easily the switch is accessed both physically and remotely. Let $\mu$ be the mean number of attacked switches in the network. It is easy to obtain $\mu$ as:
$$\mu = \sum_{r=1,\,s=1}^{r=t,\,s=n_r} B_{r,s} \, K_{r,s} \quad \text{(Equation 3.5)}$$
Let $\sigma$ be the standard deviation of $K_{r,s}$, given as:
$$\sigma = \sqrt{\sum_{r=1,\,s=1}^{r=t,\,s=n_r} (K_{r,s} - \mu)^2 \, B_{r,s}} \quad \text{(Equation 3.6)}$$

Based on $\mu$ we can tell how effective an attack on the network is. A large $\mu$ shows that an attack on the network will affect most of the network; therefore the network is not secure. A smaller $\mu$ means a more secure network. However, if $\mu$ is low but $\sigma$ is high, it shows that part of the network is not well designed: there exist weak points which, when attacked, will significantly affect the whole network.

Numerical Examples:

To see how the analysis described above works, consider a STP network as shown in Figure 3.6. The connections shown in the diagram can be represented by the following matrices:
$$M_{1,1} = [1\ 1], \qquad M_{1,2} = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \qquad M_{2,2} = [1\ 1]$$

Figure 3.6 A simple STP network ($SW_{1,1}$ and $SW_{1,2}$ in tier 1, $SW_{2,1}$ and $SW_{2,2}$ in tier 2).

Assume that $B_{1,1} = 0.1$, $B_{1,2} = 0.1$, $B_{2,1} = 0.4$, $B_{2,2} = 0.4$, and $SW_{1,1}$ is the root bridge of the network.

If $SW_{1,1}$ is attacked directly, then $C_1 = [1\ 0]$, $C_2 = [0\ 0]$. From Equation 3.1 we get
$$\bar{C}_1 = C_1 \circ M_{1,1} = [1\ 1]$$
$$\bar{C}_2 = C_1 \circ M_{1,1} \circ M_{1,2} \circ M_{2,2} = [1\ 1]$$
Then using Equation 3.2 we obtain $D_1 = [1\ 1]$, $D_2 = [1\ 1]$. From Equations 3.3 and 3.4, the number of affected switches when $SW_{1,1}$ is attacked is $K_{1,1} = 4$.

Similarly, we can find that $K_{1,2}$ equals 4, and $K_{2,1}$ and $K_{2,2}$ both equal 2. Finally, from Equations 3.5 and 3.6, we obtain:
$$\mu = \sum_{i=1,\,j=1}^{i=t,\,j=n_i} B_{i,j} \, K_{i,j} = 2.4$$
$$\sigma = \sqrt{\sum_{i=1,\,j=1}^{i=t,\,j=n_i} (K_{i,j} - \mu)^2 \, B_{i,j}} = 0.8$$

Figure 3.7 Typical topology of switching network ($SW_{1,1}$ and $SW_{1,2}$ in tier 1; $SW_{2,1}$ to $SW_{2,6}$ in tier 2).



Case  Attack probabilities of the case                                   Conventional STP    Proposed STP
                                                                          µ      σ            µ      σ
1     Uniform                                                             8      0            2.75   1.8
2     B1,1 = B1,2 = 0.05,                                                 8      0            2.2    2.15
      B2,1 = B2,2 = B2,3 = B2,4 = B2,5 = B2,6 = 0.15
3     B1,1 = B1,2 = 0.25,                                                 8      0            4.5    1.49
      B2,1 = B2,2 = B2,3 = B2,4 = B2,5 = B2,6 = 1/12 (≈ 0.0833)
4     B1,2 = 0.5,                                                         8      0            5      3.46
      B1,1 = B2,1 = B2,2 = B2,3 = B2,4 = B2,5 = B2,6 = 1/14 (≈ 0.0714)
5     B2,4 = 0.5,                                                         8      0            2      2.45
      B1,1 = B1,2 = B2,1 = B2,2 = B2,3 = B2,5 = B2,6 = 1/14 (≈ 0.0714)

Table 3.2 Results of various attack probabilities of the network in Figure 3.7

This $\mu$ (2.4) is smaller than the $\mu$ of conventional STP, which is equal to 4 (since an attack at any one of the four switches affects all four switches). In other words, when this network is attacked, on average the number of switches affected when our solution is used is 40% less than that of conventional STP. This is a significant improvement.

Secondly, a typical network topology for production networks (see [CNP]) is used to show the security enhancement of our proposed method. Figure 3.7 shows the connections of the switches under study. The five cases in Table 3.2 represent five typical security situations of networks. Case 1 represents all the switches having the same probability of being attacked. Case 2 represents a well-designed network where switches in tier 1 are more secure than those in tier 2. Case 3 represents a poorly-designed network where switches in tier 1 are more vulnerable than those in tier 2. Case 4 represents a network where one switch in tier 1 is the most vulnerable (i.e. a single weak point in tier 1). Case 5 represents a network where one switch in tier 2 is the most vulnerable.

The comparison of $\mu$ shows that fewer switches in the network are affected when running our proposed STP than when running conventional STP, under all five cases. The $\mu$ in Cases 3 and 4 is not as good as the $\mu$ in the other cases because the switches in tier 1 are not well protected in these two cases. $\sigma$ represents how widely the number of affected switches is spread. The largest $\mu$ and $\sigma$ occur in Case 4, where one switch in the first tier has a high attack probability. It shows that the higher tier has more influence on the whole network. If one switch in the higher tier is easily attacked, the whole network is dangerous and fragile. But note that even with this poor design, the value of $\mu$ (5) is still much better than that of conventional STP (which is 8).
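The affected-switch model of Equations 3.1 to 3.6 in Python, as an added example rather than code from the thesis. Equation 3.1 is implemented as reachability confined to tiers at or below the attacked tier (the two facts the text gives for it), which generalizes the two-tier Boolean products to any number of tiers; the Figure 3.7 wiring (each tier-2 switch uplinked to both tier-1 switches, no tier-2 cross-links) is an assumption since the figure is not reproduced here, and under it Cases 4 and 5 of Table 3.2 come out as tabulated.

```python
"""Affected-switch model of section 3.4.1 (constructed example, not the thesis's code)."""
from math import sqrt


def affected_switches(tiers, links, attacked):
    """Set of switches whose entry in the C-bar vectors is 1 when `attacked` is hit.

    tiers: {switch: tier number}; links: undirected (a, b) pairs, the 1 entries of M_{i,x}.
    Propagation never climbs above the attacked tier r, because a higher-tier switch blocks
    the LT port on which the abnormal advertisement arrives (rule 6)."""
    r = tiers[attacked]
    adj = {s: set() for s in tiers}
    for a, b in links:
        adj[a].add(b)
        adj[b].add(a)
    affected, frontier = {attacked}, [attacked]
    while frontier:
        s = frontier.pop()
        for n in adj[s]:
            if tiers[n] >= r and n not in affected:
                affected.add(n)
                frontier.append(n)
    return affected


def proposed_statistics(tiers, links, probabilities):
    """K_{r,s} for every switch (Equations 3.3 and 3.4), then mu (3.5) and sigma (3.6)."""
    k = {s: len(affected_switches(tiers, links, s)) for s in tiers}
    mu = sum(probabilities[s] * k[s] for s in tiers)
    sigma = sqrt(sum(probabilities[s] * (k[s] - mu) ** 2 for s in tiers))
    return k, mu, sigma


def conventional_statistics(tiers, probabilities):
    """Conventional STP: an attack anywhere reaches every switch, so K equals the switch count."""
    n = len(tiers)
    mu = sum(probabilities[s] * n for s in tiers)
    sigma = sqrt(sum(probabilities[s] * (n - mu) ** 2 for s in tiers))
    return round(mu, 4), round(sigma, 4)


# Figure 3.6: M_{1,1} links SW1,1-SW1,2, M_{1,2} is the identity, M_{2,2} links SW2,1-SW2,2.
FIG36_TIERS = {"SW1,1": 1, "SW1,2": 1, "SW2,1": 2, "SW2,2": 2}
FIG36_LINKS = [("SW1,1", "SW1,2"), ("SW1,1", "SW2,1"), ("SW1,2", "SW2,2"), ("SW2,1", "SW2,2")]
FIG36_PROBS = {"SW1,1": 0.1, "SW1,2": 0.1, "SW2,1": 0.4, "SW2,2": 0.4}


def figure_3_6():
    """Worked example of the text: expected K = (4, 4, 2, 2), mu = 2.4, sigma = 0.8."""
    k, mu, sigma = proposed_statistics(FIG36_TIERS, FIG36_LINKS, FIG36_PROBS)
    conv_mu, conv_sigma = conventional_statistics(FIG36_TIERS, FIG36_PROBS)
    return k, round(mu, 4), round(sigma, 4), conv_mu, conv_sigma


# Figure 3.7, assumed wiring (the figure is not on the page): tier-1 pair linked, every tier-2
# switch uplinked to both tier-1 switches, no links between tier-2 switches.
FIG37_TIERS = {"SW1,1": 1, "SW1,2": 1, **{f"SW2,{j}": 2 for j in range(1, 7)}}
FIG37_LINKS = [("SW1,1", "SW1,2")] + [
    (t1, f"SW2,{j}") for j in range(1, 7) for t1 in ("SW1,1", "SW1,2")
]


def table_3_2_case(probabilities):
    """mu and sigma of the proposed STP for one row of Table 3.2, to two decimals."""
    _, mu, sigma = proposed_statistics(FIG37_TIERS, FIG37_LINKS, probabilities)
    return round(mu, 2), round(sigma, 2)


def case_4_probabilities():
    """Case 4: one tier-1 switch is the weak point."""
    return {s: (0.5 if s == "SW1,2" else 1 / 14) for s in FIG37_TIERS}


def case_5_probabilities():
    """Case 5: one tier-2 switch is the weak point."""
    return {s: (0.5 if s == "SW2,4" else 1 / 14) for s in FIG37_TIERS}


if __name__ == "__main__":
    print("Figure 3.6 (K, mu, sigma, conventional mu, sigma):", figure_3_6())
    print("Table 3.2 case 4:", table_3_2_case(case_4_probabilities()))
    print("Table 3.2 case 5:", table_3_2_case(case_5_probabilities()))
```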

3.4.2 DoS Attacks

3.4.2.1 Flood of configuration message BPDUs claiming root role
In this study, we assume there is no data traffic in the network. This is because when a STP network is under an attack, all ports of all switches in the network will be in the STP listening state. Since all the ports are in the listening state, no port is blocked in any switch and no data frame will be forwarded. We further assume the attack generates BPDUs at a fixed rate with a fixed inter-arrival time, and that the bridge ids of the attacking BPDUs are random. Any switch $SW_{i,j}$ in the network can be modeled as shown in Figure 3.8.

Figure 3.8 Model of a switch in the network for the evaluation of the flood of configuration message BPDUs claiming root role.

In the model, we let $\lambda_{i,j,k}$ be the arrival rate of BPDUs received at the $k$-th port of $SW_{i,j}$. Each input queue is the queue in which a frame waits for reception by a port. Let the service rate of each input queue be $\alpha$, with $\alpha > \lambda_{i,j,k}$ for a stable system. When a BPDU frame is received by a port, it enters the BPDU queue, where it waits to be processed by the STP operation. Let $\lambda_{i,j}$ be the BPDU arrival rate to the BPDU queue,

$$\lambda_{i,j} = \sum_{k=1}^{Z_{i,j}} \lambda_{i,j,k},$$

where $Z_{i,j}$ is the number of ports of $SW_{i,j}$. Let $\lambda_c$ be the hello BPDU arrival rate as generated by the hello process. Let the service rate of the BPDU queue be $\mu$, where $\mu > \lambda_{i,j}$ for a stable system. When a BPDU leaves the BPDU queue, it is processed by the BPDU decision process. This process determines whether a BPDU should be sent to the output queues or not: if the root ID advertised by the BPDU is better than the known root ID, the BPDU is sent to the output queues. Let $\beta_{i,j,k}$ be the BPDU arrival rate to the output queues, with $\beta_{i,j,k} = p\lambda_{i,j} + \lambda_c$, where $p$ is the probability that the root of the spanning tree should be changed. Let the service rate of the output queues be the same as that of the input queues, i.e. $\alpha$. If port $k$ connects to another switch, $\beta_{i,j,k}$ becomes the arrival rate to the connected port of that next switch.

The utilization of the server in the BPDU queue of switch $SW_{i,j}$, denoted $\rho_{i,j}$, reflects the CPU load of the switch in handling BPDUs. A high utilization means that the CPU is busy performing STP operations. We will compare the utilization of these servers in all switches under our proposed method with those of the switches in a conventional STP network.

In the normal situation (i.e. not under attack),

$$\rho_{i,j} = \frac{Z_{i,j}\lambda_c + \lambda_c}{\mu}, \qquad \text{(Equation 3.7)}$$

where $Z_{i,j}$ is the number of connected ports of $SW_{i,j}$.

Next, consider the situation when the network running conventional spanning tree protocol is under a flood of configuration message BPDUs claiming root role. We first need to calculate $p$. Recall that if $a$ and $b$ are integers randomly selected from fixed integer bounds, we have $P[a > b] = P[b > a]$. Therefore

$$P[\text{advertised root ID of attack BPDU} > \text{known root ID of switch}] = P[\text{advertised root ID of attack BPDU} < \text{known root ID of switch}] = p = \frac{1 - 2^{-64}}{2}$$

(note that the probability that the two root IDs are the same is $2^{-64}$). Having obtained $p$, we have

$$\rho_{i,j} = \frac{Z_{i,j}\,(p\lambda_a + \lambda_c)}{\mu}, \qquad \text{(Equation 3.8)}$$

where $\lambda_a$ is the attacking BPDU arrival rate.

Next, we attempt to obtain $\rho_{i,j}$ when our proposed method is used. When a network using the proposed method is attacked, higher tiers of switches are not attacked because all the BPDUs claiming root that are sent from the lower tiers are blocked. So if $SW_{f,g}$ is the switch being attacked, then we have

$$\rho_{i,j} = \begin{cases} \dfrac{Z_{i,j}\lambda_c + \lambda_c}{\mu} & i < f,\ \text{or}\ i \ge f \text{ and } c_j \text{ in } C_i \text{ equals } 0 \\[1ex] \dfrac{Y_{i,j}\,(p\lambda_a + \lambda_c)}{\mu} & i \ge f \text{ and } c_j \text{ in } C_i \text{ equals } 1 \end{cases} \qquad \text{(Equation 3.9)}$$

where $Y_{i,j}$ is the number of unblocked ports in $SW_{i,j}$ connected to lower tiers. In Equation 3.9, the first condition represents the case when the ports of $SW_{i,j}$ connect to switches that are not attacked. The second condition represents the case when some ports of $SW_{i,j}$ connect to switches that are attacked.

Figure 3.9 shows the numerical results when the network shown in Figure 3.7 is studied. We assume the attack is launched at $SW_{2,1}$, and $\lambda_c = 0.5$, $\mu = 100000$. The results in Figure 3.9 show that the CPU utilization $\rho$ of the switches in tier 1, and of the switches in tier 2 other than the directly attacked switch ($SW_{2,1}$), is significantly improved (by more than 3 orders of magnitude) after using our modified STP. Note that no improvement can be obtained for the directly attacked switch.

Figure 3.9 Results on the evaluation of Flood of Configuration Message BPDUs Claiming Root Role.
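As an added example (not code from the thesis), the following C program evaluates Equations 3.7 to 3.9 for a single switch so that the BPDU-queue utilization of conventional and tiered STP under a root-claiming BPDU flood can be compared; λ_c = 0.5 and µ = 100000 are the values used in the text, while the port counts Z and Y and the attack rate λ_a are constructed inputs.

```c
/* Added example, not the thesis's code: evaluates Equations 3.7-3.9 for a
 * single switch to compare the BPDU-queue utilisation of conventional and
 * tiered STP under a flood of configuration BPDUs claiming the root role.
 * lambda_c = 0.5 and mu = 100000 are the values used in the text; the port
 * counts Z and Y and the attack rate lambda_a are constructed inputs. */
#include <stdio.h>

#define LAMBDA_C 0.5        /* hello BPDU rate (from the text) */
#define MU       100000.0   /* BPDU queue service rate (from the text) */

/* Tolerance comparison for the floating-point results. */
static int approx_eq(double a, double b, double tol)
{
    double d = a - b;
    if (d < 0) d = -d;
    return d <= tol;
}

/* p = (1 - 2^-64) / 2: the probability that a random attacking root ID is
 * better than the known root ID. The 2^-64 term lies far below double
 * precision, so the result evaluates to exactly 0.5. */
double root_change_prob(void)
{
    double two_pow_minus_64 = 1.0;
    for (int i = 0; i < 64; i++) two_pow_minus_64 /= 2.0;
    return (1.0 - two_pow_minus_64) / 2.0;
}

/* Equation 3.7: no attack, Z connected ports each delivering hello BPDUs
 * plus the switch's own hello process. */
double rho_normal(int z)
{
    return (z * LAMBDA_C + LAMBDA_C) / MU;
}

/* Equation 3.8: conventional STP; every one of the Z ports carries the
 * attacking rate lambda_a, of which a fraction p changes the root. */
double rho_conventional(int z, double lambda_a)
{
    return z * (root_change_prob() * lambda_a + LAMBDA_C) / MU;
}

/* Equation 3.9: tiered STP. shielded != 0 selects the first branch (the
 * switch sits above the attacked tier, or none of its ports faces an
 * attacked switch), which collapses to Equation 3.7. Otherwise only the Y
 * unblocked lower-tier ports carry attacking BPDUs. */
double rho_proposed(int z, int y, double lambda_a, int shielded)
{
    if (shielded)
        return rho_normal(z);
    return y * (root_change_prob() * lambda_a + LAMBDA_C) / MU;
}

/* Factor by which a shielded switch's utilisation drops versus conventional STP. */
double improvement_factor(int z, double lambda_a)
{
    return rho_conventional(z, lambda_a) / rho_proposed(z, z, lambda_a, 1);
}

int main(void)
{
    const double rates[] = { 1.0, 100.0, 10000.0 };   /* constructed lambda_a values */
    for (int i = 0; i < 3; i++)
        printf("lambda_a=%8.1f  conventional=%.3e  tiered(shielded)=%.3e  gain=%.1fx\n",
               rates[i], rho_conventional(3, rates[i]),
               rho_proposed(3, 3, rates[i], 1), improvement_factor(3, rates[i]));
    return 0;
}
```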

3.4.2.2 Flood of topology change notification BPDUs and flood of configuration message BPDUs with TC flag on

To study the “flood of Topology Change Notification BPDUs” attack (and the “flood of Configuration Message BPDUs with TC flag on” attack discussed in the next section), a slightly modified model as shown in Figure 3.10 is used. In this model, a stable spanning tree is assumed to have been formed in the network.

Let $\omega_{i,j,k}$ be the arrival rate of topology change notification BPDUs (TCN) received at the $k$-th port of $SW_{i,j}$. In each input queue, a TCN decision process is introduced in our proposed method to control the rate of receiving topology change notification BPDUs. A limited rate, $\xi$, is set in this process. If $\omega_{i,j,k} > \xi$, the extra frames will be dropped. Note that this TCN decision process is not found in conventional STP. Let $\omega_{i,j}$ be the arrival rate of the TCN to the BPDU queue, with

$$\omega_{i,j} = \sum_{k=1}^{Z_{i,j}} \omega_{i,j,k}.$$

Let $\omega_c$ be the rate of TCN generation by $SW_{i,j}$ itself. Let $\omega_a$ be the rate of attacking TCNs generated. According to the principle of TCN operation, when a switch needs to signal a topology change, it starts to send TCNs on its root port. Let the $h$-th port be the root port of $SW_{i,j}$, and $\beta_{i,j,h} = \omega_{i,j} + \omega_c$. For other ports $k \ne h$, $\beta_{i,j,k} = 0$. Also let switch $SW_{f,g}$ be the switch being attacked.

When the network running conventional spanning tree protocol is under a flood of topology change attack,



$\rho_{i,j} =$ …….(Equation 3.10)

Figure 3.10 Model of Switch $SW_{i,j}$ in DoS Evaluation of Flood of Topology Change Notification BPDUs and Flood of Configuration Message BPDUs with TC Flag on.

Similarly, the $\rho_{i,j}$ when our proposed method is used can also be obtained. Because all the BPDUs claiming root from the lower tiers are blocked, we have

$$\rho_{i,j} = \begin{cases} \dfrac{\omega_a + \omega_{i,j} + \omega_c}{\mu} & \text{if } SW_{i,j} \text{ is on the route of switches from } SW_{f,g} \text{ to the root of the network} \\[1ex] \dfrac{\omega_{i,j} + \omega_c}{\mu} & \text{otherwise} \end{cases} \qquad \text{(Equation 3.11)}$$

Figure 3.11 shows the numerical results when the network shown in Figure 3.7 is studied. We assume $SW_{1,1}$ is the root and $SW_{2,1}$ is the directly attacked switch. We also assume $\omega_c = 10^{-5}$ and $\mu = 100000$.

As shown, the CPU utilization of switches in tier 1 when the modified STP is used is smaller than that under conventional STP by more than 8 orders of magnitude under most of the attacking rates. $\rho$ stays at a very low value, which shows that the effect of the attack does not spread to the higher tier along the route from the attacker to the root.

3.4.2.3 Flood of Configuration Message BPDUs with TC Flag on


The same model as shown in Figure 3.10 can be used to study this type of DoS attack. Here let $\omega_{i,j,k}$ be the arrival rate of configuration message BPDUs with the TC flag (TC) on received at the $k$-th port of $SW_{i,j}$. When the network running conventional spanning tree protocol is under a flood of configuration message BPDUs with TC flag attack,

$$\rho_{i,j} = \begin{cases} \dfrac{\omega_a + \omega_{i,j}}{\mu} & \text{if } SW_{i,j} \text{ is on the route of switches from } SW_{f,g} \text{ to the root of the network} \\[1ex] \dfrac{\omega_{i,j}}{\mu} & \text{otherwise} \end{cases} \qquad \text{(Equation 3.12)}$$

Figure 3.11 Utilization of switches in DoS evaluation of Flood of Topology Change Notification BPDUs.

Figure 3.12 Utilization of switches in DoS evaluation of Flood of Configuration Message BPDUs with TC Flag on.

Similarly, $\rho_{i,j}$ when our proposed method is used can be obtained as:

$$\rho_{i,j} = \begin{cases} \dfrac{\omega_a + \omega_{i,j}}{\mu} & \text{if } SW_{i,j} \text{ is on the route of switches from } SW_{f,g} \text{ to the root of the network and } i > g \\[1ex] \dfrac{\omega_{i,j}}{\mu} & \text{otherwise} \end{cases} \qquad \text{(Equation 3.13)}$$

Figure 3.12 shows the numerical results when the network shown in Figure 3.7 is studied. We assume $SW_{1,1}$ is the root and $SW_{2,1}$ is attacked directly. We also assume $\omega_c = 10^{-5}$ and $\mu = 100000$. Similar observations as in Figure 3.11 can be made in this figure.

3.5 Chapter Conclusion


We have presented a secure spanning tree protocol that partitions the network into several tiers. This protocol works well because it is designed to address the fundamental pitfalls of conventional STP. Based on the implementation we can show that the new protocol is workable. Based on the results of the performance evaluation we can conclude that the new protocol can significantly enhance the security of a STP network. Further research includes extending the proposed protocol to other network settings, such as metropolitan Ethernet networks.

Chapter 4

The Development of Novel Switching Devices Using Embedded Microprocessing System Running Linux

Chapter Summary - This chapter discusses the development of novel switching devices using embedded microprocessing systems. It first reviews basic Ethernet switch operations and the Spanning Tree Protocol (STP). It then gives a brief analysis of the Linux STP implementation and bridge configuration tools. The aim of the analysis is to lay a foundation for the later discussion on how novel switching devices can be developed based on the bridging code. To facilitate the discussion, a new kind of Ethernet switch (with modified STP operations) proposed by the authors is used as an example. This practical example demonstrates how kernel programming on Linux and some modifications to the configuration tools can be used to develop new switching devices. Experiments on the newly developed switches are also reported. The results show that these new switches can provide better security for STP networks. At the end of the chapter, a discussion on how to port the design to embedded microprocessing systems is also given.

4.1 Review of Linux Bridge


As a popular open source platform, Linux is widely used as the operating system for the implementation of university projects. Additionally, hardware with microprocessors running Linux is also designed by many manufacturers. For example, the Linksys broadband router with a Linux-based OS is well accepted by the market. Research on the performance evaluation of the Linux bridge is also reported in [Yu04]. The result shows that the performance of the Linux bridge is comparable to that of a commercial Ethernet switch (Catalyst 2950) on a single-port basis, when the Linux CPU occupancy is below 56%. All these show the competitive power of Linux.

However, the lack of documentation and the difficulty of understanding the source code of Linux internals obstruct the progress of research based on Linux. This is particularly true for network research. There are not many books that discuss Linux network internals (e.g. [WRB05]). Discussion on how Linux network code can be used in research projects is also rare in the literature. This motivates the writing of this chapter: a chapter that clearly shows how Linux networking code can be used to develop novel devices running on embedded microprocessing systems.

A bridge or switch is a device that operates at the data link layer. It connects two or more Ethernet segments together in a protocol-independent way. Frames are forwarded based on Ethernet addresses, rather than IP addresses. A bridge reads the source MAC address of each received frame and records the port on which the MAC address was received. This process is called learning, in which the bridge learns which addresses belong to the devices connected to each port. This forwarding information is stored in a Content Addressable Memory (CAM) table. To keep the entries in the table up to date, each entry has a time stamp. When the activity time of an entry expires, the entry is deleted. This activity time is updated each time the bridge receives a frame with the same MAC address it had previously learned. If a frame with a previously unknown source address arrives, the bridge adds it to the forwarding table and the activity time is initialized. The main purpose of the bridge is to forward data frames to the appropriate segments of a LAN. If a frame is received with an address that can be found in the forwarding table, the bridge sends this frame out of the port associated with the address. Otherwise, the bridge copies this frame and floods it to all interfaces except the one on which the frame was received.

Transparent bridging represents an easy way to merge LANs, but it can be used

only on loop-free topologies. If a topology consists of one or more loops, a problem

called broadcast storm will appear. This problem will immediately bring a network

down. The algorithm used by bridges to find the loop-free topology is Spanning Tree

Protocol (STP). STP is defined by the 802.1D standard [IEEE].

When STP is running, bridges are identified by a unique bridge id. A special type of frame called Bridge Protocol Data Units (BPDU) is then exchanged by the bridges. With the exchange of BPDUs, the bridges complete the following tasks:

• Elect a single bridge with the lowest bridge id in the LANs to be the root bridge.

• Calculate the shortest path from other bridges to the root bridge.

• Elect a designated bridge for each segment, which is the bridge in that segment having the lowest root path cost to the root bridge. The designated bridge will forward frames from that segment toward the root bridge.

• For each bridge, choose a root port that has the shortest path to the root bridge.

• Select the ports to be included in the spanning tree, and block other ports to prevent loops.

4.2 STP implementation in Linux


The bridge function discussed above has been implemented in Linux kernel.

Usually the source code of bridge module can be found under the directory of

root/net/bridge. In the following we only discuss the implementation of STP in Linux.

For further details on how bridge is implemented in Linux, please refer to reference

[Ben05].

4.2.1 Spanning Tree Protocol implementation


When STP is enabled on the bridge, BPDUs are generated. BPDUs are also accepted on any enabled port. Figure 4.1 shows the key routines in processing BPDUs. br_stp_bpdu.c and br_stp.c are the two main C files that implement the operations of STP. br_stp_bpdu.c takes care of BPDUs received from br_input.c and sends the updated config BPDUs or Topology Change Notification BPDUs to the hardware via dev.c. On the other hand, br_stp.c generates BPDUs according to the STP algorithm. Due to limited space, we only discuss some main functions of STP. The details about root selection or port selection can be found in [WRB05].

[Figure 4.1 flow: br_stp_handle_bpdu in br_stp_bpdu.c (argument net_bridge_port *p) → br_received_config_bpdu / br_received_tcn_bpdu → br_reply, br_config_bpdu_generation, br_topology_change_acknowledge → br_transmit_config in br_stp.c → br_send_bpdu in br_stp_bpdu.c → dev_queue_xmit in dev.c]

Figure 4.1 Flow of STP operations

br_stp_handle_bpdu:

This function checks whether the header of an inbound frame matches STP. If not, the frame is dropped. If the frame is a configuration message BPDU, it fills an array with the information (except the header). Then it calls br_received_config_bpdu. If the frame is a TCN BPDU, br_received_tcn_bpdu is invoked instead.

br_received_config_bpdu:

This function checks whether the bridge itself is the root bridge or not. When a new configuration message is better than the current information (a result of calling br_supersedes_port_info), then the following things happen:

First, the invocation of br_record_config_information causes the data of the configuration BPDU to be written to the net_bridge_port structure. Next, it selects the root ports and designated ports. This action could cause the information structures of the bridge and its ports to change. Subsequently, the state of each port is determined. The hello timer is stopped, as the bridge was the root bridge before the new information was stored. If a change to the topology is discovered in addition, then the topology_change_timer is stopped, the TCN timer is started, and a topology-change message is sent (br_transmit_tcn).

If the input port was marked as the root port, then the timeout values of the configuration message BPDU are added to the net_bridge structure and a configuration message BPDU is generated by br_config_bpdu_generation. In addition, the function br_topology_change_acknowledged is invoked if the topology_change_ack flag was set in the configuration message BPDU.

In contrast, if nothing changes in response to the configuration message BPDU, then br_reply is invoked, provided that the input port is the designated port. This means that a configuration message with locally stored values is sent.

br_config_bpdu_generation:

The BPDU generated depends on the STP algorithm.

br_root_selection

will be called if the received BPDU has a lower bridge_id than the current root id.

br_designated_port_selection

will be called if the BPDU arriving on this port is better than the BPDU stored in the net_bridge_port structure.

br_reply

It calls br_transmit_config.

br_transmit_config

The corresponding values are filled in new BPDU from the net_bridge structure,

then the br_send_config_bpdu is invoked and the hold timer is started.

br_received_tcn_bpdu:

If the port that received the BPDU is a designated port, then the function br_topology_change_detection is invoked. br_topology_change_acknowledge is used to send a configuration message with the topology_change_ack field set over the input port.

br_topology_change_detection:

If the bridge is the root of the tree topology, then the topology_change field in the net_bridge structure is set to one, and the topology_change timer is started. Unless the topology change has already been detected, all other bridges use the br_transmit_tcn function to send a TCN BPDU over their root ports and start their TCN timers. Finally, it is marked that the topology change was detected, to limit the number of TCN BPDUs announcing the same topology change.

br_topology_change_acknowledged:

The marking for a topology change is reset, and the TCN timer is stopped. This

function is invoked by br_received_config_bpdu, if the flag topology_change_ack is

set in incoming configuration message.

4.2.2 Brctl – bridge administration tools


Brctl is used to set up, maintain, and inspect the Ethernet bridge configuration in the Linux kernel. The implementation of brctl consists of three C files. The first one is brctl_cmd.c, which defines the syntax of the brctl commands. The second one is libbridge_if.c, which includes the functions to add or delete a bridge. The third one is libbridge_devif.c, which has functions to change the values of a bridge port, such as the path cost or the hello timer.

4.3 An Example Showing How Novel Switching Devices can be Developed Using Linux Bridging Code

Figure 4.2 Network partitioning by novel switching devices

The novel concept of partitioning a network infrastructure into a Network Infrastructure (NI) network and a Non-Network Infrastructure (NNI) network was first proposed in [Yeu05]. The purpose of the partitioning is to protect the network infrastructure from being attacked by the computers that are connected to the lower tier network. As shown in Figure 4.2, a STP network is partitioned into two switched networks. New boundary switches [YFL06] running modified STP operations are designed and used to connect the two networks together. These boundary switches also run STP, and cooperate with the switches in both the NI and NNI networks to prevent loops in the whole NI and NNI network. However, the boundary switches perform additional functions compared with ordinary switches. First, they make the switches in the NNI network unaware of the STP details of the NI network. The details include STP information like root ID and costs, and topology changes in the NI network. Second, they make the NI network unaffected by topology changes in the NNI network. Note that with such boundary switches, the NI network can be protected from STP attacks that are launched from the NNI network. On the other hand, new switches can freely be added to both networks. This follows the design spirit of STP.

In each boundary switch, there are two kinds of ports: NI ports that connect to the NI network, and NNI ports that connect to the NNI network. There is only one root for both networks, and it is always located inside the NI network. BPDU messages will be sent from the root and eventually received by the NI ports of each boundary switch. At the NI side, the boundary switch behaves exactly like an ordinary switch. At the NNI side, however, a modification to the STP operation is made. When BPDU messages are received from the NI ports and are ready to be passed to the NNI ports, the boundary switch performs two modifications on the BPDU messages: 1) the root ID is changed to a constant value called Pseudo_root ID (the value of Pseudo_root ID can be any value in the range: root ID < Pseudo_root ID < minimum ID value of the switches in the NNI network. The Pseudo_root ID value, however, must be the same for all boundary switches); and 2) the root path cost is reset to another constant value called Pseudo_root_path_cost. Note that in doing this, the boundary switches give a consistent but virtual view to the switches in the NNI network that the root of the STP network has a root ID of Pseudo_root ID and the path cost from the boundary switches to the root is Pseudo_root_path_cost. To prevent the STP operation of the NI network from being affected by the NNI network, the boundary switches will only accept switches with an ID worse than Pseudo_root ID being connected to the NNI ports. When BPDUs with invalid root IDs (i.e. smaller than Pseudo_root ID) are received by the boundary switches on the NNI ports, those ports will be blocked. Note that all the switches in the NI network should also be set with an ID lower than Pseudo_root ID. The real root will then always be elected from the NI network, and never from the NNI network.

In the following, we discuss how the boundary switches discussed above can be implemented by modifying the bridging code. However, it is out of the scope of this chapter to discuss why network partitioning with boundary switches can protect the NI. Readers are referred to [6] for a detailed discussion of the design with complete experimental results.

4.3.1 Steps to Customize the Bridging Code


To implement the boundary switches discussed above, we need Linux computers having two or more Ethernet interfaces. Then, the following steps should be followed to customize the bridging code. We will use the Redhat distribution with kernel version 2.6.10 as an example.

step 1. download and install the kernel source.

rpm -ivh kernel-2.6.10.9src.rpm

rpmbuild -bp --target=i686 /usr/src/redhat/SPECS/kernel-2.6.10.spec

After that the kernel source is located in /usr/src/redhat/BUILD/kernel-2.6.10/linux. We make a soft link so that future references to the path can be made easier.

ln -s /usr/src/redhat/BUILD/kernel-2.6.10/linux /root/dir-linux

step 2. configure the kernel and make a first compilation. This step is to make sure that the downloaded kernel source can be configured and compiled with no problem.

cd /root/dir-linux

make xconfig

make

make modules_install

step 3. add your own code (see section 4.3.2 below)

step 4. compile and install the new bridge module

cd /root/dir-linux

make

install bridge.ko /lib/modules/kernel/net/

modprobe bridge

step 5. test the new code (see section 4.3.3 below)

4.3.2 Change to the Bridging Code


To implement the new switches discussed above, we need to make four modifications on the bridging code. Firstly, a new field kind, which could be 0 or 1 (0 stands for NI port and 1 stands for NNI port), is added to the struct net_bridge_port. The structure can be found in br.c.

Secondly, we need to make the bridge handle the incoming BPDUs properly. The main operation is in the function br_stp_handle_bpdu as shown in Listing 4.1. In the process of receiving BPDUs, buf[0] is checked first (Listing 4.1-1).

Listing 4.1 Part of listing of linux/net/br_stp_bpdu.c

If its value is BPDU_TYPE_CONFIG (that means it is only a configuration BPDU without any topology change information), then the kind of the port is checked. If the BPDU comes from an NI port, or it comes from an NNI port and its root_id is larger than 0x2710, all the operations are the same as in the original code (Listing 4.1-2). If the BPDU comes from an NNI port and its root_id is smaller than 0x2710, this port is blocked (Listing 4.1-3). If the value of buf[0] is BPDU_TYPE_TCN, which means some topology change has occurred, the port kind and root_id are checked too. Only if the BPDU comes from an NI port, or comes from an NNI port and the root_id is larger than 0x2710, is the BPDU received (Listing 4.1-4).

Thirdly, modifications must be made to the BPDUs being sent out of NNI ports. This is done in the function br_transmit_config as shown in Listing 4.2. According to Listing 4.1, br_transmit_config is the last procedure before BPDUs are sent. In the process of transmitting BPDUs, if a BPDU is sent through an NNI port, the bridge_prio of its root_id is changed to 0x2710, bridge_add is changed to the bridge's own bridge address, and the path cost is set to 0 (this bridge is not a root bridge in the LAN by configuration; see Listing 4.2-1). If the BPDU is sent through an NI port, all the operations are the same as in the original code (Listing 4.2-2).
62

Listing 4.2 Part of listing of linux/net/bridge/br_stp.c

At last, a new command called set_port_kind should be defined in the brctl program. The syntax of the new command should conform to that of the existing commands (e.g. set_port_prio). The change is done in libbridge_devif.c and brctl_cmd.c. Listing 4.3 and Listing 4.4 show how to create a new command in brctl.

Listing 4.3 Part of listing of brctl/libbridge/libbridge_devif.c

Listing 4.4 Part of listing of brctl/brctl/brctl_cmd.c
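The boundary-switch behaviour described in sections 4.3 and 4.3.2 (the receive-side check added to br_stp_handle_bpdu, the rewrite in br_transmit_config, and the Pseudo_root ID placement rule), as an added user-space C model that is not the thesis's kernel patch; the struct layouts, function names and the TCN handling (checking the root ID the port currently records, since a TCN frame carries none) are assumptions made here, while the 0x2710 priority and the NI/NNI port kinds come from the text.

```c
/* Added example, not the thesis's kernel code: user-space model of the
 * boundary-switch changes. Struct layouts and function names are invented;
 * the pseudo-root priority 0x2710 and the port kinds come from the text. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PORT_KIND_NI  0            /* port faces the NI network  */
#define PORT_KIND_NNI 1            /* port faces the NNI network */
#define PSEUDO_ROOT_PRIO 0x2710    /* Pseudo_root ID priority, from the text */
#define PSEUDO_ROOT_PATH_COST 0    /* cost advertised towards the NNI */
#define BPDU_TYPE_CONFIG 0x00
#define BPDU_TYPE_TCN    0x80

struct bridge_id {
    uint16_t prio;        /* bridge priority (bridge_prio) */
    uint8_t  addr[6];     /* bridge MAC address */
};
struct config_bpdu {
    struct bridge_id root_id;
    uint32_t root_path_cost;
    struct bridge_id bridge_id;
};
struct port {
    int kind;             /* the new net_bridge_port field: NI or NNI */
    int blocked;          /* 1 once the port has been put into blocking */
};
struct bridge {
    struct bridge_id   own_id;
    struct config_bpdu best;   /* root information the bridge currently holds */
};
enum rx_action { RX_PROCESS, RX_BLOCK_PORT, RX_DROP };

/* Receive-side check added to br_stp_handle_bpdu. NI ports run stock STP.
 * On an NNI port the root_id must be worse (numerically larger) than the
 * pseudo root; a better one can only originate on the NNI side, so a CONFIG
 * BPDU blocks the port and a TCN is not received. For a TCN the caller passes
 * the root ID recorded on the port (assumption: the TCN frame carries none). */
enum rx_action boundary_rx(struct port *p, uint8_t bpdu_type,
                           const struct bridge_id *root_id)
{
    if (p->kind == PORT_KIND_NI || root_id->prio > PSEUDO_ROOT_PRIO)
        return RX_PROCESS;
    if (bpdu_type == BPDU_TYPE_CONFIG) {
        p->blocked = 1;
        return RX_BLOCK_PORT;
    }
    return RX_DROP;
}

/* Transmit-side rewrite in br_transmit_config: a BPDU leaving through an
 * NNI port presents the pseudo root (constant priority, this bridge's own
 * address, constant path cost) instead of the real NI root. */
void boundary_tx(const struct bridge *br, const struct port *p,
                 struct config_bpdu *out)
{
    *out = br->best;
    out->bridge_id = br->own_id;
    if (p->kind == PORT_KIND_NNI) {
        out->root_id.prio = PSEUDO_ROOT_PRIO;
        memcpy(out->root_id.addr, br->own_id.addr, sizeof(out->root_id.addr));
        out->root_path_cost = PSEUDO_ROOT_PATH_COST;
    }
}

/* Placement rule from the text: every NI switch ID below the pseudo root and
 * every NNI switch ID above it, so the real root is always elected in the NI.
 * Returns 1 when the configuration satisfies the rule. */
int pseudo_root_placement_ok(const struct bridge_id *ni, int n_ni,
                             const struct bridge_id *nni, int n_nni)
{
    for (int i = 0; i < n_ni; i++)
        if (ni[i].prio >= PSEUDO_ROOT_PRIO) return 0;
    for (int i = 0; i < n_nni; i++)
        if (nni[i].prio <= PSEUDO_ROOT_PRIO) return 0;
    return 1;
}

int main(void)
{
    /* Constructed scenario mirroring Experiment A: an NNI switch advertises
     * a root better than the pseudo root on the boundary switch's NNI port. */
    struct bridge br = { .own_id = { 0x8000, {0x00,0x11,0x22,0x33,0x44,0x55} } };
    struct port nni = { PORT_KIND_NNI, 0 };
    struct bridge_id claim = { 0x1000, {0x00,0x01,0x02,0x03,0x04,0x05} };
    struct config_bpdu out;
    br.best.root_id = (struct bridge_id){ 0x1000, {0x00,0xaa,0xbb,0xcc,0xdd,0xee} };
    br.best.root_path_cost = 19;
    printf("NNI claim prio 0x%04x: %s\n", claim.prio,
           boundary_rx(&nni, BPDU_TYPE_CONFIG, &claim) == RX_BLOCK_PORT
               ? "port blocked" : "processed");
    boundary_tx(&br, &nni, &out);
    printf("towards NNI: root prio 0x%04x, cost %u\n",
           out.root_id.prio, (unsigned)out.root_path_cost);
    return 0;
}
```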

4.3.3 Testing the Modified Codes


To test the modified codes, we first check whether the boundary switches work

properly in a STP network. After that, we run two experiments to verify the modified

STP operations.

Experiment A is run to prove that when the boundary bridge receives, from the NNI network, a BPDU that carries a root_id lower than the Pseudo_root ID, the receiving port will be blocked.

This can be done by setting up four bridges as shown in Figure 4.3. As shown,

bridge 1b works as a boundary to separate NI network and NNI network. Bridge 1a

has been set as root with lowest bridge_id in the whole network. Then we change the

bridge priority of bridge 1d. In the original STP process, bridge 1d should be elected

as new root. But this is not the case in our experiment because bridge 1b has been

configured as a new boundary bridge.

Figure 4.3 Set up the Experiment

As shown in Figure 4.4, bridge 1b successfully protects the NI by blocking the two ports connected to the NNI network. It is also observed that the root of the NI does not change (eth3 is blocked because bridge 1d generates BPDUs with a lower root_id; eth0 is blocked because bridge 1c receives the new BPDU with the lower root_id from bridge 1d, and then updates its BPDUs and sends them to bridge 1b).

Figure 4.4 Result of the Experiment A

Figure 4.5 Set up of Experiment B.

Experiment B is carried out to prove that when the topology changes in the NI network, the bridges in the NNI network will not detect any change. Four bridges are used in this experiment. As shown in Figure 4.5, bridge 2c (a Linksys wrt54g broadband router, see section 4.4 below) works as a boundary switch to separate the NI network and the NNI network. Bridge 2a has been set as root with the lowest bridge_id in the whole network. After that the bridge_prio of bridge 2b is changed to make that bridge become the new root of the NI. The change, however, is not noticed by bridge 2d in the NNI network. The result observed is that the root_id recognized by bridge 2d is still the bridge id of the boundary switch (bridge 2c’s bridge id) instead of the updated root_id of bridge 2b.

4.4 Porting the Design to an Embedded Microprocessing System
The beauty of using Linux as a research and development platform is that the design can easily be ported to embedded microprocessing systems. In the process of porting the design, we first have to select the desired platform. There are many single board computers on the market that support Linux. Routerboard™ [WRB] is a family of products that are mainly targeted at networking projects. Besides single board computers, commercial broadband routers from vendors like Asus and Linksys are also very suitable for developing networking devices. The reason is that broadband routers usually have the multiple network interfaces that are needed in networking products. In the project discussed in this chapter, we have used the Linksys wrt54g as an example to illustrate how to port a design to a microprocessing system.

The Linksys wrt54g is a commonly used product based on the Linux kernel. In our project, version 4 of the wrt54g is used. The platform of this router is a BCM5352 @ 200MHz with 4MB flash and 16MB RAM. The BCM5352 supports 802.1Q VLAN, which allows flexible implementation of VLAN grouping and WAN port segregation. Note that starting from version 5.0, the wrt54g runs a non-Linux OS, VxWorks, which uses proprietary source code instead of open source.

To use the code discussed in section 4.3 on a wrt54g broadband router, we first need to select a suitable Linux image. HyperWrt is the first option [WHW]. More functions are added to the broadband router when HyperWrt is run, and it has a nice graphical web interface which is similar to the official one. But it is not easy for developers to make modifications to HyperWrt. The main reason is that HyperWrt is based on the Linksys source code, and only limited information about that code is provided by Linksys. DD-WRT is the second option [WDW]. It is really good at enhancing wireless communication, with features such as wireless bridging and advanced QoS controls for bandwidth allocation. Since wireless development is not the focus of this project, DD-WRT is also not suitable for us. The one we choose is OpenWrt [WOW]. It provides a useful tool, OpenWrt Buildroot, for developers to build a new firmware. The usage and compilation of OpenWrt can be found on its official website. The most difficult part of changing the code in the OpenWrt source tree is to find all the dependencies. Sometimes a header file is duplicated in several places, and we need to modify every copy of the header file to make sure the compilation succeeds.

Due to a hardware limitation, the 4 LAN ports of the wrt54g have to be configured as the same port kind, i.e. either NI or NNI. Usually they are set as NNI ports and the WAN port of the router is set as the NI port. We have successfully modified the bridging code of a wrt54g router and tested it in a STP network. We verified its STP operations and made it function as a boundary switch. More experimental results on the modified wrt54g can be found in [YFL06]. The results show that it really helps to protect the NI from all kinds of STP attacks.

4.5 Chapter Conclusion


As reported in [Mar03], a Linux bridge has high performance, comparable to a Cisco Catalyst 2950 switch. So it is promising and valuable to use the Linux bridge to support research work on new networking devices. We have shown in this chapter how this can be done in practice by using a novel kind of Ethernet switch as an example. These switches on the one hand participate in the STP operations of a Layer 2 network. On the other hand they partition the network into two tiers so as to protect the higher tier network infrastructure. As shown by the results, the Linux bridging code can be used effectively to support such research work. The authors of this chapter hope that the chapter can give useful information for future research and development work on new networking devices.

Chapter 5

Investigating DDoS Attacks in the Internet with Congested Links

Chapter Summary - In this chapter, we investigate DDoS attacks in the Internet with congested links. Links with finite buffers, and attacked nodes that are kept in the network rather than removed, are used to model a router under DDoS attack. The results show that the robustness of networks depends more on the number of attackers than on the degree of the victim.

5.1 Chapter Introduction

In recent years, complex network models have been shown to closely resemble many real networks, such as the Internet, the World Wide Web, social connections and the electrical power grid [AJB99, WS98, BA99]. Many researchers have applied complex-network techniques to study various problems, including network structure [FLM01, ZM04, PLW02], spreading dynamics [VVB02, DW04, Zan02] and cascading reactions [ZX04, GKK01].

Distributed Denial of Service (DDoS) attack [MP04] is one of the unsolved security problems of computer networks. The dynamic behaviour of computer networks under DDoS attack is also not well studied. Although some complex-network studies address the robustness of complex networks [HK02], how a DDoS attack affects congestion has still not been investigated. It is the purpose of this chapter to investigate this dynamic behaviour. Unlike previous studies on attacks against complex networks, this chapter does not assume that attacked nodes are removed (as in [GCABH05, CEAH00, XXC08]). This is because an attacked node usually does not break down, even under heavy congestion.

In previous studies, researchers usually model the Internet with nodes that have infinite buffers and links without buffers. Congestion is then observed as the number of nodes whose buffers hold a certain queue length. However, in real routing nodes (see [SWM07]), congestion happens on the links, and the buffer size of each link is finite due to physical constraints. To better reflect the real situation, nodes with finite link buffers (of size L) are used to study how a DDoS attack affects the performance of a network. All simulations discussed in the following sections are presented for L=5. Other choices of L do not change the qualitative behaviour of the results shown below, because Rc, the maximum packet generation rate (denoted by R) that guarantees no congestion occurs, increases accordingly when L is increased.

5.2 BA Model with Congested Links

It has been proposed that the Internet at the AS level behaves in a way similar to a Barabási-Albert (BA) scale-free network [AJB00]. Here we use the BA scale-free network model to build the topology for the simulation. This model reproduces the inhomogeneous connectivity distribution of many real networks, as it has two elements common to real networks: growth and preferential attachment [BA99]. The network begins with m0 nodes. New nodes are added to the network one at a time. Each new node is connected to m of the existing nodes, choosing existing node i with a probability p_i proportional to the number of links that node already has, p_i = k_i / Σ_j k_j, where k_i is the degree of node i. Heavily linked nodes ("hubs") tend to accumulate even more links quickly, while nodes with only a few links are unlikely to be chosen as the destination of a new link. The new nodes have a "preference" to attach themselves to the already heavily linked nodes. In the present network, the total network size N is 1000 and the parameters are set to m0 = m = 3. The degree distribution P(k) of the generated BA network follows a power law P(k) ~ k^(-γ) with exponent γ = 3 in the large-degree limit.

Each node in the present network plays the roles of both host and router at the same time. The connection between nodes is full duplex, i.e. two links (one in each direction) exist between any pair of connected nodes. Since each link has a finite buffer, we define a link as congested if its buffer is fully occupied by packets. The normal background traffic in the network is implemented by a discrete-time parallel update algorithm. At each time step, the probability that node i generates a packet is R. The destination of a generated packet is chosen uniformly at random from the other N-1 nodes in the network. Each newly inserted packet is placed at the end of the queue of the link towards the destination. If the buffer of this link is full, the packet is discarded, i.e. no new packet is generated on that node. The packets in a link buffer are transmitted first come, first served. We assume that all links have the same bandwidth: one packet is sent per time step. All packets are routed along shortest paths. It has been found that almost 90% of packets are transmitted along the shortest path from source to destination in the Internet [KFY03].

Besides the background traffic flow, a DDoS attack is modelled on the network. Natt nodes are chosen at random as attackers of a single victim. The selection of the victim is discussed in detail in the next section. When a node is attacked, we neither remove the node nor any of its links from the network; its links are simply left congested. This differs from the traditional approach in complex-network studies, but it is more suitable for a real network: when a router is under attack, it is not removed.

5.3 Results and Discussion on DDoS Attacks

For the network described in Section 5.2, we seek the relation between the number of congested links and the number of attack nodes, denoted Natt, over a certain period of time. The number of congested links measures, to some extent, the congestion of the network, while the number of attack nodes represents the severity of the attack. The number of congested links is calculated from global information on the links connecting all pairs of nodes. The natural expectation is that the more attack nodes the network has, the faster the network congests.
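The model of Section 5.2 and the congested-link count used in this section, as an added worked example in Python (code written for this page, not the thesis's own simulator, of which no code is given). Three details the text leaves open are fixed here as labelled assumptions: the m0 initial nodes form a clique, each attacker injects one packet addressed to the victim per time step, and a packet in transit that meets a full downstream buffer is dropped. The default scale is reduced from N=1000 so a run finishes quickly; the parameters of Figure 5.1 (n=1000, m=3, L=5, R=0.005) can be passed directly.

```python
"""Added example: BA scale-free network with finite link buffers under a
DDoS attack, reporting the number of congested (full) links per time step.
Written for this page; it is not the thesis's own simulator."""
import random
from collections import deque


def build_ba_network(n, m, rng):
    """Barabási-Albert growth with preferential attachment and m0 = m.
    Assumption: the m0 initial nodes form a clique (needs m >= 2).
    Returns adjacency sets; the network is connected by construction."""
    adj = [set() for _ in range(n)]
    for i in range(m):
        for j in range(i + 1, m):
            adj[i].add(j)
            adj[j].add(i)
    # 'targets' lists node i once per link it owns, so a uniform draw from it
    # picks i with probability p_i = k_i / sum_j k_j.
    targets = [i for i in range(m) for _ in range(len(adj[i]))]
    for new in range(m, n):
        chosen = set()
        while len(chosen) < m:              # m distinct existing nodes
            chosen.add(rng.choice(targets))
        for old in chosen:
            adj[new].add(old)
            adj[old].add(new)
            targets.extend((new, old))
    return adj


def degree_sequence(n, m, seed=1):
    """Sorted degrees of a generated network (sanity check: min degree = m)."""
    return sorted(len(a) for a in build_ba_network(n, m, random.Random(seed)))


def next_hop_table(adj):
    """Shortest-path routing: nh[u][d] is u's neighbour on a shortest path
    to d (lowest node id breaks ties), computed by one BFS per destination."""
    n = len(adj)
    nh = [[None] * n for _ in range(n)]
    for d in range(n):
        dist = [-1] * n
        dist[d] = 0
        frontier = deque([d])
        while frontier:
            u = frontier.popleft()
            for v in adj[u]:
                if dist[v] == -1:
                    dist[v] = dist[u] + 1
                    frontier.append(v)
        for u in range(n):
            if u != d:
                nh[u][d] = min(v for v in adj[u] if dist[v] == dist[u] - 1)
    return nh


def simulate(n=200, m=3, L=5, R=0.005, n_att=0, steps=300, seed=1,
             victim_degree=None):
    """Discrete-time parallel update of Section 5.2. Returns, for each time
    step, the number of directed links whose buffer holds L packets.
    victim_degree=None picks the victim at random; otherwise the node whose
    degree is closest to the requested value is the victim."""
    rng = random.Random(seed)
    adj = build_ba_network(n, m, rng)
    nh = next_hop_table(adj)
    degrees = [len(a) for a in adj]
    # full duplex: one buffered link per direction between connected nodes
    queues = {(u, v): deque() for u in range(n) for v in adj[u]}
    if victim_degree is None:
        victim = rng.randrange(n)
    else:
        victim = min(range(n), key=lambda i: abs(degrees[i] - victim_degree))
    attackers = rng.sample([i for i in range(n) if i != victim], n_att)

    def inject(src, dst):
        """Queue a packet (represented by its destination) on the link
        towards dst; a full buffer means the packet is discarded."""
        q = queues[(src, nh[src][dst])]
        if len(q) < L:
            q.append(dst)

    history = []
    for _ in range(steps):
        for node in range(n):                    # background traffic
            if rng.random() < R:
                dst = rng.randrange(n - 1)       # uniform over the other N-1
                if dst >= node:
                    dst += 1
                inject(node, dst)
        for a in attackers:                      # assumption: one packet/step
            inject(a, victim)
        # every link forwards its head-of-line packet in the same step
        moving = [(v, q.popleft()) for (u, v), q in queues.items() if q]
        for node, dst in moving:
            if node != dst:                      # not yet delivered
                inject(node, dst)
        history.append(sum(1 for q in queues.values() if len(q) == L))
    return history


if __name__ == "__main__":
    # Reduced-scale version of the Figure 5.1 experiment (N=200 instead of 1000)
    for n_att in (1, 3, 6, 10):
        s = simulate(n=200, n_att=n_att, steps=300, victim_degree=6)
        print(f"Natt={n_att:2d}: congested links at step 100 = {s[99]:3d}, "
              f"at step 300 = {s[-1]:3d}")
```

The congestion metric is the same one the chapter uses: a directed link counts as congested when its buffer holds exactly L packets. Because a link drains one packet per step, any link whose sustained arrival rate exceeds one packet per step fills up and stays full, which is why even a few attackers aimed at a low-degree victim congest the last hops quickly; with more attackers the congestion also spreads upstream to the links their paths share.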

First we set up an environment for the experiment. A scale-free network with 1000 nodes (N=1000) and average degree 6 is generated. In order to keep the network free of congestion without attack, the probability that a node generates a packet in each time step should not exceed 0.005 (R<=0.005). Here we use the maximum value R=0.005, while the victim nodes are chosen randomly. In Figure 5.1, we show eight typical time evolution series of the number of congested links under different numbers of attack nodes in this environment.

In Figure 5.1-a), we show the number of congested links versus the time step. The different lines indicate different numbers of attack nodes (Natt = 1,3,4,5,6,10,20,30). From Figure 5.1-a), we can see that all eight lines reach a similar congestion level after 500 time steps. It shows that a single attack node and multiple attack nodes have the same effect on the network. This finding indicates that DoS and DDoS attacks cause the same level of congestion in a network.

[Figure 5.1a)]

[Figure 5.1b)]

Figure 5.1 Time evolution of the congested links in the BA scale-free network of size N=1000 with m0 = m = 3, R=0.005, degree of victim 6, number of attackers Natt = 1, 3, 4, 5, 6, 10, 20 and 30. a) 3000 time steps, b) 500 time steps.

Although all eight lines are close in the later period of the experiment (after 500 time steps), we find an obvious difference among the lines in the first 200 time steps. So we focus on the data in the first 500 time steps (see Figure 5.1-b). The lines in Figure 5.1-b) can be categorised into two groups, Natt = 1,3,4,5 and Natt = 6,10,20,30. Within each group, the numbers of congested links are similar at the same time step. This indicates that there exists a threshold on the minimum number of attack nodes needed to attack the network successfully.

[Figure 5.2a)]

[Figure 5.2b)]

Figure 5.2 Time evolution of the congested links in the BA scale-free network of size N=1000 with m0 = m = 3, R=0.005, Natt = 10, degree of victim 3, 6, 24 and 124. a) 3000 time steps, b) 20 time steps.

To study the relation between the number of congested links and the degree of the victim node, we try four different victim degrees while keeping the scale-free network (with m = m0), the probability that a node generates a packet in each time step (R) and the number of attack nodes (Natt) unchanged. In Figure 5.2, the scale-free network shows similar behaviour in the number of congested links when victim nodes with four different degrees are attacked.

In Figure 5.2-a), we show the number of congested links versus the time step. The different lines show different degrees of the victim node (victim degree = 3,6,24,124). From Figure 5.2-a), we can see that all four lines reach a similar congestion level after 100 time steps. It shows that the trend of network congestion is similar whether the degree of the victim is high or low. It clearly shows that choosing the nodes with the highest degree is not an efficient way to attack the BA scale-free network.

Although all four lines are close in the later period of the experiment (after 100 time steps), at the beginning the number of congested links varies with the degree of the victim node. In the first 20 time steps, the lower the degree of the victim node, the larger the number of congested links. This result was contrary to our expectation. Victim nodes with high degree possess more links to the rest of the network and shorten the paths to the other nodes. When the 10 attackers generate packets to launch the attack, these packets reach a high-degree victim faster than a low-degree one. In other words, at the same time more packets have been removed from the network (delivered to the victim) and fewer packets are left in the network. Because of this different perspective, the result differs from that of a similar work [10], which focuses on the traffic sent from neighbours only.

5.4 Chapter Conclusion

In this chapter, the robustness of scale-free networks under DDoS attack is studied. From the simulation, it is found that the robustness of a network depends more on the number of attackers than on the degree of the victim. The scale-free network is vulnerable to DDoS attack because the number of congested links increases quickly once the attack is launched. Two new modelling choices, links with finite buffers and keeping the attacked node in the network, make the model of the router and of the DDoS attack more realistic. An interesting area for future study is a solution to reduce the damage of DDoS attacks.


Chapter 6

Conclusion and Future Research

Chapter Summary - This chapter summarises the thesis and presents future work arising from this research.

6.1 Summary

This thesis studies the STP security issue and investigates the impact of DDoS attacks on congestion in the network.

We introduce a new STP defence mechanism: the STP network partitioning approach. The essence of the approach is to hide the STP information of the higher tiers from the lower tiers, which are closer to the end users. Based on the idea of partitioning, we designed a new kind of Ethernet boundary switch. These switches, running the enhanced STP, are installed between the higher tiers and the lower tiers. They modify the STP information coming from the higher tiers and check the STP information coming from the lower tiers, so as to defend against all attacks launched from the lower tiers.

To implement the Ethernet boundary switches, we took advantage of the bridge implementation and bridge configuration tools in Linux. The Ethernet boundary switches based on the Linux system were tested in several experiments. These experiments were run to verify the design and to study the switches' performance. The experimental results show that the security of the STP network is enhanced. The implementation itself shows that the bridge modules in Linux can be a tool for studying switching networks.

After that, we analysed the security performance of the enhanced STP by modelling the switch operations theoretically. The results show that the enhanced STP reduces the number of affected switches under non-DoS STP attacks. Under DoS STP attacks, it reduces the CPU utilisation of switches in handling STP topology changes.

In the investigation of DDoS attacks, we focus on the network congestion caused by the attacks. A scale-free network was created to simulate the effect of congestion under DDoS attack. The results show that the scale-free network is vulnerable to DDoS attack and that the robustness of the scale-free network depends more on the number of attackers than on the degree of the victim node. The results imply that protecting or attacking the node with the highest degree may not be an efficient way to defend or to affect the whole network.


6.2 Future Research

Several directions for future research follow from the above work.

On the STP security issue:

As STP has developed into several variants, we may extend the modified STP from single STP to Rapid STP and Multiple STP. The modified STP may be used not only in wired local area networks but also in wireless networks or metropolitan area networks. Since no open-source implementations of Rapid and Multiple STP exist, we could implement these modules on the Linux system first. In the analysis of the modified STP, it is possible to investigate other performance metrics, such as convergence time. A short convergence time implies high efficiency in recovery. Further modification of STP could be done to reduce the convergence time.

On DDoS attacks:

We investigated congestion under DDoS attacks in the scale-free network. We may extend the method to other network models, such as the small-world network or the Heuristically Optimized Trade-offs (HOT) model. Besides investigating network performance under DDoS attacks, we may design algorithms to defend against DDoS attacks in complex networks. As current solutions are developed only for the computer network, we can test them in the complex network or design new solutions.

References

[AG02] A. Chakrabarti and G. Manimaran, “Secure Link State Routing Protocol,” Technical Report, Dept. ECpE, Iowa State University, 2002.

[AJB00] R. Albert, H. Jeong and A.-L. Barabási, “Error and attack tolerance of complex networks,” Nature, 406, Page(s): 378-382, 2000.

[AJB99] R. Albert, H. Jeong and A.-L. Barabási, “Internet: Diameter of the World-Wide Web,” Nature, 401, Page(s): 130-131, 1999.

[BA99] A.-L. Barabási and R. Albert, “Emergence of scaling in random networks,” Science, 286, Page(s): 509-512, 1999.

[Ben05] Christian Benvenuti, Understanding Linux Network Internals, O'Reilly, 2005.

[BSJ97] B. R. Smith, S. Murthy and J. J. Garcia-Luna-Aceves, “Securing Distance-Vector Routing Protocols,” Proc. SNDSS, Page(s): 85-92, Feb. 1997.

[CEAH00] R. Cohen, K. Erez, D. ben-Avraham and S. Havlin, “Resilience of the Internet to random breakdowns,” Physical Review Letters, 85, 4626, 2000.

[CISB] Cisco document, Spanning Tree PortFast BPDU Guard Enhancement, http://www.cisco.com/warp/public/473/65.html.

[CISG] Cisco document, Spanning Tree Protocol Root Guard Enhancement, http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a.

[CISL] Cisco document, Cisco Spanning-Tree Protocol Enhancements using Loop Guard and BPDU Skew Detection Features, http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml.

[CISR] Cisco document, Spanning Tree Protocol Root Guard Enhancement, http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml.

[CNP] Wayne Lewis, Cisco Networking Academy Program, CCNP 3: Multilayer Switching, Chapter 1, Cisco Press, 2005.

[DC07] J.-W. Dai and L.-F. Chiang, “Hierarchical wireless mobile MPLS mechanism using foreign tracking agent based on M/G/1 with capacity c queueing model,” IET Communications, Volume 1, Issue 5, Page(s): 903-908, Oct. 2007.

[DW04] P. S. Dodds and D. J. Watts, “Universal Behavior in a Generalized Model of Contagion,” Physical Review Letters, 92, 218701, 2004.

[EM06] I. Elhanany and B. Matthews, “On the performance of output queued cell switches with non-uniformly distributed bursty arrivals,” IEE Proceedings, Communications, Volume 153, Issue 2, Page(s): 201-204, April 2006.

[FH06] X. Fu and D. Hogrefe, “Modelling soft-state protocols with SDL,” IEE Proceedings, Communications, Volume 153, Issue 3, Page(s): 365-375, June 2006.

[FLM01] S. Fortunato, V. Latora and M. Marchiori, “Method to find community structures based on information centrality,” Physical Review Letters, 70, 056104, 2001.

[GCABH05] L. K. Gallos, R. Cohen, P. Argyrakis, A. Bunde and S. Havlin, “Stability and Topology of Scale-Free Networks under Attack and Defense Strategies,” Physical Review Letters, 94, 188701, 2005.

[GKK01] K.-I. Goh, B. Kahng and D. Kim, “Universal behavior of load distribution in scale-free networks,” Physical Review Letters, 87, 278701, 2001.

[GMa88] G. Malkin, “RIP Version 2,” RFC 2453, Nov. 1998; RFC 1058, June 1988.

[Gmm03] Guillermo Mario Marro, Attacks at the Data Link Layer, MSc thesis, University of California at Davis, 2003.

[HK02] P. Holme and B. J. Kim, “Vertex overload breakdown in evolving networks,” Physical Review E, 65, 056109, 2002.

[IEEE] IEEE Std 802.1D-1998, http://www.ieee802.org/1/pages/802.1D.html.

[JMo94] J. Moy, “OSPF Version 2,” RFC 1583, Mar. 1994.

[KFY03] D. Krioukov, K. Fall and X. Yang, “Compact routing on Internet-like graphs,” Tech. Report IRB-TR-03-010, Intel Research, 2003.

[LIN] http://www.linksys.com/

[MP04] J. Mirkovic and P. Reiher, “A taxonomy of DDoS attack and DDoS defense mechanisms,” ACM SIGCOMM Computer Communication Review, Vol. 34, No. 2, 2004.

[OMB06] Homeland Security, http://www.whitehouse.gov/omb/pdf/Homeland-06.pdf.

[PLW06] Z. F. Pan, X. Li and X. F. Wang, “Generalized local-world models for weighted networks,” Physical Review E, 73, 056109, 2006.

[SKB01] K. Segaric, P. Knezevic and B. Blaskovic, “An approach to build stable spanning tree topology,” EUROCON'2001, International Conference on Trends in Communications, Vol. 2, Page(s): 400-403, July 2001.

[SWM07] N. Stringfield, R. White and S. McKee, Cisco Express Forwarding, Cisco Press, Indianapolis, 2007.

[VVB02] D. Volchenkov, L. Volchenkova and Ph. Blanchard, “Epidemic spreading in a variety of scale free networks,” Physical Review E, 66, 046137, 2002.

[Wan99] F. Wang et al., “Intrusion Detection for Link State Routing Protocol through Integrated Network Management,” Proc. ICCCN, Page(s): 694-699, 1999.

[WDW] www.dd-wrt.com

[WHW] www.hyperwrt.org

[WOW] www.openwrt.org

[WRB] www.routerboard.com

[WRB05] Klaus Wehrle, Frank Pahlke, Hartmut Ritter, Daniel Müller and Marc Bechler, The Linux Networking Architecture, Prentice Hall, 2005.

[WS98] D. J. Watts and S. H. Strogatz, “Collective dynamics of 'small-world' networks,” Nature, 393, Page(s): 440-442, 1998.

[WX04] X. F. Wang and J. Xu, “Cascading failures in coupled map lattices,” Physical Review E, 70, 056113, 2004.

[XXC08] S. Xiao, G. Xiao and T. H. Cheng, “Tolerance of intentional attacks in complex communication networks,” IEEE Communications Magazine, Page(s): 146-152, January 2008.

[YER] http://yersinia.sourceforge.net/

[Yeu05] K. H. Yeung, “Building Secure Network Infrastructure,” IPSI Conference, Bled, Slovenia, December 2005.

[YFL06] K. H. Yeung, F. Yan and T. C. Leung, “Improving Network Infrastructure Security by Partitioning Networks Running Spanning Tree Protocol,” Proc. of International Conference on Internet Surveillance and Protection, Cap Esterel, Côte d'Azur, France, August 2006.

[YY07] F. Yan and K. H. Yeung, “Vehicular Networks: the Network on the Way,” Proceedings of Global Information Infrastructure Symposium, International Workshop on ITS for Ubiquitous Roads, 2007.

[YL06] K. H. Yeung and T. C. Leung, “Building Secure Network Infrastructure for LANs,” The IPSI Transactions on Advanced Research, Volume 2, Number 2, Page(s): 32-37, July 2006.

[Yu04] James T. Yu, “Performance evaluation of Linux Bridge,” Telecommunications System Management Conference, Louisville, Kentucky, 2004.

[YY08] F. Yan and K. H. Yeung, “The Development of Novel Switching Devices by Using Embedded Microprocessing System Running Linux,” International Workshop on Security in Systems and Networks, Miami, USA, April 2008.

[Zan02] D. H. Zanette, “Dynamics of rumor propagation on small-world networks,” Physical Review E, 65, 041908, 2002.

[ZM04] S. Zhou and R.-J. Mondragón, “Accurately modeling the internet topology,” Physical Review E, 70, 066108, 2004.


Appendix

During the study period, a survey on vehicular networks was carried out. The survey was reported in a paper presented in the proceedings of the Global Information Infrastructure Symposium, International Workshop on ITS for Ubiquitous Roads, 2007. This paper is included below as an appendix of the thesis.