Submitted to
Department of Electronic Engineering
in Partial Fulfillment of the Requirements
for the Degree of Master of Philosophy
by
Yan Fan
June 2008
Abstract
The first one is the security problem of Spanning-Tree Protocol (STP), and the
In this thesis, we solve this problem of STP by proposing an enhanced STP. The
proposed solution partitions an STP network into multiple tiers of switching networks.
The reason for the partitioning is to hide the STP operations of the network
infrastructure (i.e. the higher-tier switching networks) from the lower tiers of switching
networks (those closer to end computers). To realise the partitioning, a new kind
switches will on one hand participate in the normal STP operations. On the other
hand, the enhanced STP operations inside the boundary switches actually partition
performance evaluation on the new switches is studied and compared with that of
the conventional STP under all known STP attacks. The results show a significant
reduction in the number of affected switches under the Non-DoS STP attacks when
the enhanced STP is used. For DoS STP attacks, the CPU utilization of switches in
verify the design and to study the switches’ performance. The results show that
these new switches can provide better security for STP networks. This practical
devices.
In the second part of the thesis, the problem of unknown impacts on networks
under DDoS attacks is addressed. A scale-free network (constructed with 1000 nodes)
is investigated and the congestion level is measured. In the scale-free network,
which models the Internet, each node is assumed to have links with finite buffers.
Unlike previous works on complex networks, nodes under attack are not
assumed to be removed, which gives more realistic results. The results show that
the scale-free network becomes easily congested under DDoS attack. It is also
found that the robustness of the scale-free network depends more on the number of
Acknowledgements
I would like to express my gratitude to my supervisor, Dr. K. H. Yeung, for his
undergraduate study. With his inspiring advice and continuous support, I could tackle
many problems and difficulties that I met during the years of study and research.
Without his vast knowledge and skills and his assistance in academic writing, this
thesis would not appear in its present form. I especially thank him for inspiring me with the
meaning of life.
University of Hong Kong. I thank the research fellow Dr. Zhi-xi Wu for his kind
Last of all, I thank my friend Janice for her hearty laughs and Adam for his enduring
To my parents
Table of Content
ABSTRACT .......................................................................................................................................I
ACKNOWLEDGEMENTS...........................................................................................................IV
TABLE OF CONTENT..................................................................................................................VI
LIST OF TABLES ......................................................................................................................VIII
LIST OF FIGURES .......................................................................................................................IX
LIST OF LISTINGS ....................................................................................................................... X
LIST OF EQUATIONS .................................................................................................................XI
LIST OF PUBLICATIONS......................................................................................................... XII
CHAPTER 1 INTRODUCTION ............................................................................................... 1
1.1 NETWORK INFRASTRUCTURE SECURITY .......................................................................... 2
1.2 SPANNING-TREE PROTOCOL AND ITS WEAKNESS ............................................................ 3
1.3 DDOS ATTACK IN SCALE-FREE NETWORKS ...................................................................... 7
1.4 THESIS OVERVIEW ........................................................................................................... 9
CHAPTER 2 IMPROVING NETWORK INFRASTRUCTURE SECURITY BY
PARTITIONING NETWORKS USING SPANNING-TREE PROTOCOL ............................ 12
2.1 INTRODUCTION .............................................................................................................. 13
2.2 IMPROVING NETWORK INFRASTRUCTURE SECURITY BY PARTITIONING A STP NETWORK ...... 14
2.3 IMPLEMENTATION AND EXPERIMENT............................................................................. 16
2.4 CHAPTER CONCLUSION ................................................................................................. 19
CHAPTER 3 SECURE SPANNING TREE PROTOCOL USING NETWORK
PARTITIONING ........................................................................................................................... 20
3.1 BACKGROUND ............................................................................................................... 21
3.2 IMPROVING NETWORK INFRASTRUCTURE SECURITY BY PARTITIONING A STP NETWORK ...... 24
3.3 IMPLEMENTATION.......................................................................................................... 28
3.4 EVALUATION ON THE PROPOSED SOLUTION .................................................................. 30
3.4.1 Non-DoS attacks ...................................................................................................... 31
NUMERICAL EXAMPLES: .............................................................................................................. 34
3.4.2 DoS Attacks .............................................................................................................. 38
3.4.2.1 Flood of configuration message BPDUs claiming root role ......................................... 38
3.4.2.2 Flood of topology change notification BPDUs and flood of configuration message
BPDUs with TC flag on .................................................................................................................... 42
3.4.2.3 Flood of Configuration Message BPDUs with TC Flag on .......................................... 45
3.5 CHAPTER CONCLUSION ................................................................................................. 47
CHAPTER 4 THE DEVELOPMENT OF NOVEL SWITCHING DEVICES USING
EMBEDDED MICROPROCESSING SYSTEM RUNNING LINUX ...................................... 48
4.1 REVIEW OF LINUX BRIDGE ............................................................................................ 49
4.2 STP IMPLEMENTATION IN LINUX ................................................................................... 51
4.2.1 Spanning Tree Protocol implementation .................................................................. 51
4.2.2 Brctl – bridge administration tools .......................................................................... 55
4.3 AN EXAMPLE SHOWING HOW NOVEL SWITCHING DEVICES CAN BE DEVELOPED USING
LINUX BRIDGING CODE ............................................................................................................... 56
4.3.1 Steps to Customize the Bridging Code ..................................................................... 58
List of Tables
TABLE 2.1 RESULTS OF THE EXPERIMENTS. ........................................................................................ 19
TABLE 3.1 ALL KNOWN STP ATTACKS ....................................................................................... 30
TABLE 3.2 RESULTS OF VARIOUS ATTACK PROBABILITY OF NETWORK IN FIGURE 3.7 ...................... 37
List of Figures
FIGURE 1.1 RANDOM NETWORK VERSUS SCALE-FREE NETWORK ........................................................ 8
FIGURE 2.1 BOUNDARY SWITCHES PARTITION THE NON-NETWORK INFRASTRUCTURE (NNI) NETWORK
(THAT CONNECTS TO END COMPUTERS) FROM THE NETWORK INFRASTRUCTURE (NI) NETWORK. 15
FIGURE 2.2 THE TESTING NETWORK ................................................................................................. 18
FIGURE 3.1 A SWITCHING NETWORK WITH T TIERS OF SWITCHES. ..................................................... 25
FIGURE 3.2 SWITCHES AT TIER $i$ ADVERTISE A PSEUDO ROOT ID OF $PRid_i$ AND A PSEUDO ROOT COST
$PRcost_i$ TO THE LOWER TIER $i+1$. ........................................................................................ 26
FIGURE 3.3 STATE DIAGRAM OF SWITCH PORTS. ............................................................................... 27
FIGURE 3.4 FLOW OF STP OPERATIONS IN LINUX CODES. ................................................................. 28
FIGURE 3.5 EXPERIMENTAL SETUP TO TEST THE IMPLEMENTATION. ................................................. 29
FIGURE 3.6 A SIMPLE STP NETWORK ................................................................................................ 35
FIGURE 3.7 TYPICAL TOPOLOGY OF SWITCHING NETWORK ............................................................... 36
FIGURE 3.8 MODEL OF A SWITCH IN THE NETWORK EVALUATION OF FLOOD OF CONFIGURATION
MESSAGE BPDUS CLAIMING ROOT ROLE. ............................................................................. 39
FIGURE 3.9 RESULTS ON THE EVALUATION OF FLOOD OF CONFIGURATION MESSAGE BPDUS
CLAIMING ROOT ROLE. ........................................................................................................... 41
FIGURE 3.10 MODEL OF SWITCH $SW_{i,j}$ IN DOS EVALUATION OF FLOOD OF TOPOLOGY CHANGE ... 44
FIGURE 3.11 UTILIZATION OF SWITCHES IN DOS EVALUATION OF FLOOD OF TOPOLOGY CHANGE
NOTIFICATION BPDUS ............................................................................................................ 46
FIGURE 3.12 UTILIZATION OF SWITCHES IN DOS EVALUATION OF FLOOD OF CONFIGURATION ........ 46
FIGURE 4.1 FLOW OF STP OPERATIONS ............................................................................................ 52
FIGURE 4.2 NETWORK PARTITIONING BY NOVEL SWITCHING DEVICES .............................................. 56
FIGURE 4.3 SET UP THE EXPERIMENT................................................................................................ 64
FIGURE 4.4 RESULT OF THE EXPERIMENT A ..................................................................................... 65
FIGURE 4.5 SET UP OF EXPERIMENT B. ............................................................................................. 65
FIGURE 5.1 TIME EVOLUTION OF THE CONGESTED LINKS IN THE BA SCALE FREE NETWORKS OF SIZE
N=1000 WITH m0 = m = 3, R=0.005, DEGREE OF VICTIM IS 6, NUMBER OF ATTACKERS, NATT
= 1, 3, 4, 5, 6, 10, 20 AND 30. A) 3000 TIME STEPS, B) 500 TIME STEPS ............................................. 74
FIGURE 5.2 TIME EVOLUTION OF THE CONGESTED LINKS IN THE BA SCALE FREE NETWORKS OF SIZE
N=1000 WITH m0 = m = 3 , R=0.005, NATT = 10, DEGREE OF VICTIM IS 3,6,24,124. A) TIME
STEP= 3000, B) TIME STEP =20. ............................................................................................... 75
List of Listings
LISTING 4.1 PART OF LISTING OF LINUX/NET/BR_STP_BPDU.C .......................................................... 60
LISTING 4.2 PART OF LISTING OF LINUX/NET/BRIDGE/BR_STP.C ....................................................... 62
LISTING 4.3 PART OF LISTING OF BRCTL/LIBBRIDGE/LIBBRIDGE_DEVIF.C ....................................... 63
LISTING 4.4 PART OF LISTING OF BRCTL/BRCTL/BRCTL_CMD.C......................................................... 63
List of Equations
Equation 3.1 .................................................................................................................................................. 29
Equation 3.2 .................................................................................................................................................. 29
Equation 3.3 .................................................................................................................................................. 29
Equation 3.4 .................................................................................................................................................. 29
Equation 3.5 .................................................................................................................................................. 30
Equation 3.6 .................................................................................................................................................. 30
Equation 3.7 .................................................................................................................................................. 36
Equation 3.8 .................................................................................................................................................. 36
Equation 3.9 .................................................................................................................................................. 37
Equation 3.10 ................................................................................................................................................ 40
Equation 3.11 ................................................................................................................................................ 41
Equation 3.12 ................................................................................................................................................ 41
Equation 3.13 ................................................................................................................................................ 43
List of Publications
1. K. H. Yeung, F. Yan and T. C. Leung, “Improving Network Infrastructure
Chapter 1
INTRODUCTION
systems that provide many reliable functions, such as connectivity, routing and
information systems and services, the attacks on the network infrastructure could
have serious consequences for the security and economic vitality of society. Its
security has attracted the attention of governments and researchers. In the fiscal year
services provided. Commonly, core routers in the layer 3 network, core switches in the layer
2 network and core repeaters in the layer 1 network are the main network infrastructure
components. In the area of computer networks, research focuses on malicious
attacks on routers, such as routing table poisoning attacks. All packets are forwarded
according to routing tables which are constructed by routing protocols and static
routes in the routers. The attacks interrupt, modify or fabricate the routing
information to corrupt routing tables. Many solutions [Wan99, BSJ97, GMa88, JMo94,
In wireless networks, many researchers have made efforts to protect routing protocols
from attacks, such as the black hole attack. The malicious node claims that it has the
route to all destinations so that routing tables in the normal nodes are manipulated.
Some solutions [HWD02] have been proposed to tackle the black hole attack.
vehicular network, high mobility and a frequently changing topology, it challenges
researchers to design suites of solutions that are more suitable for vehicular networks.
appendix of this thesis. The survey has 4 parts: safety message delivery, services,
In the area of complex networks, there has been much interest in examining
researchers study the network topology more abstractly and consider networks of
networks (LANs). STP creates a spanning tree among connected Ethernet switches in
the data link layer (Layer 2 in the OSI model) and disables the links which are not part of
that tree. STP was first proposed by Radia Perlman in 1985 and developed at Digital
Equipment Corporation. In 1990, the IEEE published the first standard for the
protocol as 802.1D. Subsequent versions were published in 1998 and 2004 by the IEEE
Bridge Protocol Data Units (BPDUs) are the frames exchanged among the switches
in a spanning tree network. There are two types of BPDUs: Configuration Message
BPDU (CM BPDU) and Topology Change Notification BPDU (TCN BPDU). CM
BPDUs are used for spanning tree computation and for updating topology information.
They are sent regularly, every 2 seconds. TCN BPDUs are sent to announce changes
in the network topology, such as when switches become unreachable, the cost of
The bridge ID is a field inside a BPDU frame. It has two parts: the bridge priority, which is
set by network administrators (default value is 32768, largest number in the bridge
The operation of STP includes the following steps. First, elect a single bridge
with the lowest bridge ID in the LANs to be the root bridge. Second, calculate the
shortest path from every other bridge to the root bridge. Third, elect a designated bridge
for each segment, which is the bridge in that segment having the lowest root path
cost to the root bridge. The designated bridge will forward frames from that segment
toward the root bridge. For each bridge, choose a root port that has the shortest
path to the root bridge. Finally, select the ports to be included in the spanning tree,
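The steps just listed, worked through in code. This is an added example written for this page, not code from the thesis or from the Linux bridge; the six-bridge topology, its segment names and its port path costs are constructed for illustration (only the bridge priorities borrow the values the thesis uses for its test network), and a bridge ID is modelled as a (priority, MAC) tuple so that Python's tuple ordering gives the 802.1D "lowest ID wins" rule.

```python
import heapq

# Constructed sample topology (an assumption, not the thesis's Figure 2.2).
# A bridge ID is (priority, MAC); Python compares the tuple lexicographically,
# so the lowest tuple is the best ID, as in IEEE 802.1D. The priorities follow
# the thesis's test network: 0x2000 infrastructure, 0x2710 boundary, 0x3000 lower tier.
BRIDGES = {
    "Br1": (0x2000, "00:00:00:00:00:01"),
    "Br2": (0x2000, "00:00:00:00:00:02"),
    "Br3": (0x2710, "00:00:00:00:00:03"),
    "Br4": (0x2710, "00:00:00:00:00:04"),
    "Br5": (0x3000, "00:00:00:00:00:05"),
    "Br6": (0x3000, "00:00:00:00:00:06"),
}

# Constructed LAN segments: name -> (bridge A, bridge B, port path cost).
SEGMENTS = {
    "S12": ("Br1", "Br2", 4),
    "S13": ("Br1", "Br3", 4),
    "S24": ("Br2", "Br4", 4),
    "S34": ("Br3", "Br4", 4),
    "S35": ("Br3", "Br5", 19),
    "S46": ("Br4", "Br6", 19),
    "S56": ("Br5", "Br6", 19),
}


def adjacency(segments):
    """bridge -> list of (neighbour, link cost, segment name)."""
    adj = {}
    for seg, (a, b, cost) in segments.items():
        adj.setdefault(a, []).append((b, cost, seg))
        adj.setdefault(b, []).append((a, cost, seg))
    return adj


def elect_root(bridges):
    """Step 1: the bridge with the lowest bridge ID becomes the root."""
    return min(bridges, key=bridges.get)


def root_path_costs(bridges, segments, root):
    """Step 2: shortest path cost from every bridge to the root (Dijkstra)."""
    adj = adjacency(segments)
    cost = {name: float("inf") for name in bridges}
    cost[root] = 0
    heap = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue  # stale heap entry
        for nbr, link_cost, _seg in adj.get(node, []):
            if c + link_cost < cost[nbr]:
                cost[nbr] = c + link_cost
                heapq.heappush(heap, (cost[nbr], nbr))
    return cost


def designated_bridges(bridges, segments, cost):
    """Step 3: on each segment, the attached bridge with the lowest root path cost
    (ties broken by lowest bridge ID) forwards that segment's frames toward the root."""
    return {seg: min((a, b), key=lambda n: (cost[n], bridges[n]))
            for seg, (a, b, _c) in segments.items()}


def root_ports(bridges, segments, cost, root):
    """Step 4: each non-root bridge picks the port with the lowest root path cost;
    ties are broken by the lowest bridge ID of the neighbour on that segment."""
    adj = adjacency(segments)
    ports = {}
    for name in bridges:
        if name == root:
            continue
        _c, _id, seg = min((cost[nbr] + lc, bridges[nbr], seg)
                           for nbr, lc, seg in adj[name])
        ports[name] = seg
    return ports


def port_states(bridges, segments):
    """Final step: every port is root, designated or blocked; only the first two forward."""
    root = elect_root(bridges)
    cost = root_path_costs(bridges, segments, root)
    desig = designated_bridges(bridges, segments, cost)
    rports = root_ports(bridges, segments, cost, root)
    states = {}
    for seg, (a, b, _c) in segments.items():
        for name in (a, b):
            if rports.get(name) == seg:
                states[(name, seg)] = "root"
            elif desig[seg] == name:
                states[(name, seg)] = "designated"
            else:
                states[(name, seg)] = "blocked"
    return root, cost, states


def active_segments(states):
    """Segments kept in the spanning tree: both attached ports are forwarding."""
    by_seg = {}
    for (_name, seg), st in states.items():
        by_seg.setdefault(seg, []).append(st)
    return sorted(seg for seg, sts in by_seg.items() if "blocked" not in sts)


if __name__ == "__main__":
    root, cost, states = port_states(BRIDGES, SEGMENTS)
    print("root bridge:", root)
    for (name, seg), st in sorted(states.items()):
        print(f"{name} port on {seg}: {st} (root path cost {cost[name]})")
    print("segments in the tree:", active_segments(states))
```

Running the block prints the root bridge, each port's role and the segments left in the tree. On each redundant segment the bridge that loses the designated election (Br4 on S34 and Br6 on S56 in this topology) blocks its port, which is what keeps the topology loop-free; it is also this whole computation that every bridge repeats whenever a BPDU with a better root ID arrives, which is why a flood of such BPDUs costs CPU on every switch in the tree.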
under the physical control within an access-restricted area. However, STP has two
main security pitfalls: lack of authentication of its signalling messages and the
ease with which the root role changes. Some hackers make use of these weaknesses and affect
STP networks maliciously. These attacks can make the whole STP network non-functional
and unstable, or leak the users’ data to hackers. All known STP attacks are
introduced as follows:
STP attacks
The attacker generates a single BPDU message per hello time claiming the root role.
As the attacker can get the real root’s bridge ID by using monitoring software to
capture frames, it is easy to generate a bridge ID lower than the real root’s bridge ID to
The attacker crafts a single BPDU message per hello time per interface
The attacker claims just an active role in the tree. In this attack, the station
listens on the interface that advertises better BPDUs (that is, smaller root path cost)
and advertises bogus BPDU messages through the other interface. In the bogus
messages, the original root bridge ID and other parameters are preserved, but the
root path cost is incremented by a hop and the source bridge ID is modified to be
bigger than the current root ID. This attack can be used for traffic snooping.
Tree Segmentation
This attack requires two or more colluding single-homed stations, each of which
carries out a single-homed root role-claiming attack, and all stations advertise the
same bridge ID, which is lower than the current root ID in order to claim the root
role.
CM BPDUs claiming the root role come from nonexistent bridges with bridge IDs
lower than the current root ID, thereby qualifying as candidates to be the new root
bridge. This forces the target switch to keep recalculating the algorithm.
CM BPDUs with the TC flag on are sent from nonexistent bridges. These frames
make all switches rapidly flush the entries in their forwarding tables. Switches
that frequently receive these frames have to broadcast the data frames they receive
while their forwarding tables are always empty, so the load on the switches
increases and the attacker gets a chance to sniff data packets.
TCN BPDUs claiming to come from nonexistent switches. These TCNs are
transmitted up the tree until they reach the root. The root will set a flag in
the advanced version of a DoS attack. In a DDoS attack, multiple compromised nodes
consume the resources of the victim node so that the victim node can no longer
provide its intended service and its users cannot use the service. The compromised
nodes obstruct the communication media between the normal users and the victim
node so that congestion occurs in the network. The congestion affects not only the
victim node and its users but also other nodes in the network. Many researchers
have made great efforts to study DDoS attacks. One common method is to simulate DDoS
nodes have high degree and most nodes have low degree. The difference from
random networks is illustrated in Figure 1.1. In the late 1990s, a
power-law degree distribution was observed in many real-world networks such as the World
Wide Web, the network of Autonomous Systems and some networks of Internet routers.
These findings imply that a scale-free network can model such real networks.
with a power-law degree distribution. There are two important general concepts in
this model: growth and preferential attachment. Growth means that the number of nodes
increases over time. Preferential attachment means that the more connected a node
is, the more new links it attracts. The model begins with an initial network of
existing network with a probability $p_i = \frac{k_i}{\sum_j k_j}$, where $k_i$ is the degree of node $i$. This
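The growth and preferential-attachment rules above, as an added example (not the thesis's simulation code). It grows a BA network with the parameters the thesis uses, N = 1000 and m0 = m = 3, and exposes the attachment probability p_i = k_i / Σ_j k_j so that the heavy-tailed degree distribution (the property that gives the network the hubs whose degree matters in the DDoS study) can be checked directly. Starting from a complete graph on the m0 initial nodes and requiring the m links of each new node to go to distinct existing nodes are assumptions of this example.

```python
import random


def barabasi_albert(n, m0=3, m=3, seed=1):
    """Grow a BA scale-free network with n nodes.

    Assumptions of this example: the initial m0 nodes form a complete graph, and
    each new node attaches m links to m distinct existing nodes. Existing node i
    is chosen with probability p_i = k_i / sum_j k_j, implemented by drawing
    uniformly from a list in which node i appears exactly k_i times."""
    if m > m0 or m0 < 2:
        raise ValueError("need m0 >= 2 and m <= m0")
    rng = random.Random(seed)
    adj = {i: set() for i in range(m0)}
    for i in range(m0):
        for j in range(i + 1, m0):
            adj[i].add(j)
            adj[j].add(i)
    # Each node appears in `targets` once per link end, i.e. k_i times.
    targets = [v for v in adj for _ in adj[v]]
    for new in range(m0, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))  # preferential attachment
        adj[new] = set()
        for v in chosen:
            adj[new].add(v)
            adj[v].add(new)
            targets.extend((new, v))
    return adj


def attachment_probabilities(adj):
    """p_i = k_i / sum_j k_j for every node of the current network."""
    total = sum(len(nbrs) for nbrs in adj.values())
    return {i: len(nbrs) / total for i, nbrs in adj.items()}


def degree_sum(adj):
    """Sum of all degrees, i.e. twice the number of links."""
    return sum(len(nbrs) for nbrs in adj.values())


def fraction_with_degree_at_least(adj, k):
    """Tail of the degree distribution: share of nodes whose degree is >= k."""
    return sum(1 for nbrs in adj.values() if len(nbrs) >= k) / len(adj)


if __name__ == "__main__":
    net = barabasi_albert(1000, m0=3, m=3)
    print("nodes:", len(net), "links:", degree_sum(net) // 2)
    print("max degree:", max(len(v) for v in net.values()))
    for k in (3, 6, 12, 24, 48):
        print(f"fraction of nodes with degree >= {k}: "
              f"{fraction_with_degree_at_least(net, k):.3f}")
```

With a fixed seed the output is reproducible; the printed tail fractions fall off far more slowly than they would for a random network of the same size, which is the scale-free signature the figure above contrasts.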
propose a novel solution that partitions an STP network into two tiers of switching
networks in this chapter. The reason for the partitioning is to hide the STP operation
of the network infrastructure (i.e. the higher-tier switching network) from the lower
tier switching network (that connects to end computers). It is expected that after
the partitioning, the lower-tier switching network and its connected end computers
cannot launch STP attacks against the network infrastructure. To realise the partitioning,
boundary switches will on one hand participate in the normal STP operations of
both tiers of networks. On the other hand, the modified STP operations inside the
implemented boundary switches were also run. The results show that the boundary
switches were fully functional and could successfully stop STP attacks launched
from the lower-tier network. In the next chapter, the solution is extended to multiple
Chapter 3: This chapter presents a modified STP to solve the security problems
partitioned into many tiers. The security performance of the modified protocol is
studied and compared with that of the conventional STP under all known STP
under the Non-DoS STP attack when the modified STP is used. For DoS STP
attacks, the CPU utilization of switches in handling STP topology changes can be
switch operations and the Spanning Tree Protocol (STP). It then gives a brief
analysis of the Linux STP implementation and bridge configuration tools. The aim of
the analysis is to lay a foundation for the later discussion on how novel switching
devices can be developed based on the bridging code. To facilitate the discussion,
switching devices. Experiments on the newly developed switches are also reported.
The results show that these new switches can provide better security for STP
networks. At the end of the chapter, discussion on how to port the design to
congested links. Two new methods, links with finite buffers and keeping the attacked
node, are used to model the router and the DDoS attack more realistically. The results
show that the robustness of networks depends more on the number of attackers than on the degree
of the victim.
Chapter 6: This chapter summarises the thesis and presents several points of
Chapter 2
The chapter proposes a novel solution that partitions an STP network into two tiers
of switching networks. The reason for the partitioning is to hide the STP operation
of the network infrastructure (i.e. the higher-tier switching network) from the lower-tier
switching network (that connects to end computers). It is expected that after the
partitioning, the lower-tier switching network and its connected end computers
cannot launch STP attacks against the network infrastructure. To realise the partitioning,
boundary switches will on one hand participate in the normal STP operations of
both tiers of networks. On the other hand, the modified STP operations inside the
implemented boundary switches were also run. The results show that the boundary
switches were fully functional and could successfully stop STP attacks launched
from the lower-tier network. In the next chapter, the solution is extended to multiple
2.1 Introduction
Although the Spanning Tree Protocol (STP), IEEE 802.1D, has been used in
production networks for many years, it is not until recently that researchers started to
authentication in BPDU messages; 2) slow convergence of STP; 3) root role not fully
switch) make the switches easier to attack. Due to these pitfalls, a network
running STP can easily be attacked, especially when an attacker can physically
There are some previous works on enhancing the security of STP. In [SKB01], an
approach that tunes the cost of links for achieving STP stability is proposed. A set of
formulae is provided for setting the port costs of the switches to provide STP stability.
Although this approach works well for the network topology under study, it does not
work under other network situations. Cisco proposed a technique called ROOT guard,
which is discussed in [CISG]. ROOT guard successfully stops attacks like root role
claiming that are launched against the network. However, ROOT guard cannot stop other
ROOT guard is that it is mutually exclusive with LOOP guard [CISL]. LOOP guard
is used for preventing loops when a link fails in one sending direction (not both).
When LOOP guard is enabled at a port, ROOT guard will always be disabled at that
port. BPDU guard ([CISB]) is another technique proposed by Cisco to enforce the
STP domain border. A switch port with BPDU guard enabled will not accept
BPDU messages. If BPDU messages are received on the port, the BPDU guard
operation disables the port. Since BPDU guard does not allow new switches to be
connected to this kind of port, it opposes the spirit of the STP design (as commented
A brief survey of the previous research shows that no existing solution completely
solves the security problems of STP. In this chapter, the security problem of STP is
proposed to be solved by partitioning an STP network into two tiers of switching networks.
The solution will stop all STP attacks launched from the lower-tier network (i.e. the
network nearer to end computers) from affecting the higher-tier network. It also does
not oppose the design spirit of STP (i.e. new switches can be added freely) and works
first proposed in [Yeu05]. As shown in Figure 2.1, an STP network is partitioned into
two switched networks. New boundary switches running modified STP operations are
designed and used for connecting the two networks together. These boundary
switches also run STP, and cooperate with the switches in both the NI and NNI networks
to prevent loops in the whole network. However, the boundary switches perform
additional functions compared with ordinary switches. First, they make the switches in
the NNI network unaware of the STP details of the NI network. The details include
STP information like the root ID and costs, and topology changes in the NI network.
Second, they make the NI network unaffected by topology changes in the NNI
network. Note that with such boundary switches, the NI network can be protected from
STP attacks that are launched from the NNI network. On the other hand, new
switches can freely be added to both networks. This follows the design spirit of STP.
It is also expected that techniques like LOOP guard can still be used in the
boundary switches.
In each boundary switch, there are two kinds of ports: NI ports that connect to the
NI network, and NNI ports that connect to the NNI network. There is only one root
for both networks, and it is always located inside the NI network. BPDU messages will
be sent from the root and eventually received by the NI ports of each boundary
switch. At the NI side, the boundary switch behaves exactly like an ordinary switch.
At the NNI side, however, the STP operation is modified. When BPDU
messages are received from the NI ports and are ready for passing to the NNI ports, the
boundary switch performs two modifications on the BPDU messages: 1) the root ID
switches in the NNI network. The Pseudo_root ID value, however, must be the same for
all boundary switches); and 2) the root path cost is reset to another constant value
called Pseudo_root_path_cost. Note that in doing this, the boundary switches give a
consistent but virtual view to the switches in the NNI network that the root of the
STP network has a root ID of Pseudo_root ID and the path cost from the boundary
network from being affected by the NNI network, the boundary switches will only
accept switches with an ID worse than Pseudo_root ID to be connected to the NNI
ports. When BPDUs with invalid root IDs (i.e. smaller than Pseudo_root ID) are
received by the boundary switches from the NNI ports, the ports will be blocked.
Note that all the switches in the NI network should also be set with an ID lower than
Pseudo_root ID. The real root will then always be elected from the NI network, but
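The two BPDU modifications and the NNI-side check described above, as an added example. It is not the thesis's kernel patch and does not model the ordinary STP state machine on the NI side; the constants PSEUDO_ROOT_ID and PSEUDO_ROOT_PATH_COST, the port names, the bridge IDs and the subset of BPDU fields are assumptions of this example. Clearing the TC flag on relayed BPDUs follows the statement that NNI switches should be unaware of topology changes in the NI network.

```python
from dataclasses import dataclass, replace

# A bridge ID is (priority, MAC); the lower tuple is the better ID, as in 802.1D.
BridgeId = tuple

# Constructed constants (assumed values, not from the thesis). Pseudo_root ID must be
# higher (worse) than every NI switch ID and lower (better) than every NNI switch ID.
PSEUDO_ROOT_ID = (0x2800, "00:00:00:00:00:00")
PSEUDO_ROOT_PATH_COST = 1


@dataclass(frozen=True)
class ConfigBPDU:
    """The fields of a configuration message BPDU that the boundary logic touches."""
    root_id: BridgeId
    root_path_cost: int
    sender_id: BridgeId
    tc_flag: bool = False


class BoundarySwitch:
    """Boundary switch with NI ports (towards the infrastructure) and NNI ports
    (towards end computers). Only the two BPDU modifications and the NNI-side
    root ID check from the text are modelled; NI-side STP is ordinary and omitted."""

    def __init__(self, bridge_id, ni_ports, nni_ports):
        self.bridge_id = bridge_id
        self.ni_ports = set(ni_ports)
        self.nni_ports = set(nni_ports)
        self.blocked = set()   # NNI ports blocked after an invalid root ID
        self.rejected = 0      # invalid BPDUs seen, for monitoring

    def rewrite_for_nni(self, bpdu):
        """Modifications 1 and 2: replace the real root ID and root path cost with
        the constant pseudo values, so NNI switches see one virtual root and never
        learn NI root IDs, costs or topology changes (the TC flag is cleared too)."""
        return replace(bpdu, root_id=PSEUDO_ROOT_ID,
                       root_path_cost=PSEUDO_ROOT_PATH_COST,
                       sender_id=self.bridge_id, tc_flag=False)

    def receive(self, port, bpdu):
        """Process one BPDU arriving on `port`; returns the (port, BPDU) frames sent out."""
        if port in self.blocked:
            return []                              # a blocked port drops everything
        if port in self.ni_ports:
            rewritten = self.rewrite_for_nni(bpdu)  # relay the virtual view downwards
            return [(p, rewritten) for p in sorted(self.nni_ports - self.blocked)]
        if port in self.nni_ports:
            if bpdu.root_id < PSEUDO_ROOT_ID:      # claims a root better than the pseudo root
                self.blocked.add(port)
                self.rejected += 1
            return []                              # nothing from NNI is relayed into NI
        raise ValueError(f"unknown port {port!r}")


def misconfigured_ni_ids(ni_bridge_ids):
    """Deployment check from the text: every NI switch must have an ID lower than
    Pseudo_root ID so that the real root is always elected from the NI network.
    Returns the IDs that violate this."""
    return [bid for bid in ni_bridge_ids if not bid < PSEUDO_ROOT_ID]


if __name__ == "__main__":
    sw = BoundarySwitch((0x2710, "00:00:00:00:00:03"), ["eth0", "eth1"], ["eth2", "eth3"])
    real_root = (0x2000, "00:00:00:00:00:01")
    # Constructed BPDU from the real root arriving on an NI port: relayed with pseudo values.
    for port, out in sw.receive("eth0", ConfigBPDU(real_root, 4, real_root, tc_flag=True)):
        print(port, out)
    # Constructed BPDU on an NNI port claiming a root better than the pseudo root: port blocked.
    bad = (0x1000, "00:00:00:00:00:99")
    sw.receive("eth3", ConfigBPDU(bad, 0, bad))
    print("blocked:", sorted(sw.blocked), "rejected:", sw.rejected)
```

The `blocked` set and `rejected` counter are the values an operator would export for monitoring: a boundary switch that keeps blocking NNI ports is receiving root claims from the lower tier. `misconfigured_ni_ids` is the deployment check implied by the last paragraph; if an NI switch has an ID worse than Pseudo_root ID, the real root is no longer guaranteed to be elected from the NI network.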
bridge code of the Linux kernel. PCs (with multiple Ethernet interfaces) running the
modified code were connected to a testing network as shown in Figure 2.2. In the
network, there are six bridges with names Br1, Br2, …, Br6. Br1 and Br2 (with
bridge priority 0x2000) are bridges in the network infrastructure. Br5 and Br6 (with
bridge priority 0x3000) are bridges in the lower-tier network. The boundary switches
in the network are Br3 and Br4 (with bridge priority 0x2710). In our testing, two
experiments were run. In the first experiment, Br3 and Br4 worked as normal bridges.
In the second experiment, the modified bridge code was run in Br3 and Br4 to make
launched from the computer connected to Br6. An STP attacking tool named
“yersinia” (see [YER]) was run on the computer. The software generated 4000 STP
configuration messages per second to Br6, all with bridge IDs lower than the root ID
(i.e. 0x2000). This forced the bridges to re-run the STP algorithm frequently. After
that, ping tests from Br1/Br2 to Br4, Br5 and Br6 were made. The ping tests were to
check the percentage of packet loss due to the performance degradation of the
bridges (since the bridges might be busy re-running the STP algorithm).
Table 2.1 shows the results of the experiments. As shown, a change of STP root
occurred when the network was not partitioned. A very high percentage of packet
drops was also observed during the ping tests. This shows that the network
performance was severely affected by the STP attack. The benefit of using the
proposed method is also observed clearly from the table (see the last row in the table).
stopped the STP attack on the network infrastructure. No packet loss was observed
when ping messages passed through the unaffected bridges (i.e. Br1 to Br5). The boundary
switches (Br3 and Br4) had successfully isolated the source of the STP attack, namely
Br6. In conclusion, the method proposed in this chapter can improve the network
after the network infrastructure partitioning, the boundary switches successfully stopped
Chapter 3
Chapter Summary - This chapter presents a modified STP to solve the security
problems of conventional spanning tree protocol. A network using the modified STP
is partitioned into many tiers. The security performance of the modified protocol is
studied and compared with that of the conventional STP under all known STP attacks.
The results show a significant reduction in the number of affected switches under the Non-DoS
STP attacks when the modified STP is used. For DoS STP attacks, the CPU
3.1 Background
With society’s increasing reliance on computer networks, even minor disruptions
in a network may be unacceptable in the future. This calls for many previous
required to be on one hand fault tolerant [FH06], and on the other hand free from
The Spanning Tree Protocol (STP), IEEE 802.1D [IEEE], is a protocol that improves the
fault tolerance of switching networks. Although STP has been used in production
networks for many years, it is not until recently that researchers started to study its security
Protocol Data Unit (BPDU) messages; 2) slow convergence of STP; 3) root role not
fully monitored; and 4) complex state machines (which require a lot of computation
in a switch) make the switches easier to attack. Due to these pitfalls, a network
running STP can easily be attacked, especially when an attacker can physically
There are some previous works on enhancing the security of STP. In [SKB01], an
approach that tunes the cost of links for achieving STP stability is proposed. A set of
formulae is provided for setting the port costs of the switches to provide STP stability.
Although this approach works well for the network topology under study, it does not
Cisco proposed a technique called ROOT guard, discussed in [CISR]. ROOT guard successfully stops attacks like root role claiming launched against the
by other vendors. More importantly, ROOT guard cannot stop other network
message BPDUs with TC flag on attack and flood of topology change notification BPDUs attack. Another problem with ROOT guard is that it is mutually exclusive with LOOP guard [CISL]. LOOP guard is used to prevent loops when a link fails in one direction only (not both). When LOOP guard is enabled on a port, ROOT guard is always disabled on that port. Besides, ROOT guard still allows end users
BPDU guard ([CISB]) is another Cisco technique, also patented, for enforcing the STP domain border. Switch ports with BPDU guard enabled do not accept BPDU messages. If a BPDU is received on one of these ports, BPDU guard disables the port. Since BPDU guard does not allow new switches to be connected to these ports, it opposes the spirit of the STP design (as commented by the author of [Gmm03]). In addition, it is not an open standard and other parties
A brief survey on the previous research shows that no existing solution completely
solves the security problems of STP. In this chapter, the security problem of STP is
networks. The solution stops all STP attacks launched from the lower tier networks (i.e. networks nearer to end computers) from affecting the higher tier networks. It also does not oppose the design spirit of STP (i.e. new switches can be added freely). Finally, the solution works with existing STP techniques like LOOP guard.
The rest of this chapter is organized as follows. In section 3.2 the proposed
the proposed method has been made. This is reported in section 3.3. In section 3.4,
of the conventional spanning tree protocol. The chapter then concludes in section 3.5.
The novel concept of partitioning a network infrastructure into two tiers was first
network into multiple tiers. As shown in Figure 3.1, a STP network is composed of many switches. Every switch has a set of spanning tree protocol parameters, such as bridge id and root id. Let $\alpha_{i,j}$ be the bridge id of the $j$-th switch in tier $i$, and denote the switch as $SW_{i,j}$. Let $\beta_{i,j}$ be the smallest bridge id received in BPDUs by $SW_{i,j}$. Let $Rid$ be the root id of the network. When the topology reaches a stable state, the switch with the smallest bridge id is elected as the root bridge and its bridge id becomes the root id. We assume that switch 1 in tier 1 is the root bridge, so that $Rid = \alpha_{1,1} = \beta_{i,j} < \alpha_{i,j}$ for all $(i,j) \neq (1,1)$. Any switch that receives a bridge id smaller than the current root id changes its root id to the new smallest value. So if $SW_{x,y}$ claims to be the new root by advertising a $Rid$ equal to $\beta_{x,y}$ with $\beta_{x,y} < \alpha_{1,1}$, then all the switches will be affected and all switches will
fashion. To see how this is built, see Figure 3.2. As shown in the figure, a switch in the network ($SW_{i,j}$ is used as an example) has two kinds of ports: Higher Tier (HT) ports that connect to a higher tier network, and Lower Tier (LT) ports that connect to a lower tier network. For switches in tier 1, HT ports connect only to the other switches in tier 1, since tier 1 is the highest tier. One of the switches in tier 1 will be elected as the root bridge (e.g. $SW_{1,1}$ in our discussion) and the other switches in the tier will find the shortest path to the root via their HT ports. The HT ports therefore perform conventional STP operations as normal. This is the same for all HT ports in all lower tier switches. On LT ports, however, a modified spanning tree operation is run. The modification is that a pseudo root id, denoted $PRid_i$ for tier $i$, is advertised out of the LT ports. Note that the pseudo root id must be the same for all switches in the same tier. There are two reasons for advertising a pseudo root id. Firstly, it is to
protect the switch information of the root (e.g., from the MAC address of the root id
Figure 3.2 Switches at tier $i$ advertise a pseudo root id $PRid_i$ and a pseudo root cost $PRcost_i$ to the lower tier $i+1$.
Secondly, the root switch can be kept in the first tier if the pseudo root ids are selected carefully so that $PRid_i < PRid_{i+1}$ for all $i$. In doing so, if a root id better than
abnormal condition. That port can then be blocked in order to protect the network.
As shown in Figure 3.2, a pseudo root cost, denoted $PRcost_i$ for tier $i$, is also advertised out of the LT ports. As with the pseudo root id, the purpose of the pseudo cost is to hide the real cost of the path to the root (which could otherwise be used to learn the topology of the
Figure 3.3 shows the state diagram of the ports of a switch running the modified STP operations. The diagram is the same as that given in [IEEE], with the only exception that for LT ports a new rule (6) is added. This rule is not used for HT ports. The new rule enhances the security of STP by checking whether the information carried in a BPDU received on an LT port is trying to change the current topology. If such a case is detected, the BPDU is considered to have been sent by an attacker, so the port is blocked. During the checking, a rate limit on Topology Change Notification (TCN) BPDUs is also enforced to protect the switch from a TCN flooding attack. In a normal network, TCNs are received at a very low rate. If the rate of received TCNs exceeds the limit, the situation is
3.3 Implementation
The switch functions discussed above have been implemented in the Linux kernel. In the following we only discuss the implementation of STP in Linux. For further
[Ben05].
Figure 3.4 Key routines in processing BPDUs in the Linux kernel (br_stp_bpdu.c, br_stp.c, dev.c): br_stp_handle_bpdu (with its net_bridge_port *p argument) dispatches to br_received_config_bpdu or br_received_tcn_bpdu; br_reply, br_config_bpdu_generation and br_topology_change_acknowledge lead to br_transmit_config, which calls br_send_bpdu and finally dev_queue_xmit in dev.c.
When STP is enabled on the bridge, BPDUs are generated. BPDUs are also accepted on any enabled port. Figure 3.4 shows the key routines for processing BPDUs in the Linux kernel. br_stp_bpdu.c and br_stp.c are the two main C files implementing the operations of STP. br_stp_bpdu.c takes care of received BPDUs and
hardware via dev.c. On the other hand, br_stp.c generates BPDUs according to the
[YY08] were tested in an experimental network as shown in Figure 3.5. All six switches were computers running the modified Linux code. The switch implemented by the broadband router also ran our modified code. The two PCs
All known STP attacks were launched against the network. The experimental results show that the proposed solution can stop all STP attacks launched from the lower tier
These attacks on the spanning tree protocol can be divided into two categories: Non-DoS and DoS attacks (see Table 3.1). Based on the different nature of these two categories
active role in the STP topology. This category of attacks includes single-homed root role claiming, dual-homed root role claiming, internal node role claiming and tree
switches that will change their STP states when attacked. Therefore, the
DoS attacks are launched by sending a steady flood of bogus BPDUs to a network. This forces continuous spanning tree recalculation, thereby creating a DoS condition due to the limited computational power of the switches [4]. There are several DoS attacks: flood of configuration message BPDUs with TC flag on, flood of topology
root role. Since the purpose of a DoS attack is to stop connectivity, the utilization of
network. The performance indicators of the conventional STP network and the proposed
the number of switches in tier $i$. In our proposed design the number of affected switches
Let matrix $C_i = [\,c_1\ c_2\ \dots\ c_p\ \dots\ c_{n_i}\,]$ be the attack states of the switches in tier $i$, where $n_i$ is the number of switches in tier $i$. $c_p$ is a Boolean value standing for the state of the $p$-th switch in tier $i$: a 1 stands for the corresponding switch being attacked and a 0 for not being attacked. $C_i$ is therefore called a one-zero matrix. Note that we only consider a single source of attack. Without loss of generality, assume the one and only switch being attacked
Let matrix
between the two switches, and 0 stands for no connection. We assume that the state
matrix.
Let matrix $C'_i$ represent the complete attack state of the switches in tier $i$. This includes the attacked switch (if $i = r$) plus all affected switches in tier $i$. Note that switches in tier $i$ are affected only when the attack is launched at tier $i$ or above. For an attack on a switch in tier $r$ which is higher than tier $i$, or $r \le i$, $C'_i$ can be obtained from
$$C'_i = C_r \circ M_{r,r} \circ M_{r,r+1} \circ \dots \circ M_{r,i} \circ \dots \circ M_{r+1,r+1} \circ \dots \circ M_{r+1,i} \circ \dots \circ M_{i,i}$$ (Equation 3.1)
where $\circ$ denotes a Boolean product. Equation 3.1 is based on two facts. Firstly, an attack launched at tier $r$ affects switches at tier $r$ or lower only. Switches at tiers higher than $r$ are not affected, because the higher tier switches block the ports connecting to tier $r$ once an attack is detected. Secondly, not all switches in tier $r$ or below will be affected. Instead, only those switches that
$C'_i$, or $d_p$ has a decimal value as given by
$$d_p = \begin{cases} 1 & \text{when } c_p = 1 \\ 0 & \text{when } c_p = 0 \end{cases}$$ (Equation 3.2)
be used to calculate the number of affected switches in the network. Let $L_u$ be the number of affected switches in tier $u$:
$$L_u = \sum_{p=1}^{n_u} d_p$$ (Equation 3.3)
Let $K_{r,s}$ be the number of affected switches in the whole network when $SW_{r,s}$ is attacked. $K_{r,s}$ is obtained by summing over the tiers:
$$K_{r,s} = \sum_{u=1}^{t} L_u$$ (Equation 3.4)
Further, let $B_{r,s}$ be the probability that, given that one switch is attacked, switch $SW_{r,s}$ is the one being attacked. $B_{r,s}$ depends on the physical location of the switch, the number of people holding access rights to the switch, and how easily the switch can be accessed both physically and remotely. Let $\mu$ be the mean number of affected switches and $\sigma$ its standard deviation:
$$\mu = \sum_{r=1,\,s=1}^{r=t,\ s=n_r} B_{r,s}\, K_{r,s}$$ (Equation 3.5)
$$\sigma = \sqrt{\sum_{r=1,\,s=1}^{r=t,\ s=n_r} (K_{r,s} - \mu)^2\, B_{r,s}}$$ (Equation 3.6)
A large $\mu$ shows that an attack on the network will affect most of the network; the network is therefore not secure. A smaller $\mu$ means a more secure network. However, if $\mu$ is low but $\sigma$ is high, part of the network is not well designed: there exist weak points which, when attacked, affect the whole network significantly.
Numerical Examples:
To see how the analysis described above works, consider the STP network shown in Figure 3.6, with $SW_{1,1}$ and $SW_{1,2}$ in tier 1 and $SW_{2,1}$ and $SW_{2,2}$ in tier 2. The connections shown in the diagram can be represented by the following matrices:
$$M_{1,1} = [\,1\ 1\,], \qquad M_{1,2} = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}, \qquad M_{2,2} = [\,1\ 1\,]$$
Assume that $B_{1,1} = 0.1$, $B_{1,2} = 0.1$, $B_{2,1} = 0.4$, $B_{2,2} = 0.4$, and that $SW_{1,1}$ is the root
get
$$C'_1 = C_1 \circ M_{1,1} = [\,1\ 1\,]$$
$$C'_2 = C_1 \circ M_{1,1} \circ M_{1,2} \circ M_{2,2} = [\,1\ 1\,]$$
$$D_1 = [\,1\ 1\,], \qquad D_2 = [\,1\ 1\,]$$
From Equations 3.3 and 3.4, the number of affected switches when $SW_{1,1}$ is attacked is $K_{1,1} = 4$.
Similarly, we find $K_{1,2} = 4$, and $K_{2,1}$ and $K_{2,2}$ both equal 2. Finally, from Equations 3.5 and 3.6,
$$\mu = \sum_{i=1,\,j=1}^{i=t,\ j=n_i} B_{i,j}\, K_{i,j} = 2.4$$
$$\sigma = \sqrt{\sum_{i=1,\,j=1}^{i=t,\ j=n_i} (K_{i,j} - \mu)^2\, B_{i,j}} = 0.8$$
Results for the network of Figure 3.7 (tier 1: $SW_{1,1}$, $SW_{1,2}$; tier 2: $SW_{2,1}$ to $SW_{2,6}$), cases 1 and 2:

Case | Attack probabilities of the case | Conventional STP: μ | σ | Proposed STP: μ | σ
1 | Uniform | 8 | 0 | 2.75 | 1.8
2 | B1,1 = B1,2 = 0.05, B2,1 = B2,2 = B2,3 = B2,4 = B2,5 = B2,6 = 0.15 | 8 | 0 | 2.2 | 2.15
attack at any one of the four switches affects all four switches). In other words, when this network is attacked, the average number of affected switches with our solution is 40% lower than with conventional STP. This is a significant improvement.
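The analysis of Equations 3.1 to 3.6 carried through in code, as an added example that is not part of the thesis. It assumes what Equation 3.1 encodes: under the proposed STP a root claim only propagates over links that stay in the same tier or go down a tier (the LT port of a higher-tier switch blocks it), so the affected set is a reachability set over such links; under conventional STP every switch in the network is affected. The Figure 3.6 topology is reconstructed from the matrices above (the two tier-1 switches linked, each tier-1 switch linked to one tier-2 switch, the two tier-2 switches linked), and σ is taken as the standard deviation, which is what gives 0.8 above. The index convention, the function names and the Newton square root are the example's own.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_SW 16

/* A tiered STP network: switches are numbered 0..n-1, tier 1 is the
 * highest tier, and link[u][v] records a physical link (symmetric). */
struct stp_net {
    int  n;
    int  tier[MAX_SW];
    bool link[MAX_SW][MAX_SW];
};

void add_link(struct stp_net *net, int u, int v)
{
    net->link[u][v] = net->link[v][u] = true;
}

/* Number of switches affected when switch a is attacked (K of Eq. 3.4).
 * Conventional STP: a better root claim re-runs the election everywhere,
 * so all n switches are affected. Tiered STP: a BPDU is only honoured on
 * HT ports, i.e. when it arrives from the same or a higher tier; the LT
 * port of a higher-tier switch facing it blocks. The affected set is thus
 * what is reachable from a over links that never step up a tier, which is
 * the set the Boolean-product chain of Eq. 3.1 picks out. */
int affected_count(const struct stp_net *net, int a, bool tiered)
{
    bool seen[MAX_SW] = { false };
    int queue[MAX_SW], head = 0, tail = 0, count = 0;

    if (!tiered)
        return net->n;
    seen[a] = true;
    queue[tail++] = a;
    while (head < tail) {
        int u = queue[head++];
        count++;
        for (int v = 0; v < net->n; v++) {
            if (!net->link[u][v] || seen[v])
                continue;
            if (net->tier[v] < net->tier[u])
                continue;               /* blocked at v's LT port */
            seen[v] = true;
            queue[tail++] = v;
        }
    }
    return count;
}

struct risk { double mu, sigma; };

/* Newton iteration, so the block links without libm. */
double sqrt_newton(double x)
{
    if (x <= 0.0)
        return 0.0;
    double r = x;
    for (int i = 0; i < 60; i++)
        r = 0.5 * (r + x / r);
    return r;
}

/* Mean and standard deviation of the affected count (Eqs. 3.5 and 3.6)
 * for attack probabilities B[s] over all switches s. */
struct risk risk_of(const struct stp_net *net, const double *B, bool tiered)
{
    int k[MAX_SW];
    double mu = 0.0, var = 0.0;
    for (int s = 0; s < net->n; s++) {
        k[s] = affected_count(net, s, tiered);
        mu += B[s] * k[s];
    }
    for (int s = 0; s < net->n; s++)
        var += B[s] * (k[s] - mu) * (k[s] - mu);
    struct risk r = { mu, sqrt_newton(var) };
    return r;
}

bool approx_eq(double a, double b) { return a - b < 1e-9 && b - a < 1e-9; }

/* The Figure 3.6 network as reconstructed here: index 0 = SW1,1 and
 * 1 = SW1,2 (tier 1), 2 = SW2,1 and 3 = SW2,2 (tier 2). */
struct stp_net figure_3_6_net(void)
{
    struct stp_net net = { .n = 4, .tier = { 1, 1, 2, 2 } };
    add_link(&net, 0, 1);       /* M_{1,1}: the two tier-1 switches */
    add_link(&net, 0, 2);       /* M_{1,2} = identity */
    add_link(&net, 1, 3);
    add_link(&net, 2, 3);       /* M_{2,2}: the two tier-2 switches */
    return net;
}

int main(void)
{
    struct stp_net net = figure_3_6_net();
    const double B[MAX_SW] = { 0.1, 0.1, 0.4, 0.4 };   /* B_{1,1}, B_{1,2}, B_{2,1}, B_{2,2} */
    struct risk conv = risk_of(&net, B, false), prop = risk_of(&net, B, true);
    printf("conventional STP: mu=%.2f sigma=%.2f\n", conv.mu, conv.sigma);
    printf("proposed STP:     mu=%.2f sigma=%.2f\n", prop.mu, prop.sigma);
    return 0;
}
```

With the same B as above it reproduces K = 4, 4, 2, 2, μ = 2.4 and σ = 0.8 for the proposed STP, and μ = 4, σ = 0 for conventional STP; a larger topology such as Figure 3.7 is handled by adding its tiers and links and the per-case B vectors.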
Secondly, a typical topology for production networks (see [CNP]) is used to show the security enhancement of our proposed method. Figure 3.7 shows the connections of the switches under study. Five cases represent five typical security situations of networks. Case 1 represents all switches having the same
switches in tier 1 are more secure than those in tier 2. Case 3 represents a poorly designed network where switches in tier 1 are more vulnerable than those in tier 2. Case 4 represents a network where one switch in tier 1 is the most vulnerable (i.e. a single weak point in tier 1). Case 5 represents a network where one switch in tier 2 is the most vulnerable.
running our proposed STP than running conventional STP in all five cases. The $\mu$ in Cases 3 and 4 is not as good as in the other cases because the tier-1 switches are not well protected in those two cases. $\sigma$ represents how widely the number of affected switches spreads. The largest $\mu$ and $\sigma$ occur in Case 4, where one switch in the first tier has a high attack probability. This shows that the higher tier has more influence on the whole network: if one switch in a higher tier is easily attacked, the whole network is fragile. But note that even with this poor design, the value of $\mu$ (5)
when a STP network is under attack, all ports of all switches in the network will be in the STP listening state. Since all ports are in the listening state, no port is blocked in any switch and no data frame is forwarded. We further assume that the attack generates BPDUs at a fixed rate with fixed inter-arrival times, and that the bridge ids in the attacking BPDUs are random. For any switch $SW_{i,j}$ in the network, it can be
In the model, let $\lambda_{i,j,k}$ be the arrival rate of BPDUs at the $k$-th port of $SW_{i,j}$. Each input queue is the queue in which a frame waits to be received by a port. Let the service rate of each input queue be $\alpha$, with $\alpha > \lambda_{i,j,k}$ for a stable system. When a BPDU frame is received by a port, it enters the BPDU queue. In the queue, BPDUs from all $Z_{i,j}$ ports of $SW_{i,j}$ are merged. Let $\lambda_c$ be the hello BPDU arrival rate generated by the hello process. Let the service rate of the BPDU queue be $\mu$, where $\mu > \lambda_{i,j}$ for a stable system. When a BPDU leaves the BPDU queue, it is processed by the BPDU decision process. This process determines whether the BPDU should be sent to the output queues. If the root ID advertised by the BPDU is better than the known root ID, the BPDU is sent out to the output queues. Let $\beta_{i,j,k}$ be the BPDU
that the root of the spanning tree should be changed. Let the service rate of the output queues be the same as that of the input queues, i.e. $\alpha$. If port $k$ connects to another switch, $\beta_{i,j,k}$ becomes the arrival rate at the connected port of
reflects the CPU load of the switch in handling BPDUs. A high utilization means that the CPU is busy performing STP operations. We compare the utilization of these servers in all switches under our proposed method with those of the switches in
$$\rho_{i,j} = \frac{Z_{i,j}\,\lambda_c + \lambda_c}{\mu}$$ (Equation 3.7)
where $Z_{i,j}$ is the number of connected ports of $SW_{i,j}$.
Next, consider the situation in which the network running conventional spanning tree protocol is under a flood of configuration message BPDUs claiming the root role. We first need to calculate $p$. Recall that if $a$ and $b$ are integers randomly selected from the same fixed integer bounds, then $P[a > b] = P[b > a]$. Therefore, $P[\text{advertised root id of attack BPDU} > \text{known root id of switch}] = P[\text{advertised root id of attack BPDU} < \text{known root id of switch}] = p$, with
$$p = \frac{1 - 2^{-64}}{2}$$
(a bridge id, and hence a root id, is a 64-bit value, a 16-bit priority followed by a 48-bit MAC address, so the probability that the two root ids are identical is $2^{-64}$). Having obtained $p$, and with $\lambda_a$ the arrival rate of the attacking BPDUs, we have
$$\rho_{i,j} = \frac{Z_{i,j}\,(p\,\lambda_a + \lambda_c)}{\mu}$$ (Equation 3.8)
network using the proposed method is attacked, higher tiers of switches are not attacked because all the BPDUs claiming root that are sent from the lower tiers are blocked at the LT ports. With $f$ the tier of the attacked switch,
$$\rho_{i,j} = \begin{cases} \dfrac{Z_{i,j}\,\lambda_c + \lambda_c}{\mu} & i < f,\ \text{or } i \ge f \text{ and } c_j \text{ in } C_i \text{ equals } 0 \\[3mm] \dfrac{Y_{i,j}\,(p\,\lambda_a + \lambda_c)}{\mu} & i \ge f \text{ and } c_j \text{ in } C_i \text{ equals } 1 \end{cases}$$ (Equation 3.9)
where $Y_{i,j}$ is the number of unblocked ports of $SW_{i,j}$ connected to lower tiers. In Equation 3.9, the first condition represents the case in which the ports of $SW_{i,j}$ connect to switches that are not attacked. The second condition represents the case in which some ports of $SW_{i,j}$ connect to attacked switches. Figure 3.9 shows the numerical results when the network shown in Figure 3.7 is studied. We assume that the attack is launched at $SW_{2,1}$, with $\lambda_c = 0.5$ and $\mu = 100000$. The results in Figure 3.9 show that the CPU utilization $\rho$ of the switches in tier 1, and of all switches in tier 2 except the directly attacked one ($SW_{2,1}$), is significantly improved (by more than 3 orders of magnitude) when our modified STP is used. Note that no improvement can
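A worked instance of Equations 3.8 and 3.9, added here and not taken from the thesis (the attack rate $\lambda_a$ and the port count $Z_{1,1}$ are assumed):
$$\lambda_c = 0.5,\quad \mu = 100000,\quad \lambda_a = 1000 \text{ attack BPDUs per second},\quad Z_{1,1} = 3,\quad p \approx \tfrac{1}{2}$$
Conventional STP (Equation 3.8), tier-1 switch $SW_{1,1}$:
$$\rho_{1,1} = \frac{3\,(0.5 \cdot 1000 + 0.5)}{100000} \approx 1.5 \times 10^{-2}$$
Proposed STP with the attack at tier $f = 2$, so $i = 1 < f$ (first branch of Equation 3.9):
$$\rho_{1,1} = \frac{3 \cdot 0.5 + 0.5}{100000} = 2 \times 10^{-5}$$
The ratio is about 750. With $\lambda_a = 10^4$ the conventional value rises to about $0.15$ while the proposed value is unchanged, a ratio above $7 \times 10^3$, which is the "more than 3 orders of magnitude" of Figure 3.9. The gain comes entirely from $\lambda_a$ dropping out of the tier-1 expression: the attacking BPDUs are discarded at the LT port before they reach the BPDU queue.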
Configuration Message BPDU with TC flag on” attack discussed in the next section), a slightly modified model, shown in Figure 3.10, is used. In this model, a stable
Let $\omega_{i,j,k}$ be the arrival rate of topology change notification (TCN) BPDUs at the $k$-th port of $SW_{i,j}$. In each input queue, a TCN decision process is introduced in our proposed method to control the rate of received TCN BPDUs. A rate limit, $\xi$, is set in this process. If $\omega_{i,j,k} > \xi$, the extra frames are dropped. Note that this TCN decision process is not found in conventional STP. Let $\omega_{i,j}$ be the arrival rate of TCNs at the BPDU queue, $\omega_{i,j} = \sum_k \omega_{i,j,k}$. Let $\omega_c$ be the rate of TCN generation by $SW_{i,j}$ itself, and $\omega_a$ the rate of attacking TCNs generated. According to the principle of TCN operation, when a switch needs to signal a topology change it starts sending TCNs on its root port. Let the $h$-th port be the root port of $SW_{i,j}$, and $\beta_{i,j,h} = \omega_{i,j} + \omega_c$. For other ports $k \neq h$, $\beta_{i,j,k} = 0$. Also let switch $SW_{f,g}$ be the switch being attacked.
When the network running conventional spanning tree protocol is under a flood of
$\rho_{i,j} =$ ……. (Equation 3.10)
on. Similarly, the $\rho_{i,j}$ when our proposed method is used can also be obtained. Because all the BPDUs claiming root from the lower tiers are blocked:
$$\rho_{i,j} = \begin{cases} \dfrac{\omega_a + \omega_{i,j} + \omega_c}{\mu} & \text{if } SW_{i,j} \text{ is on the route of switches from } SW_{f,g} \text{ to the root of the network} \\[3mm] \dfrac{\omega_{i,j} + \omega_c}{\mu} & \text{otherwise} \end{cases}$$ (Equation 3.11)
Figure 3.11 shows the numerical results when the network shown in Figure 3.7 is studied. We assume $SW_{1,1}$ is the root and $SW_{2,1}$ is the directly attacked switch. We
As shown, the CPU utilization of the switches in tier 1 when the modified STP is used is smaller than that with conventional STP by more than 8 orders of magnitude at most attack rates. $\rho$ stays at a very low value, which shows that the effect of the attack does not spread to the higher tier along the route from the attacker to the root.
attack. Here let $\omega_{i,j,k}$ be the arrival rate of configuration message BPDUs with the TC flag on at the $k$-th port of $SW_{i,j}$. When the network running
……….. (Equation 3.12)
Similarly, $\rho_{i,j}$ when our proposed method is used can be obtained as:
$$\rho_{i,j} = \begin{cases} \dfrac{\omega_a + \omega_{i,j}}{\mu} & \text{if } SW_{i,j} \text{ is on the route of switches from } SW_{f,g} \text{ to the root of the network and } i > g \\[3mm] \dfrac{\omega_{i,j}}{\mu} & \text{otherwise} \end{cases}$$ (Equation 3.13)
Figure 3.12 shows the numerical results when the network shown in Figure 3.7 is studied. We assume $SW_{1,1}$ is the root and $SW_{2,1}$ is attacked directly. We also
several tiers. This protocol works well because it is designed to remove the fundamental pitfalls of conventional STP. The implementation shows that the new protocol is workable, and the results of the performance evaluation show that it can significantly enhance the security of a STP network. Further research includes extending the proposed protocol to other network situations, such as metropolitan Ethernet networks.
Chapter 4
Switch operations and the Spanning Tree Protocol (STP). It then gives a brief analysis of the Linux STP implementation and the bridge configuration tools. The aim of the analysis is to lay a foundation for the later discussion of how novel switching devices can be developed based on the bridging code. To facilitate the discussion, a new kind of Ethernet switch (with modified STP operations) proposed by the authors is used as
switching devices. Experiments on the newly developed switches are also reported. The results show that these new switches can provide better security for STP networks. At the end of the chapter, how to port the design to
processors running Linux are also designed by many manufacturers. For example, the Linksys broadband router with a Linux-based OS is well accepted by the market.
commercial Ethernet switch (Catalyst 2950) on a single port basis, when the Linux CPU occupancy is below 56%. All these show the competitive power of Linux.
particularly true for network research. There are not many books that discuss Linux network internals (e.g. [WRB05]). Discussion of how Linux network code can be used in research projects is also rare in the literature. This motivates the writing of this chapter, which clearly shows how Linux networking code can be used
A bridge or switch is a device that operates at the data link layer. It connects two or
forwarded based on Ethernet addresses rather than IP addresses. A bridge reads the source MAC address of each received frame and records the port on which that address was seen. This process is called learning: the bridge learns which addresses belong to the devices connected to each port. This forwarding
entries in the table up to date, each entry has a time stamp. When the activity time of an entry expires, the entry is deleted. The activity time is refreshed each time the bridge receives a frame from a MAC address it has previously learned. If a frame with a previously unknown source address arrives, the bridge adds it to the forwarding table and initializes its activity time. The main purpose of the
received with a destination address that can be found in the forwarding table, the bridge sends the frame out of the port associated with that address. Otherwise, the bridge floods a copy of the frame to all ports except the one on which it was received.
Transparent bridging is an easy way to merge LANs, but it can be used
called a broadcast storm will appear. This problem immediately brings a network down. The algorithm used by bridges to find a loop-free topology is the Spanning Tree
When STP is running, each bridge is identified by a unique bridge id. A special type of frame called a Bridge Protocol Data Unit (BPDU) is then exchanged between the bridges. Through the exchange of BPDUs, the bridges complete the following tasks:
• Elect a single bridge, the one with the lowest bridge id in the LANs, to be the root bridge.
• Calculate the shortest path from every other bridge to the root bridge.
• Elect a designated bridge for each segment, which is the bridge in that segment having the lowest root path cost to the root bridge. The designated bridge forwards frames from that segment toward the root bridge.
• For each bridge, choose a root port that has the shortest path to the root bridge.
• Select the ports to be included in the spanning tree, and block the other ports to prevent loops.
Usually the source code of the bridge module can be found under the directory
For further details on how the bridge is implemented in Linux, please refer to reference [Ben05].
accepted on any enabled port. Figure 4.1 shows the key routines in processing BPDUs. br_stp_bpdu.c and br_stp.c are the two main C files implementing the operations of STP. br_stp_bpdu.c takes care of BPDUs received from br_input.c and sends the
dev.c. On the other hand, br_stp.c generates BPDUs according to the STP algorithm. Due to limited space, we only discuss the main STP functions. The details
Figure 4.1 Key routines in processing BPDUs (br_stp_bpdu.c, br_stp.c, dev.c): br_stp_handle_bpdu (with its net_bridge_port *p argument) dispatches to br_received_config_bpdu or br_received_tcn_bpdu; br_reply, br_config_bpdu_generation and br_topology_change_acknowledge lead to br_transmit_config, which calls br_send_bpdu and finally dev_queue_xmit in dev.c.
br_stp_handle_bpdu:
This function checks whether the header of an inbound frame matches STP. If not, the frame is dropped. If the frame is a configuration message BPDU, br_received_config_bpdu is called; for a TCN BPDU, br_received_tcn_bpdu is invoked instead.
br_received_config_bpdu
This function checks whether the bridge itself is the root bridge. When a new
the root ports and designated ports. This action may cause the information structures of the bridge and its ports to change. Subsequently, the state of each port is recomputed. The hello timer is stopped if the bridge was the root bridge before the new
If the input port was marked as the root port, then the timeout values of the
then br_reply is invoked, provided that the input port is the designated port. This
br_config_bpdu_generation
br_root_selection
will be called if the received BPDU has a lower bridge id than the current root id.
br_designated_port_selection
will be called if the BPDU arriving on this port is better than the BPDU stored in
br_reply
It calls br_transmit_config.
br_transmit_config
The corresponding values are filled into a new BPDU from the net_bridge structure,
br_received_tcn_bpdu
If the port that received the TCN BPDU is a designated port, then br_topology_change_detection is invoked. br_topology_change_acknowledge is used to send a configuration message with the topology_change_ack field set over
br_topology_change_detection
If the bridge is the root of the tree topology, then the topology_change field in the net_bridge structure is set to one and the topology_change timer is started. Unless a topology change has already been detected, all other bridges use br_transmit_tcn to send a TCN BPDU over their root port and start their TCN timer. Finally, it is marked that a topology change was detected, to limit the number of
br_topology_change_acknowledged:
The topology change marking is reset, and the TCN timer is stopped. This
the Linux kernel. The implementation of brctl consists of three C files. The first is brctl_cmd.c, which defines the syntax of the brctl command. The second is libbridge_if.c, which includes the functions for adding or deleting a bridge. The third is libbridge_devif.c, which has functions to change the values of a bridge's ports, the cost of
first proposed in [Yeu05]. The reason for the partitioning is to protect the network infrastructure from being attacked by the computers connected to the lower tier network. As shown in Figure 4.2, a STP network is partitioned into two switched networks. New boundary switches [YFL06] running modified STP operations are designed and used to connect the two networks together. These boundary switches also run STP, and cooperate with the switches in both the NI and NNI networks to prevent loops in the whole NI and NNI network. However, the boundary switches perform additional functions compared with ordinary switches. First, they make the switches in the NNI network unaware of the STP details of the NI network. These details include STP information like root ID and costs, and topology changes in the
the NNI network. Note that with such boundary switches, the NI network can be protected from STP attacks launched from the NNI network. On the other hand, new switches can freely be added to both networks. This follows the design spirit of STP.
In each boundary switch, there are two kinds of ports: NI ports that connect to the NI network, and NNI ports that connect to the NNI network. There is only one root for both networks, and it is always located inside the NI network. BPDU messages are sent from the root and eventually received by the NI ports of each boundary switch. On the NI side, the boundary switch behaves exactly like an ordinary switch. On the NNI side, however, the STP operation is modified. When BPDU messages received from the NI ports are ready to be passed to the NNI ports, the boundary switch performs two modifications on them: 1) the root ID is replaced by a constant value, Pseudo_root ID, which is what is advertised to the switches in the NNI network (the Pseudo_root ID value, however, must be the same for all boundary switches); and 2) the root path cost is reset to another constant value called Pseudo_root_path_cost. In doing this, the boundary switches give a consistent but virtual view to the switches in the NNI network: the root of the STP network has a root ID of Pseudo_root ID and the path cost from the boundary
network from being affected by the NNI network, the boundary switches only accept switches with an ID worse than Pseudo_root ID being connected to the NNI ports. When BPDUs with invalid root IDs (i.e. smaller than Pseudo_root ID) are received by the boundary switches on the NNI ports, those ports are blocked. Note that all the switches in the NI network should also be set with an ID lower than Pseudo_root ID. The real root will then always be elected from the NI network, but
In the following, we discuss how the boundary switches discussed above can be
chapter to discuss why network partitioning with boundary switches can protect the NI. Readers are referred to [6] for a detailed discussion of the design with complete
having two or more Ethernet interfaces. Then, the following steps should be taken to customize the bridging code. We use the Redhat distribution with kernel version 2.6.10 as an example.
/linux. We make a soft link so that future references to the path are easier:
ln -s /usr/src/redhat/BUILD/kernel-2.6.10/linux /root/dir-linux
Step 2. Configure the kernel and make a first compilation. This step makes sure that the downloaded kernel source can be configured and compiled without problems:
cd /root/dir-linux
make xconfig
make
make modules_install
cd /root/dir-linux
make
modprobe bridge
modifications to the bridging code. First, a new field kind, which can be 0 or 1 (0 stands for an NI port and 1 for an NNI port), is added to struct net_bridge_port. Second, we need to make the bridge handle incoming BPDUs properly. The
without any topology change information), then the kind of the port is checked. If the BPDU comes from an NI port, or from an NNI port and its root_id is larger than 0x2710, all operations are the same as the original (Listing 4.1-2). If the BPDU comes from an NNI port and its root_id is smaller than 0x2710, the port is blocked (Listing 4.1-3). (The constant 0x2710 is 10000 decimal; since a Linux bridge id is a 2-byte priority followed by the 6-byte MAC address, the comparison must be on the priority field, so every NI switch needs a bridge priority below 10000 and every NNI switch one above it.) If the value of buf[0] is BPDU_TYPE_TCN, meaning that a topology change has occurred, the port kind and root_id are checked too. Only if the BPDU comes from an NI port, or from an NNI port with root_id larger than 0x2710, is it accepted (Listing 4.1-4).
Third, modifications must be made to BPDUs being sent out of NNI ports. This
4.1, br_transmit_config is found to be the last procedure before BPDUs are sent. In the process of transmitting BPDUs, if the BPDUs are sent through an NNI port, the
bridge's own bridge address, and the cost is set to 0. (This bridge is not a root
the NI port, all operations are the same as the original (Listing 4.2-2).
brctl_cmd.c. Listing 4.3 and Listing 4.4 show how to create a new command in brctl.
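Rule (6) from section 3.2 and the Listing 4.1/4.2 changes described above, in one piece, as an added example that is not the thesis's kernel code. It is a user-space model of a switch with HT and LT ports (the NI and NNI ports of the boundary switch): the receive path blocks an LT port when a BPDU beats the pseudo root vector, the transmit path substitutes $PRid_i$ and $PRcost_i$ on LT ports, and a TCN decision process rate-limits TCNs on LT ports. The 64-bit bridge id layout (16-bit priority, 48-bit MAC) is the 802.1D one; the configurable pseudo root id and cost follow section 3.2 rather than the chapter 4 prototype, which used the boundary bridge's own address, a cost of 0 and the fixed 0x2710 priority threshold. Structure and function names are the example's own, not those of the Linux bridge module.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* HT ports run unmodified 802.1D; LT ports (the NNI ports of the chapter 4
 * boundary switch) run rule (6). */
enum port_kind { PORT_HT, PORT_LT };

/* 802.1D bridge id: 16-bit priority followed by 48-bit MAC, compared as one
 * 64-bit unsigned integer, lower wins. A root id is a bridge id. */
typedef uint64_t bridge_id_t;
static bridge_id_t make_bridge_id(uint16_t prio, uint64_t mac48) { return ((uint64_t)prio << 48) | (mac48 & 0xFFFFFFFFFFFFULL); }

/* Configuration BPDU fields that matter here: root id, root path cost, sender. */
struct config_bpdu { bridge_id_t root_id; uint32_t root_path_cost; bridge_id_t bridge_id; };

struct port {
    enum port_kind kind;
    bool     blocked;
    uint32_t path_cost;            /* added to the cost of a root learned here */
    uint32_t tcn_limit;            /* xi: TCNs accepted per window on an LT port */
    uint32_t tcn_window, tcn_seen; /* window of the last TCN, TCNs taken in it */
};

struct tiered_switch {
    bridge_id_t bridge_id;
    bridge_id_t root_id;           /* real root, learned on HT ports only */
    uint32_t    root_path_cost;
    bridge_id_t pseudo_root_id;    /* PRid_i, identical across the tier */
    uint32_t    pseudo_root_cost;  /* PRcost_i */
};

enum verdict { BPDU_IGNORED, BPDU_UPDATED_ROOT, PORT_BLOCKED };

/* 802.1D priority vector comparison reduced to (root id, root path cost). */
static bool better_than(bridge_id_t r1, uint32_t c1, bridge_id_t r2, uint32_t c2) { return r1 < r2 || (r1 == r2 && c1 < c2); }

/* Receive side. Rule (6): everything below an LT port was told the root is
 * PRid_i at cost PRcost_i, so a BPDU arriving there that beats that vector
 * cannot be legitimate: block the port instead of re-running the election.
 * HT ports keep plain 802.1D root selection. */
enum verdict handle_config_bpdu(struct tiered_switch *sw, struct port *p,
                                const struct config_bpdu *b)
{
    if (p->blocked)
        return BPDU_IGNORED;
    if (p->kind == PORT_LT) {
        if (!better_than(b->root_id, b->root_path_cost,
                         sw->pseudo_root_id, sw->pseudo_root_cost))
            return BPDU_IGNORED;   /* inferior: stay designated, answer with ours */
        p->blocked = true;
        return PORT_BLOCKED;
    }
    if (!better_than(b->root_id, b->root_path_cost + p->path_cost,
                     sw->root_id, sw->root_path_cost))
        return BPDU_IGNORED;
    sw->root_id = b->root_id;
    sw->root_path_cost = b->root_path_cost + p->path_cost;
    return BPDU_UPDATED_ROOT;
}

/* Transmit side (the br_transmit_config counterpart): an LT port never
 * carries the real root id or path cost. */
struct config_bpdu build_config_bpdu(const struct tiered_switch *sw, const struct port *p)
{
    bool lt = p->kind == PORT_LT;
    struct config_bpdu out = { lt ? sw->pseudo_root_id : sw->root_id,
                               lt ? sw->pseudo_root_cost : sw->root_path_cost,
                               sw->bridge_id };
    return out;
}

/* TCN decision process: an LT port passes at most tcn_limit TCNs per window
 * to the BPDU queue and drops the rest; HT ports are not limited. */
bool accept_tcn(struct port *p, uint32_t window)
{
    if (p->blocked) return false;
    if (p->kind == PORT_HT) return true;
    if (window != p->tcn_window) { p->tcn_window = window; p->tcn_seen = 0; }
    if (p->tcn_seen >= p->tcn_limit) return false;
    p->tcn_seen++;
    return true;
}

int main(void)
{
    /* Constructed tier-1 switch; its real root is another tier-1 switch. */
    struct tiered_switch sw = { make_bridge_id(0x2000, 0xBB), make_bridge_id(0x1000, 0xAA), 19,
                                make_bridge_id(0x2710, 0x01), 10 };
    struct port lt = { .kind = PORT_LT, .path_cost = 19, .tcn_limit = 2 };
    /* Constructed root role claim with priority 0 arriving on the LT port. */
    struct config_bpdu attack = { make_bridge_id(0, 0x01), 0, make_bridge_id(0, 0x01) };
    printf("LT root claim: %s\n", handle_config_bpdu(&sw, &lt, &attack) == PORT_BLOCKED
                                  ? "port blocked" : "accepted");
    struct config_bpdu out = build_config_bpdu(&sw, &lt);
    printf("LT port advertises root %016llx at cost %u\n",
           (unsigned long long)out.root_id, out.root_path_cost);
    return 0;
}
```

Comparing against the full (root id, cost) vector rather than the root id alone also catches a lower-tier switch that keeps the pseudo root id but claims a cost below $PRcost_i$, which is the "information trying to change the current topology" that rule (6) is meant to detect; the chapter 4 prototype's root_id smaller than 0x2710 test is the subset of that check that stops root role claiming.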
properly in a STP network. After that, we run two experiments to verify the modified
STP operations.
Experiment A is run to prove that when the boundary bridge receives BPDU from
NNI network which includes lower root_id than the Pseudo_root ID, this port will be
blocked.
64
This can be done by setting up four bridges as shown in Figure 4.3. As shown,
has been set as root with the lowest bridge_id in the whole network. Then we change the
bridge priority of bridge 1d. In the original STP process, bridge 1d would be elected
as the new root. This is not the case in our experiment, however, because bridge 1b has been
As shown in Figure 4.4, bridge 1b successfully protects the NI by blocking the two
ports connected to the NNI network. It is also observed that the root of the NI does
not change (eth3 is blocked because bridge 1d generates BPDUs with a lower root_id;
eth0 is blocked because bridge 1c receives the new BPDU with the lower root_id from
bridge 1d, updates its own BPDU accordingly and sends it to bridge 1b).
Experiment B is carried out to show that when the topology changes in the NI
network, bridges in the NNI network do not detect any change. Four bridges are used in
router, see section IV below) works as a boundary switch separating the NI network and
the NNI network. Bridge 2a has been set as root with the lowest bridge_id in the whole
network. After that the bridge_prio of bridge 2b is changed to make it the new root of
the NI. The change, however, is not noticed by bridge 2d in the NNI network: the
root_id recognized by bridge 2d is still the bridge id of the boundary switch (bridge
2c's bridge id) instead of the
the design, we first have to select the desired platform. There are many single-board
products that are mainly targeted at networking projects. Besides single-board
computers, commercial broadband routers from vendors like Asus and Linksys are
also very suitable for developing networking devices, because broadband routers
usually have the multiple network interfaces that networking products need. In the
project discussed in this chapter, we have used the Linksys
The Linksys WRT54G is a commonly used product based on the Linux kernel. In our project,
with 4MB flash and 16MB RAM. The BCM5352 supports 802.1Q VLAN, which
It is noticeable that, starting from version 5.0, the WRT54G runs a non-Linux OS, VxWorks, which
To use the code discussed in section 4.3 on a WRT54G broadband router, we need
to do is to select a suitable Linux image. HyperWrt is the first option [WHW]. More
functions are added to the broadband router when HyperWrt is run, and it has a
graphical web interface similar to the official one. But it is not easy for
written based on the Linksys source code, and only limited information about the code is
controls for bandwidth allocation. Since wireless development is not the focus of this
project, DD-WRT is also not suitable for us. The one we choose is OpenWrt [WOW].
It provides a useful tool, OpenWrt Buildroot, for developers to build new firmware.
The usage and compilation of OpenWrt can be found on its official website. The most
difficult part of changing the code in the OpenWrt source tree is to find all
and modify all copies of the same header file to make sure the compilation succeeds.
the same port kind, i.e. either NI or NNI. Usually they are set as NNI ports and the
WAN port of the router is set as the NI port. We have successfully modified the bridging
code of a WRT54G router and tested it in an STP network. We verified its STP
operations and made it function as a boundary switch. More experimental results on the
modified WRT54G can be found in [YFL06]. The results show that it really helps to
Linux bridge to support research work on new networking devices. We have
shown in this chapter how this can be done in practice, using a novel kind of
Ethernet switch as an example. These switches on the one hand participate in the STP
operations of a Layer 2 network; on the other hand they partition the network into
two tiers so as to protect the higher-tier network infrastructure. As shown by the
results, the Linux bridging code is well suited to supporting such research work. The
author hopes that this chapter can give useful information for future
Chapter 5
with congested links. Links with finite buffers and retention of the attacked node are
used to model a router under DDoS attack. The results show that the robustness of the
network depends more on the number of attackers than on the degree of the victim.
networks, such as the Internet, the World Wide Web, social connections and electrical
reactions [ZX04][GKK01].
networks under DDoS attack is also not well studied. Although some complex
network studies address the robustness of complex networks [HK02], how a
DDoS attack affects congestion has not yet been investigated. It is the purpose of this
chapter to investigate such dynamic behaviour. Unlike previous studies of attacks
on complex networks, this chapter does not assume that attacked nodes are removed
(as in [GCABH05, CEAH00, XXC08]). This is because an attacked node usually
does not break down even when it is heavily congested.
In previous studies, researchers usually use nodes with infinite buffers and links
without buffers to model the Internet. Congestion is then observed as the number
of nodes with a certain queue length in their buffers. However, in real routing nodes
(see [SWM07]), congestion happens on the links, and the buffer size of each link is finite
due to physical constraints. To better reflect real situations, nodes with finite
link buffers (of size denoted by L) are used to study how a DDoS attack affects the
presented for L=5. Other choices of L do not change the qualitative
behaviour of the results shown below. This is because Rc, the maximum value of the packet
(BA) scale-free network [AJB00]. Here we use the BA scale-free network model to build
distribution of many real networks, as it has two elements common to real networks:
growth and preferential attachment [BA99]. The network begins with m0 nodes.
New nodes are added to the network one at a time. Each new node is connected to m
of the existing nodes, choosing existing node $i$ with a probability $p_i$ proportional to the
number of links it already has, $p_i = k_i / \sum_j k_j$, where $k_i$ is the degree of node $i$.
Heavily linked nodes ("hubs") tend to accumulate even more links quickly, while
nodes with only a few links are unlikely to be chosen as the endpoint of a new link:
new nodes have a "preference" to attach themselves to the already heavily linked
nodes. In the present network, the total network size N is 1000 and the parameters are
which follows a power law $P(k) \sim k^{-\gamma}$ with exponent $\gamma = 3$ in the large-degree
limit.
Each node in the present network plays the roles of both host and router at the same
time. The connection between nodes is full duplex, i.e., two directed links exist between
any pair of connected nodes. Considering the finite buffer of each link, we define a link as
congested if its buffer is fully occupied by packets. The normal background traffic in
time step, the probability for node i to generate a packet is R. The destination of the
generated packet is chosen uniformly at random from the other N-1 nodes in the network.
Each newly inserted packet is placed at the end of the queue of the link towards its
destination. If the buffer of this link is full, the packet is discarded, i.e. no new packet
is generated at that node. The packets in a link buffer are transmitted first come, first
served. We assume that all links have the same bandwidth: one packet is sent every
time step. All packets are routed along shortest paths. It is found that
almost 90% of packets are transmitted along the shortest path from source to destination in
Besides the background traffic, a DDoS attack is modelled on the network. Natt
nodes are chosen randomly as attackers to attack one victim. The selection of the victim
will be discussed in detail in the next section. When a node is attacked, we do not
remove the node or any of its links from the network; we leave its links congested. This
differs from the traditional treatment in complex-network studies but is more suitable
for real networks: when a router is under attack, it is not removed.
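The model described above (BA growth, full-duplex links with finite FIFO buffers, one packet per link per time step, shortest-path routing, background rate R, Natt attackers flooding one victim) is implemented below as an added example; it is not the simulation code used for the thesis. Assumptions the text does not fix: the m0 seed nodes are fully connected, each attacker injects one packet per time step, a forwarded packet that meets a full buffer is dropped just like a newly generated one, the victim is the node whose degree is closest to a requested value, and the network is reduced to N=200 so the script runs in seconds. All function names and the fixed random seed are mine.

```python
import random
from collections import deque


def build_ba_network(n, m0, m, rng):
    """Barabasi-Albert growth: start from m0 seed nodes (assumed fully connected) and attach
    each new node to m distinct existing nodes chosen with probability proportional to degree."""
    assert m <= m0
    adj = [set() for _ in range(n)]
    for i in range(m0):
        for j in range(i + 1, m0):
            adj[i].add(j)
            adj[j].add(i)
    # every node appears once per link end, so rng.choice(targets) is degree-weighted
    targets = [v for v in range(m0) for _ in range(len(adj[v]))]
    for new in range(m0, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(targets))
        for v in chosen:
            adj[new].add(v)
            adj[v].add(new)
            targets += [new, v]
    return adj


def next_hop_table(adj):
    """nxt[u][d] is the neighbour of u on a shortest path to d (one BFS per destination)."""
    n = len(adj)
    nxt = [[-1] * n for _ in range(n)]
    for d in range(n):
        parent = [-1] * n
        parent[d] = d
        queue = deque([d])
        while queue:
            u = queue.popleft()
            for w in adj[u]:
                if parent[w] == -1:
                    parent[w] = u
                    queue.append(w)
        for u in range(n):
            nxt[u][d] = parent[u]
    return nxt


def simulate(adj, nxt, steps, rate, buf_len, attackers, victim, rng):
    """Return the number of congested links (buffer full) after each time step.
    Each directed link is a FIFO of at most buf_len packets (a packet is its destination id)
    that forwards one packet per step; a packet that meets a full buffer is dropped."""
    n = len(adj)
    links = {(u, w): deque() for u in range(n) for w in adj[u]}

    def enqueue(u, dst):
        q = links[(u, nxt[u][dst])]
        if len(q) < buf_len:
            q.append(dst)

    series = []
    for _ in range(steps):
        # forwarding: pop one packet from every non-empty link, then re-enqueue at the
        # receiving node (two passes, so a packet moves at most one hop per step)
        moved = [(w, q.popleft()) for (u, w), q in links.items() if q]
        for w, dst in moved:
            if w != dst:            # packets that reach their destination leave the network
                enqueue(w, dst)
        # background traffic: each node generates a packet with probability rate
        for u in range(n):
            if rng.random() < rate:
                dst = rng.randrange(n - 1)
                enqueue(u, dst + 1 if dst >= u else dst)
        # attack: every attacker injects one packet per step addressed to the victim (assumption)
        for a in attackers:
            enqueue(a, victim)
        series.append(sum(1 for q in links.values() if len(q) >= buf_len))
    return series


def run_experiment(n=200, m0=3, m=3, rate=0.005, buf_len=5, natt=10,
                   victim_degree=3, steps=150, seed=1):
    """Build the network, pick the victim closest to victim_degree and natt random
    attackers (never the victim), and return the congestion series with some bookkeeping."""
    rng = random.Random(seed)
    adj = build_ba_network(n, m0, m, rng)
    nxt = next_hop_table(adj)
    victim = min(range(n), key=lambda v: abs(len(adj[v]) - victim_degree))
    attackers = rng.sample([u for u in range(n) if u != victim], natt)
    series = simulate(adj, nxt, steps, rate, buf_len, attackers, victim, rng)
    return {"series": series, "victim_degree": len(adj[victim]),
            "directed_links": sum(len(a) for a in adj)}


if __name__ == "__main__":
    for natt in (1, 10, 30):
        r = run_experiment(natt=natt)
        print(f"Natt={natt:2d} victim degree={r['victim_degree']} "
              f"congested links at t=20/150: {r['series'][19]}/{r['series'][-1]}")
```

In this model the mechanism behind a permanently congested link is easy to read off: every attacker flow delivers one packet per step, so as soon as more attacker flows converge on a link than it can drain (one packet per step), that buffer fills within L steps and stays full, and this happens whenever Natt exceeds the victim's degree, whatever that degree is. Varying victim_degree and natt in run_experiment lets the reader reproduce the qualitative comparisons of the following sections at small scale.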
congested links and the number of attack nodes, denoted Natt, over a certain period of
time. The number of congested links, to some extent, measures the congestion of the
network, while the number of attack nodes represents the severity of the attack. The
links connecting all pairs of nodes. The natural expectation is that the more attack
congestion in the network without attack, the probability that a node generates a packet
in each time step should not exceed 0.005 (R <= 0.005). Here we use the maximum
value R = 0.005 while the victim nodes are chosen randomly. In Figure 5.1, we show
eight typical time series of the number of congested links under different
In Figure 5.1-a), we show the number of congested links versus the time step. The
different lines indicate different numbers of attack nodes (Natt = 1, 3, 4, 5, 6, 10, 20, 30).
From Figure 5.1-a), we can see that all eight lines reach a similar congestion level
after 500 time steps. This shows that one attack node and multiple attack nodes have
the same effect on the network after this point. This finding indicates that DoS and
DDoS attacks cause the same level of congestion in the network.
Figure 5.1a) and Figure 5.1b)
Figure 5.1 Time evolution of the congested links in BA scale-free networks of size
N=1000 with m0 = m = 3, R=0.005, victim degree 6, number of attackers Natt = 1, 3, 4,
5, 6, 10, 20 and 30. a) 3000 time steps, b) 500 time steps.
Although all eight lines are close in the later period of the experiment (after 500 time
steps), there is an obvious difference among the lines in the first 200 time steps. So we
focus on the data in the first 500 time steps (see Figure 5.1-b). The lines in Figure 5.1-b)
groups, the numbers of congested links are similar at the same time step. It indicates
that there exists a threshold on the minimum number of attack nodes such that the
Figure 5.2a) and Figure 5.2b)
Figure 5.2 Time evolution of the congested links in BA scale-free networks of size
N=1000 with m0 = m = 3, R=0.005, Natt = 10, victim degree 3, 6, 24 and 124.
a) 3000 time steps, b) 20 time steps.
To study the relation between the number of congested links and the degree of the
victim node, we try four different victim degrees while keeping the scale-free network
(m = m0), the probability that a node generates a packet in each time step (R) and the
number of attack nodes (Natt) unchanged. In Figure 5.2, the scale-free network shows a
similar behaviour in the number of congested links given that the victim
In Figure 5.2-a), we show the number of congested links versus the time step. The
different lines show different degrees of the victim node (victim degree = 3, 6, 24, 124).
From Figure 5.2-a), we can see that all four lines reach a similar congestion level
after 100 time steps. This shows that the trend of network congestion is similar whether
the degree of the victim is high or low. It clearly shows that choosing the nodes with the
highest degree is not an efficient way to attack the BA scale-free network.
Although all four lines are close in the later period of the experiment (after 100 time
steps), at the beginning the number of congested links varies with the degree of the
victim node. In the first 20 time steps, the lower the degree of the victim, the larger the
number of congested links. This result is contrary to our expectation. Victim nodes with
high degree possess more links to the rest of the network and shorten the paths from the
other nodes. When the 10 attackers launch their attack, their packets reach a high-degree
victim faster than a low-degree one; in other words, at the same time more packets have
been removed from the network (delivered to the victim) and fewer packets are left in it.
Because of this different perspective, the result differs from that of a similar work [10],
which focuses on the traffic sent from neighbours only.
From the simulation, it is found that the robustness of the network depends more on the
number of attackers than on the degree of the victim. The scale-free network is vulnerable
to DDoS attack because the number of congested links increases quickly once the attack is
launched. Two new modelling choices, links with finite buffers and retention of the
attacked node, make the model of the router and of the DDoS attack more realistic. An
interesting area for future studies is a solution to
Chapter 6
Chapter Summary - This chapter summarises the thesis and presents future work arising
from this research.
6.1 Summary
This thesis studies the STP security issue and investigates the impact of DDoS
The essence of the approach is to hide the STP information of the higher tiers from the
lower tiers closer to the end users. Based on the idea of partitioning, we designed a new
kind of Ethernet boundary switch. These switches, running the enhanced STP, are installed
between the higher and lower tiers. They modify the STP information coming from the
higher tiers and check the STP information coming from the lower tiers in order to defend
against all attacks
switches based on the Linux system were tested in several experiments. These
experiments were run to verify the design and to study the switches' performance.
The experimental results show that the security of the STP network is enhanced. The
implementation itself shows that the bridge module in Linux can serve as a tool for
studying switching networks.
the switches' operations theoretically. The results show that the enhanced STP reduces
the number of affected switches under non-DoS STP attacks. For DoS STP attacks, it
by the attacks. A scale-free network was created to simulate the effect of congestion
under DDoS attack. The results show that the scale-free network is vulnerable to
DDoS attack and that its robustness depends more on the number of attackers than on
the degree of the victim node. The results imply that protecting or attacking the node
with the highest degree may not be an efficient way to defend or
Following the development of STP variants, we may extend the modified STP from
single STP to rapid and multiple STP. The modified STP may be used not only in
wired local area networks but also in wireless networks or metropolitan area
networks. Since no open-source implementations of rapid or multiple STP exist yet, we
could implement these modules on the Linux system first. On the analysis of the modified
time. A short convergence time implies high efficiency in recovery. More modification
On DDoS attacks:
may extend the method to other network models, such as small-world networks or
performance under DDoS attacks, we may design algorithms to defend against DDoS
attacks in complex networks. As current solutions have only been developed for
computer networks, we can test them in complex networks or design new
solutions.
References
[AG02] A. Chakrabarti and G. Manimaran, “Secure Link State Routing
2002.
2000.
2005.
Feb. 1997.
2000.
http://www.cisco.com/warp/public/473/65.html.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a0080094640.shtml.
http://www.cisco.com/en/US/tech/tk389/tk621/technologies_tech_note09186a00800ae96b.shtml.
87:278701, 2001.
[GMa88] G. Malkin, “RIP Version 2,” RFC 2453, Nov. 1998. RFC 1058, June
1988.
[Gmm03] Guillermo Mario Marro, Attacks at the Data Link Layer, MSc thesis,
http://www.ieee802.org/1/pages/802.1D.html.
gov/omb/pdf/Homeland-06.pdf.
July 2001.
66,046137, 2002.
[Wan99] F. Wang et al., “Intrusion Detection for Link State Routing Protocol
694–99,1999.
[WDW] www.dd-wrt.com
[WHW] www.hyperwrt.org
[WOW] www.openwrt.org
[WRB] www.routerboard.com
[WRB05] Klaus Wehrle, Frank Pählke, Hartmut Ritter, Daniel Müller, Marc
[YER] http://yersinia.sourceforge.net/
August 2006.
Kentucky, 2004.
Appendix
During the study period, a survey on vehicular networks was carried out. The