Technology Of OSPF Topology Discovery And Abnormity Detection

Intra-domain routing system is an important part of the Internet, which is used to exchange NLRI(Network Layer Reachable Information) in an AS (Autonomous System). OSPF(Open Shortest Path First), the most widely used intra-domain routing protocol, is deployed in MAN(Metropolitan Area Network) and LAN(Local Area Network) popularly. So monitoring on OSPF will be helpful for network operators to manage and maintain intra-domain routing system. However, the OSPF is difficult to be monitored for the complexity of its operation. Thus, how to manage and monitor the OSPF routing more effectively has become a hot issue.In this paper, according to the actual needs, we design and implement an OSPF routing monitor system which has three functions, including construction of topology, abnormity detecting and attack detecting, on the basis of a detailed analysis of the OSPF protocol.Regarding construction of topology, the key point is data collection and arrangement of topology presentation. The system can build topology with the OSPF packets captured in the network or the OSPF data stored in the router database, and deploy routers based on the hierarchy principle of OSPF and the ratio of each area'routers.Regarding abnormity detecting, the most important factor is how to analyze various types of LSA(Link State Advertisement). The system adopts a passive mechanism to monitor the changes of LSAs. In this way, abnormity information can be gathered easily from the system deployed between two routers in the OSPF network.For attack detecting, the analysis of the OSPF packet changes after attack is crucial. The system can detect some typical OSPF attacks, including Hello packet attack, sequence add 1 attack, maximal age attack and maximal sequence attack. The system can detect routing attack while monitor abnormal changes without any other modifications.In addition, the system can display the captured data and abnormal data using pie chart or bar graph. Pie charts can reflect the proportion of various types of data, and bar graphs can show the changes in real-time.Our experiments show that the system can construct network topology correctly in the laboratory's environment, monitor the abnormities and attacks in time with three representative examples. The results are shown with visual graphics which include packet proportion and changes of traffic flow. Finally, we compare the system with other similar ones in three aspects: real-time data capturing, construction of topology and abnormity/attack detecting, and give an reasonable evaluation to the performance of the system.