Detection of network infrastructure attacks using artificial traffic

Posted on: 1999-03-02
Degree: M.Eng
Type: Thesis
University: Royal Military College of Canada (Canada)
Candidate: Dandurand, Gerard Rolland Luc
Full Text: PDF
GTID: 2468390014968468
Subject: Engineering
Abstract/Summary:
As organisations rely increasingly on resources only available through interconnected networks, routers and other network-layer components are likely to become the focus of increased attention by malicious users or intruders. Several means are available to influence the routing function of network components, allowing an intruder to disrupt the flow of information or to gather information that would otherwise have been protected.

The system proposed in this thesis aims at detecting traffic diversion attacks by monitoring variations in the round-trip delay of packets injected at various locations in the network. To assess the feasibility of the proposed concept, specific hosts were configured to run a prototype program that regularly probes other hosts using special User Datagram Protocol (UDP) packets and records precise measurements of the round-trip time. Based on the behaviour of the delay, the program will raise an alarm to indicate a possible problem with the routing function of the network. The program also has the capability of recording the route taken by packets through the use of the Internet Protocol (IP) Record Route header option.

The limitations and accuracy of the prototype system were identified in a controlled environment. Trials were then made on a medium-size production network, and the measured return-trip time (RTT) was analysed. While most trials resulted in the expected RTT behaviour, some revealed the presence of network pathologies. Routing irregularities were also identified through the use of Record Route packets.

The detection system monitors the statistical behaviour of the measured delay and can adapt to changing network load conditions, but not to a sudden increase that would be the result of a traffic diversion attack. The system is able to detect the network problems identified in the trials, as well as a simulated traffic diversion attack. (Abstract shortened by UMI.)
Keywords/Search Tags: Network, Traffic
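
The adaptive behaviour the abstract describes (a baseline that follows changing load but still flags a sudden delay increase) can be sketched as below. This is an added example, not code from the thesis: the EWMA estimator, its gains, the threshold, the confirmation count and both RTT series are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RttBaseline:
    """Adaptive RTT baseline; every parameter here is an assumed value."""
    alpha: float = 0.125   # EWMA gain for the mean
    beta: float = 0.25     # EWMA gain for the mean deviation
    k: float = 4.0         # alarm threshold, in deviations above the mean
    min_dev: float = 0.2   # deviation floor in ms, so a quiet path tolerates jitter
    confirm: int = 3       # consecutive outliers needed before alarming
    mean: Optional[float] = None
    dev: float = 0.0
    streak: int = 0

    def observe(self, rtt_ms: float) -> bool:
        """Feed one probe result; return True while an alarm is raised."""
        if self.mean is None:                  # first probe seeds the baseline
            self.mean, self.dev = rtt_ms, rtt_ms / 2
            return False
        if rtt_ms > self.mean + self.k * max(self.dev, self.min_dev):
            # Outliers are NOT folded into the baseline, so a sudden
            # increase cannot teach the detector that it is normal.
            self.streak += 1
            return self.streak >= self.confirm
        self.streak = 0
        err = rtt_ms - self.mean               # in-range sample: adapt slowly
        self.dev += self.beta * (abs(err) - self.dev)
        self.mean += self.alpha * err
        return False


def first_alarm(samples):
    """Index of the first probe that raises an alarm, or None."""
    det = RttBaseline()
    for i, rtt in enumerate(samples):
        if det.observe(rtt):
            return i
    return None


def jitter(i):
    """Deterministic +/-0.2 ms jitter so the constructed data is repeatable."""
    return ((i * 7) % 5 - 2) * 0.1


# Constructed series (ms). DRIFT: load rises gradually from 10 to about 16.
# DIVERTED: stable near 10, then a 4 ms step at probe 60 (a longer path).
DRIFT = [10 + 0.02 * i + jitter(i) for i in range(300)]
DIVERTED = [(10 if i < 60 else 14) + jitter(i) for i in range(120)]

if __name__ == "__main__":
    print("gradual load drift alarm:", first_alarm(DRIFT))
    print("sudden diversion alarm at probe:", first_alarm(DIVERTED))
```

The gradual series ends at a higher delay than the diverted one yet raises no alarm, which shows that the detector keys on the abruptness of the change rather than the absolute RTT.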