A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets, which are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
Certain devices, referred to as routers, maintain routing information that describes routes through the network. A “route” can generally be defined as a path between two locations on the network. Upon receiving an inbound packet, the router examines information within the packet and forwards the packet in accordance with the routing information.
Large computer networks, such as the Internet, often include many routers grouped into administrative domains called “autonomous systems.” In order to maintain an accurate representation of the network, routers periodically exchange routing information. In particular, a conventional router typically issues a communication in accordance with a routing protocol to “announce” network destinations that are reachable through that router. These “destination announcements” typically take the form of a set of routes that specifies network destinations that can be reached through the announcing router. The routing protocols generally fall into two categories. Routers located at the edges of different autonomous systems generally use exterior routing protocols to announce routes to reachable destinations, and to find out about routes to other destinations outside of their autonomous system. One example of an exterior routing protocol is the Border Gateway Protocol (BGP). Routers within an autonomous system generally utilize interior routing protocols to advertise and compute routes to reachable destinations within the autonomous system. One example of an interior routing protocol is the Intermediate System to Intermediate System (ISIS) protocol, which is an interior gateway routing protocol for IP networks for communicating link-state information within an autonomous system. Other examples of interior routing protocols include the Open Shortest Path First (OSPF), and the Routing Information Protocol (RIP). Routers within an autonomous system may also make use of exterior routing protocols such as BGP in order to inform other routers in the same autonomous system about routes to destinations outside of the autonomous system.
Conventional routers often maintain the routing information in the form of one or more routing tables or other data structures. The form and contents of the routing tables often depends on the routing algorithm implemented by the router. Typically, after exchanging routing information, the router processes the information and selects a route to each network destination. In instances where multiple routes exist to a common destination, the router may select one of the routes based on a variety of criteria, such as the routing protocol by which the route was learned, metric values advertised in the routing protocols, the speed of links along the routes, number of hops between source and destination, proximity of next hops to the router, and the like. When sharing information with peer routers, the router announces those network destinations and routes selected by the router, and does not announce “non-selected” routes.
Devices attached to a network may be susceptible to a network attack, such as a denial of service (DOS) attack, which occurs when a malicious party directs a high volume of packets to the device in an attempt to sabotage network operation. The high traffic volume can overwhelm the device, leaving it unable to process the inbound packets. For example, in one type of DOS attack, a perpetrator sends a large number of “ping” requests to network multicast or broadcast addresses, which are special addresses used to broadcast messages to multiple other devices on the network. When sending the requests, the perpetrator spoofs the source address of a device targeted by the attack. In response to the requests, the other network devices reply to the targeted device, thereby inundating the targeted device with packets. Such attacks may be directed to any device attached to the network, including but not limited to routing devices.
Conventional approaches for prevention of network attacks typically rely on application of packet filters. For example, a router may apply source address filters to restrict which source network addresses a device or a network of devices attached to the router can use to send packets, thereby reducing the susceptibility to devices ability to launch attacks using a false source address. In many cases, a router may configure source address filters to be applied to an inbound packet stream from a peer router based on the destinations advertised by that peer router. In other words, the router may configure one or more source address filters to permit only those packets having source addresses that match the reachable destinations announced by that peer router. In this manner, source address filters may be applied in a manner that maintains packet forwarding for valid source addresses while dropping potentially spoofed source addresses.
However, in some situations, a peer router may erroneously configure source address filters to drop packets having legitimate source addresses. For example, when a router selects one of multiple routes to a network destination, only the selected routes are advertised to the peer routers. The peer routers receiving the routing information specifying the selected routes configure the source address filters to accept packets from sources along those routes, and drop packets originating from valid sources along the non-selected routes. As a result, a system administrator may configure the peer routes to avoid the use of source address filters, which leads to compromised network security and increased vulnerability to network attacks.