1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular to a computer implemented method, data processing system, and computer program product for discovering an unauthorized router in a network.
2. Description of the Related Art
Distributed network data processing systems are becoming more and more prevalent in businesses and in homes. Typically, a network data processing system contains a network with a medium used to provide communications links between various devices and computers connected within that network. This medium includes wires providing communications links with other devices, such as a router providing routing of data between the different devices on the network. One protocol used to transmit data within a network is the transmission control protocol/internet protocol (TCP/IP). This protocol is used on the Internet and also may be implemented in other networks, such as an intranet, a local area network (LAN), or a wide area network (WAN). TCP provides transport functions to ensure that the total amount of bytes sent is received correctly at the other end. IP is used to accept packets from TCP and adds a header to deliver the packet to a data link layer protocol. An IP address is used by every client and server in the network to send data between the different systems.
A router is a device that determines the proper path for data to travel between different networks (i.e., separate logical subnets). The router forwards data packets to the next device along this path. A router may create or maintain a table of the available routes and their conditions and use this information to determine the best route for a given packet.
In the world of security, an unauthorized router in an organization's network is known as a rogue router. These unauthorized routers are not monitored, nor are the machines on the router's subnets. Organizations do not want unauthorized routers running on their networks since there are a number of security concerns associated with these routers. A client device in the network may become a rogue router even if the user does not have malicious intent. For example, if the user connects a laptop computer to the client device and uses a modem to access e-mail via the Internet, the modem becomes an unauthorized router. The user's laptop can even serve as a router if the operating system on the laptop includes a router function, and the function is enabled. This scenario creates security problems since the user's laptop comprises a weaker firewall than an authorized router. Consequently, it is desirable for a network security administrator to be able to detect unauthorized routers and cease their operation.
When a packet is sent from one computer to another, it traverses zero or more routers. The sequence of routers that a packet traverses is termed its route, or path. The traversal of one router is called a hop. In the current art, the traceroute utility may be used to detect routers in the network by recording the route through the distributed network between a source machine and a specified destination machine. If the destination machine is active and a monitoring tool in the source machine is in a position to ping the destination machine's IP address, it is possible to detect the router(s) between the source machine and the destination machine. The traceroute command operates by sending a series of packets (using the Internet Control Message Protocol or ICMP) to the target destination machine. A first packet is constructed with a limited Time-To-Live (TTL) value that is designed to be exceeded by the first router that receives the packet for the first hop. For instance, the TTL value in the first packet has a value of 1. When the first router encounters the packet with the TTL value of 1, the first router is obligated to send an ICMP Time Exceeded message (type 11) back to the sending source machine. The sending source machine also sends other packets comprising a Time-To-Live (TTL) value of 2 for the second hop, then a Time-To-Live (TTL) value of 3 for the third hop, etc. Consequently, each router in the path will respond with a type 11 packet between the sending source machine and the destination machine. When the final destination machine responds to a packet, the process stops.
While the traceroute utility may be used for detecting routers in the network, a problem with the traceroute utility is that a network administrator is unable to discover whether a machine is routing if the routed subnet is not known or if the machines on the router's subnet are silent or down. Thus, utilities in the current art such as traceroute only allow for discovering if a machine is a router if the source machine knows the IP addresses of the subnet or the IP addresses of the machines in the subnet.