Topology-Agnostic Runtime Detection of OSPF Routing Attacks

2019 IEEE Conference on Communications and Network Security (CNS) (2019)

Abstract
Open Shortest Path First (OSPF) is one of the most widely deployed interior gateway routing protocols on the Internet. It allows routers to calculate their routing tables within a cluster of networks, an autonomous system (AS). An attacker that leverages OSPF to attack an AS may have a catastrophic effect on it. A single malicious router within an AS can poison the routing tables of all other routers of that AS by sending false routing messages, thereby subverting the entire routing process. Finding attacks on the routing protocol is a demanding task, as the exact nature of the attack may be unknown. In this work we present a machine learning-based attack detection scheme that is based on topology-agnostic features. The topology-agnostic features allow the trained algorithm to find attacks on a broad range of topologies, as well as on networks with dynamic topologies. We validate the algorithm both on synthetic AS topologies and on a real-world ISP topology and traffic. We show that the presented algorithm achieves high detection accuracy within a very short detection time, while the false error rate remains low.
Keywords
intrusion detection, OSPF, machine learning