Modern routers should be able to support many new functions to meet the needs of customers. To achieve such flexibility, programmable packet processors have replaced traditional fixed-function custom logic in the data path of routers. This programmability introduces new vulnerabilities in these systems that can lead to new types of network attacks.
We propose a monitoring subsystem that operates in parallel with the processing core of the router and aids in the detection of such attacks. Upon detection, our system can restore the router’s operation to a different but functionally equivalent state.