Router security defense technologies emerging in recent years could hardly detect and block the new booming threats with unknown signatures such as hardware Trojan, zero-day attacks, etc. We present a novel router defense technology, distributed router shadow, which builds a closed execution environment to deceive attacks entering into the router, thereby misleading the attackers into regarding it as the real attack target and executing the suspicious code to maximize the chances of detonating the system exploit; thus the original router is prevented from attacking and the suspicious code can be detected. Our experiment and analysis show that the router shadow can defend not only attacks with signature but also some new attacks without signature.