BGP Anomaly Detection
Bahaa Al-Musawi
PhD candidate
Supervisors: Dr. Philip Branch and Prof.
Grenville Armitage
balmusawi@swin.edu.au
Centre for Advanced Internet Architectures (CAIA)
Swinburne University of Technology
http://caia.swin.edu.au balmusawi@swin.edu.au, CAIA Seminar, 11 June 2015
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
Border Gateway Protocol (BGP)
• The Internet is a decentralized global network comprised of tens of thousands of Autonomous Systems (ASes)
• BGP is the Internet's default inter-domain routing protocol
An example of routing topology
Border Gateway Protocol (BGP)
• BGP (RFC 1105), BGP-2 (RFC 1163), BGP-3 (RFC 1267) and BGP-4 (RFC 1771), whose current revision is RFC 4271
• BGP is a path vector protocol: every route carries the list of ASes it has traversed (the AS_PATH), which is also how routing loops are detected
• BGP supports Classless Inter-domain Routing (CIDR); e.g. the prefix 192.2.2.0/24 covers the 256 addresses 192.2.2.0 to 192.2.2.255
Border Gateway Protocol (BGP)
• BGP is an incremental protocol: peers exchange their full tables when a session comes up, and afterwards send only the changes
• Routing Information Base (RIB): each router keeps the routes learned from its peers, the routes it has selected, and the routes it advertises
• Updates: UPDATE messages carry new or changed routes (announcements) and routes that are no longer reachable (withdrawals)
Connecting a new BGP router
Announcing a new prefix by an AS
BGP Policies
• ASes are the unit of routing policy in BGP
• AS relationships: customer-provider and peer-to-peer
• BGP routing policies express:
  • Business relationships
  • Traffic engineering
  • Scalability
  • Security-related policies
• The configuration of a single BGP router can run from hundreds to thousands of lines
Border Gateway Protocol (BGP)
Growth of the BGP table since 1994, from http://bgp.potaroo.net/
BGP Weakness
• BGP is based on trust between all its participants
• BGP itself has no way to verify that an AS is authorised to originate or propagate a route (TCP MD5 protects the session between two peers, not the routes carried over it)
• BGP is therefore vulnerable to different types of attack and mistake, for example:
  • December 2004, TTNet (AS9121) announced more than 100,000 incorrect routes
  • January 2006, AS27506 (Con Edison) hijacked the prefixes of Panix
  • February 2012, the Dodo ISP route leak, which took down connectivity for its upstream's customers in Australia
BGP Anomalies
• Anomalies are patterns in a data set that do not follow the expected behaviour
• A network running BGP sends no updates while its topology and policies do not change
• In the real world, many ASes are unstable, causing propagation of many abnormal BGP updates
• Distinguishing this routine instability from a serious attack is the challenge
Types of BGP Anomalies
1. Direct and Intended Disruptions
2. Direct and Unintended Disruptions
3. Indirect Disruptions
4. Hardware Failure
1. Direct and Intended Disruptions
• This type of disruption covers all forms of BGP hijacking, which appear in different scenarios such as prefix hijack (announcing someone else's prefix from a different origin AS) and sub-prefix hijack (announcing a more specific of it, which wins by longest-prefix match)
• False positives: there are legitimate reasons for anomalous-looking routing updates, such as multi-homing with static link aggregation, where a prefix is legitimately originated by more than one AS
• Examples
  • May 2005, AS174 (Cogent) originated one of Google's prefixes; connectivity to the google.com domain was lost for nearly an hour
  • April 2011, Link Telecom incident: an attacker hijacked AS12812 and its prefixes for around 6 months
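The incremental RIB and UPDATE handling described earlier, together with the prefix and sub-prefix hijack checks of this section, as an added example in Python (not code from the seminar or from CAIA). It keeps a small Adj-RIB-In for one collector session, applies each UPDATE incrementally, and compares the origin AS of every announcement against an operator-maintained baseline of allowed origins, so that a multi-homed prefix with two legitimate origins does not raise the false positive mentioned above. The ASNs (65001, 65002, 65003, 65010, 65020, 65666), the documentation prefixes and the UPDATE stream are all constructed for illustration, and `BASELINE` is a stand-in for the operator's own records or RPKI/IRR data.

```python
"""Incremental RIB maintenance plus prefix / sub-prefix hijack detection
against a baseline of expected origin ASes.

Added example, not from the seminar slides. All ASNs, prefixes and
UPDATE messages below are constructed; BASELINE stands in for the
operator's own records (or IRR/RPKI data) of who may originate what."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Update:
    """One BGP UPDATE, reduced to what origin-based detection needs."""
    kind: str               # "announce" or "withdraw"
    prefix: str
    as_path: tuple = ()     # AS_PATH as seen by the collector; origin AS is last


# prefix -> set of ASes allowed to originate it. Listing two origins for a
# multi-homed prefix is what keeps a legitimate MOAS from raising an alert.
BASELINE = {
    "192.0.2.0/24": {65001},
    "198.51.100.0/24": {65002, 65003},   # multi-homed: two valid origins
}


def origin_of(as_path):
    return as_path[-1] if as_path else None


def covering_prefixes(prefix, baseline):
    """Baseline prefixes that strictly contain `prefix` (same address family)."""
    net = ipaddress.ip_network(prefix)
    return [p for p in baseline
            if ipaddress.ip_network(p).version == net.version
            and ipaddress.ip_network(p) != net
            and net.subnet_of(ipaddress.ip_network(p))]


def apply_update(update, rib, baseline):
    """Apply one UPDATE to the RIB (incrementally: only the affected entry
    changes) and return the alerts it raises, if any."""
    alerts = []
    if update.kind == "withdraw":
        rib.pop(update.prefix, None)        # a withdrawal never alerts here
        return alerts
    rib[update.prefix] = update.as_path
    origin = origin_of(update.as_path)
    # Prefix hijack: the exact prefix is known and this origin is not allowed.
    if update.prefix in baseline and origin not in baseline[update.prefix]:
        alerts.append(("prefix-hijack", update.prefix, origin))
    # Sub-prefix hijack: a more specific of a known prefix from a foreign
    # origin. A more specific from a legitimate origin (deaggregation for
    # traffic engineering) is left alone.
    for parent in covering_prefixes(update.prefix, baseline):
        if origin not in baseline[parent]:
            alerts.append(("subprefix-hijack", update.prefix, origin, parent))
    return alerts


# Constructed update stream, in arrival order.
SAMPLE_UPDATES = [
    Update("announce", "192.0.2.0/24", (65010, 65001)),      # legitimate
    Update("announce", "198.51.100.0/24", (65010, 65003)),   # second valid origin (multi-homed)
    Update("announce", "192.0.2.0/24", (65020, 65666)),      # origin changes: prefix hijack
    Update("announce", "192.0.2.128/25", (65020, 65666)),    # more specific from a foreign AS
    Update("announce", "198.51.100.0/25", (65010, 65002)),   # deaggregation by a valid origin
    Update("withdraw", "192.0.2.0/24"),
]


def run(updates=SAMPLE_UPDATES, baseline=BASELINE):
    """Feed the stream through the RIB; return (final RIB, alerts)."""
    rib, alerts = {}, []
    for u in updates:
        alerts.extend(apply_update(u, rib, baseline))
    return rib, alerts


if __name__ == "__main__":
    final_rib, found = run()
    for alert in found:
        print(alert)
```

Only two of the six updates are reported: the origin change on 192.0.2.0/24 and the /25 more specific from the same foreign AS. The second origin for 198.51.100.0/24 and the /25 deaggregation by AS65002 pass because the baseline lists them, which is exactly the multi-homing case that a detector keyed on "origin changed" alone would misreport.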
2. Direct and Unintended Disruptions
• Refers to BGP misconfiguration, such as:
  • Pakistan incident, 2008: Pakistan Telecom advertised a more specific of a YouTube prefix (meant to block the site locally) and its upstream propagated it, causing many ASes to lose access to the site
  • Indosat incident, 2014: propagated over 320,000 incorrect routes
Pakistan event 2008
3. Indirect Disruptions
• Nimda, 2001: an increase of around 30-fold in BGP updates was observed
• Slammer, 2003: dramatic spikes in the number of BGP updates
Update messages during the Slammer attack, 22-29 January 2003
4. Hardware Failure
• Moscow blackout, 2005: lasted several hours
• Mediterranean cable cut, 2008: affected more than 20 countries
Number of BGP updates during the Moscow event
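The worm outbreaks and hardware failures above are all visible as the same signal, a sudden jump in the rate of UPDATE messages. As an added example (not the seminar's own method and not CAIA code), the Python below flags such bursts with a simple rolling mean-plus-k-standard-deviations threshold over per-interval update counts. The counts are constructed; in practice they would be UPDATEs per minute binned from a collector feed such as RouteViews or RIPE RIS, and the `window`, `k` and `min_std` parameters are assumptions to be tuned per vantage point.

```python
"""Burst detection on the rate of BGP UPDATE messages, the signal the
slides show for Nimda, Slammer and the Moscow blackout.

Added example, not from the seminar slides. The per-interval counts
below are constructed; in practice they would be UPDATEs per minute
binned from a collector feed such as RouteViews or RIPE RIS."""
import math


def detect_update_bursts(counts, window=10, k=3.0, min_std=1.0):
    """Return (index, count, threshold) for every interval whose UPDATE
    count exceeds mean + k*std of the last `window` non-anomalous intervals.

    Anomalous intervals are kept out of the baseline so that a sustained
    burst keeps alerting instead of becoming the new normal; `min_std`
    stops a perfectly flat baseline from collapsing the threshold onto the
    mean itself. The first `window` intervals are warm-up and never alert."""
    baseline = []
    alerts = []
    for i, count in enumerate(counts):
        if len(baseline) >= window:
            recent = baseline[-window:]
            mean = sum(recent) / window
            std = max(math.sqrt(sum((x - mean) ** 2 for x in recent) / window), min_std)
            threshold = mean + k * std
            if count > threshold:
                alerts.append((i, count, round(threshold, 1)))
                continue                    # do not absorb the burst into the baseline
        baseline.append(count)
    return alerts


# Constructed series: 15 quiet intervals, a 3-interval burst, then quiet again.
QUIET = [98, 104, 101, 97, 110, 95, 103, 99, 106, 100, 102, 96, 108, 101, 99]
BURST = [2900, 3100, 3050]
SAMPLE_COUNTS = QUIET + BURST + [104, 98, 101]


def burst_intervals(counts=SAMPLE_COUNTS):
    """Indices of the intervals flagged as bursts."""
    return [i for i, _, _ in detect_update_bursts(counts)]


if __name__ == "__main__":
    for i, count, thr in detect_update_bursts(SAMPLE_COUNTS):
        print(f"interval {i}: {count} updates (threshold {thr})")
```

On the constructed series the three burst intervals are flagged and the quiet intervals on either side are not. Because flagged intervals are excluded from the rolling window, the second and third burst intervals are judged against the same quiet baseline as the first; a detector that fed them back in would raise its threshold to thousands of updates and go silent for the rest of the event.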
BGP Anomaly Detection Techniques
BGP Statistics
• The continued growth of the Internet is leading to increasing BGP instability
• 40K anomalous route events were reported in the 12 months from May 2011
• 20% of hijacks and misconfigurations lasted less than 10 minutes, yet an anomalous route can pollute 90% of the Internet in less than 2 minutes
BGP Anomalies
Key requirements for a next generation of BGP anomaly detection:
• Detect different types of BGP disruption in near real time
• Identify the type of BGP disruption
• Locate the source of the disruption
BGP Testbed
Why is a BGP testbed important?
1. Lack of ground-truth timestamps for the available BGP anomaly events
2. It enables examination of different types of BGP anomalies, to help in identifying them
3. On the available BGP testbeds, such as the PEER project, no hijacking or misconfiguration is allowed
BGP Testbed
Types of BGP testbed that have been used:
1. Quagga
2. Swinburne/ICT Cisco Labs
3. Virtual Internet Routing Lab (VIRL)
Quagga
• Routing software package that provides TCP/IP-based routing services
• Supports many routing protocols, such as RIP, OSPF, IS-IS and BGP
Simple BGP topology on 9 VMs running Quagga
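A minimal Quagga `bgpd.conf` set for staging a sub-prefix hijack on such a testbed, added here as an example (not the seminar's own configuration). It assumes three VMs on one link with router IDs 10.0.0.1 to 10.0.0.3, private ASNs 65001 to 65003, and the documentation prefix 192.0.2.0/24; `no bgp network import-check` lets each router announce its prefix without a matching kernel route.

```conf
! r1, the victim (AS 65001): originates 192.0.2.0/24 towards r3
router bgp 65001
 bgp router-id 10.0.0.1
 no bgp network import-check
 network 192.0.2.0/24
 neighbor 10.0.0.3 remote-as 65003
!
! r2, the hijacker (AS 65002): originates a more specific of r1's prefix,
! so r3 prefers it by longest-prefix match (sub-prefix hijack)
router bgp 65002
 bgp router-id 10.0.0.2
 no bgp network import-check
 network 192.0.2.128/25
 neighbor 10.0.0.3 remote-as 65003
!
! r3, the observer (AS 65003): peers with both and logs every UPDATE it
! receives, which is the feed an anomaly detector would consume
log file /var/log/quagga/bgpd.log
debug bgp updates
router bgp 65003
 bgp router-id 10.0.0.3
 neighbor 10.0.0.1 remote-as 65001
 neighbor 10.0.0.2 remote-as 65002
!
```

On r3, `vtysh -c "show ip bgp"` then lists 192.0.2.0/24 with origin 65001 and 192.0.2.128/25 with origin 65002 side by side, and the timestamps in `bgpd.log` give the ground truth that public BGP archives lack. Changing r2's `network` line to 192.0.2.0/24 turns the scenario into a plain prefix hijack (two origins for the same prefix), and withdrawing it again (`no network ...`) produces the corresponding withdrawal.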
Quagga
• Difficult to manage a large-scale network topology
• No virtualization support
• Number of nodes is limited by the hardware specifications
• No chance to try other router OSs such as IOS and Junos
Swinburne/ICT Cisco Labs
• 265 Cisco routers in total:
  • 205 Cisco 2811 routers
  • 60 Cisco 2620XM routers
• Swinburne offers a tool to manage the configuration of the devices
Swinburne/ICT Cisco Labs
Simple BGP topology
Swinburne/ICT Cisco Labs
• Time-consuming to set up and tear down a network
• Limited availability of the labs because of teaching
Managing connections
• Difficult to manage the network connections of a large-scale network
Swinburne/ICT Cisco Labs
• Still difficult to manage the configuration of routers in a large-scale network
• No virtualization capability
• No chance to try the latest Cisco IOS versions or other router OSs
VIRL Cisco Software
• Virtual Internet Routing Lab
• Uses VM Maestro, OpenStack, AutoNetkit and Ubuntu
VIRL Cisco Software
• Easy to set up and tear down a network
• Portability and repeatability
• Virtualization capability
• Simplified packet capture
• Deployment of different OSs:
  • Cisco images: IOS, IOS XR, IOS XE and NX-OS
  • Servers such as Ubuntu and FreeBSD
VIRL Cisco Software
15 nodes running on VIRL require:
• 4 CPU cores
• 8 GB DRAM
• Internet access
My target network is more than 200 nodes, which requires:
• 40 CPU cores
• 512 GB DRAM
What can I do?
VIRL Cisco Software
• Ask ITS at Swinburne
• Result: 10 nodes, each with 8 cores and 24 GB DRAM
Accessing the 10 nodes at the EN building
VIRL supports the GraphML format, e.g. the topologies published at http://www.topology-zoo.org/
Current/Future Work
• Apply one of the existing global network topologies
• Inject BGP updates
• Create different anomalies and apply different approaches to detecting them
Summary
• BGP exchanges Network Layer Reachability Information (NLRI) between ASes and uses the AS_PATH to guarantee loop-free routes
• BGP is vulnerable to different types of anomalies
• Key requirements for a next generation of BGP anomaly detection: near real-time detection, identification of the type of disruption, and location of its source
• Challenges of building a BGP testbed, especially for a large-scale network
• VIRL offers a variety of facilities and options, with a short time to set up and tear down a network
Acknowledgment
• The VIRL team at Cisco, for providing a free license and support
• Simon Forsayeth from ITS / Swinburne University, for his help and support in making the use of 10 nodes with VIRL possible
Questions