Recommended
Recommended
More Related Content
Similar to BGP Anomaly Detection
Similar to BGP Anomaly Detection (20)
Recently uploaded
Recently uploaded (20)
BGP Anomaly Detection
- 1. BGP Anomaly Detection Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage balmusawi@swin.edu.au Centre for Advanced Internet Architectures (CAIA) Swinburne University of Technology http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 2CAIA Seminar Outline โข BGP โข BGP Anomalies โข BGP Testbed โข Summary
- 2. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 3CAIA Seminar Outline โข BGP โข BGP Anomalies โข BGP Testbed โข Summary http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 4CAIA Seminar Border Gateway Protocol (BGP) โข The Internet is a decentralized global network comprised of tens of thousands of Autonomous Systems (ASes) โข BGP is the Internetโs default Inter-domain routing protocol An example of routing topology
- 3. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 5CAIA Seminar Border Gateway Protocol (BGP) โข BGP (RFC1105), BGP2 (RFC1163), BGP3 (RFC1267), and BGP4 with last revision (RFC4271) โข BGP is a path vector protocol โข BGP supports Classless Inter-domain Routing (CIDR), ex. prefix 192.2.2.0/24 192.2.2.1-192.2.2.255 http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 6CAIA Seminar Connecting a new BGP router Border Gateway Protocol (BGP) โข BGP is an incremental protocol โข Routing Information Base (RIB) โข Updates
- 4. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 7CAIA Seminar Announcing a new prefix by an AS Border Gateway Protocol (BGP) โข BGP is an incremental protocol โข Routing Information Base (RIB) โข Updates http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 8CAIA Seminar BGP Policies โข ASes are the unit of routing policy in BGP โข ASes relationships: customer-provider and peer-to-peer โข BGP routing policies: โข Business relationships โข Traffic engineering โข Scalability โข Security related policies โข Number of configuration lines in a single BGP router can range from hundreds to thousands lines
- 5. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 9CAIA Seminar Border Gateway Protocol (BGP) Growth of BGP Table since 1994 from http://bgp.potaroo.net/ http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 10CAIA Seminar BGP Weakness โข BGP based on the trust between all its participants โข BGP does not employ any authentication measures for advertising routes โข BGP is vulnerable to different types of attacks โข 2005, TTNet announced more than 100,000 incorrect routes โข 2006, AS27506 hijacked panix domain โข 2012, Dodo ISP incident
- 6. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 11CAIA Seminar Outline โข BGP โข BGP Anomalies โข BGP Testbed โข Summary http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 12CAIA Seminar BGP Anomalies โข Anomalies are patterns in a data set that do not follow expected behavior โข No BGP updates are sent when there is no change in topology and/or policies for a network running BGP โข In the real world, many ASes are unstable causing propagation of many abnormal BGP updates โข Distinguishing abnormal BGP updates from a serious attack is a challenge
- 7. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 13CAIA Seminar Types of BGP Anomalies 1. Direct and Intended Disruptions 2. Direct and Unintended Disruptions 3. Indirect Attacks 4. Hardware Failure http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 14CAIA Seminar 1. Direct and Intended Disruptions โข This type of disruption refers to all types of BGP hijacking which can appear in different scenarios such as prefix and sub-prefix hijack.
- 8. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 15CAIA Seminar 1. Direct and Intended Disruptions โข False Positive โข Legitimate reasons for anomalous routing updates โข Multi-homing with static link aggregation http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 16CAIA Seminar 1. Direct and Intended Disruptions โข Examples โข May 2005, AS174 hijacked one of Google prefixes: lose connectivity to the google.com domain for nearly an hour โข April 2011, Link Telecom incident: an attacker hijacked AS12812 and its prefixes for a round 6 months
- 9. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 17CAIA Seminar 2. Direct and Unintended Disruptions โข Refers to BGP misconfiguration such as: โข Pakistan incident-2008: advertised an invalid YouTube prefix causing many ASes to lose access to the site โข Indosat incident-2014: propagated over 320,000 incorrect routes Pakistan event 2008 http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 18CAIA Seminar 3. Indirect Disruptions โข Nimda-2001: around 30 fold increase of BGP updates was observed โข Slammer-2003: dramatic spikes in number of BGP updates Updates Messages During Slammer Attack from 22-29 January 2003
- 10. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 19CAIA Seminar 4. Hardware Failure โข Moscow blackout-2005: Several hours โข Mediterranean cable-2008: > 20 countries Number of BGP Updates during Moscow event http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 20CAIA Seminar BGP Anomalies Detection Techniques
- 11. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 21CAIA Seminar BGP Anomalies Detection Techniques http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 22CAIA Seminar BGP Statistics โข The huge variance in the size of the Internet is leading towards increasing instability of BGP โข 40K anomalous route events were reported in the 12 months from May 2011 โข 20% of the hijacking and misconfigurations lasted less than 10 minutes but with the ability to pollute 90% of the Internet in less than 2 minutes
- 12. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 23CAIA Seminar BGP Anomalies Key Requirements for a next generation of BGP anomaly detection: โข Detect in near real-time different types of BGP disruptions โข Identify type of BGP disruptions โข Locate the source of disruption http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 24CAIA Seminar Outline โข BGP โข BGP Anomalies โข BGP Testbed โข Summary
- 13. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 25CAIA Seminar BGP Testbed Why BGP Testbed is important ? 1. Lack of ground truth timestamps for available BGP anomalies events 2. Enable examination of different types of BGP anomalies to help in their identification 3. On available BGP testbeds such as the PEER project, no hijacking or misconfiguration is allowed http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 26CAIA Seminar BGP Testbed Types of BGP testbed that have been used: 1. Quagga 2. Swinburne/ ICT Cisco Labs 3. Virtual Internet Routing Lab (VIRL)
- 14. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 27CAIA Seminar Quagga โข Routing S/W package that provides TCP/IP based routing services. โข Supports many routing protocols such as RIP, OSPF, IS-IS, and BGP Simple BGP Topology on 9 VMs running Quagga http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 28CAIA Seminar Quagga โข Difficult to manage large scale network topology โข No Virtualization support โข No. of nodes is limited to H/W specifications โข No chance to try other router OSs such as IOS and Junos
- 15. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 29CAIA Seminar Swinburne/ICT Cisco Labs โข Totally 265 Cisco routers โข 205 routers Cisco model 2811 โข 60 routers Cisco model 2620XM โข Swinburne offers a tool to manage configuration of devices http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 30CAIA Seminar Swinburne/ICT Cisco Labs Simple BGP topology
- 16. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 31CAIA Seminar Swinburne/ICT Cisco Labs โข Time consuming to setup and tear-down a network โข Limited availability of labs because of teaching http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 32CAIA Seminar Managing connections โข Difficult to manage network connections with a large scale network
- 17. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 33CAIA Seminar Swinburne/ICT Cisco Labs โข Still difficult to manage configuration of routers in a large scale network โข No Virtualization capability โข No chance to try latest Cisco IOS versions or other Routers OSs http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 34CAIA Seminar VIRL Cisco Software โข Virtual Internet Routing Lab โข Uses VMMaestro, OpenStack, Autonetkit, and Ubuntu
- 18. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 35CAIA Seminar VIRL Cisco Software โข Easy to setup and teardown a network โข Portability and repeatability โข Virtualization capability โข Simplified packet capture โข Deployment of different OSs โข Cisco IOS such IOS,IOS XR, IOS XE, and NX-OS โข Servers such as Ubuntu and FreeBSD http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 36CAIA Seminar VIRL Cisco Software 15 nodes running on VIRL requires: โข 4 CPU cores โข 8 GB DRAM โข Internet Access My target network is > 200 nodes which requires โข 40 CPU cores โข 512 GB DRAM What can I do?
- 19. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 37CAIA Seminar VIRL Cisco Software โข ASK ITS at Swinburne โข 10 nodes each with 8 cores and 24 GB DRAM http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 38CAIA Seminar Accessing 10 nodes at EN building
- 20. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 39CAIA Seminar VIRL Supports graphml format http://www.topology-zoo.org/ http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 40CAIA Seminar Current/Future Work โข Apply one of exist global network topologies โข Inject BGP updates โข Create different anomalies and apply different approaches to detecting them
- 21. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 41CAIA Seminar Outline โข BGP โข BGP Anomalies โข BGP Testbed โข Summary http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 42CAIA Seminar Summary โข BGP is responsible for managing and exchanging Network NLRI between ASes with guarantee of avoiding loops โข BGP is vulnerable to different types of anomalies โข Key requirements for a next generation of BGP anomalies detection โข Challenges of building BGP testbed especially for large scale network โข VIRL offers a variety of facilities and options with short time to setup and tear down a network
- 22. http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 43CAIA Seminar Acknowledgment โข VIRL team at Cisco for providing free license and support โข Simon Forsayeth from ITS / Swinburne University for his help and support to make the use of 10 nodes possible with VIRL http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 44CAIA Seminar Questions