The document discusses BGP anomalies and the need for a BGP testbed to study anomaly detection techniques. It summarizes the types of BGP anomalies, such as direct disruptions from hijacking or misconfigurations. The author proposes building a large-scale BGP testbed using VIRL software to inject anomalies and evaluate detection methods in a repeatable way. The testbed would help address challenges around validating anomaly detection in the complex, global BGP routing system.
Bahaa Al-Musawi presented on BGP anomaly detection. He discussed how BGP works and its vulnerabilities. Four types of BGP anomalies were described: direct intended disruptions, direct unintended disruptions, indirect attacks, and hardware failures. Al-Musawi emphasized the need for a testbed to examine BGP anomalies in order to aid detection. He demonstrated how the VIRL software provides a useful virtual testbed for building and analyzing large scale BGP networks.
BGP Anomaly Detection
Bahaa Al-Musawi
PhD candidate
Supervisors: Dr. Philip Branch and Prof. Grenville Armitage
balmusawi@swin.edu.au
Centre for Advanced Internet Architectures (CAIA)
Swinburne University of Technology
http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 CAIA Seminar
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
Border Gateway Protocol (BGP)
• The Internet is a decentralized global network comprised of tens of thousands of Autonomous Systems (ASes)
• BGP is the Internet's default inter-domain routing protocol
Figure: An example of routing topology
Border Gateway Protocol (BGP)
• BGP (RFC1105), BGP2 (RFC1163), BGP3 (RFC1267), and BGP4 with last revision (RFC4271)
• BGP is a path vector protocol
• BGP supports Classless Inter-domain Routing (CIDR), ex. prefix 192.2.2.0/24 covers 192.2.2.1-192.2.2.255
Border Gateway Protocol (BGP)
• BGP is an incremental protocol
• Routing Information Base (RIB)
• Updates
Figure: Connecting a new BGP router
Figure: Announcing a new prefix by an AS
BGP Policies
• ASes are the unit of routing policy in BGP
• AS relationships: customer-provider and peer-to-peer
• BGP routing policies:
  • Business relationships
  • Traffic engineering
  • Scalability
  • Security related policies
• The number of configuration lines in a single BGP router can range from hundreds to thousands of lines
Border Gateway Protocol (BGP)
Figure: Growth of BGP table since 1994, from http://bgp.potaroo.net/
BGP Weakness
• BGP is based on trust between all its participants
• BGP does not employ any authentication measures for advertising routes
• BGP is vulnerable to different types of attacks:
  • 2005, TTNet announced more than 100,000 incorrect routes
  • 2006, AS27506 hijacked the panix domain
  • 2012, Dodo ISP incident
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
BGP Anomalies
• Anomalies are patterns in a data set that do not follow expected behavior
• No BGP updates are sent when there is no change in topology and/or policies for a network running BGP
• In the real world, many ASes are unstable, causing propagation of many abnormal BGP updates
• Distinguishing abnormal BGP updates from a serious attack is a challenge
Types of BGP Anomalies
1. Direct and Intended Disruptions
2. Direct and Unintended Disruptions
3. Indirect Attacks
4. Hardware Failure
1. Direct and Intended Disruptions
• This type of disruption refers to all types of BGP hijacking, which can appear in different scenarios such as prefix and sub-prefix hijack.
1. Direct and Intended Disruptions
• False positives
• Legitimate reasons for anomalous routing updates
• Multi-homing with static link aggregation
1. Direct and Intended Disruptions
• Examples
• May 2005, AS174 hijacked one of Google's prefixes: connectivity to the google.com domain was lost for nearly an hour
• April 2011, Link Telecom incident: an attacker hijacked AS12812 and its prefixes for around 6 months
2. Direct and Unintended Disruptions
• Refers to BGP misconfiguration such as:
• Pakistan incident-2008: advertised an invalid YouTube prefix, causing many ASes to lose access to the site
• Indosat incident-2014: propagated over 320,000 incorrect routes
Figure: Pakistan event 2008
3. Indirect Disruptions
• Nimda-2001: around a 30-fold increase in BGP updates was observed
• Slammer-2003: dramatic spikes in the number of BGP updates
Figure: Update messages during the Slammer attack, 22-29 January 2003
4. Hardware Failure
• Moscow blackout-2005: several hours
• Mediterranean cable-2008: > 20 countries
Figure: Number of BGP updates during the Moscow event
BGP Anomalies Detection Techniques
BGP Statistics
• The huge variance in the size of the Internet is leading towards increasing instability of BGP
• 40K anomalous route events were reported in the 12 months from May 2011
• 20% of the hijacking and misconfigurations lasted less than 10 minutes, but with the ability to pollute 90% of the Internet in less than 2 minutes
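A defender-side illustration of the anomaly types and statistics above, added here as an example and not taken from the seminar: it checks a constructed stream of BGP updates for prefix and sub-prefix hijacks (origin AS not matching an assumed expected-origin baseline) and for the update-volume spikes the slides associate with indirect disruptions such as Slammer. The baseline, prefixes, ASNs, window size and spike threshold are all constructed for illustration.

```python
"""Toy BGP anomaly checks over a constructed update stream.

Added example, not code from the CAIA seminar. Flags prefix and sub-prefix
hijacks against an expected-origin baseline, and update-volume spikes.
Every value below (baseline, updates, thresholds) is constructed.
"""
from collections import Counter
from ipaddress import ip_network

# Constructed baseline: prefix -> ASNs allowed to originate it. In a real
# deployment this would come from RPKI ROAs, IRR route objects or history.
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501},
    "203.0.113.0/24": {64502, 64503},  # legitimately multi-homed: two valid origins
}

# Constructed updates: (timestamp in seconds, prefix, AS_PATH). The origin AS is
# the right-most ASN. ASNs 64496-64511 (documentation) and 64666 are placeholders.
BASE_UPDATES = [
    (0, "192.0.2.0/24", [64496, 64500]),
    (5, "198.51.100.0/24", [64496, 64501]),
    (10, "203.0.113.0/24", [64496, 64503]),   # second valid origin: no alarm
    (20, "192.0.2.0/24", [64496, 64666]),     # prefix hijack: exact prefix, wrong origin
    (30, "198.51.100.0/26", [64496, 64666]),  # sub-prefix hijack: more-specific, wrong origin
    (40, "198.51.100.0/25", [64496, 64501]),  # more-specific from the valid origin: TE, no alarm
]

def build_updates():
    """Constructed stream: a quiet first minute, light churn in the second,
    then a burst of 60 updates for one prefix in the third minute."""
    updates = list(BASE_UPDATES)
    for i in range(5):
        updates.append((60 + i * 10, "203.0.113.0/24", [64496, 64502]))
    for i in range(60):
        updates.append((120 + i, "198.51.100.0/24", [64496, 64501]))
    return updates

def origin_as(as_path):
    """Origin AS of an update: the right-most ASN in AS_PATH."""
    if not as_path:
        raise ValueError("empty AS_PATH")
    return as_path[-1]

def covering_baseline_prefix(prefix, baseline):
    """Longest baseline prefix that equals or contains `prefix`, or None."""
    net = ip_network(prefix, strict=False)
    best = None
    for p in baseline:
        cand = ip_network(p)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return str(best) if best is not None else None

def classify_update(prefix, as_path, baseline=EXPECTED_ORIGINS):
    """Return 'prefix-hijack', 'sub-prefix-hijack', or None (nothing to flag).

    A more-specific announced by an expected origin is treated as normal
    (traffic engineering), so legitimate updates do not raise false positives.
    """
    origin = origin_as(as_path)
    covering = covering_baseline_prefix(prefix, baseline)
    if covering is None:
        return None  # nothing in the baseline covers it: cannot judge
    if origin in baseline[covering]:
        return None  # expected origin for this prefix or its covering prefix
    if ip_network(prefix, strict=False).prefixlen == ip_network(covering).prefixlen:
        return "prefix-hijack"
    return "sub-prefix-hijack"

def detect_origin_anomalies(updates, baseline=EXPECTED_ORIGINS):
    """(timestamp, prefix, origin, kind) for every update the baseline rejects."""
    alarms = []
    for ts, prefix, as_path in updates:
        kind = classify_update(prefix, as_path, baseline)
        if kind is not None:
            alarms.append((ts, prefix, origin_as(as_path), kind))
    return alarms

def detect_update_spikes(updates, window=60, factor=5.0, min_prior=2):
    """Flag windows whose update count exceeds `factor` x the mean of earlier
    windows. Only windows containing updates are counted, and no alarm is
    raised until `min_prior` windows of history exist.
    Returns (window_start_seconds, count, baseline_mean) per alarm."""
    counts = Counter(ts // window for ts, _, _ in updates)
    history, alarms = [], []
    for w in sorted(counts):
        n = counts[w]
        if len(history) >= min_prior:
            baseline = sum(history) / len(history)
            if n > factor * baseline:
                alarms.append((w * window, n, baseline))
        history.append(n)
    return alarms
```

Run `detect_origin_anomalies(build_updates())` and `detect_update_spikes(build_updates())` to see the two hijack alarms and the one volume spike; a real deployment would replace the constructed baseline with RPKI or IRR data and tune the window and factor to the observed churn of the collector.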
BGP Anomalies
Key requirements for a next generation of BGP anomaly detection:
• Detect in near real-time different types of BGP disruptions
• Identify the type of BGP disruption
• Locate the source of the disruption
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
BGP Testbed
Why is a BGP testbed important?
1. Lack of ground-truth timestamps for available BGP anomaly events
2. Enables examination of different types of BGP anomalies to help in their identification
3. On available BGP testbeds such as the PEER project, no hijacking or misconfiguration is allowed
BGP Testbed
Types of BGP testbed that have been used:
1. Quagga
2. Swinburne/ICT Cisco Labs
3. Virtual Internet Routing Lab (VIRL)
Quagga
• Routing software package that provides TCP/IP-based routing services
• Supports many routing protocols such as RIP, OSPF, IS-IS, and BGP
Figure: Simple BGP topology on 9 VMs running Quagga
Quagga
• Difficult to manage a large-scale network topology
• No virtualization support
• Number of nodes is limited by hardware specifications
• No chance to try other router OSs such as IOS and Junos
Swinburne/ICT Cisco Labs
• 265 Cisco routers in total
  • 205 routers, Cisco model 2811
  • 60 routers, Cisco model 2620XM
• Swinburne offers a tool to manage the configuration of devices
Swinburne/ICT Cisco Labs
Figure: Simple BGP topology
Swinburne/ICT Cisco Labs
• Time-consuming to set up and tear down a network
• Limited availability of the labs because of teaching
Managing connections
• Difficult to manage network connections in a large-scale network
Swinburne/ICT Cisco Labs
• Still difficult to manage the configuration of routers in a large-scale network
• No virtualization capability
• No chance to try the latest Cisco IOS versions or other router OSs
VIRL Cisco Software
• Virtual Internet Routing Lab
• Uses VM Maestro, OpenStack, AutoNetkit, and Ubuntu
VIRL Cisco Software
• Easy to set up and tear down a network
• Portability and repeatability
• Virtualization capability
• Simplified packet capture
• Deployment of different OSs
  • Cisco OSs such as IOS, IOS XR, IOS XE, and NX-OS
  • Servers such as Ubuntu and FreeBSD
VIRL Cisco Software
15 nodes running on VIRL require:
• 4 CPU cores
• 8 GB DRAM
• Internet access
My target network is > 200 nodes, which requires:
• 40 CPU cores
• 512 GB DRAM
What can I do?
VIRL Cisco Software
• Ask ITS at Swinburne
• 10 nodes, each with 8 cores and 24 GB DRAM
Accessing 10 nodes at EN building
VIRL supports the GraphML format
http://www.topology-zoo.org/
Current/Future Work
• Apply one of the existing global network topologies
• Inject BGP updates
• Create different anomalies and apply different approaches to detecting them
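To connect the two points above (VIRL accepts GraphML, and the plan is to apply an existing Topology Zoo topology), here is an added example, not from the seminar, that parses a Topology Zoo style GraphML file, gives every PoP its own private AS, numbers each link out of a /30 and emits a Quagga bgpd neighbor configuration per node. The GraphML sample, the AS numbering and the 10.x link addressing are constructed assumptions; on VIRL, AutoNetkit would normally generate such configuration itself.

```python
import xml.etree.ElementTree as ET

# Constructed minimal GraphML in Topology Zoo style (not a real zoo file): three PoPs in a
# triangle. Each PoP becomes its own AS in the testbed plan.
SAMPLE_GRAPHML = """
<graphml xmlns="http://graphml.graphdrawing.org/xmlns">
  <key id="d0" for="node" attr.name="label" attr.type="string"/>
  <graph edgedefault="undirected">
    <node id="0"><data key="d0">Melbourne</data></node>
    <node id="1"><data key="d0">Sydney</data></node>
    <node id="2"><data key="d0">Perth</data></node>
    <edge source="0" target="1"/>
    <edge source="1" target="2"/>
    <edge source="0" target="2"/>
  </graph>
</graphml>
"""

def build_testbed(graphml_text, base_asn=64512):
    """Return ({node label: Quagga bgpd config}, [(label_a, ip_a, label_b, ip_b), ...])."""
    ns = {"g": "http://graphml.graphdrawing.org/xmlns"}
    root = ET.fromstring(graphml_text.strip())
    # Topology Zoo stores the node name under the key whose attr.name is "label"
    label_key = next(k.get("id") for k in root.findall("g:key", ns)
                     if k.get("for") == "node" and k.get("attr.name") == "label")
    nodes = {}  # graphml node id -> (label, ASN, index)
    for i, n in enumerate(root.findall(".//g:node", ns)):
        label = n.find(f"g:data[@key='{label_key}']", ns).text
        nodes[n.get("id")] = (label, base_asn + i, i)
    peers = {nid: [] for nid in nodes}  # nid -> [(peer nid, peer ip)]
    links = []
    for j, e in enumerate(root.findall(".//g:edge", ns)):
        s, t = e.get("source"), e.get("target")
        net = f"10.{j // 256}.{j % 256}"  # one constructed /30 per link (up to 65536 links)
        peers[s].append((t, f"{net}.2"))
        peers[t].append((s, f"{net}.1"))
        links.append((nodes[s][0], f"{net}.1/30", nodes[t][0], f"{net}.2/30"))
    configs = {}
    for nid, (label, asn, idx) in nodes.items():
        lines = [f"hostname {label}", f"router bgp {asn}",
                 f" bgp router-id 10.255.0.{idx + 1}"]  # unique per node for up to 254 nodes
        for peer, peer_ip in peers[nid]:
            peer_label, peer_asn, _ = nodes[peer]
            lines.append(f" neighbor {peer_ip} remote-as {peer_asn}")
            lines.append(f" neighbor {peer_ip} description {peer_label}")
        configs[label] = "\n".join(lines) + "\n"
    return configs, links
```

The `links` list gives each node the interface addresses it needs in its zebra configuration, which this example does not generate.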
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
Summary
• BGP is responsible for managing and exchanging Network Layer Reachability Information (NLRI) between ASes while guaranteeing loop avoidance
• BGP is vulnerable to different types of anomalies
• Key requirements for a next generation of BGP anomaly detection
• Challenges of building a BGP testbed, especially for a large-scale network
• VIRL offers a variety of facilities and options with a short time to set up and tear down a network
Acknowledgment
• VIRL team at Cisco for providing a free license and support
• Simon Forsayeth from ITS / Swinburne University for his help and support in making the use of 10 nodes possible with VIRL
Questions