BGP Anomaly Detection
Bahaa Al-Musawi
PhD candidate
Supervisors: Dr. Philip Branch and Prof. Grenville Armitage
balmusawi@swin.edu.au
Centre for Advanced Internet Architectures (CAIA)
Swinburne University of Technology
http://caia.swin.edu.au balmusawi@swin.edu.au 11 June 2015 CAIA Seminar
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
Border Gateway Protocol (BGP)
• The Internet is a decentralized global network
comprised of tens of thousands of Autonomous
Systems (ASes)
• BGP is the Internet’s default Inter-domain routing
protocol
An example of routing topology
Border Gateway Protocol (BGP)
• BGP (RFC1105), BGP2 (RFC1163), BGP3 (RFC1267), and BGP4, whose
latest revision is RFC4271
• BGP is a path vector protocol
• BGP supports Classless Inter-domain Routing (CIDR),
e.g. prefix 192.2.2.0/24 covers 192.2.2.1-192.2.2.255
Border Gateway Protocol (BGP)
• BGP is an incremental protocol
• Routing Information Base (RIB)
• Updates
Connecting a new BGP router
Announcing a new prefix by an AS
BGP Policies
• ASes are the unit of routing policy in BGP
• AS relationships: customer-provider and peer-to-peer
• BGP routing policies:
• Business relationships
• Traffic engineering
• Scalability
• Security related policies
• The number of configuration lines in a single BGP router
can range from hundreds to thousands of lines
Border Gateway Protocol (BGP)
Growth of BGP Table since 1994 from http://bgp.potaroo.net/
BGP Weakness
• BGP is based on trust between all its participants
• BGP does not employ any authentication measures for
advertising routes
• BGP is vulnerable to different types of attacks
• 2005, TTNet announced more than 100,000 incorrect routes
• 2006, AS27506 hijacked panix domain
• 2012, Dodo ISP incident
BGP Anomalies
• Anomalies are patterns in a data set that do not follow
expected behavior
• No BGP updates are sent when there is no change in
topology and/or policies for a network running BGP
• In the real world, many ASes are unstable, causing the
propagation of many abnormal BGP updates
• Distinguishing abnormal BGP updates from a serious
attack is a challenge
Types of BGP Anomalies
1. Direct and Intended Disruptions
2. Direct and Unintended Disruptions
3. Indirect Attacks
4. Hardware Failure
1. Direct and Intended Disruptions
• This type of disruption refers to all types of BGP
hijacking which can appear in different scenarios such
as prefix and sub-prefix hijack.
1. Direct and Intended Disruptions
• False Positive
• Legitimate reasons for anomalous routing updates
• Multi-homing with static link aggregation
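A worked illustration of the prefix and sub-prefix hijack cases above, together with the multi-homing false positive on this slide. This is an added example, not code from the seminar: it checks a constructed stream of announcements against a constructed registry of expected origin ASes (the kind of data a defender would build from IRR route objects or RPKI ROAs) and reports the kind of anomaly, the announced prefix, the covering prefix and the offending origin AS. All prefixes, AS numbers and timestamps are made up; a prefix whose expected origins are unknown gets no verdict rather than a guess.

```python
import ipaddress
from collections import namedtuple

# Constructed stand-in for a registry of expected origin ASes per prefix.
# Each prefix maps to a set of origins so that a legitimately multi-homed
# prefix (multiple origin AS, MOAS) is not reported as a hijack.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64501, 64502},  # multi-homed: two legitimate origins
}

Update = namedtuple("Update", "timestamp prefix as_path")

# Constructed sample of BGP announcements as a collector might see them.
SAMPLE_UPDATES = [
    Update(1433980800, "203.0.113.0/24", [64510, 64500]),    # normal
    Update(1433980810, "203.0.113.0/24", [64510, 64666]),    # prefix hijack
    Update(1433980820, "203.0.113.128/25", [64520, 64666]),  # sub-prefix hijack
    Update(1433980830, "198.51.100.0/22", [64510, 64502]),   # MOAS, legitimate
    Update(1433980840, "198.51.100.0/24", [64510, 64501]),   # owner deaggregates
    Update(1433980850, "192.0.2.0/24", [64510, 64530]),      # no ground truth
]


def build_registry(expected=EXPECTED_ORIGINS):
    """Parse the prefix strings once so lookups compare networks, not text."""
    return {ipaddress.ip_network(p): frozenset(o) for p, o in expected.items()}


def classify(update, registry):
    """Return None when the announcement agrees with the registry, otherwise
    (kind, announced_prefix, covering_prefix, origin_as, expected_origins)."""
    net = ipaddress.ip_network(update.prefix, strict=False)
    origin = update.as_path[-1]            # origin AS is the last hop of AS_PATH
    owners = registry.get(net)
    if owners is not None:                 # exact-match prefix is registered
        if origin in owners:
            return None
        return ("prefix_hijack", str(net), str(net), origin, sorted(owners))
    for reg_net, owners in registry.items():   # look for a covering prefix
        if reg_net.version == net.version and net.subnet_of(reg_net):
            if origin in owners:
                return None                # owner announcing its own more-specific
            return ("subprefix_hijack", str(net), str(reg_net), origin, sorted(owners))
    return None                            # unregistered prefix: no verdict


def detect(updates, expected=EXPECTED_ORIGINS):
    """Run classify() over a stream and return timestamped alerts."""
    registry = build_registry(expected)
    alerts = []
    for u in updates:
        verdict = classify(u, registry)
        if verdict is not None:
            alerts.append((u.timestamp,) + verdict)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_UPDATES):
        print(alert)
```

The sub-prefix check deliberately treats a more-specific announced by one of the registered owners as legitimate, which is what keeps the multi-homed and deaggregation cases from turning into false positives; the trade-off is that a registry with a stale or over-broad owner set will hide a real hijack, so the registry itself needs to be maintained with the same care as a ROA.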
1. Direct and Intended Disruptions
• Examples
• May 2005, AS174 hijacked one of Google's prefixes: connectivity to
the google.com domain was lost for nearly an hour
• April 2011, Link Telecom incident: an attacker hijacked AS12812 and its
prefixes for around 6 months
2. Direct and Unintended Disruptions
• Refers to BGP misconfiguration such as:
• Pakistan incident-2008: advertised an invalid YouTube prefix causing
many ASes to lose access to the site
• Indosat incident-2014: propagated over 320,000 incorrect routes
Pakistan event 2008
3. Indirect Disruptions
• Nimda-2001: an around 30-fold increase in BGP updates
was observed
• Slammer-2003: dramatic spikes in the number of BGP
updates
Update messages during the Slammer attack, 22-29 January 2003
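The Nimda and Slammer observations above are volume anomalies: the update rate jumps well above its recent level, even though no single announcement need look wrong on its own. The following added example (not part of the seminar) shows a simple rate-based detector over a constructed stream of (timestamp, prefix, origin AS) tuples: it bins updates into one-minute windows, compares each window against the median of the preceding quiet windows, and, when a window is flagged, reports which origin AS contributed most, as a first step towards locating the source. The window size, history length and threshold are assumed parameters, and the timestamps, prefixes and AS numbers are made up.

```python
import statistics
from collections import Counter, defaultdict

WINDOW = 60       # seconds per bin (assumed)
HISTORY = 5       # preceding unflagged bins that form the baseline (assumed)
THRESHOLD = 5.0   # flag a bin whose count exceeds THRESHOLD x baseline median (assumed)


def make_stream():
    """Constructed update stream of (timestamp, prefix, origin_as): ten minutes
    of quiet background traffic, with minute 6 flooded by a single origin AS."""
    t0 = 1043193600                      # 22 Jan 2003 00:00 UTC, aligned to WINDOW
    background = [("198.51.100.0/24", 64500), ("203.0.113.0/24", 64501),
                  ("192.0.2.0/24", 64502)]
    stream = []
    for minute in range(10):
        for i, (prefix, origin) in enumerate(background):
            stream.append((t0 + minute * 60 + i * 20, prefix, origin))
    for j in range(40):                  # burst of 40 updates inside minute 6
        stream.append((t0 + 6 * 60 + j, "203.0.113.0/24", 64666))
    return stream


def bin_updates(stream, window=WINDOW):
    """Group updates by window start time, returned in chronological order."""
    bins = defaultdict(list)
    for ts, prefix, origin in stream:
        bins[(ts // window) * window].append((prefix, origin))
    return dict(sorted(bins.items()))


def detect_spikes(stream, window=WINDOW, history=HISTORY, threshold=THRESHOLD):
    """Return one alert per window whose update count exceeds threshold times
    the median of the last `history` unflagged windows. Flagged windows are
    kept out of the baseline so a long-running event does not raise its own bar."""
    alerts, baseline_counts = [], []
    for start, updates in bin_updates(stream, window).items():
        n = len(updates)
        if len(baseline_counts) >= history:
            baseline = statistics.median(baseline_counts[-history:])
            if baseline > 0 and n > threshold * baseline:
                # Which origin AS is responsible for most of the burst?
                top_origin, top_n = Counter(o for _, o in updates).most_common(1)[0]
                alerts.append({"window_start": start, "count": n,
                               "baseline": baseline, "top_origin": top_origin,
                               "top_origin_share": round(top_n / n, 2)})
                continue
        baseline_counts.append(n)
    return alerts


if __name__ == "__main__":
    for alert in detect_spikes(make_stream()):
        print(alert)
```

A median baseline is used rather than a mean so that a single noisy window does not drag the threshold up; in practice the window size and threshold have to be tuned per collector, since a Tier-1 peer's normal update rate would look like a spike against a small stub network's baseline.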
4. Hardware Failure
• Moscow blackout-2005: Several hours
• Mediterranean cable-2008: > 20 countries
Number of BGP Updates during Moscow event
BGP Anomalies Detection Techniques
BGP Statistics
• The huge variation in the size of the Internet is driving
increasing instability in BGP
• 40K anomalous route events were reported in the 12
months from May 2011
• 20% of hijacks and misconfigurations lasted less than
10 minutes, yet were able to pollute 90% of the Internet
in less than 2 minutes
BGP Anomalies
Key Requirements for a next generation of BGP anomaly
detection:
• Detect in near real-time different types of BGP disruptions
• Identify type of BGP disruptions
• Locate the source of disruption
BGP Testbed
Why is a BGP testbed important?
1. Lack of ground-truth timestamps for available BGP
anomaly events
2. Enable examination of different types of BGP
anomalies to help in their identification
3. On available BGP testbeds such as the PEER project,
no hijacking or misconfiguration is allowed
BGP Testbed
Types of BGP testbed that have been used:
1. Quagga
2. Swinburne/ICT Cisco Labs
3. Virtual Internet Routing Lab (VIRL)
Quagga
• Routing software package that provides TCP/IP-based
routing services
• Supports many routing protocols such as RIP, OSPF,
IS-IS, and BGP
Simple BGP Topology on 9 VMs running Quagga
Quagga
• Difficult to manage a large-scale network topology
• No virtualization support
• Number of nodes is limited by hardware specifications
• No chance to try other router OSs such as IOS and
Junos
Swinburne/ICT Cisco Labs
• 265 Cisco routers in total
• 205 Cisco 2811 routers
• 60 Cisco 2620XM routers
• Swinburne offers a tool to manage configuration of
devices
Swinburne/ICT Cisco Labs
Simple BGP topology
Swinburne/ICT Cisco Labs
• Time consuming to set up and tear down a network
• Limited availability of labs because of teaching
Managing connections
• Difficult to manage network connections in a large-scale
network
Swinburne/ICT Cisco Labs
• Still difficult to manage the configuration of routers in a
large-scale network
• No virtualization capability
• No chance to try the latest Cisco IOS versions or other
router OSs
VIRL Cisco Software
• Virtual Internet Routing Lab
• Uses VMMaestro, OpenStack, Autonetkit, and Ubuntu
VIRL Cisco Software
• Easy to set up and tear down a network
• Portability and repeatability
• Virtualization capability
• Simplified packet capture
• Deployment of different OSs
• Cisco OSs such as IOS, IOS XR, IOS XE, and NX-OS
• Servers such as Ubuntu and FreeBSD
VIRL Cisco Software
15 nodes running on VIRL require:
• 4 CPU cores
• 8 GB DRAM
• Internet Access
My target network is > 200 nodes, which requires:
• 40 CPU cores
• 512 GB DRAM
What can I do?
VIRL Cisco Software
• Ask ITS at Swinburne
• 10 nodes each with 8 cores and 24 GB DRAM
Accessing 10 nodes at EN building
VIRL Supports graphml format
http://www.topology-zoo.org/
Current/Future Work
• Apply one of the existing global network topologies
• Inject BGP updates
• Create different anomalies and apply different
approaches to detecting them
Summary
• BGP is responsible for managing and exchanging Network
Layer Reachability Information (NLRI) between ASes while
guaranteeing loop avoidance
• BGP is vulnerable to different types of anomalies
• Key requirements for a next generation of BGP
anomaly detection
• Challenges of building a BGP testbed, especially for a
large-scale network
• VIRL offers a variety of facilities and options with a short
time to set up and tear down a network
Acknowledgment
• VIRL team at Cisco for providing free license and
support
• Simon Forsayeth from ITS / Swinburne University for
his help and support to make the use of 10 nodes
possible with VIRL
Questions
