ELISHA: On Detection and Analysis of BGP Anomalous Dynamics
S. Felix Wu, Computer Science Department, University of California, Davis
wu@cs.ucdavis.edu  http://www.cs.ucdavis.edu/~wu/
Visualization and Monitoring of Network Traffic, Dagstuhl, Germany
“BGP”
• Border Gateway Protocol
• the inter-domain routing protocol for the Internet
“BGP” (AS6192, UCDavis: 169.237/16)
• Autonomous System (AS): a set of routers owned by one single administrative domain
• Address Prefix: a block of IP addresses, e.g. 169.237/16
• Example: AS6192 consists of the routers in UC Davis; UC Davis owns 169.237/16
“BGP” (AS6192, UCDavis: 169.237/16)
• How would I let the whole world know about 169.237/16? I announce that I own 169.237/16.
• More importantly, how would anybody else in the Internet know how to send (route, forward) an IP packet to 169.237/16? Once the announcement has propagated, others know how to send packets to 169.237/16.
Peering ASes (UCDavis: 169.237/16, announced through AS6192, AS11423 (UC), AS11537 (CENIC), AS513)
Peering is a local/decentralized trust based on a business contract!
How the AS Path grows as the announcement propagates (AS6192 → AS11423 (UC) → AS11537 (CENIC) → AS513):
• AS6192 originates: 169.237/16, AS Path: 6192
• AS6192 → AS11423: 169.237/16, AS Path: 11423 6192
• AS11423 → AS11537: 169.237/16, AS Path: 11537 11423 6192
• AS11537 → AS513: 169.237/16, AS Path: 513 11537 11423 6192
Packet Forwarding: a packet destined to 169.237/16 travels the AS Path in reverse, 513 → 11537 → 11423 → 6192.
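To make the path build-up above concrete, here is a small added example (not code from the talk) that floods a prefix over the slide's chain of peerings, prepends each ASN as the route is passed on, and applies BGP's AS_PATH loop check. The links are the slide's own but are treated as bidirectional peerings (an assumption the slides do not spell out); the shortest-path tie-break is a stand-in for the real BGP decision process.

```python
"""Added example (not code from the talk): how an AS_PATH grows as a route
propagates. The links are the ones on the slides, treated as bidirectional
peerings (an assumption the slides do not spell out)."""
from collections import deque

# Peerings from the slides: UC Davis -> UC -> CENIC -> AS513.
LINKS = [(6192, 11423), (11423, 11537), (11537, 513)]


def adjacency(links):
    """Undirected adjacency: every peer announces to the other."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def as_paths(origin_as, adj):
    """Flood a route from its origin. Each AS prepends its own ASN before
    re-announcing, so the AS_PATH reads nearest-hop first, origin last.
    Returns {asn: best AS_PATH as a tuple}."""
    best = {origin_as: (origin_as,)}
    queue = deque([origin_as])
    while queue:
        asn = queue.popleft()
        path = best[asn]
        for peer in sorted(adj.get(asn, ())):
            if peer in path:
                # BGP loop prevention: a router rejects any route whose
                # AS_PATH already contains its own ASN.
                continue
            candidate = (peer,) + path
            current = best.get(peer)
            # Prefer the shorter AS_PATH; on a tie, the lexically smaller
            # path stands in for BGP's remaining tie-breakers.
            if current is None or (len(candidate), candidate) < (len(current), current):
                best[peer] = candidate
                queue.append(peer)
    return best


def format_route(prefix, path):
    """Render a route the way the slides do: prefix, then the AS_PATH."""
    return f"{prefix}: {' '.join(str(a) for a in path)}"


if __name__ == "__main__":
    paths = as_paths(6192, adjacency(LINKS))
    for asn in (6192, 11423, 11537, 513):
        print(f"at AS{asn}  ->  {format_route('169.237/16', paths[asn])}")
```

Running it reproduces the four slides: AS513 ends up with "169.237/16: 513 11537 11423 6192", and the loop check is what stops AS11423 from handing the route back to AS6192.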
The Scale of the “Internet” (at the time of this talk)
• 31344 Autonomous Systems
• 294340 IP Address Prefixes announced
• Every single prefix, and its “dynamics”, must be propagated to every single AS.
• Every single AS must maintain a routing table such that it knows how to route traffic toward any one of the 294340 prefixes to the right destination.
• BGP is the protocol to support the exchange of routing information for ALL prefixes in ALL ASes.
The “Internet” (figures: growth in the number of ASes and of announced Prefixes)
The Dynamics of “Internet”
• Link/node failures
• Software malfunctions
• Implementation related
• Policy configuration
• Topology changes
• Other “interesting” dynamics (that we can not explain well yet…)
BGP Observation Points (e.g. RIPE, AS12654): “Get the real BGP data”
Each peer will tell us, at any moment of time, how to reach each of the 294340 prefixes!
Multiple BGP Observation Points: Oregon (Route Views), RIPE, UC Davis
The Dynamics of “Internet” (figure)
BGP
• Do we really understand the problems within BGP or inter-domain routing?
• Do we really understand the problems in BGP operations today or in the past?
Examining BGP anomalies is an expensive process even with the right tools!
• Given an ocean of BGP update events:
• Can we identify, maybe in a probabilistic sense, a much smaller subset (or the most important subset) of these events for the network operators to investigate?
Statistical Anomalies (pipeline): raw events → function F → long-term profile → quantify the anomalies → threshold control → alarm generation
“But, which feature(s) to profile??”
(figures: anomaly scores for two parameter settings, K = 4, T = 240 and K = 2, T = 600)
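The slide sketches the profile-and-threshold pipeline but leaves F, K and T undefined. The following added example (my illustration, not ELISHA's code) assumes that F is the number of BGP updates per T-second window, that the long-term profile is the running mean and standard deviation of earlier windows, and that an alarm fires when a window exceeds mean + K·std. Those readings of K and T are assumptions, and the update timestamps are constructed to contain one burst.

```python
"""Added example, not the ELISHA implementation: the profile/threshold
pipeline from the slide applied to one candidate feature.

Assumptions (the slide does not define them): F = number of updates per
T-second window; long-term profile = running mean/stddev of earlier
windows; alarm when a window exceeds mean + K * stddev."""
import math


def constructed_timestamps(T):
    """Constructed update times (seconds): 2-3 updates per window as a
    steady background, plus a burst of 30 extra updates in window 10."""
    ts = []
    for w in range(12):
        base = w * T
        ts += [base + 10, base + 100]
        if w % 3 == 0:
            ts.append(base + 200)
    ts += [10 * T + s for s in range(0, 120, 4)]
    return ts


def window_counts(timestamps, T):
    """Feature F: updates per T-second window, empty windows included."""
    if not timestamps:
        return []
    last = max(timestamps) // T
    counts = [0] * (last + 1)
    for ts in timestamps:
        counts[ts // T] += 1
    return counts


def detect_anomalies(counts, K, warmup=5, min_std=1.0):
    """Return indices of windows exceeding mean + K*std of the long-term
    profile. The profile is kept with Welford's online mean/variance;
    alarmed windows are not folded back into it, so a burst cannot raise
    its own threshold. min_std keeps a flat baseline from alarming on +1."""
    n = 0
    mean = 0.0
    m2 = 0.0
    alarms = []
    for i, x in enumerate(counts):
        if n >= warmup:
            std = math.sqrt(m2 / (n - 1)) if n > 1 else 0.0
            if x > mean + K * max(std, min_std):
                alarms.append(i)
                continue
        n += 1
        delta = x - mean
        mean += delta / n
        m2 += delta * (x - mean)
    return alarms


if __name__ == "__main__":
    for K, T in ((4, 240), (2, 600)):
        counts = window_counts(constructed_timestamps(T), T)
        print(f"K = {K}, T = {T}: counts {counts} -> alarms at windows {detect_anomalies(counts, K)}")
```

Both settings flag window 10 on this input; on real data they would not agree, which is the slide's point about threshold control. The open question "which feature(s) to profile" is the choice of `window_counts`: swapping it for, say, OASC events per window or updates per prefix changes what the same profile machinery is able to see.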
Examining BGP anomalies is an expensive process even with the right tools!
“Anomaly” as something we can’t explain…
• Given an ocean of BGP update events:
• Can we identify, maybe in a probabilistic sense, a much smaller subset (or the most important subset) of these events for the network operators to investigate?
Can we “explain” every piece of information?
Main Challenges
• We have too much information (maybe…)
• We don’t have all the information we need…
• ISPs are not sharing a lot…
• We don’t even know how the information is generated (meta-information): BGP policy, router vendors/versions
• (forming) Hypothesis Testing
Examining BGP anomalies is an expensive process even with the right tools! (revisited)
What do I really want to see?
Origin AS Changes (OASC), as seen from observation point AS12654
• Ownership: UCDavis (AS-6192) owns 169.237/16 and AS-6192 is the origin AS
• Current: AS Path 2914 209 11423 6192 for prefix 169.237/16
• New: AS Path 2914 3011 273 81 (origin AS-81); even worse: for the more specific 169.237.6/24, which longest-prefix matching prefers regardless of the AS Path
• Which route path to use? Legitimate or Abnormal??
Internet Global Failures
• AS7007 falsely de-aggregated 65000+ network prefixes in 1997 and the east coast Internet was down for 12 hours.
(figure: prefixes 169.237/16, 142.7.6/24, 204.5.68/24, … drawn into a Black Hole instead of reaching AS6192 through AS11423 (UC), AS11537 (CENIC), AS513)
Active BGP Entries (figure: size of the global routing table over time, annotated with the incidents)
1997, AS 7007, 60K+ prefixes
2001, AS 15412, 30K+ prefixes
2004, AS 9121, 100K+ prefixes
2008, AS 17557, 1 prefix
BGP MOAS/OASC Events (IMW’2001, DSOM’2003, ANM’2008, GlobeCom/CSET’2009)
(figure: daily MOAS/OASC event counts; max: 10226 in one day, 9177 of them from a single AS)
BGP OASC
• The case of April 2001
• First analysis (2001)
• We thought we had solved the problem in 2003 (DSOM’2003).
• We missed something!
Real-Time OASC Detection
• Low level events: BGP Route Updates
• High level events: OASC, 1000+ per day and max 10226 per day; per 3-minute window in the real-time demo
• Visualized: IP address blocks, Origin AS in BGP Update Messages, different types of OASC events
“Normal” (figure)
AS81 punched a “hole” in 169.237/16
• Yesterday: AS-6192 (the victim) originated 169.237/16
• Today: AS-6192 still originates 169.237/16, but AS-81 (the offender) also originates the more specific 169.237.6/24
OASC Event Types
• Using different colors to represent types of OASC events
• C type: CSS, CSM, CMS, CMM
• H type: H
• B type: B
• O type: OS, OM
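The detection step described on the preceding slides (the origin change on 169.237/16, the AS81 hole punched with 169.237.6/24, and counting events per 3-minute window to find the AS behind most of them), as an added example that is not the ELISHA implementation. It models only two event kinds, labelled C (origin of an existing prefix changes) and H (a new more-specific prefix with a different origin than its covering prefix) under my reading of the slides; the full CSS/CSM/CMS/CMM/B/OS/OM taxonomy is not reproduced. The update stream is constructed, using the slides' prefixes and ASNs.

```python
"""Added example (not the ELISHA code): deriving origin-AS-change (OASC)
events from a stream of BGP route updates, then ranking origin ASes by
how many events they cause per window.

Two event kinds only, under a simplified reading of the slides:
  C  origin AS of an already-announced prefix changes
  H  a new more-specific prefix appears whose origin differs from the
     covering prefix's origin (AS81 "punching a hole" in 169.237/16)
"""
import ipaddress
from collections import Counter

# Constructed update stream: (time in seconds, prefix, AS_PATH).
# AS_PATH is nearest-peer first, so the origin AS is the last element;
# None stands for a withdrawal.
UPDATES = [
    (0,   "169.237.0.0/16", [2914, 209, 11423, 6192]),
    (10,  "204.5.68.0/24",  [2914, 3011, 273, 81]),
    (120, "169.237.6.0/24", [2914, 3011, 273, 81]),   # hole punched by AS81
    (130, "169.237.0.0/16", [2914, 3011, 273, 81]),   # origin change 6192 -> 81
    (140, "142.7.6.0/24",   [2914, 3011, 273, 81]),   # new prefix, no conflict
    (150, "204.5.68.0/24",  None),                    # withdrawal, no event
]


class OascDetector:
    """Keeps prefix -> origin AS and emits an event when that view changes."""

    def __init__(self):
        self.origin = {}   # ipaddress network -> origin ASN

    def covering(self, net):
        """Longest known prefix that strictly contains `net`, or None."""
        best = None
        for known in self.origin:
            if known.prefixlen < net.prefixlen and net.subnet_of(known):
                if best is None or known.prefixlen > best.prefixlen:
                    best = known
        return best

    def feed(self, time, prefix, as_path):
        """Process one update; return a list of
        (time, type, prefix, old_origin, new_origin) events (often empty)."""
        net = ipaddress.ip_network(prefix)
        if as_path is None:
            self.origin.pop(net, None)
            return []
        new_origin = as_path[-1]
        events = []
        old = self.origin.get(net)
        if old is None:
            cov = self.covering(net)
            if cov is not None and self.origin[cov] != new_origin:
                events.append((time, "H", prefix, self.origin[cov], new_origin))
        elif old != new_origin:
            events.append((time, "C", prefix, old, new_origin))
        self.origin[net] = new_origin
        return events


def detect(updates):
    """Low-level route updates in, high-level OASC events out."""
    det = OascDetector()
    events = []
    for t, prefix, path in updates:
        events.extend(det.feed(t, prefix, path))
    return events


def offenders(events, window=180):
    """Events per (3-minute window, new origin AS): one AS dominating a
    window is the AS7007/AS15412 pattern from the talk."""
    counts = Counter()
    for t, _typ, _prefix, _old, new in events:
        counts[(t // window, new)] += 1
    return counts


if __name__ == "__main__":
    evs = detect(UPDATES)
    for e in evs:
        print(e)
    print(offenders(evs).most_common(3))
```

On the constructed stream the detector emits an H event at t=120 and a C event at t=130, both with AS81 as the new origin, and `offenders` attributes both to AS81 in window 0. The covering-prefix search is linear for clarity; a radix tree is what a real-time version over ~300K prefixes would use.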
AS15412 in April, 2001 (figure)
April 6, 2001: AS15412 caused 40K+ MOAS/OASC events within 2 weeks…
April 7-14, 2001 (figures: one panel per day, showing all OASC events next to those involving AS15412 only)
April 18-19, 2001 – Again?? (figures: for each day, all OASC events next to those involving AS15412 only)
Hypothesis
AS15412 made two similar mistakes. They spent about 6 days to fix the first instance, and one day for the second instance.
1997, AS 7007, 60K+ prefixes
2001, AS 15412, 30K+ prefixes
2004, AS 9121, 100K+ prefixes
2008, AS 17557, 1 prefix?? (Pakistan Telecom’s announcement of a YouTube /24: a single prefix, invisible in a plot of routing-table size)
HINT: We “visually” detected this problem!