
BGP-lens: Patterns and Anomalies in Internet Routing Updates


Presentation Transcript


  1. BGP-lens: Patterns and Anomalies in Internet Routing Updates
     B. Aditya Prakash (1), Nicholas Valler (2), David Andersen (1), Michalis Faloutsos (2), Christos Faloutsos (1)
     (1) Carnegie Mellon University, (2) UC-Riverside
     KDD 2009, Paris

  2. Introduction
     (Figure: table of BGP update messages; each row is one update)
     • Border Gateway Protocol (BGP)
       • Internet routing protocol
       • routers send messages to each other
       • keeps path information up-to-date
     • Ideal setting: no BGP updates
     • In reality: many updates
       • link failures, router restarts, malicious behavior

  3. Introduction contd.
     Question: Find patterns/anomalies?
     • Challenges:
       • Millions of updates sent over the network
       • Data has multiple dimensions
       • Noisy measurements
       • Impossible for a human to sift through the updates
     Automated tool needed!

  4. The Data
     • Data from Datapository.net
     • Abilene Network: 18 million update messages over two years!

  5. Our Approach
     • Look at a simple time-series
       • Focus on just the time
       • # of updates received every b seconds (bin size)
     • Specific problem we are tackling
       • Given such a time-series
       • Report patterns and anomalies
       • Also find suspicious entities (paths, ASes etc.)
     (Figure: time axis split into bins of b seconds, labelled Bin: 0, 1, … and Count: 4, 2, …)

  6. Real data: Washington Router
     (Figure: # of updates vs. bin number ('time'), bin size = 600s)
     • Very bursty!
     • Traditional tools like FFT and auto-regression don't work

  7. Outline
     • Introduction and Problem Statement
     • Techniques
       • Temporal Analysis
       • Frequency Analysis
     • BGP-lens at work
     • Conclusions

  8. Temporal Analysis
     (Figure: log-linear plot of the update counts, bin size: 10s)
     • First cut: take a log-linear plot
       • emphasizes small values over high values

  9. But: bin size is important!

  10. Bin size: 600s
     (Figure: the long horizontal runs of updates are the 'clotheslines')

  11. Clotheslines
     Q1: Why clotheslines?
     • Near-consecutive updates over a long time period
     • Can be route flapping
       • advertise/withdraw the same path frequently
       • important to identify
     Q2: How to automate this discovery?

  12. Proposal: Marginals to the Rescue
     • PDF of volume of updates
       • Number of time-bins with a given volume
     • Extremes == height of the clotheslines!

  13. Marginals to the Rescue
     • PDF of volume of updates
       • Number of time-bins with a given volume

  14. Algorithm - Clotheslines (details)
     • For the marginals plot, use the median-filtering approach to determine 'outliers'
     • For each time interval found, report the most consistent IPs/ASes etc.
     High-level idea only; details in the paper!
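The binning of slide 5 and the clothesline search of slides 11-14, as an added example that is not the BGP-lens code: it bins update timestamps, builds the marginal (bins per volume), flags outlier bins with a median/MAD filter (the slide only names "median filtering", so this exact rule is an assumption) and reports the prefix most consistently present in each run of outlier bins. The input is a constructed list of (timestamp, prefix) pairs, not real Abilene data.

```python
from collections import Counter
import statistics

def bin_updates(updates, bin_size, n_bins):
    """updates: (timestamp_seconds, prefix) pairs -> per-bin counts and prefixes per bin."""
    counts = [0] * n_bins
    members = [Counter() for _ in range(n_bins)]
    for ts, prefix in updates:
        b = int(ts // bin_size)
        if 0 <= b < n_bins:
            counts[b] += 1
            members[b][prefix] += 1
    return counts, members

def marginal(counts):
    """The marginal: how many time-bins carry each update volume (PDF of volume)."""
    return Counter(counts)

def outlier_bins(counts, k=3.0):
    """Median filter (assumed rule): volume above median + k*MAD; MAD of 0 falls back to 1."""
    med = statistics.median(counts)
    mad = statistics.median(abs(c - med) for c in counts) or 1.0
    return [i for i, c in enumerate(counts) if c > med + k * mad]

def clotheslines(counts, members, min_len=3, k=3.0):
    """Runs of consecutive outlier bins -> (first_bin, last_bin, most consistent
    prefix, fraction of the run's bins it appears in); ties broken by update count."""
    found, run = [], []
    for i in outlier_bins(counts, k) + [None]:  # None is a sentinel to flush the last run
        if run and (i is None or i != run[-1] + 1):
            if len(run) >= min_len:
                present, total = Counter(), Counter()
                for b in run:
                    present.update(members[b].keys())
                    total.update(members[b])
                top = max(present, key=lambda p: (present[p], total[p]))
                found.append((run[0], run[-1], top, present[top] / len(run)))
            run = []
        if i is not None:
            run.append(i)
    return found

def sample_updates():
    """Constructed sample (not real data): 20 bins of 600 s; two prefixes send one
    update per bin as background, and 203.0.113.0/24 flaps every 60 s in bins 8-13."""
    ups = []
    for b in range(20):
        ups += [(b * 600 + 5, "198.51.100.0/24"), (b * 600 + 300, "192.0.2.0/24")]
    ups += [(ts, "203.0.113.0/24") for ts in range(8 * 600, 14 * 600, 60)]
    return ups
```

On the sample the marginal has two spikes (14 bins of volume 2, 6 bins of volume 12) and the single clothesline reported spans bins 8-13 with the flapping prefix present in every bin of it.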

  15. Outline
     • Introduction and Problem Statement
     • Techniques
       • Temporal Analysis
       • Frequency Analysis
     • BGP-lens at work
     • Conclusions

  16. Frequency Analysis: scalogram
     (Figure: scalogram of the signal over time; low frequencies at the top, high frequencies at the bottom; a high-energy region forms a 'tornado' that does not touch down, surrounded by low energy)

  17. In real data…
     (Figure: scalogram of real data, event E2 marked)

  18. E2: ~8 hrs, ~20,000 updates!

  19. Why Prolonged Spike?
     • Bursts of short duration
     • Can represent malicious behavior
     • Or simple router restarts!
     • Exact cause hard to find, but important for system administrators

  20. Algorithm - Prolonged Spikes (details)
     • Basic idea: find tornadoes in the scalogram
       • Find a suitable starting point at the higher levels
       • Extend downward as much as possible
     • The finest scale where the tornado stops
       • gives the shortest time period to look for a prolonged spike
     • Again, details in the paper!
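A simplified version of the prolonged-spike search of slide 20, added here as an illustration and not the authors' algorithm: the scalogram is approximated by dyadic window sums of the bin counts, outlier windows at each scale are found with the same median/MAD filter used for clotheslines, and the search starts at the coarsest scale that shows an outlier and extends downward until the tornado stops. The window-sum scalogram and the MAD threshold are assumptions; the series is constructed.

```python
import statistics

def window_sums(counts, width):
    """One scalogram row (assumed form): sums over non-overlapping windows of `width` bins."""
    return [sum(counts[i:i + width]) for i in range(0, len(counts) - width + 1, width)]

def outliers(series, k=3.0):
    """Median/MAD filter: indices whose value exceeds median + k*MAD (MAD of 0 -> 1)."""
    med = statistics.median(series)
    mad = statistics.median(abs(v - med) for v in series) or 1.0
    return {i for i, v in enumerate(series) if v > med + k * mad}

def prolonged_spikes(counts, bin_size, k=3.0):
    """Scan dyadic scales coarse to fine. Start at the coarsest scale with an outlier
    window, follow its child windows down while they stay outliers, and report
    (first_bin, end_bin_exclusive, duration_seconds of the finest scale reached)."""
    widths, s = [], 1
    while s <= len(counts) // 2:
        widths.append(s)
        s *= 2
    flagged = {w: outliers(window_sums(counts, w), k) for w in widths}
    coarse = [w for w in reversed(widths) if flagged[w]]
    if not coarse:
        return []
    events = []
    for start in sorted(flagged[coarse[0]]):
        level, current = coarse[0], {start}
        while level > 1:
            kids = {2 * i + j for i in current for j in (0, 1)} & flagged[level // 2]
            if not kids:
                break  # the tornado stops: not visible one scale finer
            level, current = level // 2, kids
        events.append((min(current) * level, (max(current) + 1) * level, level * bin_size))
    return events

def sample_counts():
    """Constructed series (not real data): 64 bins of 600 s, a 1,2,3,4 repeating
    background, plus a modest but sustained +2 updates/bin in bins 16-31."""
    return [1 + i % 4 + (2 if 16 <= i < 32 else 0) for i in range(64)]
```

On the sample no single bin is an outlier, yet the sustained excess stands out from the 16-bin scale down to the 4-bin scale, so the search reports bins 16-31 with a shortest period of 2400 s.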

  21. Scalability

  22. BGP-lens: User Interface
     Optional knobs:
     • #: number of suspicious events the sysadmin wants to check
     • duration: length of events to be checked (think daily vs. weekly vs. monthly)

  23. Outline
     • Introduction and Problem Statement
     • Techniques
       • Temporal Analysis
       • Frequency Analysis
     • BGP-lens at work
     • Conclusions

  24. BGP-lens at Work
     • We found real events too. Examples:
     • Event 1: 50-clothesline
       • Prefix and origin AS pointed to Alabama Supercomputing Net
       • When contacted, sysadmins attributed the changes to route flapping:
         "the route for 207.157.115.0/24 was appearing and disappearing in [the] IGP routing table ... [which] may have caused BGP to flap."
       • Anomaly went undetected and unresolved for 30 days!

  25. Results from real data
     Event 2: Prolonged Spike
     • May 12th 2006: 8hr spike
     • Most persistent IPs/ASes: primary and middle schools in a large district in a country
     • Two more spikes: Jan 18-19, 2006 and Aug 1

  26. Conclusions
     • Studied huge real data (~18 million updates)
     • Developed two new techniques
       • effective: spots subtle phenomena like clotheslines and prolonged spikes
       • scalable
     • BGP-lens: a user-friendly tool
       • provides reasonable defaults
       • provides easy-to-use knobs
       • gives leads like IPs/ASes

  27. Thank You!
     • Any questions?
     • www.cs.cmu.edu/~badityap
     • We thank NSF, USA for their support.
     • Author-Reel!

  28. Extra - Frequency Analysis
     • Data is self-similar!
       • we used the entropy-plot measure
       • also called the b-model [26]
       • corresponds to a b-model of 75-25
     • Multi-resolution techniques needed!
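The entropy plot and b-model fit mentioned on this slide, worked through as an added example (not the authors' code): E(l) is the entropy of the update mass over 2^l equal time intervals; for a b-model with bias b the plot is a straight line of slope H(b), the binary entropy, so a 75-25 split corresponds to slope ≈ 0.81. The series here is a constructed b-model, not Abilene data; the bisection inverse of H(b) is this example's own.

```python
import math

def b_model(b, levels):
    """Deterministic b-model: recursively split each interval's mass b : (1-b).
    Returns 2**levels values summing to 1.0 (constructed self-similar series)."""
    series = [1.0]
    for _ in range(levels):
        series = [part for v in series for part in (b * v, (1 - b) * v)]
    return series

def entropy_plot(counts, max_level):
    """Points (l, E(l)): entropy of the update mass over 2**l equal intervals."""
    total = sum(counts)
    points = []
    for level in range(max_level + 1):
        parts = 2 ** level
        width = len(counts) // parts
        ent = 0.0
        for i in range(parts):
            p = sum(counts[i * width:(i + 1) * width]) / total
            if p > 0:
                ent -= p * math.log2(p)
        points.append((level, ent))
    return points

def slope(points):
    """Least-squares slope of E(l) versus l; a straight line means self-similarity."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    return sum((x - mx) * (y - my) for x, y in points) / sum((x - mx) ** 2 for x, _ in points)

def binary_entropy(b):
    """H(b): the entropy-plot slope of a b-model with bias b (H(0.75) ≈ 0.811)."""
    return -b * math.log2(b) - (1 - b) * math.log2(1 - b)

def bias_from_slope(s):
    """Recover the bias b in [0.5, 1) from a measured slope by bisection on H(b),
    which decreases from 1 at b = 0.5 towards 0 as b approaches 1."""
    lo, hi = 0.5, 1.0 - 1e-12
    for _ in range(60):
        mid = (lo + hi) / 2
        if binary_entropy(mid) > s:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2
```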

  29. Extra - FFT

  30. Extra – Marginals for 10sec

  31. Extra – Prolonged Spike Algorithm
