Detecting BGP Instability Using RQA

Detecting BGP Instability Using RQATo be presented in IEEE IPCCC 2015

Bahaa Al-MusawiPhD candidate

SupervisorsDr. Philip Branch and Prof. Grenville Armitage

[email protected] for Advanced Internet Architectures (CAIA)

Swinburne University of Technology

http://caia.swin.edu.au [email protected] 06 November 2015 2 CAIA Seminar

Outline

• BGP

• BGP Instability

• Modeling BGP as a dynamical system

• Recurrence Quantification Analysis (RQA)

• Results and Discussions

• Conclusions


Border Gateway Protocol (BGP)• The Internet: decentralised network, 10k+ of

Autonomous Systems (ASes)

• BGP is the Internet’s default Inter-domain routing protocol

An example of routing topology


Border Gateway Protocol (BGP)

• BGP4 is last revision (RFC4271)

• BGP supports Classless Inter-domain Routing (CIDR),

ex. prefix 192.2.2.0/24 192.2.2.1-192.2.2.255

• BGP is a path vector protocol


Outline

• BGP

• BGP Instability




• Conclusions


BGP Instability• Routing instability--fluctuation in topology information

and network reachability

• BGP instability--fluctuations in the number of BGP updates and/or path length for an AS

• BGP instability-- hardware failure, misconfiguration, hijacking, software bugs, faulty equipment, and DoS attacks.

• Instability-- performance, processing load, and distribution balance of traffic load for BGP speakers


BGP Instability• Theoretically-- no BGP updates are sent when there is

no change in topology and/or policies

• In the real world-- many ASes are unstable causing propagation of many abnormal BGP updates

• Challenge-- distinguishing abnormal BGP updates from a serious attack


BGP Instability• 40K anomalous route events were reported in the 12

months from May 2011

• 20% of the hijacking and misconfigurations lasted less than 10 minutes

• They are able to pollute 90% of the Internet in less than 2 minutes

• These statistics demonstrate the need for a real-time detection of BGP instability


Outline

• BGP

• BGP Instability




• Conclusions


Modeling• A dynamical system is defined by a phase space, a

time evolution law, and continuous or discrete time

• In phase space, all possible states of a system are represented

• The phase space parameters: embedding dimension and time delay


Type of motion• Type of motions in dynamical systems: stable, noisy,

and chaotic

• Estimating the type of motion is a difficult task when only a series of data is available

Lyapunov exponents estimation for AS10102


BGP Periodicity• BGP data is complex, noisy, and voluminous

• One possible source of periodicity is the Minimal Route Advertisement Interval (MRAI)

• MRAI-- minimum amount of time between two subsequent advertisements to a particular destination

• Active ASes: show reasonably periodic behaviour in terms of sending BGP updates


BGP Periodicity

Unsynchronised aggregation of different periodic updates

Periodicity of unstable ASes


Determinism and non-linearity• Determinism and linearity properties-- helps to select

an appropriate method to predict system behaviour

• We use Delay Vector Variance (DVV) method

• DVV requires the proper selection of time delay and embedding dimension


Determinism and non-linearity

Estimation of determinism and non-linearity


Modeling outcomesBGP messages sent from BGP speakers have been characterized as:

1.Deterministic

2.Stable

3.Non-linear


Outline

• BGP

• BGP Instability




• Conclusions


Recurrence Quantification Analysis (RQA)• RQA is an advanced nonlinear analysis technique

based on a phase plane trajectory

• RQA provides several measures of complexity such as1. Recurrence Rate (RR): measures the percentage of

recurrent points in the phase space

2. Trapping Time (TT): measures how long the system remains in a specific state


Recurrence Quantification Analysis (RQA)• Based on BGP instability, we use two BGP features:

1. Total number of BGP update

2. Average length of AS-PATH

• Calculate RQA measurements for the two BGP features over time


Outline

• BGP

• BGP Instability




• Conclusions


Results and Discussions• Recent incidents of BGP instability was observed on

the 12th of July 2015 by Telekom Malaysia (TMnet)

• AS4788 accidentally announced approximately 179,000 prefixes to Level3

• TMnet caused significant packet loss and slow Internet service around the world


Results and Discussions

Instability detection for BGP volume feature at AS10102



Rapid detection for instability with RQA



Instability detection for average AS-PATH length feature at AS10102



Anomalous behaviour for MRAI in AS10102


Conclusions• We model a BGP speaker as a dynamical system

• BGP speakers show stable, deterministic, and nonlinear behaviour

• Two possibilities for recurrence behaviour: MRAI and the unsynchronised aggregation updates for active ASes

• RQA can rapidly identify BGP instability without the need for a long BGP history

• RQA can also detect hidden anomalous behaviour which might otherwise pass without observation


Questions

Date post:	23-Jan-2017
Category:	Engineering
Upload:	bahaa-musawi
View:	59 times
Download:	2 times

Detecting BGP Instability Using RQA

Engineering