BGP Anomaly Detection (CAIA Seminar slides; source PDF: http://caia.swin.edu.au/talks/CAIA-TALK-150611A.pdf)

Date posted: 30-Mar-2018

Transcript

BGP Anomaly Detection

Bahaa Al-Musawi, PhD candidate

Supervisors: Dr. Philip Branch and Prof. Grenville Armitage

[email protected]

Centre for Advanced Internet Architectures (CAIA), Swinburne University of Technology

http://caia.swin.edu.au [email protected] 11 June 2015 CAIA Seminar

Outline

• BGP

• BGP Anomalies

• BGP Testbed

• Summary


Border Gateway Protocol (BGP)

• The Internet is a decentralized global network comprised of tens of thousands of Autonomous Systems (ASes)

• BGP is the Internet's default inter-domain routing protocol

An example of routing topology

Border Gateway Protocol (BGP)

• BGP (RFC1105), BGP2 (RFC1163), BGP3 (RFC1267), and BGP4 with its last revision (RFC4271)

• BGP is a path vector protocol

• BGP supports Classless Inter-domain Routing (CIDR), e.g. prefix 192.2.2.0/24 → 192.2.2.1-192.2.2.255

Border Gateway Protocol (BGP)

• BGP is an incremental protocol

• Routing Information Base (RIB)

• Updates

Connecting a new BGP router

Announcing a new prefix by an AS

BGP Policies

• ASes are the unit of routing policy in BGP

• AS relationships: customer-provider and peer-to-peer

• BGP routing policies:

  • Business relationships

  • Traffic engineering

  • Scalability

  • Security-related policies

• The number of configuration lines in a single BGP router can range from hundreds to thousands of lines

Border Gateway Protocol (BGP)

Growth of BGP Table since 1994 from http://bgp.potaroo.net/


BGP Weakness

• BGP is based on trust between all its participants

• BGP does not employ any authentication measures for advertising routes

• BGP is vulnerable to different types of attacks

  • 2005, TTNet announced more than 100,000 incorrect routes

  • 2006, AS27506 hijacked the Panix domain

  • 2012, Dodo ISP incident


BGP Anomalies

• Anomalies are patterns in a data set that do not follow expected behavior

• No BGP updates are sent when there is no change in topology and/or policies for a network running BGP

• In the real world, many ASes are unstable, causing propagation of many abnormal BGP updates

• Distinguishing abnormal BGP updates caused by instability from those caused by a serious attack is a challenge

Types of BGP Anomalies

1. Direct and Intended Disruptions

2. Direct and Unintended Disruptions

3. Indirect Attacks

4. Hardware Failure


1. Direct and Intended Disruptions

• This type of disruption refers to all types of BGP hijacking, which can appear in different scenarios such as prefix and sub-prefix hijack.

1. Direct and Intended Disruptions

• False Positive

• Legitimate reasons for anomalous routing updates

• Multi-homing with static link aggregation

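As an added illustration (not code from the slides or the speaker), the following Python sketch shows how a monitor could flag the two hijack forms named above while letting the multi-homing case through: it keeps a prefix-to-origin table and raises an alert when a known prefix is re-originated by an unexpected AS (prefix hijack) or when a more-specific prefix of a known prefix appears from a different origin (sub-prefix hijack). The update sample, the ASNs and the multi-origin allowlist are constructed for the example.

```python
"""Added example (not from the slides): flag prefix and sub-prefix hijack
candidates from a stream of BGP announcements, while tolerating prefixes
that are legitimately originated by more than one AS (multi-homing)."""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed sample of (prefix, origin AS) announcements in arrival order;
# all ASNs and prefixes are made up for illustration.
SAMPLE_UPDATES = [
    ("192.2.2.0/24", 64500),
    ("198.51.100.0/22", 64501),
    ("198.51.100.0/25", 64501),  # more-specific from the same origin: traffic engineering, not a hijack
    ("203.0.113.0/24", 64502),
    ("203.0.113.0/24", 64503),   # second origin, but listed as multi-homed below
    ("192.2.2.0/24", 64510),     # known prefix re-originated elsewhere: prefix hijack candidate
    ("198.51.100.0/24", 64511),  # more-specific from a foreign AS: sub-prefix hijack candidate
]

# Constructed allowlist: prefixes expected to carry more than one origin AS.
KNOWN_MULTI_ORIGIN: Dict[str, Set[int]] = {"203.0.113.0/24": {64502, 64503}}

Alert = Tuple[str, str, int, int]  # (kind, prefix, expected origin, seen origin)


def detect_hijacks(updates: List[Tuple[str, int]],
                   known_multi_origin: Dict[str, Set[int]]) -> List[Alert]:
    """Replay announcements and return hijack candidates in detection order."""
    origins = {}  # ip_network -> first origin AS seen for that exact prefix
    alerts: List[Alert] = []
    for prefix_str, asn in updates:
        net = ipaddress.ip_network(prefix_str)
        allowed = known_multi_origin.get(prefix_str, set())
        if net in origins:
            # Same prefix, different origin: suspicious unless multi-homed.
            if asn != origins[net] and asn not in allowed:
                alerts.append(("prefix-hijack", prefix_str, origins[net], asn))
            continue
        # First sighting of this prefix: is it a more-specific of one we know?
        for known, origin in origins.items():
            if known.version != net.version or known == net:
                continue
            if net.subnet_of(known) and asn != origin and asn not in allowed:
                alerts.append(("subprefix-hijack", prefix_str, origin, asn))
                break
        origins[net] = asn
    return alerts
```

A real deployment would seed the origin table from a trusted source (for example a registry or a long baseline of stable announcements) rather than from the first announcement it happens to see.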

1. Direct and Intended Disruptions

• Examples

  • May 2005, AS174 hijacked one of Google's prefixes: connectivity to the google.com domain was lost for nearly an hour

  • April 2011, Link Telecom incident: an attacker hijacked AS12812 and its prefixes for around 6 months

2. Direct and Unintended Disruptions

• Refers to BGP misconfiguration such as:

  • Pakistan incident-2008: advertised an invalid YouTube prefix, causing many ASes to lose access to the site

  • Indosat incident-2014: propagated over 320,000 incorrect routes

Pakistan event 2008

3. Indirect Disruptions

• Nimda-2001: around a 30-fold increase in BGP updates was observed

• Slammer-2003: dramatic spikes in the number of BGP updates

Update Messages During Slammer Attack from 22-29 January 2003

4. Hardware Failure

• Moscow blackout-2005: several hours

• Mediterranean cable-2008: > 20 countries

Number of BGP Updates during Moscow event
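The Nimda, Slammer and Moscow examples share one detectable symptom: the number of BGP updates per unit time jumps far above its normal level. The following Python sketch is an added example, not the speaker's code, that bins constructed update timestamps and flags bins whose count exceeds a robust baseline; it keeps flagged bins out of that baseline so a surge lasting several bins does not mask its own later bins.

```python
"""Added example (not from the slides): detect update-volume surges of the
kind seen during Nimda, Slammer and the Moscow blackout by comparing each
time bin against a robust baseline of recent quiet bins."""
from statistics import median
from typing import List, Tuple

# Constructed per-minute update counts from a single monitor: normal churn
# of roughly 110-140 updates/min followed by a three-minute surge.
SAMPLE_COUNTS = [120, 130, 110, 140, 125, 115, 135, 120, 4200, 3900, 3500, 130, 125]


def bin_counts(timestamps: List[int], bin_seconds: int) -> List[int]:
    """Bucket raw update timestamps (epoch seconds, any order) into
    consecutive fixed-width bins starting at the earliest timestamp."""
    if not timestamps:
        return []
    start = min(timestamps)
    counts = [0] * ((max(timestamps) - start) // bin_seconds + 1)
    for t in timestamps:
        counts[(t - start) // bin_seconds] += 1
    return counts


def spike_bins(counts: List[int], window: int = 6,
               factor: float = 10.0) -> List[Tuple[int, int, float]]:
    """Return (bin index, count, count/baseline) for every bin whose count is
    at least `factor` times the median of the last `window` quiet bins.
    Flagged bins are excluded from the baseline, so a surge that lasts
    several bins does not raise the bar for the bins that follow it."""
    quiet: List[int] = []          # recent bins judged normal
    alerts: List[Tuple[int, int, float]] = []
    for i, count in enumerate(counts):
        if len(quiet) >= window:
            baseline = max(median(quiet[-window:]), 1.0)  # never divide by zero
            ratio = count / baseline
            if ratio >= factor:
                alerts.append((i, count, round(ratio, 1)))
                continue               # keep the spike out of the baseline
        quiet.append(count)
    return alerts
```

Volume alone says nothing about which of the four anomaly types is unfolding; it only tells the analyst when to look, which is why the later slides ask for type identification and source location as separate requirements.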

BGP Anomalies Detection Techniques

BGP Statistics

• The huge variance in the size of the Internet is leading towards increasing instability of BGP

• 40K anomalous route events were reported in the 12 months from May 2011

• 20% of the hijacks and misconfigurations lasted less than 10 minutes, yet an event can pollute 90% of the Internet in less than 2 minutes

BGP Anomalies

Key requirements for a next generation of BGP anomaly detection:

• Detect different types of BGP disruptions in near real-time

• Identify the type of BGP disruption

• Locate the source of the disruption


BGP Testbed

Why is a BGP testbed important?

1. Lack of ground-truth timestamps for the available BGP anomaly events

2. Enables examination of different types of BGP anomalies to help in their identification

3. On available BGP testbeds such as the PEER project, no hijacking or misconfiguration is allowed

BGP Testbed

Types of BGP testbed that have been used:

1. Quagga

2. Swinburne/ICT Cisco Labs

3. Virtual Internet Routing Lab (VIRL)

Quagga

• Routing software package that provides TCP/IP-based routing services

• Supports many routing protocols such as RIP, OSPF, IS-IS, and BGP

Simple BGP Topology on 9 VMs running Quagga

Quagga

• Difficult to manage a large-scale network topology

• No virtualization support

• Number of nodes is limited by the hardware specifications

• No chance to try other router OSs such as IOS and Junos

Swinburne/ICT Cisco Labs

• 265 Cisco routers in total

  • 205 routers: Cisco model 2811

  • 60 routers: Cisco model 2620XM

• Swinburne offers a tool to manage the configuration of devices

Swinburne/ICT Cisco Labs

Simple BGP topology


Swinburne/ICT Cisco Labs

• Time-consuming to set up and tear down a network

• Limited availability of labs because of teaching

Managing connections

• Difficult to manage network connections in a large-scale network

Swinburne/ICT Cisco Labs

• Still difficult to manage the configuration of routers in a large-scale network

• No virtualization capability

• No chance to try the latest Cisco IOS versions or other router OSs

VIRL Cisco Software

• Virtual Internet Routing Lab

• Uses VMMaestro, OpenStack, Autonetkit, and Ubuntu


VIRL Cisco Software

• Easy to set up and tear down a network

• Portability and repeatability

• Virtualization capability

• Simplified packet capture

• Deployment of different OSs

  • Cisco operating systems such as IOS, IOS XR, IOS XE, and NX-OS

  • Servers such as Ubuntu and FreeBSD

VIRL Cisco Software

15 nodes running on VIRL require:

• 4 CPU cores

• 8 GB DRAM

• Internet access

My target network is > 200 nodes, which requires:

• 40 CPU cores

• 512 GB DRAM

What can I do?

VIRL Cisco Software

• Ask ITS at Swinburne

• 10 nodes, each with 8 cores and 24 GB DRAM

Accessing 10 nodes at EN building


VIRL supports the graphml format

http://www.topology-zoo.org/

Current/Future Work

• Apply one of the existing global network topologies

• Inject BGP updates

• Create different anomalies and apply different approaches to detecting them


Summary

• BGP is responsible for managing and exchanging Network Layer Reachability Information (NLRI) between ASes while guaranteeing loop avoidance

• BGP is vulnerable to different types of anomalies

• Key requirements for a next generation of BGP anomaly detection

• Challenges of building a BGP testbed, especially for a large-scale network

• VIRL offers a variety of facilities and options with a short time to set up and tear down a network

Acknowledgment

• The VIRL team at Cisco for providing a free license and support

• Simon Forsayeth from ITS / Swinburne University for his help and support in making the use of 10 nodes with VIRL possible

Questions

