BGP Anomaly Detection Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage [email protected] Centre for Advanced Internet Architectures (CAIA) Swinburne University of Technology
BGP Anomaly DetectionBahaa Al-Musawi
PhD candidate Supervisors: Dr. Philip Branch and Prof.
Grenville Armitage
Centre for Advanced Internet Architectures (CAIA)Swinburne University of Technology
http://caia.swin.edu.au [email protected] 11 June 2015 2 CAIA Seminar
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
http://caia.swin.edu.au [email protected] 11 June 2015 3 CAIA Seminar
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
http://caia.swin.edu.au [email protected] 11 June 2015 4 CAIA Seminar
Border Gateway Protocol (BGP)• The Internet is a decentralized global network
comprised of tens of thousands of Autonomous Systems (ASes)
• BGP is the Internet’s default Inter-domain routing protocol
An example of routing topology
http://caia.swin.edu.au [email protected] 11 June 2015 5 CAIA Seminar
Border Gateway Protocol (BGP)
• BGP (RFC1105), BGP2 (RFC1163), BGP3 (RFC1267), and
BGP4 with last revision (RFC4271)
• BGP is a path vector protocol
• BGP supports Classless Inter-domain Routing (CIDR), ex.
prefix 192.2.2.0/24 192.2.2.1-192.2.2.255
http://caia.swin.edu.au [email protected] 11 June 2015 6 CAIA Seminar
Connecting a new BGP router
Border Gateway Protocol (BGP)• BGP is an incremental protocol
• Routing Information Base (RIB)
• Updates
http://caia.swin.edu.au [email protected] 11 June 2015 7 CAIA Seminar
Announcing a new prefix by an AS
Border Gateway Protocol (BGP)• BGP is an incremental protocol
• Routing Information Base (RIB)
• Updates
http://caia.swin.edu.au [email protected] 11 June 2015 8 CAIA Seminar
BGP Policies• ASes are the unit of routing policy in BGP
• ASes relationships: customer-provider and peer-to-peer
• BGP routing policies:• Business relationships
• Traffic engineering
• Scalability
• Security related policies
• Number of configuration lines in a single BGP router can range from hundreds to thousands lines
http://caia.swin.edu.au [email protected] 11 June 2015 9 CAIA Seminar
Border Gateway Protocol (BGP)
Growth of BGP Table since 1994 from http://bgp.potaroo.net/
http://caia.swin.edu.au [email protected] 11 June 2015 10 CAIA Seminar
BGP Weakness• BGP based on the trust between all its participants
• BGP does not employ any authentication measures for advertising routes
• BGP is vulnerable to different types of attacks• 2005, TTNet announced more than 100,000 incorrect routes
• 2006, AS27506 hijacked panix domain
• 2012, Dodo ISP incident
http://caia.swin.edu.au [email protected] 11 June 2015 11 CAIA Seminar
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
http://caia.swin.edu.au [email protected] 11 June 2015 12 CAIA Seminar
BGP Anomalies• Anomalies are patterns in a data set that do not follow
expected behavior
• No BGP updates are sent when there is no change in topology and/or policies for a network running BGP
• In the real world, many ASes are unstable causing propagation of many abnormal BGP updates
• Distinguishing abnormal BGP updates from a serious attack is a challenge
http://caia.swin.edu.au [email protected] 11 June 2015 13 CAIA Seminar
Types of BGP Anomalies1. Direct and Intended Disruptions
2. Direct and Unintended Disruptions
3. Indirect Attacks
4. Hardware Failure
http://caia.swin.edu.au [email protected] 11 June 2015 14 CAIA Seminar
1. Direct and Intended Disruptions• This type of disruption refers to all types of BGP hijacking
which can appear in different scenarios such as prefix and sub-prefix hijack.
http://caia.swin.edu.au [email protected] 11 June 2015 15 CAIA Seminar
1. Direct and Intended Disruptions• False Positive
• Legitimate reasons for anomalous routing updates
• Multi-homing with static link aggregation
http://caia.swin.edu.au [email protected] 11 June 2015 16 CAIA Seminar
1. Direct and Intended Disruptions• Examples
• May 2005, AS174 hijacked one of Google prefixes: lose connectivity to the google.com domain for nearly an hour
• April 2011, Link Telecom incident: an attacker hijacked AS12812 and its prefixes for a round 6 months
http://caia.swin.edu.au [email protected] 11 June 2015 17 CAIA Seminar
2. Direct and Unintended Disruptions• Refers to BGP misconfiguration such as:
• Pakistan incident-2008: advertised an invalid YouTube prefix causing many ASes to lose access to the site
• Indosat incident-2014: propagated over 320,000 incorrect routes
Pakistan event 2008
http://caia.swin.edu.au [email protected] 11 June 2015 18 CAIA Seminar
3. Indirect Disruptions• Nimda-2001: around 30 fold increase of BGP updates
was observed
• Slammer-2003: dramatic spikes in number of BGP updates
Updates Messages During Slammer Attack from 22-29 January 2003
http://caia.swin.edu.au [email protected] 11 June 2015 19 CAIA Seminar
4. Hardware Failure• Moscow blackout-2005: Several hours
• Mediterranean cable-2008: > 20 countries
Number of BGP Updates during Moscow event
http://caia.swin.edu.au [email protected] 11 June 2015 20 CAIA Seminar
BGP Anomalies Detection Techniques
http://caia.swin.edu.au [email protected] 11 June 2015 21 CAIA Seminar
BGP Anomalies Detection Techniques
http://caia.swin.edu.au [email protected] 11 June 2015 22 CAIA Seminar
BGP Statistics• The huge variance in the size of the Internet is leading
towards increasing instability of BGP
• 40K anomalous route events were reported in the 12 months from May 2011
• 20% of the hijacking and misconfigurations lasted less
than 10 minutes but with the ability to pollute 90% of
the Internet in less than 2 minutes
http://caia.swin.edu.au [email protected] 11 June 2015 23 CAIA Seminar
BGP Anomalies
Key Requirements for a next generation of BGP anomaly detection:
• Detect in near real-time different types of BGP disruptions
• Identify type of BGP disruptions
• Locate the source of disruption
http://caia.swin.edu.au [email protected] 11 June 2015 24 CAIA Seminar
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
http://caia.swin.edu.au [email protected] 11 June 2015 25 CAIA Seminar
BGP Testbed
Why BGP Testbed is important ?
1.Lack of ground truth timestamps for available BGP anomalies events
2.Enable examination of different types of BGP anomalies to help in their identification
3.On available BGP testbeds such as the PEER project, no hijacking or misconfiguration is allowed
http://caia.swin.edu.au [email protected] 11 June 2015 26 CAIA Seminar
BGP Testbed
Types of BGP testbed that have been used:
1.Quagga
2.Swinburne/ ICT Cisco Labs
3.Virtual Internet Routing Lab (VIRL)
http://caia.swin.edu.au [email protected] 11 June 2015 27 CAIA Seminar
Quagga• Routing S/W package that provides TCP/IP based
routing services.
• Supports many routing protocols such as RIP, OSPF, IS-IS, and BGP
Simple BGP Topology on 9 VMs running Quagga
http://caia.swin.edu.au [email protected] 11 June 2015 28 CAIA Seminar
Quagga
• Difficult to manage large scale network topology
• No Virtualization support
• No. of nodes is limited to H/W specifications
• No chance to try other router OSs such as IOS and Junos
http://caia.swin.edu.au [email protected] 11 June 2015 29 CAIA Seminar
Swinburne/ICT Cisco Labs
• Totally 265 Cisco routers• 205 routers Cisco model 2811
• 60 routers Cisco model 2620XM
• Swinburne offers a tool to manage configuration of devices
http://caia.swin.edu.au [email protected] 11 June 2015 30 CAIA Seminar
Swinburne/ICT Cisco Labs
Simple BGP topology
http://caia.swin.edu.au [email protected] 11 June 2015 31 CAIA Seminar
Swinburne/ICT Cisco Labs
• Time consuming to setup and tear-down a network
• Limited availability of labs because of teaching
http://caia.swin.edu.au [email protected] 11 June 2015 32 CAIA Seminar
Managing connections
• Difficult to manage network connections with a large scale network
http://caia.swin.edu.au [email protected] 11 June 2015 33 CAIA Seminar
Swinburne/ICT Cisco Labs
• Still difficult to manage configuration of routers in a large scale network
• No Virtualization capability
• No chance to try latest Cisco IOS versions or other Routers OSs
http://caia.swin.edu.au [email protected] 11 June 2015 34 CAIA Seminar
VIRL Cisco Software
• Virtual Internet Routing Lab
• Uses VMMaestro, OpenStack, Autonetkit, and Ubuntu
http://caia.swin.edu.au [email protected] 11 June 2015 35 CAIA Seminar
VIRL Cisco Software
• Easy to setup and teardown a network
• Portability and repeatability
• Virtualization capability
• Simplified packet capture
• Deployment of different OSs• Cisco IOS such IOS,IOS XR, IOS XE, and NX-OS
• Servers such as Ubuntu and FreeBSD
http://caia.swin.edu.au [email protected] 11 June 2015 36 CAIA Seminar
VIRL Cisco Software15 nodes running on VIRL requires:
• 4 CPU cores
• 8 GB DRAM
• Internet Access
My target network is > 200 nodes which requires• 40 CPU cores
• 512 GB DRAM
What can I do?
http://caia.swin.edu.au [email protected] 11 June 2015 37 CAIA Seminar
VIRL Cisco Software• ASK ITS at Swinburne
• 10 nodes each with 8 cores and 24 GB DRAM
http://caia.swin.edu.au [email protected] 11 June 2015 38 CAIA Seminar
Accessing 10 nodes at EN building
http://caia.swin.edu.au [email protected] 11 June 2015 39 CAIA Seminar
VIRL Supports graphml format
http://www.topology-zoo.org/
http://caia.swin.edu.au [email protected] 11 June 2015 40 CAIA Seminar
Current/Future Work• Apply one of exist global network topologies
• Inject BGP updates
• Create different anomalies and apply different approaches to detecting them
http://caia.swin.edu.au [email protected] 11 June 2015 41 CAIA Seminar
Outline
• BGP
• BGP Anomalies
• BGP Testbed
• Summary
http://caia.swin.edu.au [email protected] 11 June 2015 42 CAIA Seminar
Summary• BGP is responsible for managing and exchanging Network
NLRI between ASes with guarantee of avoiding loops
• BGP is vulnerable to different types of anomalies
• Key requirements for a next generation of BGP anomalies detection
• Challenges of building BGP testbed especially for large scale network
• VIRL offers a variety of facilities and options with short time to setup and tear down a network
http://caia.swin.edu.au [email protected] 11 June 2015 43 CAIA Seminar
Acknowledgment• VIRL team at Cisco for providing free license and
support
• Simon Forsayeth from ITS / Swinburne University for his help and support to make the use of 10 nodes possible with VIRL