Monitoring Route Changes

BGP Series Part 2: Monitoring Route Changes Young Xu, Product Marketing Analyst

2

•  May 5th 2016 •  Intro to Autonomous Systems, the BGP protocol and

how routes are advertised and learned

BGP Webinar Series

•  June 16th 2016 •  How to visualize, diagnose and set alerts to detect

BGP hijacks and leaks

How BGP Works

Detecting Hijacks & Leaks

•  May 24th 2016 •  Explore data from routing change events and

learn how to detect BGP changes with alerts

Monitoring Route Changes

Optimizing AS Paths

•  July 26th 2016 •  Tips and tricks for using routing data to improve how

traffic flows into or out of your network

3

About ThousandEyes ThousandEyes delivers visibility into every network your organization relies on.

Founded by network experts; strong

investor backing

Relied on for "critical operations by leading enterprises

Recognized as "an innovative "

new approach

27 Fortune 500 5 top 5 SaaS Companies

4 top 6 US Banks

4

45 monitors on 30+ networks

See inbound routing to your prefixes

Collecting BGP Data

Establish a BGP multi-hop session with ThousandEyes

See outbound routing

to key services and endpoints

Public Monitors Private Monitors

Your BGP speaker

ThousandEyes collector

5

Visualizing BGP Routing

Origin AS (Comcast)

Public vantage points

Upstream ISP (Level3)

Upstream ISP (NTT)

Github prefix

6

Visualizing Routing Changes

Withdrawn routes to Level3 New or updated

routes via Comcast

7

Inside à Out Visibility: Private BGP Monitors

Amazon

8

•  Routes change in two ways: 1.  AS Path vector changes

–  Doesn’t change the destination prefix –  Can change with new routes, withdrawn

routes or updated route preferences 2.  A more specific prefix appears or

disappears –  Changes the destination prefix –  Covered and covering prefixes can be

used to maintain multiple routing policies in the routing table

–  Routes can be quickly changed as needed

How Routes Change

9

•  Policy and Peering Changes –  Commercial relationships –  DDoS mitigation –  Equipment failures – Maintenance

•  Routing misconfigurations –  Attribute confusion

–  Prepending errors –  Route flapping

•  Route hijacking and leaks – Others advertising your prefix – Or a more specific prefix

Types of BGP Changes

10

•  Options to influence inbound routing to your network include: –  Introducing new routes

–  Advertising new routes –  Introducing a more specific prefix with a different route

–  Withdrawing routes –  Changing BGP attributes in route advertisements

–  AS path prepending –  Multi-exit discriminator (MED) –  Communities (e.g. NO-EXPORT); BGP conditional advertisements

•  Both the origin AS and upstream ISPs can make peering changes –  Monitor reachability and make sure that new routes are correct and propagated

•  Look for: One-time AS path change, new providers or prefixes –  Example: First Horizon changed ISPs by introducing a covered prefix.

lswfk.share.thousandeyes.com

Policy and Peering Changes

11

•  Coordinated handover from upstream ISP TW Telecom to Level 3

Policy and Peering Changes: First Horizon

Time: 22:30 CDT Prefix: 198.72.78.0/23

Time: 22:45 CDT Prefix: 198.72.78.0/24

Changes in TW routes

Level 3 routes to new covered prefix

Severe packet loss issues, due to delay between withdrawn TW routes and new Level 3 routes

12

•  BGP is commonly used to shift traffic to scrubbing centers of DDoS mitigation providers during an attack

•  Look for: Mitigation provider’s AS either appearing directly upstream from Origin AS or becoming Origin AS –  Example: Discover changed their upstream providers from AT&T

and Sprint to Prolexic. ugkspyenl.share.thousandeyes.com

DDoS Mitigation

13

DDoS Mitigation: Discover

Sprint

AT&T

Withdrawn routes to

AT&T, Sprint

New routes through Prolexic

Prolexic

14

•  Failures can occur on links or interfaces in upstream providers – May re-route on its own or may require intervention

•  Look for: Issues isolated within specific ISPs and subsequent routing changes –  Example: When upstream ISP Verizon experienced severe issues,

First Data made a BGP change and dropped Verizon. qoeaud.share.thousandeyes.com

Equipment Failures

15

Equipment Failures: First Data New routes

through AT&T

Withdrawn routes to Verizon

16

•  Common misconfigurations include: –  BGP attribute confusion

–  AS path prepending errors –  Route flapping –  Route leaks

•  Look for: Unexpected ASes, routes or route changes –  Example: Country Financial mistyped an AS when prepending the

AS path. tetuntn.share.thousandeyes.com

Routing Misconfigurations

17

Routing Misconfigurations: Country Financial

Access2Go (correct ISP)

Mistyped AS (Jaguar Comms.) prepended to AS path

No routes to AS 15011 led to terminal paths and loops

18

•  When routes alternate or are advertised and withdrawn in rapid sequence –  Usually from equipment or configuration errors – Often causes packet loss and performance degradation

•  Look for: Repeating spikes or elevated levels of route changes over time –  Example: Ancestry’s upstream ISP XO Communications

experienced a route flap. imjlgyfuk.share.thousandeyes.com

Route Flapping

19

Route Flapping: Ancestry

All routes to XO withdrawn Routes to XO

re-advertised

Route flap led to convergence delay issues, where traffic had already

entered the network but no longer had the routes to leave

20

Tuning Your BGP Alerts Scenario Threshold Peering Changes, Route Flaps

Path Changes > 1 Reachability < 100%

DDoS Mitigation Activation

Origin ASN in ___ Prefix not in ___ Next Hop ASN in ___

Prepending Errors Next Hop ASN not in ___

Prefix Hijacking, Leaks Origin ASN not in ___ Covered Prefix exists

Join us in Part 3 for a discussion on detecting BGP hijacks and leaks

See what you’re missing.

Watch the webinar:

www.thousandeyes.com/webinars/monitoring-route-changes