BGP Anomaly Detection Bahaa Al-Musawi PhD candidate Supervisors: Dr. Philip Branch and Prof. Grenville Armitage [email protected]Centre for Advanced Internet Architectures (CAIA) Swinburne University of Technology http://caia.swin.edu.au [email protected]11 June 2015 2 CAIA Seminar Outline • BGP • BGP Anomalies • BGP Testbed • Summary
1. BGP Anomaly Detection Bahaa Al-Musawi PhD candidate
Supervisors: Dr. Philip Branch and Prof. Grenville Armitage
[email protected] Centre for Advanced Internet Architectures
(CAIA) Swinburne University of Technology http://caia.swin.edu.au
[email protected] 11 June 2015 2CAIA Seminar Outline BGP BGP
Anomalies BGP Testbed Summary
2. http://caia.swin.edu.au [email protected] 11 June 2015
3CAIA Seminar Outline BGP BGP Anomalies BGP Testbed Summary
http://caia.swin.edu.au [email protected] 11 June 2015 4CAIA
Seminar Border Gateway Protocol (BGP) The Internet is a
decentralized global network comprised of tens of thousands of
Autonomous Systems (ASes) BGP is the Internets default Inter-domain
routing protocol An example of routing topology
3. http://caia.swin.edu.au [email protected] 11 June 2015
5CAIA Seminar Border Gateway Protocol (BGP) BGP (RFC1105), BGP2
(RFC1163), BGP3 (RFC1267), and BGP4 with last revision (RFC4271)
BGP is a path vector protocol BGP supports Classless Inter-domain
Routing (CIDR), ex. prefix 192.2.2.0/24 192.2.2.1-192.2.2.255
http://caia.swin.edu.au [email protected] 11 June 2015 6CAIA
Seminar Connecting a new BGP router Border Gateway Protocol (BGP)
BGP is an incremental protocol Routing Information Base (RIB)
Updates
4. http://caia.swin.edu.au [email protected] 11 June 2015
7CAIA Seminar Announcing a new prefix by an AS Border Gateway
Protocol (BGP) BGP is an incremental protocol Routing Information
Base (RIB) Updates http://caia.swin.edu.au [email protected] 11
June 2015 8CAIA Seminar BGP Policies ASes are the unit of routing
policy in BGP ASes relationships: customer-provider and
peer-to-peer BGP routing policies: Business relationships Traffic
engineering Scalability Security related policies Number of
configuration lines in a single BGP router can range from hundreds
to thousands lines
5. http://caia.swin.edu.au [email protected] 11 June 2015
9CAIA Seminar Border Gateway Protocol (BGP) Growth of BGP Table
since 1994 from http://bgp.potaroo.net/ http://caia.swin.edu.au
[email protected] 11 June 2015 10CAIA Seminar BGP Weakness BGP
based on the trust between all its participants BGP does not employ
any authentication measures for advertising routes BGP is
vulnerable to different types of attacks 2005, TTNet announced more
than 100,000 incorrect routes 2006, AS27506 hijacked panix domain
2012, Dodo ISP incident
6. http://caia.swin.edu.au [email protected] 11 June 2015
11CAIA Seminar Outline BGP BGP Anomalies BGP Testbed Summary
http://caia.swin.edu.au [email protected] 11 June 2015 12CAIA
Seminar BGP Anomalies Anomalies are patterns in a data set that do
not follow expected behavior No BGP updates are sent when there is
no change in topology and/or policies for a network running BGP In
the real world, many ASes are unstable causing propagation of many
abnormal BGP updates Distinguishing abnormal BGP updates from a
serious attack is a challenge
7. http://caia.swin.edu.au [email protected] 11 June 2015
13CAIA Seminar Types of BGP Anomalies 1. Direct and Intended
Disruptions 2. Direct and Unintended Disruptions 3. Indirect
Attacks 4. Hardware Failure http://caia.swin.edu.au
[email protected] 11 June 2015 14CAIA Seminar 1. Direct and
Intended Disruptions This type of disruption refers to all types of
BGP hijacking which can appear in different scenarios such as
prefix and sub-prefix hijack.
8. http://caia.swin.edu.au [email protected] 11 June 2015
15CAIA Seminar 1. Direct and Intended Disruptions False Positive
Legitimate reasons for anomalous routing updates Multi-homing with
static link aggregation http://caia.swin.edu.au
[email protected] 11 June 2015 16CAIA Seminar 1. Direct and
Intended Disruptions Examples May 2005, AS174 hijacked one of
Google prefixes: lose connectivity to the google.com domain for
nearly an hour April 2011, Link Telecom incident: an attacker
hijacked AS12812 and its prefixes for a round 6 months
9. http://caia.swin.edu.au [email protected] 11 June 2015
17CAIA Seminar 2. Direct and Unintended Disruptions Refers to BGP
misconfiguration such as: Pakistan incident-2008: advertised an
invalid YouTube prefix causing many ASes to lose access to the site
Indosat incident-2014: propagated over 320,000 incorrect routes
Pakistan event 2008 http://caia.swin.edu.au [email protected]
11 June 2015 18CAIA Seminar 3. Indirect Disruptions Nimda-2001:
around 30 fold increase of BGP updates was observed Slammer-2003:
dramatic spikes in number of BGP updates Updates Messages During
Slammer Attack from 22-29 January 2003
10. http://caia.swin.edu.au [email protected] 11 June 2015
19CAIA Seminar 4. Hardware Failure Moscow blackout-2005: Several
hours Mediterranean cable-2008: > 20 countries Number of BGP
Updates during Moscow event http://caia.swin.edu.au
[email protected] 11 June 2015 20CAIA Seminar BGP Anomalies
Detection Techniques
11. http://caia.swin.edu.au [email protected] 11 June 2015
21CAIA Seminar BGP Anomalies Detection Techniques
http://caia.swin.edu.au [email protected] 11 June 2015 22CAIA
Seminar BGP Statistics The huge variance in the size of the
Internet is leading towards increasing instability of BGP 40K
anomalous route events were reported in the 12 months from May 2011
20% of the hijacking and misconfigurations lasted less than 10
minutes but with the ability to pollute 90% of the Internet in less
than 2 minutes
12. http://caia.swin.edu.au [email protected] 11 June 2015
23CAIA Seminar BGP Anomalies Key Requirements for a next generation
of BGP anomaly detection: Detect in near real-time different types
of BGP disruptions Identify type of BGP disruptions Locate the
source of disruption http://caia.swin.edu.au [email protected]
11 June 2015 24CAIA Seminar Outline BGP BGP Anomalies BGP Testbed
Summary
13. http://caia.swin.edu.au [email protected] 11 June 2015
25CAIA Seminar BGP Testbed Why BGP Testbed is important ? 1. Lack
of ground truth timestamps for available BGP anomalies events 2.
Enable examination of different types of BGP anomalies to help in
their identification 3. On available BGP testbeds such as the PEER
project, no hijacking or misconfiguration is allowed
http://caia.swin.edu.au [email protected] 11 June 2015 26CAIA
Seminar BGP Testbed Types of BGP testbed that have been used: 1.
Quagga 2. Swinburne/ ICT Cisco Labs 3. Virtual Internet Routing Lab
(VIRL)
14. http://caia.swin.edu.au [email protected] 11 June 2015
27CAIA Seminar Quagga Routing S/W package that provides TCP/IP
based routing services. Supports many routing protocols such as
RIP, OSPF, IS-IS, and BGP Simple BGP Topology on 9 VMs running
Quagga http://caia.swin.edu.au [email protected] 11 June 2015
28CAIA Seminar Quagga Difficult to manage large scale network
topology No Virtualization support No. of nodes is limited to H/W
specifications No chance to try other router OSs such as IOS and
Junos
15. http://caia.swin.edu.au [email protected] 11 June 2015
29CAIA Seminar Swinburne/ICT Cisco Labs Totally 265 Cisco routers
205 routers Cisco model 2811 60 routers Cisco model 2620XM
Swinburne offers a tool to manage configuration of devices
http://caia.swin.edu.au [email protected] 11 June 2015 30CAIA
Seminar Swinburne/ICT Cisco Labs Simple BGP topology
16. http://caia.swin.edu.au [email protected] 11 June 2015
31CAIA Seminar Swinburne/ICT Cisco Labs Time consuming to setup and
tear-down a network Limited availability of labs because of
teaching http://caia.swin.edu.au [email protected] 11 June 2015
32CAIA Seminar Managing connections Difficult to manage network
connections with a large scale network
17. http://caia.swin.edu.au [email protected] 11 June 2015
33CAIA Seminar Swinburne/ICT Cisco Labs Still difficult to manage
configuration of routers in a large scale network No Virtualization
capability No chance to try latest Cisco IOS versions or other
Routers OSs http://caia.swin.edu.au [email protected] 11 June
2015 34CAIA Seminar VIRL Cisco Software Virtual Internet Routing
Lab Uses VMMaestro, OpenStack, Autonetkit, and Ubuntu
18. http://caia.swin.edu.au [email protected] 11 June 2015
35CAIA Seminar VIRL Cisco Software Easy to setup and teardown a
network Portability and repeatability Virtualization capability
Simplified packet capture Deployment of different OSs Cisco IOS
such IOS,IOS XR, IOS XE, and NX-OS Servers such as Ubuntu and
FreeBSD http://caia.swin.edu.au [email protected] 11 June 2015
36CAIA Seminar VIRL Cisco Software 15 nodes running on VIRL
requires: 4 CPU cores 8 GB DRAM Internet Access My target network
is > 200 nodes which requires 40 CPU cores 512 GB DRAM What can
I do?
19. http://caia.swin.edu.au [email protected] 11 June 2015
37CAIA Seminar VIRL Cisco Software ASK ITS at Swinburne 10 nodes
each with 8 cores and 24 GB DRAM http://caia.swin.edu.au
[email protected] 11 June 2015 38CAIA Seminar Accessing 10
nodes at EN building
20. http://caia.swin.edu.au [email protected] 11 June 2015
39CAIA Seminar VIRL Supports graphml format
http://www.topology-zoo.org/ http://caia.swin.edu.au
[email protected] 11 June 2015 40CAIA Seminar Current/Future
Work Apply one of exist global network topologies Inject BGP
updates Create different anomalies and apply different approaches
to detecting them
21. http://caia.swin.edu.au [email protected] 11 June 2015
41CAIA Seminar Outline BGP BGP Anomalies BGP Testbed Summary
http://caia.swin.edu.au [email protected] 11 June 2015 42CAIA
Seminar Summary BGP is responsible for managing and exchanging
Network NLRI between ASes with guarantee of avoiding loops BGP is
vulnerable to different types of anomalies Key requirements for a
next generation of BGP anomalies detection Challenges of building
BGP testbed especially for large scale network VIRL offers a
variety of facilities and options with short time to setup and tear
down a network
22. http://caia.swin.edu.au [email protected] 11 June 2015
43CAIA Seminar Acknowledgment VIRL team at Cisco for providing free
license and support Simon Forsayeth from ITS / Swinburne University
for his help and support to make the use of 10 nodes possible with
VIRL http://caia.swin.edu.au [email protected] 11 June 2015
44CAIA Seminar Questions