2007, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Several route monitoring systems have been set up to help understand the Internet routing system. They operate by gathering real-time BGP updates from different networks. Many studies have relied on such data sources by assuming reasonably good coverage and thus representative visibility into the Internet routing system. However, different deployment strategies of route monitors directly impact the accuracy and generality of conclusions. Our work is the first to critically examine the visibility constraints imposed by the deployment of route monitors on various applications. We study the difference due to diverse deployment schemes on three important classes of applications: (1) discovery of relatively stable Internet properties such as the AS topology and prefix-to-origin-AS mappings, (2) discovery of dynamic routing behavior such as IP prefix hijack attacks and routing instability, and (3) inference of important network properties such as AS relationships and AS-level paths. We study several simple schemes of route monitor selection and provide insights on improving monitor placement.
2006
In this paper we introduce a new metric for analyzing the behavior of ASPATH values in the Border Gateway Protocol (BGP) routing protocol. We base our metric on the edit distance algorithm, an algorithm used for approximate string matching. We modify this basic algorithm by adding features that embed BGP domain knowledge. This allows us to perform meaningful comparisons of ASPATH values contained in BGP update messages. We call our modified metric ASPATH Edit Distance (AED). We illustrate the application of this metric to characterize ASPATH changes at a global scale using the example of a major Internet routing anomaly. At the other end of the spectrum we illustrate how this metric can be used to quantify and model the behavior of ASPATH values for individual Autonomous Systems. AED provides us with an important measure with which we can study the behavior of ASPATHs in the Internet. With sufficient refinement, AED can be suitably adapted and used alongside other metrics in BGP routing anomaly detection algorithms and tools.
ACM SIGCOMM Computer Communication Review, 2004
This paper presents a methodology for identifying the autonomous system (or systems) responsible when a routing change is observed and propagated by BGP. The origin of such a routing instability is deduced by examining and correlating BGP updates for many prefixes gathered at many observation points. Although interpreting BGP updates can be perplexing, we find that we can pinpoint the origin to either a single AS or a session between two ASes in most cases. We verify our methodology in two phases. First, we perform simulations on an AS topology derived from actual BGP updates using routing policies that are compatible with inferred peering/customer/provider relationships. In these simulations, in which network and router behavior are "ideal", we inject inter-AS link failures and demonstrate that our methodology can effectively identify most origins of instability. We then develop several heuristics to cope with the limitations of the actual BGP update propagation process and monitoring infrastructure, and apply our methodology and evaluation techniques to actual BGP updates gathered at hundreds of observation points. This approach of relying on data from BGP simulations as well as from measurements enables us to evaluate the inference quality achieved by our approach under ideal situations and how it is correlated with the actual quality and the number of observation points.
Microprocessors and Microsystems, 2007
For an Internet Service Provider (ISP), the knowledge of which interdomain paths could be traversed by its BGP announcements (and thus by traffic flows) is essential to predict the impact of network faults, to develop effective traffic engineering and peering strategies, and to assess the quality of upstream providers. However, current methodologies do not provide this information. We present methodologies to discover how the BGP announcements for an ISP's prefix are propagated through the Internet using withdrawals and specially crafted AS-sets. The techniques allow an ISP to determine which paths could be traversed in the presence of network faults or different routing policies on the ISP's part, and to deduce the routing policies of other ISPs with respect to its network. We validate our techniques through experimentation in the IPv6 and IPv4 Internet, showing that they can be safely and effectively applied in real-world situations.
Computer Networks, 2021
Despite the robust structure of the Internet, it is still susceptible to disruptive routing updates that prevent network traffic from reaching its destination. Our research shows that BGP announcements that are associated with disruptive updates tend to occur in groups of relatively high frequency, followed by periods of infrequent activity. We hypothesize that we may use these bursty characteristics to detect anomalous routing incidents. In this work, we use manually verified ground truth metadata and volume of announcements as a baseline measure, and propose a burstiness measure that detects prior anomalous incidents with high recall and better precision than the volume baseline. We quantify the burstiness of inter-arrival times around the date and times of four large-scale incidents: the Indosat hijacking event in April 2014, the Telecom Malaysia leak in June 2015, the Bharti Airtel Ltd. hijack in November 2015, and the MainOne leak in November 2018; and three smaller scale incidents that led to traffic interception: the Belarusian traffic direction in February 2013, the Icelandic traffic direction in July 2013, and the Russian telecom that hijacked financial services in April 2017. Our method leverages the burstiness of disruptive update messages to detect these incidents. We describe limitations, open challenges, and how this method can be used for routing anomaly detection.
2006
BGP monitoring projects such as RouteViews and RIPE RIS provide valuable data for networking research. Prior efforts, such as understanding BGP dynamics, have mined the BGP data collected by RouteViews and RIPE to make general inferences about Internet routing. Ideally one would like to have the collected BGP data covering the entire Internet.
2014
Several works over the past few years have shown that the Internet AS-level topology is partially hidden from the current Internet measurement infrastructures. Most have focused on the incompleteness of the connectivity extracted from BGP data. A few have analysed the connectivity collected by traceroute measurement infrastructures, showing the amount of connections introduced by traceroute campaigns. None, however, have investigated in detail the underlying rationale, i.e. the economic nature of the Internet. In this paper we fill this gap by analysing five traceroute infrastructures, found to be active in October 2013, with the p2c-distance metric, which is specifically designed to capture the complex economic dynamics that rule the Internet. We found that the traceroute infrastructures that currently run topology discovery measurements (Ark, DIMES and Portolan), together with BGP route collectors, are able to reveal the full connectivity of 23.50% of the Internet core ASes. This is a considerable improvement given that the BGP infrastructure alone is able to cover only 15.90% of the Internet core. This percentage could be increased up to 48.48% if the remaining two infrastructures (Dasu/Ono and RIPE Atlas) performed topology discovery campaigns. We also found that the placement of traceroute probes is not optimal from a topology discovery perspective, as it causes several probes to provide only redundant connectivity information. We show that the same number of traceroute probes, optimally deployed, would be able to completely reveal the full AS connectivity of the Internet core.
2003
Traceroute is widely used to detect routing problems, characterize end-to-end paths, and discover the Internet topology. Providing an accurate list of the Autonomous Systems (ASes) along the forwarding path would make traceroute even more valuable to researchers and network operators. However, conventional approaches to mapping traceroute hops to AS numbers are not accurate enough. Address registries are often incomplete and out-of-date. BGP routing tables provide a better IP-to-AS mapping, though this approach has significant limitations as well. Based on our extensive measurements, about 10% of the traceroute paths have one or more hops that do not map to a unique AS number, and around 15% of the traceroute AS paths have an AS loop. In addition, some traceroute AS paths have extra or missing AS hops due to Internet eXchange Points, sibling ASes managed by the same institution, and ASes that do not advertise routes to their infrastructure. Using the BGP tables as a starting point, we propose techniques for improving the IP-to-AS mapping as an important step toward an AS-level traceroute tool. Our algorithms draw on analysis of traceroute probes, reverse DNS lookups, BGP routing tables, and BGP update messages collected from multiple locations. We also discuss how the improved IP-to-AS mapping allows us to home in on cases where the BGP and traceroute AS paths differ for legitimate reasons.
2004
Detecting network path anomalies generally requires examining large volumes of traffic data to find misbehavior. We observe that wide-area services, such as peer-to-peer systems and content distribution networks, exhibit large traffic volumes, spread over large numbers of geographically dispersed endpoints. This makes them ideal candidates for observing wide-area network behavior. Specifically, we can combine passive monitoring of wide-area traffic to detect anomalous network behavior with active probes from multiple nodes to quantify and characterize the scope of these anomalies.
2014 IEEE International Conference on Communications (ICC), 2014
BGP hijacking is a well-known threat to the Internet routing infrastructure. There has been considerable interest in developing tools that detect prefix hijacking, but such systems usually identify a large number of events, many of them due to some benign BGP engineering practice or misconfiguration. Ramachandran et al. [1] and later Hu et al. [2] also correlated suspicious routing events with spam and claimed to have found evidence of spammers temporarily stealing prefixes to send spam. In an effort to study at large scale the existence and the prevalence of malicious BGP hijacks in the Internet, we developed a system which (i) identifies hijacks using BGP, traceroute and IRR data and (ii) investigates traffic originating from the reported networks with spam and netflow data. In this paper we present a real case where suspicious BGP announcements coincided with spam and web scam traffic from the corresponding networks. Through this case study we show that a correlation of suspicious routing events with malicious activities is insufficient to establish harmful BGP hijacks. We thus question previously reported cases and conclude that identifying malicious BGP hijacks requires additional data sources as well as feedback from network owners in order to reach decisive conclusions.
2004
BGP, the de facto inter-domain routing protocol, is the core component of the current Internet infrastructure. BGP traffic deserves thorough exploration, since abnormal BGP routing dynamics could impair global Internet connectivity and stability. In this paper, two methods, signature-based detection and statistics-based detection, are designed and implemented to detect anomalous BGP routing dynamics in BGP UPDATEs. Signature-based detection utilizes a set of fixed patterns to search for and identify routing anomalies. For statistics-based detection, we devise five measures to model BGP UPDATE traffic. In the training phase, the detector is trained to learn the expected behaviors of BGP from a historical long-term BGP UPDATE dataset. It then examines the test dataset to detect "anomalies" in the testing phase. An anomaly is flagged when the tested behavior significantly differs from the expected behaviors. We have applied these two approaches to examine the BGP data collected by RIPE-NCC servers for a number of IP prefixes. Through manual analysis, we specify possible causes of some detected anomalies. Finally, comparing the two approaches, we highlight the advantages and limitations of each. While our evaluation is still preliminary, we have demonstrated that, by combining both signature-based and statistics-based anomaly detection approaches, our system can effectively and accurately identify certain BGP events that are worthy of further investigation.