Foundation Projects

Rapid detection of BGP anomalies

Centre for Advanced Internet Architectures (CAIA), Swinburne University of Technology

The Border Gateway Protocol (BGP) is the most widely used inter-domain routing protocol. BGP is vulnerable to several types of attacks, such as prefix hijacking, misconfiguration, and Denial of Service (DoS) attacks.

Although they happen rarely, these attacks have threatened BGP's stability. Instability affects the performance, processing load, and traffic-load distribution of BGP speakers. Recent statistics show that approximately 20% of hijacks and misconfigurations lasted less than 10 minutes, yet such events can pollute 90% of the Internet in less than 2 minutes. These statistics demonstrate the need for real-time detection of BGP anomalies.

Rapid detection of BGP anomalies is the topic of this research proposal. The past twenty years have seen many events that have threatened BGP's stability. The Pakistan Telecom incident is an example of BGP misconfiguration: in response to a censorship order from its government, the major Internet Service Provider (ISP) in Pakistan advertised an unauthorized YouTube prefix, causing many ASes to lose access to the site. A more recent example of BGP misconfiguration was caused by Telekom Malaysia (TMnet) and led to significant problems for the global routing system. TMnet (AS4788) accidentally announced approximately 179,000 prefixes to Level3, the Global Crossing AS, leading to significant packet loss and slow Internet service around the world. The panix.com domain incident is an example of hijacking: on 22 January 2006, AS27506 hijacked the panix.com domain, causing loss of connectivity to this domain for several hours. Beyond the many reported events, other events remain unreported or even unnoticed.

This research aimed to explore a new technique that quickly detects different sources of anomalies. The approach was based on the use of Recurrence Quantification Analysis (RQA) to detect BGP anomalies. RQA is a technique for extracting hidden information from the statistics of dynamical systems. In our work we used RQA to rapidly detect BGP instability caused by a high volume of BGP updates, as well as hidden abnormal behaviour that might otherwise have passed unobserved. The theoretical concepts used were studied and developed during the past two years as part of a PhD project funded by the Higher Committee for Education Development in Iraq (HCED). Subsequent PhD work was funded by the HCED and the Cisco URP program.
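The RQA approach described above, as an added example that is not code from the CAIA/RBADT project: it builds a time-delay embedding of a constructed series of BGP UPDATE counts per minute, computes the recurrence matrix and the recurrence rate (RR) and determinism (DET) for each sliding window, and flags windows whose RR collapses relative to a quiet reference window. The embedding dimension and delay, the threshold eps, the window size and the drop factor are assumed values chosen for the toy data, not the project's settings.

```python
# Added illustration (not CAIA/RBADT code): sliding-window RQA over BGP UPDATE counts.
# Embedding dim/delay, eps, window size and the drop factor are assumed values for the toy data.
import numpy as np

def embed(series, dim=2, delay=1):
    """Time-delay embedding: point i is (x[i], x[i+delay], ...)."""
    n = len(series) - (dim - 1) * delay
    return np.array([[series[i + k * delay] for k in range(dim)] for i in range(n)], float)

def recurrence_matrix(points, eps):
    """R[i, j] = 1 when points i and j lie within eps; the identity line is dropped."""
    dist = np.linalg.norm(points[:, None, :] - points[None, :, :], axis=2)
    R = (dist <= eps).astype(int)
    np.fill_diagonal(R, 0)
    return R

def rqa_measures(R, lmin=2):
    """Recurrence rate RR and determinism DET (share of recurrences on diagonal lines >= lmin)."""
    n, total = R.shape[0], int(R.sum())
    if total == 0:
        return 0.0, 0.0
    on_lines = 0
    for k in list(range(1, n)) + list(range(-n + 1, 0)):   # every off-diagonal
        run = 0
        for v in list(np.diagonal(R, k)) + [0]:             # trailing 0 flushes the last run
            if v:
                run += 1
            else:
                on_lines += run if run >= lmin else 0
                run = 0
    return total / (n * (n - 1)), on_lines / total

def detect_anomalies(counts, window=20, step=10, eps=5.0, drop=0.5):
    """Flag windows whose RR falls below `drop` times the RR of the first, assumed-quiet window."""
    flagged, ref_rr = [], None
    for start in range(0, len(counts) - window + 1, step):
        rr, det = rqa_measures(recurrence_matrix(embed(counts[start:start + window]), eps))
        if ref_rr is None:
            ref_rr = rr
        elif rr < drop * ref_rr:
            flagged.append((start, round(rr, 3), round(det, 3)))
    return flagged

# Constructed input: 30 quiet minutes, an 8-minute UPDATE burst, then 22 quiet minutes.
QUIET = [10, 20, 15]
BURST = [60, 140, 320, 410, 280, 150, 70, 35]
COUNTS = [QUIET[i % 3] for i in range(30)] + BURST + [QUIET[i % 3] for i in range(22)]

if __name__ == "__main__":
    for start, rr, det in detect_anomalies(COUNTS):
        print(f"window from minute {start}: RR={rr} DET={det} -> anomalous")
```

With this series, only the two windows that overlap the burst (starting at minutes 20 and 30) are flagged; the quiet windows keep the periodic structure, so their RR and DET stay high.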

In this project we asked ISIF to fund the development of software that makes use of our research: the Real-time BGP Anomaly Detection Tool (RBADT), a tool that ISP operators can use to detect BGP anomalies rapidly (in seconds), and a new version of the BGP Replay Tool (BRT) v0.1, a tool developed by team members to replay past BGP events using data downloaded from the Route Views project and RIPE. Rapid detection of BGP anomalies helps ISP operators mitigate the propagation of BGP anomalies, which in turn improves Internet reliability. The evaluation of RBADT used the Virtual Internet Routing Lab (VIRL) as a controlled testbed together with the new version of the BRT. These tools and their technical reports were published by Swinburne University's Centre for Advanced Internet Architectures.
