On Detection of Anomalous Routing Dynamics in BGP - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
On Detection of Anomalous Routing Dynamics in BGP
  • Ke Zhang
  • Feb 19

2
Outline
  • Brief introduction on BGP
  • Known BGP anomalous routing behavior
  • NIDES/STAT algorithm
  • Our statistical detector
  • Experiments
  • Experiment results
  • Classification of detected routing anomalies
  • Conclusions

3
Introduction to BGP
  • Today's Internet has a roughly hierarchical
    structure
  • It is divided into Autonomous Systems (ASs)
  • BGP is the de facto inter-AS routing protocol
  • It is used to exchange inter-domain routing information
  • Each AS, the originator, advertises its own
    networks to its neighboring ASs; the neighboring
    ASs then propagate those advertisements to the
    rest of the Internet
  • I tell you, you tell your friends, and so on
  • Routing information is sent to peers in Update Messages

4
Introduction to BGP
Path Vector Routing Protocol: a BGP route lists a
prefix (destination) and the path of ASs to reach
that prefix
[Figure: the prefix 169.237.0.0/16 (nets of AS 6192) and the neighboring ASs X, Y and Z through which the route is learned]
5
BGP Update Messages
  • Route Announcement
  • Advertise a single route to the peer
  • Format: protocol | time | A | peer ip | peer AS |
    prefix | AS_PATH | origin | next hop | local
    pref | med | community
  • Example
  • BGP4MP|987438764|A|193.0.0.56|3333|198.41.0.0/24|3333 1103 8297 6453 1239 6245|IGP|193.0.0.56|0|0|
  • Route withdrawal
  • Format: protocol | time | W | peer ip | peer AS |
    prefix
  • Example
  • BGP4MP|987438821|W|193.0.0.56|3333|198.41.0.0/24

6
BGP Routing Anomalies
  • Slow convergence
  • Route oscillation

7
BGP Slow Convergence
  • Redundant update messages due to propagation
    delay

[Figure: ASs 1 to 9, with AS1 holding routes to 169.237.0.0/16 via the paths 9,8; 3,5,7,8; and 2,4,6,7,8, followed by a withdrawal]
8
BGP route oscillation
  • A burst of announcements of two or more
    alternative paths
  • Example: path 1, 2, 1, 2
  • BGP4MP|993089500|A|193.0.0.56|3333|192.36.148.0/24|3333 1755 8674|IGP|193.0.0.56|0|0|
  • BGP4MP|993089758|A|193.0.0.56|3333|192.36.148.0/24|3333 1103 8933 2603 8674|IGP|193.0.0.56|0|0|
  • BGP4MP|993089902|A|193.0.0.56|3333|192.36.148.0/24|3333 1755 8674|IGP|193.0.0.56|0|0|
  • BGP4MP|993090305|A|193.0.0.56|3333|192.36.148.0/24|3333 1103 8933 2603 8674|IGP|193.0.0.56|0|0|
  • BGP4MP|993090580|A|193.0.0.56|3333|192.36.148.0/24|3333 1755 8674|IGP|193.0.0.56|0|0|

9
Statistical BGP anomaly detection
  • Motivation
  • BGP sub-optimal routing may cause global
    instability over the whole Internet and degrade
    its performance.
  • Develop a systematic approach to consistently
    label a set of BGP events as normal or anomalous.
  • Why choose a statistical detection technique?
  • Compare the current data with historical data and
    identify the significant changes.
  • Capable of discovering unknown anomalies
  • It is hard to use signature-based detection
    methods:
  • BGP routing behavior varies between observation
    points
  • The parameters for signatures are hard to
    determine

10
NIDES/STAT
  • Basic idea of NIDES/STAT
  • Long-term profile training: learn the expected
    behavior of the system
  • Short-term testing: compare the observed behavior
    with the expected behavior in the long-term
    profile. If the deviation is very significant and
    greater than a predefined threshold, an alarm is
    raised.

11
Long-term profile: C-training
  • k bins
  • Expected distribution P1, P2, ..., Pk, where
  • Training time: months

12
Long-term profile: Q-training
  • Divide the long-term data into n segments
  • For each segment:
  • k bins, samples fall into bin
  • samples in total ( )

13
Q-distribution
  • Deviation
  • Example
  • Qmax
  • the largest value among all Q values
  • Q distribution
  • [0, Qmax) is equally divided into 31 bins and the
    last bin is [Qmax, ∞)
  • distribute all Q values into the 32 bins

14
Threshold
  • Predefined threshold
  • If Prob(Q > q) < threshold, raise alarm

15
NIDES/STAT
  • In practice, NIDES/STAT uses exponentially
    weighted sums to track the values of Q in order
    to establish an empirical probability
    distribution for Q.
  • Q calculation for intensity measures
  • t: the time that has elapsed between the nth and
    (n+1)st audit record
  • r: a decay factor (half-life time)

16
NIDES/STAT
  • Let the relative frequency with which Q falls
    into each interval be recorded. In our
    experiment there are 32 such values, one per bin.
  • For the m-th interval, let the tail mass denote the
    sum of its own frequency and of all other frequency
    values that are smaller than or equal to it in magnitude.
  • For the m-th interval, let s be the value such
    that the probability that a normally distributed
    variable with mean 0 and variance 1 is larger
    than s in absolute value equals that tail mass.

Here the cumulative normal distribution function
of a standard normal variable is used.
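The profile, Q statistic, Q distribution and S score of slides 11 through 16, worked through in Python as an added example (not the presenter's code). The chi-square form of Q, the binning of training Q values and the use of plain counts in place of slide 15's exponentially weighted sums are assumptions, since those formulas did not survive the transcript.

```python
"""NIDES/STAT-style Q statistic and S score as described on slides 11-16.
Added illustration, not the presenter's code.  Assumed, because the slides'
formulas did not survive: Q is the chi-square distance between short-term bin
counts and the long-term expected distribution; the decay (exponentially
weighted) update of slide 15 is replaced by plain counts over training data."""
from statistics import NormalDist

NBINS = 32  # 31 equal bins over [0, Qmax) plus one overflow bin [Qmax, inf)

def q_statistic(counts, expected):
    """Q = sum_i (Y_i - N*P_i)^2 / (N*P_i); Y_i samples in bin i, N = total."""
    n = sum(counts)
    return sum((y - n * p) ** 2 / (n * p) for y, p in zip(counts, expected))

def q_bin(q, qmax, width):
    return NBINS - 1 if q >= qmax else int(q // width)

def build_q_profile(training_q):
    """Long-term Q distribution: relative frequency of each of the 32 bins."""
    qmax = max(training_q)
    width = qmax / (NBINS - 1)
    freq = [0.0] * NBINS
    for q in training_q:
        freq[q_bin(q, qmax, width)] += 1.0 / len(training_q)
    return {"qmax": qmax, "width": width, "freq": freq}

def prob_q_exceeds(q, profile):
    """Slide 14: empirical Prob(Q >= q), mass of q's bin and every bin above it."""
    idx = q_bin(q, profile["qmax"], profile["width"])
    return sum(profile["freq"][idx:])

def tail_mass(q, profile):
    """Slide 16: sum of the bin frequencies that are <= the frequency of q's bin
    (an unseen bin therefore gets mass 0, i.e. maximal surprise)."""
    freq = profile["freq"]
    own = freq[q_bin(q, profile["qmax"], profile["width"])]
    return sum(f for f in freq if f <= own)

def s_score(p):
    """s with Prob(|Z| > s) = p for Z ~ N(0,1): s = Phi^-1(1 - p/2)."""
    p = min(max(p, 1e-12), 1.0)  # clamp so an empty tail gives a large finite s
    return NormalDist().inv_cdf(1 - p / 2)

def check(counts, expected, profile, threshold):
    """One short-term observation: (Q, Prob(Q>=q), S, alarm) per slide 14."""
    q = q_statistic(counts, expected)
    p = prob_q_exceeds(q, profile)
    return q, p, s_score(tail_mass(q, profile)), p < threshold
```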
17
Two Measures
  • Inter-arrival time between BGP messages
  • Decay factor (r) is 300 seconds
  • Number of distinct AS paths observed within a
    fixed period of time
  • Decay factor (r) is 300 seconds

18
Q Graph
19
S Graph
20
Experiments
  • System Overview

[Figure: system overview, with blocks labelled "compare" and "warning"]
21
Experiments
  • Data source
  • BGP logs from RIPE (Réseaux IP Européens)
  • 8 prefixes
  • 3 selected prefixes
  • 5 prefixes of popular sites: yahoo, google,
    microsoft, realnetworks, terralycos
  • Two observation points
  • AS3333 (RIPE)
  • AS2914 (Verio)

22
Experiment Results
23
Experiment Results
24
Classification of Anomalies
25
Classification of Anomalies
  • C1: a sequence of distinctive AS paths without a
    withdrawal inside, ending with a stable AS path
  • C2: a sequence of non-distinctive AS paths without a
    withdrawal inside, ending with a stable AS path
  • C3: a sequence of distinctive AS paths with a
    transient withdrawal in the middle, ending with a
    stable AS path
  • C4: a sequence of non-distinctive AS paths with a
    transient withdrawal in the middle, ending with a
    stable AS path
  • C5: a sequence of distinctive AS paths without a
    withdrawal inside, ending with a stable
    withdrawal
  • C6: a sequence of non-distinctive AS paths without a
    withdrawal inside, ending with a stable
    withdrawal
  • C7: a sequence of distinctive AS paths with a
    transient withdrawal in the middle, ending with a
    stable withdrawal
  • C8: a sequence of non-distinctive AS paths with a
    transient withdrawal in the middle, ending with a
    stable withdrawal

26
Experiment Results
Distribution of each class
27
Anomalies Found
  • Duplicate: consecutive updates that contain
    exactly the same information; all the route
    attributes, including AS_PATH, MED, local
    preference and aggregator, are identical.
  • BGP4MP|995563513|A|129.250.0.232|2914|55.0.0.0/8|3549 1239 568|IGP|206.251.0.85|0|0|3549:2116 3549:9840
  • BGP4MP|995563541|A|129.250.0.232|2914|55.0.0.0/8|3549 1239 568|IGP|206.251.0.85|0|0|3549:2116 3549:9840
  • BGP4MP|995563708|A|129.250.0.232|2914|55.0.0.0/8|3549 1239 568|IGP|206.251.0.85|0|0|3549:2116 3549:9840

28
Anomalies Found
  • SPATH: consecutive updates that have an identical
    AS_PATH attribute, but one or more of the other
    attributes (such as MED, local preference,
    etc.) differ.

BGP4MP|1030092375|A|129.250.0.232|2914|207.188.0.0/19|2914 5054 5054 5054 5054|IGP|129.250.0.232|0|43|2914:410 2914:2000 2914:3000
BGP4MP|1030092483|A|129.250.0.232|2914|207.188.0.0/19|2914 5054 5054 5054 5054|IGP|129.250.0.232|0|54|2914:410 2914:2000 2914:3000
BGP4MP|1030092959|A|129.250.0.232|2914|207.188.0.0/19|2914 5054 5054 5054 5054|IGP|129.250.0.232|0|43|2914:410 2914:2000 2914:3000
BGP4MP|1030093016|A|129.250.0.232|2914|207.188.0.0/19|2914 5054 5054 5054 5054|IGP|129.250.0.232|0|42|2914:410 2914:2000 2914:3000
29
Anomalies Found
  • AS_PATH oscillation: rapidly alternating
    announcements of two or more different AS_PATH
    attributes in a short period of time.

BGP4MP|1017433043|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 3561 19836|IGP|193.0.0.56|0|0|
BGP4MP|1017433183|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 1239 11840|IGP|193.0.0.56|0|0|
BGP4MP|1017433213|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 3561 19836|IGP|193.0.0.56|0|0|
BGP4MP|1017433243|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 701 11840|IGP|193.0.0.56|0|0|
BGP4MP|1017433270|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 3561 19836|IGP|193.0.0.56|0|0|
30
Anomalies Found
  • Transient route flap: a stable route is replaced
    by a transient route, and changes back after a
    short period of time.

BGP4MP|1013447888|A|193.0.0.56|3333|207.188.0.0/19|3333 9057 2914 5054|IGP|193.0.0.56|0|0|
BGP4MP|1013514246|A|193.0.0.56|3333|207.188.0.0/19|3333 1103 3549 2914 5054|IGP|193.0.0.56|0|0|
BGP4MP|1013514359|A|193.0.0.56|3333|207.188.0.0/19|3333 9057 2914 5054|IGP|193.0.0.56|0|0|
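An added example, not the presenter's tool, that parses the '|'-separated update records of slide 5 and the anomaly slides, computes the two measures of slide 17 and labels consecutive announcements as Duplicate or SPATH as defined on slides 27 and 28. The sample records are copied from slides 27 to 29, and the 300-second window is the decay period quoted on slide 17.

```python
"""Parser and measures for the '|'-separated update records shown on slides 5
and 27-30.  Added illustration, not the presenter's tool; the field order
follows slide 5 and the Duplicate/SPATH definitions follow slides 27-28."""
from collections import namedtuple

Update = namedtuple("Update", "time kind peer_ip peer_as prefix as_path origin "
                              "next_hop local_pref med community")

def parse_update(line):
    """One record per line; a withdrawal (W) carries only the first six fields."""
    f = line.strip().split("|")
    if f[2] == "W":
        return Update(int(f[1]), "W", f[3], f[4], f[5], None, None, None, None, None, None)
    return Update(int(f[1]), "A", f[3], f[4], f[5], f[6], f[7], f[8], f[9], f[10],
                  f[11] if len(f) > 11 else "")

def inter_arrival_times(updates):  # slide 17, measure 1: seconds between messages
    return [b.time - a.time for a, b in zip(updates, updates[1:])]

def distinct_as_paths(updates, start, window):  # slide 17, measure 2
    return len({u.as_path for u in updates
                if u.kind == "A" and start <= u.time < start + window})

def label_pair(prev, cur):
    """duplicate: every attribute repeats; spath: same AS_PATH, other attribute changed."""
    if "W" in (prev.kind, cur.kind):
        return "withdraw" if cur.kind == "W" else "re-announce"
    if prev[5:] == cur[5:]:          # as_path through community all identical
        return "duplicate"
    return "spath" if prev.as_path == cur.as_path else "path-change"

def analyse(lines, window=300):
    """Per prefix: pair labels, inter-arrival times, distinct paths in the first window."""
    by_prefix = {}
    for u in sorted(map(parse_update, lines), key=lambda u: u.time):
        by_prefix.setdefault(u.prefix, []).append(u)
    return {p: {"labels": [label_pair(a, b) for a, b in zip(ups, ups[1:])],
                "gaps": inter_arrival_times(ups),
                "paths": distinct_as_paths(ups, ups[0].time, window)}
            for p, ups in by_prefix.items()}

# Records copied from slides 27-29 (separators restored); AS 2914 = Verio, 3333 = RIPE.
SAMPLE = """\
BGP4MP|995563513|A|129.250.0.232|2914|55.0.0.0/8|3549 1239 568|IGP|206.251.0.85|0|0|3549:2116 3549:9840
BGP4MP|995563541|A|129.250.0.232|2914|55.0.0.0/8|3549 1239 568|IGP|206.251.0.85|0|0|3549:2116 3549:9840
BGP4MP|1030092375|A|129.250.0.232|2914|207.188.0.0/19|2914 5054 5054 5054 5054|IGP|129.250.0.232|0|43|2914:410 2914:2000 2914:3000
BGP4MP|1030092483|A|129.250.0.232|2914|207.188.0.0/19|2914 5054 5054 5054 5054|IGP|129.250.0.232|0|54|2914:410 2914:2000 2914:3000
BGP4MP|1017433043|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 3561 19836|IGP|193.0.0.56|0|0|
BGP4MP|1017433183|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 1239 11840|IGP|193.0.0.56|0|0|
BGP4MP|1017433213|A|193.0.0.56|3333|192.153.247.0/24|3333 9057 3356 3561 19836|IGP|193.0.0.56|0|0|
"""
```

Calling analyse(SAMPLE.splitlines()) yields one duplicate pair for 55.0.0.0/8, one spath pair (MED 43 to 54) for 207.188.0.0/19, and two path changes with 2 distinct AS paths for 192.153.247.0/24.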
31
Lessons and Conclusion
  • Lessons
  • Why are some suspicious routing behaviors detected
    for one prefix yet not detected for another
    prefix?
  • Example: some transient flap and SPATH anomalies
    are detected for realnetworks, but not detected
    for google.
  • Reason: the long-term profile of google is
    somehow contaminated.

32
Lessons and Conclusions
  • Conclusions
  • The BGP routing anomaly detector can effectively
    detect anomalous (suspicious) routing
    behavior
  • Need to develop more measures
  • Long-term profile training needs careful
    consideration