BGP-lens: Patterns and Anomalies in Internet Routing Updates B. Aditya Prakash 1, Nicholas Valler 2, David Andersen 1, Michalis Faloutsos 2, Christos Faloutsos.

Presentation transcript:

BGP-lens: Patterns and Anomalies in Internet Routing Updates
B. Aditya Prakash (1), Nicholas Valler (2), David Andersen (1), Michalis Faloutsos (2), Christos Faloutsos (1)
(1) Carnegie Mellon University, (2) UC-Riverside
KDD 2009, Paris

Slide 2
Introduction
Border Gateway Protocol (BGP)
– Internet routing protocol
– Routers sending messages to each other
– Keeps path information up to date
Ideal setting: no BGP updates
Really: many updates
– link failures, router restarts, malicious behavior
Time | peerAS | originAS | prefix
:39:42 | ATT | SPRINT | /
:39:43 | VERIZON | AOL | /
:39:46 | WASH | ATLA | /24
….
Each row is an update

Slide 3
Introduction contd.
Question: Find patterns/anomalies?
Challenges:
– Millions of updates sent over network
– Data has multiple dimensions
– Noisy measurements
– Impossible for a human to sift through updates
Automated tool needed!

Slide 4
The Data
Time | peerAS | originAS | prefix
:39:42 | ATT | SPRINT | /
:39:43 | VERIZON | AOL | /
:39:46 | WASH | ATLA | /24
….
Data from Datapository.net, Abilene Network
18 million update messages – over two years!

Slide 5
Our Approach
Look at a simple time-series
Focus on just the time
# of updates received every b seconds (bin size)
Specific problem we are tackling
– Given such time-series
– Report patterns and anomalies
Also find suspicious entities (paths, ASes etc.)
[Figure: the update table (Time, peerAS, originAS, prefix) reduced to its Time column, then counted in bins of b secs along the time axis. Bin: 0 1 2 … Count: 4 2 6 …]

Slide 6
Real data: Washington Router
Very bursty!
Traditional tools like FFT, auto-regression don’t work
[Figure: # of updates vs. bin number (‘time’), bin size = 600s]

Slide 7
Outline
Introduction and Problem Statement
Techniques
– Temporal Analysis
– Frequency Analysis
BGP-lens at work
Conclusions

Slide 8
Temporal Analysis
First cut: take log-linear plot
– emphasizes small values over high values
[Figure: bin size: 10s]

Slide 9
But: bin size is important!

Slide 10
‘Clotheslines’
[Figure: bin size: 600s]

Slide 11
Clotheslines
Q1: Why clotheslines?
– Near-consecutive updates over a long time period
– Can be route flapping
  advertise/withdraw same path frequently
  important to identify
Q2: How to automate this discovery?

Slide 12
Proposal: Marginals to Rescue
PDF of volume of updates
– Number of time-bins with volume
Extremes == height of the clotheslines!

Slide 13
Marginals to Rescue
PDF of volume of updates
– Number of time-bins with volume

Slide 14
Algorithm - Clotheslines
For marginals plot use the median filtering approach to determine ‘outliers’;
For each time interval found, report the most consistent IPs/ASes etc.
High-level idea only – details in paper!
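
An added example (not from the slides or the BGP-lens paper) of the idea on this slide: bin the update timestamps, build the marginal of per-bin volume, and flag volumes whose marginal is an outlier against a median over neighbouring volumes. The function names, the `window`, `factor`, `max_gap` and `min_bins` parameters and the sample data are assumptions made for illustration; the paper's own details are not on this page.

```python
from collections import Counter
from statistics import median

def bin_counts(timestamps, b):
    """Updates per b-second bin (timestamps are integer epoch seconds)."""
    start = min(timestamps)
    counts = [0] * ((max(timestamps) - start) // b + 1)
    for t in timestamps:
        counts[(t - start) // b] += 1
    return counts

def clothesline_heights(counts, window=2, factor=5):
    """Volumes whose marginal (number of bins holding exactly that volume)
    is at least `factor` times the median marginal of nearby volumes."""
    marginal = Counter(c for c in counts if c > 0)
    heights = []
    for v, n in sorted(marginal.items()):
        near = [marginal.get(u, 0)
                for u in range(max(1, v - window), v + window + 1) if u != v]
        if n >= factor * max(1, median(near)):
            heights.append(v)
    return heights

def clothesline_intervals(counts, height, max_gap=2, min_bins=10):
    """(first_bin, last_bin) runs of near-consecutive bins at `height`."""
    runs = []
    for i, c in enumerate(counts):
        if c != height:
            continue
        if runs and i - runs[-1][1] <= max_gap:
            runs[-1][1] = i            # extend the run across a short gap
        else:
            runs.append([i, i])
    return [(a, z) for a, z in runs if z - a + 1 >= min_bins]

# Constructed sample: 300 bins of 600 s with low, varying background volume,
# one isolated 200-update burst, and a clothesline of 50 updates per bin.
B = 600
background = [1, 2, 3, 2, 1, 4, 3, 2, 5, 1]
sample_counts = [50 if 100 <= i < 160 else background[i % 10] for i in range(300)]
sample_counts[250] = 200
sample_ts = [i * B + j for i, c in enumerate(sample_counts) for j in range(c)]

if __name__ == "__main__":
    counts = bin_counts(sample_ts, B)
    for h in clothesline_heights(counts):
        print(h, clothesline_intervals(counts, h))
```

The isolated 200-update bin is the largest volume in the sample but is not reported, because a clothesline is defined by how many bins share a volume, not by how high the volume is.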

Slide 15
Outline
Introduction and Problem Statement
Techniques
– Temporal Analysis
– Frequency Analysis
BGP-lens at work
Conclusions

Slide 16
[Figure: signal over time, with axis labels Low Freq. / High Freq. and High energy / Low energy]
‘Tornado’ does not touch down

Slide 17
In real data…
[Figure: event E2]

Slide 18
E2
~ 20,000 updates!
~ 8 hrs

Slide 19
Why Prolonged Spike?
Bursts of short duration
Can represent malicious behavior
– Or simple router restarts!
Exact cause hard to find
– but important for system administrators

Slide 20
Algorithm – Prolonged Spikes
Basic idea: find tornados from scalogram
Find suitable starting point at higher levels
Extend downward as much as possible
The finest scale where tornado stops – the shortest time period to look for a prolonged spike
Again, details in paper!

Slide 21
Scalability

Slide 22
BGP-lens: User Interface
# of suspicious events sysadmin wants to check
duration: length of events to be checked (think daily vs weekly vs monthly)
optional

Slide 23
Outline
Introduction and Problem Statement
Techniques
– Temporal Analysis
– Frequency Analysis
BGP-lens at work
Conclusions

Slide 24
BGP-lens at Work
We found real events too. Examples:
Event 1: 50-clothesline
– Prefix and Origin-AS pointed to Alabama Supercomputing Net
– When contacted, sysadmins attributed changes to route flapping
  “the route for /24 was appearing and disappearing in [the] IGP routing table... [which] may have caused BGP to flap.”
– Anomaly went undetected and unresolved for 30 days!

Slide 25
Results from real data
Event 2: Prolonged Spike
– May 12th 2006
– 8hr spike
– Most persistent IPs/ASes
  Primary and middle schools in a large district in a country
– Two more spikes Jan 18-19, 2006 and Aug 1

Slide 26
Conclusions
Studied huge real data (~18 million updates)
Developed two new techniques
– effective
  spots subtle phenomena like clotheslines and prolonged spikes
– scalable
BGP-lens: a user-friendly tool
  provides reasonable defaults
  provides easy-to-use knobs
  leads like IPs/ASes

Slide 27
Thank You!
Any questions?
– We thank NSF, USA for their support.
Author-Reel!

Slide 28
Extra - Frequency Analysis
Data is self-similar!
– we used the entropy-plot measure
– also called the b-model [26]
– Corresponds to b-model of
– Multi-resolution techniques needed!

Slide 29
Extra - FFT

Slide 30
Extra – Marginals for 10sec

Slide 31
Extra – Prolonged Spike Algorithm