BGP Anomaly Detection
Bahaa Al-Musawi, PhD candidate
Supervisors: Dr. Philip Branch and Prof. Grenville Armitage
Centre for Advanced Internet Architectures (CAIA), Swinburne University of Technology
http://caia.swin.edu.au
CAIA Seminar, 11 June 2015 (22 slides)

Uploaded by bahaa-musawi on 16 Aug 2015


TRANSCRIPT

Slide 1: BGP Anomaly Detection (title slide)

Slide 2: Outline
- BGP
- BGP Anomalies
- BGP Testbed
- Summary

Section: BGP

Slide 4: Border Gateway Protocol (BGP)
- The Internet is a decentralized global network comprised of tens of thousands of Autonomous Systems (ASes)
- BGP is the Internet's default inter-domain routing protocol
- (figure: an example of a routing topology)

Slide 5: Border Gateway Protocol (BGP)
- Versions: BGP (RFC 1105), BGP-2 (RFC 1163), BGP-3 (RFC 1267) and BGP-4, whose latest revision is RFC 4271
- BGP is a path vector protocol
- BGP supports Classless Inter-domain Routing (CIDR), e.g. the prefix 192.2.2.0/24 covering 192.2.2.1-192.2.2.255

Slide 6: Connecting a new BGP router
- BGP is an incremental protocol
- Routing Information Base (RIB)
- Updates (figure)

Slide 7: Announcing a new prefix by an AS
- BGP is an incremental protocol
- Routing Information Base (RIB)
- Updates (figure)

Slide 8: BGP Policies
- ASes are the unit of routing policy in BGP
- AS relationships: customer-provider and peer-to-peer
- BGP routing policies cover business relationships, traffic engineering, scalability and security-related policies
- The number of configuration lines in a single BGP router can range from hundreds to thousands

Slide 9: Border Gateway Protocol (BGP)
- (figure: growth of the BGP table since 1994, from http://bgp.potaroo.net/)

Slide 10: BGP Weakness
- BGP is based on trust between all its participants
- BGP does not employ any authentication measures for advertised routes
- BGP is vulnerable to different types of attacks:
  - 2005: TTNet announced more than 100,000 incorrect routes
  - 2006: AS27506 hijacked the Panix domain
  - 2012: Dodo ISP incident

Section: BGP Anomalies

Slide 12: BGP Anomalies
- Anomalies are patterns in a data set that do not follow expected behavior
- No BGP updates are sent when there is no change in topology and/or policies for a network running BGP
- In the real world, many ASes are unstable, causing propagation of many abnormal BGP updates
- Distinguishing abnormal BGP updates from a serious attack is a challenge

Slide 13: Types of BGP Anomalies
1. Direct and Intended Disruptions
2. Direct and Unintended Disruptions
3. Indirect Attacks
4. Hardware Failure

Slide 14: 1. Direct and Intended Disruptions
- This type of disruption refers to all types of BGP hijacking, which can appear in different scenarios such as prefix and sub-prefix hijack.

Slide 15: 1. Direct and Intended Disruptions: False Positives
- There are legitimate reasons for anomalous routing updates, e.g. multi-homing with static link aggregation

Slide 16: 1. Direct and Intended Disruptions: Examples
- May 2005: AS174 hijacked one of Google's prefixes; connectivity to the google.com domain was lost for nearly an hour
- April 2011: Link Telecom incident; an attacker hijacked AS12812 and its prefixes for around 6 months
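As an added illustration (not from the slides), the Python below applies the prefix/sub-prefix hijack notion of slide 14 and the multi-homing false-positive caveat of slide 15 to a set of constructed announcements: each update's origin AS is compared with an expected-origin table, and a prefix with several legitimate origins is not flagged. The table, the ASNs and the updates are all made up for the example.

```python
import ipaddress

# Constructed expected-origin table: prefix -> ASNs allowed to originate it.
# A multi-homed prefix legitimately has more than one origin (slide 15's false-positive case).
EXPECTED_ORIGINS = {
    "192.0.2.0/24": {64500},
    "198.51.100.0/24": {64501, 64502},  # multi-homed: two legitimate origins
    "203.0.113.0/24": {64503},
}

def check_update(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Classify one announcement (prefix, AS_PATH) against the expected-origin table.
    Returns 'ok', 'origin-hijack' (exact prefix from an unexpected origin),
    'subprefix-hijack' (more-specific of a known prefix from an unexpected origin),
    'subprefix-ok' (more-specific from a legitimate origin, e.g. traffic engineering)
    or 'unknown' (no overlap with the table).
    """
    origin = as_path[-1]  # the last AS in AS_PATH originated the route
    net = ipaddress.ip_network(prefix, strict=False)
    if prefix in expected:
        return "ok" if origin in expected[prefix] else "origin-hijack"
    for known, origins in expected.items():
        parent = ipaddress.ip_network(known)
        if net.version == parent.version and net.subnet_of(parent):
            return "subprefix-ok" if origin in origins else "subprefix-hijack"
    return "unknown"

def scan(updates, expected=EXPECTED_ORIGINS):
    """Run check_update over (timestamp, prefix, as_path) tuples; return only the hijack alerts."""
    alerts = []
    for ts, prefix, as_path in updates:
        verdict = check_update(prefix, as_path, expected)
        if verdict.endswith("hijack"):
            alerts.append((ts, prefix, as_path[-1], verdict))
    return alerts

# Constructed sample updates (not real routing data).
SAMPLE_UPDATES = [
    ("2015-06-11T10:00:00", "192.0.2.0/24", [64510, 64500]),       # normal
    ("2015-06-11T10:00:05", "198.51.100.0/24", [64510, 64502]),    # second legitimate origin
    ("2015-06-11T10:01:00", "192.0.2.0/24", [64520, 64666]),       # exact-prefix origin change
    ("2015-06-11T10:02:00", "203.0.113.128/25", [64520, 64666]),   # more-specific, wrong origin
    ("2015-06-11T10:03:00", "203.0.113.0/25", [64510, 64503]),     # legitimate more-specific
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```

Two alerts result: the exact-prefix origin change and the more-specific from the unexpected origin; the multi-homed announcement and the legitimate more-specific pass.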
Slide 17: 2. Direct and Unintended Disruptions
- Refers to BGP misconfiguration, such as:
  - Pakistan incident, 2008: an invalid YouTube prefix was advertised, causing many ASes to lose access to the site
  - Indosat incident, 2014: over 320,000 incorrect routes were propagated
- (figure: Pakistan event, 2008)

Slide 18: 3. Indirect Disruptions
- Nimda, 2001: around a 30-fold increase in BGP updates was observed
- Slammer, 2003: dramatic spikes in the number of BGP updates
- (figure: update messages during the Slammer attack, 22-29 January 2003)

Slide 19: 4. Hardware Failure
- Moscow blackout, 2005: several hours
- Mediterranean cable incident, 2008: more than 20 countries affected
- (figure: number of BGP updates during the Moscow event)

Slide 20: BGP Anomaly Detection Techniques (figure)
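An added example, not from the slides: the indirect and hardware-failure events above show up as surges in update volume rather than as a bad origin, so a second detector looks only at counts. The function below flags per-interval update counts that exceed a robust baseline (the median of the preceding intervals) by a factor, and keeps flagged intervals out of the baseline so a multi-day storm does not become the new normal. The threshold, window size and per-minute counts are assumptions constructed for the example.

```python
from statistics import median

def spike_windows(counts, history=10, factor=5.0, min_count=50):
    """Flag per-interval BGP update counts that jump far above the recent baseline.

    counts:    update counts per fixed interval (e.g. per minute), oldest first
    history:   number of preceding unflagged intervals that form the baseline
    factor:    alert when count > factor * median(baseline)
    min_count: ignore tiny absolute counts so a quiet feed does not alert on noise
    Returns a list of (index, count, baseline_median, ratio) for flagged intervals.
    Flagged intervals are not added to the baseline, so a long-lived surge
    (the Slammer event ran for days) cannot drag the baseline up and hide itself.
    """
    alerts = []
    baseline = []
    for i, c in enumerate(counts):
        if len(baseline) >= history:
            base = median(baseline[-history:])
            ratio = c / base if base else float("inf")
            if c >= min_count and ratio > factor:
                alerts.append((i, c, base, round(ratio, 1)))
                continue  # keep the spike out of the baseline
        baseline.append(c)
    return alerts

# Constructed per-minute update counts from one collector (not real data):
# about 100 updates/min of normal churn, then a worm-style surge from minute 12.
SAMPLE_COUNTS = [95, 110, 102, 98, 120, 105, 99, 101, 97, 108, 103, 100,
                 3200, 4100, 3900, 2800, 150, 104, 99]

if __name__ == "__main__":
    for idx, count, base, ratio in spike_windows(SAMPLE_COUNTS):
        print(f"minute {idx}: {count} updates, baseline {base}, x{ratio}")
```

On the sample data minutes 12 to 15 are flagged at roughly 28 to 40 times the baseline, in the same range as the 30-fold Nimda increase cited on slide 18, and the baseline stays at about 101 throughout the surge.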
Slide 21: BGP Anomaly Detection Techniques (figure)

Slide 22: BGP Statistics
- The huge variance in the size of the Internet is leading towards increasing instability of BGP
- 40K anomalous route events were reported in the 12 months from May 2011
- 20% of the hijacking and misconfiguration events lasted less than 10 minutes, yet were able to pollute 90% of the Internet in less than 2 minutes

Slide 23: BGP Anomalies
Key requirements for a next generation of BGP anomaly detection:
- Detect different types of BGP disruptions in near real-time
- Identify the type of BGP disruption
- Locate the source of the disruption

Section: BGP Testbed

Slide 25: BGP Testbed
Why is a BGP testbed important?
1. Lack of ground-truth timestamps for the available BGP anomaly events
2. It enables examination of different types of BGP anomalies to help in their identification
3. On available BGP testbeds such as the PEER project, no hijacking or misconfiguration is allowed

Slide 26: BGP Testbed
Types of BGP testbed that have been used:
1. Quagga
2. Swinburne/ICT Cisco Labs
3. Virtual Internet Routing Lab (VIRL)

Slide 27: Quagga
- Routing software package that provides TCP/IP-based routing services
- Supports many routing protocols such as RIP, OSPF, IS-IS and BGP
- (figure: simple BGP topology on 9 VMs running Quagga)

Slide 28: Quagga
- Difficult to manage a large-scale network topology
- No virtualization support
- Number of nodes is limited by hardware specifications
- No chance to try other router OSs such as IOS and Junos

Slide 29: Swinburne/ICT Cisco Labs
- 265 Cisco routers in total: 205 Cisco 2811 and 60 Cisco 2620XM
- Swinburne offers a tool to manage the configuration of devices

Slide 30: Swinburne/ICT Cisco Labs
- (figure: simple BGP topology)

Slide 31: Swinburne/ICT Cisco Labs
- Time-consuming to set up and tear down a network
- Limited availability of labs because of teaching

Slide 32: Managing connections
- Difficult to manage network connections in a large-scale network (figure)

Slide 33: Swinburne/ICT Cisco Labs
- Still difficult to manage router configuration in a large-scale network
- No virtualization capability
- No chance to try the latest Cisco IOS versions or other router OSs

Slide 34: VIRL (Cisco Software)
- Virtual Internet Routing Lab
- Uses VMMaestro, OpenStack, AutoNetkit and Ubuntu

Slide 35: VIRL (Cisco Software)
- Easy to set up and tear down a network
- Portability and repeatability
- Virtualization capability
- Simplified packet capture
- Deployment of different OSs:
  - Cisco IOS variants such as IOS, IOS XR, IOS XE and NX-OS
  - Servers such as Ubuntu and FreeBSD

Slide 36: VIRL (Cisco Software)
- 15 nodes running on VIRL require 4 CPU cores, 8 GB DRAM and Internet access
- My target network is more than 200 nodes, which requires 40 CPU cores and 512 GB DRAM
- What can I do?

Slide 37: VIRL (Cisco Software)
- Ask ITS at Swinburne: 10 nodes, each with 8 cores and 24 GB DRAM

Slide 38: Accessing the 10 nodes at the EN building (figure)

Slide 39: VIRL
- Supports the GraphML format (topologies from http://www.topology-zoo.org/)

Slide 40: Current/Future Work
- Apply one of the existing global network topologies
- Inject BGP updates
- Create different anomalies and apply different approaches to detecting them

Section: Summary

Slide 42: Summary
- BGP is responsible for managing and exchanging Network Layer Reachability Information (NLRI) between ASes while guaranteeing loop avoidance
- BGP is vulnerable to different types of anomalies
- Key requirements for a next generation of BGP anomaly detection
- Challenges of building a BGP testbed, especially for a large-scale network
- VIRL offers a variety of facilities and options with a short time to set up and tear down a network

Slide 43: Acknowledgment
- VIRL team at Cisco for providing a free license and support
- Simon Forsayeth from ITS / Swinburne University for his help and support in making the use of 10 nodes with VIRL possible

Slide 44: Questions