BGP Link Evaluator

Transcript

1. BGP Link Reputation Evaluator An Algorithm based tool to identify

   legitimate or malicious/hijack BGP link Alfred Arouna1 Lionel Metongnon2 Pr. Marc Lobelle3 12Université d’Abomey-Calavi,23Université Catholique de Louvain [email protected],[email protected],[email protected] AfPIF 2017 - 22,23,24 August 2017 - Abidjan, Côte D’Ivoire

2. Disclamer • Ongoing study... • Community input to improve current

   result. • Code not yet ready for production (alpha release). • Code available at: https://bitbucket.org/alfredarouna/bgplink 0

3. Outline 1. Base Idea 2. Tools 3. Our proposal 4.

   Hypothesis & verification 5. Malaysia Telecom test cases results 6. Other tests cases results 7. Improvement (proposals) 1

4. Base Idea

5. Linkrank Challenge from CAIDA BGP Hackathon 1

6. Linkrank Challenge from CAIDA BGP Hackathon 1 1https://github.com/CAIDA/bgp-hackathon/wiki/ List-of-Challenges#linkrank-1 2

7. Tools

8. Tools available and missing components Tools available: 2https://bgpstream.caida.org/ 3https://bgplayjs.com/?section=bgplay 4https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt

   3

9. Tools available and missing components Tools available: • BGPStream2 (from

   CAIDA) framework to easily collect BGP records. 2https://bgpstream.caida.org/ 3https://bgplayjs.com/?section=bgplay 4https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt 3

10. Tools available and missing components Tools available: • BGPStream2 (from

    CAIDA) framework to easily collect BGP records. • BGPlayJs3 (from RIPE NCC) as user-friendly view and event animation. 2https://bgpstream.caida.org/ 3https://bgplayjs.com/?section=bgplay 4https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt 3

11. Tools available and missing components Tools available: • BGPStream2 (from

    CAIDA) framework to easily collect BGP records. • BGPlayJs3 (from RIPE NCC) as user-friendly view and event animation. • Updated list of bogon freely available4 (Team Cymru). 2https://bgpstream.caida.org/ 3https://bgplayjs.com/?section=bgplay 4https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt 3

12. Tools available and missing components Tools available: • BGPStream2 (from

    CAIDA) framework to easily collect BGP records. • BGPlayJs3 (from RIPE NCC) as user-friendly view and event animation. • Updated list of bogon freely available4 (Team Cymru). Missing components: 2https://bgpstream.caida.org/ 3https://bgplayjs.com/?section=bgplay 4https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt 3

13. Tools available and missing components Tools available: • BGPStream2 (from

    CAIDA) framework to easily collect BGP records. • BGPlayJs3 (from RIPE NCC) as user-friendly view and event animation. • Updated list of bogon freely available4 (Team Cymru). Missing components: An acceptable algorithm for link reputation evaluation. 2https://bgpstream.caida.org/ 3https://bgplayjs.com/?section=bgplay 4https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt 3

14. Tools available and missing components Tools available: • BGPStream2 (from

    CAIDA) framework to easily collect BGP records. • BGPlayJs3 (from RIPE NCC) as user-friendly view and event animation. • Updated list of bogon freely available4 (Team Cymru). Missing components: An acceptable algorithm for link reputation evaluation. 2https://bgpstream.caida.org/ 3https://bgplayjs.com/?section=bgplay 4https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt 3

15. algorithm noun Word used by programmers when they do not

    want to explain what they did. 4

16. algorithm noun Word used by programmers when they do not

    want to explain what they did. 4

17. Our proposal

18. Our proposal Before going further, what do we have: 5

19. Our proposal Before going further, what do we have: •

    Test case: Telekom Malaysia leak. • Metric: link weight. 5

20. Our proposal Before going further, what do we have: •

    Test case: Telekom Malaysia leak. • Metric: link weight. Will be interesting to have: 5

21. Our proposal Before going further, what do we have: •

    Test case: Telekom Malaysia leak. • Metric: link weight. Will be interesting to have: • New metrics: link bogon degree and link stability. • 5

22. Our proposal Before going further, what do we have: •

    Test case: Telekom Malaysia leak. • Metric: link weight. Will be interesting to have: • New metrics: link bogon degree and link stability. • Rename: link weight to link rank. 5

23. Our proposal Before going further, what do we have: •

    Test case: Telekom Malaysia leak. • Metric: link weight. Will be interesting to have: • New metrics: link bogon degree and link stability. • Rename: link weight to link rank. • New Objective: 5

24. Our proposal Before going further, what do we have: •

    Test case: Telekom Malaysia leak. • Metric: link weight. Will be interesting to have: • New metrics: link bogon degree and link stability. • Rename: link weight to link rank. • New Objective: • Algorithm to easily identify link with good/bad reputation. • Graphical view with intuitive color code: green to red. 5

25. Hypothesis & veri cation

26. Our approach (1/2) Hypothesis 6

27. Our approach (1/2) Hypothesis Links with good reputation: 6

28. Our approach (1/2) Hypothesis Links with good reputation: • does

    not carry bogon, • have positive stability, • are used by many AS. 6

29. Our approach (1/2) Hypothesis Links with good reputation: • does

    not carry bogon, • have positive stability, • are used by many AS. Veri cation (1/2) 6

30. Our approach (1/2) Hypothesis Links with good reputation: • does

    not carry bogon, • have positive stability, • are used by many AS. Veri cation (1/2) Developed an algorithm based on the hypothesis metrics: 6

31. Our approach (1/2) Hypothesis Links with good reputation: • does

    not carry bogon, • have positive stability, • are used by many AS. Veri cation (1/2) Developed an algorithm based on the hypothesis metrics: • bogon degree - bogonst(⟨A, B⟩), • link stability - stabilityt(⟨A, B⟩), • link rank - rankt(⟨A, B⟩). 6

32. Our algorithm... 7

33. Our approach (2/2) Veri cation (2/2) 5https://bgpmon.net/massive-route-leak-cause-internet-slowdown/ 6https://www.ripe.net/publications/news/industry-developments/ youtube-hijacking-a-ripe-ncc-ris-case-study 7http://www.sigcomm.org/sites/default/files/ccr/papers/2013/

    April/2479957-2479959.pdf 8

34. Our approach (2/2) Veri cation (2/2) Modified BGPlayJS to: 5https://bgpmon.net/massive-route-leak-cause-internet-slowdown/

    6https://www.ripe.net/publications/news/industry-developments/ youtube-hijacking-a-ripe-ncc-ris-case-study 7http://www.sigcomm.org/sites/default/files/ccr/papers/2013/ April/2479957-2479959.pdf 8

35. Our approach (2/2) Veri cation (2/2) Modified BGPlayJS to: •

    Draw each link instead of AS_PATH. • Use specific color (from green to red) based on link reputation cost. 5https://bgpmon.net/massive-route-leak-cause-internet-slowdown/ 6https://www.ripe.net/publications/news/industry-developments/ youtube-hijacking-a-ripe-ncc-ris-case-study 7http://www.sigcomm.org/sites/default/files/ccr/papers/2013/ April/2479957-2479959.pdf 8

36. Our approach (2/2) Veri cation (2/2) Modified BGPlayJS to: •

    Draw each link instead of AS_PATH. • Use specific color (from green to red) based on link reputation cost. Tested on three cases: 5https://bgpmon.net/massive-route-leak-cause-internet-slowdown/ 6https://www.ripe.net/publications/news/industry-developments/ youtube-hijacking-a-ripe-ncc-ris-case-study 7http://www.sigcomm.org/sites/default/files/ccr/papers/2013/ April/2479957-2479959.pdf 8

37. Our approach (2/2) Veri cation (2/2) Modified BGPlayJS to: •

    Draw each link instead of AS_PATH. • Use specific color (from green to red) based on link reputation cost. Tested on three cases: • Routes leak with Telekom Malaysia 5. • Censorship with Youtube hijack by Pakistan Telecom 6. • Malicious activities with Link Telecom incident7. 5https://bgpmon.net/massive-route-leak-cause-internet-slowdown/ 6https://www.ripe.net/publications/news/industry-developments/ youtube-hijacking-a-ripe-ncc-ris-case-study 7http://www.sigcomm.org/sites/default/files/ccr/papers/2013/ April/2479957-2479959.pdf 8

38. Three phases (1/3) 9

39. Three phases (2/3) 10

40. Three phases (3/3) 11

41. Malaysia Telecom test cases results

42. Test: Leak case (Telekom Malaysia) 12

43. Test: Leak case (Telekom Malaysia) 12

44. Test: Control case (Telekom Malaysia) 13

45. Test: Control case (Telekom Malaysia) 13

46. Leak and Control cases (Telekom Malaysia) 14

47. Leak and Control cases (Telekom Malaysia) Figure 1: Leak case

    reputation 14

48. Leak and Control cases (Telekom Malaysia) Figure 1: Leak case

    reputation • 08:43 to 10:45 UTC. • 14

49. Leak and Control cases (Telekom Malaysia) Figure 1: Leak case

    reputation • 08:43 to 10:45 UTC. • Most links have bad reputation. 14

50. Leak and Control cases (Telekom Malaysia) Figure 1: Leak case

    reputation • 08:43 to 10:45 UTC. • Most links have bad reputation. Figure 2: Control case reputation 14

51. Leak and Control cases (Telekom Malaysia) Figure 1: Leak case

    reputation • 08:43 to 10:45 UTC. • Most links have bad reputation. Figure 2: Control case reputation • 12:45 to 14:45 UTC. • 14

52. Leak and Control cases (Telekom Malaysia) Figure 1: Leak case

    reputation • 08:43 to 10:45 UTC. • Most links have bad reputation. Figure 2: Control case reputation • 12:45 to 14:45 UTC. • Mix of good and bad reputation. 14

53. Other tests cases results

54. Censorship test case (YouTube Hijack) 15

55. Censorship test case (YouTube Hijack) Figure 3: Hijack case reputation

    15

56. Censorship test case (YouTube Hijack) Figure 3: Hijack case reputation

    • 19:00 to 20:51 UTC. • 15

57. Censorship test case (YouTube Hijack) Figure 3: Hijack case reputation

    • 19:00 to 20:51 UTC. • Youtube links have bad reputation. 15

58. Censorship test case (YouTube Hijack) Figure 3: Hijack case reputation

    • 19:00 to 20:51 UTC. • Youtube links have bad reputation. Figure 4: Control case reputation 15

59. Censorship test case (YouTube Hijack) Figure 3: Hijack case reputation

    • 19:00 to 20:51 UTC. • Youtube links have bad reputation. Figure 4: Control case reputation • 21:05 to 22:56 UTC. • 15

60. Censorship test case (YouTube Hijack) Figure 3: Hijack case reputation

    • 19:00 to 20:51 UTC. • Youtube links have bad reputation. Figure 4: Control case reputation • 21:05 to 22:56 UTC. • Mix of good reputation and bad reputation. 15

61. Malicious activities test case (Link Telecom Hijack) 16

62. Malicious activities test case (Link Telecom Hijack) Figure 5: Leak

    case reputation 16

63. Malicious activities test case (Link Telecom Hijack) Figure 5: Leak

    case reputation • 08:00 to 10:00 UTC (August 24, 2011). • 16

64. Malicious activities test case (Link Telecom Hijack) Figure 5: Leak

    case reputation • 08:00 to 10:00 UTC (August 24, 2011). • Most links have bad reputation. 16

65. Malicious activities test case (Link Telecom Hijack) Figure 5: Leak

    case reputation • 08:00 to 10:00 UTC (August 24, 2011). • Most links have bad reputation. Figure 6: Control case reputation 16

66. Malicious activities test case (Link Telecom Hijack) Figure 5: Leak

    case reputation • 08:00 to 10:00 UTC (August 24, 2011). • Most links have bad reputation. Figure 6: Control case reputation • 08:00 to 10:00 UTC (September 9, 2011). • 16

67. Malicious activities test case (Link Telecom Hijack) Figure 5: Leak

    case reputation • 08:00 to 10:00 UTC (August 24, 2011). • Most links have bad reputation. Figure 6: Control case reputation • 08:00 to 10:00 UTC (September 9, 2011). • No event. 16

68. Improvement (proposals)

69. Improvement (proposals) 17

70. Improvement (proposals) • Better view 17

71. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • 17

72. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). 17

73. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility 17

74. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • 17

75. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. 17

76. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing 17

77. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing • • 17

78. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing • [Problem] Only three test cases. • 17

79. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing • [Problem] Only three test cases. • [Proposal] Add more (well-known) BGP incidents. 17

80. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing • [Problem] Only three test cases. • [Proposal] Add more (well-known) BGP incidents. • Large scale algorithm 17

81. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing • [Problem] Only three test cases. • [Proposal] Add more (well-known) BGP incidents. • Large scale algorithm • • 17

82. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing • [Problem] Only three test cases. • [Proposal] Add more (well-known) BGP incidents. • Large scale algorithm • [Problem] BGP is large scale protocol vs limited resources. • 17

83. Improvement (proposals) • Better view • [Problem] Unclear view with

    BGPlayJS. • [Proposal] Draw One line between links (using netJSON ?). • Inputs flexibility • [Problem] Collectors and time interval are hard coded. • [Proposal] Allow user to select collectors and time interval for analysis. • More testing • [Problem] Only three test cases. • [Proposal] Add more (well-known) BGP incidents. • Large scale algorithm • [Problem] BGP is large scale protocol vs limited resources. • [Proposal] Use Massive Data/AI tools for link classification. 17

84. Thanks 17

85. Thanks Corrections / updates / comments would be appreciated 17