UNIVERSITY OF PISA
PHD THESIS PROPOSAL
Anomaly Detection in Inter-Domain Routing Information
Ph.D. Student: Massimiliano Bertolucci
October 3, 2016
Supervisors: Prof. Laura Ricci, Dr. Enrico Gregori
Chapter 1
Introduction
The Internet is a complex system of interconnections among computer networks located all over the world. In the last few decades, the network of networks that makes up the Internet has evolved from a small U.S. network (ARPANET, 1969 [18]) into the current worldwide network, composed of many thousands of private, public, academic and business networks. The key to this growth has been the development of a set of protocols that enable separate networks to join into a single network of networks, the Internet. The Internet carries an extensive range of services, such as the web, electronic mail, telephony, peer-to-peer networks and more. It now reaches some 20 billion connected devices [27], and thanks to it we can communicate with people on the other side of the world, retrieve any kind of information at any time, remotely manage the lighting, temperature and security of our own house, and do many other things that would have been impossible just a couple of decades ago. The Internet is still growing, driven by ever larger amounts of on-line information, commerce, entertainment, video streaming on demand, social networking and so on.
The Internet can be viewed as an ecosystem of Autonomous Systems (ASes) that compete and co-operate with one another in order to guarantee global connectivity to end users. Here compete means that different ASes may have the same core business and therefore compete for the same customers. At the same time, each AS manages only a small portion of the Internet's IP address space, so to guarantee global connectivity all ASes must exchange routing information in order to select the right routes. The direct consequence is that the decision on how packets flow through the Internet is made in a decentralised way.
BGP [32] is the inter-domain routing protocol used to route packets among ASes; since version 4 it supports Classless Inter-Domain Routing (CIDR) in order to reduce the size of routing tables.
BGP was designed when the number of ASes involved was much smaller than today, and for this reason it was not developed with security in mind. Consequently, the protocol has no built-in mechanism to protect against deliberate or accidental errors: trust between ASes is the basis of the protocol, and the reachability information that ASes exchange with one another is always taken as correct. As a result, faulty, misconfigured or deliberately malicious sources can disrupt the behaviour of the whole Internet by injecting bogus routing information into the distributed BGP routing table. Bogus information can create, change or delete routing information, with different effects on routing behaviour. For example, a network can become unreachable because one or more pieces of routing information are deleted.
To this day, the use of an insecure protocol such as BGP leaves the Internet exposed to a variety of anomalies. In particular, BGP is vulnerable to a number of damaging attacks, often arising from operator misconfiguration, which can have serious global consequences. Recent reports have highlighted incidents of massive Internet traffic interception carried out by redirecting BGP paths across the globe, affecting banks, governments and others. The potential impact of these attacks ranges from massive eavesdropping to identity spoofing or selective content modification.
A famous example is the incident of 1997 [26], when a small ISP originated the first class-C subnet of every IP prefix (http://seclists.org/nanog/1997/Apr/444). This created reachability problems for every network and crashed routers around the world by overflowing their routing tables.
In 2006, Con Edison originated many prefixes it did not own, causing outages for several networks (http://research.dyn.com/2006/01/coned-steals-the-net/).
Another important example is BGP hijacking [2]. BGP hijacking (sometimes referred to as IP hijacking, prefix hijacking or route hijacking) is the illegitimate takeover of groups of IP addresses through the propagation of bogus routing information. Researchers and network operators have documented and studied BGP hijacks that affect network reachability. Such events either create a traffic black hole or illicitly use the victim's address block (e.g. to run spamming campaigns).
A major case happened in February 2008 [34, 40], when YouTube, the popular video sharing web site, became unreachable for most of the Internet. The Pakistani government had ordered all of the country's ISPs to block access to YouTube. To accomplish this, Pakistan Telecom (AS 17557) launched a sub-prefix hijack by originating 208.65.153.0/24, a sub-prefix of YouTube's 208.65.152.0/22, intended for its customer ASes in Pakistan; the announcement leaked to its upstream provider and propagated worldwide. Because the longer prefix is preferred, traffic destined for YouTube's servers in AS 36561 was instead forwarded to AS 17557, where it was dropped.
For 18 minutes on April 8, 2010 [14], China Telecom (AS 23724) announced approximately 50,000 prefixes registered to other ASes, demonstrating that large-scale traffic interception can also occur on the Internet. China Telecom is the 11th largest ISP on the Internet and maintains multiple ASes, partitioning its resources by geographic region (e.g. provinces) and by type (e.g. data centres vs. regional networks). Many of these ASes appear as customers of AS 4134 in the AS graph and can be further identified using whois data. The erroneous BGP updates originated from AS 23724, an AS owned by China Telecom and located in Beijing. Using traceroute, Renesys Corporation was also able to show that network traffic passed into China Telecom's network and back out to the intended destination. Finally, as reported by Renesys Corporation in November 2013 (http://research.dyn.com/2013/11/mitm-Internet-hijacking/), there is evidence that traffic interception events are becoming more frequent. Although the vulnerability of the BGP protocol is well known and widely studied, there are still no validated methods to detect such events immediately or to evaluate their impact.
Because of their complex dynamics, and the number of different actors involved on a global scale, devising effective methodologies for the detection and characterisation of traffic interception events requires empirical and timely data.
The aim of this proposal is to define a set of methodologies for the detection of inter-domain routing anomalies, both off-line and in real time, and to apply them in the development of a set of tools within the Isolario project (https://www.isolario.it/). Our main idea is to bring to this context solutions that have, in some cases, been adopted in different fields, such as machine learning, lexical representation of natural language, stigmergy and so on.
We will investigate the following issues:
• Model identification: two models have so far been adopted for the representation of BGP data, the Graph model and the Route Automaton model. The Graph model tends to oversimplify the real situation, whereas processing the very large amount of data produced by the Route Automaton in a real-time context is challenging. The first issue to investigate is the identification of the most suitable model according to the application context (off-line or real-time).
• Stigmergy: a mechanism of indirect, distributed coordination that has been used as an analysis tool to tell normal from anomalous activity. We believe that a stigmergic approach can be a useful tool to highlight route anomalies in an inter-domain routing context.
• Centrality indexes: we think that centrality indexes computed on the routing graph, and the way their values shift over time, can be useful to highlight some route anomalies. We will investigate variants based on Current Flow Betweenness, in which the value of each index depends on how information flows through the network.
• Machine learning: we will investigate how to automatically find a good predictor based on past routing histories. We believe that this approach can be a useful tool to detect in a timely manner any form of anomaly, such as misconfigurations and hijacking attacks.
Chapter 2
State of the Art
The Internet is the most pervasive technology of the information age and, thanks to the explosion of mobile devices and wireless communication, it is becoming more and more important for human society. During the last decades the Internet has evolved from a small network (ARPANET) into the current complex network. The Internet can be defined as a complex system of interconnections among computer networks that use the Internet Protocol Suite to link billions of devices worldwide. Despite its increasingly widespread use, knowledge about its real structure is still incomplete. This is an important issue because structural problems of the network cannot be detected until an outage occurs. To address this problem, several research efforts have investigated the Internet topology at every level, such as the physical level, the overlay level and the network level. Each of these topological levels is often modelled as a graph, to describe the relationships between the entities and to make the analysis of this complex structure more efficient.
The network level is very important for understanding and analysing the inter-domain relationships that exist on the Internet, and it can be divided into four levels of abstraction:
1. IP interface level: each node of the graph represents an IP interface of the network, while the edges are the connections between pairs of interfaces. This representation can be obtained by gathering the results of traceroute probes.
2. Router level: each node of the graph represents a router, while each edge represents a connection between routers. To obtain this representation, a heuristic method is generally used to aggregate the IP interfaces belonging to the same router (alias resolution).
3. PoP level: each node represents a collection of routers located in the same Point of Presence (PoP), while the edges are the connections between pairs of PoPs. This level is obtained either through reverse DNS lookups or by looking for the peculiar characteristics of IP interfaces at the IP interface level.
4. AS level: each node represents an Autonomous System (AS), an organisation or part of it that manages one or more blocks of IP prefixes, while each edge represents a business relationship between two adjacent ASes, established through the Border Gateway Protocol (BGP version 4). In order to obtain an accurate topology at this level, data is typically gathered via route collectors or by IP-to-AS mapping methods that infer the AS from the IP interface level.
Even though all these levels of abstraction have been widely studied in the recent past by a rich community of researchers, because of the poor knowledge of the real characteristics of the Internet we are still far from obtaining a faithful topological representation of the network. Indeed, the real Internet structure is not driven merely by scientific metrics but mostly by economic and geographic factors, and the main reason for our partial knowledge is the reluctance of ISPs to disclose their internal routing information. This last consideration is the main reason why we focus on the AS level.
In this section we describe how the Internet's AS structure is composed and why it has taken this form. Afterwards we address the problem of detecting anomalous events in Internet routing.
2.1 Towards the Autonomous System Architecture
In the recent past, several researchers have proposed different approaches to obtain more information on the topological structure of the Internet. Although these approaches have increased the amount of useful information describing the routes packets take, we still have to accept that our picture of the real topological structure of the Internet is incomplete. To explain this incompleteness it is necessary to understand how the Internet is composed and how it works.
As already mentioned, the Internet is a network composed of many thousands of distinct networks joined by the same exterior routing protocol. All the different networks that build the Internet are grouped under the administrative control of about 55,000 different Autonomous Systems (ASes) [10].
Autonomous System design. The idea behind the AS design is to provide an additional tool for aggregating routing information hierarchically, so as to improve the scalability of the system. Moreover, the AS architecture decouples routing inside an AS from routing between ASes: each AS can run whichever interior routing protocols it likes, independently of the others. Indeed, the key to the AS architecture is autonomy.
An AS [31] is an organisation that manages a set of routers, using internal BGP (iBGP) to distribute externally learned routes among its own routers, an interior gateway protocol to route packets within the AS, and external BGP (eBGP) to exchange routes with other ASes and decide how to route packets to them.
An AS manages a set of IP addresses and is identified by a global identification number called the AS Number (ASN). Both ASNs and blocks of IP addresses are assigned by the appropriate Regional Internet Registry (RIR) according to the region, for instance ARIN for the U.S. and Canada, and RIPE NCC [6] for Europe, Central Asia and the Middle East.
In detail, the ASN is a 16-bit or 32-bit number that uniquely identifies each AS. For instance, YouTube, Facebook and Google all operate ASes, and their ASNs are respectively 36561, 32934 and 36384. Together with the ASN, one or more IP prefix blocks are assigned to each AS.
An IP prefix block represents an address subspace of the Internet and is usually expressed in a compact representation of sequential IP addresses called CIDR notation. A CIDR prefix is a pattern that matches the first n bits of an IP address. The syntax of this notation is a dotted-decimal address, followed by a slash, then a number n from 0 to 32, i.e. a.b.c.d/n. The larger n, the smaller the block: n is the length of the fixed part of the prefix, and the block contains 2^(32-n) addresses. For example, the prefix block p = a.b.c.d/32 represents only the single IP address a.b.c.d, while p' = a.b.c.0/24 is a block of 256 sequential IP addresses from a.b.c.0 to a.b.c.255. When two prefix blocks share the same leading bits a.b.c, the first is more constraining than the second, and it is easy to see that a.b.c.d/32 is contained inside a.b.c.0/24. If the sets of destinations described by two prefixes overlap, the prefix describing the smaller set (the longer prefix, e.g. /32) is said to be more specific than the one describing the larger set (the shorter prefix, e.g. /24), which is in turn said to be less specific. In other words, the prefixes p and p' exhibit a subset relationship p ⊂ p'.
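The containment test above, and the sub-prefix hijack of the introduction (the YouTube /22 and the /24 announced inside it), can be expressed directly with Python's ipaddress module. The following is an added example and not code from the thesis or the Isolario project; the REGISTERED table is constructed sample data (the 10.0.0.0/8 entry and AS 64500 are hypothetical), standing in for whatever ground truth a detector would have, such as an IRR or RPKI feed.

```python
# Added example (not the thesis's code): prefix containment and sub-prefix
# hijack classification with Python's ipaddress module. REGISTERED is
# constructed sample data: the YouTube /22 and its origin AS are as described
# in the introduction; the 10.0.0.0/8 entry and AS 64500 are hypothetical.
from ipaddress import ip_network

REGISTERED = {
    ip_network("208.65.152.0/22"): 36561,   # YouTube, 2008 incident
    ip_network("10.0.0.0/8"): 64500,        # hypothetical entry
}


def more_specific(a: str, b: str) -> bool:
    """True when prefix a is a proper subset of prefix b, i.e. a is 'more specific'."""
    na, nb = ip_network(a), ip_network(b)
    return na.version == nb.version and na != nb and na.subnet_of(nb)


def covering_prefix(net, registered):
    """Longest registered prefix that contains `net`, or None (longest-prefix match)."""
    covers = [p for p in registered
              if p.version == net.version and net.subnet_of(p)]
    return max(covers, key=lambda p: p.prefixlen, default=None)


def classify(prefix: str, origin_asn: int, registered=REGISTERED) -> str:
    """Label one (prefix, origin AS) announcement against the registered table:
    legitimate        exact registered prefix from its registered origin
    origin-hijack     exact registered prefix from a different origin (MOAS)
    deaggregation     more specific announced by the legitimate origin itself
    subprefix-hijack  more specific announced by a different origin
    unknown           no registered prefix covers the announcement
    """
    net = ip_network(prefix)
    best = covering_prefix(net, registered)
    if best is None:
        return "unknown"
    legit = registered[best]
    if net == best:
        return "legitimate" if origin_asn == legit else "origin-hijack"
    return "deaggregation" if origin_asn == legit else "subprefix-hijack"


if __name__ == "__main__":
    # the 2008 YouTube case: the longer prefix from AS 17557 wins longest-prefix match
    print(classify("208.65.153.0/24", 17557))   # subprefix-hijack
```

Note that a "deaggregation" label is not proof of legitimacy: an attacker who can forge the origin AS (BGP does not authenticate it) produces exactly the same announcement, which is why origin-based checks are only a first filter.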
The structure of an AS. Each AS usually has a hardware infrastructure composed of computers, routers and other devices connected together in a private network. The network administrators of an AS control the organisation's network: they decide the topology of the network and which routing policy to use within it. This design is usually driven by company policies meant to improve the efficiency of resources and reduce costs, and it is carried out in complete independence from the other ASes.
The internal routing protocol and the routes packets take are carefully selected because they have a direct impact on the performance of the organisation's whole routing system. All routers are usually configured by hand, and network administrators often use traffic engineering techniques to improve routing performance. Among the most important interior routing protocols used today are the Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).
Each AS tends to hide from the other ASes how its own network is managed and organised. This is the main reason for the lack of topological information about the Internet and for the difficulty of describing the complete structure of the network.
ASes have a crucial role in routing packets on the Internet. An AS autonomously manages the routing table that allows communication from any Internet end host to its internal end hosts and vice versa. An AS has one or more routers, called border routers, that connect the internal network to the rest of the Internet. These routers must have all the information necessary to forward any Internet packet. To build this routing table, ASes exchange routing and reachability information with one another using the same exterior routing protocol.
Today it is not possible to maintain all the routing information of the Internet in a single centralised point, because of the amount of memory required and the need to keep routing fast. To overcome this limitation a distributed routing algorithm was adopted and is still in use. In a distributed algorithm each router sends all or part of its routing table only to its neighbours. Each AS has only partial knowledge of the whole Internet address space, but ASes cooperate with one another in order to find the right route to follow.
The routes found are often not the best, but the use of such limited knowledge, and consequently of a limited amount of memory, permits fast routing decisions.
The standard protocol used to exchange the information described above, accepted by all ASes, is the Border Gateway Protocol (BGP). Thanks to this exterior routing protocol among ASes, a single centralised point for routing packets is not necessary. As a result, the decision on how to route packets is completely decentralised: how a route is found depends on how the ASes are connected to one another and on what type of relationship exists among them.
The AS classification. Each AS can establish one or more neighbour relationships with other ASes. These relationships are driven by business: an AS decides to connect with another AS if it is economically convenient. As a consequence, the economic aspect is the most important factor in describing and explaining the relationships between ASes and the routes that are consequently feasible. For this reason, the ecosystem of ASes is described in more detail in section 2.3.
ASes are usually classified according to their connectivity and operating policy [22]:
Stub AS: an AS connected to only one other AS. A vast number of ASes fall into this type. From the point of view of such an AS, a single connection to another AS is enough to reach the Internet. The latter, usually called an Internet Service Provider (ISP), provides (usually sells) access to the Internet. Stub ASes are often required to commit to a minimum volume of bandwidth.
Transit AS: an AS that provides connectivity through itself to other ASes. It has two or more connections to other ASes and carries both local and transit traffic. Transit service is typically priced per megabit per second per month.
Multihomed AS: an AS that has two or more connections to other ASes, in order to increase reliability or performance, or to reduce cost. However, unlike a transit AS, a multihomed AS does not carry transit traffic from one AS to another.
2.2 Overview of the BGP protocol
As described in Chapter 1, the Internet can be viewed as an ecosystem of autonomous players that compete and co-operate with one another in order to guarantee global connectivity to end users, with the direct consequence that the decision on how packets flow through the Internet is made in a decentralised way. BGP is the main protocol used for routing packets among ASes.
Currently, BGP version 4 is the accepted standard for Internet routing and is de facto the inter-domain routing protocol that maintains and exchanges routing information among ASes. In this proposal the acronym BGP refers to version 4 of the protocol.
BGP is classified as a path-vector protocol and, like any distance-vector protocol, each speaker knows only about its neighbours. The border routers of each AS are directly connected to one or more border routers of other ASes, and adjacent BGP routers exchange all or part of the reachability information for their respective networks. As a result, the AS can be considered the unit of routing policy in the Internet.
BGP between ASes is usually referred to as eBGP, to distinguish it from iBGP, which is used within the same AS. There are several differences between eBGP and iBGP, but the important ones are that iBGP routers need not be directly connected and that routes received from one router are propagated to other routers differently (a route learned from an iBGP peer is not re-advertised to other iBGP peers).
BGP speakers use TCP to establish a session and exchange all messages. As described in [32], BGP uses four message types:
• OPEN. After a TCP connection is established between two BGP systems, they exchange OPEN messages to create a BGP session between them.
• UPDATE. BGP systems send UPDATE messages to exchange network reachability information. They use this information to construct a graph that describes the relationships among all known ASes.
• KEEPALIVE. BGP systems exchange KEEPALIVE messages to determine whether a link or host has failed or is no longer available. KEEPALIVE messages are exchanged often enough that the hold timer does not expire; they consist only of the BGP header.
• NOTIFICATION. BGP systems send a NOTIFICATION message when an error condition is detected. After the message is sent, the BGP session and the TCP connection between the BGP systems are closed. NOTIFICATION messages consist of the BGP header plus an error code, a subcode and data describing the error.
All of these messages use a fixed-size header (a 16-byte marker, a 2-byte length and a 1-byte type field) that indicates the type of the message.
The primary function of this message exchange is to propagate Network Layer Reachability Information (NLRI), creating loop-free network paths. To this end, BGP routers use the UPDATE message to announce or withdraw a non-empty list of routes, each made up of an IP prefix and several path attributes.
Table 2.1 lists the mandatory attributes present in an UPDATE message. Let us give a brief description of each. ORIGIN is a mandatory attribute that defines the origin of the associated routing information: whether the route was learned from an interior gateway protocol (IGP), from EGP, or by other means (INCOMPLETE). The NLRI field (strictly a field of the UPDATE message rather than a path attribute) is a set of IP prefix blocks, each given as a prefix length and a prefix (CIDR notation, e.g. 204.149.16.128/25). AS_PATH is a mandatory attribute composed of a sequence of AS numbers. NEXT_HOP is a mandatory attribute that gives the IP address of the border router to be used as the next hop toward the destinations listed in the NLRI.
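To make the header and the UPDATE fields just described concrete, here is an added example of a minimal decoder for the RFC 4271 wire format. It is not code from the thesis, the Isolario project or any router implementation. It assumes IPv4 unicast only, that the session negotiated 4-octet AS numbers (RFC 6793), and that AS_PATH carries only AS_SEQUENCE segments; build_update() exists solely to construct the sample message, with the prefix and AS numbers taken from the example used in this section.

```python
# Added example (not code from the thesis, the Isolario project or any router):
# a minimal decoder for the BGP wire format of RFC 4271, covering the header
# and the UPDATE fields discussed above. Assumptions: IPv4 unicast only, the
# session negotiated 4-octet AS numbers (RFC 6793), and AS_PATH contains only
# AS_SEQUENCE segments. build_update() exists only to construct sample input.
import struct
from ipaddress import IPv4Address, IPv4Network

MARKER = b"\xff" * 16                     # 16 all-ones octets
MSG_TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}
ORIGINS = {0: "IGP", 1: "EGP", 2: "INCOMPLETE"}
ATTR_ORIGIN, ATTR_AS_PATH, ATTR_NEXT_HOP = 1, 2, 3
ASN_WIDTH = 4                             # assumption: 4-octet ASNs negotiated
AS_SEQUENCE = 2


def parse_header(msg: bytes):
    """Validate the 19-byte header; return (type name, length, body)."""
    if len(msg) < 19 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    # RFC 4271: 19 <= Length <= 4096, and it must match what is on the wire
    if not 19 <= length <= 4096 or length != len(msg):
        raise ValueError("bad length field")
    return MSG_TYPES.get(mtype, "UNKNOWN"), length, msg[19:]


def _prefix_list(buf: bytes):
    """Decode the <length in bits, prefix octets> list used for NLRI and withdrawals."""
    out, i = [], 0
    while i < len(buf):
        bits = buf[i]
        n = (bits + 7) // 8                # only the significant octets are sent
        if bits > 32 or i + 1 + n > len(buf):
            raise ValueError("malformed prefix entry")
        octets = buf[i + 1:i + 1 + n].ljust(4, b"\x00")
        out.append(IPv4Network((IPv4Address(octets), bits), strict=False))
        i += 1 + n
    return out


def _as_path(value: bytes):
    """Flatten AS_SEQUENCE segments into a list of ASNs, nearest AS first."""
    path, j = [], 0
    while j < len(value):
        seg_type, seg_len = value[j], value[j + 1]
        if seg_type != AS_SEQUENCE:
            raise ValueError("AS_SET segments not handled")
        for k in range(seg_len):
            off = j + 2 + k * ASN_WIDTH
            path.append(int.from_bytes(value[off:off + ASN_WIDTH], "big"))
        j += 2 + seg_len * ASN_WIDTH
    return path


def parse_update(body: bytes) -> dict:
    """Decode withdrawn routes, ORIGIN / AS_PATH / NEXT_HOP and the NLRI."""
    wlen = struct.unpack("!H", body[:2])[0]
    withdrawn = _prefix_list(body[2:2 + wlen])
    pos = 2 + wlen
    alen = struct.unpack("!H", body[pos:pos + 2])[0]
    attrs_buf = body[pos + 2:pos + 2 + alen]
    nlri = _prefix_list(body[pos + 2 + alen:])
    result = {"withdrawn": withdrawn, "nlri": nlri}
    i = 0
    while i < len(attrs_buf):
        flags, code = attrs_buf[i], attrs_buf[i + 1]
        if flags & 0x10:                   # extended-length bit: 2-byte length
            length = struct.unpack("!H", attrs_buf[i + 2:i + 4])[0]
            i += 4
        else:
            length = attrs_buf[i + 2]
            i += 3
        value = attrs_buf[i:i + length]
        i += length
        if code == ATTR_ORIGIN:
            result["origin"] = ORIGINS[value[0]]
        elif code == ATTR_AS_PATH:
            result["as_path"] = _as_path(value)
        elif code == ATTR_NEXT_HOP:
            result["next_hop"] = str(IPv4Address(value))
    return result


def build_update(prefix: str, as_path, next_hop: str, origin: int = 0) -> bytes:
    """Encode an UPDATE announcing one prefix (sample-input constructor)."""
    net = IPv4Network(prefix)
    n = (net.prefixlen + 7) // 8
    nlri = bytes([net.prefixlen]) + net.network_address.packed[:n]
    attrs = (
        bytes([0x40, ATTR_ORIGIN, 1, origin])     # flags 0x40: well-known, transitive
        + bytes([0x40, ATTR_AS_PATH, 2 + ASN_WIDTH * len(as_path), AS_SEQUENCE, len(as_path)])
        + b"".join(a.to_bytes(ASN_WIDTH, "big") for a in as_path)
        + bytes([0x40, ATTR_NEXT_HOP, 4]) + IPv4Address(next_hop).packed
    )
    body = struct.pack("!HH", 0, len(attrs)) + attrs + nlri   # no withdrawn routes
    return MARKER + struct.pack("!HB", 19 + len(body), 2) + body
```

Two details matter for anyone parsing feeds from route collectors: the length field is checked against the bytes actually received before any offset is trusted, and each prefix entry is bounds-checked, since a malformed NLRI length is the classic way a BGP parser is made to read out of bounds.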
TABLE 2.1: Attributes of an UPDATE message

Attribute    Example
Origin       IGP
NLRI prefix  10.0.0.0/22, 10.0.1.0/24
AS-Path      111 222 333 444
Next-Hop     10.0.0.2

Although all these attributes are very important for a correct exchange of routing information, in the following we analyse only a subset of them. For simplicity, consider an UPDATE message such as 10.0.0.0/24 222 333 444. We can split this message into two parts: the first is the IP prefix, the second an important attribute called AS-PATH.
The AS-PATH can be described as the most interesting mandatory path attribute: it contains a sequence of AS numbers that is a feasible route to reach any address contained in the given IP prefix. The attribute is originated by the AS border router (ASBR) that announces the prefix and is modified every time another ASBR propagates the route on the Internet. Our simple message shows that, in order to reach any address contained in the IP prefix block, data passes through ASes 222 and 333 and ends in AS 444. AS 444 is the first AS that announced the UPDATE message (the origin AS). From this message alone we cannot say that the IP prefix belongs to AS 444: the AS might be either the owner or a spokesperson for the owner; in the latter case AS 444 knows how to reach the real owner but does not want to show it. The ASBR that receives this message selects, according to its own criteria, the best way to reach prefix 10.0.0.0/24. If this route is selected as best, the ASBR propagates the UPDATE message after prepending its own AS number to the AS-PATH attribute. Continuing the example, if the receiving AS has AS number 111, the propagated UPDATE message will be 10.0.0.0/24 111 222 333 444.
Moreover, the AS-PATH has a fundamental role in the prevention of routing loops. The AS-PATH attribute is used to prune routing loops by excluding from the decision process every route whose AS-PATH already contains the AS number of the local system. For instance, suppose that the previous UPDATE message is received by a BGP router of AS 333. The full AS-PATH of the message is scanned for the number 333; its presence means that accepting the route would create a loop in the path. As a consequence, the route is discarded.
2.2.1 Decision Process of the BGP protocol
The operations described above are computed locally by the Decision Process (DP) of each router. For each new UPDATE message received, each BGP speaker (a router that runs BGP) runs a local DP to decide the (local) routing according to policy. The DP selects routes by applying the policies in the local Policy Information Base (PIB). The result of this process is the set of routes used locally by the speaker and advertised to other routers.
When a BGP speaker receives a new UPDATE message, its local DP determines a degree of preference for each route based on preconfigured policy information. This phase also determines whether the route is eligible or ineligible (e.g. because of a loop).
For ease of reading, we list the major criteria used by the DP to select the best path:
1. Weight is a parameter that defines a degree of preference for a path (a vendor-specific attribute local to the router, not part of the standard). The path with the highest weight is preferred.
2. Otherwise, choose the route with the highest local preference.
3. Prefer routes that this router originated.
4. Since the AS-PATH attribute records the ASes traversed, it provides a natural way to compare two otherwise equivalent paths: in general, given two different routes to the same prefix, the preferred one is that with the shorter AS-PATH.
5. Choose more specific routes. Given two or more overlapping routes, the one whose prefix block is more specific wins. Strictly, this is not a step of the BGP decision process, which compares routes to the same prefix, but the effect of longest-prefix matching when the router forwards packets; in practice it lets a more specific announcement capture traffic regardless of the other criteria, which is what makes sub-prefix hijacks effective.
FIGURE 2.1: Example of loop prevention
FIGURE 2.2: Example of decision based on path length
FIGURE 2.3: Example of a more specific path
Figures 2.1, 2.2 and 2.3 show three scenarios from the point of view of AS 2222 when three different UPDATE messages are received. Figure 2.1 shows AS 2222 rejecting a path in order to avoid a loop: note that the AS number 2222 is contained in the received message. Figure 2.2 shows AS 2222 rejecting a path after selecting the best path from its own point of view; note that the best path is the shortest in terms of ASes to traverse. The last scenario, in figure 2.3, shows AS 2222 accepting the new path because it is more specific than the one it already has: here we have two routes for overlapping prefixes of different lengths (/17 ⊂ /16).
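The three scenarios, the AS-PATH prepending of section 2.2 and the decision criteria above can be replayed with a toy BGP speaker. The following is an added example, not code from the thesis or the Isolario project: it models only loop prevention on the AS-PATH, local preference, AS-PATH length, prepending on propagation and longest-prefix match at forwarding time (RFC 4271 section 9.1 lists further tie-breakers), and all AS numbers and prefixes are constructed.

```python
# Added example, not the thesis's code: a toy BGP speaker applying the rules
# discussed above (loop prevention on AS-PATH, local preference, AS-PATH
# length, longest-prefix match at forwarding time) and prepending its own
# ASN when propagating. Only these criteria are modelled; RFC 4271 section
# 9.1 lists further tie-breakers. AS numbers and prefixes are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    as_path: Tuple[int, ...]   # leftmost = neighbour we learned it from, rightmost = origin
    local_pref: int = 100


@dataclass
class Speaker:
    asn: int
    rib: dict = field(default_factory=dict)   # prefix -> best Route

    def is_loop_free(self, route: Route) -> bool:
        # Fig. 2.1: a path that already contains our ASN would loop, so it is ineligible
        return self.asn not in route.as_path

    @staticmethod
    def prefer(new: Route, old: Route) -> bool:
        """Decision process for two routes to the same prefix: higher local
        preference first, then shorter AS-PATH (Fig. 2.2)."""
        if new.local_pref != old.local_pref:
            return new.local_pref > old.local_pref
        return len(new.as_path) < len(old.as_path)

    def receive(self, prefix: str, as_path, local_pref: int = 100) -> bool:
        """Handle one announcement; return True if it became the best route."""
        route = Route(IPv4Network(prefix), tuple(as_path), local_pref)
        if not self.is_loop_free(route):
            return False
        old = self.rib.get(route.prefix)
        if old is None or self.prefer(route, old):
            self.rib[route.prefix] = route
            return True
        return False

    def best(self, prefix: str) -> Optional[Route]:
        return self.rib.get(IPv4Network(prefix))

    def advertise(self, prefix: str) -> Route:
        """Propagate our best route with our own ASN prepended to the AS-PATH."""
        b = self.rib[IPv4Network(prefix)]
        return Route(b.prefix, (self.asn,) + b.as_path, b.local_pref)

    def lookup(self, dst: str) -> Optional[Route]:
        """Forwarding-plane longest-prefix match: a more specific route wins
        (Fig. 2.3) regardless of the criteria above, which a sub-prefix hijack exploits."""
        addr = IPv4Address(dst)
        matches = [r for p, r in self.rib.items() if addr in p]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def demo() -> Speaker:
    """Replay the scenarios of Figs. 2.1-2.3 from AS 2222's point of view."""
    me = Speaker(asn=2222)
    me.receive("10.0.0.0/24", (111, 2222, 444))        # rejected: our ASN is in the path
    me.receive("10.0.0.0/24", (111, 222, 333, 444))    # accepted: first route seen
    me.receive("10.0.0.0/24", (555, 444))              # accepted: shorter AS-PATH
    me.receive("10.0.0.0/16", (777,))                  # separate, less specific entry
    me.receive("10.0.0.0/24", (9, 8, 7, 6, 444))       # rejected: longer AS-PATH
    return me
```

A route with a higher local preference replaces the best route even when its AS-PATH is longer, which is the operator's lever for preferring customer routes; the test below exercises that case as well.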
2.3 Inter-AS economic relationships
BGP has been so successful because it is a policy-based inter-domain routing protocol. The high flexibility of the protocol allows precise outbound route filtering policies according to the economic agreements established among the parties. In this section we analyse the business relationships underlying the interaction and linking between different ASes.
Two ASes communicate if and only if a business relationship exists between them. Communication among ASes plays an important role in defining the routes packets take on the Internet through the exterior protocol BGP. A generic BGP router exchanges all or part of its network reachability information with its neighbours, and the reachability information that a router of a generic AS communicates to others is carefully filtered depending on the type of economic agreement established between them. Despite the large number of possible economic agreements, inter-AS relationships can be categorised into three main classes:
provider-to-customer (p2c) | customer-to-provider (c2p). The provider announces to the customer the routes necessary to reach every Internet destination. The provider obtains all the routes from its customers, providers and peers (if any), plus the routes it owns itself. The core business of these providers is usually the sale of Internet service to customers; in order to provide this service, providers carefully select a subset of these routes according to their business model. The customer, on the other hand, announces back only its own IP routes (possibly including those obtained from its own customers).
peer-to-peer (p2p). The peers reciprocally provide access to each other's customers. In other words, each of the two ASes announces the routes obtained from its customers to the other. The relationship is typically free of charge, with each side deriving about the same benefit from the reciprocal arrangement.
sibling-to-sibling (s2s). Each sibling acts as a provider for the other by announcing all of its routes. The two ASes typically belong to the same organisation.
FIGURE 2.4: Inter-AS economic relationships
Chapter 2. State of the Art
In figure 2.4, a representation of the feasible business relationships among the ASes described above is shown. The figure identifies the typical announcement exchange according to the type of relationship occurring between the ASes.
Sometimes, in the real world, ASes may also exchange messages containing routes which violate the business relationship agreement. In detail, an AS sends to its neighbours an announcement that should not be sent because it violates the commercial agreement between them. These bogus announcements are then propagated through the Internet. When this occurs we speak of a violation of the valley-free principle described in [9]. The valley-free principle is one of the most important concepts related to BGP routing paths. It defines patterns of routing paths that allow the Internet ASes to minimize their routing costs through selective announcement of BGP routes. After traversing a provider-to-customer (p2c) or peer-to-peer (p2p) edge, the AS path cannot traverse a customer-to-provider (c2p) or p2p edge.
Formally, an AS path is valley-free if and only if the following conditions hold true:
• A p2c edge can be followed only by p2c or s2s edges.
• A p2p edge can be followed only by p2c or s2s edges.
Human error in defining BGP export policies on ASBRs is typically the most common cause of valley-free principle violations.
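The two conditions above can be turned directly into a check that walks an AS path edge by edge. The following is an added example, not code from the proposal: the AS numbers and the relationship map are constructed, and edge labels use the page's own notation (p2c, c2p, p2p, s2s), given in the direction in which the path is walked.

```python
"""Valley-free check for an AS path (added example; topology is constructed)."""


def _collapse_prepending(as_path):
    """Drop consecutive repeats (AS prepending) so a->a is never treated as an edge."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def is_valley_free(as_path, relationships):
    """Return (ok, reason) for an AS path given as a list of ASNs.

    `relationships` maps (from_as, to_as) to the edge type crossed when
    walking from from_as to to_as. Reading the path from either end gives
    the same verdict, because the valley-free pattern (uphill c2p edges,
    at most one p2p edge, then downhill p2c edges) is symmetric.
    """
    path = _collapse_prepending(as_path)
    downhill = False  # becomes True once a p2c or p2p edge has been crossed
    for a, b in zip(path, path[1:]):
        edge = relationships.get((a, b))
        if edge is None:
            return False, "unknown relationship %d->%d" % (a, b)
        if downhill and edge in ("c2p", "p2p"):
            return False, "%s edge %d->%d after a p2c/p2p edge (valley)" % (edge, a, b)
        if edge in ("p2c", "p2p"):
            downhill = True
    return True, "valley-free"


def _both_ways(pairs):
    """Build the relationship map from one-directional entries."""
    inverse = {"p2c": "c2p", "c2p": "p2c", "p2p": "p2p", "s2s": "s2s"}
    rels = {}
    for (a, b), kind in pairs:
        rels[(a, b)] = kind
        rels[(b, a)] = inverse[kind]
    return rels


# Constructed topology (hypothetical ASNs): 100 is provider of 200, 200 is
# provider of 300, 200 and 250 peer, 250 and 260 are siblings, 250 is provider of 400.
RELATIONSHIPS = _both_ways([
    ((100, 200), "p2c"),
    ((200, 300), "p2c"),
    ((200, 250), "p2p"),
    ((250, 260), "s2s"),
    ((250, 400), "p2c"),
])


def check(as_path):
    """Check a path against the constructed topology."""
    return is_valley_free(as_path, RELATIONSHIPS)


if __name__ == "__main__":
    for p in ([300, 200, 250, 400], [100, 200, 250, 400], [300, 200, 100, 100]):
        print(p, check(p))
```

The second sample path crosses a p2c edge (100 to 200) and then a p2p edge (200 to 250): a provider would be forwarding a customer's route to a peer, which is exactly the leak pattern the text describes.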
2.4 Inferring the Internet AS-level topology
The knowledge of the Internet AS-level topology, together with its economic and geographic characterization, could be useful for many different users and goals. For example, Internet governance bodies and network operators could exploit the topology to assess the resilience of the Internet AS-level ecosystem in response to attacks. Moreover, this knowledge could be used to identify critical failure points in the Internet structure, which may be crucial for political, economic, commercial and strategic purposes concerning the Internet AS-level ecosystem [12, 13].
Due to the distributed nature of the Internet, there is no trusted third-party repository containing an up-to-date Internet AS-level topology that can be downloaded. The only available repositories are the Internet Routing Registry databases, but it is still difficult to distinguish fresh and complete connectivity information from stale or mistaken information, since they are manually maintained on a voluntary basis [7]. Researchers thus tried to infer the AS-level topology by exploiting collateral effects of the BGP protocol. Specifically, the AS_PATH attribute can be used to extract AS connectivity information. To infer the AS-level topology, researchers exploited BGP data made available by route collector (RC) projects such as Route Views and RIPE-RIS, which collect BGP data from routers belonging to ASes willing to participate [28]. Researchers started to infer an Internet AS-level topology from these data and used this topology as the basis for their research studies, without worrying too much about its completeness [8, 39]. Recently, there have been efforts to analyse the (in)completeness of data obtained through BGP RC projects [29, 35]; however, there has not been any study to quantify it.
Several sources are used to collect raw data about BGP routes. They fall into four categories [41]: BGP route collectors, route servers, looking glasses, and the Internet Routing Registry (IRR) databases. A BGP route collector receives BGP messages from its feeder ASes, but it does not advertise any prefixes back to them. Periodically or in real time, the collector dumps its full routing tables and the routing updates received from its feeders. A collector has a point of view of the Internet from each AS connected to it. The more feeders a collector has, the more topological information it can collect. RouteViews and RIPE RIS are two major measurement projects that deploy collectors and make BGP trace data publicly available.
Route servers, instead, are routers made publicly accessible by some ISP
networks to help troubleshoot network problems. Users can interact with a
route server with particular commands. Unlike BGP route collectors, route
servers do not provide routing updates, nor do they provide an archive of
past data.
Looking glasses are accessible remotely through a web interface for running a very limited set of commands on routers. They allow users to check the route to a particular prefix, but do not allow downloading entire routing tables, nor do they provide routing updates. A looking glass is usually owned and operated by organizations or network operators and acts as a read-only portal.
Finally, the IRR is a set of distributed databases with the purpose of ensuring the stability and consistency of Internet-wide routing by sharing information between network operators. The IRR actually consists of several databases where network operators publish their routing policies and routing announcements so that other network operators can use this data. The databases that form the IRR are manually maintained by operators, mostly on a voluntary basis. Information therein may be incorrect, incomplete, or out-dated.
In the past, there has been increasing interest in studying and modelling the AS-level topology. Some of the most well-known activities include the definition of measurements to infer the Internet's AS connectivity graph and describe its properties [8], building topology generators to produce graphs or other specific structures to model the AS connectivity graph [16, 15], and studying the effectiveness of detection/prevention of attacks on the network infrastructure. This proposal focuses on the problems of anomaly detection and of inferring the AS-level topology. The incompleteness of the BGP data currently makes both tasks very challenging.
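As an added example (not code from the proposal or from any collector project), the following shows how the AS_PATH attribute is turned into AS-level links, and why the union of several feeders reveals more of the topology than any single one. The RIB entries ("prefix|AS_PATH", one list per feeder), the feeder names, ASNs and prefixes are all constructed.

```python
"""AS-level adjacencies inferred from AS_PATH attributes seen at route collectors."""

# Constructed dump lines, one list per (hypothetical) feeder.
FEEDS = {
    "feeder-A (AS 100)": [
        "10.0.0.0/24|100 200 300",
        "10.0.1.0/24|100 200 300 300 300",  # prepending: adds no new link
        "10.0.2.0/24|100 250 {400,401}",     # AS_SET: no ordering inside it
    ],
    "feeder-B (AS 500)": [
        "10.0.0.0/24|500 250 200 300",
        "10.0.3.0/24|500 600",
    ],
}


def parse_as_path(path_str):
    """Return the AS sequence with prepending collapsed, stopping at an AS_SET."""
    asns = []
    for tok in path_str.split():
        if tok.startswith("{"):  # aggregated AS_SET: members are unordered
            break
        asn = int(tok)
        if not asns or asns[-1] != asn:
            asns.append(asn)
    return asns


def edges_of(paths):
    """Undirected AS-AS links: each adjacent pair in a path is one link."""
    links = set()
    for p in paths:
        for a, b in zip(p, p[1:]):
            links.add(frozenset((a, b)))
    return links


def infer_topology(feeds):
    """Return (links seen per feeder, union of all links)."""
    per_feeder = {}
    union = set()
    for name, lines in feeds.items():
        paths = [parse_as_path(line.split("|", 1)[1]) for line in lines]
        per_feeder[name] = edges_of(paths)
        union |= per_feeder[name]
    return per_feeder, union


def coverage(feeds=FEEDS):
    """Fraction of the union each feeder alone reveals, and the union size."""
    per_feeder, union = infer_topology(feeds)
    return {name: len(links) / len(union) for name, links in per_feeder.items()}, len(union)


if __name__ == "__main__":
    print(coverage())
```

Each feeder alone sees only its own customer cone and upstreams; the links it never traverses (here, 500-600 for feeder A, 100-200 for feeder B) are exactly the incompleteness the text refers to.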
2.5 An overview of BGP Vulnerabilities
The BGP protocol was created when the number of ASes involved was much smaller than now and for this reason it was not developed with security in mind. Consequently, it has no security mechanism against deliberate or accidental errors. Trust between ASes is the basis of this protocol: the reachability information exchanged is always considered correct by all ASes. As a result, faulty, misconfigured or deliberately malicious sources can disrupt overall Internet behaviour by injecting bogus routing information into the BGP distributed routing table. Bogus information can create, change or delete routing information, producing different effects on routing behaviour. For example, a network can become unreachable due to the deletion of one or more pieces of routing information. A change of routing information can instead produce delay through a longer than necessary path. Finally, the creation of new routing information makes an AS network appear reachable even when it is not. Summing up, a fake announcement produced by any AS can fragment the Internet and also cause routing problems for other networks through the propagation of these bogus announcements across the Internet. This bogus information can cause communication failures and today, considering the increasing number of applications on the Internet, this represents a crucial aspect that has to be faced. The sources of bogus routing information can be either outsiders or legitimate ASes.
In the following we present some widely known international incidents. Then, for each one, we examine the cause which led to the disturbance of normal activity on the Internet.
AS 7007 Incident. The best known incident of route misconfiguration was the case of MAI Network Services (AS7007) on April 25, 1997 [26]. AS 7007 flooded the Internet with incorrect advertisements covering essentially the entire Internet. A part of the entire route table accidentally leaked outside of AS7007, creating a routing black hole. As a result, AS7007 quickly disrupted reachability to many networks for several hours.
The case of Pakistan Telecom. Another classic and widely publicized incident was caused a few years ago (2008) by a Pakistani service provider [34, 40]. The Pakistan government wanted to block access to YouTube internally. The service provider Pakistan Telecom (AS17557), in response to a government order, started advertising a route for 208.65.153.0/24 to its provider PCCW (AS 3491). In detail, the route announced is more specific than the one usually used by YouTube (208.65.152.0/22). This route somehow leaked outside Pakistan and was carried by many service providers across the Internet. As a consequence, most routers would choose to send traffic to Pakistan Telecom for this slice of YouTube's network. As a result, a part of YouTube was out of reach from a part of the Internet. It is easy to identify in this scenario that the announcement of illegitimate routes is the basis of this incident. In this case, PCCW (3491) accepted this wrong route and then propagated it to the rest of the world. It is worth noting that, since it was a more specific route, it represented the best route for many ASes.
2.5.1 The identification of vulnerabilities
In the following we define the three main vulnerabilities recognized and suggested by Murphy [23]:
1. The BGP protocol does not have any strong mechanism against integrity and source entity violations of the messages exchanged between ASes. For instance, any device in the middle of the connection between two ASes can secretly send or alter the messages.
2. BGP does not have any mechanism to validate an AS's authority to announce reachability information. For instance, an AS can announce an IP prefix of other ASes.
3. BGP does not have any mechanism to ensure the authenticity of the path attribute announced by an AS. For instance, an AS can send an UPDATE message with bogus information.
These vulnerabilities are the fundamental risk situations present in the inter-domain routing system. Moreover, they provide an open door for attacks on the Internet by malicious persons.
As a result of these vulnerabilities, the BGP protocol is subject to the following attacks:
• confidentiality violations: all BGP messages exchanged among ASes are sent in clear text, so eavesdropping is a possible attack against routing data confidentiality.
• replay: the same message can be sent more than once.
• message insertion: the use of clear-text messages and of a TCP connection gives the opportunity to insert any BGP message.
• message deletion: again, the use of a TCP connection gives the opportunity to delete any BGP message.
• message modification: a modification that is syntactically correct and does not change the length of the TCP payload would in general not be detectable.
• man-in-the-middle: BGP does not provide any authentication mechanism, so a man-in-the-middle attack is child's play.
• denial of service: bogus information can represent a denial of service on the BGP routing protocol.
2.5.2 Understanding the BGP anomalies
It is easy to take down portions of the Internet by announcing illegitimate routes to those parts. The disruption of Internet routing can occur either as a result of accidental misconfiguration (e.g. policy violation) by network operators or of malicious route announcements. In the following, we present a classification of the set of anomalies within inter-domain routing. We define an inter-domain anomaly as an unexpected event with respect to the BGP specification [32] that occurs in one or more attributes of a BGP message, or also a directly incorrect UPDATE/WITHDRAWAL message. We have separated the anomalies according to their feasible cause.
Anomaly type   Example
Path Loops     3561 26821 3561 2747
AS padding     3561 26821 27474 27474 27474
Private AS     65533 3561 26821 3561 2747
TABLE 2.2: Example of path anomalies present in the AS-Path attribute.
This first classification considers the anomalies voluntarily produced by ASes.
• Non origin AS padding. It is a technique to achieve some control over the path selection of upstream domains. The idea is to inject the AS number into the AS-PATH attribute more than once, so as to create a worse path (e.g. second row in table 2.2). Moreover, these rules are set manually by administrators and thus the misconfiguration of some router can generate a fake path.
• Path Loops. As described in Section 2.2, a fundamental motivation of a path vector protocol, such as BGP, is the prevention of routing loops. Nevertheless, some loops can be found in the AS-Path attribute, as BGP data show. Indeed, a number of ASes do not implement loop filtering checks (e.g. first row in table 2.2).
• Private AS announcements. The IANA reserved a well-defined set of AS numbers (64512-65535) that should not be announced on the Internet. However, some of them are erroneously announced on the Internet (e.g. third row in table 2.2).
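The three path anomalies of table 2.2 can be recognised from the AS-Path alone. The following classifier is an added example, not code from the proposal: it takes the three table rows plus a constructed clean path. Whether padding counts as "non-origin" depends on which end of the written path is the origin, so the reading order is a parameter (origin_last=True is the order of the AS_PATH attribute on the wire).

```python
"""Classify AS_PATH anomalies: loops, AS padding, private AS numbers (added example)."""

PRIVATE_ASN = range(64512, 65536)  # the reserved 16-bit range cited in the text


def classify_as_path(path_str, origin_last=True):
    """Return the set of anomaly labels found in one AS path string."""
    asns = [int(tok) for tok in path_str.split()]
    findings = set()

    if any(a in PRIVATE_ASN for a in asns):
        findings.add("private-as")

    # Group consecutive repeats into runs: [[asn, run_length], ...]
    runs = []
    for a in asns:
        if runs and runs[-1][0] == a:
            runs[-1][1] += 1
        else:
            runs.append([a, 1])

    # Padding (prepending) is a run longer than one; label it by who did it.
    origin_idx = len(runs) - 1 if origin_last else 0
    for i, (asn, count) in enumerate(runs):
        if count > 1:
            findings.add("origin-padding" if i == origin_idx else "non-origin-padding")

    # A loop: the same AS reappears after a different AS was traversed.
    distinct = [asn for asn, _ in runs]
    if len(distinct) != len(set(distinct)):
        findings.add("loop")

    return findings


# The rows of table 2.2, keyed by the path string.
TABLE_2_2 = {
    "3561 26821 3561 2747": "Path Loops",
    "3561 26821 27474 27474 27474": "AS padding",
    "65533 3561 26821 3561 2747": "Private AS",
}


def classify_table(origin_last=True):
    """Classify every row of table 2.2 under the chosen reading order."""
    return {p: sorted(classify_as_path(p, origin_last)) for p in TABLE_2_2}


if __name__ == "__main__":
    for order in (True, False):
        print("origin_last=%s" % order, classify_table(order))
```

Read in AS_PATH order the second row is padding by the origin (27474 is the last AS); read origin-first, as the text's label suggests, it is padding by a non-origin AS. The third row triggers two labels at once, a private ASN and a loop.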
FIGURE 2.5: Example of MOAS
In the following, we present a set of anomalies involuntarily produced by ASes. Sometimes these routing anomalies are labelled as misconfigurations to distinguish them from the anomalies described above.
• Route Export Anomalies. The contract between domains must be satisfied. Export anomalies often involve accidental leakage of routes and incorrect announcements in violation of the policies.
• Violation of the Valley-Free property. An AS is willing to advertise a path for which it does not obtain revenue, violating the valley-free property (Section 2.3).
Before explaining the last anomalies, we present the Origin AS conflict. A Multiple Origin Autonomous System (MOAS) conflict occurs when more than one AS claims to be the owner of a given prefix p. More precisely, suppose a prefix p and two routes towards it, p = (AS1, AS2, AS3) and p = (AS4, AS5, AS6). We say a MOAS conflict occurs if AS6 ≠ AS3 [42]. In fig. 2.5 we can see a simple MOAS event where two ASes claim to be the owner of the prefix 10.0.0.0/24. This conflict can be produced by normal traffic engineering activities, by the misconfiguration of some router, or by malicious activities such as IP hijacking.
Finally, we present the main anomaly voluntarily produced by either malicious outsiders or legitimate ASes: IP hijacking. IP hijacking is an attack that steals IP addresses belonging to other networks.
• Hijack a prefix with (or without) its AS. A full IP prefix belonging to the victim AS is announced by another AS in order to carry out some malicious intent. This type of attack has the same characteristics as a MOAS anomaly. An attacker can decide to hide its true identity by not adding its AS number to the AS-Path. Moreover, it can also add other AS numbers, such as the AS number of the owner of the IP prefix.
• Hijack a subnet of a prefix with (or without) its AS. A subnet of the IP prefix belonging to the victim AS is announced by another AS. In figs. 2.6 and 2.7 we show the inter-domain routing before and after an IP hijacking attack occurs. In fig. 2.6, the edges represent the correct direction in which the packets traverse the network. An attacker, in the example AS 7007, propagates different BGP announcements in order to receive traffic destined to the victim, in the example AS 877. In fig. 2.7, we can see how things change.
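The MOAS definition above (AS6 ≠ AS3) and the sub-prefix case can both be checked against a collector's RIB. The following is an added example, not code from the proposal: the RIB lines ("prefix|AS_PATH"), the baseline of expected origins and every ASN and prefix are constructed.

```python
"""MOAS conflicts and more-specific announcements against a baseline (added example)."""
import ipaddress
from collections import defaultdict

# Constructed baseline: covering prefix -> the origin AS expected to announce it
# (for instance taken from a stable earlier RIB snapshot).
BASELINE = {"10.0.0.0/22": 111}

# Constructed RIB entries seen at a hypothetical collector.
RIB = [
    "10.0.0.0/22|300 200 111",   # legitimate origin
    "10.0.0.0/22|400 222",       # second origin for the same prefix: MOAS
    "10.0.1.0/24|500 333",       # more specific, foreign origin: sub-prefix pattern
    "10.0.2.0/24|600 111",       # more specific, same origin: traffic engineering
    "192.0.2.0/24|700 444",      # not covered by the baseline
]


def origins_by_prefix(rib_lines):
    """Map each announced prefix to the set of origin ASes (last AS in the path)."""
    origins = defaultdict(set)
    for line in rib_lines:
        prefix, path = line.split("|", 1)
        origins[ipaddress.ip_network(prefix)].add(int(path.split()[-1]))
    return origins


def find_moas(rib_lines=RIB):
    """Prefixes claimed by more than one origin AS."""
    return {str(p): sorted(o) for p, o in origins_by_prefix(rib_lines).items() if len(o) > 1}


def find_subprefix_conflicts(rib_lines=RIB, baseline=BASELINE):
    """More-specific prefixes whose origin differs from the covering prefix's
    expected origin. Returns tuples (sub_prefix, origin, covering_prefix, expected)."""
    expected = {ipaddress.ip_network(p): asn for p, asn in baseline.items()}
    alerts = []
    for prefix, origins in origins_by_prefix(rib_lines).items():
        for cover, asn_ok in expected.items():
            if prefix.version != cover.version or prefix == cover:
                continue
            if prefix.subnet_of(cover):
                for asn in sorted(origins):
                    if asn != asn_ok:
                        alerts.append((str(prefix), asn, str(cover), asn_ok))
    return alerts


if __name__ == "__main__":
    print(find_moas())
    print(find_subprefix_conflicts())
```

Neither check catches the variant the text mentions in which the attacker appends the victim's AS number as origin: the origin then looks legitimate, and only a comparison of the whole path against previously observed paths can reveal it.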
FIGURE 2.6: Ex. Hijacking (Before)
FIGURE 2.7: Ex. Hijacking (After)
2.5.3 Possible damages
All the anomalies presented above may lead to different damages to the routing information of the whole Internet. For simplicity's sake, we list the feasible damages [23]:
1. Starvation: a node receives data traffic destined to a part of the network but does not know how to deliver it.
2. Network congestion: a network node carries more data than it can handle. As a consequence, the typical effects produced are queueing delay, packet loss, etc.
3. Blackhole: a network node receives a large amount of packets that it cannot handle. This makes a portion of the Internet unreachable because many/most/all packets are dropped.
4. Delay: data traffic passes through a longer and more indirect route, increasing the delay.
5. Looping: the data is never delivered because of the existence of loops.
6. Eavesdrop: the data traffic passes through some node that would otherwise not see the traffic, affording an opportunity to observe it.
7. Partition: a portion of the Internet is partitioned from the rest of the network, or believes that it is.
8. Cut: a portion of the Internet has no route to reach some network, or believes that.
9. Churn: the forwarding in the network changes at a rapid pace, resulting in large variations in the data delivery patterns (and adversely affecting congestion control techniques).
10. Instability: BGP becomes unstable in such a way that convergence on a global forwarding state is not achieved.
11. Overload: the BGP messages themselves become a significant portion of the traffic the network carries.
12. Resource exhaustion: the BGP messages themselves cause exhaustion of critical router resources, such as table space.
13. Address-spoofing: data traffic is forwarded through some router or network that is spoofing the legitimate address, thus enabling an active attack by affording the opportunity to modify the data.
2.6 Current concerns in routing anomaly detection
To improve the security of BGP, several methods have been proposed, which
fall into three categories: cryptographic based prevention, anomaly mitigation,
and anomaly detection [37].
Cryptographic Based Prevention. The cryptographic technique provides a secure communication channel among BGP speakers in order to guarantee the authentication of routing announcements. It usually uses a Public Key Infrastructure (PKI) to verify the identity of any entity via digital signatures. Due to its complexity it consumes significant router resources, which makes it unsuitable.
The most well-known approach is called the Secure Border Gateway
Protocol (S-BGP) [17] and operates as follows. S-BGP implements security by validating path attributes in BGP UPDATE messages. During the
propagation of an UPDATE message, each member on the path appends its
information to the message and cryptographically signs the result before
passing it along. Unfortunately, this solution requires a public key infrastructure that assigns public keys to all participating ASes.
Another solution is ASRAP (Autonomous System Routing Authority Protocol) [11], which does not require modifications to the existing protocol and can be deployed incrementally. Similar to S-BGP, this protocol allows an AS to verify routing updates. Unlike S-BGP, however, the UPDATE messages themselves are not modified. Instead, each participating AS has to provide an ASRAP service that can be queried by others to verify transmitted routing updates. The weak point of this solution is that AS administrators have to install such services and maintain an additional database, initially without receiving any obvious benefit.
Ng et al. [25] propose secure origin BGP (soBGP) where the origin of any
BGP advertisement can be verified and authenticated, preventing origin
advertisement by unauthorized ASes. Furthermore, soBGP ensures that the
final destination in an advertised path is actually within the AS to which the
packets are routed. soBGP uses certificates and a new SECURITY message to carry security information within the BGP protocol and to ensure the above properties.
A comparison between S-BGP and soBGP has been proposed in [43]. The authors explain that S-BGP is far more complete than soBGP, because it provides clear security requirements that work well theoretically. However, S-BGP is too complex and suffers from slow performance and convergence. soBGP, although lightweight and able to overcome some of these performance issues, does not provide full path authentication.
The most recent and promising solutions to overcome BGP's vulnerabilities are the Resource Public Key Infrastructure (RPKI) [5] and BGPsec [19]. RPKI is a hierarchical public key infrastructure, implemented by the Regional Internet Registries (RIRs), designed to certify the ownership of IP prefixes by ASes. Using the RPKI and a chain of valid certificates from a trust anchor, network operators can determine whether the AS originating an IP prefix has been authorized to do so. BGPsec uses the RPKI to manage the cryptographic keys which are used by ASes deploying the protocol to sign and validate BGP routing announcements.
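The origin check that RPKI enables is small enough to show in full. The following route origin validation, in the style of RFC 6811, is an added example and not code from the proposal or from any RPKI validator: the ROAs (prefix, maxLength, origin ASN) and the routes tested are constructed.

```python
"""Route Origin Validation against a set of ROAs (added example; ROAs are constructed)."""
import ipaddress

# Constructed validated ROA payloads, as a relying party would hand them to a router.
ROAS = [
    ("10.0.0.0/16", 24, 111),   # AS 111 may announce 10.0.0.0/16 and subnets down to /24
    ("10.0.0.0/16", 16, 222),   # AS 222 may announce exactly 10.0.0.0/16
    ("192.0.2.0/24", 24, 333),
]


def rov_state(prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one (prefix, origin) pair."""
    route = ipaddress.ip_network(prefix)
    covering = []
    for p, max_len, asn in roas:
        roa_net = ipaddress.ip_network(p)
        # A ROA covers the route when the route lies inside the ROA prefix.
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append((max_len, asn))
    if not covering:
        return "not-found"          # no ROA covers the prefix: nothing to judge
    for max_len, asn in covering:
        if asn == origin_asn and route.prefixlen <= max_len:
            return "valid"          # at least one covering ROA matches origin and length
    return "invalid"                # covered, but wrong origin or too specific


def accept(prefix, origin_asn, roas=ROAS):
    """A common operator policy: drop invalid routes, keep valid and not-found ones."""
    return rov_state(prefix, origin_asn, roas) != "invalid"


if __name__ == "__main__":
    for route in (("10.0.1.0/24", 111), ("10.0.1.0/25", 111), ("10.0.1.0/24", 222),
                  ("198.51.100.0/24", 444)):
        print(route, rov_state(*route))
```

Note the two ways a covered route becomes invalid: a wrong origin AS, and a prefix more specific than the ROA's maxLength, which is precisely the sub-prefix pattern of the Pakistan Telecom incident described earlier.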
Anomaly Mitigation. The anomaly mitigation technique consists in removing or demoting any suspect route once it has been found. The main problem is that the deletion of a correct route may disturb the routing system.
Anomaly Detection. In this proposal, we focus our attention on the third category, anomaly detection, which identifies suspect routes and raises an alarm for each one. Anomalies can be identified in three different ways: based on the control plane, based on the data plane, and based on their combination.
Detection techniques from the control plane involve the creation of models that represent the expected behaviour of a network. The core idea of these techniques is to compare the current view of the network with the model and, if they differ, raise an alert. The complexity and accuracy of the model is the key element to obtain good anomaly detection. Typically, this methodology produces a large number of detected events with a high number of false positives. As a consequence, manual analysis by a human operator is needed in order to distinguish the real anomaly events from routine traffic engineering. Another important issue of this methodology is that it requires timely information about all new feasible routes in the Internet. Instead, such data come from several BGP route collectors which collect BGP data and make them publicly available on the web, providing a (batch) view of the Internet (e.g. RIPE releases BGP UPDATE messages every 15 minutes [6]). For instance, both RIPE and RISE offer binary dumps of the BGP UPDATE messages exchanged by their routers, as well as snapshots of their routing tables.
On the contrary, detection techniques from the data plane perform active measurements, such as traceroute commands between an observer and the source, in order to find any significant topology change. The way these elements are measured, as well as their diversity, ensures good detection. These techniques can be faster than those based on the control plane. However, the scalability of this approach is challenging and, as a result, a global analysis is not possible.
With a hybrid approach it is possible to identify anomalous routing with a control-plane approach and then trigger a data-plane approach to obtain different measures of the network topology. The use of a hybrid approach can improve accuracy in anomaly detection.
Chapter 3. Proposal
Until today, the use of an unsafe protocol like BGP makes the Internet vulnerable to different anomalies. BGP is vulnerable to a number of damaging attacks, which can have serious global consequences, often arising from operator misconfigurations. A famous example is the incident that happened in 1997 in which a small ISP originated the first class-C subnet of every IP prefix (footnote 1). This created reachability problems for every network and crashed routers around the world by overflowing their route tables. In 2006, Con Edison originated many prefixes it did not own, causing outages for several networks (footnote 2). Although the vulnerability of the BGP protocol is well known and widely studied, nowadays there are no validated methods to immediately detect anomalies or evaluate their impact.
The main goal of this thesis proposal is to define a set of methodologies for the detection of inter-domain routing anomalies [cap. 2.1], both in an off-line and in a real-time context. We believe that the Isolario system (Section 3.1) can be a useful tool to identify anomaly events in both an off-line and a real-time context. Our main idea is to apply, in a new context, solutions that are in some cases adopted in other, different contexts, such as machine learning, lexical representation of natural language, stigmergy and so on.
This chapter is structured as follows. First, we introduce the Isolario tools which we are going to use because they are needed, in our opinion, to detect any anomalous path immediately. Then we present our ideas to face these issues.
3.1 Isolario: a real-time environment
From the point of view of an AS, these anomalies may represent an economic damage. Often this damage is proportional to the time elapsed from the beginning of the anomaly to its termination. Although identifying anomalies as quickly as possible is the target of several companies, the approaches used recently are still slow, leaving critical communication exposed. To overcome the slowness of this process it is necessary to have tools enabling the real-time monitoring of BGP routing information.
Recently Isolario, a real-time BGP collector, has been developed at the Institute of Informatics and Telematics of CNR, Pisa. Isolario increases the number of feeding ASes, and the principle of the project is based on the Do-ut-des paradigm, which defines a reciprocal convenience for the interested parties.
1. http://seclists.org/nanog/1997/Apr/444
2. http://research.dyn.com/2006/01/coned-steals-the-net/
The project offers network administrators different services in exchange for sharing their routing information. Isolario's services could be useful to manage the network in real time and also to look for network issues in historical routing data. Isolario is a distributed system devised to collect, parse, and elaborate BGP data sent from the AS Border Routers (ASBRs) of its participants, also called feeders. From a high-level perspective Isolario must, on the one side, establish and maintain a BGP session with the feeders collecting routing information and, on the other side, provide a responsive service to the requests of its users. The design of Isolario follows a modular philosophy, therefore the system can be logically split into three main parts: i) Web Core, ii) System Core and iii) Enhanced Route Collectors (ERCs). In order to allow parts of the system to be deployed on distinct machines, possibly geographically dispersed around the world, components communicate with one another over TCP connections.
The web core is the part that offers useful services to Isolario users through a simple web page. When a user selects an available service on the web page, the web browser creates a dedicated WebSocket session with the web core back-end, which manages the service request and provides the data as soon as possible.
The system core component then handles that request. This component is composed of a set of service modules to satisfy both historical and real-time data requests. The historic services fetch data from the Historic Data Storage and Retrieval System (HDSRS), purposely developed to provide fast access to stored routing data. The real-time services instead dispatch the user requests and filter the messages to the relevant modules located in the different ERC components. Moreover, the system core manages the aggregation of data coming from two or more distinct ERCs (if required).
Finally, the task of the ERCs is to establish and maintain active BGP sessions with the set of feeders. The novelty of this project is represented by the Man In the Middle (MIM) module. This module provides BGP data streaming between each feeder and the Route Collector Engine (RCE) module, which stores all received data and the whole Routing Information Base (RIB) into several files at different time intervals. The MIM is carefully designed in order to inject the incoming messages into the system as soon as possible.
3.2 Identifying anomaly routes: some proposals
Although the vulnerability of the BGP protocol is well known and widely studied, nowadays there are no validated methods to immediately detect anomalies or evaluate their impact. In this section we describe different possible approaches for the detection of inter-domain routing anomalies, both in an off-line and in a real-time context.
3.2.1 Different models to represent BGP data
Recently, a new formal model has been proposed to describe BGP data. A common way to describe the Internet topology at the AS level is the graph model. In this model the ASes are represented by nodes, while the edges model the relationships between them. To improve
the accuracy of the model, the data used to describe the topology come from BGP routing tables. As described in [36, 15], the network graph adequately shows the connectivity between the ASes (upstream, peering) but tends to oversimplify the real routing situation. In the real Internet the routing paths are selected on a per-prefix basis. The granularity of the graph model does not allow these details to be shown, therefore it cannot diagnose policy violations, such as route leaking, or complex anomalies such as hijacking attacks. The main intuition of the work in [36, 15] is to consider the BGP announcements, and more specifically the IP prefix together with the AS-PATH attribute, as a formal language whose syntax defines the normal routing paths. Therefore, a bogus route creates a contradiction with the existing announcements. In detail, AS paths towards a prefix (e.g. 444 333 222 111 10.0.0.0/24) represent words of the Finite Route Language L (FRL), where the alphabet is composed of a set of ASes $\Sigma_{AS}$ and a set of all prefixes $\Pi$. The phrases of this language can be defined as $r = wp \in \Sigma_{AS}^{*} \times \Pi$, representing an arbitrary concatenation $w \in \Sigma_{AS}^{*}$ of ASes followed by a prefix $p \in \Pi$. In this language all the feasible phrases identify all the admissible routes. Obviously, this language can be extended so as to make it possible to create new routes.
Moreover, given the Finite Route Language, it is possible to create a Route Automaton able to accept any reasonable correct route and to discard all other routes. The Route Automaton is defined as $M = (Q, \Sigma_{AS} \cup \Pi, \delta, q_0, F)$, with $Q$ a finite set of states, $\delta : Q \times (\Sigma_{AS} \cup \Pi) \to Q$ the transition function, $q_0 \in Q$ the start state and $F \subset Q$ a set of terminal states.
[15, 37] also describe how to deploy this model in practice in order to analyse BGP data to detect route leaks and data interception. In both cases they first formally construct a complete description of the issue, identifying the pattern, and then use it to match the anomalies.
In figure 3.1 we can see the comparison between the graph model and the finite state automaton built from the same BGP data. The values corresponding to the automaton are the result of a minimization of the automaton in order to reduce the number of states. Despite the reduction, it is worth noticing that the number of transitions remains much higher than the number of edges. It is reasonable to expect that such a high number of transitions is challenging in a real-time context.
BGP data                     Graph            Automaton
600.216 IP, 52.396 ASes      652.612 nodes    302.598 states
2.875.026 AS paths           725.425 edges    10.355.671 transitions
TABLE 3.1: Comparison between Automaton and Graph
A first question to investigate is which model is more suitable for a given application context. For instance, in a historical (offline) context, where higher accuracy of the detected events is preferable, the automaton may be preferred to the graph model because it provides a rigorous formalism in which to express the patterns being searched for. In a real-time context, instead, where efficiency in terms of response time matters most, a slimmer model may be preferred.
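As an added illustration of the two models compared above (example code written for this page, not part of the proposal or of the CAIR work it describes), the following Python builds a Route Automaton over the alphabet $\Sigma_{AS} \cup \Pi$ from a constructed set of observed routes, as a trie-shaped DFA that is not minimized, together with the graph model of the same routes. It then shows the automaton accepting an observed route and rejecting three kinds of non-phrases: an unobserved origin AS for a known prefix (the situation a MOAS check would flag), a known prefix reached through an unobserved path, and an AS word with no prefix. The routes, AS numbers and prefixes are all made up.

```python
# Added example: Finite Route Language words r = w p and a Route Automaton that accepts them.
# Routes, AS numbers and prefixes below are constructed, not real BGP data.

# Each route lists the AS path from the collector's peer down to the origin AS, then the prefix.
OBSERVED_ROUTES = [
    ("444", "333", "222", "111", "10.0.0.0/24"),
    ("555", "333", "222", "111", "10.0.0.0/24"),
    ("444", "333", "777", "10.1.0.0/24"),
    ("555", "666", "777", "10.1.0.0/24"),
]


class RouteAutomaton:
    """Deterministic automaton M = (Q, Sigma_AS ∪ Pi, delta, q0, F).

    States are integers, q0 = 0, delta is a dict state -> symbol -> state, and the
    final states F are those reached right after reading a prefix symbol.  Built as a
    trie, so it is correct but not minimized (the thesis reports state counts after
    minimization)."""

    def __init__(self):
        self.q0 = 0
        self.delta = {0: {}}
        self.final = set()

    def add_route(self, route):
        """Insert one word w p of the language, creating states on demand."""
        q = self.q0
        for symbol in route:
            nxt = self.delta[q].get(symbol)
            if nxt is None:
                nxt = len(self.delta)
                self.delta[nxt] = {}
                self.delta[q][symbol] = nxt
            q = nxt
        self.final.add(q)

    def accepts(self, route):
        """Run delta over the route; accept only if the run ends in F."""
        q = self.q0
        for symbol in route:
            q = self.delta[q].get(symbol)
            if q is None:          # undefined transition: not a phrase of the language
                return False
        return q in self.final

    def size(self):
        """(number of states, number of transitions), comparable with Table 3.1."""
        return len(self.delta), sum(len(t) for t in self.delta.values())


def build_automaton(routes):
    automaton = RouteAutomaton()
    for route in routes:
        automaton.add_route(route)
    return automaton


def graph_size(routes):
    """Graph model of the same routes: nodes are ASes and prefixes, an edge joins every
    pair of adjacent symbols.  Returns (number of nodes, number of edges)."""
    nodes, edges = set(), set()
    for route in routes:
        nodes.update(route)
        for a, b in zip(route, route[1:]):
            edges.add(frozenset((a, b)))
    return len(nodes), len(edges)


if __name__ == "__main__":
    automaton = build_automaton(OBSERVED_ROUTES)
    print("graph (nodes, edges):", graph_size(OBSERVED_ROUTES))
    print("automaton (states, transitions):", automaton.size())
    for candidate in [
        ("444", "333", "222", "111", "10.0.0.0/24"),   # observed route
        ("444", "333", "222", "999", "10.0.0.0/24"),   # unobserved origin for a known prefix
        ("444", "333", "777", "10.0.0.0/24"),          # known prefix behind an unobserved path
        ("444", "333", "222", "111"),                  # no prefix: not a phrase of the FRL
    ]:
        print(" ".join(candidate), "->", "accept" if automaton.accepts(candidate) else "reject")
```

On the four constructed routes the graph has 9 nodes and 9 edges, while the trie automaton has 16 states and 15 transitions: already on this toy input the transitions outnumber the edges, the same direction as Table 3.1, because the automaton keeps one copy of AS 333 per distinct path context whereas the graph merges them into one node.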
3.2.2 Different Approaches to Look for Anomalies
Section 2.6 described the main concerns in identifying routing anomalies. As said above, control-plane detection techniques are based on the comparison of two different data representations described by some model. These detection methods typically detect Multiple Origin AS (MOAS) conflicts, where a single prefix is originated by multiple ASes. We believe that different approaches are possible in order to identify more anomaly types and/or to improve the accuracy of the obtained results. We now present three different ideas we plan to investigate during the thesis: Stigmergy, Current Flow, Machine Learning.
3.2.3 A Novel Stigmergic Approach
Stigmergy is a mechanism of indirect coordination and was originally articulated in the study of social insects [30]. In recent years, the study of stigmergy has characterised a number of different research fields. For instance, stigmergy has been proposed as a model for analysing robotic systems, multi-agent systems and communication in computer networks [33].
Recently, stigmergic approaches have been proposed for monitoring elderly people living alone in their own homes. The approach detects behavioural deviations from the routine indoor activities. More specifically, an indoor localization system creates spatio-temporal tracks, which are used by marker-based stigmergy to recognise the normal activities of the monitored entities [3]. At a second level of processing, a similarity evaluation is performed between stigmergic marks over different time periods in order to assess deviations.
In a context such as inter-domain routing, we think that normal routing can be recognised, and hence any route anomaly identified, thanks to a stigmergic approach. We plan to analyse this approach in more detail, in order:
1. To understand how to handle BGP data so as to be able to apply the stigmergic technique.
2. To identify the similarity functions and one or more patterns related to different anomalies and/or known attacks.
3. To estimate the goodness of this solution in terms of time and resources required for the computation.
4. To understand if this solution is feasible in a real-time context.
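The following Python is an added sketch of how points 1 and 2 could be approached; it is example code for this page, not the proposal's own method. It assumes a marker-based model in which every announcement deposits a unit mark on the (prefix, origin AS) pair and on each AS adjacency of its path, marks evaporate geometrically as time advances, and the deviation between two periods is one minus the cosine similarity of their mark maps. The update windows, AS numbers and prefixes are constructed; the evaporation rate and the choice of keys are assumptions of this example.

```python
# Added example: marker-based stigmergy over BGP announcements and a similarity check
# between periods.  Windows, AS numbers and prefixes are constructed, not real data.
import math
from collections import defaultdict

# (time_step, prefix, as_path from the collector's peer down to the origin AS)
BASELINE_WINDOW = [
    (0, "10.0.0.0/24", [444, 333, 222, 111]),
    (0, "10.1.0.0/24", [444, 333, 777]),
    (1, "10.0.0.0/24", [555, 333, 222, 111]),
    (1, "10.1.0.0/24", [555, 666, 777]),
    (2, "10.0.0.0/24", [444, 333, 222, 111]),
]
# The same routes seen again in a later period: routing is unchanged.
BASELINE_WINDOW_2 = [(t + 3, p, path) for t, p, path in BASELINE_WINDOW]
# A later period in which 10.0.0.0/24 is additionally announced with origin AS 999.
ANOMALOUS_WINDOW = BASELINE_WINDOW_2 + [
    (4, "10.0.0.0/24", [444, 333, 999]),
    (5, "10.0.0.0/24", [555, 333, 999]),
]


def route_marks(prefix, as_path):
    """Keys on which one announcement deposits a mark: the (prefix, origin AS) pair and
    every AS adjacency traversed by the path."""
    keys = [("origin", prefix, as_path[-1])]
    keys += [("adj", a, b) for a, b in zip(as_path, as_path[1:])]
    return keys


def stigmergic_marks(window, evaporation=0.2):
    """Marker-based stigmergy: each announcement deposits intensity 1.0 on its keys;
    whenever time advances by one step every existing mark decays by (1 - evaporation)."""
    marks = defaultdict(float)
    current = None
    for step, prefix, path in sorted(window, key=lambda u: u[0]):
        if current is not None and step > current:
            decay = (1.0 - evaporation) ** (step - current)
            for key in marks:
                marks[key] *= decay
        current = step
        for key in route_marks(prefix, path):
            marks[key] += 1.0
    return dict(marks)


def cosine_similarity(a, b):
    keys = set(a) | set(b)
    dot = sum(a.get(k, 0.0) * b.get(k, 0.0) for k in keys)
    norm_a = math.sqrt(sum(v * v for v in a.values()))
    norm_b = math.sqrt(sum(v * v for v in b.values()))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0


def deviation(window_a, window_b, evaporation=0.2):
    """Second-level processing: how far the marks of window_b deviate from window_a."""
    return 1.0 - cosine_similarity(stigmergic_marks(window_a, evaporation),
                                   stigmergic_marks(window_b, evaporation))


def new_marks(window_a, window_b, evaporation=0.2):
    """Keys marked in window_b but never in window_a: the routing elements (new origin,
    new adjacency) that explain a deviation."""
    marks_a = stigmergic_marks(window_a, evaporation)
    marks_b = stigmergic_marks(window_b, evaporation)
    return sorted(k for k in marks_b if k not in marks_a)


if __name__ == "__main__":
    print("deviation, unchanged routing:", round(deviation(BASELINE_WINDOW, BASELINE_WINDOW_2), 4))
    print("deviation, new origin:       ", round(deviation(BASELINE_WINDOW, ANOMALOUS_WINDOW), 4))
    print("new marks:", new_marks(BASELINE_WINDOW, ANOMALOUS_WINDOW))
```

The deviation score alone only says that something changed; `new_marks` is what turns the score into an actionable finding, here the new (prefix, origin) pair and the new 333-999 adjacency, which is exactly the kind of pattern point 2 asks to characterise.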
3.2.4 Exploiting Centrality Indexes
The identification of the most central nodes of a graph is a fundamental task of data analysis. The current flow betweenness [24, 4] is a centrality index which considers how information flows along all the paths of a graph. The main intuition behind this centrality derives from considering a graph as an electric circuit where the edges represent resistors and the nodes are the junction points between two or more resistors. Finding the exact value of the current flow betweenness is computationally expensive for large graphs, so the definition of algorithms returning an approximation of this measure is mandatory.
Duckweed [20, 21] is a new distributed approach that provides an approximation of the current flow betweenness centrality by exploiting Kirchhoff's current conservation law. This computational model is suitable for a distributed execution of the algorithm because the computation is described from the point of view of the node and requires only its local knowledge.
Centrality indexes are expected to provide a ranking which identifies the most important nodes in a network. In an anomalous routing context we are not interested in identifying the most important nodes, but we can exploit this information to observe how these values shift over time. Any change of an index value in the topological graph indicates some route change. This consideration suggests that the feasible anomalies may be recognised by identifying some index change pattern.
Moreover, we may obtain an approximation of the impact of traffic interception on the Internet by looking at all the indexes that changed. To address this solution we plan to investigate the following points:
1. To adapt the existing Duckweed algorithm to a dynamic context where it is possible to recompute the index when a route change occurs.
2. To identify the similarity functions and one or more patterns related to different anomalies and/or known attacks.
3. To estimate the goodness of this solution in terms of time and resources required for the computation.
4. To understand if this solution is adaptable to a real-time context.
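As an added reference implementation for the index discussed above (example code for this page, not Duckweed and not the proposal's own code), the following Python computes the exact current flow betweenness of Brandes and Fleischer on a small graph with unit resistances, solving the grounded Laplacian system for every source/target pair in pure Python, and then reports the per-node shift of the index after an edge is added, which is the "index change" the text proposes to track. It assumes a connected graph; the AS numbers and adjacencies are constructed, not a real topology.

```python
# Added example: exact current flow betweenness on a small constructed AS graph, and the
# per-node shift of the index after a route change.  Pure Python (no numpy); the AS
# numbers and adjacencies are constructed, not a real topology.
from itertools import combinations


def _solve(a, b):
    """Solve a·x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(n):
            if r != col and m[r][col] != 0.0:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def current_flow_betweenness(nodes, edges):
    """Brandes-Fleischer current flow betweenness with unit resistances.

    For every pair (s, t) a unit current is injected at s and extracted at t; node
    potentials come from the graph Laplacian with one node grounded (which assumes a
    connected graph), the throughput of v is half the absolute current on its incident
    edges, and the index sums the throughput over all pairs, normalised by (n-1)(n-2)."""
    nodes = sorted(nodes)
    n = len(nodes)
    if n < 3:
        return {v: 0.0 for v in nodes}
    idx = {v: i for i, v in enumerate(nodes)}
    adj = {v: set() for v in nodes}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    g = n - 1                      # grounded node: its potential is fixed to 0
    lap = [[0.0] * g for _ in range(g)]
    for v in nodes[:g]:
        i = idx[v]
        lap[i][i] = float(len(adj[v]))
        for w in adj[v]:
            if idx[w] != g:
                lap[i][idx[w]] -= 1.0
    raw = {v: 0.0 for v in nodes}
    for s, t in combinations(nodes, 2):
        b = [0.0] * g
        if idx[s] != g:
            b[idx[s]] += 1.0
        if idx[t] != g:
            b[idx[t]] -= 1.0
        potential = _solve(lap, b) + [0.0]
        for v in nodes:
            if v in (s, t):
                continue
            throughput = sum(abs(potential[idx[v]] - potential[idx[w]]) for w in adj[v])
            raw[v] += throughput / 2.0
    norm = (n - 1) * (n - 2)
    return {v: raw[v] / norm for v in nodes}


def centrality_shift(nodes, edges_before, edges_after):
    """Change of each node's index when the edge set changes (a route change)."""
    before = current_flow_betweenness(nodes, edges_before)
    after = current_flow_betweenness(nodes, edges_after)
    return {v: after[v] - before[v] for v in nodes}


# Constructed AS-level topology: a chain of ASes with one shortcut, then a new adjacency.
AS_NODES = [111, 222, 333, 444, 555, 666]
AS_EDGES_BEFORE = [(111, 222), (222, 333), (333, 444), (444, 555), (555, 666), (333, 666)]
AS_EDGES_AFTER = AS_EDGES_BEFORE + [(222, 555)]

if __name__ == "__main__":
    shift = centrality_shift(AS_NODES, AS_EDGES_BEFORE, AS_EDGES_AFTER)
    for asn, delta in sorted(shift.items(), key=lambda kv: -abs(kv[1])):
        print(f"AS{asn}: {delta:+.4f}")
```

Each pair costs one linear solve over the grounded Laplacian, i.e. O(n^3) per pair with this dense solver, which is why the exact index does not scale to the Internet AS graph and why the text turns to an approximation such as Duckweed; on toy graphs it is useful as the ground truth against which an approximate or incrementally updated index can be checked.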
3.2.5 Machine Learning Approach
Machine learning aims at automatically finding a good predictor based on past experience. In the recent past researchers have used machine learning techniques to detect unusual patterns in datasets from a variety of fields. [1], for instance, describes how these techniques can be used to classify and detect BGP anomalies. The BGP anomaly detection classifier is a machine learning model that learns how to change its internal structure based on external feedback.
In detail, BGP anomalies are BGP UPDATE messages that show unusual patterns, also referred to as outliers. Hourly or daily statistics and features are extracted by parsing such BGP data. A feature is a measurable property of the system that may be observed. The features are then used as input for classification models. In a first phase the machine learning tool may provide unsatisfactory anomaly classification models, but given a sufficient and relevant set of features it can improve the classification of the data down to the least error rate. The paper shows the recognition of three anomalies caused by the spread of three worms, Slammer, Nimda and Code Red I, using both Support Vector Machines (SVM) and Hidden Markov Models (HMMs).
We believe that this approach can be a useful tool in a real-time context in order to timely detect any other form of anomaly, such as misconfigurations and hijacking attacks [38].
Massimiliano Bertolucci's publications
• Static and Dynamic Big Data Partitioning on Apache Spark, M. Bertolucci, E. Carlini, P. Dazzi, A. Lulli, L. Ricci, Proceedings of PARCO 2015, pages 489–498, Advances in Parallel Computing 27, IOS Press 2016
• Current flow betweenness centrality with Apache Spark, Bertolucci M., Lulli A., Ricci L., Proceedings of the 16th International Conference on Algorithms and Architectures for Parallel Processing (ICA3PP 2016), Spain, December 2016.
Bibliography
[1] Nabil M. Al-Rousan and Ljiljana Trajković. "Machine learning models for classification of BGP anomalies". In: 2012 IEEE 13th International Conference on High Performance Switching and Routing. IEEE, 2012, pp. 103–108.
[2] Hitesh Ballani, Paul Francis, and Xinyang Zhang. "A study of prefix hijacking and interception in the Internet". In: ACM SIGCOMM Computer Communication Review 37.4. ACM, 2007, pp. 265–276.
[3] Paolo Barsocchi et al. "Monitoring elderly behavior via indoor position-based stigmergy". In: Pervasive and Mobile Computing 23 (2015), pp. 26–42.
[4] Ulrik Brandes and Daniel Fleischer. Centrality measures based on current flow. Springer, 2005.
[5] Randy Bush and Rob Austein. "The RPKI/Router Protocol". Work in progress (Internet Draft), 2011.
[6] RIPE Network Coordination Center. RIPE Routing Information Service. 2014.
[7] Hyunseok Chang et al. "Towards Capturing Representative AS-level Internet Topologies". In: Comput. Netw. 44.6 (2004), pp. 737–755.
[8] Michalis Faloutsos, Petros Faloutsos, and Christos Faloutsos. "On Power-law Relationships of the Internet Topology". In: Proceedings of the Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication. SIGCOMM '99. 1999, pp. 251–262.
[9] Lixin Gao. "On inferring autonomous system relationships in the Internet". In: IEEE/ACM Transactions on Networking (ToN) 9.6 (2001), pp. 733–745.
[10] Pietro Giardina et al. "Isolario: a Do-ut-des Approach to Improve the Appeal of BGP Route Collecting". In: ().
[11] Geoffrey Goodell et al. "Working around BGP: An Incremental Approach to Improving Security and Accuracy in Interdomain Routing". In: NDSS. 2003.
[12] Enrico Gregori et al. "BGP and inter-AS economic relationships". In: International Conference on Research in Networking. Springer, 2011, pp. 54–67.
[13] Chris Hall et al. "Resilience of the internet interconnection ecosystem". In: Economics of Information Security and Privacy III. Springer, 2013, pp. 119–148.
[14] Rahul Hiran, Niklas Carlsson, and Phillipa Gill. "Characterizing large-scale routing anomalies: A case study of the China Telecom incident". In: International Conference on Passive and Active Network Measurement. Springer, 2013, pp. 229–238.
[15] Ralph Holz et al. "HEAP: Reliable assessment of BGP subprefix hijacking attacks". In: IEEE Journal on Selected Areas in Communications 34.6 (2016), pp. 1849–1861.
[16] Cheng Jin, Qian Chen, and Sugih Jamin. "Inet: Internet topology generator". 2000.
[17] Stephen Kent, Charles Lynn, and Karen Seo. "Secure border gateway protocol (S-BGP)". In: IEEE Journal on Selected Areas in Communications 18.4 (2000), pp. 582–592.
[18] Barry M. Leiner et al. "A brief history of the Internet". In: ACM SIGCOMM Computer Communication Review 39.5 (2009), pp. 22–31.
[19] Matthew Lepinski. "BGPSEC protocol specification". 2015.
[20] Alessandro Lulli et al. "Distributed Current Flow Betweenness Centrality". In: 2015 IEEE 9th International Conference on Self-Adaptive and Self-Organizing Systems (SASO). IEEE, 2015, pp. 71–80.
[21] M. Bertolucci, E. Carlini, P. Dazzi, A. Lulli, and L. Ricci. "Static and Dynamic Big Data Partitioning on Apache Spark". 2015, pp. 489–498.
[22] Damien Magoni and Jean Jacques Pansiot. "Analysis of the autonomous system network topology". In: ACM SIGCOMM Computer Communication Review 31.3 (2001), pp. 26–37.
[23] Sandra L. Murphy. BGP Security Vulnerabilities Analysis. RFC 4272. 2013.
[24] Mark E. J. Newman. "A measure of betweenness centrality based on random walks". In: Social Networks 27.1 (2005), pp. 39–54.
[25] James Ng et al. Extensions to BGP to support secure origin BGP (soBGP). Tech. rep., Internet Draft, Apr. 2004.
[26] Ola Nordström and Constantinos Dovrolis. "Beware of BGP attacks". In: ACM SIGCOMM Computer Communication Review 34.2 (2004), pp. 1–8.
[27] Number of connected devices worldwide. http://www.statista.com/statistics/471264/iot-number-of-connected-devices-worldwide/.
[28] Ricardo Oliveira et al. BGP Monitoring projects such as RouteViews and RIPE RIS.
[29] Ricardo Oliveira et al. "The (in)Completeness of the Observed Internet AS-level Structure". In: IEEE/ACM Trans. Netw. 18.1 (2010), pp. 109–122.
[30] H. Van Dyke Parunak. "A survey of environments and mechanisms for human-human stigmergy". In: International Workshop on Environments for Multi-Agent Systems. Springer, 2005, pp. 163–186.
[31] Q. Vohra and E. Chen. BGP Support for Four-octet AS Number Space. RFC 4893. 2007, pp. 1–8. URL: https://www.rfc-editor.org/rfc/rfc4893.txt.
[32] Y. Rekhter, T. Li, and S. Hares. RFC 4271: A Border Gateway Protocol 4 (BGP-4). Tech. rep. IETF, 2006. URL: www.ietf.org/rfc/rfc4271.txt.
[33] Alessandro Ricci et al. "Cognitive Stigmergy: Towards a Framework Based on Agents and Artifacts". In: Environments for Multi-Agent Systems III: Third International Workshop, E4MAS 2006, Hakodate, Japan, May 8, 2006, Selected Revised and Invited Papers. Ed. by Danny Weyns, H. Van Dyke Parunak, and Fabien Michel. Springer Berlin Heidelberg, 2007, pp. 124–140.
[34] RIPE NCC. YouTube Hijacking: A RIPE NCC RIS case study (2008). 2009.
[35] Matthew Roughan et al. "10 lessons from 10 years of measuring and modeling the Internet's autonomous systems". In: IEEE Journal on Selected Areas in Communications 29.9 (2011), pp. 1810–1821.
[36] Johann Schlamp et al. "CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP". In: arXiv preprint arXiv:1605.00618 (2016).
[37] Xingang Shi et al. "Detecting Prefix Hijackings in the Internet with Argus". In: Proceedings of the 2012 ACM Conference on Internet Measurement Conference. IMC '12. ACM, 2012, pp. 15–28.
[38] Taeshik Shon et al. "A machine learning framework for network anomaly detection using SVM and GA". In: Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop. IEEE, 2005, pp. 176–183.
[39] Walter Willinger, David Alderson, and John C. Doyle. Mathematics and the Internet: A source of enormous confusion and great potential. Defense Technical Information Center, 2009.
[40] Yang Xiang et al. "Argus: An accurate and agile system to detecting IP prefix hijacking". In: 2011 19th IEEE International Conference on Network Protocols. IEEE, 2011, pp. 43–48.
[41] Beichuan Zhang et al. "Collecting the Internet AS-level Topology". In: SIGCOMM Comput. Commun. Rev. 35.1 (2005), pp. 53–61. ISSN: 0146-4833.
[42] Xiaoliang Zhao et al. "An analysis of BGP multiple origin AS (MOAS) conflicts". In: Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement. ACM, 2001, pp. 31–35.
[43] Rostom Zouaghi et al. Interdomain Routing Security (BGP-4): A Comparison between S-BGP and soBGP. 2009.