As part of a broader organisational restructure, data networking research at Swinburne University of Technology has moved from the Centre for Advanced Internet Architecture (CAIA) to the Internet For Things (I4T) Research Lab.

Although CAIA no longer exists, this website reflects CAIA's activities and outputs between March 2002 and February 2017, and is being maintained as a service to the broader data networking research community.

Rapid detection of BGP anomalies

Introduction

The Border Gateway Protocol (BGP) is the Internet's default inter-domain routing protocol that manages connectivity among Autonomous Systems (ASes) RFC 4271. It maintains and exchanges network reachability information between Autonomous Systems (ASes) which are organized in a hierarchical fashion. BGP was developed at a time when information provided by an AS could be assumed to be accurate. Consequently, it includes few security mechanisms and so is vulnerable to different types of events such as hijacking, misconfiguration, and link failure. These events have threatened Internet performance and reliability. Although they happen rarely, these attacks have threatened BGP's stability. Instability affects performance, processing load, and distribution balance of traffic load for BGP speakers.

The past twenty years have seen many events that have threatened BGP's stability. The Pakistan Telecom incident is an example of BGP misconfiguration. In response to a censorship order from its government, the major Internet Service Provider (ISP) in Pakistan advertised an unauthorised YouTube prefix causing many ASes to lose access to the site. Another example of BGP misconfiguration was recently caused by Telekom Malaysia (TMnet) which caused significant network problems for the global routing system. TMnet (AS4788) accidentally announced approximately 179,000 prefixes to Level3, the global crossing AS, leading to significant packet loss and slow Internet service around the world. The panix.com domain incident is an example of hijacking. On 22 January 2006 the AS27506 hijacked the panix.com domain causing loss of connectivity to this domain for several hours. In addition to many reported events, other types of events remain unreported or even unnoticed.

Recent statistics show approximately 20% of hijacking and misconfigurations lasted less than 10 minutes, but with the ability to pollute 90% of the Internet in less than 2 minutes. These statistics demonstrate the need for a real-time detection of BGP anomalies. Rapid detecting of BGP anomalies enables network operators to protect their network from the worst consequence of the anomalous behaviour which leads to improve Internet reliability.

The outcome of this project includes the following:

  • A Real-time BGP Anomaly Detection Tool (RBADT), a tool that can be used by Internet Service Provider's (ISP) operator to rapidly (in seconds) detect BGP anomalies.
  • A new version of BGP Replay Tool (BRT) v0.1, a tool developed by team members to replay past BGP events using data downloaded from local log files or public BGP repositories such as RouteViews project and RIPE NCC.



Project Members

Acknowledgements

This project has been made possible in part by "APNIC Internet Operations Research Grant" under the ISIF Asia 2016 grant scheme ISIF Asia 2016 grant recipients.


Last Updated: Monday 10-Oct-2016 10:07:51 AEDT | Maintained by: Bahaa Al-Musawi (balmusawi@swin.edu.au) | Authorised by: Grenville Armitage (garmitage@swin.edu.au)