11 research outputs found

    An empirical study of router response to large BGP routing table load

    CleanBGP: Verifying the consistency of BGP data

    Copyright © 2008 IEEE
    BGP data contains artifacts introduced by the measurement infrastructure which can substantially affect analysis. This is especially important in operational systems where "crying wolf" will result in an operator ignoring alarms. In this paper, we investigate the causes of measurement artifacts in BGP data, cross-checking and using properties of the data to infer the presence of an artifact and minimize its impact. We have developed a prototype tool, CleanBGP, which detects and corrects the effects of artifacts in BGP data, and which we believe should be used prior to the analysis of such data. CleanBGP provides the user with an understanding of the artifacts present, a mechanism to remove their effects, and consequently the limitations of results can be fully quantified.
    Ashley Flavel, Olaf Maennely, Belinda Chiera, Matthew Roughan and Nigel Bea

    Security analysis of network neighbors

    Master's thesis in Information Security, presented to the University of Lisbon through the Faculty of Sciences, 2010
    This thesis addresses an issue common to many current Internet Service Providers (ISPs): efficient mitigation of malicious traffic flowing through their network. This unwanted traffic wastes network resources, leading to a degradation of quality of service. It also creates an unsafe environment for users, undermining the potential of the Internet and opening the way for severe criminal activity. Some of the main constraints on creating systems that can tackle these problems are the enormous amount of traffic to be analyzed, the fact that the Internet is inherently untraceable, and the lack of incentive for transit networks to block this type of traffic. Within the scope of a mid-scale ISP, this thesis focuses on three main areas: the origins of malicious traffic, the security classification of ISP neighbors, and intervention policies. We collected network data for particular types of malicious traffic, address scans and flow floods, together with network reachability information: BGP update messages from the RIPE Routing Information Service (RIS). We analyzed the malicious traffic looking for network patterns, which allowed us to understand that most of it originates from a very small subset of Internet ASes.
    Within an ISP scope and according to a set of security metrics, we defined a correlation expression to quantify the security risks of neighbor connections, which we named the Risk Score. Finally, we proposed techniques to implement the network tasks required to mitigate malicious traffic efficiently, if possible in cooperation with neighboring networks/ASes. We are not aware of any existing work that correlates the malicious traffic characteristics of address scans and flow flood attacks with the network reachability information of an ISP in order to classify the security of neighbor connections, with the purpose of deciding whether to filter traffic from specific prefixes of an AS or to block all traffic from an AS. It is our belief that the findings presented in this thesis can be applied immediately to real-world scenarios, enabling more secure and scalable network environments and thereby opening the way for better deployment of new services.

    Une architecture parallèle distribuée et tolérante aux pannes pour le protocole interdomaine BGP au cœur de l’Internet

    The increasing number of end users has led to exponential growth in the Internet routing table, which is expected to reach one million prefixes within the coming few years. Besides, current core routers may easily have hundreds of BGP peers connected simultaneously. In the classical monolithic architecture, the BGP protocol runs as a single entity inside the router. This architecture suffers from two drawbacks: scalability and reliability. BGP scalability can be measured in terms of the number of connected peers that can be handled and the maximum size of the routing table that the control card can support. On the other hand, reliability is a critical issue in core routers. If the BGP instance inside the router fails, all peer connections will be shut down and the new reachability state will be propagated across the Internet with a non-trivial convergence delay. Although resiliency in current core routers has been increased considerably, it is mainly implemented via a primary-backup redundancy scheme, which limits BGP scalability.
    In this thesis we address the two BGP drawbacks mentioned by proposing a novel distributed approach to increase both the scalability and the reliability of BGP without changing the semantics of the protocol. The distributed BGP architecture in the first paper is built to satisfy both requirements, scalability and reliability, by adequately exploiting parallelism and the distribution of BGP modules over several controller cards. In our model, BGP functionalities are split in a master-slave manner and the RIB (Routing Information Base) is replicated to multiple controller cards, forming a cluster of parallel computing entities. In the second paper, we address the fault tolerance of BGP within the distributed architecture presented in the first paper. We prove analytically that, by adopting the distributed architecture of BGP, the availability of BGP is increased considerably versus a monolithic architecture. In the third paper we propose a distributed parallel scheme called DRTP to partition the BGP routing table over multiple controller cards. DRTP aims at increasing the scalability of the routing table and the parallelization of the Best Match Prefix lookup algorithm by partitioning the table over several physically distributed nodes.

    Analysis of Inter-Domain Routing Requirements and History

    Autonomes Netzwerkmanagement für ein dynamisches Routing unter Berücksichtigung von Qualitätsanforderungen

    This PhD thesis focuses on the question of how an autonomously working routing management can be designed to allow the transmission of application data while taking quality requirements into account. To answer this, the focus is on dynamic routing, whose decisions depend on the current distribution of available link capacities in the network. The presented new solution contains three protocols that work in a completely autonomous way. They are used to cluster the network and automatically place management instances, to assign addresses in the network, and to continuously distribute routing data among the network nodes. Based on this, all routing tables are kept up to date, so that they represent the current paths and also describe the available QoS-specific capacity for each known route. With the help of this data, the routing algorithm applied in this PhD thesis allows the transmission of data from different applications while taking their quality requirements into account. In this context, each required routing decision is influenced by the current load situation in the network. Despite the complex signaling introduced, the overall system remains compatible with IPv4/v6 and can therefore be used for the transmission of audiovisual data in today's networks. In such a scenario, the scalability of the resulting overall system is supported by the data aggregations used within the signaling of the routing management.
    The practical part of the work is divided into two areas. The first describes the software "Homer Conferencing", which is usable as a standalone solution for video conferences and as a test environment for audiovisual streams. With it, qualitative differences between transmissions can be demonstrated. Additionally, the software provides graphical dialogs for quantitative measurement of the data streams and packet losses. The second practical part contains the implementation of the routing management and implements all protocols completely at packet level. This was used as the basis for the quantitative evaluations carried out. They show the signaling overhead caused as well as the resulting benefit of the introduced routing management for selected base topologies of IP networks.

    Graceful Restart Mechanism for BGP

    Graceful Restart Mechanism for BGP with MPLS
