Presentation is loading. Please wait.

Presentation is loading. Please wait.

BGP-lens: Patterns and Anomalies in Internet Routing Updates B. Aditya Prakash 1, Nicholas Valler 2, David Andersen 1, Michalis Faloutsos 2, Christos Faloutsos.

Published byAnastasia Avice Ramsey Modified over 9 years ago

Similar presentations

Presentation on theme: "BGP-lens: Patterns and Anomalies in Internet Routing Updates B. Aditya Prakash 1, Nicholas Valler 2, David Andersen 1, Michalis Faloutsos 2, Christos Faloutsos."— Presentation transcript:

1 BGP-lens: Patterns and Anomalies in Internet Routing Updates B. Aditya Prakash 1, Nicholas Valler 2, David Andersen 1, Michalis Faloutsos 2, Christos Faloutsos 1 1 Carnegie Mellon University 2 UC-Riverside KDD 2009, Paris

2 Introduction Border Gateway Protocol (BGP) – Internet Routing Protocol – Router sending messages to each other – Keeps path information up-to-date Ideal Setting - no BGP updates Really – many updates – link failures, router restarts, malicious behavior 2 TimepeerASoriginASprefix 2005-02-17 12:39:42ATTSPRINT204.29.119.0/24 2005-02-17 12:39:43VERIZONAOL204.29.80.0/24 2005-02-17 12:39:46WASHATLA204.29.79.0/24 …. Each Row is an update

3 Introduction contd. Question: Find patterns/anomalies? Challenges: – Millions of updates sent over network – Data has multiple dimensions – Noisy Measurements – Impossible for human to sift through updates 3 Automated Tool needed!

4 The Data TimepeerASoriginASprefix 2005-02-17 12:39:42ATTSPRINT204.29.119.0/24 2005-02-17 12:39:43VERIZONAOL204.29.80.0/24 2005-02-17 12:39:46WASHATLA204.29.79.0/24 …. Data from Datapository.net Abilene Network 4 18 million update messages – over two years!

5 Our Approach Look at a simple time-series Focus on just the time # of updates received every b seconds (bin size) Specific Problem we are tackling – Given such time-series – Report patterns and anomalies Also find suspicious entities (paths, ASes etc.) 5 Time 2005-02-17 12:39:42 2005-02-17 12:39:43 2005-02-17 12:39:46 2005-02-17 12:40:01 …. TimepeerASoriginASprefix 2005-02-17 12:39:42ATTSPRINT204.29.119.0/24 2005-02-17 12:39:43VERIZONAOL204.29.80.0/24 2005-02-17 12:39:46WASHATLA204.29.79.0/24 …. b secs time Bin: 01 2 … Count: 42 6 …

6 Real data: Washington Router Very Bursty! Traditional Tools like FFT, auto-regression don’t work  6 # of Updates Bin number (‘Time’) Bin Size = 600s

7 Outline Introduction and Problem Statement Techniques – Temporal Analysis – Frequency Analysis BGP-lens at work Conclusions 7

8 Temporal Analysis First Cut: Take log-linear plot – emphasizes small values over high values 8 Bin size: 10s

9 9 But: Bin size is important!

10 10 ‘Clotheslines’ Bin size: 600s

11 Clotheslines Q1: Why Clotheslines? – Near consecutive updates over long time-period – Can be Route Flapping advertise/withdraw same path frequently important to identify Q2: How to automate this discovery? 11

12 Proposal: Marginals to Rescue PDF of volume of updates – Number of time-bins with volume Extremes == Height of the clotheslines! 12

13 Marginals to Rescue PDF of volume of updates – Number of time-bins with volume 13

14 Algorithm - Clotheslines For marginals plot use the median filtering approach to determine ‘outliers’; For each time interval found, report the most consistent IPs/ASes etc. High Level Idea only – details in paper! 14

15 Outline Introduction and Problem Statement Techniques – Temporal Analysis – Frequency Analysis BGP-lens at work Conclusions 15

16 16 Low Freq. High Freq. High energyLow energy ‘Tornado’ does not touch down time -> Signal

17 In real data… 17 E2

18 18 E2 ~ 20,000 updates! ~ 8 hrs

19 Why Prolonged Spike? Bursts of short duration Can represent malicious behavior – Or simple router restarts! Exact cause hard to find – but important for system-administrators 19

20 Algorithm – Prolonged Spikes Basic idea: find tornados from scalogram Find suitable starting point at higher levels Extend downward as much as possible The finest scale where tornado stops – the shortest time period to look for a prolonged spike Again, details in paper! 20

21 Scalability 21

22 BGP-lens: User Interface 22 # of suspicious events sysadmin wants to check duration: length of events to be checked (think daily vs weekly vs monthly) optional

23 Outline Introduction and Problem Statement Techniques – Temporal Analysis – Frequency Analysis BGP-lens at work Conclusions 23

24 BGP-lens at Work We found real events too. examples- Event 1: 50-clothesline – Prefix and Origin-AS pointed to Alabama Supercomputing Net – When contacted sysadmins attributed changes to route flapping “the route for 207.157.115.0/24 was appearing and disappearing in [the] IGP routing table... [which] may have caused BGP to flap.” – Anomaly went undetected and unresolved for 30 days! 24

25 Results from real data 25 Event 2 Prolonged Spike – May 12 th 2006 – 8hr spike – Most persistent IPs/ASes Primary and middle schools in a large district in a country – Two more spikes Jan18-19, 2006 and Aug 1

26 Conclusions Studied huge real data (~18 million updates) Developed two new techniques – effective spots subtle phenomena like clotheslines and prolonged spikes – scalable BGP-lens: a user-friendly tool provides reasonable defaults provides easy-to-use knobs leads like IPs/ASes 26

27 Thank You! Any questions? www.cs.cmu.edu/~badityap – We thank NSF, USA for their support. Author-Reel! 27

28 Extra - Frequency Analysis Data is self-similar! – we used the entropy-plot measure – also called the b-model [26] – Corresponds to b-model of 75-25 – Multi-resolution techniques needed! 28

29 Extra - FFT 29

30 Extra – Marginals for 10sec 30

31 Extra – Prolonged Spike Algorithm 31

Download ppt "BGP-lens: Patterns and Anomalies in Internet Routing Updates B. Aditya Prakash 1, Nicholas Valler 2, David Andersen 1, Michalis Faloutsos 2, Christos Faloutsos."

Similar presentations

ABSTRACT Due to the Internets sheer size, complexity, and various routing policies, it is difficult if not impossible to locate the causes of large volumes.

ABSTRACT Due to the Internets sheer size, complexity, and various routing policies, it is difficult if not impossible to locate the causes of large volumes.
Data Mining Challenges for Network Management Nick Feamster, Georgia Tech Dave Andersen, CMU (joint with Jay Lepreau and Emulab)

Data Mining Challenges for Network Management Nick Feamster, Georgia Tech Dave Andersen, CMU (joint with Jay Lepreau and Emulab)
Multihoming and Multi-path Routing

Multihoming and Multi-path Routing
End to End Routing Behavior in the Internet Vern Paxson Network Research Group Lawrence Berkeley National Laboratory University of California, Berkeley.

End to End Routing Behavior in the Internet Vern Paxson Network Research Group Lawrence Berkeley National Laboratory University of California, Berkeley.
Comparing IPv4 and IPv6 from the perspective of BGP dynamic activity Geoff Huston APNIC February 2012.

Comparing IPv4 and IPv6 from the perspective of BGP dynamic activity Geoff Huston APNIC February 2012.
SIMPLE Presence Traffic Optimization and Server Scalability Vishal Kumar Singh Henning Schulzrinne Markus Isomaki Piotr Boni IETF 67, San Diego.

SIMPLE Presence Traffic Optimization and Server Scalability Vishal Kumar Singh Henning Schulzrinne Markus Isomaki Piotr Boni IETF 67, San Diego.
1 Aman Shaikh: June 02 UCSC INFOCOM 2002 Avoiding Instability during Graceful Shutdown of OSPF Aman Shaikh, UCSC Joint work with Rohit Dube, Xebeo Communications.

1 Aman Shaikh: June 02 UCSC INFOCOM 2002 Avoiding Instability during Graceful Shutdown of OSPF Aman Shaikh, UCSC Joint work with Rohit Dube, Xebeo Communications.
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.

Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.
1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)

1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)
1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.

1 Interdomain Routing Protocols. 2 Autonomous Systems An autonomous system (AS) is a region of the Internet that is administered by a single entity and.
The need for BGP AfNOG Workshops Philip Smith. “Keeping Local Traffic Local”

The need for BGP AfNOG Workshops Philip Smith. “Keeping Local Traffic Local”
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts – Chapter.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Introduction to Dynamic Routing Protocol Routing Protocols and Concepts – Chapter.
1 Measurement of Highly Active Prefixes in BGP Ricardo V. Oliveira, Rafit Izhak-Ratzin, Beichuan Zhang, Lixia Zhang GLOBECOM’05.

1 Measurement of Highly Active Prefixes in BGP Ricardo V. Oliveira, Rafit Izhak-Ratzin, Beichuan Zhang, Lixia Zhang GLOBECOM’05.
Chapter 4: Network Layer 4. 1 Introduction 4.2 Virtual circuit and datagram networks 4.3 What’s inside a router 4.4 IP: Internet Protocol –Datagram format.

Chapter 4: Network Layer 4. 1 Introduction 4.2 Virtual circuit and datagram networks 4.3 What’s inside a router 4.4 IP: Internet Protocol –Datagram format.
CMU SCS Mining Billion-node Graphs Christos Faloutsos CMU.

CMU SCS Mining Billion-node Graphs Christos Faloutsos CMU.
DYNAMICS OF PREFIX USAGE AT AN EDGE ROUTER Kaustubh Gadkari, Dan Massey and Christos Papadopoulos 1.

DYNAMICS OF PREFIX USAGE AT AN EDGE ROUTER Kaustubh Gadkari, Dan Massey and Christos Papadopoulos 1.
1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.

1 Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network Jian Wu (University of Michigan) Z. Morley Mao (University.
1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background – Detection of Invalid Routing Announcement in the Internet –Open Discussions Thursday.

1 BGP Security -- Zhen Wu. 2 Schedule Tuesday –BGP Background –" Detection of Invalid Routing Announcement in the Internet" –Open Discussions Thursday.
CMU SCS Data Mining Meets Systems: Tools and Case Studies Christos Faloutsos SCS CMU.

CMU SCS Data Mining Meets Systems: Tools and Case Studies Christos Faloutsos SCS CMU.
Learning-Based Anomaly Detection in BGP Updates Jian Zhang Jennifer Rexford Joan Feigenbaum.

Learning-Based Anomaly Detection in BGP Updates Jian Zhang Jennifer Rexford Joan Feigenbaum.

Similar presentations

Ads by Google