Lab 7 - BGP Configuration Errors

Due: Tuesday May 26, 2009 by 1:00pm

Origin change events in BGP signify that a certain AS has claimed authority over IPs previously unallocated or previously belonging to another AS. A small number of these changes occur normally, but occasionally there will be a large number of origin change events related to a configuration error made by a router's administrator. Elisha is a visualization tool developed at UC Davis that lets an administrator see when an unusual number of change events are occurring. It contains historical data about BGP origin change events that happened in 2000 and 2001.
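To make the idea of counting origin change events concrete, here is an added example (not part of the Elisha tool or the original lab) that compares daily prefix-to-origin snapshots and labels each change as O type or C type, using the single/multiple AS naming that appears in the writeup questions (CSM, CMS). The snapshots are constructed sample data, the function names are hypothetical, and treating a prefix with no earlier origin as "previously unallocated" is an assumption; hole punching (H type) is not handled.

```python
from collections import Counter

# Constructed sample data: documentation prefixes and reserved ASNs,
# one {prefix: set of origin ASes} snapshot per day.
DAY1 = {"192.0.2.0/24": {64500}, "198.51.100.0/24": {64501}}
DAY2 = {"192.0.2.0/24": {64500, 64510}, "198.51.100.0/24": {64501},
        "203.0.113.0/24": {64502}}
DAY3 = {"192.0.2.0/24": {64500}, "198.51.100.0/24": {64511},
        "203.0.113.0/24": {64502}}


def classify(before, after):
    """Return (prefix, event_type) for every prefix whose origin set changed."""
    events = []
    for prefix, new in after.items():
        old = before.get(prefix, set())
        if not new or new == old:
            continue
        if not old:
            # Assumption: a prefix with no origin in the earlier snapshot
            # stands in for "previously unallocated" (O type).
            events.append((prefix, "O"))
        else:
            # C type: S = single origin AS, M = multiple origin ASes.
            size = lambda s: "S" if len(s) == 1 else "M"
            events.append((prefix, "C" + size(old) + size(new)))
    return events


def daily_counts(snapshots):
    """Count event types between each pair of consecutive snapshots."""
    return [Counter(kind for _, kind in classify(a, b))
            for a, b in zip(snapshots, snapshots[1:])]


def unusual_days(snapshots, threshold):
    """Indexes of day-to-day transitions with more than `threshold` events."""
    return [i for i, c in enumerate(daily_counts(snapshots))
            if sum(c.values()) > threshold]


if __name__ == "__main__":
    for day, counts in enumerate(daily_counts([DAY1, DAY2, DAY3]), start=2):
        print(f"day {day}: {dict(counts)}")
```

In the sample data the CSM event on day 2 is undone by a CMS event on day 3, which is the kind of pairing the last writeup question asks about.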

Start up VMware Workstation and launch the XP image. Once it is running, download the following zip file from UC Davis: Elisha.zip (zip file containing a Windows exe)

Extract the files to a folder on the desktop. I will show you how to run the tool at the start of lab since there are several options that need to be selected to run the tool correctly. You do not need to run the tool in order to answer the writeup questions, but you do need to read the papers about the tool.

Papers about the tool can be found at the UC Davis SecVis website:

Download and read each paper. The questions in the writeup are based on the contents of the papers. There are also other network and security related tools on the SecVis website that you may find interesting, so feel free to peruse it.

Lab Writeup

  1. When might one have a legitimate origin change from unallocated addresses to an AS (O type events)?
  2. Describe how the "claim ownership of owned IP addresses" (C type) events differ from the "claim ownership of unallocated addresses" (O type) events.
  3. Describe what the hole punching (H type) event is.
  4. Why do some origin change events come in pairs and some do not? For example, the CSM (C type single AS to multiple AS) events are followed by CMS (C type multiple AS to single AS) events in the April 2001 event, so these events are paired.