Lab 7 - BGP Configuration Errors
Due: Friday at 11:55pm
Origin change events in BGP signify that a certain autonomous system (AS) has
claimed authority over a block of IP addresses that were previously
unallocated or previously belonged to another AS. The "new owner" advertises
the prefix(es) as belonging to it by announcing routes with the smallest
possible distance metric. Other BGP routers then update their routing tables
accordingly, even if the change was not legitimate.
There are several types of origin change events:
- B-type: The AS announces a more specific prefix (longer subnet mask, i.e.
more network bits) out of an IP block it already owns.
- H-type: An AS announces it owns a more specific prefix out of a block
belonging to a *different* AS. This is also called "hole punching".
- C-type: An AS (or group of autonomous systems) announces it owns a block
previously owned by another AS. There are several subtypes based on how many
autonomous systems own the block:
  - CSM: Owner changed from a single AS to multiple ASes.
  - CSS: Owner changed from a single AS to another single AS.
  - CMS: Owner changed from multiple ASes to a single AS.
  - CMM: Owner changed from multiple ASes to other multiple ASes.
- O-type: An AS (or group of autonomous systems) announces it owns a block
that was previously unallocated. Again, there are subtypes based on how many
autonomous systems own the block:
  - OS: Owner is now a single AS.
  - OM: Owner is now a group of autonomous systems.
A small number of origin change events occur normally as addresses are
allocated or exchanged, but occasionally there will be a large number of
origin change events related to a configuration error made by a router's
administrator. When this happens, there will be a large number of origin
change events resulting from the error that are typically followed by a large
number of origin change events to correct the error.
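As an added example (not part of the lab or of the papers below), the following Python classifies announcements into the event types above from a prefix-to-origin-AS-set table and then flags time buckets holding a burst of events, the signature the text associates with a router misconfiguration. The prefixes, AS numbers (documentation range) and the update stream are constructed; the rule that a more specific prefix is B-type only when its announcers already own the covering block is an assumption of this example.

```python
from ipaddress import ip_network

def classify_origin_change(table, prefix, new_origins):
    """Return B, H, OS, OM, CSS, CSM, CMS or CMM for an announcement of `prefix`
    by `new_origins` against the prefix -> origin-AS-set table, or None if unchanged."""
    net, new = ip_network(prefix), frozenset(new_origins)
    old = table.get(prefix)
    if old is None:
        # Unseen prefix: is it a more specific of a block already in the table?
        covering = [p for p in table if net != ip_network(p) and net.subnet_of(ip_network(p))]
        if covering:
            parent = max(covering, key=lambda p: ip_network(p).prefixlen)
            return "B" if new <= table[parent] else "H"   # own block: B; another AS's: H
        return "OS" if len(new) == 1 else "OM"             # previously unallocated
    if old == new:
        return None
    # C-type: single (S) or multiple (M) old owners -> single or multiple new owners
    return "C" + ("S" if len(old) == 1 else "M") + ("S" if len(new) == 1 else "M")

def process_updates(updates, table):
    """Apply (timestamp, prefix, origins) updates in order; return (events, table)."""
    table, events = dict(table), []
    for ts, prefix, origins in updates:
        kind = classify_origin_change(table, prefix, origins)
        if kind is not None:
            events.append((ts, prefix, kind))
        table[prefix] = frozenset(origins)
    return events, table

def burst_windows(events, window, threshold):
    """Fixed-size time buckets with >= threshold origin changes (misconfiguration burst)."""
    counts = {}
    for ts, _, _ in events:
        counts[ts // window] = counts.get(ts // window, 0) + 1
    return sorted(b for b, n in counts.items() if n >= threshold)

# Constructed sample data: AS numbers from the documentation range 64496-64511.
INITIAL_TABLE = {"10.0.0.0/8": frozenset({64496}), "192.0.2.0/24": frozenset({64497, 64498})}
SAMPLE_UPDATES = [
    (0, "10.1.0.0/16", [64496]),            # B: more specific of the announcer's own block
    (1, "10.2.0.0/16", [64499]),            # H: hole punched in another AS's block
    (2, "198.51.100.0/24", [64500]),        # OS: unallocated -> single AS
    (3, "203.0.113.0/24", [64500, 64501]),  # OM: unallocated -> multiple ASes
    (4, "10.0.0.0/8", [64496, 64502]),      # CSM: error adds a second origin
    (5, "192.0.2.0/24", [64497]),           # CMS
    (6, "192.0.2.0/24", [64497]),           # same origin set: not an event
    (7, "10.0.0.0/8", [64496]),             # CMS: the correction paired with the CSM above
    (8, "198.51.100.0/24", [64503]),        # CSS
    (9, "203.0.113.0/24", [64504, 64505]),  # CMM
]
```

Running `process_updates(SAMPLE_UPDATES, INITIAL_TABLE)` yields the nine events annotated in the comments, and `burst_windows(events, 5, 5)` flags only the first five-second bucket, where the error at timestamp 4 lands amid the other changes.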
Read the following papers, found at the
UC Davis SecVis website,
on how origin changes occur and how visualization techniques can be applied
to detect abnormal origin changes:
- Visual Data Analysis for Detecting Flaws and Intruders in Computer Network
Systems, Soon Tee Teoh, TJ Jankun-Kelly, Kwan-Liu Ma, and Felix Wu. IEEE
Computer Graphics and Applications, special issue on Visual Analytics, 24(5),
September/October 2004, pp. 27-35.
- Visual-based Anomaly Detection for BGP Origin AS Change Events, Soon Tee
Teoh, Kwan-Liu Ma, and S. Felix Wu, in Proceedings of the 14th IFIP/IEEE
Workshop on Distributed Systems: Operations and Management, October 20-22 2003.
Download and read each paper. The questions in the writeup are based on the
contents of the papers. You do not have to download their visualization tool
for this lab. There are also other network- and security-related tools on the
SecVis website that you may find interesting, so feel free to peruse it.
Lab Writeup
- When might one have a legitimate origin change from unallocated addresses
to an AS (O type events)?
- Describe how claiming ownership of already-owned IP addresses (C type
events) differs from claiming ownership of unallocated addresses (O type
events).
- Describe what the hole punching (H type) event is.
- Why do some origin change events come in pairs and some do not? For
example, the CSM (C type single AS to multiple AS) events are followed by
CMS (C type multiple AS to single AS) events in the April 2001 event, so these
events are paired.