Lab 7 - BGP Configuration Errors
Due: Friday at 5:00pm
Origin change events in BGP signify that a certain AS has claimed authority
over a block of IP addresses that were previously unallocated or previously
belonged to another AS. The "new owner" will advertise the routes as belonging
to it (e.g. with the smallest possible distance). There are several types of
origin change events:
- B-type: The AS announces a more specific prefix (longer subnet mask) out
of an IP block it already owns.
- H-type: An AS announces it owns a more specific prefix out of a block
belonging to a *different* AS. This is also called "hole punching".
- C-type: An AS (or group of autonomous systems) announces it owns a block
previously owned by another AS. There are several subtypes based on how many
autonomous systems own the block:
- CSM: Owner changed from a single AS to multiple AS
- CSS: Owner changed from a single AS to another single AS.
- CMS: Owner changed from multiple AS to a single AS.
- CMM: Owner changed from multiple AS to other multiple AS.
- O-type: An AS (or group of autonomous systems) announces it owns a block
that was previously unallocated. Again, there are subtypes based on how many
autonomous systems own the block:
- OS: Owner is now a single AS.
- OM: Owner is now a group of autonomous systems.
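The taxonomy above can be checked mechanically. The following is an added example (not part of the lab handout or the Elisha tool) that classifies an announcement against a constructed snapshot of prefix-to-origin-AS mappings; the table contents, prefixes and AS numbers are all made up for illustration.

```python
import ipaddress
from copy import deepcopy

# Constructed snapshot of prefixes and their current origin ASes
# (assumption: a toy routing table, not Elisha's data format).
ORIGINS = {
    ipaddress.ip_network("10.0.0.0/16"): {100},
    ipaddress.ip_network("192.168.0.0/16"): {200, 201},
}

def _sm(asns):
    """'S' for a single origin AS, 'M' for multiple."""
    return "S" if len(asns) == 1 else "M"

def classify(origins, prefix, new_owners):
    """Return the lab's event code for announcing prefix from new_owners,
    or None when the origin set is unchanged."""
    prefix = ipaddress.ip_network(prefix)
    new_owners = set(new_owners)
    if prefix in origins:                        # block already in the table
        old = origins[prefix]
        if old == new_owners:
            return None
        return "C" + _sm(old) + _sm(new_owners)  # CSS, CSM, CMS or CMM
    # Otherwise find the most specific block that contains this prefix.
    covering = [p for p in origins
                if p.version == prefix.version and prefix.subnet_of(p)]
    if covering:
        parent = max(covering, key=lambda p: p.prefixlen)
        # More specific out of the announcer's own block is B-type;
        # an announcer outside the block's owners makes it hole punching.
        return "B" if new_owners <= origins[parent] else "H"
    return "O" + _sm(new_owners)                 # previously unallocated: OS or OM

def replay(origins, announcements):
    """Apply announcements in order on a copy of origins and return the
    event codes, so paired error/correction events show up in sequence."""
    state = deepcopy(origins)
    events = []
    for prefix, owners in announcements:
        code = classify(state, prefix, owners)
        if code is not None:
            state[ipaddress.ip_network(prefix)] = set(owners)
            events.append(code)
    return events

# Constructed sequence mimicking an error and its correction: a second AS
# starts originating 10.0.0.0/16 (CSM), then the table returns to AS 100 (CMS).
MISCONFIG_AND_FIX = [("10.0.0.0/16", {100, 300}), ("10.0.0.0/16", {100})]
```

Replaying a burst of announcements this way is the tabular counterpart of what the Elisha visualization shows: an error produces a run of one code, and the fix produces the mirror-image run.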
A small number of origin change events occur normally as
addresses are allocated or exchanged, but occasionally there will be a large
number of origin change events related to a configuration error made by a
router's administrator. When this happens, there will be a large number of
origin change events resulting from the error that are typically followed by
a large number of origin change events to correct the error.
The Elisha tool is a visualization technique
developed at UC Davis that lets an administrator see at a glance when an
unusual number of origin change events is occurring. It contains historical data
about BGP origin change events that happened in 2000 and 2001.
Start up VMWare Workstation and launch the XP image. Once it is running,
download the following zip file from UC Davis:
Elisha.zip
(zip file containing a Windows exe)
Extract the files to a folder on the desktop. I will show you how to run the
tool at the start of lab since there are several options that need to be
selected to run the tool correctly. You do not need to run the tool in order
to answer the writeup questions, but you do need to read the papers about
the tool.
Papers about the tool can be found at the
UC Davis SecVis website:
- Visual Data Analysis for Detecting Flaws and Intruders in Computer Network
Systems, Soon Tee Teoh, TJ Jankun-Kelly, Kwan-Liu Ma, and Felix Wu. IEEE
Computer Graphics and Applications, special issue on Visual Analytics, 24(5),
September/October 2004, pp. 27-35.
- Visual-based Anomaly Detection for BGP Origin AS Change Events, Soon Tee
Teoh, Kwan-Liu Ma, and S. Felix Wu, in Proceedings of the 14th IFIP/IEEE
Workshop on Distributed Systems: Operations and Management, October 20-22.
Download and read each paper. The questions in the writeup are based on the
contents of the papers. There are also other network and security related
tools on the SecVis website that you may find interesting, so feel free to
peruse it.
Lab Writeup
- When might one have a legitimate origin change from unallocated addresses
to an AS (O type events)?
- Describe how events that claim ownership of already-owned IP addresses (C type)
differ from events that claim ownership of unallocated addresses (O type).
- Describe what the hole punching (H type) event is.
- Why do some origin change events come in pairs and some do not? For
example, the CSM (C type single AS to multiple AS) events are followed by
CMS (C type multiple AS to single AS) events in the April 2001 event, so these
events are paired.