detecting bgp instability using rqa
TRANSCRIPT
Detecting BGP Instability Using RQATo be presented in IEEE IPCCC 2015
Bahaa Al-MusawiPhD candidate
SupervisorsDr. Philip Branch and Prof. Grenville Armitage
[email protected] for Advanced Internet Architectures (CAIA)
Swinburne University of Technology
http://caia.swin.edu.au [email protected] 06 November 2015 2 CAIA Seminar
Outline
• BGP
• BGP Instability
• Modeling BGP as a dynamical system
• Recurrence Quantification Analysis (RQA)
• Results and Discussions
• Conclusions
http://caia.swin.edu.au [email protected] 06 November 2015 3 CAIA Seminar
Border Gateway Protocol (BGP)• The Internet: decentralised network, 10k+ of
Autonomous Systems (ASes)
• BGP is the Internet’s default Inter-domain routing protocol
An example of routing topology
http://caia.swin.edu.au [email protected] 06 November 2015 4 CAIA Seminar
Border Gateway Protocol (BGP)
• BGP4 is last revision (RFC4271)
• BGP supports Classless Inter-domain Routing (CIDR),
ex. prefix 192.2.2.0/24 192.2.2.1-192.2.2.255
• BGP is a path vector protocol
http://caia.swin.edu.au [email protected] 06 November 2015 5 CAIA Seminar
Outline
• BGP
• BGP Instability
• Modeling BGP as a dynamical system
• Recurrence Quantification Analysis (RQA)
• Results and Discussions
• Conclusions
http://caia.swin.edu.au [email protected] 06 November 2015 6 CAIA Seminar
BGP Instability• Routing instability--fluctuation in topology information
and network reachability
• BGP instability--fluctuations in the number of BGP updates and/or path length for an AS
• BGP instability-- hardware failure, misconfiguration, hijacking, software bugs, faulty equipment, and DoS attacks.
• Instability-- performance, processing load, and distribution balance of traffic load for BGP speakers
http://caia.swin.edu.au [email protected] 06 November 2015 7 CAIA Seminar
BGP Instability• Theoretically-- no BGP updates are sent when there is
no change in topology and/or policies
• In the real world-- many ASes are unstable causing propagation of many abnormal BGP updates
• Challenge-- distinguishing abnormal BGP updates from a serious attack
http://caia.swin.edu.au [email protected] 06 November 2015 8 CAIA Seminar
BGP Instability• 40K anomalous route events were reported in the 12
months from May 2011
• 20% of the hijacking and misconfigurations lasted less than 10 minutes
• They are able to pollute 90% of the Internet in less than 2 minutes
• These statistics demonstrate the need for a real-time detection of BGP instability
http://caia.swin.edu.au [email protected] 06 November 2015 9 CAIA Seminar
Outline
• BGP
• BGP Instability
• Modeling BGP as a dynamical system
• Recurrence Quantification Analysis (RQA)
• Results and Discussions
• Conclusions
http://caia.swin.edu.au [email protected] 06 November 2015 10 CAIA Seminar
Modeling• A dynamical system is defined by a phase space, a
time evolution law, and continuous or discrete time
• In phase space, all possible states of a system are represented
• The phase space parameters: embedding dimension and time delay
http://caia.swin.edu.au [email protected] 06 November 2015 11 CAIA Seminar
Type of motion• Type of motions in dynamical systems: stable, noisy,
and chaotic
• Estimating the type of motion is a difficult task when only a series of data is available
Lyapunov exponents estimation for AS10102
http://caia.swin.edu.au [email protected] 06 November 2015 12 CAIA Seminar
BGP Periodicity• BGP data is complex, noisy, and voluminous
• One possible source of periodicity is the Minimal Route Advertisement Interval (MRAI)
• MRAI-- minimum amount of time between two subsequent advertisements to a particular destination
• Active ASes: show reasonably periodic behaviour in terms of sending BGP updates
http://caia.swin.edu.au [email protected] 06 November 2015 13 CAIA Seminar
BGP Periodicity
Unsynchronised aggregation of different periodic updates
Periodicity of unstable ASes
http://caia.swin.edu.au [email protected] 06 November 2015 14 CAIA Seminar
Determinism and non-linearity• Determinism and linearity properties-- helps to select
an appropriate method to predict system behaviour
• We use Delay Vector Variance (DVV) method
• DVV requires the proper selection of time delay and embedding dimension
http://caia.swin.edu.au [email protected] 06 November 2015 15 CAIA Seminar
Determinism and non-linearity
Estimation of determinism and non-linearity
http://caia.swin.edu.au [email protected] 06 November 2015 16 CAIA Seminar
Modeling outcomesBGP messages sent from BGP speakers have been characterized as:
1.Deterministic
2.Stable
3.Non-linear
http://caia.swin.edu.au [email protected] 06 November 2015 17 CAIA Seminar
Outline
• BGP
• BGP Instability
• Modeling BGP as a dynamical system
• Recurrence Quantification Analysis (RQA)
• Results and Discussions
• Conclusions
http://caia.swin.edu.au [email protected] 06 November 2015 18 CAIA Seminar
Recurrence Quantification Analysis (RQA)• RQA is an advanced nonlinear analysis technique
based on a phase plane trajectory
• RQA provides several measures of complexity such as1. Recurrence Rate (RR): measures the percentage of
recurrent points in the phase space
2. Trapping Time (TT): measures how long the system remains in a specific state
http://caia.swin.edu.au [email protected] 06 November 2015 19 CAIA Seminar
Recurrence Quantification Analysis (RQA)• Based on BGP instability, we use two BGP features:
1. Total number of BGP update
2. Average length of AS-PATH
• Calculate RQA measurements for the two BGP features over time
http://caia.swin.edu.au [email protected] 06 November 2015 20 CAIA Seminar
Outline
• BGP
• BGP Instability
• Modeling BGP as a dynamical system
• Recurrence Quantification Analysis (RQA)
• Results and Discussions
• Conclusions
http://caia.swin.edu.au [email protected] 06 November 2015 21 CAIA Seminar
Results and Discussions• Recent incidents of BGP instability was observed on
the 12th of July 2015 by Telekom Malaysia (TMnet)
• AS4788 accidentally announced approximately 179,000 prefixes to Level3
• TMnet caused significant packet loss and slow Internet service around the world
http://caia.swin.edu.au [email protected] 06 November 2015 22 CAIA Seminar
Results and Discussions
Instability detection for BGP volume feature at AS10102
http://caia.swin.edu.au [email protected] 06 November 2015 23 CAIA Seminar
Results and Discussions
Rapid detection for instability with RQA
http://caia.swin.edu.au [email protected] 06 November 2015 24 CAIA Seminar
Results and Discussions
Instability detection for average AS-PATH length feature at AS10102
http://caia.swin.edu.au [email protected] 06 November 2015 25 CAIA Seminar
Results and Discussions
Anomalous behaviour for MRAI in AS10102
http://caia.swin.edu.au [email protected] 06 November 2015 26 CAIA Seminar
Conclusions• We model a BGP speaker as a dynamical system
• BGP speakers show stable, deterministic, and nonlinear behaviour
• Two possibilities for recurrence behaviour: MRAI and the unsynchronised aggregation updates for active ASes
• RQA can rapidly identify BGP instability without the need for a long BGP history
• RQA can also detect hidden anomalous behaviour which might otherwise pass without observation
http://caia.swin.edu.au [email protected] 06 November 2015 27 CAIA Seminar
Questions