VIET NAM NATIONAL UNIVERSITY, HO CHI MINH CITY
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY OF COMPUTER SCIENCE & ENGINEERING

THESIS
BUILDING MONITORING TOOL FOR CORE NETWORK USING BGP PROTOCOL

MAJOR: COMPUTER ENGINEERING
INSTRUCTOR: PhD NGUYEN LE DUY LAI
REVIEWER: PhD NGUYEN DUC THAI
STUDENT: NGUYEN DINH TUAN - 1552411
         VO NAM HAI - 1652178
HO CHI MINH City, December 2021
VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY          SOCIALIST REPUBLIC OF VIETNAM
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY: Computer Science and Engineering              GRADUATION THESIS ASSIGNMENT
DEPARTMENT: Systems and Networks
Note: the student must attach this sheet to the first page of the report
FULL NAME: Võ Nam Hải    STUDENT ID: 1652178    MAJOR: Computer Science    CLASS: _
The BGP protocol has become a fundamental part of the operation and performance of the Internet. As the de facto Internet inter-domain routing protocol, BGP has a number of vulnerabilities and weaknesses. Monitoring BGP is an effective way to improve the security of inter-domain routing. In addition, Software-Defined Networking (SDN) appears with the idea of decoupling the vertically coupled architecture and reconstructing the Internet as a modular structure, and the Border Gateway Protocol (BGP) participates in transitioning existing networks to SDN. Therefore, it is obvious that we should undertake BGP monitoring when monitoring applications or services that are offered with the Internet as the basis of their communication.
Tasks:
- Get the background by studying the BGP protocol
- List the main challenges as far as BGP monitoring is concerned
- Raise problems that can be evaluated according to the fundamental processes of the BGP protocol
- Define the monitoring metrics and functionality to monitor BGP routing information on the routing device
- Propose a monitoring platform and build a monitoring tool for the BGP network
- Evaluate the real need for a possible monitoring scheme
Required results:
- Report and demo of monitoring tool operations
3. Date of thesis assignment: _/ _/ _
4. Date of completion: _/ _/ _
5. Supervisor's full name:                Share of supervision:
   1) Dr. Nguyễn Lê Duy Lai               100%
The thesis content and requirements have been approved by the Department.
Day __ month __ year __
(Sign and write full name)          (Sign and write full name)
Nguyễn Lê Duy Lai
SECTION FOR THE FACULTY AND DEPARTMENT:
Reviewer (preliminary grading):
Unit: _
Defense date:
Final grade: _
Thesis archive location: _
VIETNAM NATIONAL UNIVERSITY, HO CHI MINH CITY          SOCIALIST REPUBLIC OF VIETNAM
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY
FACULTY: Computer Science and Engineering              GRADUATION THESIS ASSIGNMENT
DEPARTMENT: Systems and Networks
Note: the student must attach this sheet to the first page of the report
FULL NAME: Nguyễn Đình Tuấn    STUDENT ID: 1552411    MAJOR: Computer Science    CLASS: _
3. Date of thesis assignment: _/ _/ _
4. Date of completion: _/ _/ _
5. Supervisor's full name:                Share of supervision:
   2) Dr. Nguyễn Lê Duy Lai               100%
The thesis content and requirements have been approved by the Department.
Day __ month __ year __
(Sign and write full name)          (Sign and write full name)
Nguyễn Lê Duy Lai
SECTION FOR THE FACULTY AND DEPARTMENT:
Reviewer (preliminary grading):
Unit: _
Defense date:
Final grade: _
Thesis archive location: _
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY          SOCIALIST REPUBLIC OF VIETNAM
Topic: BUILDING MONITORING TOOL FOR CORE NETWORK USING BGP PROTOCOL
3. Supervisor/reviewer's full name: Nguyễn Lê Duy Lai
4. Overview of the report:
on the routing devices are raised, such as peer_as, peer_ip, as_path and asn. The thesis presents how to design and build a monitoring tool for the BGP network following the Cooperative Information Sharing Model (CoISM). The implemented BGP Monitor tool helps identify BGP IP prefix disputes and categorize them as BGP hijacking incidents. BGP Monitor then analyses BGP communications that have been archived in MRT files. The tool is evaluated by the number of prefixes counted and the elapsed time for processing file dumps.
9. Three questions the student must answer before the Committee:
a. Why do BGP problems occur? Give some examples of BGP issues if someone starts to broadcast a duplicate address or simply one that overlaps with an existing subnet.
b. In which ways can a route hijacking occur, deliberately or by accident?
c. How can a serious hijack case affect the entire Internet? (consequences of route hijacking)
Overall evaluation (in words: excellent, good, average): Grade: 7.5/10
Signature (full name)
Nguyễn Lê Duy Lai
HO CHI MINH CITY UNIVERSITY OF TECHNOLOGY          SOCIALIST REPUBLIC OF VIETNAM
2. Topic: Building Monitoring Tool For Core Network Using BGP Protocol
3. Reviewer's full name: Nguyễn Đức Thái
4. Overview of the report:
8. Recommendation: Approved for defense [x]   Revise before defense [ ]   Not approved for defense [ ]
9. Three questions the student must answer before the Committee:
a. Briefly describe the BGP protocol, and provide the contribution of your work
b. Show the functionalities of your software (monitoring tool) and describe them
c. Prove that your software works properly
COMMITMENT
The team warrants that everything presented in this report is the work of the team itself, except for the cited references and the sample source code provided by the manufacturer, and has not been copied from any other source. If this commitment proves false, the group accepts all responsibility before the Dean of the Faculty and the Rector of the University.
Nguyen Dinh Tuan, Vo Nam Hai
Besides our advisor, we would like to express our gratitude to Ho Chi Minh City University of Technology for giving us the opportunity to learn great lessons in theory and practical experience. Special thanks also go to the lecturers of the Computer Science and Engineering Department, as well as the Office for International Study Programs (OISP) of Ho Chi Minh City University of Technology, for their support and kindness.
TABLE OF CONTENTS
CHAPTER I: INTRODUCTION 8
I Introduce some BGP monitoring architectures and related tools: 20
II Problems that can be evaluated according to the fundamental processes of the BGP protocol 22
LIST OF FIGURES
Figure 1 Example of AS paths on transit and peering links 9
Figure 8 Route validation procedure of inter-domain routing validator 31
Figure 11 Routing validation procedure in cooperative information sharing mode 35
Figure 13 Composition and deployment of CoISM 41
Figure 21 BGP4MP_STATE_CHANGE_AS4 Subtype 52
CHAPTER I: INTRODUCTION

I Background:
Each Internet service provider controls prefixes, which are groups of contiguous IP addresses that can be divided for its own or its customers' requirements. The BGP protocol [1] is used by operators to connect to one another and build the Internet infrastructure. The goal of this protocol is to transmit reachability information about prefixes between two operators, who are then referred to as Autonomous Systems (AS) and are each assigned a unique number.
Each AS notifies its peers that it is able to route traffic to its prefixes. There are two types of interconnection:
- Peering: an arrangement in which each peer broadcasts the prefixes it manages to the others. If an ISP and a content provider reach a peering arrangement, for example, their traffic is exchanged directly;
- Transit: a contract between a customer and its transit provider. The customer informs the provider of its prefixes so that the latter can distribute them; in exchange, the provider advertises the remaining prefixes that make up the Internet.
Figure 1 Example of AS paths on transit and peering links
Each peer in a BGP interconnection attaches an AS PATH to the prefixes it advertises. In Figure 1.1, the AS65540 router has learned the AS PATH 64510 64500 for prefix 192.0.2.0/24. A packet from AS65540 to IP address 192.0.2.1 will pass through AS64510 before arriving at AS64500. The AS that manages the prefix is found at the right-hand end of the AS path list.
In reality, the AS path associated with a prefix is carried in a BGP message of the UPDATE type. This BGP message is responsible for advertising the routes.
The AS65550 router has two routes to prefix 192.0.2.0/24, as shown in Figure 1.1. One was learned over a peering interconnection (blue), the other over a transit interconnection (purple). In the absence of any further data, the shortest AS path is used to decide the route; it is the peering link in this case.
There is no reliable authentication mechanism for prefix advertisements. As a result, a malicious AS can advertise a prefix that belongs to a different AS. This is called prefix hijacking. Depending on the type of advertisement, the implications range from mild to severe. The victim network, for example, may become unreachable for all or part of the Internet, and traffic meant for the victim network may be redirected to the network that hijacked the prefixes.
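The prefix-hijacking scenario just described, an AS originating a prefix whose registered owner is a different AS, is the basic check a BGP monitor performs on archived announcements. The following Python script is an added example, not the thesis's BGP Monitor code: the ownership table and the update records (prefix plus announced AS_PATH) are constructed, the origin is taken as the rightmost AS of the path as explained above, and the script also flags a more-specific announcement of an owned prefix, which is the sub-prefix form of the same attack.

```python
# Added example (not the thesis's BGP Monitor code): flag announcements whose
# origin AS does not match the registered owner of the prefix, including
# more-specific (sub-prefix) announcements. All data below is constructed.
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed ownership table: prefix -> AS that legitimately originates it.
# 192.0.2.0/24 originated by AS64500 matches the Figure 1 scenario.
OWNERS: Dict[str, int] = {
    "192.0.2.0/24": 64500,
    "198.51.100.0/24": 64510,
}

# Constructed update records as a collector would store them: (prefix, AS_PATH).
# The origin AS is the rightmost element of the AS_PATH.
UPDATES: List[Tuple[str, List[int]]] = [
    ("192.0.2.0/24", [65540, 64510, 64500]),   # legitimate: origin is the owner
    ("192.0.2.0/24", [65540, 65550]),          # origin 65550 is not the owner
    ("192.0.2.128/25", [65540, 65550]),        # more-specific of an owned prefix
    ("203.0.113.0/24", [65540, 64510]),        # no registration: cannot validate
]

def find_owner(prefix: str) -> Optional[Tuple[str, int]]:
    """Return (covering registered prefix, owner ASN) for the most specific
    registered prefix that covers `prefix`, or None when nothing covers it."""
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for registered, asn in OWNERS.items():
        reg = ipaddress.ip_network(registered, strict=False)
        if net.version == reg.version and net.subnet_of(reg):
            if best is None or reg.prefixlen > best[0].prefixlen:
                best = (reg, asn)
    return (str(best[0]), best[1]) if best else None

def classify(prefix: str, as_path: List[int]) -> str:
    """'valid', 'unknown', 'origin_mismatch' or 'subprefix' for one announcement."""
    if not as_path:
        return "invalid"          # an empty AS_PATH carries no origin to check
    origin = as_path[-1]
    match = find_owner(prefix)
    if match is None:
        return "unknown"
    covering, owner = match
    if origin == owner:
        return "valid"
    # Owner differs: decide whether the exact prefix or a more-specific was announced
    if covering != str(ipaddress.ip_network(prefix, strict=False)):
        return "subprefix"
    return "origin_mismatch"

def scan(updates: List[Tuple[str, List[int]]]) -> List[Tuple[str, Optional[int], str]]:
    """Run the check over a batch of records, returning (prefix, origin, verdict)."""
    return [(p, path[-1] if path else None, classify(p, path)) for p, path in updates]

if __name__ == "__main__":
    for prefix, origin, verdict in scan(UPDATES):
        print(f"{prefix:18} origin={origin} -> {verdict}")
```

The "unknown" verdict is deliberate: a prefix with no registration cannot be validated either way, and a monitor should report that separately from a confirmed mismatch rather than silently treating it as valid.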
II Aim and Objectives:
1 BGP Protocol:
1.1 Introduction to the BGP protocol:
BGP (Border Gateway Protocol) is a fairly complex protocol, widely used on the Internet and in multinational companies, to connect very large networks, or Autonomous Systems. Large companies can use BGP as a link between networks in different countries. The purpose of BGP is not only to find a path to a particular network, but also to let administrators find the ASs of the networks. BGP is therefore a very powerful and reliable routing protocol that makes it easy for administrators to apply routing policies. [3]
1.2 Autonomous System (AS):
AS (Autonomous System) is a set of devices that share a management policy, with one or more IGPs controlling internal routing and one EGP for external routing (inter-domain routing). AS numbers run from 1 to 65535. There are 2 forms:
- Single-homed AS: the AS has only one external connection
- Multi-homed AS: the AS has more than 1 external connection, of 2 types:
  - Transit AS: carries communication from one ISP to another
  - Non-transit AS: does not transmit directly between 2 different ISPs
Figure 2 Example of Autonomous System Structure
In the picture, our network would be one of the user networks of the AS 100 autonomous system.
The ISP will then have one or more BGP routers through which it connects to BGP routers of other ASes (AS 200 and AS 300), as well as a structure of routers that do not necessarily run the BGP protocol.
The basic functions of a BGP router are:
- To advertise its subscribers' networks
- To propagate information on possible routes
- Based on this information, to choose the most convenient route for each particular traffic flow
It is important to note that BGP routers keep information about their users' networks in routing tables.
By default, a router must share or announce the information contained in its routing table with its neighbouring nodes. This is done over sessions defined between the BGP nodes; nodes connected by a session are called neighbouring nodes.
However, we must clarify that filters are usually applied to the information emitted and received by a BGP router. These filters are defined according to the routing and security policies that each ISP chooses to apply.
Here it is important to point out the radical difference between BGP and other routing protocols. While other protocols are usually driven by fairly simple routing policies that only consider the need to find the optimal route, BGP, because of the relationships between ISPs and the large volume of traffic, tends to work with routing policies that can be very complex.
In fact, these policies contemplate, or can contemplate, a considerable set of parameters. Among them, to mention just a few, are the weight and length of the route, the origin of the packets, the preferred neighbouring router, etc.
1.3 BGP Packet Type:
a) Open message: after a neighbor is configured, BGP sends an Open message to find and establish the neighbor relationship. When the Open message is accepted, a Keepalive message is returned to confirm it. After the Keepalive has been sent, the peers continue with Update and Notification messages, and Keepalive messages are exchanged between BGP neighbors from then on. The Open message includes information such as the BGP version, ASN, RIB, hold time and optional parameters.
b) Keepalive message: maintains the neighbor relationship. A Keepalive is sent whenever the hold timer needs to be restarted, so the minimum hold time value must be 3. A Keepalive is not sent while an Update message is being sent, and if the hold time = 0, Keepalive is never sent.
c) Update message: once the BGP routers have become neighbors, they exchange Update messages. An Update is used to advertise routes from the routing table to the other party; it contains information about new routes, withdrawn routes, and path attributes.
d) Notification message: when an error occurs in BGP, the BGP router generates a Notification message to report the error.
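Every one of the four message types shares the same fixed header (a 16-byte marker, a 2-byte length and a 1-byte type), and the Open body carries the fields listed under a). The Python code below is an added example, not the thesis's code: it decodes that header and the Open body, enforces the hold-time rule from b) (0 means no keepalives; otherwise the value must be at least 3), and builds constructed sample messages to run against. The one-third keepalive interval in `keepalive_interval` is an assumption taken from RFC 4271, not from the text.

```python
# Added example (not the thesis's code): decode the common BGP header and the
# OPEN body described in 1.3, enforcing the hold-time rule (0 or >= 3).
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

MARKER = b"\xff" * 16                      # 16-byte all-ones marker
TYPES = {1: "OPEN", 2: "UPDATE", 3: "NOTIFICATION", 4: "KEEPALIVE"}

@dataclass
class OpenMessage:
    version: int
    my_as: int
    hold_time: int
    bgp_identifier: str
    opt_params: bytes

def parse_header(data: bytes) -> Tuple[str, int, bytes]:
    """Return (type name, declared length, body) after checking the marker and
    that the declared length is sane and covered by the bytes supplied."""
    if len(data) < 19:
        raise ValueError("short header")
    if data[:16] != MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack("!HB", data[16:19])
    if length < 19 or length > 4096 or length > len(data):
        raise ValueError("bad length %d" % length)
    return TYPES.get(msg_type, "UNKNOWN"), length, data[19:length]

def parse_open(body: bytes) -> OpenMessage:
    """Decode version, My AS, hold time, BGP identifier and optional parameters."""
    if len(body) < 10:
        raise ValueError("short OPEN")
    version, my_as, hold, ident, opt_len = struct.unpack("!BHHIB", body[:10])
    if hold != 0 and hold < 3:
        # 1.3 b): keepalives restart the hold timer, so a non-zero hold time
        # below 3 seconds is unacceptable (RFC 4271 states the same rule)
        raise ValueError("unacceptable hold time %d" % hold)
    if len(body) != 10 + opt_len:
        raise ValueError("optional parameter length mismatch")
    return OpenMessage(version, my_as, hold, str(ipaddress.IPv4Address(ident)), body[10:])

def build_open(my_as: int, hold_time: int, router_id: str, opt: bytes = b"") -> bytes:
    """Encode an OPEN message (used here only to construct sample input)."""
    body = struct.pack("!BHHIB", 4, my_as, hold_time,
                       int(ipaddress.IPv4Address(router_id)), len(opt)) + opt
    return MARKER + struct.pack("!HB", 19 + len(body), 1) + body

def build_keepalive() -> bytes:
    """A KEEPALIVE is just the 19-byte header with type 4 and no body."""
    return MARKER + struct.pack("!HB", 19, 4)

def open_is_acceptable(msg: bytes) -> bool:
    """True when `msg` is a well-formed OPEN with an acceptable hold time."""
    try:
        kind, _, body = parse_header(msg)
        return kind == "OPEN" and parse_open(body) is not None
    except ValueError:
        return False

def keepalive_interval(hold_time: int) -> Optional[int]:
    """Seconds between keepalives: one third of the hold time (RFC 4271's
    suggested value, an assumption here), or None when the hold time is 0."""
    return None if hold_time == 0 else max(1, hold_time // 3)

if __name__ == "__main__":
    sample = build_open(64500, 90, "192.0.2.1")          # constructed sample
    kind, length, body = parse_header(sample)
    print(kind, length, parse_open(body), keepalive_interval(90))
```

A monitor that reads raw session captures should apply the same length check before trusting the declared length field, since a message whose length exceeds the bytes actually received cannot be decoded safely.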
1.4 BGP State:
a) Idle State: the initial state of a neighbor. The router searches for a route to the neighbor, and in this state also listens for incoming connections from other BGP neighbors. If successful, it switches to the Connect state; if it fails, it stays in Idle and keeps searching for a way to the neighbor, doubling the wait before each new attempt.
b) Connect State: the router switches from Idle to Connect if it finds a way to the neighbor and attempts the TCP connection. If the TCP connection succeeds, the router sends an Open message to the neighbor router and switches to OpenSent; if it fails, the router switches to Active and waits for the connection to succeed.
c) Active State: a router goes into the Active state if the initial TCP connection fails. In this state the router still re-initiates the TCP connection with the neighbor router. If the TCP connection succeeds, the router sends an Open message and switches to OpenSent; if that fails, it returns to Idle.
d) OpenSent State: in this state the router waits for an Open message from the neighbor router. If it receives an Open message, the router sends a Keepalive message and negotiates parameters such as the Keepalive timer, hold timer, and AS number, then switches to OpenConfirm. If it fails, it returns a Notification message and goes back to Idle.
e) OpenConfirm State: in this state BGP waits for a Keepalive or Notification message from the neighbor router. If a Keepalive is received, the router moves to Established; if a Notification is received, the router reverts to Idle.
f) Established State: the complete state of the BGP connection with the neighbor router, in which Update, Keepalive and Notification messages can be exchanged. If an Update or Keepalive is received, routing information is communicated; if a Notification is received, the router reverts to Idle.
Figure 3 States in BGP
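The six states above form a small finite-state machine driven by events: a route to the neighbor found, TCP up or down, and Open, Keepalive or Notification received. The Python model below is an added example, not the thesis's code. The event names are my own, the transition table follows the text of 1.4 one-for-one, the doubling back-off on each fall back to Idle mirrors the retry rule given for the Idle state, and the hold-timer-expiry transition is an assumption taken from RFC 4271 rather than from the text.

```python
# Added example (not the thesis's code): the BGP session states of 1.4 as an
# event-driven state machine. Event names are my own.
from typing import Dict, List, Tuple

STATES = ("Idle", "Connect", "Active", "OpenSent", "OpenConfirm", "Established")

# (current state, event) -> next state. Events not listed for a state are ignored.
TRANSITIONS: Dict[Tuple[str, str], str] = {
    ("Idle", "route_found"): "Connect",           # a way to the neighbor was found
    ("Idle", "no_route"): "Idle",                 # keep searching
    ("Connect", "tcp_up"): "OpenSent",            # TCP connected, OPEN sent
    ("Connect", "tcp_fail"): "Active",
    ("Active", "tcp_up"): "OpenSent",
    ("Active", "tcp_fail"): "Idle",
    ("OpenSent", "open_received"): "OpenConfirm", # OPEN accepted, KEEPALIVE sent
    ("OpenSent", "open_rejected"): "Idle",        # NOTIFICATION sent
    ("OpenConfirm", "keepalive_received"): "Established",
    ("OpenConfirm", "notification_received"): "Idle",
    ("Established", "update_received"): "Established",
    ("Established", "keepalive_received"): "Established",
    ("Established", "notification_received"): "Idle",
    # Not in the thesis text: RFC 4271 drops the session when the hold timer expires
    ("Established", "hold_timer_expired"): "Idle",
}

class BgpSession:
    """Tracks one neighbor's state and the retry wait applied while in Idle."""

    def __init__(self, base_retry_seconds: int = 1):
        self.state = "Idle"
        self.retry_seconds = base_retry_seconds
        self.history: List[str] = ["Idle"]

    def feed(self, event: str) -> str:
        """Apply one event; unknown (state, event) pairs leave the state unchanged."""
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            return self.state
        if nxt == "Idle" and self.state != "Idle":
            # Idle state rule: each failed attempt doubles the wait before retrying
            self.retry_seconds *= 2
        self.state = nxt
        self.history.append(nxt)
        return nxt

    def run(self, events: List[str]) -> str:
        for event in events:
            self.feed(event)
        return self.state

if __name__ == "__main__":
    s = BgpSession()
    s.run(["route_found", "tcp_fail", "tcp_fail"])                     # back to Idle
    s.run(["route_found", "tcp_up", "open_received", "keepalive_received"])
    print(s.state, s.retry_seconds, " -> ".join(s.history))
```

Recording the history as the machine runs is what makes the model useful for monitoring: a neighbor that repeatedly cycles Connect, Active, Idle without ever reaching Established is the adjacency failure pattern, and the growing retry wait shows why such a neighbor appears to go quiet.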
1.5 Order of route selection priority in BGP:
- Choose the highest Weight (only on Cisco routers)
- Choose the highest Local-pref (only within the same AS)
- Choose the locally originated route (with a next-hop of 0.0.0.0)
- Choose the shortest AS-path
- Choose the route with the lowest Origin (IGP -> EGP -> Incomplete)
- Choose the route with the lowest MED
- Choose a route learned from eBGP over one learned from iBGP
- Among iBGP routes, choose the route passing through the nearest neighbor
- If 2 routes are from eBGP, choose the oldest route
- Choose the route with the smaller BGP Router ID
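The list above is an ordered set of tie-breakers: each step is consulted only when the previous ones leave more than one candidate. The Python function below is an added example, not the thesis's code; it applies the steps in the stated order to constructed `Route` records and also reports which step decided, which is the piece of information a monitor wants when explaining why a router installed one path over another. The attribute names on the `Route` record are my own.

```python
# Added example (not the thesis's code): the 1.5 decision order applied to a set
# of candidate routes for one prefix, reporting the step that settled the choice.
from dataclasses import dataclass
from typing import Callable, List, Tuple

ORIGIN_RANK = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}

@dataclass
class Route:
    next_hop: str
    weight: int = 0                    # Cisco-local, never advertised
    local_pref: int = 100
    locally_originated: bool = False   # next-hop 0.0.0.0 in the table
    as_path: tuple = ()
    origin: str = "IGP"
    med: int = 0
    ebgp: bool = True                  # False means learned via iBGP
    igp_metric: int = 0                # distance to the next hop (nearest neighbor)
    age: int = 0                       # lower = received earlier (older)
    router_id: str = "0.0.0.0"

def _rid(r: Route) -> tuple:
    return tuple(int(x) for x in r.router_id.split("."))

# Each step maps a route to a sort key where the LOWEST value is preferred.
STEPS: List[Tuple[str, Callable[[Route], object]]] = [
    ("highest weight", lambda r: -r.weight),
    ("highest local-pref", lambda r: -r.local_pref),
    ("locally originated", lambda r: 0 if r.locally_originated else 1),
    ("shortest AS-path", lambda r: len(r.as_path)),
    ("lowest origin (IGP < EGP < Incomplete)", lambda r: ORIGIN_RANK[r.origin]),
    ("lowest MED", lambda r: r.med),
    ("eBGP over iBGP", lambda r: 0 if r.ebgp else 1),
    ("nearest neighbor (IGP metric)", lambda r: r.igp_metric),
    ("oldest eBGP route", lambda r: r.age if r.ebgp else 0),  # iBGP skips this step
    ("lowest router ID", _rid),
]

def best_path(routes: List[Route]) -> Tuple[Route, str]:
    """Narrow the candidates step by step; stop at the first step that leaves one."""
    candidates = list(routes)
    for name, key in STEPS:
        lowest = min(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == lowest]
        if len(candidates) == 1:
            return candidates[0], name
    return candidates[0], "tie (identical attributes)"

if __name__ == "__main__":
    # Constructed candidates for 192.0.2.0/24, mirroring the Figure 1 situation:
    # a short path over a peering link and a longer one over a transit link.
    peer = Route(next_hop="10.0.0.1", as_path=(64510, 64500), router_id="10.0.0.1")
    transit = Route(next_hop="10.0.0.2", as_path=(65550, 64510, 64500), router_id="10.0.0.2")
    chosen, why = best_path([peer, transit])
    print(chosen.next_hop, "chosen by:", why)
```

Because the steps are data rather than a chain of if-statements, a monitor can re-run the decision with one step removed (for example ignoring Weight when the device is not a Cisco router) and see whether the installed route would change.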
1.6 Rules:
a) Synchronization Rule:
A route learned from iBGP will not be used (not best) and will not be advertised to any other neighbor until the route is also learned from the IGP.
Figure 4 Synchronization Rules
* Solution:
- Full-mesh configuration
- Using a Route Reflector (RR)
Route Reflector (RR): a route reflector is a method of replacing the full-mesh configuration between iBGP peers in an autonomous system by electing one router in the AS to be the RR server. All other iBGP clients only have to configure a neighbor session with the RR; when there is an Update, they send it only to the RR, and the RR broadcasts the Update routes and information to all other clients in the AS. This makes the configuration simpler and more manageable than a full mesh.
1.7 BGP Attributes:
a) The AS-path attribute
As an important attribute for determining the optimal path, it has 2 functions. The first is that the shorter the AS-path, the more the router prefers the route. The second is to prevent loops. All routers must pass this attribute to all neighbors in every BGP Update message. AS numbers include:
- Public AS: from 1 to 64511
- Private AS: from 64512 to 65534
b) Weight attribute
This is an optional attribute, defined by Cisco and implemented on Cisco devices. Values range from 0 to 65535 (16 bits), default = 32768. The router prefers the route with the higher Weight value. This attribute is not advertised to neighboring routers.
c) The Local-pref attribute
This is an optional attribute, only advertised within the same AS. Values range from 0 to 4.3 billion (32 bits), default = 100. The highest value is chosen as the best route. The Local-Preference attribute lets us choose the most desired path out of an AS.
d) MED attribute
This is the attribute an AS uses to choose which router to go through to reach the same destination in an AS, i.e. to select the route to leave 1 AS. It is a 32-bit value, like the LOCAL_PREF attribute. Lower values have priority for route selection.
e) Origin attribute
This is an optional attribute. This attribute contains the Router ID value of the router that generated the path, and its purpose is to prevent loops. The values for the Origin attribute are:
- IGP: route learned via an IGP, has the value 0
- EGP: route learned via EGP, with value 1
- Incomplete: the route is usually unidentifiable and is usually redistributed into BGP, with a value of 3
The lower value has priority for route selection.
f) Next-hop attribute
The IP address used to reach the advertising router. This value is kept when the route is advertised, which means a router must know the route to reach the next-hop. For eBGP, the next-hop is always the IP address of the neighboring router declared in the neighbor command. In iBGP, the next-hop is kept unchanged.
g) Community attribute
This is an optional attribute, used to apply a policy to a group of routes traversing ASes. If a router receives a routing Update message with the Community attribute set, it processes the message accordingly; if it does not understand the attribute, it passes it on to the neighboring router for processing.
Networks with the same policy are assigned the same community value for routing.
The attribute is 32 bits (4 octets) long, with the first 2 octets for the AS. Format: AS:NN (NN is defined by the administrator).
2 BGP Hijacking:
BGP hijacking (also known as prefix hijacking, route hijacking, or IP hijacking) is the unauthorized takeover of groups of IP addresses by way of the Internet routing tables maintained with the Border Gateway Protocol (BGP).
BGP hijacking, like the TCP reset attack, entails breaking into an ongoing BGP connection, i.e., the attacker successfully impersonates one of the peers in the BGP session, and requires the same information as the reset attack. A session hijacking attack, on the other hand, may be designed to do more than merely take down a session between BGP peers. For example, the goal may be to modify the peer's path to make eavesdropping, black-holing, or traffic analysis easier [4].
III Thesis Organization:
The remainder of this thesis is organized as follows:
Chapter 2: Background and related work
Chapter 3: Research methods
Chapter 4: Implementation & Evaluation
Chapter 5: Conclusion
Chapter 6: References
I Introduce some BGP monitoring architectures and related tools:
1 Internet Routing Registry
The Internet Routing Registry (IRR) is a database of Internet route objects used to identify and exchange the route and associated information needed in router configuration, in order to minimize problems between Internet service providers. Although the IRR's primary goal is to examine the influence of BGP routing policies on Internet traffic, it may also be used to identify fraudulent BGP routes by examining AS policies. The IRR maintains a public database of routing policies: each participating AS can upload its BGP routing policies to the database and obtain the BGP routing policies of other ASes [5].
The main advantages of participating in the IRR system:
- Groups of ASes that share routing rules can make router configuration and maintenance more efficient and error-free
- Malicious, fake BGP routes are easier to track down, which improves stability and security
IRR, on the other hand, has certain disadvantages:
- The IRR database may not be up to date, and data accuracy is unknown
- In some cases, routing policy sharing is not possible, so these ASes or groups of ASes are unable to participate in the IRR
- The privacy-protection requirement of ASes is ignored by the IRR
- The IRR's centralized information sharing mechanism may have a single-point-of-failure issue, and it concentrates a large amount of access traffic
- In the IRR, an AS has no way of controlling the scope of its policy sharing and hence cannot profit from its policy-sharing behavior
Oregon RouteViews, MyASN, and Renesys GRADUS are three major BGP monitoring projects that use the same centralized information sharing architecture.
- The publisher transmits BGP messages to brokers and acts as a BGP message collector
- A subscriber consumes the BGP messages from the brokers
BGPMon is a sophisticated BGP monitoring application that employs the publish/subscribe approach to track and detect abnormal routing activity. For monitoring operations, BGPMon provides a user-friendly graphical interface, commands, and visualization. BGPMon, on the other hand, has various flaws, the most significant of which is that it is a third-party service. This might conflict with some ISPs' routing policies, resulting in disputes and infractions [6].
3 Inter-domain routing validator
A cooperative monitoring system is introduced by the Inter-domain Routing Validator (IRV). IRV presents a mechanism for coordinated routing validation and creates a decentralized query system that allows ASes to confirm BGP routes. Each AS in IRV deploys or designates an IRV server, which is responsible for responding to inquiries from other ASes' IRV servers. An AS queries its IRV server to check incoming BGP data while exchanging BGP UPDATE messages [7].
IRV has a few drawbacks as well:
- When selecting a validation server, an IRV server uses the AS-PATH attribute of BGP UPDATE messages as a heuristic. Because it cannot be assumed that every system supports IRV, this choice may result in a blind spot if the target AS does not have a functioning IRV server
- The communication cost of IRV can be substantial, especially as it grows in lockstep with BGP route growth
- IRV does not consider the incentive issue of ISPs
4 Prefix hijacking alert system
To "push information", a method of providing monitoring information for routing operations, the Prefix Hijacking Alert System (PHAS) employs a unicast information sharing architecture. The alerting mechanism is simple: when PHAS detects a prefix hijack, it sends a message to the prefix user.
Because PHAS cannot tell which ASes are impacted by a prefix hijack, it cannot tell whether many ASes are affected by the same prefix hijack. This may result in recurrent hijacks, lowering the quality of prefix hijack detection [8].
II Problems that can be evaluated according to the fundamental processes of the BGP protocol:
1 Adjacency problems
During the process of starting a session between two BGP nodes, things like the IP addresses of the nodes, the autonomous system numbers (ASN), and even TCP port 179 used by the BGP protocol may be blocked by one of the devices.
A systematic inspection of active sessions between BGP nodes can be used to monitor adjacency issues. In practice, Pandora FMS offers a plugin that uses the SNMP protocol to verify BGP sessions.
2 Propagation problems
If the adjacencies are performing well, the next thing that may go wrong and should be watched is information propagation.
An error might be triggered when the BGP node does not contain the network prefix in its BGP routing table. This is possible because, unlike other routing protocols, a BGP router does not automatically incorporate the information of directly connected networks into its routing table; instead, it depends on how it is configured.
As a result, having a procedure that checks whether a network prefix is in the BGP routing table of the associated node is useful.
The propagation process can also fail at any point on the Internet even though the prefix is listed in the routing table, so it may be worthwhile to verify propagation on a regular basis. There are various services for this that, given network information, validate node propagation. Naturally, the findings collected there should not be merged with our platform's overall monitoring.
On the other side, we know that internal propagation might cause issues, because our router may cease receiving route updates or receive more data than its physical capabilities enable it to manage.
The router that integrates the contracted Internet service must be included in the monitoring platform; we refer to the router as equipment, and we monitor its memory, CPU usage percentage, and so on.
At this point, SNMP may be a useful ally; we must check whether the right metrics for monitoring these scenarios are included in the object identifier (OID) description and related database for each router model.
Figure 5 shows an example of cooperative route validation. Assume that AS A and AS C are the providers of AS E and AS F, respectively. Only AS C is aware that AS F holds the prefix 10.0.0.0/16. Malicious AS E advertises the prefix 10.0.0.0/16 to AS A in order to interrupt traffic destined for that prefix. Because AS A does not know who owns 10.0.0.0/16, it is unable to identify AS E's hijacking while monitoring independently. However, if AS A, B, C, and D form a coordinating community, AS A can send requests to B, C, and D to confirm AS E's advertisement. AS C responds FALSE because it knows who owns the prefix 10.0.0.0/16. As a result, AS A is capable of detecting the fraudulent advertisement.
Figure 6 Illustration of cooperative validation
Information exchange is at the heart of cooperative BGP monitoring. ASes share information in order to validate BGP routes and notify users of fraudulent routes.
However, there are three issues with cooperative BGP monitoring due to the lack of a global information perspective and a control center:
a) How can a validation cooperator be chosen from a large number of BGP monitors? Some information is required to validate a BGP route, such as prefix ownership, BGP neighbor connections, and network topology. It is impossible for a single BGP monitor to capture all of this data, because of frequent modifications or commercial privacy protection.
b) Where can the victims of a fraudulent BGP route be found? When determining whether an AS is the victim of a fake BGP route, routing policy is also critical. For security and cost reasons, an AS does not disclose its routing policy, so a single BGP monitor is insufficient to determine which ASes would be impacted by a fake route. Query flooding or broadcasting may be a successful approach, but it comes at a high cost in terms of communication. As a result, we must devise a more effective information-sharing framework for joint monitoring.
c) How can an AS's willingness to participate in coordination be increased? Cooperative monitoring is almost always a selfless act: when an AS, for example, identifies a fake route and notifies other ASes, it is unlikely to profit from the detection. As a result, we need to create an incentive feedback system to promote AS engagement.
To address the above problems, our solution is based on two facts about BGP routes:
a) Locality. BGP is a policy-based routing protocol, and each AS determines its own routing policy. For various reasons, when an AS receives a BGP route, it may not choose it as the optimal route. If an AS (say X) does not pick a false route, a notice about the false route is useless for X. In this work, this fact is referred to as locality. Obviously, if monitoring data is useless for an AS (such as X), it is not essential to deliver it. With respect to a false route, any Internet AS can be classified into one of three groups: infection, immunity, or isolation. If an AS chooses the fake route as its best, it belongs to the infection set. An AS belongs to the immunity set if it can detect the bogus route. An AS belongs to the isolation set if, whether or not the route is genuine, it does not receive or pick the route according to its routing rules. Because of locality, the BGP monitor only needs to alert the infected nodes when a fake route is identified. In Figure 6, for example, when AS E advertises an NLRI for prefix P1 to AS A, both A and B will choose E's advertisement as the optimal route based on the shortest-path-first rule, so AS A and B are infection nodes. Because C is the owner of prefix P1, AS C is an immunity node: when it gets the NLRI announced by AS E, it recognizes it as a prefix hijacking. Finally, AS D is isolated, since it is a client of C and C will not broadcast the incorrect route information to D.
b) Correlation. After examining IRR policies, we discovered that most routing regulations apply to an AS rather than to a single IP prefix. Because route hijacking attacks target routing policy configuration flaws, if an AS is targeted, all of its IP prefixes will be compromised. As a result, if monitoring data for prefix P1 is helpful to an AS (say Y), data for prefix P2, owned by the same AS, is likely to be beneficial to Y as well. This second fact is called correlation. If an AS (say Z) is under a prefix hijacking attack, all of its prefixes may be under attack, and all monitoring information regarding prefixes controlled by Z will result in the same infection, immunity, and isolation classification of nodes.
Figure 7 Illustration of AS classification
We may draw two inferences from the examination of locality and correlation. First, because of locality, we do not need to send fake-route notifications to every AS. Second, correlation may be used as a heuristic to narrow down the search space.