Here's how we developed a methodology and open source tools to make it easier to detect route prefix hijacks.

Introduction

As part of the French Internet Resilience Observatory initiative, ANSSI monitors Internet BGP activity since 2011. The main goal is to detect routing anomalies, such as prefix hijacks, that impact French network operators. Some of these anomalies can have harmful effects on Internet resilience .



Such routing anomalies are sometimes difficult to detect as they can be totally legitimate. They must therefore be carefully monitored. For example, a DDoS mitigation provider may announce its client's prefixes. In order to distinguish between legitimate and abnormal routing anomalies, we developed a methodology - described in detail in our report - that we are constantly improving.



While the methodology and the data were already available to anyone, the implementation was not. A few weeks ago we released two open source tools that make it easier to detect prefix hijacks. They both use data provided by the route collectors operated by the RIPE NCC Routing Information Service (RIS).

How Does It Work?

Overview

MaBo is our MRT parser and TaBi our BGP hijack detection tool. They work closely together. MaBo translates the raw BGP messages contained in the MRT files to an intermediate representation using a human readable JSON format. It is then used by TaBi to emulate a global Routing Information Base (RIB) and detect routing anomalies.

MaBo

MaBo was one of the first tools created by the Observatory team in 2011. At first, it was an educational programme developed to learn the BGP protocol, and the MRT format, in depth. Undeniably, it is always a good idea to implement a protocol on its own to better understand it. MaBo is written in the OCaml programming language, which offers very good properties regarding security and safety of execution.



In fact, it is really important to be able to recover the parsing in case of malformed BGP messages. We are quite satisfied with the robustness of this parser as it is able to handle the large volume of data that we analyse every day. It has also evolved to become our "Swiss Army Knife" for MRT files, allowing us for example to list prefixes announced by a given ASN as demonstrated below.



bash$ wget -c http://data.ris.ripe.net/rrc01/latest-bview.gz

bash$ mabo prefixes --asn-list <(echo 202214) latest-bview.gz

202214 185.50.64.0/22

202214 185.50.66.0/24

202214 185.50.67.0/24

202214 2a01:a6a0::/32



The first command downloads a BGP table dump from the RIS route collector 01 (RRC01) located in London and the second launches MaBo to list prefixes originating from AS202214.

TaBi

TaBi is both a Python module and a standalone application. Its main goal is to detect BGP prefix hijack events. It acts as a very large route collector, collecting BGP updates from a large number of peers and storing them in a constrained amount of memory. In fact, as most anomalies are often localised, it is important to get the BGP updates from a lot of peers all over the Internet in order to have a better chance of detecting the routes in conflicts.



Internally, it works by storing the BGP updates in a specialised data structure called a radix tree , which associates a prefix with its originating ASN for a given peer. This data structure allows fast detection of prefix hijacks, i.e. routes with the same length prefix or less specific prefix but originating from a different ASN. In the literature, these events are sometimes called Multiple Origin AS (MOAS) or sub-MOAS.



At the moment, it is still a low-level network tool, and does not offer a fancy web interface, but to our knowledge, it is the first tool able to detect such events that was released as open source.



$ tabi -m live rrc01 -a <(echo 3462) results latest-bview.gz | head -n 1 | json_pp

{

"collector" : "rrc01",

"peer_as" : 29611,

"asn" : 3462,

"peer_ip" : "2001:7f8:4::73ab:1",

"timestamp" : 1451606400,

"announce" : {

"as_path" : "29611 3356 9680",

"type" : "F",

"asn" : 9680,

"prefix" : "1.35.128.0/24"

},

"conflict_with" : {

"asn" : 3462,

"prefix" : "1.35.0.0/16"

}

}



This example shows the first conflicting route for the prefixes announced by AS3462.

Use cases

Technically, we regularly mirror all the MRT files available from RIS and use MaBo to parse them. They are then pushed into our MapReduce cluster so that TaBi can work on it in parallel. More details are covered in the presentation we gave at NSC in 2014.



Today, we use these tools to generate daily reports of BGP anomalies. As we focus our work on French operators only, we use our understanding of the French Internet ecosystem to analyse the events targeting ASes in France. That being said, we think other people can benefit from our work and reproduce this kind of analysis for their prefixes. That is why TaBi can be used as a Python module, because we would like users to create new tools around it.

Towards true real-time detection

Recently, the RIPE NCC has announced their intention to upgrade RIS to a newer infrastructure allowing real-time BGP message streaming . We were excited about this new feature because it offers new opportunities to network operators who want to react super-quickly when their prefixes are being hijacked.



Last month, while participating in the CAIDA BGP hackathon , we were able to get access to this new system and have been able to develop a proof-of-concept around TaBi to detect hijacks on prefixes of interest. Moreover, we worked with the PEERING research team , who were also present at the hackathon, to announce prefixes using their testbed in order to simulate a controlled route conflict. This was very interesting because we could measure the latency of the detection mechanism and were particularly impressed because the event was detected within a few seconds following the announcements.



Another team even demonstrated a BGP hijack defence mechanism announcing automatically deaggregated prefixes in response to hijacks detected by our PoC. This is very promising and we believe even more powerful tools can be built. The code, which is not production-ready yet, has been made available on the event github repository . We welcome people to build on this code and if you would like further information, we invite you to leave a comment below.