The BGP Monitoring and Alarming System to Detect and Prevent Anomaly IP Prefix Advertisement

Je-Kuk Yun (443-827-7391), Beomseok Hong (443-834-3578), Yanggon Kim (410-704-3782, ykim@towson.edu)
Towson University, 8000 York Rd, Towson, MD 21093, U.S.A.

ABSTRACT
The Border Gateway Protocol (BGP) is the routing protocol that enables large IP networks to form a single Internet. The main objective of BGP is to exchange Network Layer Reachability Information (NLRI) between Autonomous Systems (ASes) so that a BGP speaker can announce its IP prefix and find a path to the destination of packets. However, a BGP hijacker can pretend to be any third BGP speaker because BGP itself doesn't have the functionality of validating BGP messages. In order to solve this problem, a BGP speaker needs to validate messages coming from other BGP speakers. In this paper, we propose the BGP Monitoring and Alarm System (BGPMAS), which monitors incoming announcements and sounds an alarm if the BGPMAS detects an invalid announcement. In addition, the BGPMAS provides AS administrators with a web service that shows where the invalid message is coming from, so that the administrators can rapidly deal with the IP prefix hijacking by ignoring the malicious BGP router's prefix. In order to set up this environment, the BGPMAS needs to be connected to the BGP router, and the AS administrator needs the Alarm Application (AA), which sounds the alarm when it receives a signal from the BGPMAS upon detection of an invalid announcement. As a result, BGP routers can easily gain the RPKI-based origin validation function with the BGPMAS.

Categories and Subject Descriptors
C.2.0 [Computer-Communication Networks]: General—Security and Protection; C.2.2 [Computer-Communication Networks]: Network Protocols—Routing protocols; C.2.5 [Computer-Communication Networks]: Local and Wide-Area Networks—Internet

General Terms
Security

Keywords
BGP, border gateway protocol, interdomain routing, network security, networks, routing

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
RACS'13, October 1–4, 2013, Montreal, QC, Canada.
Copyright 2013 ACM 978-1-4503-2348-2/13/10 …$15.00.

1. INTRODUCTION
BGP is an External Gateway Protocol (EGP) and the routing protocol that enables large IP networks to form a single Internet. The main objective of BGP is to exchange Network Layer Reachability Information (NLRI) between Autonomous Systems (ASes) so that a BGP speaker is aware of the locations of other BGP routers and can ultimately find a path to a given router [1]. However, when BGP was designed, its vulnerabilities were hardly considered [2].

Unfortunately, this lack of consideration of BGP vulnerabilities occasionally causes severe failures of Internet service provision. One such failure, called prefix hijacking, occurred on the 25th of April 1997, when a misconfigured router advertised incorrect prefixes and announced AS 7007 as their origin. As a result, it created a routing black hole for almost two hours [3]. Similar events occurred on the 22nd of January 2006, when Con Edison (AS 27506) stole several important prefixes by misconfiguring them [4], and on Christmas Eve 2004, when TTNet in Turkey (AS 9121) advertised the entire set of Internet prefixes so that every route led to it rather than to the correct destinations [5]. The best-known prefix hijacking incident was the YouTube hijacking by Pakistan Telecom on the 24th of February 2008: in response to a government order to block YouTube access within the country, Pakistan Telecom advertised a more specific prefix than YouTube's prefix. A neighboring router regarded the incorrect prefix as the more specific route and advertised it to the others. As a result, YouTube was not accessible from some ASes for a while [6]. Such prefix hijacking happens constantly on the Internet, through mis-announcement or through intentionally advertising malicious prefixes.

In order to deal with prefix hijacking and mis-announced prefixes more quickly, several solutions have been developed, such as PHAS, S-BGP, pgBGP, and RPKI-based origin validation. The Prefix Hijack Alert System (PHAS) detects attempts to hijack prefixes owned by other BGP routers, using BGP routing data collected by BGP collectors, and notifies prefix owners of the hijack attempt in a reliable manner. However, PHAS does not guarantee the detection of anomalous advertisements [7]. S-BGP checks whether BGP update messages are sent by the authorized BGP speaker, but S-BGP is hard to deploy because of its computation cost [8]. pgBGP validates BGP update messages using its historical routing data: recent routing information is considered normal, and new routing information that deviates from the trusted database is considered anomalous. After a time, new routing information is added to the trusted database and inactive information is removed [9]. Origin validation based on the Resource Public Key Infrastructure (RPKI) is so far the most promising solution to prefix hijacking; it provides the ability to validate BGP routes advertised from other ASes by means of Route Origin Authorizations (ROAs) [10]. RPKI-based origin validation is implemented in Cisco IOS and IOS-XR for Cisco hardware routers, in Juniper Junos for Juniper hardware routers, and in BGP-SRx for Quagga software routers.

Although several solutions have been suggested so far, it is still difficult to deploy them in real-world networks. To say nothing of the drawbacks of PHAS, S-BGP and pgBGP, AS administrators face the dilemma of replacing old BGP routers with RPKI-based BGP routers because of the price of BGP routers and the reconfiguration tasks for routing information. The price of BGP routers may be a burden to AS administrators who want to change their routers. Even if they purchase a new router, or can apply origin validation to their routers without replacing them, AS administrators have to reconfigure all the neighbors they had and all the prefixes they originated. To mitigate the burden on AS administrators, we propose the BGP Monitoring and Alarm System (BGPMAS).

In this paper, we describe two main problems of BGP and their solution in Section 3. In Section 4 we introduce the BGPMAS and discuss an analysis of the BGPMAS. Lastly, we conclude the paper in Section 5.

2. Related research
We discuss withdrawn routes and the opaque extended community in this section. When an invalid message is detected, BGP routers should not only remove the invalid prefix but also notify neighbors of the invalid message's information, such as its IP prefix and ASN. To remove the prefix, withdrawn routes can be used. However, withdrawn routes have to be sent by the originator [2]. Therefore, withdrawn routes cannot be used to notify neighbors of the invalid prefix. On the other hand, the opaque extended community is work in progress for notifying neighbors of the invalid prefix [11].

2.1 Withdrawn Routes
An update message is used not only to announce an IP prefix but also to withdraw one. To remove an IP prefix, the update message needs to include the withdrawn routes length and the withdrawn routes [12]. The withdrawn routes length indicates the total length of the withdrawn routes field. The withdrawn routes field contains the set of IP prefixes that need to be removed. If a BGP router receives an update message that includes withdrawn routes, the BGP router removes the routes indicated in the message. Only the BGP router that originated the prefix can create the withdrawn routes for it. Suppose a hijacker creates an invalid message and announces it to neighbors. Then, even though another BGP router detects the invalid message, that router cannot create the withdrawn routes because it is not the router that originated the invalid message. Therefore, we cannot use withdrawn routes to notify neighbors of the invalid update message.

2.2 Opaque extended community
The BGP opaque extended community is used to notify neighbors of the validation state of update messages [11]. There are three validation states: valid, not found, and invalid. These validation states can be delivered inside an AS through an iBGP connection.

2.3 BGP-SRx
BGP-SRx, developed by the National Institute of Standards and Technology (NIST), consists of the SRx Server, the SRx API, and the Quagga SRx [13]. SRx provides a proxy with APIs, which allows the proxy to be embedded in the router and to communicate with the SRx Server. The Quagga SRx is a software router in which the proxy is embedded. The SRx Server is connected to the RPKI validation cache, so the SRx Server can validate BGP announcements by comparing them with the ROAs in the RPKI validation cache.

3. BGP Threats and Solution
In this section we introduce two well-known threats, IP hijacking and mis-announced routes. In addition, we discuss how origin validation operates in order to prevent these threats.

3.1 IP hijacking
Once BGP routers are connected to each other, they fully trust one another. If a BGP router intentionally originates a bogus prefix to its neighbors, the neighbors that receive the announcement trust the prefix, and their traffic is hijacked by the hijacking router.

Figure 1 shows AS 500 trying to hijack the traffic heading for AS 400. AS 400 announces 10.40.0.0/16 to its neighbors, and traffic in AS 100 is going to 10.40.0.0/16. However, if AS 500 announces a bogus prefix, 10.40.0.0/17, to AS 100, then the traffic in AS 100 goes to AS 500 because 10.40.0.0/17 is more specific than 10.40.0.0/16. As a result, AS 100 takes 10.40.0.0/17 as the destination.

Figure 1. IP prefix hijacking.
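The UPDATE message fields described in Section 2.1, and the reason a withdrawal cannot be used to retract another router's prefix, shown as an added example in Python (not code from the paper or from BGP-SRx); the sample messages, the peer names and the minimal ORIGIN attribute are constructed.

```python
# Added example, not code from the paper: a parser for the UPDATE fields that
# Section 2.1 describes (RFC 4271, 4.3): Withdrawn Routes Length (2 octets),
# Withdrawn Routes, Total Path Attribute Length (2 octets), Path Attributes,
# NLRI. Each route is <length in bits><prefix>, only ceil(len/8) octets present.
import ipaddress
import struct

def decode_prefixes(buf: bytes) -> list:
    """Decode a run of <len><prefix> entries into 'a.b.c.d/len' strings."""
    prefixes, pos = [], 0
    while pos < len(buf):
        plen = buf[pos]
        nbytes = (plen + 7) // 8
        raw = buf[pos + 1:pos + 1 + nbytes]
        if plen > 32 or len(raw) != nbytes:
            raise ValueError("malformed or truncated prefix field")
        addr = ipaddress.IPv4Address(raw.ljust(4, b"\x00"))
        prefixes.append(f"{addr}/{plen}")
        pos += 1 + nbytes
    return prefixes

def encode_prefix(prefix: str) -> bytes:   # inverse of decode_prefixes, one entry
    net = ipaddress.IPv4Network(prefix)
    return bytes([net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]

def build_update(withdrawn: list, nlri: list, attrs: bytes = b"") -> bytes:
    """Assemble an UPDATE body (19-octet BGP header omitted) from its parts."""
    wr = b"".join(encode_prefix(p) for p in withdrawn)
    nl = b"".join(encode_prefix(p) for p in nlri)
    return struct.pack("!H", len(wr)) + wr + struct.pack("!H", len(attrs)) + attrs + nl

def parse_update(body: bytes) -> dict:
    """Split an UPDATE body into withdrawn routes, path attributes and NLRI."""
    (wr_len,) = struct.unpack_from("!H", body, 0)
    withdrawn = body[2:2 + wr_len]
    if len(withdrawn) != wr_len:
        raise ValueError("withdrawn routes length exceeds the message")
    (pa_len,) = struct.unpack_from("!H", body, 2 + wr_len)
    pa_start = 4 + wr_len
    return {"withdrawn": decode_prefixes(withdrawn),
            "attrs": body[pa_start:pa_start + pa_len],  # left undecoded here
            "nlri": decode_prefixes(body[pa_start + pa_len:])}

class AdjRibIn:
    """Routes held per peer. A withdrawal only removes what the same peer announced
    before: this is why Section 2.1 says a detector cannot retract a hijacker's prefix."""
    def __init__(self):
        self.routes = set()  # (peer, prefix)
    def apply(self, peer: str, update: dict) -> None:
        for p in update["withdrawn"]:
            self.routes.discard((peer, p))
        for p in update["nlri"]:
            self.routes.add((peer, p))
    def announcers(self, prefix: str) -> set:
        return {peer for peer, p in self.routes if p == prefix}

ORIGIN_IGP = b"\x40\x01\x01\x00"  # constructed minimal path attribute (ORIGIN=IGP)

def figure1_scenario() -> set:
    """Figure 1 from AS 100's side: AS 400 cannot withdraw the /17 AS 500 announced."""
    rib = AdjRibIn()
    rib.apply("AS400", parse_update(build_update([], ["10.40.0.0/16"], ORIGIN_IGP)))
    rib.apply("AS500", parse_update(build_update([], ["10.40.0.0/17"], ORIGIN_IGP)))
    rib.apply("AS400", parse_update(build_update(["10.40.0.0/17"], [])))  # no effect
    return rib.announcers("10.40.0.0/17")
```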
3.2 Mis-announced route
BGP doesn't validate announcements, so if an AS administrator unintentionally mistypes the prefix length or the IP address, any router that receives the announcement trusts the mistyped prefix length or IP address. As a result, traffic in the routers that received the wrong announcement goes to the wrong destination.

3.3 Origin Validation
Much research has been conducted to solve IP hijacking, such as Secure BGP (S-BGP) [8], Secure Origin BGP (SO-BGP) [12], Pretty Secure BGP (psBGP) [9], Pretty Good BGP (pgBGP) [14], and so on. The Secure Inter-Domain Routing (SIDR) working group completed the Resource Public Key Infrastructure (RPKI) [15]. In order to prevent IP hijacking, only the BGP speaker that has been authorized by the IANA should originate its prefixes. Therefore, BGP speakers should be authorized by the IANA.

Figure 2. The hierarchy of RPKI.

Figure 2 shows how the IANA hierarchically authorizes BGP speakers. The IANA manages an officially verifiable database of the authorized IP prefixes and AS numbers. Therefore, BGP routers need to periodically retrieve the collection of IP prefixes and AS numbers, called Route Origin Authorizations (ROAs) [10], each of which consists of an IP prefix, an ASN, and a maxLength. When a BGP router originates its prefix, the length of the accompanying prefix must be an integer less than or equal to the maxLength. Otherwise, the prefix is considered invalid. For example, if the IP prefix is 10.30.0.0/16 and the maxLength is 19, then the BGP speaker is authorized to originate 10.30.0.0/17, 10.30.0.0/18, or 10.30.0.0/19, but not 10.30.0.0/20.

4. BGPMAS
In this section, we introduce the BGPMAS and describe how the BGPMAS operates with neighbors, the SRx Server, and the AA.

4.1 Architecture
Figure 3 shows the architecture of the BGPMAS. The BGPMAS consists of the Extended Quagga SRx (ex-Quagga-SRx), the Data Agent (DA), the Alarm Server, and the Web Service Agent (WSA). The ex-Quagga-SRx receives update messages through a BGP connection. Then, the ex-Quagga-SRx sends the update message information, such as ASN, prefix, and max length, to the SRx Server.

Figure 3. The architecture of the BGPMAS.

The SRx Server compares the update message information with the ROAs and returns the validation result to the ex-Quagga-SRx. The Data Agent receives the result for the BGP update message from the ex-Quagga-SRx. If the result is invalid, the Alarm Server notifies the AA of the invalid update message. Then, the AA sounds the alarm, and BGP router administrators can check the invalid update message through the web interface.

4.1.1 The Extended Quagga SRx
The Quagga-SRx is connected to a BGP router via iBGP. Once the Quagga-SRx receives update messages, it sends a query to the SRx Server and receives the validation result for the update messages. We extended the existing Quagga-SRx so that it saves the validation results of the update messages in the database.

4.1.2 The Data Agent (DA)
The Data Agent maintains and manages the validation results of update messages.

4.1.3 The Alarm Server
When an invalid prefix is detected in the database, the Alarm Server sounds the alarm through the AA to warn AS administrators. The Alarm Server sends a signal to the AA over TCP, using the AA's IP address and port.

4.1.4 The Web Service Agent (WSA)
The WSA provides AS administrators with a web interface that displays the validation results of update messages. Figure 4 shows the table of validation results, including prefix, as_path, nexthop, AS number, and validation value.
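The origin validation rule of Section 3.3 (prefix, ASN, maxLength) producing the valid, invalid and not found states of Section 2.2, as the SRx Server of Section 2.3 applies it, together with its effect on the longest-prefix match of Figure 1 (Section 3.1). This is an added example in Python, not code from the paper or from BGP-SRx; the ASN 300 attached to the 10.30.0.0/16 ROA and the destination address 10.40.1.1 are constructed.

```python
# Added example, not code from the paper: RPKI origin validation as the SRx
# Server performs it (Sections 2.3 and 3.3), returning the three states of
# Section 2.2. The ROA fields follow Section 3.3 (prefix, ASN, maxLength);
# the ASN 300 for the 10.30.0.0/16 example is constructed, the paper gives none.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "10.30.0.0/16"
    asn: int          # the AS authorised to originate it
    max_length: int   # longest prefix that AS may originate under this ROA

    def covers(self, net: ipaddress.IPv4Network) -> bool:
        return net.subnet_of(ipaddress.IPv4Network(self.prefix))

def validate(prefix: str, origin_as: int, roas: list) -> str:
    """Return 'valid', 'invalid' or 'not found' for one announced route."""
    net = ipaddress.IPv4Network(prefix)
    covering = [r for r in roas if r.covers(net)]
    if not covering:
        return "not found"   # no ROA covers this address space at all
    if any(r.asn == origin_as and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    return "invalid"         # covered, but not for this origin AS or this length

def best_route(routes: list, dst: str, roas: list, drop_invalid: bool):
    """Longest-prefix match as in Section 3.1; optionally ignore invalid routes,
    which is what an administrator does once the BGPMAS has raised the alarm."""
    ip = ipaddress.IPv4Address(dst)
    candidates = []
    for prefix, origin_as in routes:
        if drop_invalid and validate(prefix, origin_as, roas) == "invalid":
            continue
        net = ipaddress.IPv4Network(prefix)
        if ip in net:
            candidates.append((net.prefixlen, prefix, origin_as))
    if not candidates:
        return None
    _, prefix, origin_as = max(candidates)  # longest prefix wins
    return prefix, origin_as

# Constructed ROA set: the Section 3.3 example plus one for AS 400 of Figure 1.
ROAS = [ROA("10.30.0.0/16", 300, 19), ROA("10.40.0.0/16", 400, 16)]
# Figure 1: AS 400's legitimate /16 and AS 500's more specific bogus /17.
FIGURE1_ROUTES = [("10.40.0.0/16", 400), ("10.40.0.0/17", 500)]

if __name__ == "__main__":
    for p in ("10.30.0.0/17", "10.30.0.0/19", "10.30.0.0/20"):
        print(p, validate(p, 300, ROAS))                          # valid, valid, invalid
    print(best_route(FIGURE1_ROUTES, "10.40.1.1", ROAS, False))  # hijacked: /17, AS 500
    print(best_route(FIGURE1_ROUTES, "10.40.1.1", ROAS, True))   # restored: /16, AS 400
```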
Figure 4. Web interface of the WSA.

4.1.5 The Alarm Application (AA)
The AA needs to be installed in the AS that wants to receive the alarm service. When an invalid message is detected by the BGPMAS, the AA receives a signal from the Alarm Server. As a result, the AS administrator doesn't need to monitor the BGP routing table all the time to protect against IP hijacking.

4.2 Simulation of the BGPMAS
Figure 5 shows a topology that includes five ASes, in which no router has any capability of validating BGP update announcements. Using this topology, we explain how the AS 200 administrator can detect a bogus announcement with the AA instead of installing an RPKI-enabled BGP router in AS 200. AS 500 originates 10.50.0.0/16, and the announcement is forwarded to the neighbors AS 300, AS 200, AS 400, and AS 100. Suppose AS 400 hijacks the traffic heading for AS 500 by originating 10.50.0.0/17 to AS 200. Then, R1 receives the bogus announcement, and the ex-Quagga-SRx sends a query to the SRx Server to validate the bogus announcement. After detecting the bogus announcement, the ex-Quagga-SRx saves it in the database. The Alarm Server monitors the database and automatically sounds the alarm when the bogus announcement is discovered in the database. Once the alarm sounds in AS 200, the AS 200 administrator can realize that there is a bogus prefix in the BGP router. In addition, the AS 200 administrator can check the bogus prefix through the webpage provided by the BGPMAS. As a result, the AS 200 administrator can ignore the bogus prefix in a short time.

Figure 5. Simulation of the BGPMAS.

4.3 Analysis of the BGPMAS
AS administrators need to purchase RPKI-enabled BGP routers to secure their AS. However, the cost may be a burden to AS administrators who want to change their routers. Even if they purchase a new router, or can apply origin validation to their routers without replacing them, AS administrators have to reconfigure all the neighbors they had and all the prefixes they originated.

Table 1. The number of neighbors and prefixes over all ASes

                 Minimum   Maximum   Average
Neighbor               1      3955      5.56
Prefix (IPv4)          0      4808     11.42
Prefix (IPv6)          0       422      0.32
Total                  1      6103     17.30

To estimate the intensity of the reconfiguration tasks, we collected the number of neighbors and the number of prefixes originated by each AS on the 25th of May 2013, and we evaluated the average number of neighbors and prefixes over all ASes. The BGP data was collected by the RIPE Routing Information Service (RIPE RIS), and 40993 ASes that have at least one neighbor were used to figure out the average intensity of the reconfiguration tasks. Table 1 shows the result of our analysis of the collected data. The average number of neighbors over all ASes is 5.56, which means an AS has 5 or 6 neighbors on average. The number of neighbors per AS ranges from 1 to 3955; however, few ASes have 200 or more neighbors, so most ASes have fewer than 200 neighbors. The average number of IPv4 prefixes over all ASes is 11.42, and the number of IPv4 prefixes per AS ranges from 0 to 4808, but few ASes have 300 or more IPv4 prefixes. The average number of IPv6 prefixes over all ASes is 0.32, and the number of IPv6 prefixes per AS ranges from 0 to 422, but few ASes have 30 or more IPv6 prefixes. "Total" in Table 1 is the sum of the neighbors and the IPv4 and IPv6 prefixes of each AS, and it signifies the number of mandatory reconfiguration tasks for each AS. The average total is 17.3, which means the reconfiguration task has to be done 17 times for an AS on average. The total ranges from 1 to 6103, but most ASes have fewer than 300 tasks. We assume that more than 20 tasks is irksome and onerous enough, and the number of ASes with 20 or more tasks is 5127, which is about one-eighth of the ASes we collected. Figure 6 shows the number of command lines required for reconfiguration when the existing router is replaced with a new RPKI-enabled router.
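The Alarm Server loop of Sections 4.1.3 and 4.2, which polls the validation-result database filled by the ex-Quagga-SRx and signals the AA over TCP, as an added example in Python (not BGPMAS code); the table schema, the line-based signal format and the sample rows are constructed here, and the example also adds the bookkeeping a poller needs so that one invalid row raises an alarm once rather than on every poll.

```python
# Added example, not BGPMAS code: the Alarm Server behaviour of Sections 4.1.3
# and 4.2. It polls the table of validation results that the ex-Quagga-SRx
# fills (columns as listed for the WSA in Section 4.1.4) and produces one
# alarm per new invalid row, then encodes it as the signal sent to the AA.
# The table name, the wire format and the sample rows are constructed here.
import sqlite3

SCHEMA = """CREATE TABLE IF NOT EXISTS validation_results (
    id INTEGER PRIMARY KEY AUTOINCREMENT, prefix TEXT NOT NULL,
    as_path TEXT NOT NULL, nexthop TEXT NOT NULL,
    origin_as INTEGER NOT NULL, validation TEXT NOT NULL)"""

def open_db() -> sqlite3.Connection:
    return sqlite3.connect(":memory:")   # in-memory stand-in for the BGPMAS database

def record(conn, prefix, as_path, nexthop, origin_as, validation):
    """What the ex-Quagga-SRx does after the SRx Server answers (Section 4.1.1)."""
    conn.execute("INSERT INTO validation_results "
                 "(prefix, as_path, nexthop, origin_as, validation) VALUES (?,?,?,?,?)",
                 (prefix, as_path, nexthop, origin_as, validation))
    conn.commit()

class AlarmServer:
    """Watches the table; remembers the highest row id already examined so a
    row raises at most one alarm, however often the server polls."""
    def __init__(self, conn):
        self.conn = conn
        self.conn.execute(SCHEMA)
        self.last_id = 0

    def poll(self) -> list:
        """Return the alarms for invalid rows added since the previous poll."""
        rows = self.conn.execute(
            "SELECT id, prefix, as_path, nexthop, origin_as FROM validation_results "
            "WHERE id > ? AND validation = 'invalid' ORDER BY id", (self.last_id,)).fetchall()
        (newest,) = self.conn.execute(
            "SELECT COALESCE(MAX(id), 0) FROM validation_results").fetchone()
        self.last_id = max(self.last_id, newest)
        return [dict(zip(("id", "prefix", "as_path", "nexthop", "origin_as"), r)) for r in rows]

def encode_signal(alarm: dict) -> bytes:
    """Constructed line format for the TCP signal to the AA (Section 4.1.3)."""
    return (f"ALARM {alarm['id']} {alarm['prefix']} {alarm['origin_as']} "
            f"{alarm['nexthop']} {alarm['as_path']}\n").encode()

def decode_signal(line: bytes) -> dict:
    """AA side: parse one signal line back into its fields (as_path may contain spaces)."""
    tag, rid, prefix, origin_as, nexthop, as_path = line.decode().rstrip("\n").split(" ", 5)
    if tag != "ALARM":
        raise ValueError("unexpected signal")
    return {"id": int(rid), "prefix": prefix, "origin_as": int(origin_as),
            "nexthop": nexthop, "as_path": as_path}

def simulation_4_2() -> list:
    """The Section 4.2 run at R1: AS 500's valid /16, then AS 400's bogus /17."""
    conn = open_db()
    server = AlarmServer(conn)
    record(conn, "10.50.0.0/16", "300 500", "10.0.0.3", 500, "valid")
    record(conn, "10.50.0.0/17", "400", "10.0.0.4", 400, "invalid")
    first = server.poll()                    # exactly one alarm, for the /17
    return [encode_signal(a) for a in first] + [encode_signal(a) for a in server.poll()]
```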
Figure 6. The number of command lines required for reconfiguration.

In conclusion, 5127 ASes (about one-eighth of all ASes) require more than 20 command lines to replace their BGP routers. We assume that typing 20 or more command lines is bothersome enough to unintentionally cause hijacking or mis-announcement during the reconfiguration.

5. Conclusion
In this paper we describe the design of the BGPMAS. The BGPMAS provides BGP routers with the ability to validate the prefix origin without replacing or reconfiguring their routers. AS administrators can easily obtain the RPKI-based origin validation function by adding the BGPMAS to their router. The BGPMAS continually monitors the prefixes of the AS in which it is installed and notifies the administrators of hijacking attempts immediately. Hence, AS administrators can filter out malicious prefixes in a timely manner. In addition to securing the BGPMAS-enabled AS, the BGPMAS can let other ASes know about malicious prefixes through the alarm application. The BGPMAS is economical because there is no need to purchase a new RPKI-based BGP router, and it is also useful because, compared with a new BGP router, it prevents unintentional mistakes during reconfiguration and requires fewer installation steps than the reconfiguration steps of a new BGP router.

6. REFERENCES
[1] Rekhter, Y. 2006. A Border Gateway Protocol 4 (BGP-4). RFC 4271.
[2] Murphy, S. 2006. BGP Security Vulnerabilities Analysis. RFC 4272.
[3] "7007 Explanation and Apology," Apr 1997. http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html
[4] Renesys Blog, Con-Ed Steals the 'Net. [Online]. Available: http://www.renesys.com/blog/2006/01/coned_steals_the_net.shtml
[5] Renesys Blog, Internet-Wide Catastrophe Last Year. [Online]. Available: http://www.renesys.com/blog/2005/12/internetwide_nearcatastrophela.shtml
[6] Renesys Blog, Pakistan hijacks YouTube. [Online]. Available: http://www.renesys.com/blog/2008/02/pakistan_hijacks_youtube_1.shtml
[7] Lad, M., Massey, D., Pei, D., Wu, Y., Zhang, B., and Zhang, L. 2006. PHAS: A prefix hijack alert system. In Proceedings of the 15th USENIX Security Symposium (USENIX-SS'06), Vol. 15.
[8] Kent, S., Lynn, C., and Seo, K. 2000. Secure Border Gateway Protocol (S-BGP). IEEE Journal on Selected Areas in Communications 18, 4 (Apr. 2000).
[9] Van Oorschot, P., Wan, T., and Kranakis, E. 2007. On Interdomain Routing Security and Pretty Secure BGP (psBGP). ACM Transactions on Information and System Security 10, 3 (July 2007).
[10] Lepinski, M., Kent, S., and Kong, D. 2012. A Profile for Route Origin Authorizations (ROAs). Work in progress (Internet Draft), Feb 2012.
[11] Mohapatra, P. 2013. BGP Prefix Origin Validation State Extended Community. draft-ietf-sidr-origin-validation-signaling-02 (Dec 2012).
[12] White, R. 2003. Securing BGP through secure origin BGP. Internet Protocol Journal 6, 3 (September 2003).
[13] BGP Secure Routing Extension (BGP-SRx) by NIST. [Online]. Available: http://www-x.antd.nist.gov/bgpsrx/
[14] Karlin, J., Forrest, S., and Rexford, J. 2006. Pretty Good BGP: Improving BGP by Cautiously Adopting Routes. In IEEE International Conference on Network Protocols.
[15] Manderson, T., Vegoda, L., and Kent, S. 2012. Resource Public Key Infrastructure (RPKI) Objects Issued by IANA (Feb. 2012). [Online]. Available: http://www.rfc-editor.org/rfc/rfc6491.txt