Lab 6 - BGP Visualization and a Simple Shell Daemon

Due: Thursday by 5pm

Part 1: BGP Change Origin AS visualization

Origin change events in BGP signify that a certain AS has claimed authority over IPs previously unallocated or previously belonging to another AS. A small number of these changes occur normally, but occasionally there will be a large number of origin change events. The Elisha tool is a visualization technique that lets an administrator see when an unusual number of change events are occurring. You do not need to run the tool to answer these questions; just read the second listed paper (it has the most details on the use of the tool). I do encourage you to download the tool at home and play around with it just to see how complex data can be visualized.

Elisha (zip file containing a Windows exe)

Papers from the SecVis website:

Questions Part 1:
  1. When might one have a legitimate origin change from unallocated addresses to an AS?
  2. Why do some origin change events come in pairs (CSM "sky blue" followed by CMS "yellow" as mentioned in the second paper for the April 2001 event) and some do not?

Part 2: Simple Shell Daemon

In Lab 5, one hindrance to having multiple simultaneous connections was how to interact with more than one connection. One way around this issue is to bind another program to each connection to handle the user's requests. In this part of the lab, we will look at how three programs work together to provide a small shell over telnet. The three programs are s_daemon, s_sh and s_tlnt, written by Marc Thomas.

s_daemon.c is the server program. It accepts and manages connections. It also spawns the simple shell program, s_sh.c, to interact with each connection. It is similar to daemon.c from Lab 4 except it spawns a new program for the children. It uses pipes to communicate with s_sh and select() has been expanded to watch both the sockets and pipes. See the function dialog_with_telnet() for these changes. The command to start s_daemon is:

s_daemon [-log]
The optional log option will create a log, similar to daemon.c.
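
The pipe-plus-select() arrangement described above, as an added sketch that is not taken from s_daemon.c: the names spawn_shell and relay_once are hypothetical, cat stands in for s_sh, and a socketpair stands in for an accepted telnet connection. The child closes every inherited descriptor so a spawned shell cannot reach other clients' sockets.

```c
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Start prog with stdin/stdout on pipes. Returns its pid, or -1 on failure. */
pid_t spawn_shell(const char *prog, int *to_child, int *from_child) {
    int in[2], out[2];
    if (pipe(in) < 0 || pipe(out) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        dup2(in[0], STDIN_FILENO); dup2(out[1], STDOUT_FILENO);
        /* Close inherited fds (pipe ends, other clients' sockets); 256 is an assumed bound. */
        for (int fd = 3; fd < 256; fd++) close(fd);
        execlp(prog, prog, (char *)NULL);
        _exit(127);
    }
    close(in[0]); close(out[1]);   /* parent keeps only its own pipe ends */
    *to_child = in[1]; *from_child = out[0];
    return pid;
}

/* One select() pass; returns bytes sent to the socket, 0 if none, -1 on EOF or error. */
int relay_once(int sock, int to_child, int from_child) {
    char buf[512];
    fd_set rfds; ssize_t n;
    FD_ZERO(&rfds); FD_SET(sock, &rfds); FD_SET(from_child, &rfds);
    if (select((sock > from_child ? sock : from_child) + 1, &rfds, NULL, NULL, NULL) < 0)
        return -1;
    if (FD_ISSET(sock, &rfds)) {            /* client -> shell */
        if ((n = read(sock, buf, sizeof buf)) <= 0) return -1;
        if (write(to_child, buf, n) != n) return -1;
    }
    if (FD_ISSET(from_child, &rfds)) {      /* shell -> client */
        if ((n = read(from_child, buf, sizeof buf)) <= 0) return -1;
        if (write(sock, buf, n) != n) return -1;
        return (int)n;
    }
    return 0;
}

int main(void) {   /* constructed demo: socketpair as the connection, cat as the shell */
    int sv[2], to_c, from_c, n = 0;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return 1;
    if (spawn_shell("cat", &to_c, &from_c) < 0) return 1;
    if (write(sv[1], "pwd\n", 4) != 4) return 1;
    while (n == 0) n = relay_once(sv[0], to_c, from_c);
    close(to_c); wait(NULL);
    return n == 4 ? 0 : 1;
}
```

A real daemon would call relay_once in a loop per connection and reap the child with waitpid() once it returns -1.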

s_sh.c is a very simple shell. A shell is used to interact with the system. It parses commands and command options, runs them and displays the results. This program can parse a few commands such as cd, dir and pwd. It also supports one * or ? wildcard per line. The comments section at the top of the file lists more details on the capacity of this shell program.

s_tlnt.c is a simple telnet client. Some interesting things to look at in the s_tlnt.c code are process_esc() and the commandmode jump target in main(). The process_esc() function interprets basic VT100/ANSI escape sequences. VT100 and ANSI are standards to control the placement of the cursor on a text screen, colors, reverse colors, blinking text, clearing the screen and other such functionality needed to create basic text-based graphical interfaces. If you use Pine, you've seen VT100 and ANSI in use. The commandmode jump target can be reached by pressing CTRL-T (the "escape character") while the program is running. This is the s_tlnt prompt. Your connection will still be active in the background while you give commands to the s_tlnt program. You can "close" an active connection, "return" to an active connection, "open" a new connection, set s_tlnt parameters, access a "help" screen and see the "status" at the s_tlnt prompt. The command to start s_tlnt is:

s_tlnt [-v] [-snoopy] hostname port
The v option will turn on verbose, which will give you detailed information about the execution of the program. You can also set "verbose" or "noverbose" at the s_tlnt prompt. The snoopy option activates transparent mode, which gives information about telnet arbitration and shows all control and 8-bit characters. You can set "snoopy" or "nosnoopy" at the s_tlnt prompt. The hostname is the name of the host and the port is the port number given by s_daemon when you ran it.

Part 2 Questions:

  1. Try running the command s_tlnt -v -snoopy helios 23. What do you see?
  2. How does what you see for Question 1 differ from what you see when you connect to s_daemon's port number?
  3. When connected to s_daemon with s_tlnt, type CTRL-T to reach the s_tlnt prompt and use "close" to end the connection. What do you see in the s_daemon screen?