CMPS 376 - Lab 7

Lab 7 - BGP Configuration Errors

Due: Friday at 11:55pm

Origin change events in BGP signify that a certain autonomous system (AS) has claimed authority over a block of IP addresses that were previously unallocated or previously belonged to another AS. The "new owner" will advertise the prefix(es) as belonging to it by advertising routes with the smallest possible distance metric. This will then cause other routers in the BGP subnet to change their routing tables, even if the change was not a legitimate change.

There are several types of origin change events:

B-type: The AS announces a more specific prefix (longer subnet mask, e.g. more network bits) out of an IP block it already owns.
H-type: An AS announces it owns a more specific prefix out of a block belonging to a *different* AS. This is also called "hole punching".
C-type: An AS (or group of autonomous systems) announces it owns a block previously owned by another AS. There are several subtypes based on how many autonomous systems own the block:
- CSM: Owner changed from a single AS to multiple AS
- CSS: Owner changed from a single AS to another single AS.
- CMS: Owner changed from multiple AS to a single AS.
- CMM: Owner changed from multiple AS to other multiple AS.
O-type: An AS (or group of autonomous systems) announces it owns a block that was previously unallocated. Again, there are subtypes based on how many autonomous systems own the block:
- OS: Owner is now a single AS.
- OM: Owner is now a group of autonomous systems.

A small number of origin change events occur normally as addresses are allocated or exchanged, but occasionally there will be a large number of origin change events related to a configuration error made by a router's administrator. When this happens, there will be a large number of origin change events resulting from the error that are typically followed by a large number of origin change events to correct the error.

Read the following papers, found at the UC Davis SecVis website, on how origin changes occur and how visualization techniques can be applied to detect abnormal origin changes:

Visual Data Analysis for Detecting Flaws and Intruders in Computer Network Systems, Soon Tee Teoh, TJ Jankun-Kelly, Kwan-Liu Ma, and Felix Wu. IEEE Computer Graphics and Applications, special issue on Visual Analytics, 24(5), September/October 2004, pp. 27-35. [UC Davis pdf] [IEEE Download]
Visual-based Anomaly Detection for BGP Origin AS Change Events, Soon Tee Teoh, Kwan-Liu Ma, and S. Felix Wu, in Proceedings of the 14th IFIP/IEEE Workshop on Distributed Systems: Operations and Management, October 20-22 2003. [UC Davis pdf] [CiteSeerX listing]

Download and read each paper. The questions in the writeup are based on the contents of the papers. You do not have to download their visualization tool for this lab. There are also other network and security related tools on the SecVis website that you may find interesting, so feel free to peruse it.

Lab Writeup

When might one have a legitimate origin change from unallocated addresses to an AS (O type events)?
Describe how the claim ownership of owned IP addresses (C type) events differ from the claim ownership of unallocated addresses (O type) events.
Describe what the hole punching (H type) event is.
Why do some origin change events come in pairs and some do not? For example, the CSM (C type single AS to multiple AS) events are followed by CMS (C type multiple AS to single AS) events in the April 2001 event, so these events are paired.