FAQ
Where do you get your data?
Instead of setting up its own peerings with other networks, BGPmon builds on the great work of RIPE's RIS project. BGPmon currently uses data from 9 different RIS collectors, which are geographically dispersed over the world: the majority are in Europe, two are in the USA, one is in Latin America (Sao Paulo, Brazil), one in Moscow and one in Otemachi, Japan. The RIS project publishes its routing update data every 5 minutes. The IPv4 and IPv6 data come from over 100 peers, which greatly improves the chance of detecting an event.

How do I add all prefixes for my AS to the system?
Click on the "My prefixes" link and use the "Auto detect prefixes" feature: fill in your AS number and submit. The system then tries to find all current and recent prefixes that are announced with your AS as origin. You can also add an AS path regex for all of these prefixes at the same time. Next, review the list of prefixes and change attributes where necessary. If you do not want a specific prefix to be monitored, empty that field and it will not be added to the database; you can of course also remove a prefix later.

What do the codes mean?
On the "My Updates" page each update is marked with a code, which distinguishes the different kinds of updates. The lower the code, the more likely it is that the update is suspicious. These are the code definitions:
What is a BGP MITM attack?
A BGP Man In The Middle attack uses BGP to redirect traffic for certain destinations through an attacker's network. The concept is not new, but it received quite some attention after a demonstration given at DEFCON in August 2008. In that demonstration traffic was redirected to the "attacker's" server, where it was analysed for interesting data and then forwarded to the original destination. Because of the way the attack works, neither the origin AS nor the transit AS appeared to have changed: the tricky part is that this tail of the AS path is spoofed/forged before the attacker's own AS number is added in front of it.

Does BGPmon detect this BGP MITM attack?
Yes, it tries to detect it and distinguish it from normal BGP updates. To start a successful widespread "attack" you would have to announce a more specific route. This more specific appears to originate from the same AS as the owner's AS, but its AS path differs from every other path seen for that AS. BGPmon has an auto-learning system for known AS paths in the global routing table and detects when a more specific arrives with an unknown AS path. If so, the update is marked as code 21, BGP MITM attack. For a demo see: BGPmon detects DEFCON's BGP MITM attack. You will have to log in with username demo@bgpmon.net and password demo.
NOTE: to use this feature you have to monitor for more specifics (i.e. do NOT enable "Ignore more specifics").

What do you mean by auto-learning?
The system holds a table with information about all the prefixes and AS paths in the BGP routing table. These database tables are updated every day, which lets the system learn which prefixes are out there, how stable they are and for how long they have been there. This is used for the auto-discovery feature as well as for the AS path anomaly feature.

How does the AS path regex work?
The system allows you to add a regular expression to every prefix you are monitoring. The AS path of every update for your prefix is compared against this regex. If the regex does not match, an alarm with code 41 is generated. You will find some example regex lines on the "My prefixes" page; if you have other good examples, please send them to me by mail and I will add them. The regex must be one that perl can interpret (=~). Before a regex is used it is checked to be a valid regex; if it is not, the regex is ignored. Because an invalid regex is ignored rather than rejected, it is worth confirming that the filter is active with the self-test described under "How do I test the email functionality?". Note also that the comparison is an unanchored search over the AS path as a string: a regex such as 271$ only checks that the path ends in the digits 271, so it also matches a path ending in AS 4271; use \b271$ or (^| )271$ if you want exactly AS 271 as the last AS. If you have perl on your system you can test your regex with a small script like this:
use strict;
use warnings;

my $regex = '271$';               # the regex exactly as entered in BGPmon
my $path  = '111 123 456 271';    # AS path as a space-separated string
if ($path =~ /$regex/) {
    print "match: $path\n";
} else {
    print "no match: $path\n";
}
Auto detect my regex
If you have lots of peerings or upstreams it can be a lot of work to create the correct regex. To help you with this, BGPmon can auto-detect all your peers and create a regex for you. To use this click on the

Do I need to fill in a transit AS?
No, this is not required. If you do submit a transit AS, we will monitor for that as well. The transit AS is the AS directly before your AS in the AS path.

How about IPv6 support?
Yes! BGPmon now supports IPv6 prefixes as well. All IPv4 monitoring features should work for your IPv6 prefixes too. Also see: BGPmon now has full IPv6 support!

Does BGPmon support 4 byte AS numbers?
Yes! 4-byte AS numbers are supported: they are recognized in the AS path, and the web application handles them. 4-byte AS numbers are displayed in ASdot notation; for input you can use either ASplain or ASdot. For more info about 4-byte AS numbers please see this blog entry.

What is the Bogon AS announcement page?
The Bogon AS announcement page shows a list of BGP advertisements whose origin AS is a bogon or private AS number. It gives you a good idea of how often this actually happens, which might be more often than you thought.

What is the email notification level?
Updates are classified based on the attributes of the update; this classification is referred to as the change code. The lower the change code, the more likely it is that something suspicious happened. By setting your notification level you define which alarms you would like to receive. It is an include filter: if you set the notification level to 31, you will also receive the code 21, 12 and 11 alarms. You can also disable email notification, globally or per prefix.

Can I change email notification for one specific prefix?
Yes, you can. You can set a global level for email notification as well as a level per prefix.
If no notification level has been set for a prefix, it inherits the level from the global setting.

Is BGPmon reachable over IPv6?
Yes, of course!

Who wrote this?
BGPmon is written by Andree Toonk.

How long have you been working on this?
This software was written over the course of 1.5 years, mainly for private use: I used it to monitor the prefixes of our network as well as some popular websites (the top 150 from alexa.com). Given the more widespread interest I decided to make it available to everyone interested. If you want to, give it a try! If you have any questions or feedback please let me know: andree@bgpmon.net

How do I contact BGPmon.net?
Please send an email to info@BGPmon.net

What is the notify on withdraw feature?
This function can be useful to check the stability of your prefixes and your network. You can enable or disable the notify on withdraw feature per prefix. If it is enabled, you will be notified when BGPmon detects BGP withdraw messages for your prefix. If the withdraw is seen by more than, say, 5 peers, it usually means reachability to your prefix is impacted. Once you have received the email you can go to "My Updates" and check the details; there you can also see when the prefix became reachable again (i.e. when an update for your prefix was received), which helps you determine the impact of an outage. Please note that if only one peer saw the withdraw, the problem is more likely to be in a remote network than in yours.

How long does it take before BGPmon detects and alerts me?
Detection and notification typically take between 5 and 10 minutes.

What does a notification email look like?
BGPmon sends out at most one email per 5 minutes. This email contains all the relevant information for your prefixes, i.e. possible hijacks as well as withdraw messages. Notification emails look like this:

From: BGPmon Alert <info@bgpmon.net>
To: foo@bar.net
Subject: BGPmon.net Notification
Date: Tue, 07 Apr 2009 06:20:00 +0200 (CEST)

You received this email because you are subscribed to BGPmon.net.
For more details about these updates please visit:
http://bgpmon.net/showupdates.php

====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix:         195.69.144.0/23:
Update time:         2009-04-07 04:16 (UTC)
Detected by #peers:  3
Detected prefix:     195.69.144.0/23
Announced by:        AS3549 (GBLX Global Crossing Ltd.)
Upstream AS:         AS5511 (OPENTRANSIT France Telecom - Orange)
ASpath:              19089 28625 28625 28625 28625 17379 5511 3549
Mark as false alert: http://bgpmon.net/fp.php?aid=12345678

====================================================================
Change of upstream AS (Code: 31)
====================================================================
Your prefix:         207.23.0.0/16:
Update time:         2009-04-07 04:17 (UTC)
Detected by #peers:  1
Detected prefix:     207.23.0.0/16
Announced by:        AS271 (BCNET-AS - BCnet)
Upstream AS:         AS852 (ASN852 - Telus Advanced Communications)
ASpath:              6453 852 271
Mark as false alert: http://bgpmon.net/fp.php?aid=12345679

====================================================================
Withdraw of Prefix (Code: 97)
====================================================================
Your prefix:         142.231.1.0/24:
Update time:         2009-04-07 04:17 (UTC)
Detected by #peers:  17
Detected prefix:     142.231.1.0/24

--------------------------------------------------------------
*for questions regarding the change code or other questions, please see:
http://bgpmon.net/faq.php

Latest BGPmon news: http://bgpmon.net/blog/
* New version BGPmon.net
* How accurate are the Internet Route Registries (IRR)
* Long AS paths causing commotion

How do I test the email functionality?
If everything is running smoothly and you have not received any messages for a while, you may start to wonder whether the system is actually working. The easiest way to test it is to add an AS to your AS path regex which you know will never appear there: for example, add AS 0 to your regex filter. You should then receive an email within a few hours (depending on when we next see an update for your prefix) alerting you to an AS path regex mismatch. Don't forget to remove this AS from your regex filter afterwards. Of course you can change other attributes as well, such as the origin AS (change it to an origin AS that is not yours).

What if I have multiple upstream/transit providers?
No problem, you can add as many upstream ASNs as you want. When you have a lot of upstreams, you can use the auto-detect feature to find them all for you.

What if my prefix is originated from multiple origin ASes?
No problem, BGPmon.net lets you add additional origin ASNs, and the auto-detect feature can find additional origin ASNs for you. This is especially useful for people who do anycast. If you want to allow any origin AS, use 0 as the origin AS: this is a wildcard and means that any AS is accepted as origin AS for this prefix.

I would like to support this work. Can I make a donation?
Yes, BGPmon.net accepts donations via PayPal. More information about how to donate can be found at http://bgpmon.net/donate.php
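The rules this FAQ describes (change codes 10, 21, 31, 41 and 97, the per-prefix AS path regex, the transit AS check, the more-specific-with-unknown-path MITM heuristic, the wildcard origin AS 0, the notify-on-withdraw switch and the include-filter notification level with per-prefix override) as one runnable Python model. This is an added example, not BGPmon's own code: the function names, the MonitoredPrefix fields, the collapsing of AS path prepends, the representation of learned paths as a set of tuples, and the sample configuration are all assumptions made for illustration. The AS paths in the sample updates are taken from the example email above; AS64496, AS64499, AS64500 and AS64501 are documentation ASNs standing in for "our" origin and transit ASes.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Change codes as they appear on this FAQ page. The page's full code table is
# not reproduced; codes 11 and 12 are mentioned there but never defined, so
# they are not modelled here.
POSSIBLE_HIJACK = 10    # origin AS is not one of the configured origin ASNs
BGP_MITM = 21           # more specific, right origin, but an AS path never seen before
UPSTREAM_CHANGE = 31    # AS directly before the origin is not a configured transit AS
REGEX_MISMATCH = 41     # AS path does not match the per-prefix regex
WITHDRAW = 97           # withdraw message seen for the prefix


@dataclass
class MonitoredPrefix:
    """Per-prefix settings (field names are assumptions, not BGPmon's)."""
    prefix: str
    origin_asns: set                                  # {0} = wildcard, any origin accepted
    upstream_asns: set = field(default_factory=set)   # empty = transit AS not checked
    aspath_regex: Optional[str] = None
    ignore_more_specifics: bool = False
    notify_on_withdraw: bool = False
    notify_level: Optional[int] = None                # None = inherit the global level


def compile_regex(pattern):
    """Compile the user's regex; an invalid one is ignored (None), as the FAQ says."""
    if pattern is None:
        return None
    try:
        return re.compile(pattern)
    except re.error:
        return None


def strip_prepends(aspath):
    """Collapse AS path prepending: 5511 28625 28625 28625 -> 5511 28625."""
    out = []
    for asn in aspath:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def classify(prefix, aspath, mon, known_paths):
    """Return the change code for one update (aspath=None means a withdraw), or
    None if the update is not for this prefix or looks normal.
    known_paths: set of prepend-free AS path tuples learned for the prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    mon_net = ipaddress.ip_network(mon.prefix, strict=False)
    if net.version != mon_net.version or not net.subnet_of(mon_net):
        return None                                   # not our address space
    more_specific = net.prefixlen > mon_net.prefixlen
    if more_specific and mon.ignore_more_specifics:
        return None
    if aspath is None:
        return WITHDRAW
    path = strip_prepends(aspath)
    if 0 not in mon.origin_asns and path[-1] not in mon.origin_asns:
        return POSSIBLE_HIJACK
    if more_specific and tuple(path) not in known_paths:
        return BGP_MITM                               # DEFCON-style forged path tail
    if mon.upstream_asns and len(path) >= 2 and path[-2] not in mon.upstream_asns:
        return UPSTREAM_CHANGE
    rx = compile_regex(mon.aspath_regex)
    # Unanchored search over the raw path string, like perl's $path =~ /$regex/
    if rx is not None and rx.search(" ".join(str(a) for a in aspath)) is None:
        return REGEX_MISMATCH
    return None


def should_notify(code, mon, global_level):
    """Include filter: mail the alarm when code <= effective level (lower code =
    more suspicious). Withdraws use the separate notify-on-withdraw switch."""
    if code is None:
        return False
    if code == WITHDRAW:
        return mon.notify_on_withdraw
    level = mon.notify_level if mon.notify_level is not None else global_level
    return level is not None and code <= level


if __name__ == "__main__":
    # Constructed updates modelled on the sample email above.
    ours = MonitoredPrefix("195.69.144.0/23", origin_asns={64500}, upstream_asns={64501},
                           notify_on_withdraw=True)
    learned = {(64496, 64501, 64500)}
    sample = [
        ("195.69.144.0/23", [19089, 28625, 28625, 28625, 28625, 17379, 5511, 3549]),
        ("195.69.144.0/24", [64499, 64501, 64500]),   # more specific, unknown path
        ("195.69.144.0/23", [64499, 64501, 64500]),   # our own normal path
        ("195.69.144.0/23", None),                    # withdraw
    ]
    for pfx, path in sample:
        code = classify(pfx, path, ours, learned)
        print(pfx, path, "->", code, "notify:", should_notify(code, ours, 31))
```

The regex is applied with re.search on the raw, un-collapsed path string so that it behaves like the perl test above, including its pitfalls (271$ also matches a path ending in AS 4271). Python's re accepts most perl patterns but not all of them, so test the exact expression with perl as the FAQ suggests before relying on it; and because a regex that fails to compile is ignored rather than rejected, a prefix with a broken regex silently loses its code 41 check, which is exactly what the AS 0 self-test will reveal.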
Copyright ©2008 | Questions or remarks: BGPmon