annotate man/routeflapper.1 @ 0:48d06780cf77

initial version
author Carl Byington <carl@five-ten-sg.com>
date Tue, 13 May 2008 14:03:10 -0700
.\"Generated by db2man.xsl. Don't modify this, modify the source.
.de Sh \" Subsection
.br
.if t .Sp
.ne 5
.PP
\fB\\$1\fR
.PP
..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Ip \" List item
.br
.ie \\n(.$>=3 .ne \\$3
.el .ne 3
.IP "\\$1" \\$2
..
.TH "ROUTEFLAPPER" 1 "2008-04-12" "" ""
.SH NAME
routeflapper \- detects suspicious routes
.SH "SYNOPSIS"
.ad l
.hy 0
.HP 13
\fBrouteflapper\fR [\fB\-c\fR] [\fB\-d\ \fIn\fR\fR]
.ad
.hy

.SH "DESCRIPTION"

.PP
\fBrouteflapper\fR is a daemon that monitors BGP updates and SMTP connections to discover whether SMTP connections are coming from ip addresses whose best route is suspicious\&.

.PP
The \fBrouteflapper\&.conf\fR(5) file specifies the syslog files to be monitored, and the regular expressions (\fBregex\fR(7)) to be applied to new lines in those files\&.

.PP
The discussion has focused on syslog files, but any ASCII text file can be used, so long as some other process appends lines to that file, and the lines containing BGP updates can be matched by some regular expression\&.

.PP
Considering syslog files in particular, these are normally rotated via logrotate\&. \fBrouteflapper\fR detects this case and handles it by closing the old file and reopening the newly created file\&.
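.PP
The rotation handling described above, shown as an added Python example that is not routeflapper's own code: the follower tails a log file, drains whatever was appended to the old inode after logrotate's rename before switching to the new file, also copes with an in-place truncation, and applies a regular expression to each complete new line. The syslog line format, the \fBBGP_UPDATE_RE\fR pattern and the sample lines are constructed for the example; a real deployment takes its pattern from \fBrouteflapper\&.conf\fR(5).

```python
from __future__ import annotations

import os
import re
import shutil
import tempfile
from typing import List, Optional, Tuple

# ASSUMPTION: a constructed syslog line format for BGP updates. routeflapper itself uses
# whatever regular expression the administrator configures in routeflapper.conf(5).
BGP_UPDATE_RE = re.compile(rb"bgpd: UPDATE (?P<prefix>[0-9.]+/\d+) aspath (?P<aspath>[0-9 ]+)$")


class LogFollower:
    """Tail an append-only file across logrotate (rename + fresh file) and in-place truncation."""

    def __init__(self, path: str, pattern: re.Pattern[bytes]) -> None:
        self.path, self.pattern = path, pattern
        self.fh = None
        self.ident: Optional[Tuple[int, int]] = None   # (st_dev, st_ino) of the open file
        self._open()

    def _open(self) -> None:
        try:
            self.fh = open(self.path, "rb")
        except FileNotFoundError:
            self.fh, self.ident = None, None
            return
        st = os.fstat(self.fh.fileno())
        self.ident = (st.st_dev, st.st_ino)

    def _rotated(self) -> bool:
        """True if the path now names another inode, or the file shrank below our offset.
        (A truncate that regrows past the old offset before the next poll is not detected.)"""
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return False   # between logrotate's rename and create: keep the old file open
        return (st.st_dev, st.st_ino) != self.ident or st.st_size < self.fh.tell()

    def _drain(self) -> List[Tuple[str, List[int]]]:
        """Parse complete lines appended since the last call; a partial line waits for the next."""
        found = []
        while True:
            pos = self.fh.tell()
            line = self.fh.readline()
            if not line.endswith(b"\n"):
                self.fh.seek(pos)        # EOF, or a writer mid-line
                break
            m = self.pattern.search(line.rstrip(b"\n"))
            if m:
                found.append((m["prefix"].decode(), [int(a) for a in m["aspath"].split()]))
        return found

    def poll(self) -> List[Tuple[str, List[int]]]:
        """Call periodically; returns the updates parsed from lines written since the last poll."""
        if self.fh is None:
            self._open()
            if self.fh is None:
                return []
        found = self._drain()            # after a rename this still reads the old inode
        if self._rotated():
            self.fh.close()
            self._open()                 # new file: start from its beginning
            if self.fh is not None:
                found.extend(self._drain())
        return found


SAMPLE = [  # constructed log lines; index 1 is non-BGP noise the regex must ignore
    b"May 13 14:03:10 rtr bgpd: UPDATE 192.0.2.0/24 aspath 65001 65002 65003\n",
    b"May 13 14:03:11 rtr sshd: Accepted publickey for operator from 203.0.113.7\n",
    b"May 13 14:03:12 rtr bgpd: UPDATE 198.51.100.0/24 aspath 65001 65010\n",
    b"May 13 14:03:13 rtr bgpd: UPDATE 203.0.113.0/24 aspath 65001 65002 65020\n",
    b"May 13 14:03:14 rtr bgpd: UPDATE 137.169.0.0/16 aspath 22298 19080 3549 6517 14981\n",
    b"May 13 14:03:15 rtr bgpd: UPDATE 10.0.0.0/8 aspath 65001\n",
]


def demo() -> List[int]:
    """Append, logrotate rename, then truncation; returns matched updates per poll."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "messages")
    try:
        with open(path, "wb") as f:
            f.write(SAMPLE[0])
        follower = LogFollower(path, BGP_UPDATE_RE)
        counts = [len(follower.poll())]                    # 1: the initial line
        with open(path, "ab") as f:
            f.write(SAMPLE[1] + SAMPLE[2])
        counts.append(len(follower.poll()))                # 1: sshd noise is ignored
        os.rename(path, path + ".1")                       # logrotate renames the old file ...
        with open(path + ".1", "ab") as f:
            f.write(SAMPLE[3])                             # ... a late write lands in the old inode ...
        with open(path, "wb") as f:
            f.write(SAMPLE[4])                             # ... and a fresh file appears
        counts.append(len(follower.poll()))                # 2: one from each file
        with open(path, "wb") as f:
            f.write(SAMPLE[5])                             # copytruncate style: same inode, shorter
        counts.append(len(follower.poll()))                # 1
        return counts
    finally:
        shutil.rmtree(workdir)
```

.PP
The order inside \fBpoll()\fR matters: the old descriptor is drained before the inode check, so a line that syslogd wrote between the rename and the reopen is not lost. The size-based truncation check is the weak spot of every tail implementation, which is why the rename-based default of logrotate is preferable to copytruncate for files a daemon like this follows.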

.SH "OPTIONS"

.TP
\-c
Load the configuration file, print a canonical form of the configuration on stdout, and exit\&.

.TP
\-d \fIn\fR
Set the debug level to \fIn\fR\&.

.SH "USAGE"

.PP
\fBrouteflapper\fR \-d 2

.SH "CONFIGURATION"

.PP
The configuration file is documented in \fBrouteflapper\&.conf\fR(5)\&. Any change to the config file will cause it to be reloaded within three minutes\&.

.SH "INTRODUCTION"

.PP
Consider the hypothetical case of a spammer who is connected via a provider that does not filter BGP routing announcements\&. The spammer then has some options to announce ip address space to be used for sending spam\&. Note that we only consider cases where the spammer simply wants to anonymously use some ip address space\&. This is very different from the case where the attacker wants to use some specific address space belonging to another organization in order to impersonate some service provided by that other organization\&.

.PP
They can announce a more specific route, for example a /24, inside a larger block\&. For example, consider 169\&.232\&.0\&.0/16\&. If the spammer pokes around, they can probably find an unused /24 in there\&. So they announce 169\&.232\&.240\&.0/24 and then send spam from that block\&. There are two problems with this scheme\&. First, the announcement of such a smaller block may be filtered out by many BGP routers, reducing their reachability to their spam targets\&. Second, they may have made a mistake, and that /24 is actually in use by some UCLA service that will notice their hijack\&.

.PP
They can announce a less specific route, for example a /16, covering some individual smaller blocks\&. For example, they could announce 52\&.129\&.0\&.0/16\&. The spammer could then avoid the four existing announcements inside that block, and instead spam from 52\&.129\&.128\&.0/17\&. That gives them 32K ip addresses to work with\&. The advantage here is that their announcement of a large block won't be filtered out by as many (if any) BGP routers, giving them better reachability to their spam targets\&. And they know they won't interfere with any existing use of that address space, since there was no previous BGP announcement of that /17 or any subset of it\&.

.PP
Or they can simply announce a prefix that is not assigned to anyone\&. For example, they could simply start announcing 185\&.10\&.0\&.0/16\&. This has many of the same advantages as the previous scheme, but some BGP routers may be configured to drop such bogon announcements\&.
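.PP
The three tactics above, worked through as an added Python example that is not part of routeflapper: given a table of existing announcements, \fBclassify_announcement()\fR says whether a new prefix is a more specific route inside an existing one, a less specific route covering existing ones, or overlaps nothing in the table, and \fBunannounced_within()\fR computes the unused space a super-prefix hijacker could send from. The table is constructed for the example (the page's 169\&.232\&.0\&.0/16, plus four announcements inside 52\&.129\&.0\&.0/16 that leave its upper half unused); only the prefixes quoted in the text are taken from the page.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed routing table for the example: the page's 169.232.0.0/16 and 137.169.0.0/16
# announcements, plus four announcements inside 52.129.0.0/16 that leave its upper half unused.
TABLE = [
    "169.232.0.0/16",
    "137.169.0.0/16",
    "52.129.0.0/18",
    "52.129.64.0/19",
    "52.129.96.0/20",
    "52.129.112.0/20",
]


def classify_announcement(new_prefix: str, table: Iterable[str]) -> str:
    """Place a new announcement relative to the table: exact match, more specific
    (sub-prefix), less specific (super-prefix), or no overlap at all."""
    new = ipaddress.ip_network(new_prefix, strict=True)
    covering, covered = [], []
    for entry in table:
        existing = ipaddress.ip_network(entry, strict=True)
        if existing.version != new.version:
            continue
        if existing == new:
            return f"already announced as {existing}"
        if new.subnet_of(existing):
            covering.append(existing)
        elif existing.subnet_of(new):
            covered.append(existing)
    if covering:
        longest = max(covering, key=lambda n: n.prefixlen)   # the most specific covering route
        return f"sub-prefix of {longest}"
    if covered:
        return f"super-prefix covering {len(covered)} existing announcement(s)"
    return "no overlap with any announced prefix"


def unannounced_within(super_prefix: str, table: Iterable[str]) -> list:
    """Address space inside super_prefix that no existing announcement covers, i.e. the
    part a super-prefix hijacker can use without colliding with a real network."""
    outer = ipaddress.ip_network(super_prefix, strict=True)
    free = [outer]
    for entry in table:
        existing = ipaddress.ip_network(entry, strict=True)
        if existing.version != outer.version or not existing.overlaps(outer):
            continue
        carved = []
        for chunk in free:                       # CIDR blocks either nest or are disjoint
            if chunk.subnet_of(existing):
                continue                         # chunk is already announced: drop it
            if existing.subnet_of(chunk):
                carved.extend(chunk.address_exclude(existing))
            else:
                carved.append(chunk)
        free = carved
    return list(ipaddress.collapse_addresses(free))


def demo() -> Dict[str, str]:
    """The three tactics from the text, each checked against the constructed table."""
    free = unannounced_within("52.129.0.0/16", TABLE)
    return {
        "more_specific": classify_announcement("169.232.240.0/24", TABLE),
        "less_specific": classify_announcement("52.129.0.0/16", TABLE),
        "unallocated": classify_announcement("185.10.0.0/16", TABLE),
        "free_in_52.129": ", ".join(f"{n} ({n.num_addresses} addresses)" for n in free),
    }
```

.PP
With this table the /16 announcement covers four existing routes and leaves exactly 52\&.129\&.128\&.0/17, the 32K addresses the text describes. "No overlap" only means the prefix is absent from the local table; deciding that 185\&.10\&.0\&.0/16 is unallocated requires an external allocation or bogon list, which this example does not consult.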

.PP
In each of these cases, the spammer can use BGP to announce some address space, send spam from those addresses, and then withdraw the route announcement\&. This makes it difficult for the recipient of such spam to determine who actually sent it\&.

.PP
In a 2006 paper, \fIhttp://www-static.cc.gatech.edu/~feamster/publications/p396-ramachandran.pdf\fR, Ramachandran and Feamster report evidence that spammers are using such short\-lived bogus BGP route announcements to send spam from hijacked parts of the IPv4 address space\&.

.PP
The question is, are spammers actually doing this today, or is this just a hypothetical spam tactic that they could use in the future? To help answer that question, this package monitors BGP announcements, classifies some of them as suspicious, and logs instances of SMTP connections from suspicious prefixes\&.

.PP
We track the history of the AS adjacency graph, by computing the union of all AS adjacent pairs over all the announced prefixes\&. For example, 137\&.169\&.0\&.0/16 is currently announced here with an AS path of '22298 19080 3549 6517 14981', so we add (22298,19080) (19080,3549) (3549,6517) and (6517,14981) as valid adjacent AS pairs\&.

.PP
We track the history of the origin AS for each announced prefix\&. Both the origin AS and AS adjacency pairs are tracked over a timescale of 100 hours, with an exponential decay half\-life of 100 hours\&.

.PP
A prefix announcement is suspicious if the origin AS is not in the historical AS set for that prefix at least 20% of the time, or if the AS path contains any adjacent AS pair that is not in the historical AS adjacency graph at least 40% of the time\&.
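.PP
The three paragraphs above describe the detection rule; what follows is an added Python example of that rule, not routeflapper's own implementation. It keeps exponentially decayed counters with the page's 100 hour half-life, splits each AS path into adjacent pairs (collapsing prepending), and applies the 20% origin and 40% adjacency thresholds. The page does not define how "present X% of the time" is normalised; this example takes an origin's share as its decayed weight over all decayed updates for that prefix, and an AS pair's share as its decayed weight over the decayed activity of the quieter of its two endpoints (an assumption, marked in the code). The seeded history (300 hours, one update per prefix every 10 hours) and the test prefixes are constructed; the AS path for 137\&.169\&.0\&.0/16 is the page's.

```python
import math
from typing import Dict, Hashable, List, Sequence, Tuple

HALF_LIFE_HOURS = 100.0       # page: exponential decay half-life of 100 hours
ORIGIN_MIN_SHARE = 0.20       # page: origin AS in the prefix's history at least 20% of the time
ADJACENCY_MIN_SHARE = 0.40    # page: each AS pair in the adjacency graph at least 40% of the time


class DecayingCounter:
    """Per-key event weights that halve every half_life_hours; decay is applied lazily."""

    def __init__(self, half_life_hours: float = HALF_LIFE_HOURS) -> None:
        self._rate = math.log(2.0) / half_life_hours
        self._state: Dict[Hashable, Tuple[float, float]] = {}   # key -> (weight, hour last seen)

    def weight(self, key: Hashable, now: float) -> float:
        w, seen = self._state.get(key, (0.0, now))
        return w * math.exp(-self._rate * (now - seen))

    def observe(self, key: Hashable, now: float) -> None:
        self._state[key] = (self.weight(key, now) + 1.0, now)


def as_pairs(path: Sequence[int]) -> List[Tuple[int, int]]:
    """Adjacent AS pairs of an AS path, with prepending collapsed (3549 3549 6517 -> one edge)."""
    collapsed = [asn for i, asn in enumerate(path) if i == 0 or asn != path[i - 1]]
    return list(zip(collapsed, collapsed[1:]))


class RouteHistory:
    """Decayed origin-AS history per prefix plus the decayed union AS adjacency graph."""

    def __init__(self) -> None:
        self.origins = DecayingCounter()      # (prefix, origin AS) -> weight
        self.prefix_seen = DecayingCounter()  # prefix -> weight of all updates for it
        self.edges = DecayingCounter()        # (AS a, AS b) -> weight
        self.as_seen = DecayingCounter()      # ASN -> weight of updates whose path contains it

    def learn(self, prefix: str, path: Sequence[int], now: float) -> None:
        self.prefix_seen.observe(prefix, now)
        self.origins.observe((prefix, path[-1]), now)
        for edge in as_pairs(path):
            self.edges.observe(edge, now)
        for asn in set(path):
            self.as_seen.observe(asn, now)

    def origin_share(self, prefix: str, origin: int, now: float) -> float:
        total = self.prefix_seen.weight(prefix, now)
        return 0.0 if total == 0.0 else self.origins.weight((prefix, origin), now) / total

    def edge_share(self, edge: Tuple[int, int], now: float) -> float:
        # ASSUMPTION: "present X% of the time" is measured against the activity of the
        # quieter endpoint, so a stub AS behind a busy transit AS is not penalised for
        # appearing in only a few of the transit AS's updates.
        quieter = min(self.as_seen.weight(edge[0], now), self.as_seen.weight(edge[1], now))
        return 0.0 if quieter == 0.0 else min(1.0, self.edges.weight(edge, now) / quieter)

    def classify(self, prefix: str, path: Sequence[int], now: float) -> List[str]:
        """Reasons the announcement is suspicious under the page's two rules ([] if clean).
        Call before learn() so the announcement is judged against prior history only."""
        reasons = []
        share = self.origin_share(prefix, path[-1], now)
        if share < ORIGIN_MIN_SHARE:
            reasons.append(f"origin AS{path[-1]} holds {share:.0%} of the history for {prefix}")
        for edge in as_pairs(path):
            share = self.edge_share(edge, now)
            if share < ADJACENCY_MIN_SHARE:
                reasons.append(f"AS pair {edge} present {share:.0%} of the time")
        return reasons


def demo() -> Dict[str, List[str]]:
    """Seed 300 hours of constructed history, then classify four announcements at hour 300."""
    hist = RouteHistory()
    for hour in range(0, 301, 10):
        hist.learn("137.169.0.0/16", [22298, 19080, 3549, 6517, 14981], hour)   # the page's route
        hist.learn("192.0.2.0/24", [22298, 19080, 3549, 6517, 64496], hour)     # another AS6517 customer
        origin = 64500 if hour < 60 else 64501                                   # legitimate re-homing
        hist.learn("198.51.100.0/24", [22298, 19080, origin], hour)
    now = 300.0
    return {
        "stable": hist.classify("137.169.0.0/16", [22298, 19080, 3549, 6517, 14981], now),
        "stale_origin": hist.classify("198.51.100.0/24", [22298, 19080, 64500], now),
        "hijacked_origin": hist.classify("137.169.0.0/16", [22298, 19080, 3549, 65551], now),
        "never_announced": hist.classify("52.129.128.0/17", [22298, 19080, 65551], now),
    }
```

.PP
Running \fBdemo()\fR shows the decay at work: the route that has been stable all along is clean, the old origin of the re-homed prefix has decayed to roughly 7% of its history and trips only the origin rule (its AS pair is still fully established), while the two announcements from a never-seen AS trip both rules. The thresholds are exactly the page's 20% and 40%; the normalisation of the adjacency share is the one assumption an implementer has to choose for themselves.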

.PP
PHAS: \fIhttp://phas.netsec.colostate.edu/\fR is another system that attempts to detect address space hijacking, but it is not correlated with SMTP connections or spam attempts\&.

.PP
IAR: \fIhttp://cs.unm.edu/~karlinjf/IAR/index.php\fR is another system that attempts to detect address space hijacking, but it is not correlated with SMTP connections or spam attempts\&. IAR uses methods detailed in PGBGP: \fIhttp://www.cs.unm.edu/~treport/tr/06-06/pgbgp3.pdf\fR to detect suspicious routes\&. One problem with PGBGP as applied to our hypothetical spammer problem, is that PGBGP is primarily looking for hijacks where the attacker actually wants some specific ip address space, either for a denial of service, or to impersonate the actual owner\&. Our hypothetical spammer does not care about that \- they only care about sending spam anonymously\&. In particular, PGBGP ignores super\-prefix hijacks, but it seems likely that that is the preferred method for our hypothetical spammer\&. However, the PGBGP paper does provide useful data on the required timescale to avoid most of the normal AS origin changes\&.

.SH "TODO"

.PP
None\&.

.SH "COPYRIGHT"

.PP
Copyright (C) 2008 by 510 Software Group <carl@five\-ten\-sg\&.com>

.PP
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version\&.

.PP
You should have received a copy of the GNU General Public License along with this program; see the file COPYING\&. If not, please write to the Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA\&.

.SH "VERSION"

.PP
1\&.0\&.1
