annotate xml/routeflapper.in @ 0:48d06780cf77

initial version
author Carl Byington <carl@five-ten-sg.com>
date Tue, 13 May 2008 14:03:10 -0700
parents
children 47f787af96c1
1 <reference>
2 <title>@PACKAGE@</title>
3 <partintro>
4 <title>Packages</title>
5
6 <para>The various source and binary packages are available at <ulink
7 url="http://www.five-ten-sg.com/@PACKAGE@/packages/">http://www.five-ten-sg.com/@PACKAGE@/packages/</ulink>
8 The most recent documentation is available at <ulink
9 url="http://www.five-ten-sg.com/@PACKAGE@/">http://www.five-ten-sg.com/@PACKAGE@/</ulink>
10 </para>
11
12 <para>A <ulink
13 url="http://www.selenic.com/mercurial/wiki/">Mercurial</ulink> source
14 code repository for this project is available at <ulink
15 url="http://hg.five-ten-sg.com/@PACKAGE@/">http://hg.five-ten-sg.com/@PACKAGE@/</ulink>.
16 </para>
17
18 </partintro>
19
20 <refentry id="@PACKAGE@.1">
21 <refentryinfo>
22 <date>2008-04-12</date>
23 </refentryinfo>
24
25 <refmeta>
26 <refentrytitle>@PACKAGE@</refentrytitle>
27 <manvolnum>1</manvolnum>
28 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
29 </refmeta>
30
31 <refnamediv id='name.1'>
32 <refname>@PACKAGE@</refname>
33 <refpurpose>detects suspicious routes</refpurpose>
34 </refnamediv>
35
36 <refsynopsisdiv id='synopsis.1'>
37 <title>Synopsis</title>
38 <cmdsynopsis>
39 <command>@PACKAGE@</command>
40 <arg><option>-c</option></arg>
41 <arg><option>-d <replaceable class="parameter">n</replaceable></option></arg>
42 </cmdsynopsis>
43 </refsynopsisdiv>
44
45 <refsect1 id='description.1'>
46 <title>Description</title>
47
48 <para><command>@PACKAGE@</command> is a daemon that monitors BGP
49 updates and SMTP connections to discover whether SMTP connections are
50 coming from ip addresses whose best route is suspicious. </para>
51
52 <para>The <citerefentry> <refentrytitle>@PACKAGE@.conf</refentrytitle>
53 <manvolnum>5</manvolnum> </citerefentry> file specifies the syslog files
54 to be monitored, and the regular expressions (<citerefentry>
55 <refentrytitle>regex</refentrytitle> <manvolnum>7</manvolnum>
56 </citerefentry>) to be applied to new lines in those files. </para>
57
58 <para>The discussion has focused on syslog files, but any ascii text
59 file can be used, so long as some other process appends lines to that
60 file, and those lines containing bgp updates can be matched
61 with some regular expression.</para>
62
63 <para>Considering syslog files in particular, these are normally rotated
64 via logrotate. <command>@PACKAGE@</command> properly detects and
65 handles this case by closing the old file, and reopening the newly
66 created file.</para>
67 </refsect1>
68
69 <refsect1 id='options.1'>
70 <title>Options</title>
71 <variablelist>
72 <varlistentry>
73 <term>-c</term>
74 <listitem>
75 <para>
76 Load the configuration file, print a canonical form
77 of the configuration on stdout, and exit.
78 </para>
79 </listitem>
80 </varlistentry>
81 <varlistentry>
82 <term>-d <replaceable class="parameter">n</replaceable></term>
83 <listitem>
84 <para>
85 Set the debug level to <replaceable class="parameter">n</replaceable>.
86 </para>
87 </listitem>
88 </varlistentry>
89 </variablelist>
90 </refsect1>
91
92 <refsect1 id='usage.1'>
93 <title>Usage</title>
94 <para><command>@PACKAGE@</command> -d 2</para>
95 </refsect1>
96
97 <refsect1 id='configuration.1'>
98 <title>Configuration</title>
99 <para>
100 The configuration file is documented in <citerefentry>
101 <refentrytitle>@PACKAGE@.conf</refentrytitle> <manvolnum>5</manvolnum>
102 </citerefentry>. Any change to the config file will cause it to be
103 reloaded within three minutes.
104 </para>
105 </refsect1>
106
107 <refsect1 id='introduction.1'>
108 <title>Introduction</title>
109 <para>
110 Consider the hypothetical case of a spammer who is connected via a
111 provider that does not filter BGP routing announcements. The spammer
112 then has some options to announce ip address space to be used for
113 sending spam. Note that we only consider cases where the spammer
114 simply wants to anonymously use some ip address space. This is very
115 different from the case where the attacker wants to use some specific
116 address space belonging to another organization in order to impersonate
117 some service provided by that other organization.
118 </para>
119
120 <para>
121 They can announce a more specific route, for example a /24, inside a
122 larger block. For example, consider 169.232.0.0/16. If the spammer
123 pokes around, they can probably find an unused /24 in there. So they
124 announce 169.232.240.0/24 and then send spam from that block. There
125 are two problems with this scheme. First, the announcement of such a
126 smaller block may be filtered out by many BGP routers, reducing their
127 reachability to their spam targets. Second, they may have made a
128 mistake, and that /24 is actually in use by some UCLA service that
129 will notice their hijack.
130 </para>
131
132 <para>
133 They can announce a less specific route, for example a /16, covering
134 some individual smaller blocks. For example, they could announce
135 52.129.0.0/16. The spammer could then avoid the four existing
136 announcements inside that block, and instead spam from
137 52.129.128.0/17. That gives them 32K ip addresses to work with. The
138 advantage here is that their announcement of a large block won't be
139 filtered out by as many (if any) BGP routers, giving them better reachability
140 to their spam targets. And they know they won't interfere with any
141 existing use of that address space, since there was no previous BGP
142 announcement of that /17 or any subset of it.
143 </para>
144
145 <para>
146 Or they can simply announce a prefix that is not assigned to anyone.
147 For example, they could simply start announcing 185.10.0.0/16. This
148 has many of the same advantages as the previous scheme, but some BGP
149 routers may be configured to drop such bogon announcements, again
150 potentially reducing their reachability to their spam targets.
151 </para>
152
153 <para>
154 In each of these cases, the spammer can use BGP to announce some
155 address space, then send spam from those addresses, and then withdraw
156 the route announcement. This would make it difficult for the recipient of
157 such spam to determine who actually sent it.
158 </para>
159
160 <para>
161 In a paper from 2006 published at <ulink
162 url="http://www-static.cc.gatech.edu/~feamster/publications/p396-ramachandran.pdf">
163 http://www-static.cc.gatech.edu/~feamster/publications/p396-ramachandran.pdf
164 </ulink>, Ramachandran and Feamster claim evidence for the statement
165 that spammers are using such short-lived bogus BGP route announcements
166 to send spam from hijacked parts of the IPv4 address space.
167 </para>
168
169 <para>
170 The question is, are spammers actually doing this today, or is this
171 just a hypothetical spam tactic that they could use in the future? To
172 help answer that question, this package monitors BGP announcements,
173 classifies some of them as suspicious, and logs instances of SMTP
174 connections from suspicious prefixes.
175 </para>
176
177 <para>
178 We track the history of the AS adjacency graph, by computing the union
179 of all AS adjacent pairs over all the announced prefixes. For example,
180 137.169.0.0/16 is currently announced here with an AS path of '22298
181 19080 3549 6517 14981', so we add (22298,19080) (19080,3549)
182 (3549,6517) and (6517,14981) as valid adjacent AS pairs.
183 We also track the history of the origin AS for each announced prefix. Both
184 the origin AS and the AS adjacency pairs are tracked via the following
185 algorithm that runs every hour.
186 </para>
187
188 <para>
189 For each prefix, (prefix[*] *= 0.99) to exponentially decay the current
190 prefix origin counts. Then, for each prefix, if the prefix is announced,
191 (prefix[current.origin]++) increments the hourly count for the current origin.
192 The decay factor of 0.99 gives the counts a half life of about 69 hours.
193 The same is done with the hourly counts for each observed AS adjacent pair.
194 </para>
195
196 <para>
197 A prefix announcement is suspicious if the prefix[origin] count is less
198 than 3.0, or if the AS path contains any adjacent AS pair with a count
199 less than 3.0.
200 </para>
201
202 <para>
203 <ulink url="http://phas.netsec.colostate.edu/">PHAS</ulink> is another
204 system that attempts to detect address space hijacking, but it is not
205 correlated with SMTP connections or spam attempts.
206 </para>
207
208 <para>
209 <ulink url="http://cs.unm.edu/~karlinjf/IAR/index.php">IAR</ulink> is
210 another system that attempts to detect address space hijacking, but it
211 is not correlated with SMTP connections or spam attempts. IAR uses
212 methods detailed in <ulink
213 url="http://www.cs.unm.edu/~treport/tr/06-06/pgbgp3.pdf">PGBGP</ulink>
214 to detect suspicious routes. One problem with PGBGP as applied to our
215 hypothetical spammer problem, is that PGBGP is primarily looking for
216 hijacks where the attacker actually wants some specific ip address
217 space, either for a denial of service, or to impersonate the actual
218 owner. Our hypothetical spammer does not care about that - they only
219 care about sending spam anonymously. In particular, PGBGP ignores
220 super-prefix hijacks, but it seems likely that this is the preferred
221 method for our hypothetical spammer. However, the PGBGP paper does provide
222 useful data on the required timescale to avoid most of the normal AS
223 origin changes.
224 </para>
225 </refsect1>
226
227 <refsect1 id='todo.1'>
228 <title>TODO</title>
229 <para>
230 None.
231 </para>
232 </refsect1>
233
234 <refsect1 id='copyright.1'>
235 <title>Copyright</title>
236 <para>
237 Copyright (C) 2008 by 510 Software Group &lt;carl@five-ten-sg.com&gt;
238 </para>
239 <para>
240 This program is free software; you can redistribute it and/or modify it
241 under the terms of the GNU General Public License as published by the
242 Free Software Foundation; either version 3, or (at your option) any
243 later version.
244 </para>
245 <para>
246 You should have received a copy of the GNU General Public License along
247 with this program; see the file COPYING. If not, please write to the
248 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
249 </para>
250 </refsect1>
251
252 <refsect1 id='version.1'>
253 <title>Version</title>
254 <para>
255 @VERSION@
256 </para>
257 </refsect1>
258 </refentry>
259
260
261 <refentry id="@PACKAGE@.conf.5">
262 <refentryinfo>
263 <date>2008-04-12</date>
264 </refentryinfo>
265
266 <refmeta>
267 <refentrytitle>@PACKAGE@.conf</refentrytitle>
268 <manvolnum>5</manvolnum>
269 <refmiscinfo>@PACKAGE@ @VERSION@</refmiscinfo>
270 </refmeta>
271
272 <refnamediv id='name.5'>
273 <refname>@PACKAGE@.conf</refname>
274 <refpurpose>configuration file for @PACKAGE@</refpurpose>
275 </refnamediv>
276
277 <refsynopsisdiv id='synopsis.5'>
278 <title>Synopsis</title>
279 <cmdsynopsis>
280 <command>@PACKAGE@.conf</command>
281 </cmdsynopsis>
282 </refsynopsisdiv>
283
284 <refsect1 id='description.5'>
285 <title>Description</title>
286 <para>The <command>@PACKAGE@.conf</command> configuration file is
287 specified by this partial BNF description. The entire config file
288 is case sensitive. All the keywords are lower case. Each REGEX is matched against lines of the named log file, and each index_* value is the number of the capture group in that REGEX whose text is used (1 selects the first parenthesized group, as in the sample below). Log lines may carry text supplied by remote peers, so anchor each REGEX as tightly as the log format allows and keep the capture groups narrow enough that they cannot match unrelated text on the same line.
289 </para>
290
291 <literallayout class="monospaced"><![CDATA[
292 CONFIG := {FILE}+
293 FILE := "file" FILENAME "{" PATTERN+ "};"
294 PATTERN := PATH | ANNOUNCE | WITHDRAW | IP
295 PATH := "path" REGEX "{" INDEXPATH '}' ";"
296 ANNOUNCE := "announce" REGEX "{" INDEXVAL INDEXLEN '}' ";"
297 WITHDRAW := "withdraw" REGEX "{" INDEXVAL INDEXLEN '}' ";"
298 IP := "ip" REGEX "{" INDEXIP '}' ";"
299 INDEXPATH := "index_path" REGEX-INTEGER-VALUE ";"
300 INDEXVAL := "index_value" REGEX-INTEGER-VALUE ";"
301 INDEXLEN := "index_length" REGEX-INTEGER-VALUE ";"
302 INDEXIP := "index_ip" REGEX-INTEGER-VALUE ";"]]></literallayout>
303 </refsect1>
304
305 <refsect1 id='sample.5'>
306 <title>Sample</title>
307 <literallayout class="monospaced"><![CDATA[
308 file "/var/log/bgp" {
309 path " rcvd UPDATE w.* path (([0-9]| )*[0-9])" {
310 index_path 1;
311 };
312 announce " rcvd (([0-9]|\.)*)/([0-9]*)$" {
313 index_value 1;
314 index_length 3;
315 };
316 withdraw " rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn" {
317 index_value 1;
318 index_length 3;
319 };
320 };
321
322 file "/var/log/maillog" {
323 ip "NOQUEUE: connect from.* \[(.*)\]" {
324 index_ip 1;
325 };
326 };]]></literallayout>
327 </refsect1>
328
329 <refsect1 id='version.5'>
330 <title>Version</title>
331 <para>
332 @VERSION@
333 </para>
334 </refsect1>
335
336 </refentry>
337 </reference>