comparison info/routeflapper.texi @ 0:48d06780cf77

initial version
author Carl Byington <carl@five-ten-sg.com>
date Tue, 13 May 2008 14:03:10 -0700
routeflapper
Packages

The various source and binary packages are available at @uref{http://www.five-ten-sg.com/routeflapper/packages/}.
The most recent documentation is available at @uref{http://www.five-ten-sg.com/routeflapper/}.

A Mercurial source code repository for this project is available at @uref{http://hg.five-ten-sg.com/routeflapper/}.

2008-04-12

@node routeflapper
@subsubsection routeflapper

@unnumberedsubsubsec Name
routeflapper --- detects suspicious routes

@unnumberedsubsubsec Synopsis
@example
routeflapper [-c] [-d n]
@end example

@unnumberedsubsubsec Description

routeflapper is a daemon that monitors BGP
updates and SMTP connections to discover whether SMTP connections are
coming from IP addresses whose best route is suspicious.

The routeflapper.conf(5) file specifies the syslog files
to be monitored, and the regular expressions (regex(7)) to be applied to new lines in those files.

The discussion has focused on syslog files, but any ASCII text
file can be used, so long as some other process appends lines to that
file, and those lines containing BGP updates can be matched
with some regular expression.

Considering syslog files in particular, these are normally rotated
via logrotate. routeflapper properly detects and
handles this case by closing the old file, and reopening the newly
created file.

@unnumberedsubsubsec Options
@table @asis

@item -c
Load the configuration file, print a canonical form
of the configuration on stdout, and exit.

@item -d n
Set the debug level to n.

@end table

@unnumberedsubsubsec Usage

@example
routeflapper -d 2
@end example

@unnumberedsubsubsec Configuration

The configuration file is documented in routeflapper.conf(5). Any change to the config file will cause it to be
reloaded within three minutes.

@unnumberedsubsubsec Introduction

Consider the hypothetical case of a spammer who is connected via a
provider that does not filter BGP routing announcements. The spammer
then has some options to announce IP address space to be used for
sending spam. Note that we only consider cases where the spammer
simply wants to anonymously use some IP address space. This is very
different from the case where the attacker wants to use some specific
address space belonging to another organization in order to impersonate
some service provided by that other organization.

They can announce a more specific route, for example a /24, inside a
larger block. For example, consider 169.232.0.0/16. If the spammer
pokes around, they can probably find an unused /24 in there. So they
announce 169.232.240.0/24 and then send spam from that block. There
are two problems with this scheme. First, the announcement of such a
smaller block may be filtered out by many BGP routers, reducing their
reachability to their spam targets. Second, they may have made a
mistake, and that /24 is actually in use by some UCLA service that
will notice their hijack.

They can announce a less specific route, for example a /16, covering
some individual smaller blocks. For example, they could announce
52.129.0.0/16. The spammer could then avoid the four existing
announcements inside that block, and instead spam from
52.129.128.0/17. That gives them 32K IP addresses to work with. The
advantage here is that their announcement of a large block won't be
filtered out by as many (if any) BGP routers, giving them better reachability
to their spam targets. And they know they won't interfere with any
existing use of that address space, since there was no previous BGP
announcement of that /17 or any subset of it.

Or they can simply announce a prefix that is not assigned to anyone.
For example, they could simply start announcing 185.10.0.0/16. This
has many of the same advantages as the previous scheme, but some BGP
routers may be configured to drop such bogon announcements.

In each of these cases, the spammer can use BGP to announce some
address space, then send spam from those addresses, and then withdraw
the route announcement. This would make it difficult for the recipient of
such spam to determine who actually sent it.

In a paper from 2006 published at
@uref{http://www-static.cc.gatech.edu/~feamster/publications/p396-ramachandran.pdf},
Ramachandran and Feamster claim evidence for the statement
that spammers are using such short-lived bogus BGP route announcements
to send spam from hijacked parts of the IPv4 address space.

The question is, are spammers actually doing this today, or is this
just a hypothetical spam tactic that they could use in the future? To
help answer that question, this package monitors BGP announcements,
classifies some of them as suspicious, and logs instances of SMTP
connections from suspicious prefixes.

We track the history of the AS adjacency graph, by computing the union
of all AS adjacent pairs over all the announced prefixes. For example,
137.169.0.0/16 is currently announced here with an AS path of '22298
19080 3549 6517 14981', so we add (22298,19080) (19080,3549)
(3549,6517) and (6517,14981) as valid adjacent AS pairs.

We track the history of the origin AS for each announced prefix. Both
the origin AS and AS adjacency pairs are tracked over a timescale of
100 hours, with an exponential decay half-life of 100 hours.

A prefix announcement is suspicious if the origin AS is not in the
historical AS set for that prefix at least 20% of the time, or if the
AS path contains any adjacent AS pair that is not in the historical AS
adjacency graph at least 40% of the time.
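The two rules above can be turned into a small scoring model. The following Python is an added example written for this page; it is not routeflapper's own code, and it assumes a model the manual does not spell out: the daemon's current routing view is sampled once an hour, every item's score and a shared "hours observed" clock decay with the 100-hour half-life, and "fraction of the time" means an item's decayed score divided by the decayed clock. The prefix and AS path are the ones quoted above; 52.129.0.0/16 with origin AS 64496 (from the documentation AS range) is a constructed test input.

```python
from collections import defaultdict

HALF_LIFE_HOURS = 100.0   # decay half-life stated in the routeflapper docs
ORIGIN_MIN_SHARE = 0.20   # origin AS must have held the prefix >= 20% of the weighted time
ADJ_MIN_SHARE = 0.40      # every adjacent AS pair must have been seen >= 40% of the weighted time


class RouteMonitor:
    """Hourly-sampled, exponentially decayed history of origin ASes and AS adjacencies.

    Assumed model (not taken from the routeflapper source): once an hour the current
    routing view is folded into two score tables, and every score, plus a shared
    "hours observed" clock, decays with the configured half-life.  An item's share is
    its decayed score divided by the decayed clock, i.e. the fraction of recent time
    during which it held.
    """

    def __init__(self, half_life=HALF_LIFE_HOURS):
        self.half_life = half_life
        self.hour = None
        self.clock = 0.0                         # decayed number of sampled hours
        self.origin_score = defaultdict(float)   # (prefix, origin AS) -> decayed hours held
        self.pair_score = defaultdict(float)     # (AS, AS) -> decayed hours seen in any path
        self.current = {}                        # prefix -> AS path currently announced

    def announce(self, prefix, path):
        self.current[prefix] = list(path)

    def withdraw(self, prefix):
        self.current.pop(prefix, None)

    def sample(self, hour):
        """Fold the current routing view into the histories at time `hour`."""
        if self.hour is not None:
            if hour <= self.hour:
                raise ValueError("samples must be taken at increasing hours")
            factor = 0.5 ** ((hour - self.hour) / self.half_life)
            for table in (self.origin_score, self.pair_score):
                for key in table:
                    table[key] *= factor
            self.clock *= factor
        self.hour = hour
        self.clock += 1.0
        seen_pairs = set()
        for prefix, path in self.current.items():
            self.origin_score[(prefix, path[-1])] += 1.0
            seen_pairs.update(zip(path, path[1:]))     # de-duplicated across prefixes
        for pair in seen_pairs:
            self.pair_score[pair] += 1.0

    def _share(self, table, key):
        return table.get(key, 0.0) / self.clock if self.clock else 0.0

    def suspicious(self, prefix, path):
        """Reasons (possibly none) why announcing `prefix` with `path` looks suspicious."""
        reasons = []
        origin = path[-1]
        share = self._share(self.origin_score, (prefix, origin))
        if share < ORIGIN_MIN_SHARE:
            reasons.append(f"origin AS{origin} held {prefix} only {share:.1%} of recent time")
        for a, b in zip(path, path[1:]):
            share = self._share(self.pair_score, (a, b))
            if share < ADJ_MIN_SHARE:
                reasons.append(f"AS pair {a}-{b} seen only {share:.1%} of recent time")
        return reasons


STABLE_PREFIX = "137.169.0.0/16"
STABLE_PATH = [22298, 19080, 3549, 6517, 14981]    # AS path quoted in the docs


def run_scenario():
    """Constructed scenario: 200 quiet hours, then three candidate announcements."""
    mon = RouteMonitor()
    mon.announce(STABLE_PREFIX, STABLE_PATH)
    for hour in range(200):
        mon.sample(hour)
    return {
        "stable": mon.suspicious(STABLE_PREFIX, STABLE_PATH),
        # known prefix and known neighbours, but a different origin AS
        "new_origin": mon.suspicious(STABLE_PREFIX, [22298, 19080, 3549, 6517]),
        # never-seen super-prefix originated by a never-seen AS (constructed;
        # 64496 is from the RFC 5398 documentation range)
        "super_prefix": mon.suspicious("52.129.0.0/16", [22298, 19080, 64496]),
    }


def hours_until_accepted():
    """Hourly samples a genuine origin change needs before it stops being flagged,
    given 200 hours of prior history with the old origin."""
    mon = RouteMonitor()
    mon.announce(STABLE_PREFIX, STABLE_PATH)
    for hour in range(200):
        mon.sample(hour)
    new_path = [22298, 19080, 3549, 6517]
    mon.announce(STABLE_PREFIX, new_path)
    for hour in range(200, 600):
        mon.sample(hour)
        if not mon.suspicious(STABLE_PREFIX, new_path):
            return hour - 200 + 1
    return None
```

Under this model a brand-new super-prefix trips both rules at once (unknown origin and an unknown provider-to-origin adjacency), while a changed origin on a well-known prefix trips only the origin rule. hours_until_accepted() shows the cost of the 20% threshold: after 200 hours of stable history a legitimate origin change keeps being flagged for 25 hourly samples (about a day) until the new origin reaches a 20% share, which is the kind of normal-origin-change noise the PGBGP timescale data helps calibrate against.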

PHAS is another
system that attempts to detect address space hijacking, but it is not
correlated with SMTP connections or spam attempts.

IAR is
another system that attempts to detect address space hijacking, but it
is not correlated with SMTP connections or spam attempts. IAR uses
methods detailed in PGBGP
to detect suspicious routes. One problem with PGBGP as applied to our
hypothetical spammer problem is that PGBGP is primarily looking for
hijacks where the attacker actually wants some specific IP address
space, either for a denial of service, or to impersonate the actual
owner. Our hypothetical spammer does not care about that; they only
care about sending spam anonymously. In particular, PGBGP ignores
super-prefix hijacks, but it seems likely that that is the preferred
method for our hypothetical spammer. However, the PGBGP paper does provide
useful data on the required timescale to avoid most of the normal AS
origin changes.

@unnumberedsubsubsec TODO

None.

@unnumberedsubsubsec Copyright

Copyright (C) 2008 by 510 Software Group <carl@@five-ten-sg.com>

This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 3, or (at your option) any
later version.

You should have received a copy of the GNU General Public License along
with this program; see the file COPYING. If not, please write to the
Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.

@unnumberedsubsubsec Version

1.0.1
2008-04-12

@node routeflapper.conf
@subsubsection routeflapper.conf

@unnumberedsubsubsec Name
routeflapper.conf --- configuration file for routeflapper

@unnumberedsubsubsec Synopsis
routeflapper.conf

@unnumberedsubsubsec Description

The routeflapper.conf configuration file is
specified by this partial BNF description. The entire config file
is case sensitive. All the keywords are lower case.

@example
CONFIG    := @{FILE@}+
FILE      := "file" FILENAME "@{" PATTERN+ "@};"
PATTERN   := PATH | ANNOUNCE | WITHDRAW | IP
PATH      := "path" REGEX "@{" INDEXPATH "@}" ";"
ANNOUNCE  := "announce" REGEX "@{" INDEXVAL INDEXLEN "@}" ";"
WITHDRAW  := "withdraw" REGEX "@{" INDEXVAL INDEXLEN "@}" ";"
IP        := "ip" REGEX "@{" INDEXIP "@}" ";"
INDEXPATH := "index_path" REGEX-INTEGER-VALUE ";"
INDEXVAL  := "index_value" REGEX-INTEGER-VALUE ";"
INDEXLEN  := "index_length" REGEX-INTEGER-VALUE ";"
INDEXIP   := "index_ip" REGEX-INTEGER-VALUE ";"
@end example

@unnumberedsubsubsec Sample

@example
file "/var/log/bgp" @{
    path " rcvd UPDATE w.* path (([0-9]| )*[0-9])" @{
        index_path 1;
    @};
    announce " rcvd (([0-9]|\.)*)/([0-9]*)$" @{
        index_value 1;
        index_length 3;
    @};
    withdraw " rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn" @{
        index_value 1;
        index_length 3;
    @};
@};

file "/var/log/maillog" @{
    ip "NOQUEUE: connect from.* \[(.*)\]" @{
        index_ip 1;
    @};
@};
@end example
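To see how the index_* numbers in this sample map onto regex capture groups, here is an added Python example (not part of routeflapper) that applies the sample's four patterns to constructed log lines. It assumes, as the daemon is presumed to do, that each regex is searched for anywhere in an appended line and that the first matching pattern configured for a file wins; the log lines are made up to fit the regexes, so note for instance that the ip pattern requires a space before the bracketed address.

```python
import re

# Re-creation of the sample routeflapper.conf as Python data.  The regexes are the
# ones from the sample; the index_* numbers are the capture-group numbers it assigns.
CONFIG = {
    "/var/log/bgp": [
        ("path",     r" rcvd UPDATE w.* path (([0-9]| )*[0-9])",               {"path": 1}),
        ("announce", r" rcvd (([0-9]|\.)*)/([0-9]*)$",                          {"value": 1, "length": 3}),
        ("withdraw", r" rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn", {"value": 1, "length": 3}),
    ],
    "/var/log/maillog": [
        ("ip", r"NOQUEUE: connect from.* \[(.*)\]", {"ip": 1}),
    ],
}

COMPILED = {f: [(k, re.compile(rx), idx) for k, rx, idx in pats] for f, pats in CONFIG.items()}


def parse_line(filename, line):
    """Match one appended log line against the patterns configured for its file.

    Returns (kind, fields) for the first pattern that matches, or None.  The regex
    is searched for anywhere in the line (assumed daemon behaviour), not anchored.
    """
    for kind, regex, indexes in COMPILED.get(filename, []):
        m = regex.search(line)
        if m:
            return kind, {name: m.group(n) for name, n in indexes.items()}
    return None


def parse_lines(filename, lines):
    """Events for a batch of lines, in order, skipping lines that match nothing."""
    events = []
    for line in lines:
        ev = parse_line(filename, line)
        if ev:
            events.append(ev)
    return events


# Constructed sample lines in the shape the sample regexes expect (not real log data).
BGP_LINES = [
    "May 13 14:03:10 rtr bgpd[1234]: 192.0.2.1 rcvd UPDATE w/ attr: nexthop 192.0.2.1, "
    "origin i, path 22298 19080 3549 6517 14981",
    "May 13 14:03:10 rtr bgpd[1234]: 192.0.2.1 rcvd 137.169.0.0/16",
    "May 13 14:03:12 rtr bgpd[1234]: 192.0.2.1 rcvd UPDATE about 52.129.0.0/16 -- withdrawn",
    "May 13 14:03:13 rtr bgpd[1234]: 192.0.2.1 KEEPALIVE rcvd",   # matches nothing
]
MAIL_LINES = [
    "May 13 14:03:14 mx sendmail[5678]: NOQUEUE: connect from unknown [203.0.113.45]",
]

if __name__ == "__main__":
    for f, lines in (("/var/log/bgp", BGP_LINES), ("/var/log/maillog", MAIL_LINES)):
        for kind, fields in parse_lines(f, lines):
            print(f, kind, fields)
```

The path line and the announce line arrive as two separate syslog records, so a consumer has to pair the most recent path event with the announce events that follow it; the withdraw pattern carries no path at all, which is why the BNF gives it only index_value and index_length.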

@unnumberedsubsubsec Version

1.0.1