0
|
1 routeflapper
|
|
2 Packages
|
|
3
|
|
4 The various source and binary packages are available at SGMLS_Attribute=ARRAY(0x8b71cc0), @uref{1http://www.five-ten-sg.com/routeflapper/packages/}
|
|
5 The most recent documentation is available at SGMLS_Attribute=ARRAY(0x8b45ae8), @uref{1http://www.five-ten-sg.com/routeflapper/}
|
|
6
|
|
7
|
|
8 A SGMLS_Attribute=ARRAY(0x8b45a04), @uref{1Mercurial} source
|
|
9 code repository for this project is available at SGMLS_Attribute=ARRAY(0x8b4c5fc), @uref{1http://hg.five-ten-sg.com/routeflapper/}.
|
|
10 2008-04-12
|
|
11
|
|
12 @node routeflapper
|
|
13 @subsubsection routeflapper
|
|
14
|
|
15
|
|
16 @unnumberedsubsubsec Name
|
|
17 routeflapper --- detects suspicious routes
|
|
18 @unnumberedsubsubsec Synopsis
|
|
19 Synopsis
|
|
20 routeflapper-c-d n\nn@unnumberedsubsubsec Description
|
|
21
|
|
22 routeflapper is a daemon that monitors BGP
|
|
23 updates and SMTP connections to discover whether SMTP connections are
|
|
24 coming from ip addresses whose best route is suspicious.
|
|
25
|
|
26 The routeflapper.conf(5) file specifies the syslog files
|
|
27 to be monitored, and the regular expressions (regex(7)) to be applied to new lines in those files.
|
|
28
|
|
29 The discussion has focused on syslog files, but any ascii text
|
|
30 file can be used, so long as some other process appends lines to that
|
|
31 file, and those lines containing bgp updates can be matched
|
|
32 with some regular expression.
|
|
33
|
|
34 Considering syslog files in particular, these are normally rotated
|
|
35 via logrotate. routeflapper properly detects and
|
|
36 handles this case by closing the old file, and reopening the newly
|
|
37 created file.\nn@unnumberedsubsubsec Options
|
|
38 @table @asis
|
|
39
|
|
40 @item -c
|
|
41 Load the configuration file, print a cannonical form
|
|
42 of the configuration on stdout, and exit.
|
|
43
|
|
44
|
|
45 @item -d n
|
|
46 Set the debug level to n.
|
|
47
|
|
48 @end table
|
|
49 \nn@unnumberedsubsubsec Usage
|
|
50
|
|
51 routeflapper -d 2\nn@unnumberedsubsubsec Configuration
|
|
52
|
|
53 The configuration file is documented in routeflapper.conf(5). Any change to the config file will cause it to be
|
|
54 reloaded within three minutes.
|
|
55 \nn@unnumberedsubsubsec Introduction
|
|
56
|
|
57 Consider the hypothetical case of a spammer who is connected via a
|
|
58 provider that does not filter BGP routing announcements. The spammer
|
|
59 then has some options to announce ip address space to be used for
|
|
60 sending spam. Note that we only consider cases where the spammer
|
|
61 simply wants to anonymously use some ip address space. This is very
|
|
62 different from the case where the attacker wants to use some specific
|
|
63 address space belonging to another organization in order to impersonate
|
|
64 some service provided by that other organization.
|
|
65
|
|
66
|
|
67 They can announce a more specific route, for example a /24, inside a
|
|
68 larger block. For example, consider 169.232.0.0/16. If the spammer
|
|
69 pokes around, they can probably find an unused /24 in there. So they
|
|
70 announce 169.232.240.0/24 and then send spam from that block. There
|
|
71 are two problems with this scheme. First, the announcement of such a
|
|
72 smaller block may be filtered out by many BGP routers, reducing their
|
|
73 reachability to their spam targets. Second, they may have made a
|
|
74 mistake, and that /24 is actually in use by some UCLA service that
|
|
75 will notice their hijack.
|
|
76
|
|
77
|
|
78 They can announce a less specific route, for example a /16, covering
|
|
79 some individual smaller blocks. For example, they could announce
|
|
80 52.129.0.0/16. The spammer could then avoid the four existing
|
|
81 announcements inside that block, and instead spam from
|
|
82 52.129.128.0/17. That gives them 32K ip addresses to work with. The
|
|
83 advantage here is that their announcement of a large block won't be
|
|
84 filtered out by as many (if any) BGP routers, giving them better reachability
|
|
85 to their spam targets. And they know they won't interfere with any
|
|
86 existing use of that address space, since there was no previous BGP
|
|
87 announcement of that /17 or any subset of it.
|
|
88
|
|
89
|
|
90 Or they can simply announce a prefix that is not assigned to anyone.
|
|
91 For example, they could simply start announcing 185.10.0.0/16. This
|
|
92 has many of the same advantages as the previous scheme, but some BGP
|
|
93 routers may be configured to drop such bogon announcements.
|
|
94
|
|
95
|
|
96 In each of these cases, the spammer can use BGP to announce some
|
|
97 address space, then send spam from those addresses, and then withdraw
|
|
98 the route annoucement. This would make it difficult for the recipient of
|
|
99 such spam to determine who actually sent it.
|
|
100
|
|
101
|
|
102 In a paper from 2006 published at SGMLS_Attribute=ARRAY(0x8b728e8), @uref{1 http://www-static.cc.gatech.edu/~feamster/publications/p396-ramachandran.pdf
|
|
103 }, Ramachandran and Feamster claim evidence for the statement
|
|
104 that spammers are using such short-lived bogus BGP route announcements
|
|
105 to send spam from hijacked parts of the IPv4 address space.
|
|
106
|
|
107
|
|
108 The question is, are spammers actually doing this today, or is this
|
|
109 just a hypothetical spam tactic that they could use in the future? To
|
|
110 help answer that question, this package monitors BGP annoucements,
|
|
111 classifies some of them as suspicious, and logs instances of SMTP
|
|
112 connections from suspicious prefixes.
|
|
113
|
|
114
|
|
115 We track the history of the AS adjacency graph, by computing the union
|
|
116 of all AS adjacent pairs over all the announced prefixes. For example,
|
|
117 137.169.0.0/16 is currently announced here with an AS path of '22298
|
|
118 19080 3549 6517 14981', so we add (22298,19080) (19080,3549)
|
|
119 (3549,6517) and (6517,14981) as valid adjacent AS pairs.
|
|
120
|
|
121
|
|
122 We track the history of the origin AS for each announced prefix. Both
|
|
123 the origin AS and AS adjacency pairs are tracked over a timescale of
|
|
124 100 hours, with an exponential decay half-life of 100 hours.
|
|
125
|
|
126
|
|
127 A prefix announcement is suspicious if the origin AS is not in the
|
|
128 historical AS set for that prefix at least 20% of the time, or if the
|
|
129 AS path contains any adjacent AS pair that is not in the historical AS
|
|
130 adjacency graph at least 40% of the time.
|
|
131
|
|
132
|
|
133 SGMLS_Attribute=ARRAY(0x8b4c728), @uref{1PHAS} is another
|
|
134 system that attempts to detect address space hijacking, but it is not
|
|
135 correlated with SMTP connections or spam attempts.
|
|
136
|
|
137
|
|
138 SGMLS_Attribute=ARRAY(0x8b72f78), @uref{1IAR} is
|
|
139 another system that attempts to detect address space hijacking, but it
|
|
140 is not correlated with SMTP connections or spam attempts. IAR uses
|
|
141 methods detailed in SGMLS_Attribute=ARRAY(0x8b4c794), @uref{1PGBGP}
|
|
142 to detect suspicious routes. One problem with PGBGP as applied to our
|
|
143 hypothetical spammer problem, is that PGBGP is primarily looking for
|
|
144 hijacks where the attacker actually wants some specific ip address
|
|
145 space, either for a denial of service, or to impersonate the actual
|
|
146 owner. Our hypothetical spammer does not care about that - they only
|
|
147 care about sending spam anonymously. In particular, PGBGP ignores
|
|
148 super-prefix hijacks, but it seems likely that that is the preferred
|
|
149 method for our hypothetical spammer. However, the PGBGP paper does provide
|
|
150 useful data on the required timescale to avoid most of the normal AS
|
|
151 origin changes.
|
|
152 \nn@unnumberedsubsubsec TODO
|
|
153
|
|
154 None.
|
|
155 \nn@unnumberedsubsubsec Copyright
|
|
156
|
|
157 Copyright (C) 2008 by 510 Software Group <carl@@five-ten-sg.com>
|
|
158
|
|
159
|
|
160 This program is free software; you can redistribute it and/or modify it
|
|
161 under the terms of the GNU General Public License as published by the
|
|
162 Free Software Foundation; either version 3, or (at your option) any
|
|
163 later version.
|
|
164
|
|
165
|
|
166 You should have received a copy of the GNU General Public License along
|
|
167 with this program; see the file COPYING. If not, please write to the
|
|
168 Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.
|
|
169 \nn@unnumberedsubsubsec Version
|
|
170
|
|
171 1.0.1
|
|
172 2008-04-12
|
|
173
|
|
174 @node routeflapper.conf
|
|
175 @subsubsection routeflapper.conf
|
|
176
|
|
177
|
|
178 @unnumberedsubsubsec Name
|
|
179 routeflapper.conf --- configuration file for routeflapper
|
|
180 @unnumberedsubsubsec Synopsis
|
|
181 Synopsis
|
|
182 routeflapper.conf\nn@unnumberedsubsubsec Description
|
|
183
|
|
184 The routeflapper.conf configuration file is
|
|
185 specified by this partial bnf description. The entire config file
|
|
186 is case sensitive. All the keywords are lower case.
|
|
187
|
|
188
|
|
189 @example
|
|
190 CONFIG := @{FILE@}+
|
|
191 FILE := "file" FILENAME "@{" PATTERN+ "@};"
|
|
192 PATTERN := PATH | ANNOUNCE | WITHDRAW | IP
|
|
193 PATH := "path" REGEX "@{" INDEXPATH '@}' ";"
|
|
194 ANNOUNCE := "path" REGEX "@{" INDEXVAL INDEXLEN '@}' ";"
|
|
195 WITHDRAW := "path" REGEX "@{" INDEXVAL INDEXLEN '@}' ";"
|
|
196 IP := "path" REGEX "@{" INDEXIP '@}' ";"
|
|
197 INDEXPATH := "index_path" REGEX-INTEGER-VALUE ";"
|
|
198 INDEXVAL := "index_value" REGEX-INTEGER-VALUE ";"
|
|
199 INDEXLEN := "index_length" REGEX-INTEGER-VALUE ";"
|
|
200 INDEXIP := "index_ip" REGEX-INTEGER-VALUE ";"
|
|
201
|
|
202 @end example
|
|
203 \nn@unnumberedsubsubsec Sample
|
|
204
|
|
205 @example
|
|
206 file "/var/log/bgp" @{
|
|
207 path " rcvd UPDATE w.* path (([0-9]| )*[0-9])" @{
|
|
208 index_path 1;
|
|
209 @};
|
|
210 announce " rcvd (([0-9]|\.)*)/([0-9]*)$" @{
|
|
211 index_value 1;
|
|
212 index_length 3;
|
|
213 @};
|
|
214 withdraw " rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn" @{
|
|
215 index_value 1;
|
|
216 index_length 3;
|
|
217 @};
|
|
218 @};
|
|
219
|
|
220 file "/var/log/maillog" @{
|
|
221 ip "NOQUEUE: connect from.* \[(.*)\]" @{
|
|
222 index_ip 1;
|
|
223 @};
|
|
224 @};
|
|
225
|
|
226 @end example
|
|
227 \nn@unnumberedsubsubsec Version
|
|
228
|
|
229 1.0.1
|
|
230 |