comparison info/routeflapper.texi @ 0:48d06780cf77
initial version
author: Carl Byington <carl@five-ten-sg.com>
date: Tue, 13 May 2008 14:03:10 -0700
routeflapper
Packages

The various source and binary packages are available at @uref{http://www.five-ten-sg.com/routeflapper/packages/}.
The most recent documentation is available at @uref{http://www.five-ten-sg.com/routeflapper/}.


A Mercurial source code repository for this project is available at @uref{http://hg.five-ten-sg.com/routeflapper/}.
2008-04-12

@node routeflapper
@subsubsection routeflapper


@unnumberedsubsubsec Name
routeflapper --- detects suspicious routes
@unnumberedsubsubsec Synopsis
routeflapper -c -d n

@unnumberedsubsubsec Description

routeflapper is a daemon that monitors BGP
updates and SMTP connections to discover whether SMTP connections are
coming from ip addresses whose best route is suspicious.

The routeflapper.conf(5) file specifies the syslog files
to be monitored, and the regular expressions (regex(7)) to be applied to new lines in those files.

The discussion has focused on syslog files, but any ascii text
file can be used, so long as some other process appends lines to that
file, and those lines containing bgp updates can be matched
with some regular expression.

Considering syslog files in particular, these are normally rotated
via logrotate. routeflapper properly detects and
handles this case by closing the old file, and reopening the newly
created file.

@unnumberedsubsubsec Options
@table @asis

@item -c
Load the configuration file, print a canonical form
of the configuration on stdout, and exit.


@item -d n
Set the debug level to n.

@end table

@unnumberedsubsubsec Usage

routeflapper -d 2

@unnumberedsubsubsec Configuration

The configuration file is documented in routeflapper.conf(5). Any change to the config file will cause it to be
reloaded within three minutes.

@unnumberedsubsubsec Introduction

Consider the hypothetical case of a spammer who is connected via a
provider that does not filter BGP routing announcements. The spammer
then has some options to announce ip address space to be used for
sending spam. Note that we only consider cases where the spammer
simply wants to anonymously use some ip address space. This is very
different from the case where the attacker wants to use some specific
address space belonging to another organization in order to impersonate
some service provided by that other organization.


They can announce a more specific route, for example a /24, inside a
larger block. For example, consider 169.232.0.0/16. If the spammer
pokes around, they can probably find an unused /24 in there. So they
announce 169.232.240.0/24 and then send spam from that block. There
are two problems with this scheme. First, the announcement of such a
smaller block may be filtered out by many BGP routers, reducing their
reachability to their spam targets. Second, they may have made a
mistake, and that /24 is actually in use by some UCLA service that
will notice their hijack.


They can announce a less specific route, for example a /16, covering
some individual smaller blocks. For example, they could announce
52.129.0.0/16. The spammer could then avoid the four existing
announcements inside that block, and instead spam from
52.129.128.0/17. That gives them 32K ip addresses to work with. The
advantage here is that their announcement of a large block won't be
filtered out by as many (if any) BGP routers, giving them better reachability
to their spam targets. And they know they won't interfere with any
existing use of that address space, since there was no previous BGP
announcement of that /17 or any subset of it.


Or they can simply announce a prefix that is not assigned to anyone.
For example, they could simply start announcing 185.10.0.0/16. This
has many of the same advantages as the previous scheme, but some BGP
routers may be configured to drop such bogon announcements.


In each of these cases, the spammer can use BGP to announce some
address space, then send spam from those addresses, and then withdraw
the route announcement. This would make it difficult for the recipient of
such spam to determine who actually sent it.


In a paper from 2006 published at @uref{http://www-static.cc.gatech.edu/~feamster/publications/p396-ramachandran.pdf},
Ramachandran and Feamster claim evidence for the statement
that spammers are using such short-lived bogus BGP route announcements
to send spam from hijacked parts of the IPv4 address space.


The question is, are spammers actually doing this today, or is this
just a hypothetical spam tactic that they could use in the future? To
help answer that question, this package monitors BGP announcements,
classifies some of them as suspicious, and logs instances of SMTP
connections from suspicious prefixes.


We track the history of the AS adjacency graph, by computing the union
of all AS adjacent pairs over all the announced prefixes. For example,
137.169.0.0/16 is currently announced here with an AS path of '22298
19080 3549 6517 14981', so we add (22298,19080) (19080,3549)
(3549,6517) and (6517,14981) as valid adjacent AS pairs.


We track the history of the origin AS for each announced prefix. Both
the origin AS and AS adjacency pairs are tracked over a timescale of
100 hours, with an exponential decay half-life of 100 hours.


A prefix announcement is suspicious if the origin AS is not in the
historical AS set for that prefix at least 20% of the time, or if the
AS path contains any adjacent AS pair that is not in the historical AS
adjacency graph at least 40% of the time.
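The classification rule above, worked through as an added example (this is illustrative code written for this page, not routeflapper's own implementation): the route table is sampled once per simulated hour, every weight decays with the 100-hour half-life, and an update is flagged when its origin AS, or any adjacent AS pair on its path, has been present for less than 20% (origin) or 40% (pair) of the decayed window. The hourly sampling, the use of the decayed hour count as the denominator, the dropping of prepended (a, a) pairs, and the AS number 64500 are assumptions of the example.

```python
from collections import defaultdict

HALF_LIFE_HOURS = 100.0                 # decay half-life given in the text
ORIGIN_MIN_FRACTION = 0.20              # origin AS must be present >= 20% of the time
PAIR_MIN_FRACTION = 0.40                # each adjacent AS pair must be present >= 40% of the time
DECAY = 2 ** (-1.0 / HALF_LIFE_HOURS)   # weight multiplier per sampled hour

def adjacent_pairs(path):
    """Consecutive AS pairs of a path; a prepended AS (a, a) contributes no pair (assumption)."""
    return [(a, b) for a, b in zip(path, path[1:]) if a != b]

class RouteHistory:
    """Origin-AS and AS-adjacency history, sampled hourly with exponential decay."""
    def __init__(self):
        self.routes = {}                     # prefix -> AS path currently announced
        self.origin_w = defaultdict(float)   # (prefix, origin AS) -> decayed hours present
        self.pair_w = defaultdict(float)     # (AS a, AS b) -> decayed hours present
        self.hours_w = 0.0                   # decayed count of sampled hours (the denominator)

    def announce(self, prefix, path):
        self.routes[prefix] = list(path)

    def withdraw(self, prefix):
        self.routes.pop(prefix, None)

    def tick(self):
        """One simulated hour: age every weight, then credit what is in the table now."""
        for table in (self.origin_w, self.pair_w):
            for key in table:
                table[key] *= DECAY
        self.hours_w = self.hours_w * DECAY + 1.0
        for prefix, path in self.routes.items():
            self.origin_w[(prefix, path[-1])] += 1.0     # origin AS is the last AS in the path
        for pair in {p for path in self.routes.values() for p in adjacent_pairs(path)}:
            self.pair_w[pair] += 1.0                     # each pair credited once per hour

    def fraction(self, table, key):
        """Share of the decayed window during which key was present; 0.0 with no history."""
        return table.get(key, 0.0) / self.hours_w if self.hours_w else 0.0

    def check(self, prefix, path):
        """Reasons an update is suspicious; an empty list means the route looks normal."""
        reasons = []
        if self.fraction(self.origin_w, (prefix, path[-1])) < ORIGIN_MIN_FRACTION:
            reasons.append(("origin", path[-1]))
        for pair in adjacent_pairs(path):
            if self.fraction(self.pair_w, pair) < PAIR_MIN_FRACTION:
                reasons.append(("pair", pair))
        return reasons
```

With these constants a newly seen origin stops being flagged after roughly 32 hours of continuous presence and a new adjacency after roughly 74 hours, which is the sense in which the 100-hour timescale filters out short-lived announcements.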


PHAS is another system that attempts to detect address space
hijacking, but it is not correlated with SMTP connections or spam
attempts.


IAR is another system that attempts to detect address space
hijacking, but it is not correlated with SMTP connections or spam
attempts. IAR uses methods detailed in PGBGP
to detect suspicious routes. One problem with PGBGP as applied to our
hypothetical spammer problem, is that PGBGP is primarily looking for
hijacks where the attacker actually wants some specific ip address
space, either for a denial of service, or to impersonate the actual
owner. Our hypothetical spammer does not care about that - they only
care about sending spam anonymously. In particular, PGBGP ignores
super-prefix hijacks, but it seems likely that that is the preferred
method for our hypothetical spammer. However, the PGBGP paper does provide
useful data on the required timescale to avoid most of the normal AS
origin changes.

@unnumberedsubsubsec TODO

None.

@unnumberedsubsubsec Copyright

Copyright (C) 2008 by 510 Software Group <carl@@five-ten-sg.com>


This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; either version 3, or (at your option) any
later version.


You should have received a copy of the GNU General Public License along
with this program; see the file COPYING. If not, please write to the
Free Software Foundation, 675 Mass Ave, Cambridge, MA 02139, USA.

@unnumberedsubsubsec Version

1.0.1
2008-04-12

@node routeflapper.conf
@subsubsection routeflapper.conf


@unnumberedsubsubsec Name
routeflapper.conf --- configuration file for routeflapper
@unnumberedsubsubsec Synopsis
routeflapper.conf

@unnumberedsubsubsec Description

The routeflapper.conf configuration file is
specified by this partial bnf description. The entire config file
is case sensitive. All the keywords are lower case.


@example
CONFIG := @{FILE@}+
FILE := "file" FILENAME "@{" PATTERN+ "@};"
PATTERN := PATH | ANNOUNCE | WITHDRAW | IP
PATH := "path" REGEX "@{" INDEXPATH "@}" ";"
ANNOUNCE := "announce" REGEX "@{" INDEXVAL INDEXLEN "@}" ";"
WITHDRAW := "withdraw" REGEX "@{" INDEXVAL INDEXLEN "@}" ";"
IP := "ip" REGEX "@{" INDEXIP "@}" ";"
INDEXPATH := "index_path" REGEX-INTEGER-VALUE ";"
INDEXVAL := "index_value" REGEX-INTEGER-VALUE ";"
INDEXLEN := "index_length" REGEX-INTEGER-VALUE ";"
INDEXIP := "index_ip" REGEX-INTEGER-VALUE ";"

@end example

@unnumberedsubsubsec Sample

@example
file "/var/log/bgp" @{
    path " rcvd UPDATE w.* path (([0-9]| )*[0-9])" @{
        index_path 1;
    @};
    announce " rcvd (([0-9]|\.)*)/([0-9]*)$" @{
        index_value 1;
        index_length 3;
    @};
    withdraw " rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn" @{
        index_value 1;
        index_length 3;
    @};
@};

file "/var/log/maillog" @{
    ip "NOQUEUE: connect from.* \[(.*)\]" @{
        index_ip 1;
    @};
@};

@end example
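The following added example (not part of the routeflapper sources) applies the sample file's four regexes, with their index_* capture-group numbers, to constructed log lines, showing how the file turns router and mail logs into announce, withdraw and SMTP-connection events. The log-line shapes and the pairing of each announce line with the preceding path line are assumptions of the example.

```python
import re

# Regexes and index_* group numbers copied from the sample routeflapper.conf above (the @{ and @}
# of the texinfo are plain braces in the real file).  Inner alternation groups count too, which
# is why the prefix length is group 3 and not group 2.
PATTERNS = [
    ("path", re.compile(r" rcvd UPDATE w.* path (([0-9]| )*[0-9])"), 1, None),
    ("announce", re.compile(r" rcvd (([0-9]|\.)*)/([0-9]*)$"), 1, 3),
    ("withdraw", re.compile(r" rcvd UPDATE about (([0-9]|\.)*)/([0-9]*) -- withdrawn"), 1, 3),
    ("ip", re.compile(r"NOQUEUE: connect from.* \[(.*)\]"), 1, None),
]

def classify(line):
    """Apply the patterns in file order; return (kind, extracted value) or None."""
    for kind, rx, idx_value, idx_length in PATTERNS:
        m = rx.search(line)
        if not m:
            continue
        if kind == "path":
            return kind, [int(asn) for asn in m.group(idx_value).split()]
        if kind == "ip":
            return kind, m.group(idx_value)
        return kind, m.group(idx_value) + "/" + m.group(idx_length)   # announce / withdraw
    return None

def events(lines):
    """Reduce log lines to announce / withdraw / ip events.
    Assumption (not from the page): an announce line uses the AS path of the latest path line.
    """
    out, current_path = [], None
    for line in lines:
        hit = classify(line)
        if hit is None:
            continue
        kind, value = hit
        if kind == "path":
            current_path = value
        elif kind == "announce":
            out.append(("announce", value, current_path))
        elif kind == "withdraw":
            out.append(("withdraw", value))
        else:
            out.append(("ip", value))
    return out

# Constructed sample lines (not taken from the page), in the shapes the regexes expect.
SAMPLE_LINES = [
    "May 13 14:03:10 rtr bgpd: BGP: 10.0.0.1 rcvd UPDATE w/ attr: nexthop 10.0.0.1, origin i, path 22298 19080 3549 6517 14981",
    "May 13 14:03:10 rtr bgpd: BGP: 10.0.0.1 rcvd 137.169.0.0/16",
    "May 13 14:03:11 rtr bgpd: BGP: 10.0.0.1 rcvd UPDATE about 52.129.128.0/17 -- withdrawn",
    "May 13 14:03:12 mx smtpd[4242]: NOQUEUE: connect from host.example.net [192.0.2.10]",
]
```

Note that the ip regex requires a space before the bracketed address, so a mail log whose format differs needs its own pattern in the file.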

@unnumberedsubsubsec Version

1.0.1