BGP: Border Gateway Protocol

BGP layer 7 routing

Introduction

This tutorial discusses the plugin bgpDecode.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build tranalyzer2 basicFlow bgpDecode txtSink

...
BUILD SUCCESSFUL

If you did not create a separate data and results directory yet, please do it now in another bash window, that facilitates your workflow:

mkdir ~/data ~/results

The sample PCAP used in this tutorial can be downloaded here: test.pcap.

Please save it in your ~/data folder.

Now you are all set for analyzing BGP traffic!

bgpDecode

Let’s look at the plugin configuration first:

bgpDecode

vi src/bgpDecode.h

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define BGP_DEBUG        0 // activate debug output
#define BGP_IP_FORMAT    1 // 0: hex, 1: IP, 2: int
#define BGP_AS_FORMAT    0 // 0: ASPLAIN, 1: ASDOT, 2: ASDOT+
#define BGP_NOTIF_FORMAT 0 // 0: uint8, 1: string (code only)
#define BGP_TRAD_BOGONS  1 // flag traditional bogons

#define BGP_OUTPUT_RT    1 // output routing tables

#if BGP_OUTPUT_RT == 1
#define BGP_ORIG_ID      0 // output originator id
#define BGP_AGGR         0 // output aggregator
#define BGP_CLUSTER      0 // output cluster list
#define BGP_COMMUNITIES  0 // output communities
#define BGP_MASK_FORMAT  1 // 0: hex, 1: IP, 2: int
#define BGP_AS_PATH_AGGR 0 // aggregate repetitions of the same AS
#endif // BGP_OUTPUT_RT

// Experimental
#define BGP_RT           1 // store routing information in a hashtable (required for MOAS detection)
#define BGP_DEBUG_RT     0 // activate debug output for routing information
#define BGP_RT_MASK      0 // use the mask as part of the key for the routing table

#define BGP_ASIZE      512 // Size of arrays for update records

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define BGP_SUFFIX      "_bgp.txt"
#define BGP_ANOM_SUFFIX "_bgp_anomalies.txt"
#define BGP_MOAS_SUFFIX "_bgp_moas.txt"

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Run t2 on the supplied pcap.

t2 -r ~/test_data/data/test.pcap -w ~/results/

First, let’s have a look at the aggregated flags!

tawk -V bgpStat=0x8501 -V bgpAFlgs=0x0160 -V bgpPAttr=0x000000ff

The bgpStat column with value 0x8501 is to be interpreted as follows:

   bit | bgpStat | Description
   =============================================================================
     0 | 0x0001  | Flow is BGP
     8 | 0x0100  | IAT for update or keep-alive < 0
    10 | 0x0400  | Atomic Aggregate
    15 | 0x8000  | Malformed packet (snaplen)


The bgpAFlgs column with value 0x0160 is to be interpreted as follows:

   bit | bgpAFlgs | Description
   =============================================================================
     5 | 0x0020   | Multiple Origin AS (same prefix announced by more than one origin AS)
     6 | 0x0040   | AS prepended more than 10 times in AS path (average AS path length is between 4 and 5)
     8 | 0x0100   | Route for more specific prefix advertised


The bgpPAttr column with value 0x000000ff is to be interpreted as follows:

   bit | bgpPAttr    | Description
   =============================================================================
     0 | 0x0000 0001 | ORIGIN
     1 | 0x0000 0002 | AS_PATH
     2 | 0x0000 0004 | NEXT_HOP
     3 | 0x0000 0008 | MULTI_EXIT_DISC (MED)
     4 | 0x0000 0010 | LOCAL_PREF
     5 | 0x0000 0020 | ATOMIC_AGGREGATE
     6 | 0x0000 0040 | AGGREGATOR
     7 | 0x0000 0080 | COMMUNITIES

The absence of the Aggregated bgpCaps line tells us there are no capability flags set.

Second, let’s extract all BGP flows from the flow file:

tawk 'bitsanyset($bgpStat, 0x0001)' ~/results/test_flows.txt | tcol

%dir  flowInd  flowStat            timeFirst          timeLast           duration    numHdrDesc  numHdrs  hdrDesc       srcMac             dstMac             ethType  ethVlanID  srcIP          srcIPCC  srcIPOrg           srcPort  dstIP        dstIPCC  dstIPOrg           dstPort  l4Proto  dstPortClassN  dstPortClass  bgpStat  bgpAFlgs  bgpMsgT  bgpNOpen_Upd_Notif_KeepAl_RteRefr  bgpVersion  bgpSrcAS_dstAS  bgpSrcId_dstId   bgpHTime  bgpCaps  bgpPAttr    bgpNAdver  bgpNWdrwn  bgpMaxAdver  bgpAvgAdver  bgpMaxWdrwn  bgpAvgWdrwn  bgpAdvPref  bgpWdrnPref  bgpNIGP_EGP_INC  bgpMinASPLen  bgpMaxASPLen  bgpAvgASPLen  bgpMaxNPrepAS  bgpMinIatUp  bgpMaxIatUp  bgpAvgIatUp  bgpMinIatKA  bgpMaxIatKA  bgpAvgIatKA  bgpNotifCode_Subcode
A     1        0x0400000000004000  1408728456.284444  1408728713.990284  257.705840  1           3        eth:ipv4:tcp  d4:ca:6d:e4:8f:07  02:e4:64:fc:26:00  0x0800              82.197.169.69  ch       "Silvan Gebhardt"  59556    172.16.69.2  05       "Private network"  179      6        179            bgp           0x8501   0x0160    0x14     0_332_0_6_0                        0           0_0             0.0.0.0_0.0.0.0  0         0x0000   0x000000ff  470        57         21           1.440727     5            0.171687     0x00fed000  0x00f00000   265_2_61         1             22            5.654655      15             0.000000     20.933496    1.269217     0.000000     54.003614    49.674990    0_0

Only one flow!

Let’s now have a look at the different files created by the plugin:

ls ~/results

test_bgp_anomalies.txt  test_bgp_moas.txt  test_bgp.txt  test_flows.txt  test_headers.txt

Here is a quick summary of what you’ll find in each file:

  • test_bgp.txt: the routing tables (all the routes advertised)
  • test_bgp_anomalies.txt: all the anomalies encountered (bogons, blackholes, loops, private/reserved ASN, …)
  • test_bgp_moas.txt: all networks with multiple origins AS (MOAS)

In the following sections, we will look into each file and experiment with the supporting scripts!

BGP AS connection file

First, let’s look at the advertised routes:

head ~/results/test_bgp.txt | tcol

%NLRI                           AS  NextHop          MED  LocPref  Origin      OriginatorID  OriginAS  UpstreamAS  DestAS  Aggregator            ASPath                             ASPathLen  MaxNPrepAS  ClusterList  ClusterListLen  Communities                                                                                                WithdrawnRoutes  flowIndex  Packet  Record  Timestamp
103.31.109.0/24                 0   213.144.128.177  1    100      INCOMPLETE  0.0.0.0       45786     4761        13030   0:0.0.0.0             13030;7473;4761;45786              4          0                        0               13030:1;13030:1022;13030:7212;13030:51902                                                                  185.56.88.0/22   1          2       1       1408728457.838732
200.16.16.0/20                  0   213.144.128.177  1    100      INCOMPLETE  0.0.0.0       27790     3597        13030   0:0.0.0.0             13030;3257;18747;11014;3597;27790  12         6                        0               3257:4000;3257:8126;3257:50002;3257:50120;3257:51100;3257:51103;13030:1;13030:3257;13030:7173;13030:51203                   1          3       1       1408728457.851349
202.70.64.0/21;202.70.88.0/21   0   213.144.128.177  1    100      IGP         0.0.0.0       23752     6453        13030   0:0.0.0.0             13030;2828;6453;23752              4          0                        0               13030:2;13030:2828;13030:7215;13030:51903                                                                                   1          3       2       1408728457.851349
165.98.159.0/24                 0   213.144.128.177  1    100      IGP         0.0.0.0       27742     23520       13030   27742:250.160.35.200  13030;23520;27742                  3          0                        0               13030:1;13030:1021;13030:7167;13030:51901;23520:10000;23520:10040                                                           1          3       3       1408728457.851349
194.31.36.0/23;194.31.38.0/24   0   213.144.128.177  1    100      IGP         0.0.0.0       198431    50481       13030   198431:1.36.31.194    13030;3549;3356;50481;198431       5          0                        0               3549:2722;3549:31276;13030:2;13030:3549;13030:7179;13030:51202                                                              1          3       4       1408728457.851349
165.98.12.0/22;190.124.38.0/24  0   213.144.128.177  1    100      IGP         0.0.0.0       27742     23520       13030   0:0.0.0.0             13030;3257;23520;27742             4          0                        0               3257:4000;3257:8126;3257:50002;3257:50120;3257:51100;3257:51103;13030:1;13030:3257;13030:7173;13030:51203                   1          3       5       1408728457.851349
195.54.176.0/23                 0   213.144.128.177  1    100      IGP         0.0.0.0       51147     28917       13030   0:0.0.0.0             13030;3549;174;28917;51147         5          0                        0               3549:2352;3549:30840;13030:2;13030:3549;13030:7214;13030:51701                                                              1          3       6       1408728457.851349
185.47.232.0/22                 0   213.144.128.177  1    100      IGP         0.0.0.0       16024     3209        13030   0:0.0.0.0             13030;3209;16024                   5          2                        0               13030:1;13030:1017;13030:4005;13030:7179;13030:51000;13030:51202                                                            1          3       7       1408728457.851349
64.29.130.0/24                  0   213.144.128.177  1    100      IGP         0.0.0.0       23342     4436        13030   0:0.0.0.0             13030;3549;2914;4436;23342         6          1                        0               2914:410;2914:1002;2914:2000;2914:3000;3549:2714;3549:31276;13030:2;13030:3549;13030:7179;13030:51202                       1          3       8       1408728457.851349

Let’s look into the supporting scripts to see what we can do with this file!

bgpDecode

cd scripts

ls

asn2cn  asn2cn.txt  asn.txt  bgp2ng  bgpMOAScn  bgpR

Let’s start with the bgpR script!

./bgpR -h

Usage:
    bgpR [OPTION...] file_bgp.txt

Optional arguments:
    -t            keep the timestamp

    -p            generate the plots

    -d            directed graph
    -s            max one edge between nodes
    -u            no links to self node

    -l            label edges with the flowIndex
    -n            color nodes
    -e            color edges

    -f FMT        output format (gif, png, ps, svg, svgz) [default: 'png']
    -o DIR        output folder [default: '.']

    -y            do not ask for confirmation before executing an action

    -h, --help    Show this help, then exit
./bgpR ~/results/test_bgp.txt -n -e -p -u -o ~/results

Generating '/home/wurst/results/test_bgp_s.txt'... OK
Sorting '/home/wurst/results/test_bgp_s.txt'... OK
Generating '/home/wurst/results/test_bgp_mpath.txt'... OK
Generating '/home/wurst/results/test_bgp_conf.txt'... OK
Generating 'as' plot... OK
Generating 'cn' plot... OK
Generating 'cont' plot... OK
ls ~/results

test_bgp_anomalies.txt  test_bgp_as.png  test_bgp_cn.png    test_bgp_cont.dot  test_bgp_moas.txt   test_bgp_s.txt  test_flows.txt
test_bgp_as.dot         test_bgp_cn.dot  test_bgp_conf.txt  test_bgp_cont.png  test_bgp_mpath.txt  test_bgp.txt    test_headers.txt

Plenty of new files! Let’s start by looking at the pictures!

First, we have the connections between AS in ~/results/test_bgp_as.png

feh ~/results/test_bgp_as.png

Connection between AS

Looks quite messy! Let’s start again with the -s option to only have one link between nodes! This time, we’ll look into the connections between countries!

./bgpR ~/results/test_bgp.txt -n -e -p -u -o ~/results

Generating '/home/wurst/results/test_bgp_s.txt'... OK
Sorting '/home/wurst/results/test_bgp_s.txt'... OK
Generating '/home/wurst/results/test_bgp_mpath.txt'... OK
Generating '/home/wurst/results/test_bgp_conf.txt'... OK
Generating 'as' plot... OK
Generating 'cn' plot... OK
Generating 'cont' plot... OK

feh ~/results/test_bgp_cn.png

Connection between countries

Just to be thorough, let’s have a look at the connections between continents:

feh ~/results/test_bgp_cn.png

Connection between continents

For a more precise idea of the continents, refer to the documentation of the plugin:

t2doc bgpDecode

BGP continents

What are the other files?

test_bgp_s.txt: the file used to generate the previous pictures (based on test_bgp.txt, but with one network per line) test_bgp_mpath.txt: all networks with more than one path test_bgp_conf.txt: possible configuration errors (AS prepended N times, followed by AS number N)

The test_bgp_conf.txt file is empty, so let’s look into the test_bgp_mpath.txt file! It reports the number of distinct paths for all networks which have more than one path:

tcol ~/results/test_bgp_mpath.txt

%Network          NumberOfDifferentPaths  MinPathLen  MaxPathLen  RangePathLen  MeanPathLen  MedianPathLen  StdDevPathLen  ModePathLen  MOAS
2.93.180.0/24     7                       3           7           4             5.28571      5              1.25357        7
202.70.88.0/21    7                       3           9           6             5.42857      6              2.0702         9
103.31.109.0/24   7                       3           6           3             5.28571      4.5            1.25357        6
2.93.1.0/24       6                       5           7           2             6            6              0.894427       7
2.93.97.0/24      5                       5           7           2             6            6              1              7
2.93.146.0/24     5                       5           7           2             6            6              1              7
202.70.64.0/21    5                       3           7           4             4.8          5              1.64317        7
188.75.52.0/22    5                       4           7           3             5.6          5.5            1.34164        7
179.191.0.0/21    5                       5           7           2             5.8          6              0.83666        7
176.221.72.0/21   5                       5           18          13            10.8         11.5           4.91935        18
128.73.165.0/24   5                       5           10          5             7.6          7.5            2.30217        10
185.56.88.0/22    4                       4           6           2             5.25         5              0.957427       6
185.22.144.0/22   4                       5           10          5             7.5          7.5            2.38048        10
176.15.113.0/24   4                       5           7           2             6.25         6              0.957427       7
41.154.231.0/24   3                       4           5           1             4.66667      4.5            0.57735        5
41.154.230.0/24   3                       4           5           1             4.66667      4.5            0.57735        5
41.154.229.0/24   3                       4           5           1             4.66667      4.5            0.57735        5
41.154.228.0/24   3                       4           5           1             4.66667      4.5            0.57735        5
2.93.28.0/24      3                       5           7           2             6            6              1              7
202.123.88.0/24   3                       4           7           3             5.66667      5.5            1.52753        7
195.54.176.0/23   3                       3           5           2             4.33333      4              1.1547         5

Ok, time to look into the test_bgp_anomalies.txt file!

BGP anomaly file

The test_bgp_anomalies.txt file contains a list of anomalies. Refer to the table below to extract a specific anomaly:

Bogons advertisement: awk '/^BOGON/' test_bgp_anomalies.txt
Prefix more specific than /24: awk '/^SPEC24/' test_bgp_anomalies.txt
Prefix less specific than /8: awk '/^SPEC8/' test_bgp_anomalies.txt
Possible blackhole: awk '/^BLACKHOLE/' test_bgp_anomalies.txt
Possible loop: awk '/^LOOP/' test_bgp_anomalies.txt
AS number prepended more than 10 times in AS path: awk '/^NPREPAS/' test_bgp_anomalies.txt
Private/Reserved AS numbers: awk '/^PRIVAS/' test_bgp_anomalies.txt
More specific prefix to existing network awk '/^MSPEC/' test_bgp_anomalies.txt
Multiple Origin AS (MOAS) Reported in test_bgp_moas.txt, discussed in the next section

Let’s peek into the test_bgp_anomalies.txt file to see how it looks:

tcol ~/results/test_bgp_anomalies.txt

%Anomaly  flowInd  PktNum  RecNum  ASorNet        RepsOrMask  NewMask
MSPEC     1        68      3       177.12.200.0   22          24
MSPEC     1        115     1       179.191.0.0    21          22
MSPEC     1        191     3       179.191.0.0    21          22
MSPEC     1        214     5       187.111.32.0   20          21
NPREPAS   1        215     2       9121           15
MSPEC     1        238     4       176.111.120.0  21          22

BGP networks with multiple origins AS (MOAS)

Networks with multiple origins AS (MOAS) are reported in the test_bgp_moas.txt file. Let’s look into it!

tcol ~/results/test_bgp_moas.txt

%Network        Mask    OldOrigAS    NewOrigAS    flowInd    PktNum    RecNum
112.215.16.0    24      17885        24203        1          169       7

This tells us that the network 112.215.16.0/24 was advertised first by AS 17885 and later by AS 24203.

Would it not be nice to know which countries those AS operate in? Let’s try the bgpMOAScn script:

./bgpMOAScn ~/results/test_bgp_moas.txt

Generating '/home/wurst/results/test_bgp_moas_cn.txt'... OK

Let’s look at the new file!

tcol ~/results/test_bgp_moas_cn.txt

%Network      Mask  OldOrigAS  NewOrigAS  OldCountry  NewCountry  flowInd  PktNum  RecNum
112.215.16.0  24    17885      24203      ID          ID          1        169     7

Nice, the country of the AS was added! We can now see that both AS originate from the same country, namely Indonesia.

Conclusion

Don’t forget to reset the plugin configuration for the next tutorial.

t2conf bgpDecode --reset && t2build bgpDecode

Have fun analyzing!