Using Bursty Announcements for Detection of BGP Routing Anomalies

by Pablo Moriano
The Internet, although extremely robust, is notoriously vulnerable to attack by means of the Border Gateway Protocol (BGP). BGP exchange messages are assumed to be trustworthy. In other words, the reachability information shared between autonomous systems (ASes) is assumed to be correct without any verification. Despite the fact that the latest version of the BGP protocol was released in 2006, there are no inherent protection mechanisms against participants advertising false routes.
Anomaly detection approaches rely on measuring the control plane (using BGP feeds), the data plane (exploring reachability of IP addresses in suspicious announced routes), or a combination of both. Anomaly detection does not require changes to the protocol itself. These approaches are primarily used to detect anomalies from passive or active measurements in order to alert operators for mitigation and response. They are reactive because they identify harm only after disruptive updates have polluted some detectable threshold of ASes with fake announcements.
In our paper, Using Bursty Announcements for Early Detection of BGP Routing Anomalies, we propose a detection method that aims to identify incipient incidents before diffusion and harm, by identifying a routing event as it emerges. Our goal is to identify events earlier than the state-of-the-art detection method, BGPmon. To do this, we use control-plane data collected by RouteViews and served by BGPStream. The key observation in our anomaly detection method is that there are bursty BGP announcements before new routes are adopted by neighbor ASes. We characterize bursty announcements through statistical analysis of inter-arrival times. We conduct a case-based systematic analysis of the changes in inter-arrival times that are associated with three well-known anomalous events.
Specifically, we evaluated the proposed method by studying three different large-scale routing incidents, i.e., Indosat in April 2014, Telecom Malaysia in June 2015, and Bharti Airtel Ltd. in November 2015. Our approach allows for statistically significant differentiation between normal behavior and disruption or anomalous changes during the incidents. 
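The following is an added example, not code from the paper: one way to turn announcement timestamps into a burstiness score per time window and compare it against a quiet baseline. It assumes the Goh-Barabási burstiness parameter B = (σ − μ)/(σ + μ) as the statistic and a fixed margin as the decision rule (the post names neither); the timestamps, window length and margin are constructed for illustration.

```python
from statistics import mean, pstdev

def inter_arrival_times(timestamps):
    """Gaps (seconds) between consecutive announcements."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def burstiness(timestamps):
    """B = (sigma - mu) / (sigma + mu) over inter-arrival times.
    Near -1: periodic; near 0: Poisson-like; towards 1: bursty.
    Returns None when the window is too sparse to characterise."""
    gaps = inter_arrival_times(timestamps)
    if len(gaps) < 2:
        return None
    mu, sigma = mean(gaps), pstdev(gaps)
    if mu + sigma == 0:  # every announcement carries the same timestamp
        return None
    return (sigma - mu) / (sigma + mu)

def bursty_windows(timestamps, window_s, baseline_b, margin=0.5):
    """Bucket announcements into fixed windows and return (start, B) for
    windows whose B exceeds the baseline by more than `margin`.
    `margin` is an assumed threshold, not a value from the paper."""
    buckets = {}
    for t in sorted(timestamps):
        buckets.setdefault(int(t // window_s) * window_s, []).append(t)
    flagged = []
    for start, ts in sorted(buckets.items()):
        b = burstiness(ts)
        if b is not None and b - baseline_b > margin:
            flagged.append((start, b))
    return flagged

# Constructed sample: announcement arrival times (seconds) for one prefix.
QUIET_1 = [0, 30, 61, 90, 121, 150, 181, 210, 241, 270]        # steady churn
BURSTS = [300 + i for i in range(5)] + [450 + i for i in range(5)] \
       + [595 + i for i in range(5)]                            # three tight bursts
QUIET_2 = list(range(600, 900, 30))                             # steady again
FEED = QUIET_1 + BURSTS + QUIET_2

BASELINE_B = burstiness(QUIET_1)   # reference taken from a known-quiet window

if __name__ == "__main__":
    print(f"baseline B = {BASELINE_B:.3f}")
    for start, b in bursty_windows(FEED, 300, BASELINE_B):
        print(f"window starting at t={start}s is bursty: B = {b:.3f}")
```

In practice the timestamps would come from a control-plane feed such as the RouteViews data mentioned above, and the margin would be replaced by a statistical test against the baseline distribution.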
Currently, the authors are exploring whether significant changes in the burstiness of update messages also occur for MITM BGP hijacks. In these more subtle incidents, the bogus AS is able to redirect traffic while still allowing the original destination AS to receive the intended traffic. For these incidents, the volume of update messages has been seen to be considerably lower than in the large-scale incidents, which poses an additional challenge.