Coordinated monitoring method for preventing BGP routing hijacking
Publication number: CN102394794A
Authority: CN (China)
Prior art keywords: prefix, monitoring, path, session, route
Legal status: Pending
Abstract
The invention relates to a coordinated monitoring method for preventing BGP (Border Gateway Protocol) routing hijacking, including prefix hijacking and next-hop hijacking. In the technical scheme, each AS (Autonomous System) participating in the coordination uses an existing or newly deployed server to run BGP, sets up BGP sessions with one or more internal routers to acquire routing update messages, and at the same time sets up coordinated monitoring sessions with the monitoring servers in several other ASes. The method consists of a routing update monitoring method and a session state monitoring method. On the control plane, the routing update messages acquired over these sessions are analyzed and monitored to detect BGP prefix hijacking and next-hop hijacking; on the data plane, the states of the coordinated monitoring sessions are maintained and checked to discover, in real time, routing hijacking events aimed at the coordinated network itself. The existing network management and measurement facilities inside each AS, as well as the data acquisition facilities set up for public routing data dissemination projects, are fully used to build a coordinated network for monitoring BGP prefix hijacking and next-hop hijacking through the coordination and integration of existing network resources.
Description
Technical field
The present invention proposes a coordinated monitoring method for guarding against Border Gateway Protocol (BGP) route hijacking (including prefix hijacking and next-hop hijacking), and belongs to the field of computer network security technology.
Background technology
The Internet is the product of the convergence of computer technology and communication technology. Since the mid-1990s, with the rapid growth of network scale and the increasing number of Internet-based commercial applications, the Internet has gradually developed into an important information infrastructure of human society. To improve scalability, the Internet adopts a hierarchical routing architecture that is divided, at the granularity of the autonomous system (Autonomous System, AS), into two levels: intra-domain and inter-domain. An autonomous system is defined as a group of routing devices that operate under a unified policy and present a consistent routing policy to the outside. The Border Gateway Protocol (BGP) is the current de facto standard inter-domain routing protocol; its main function is to exchange network reachability information between autonomous systems. The BGP-based routing system is the core infrastructure of the Internet and allows network terminals and devices distributed around the world to communicate over the Internet.
Route hijacking is the most serious security threat currently facing the BGP routing system, and is divided into prefix hijacking and next-hop hijacking. Prefix hijacking manifests directly as one AS (the attacker AS) announcing IP address space (the victim network) that belongs to another AS (the victim AS). Over the course of the Internet's development, prefix hijacking incidents have occurred from time to time and have seriously disturbed the normal operation of the Internet; the more influential ones include the AS 7007 incident of 1997, the hijacking of Google by Cogent in 2005, and the YouTube incident of 2008. Each of these incidents interrupted the services provided by the victim network for more than two hours. BGP prefix hijacking has its root in the excessive, unconditional trust between BGP neighbors. Each AS selects its best routes from the routes learned from neighboring ASes and then forwards data along those best routes, but it cannot actually judge whether a route is credible. When a prefix hijack occurs, routing data from route collection projects such as RouteViews and RIPE-RIS shows the victim's network being announced simultaneously by two or more different ASes, which is a distinctive signature. Another, more covert, form of attack is called next-hop hijacking, in which the attacker AS falsely claims to be a direct neighbor of the victim AS. Because only the victim AS itself knows whether the attacker AS is its neighbor, and because the bogus routes sent by the attacker AS during a prefix hijack or next-hop hijack generally do not propagate to the victim AS itself, both prefix hijacking and next-hop hijacking are extremely difficult to detect.
To guard against route hijacking, academia and industry have made considerable efforts, and current work concentrates on two aspects. The first addresses the fragile BGP trust model by designing security protocols that give BGP comprehensive protection; in essence this restricts "what is allowed". The second addresses prefix hijacking by monitoring the routes and data forwarding paths to particular networks to guarantee the safety of prefixes; in essence this restricts "what is not allowed". In the design of security protocol mechanisms, no scheme with acceptable effectiveness and cost has yet emerged, for several reasons. First, most security protocol mechanisms require modifying the routing protocol, which is costly to deploy. Second, computing and storage resources on routers are very limited, while implementing a security protocol often incurs considerable overhead. Third, many security mechanisms need the support of a network-wide public key infrastructure (Public Key Infrastructure, PKI), which is extremely difficult to realize on the distributed Internet. Fourth, in terms of incentives, the security mechanisms proposed so far often bring benefit only after network-wide deployment, so operators driven by commercial interest often lack the motivation to deploy them. Likewise, monitoring mechanisms dedicated to detecting prefix hijacking have not been widely adopted, for the following three reasons. First, the mapping between network prefixes and announcing ASes changes with commercial relationships; at present no authoritative institution or data source can provide accurate, real-time mapping relations, and only the owner of a network prefix knows whether a change in the mapping is legitimate. Second, because operators are essentially competitors, an AS that observes a prefix hijack has no obligation to notify the victim AS, so timely handling and control are often lacking. Third, when a prefix is hijacked, communication from the hijacked network to other ASes on the Internet is largely cut off; therefore, even if some AS is willing to report the hijacking incident to the victim AS, the means commonly used between network administrators, such as e-mail, depend on the Internet and have essentially already failed.
The method of the invention is proposed on the basis of the following basic facts:
(1) Routing security is becoming increasingly important, and there is broad demand and a large market for protection against route hijacking. Related studies show that the distribution of Internet traffic across network prefixes is unbalanced: a small fraction of network prefixes carries a large share of Internet traffic. The quality of service of Internet content providers (Internet Content Provider, ICP) that offer online services such as Internet search, video sharing and real-time news depends heavily on the routing system, specifically on whether traffic destined for a service offered by the ICP can be correctly routed to the network where the ICP provides that service. The direct manifestation of route hijacking is "traffic absorption": by hijacking the routes of the victim network, the attacker AS redirects traffic to itself. Protection against route hijacking is therefore particularly important for ICPs.
(2) Protection against route hijacking requires coordination. Protection against BGP route hijacking faces an inherent contradiction that is hard to reconcile. On the one hand, only the owner of a network prefix can determine whether a route change is caused by an attack; on the other hand, the mechanism by which BGP propagates routes and the routing policies of network operators make it hard for the bogus routes originated by the attacker to propagate to the victim AS itself. Therefore, an AS cannot protect its own routes from hijacking by relying on the route propagation mechanism of the BGP protocol alone; coordination must be introduced so that the bogus routes originated by the attacker can reach the victim AS.
(3) The route data collection projects RouteViews and RIPE-RIS provide route monitoring services for the whole Internet and publish routing data for network research; they have established BGP sessions with more than 400 autonomous systems around the world. These autonomous systems have built network infrastructure dedicated to supplying data to RouteViews and RIPE-RIS, but have not themselves obtained a targeted, effective network security service in return. At the same time, most ASes on the Internet have their own network measurement and management facilities for monitoring intra-domain routing state and traffic distribution and for managing network equipment. The coordinated monitoring method proposed here uses these facilities in the cooperating ASes, which are normally idle or have very low utilization, to monitor BGP route hijacking attacks; an AS obtains an additional return without additional investment, which favors the promotion and application of the method.
Summary of the invention
The technical problem to be solved by the present invention is to build, by making full use of the existing network management and measurement infrastructure in multiple autonomous systems (AS), a coordinated network for monitoring Border Gateway Protocol (BGP) route hijacking, so as to strengthen the security of the Internet inter-domain routing system.
The technical scheme is as follows: each AS participating in the coordination uses an existing or newly deployed server to run the BGP protocol, establishes BGP sessions with one or more internal routers to collect routing update messages, and at the same time establishes coordinated monitoring sessions with the monitoring servers in several other ASes. The method consists of two parts, a routing update monitoring method and a session state monitoring method. On the control plane, the routing update messages acquired over the sessions are analyzed and monitored to detect BGP prefix hijacking and next-hop hijacking; on the data plane, the state of the coordinated monitoring sessions is maintained and checked to discover, in real time, route hijacking events aimed at the coordinated network itself.
The terms newly defined by the invention are monitor, monitoring session, monitoring neighbor, internal neighbor and external neighbor. A monitor is the monitoring server set up by each AS that participates in building the coordinated monitoring network. The BGP session established between monitors for communication is called a monitoring session; correspondingly, the two monitors connected by a monitoring session are called monitoring neighbors. Depending on whether they are in the same AS, the BGP neighbor relationships between a monitor and other routers or monitoring servers are divided into internal neighbors and external neighbors.
Other symbols and terms used in the invention are explained as follows:
Network prefix: a contiguous block of IP addresses is represented in the routing system as a network prefix, or prefix for short;
$M_1, M_2, \ldots, M_n$: the n monitors that have established monitoring sessions with autonomous system u. All methods in the invention are described from the point of view of autonomous system u, and the text below does not distinguish between an autonomous system and the monitor it has set up;
$I_m$: the set of prefixes that monitor m attempts to protect; in the invention this means all networks directly announced by AS m;
$ipe_m$: the IP address that monitor m uses to establish monitoring sessions with external neighbors. Because this address must be reachable across the whole Internet, AS m must announce a network prefix containing it in the routing system;
$ipi_m$: the IP address that monitor m uses to establish BGP sessions with internal neighbors. Because this address only needs to be reachable inside AS m, a private address is recommended, and the address block containing it is not announced in the routing system;
$c_m$: the cooperating prefix of monitor m: among the prefixes announced by AS m that contain $ipe_m$, the network prefix with the smallest address space;
$G_m$: the set of general prefixes of AS m, which are not used to build the coordinated network, that is, the set of prefixes announced by monitor m other than the cooperating prefix: $G_m = I_m - \{c_m\}$.
1. Routing update monitoring method
This method examines the routing update messages received from monitoring neighbors, that is, it performs detection on the "control plane", to find BGP prefix hijacking and next-hop hijacking events aimed at this autonomous system.
The symbols and terms used in this method are defined as follows:
r: a route, a pair r = (d, p), where d is a network prefix and p is the AS-Path attribute of the route, namely the sequence of autonomous systems traversed in turn from the local autonomous system to network d, written $[v_k\, v_{k-1} \ldots v_1\, v_0]$. Routing updates propagated in BGP are of two types, 'Announcement' and 'Withdrawal', denoted 'A' and 'W' respectively; a routing update of type 'A' has a non-empty AS-Path attribute, and a routing update of type 'W' has an empty AS-Path attribute.
r.origin: the autonomous system that announces network d in the routing system; when
holds, r.origin = $v_0$;
r.firsthop: the first autonomous system different from r.origin that route r passes through as it propagates across the Internet;
Policy of u: for any prefix d in $I_u$, the policy of u comprises the prefix-to-announcer mapping policy $O_u(d)$ and the prefix-to-first-hop-AS mapping policy $L_u(d)$. $O_u(d)$ is the set of autonomous systems that u considers entitled to announce prefix d; $L_u(d)$ is the set of autonomous systems, among the AS neighbors of u, that are allowed to learn the route to prefix d directly from u, and reflects the route export policy of u;
$M_i[d]$: the route to prefix d observed from monitor $M_i$;
$OSet_u(d, t)$: the set of announcers of prefix d that u observes from its monitoring neighbors at time t;
$FSet_u(d, t)$: the set of first-hop autonomous systems of the routes to prefix d that u observes from its monitoring neighbors at time t;
Prefix d unreachable from $M_i$ ($d \in I_u$): monitoring neighbor $M_i$ has no route to network d of the local autonomous system;
Loss of reachability of prefix d: none of the monitoring neighbors $M_i$ ($1 \le i \le n$) has a route to prefix d.
The detection procedure is as follows: when, at time t, monitoring server u receives from monitoring neighbor $M_i$ a routing update message r about prefix d, it carries out the following steps:
(1) determine whether the prefix d concerned by this route is in the set $I_u$; if it is, the route is relevant to this autonomous system and steps (2) to (6) follow; otherwise return;
(2) parse the content of route r to obtain its AS-Path attribute r.p;
(3) if
then this routing update is of type 'A'; parse the route further to obtain the r.origin and r.firsthop attributes, and update the information held for monitor $M_i$: $M_i[d] = r$;
(4) if
then this routing update is of type 'W', and
At the same time, this means that network prefix d has become unreachable from the AS in which $M_i$ is located; generate an alarm that prefix d is unreachable from $M_i$;
(5) recompute, for the current time, the announcer set and the first-hop set for prefix d observed from the monitoring neighbors,
(6) check the newly received origin autonomous system and first-hop autonomous system against the predefined policy: if r.origin does not belong to $O_u(d)$, generate a prefix hijacking alarm; if r.firsthop does not belong to $L_u(d)$, generate a next-hop hijacking alarm; if $OSet_u(d, t)$ is empty or $FSet_u(d, t)$ is empty, generate a loss-of-reachability alarm for prefix d.
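The detection procedure above can be exercised as follows. This is an added Python example, not code from the patent: the class, function and alarm names, the AS numbers and the prefix are constructed for illustration, and the 'A'/'W' distinction is made on a non-empty versus empty AS-Path, as in the definition of r.

```python
from collections import namedtuple

Alarm = namedtuple("Alarm", "kind prefix neighbor")


def origin_and_first_hop(as_path):
    """as_path is [v_k, ..., v_1, v_0]; v_0 announced the prefix.

    The first hop is the first AS that differs from the origin when walking
    away from it, so AS prepending by the origin is skipped.
    """
    origin = as_path[-1]
    for asn in reversed(as_path):
        if asn != origin:
            return origin, asn
    return origin, None  # the path contains only the origin


class UpdateMonitor:
    """Monitor of AS u (illustrative names, not taken from the patent)."""

    def __init__(self, protected, allowed_origins, allowed_first_hops, neighbors):
        self.protected = set(protected)               # I_u
        self.allowed_origins = allowed_origins        # O_u(d): prefix -> ASNs
        self.allowed_first_hops = allowed_first_hops  # L_u(d): prefix -> ASNs
        self.routes = {m: {} for m in neighbors}      # M_i[d]: AS-Path per prefix

    def observed_sets(self, prefix):
        """OSet_u(d, t) and FSet_u(d, t) over all monitoring neighbors."""
        oset, fset = set(), set()
        for table in self.routes.values():
            path = table.get(prefix)
            if path:
                origin, first_hop = origin_and_first_hop(path)
                oset.add(origin)
                if first_hop is not None:
                    fset.add(first_hop)
        return oset, fset

    def on_update(self, neighbor, prefix, as_path):
        """Process one update from a monitoring neighbor; return the alarms."""
        alarms = []
        if prefix not in self.protected:               # step (1): exact match on I_u
            return alarms
        if as_path:                                    # step (3): type 'A'
            self.routes[neighbor][prefix] = list(as_path)
            origin, first_hop = origin_and_first_hop(as_path)
            if origin not in self.allowed_origins[prefix]:
                alarms.append(Alarm("prefix-hijack", prefix, neighbor))
            if first_hop is not None and first_hop not in self.allowed_first_hops[prefix]:
                alarms.append(Alarm("next-hop-hijack", prefix, neighbor))
        else:                                          # step (4): type 'W'
            self.routes[neighbor].pop(prefix, None)
            alarms.append(Alarm("unreachable-from-neighbor", prefix, neighbor))
        oset, fset = self.observed_sets(prefix)        # step (5)
        if not oset or not fset:                       # step (6), last condition
            alarms.append(Alarm("reachability-lost", prefix, neighbor))
        return alarms


def demo():
    """Constructed scenario: AS 64500 protects one prefix, upstreams 64501/64502."""
    prefix = "203.0.113.0/24"
    mon = UpdateMonitor([prefix], {prefix: {64500}}, {prefix: {64501, 64502}},
                        ["M1", "M2"])
    updates = [
        ("M1", prefix, [64510, 64501, 64500]),   # legitimate route
        ("M2", prefix, [64520, 64511]),          # 64511 announces the prefix itself
        ("M2", prefix, [64520, 64511, 64500]),   # 64511 claims adjacency to 64500
        ("M1", prefix, []),                      # withdrawal seen at M1
        ("M2", prefix, []),                      # withdrawal seen at M2 as well
        ("M1", "198.51.100.0/24", [64510, 64511]),  # not in I_u: ignored
    ]
    return [[a.kind for a in mon.on_update(*u)] for u in updates]


if __name__ == "__main__":
    for kinds in demo():
        print(kinds)
```

Following step (6), an announcement from an unauthorized origin also fails the first-hop check, so the second update raises both alarms.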
2. Session state monitoring method
This method guards against route hijacking aimed at the coordinated monitoring network itself by monitoring the communication state of the coordinated monitoring sessions established between monitors. It operates on the "data plane": it monitors in real time whether the data path between this monitor and each monitoring neighbor is normal and, when it detects that a coordinated monitoring session has failed, starts the fault diagnosis method to infer the cause of the failure.
A coordinated monitoring session usually connects two monitors that are not directly adjacent and is established as a multi-hop external BGP connection (ebgp-multihop); in essence it is no different from an ordinary BGP session. To maintain session connectivity, each side of a BGP session maintains two timers, KeepAlive and HoldDown. According to the routing protocol standard RFC4271, each side of a BGP session must send a KeepAlive message to the other side within every interval of duration KeepAlive; if either side receives no KeepAlive message within an interval of duration HoldDown, it resets the session. By default the KeepAlive and HoldDown timers are 60 seconds and 180 seconds respectively. BGP maintains a separate finite state machine (Finite State Machine, FSM) for each session neighbor, and each state machine has six states: Idle, Connect, Active, OpenSent, OpenConfirm and Established. Seen from either side of a coordinated monitoring session, the session is "UP" if and only if the state machine is in the "Established" state, and is considered "DOWN" when the state machine is in any of the other five states.
Monitor u and its monitoring neighbor v exchange routing updates about the prefix sets $I_u$ and $I_v$ over the monitoring session established between $c_u$ and $c_v$; but when prefix $c_u$ or $c_v$ is hijacked, the monitoring session can fail and the monitoring method with it. A routing failure in either direction, u → v or v → u, may also interrupt the monitoring session.
The specific causes of a coordinated monitoring session failure fall into the following four cases: (1) a routing failure in the u → v direction, called a forward path fault; (2) a routing failure in the v → u direction, called a backward path fault; (3) the cooperating prefix of u is hijacked as seen from v; (4) the cooperating prefix of v is hijacked as seen from u. In a real network, the cause of a monitoring session failure may be any combination of these four factors.
The session state monitoring method judges the working state of the coordinated network from the state of the coordinated monitoring sessions, and distinguishes session failures caused by hijacking of a cooperating prefix ($c_u$ or $c_v$ hijacked) from those caused by routing failures, so that routing security events are reported and located accurately.
The symbols and terms used in this method are defined as follows:
T: a time window of length T, usually set to 3 KeepAlive intervals or 1 HoldDown interval;
$S_i$: the coordinated monitoring session established with monitoring neighbor $M_i$, where $S_i$.state is the state of this monitoring session, "DOWN" or "UP"; $S_i$.fp is the path from u to $M_i$, called the forward path; and $S_i$.bp is the path from $M_i$ to u, called the backward path;
$ebuf_i$: monitor u maintains a buffer for each monitoring neighbor $M_i$ that stores the events observed on the monitoring session with $M_i$ during the most recent T, including BGP KeepAlive and BGP Notification messages, TCP connection establishment and teardown messages, and ICMP messages related to prefix
Each event is defined as a triple (time, type, original message); the original message is stored so that the network administrator can perform in-depth analysis;
$bp_i$: the AS-Path attribute of the route to the cooperating prefix $c_u$ that monitor u learns from monitoring neighbor $M_i$ over the coordinated monitoring session and that $M_i$ itself uses; this is in fact $S_i$.bp;
For every network prefix d visible to it, monitor u maintains the following three pieces of state: (1) $h_d$: the recent path changes for network prefix d that monitor u has learned from its internal neighbors; each element is (t, path), where t is the time the routing update was received and path is the AS-Path attribute in the received routing update message; (2) $newp_d$: the AS-Path attribute of the best route that monitor u currently uses to reach network prefix d; (3) $oldp_d$: the AS-Path attribute of the best route that monitor u used to reach network prefix d a time T ago;
stable($h_d$): computes from the information in $h_d$ the AS-Path attribute currently used from the local autonomous system to target network d, and the AS-Path attribute used a time T ago. The computation is as follows: (1) sort the elements of $h_d$ in ascending order of timestamp; (2) compute the time difference between each pair of adjacent elements; (3) choose the two adjacent elements with the largest time difference, and set $oldp_d$ to the AS-Path attribute of the one with the smaller timestamp; (4) set $newp_d$ to the AS-Path attribute of the element with the largest timestamp; (5) stable($h_d$) = ($oldp_d$, $newp_d$);
E: the event candidate set; each element is ($oldp_d$, $newp_d$), meaning that the path to network prefix d changed from $oldp_d$ to $newp_d$;
C: the fault candidate set; an element (u, v) represents the edge between autonomous systems u and v, and when u = v it represents the internal links of autonomous system u. Each element (u, v) is associated with a counter (u, v).counter that gives the number of events related to this link;
F: the fault set, the links or nodes confirmed to have failed; it is a subset of C.
The session state monitoring method consists of two independent parts. One part is responsible for updating and maintaining the monitored state and is called the session state maintenance submethod; the other analyzes the cause whenever a session state change is detected and generates logs to help the network administrator debug the network, and is called the session failure diagnosis submethod. The session state monitoring method only reads, and never changes, the running state of the routing protocol; its implementation is independent of the routing protocol and requires no modification of it.
2.1 Session state maintenance submethod
The session state maintenance submethod listens on the monitor with a raw socket and, when it receives IP message p at time t, carries out the following steps:
Step 1: read the "Protocol" field of the IP message (the 10th byte of the IP message) and parse the source address field $p_{src}$ of the message;
Step 2: if the "Protocol" field is 1, p is an ICMP message; otherwise return. If the type of the ICMP message is 3, the message reports a "destination unreachable" condition: read the error code (code) and extract from the data portion the destination address of the IP datagram that could not be delivered, denoted b; otherwise return. If the monitor has an external neighbor $M_i$ such that
holds, carry out the following steps; otherwise return:
(1) if this ICMP message is "network unreachable" (type 3, code 0), add (t, 'network unreachable', p) to $ebuf_i$;
(2) if this ICMP message is "host unreachable" (type 3, code 1), add (t, 'host unreachable', p) to $ebuf_i$;
(3) if this ICMP message is "unknown network" (type 3, code 6), add (t, 'network unknown', p) to $ebuf_i$;
(4) if this ICMP message is "unknown host" (type 3, code 7), add (t, 'host unknown', p) to $ebuf_i$;
(5) if this ICMP message is "port unreachable" (type 3, code 3), add (t, 'port unreachable', p) to $ebuf_i$;
(6) if this ICMP message is "TTL exceeded" (type 11, code 0), add (t, 'TTL exceeded', p) to $ebuf_i$;
(7) scan $ebuf_i$ from front to back and keep only the events received within the most recent T, then return;
Step 3: if the "Protocol" field is 6 (TCP) and the "Destination port" field of the TCP part (bytes 3 and 4 of the TCP part) is 179, p is a BGP message; otherwise return;
Step 4: parse the "Type" field of the BGP message (the 19th byte of the BGP part), denoted type;
Step 5: if type is 1, 3 or 4, the message is a BGP Open message, a KeepAlive message or a Notification message, and is handled as follows:
(1) if $p_{src}$ is an internal neighbor of this monitor, i.e. $p_{src} = ipi_u$, return;
(2) if $p_{src}$ is an external neighbor $M_i$ of this monitor, i.e.
then add the corresponding event, (t, 'BGP Open', p), (t, 'BGP KeepAlive', p) or (t, 'BGP Notification', p), to $ebuf_i$;
(3) scan $ebuf_i$ from front to back and keep only the events received within the most recent T, then return;
Step 6: if type is 2, the message is a BGP routing update (BGP Update) message; parse it to obtain the list of withdrawn prefixes $w_p$, the list of announced prefixes $a_p$, and the AS-Path attribute $path_p$;
Step 7: if $p_{src}$ is an internal neighbor of this monitor, i.e. $p_{src} = ipi_u$, carry out the following processing:
(1) if
then for every network prefix $d \in w_p$, add its latest change to $h_d$
This indicates that at time t the path attribute of the route from the local autonomous system to network prefix d became
(2) if
then for every network prefix $d \in a_p$, add its latest change $(t, path_p)$ to $h_d$, indicating that at time t the path attribute of the route from the local autonomous system to network prefix d became $path_p$;
(3) for every network prefix $d \in w_p \cup a_p$ concerned by p, check and update the corresponding $h_d$: keep only the routing updates received during [t-T, t] and the last routing update received before time t-T;
Step 8: if $p_{src}$ is an external neighbor $M_i$ of this monitor, i.e.
then carry out the following processing:
(1) if
if $c_u \in w_p$, then
This indicates that the path from monitoring neighbor $M_i$ to the local autonomous system u, that is, the backward path, has been withdrawn;
(2) if
if $c_u \in w_p$, then $bp_i = path_p$, indicating that the path from monitoring neighbor $M_i$ to the local autonomous system u has become $path_p$.
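Steps 1 to 5 of the maintenance submethod amount to a small packet classifier feeding a sliding-window buffer. The following Python example is added here and is not code from the patent: the function and class names and the sample addresses are constructed, and because the matching condition for an external neighbor is not legible on the page, the example assumes that an ICMP error is attributed to $M_i$ when the undelivered datagram's destination b equals the neighbor's address, and a BGP message when its source address does.

```python
import socket
import struct
from collections import defaultdict, deque

# (ICMP type, code) -> event label, as listed in step 2 of the submethod.
ICMP_EVENTS = {(3, 0): "network unreachable", (3, 1): "host unreachable",
               (3, 6): "network unknown", (3, 7): "host unknown",
               (3, 3): "port unreachable", (11, 0): "TTL exceeded"}
# BGP type byte -> event label for the messages buffered in step 5.
BGP_EVENTS = {1: "BGP Open", 3: "BGP Notification", 4: "BGP KeepAlive"}


def classify(packet):
    """Return (event_label, peer_ip) for a raw IPv4 packet, or None.

    peer_ip is the packet source for BGP messages and, for ICMP errors, the
    destination b of the undelivered datagram quoted in the ICMP body.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]                                  # 10th byte: Protocol
    src = socket.inet_ntoa(packet[12:16])
    body = packet[ihl:]
    if proto == 1:                                     # ICMP
        if len(body) < 8 + 20:
            return None
        event = ICMP_EVENTS.get((body[0], body[1]))
        quoted = body[8:]                              # header of the lost datagram
        return (event, socket.inet_ntoa(quoted[16:20])) if event else None
    if proto == 6 and len(body) >= 20:                 # TCP
        if struct.unpack("!H", body[2:4])[0] != 179:   # bytes 3-4: destination port
            return None
        bgp = body[(body[12] >> 4) * 4:]
        # Only a segment that starts on a BGP message boundary can be typed.
        if len(bgp) < 19 or bgp[:16] != b"\xff" * 16:
            return None
        event = BGP_EVENTS.get(bgp[18])                # 19th byte: Type
        return (event, src) if event else None
    return None


class SessionEventBuffer:
    """ebuf_i for each external neighbor, keyed by the neighbor's address."""

    def __init__(self, external_neighbors, window):
        self.external = set(external_neighbors)        # assumed match key
        self.window = window                            # T, in seconds
        self.ebuf = defaultdict(deque)

    def on_packet(self, t, packet):
        hit = classify(packet)
        if hit is None or hit[1] not in self.external:  # internal or unrelated
            return None
        event, peer = hit
        buf = self.ebuf[peer]
        buf.append((t, event, packet))                  # (time, type, original)
        while buf and buf[0][0] < t - self.window:      # keep only the last T
            buf.popleft()
        return event


def ip_packet(src, dst, proto, payload):
    """Constructed IPv4 header (checksum left at 0) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def sample_keepalive(src, dst):
    tcp = struct.pack("!HHIIBBHHH", 50000, 179, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_packet(src, dst, 6, tcp + b"\xff" * 16 + struct.pack("!HB", 19, 4))


def sample_icmp_unreachable(router, local, peer, code):
    quoted = ip_packet(local, peer, 6, b"\x00" * 8)     # datagram that never arrived
    return ip_packet(router, local, 1, struct.pack("!BBHI", 3, code, 0, 0) + quoted)


def demo():
    """Constructed traffic seen by monitor u with one external neighbor M1."""
    u, m1, internal = "192.0.2.10", "198.51.100.20", "10.0.0.1"
    buf = SessionEventBuffer([m1], window=180)
    seen = [buf.on_packet(0, sample_keepalive(m1, u)),
            buf.on_packet(60, sample_keepalive(internal, u)),   # internal neighbor
            buf.on_packet(200, sample_icmp_unreachable("203.0.113.1", u, m1, 1))]
    return seen, [(t, e) for t, e, _ in buf.ebuf[m1]]
```

Because the page matches on destination port 179 only, packets sent by a neighbor are recognized only when that neighbor opened the TCP connection.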
2.2 Session failure diagnosis submethod
When the session failure diagnosis submethod detects a session state change, i.e. $S_i$.state: $s_i \to s_i'$ ($s_i \neq s_i'$), it carries out the following steps:
Step 1: check the state $s_i'$; if it is "DOWN", continue; otherwise it is "UP", and return;
Step 2: make a preliminary determination of the cause of the failure of monitoring session $S_i$:
(1) compute the forward path of $S_i$ before the failure; the IP address of the peer end of monitoring session $S_i$ (the monitoring neighbor $M_i$ side) is
(2) compute the backward path of $S_i$ before the failure: $S_i$.bp = $bp_i$;
(3) the IP address of the peer end of monitoring session $S_i$ (the monitoring neighbor $M_i$ side) is
If the AS-Path attribute of the latest element in
is
then the failure of $S_i$ is caused by a forward path fault, and the forward path is $S_i$.fp;
(4) if $ebuf_i$ contains an ICMP event, the cooperating prefix of $M_i$ is unreachable and the failure of $S_i$ is caused by a forward path fault; the forward path is $S_i$.fp;
(5) check
If the AS announcing prefix
has changed, the failure of $S_i$ is caused by hijacking of the peer's cooperating prefix;
Step 3: if none of the conditions in step 2 is met, the causes of the failure of $S_i$ include hijacking of the local cooperating prefix $c_u$ and a backward path fault. First initialize
Then, for each network prefix d visible to u, further diagnose the cause of the failure of monitoring session $S_i$ as follows:
(1) compute $newp_d$ and $oldp_d$ from $h_d$: ($oldp_d$, $newp_d$) = stable($h_d$);
(2) if $newp_d \neq oldp_d$, add the event e: $oldp_d \to newp_d$ to the event candidate set, written $E \leftarrow E \cup \{(oldp_d, newp_d)\}$;
(3) for the two AS-Paths involved in event e, $newp_d$ and $oldp_d$, first remove consecutive repetitions (AS prepending) from each AS-Path to obtain an AS-Path of the form $v_k\, v_{k-1} \ldots v_1\, v_0$ (for any $0 \le m < n \le k$, $v_m \neq v_n$);
(4) add nodes to the fault candidate set,
and update the counter of each node: $(v_m, v_m).counter \leftarrow (v_m, v_m).counter + 1$;
(5) add edges to the fault candidate set,
and update the counter of each edge: $(v_{m+1}, v_m).counter \leftarrow (v_{m+1}, v_m).counter + 1$;
Step 4: sort the elements of the fault candidate set C in descending order of their associated counters, then carry out the following steps:
(2) for any event e: $oldp_d \to newp_d$ in E, if its $oldp_d$ or $newp_d$ attribute contains the node or edge (x, y), remove the event;
(3) remove (x, y) from C; if (x, y) removed one or more events from E, add this link to the fault set F: $F \leftarrow F \cup \{(x, y)\}$;
Step 5: compute the intersection $F_{fp}$ of the nodes and edges in F with the forward path $S_i$.fp, and the intersection $F_{bp}$ with the backward path $S_i$.bp;
Step 6: if
holds, it is a forward path fault; if
holds and $ebuf_i$ contains no BGP-related message (KeepAlive and Notification only) within the most recent 2T/3, it is a backward path fault; return the non-empty fault set $F_{fp}$ or $F_{bp}$. If none of the above conditions is satisfied, the local cooperating prefix is judged to have been hijacked.
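The stable($h_d$) computation defined earlier and items (1) to (3) of step 3 can be run on a constructed history as follows. This Python example is added here and is not code from the patent: the function names, prefixes, timestamps and AS numbers are constructed, and returning the same path twice for a history with a single entry is an assumption, since the page does not cover that case.

```python
def strip_prepending(as_path):
    """Remove consecutive repetitions of an AS (AS prepending), item (3)."""
    out = []
    for asn in as_path:
        if not out or out[-1] != asn:
            out.append(asn)
    return tuple(out)


def stable(h_d):
    """h_d: iterable of (t, as_path). Return (oldp_d, newp_d).

    newp_d is the path of the newest element. oldp_d is the path that was in
    place before the longest quiet period, i.e. the earlier of the two
    adjacent elements separated by the largest time difference.
    """
    hist = sorted(h_d, key=lambda e: e[0])
    newp = hist[-1][1]
    if len(hist) < 2:
        return newp, newp          # assumption: one entry means no change
    i = max(range(len(hist) - 1), key=lambda k: hist[k + 1][0] - hist[k][0])
    return hist[i][1], newp


def build_events(histories):
    """Items (1)-(3): event candidate set E as {prefix: (oldp_d, newp_d)}."""
    events = {}
    for d, h_d in histories.items():
        if not h_d:
            continue
        oldp, newp = stable(h_d)
        if tuple(oldp) != tuple(newp):                 # item (2)
            events[d] = (strip_prepending(oldp), strip_prepending(newp))
    return events


# Constructed histories; an empty path stands for a withdrawal.
SAMPLE_HISTORIES = {
    # Stable for a long time, then a burst of churn before settling.
    "198.51.100.0/24": [
        (912, (64502, 64520, 64496)),
        (100, (64501, 64510, 64510, 64496)),
        (905, (64502, 64511, 64496)),
        (907, ()),
    ],
    # A single old entry: no change.
    "192.0.2.0/24": [(50, (64501, 64497))],
    # Re-announced with the same path: no event.
    "203.0.113.0/24": [(300, (64501, 64498)), (910, (64501, 64498))],
}

if __name__ == "__main__":
    for prefix, (old, new) in build_events(SAMPLE_HISTORIES).items():
        print(prefix, old, "->", new)
```

The largest-gap rule skips the transient paths at times 905 and 907 and compares the long-standing path with the one finally selected.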
The present invention achieves the following beneficial effects:
The present invention makes full use of the existing network management and measurement facilities inside the AS, as well as the data collection facilities set up by public routing data dissemination projects. By coordinating and integrating existing network resources, it builds a cooperative network for monitoring BGP prefix hijacking and next-hop hijacking. Adopting the present invention obtains the following effects:
(1) Prefix hijacking and next-hop hijacking events directed at the local autonomous system's network are monitored from the control plane. It is worth noting in particular that other routing security monitoring methods at present can generally detect only prefix hijacking. Detecting these two types of events from the control plane has low overhead and high accuracy.
(2) The underlying IP network communication on which the normal operation of the cooperative network relies is protected from the data plane. The coordinated monitoring session adopts a connectivity maintenance mechanism similar to that of a BGP session, which ensures that it is not disturbed by normal routing events; no new overlay network needs to be built and no new overlay network protocol needs to be implemented, so deployment is simple. By monitoring the state of the coordinated monitoring sessions, the key nodes and links that cause a session to be interrupted can be diagnosed, giving autonomous system administrators a basis for network debugging.
(3) Because detection of prefix hijacking and next-hop hijacking is carried out locally, there is no problem of a detected security event being unable to be notified to the victim autonomous system. ISPs taking part in public routing data dissemination services have no data privacy concerns and benefit directly from deploying this method, which unifies responsibility, rights and benefits and favours the sustained expansion and evolution of the cooperative network's scale.
Description of drawings
Fig. 1 is a schematic of the deployment of the present invention within an autonomous system;
Fig. 2 is a schematic of the deployment of the present invention between autonomous systems;
Fig. 3 is a schematic of the monitor's route import/export policies toward internal neighbours and external neighbours;
Fig. 4 is the functional module design of the present invention;
Fig. 5 shows a concrete implementation of this method on a server;
Fig. 6 shows the number of BGP update messages received every 3 minutes, and the storage overhead, after adopting the present invention;
Fig. 7 shows the safe range that can be covered after an AS adopting the present invention establishes coordinated monitoring sessions with 5n (1≤n≤11) ASes, illustrating the coverage capability of the monitoring method of the present invention.
Embodiment
Fig. 1 is a schematic of how the monitor is interconnected inside an autonomous system (AS). For backup purposes, each monitor is preferably interconnected with two or more internal neighbours. The border routers inside an AS can be organized in several ways, including iBGP full mesh, route reflectors and BGP confederations. Depending on how the border routers inside the AS are interconnected, the internal neighbours the monitor connects to differ slightly. (1) For an AS whose border routers use iBGP full mesh, as shown in Fig. 1(a), the monitor needs to establish BGP sessions with any two or more of those routers; (2) for an AS deployed with route reflection, as shown in Fig. 1(b), the monitor needs to establish BGP sessions with any two or more route reflectors (Route Reflector, RR), and the monitor is configured as a route reflector client (Route Client, RC); (3) for an AS deployed with BGP confederations, the monitor only needs to join any one confederation and establish BGP sessions with any two or more routers in that confederation; the connection is the same as shown in Fig. 1(a).
When the monitor interconnects with internal neighbours, this method requires the monitor to establish its BGP sessions using an AS-internal address block, that is, an address block that is neither announced to external autonomous systems nor allowed to be learned from external autonomous systems. This address block may be, but is not limited to, private addresses. It is handled in the same way as the addresses of the AS's internal routers: it is propagated only inside the AS through the IGP, to provide connectivity to this address block throughout the AS, and is filtered at the AS border. This ensures that communication between the monitor and its internal neighbours cannot be hijacked. For the implementation, the autonomous system administrator has several options. For example, the address block used by routers can be filtered on the border routers with configuration mechanisms such as route-map, filter-list and redistribute-list/prefix-list; or a predefined COMMUNITY attribute can be marked on the routes when they are redistributed from IGRP into BGP, and the border routers filter on that specific COMMUNITY attribute.
Fig. 2 is a schematic of the inter-domain deployment of this method. The inter-domain deployment embodies the cooperative nature of the method: viewed across the whole Internet, the ASes that have deployed monitors interconnect according to self-defined policies and so form a peer-to-peer network of monitors. Monitors communicate over TCP and exchange the routing updates they are mutually interested in. In principle, a monitor should establish coordinated monitoring sessions with multiple monitors.
Unlike intra-domain deployment, to allow monitors in different ASes to communicate, the network address a monitor uses to establish coordinated monitoring sessions with external neighbours must be routable on the Internet; in other words, the address block containing this address must be announced to the AS's neighbours and then propagated throughout the inter-domain routing system, so that it is reachable network-wide. Usually, a monitor uses only one address to establish coordinated monitoring sessions with all of its external monitor neighbours, which makes it easier to correlate the states of multiple monitoring sessions during fault diagnosis.
Fig. 3 illustrates the monitor's import/export policies in Cisco router configuration format.
Each monitor and its internal neighbours are in fact under the jurisdiction of the same autonomous system, so the import and export policies between them are relatively simple. The monitor accepts, without filtering, all routes sent by its internal neighbours and sends no routes to them; the monitor's configuration is shown in row 1, column 2 of Fig. 3. The other routers interconnected with the monitor, i.e. the monitor's internal neighbours in autonomous system u, export all routes to the monitor without filtering and reject any route the monitor sends; their configuration is shown in row 1, column 3 of Fig. 3.
For monitors u and v in different ASes, in the u → v direction u exports only routes for prefixes in $I_v$, and v likewise imports only updates for prefixes in $I_v$. Similarly, in the v → u direction v exports only routes for prefixes in $I_u$, and u imports only routing updates for prefixes in $I_u$. When exporting routes to an external neighbour, the Local Preference, Community and MED attributes of the route must all be reset to empty or 0; the configurations of u and v are shown in columns 2 and 3 of row 2 of Fig. 3, respectively.
Fig. 4 is the functional module design of the monitor, comprising the underlying router/routing software, a management configuration module, a monitor neighbour configuration module, a routing update monitoring module, a session state monitoring module, a network probing module and an alarm module. The underlying router/routing software module can be a router device, or a software router running on an ordinary server, such as Quagga, Zebra or XORP; it is used to exchange with monitor neighbours the routing updates for the networks each is interested in.
The management configuration module provides two functions. For any autonomous system u, first, the autonomous system administrator needs to configure the knowledge the monitor requires for coordinated monitoring of prefix hijacking, including the set of prefixes owned by this autonomous system, the autonomous system neighbours directly connected to it, and the set of prefixes announced to each neighbour. Second, the auxiliary information needed when this autonomous system's monitor establishes session relationships with monitors in other autonomous systems must also be configured, including the security mechanism and keys protecting the session, and the route import and export policies.
The routing update monitoring module checks BGP routing updates from neighbour monitors and raises an alarm to the alarm module when it finds a conflict with the predefined knowledge. The session state monitoring module monitors the state of data communication between this monitor and neighbour monitors and raises an alarm to the alarm module when a session is interrupted.
The alarm module receives alarm information from the routing update monitoring module and the session state monitoring module and starts the network probing module to confirm it; once a prefix hijack is confirmed, it alerts the autonomous system administrator.
The network probing module uses Ping, TraceRoute and TCP Ping, techniques currently in wide use for topology probing, to verify the preliminary alarm information from the data plane.
Fig. 5 shows a concrete implementation of this method on a server. The implementation uses the open-source routing software Quagga (http://www.quagga.net) to establish the coordinated monitoring sessions with internal neighbours and external neighbours, and captures packets through a raw socket (Raw Socket). As an optimization, the routing update monitoring method and the session state monitoring method have been merged into the packet handling flow.
Captured packets are first filtered by 'protocol', keeping only the 'ICMP' and 'TCP' types. For an ICMP packet, the 'error type' and 'error code' are parsed further, and the destination address of the IP packet that caused the error is parsed from the data portion of the ICMP packet; if that destination address is an external neighbour, the ebuf corresponding to that neighbour is updated. For a TCP packet, it is further checked whether the packet is a BGP message; if so, the type (type) of the BGP message is parsed. When type is 2, the message is passed to the routing update detection module to detect route hijacking, and the session state monitoring method updates the backward path; if type is 1, 3 or 4, the message is passed directly to the session state monitoring method to update ebuf.
The state (communication state) of the coordinated sessions on the data plane is obtained with the 'vtysh' tool that Quagga itself provides; the command used in this implementation is 'vtysh -e show bgp neighbors', and the returned text is then analysed to extract the state of each monitoring session. Quagga is queried periodically to monitor session state in real time; the polling period is set to 10 s, and fault diagnosis is started when the state of a coordinated monitoring session is detected not to be 'Established'.
Fig. 6 shows the overhead of the coordinated monitoring system. The data used in the evaluation come from the collector (route-views.routeviews.org) of the RouteViews project of the state university of Oregon, USA: the BGP routing updates collected from 39 ± 3 autonomous systems from 00:00 on January 1, 2010 to 11:59 on December 31, 2010 were selected. Specifically, assuming that a monitor has established coordinated monitoring sessions with the 39 ± 3 monitors evaluated, two metrics are assessed: first, with T set to the default 3 minutes, the number of BGP routing updates the monitor receives within T; second, with T set to the default 3 minutes, the memory (in KB) the monitor needs to store the BGP updates received within T. The former averages 698.5 per 3 minutes with a peak of 3661 per 3 minutes; the latter averages 104 KB with a peak of 417 KB. Considering that traffic in today's core networks is readily measured in Gb, and that servers and routers have 2 GB or more of memory, this overhead is affordable.
Fig. 7 shows the security effect that can be achieved when three different strategies are used to choose the cooperating autonomous systems with which coordinated monitoring sessions are established. The evaluation is based on a real Internet topology (collected from the routing tables published by the RouteViews project on January 1, 2010) with 33232 autonomous systems and 97485 edges connecting different autonomous systems. Suppose u has deployed this coordinated monitoring method and joined the coordinated monitoring network; when an AS hijacks a prefix of u, it is then likely to be discovered by u. This method defines the safe range of u as the set of ASes whose hijacking of u's prefixes can be discovered by u; correspondingly, the size of the safe range is the number of such ASes. "Random strategy" means that u selects collaborative neighbours at random; "preferential connection" means that u always selects the AS with the largest node degree as its collaborative neighbour; "absolute utility" means that u always selects as its collaborative neighbour the AS that brings it the largest safe range. Experiments show that when fewer than 35 collaborative neighbours are selected, the "absolute utility" strategy has a significant advantage, but once more than 45 collaborative neighbours are chosen, the difference in effect among the three strategies is not obvious. This shows that the effect of the method is insensitive to the node selection strategy, which allows autonomous system administrators to choose the collaborative neighbours of their autonomous system flexibly and increases deployment flexibility.
Claims (5)
1. A coordinated monitoring method for preventing Border Gateway Protocol route hijacking, characterized in that the technical scheme of the method is: an AS taking part in the coordination uses an existing or newly added server to run the BGP protocol, establishes BGP sessions for collecting route update messages with one or more internal routers, and at the same time establishes coordinated monitoring sessions with monitoring servers in a plurality of other ASes; the method consists specifically of two parts, a routing update monitoring method and a session state monitoring method.
2. The coordinated monitoring method for preventing Border Gateway Protocol route hijacking according to claim 1, characterized in that the routing update monitoring method inspects route update messages from monitoring neighbours, i.e. detection on the "control plane", to discover BGP prefix hijacking and next-hop hijacking events directed at the local autonomous system. The detection procedure is: when monitoring server u receives at time t a route update message r about prefix d sent by monitoring neighbour $M_i$, it carries out the following steps:
(1) determine whether the prefix d involved in the route is in the set $I_u$; if so, the route is relevant to the local autonomous system and steps (2)-(6) continue; otherwise return;
(2) parse the content of route r to obtain its AS-Path attribute r.p;
(3) if
the routing update is of type 'A'; parse the route further to obtain the r.origin attribute and the r.firsthop attribute, and update the information for monitor $M_i$: $M_i[d] = r$;
(4) if
the routing update is of type 'W', then
At the same time, this means that the AS where $M_i$ is located has become unable to reach network prefix d; generate an alarm message that prefix d is unreachable for $M_i$;
(5) recompute the set of announcers and the set of next hops for prefix d observed at the current time from each monitoring neighbour,
(6) check that the newly received origin autonomous system and first-hop autonomous system are consistent with the predefined policy: if r.origin does not belong to $O_u(d)$, generate a prefix hijack alarm; if r.firsthop does not belong to $L_u(d)$, generate a next-hop hijack alarm; if $OSet_u(d, t)$ is empty or $FSet_u(d, t)$ is empty, generate a loss-of-reachability alarm for prefix d.
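The checks in steps (1)-(6) can be followed in this added Python example, which is not code from the patent. It assumes r.firsthop is the AS adjacent to the origin in the AS-Path (this section does not define it), matches prefixes against $I_u$ exactly, and uses constructed documentation ASNs and prefixes; the class and alarm names are hypothetical.

```python
from dataclasses import dataclass
from itertools import groupby


@dataclass(frozen=True)
class Policy:
    origins: frozenset      # O_u(d): ASes allowed to originate prefix d
    first_hops: frozenset   # L_u(d): direct neighbours that d is announced to


class UpdateMonitor:
    """Control-plane check run by monitor u on updates from monitoring neighbours."""

    def __init__(self, policies):
        self.policies = policies   # keys form I_u, the prefixes owned by u
        self.latest = {}           # neighbour -> {prefix: (origin, firsthop)}, i.e. M_i[d]

    def observed(self, prefix):
        """OSet_u(d, t) and FSet_u(d, t): origins / first hops currently seen for d."""
        seen = [t[prefix] for t in self.latest.values() if prefix in t]
        return {o for o, _ in seen}, {f for _, f in seen if f is not None}

    def process(self, neighbour, kind, prefix, as_path=()):
        """kind is 'A' (announce) or 'W' (withdraw); returns a list of alarm tuples."""
        alarms = []
        if prefix not in self.policies:           # step (1): not one of u's prefixes
            return alarms
        policy = self.policies[prefix]
        table = self.latest.setdefault(neighbour, {})
        origin = firsthop = None
        if kind == "A":
            path = [asn for asn, _ in groupby(as_path)]   # drop AS prepending
            if not path:
                return alarms                     # no AS-Path to judge
            origin = path[-1]
            # Assumption: the first hop is the AS next to the origin.
            firsthop = path[-2] if len(path) > 1 else None
            table[prefix] = (origin, firsthop)    # step (3): M_i[d] = r
        elif kind == "W":
            table.pop(prefix, None)               # step (4): forget M_i's route
            alarms.append(("UNREACHABLE_FROM_NEIGHBOUR", prefix, neighbour))
        else:
            raise ValueError("kind must be 'A' or 'W'")
        oset, fset = self.observed(prefix)        # step (5)
        if kind == "A":                           # step (6)
            if origin not in policy.origins:
                alarms.append(("PREFIX_HIJACK", prefix, origin))
            if firsthop is not None and firsthop not in policy.first_hops:
                alarms.append(("NEXT_HOP_HIJACK", prefix, firsthop))
        if not oset or not fset:
            alarms.append(("REACHABILITY_LOST", prefix, None))
        return alarms


def demo():
    """Constructed scenario: u is AS 64500 and owns 192.0.2.0/24."""
    mon = UpdateMonitor({"192.0.2.0/24": Policy(frozenset({64500}),
                                                frozenset({64501, 64502}))})
    d = "192.0.2.0/24"
    return [
        mon.process("M1", "A", d, (64510, 64501, 64500, 64500)),    # legitimate
        mon.process("M2", "A", d, (64520, 64511)),                  # bogus origin
        mon.process("M2", "A", d, (64520, 64511, 64500)),           # bogus first hop
        mon.process("M1", "W", d),
        mon.process("M2", "W", d),
        mon.process("M2", "A", "198.51.100.0/24", (64520, 64511)),  # not in I_u
    ]
```

A forged origin also changes the AS next to the origin, so the second update raises both alarms; exact matching against $I_u$ means a more-specific announcement of one of u's prefixes is not examined unless that prefix is listed too.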
3. The coordinated monitoring method for preventing Border Gateway Protocol route hijacking according to claim 1, characterized in that the session state monitoring method, by monitoring the communication state of the coordinated monitoring sessions established between multiple monitors, guards against route hijacking directed at the coordinated monitoring network itself. The method operates on the 'data plane': it monitors in real time whether the data path between this monitor and its monitoring neighbours is normal and, when a coordinated monitoring session failure is detected, starts the fault diagnosis method to infer the cause of the failure;
The session state monitoring method consists of two independent parts. One part is responsible for updating and maintaining the various monitored states and is called the session state maintenance sub-method; the other, when a session state change is detected, analyses the cause of the change and generates logs to help the network administrator debug the network, and is called the session fault diagnosis sub-method;
The session state monitoring method only reads, and does not change, the running state of the routing protocol; its implementation is independent of the routing protocol, and the routing protocol does not need to be modified.
4. The coordinated monitoring method for preventing Border Gateway Protocol route hijacking according to claim 1, characterized in that the session state maintenance sub-method listens on the monitor using a raw socket and, when an IP packet p is received at time t, carries out the following steps:
Step 1: obtain the "protocol" (Protocol) field of the IP packet (the 10th byte of the IP packet), and parse the packet's source address field $p_{src}$.
Step 2: if the 'protocol' field is 1, p is an ICMP packet; otherwise return. If the type code (type) of the ICMP packet is 3, the packet reports a "destination unreachable" condition; read the error code (code) and extract from its data portion the destination address of the IP data that was not successfully delivered, denoted b; otherwise return. If the monitor has an external neighbour $M_i$ such that
then carry out the following steps; otherwise return;
(1) if this ICMP is "network unreachable" (type code 3, error code 0), add (t, 'network unreachable', p) to $ebuf_i$;
(2) if this ICMP is "host unreachable" (type code 3, error code 1), add (t, 'host unreachable', p) to $ebuf_i$;
(3) if this ICMP is "unknown network" (type code 3, error code 6), add (t, 'network unknown', p) to $ebuf_i$;
(4) if this ICMP is "unknown host" (type code 3, error code 7), add (t, 'host unknown', p) to $ebuf_i$;
(5) if this ICMP is "port unreachable" (type code 3, error code 3), add (t, 'port unreachable', p) to $ebuf_i$;
(6) if this ICMP is "TTL exceeded" (type code 11, error code 0), add (t, 'TTL exceeded', p) to $ebuf_i$;
(7) scan $ebuf_i$ from front to back, keeping only the events received within the most recent time T, then return;
Step 3: if the 'protocol' field is '6' (TCP) and the 'destination port' (Destination port) field of the TCP part (the 3rd and 4th bytes of the TCP part) is 179, p is a BGP message; otherwise return;
Step 4: parse the 'type' (Type) field of the BGP message (the 19th byte of the BGP part), denoted type;
Step 5: if type is 1 or 3 or 4, the message is a BGP Open message, or a KeepAlive message, or a Notification message, and the following processing is carried out:
(1) if $p_{src}$ is an internal neighbour of this monitor, i.e. $p_{src} == ipi_u$, return;
(2) if $p_{src}$ is an external neighbour $M_i$ of this monitor, i.e.
then add to $ebuf_i$, correspondingly, (t, 'BGP Open', p), or (t, 'BGP KeepAlive', p), or (t, 'BGP Notification', p);
(3) scan $ebuf_i$ from front to back, keeping only the events received within the most recent time T, then return;
Step 6: if type is 2, the message is a BGP routing update (BGP Update) message; parse it to obtain the list of withdrawn prefixes $w_p$, the list of announced prefixes $a_p$, and the AS-Path attribute $path_p$.
Step 7: if $p_{src}$ is an internal neighbour of this monitor, i.e. $p_{src} = ipi_u$, carry out the following processing:
(1) if
then for any network prefix $d \in w_p$, add its latest change to $h_d$
indicating that at time t the path attribute of the route from the local autonomous system to network prefix d became
(2) if
then for any network prefix $d \in a_p$, add its latest change $(t, path_p)$ to $h_d$, indicating that at time t the path attribute of the route from the local autonomous system to network prefix d became $path_p$;
(3) for any network prefix $d \in w_p \cup a_p$ involved in p, check and update the corresponding $h_d$; specifically, keep only the routing updates received within [t-T, t], together with the last routing update received before time t-T;
Step 8: if $p_{src}$ is an external neighbour $M_i$ of this monitor, i.e.
then carry out the following processing:
(1) if
if $c_u \in w_p$, then
indicating that the path from monitoring neighbour $M_i$ to local autonomous system u, i.e. the backward path, has been withdrawn;
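The packet classification in steps 1 to 5 of claim 4, which is also the message handling flow of the Fig. 5 implementation, can be tried with this added Python example; it is not code from the patent. The function and class names, the addresses and the sample packets are constructed for illustration, and accepting source port 179 as well as destination port 179 goes beyond what the page specifies.

```python
import socket
import struct
from collections import deque

ICMP_EVENTS = {  # (type, code) pairs listed in step 2
    (3, 0): "network unreachable", (3, 1): "host unreachable",
    (3, 3): "port unreachable", (3, 6): "network unknown",
    (3, 7): "host unknown", (11, 0): "TTL exceeded",
}
BGP_TYPES = {1: "BGP Open", 2: "BGP Update", 3: "BGP Notification", 4: "BGP KeepAlive"}
BGP_PORT = 179


def classify(packet, external_neighbours):
    """Return (kind, neighbour_or_source_ip, label), or None if the packet is ignored."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4              # IPv4 header length, options included
    if ihl < 20 or len(packet) < ihl:
        return None
    proto = packet[9]                          # the "10th byte" of the IP packet
    src = socket.inet_ntoa(packet[12:16])
    body = packet[ihl:]
    if proto == 1:                             # ICMP
        if len(body) < 8 + 20:
            return None
        label = ICMP_EVENTS.get((body[0], body[1]))
        # The ICMP data carries the IP header of the packet that could not be delivered.
        failed_dst = socket.inet_ntoa(body[8 + 16:8 + 20])
        if label is None or failed_dst not in external_neighbours:
            return None
        return ("icmp", failed_dst, label)
    if proto == 6:                             # TCP
        if len(body) < 20:
            return None
        sport, dport = struct.unpack("!HH", body[:4])
        # The page tests only the destination port; a session that the monitor
        # opened itself returns with source port 179, so both are accepted here.
        if BGP_PORT not in (sport, dport):
            return None
        payload = body[(body[12] >> 4) * 4:]   # skip TCP header and options
        if len(payload) < 19 or payload[:16] != b"\xff" * 16:
            return None                        # no BGP header at the segment start
        label = BGP_TYPES.get(payload[18])     # the "19th byte" of the BGP part
        return ("bgp", src, label) if label else None
    return None


class EventBuffer:
    """ebuf_i: events for one external neighbour, trimmed to the last T seconds."""

    def __init__(self, window):
        self.window = window
        self.events = deque()

    def add(self, t, label):
        self.events.append((t, label))
        while self.events and self.events[0][0] < t - self.window:
            self.events.popleft()
        return list(self.events)


# --- constructed sample packets (checksums left at zero, not validated) ---
def ipv4(proto, src, dst, payload):
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def tcp(sport, dport, payload=b""):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


MONITOR, NEIGHBOUR = "198.51.100.1", "203.0.113.7"
KEEPALIVE = ipv4(6, NEIGHBOUR, MONITOR,
                 tcp(179, 40000, b"\xff" * 16 + struct.pack("!HB", 19, 4)))
LOST = ipv4(6, MONITOR, NEIGHBOUR, tcp(40000, 179))
HOST_UNREACHABLE = ipv4(1, "192.0.2.254", MONITOR,
                        struct.pack("!BBHI", 3, 1, 0, 0) + LOST[:28])
```

Only a BGP header at the start of a TCP segment is recognised; a segment that carries several BGP messages, or the tail of one, would need stream reassembly before the type byte can be read reliably.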
5. The coordinated monitoring method for preventing Border Gateway Protocol route hijacking according to claim 1, characterized in that, when the session fault diagnosis sub-method detects a session state change, i.e. $S_i.State: s_i \to s_i'$ ($s_i \neq s_i'$), it carries out the following steps:
Step 1: determine the state $s_i'$; if it is "DOWN", continue; otherwise it is "UP", return;
Step 2: make a preliminary determination of the cause of the failure of monitoring session $S_i$
(1) compute the forward path of $S_i$ before the failure; the IP address of the peer end of monitoring session $S_i$ (the side of monitoring neighbour $M_i$) is
(2) compute the backward path of $S_i$ before the failure, $S_i.bp = bp_i$;
(3) the IP address of the peer end of monitoring session $S_i$ (the side of monitoring neighbour $M_i$) is
If, in
the AS-Path attribute of the latest element is
then the failure of $S_i$ is caused by a forward path fault, and the forward path is $S_i.fp$;
(4) if ICMP events exist in $ebuf_i$, indicating that the collaborative prefix of $M_i$ is unreachable, the failure of $S_i$ is caused by a forward path fault, and this forward path is $S_i.fp$;
(5) check
if the AS announcing prefix
has changed, the failure of $S_i$ is caused by the peer's collaborative prefix being hijacked;
Step 3: if none of the conditions in step 2 is met, the causes of the failure of $S_i$ include the local collaborative prefix $c_u$ being hijacked, or a backward path failure. First initialize
Then, for each network prefix $d$ visible to $u$, further diagnose the reason monitoring session $S_i$ failed according to the following steps:
(1) compute $newp_d$ and $oldp_d$ from $h_d$: $(oldp_d, newp_d) = stable(h_d)$;
(2) if $newp_d \neq oldp_d$, add the event $e: oldp_d \to newp_d$ to the event candidate set, denoted $E \leftarrow E \cup \{(oldp_d, newp_d)\}$;
(3) for the two AS-Paths involved in event $e$, $newp_d$ and $oldp_d$, first remove consecutive repeated occurrences (AS prepending) from each AS-Path, obtaining an AS-Path of the form $v_k v_{k-1} \ldots v_1 v_0$ (for any $0 \le m < n \le k$, $v_m \neq v_n$);
(4) add the nodes to the fault candidate set,
update the corresponding node counters: $(v_m, v_m).counter \leftarrow (v_m, v_m).counter + 1$;
(5) add the edges to the fault candidate set,
update the corresponding edge counters: $(v_{m+1}, v_m).counter \leftarrow (v_{m+1}, v_m).counter + 1$;
Step 4: sort the elements of the fault candidate set $C$ in descending order of their associated counters, then carry out the following steps:
(1) if
then choose from $C$ the element $(x, y)$ with the highest counter value;
(2) for any event $e: oldp_d \to newp_d$ in $E$, if its $oldp_d$ or $newp_d$ attribute contains the node or edge $(x, y)$, remove the event;
(3) remove $(x, y)$ from $C$; if $(x, y)$ successfully removed one or more events from $E$, add this link to the fault set $F$: $F \leftarrow F \cup \{(x, y)\}$;
Step 5: compute the intersection $F_{fp}$ of the nodes/edges in $F$ with the forward path $S_i.fp$, and the intersection $F_{bp}$ with the backward path $S_i.bp$.
Step 6: if
the failure is a forward path fault; if
and $ebuf_i$ contains no BGP protocol message (limited to KeepAlive and Notification) within the most recent $2T/3$, the failure is a backward path fault, and the non-empty fault set $F_{fp}$ or $F_{bp}$ is returned. If none of the above conditions is satisfied, the local collaborative prefix is judged to have been hijacked.
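Steps 3 to 6 of the session fault diagnosis, given both in the description and in claim 5, are worked through in this added Python example, which is not code from the patent. Several conditions are missing from the page, so the code assumes: the greedy loop runs while events remain, the step 6 tests are "$F_{fp}$ non-empty" and "$F_{bp}$ non-empty", edges are compared without direction so that they can match the backward path, and ties between equal counters are broken by element value. The inputs are the (oldp_d, newp_d) pairs that stable(h_d) would return, and all ASNs are constructed.

```python
from collections import Counter
from itertools import groupby


def elements(path):
    """Nodes (v, v) and undirected edges of an AS-Path with prepending removed."""
    hops = [asn for asn, _ in groupby(path)]
    nodes = {(v, v) for v in hops}
    edges = {tuple(sorted(pair)) for pair in zip(hops, hops[1:])}
    return nodes | edges


def localize(events):
    """Steps 3-4: greedy choice of the nodes/edges that explain the route changes.

    events: (oldp_d, newp_d) pairs, one per prefix d, as returned by stable(h_d).
    """
    changed = [(elements(old), elements(new))
               for old, new in events if tuple(old) != tuple(new)]   # set E
    counters = Counter()                                             # set C
    for old, new in changed:
        counters.update(old)
        counters.update(new)
    # Descending counter order; ties broken by element value (assumption).
    ranked = sorted(counters, key=lambda el: (-counters[el], el))
    faults = set()                                                   # set F
    for element in ranked:
        if not changed:
            break
        remaining = [ev for ev in changed
                     if element not in ev[0] and element not in ev[1]]
        if len(remaining) < len(changed):    # it explained at least one event
            faults.add(element)
        changed = remaining
    return faults


def diagnose(events, forward_path, backward_path, last_bgp_message, now, T):
    """Steps 5-6. last_bgp_message is the time of the newest KeepAlive or
    Notification in ebuf_i, or None. Returns (verdict, fault_set)."""
    faults = localize(events)
    f_fp = faults & elements(forward_path)
    f_bp = faults & elements(backward_path)
    if f_fp:                                   # assumed condition: F_fp non-empty
        return "forward path fault", f_fp
    silent = last_bgp_message is None or now - last_bgp_message > 2 * T / 3
    if f_bp and silent:                        # assumed condition: F_bp non-empty
        return "backward path fault", f_bp
    return "local collaborative prefix hijacked", set()


# Constructed sample: AS-Paths seen by u (AS 64500) before and after a failure.
FORWARD = (64501, 64505, 64510)          # S_i.fp, towards neighbour AS 64510
BACKWARD = (64506, 64502, 64500)         # S_i.bp, from the neighbour back to u
EVENTS_FP = [                            # routes move away from 64501-64505
    ((64501, 64505, 64520), (64502, 64520)),
    ((64501, 64505, 64505, 64530), (64503, 64530)),
    ((64501, 64505, 64510), (64504, 64506, 64510)),
]
EVENTS_BP = [                            # routes move away from 64502-64506
    ((64502, 64506, 64540), (64503, 64540)),
    ((64502, 64506, 64541), (64503, 64507, 64541)),
    ((64502, 64506, 64542), (64504, 64542)),
]
```

In both samples a failed link and a failed endpoint collect the same counter value, so which of the three tied elements lands in F depends on the tie-break; the forward or backward verdict does not.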
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2011103438226A CN102394794A (en) | 2011-11-04 | 2011-11-04 | Coordinated monitoring method for preventing BGP routing hijacking |
Publications (1)
Publication Number | Publication Date |
---|---|
CN102394794A true CN102394794A (en) | 2012-03-28 |
Family
ID=45862005
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2011103438226A Pending CN102394794A (en) | 2011-11-04 | 2011-11-04 | Coordinated monitoring method for preventing BGP routing hijacking |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102394794A (en) |
CN111917577A (en) * | 2020-07-29 | 2020-11-10 | 云南诺寻科科技有限公司 | BGP routing information acquisition method, BGP routing information acquisition device, computer equipment and storage medium |
CN111835791A (en) * | 2020-07-30 | 2020-10-27 | 哈尔滨工业大学 | BGP security event rapid detection system |
CN111835791B (en) * | 2020-07-30 | 2022-10-28 | 哈尔滨工业大学 | BGP security event rapid detection system |
CN113328990B (en) * | 2021-04-21 | 2022-09-09 | 北京邮电大学 | Internet route hijacking detection method based on multiple filtering and electronic equipment |
CN113328990A (en) * | 2021-04-21 | 2021-08-31 | 北京邮电大学 | Internet route hijacking detection method based on multiple filtering and electronic equipment |
WO2023284547A1 (en) * | 2021-07-16 | 2023-01-19 | 华为技术有限公司 | Fault detection method, apparatus and system |
CN115277418A (en) * | 2022-07-31 | 2022-11-01 | 深圳市风云实业有限公司 | BGP network operation and maintenance system |
CN115412427A (en) * | 2022-08-30 | 2022-11-29 | 梅州科捷电路有限公司 | Router safety monitoring early warning system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN102394794A (en) | Coordinated monitoring method for preventing BGP routing hijacking | |
Giotsas et al. | Detecting peering infrastructure outages in the wild | |
CN101505230B (en) | Event triggered traceroute for optimized routing in a computer network | |
Shaikh et al. | OSPF Monitoring: Architecture, Design, and Deployment Experience. | |
Oliveira et al. | The (in) completeness of the observed Internet AS-level structure | |
Zhu et al. | Feedback based routing | |
US8161152B2 (en) | Methods and systems for monitoring network routing | |
EP2434688B1 (en) | Method and system for analyzing alarm root cause | |
CN109309621A (en) | Method and the network equipment based on Service Level Agreement selection next-hop | |
US20070047464A1 (en) | Routing configuration validation apparatus and methods | |
CN106992891B (en) | A kind of routing configuration method for detecting abnormality and system for ospf network | |
US20020103631A1 (en) | Traffic engineering system and method | |
US20150333966A2 (en) | Determining the network topology of a communication network | |
CN1663176A (en) | Identifying network routers and paths | |
CN100550859C (en) | A kind of autonomic system network routing topology constructing method | |
TW200511002A (en) | Reliable fault resolution in a cluster | |
US20080192650A1 (en) | Method and Node for Locating a Network User | |
CN104954367A (en) | Internet omnidirectional cross-domain DDoS (distributed denial of service) attack defense method | |
CN108449210B (en) | Network routing fault monitoring system | |
CN112468592B (en) | Terminal online state detection method and system based on electric power information acquisition | |
Xiang et al. | Argus: An accurate and agile system to detecting IP prefix hijacking | |
Sapegin et al. | On the extent of correlation in BGP updates in the Internet and what it tells us about locality of BGP routing events | |
CN1607790A (en) | Method and system for the centralized collection of link state routing protocol data | |
Lad et al. | An algorithmic approach to identifying link failures | |
Varga et al. | Integration of service-level monitoring with fault management for end-to-end multi-provider ethernet services |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C02 | Deemed withdrawal of patent application after publication (patent law 2001) | ||
WD01 | Invention patent application deemed withdrawn after publication |
Application publication date: 20120328 |