This Article 
 Bibliographic References 
 Add to: 
An Online Mechanism for BGP Instability Detection and Analysis
November 2009 (vol. 58 no. 11)
pp. 1470-1484
Shivani Deshpande, BlueCoat Systems, Sunnyvale
Marina Thottan, Bell Labs, Alcatel-Lucent, Murray Hill
Tin Kam Ho, Bell Labs, Alcatel-Lucent, Murray Hill
Biplab Sikdar, Rensselaer Polytechnic Institute, Troy
The importance of Border Gateway Protocol (BGP) as the primary interAutonomous System (AS) routing protocol that maintains the connectivity of the Internet imposes stringent stability requirements on its route selection process. Accidental and malicious activities such as misconfigurations, failures, and worm attacks can induce severe BGP instabilities leading to data loss, extensive delays, and loss of connectivity. In this work, we propose an online instability detection architecture that can be implemented by individual routers. We use statistical pattern recognition techniques for detecting the instabilities, and the algorithm is evaluated using real Internet data for a diverse set of events including misconfiguration, node failures, and several worm attacks. The proposed scheme is based on adaptive segmentation of feature traces extracted from BGP update messages and exploiting the temporal and spatial correlations in the traces for robust detection of the instability events. Furthermore, we use route change information to pinpoint the culprit ASes where the instabilities have originated.

[1] U. Appel and A. Brandt, “Adaptive Sequential Segmentation of Piecewise Stationary Time Series,” Information Sciences, vol. 29, pp.27-56, 1983.
[2] H. Akaike, “Information Theory As an Extension of the Maximum Likelihood Principle,” Proc. Int'l Symp. Information Theory (ISIT), pp. 267-281, 1973.
[3] T. Chan, G. Golub, and R. LeVeque, “Algorithms for Computing the Sample Variance: Analysis and Recommendations,” The Am. Statistician, vol. 37, no. 3, pp. 242-247, Aug. 1983.
[4] J. Cowie, A. Ogleski, B. Premore, and Y. Yuan, “Global Routing Instabilities during Code Red II and Nimda Worm Propagation,” technical report, Renesys Corporation, Dec. 2001.
[5] S. Deshpande, M. Thottan, and B. Sikdar, “Early Detection of BGP Instabilities Resulting from Internet Worm Attacks,” Proc. IEEE GLOBECOM, pp. 2266-2270, Nov. 2004.
[6] A. Feldmann, O. Maennel, Z. Mao, A. Berger, and B. Maggs, “Locating Internet Routing Instabilities,” ACM SIGCOMM Computer Comm. Rev., vol. 34, no. 4, pp. 205-218, Aug. 2004.
[7] T.K. Ho, “Mirage: Interactive Tools for Pattern Discovery,” Proc. Int'l Conf. Pattern Recognition (ICPR), pp. 509-512, Aug. 2004.
[8] X. Hu and M. Mao, “Accurate Real-Time Identification of IP Prefix Hijacking,” Proc. IEEE Symp. Security and Privacy, pp. 3-17, May 2007.
[9] Y. Huang, N. Feamster, A. Lakhina, and J. Xu, “Diagnosing Network Disruptions with Network-Wide Analysis,” Proc. ACM SIGMETRICS, pp. 61-72, June 2007.
[10] C. Labovitz, A. Ahuja, A. Bose, and F. Jahanian, “Delayed Internet Routing Convergence,” Proc. ACM SIGCOMM, Aug. 2000.
[11] M. Lad, X. Zhao, B. Zhang, D. Masey, and L. Zhang, “Analysis of BGP Update Surge during the Slammer Worm Attack,” Proc. Fifth Int'l Workshop Distributed Computing (IWDC), 2003.
[12] M. Lad, D. Massey, D. Pei, W. Wu, B. Zhang, and L. Zhang, “PHAS: A Prefix Hijack Alert System,” Proc. USENIX Security Symp., 2006.
[13] North American Network Operators Group Mailing List,, 2009.
[14] North American Network Operators Group Mailing List, “oof. Panix Sidelined by Incompetence. . . Again,” http://www.merit. edu/mail.archives/nanog/ 2006-01msg00483.html, 2009.
[15] Y. Rekhter and T. Li, “A Border Gateway Protocol 4 (BGP-4),” RFC 1771, IETF, Mar. 1995.
[16] Réseaux IP Européens Network Coordination Center, , 2009.
[17] M. Roughan, T. Griffin, M. Mao, A. Greenberg, and B. Freeman, “Combining Routing and Traffic Data for Detection of IP Forwarding Anomalies,” Proc. ACM SIGCOMM NeTs Workshop, Aug. 2004.
[18] “The SSFNet Project,” http:/, 2009.
[19] S. Teoh, S. Ranjan, A. Nucci, and C.-N. Chuah, “BGP Eye: A New Visualization Tool for Real-Time Detection and Analysis of BGP Anomalies,” Proc. Int'l Workshop Visualization for Computer Security, Nov. 2006.
[20] S. Teoh, K. Zhang, S. Tseng, K. Ma, and F. Wu, “Combining Visual and Automated Data Mining for Near-Real-Time Anomaly Detection and Analysis in BGP,” Proc. ACM Visualization and Data Mining for Computer Security (VizSEC/DMSEC), Oct. 2004.
[21] R. Wagner and M. Fisher, “The String to String Correction Problem,” J. ACM, vol. 21, no. 1, pp. 168-173, 1974.
[22] H. Wang, K. Chang, D. Chiu, and C. Lui, “Characterizing the Performance and Stability Issues of the AS Path Prepending Method: Taxonomy, Measurement Study and Analysis,” Proc. ACM SIGCOMM Workshop, Apr. 2005.
[23] J. Wang, X. Chen, and W. Gao, “Online Selecting Discriminative Tracking Features Using Particle Filter,” Proc. IEEE Conf. Computer Vision and Pattern Recognition, pp. 1037-1042, June 2005.
[24] L. Wang, X. Zhao, D. Pei, R. Bush, D. Massey, A. Mankin, S.F. Wu, and L. Zhang, “Observation and Analysis of BGP Behavior under Stress,” Proc. ACM Internet Measurement Workshop (IMW), Nov. 2002.
[25] T. Wong, V. Jacobson, and C. Alaettinoglu, “Internet Routing Anomaly Detection and Visualization,” Proc. IEEE Int'l Conf. Dependable Systems and Networks (DSN), pp. 172-181, 2005.
[26] J. Wu, Z. Mao, J. Rexford, and J. Wang, “Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network,” Proc. Networked Systems Design and Implementation (NSDI), May 2005.
[27] K. Xu, J. Chandrashekhar, and Z. Zhang, “A First Step towards Understanding Inter-Domain Routing Dynamics,” Proc. ACM SIGCOMM Mining Network Data (MineNet) Workshop, Aug. 2005.
[28] J. Zhang, J. Rexford, and J. Feigenbaum, “Learning-Based Anomaly Detection in BGP Updates,” Proc. ACM SIGCOMM Mining Network Data (MineNet) Workshop, 2005.
[29] Z. Zhang, Y. Zhang, Y. Hu, Z. Mao, and R. Bush, “iSPY: Detecting IP Prefix Hijacking on My Own,” Proc. ACM SIGCOMM, Aug. 2008.
[30] C. Zheng, L. Ji, D. Pei, J. Wang, and P. Francis, “A Light-Weight Distributed Scheme for Detecting IP Prefix Hijacks in Real-Time,” Computer Comm. Rev., vol. 37, no. 4, pp. 277-288, Oct. 2007.

Index Terms:
BGP, anomaly detection, routing instability, statistical pattern recognition.
Shivani Deshpande, Marina Thottan, Tin Kam Ho, Biplab Sikdar, "An Online Mechanism for BGP Instability Detection and Analysis," IEEE Transactions on Computers, vol. 58, no. 11, pp. 1470-1484, Nov. 2009, doi:10.1109/TC.2009.91
Usage of this product signifies your acceptance of the Terms of Use.