|
URL:
|
http://www.icir.org/vern/imw-2002/imw2002-papers/217.ps.gz
http://www.icir.org/vern/imw-2002/slides/217-slides.pdf
http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.12.8378
|
|
Entry Date:
|
2003-05-14
|
|
Abstract:
|
Despite BGP's critical importance as
the de-facto Internet inter-domain routing protocol,
there is little understanding of how BGP actually
performs under stressful conditions when dependable
routing is most needed. In this paper, we
examine BGP's behavior during one stressful period,
the Code Red/Nimda attack on September 18,
2001. The attack was correlated with a 30-fold increase
in the BGP update messages at a monitoring
point which peers with a number of Internet service
providers. Our examination of BGP's behavior during
the event concludes that BGP exhibited no significant
abnormality, and that over 40% of the observed
updates can be attributed to the monitoring
artifact in current BGP measurement settings. Our
analysis, however, does reveal several weak points
in both the protocol and its implementation, such
as BGP's sensitivity to the transport session reliability,
its inability to avoid the global propagation
of small local changes, and its certain implementation
features whose otherwise benign effects only get
amplified under stressful conditions. We also identify
areas for improvement in the current network
measurement and monitoring effort.
|
|
Datasets:
|
- BGP updates collected at RIPE RRC00 (12 peers) from Sep 10 to
Sep 30, 2001
- assign BGP updates to session resets by (1) looking in logs to find
time at which a peering session is re-established and (2) noting
updates that announce a given prefix for the first time in the
ensuing 25 minutes; the authors observed that most table transfers
finish in 10 minutes
|
|
Results:
|
- monitoring point experienced many session resets during worm attacks;
the authors attribute this to the susceptibility of multihop eBGP to
link problems, noting that RRC04 with direct BGP sessions didn't
experience a single reset on Sep 18th
- 40% of BGP updates during worm attacks were caused by session resets
at the monitoring point
- significant fraction of remaining BGP updates had no new AS paths
- majority of BGP updates with new AS path information were originated
by a small number of highly unstable edge networks (specifically,
prefixes belonging to cable modem, DSL, or dial-up providers)
- the authors conjecture that a flurry of implicit withdrawals announcing
different AS paths could result from session resets between two remote
ASes; a session failure causes one of the ASes to reannounce all prefixes
using an alternate AS path
|