BGP Series Part 2: Monitoring Route Changes
Young Xu, Product Marketing Analyst

BGP Webinar Series
• How BGP Works (May 5th 2016): Intro to Autonomous Systems, the BGP protocol and how routes are advertised and learned
• Monitoring Route Changes (May 24th 2016): Explore data from routing change events and learn how to detect BGP changes with alerts
• Detecting Hijacks & Leaks (June 16th 2016): How to visualize, diagnose and set alerts to detect BGP hijacks and leaks
• Optimizing AS Paths (July 26th 2016): Tips and tricks for using routing data to improve how traffic flows into or out of your network

About ThousandEyes
ThousandEyes delivers visibility into every network your organization relies on.
• Founded by network experts; strong investor backing
• Relied on for critical operations by leading enterprises
• Recognized as "an innovative new approach"
• 27 Fortune 500 companies, 5 of the top 5 SaaS companies, 4 of the top 6 US banks

Collecting BGP Data
• Public Monitors
  – 45 monitors on 30+ networks
  – See inbound routing to your prefixes
• Private Monitors
  – Establish a BGP multi-hop session with ThousandEyes
  – See outbound routing to key services and endpoints
[Figure: your BGP speaker peering with the ThousandEyes collector]

Visualizing BGP Routing
[Figure: route visualization with labels Origin AS (Comcast), public vantage points, upstream ISP (Level3), upstream ISP (NTT) and GitHub prefix]

Visualizing Routing Changes
[Figure: route visualization showing withdrawn routes to Level3 and new or updated routes via Comcast]

Inside → Out Visibility: Private BGP Monitors
[Figure: route visualization; label: Amazon]

How Routes Change
• Routes change in two ways:
  1. AS Path vector changes
     – Doesn't change the destination prefix
     – Can change with new routes, withdrawn routes or updated route preferences
  2. A more specific prefix appears or disappears
     – Changes the destination prefix
     – Covered and covering prefixes can be used to maintain multiple routing policies in the routing table
     – Routes can be quickly changed as needed

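The two kinds of change on this slide can be told apart by diffing route snapshots from one monitor. This is an added example, not ThousandEyes code: `classify_changes` and the snapshots `T0` to `T2` are hypothetical, the prefixes are the First Horizon ones quoted on this page, and the ASNs are documentation-range stand-ins.

```python
import ipaddress

def classify_changes(before, after):
    """Diff two route snapshots taken from one BGP monitor.

    Each snapshot maps prefix (str) -> AS path (tuple of ASNs, origin last).
    Returns a list of (kind, prefix, detail) tuples.
    """
    old = {ipaddress.ip_network(p): tuple(a) for p, a in before.items()}
    new = {ipaddress.ip_network(p): tuple(a) for p, a in after.items()}
    events = []
    for net in sorted(set(old) | set(new), key=lambda n: (n.version, n)):
        if old.get(net) == new.get(net):
            continue
        if net in old and net in new:
            # Way 1: same destination prefix, different AS path vector.
            events.append(("as_path_change", str(net), (old[net], new[net])))
            continue
        # Way 2: the destination prefix itself appeared or disappeared.
        # Look for a less specific prefix in the current table that covers it.
        covering = [str(c) for c in new
                    if c.version == net.version and c != net and net.subnet_of(c)]
        verb = "appeared" if net in new else "withdrawn"
        kind = ("more_specific_" if covering else "prefix_") + verb
        events.append((kind, str(net), covering))
    return events

# Constructed snapshots modelled on the First Horizon prefixes quoted on this
# page. The ASNs are documentation-range stand-ins (RFC 5398), not real ones.
T0 = {"198.72.78.0/23": (64500, 64496)}
T1 = {"198.72.78.0/23": (64510, 64500, 64496)}
T2 = {**T1, "198.72.78.0/24": (64501, 64496)}

if __name__ == "__main__":
    for label, a, b in (("T0->T1", T0, T1), ("T1->T2", T1, T2)):
        for event in classify_changes(a, b):
            print(label, event)
```
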
Types of BGP Changes
• Policy and Peering Changes
  – Commercial relationships
  – DDoS mitigation
  – Equipment failures
  – Maintenance
• Routing misconfigurations
  – Attribute confusion
  – Prepending errors
  – Route flapping
• Route hijacking and leaks
  – Others advertising your prefix
  – Or a more specific prefix

Policy and Peering Changes
• Options to influence inbound routing to your network include:
  – Introducing new routes
    – Advertising new routes
    – Introducing a more specific prefix with a different route
  – Withdrawing routes
  – Changing BGP attributes in route advertisements
    – AS path prepending
    – Multi-exit discriminator (MED)
    – Communities (e.g. NO-EXPORT); BGP conditional advertisements
• Both the origin AS and upstream ISPs can make peering changes
  – Monitor reachability and make sure that new routes are correct and propagated
• Look for: One-time AS path change, new providers or prefixes
  – Example: First Horizon changed ISPs by introducing a covered prefix. lswfk.share.thousandeyes.com

Policy and Peering Changes: First Horizon
• Coordinated handover from upstream ISP TW Telecom to Level 3
• Time: 22:30 CDT, Prefix: 198.72.78.0/23. Changes in TW routes
• Time: 22:45 CDT, Prefix: 198.72.78.0/24. Level 3 routes to new covered prefix
• Severe packet loss issues, due to delay between withdrawn TW routes and new Level 3 routes

DDoS Mitigation
• BGP is commonly used to shift traffic to scrubbing centers of DDoS mitigation providers during an attack
• Look for: Mitigation provider's AS either appearing directly upstream from Origin AS or becoming Origin AS
  – Example: Discover changed their upstream providers from AT&T and Sprint to Prolexic. ugkspyenl.share.thousandeyes.com

DDoS Mitigation: Discover
[Figure: route visualization with labels Sprint, AT&T and Prolexic, showing withdrawn routes to AT&T and Sprint and new routes through Prolexic]

Equipment Failures
• Failures can occur on links or interfaces in upstream providers
  – May re-route on its own or may require intervention
• Look for: Issues isolated within specific ISPs and subsequent routing changes
  – Example: When upstream ISP Verizon experienced severe issues, First Data made a BGP change and dropped Verizon. qoeaud.share.thousandeyes.com

Equipment Failures: First Data
[Figure: route visualization showing withdrawn routes to Verizon and new routes through AT&T]

Routing Misconfigurations
• Common misconfigurations include:
  – BGP attribute confusion
  – AS path prepending errors
  – Route flapping
  – Route leaks
• Look for: Unexpected ASes, routes or route changes
  – Example: Country Financial mistyped an AS when prepending the AS path. tetuntn.share.thousandeyes.com

Routing Misconfigurations: Country Financial
[Figure: route visualization with labels Access2Go (correct ISP) and mistyped AS (Jaguar Comms.) prepended to AS path]
No routes to AS 15011 led to terminal paths and loops

Route Flapping
• When routes alternate or are advertised and withdrawn in rapid sequence
  – Usually from equipment or configuration errors
  – Often causes packet loss and performance degradation
• Look for: Repeating spikes or elevated levels of route changes over time
  – Example: Ancestry's upstream ISP XO Communications experienced a route flap. imjlgyfuk.share.thousandeyes.com

Route Flapping: Ancestry
[Figure: route visualization showing all routes to XO withdrawn, then routes to XO re-advertised]
Route flap led to convergence delay issues, where traffic had already entered the network but no longer had the routes to leave

Tuning Your BGP Alerts

Scenario                        Threshold
Peering Changes, Route Flaps    Path Changes > 1
                                Reachability < 100%
DDoS Mitigation Activation      Origin ASN in ___
                                Prefix not in ___
                                Next Hop ASN in ___
Prepending Errors               Next Hop ASN not in ___
Prefix Hijacking, Leaks         Origin ASN not in ___
                                Covered Prefix exists

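One way to express the thresholds in the table above as checks over a monitor's observations. This is an added example, not ThousandEyes' alert engine: the policy sets, argument names and alert names are assumptions, the prefix and ASNs are documentation values, and the "Prefix not in ___" threshold is not modelled.

```python
import ipaddress

# Constructed policy for one monitored prefix. Prefix and ASNs come from
# documentation ranges (RFC 5737, RFC 5398); the set names are assumptions.
POLICY = {
    "prefix": ipaddress.ip_network("198.51.100.0/24"),
    "origins": {64496},           # ASNs allowed to originate the prefix
    "upstreams": {64500, 64501},  # expected next-hop (upstream) ASNs
    "mitigation": {64510},        # DDoS mitigation provider's ASN
}

def evaluate(prefix, as_path, path_changes, reachability, policy=POLICY):
    """Return the alerts raised by one observation (as_path has origin last)."""
    # Collapse prepends so a repeated ASN counts as one hop.
    hops = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    origin = hops[-1]
    next_hop = hops[-2] if len(hops) > 1 else None
    net, base = ipaddress.ip_network(prefix), policy["prefix"]
    alerts = set()
    # Peering changes, route flaps: Path Changes > 1 or Reachability < 100%.
    if path_changes > 1 or reachability < 100:
        alerts.add("peering_change_or_flap")
    # DDoS mitigation: provider is the origin or sits directly upstream.
    if origin in policy["mitigation"] or next_hop in policy["mitigation"]:
        alerts.add("ddos_mitigation_active")
    # Prepending errors: Next Hop ASN not in the expected upstream set.
    elif next_hop is not None and next_hop not in policy["upstreams"]:
        alerts.add("unexpected_next_hop")
    # Hijacks, leaks: Origin ASN not in the allowed set, or a covered prefix.
    if origin not in policy["origins"] | policy["mitigation"]:
        alerts.add("unexpected_origin")
    if net.version == base.version and net != base and net.subnet_of(base):
        alerts.add("covered_prefix")
    return alerts

# Constructed observations: (prefix, as_path, path_changes, reachability).
SAMPLES = {
    "steady": ("198.51.100.0/24", (64505, 64500, 64496), 0, 100),
    "mitigation": ("198.51.100.0/24", (64505, 64510, 64496), 2, 100),
    "prepend_typo": ("198.51.100.0/24", (64505, 64500, 64499, 64496, 64496), 1, 100),
    "more_specific": ("198.51.100.0/25", (64505, 64511), 1, 100),
}

if __name__ == "__main__":
    for name, obs in SAMPLES.items():
        print(name, sorted(evaluate(*obs)))
```
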
Join us in Part 3 for a discussion on detecting BGP hijacks and leaks
See what you’re missing.
Watch the webinar: www.thousandeyes.com/webinars/monitoring-route-changes