Border Gateway Protocol Update Metric Analysis
MRT is a file format used in BGP; in particular, it is used when the router writes updates into a log file. There are many programs out there for parsing these files, but I'm going to talk about a new program created at the CERT Division for searching the files. The program is designed to find routes that affect a given set of CIDR blocks, and to do it quickly.
We don't want to look just for specific CIDR blocks; we want to look for any CIDR blocks that are contained in our CIDR block or that contain our CIDR block. It is not just the routes announced for our /24 we want to find, it is the people that announce more specific routes within the /24, such as a /28, or the people that announce the /8 that contains our /24. All of these routes could affect our /24, so the goal is to find all of them.
We combine the power of SiLK IPSets and RIPE's bgpdump library into bgpuma, which allows us to accomplish this task at a reasonable speed.
bgpuma parses an MRT file that is 11M in size in 15 seconds. We can also parse an entire day of files from Routeviews (http://www.routeviews.org/) in 19 minutes.
For each match the program finds, it outputs a pipe ( | ) delimited list of information that includes:
1. Time stamp
2. A (Announcement) or W (Withdrawal)
3. Source IP of the data
4. Source ASN of the data
5. Destination IP of the data
6. Destination ASN of the data
7. CIDR block
8. If an announcement, the actual path
For example, when looking for bogons, that is, prefixes that should never appear in the routing table, we find
1446406036|A|18.104.22.168|AS28138|22.214.171.124|AS6447|126.96.36.199/24|28138 16735 6939
1446406075|A|188.8.131.52|AS262757|184.108.40.206|AS6447|220.127.116.11/24|262757 16735 6939
1446406256|A|18.104.22.168|AS34288|22.214.171.124|AS6447|100.64.254.0/24|34288 9498 9583
1446406273|A|126.96.36.199|AS34288|188.8.131.52|AS6447|100.100.1.0/24|34288 9498 9730
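The two ideas above, the "contained in or contains" matching rule for CIDR blocks and the pipe-delimited record layout, can be exercised together on the output lines bgpuma writes. The following is an added example, not code from bgpuma or the CERT Division: it parses records in the eight-field format described above, labels each matching prefix as an exact match, a more-specific route, or a less-specific (covering) route relative to a watched block, and pulls the origin ASN from the path. The input lines mix two records from the post's bogon example with constructed records using documentation prefixes and private ASNs; the watched blocks and all function names are assumptions of this example.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Optional, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class BgpRecord(NamedTuple):
    timestamp: int
    kind: str                 # "A" = announcement, "W" = withdrawal
    src_ip: str
    src_asn: str
    dst_ip: str
    dst_asn: str
    prefix: IPNetwork
    as_path: Optional[List[int]]   # ASNs for announcements, None for withdrawals


def parse_record(line: str) -> BgpRecord:
    """Parse one pipe-delimited record in the layout the post describes."""
    fields = line.rstrip("\n").split("|")
    if len(fields) < 7:
        raise ValueError(f"expected at least 7 pipe-delimited fields: {line!r}")
    ts, kind, src_ip, src_asn, dst_ip, dst_asn, cidr = fields[:7]
    if kind not in ("A", "W"):
        raise ValueError(f"unknown record type {kind!r}")
    # strict=False tolerates a prefix field whose host bits are set
    prefix = ipaddress.ip_network(cidr, strict=False)
    as_path = None
    if kind == "A":
        # the eighth field (the path) is only present for announcements
        if len(fields) < 8:
            raise ValueError(f"announcement without an AS path: {line!r}")
        as_path = [int(asn) for asn in fields[7].split()]
    return BgpRecord(int(ts), kind, src_ip, src_asn, dst_ip, dst_asn, prefix, as_path)


def relation(prefix: IPNetwork, watched: IPNetwork) -> Optional[str]:
    """How `prefix` relates to one watched block, or None if unrelated."""
    if prefix.version != watched.version:
        return None
    if prefix == watched:
        return "exact"
    if prefix.subnet_of(watched):
        return "more-specific"    # e.g. a /28 announced inside our /24
    if watched.subnet_of(prefix):
        return "less-specific"    # e.g. the /8 that covers our /24
    return None


def origin_asn(rec: BgpRecord) -> Optional[int]:
    """The rightmost ASN of the path is the AS that originated the route."""
    return rec.as_path[-1] if rec.as_path else None


def matching_records(lines: Iterable[str],
                     watched_cidrs: Iterable[str]) -> List[Tuple[BgpRecord, IPNetwork, str]]:
    """Keep records whose prefix is, contains, or is contained in a watched block.

    Each record is reported once, against the first watched block it relates to.
    """
    watched = [ipaddress.ip_network(c, strict=False) for c in watched_cidrs]
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        for block in watched:
            rel = relation(rec.prefix, block)
            if rel is not None:
                hits.append((rec, block, rel))
                break
    return hits


# Constructed sample input: the first two lines are from the post's bogon
# example; the remaining lines use documentation prefixes and private ASNs.
SAMPLE_LINES = [
    "1446406036|A|18.104.22.168|AS28138|22.214.171.124|AS6447|126.96.36.199/24|28138 16735 6939",
    "1446406256|A|18.104.22.168|AS34288|22.214.171.124|AS6447|100.64.254.0/24|34288 9498 9583",
    "1446406300|A|192.0.2.1|AS64500|192.0.2.2|AS64501|203.0.113.0/28|64500 64502",
    "1446406310|A|192.0.2.1|AS64500|192.0.2.2|AS64501|203.0.0.0/16|64500 64503",
    "1446406320|A|192.0.2.1|AS64500|192.0.2.2|AS64501|198.51.100.0/24|64500 64504",
    "1446406330|W|192.0.2.1|AS64500|192.0.2.2|AS64501|203.0.113.0/24",
]

# Assumed watch list: one prefix "we" operate plus the shared address space bogon block.
WATCHED = ["203.0.113.0/24", "100.64.0.0/10"]

if __name__ == "__main__":
    for rec, block, rel in matching_records(SAMPLE_LINES, WATCHED):
        print(f"{rec.timestamp} {rec.kind} {rec.prefix} is {rel} of {block}; "
              f"origin AS {origin_asn(rec)}")
```

Labelling the relation is what makes the output useful for analysis: a more-specific announcement inside a block you operate, a covering route from an unexpected origin AS, and a withdrawal of your exact prefix each call for a different response, and the origin ASN gives you the first party to check.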
Running bgpuma requires a file containing a list of CIDR blocks, called the cidrfile, and a file listing the MRT files you want bgpuma to search. Once you have both, you can run bgpuma as:
bgpuma --file=FILE --cidrfile=FILE
bgpuma also understands the directory structures created by Routeviews and RIPE (http://ripe.net/). If you have access to a file system containing this data, you can access the files by date. In this case, bgpuma is run as
bgpuma --startdate=YYYYMMDD --enddate=YYYYMMDD --directory=DIR --cidrfile=FILE
This new program is available for free to anyone who needs it. You can learn more about how to use bgpuma and download it at https://github.com/cmu-sei/bgpuma.