SEI Insights

CERT/CC Blog

Vulnerability Insights

Border Gateway Protocol Update Metric Analysis

Posted on by in

MRT is a file format used in BGP; in particular, it is used when the router writes updates into a log file. There are many programs out there for parsing these files, but I'm going to talk about a new program created at the CERT Division for searching the files. The program is designed to find routes that affect a given set of CIDR blocks, and to do it quickly.

We don't want to look just for specific CIDR blocks, we want to look for any CIDR blocks that are contained in our CIDR block or contain our CIDR block. It is not just the routes announced for our /24 we want to find, it is the people that announce more specific routes for the /24, such as a /28, or the people that announce the /8 that contains our /24. All of these routes could affect our /24, so the goal is to find all of them.

We combine the power of SiLK IPSets and RIPE's bgpdump library into bgpuma, which allows us to accomplish this task at a reasonable speed.

bgpuma parses an MRT file that is 11M in size in 15 seconds. We can also parse an entire day of files from Routeviews (http://www.routeviews.org/) in 19 minutes.

For each match the program finds, it outputs a pipe ( | ) delimited list of information that includes

1. Time stamp
2. A (Announcement) or W (Withdrawal)
3. Source IP of the data
4. Source ASN of the data
5. Destination IP of the data
6. Destination ASN of the data
7. CIDR block
8. If an announcement, the actual path

For example, when looking for bogons, that is, prefixes that should never appear in the routing table, we find

1446400337|A|66.185.128.1|AS1668|128.223.51.102|AS6447|192.88.99.0/24|1668 6939
1446406036|A|187.16.216.90|AS28138|187.16.216.223|AS6447|192.88.99.0/24|28138 16735 6939
1446406075|A|187.16.217.104|AS262757|187.16.216.223|AS6447|192.88.99.0/24|262757 16735 6939
1446406256|A|195.66.225.86|AS34288|195.66.225.222|AS6447|100.64.254.0/24|34288 9498 9583
1446406273|A|195.66.225.86|AS34288|195.66.225.222|AS6447|100.100.1.0/24|34288 9498 9730
1446406300|A|195.66.225.86|AS34288|195.66.225.222|AS6447|192.88.99.0/24|34288 6939
1446419191|W|187.16.216.219|AS14840|187.16.216.223|AS6447|192.168.1.12/30

Running bgpuma requires a file containing a list of CIDR blocks, called the cidrfile and a file listing the MRT files you want bgpuma to search. Once you have both, you can run bgpuma as:

bgpuma --file=FILE --cidrfile=FILE

bgpuma also understands the directory structures created by Routeviews and RIPE (http://ripe.net/). If you have access to a file system containing this data, you can access the files by date. In this case, bgpuma is run as

bgpuma --startdate=YYYYMMDD --enddate=YYYYMMDD --directory=DIR --cidrfile=FILE


This new program is available for free to anyone who needs it. You can learn more about how to use bgpuma and download it at https://github.com/cmu-sei/bgpuma

About the Author

Leigh Metcalf

Contact Leigh Metcalf
Visit the SEI Digital Library for other publications by Leigh
View other blog posts by Leigh Metcalf