Monitoring Route Changes
Transcript of Monitoring Route Changes
BGP Series Part 2: Monitoring Route Changes
Young Xu, Product Marketing Analyst
BGP Webinar Series
• How BGP Works (May 5th 2016)
– Intro to Autonomous Systems, the BGP protocol and how routes are advertised and learned
• Monitoring Route Changes (May 24th 2016)
– Explore data from routing change events and learn how to detect BGP changes with alerts
• Detecting Hijacks & Leaks (June 16th 2016)
– How to visualize, diagnose and set alerts to detect BGP hijacks and leaks
• Optimizing AS Paths (July 26th 2016)
– Tips and tricks for using routing data to improve how traffic flows into or out of your network
About ThousandEyes
ThousandEyes delivers visibility into every network your organization relies on.
• Founded by network experts; strong investor backing
• Relied on for critical operations by leading enterprises
• Recognized as an innovative new approach
• 27 Fortune 500
• 5 top 5 SaaS Companies
• 4 top 6 US Banks
Collecting BGP Data
• Public Monitors
– 45 monitors on 30+ networks
– See inbound routing to your prefixes
• Private Monitors
– Establish a BGP multi-hop session with ThousandEyes
– See outbound routing to key services and endpoints
[Diagram labels: Your BGP speaker; ThousandEyes collector]
Visualizing BGP Routing
[Figure labels: Origin AS (Comcast); Public vantage points; Upstream ISP (Level3); Upstream ISP (NTT); Github prefix]
Visualizing Routing Changes
[Figure labels: Withdrawn routes to Level3; New or updated routes via Comcast]
Inside → Out Visibility: Private BGP Monitors
[Figure label: Amazon]
How Routes Change
• Routes change in two ways:
1. AS Path vector changes
– Doesn’t change the destination prefix
– Can change with new routes, withdrawn routes or updated route preferences
2. A more specific prefix appears or disappears
– Changes the destination prefix
– Covered and covering prefixes can be used to maintain multiple routing policies in the routing table
– Routes can be quickly changed as needed
Types of BGP Changes
• Policy and Peering Changes
– Commercial relationships
– DDoS mitigation
– Equipment failures
– Maintenance
• Routing misconfigurations
– Attribute confusion
– Prepending errors
– Route flapping
• Route hijacking and leaks
– Others advertising your prefix
– Or a more specific prefix
Policy and Peering Changes
• Options to influence inbound routing to your network include:
– Introducing new routes
   – Advertising new routes
   – Introducing a more specific prefix with a different route
– Withdrawing routes
– Changing BGP attributes in route advertisements
   – AS path prepending
   – Multi-exit discriminator (MED)
   – Communities (e.g. NO-EXPORT); BGP conditional advertisements
• Both the origin AS and upstream ISPs can make peering changes
– Monitor reachability and make sure that new routes are correct and propagated
• Look for: One-time AS path change, new providers or prefixes
– Example: First Horizon changed ISPs by introducing a covered prefix. lswfk.share.thousandeyes.com
Policy and Peering Changes: First Horizon
• Coordinated handover from upstream ISP TW Telecom to Level 3
– Time: 22:30 CDT, Prefix: 198.72.78.0/23
– Time: 22:45 CDT, Prefix: 198.72.78.0/24
– Changes in TW routes
– Level 3 routes to new covered prefix
– Severe packet loss issues, due to delay between withdrawn TW routes and new Level 3 routes
DDoS Mitigation
• BGP is commonly used to shift traffic to scrubbing centers of DDoS mitigation providers during an attack
• Look for: Mitigation provider’s AS either appearing directly upstream from Origin AS or becoming Origin AS
– Example: Discover changed their upstream providers from AT&T and Sprint to Prolexic. ugkspyenl.share.thousandeyes.com
DDoS Mitigation: Discover
[Figure labels: Sprint; AT&T; Prolexic; Withdrawn routes to AT&T, Sprint; New routes through Prolexic]
Equipment Failures
• Failures can occur on links or interfaces in upstream providers
– May re-route on its own or may require intervention
• Look for: Issues isolated within specific ISPs and subsequent routing changes
– Example: When upstream ISP Verizon experienced severe issues, First Data made a BGP change and dropped Verizon. qoeaud.share.thousandeyes.com
Equipment Failures: First Data
[Figure labels: New routes through AT&T; Withdrawn routes to Verizon]
Routing Misconfigurations
• Common misconfigurations include:
– BGP attribute confusion
– AS path prepending errors
– Route flapping
– Route leaks
• Look for: Unexpected ASes, routes or route changes
– Example: Country Financial mistyped an AS when prepending the AS path. tetuntn.share.thousandeyes.com
Routing Misconfigurations: Country Financial
Access2Go (correct ISP)
Mistyped AS (Jaguar Comms.) prepended to AS path
No routes to AS 15011 led to terminal paths and loops
Route Flapping
• When routes alternate or are advertised and withdrawn in rapid sequence
– Usually from equipment or configuration errors
– Often causes packet loss and performance degradation
• Look for: Repeating spikes or elevated levels of route changes over time
– Example: Ancestry’s upstream ISP XO Communications experienced a route flap. imjlgyfuk.share.thousandeyes.com
Route Flapping: Ancestry
[Figure labels: All routes to XO withdrawn; Routes to XO re-advertised]
Route flap led to convergence delay issues, where traffic had already entered the network but no longer had the routes to leave
Tuning Your BGP Alerts

| Scenario | Threshold |
| --- | --- |
| Peering Changes, Route Flaps | Path Changes > 1; Reachability < 100% |
| DDoS Mitigation Activation | Origin ASN in ___; Prefix not in ___; Next Hop ASN in ___ |
| Prepending Errors | Next Hop ASN not in ___ |
| Prefix Hijacking, Leaks | Origin ASN not in ___; Covered Prefix exists |

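
The list-based thresholds from Tuning Your BGP Alerts (origin ASN, next hop ASN, covered prefix) and the reachability threshold, applied to one round of monitor observations. This is an added example, not ThousandEyes code: the rule names, prefixes, ASNs and the reading of "next hop ASN" as the AS adjacent to the origin are assumptions, and path-change counting is left out.

```python
import ipaddress

# Constructed sample data (documentation prefixes and private-use ASNs).
POLICY = {"prefix": "198.51.100.0/24", "origin_asns": {64500},
          "next_hop_asns": {64510, 64511}}
MONITORS = ["mon-a", "mon-b", "mon-c"]  # mon-c reports no route at all
ROUTES = [
    {"monitor": "mon-a", "prefix": "198.51.100.0/24", "as_path": [64496, 64510, 64500]},
    # Unexpected upstream AS, origin prepended once
    {"monitor": "mon-b", "prefix": "198.51.100.0/24", "as_path": [64497, 64505, 64500, 64500]},
    # More specific (covered) prefix announced by a different origin
    {"monitor": "mon-a", "prefix": "198.51.100.0/25", "as_path": [64496, 64499]},
]

def next_hop_asn(as_path):
    """Assumption: 'next hop ASN' = AS adjacent to the origin, ignoring prepends."""
    origin = as_path[-1]
    for asn in reversed(as_path):
        if asn != origin:
            return asn
    return None  # path holds only the origin AS

def evaluate(policy, routes, monitors):
    """Apply the list-based thresholds to one round of monitor observations."""
    watched = ipaddress.ip_network(policy["prefix"])
    alerts, reachable = set(), set()
    for r in routes:
        net = ipaddress.ip_network(r["prefix"])
        if net == watched:
            reachable.add(r["monitor"])
        elif net.subnet_of(watched):
            alerts.add(("covered-prefix-exists", str(net)))
        else:
            continue  # unrelated prefix, not covered by this alert rule
        origin = r["as_path"][-1]
        if origin not in policy["origin_asns"]:
            alerts.add(("origin-asn-not-in-list", f"AS{origin}"))
        hop = next_hop_asn(r["as_path"])
        if hop is not None and hop not in policy["next_hop_asns"]:
            alerts.add(("next-hop-asn-not-in-list", f"AS{hop}"))
    pct = 100 * len(reachable) // len(monitors)
    if pct < 100:
        alerts.add(("reachability-below-100", f"{pct}%"))
    return sorted(alerts)

if __name__ == "__main__":
    for name, detail in evaluate(POLICY, ROUTES, MONITORS):
        print(f"ALERT {name}: {detail}")
```
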
Join us in Part 3 for a discussion on detecting BGP hijacks and leaks
See what you’re missing.
Watch the webinar:
www.thousandeyes.com/webinars/monitoring-route-changes