ABSTRACT
As the key component of the Internet's inter-domain routing, BGP is expected to work flawlessly. However, a recent study has revealed the presence of BGP zombies: withdrawn prefixes that are still active in routing tables and that can cause routing issues. That study used experimental prefixes with scheduled withdrawals (BGP beacons). In this study we aim at detecting BGP zombies for any prefix announced on the Internet. To that end, we study the characteristics of withdrawal messages and devise a method to differentiate withdrawal messages that correspond to local topological changes from those that stand for prefixes withdrawn by their origin AS. Based on this classification, we study the occurrence of zombies in the wild in six years of BGP data. We find over 6.5 million zombies; among those, we confirm that 94% report incoherent states and caused 468 potential routing loops. Our study also reveals that noisy prefixes, long AS paths, and ASes announcing a large number of prefixes are more prone to zombies.
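The idea in the abstract, as an added sketch that is not the paper's or the zombie-hunter tool's code: treat a prefix as withdrawn by its origin when a quorum of collector peers withdraw it, then report peers that still hold the route after a grace period. The `quorum` and `grace` values, the peer names, and the update records are assumptions constructed for illustration.

```python
from collections import defaultdict

PEERS = ["peer1", "peer2", "peer3", "peer4"]  # constructed collector peers
# Constructed updates: (unix_seconds, peer, "A" announce / "W" withdraw, prefix)
UPDATES = (
    [(0, p, "A", pfx) for p in PEERS
     for pfx in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
    # Origin withdraws 192.0.2.0/24, but peer4 never sends the withdrawal.
    + [(100 + i, p, "W", "192.0.2.0/24") for i, p in enumerate(PEERS[:3])]
    # Only peer2 loses 198.51.100.0/24: a local topological change.
    + [(200, "peer2", "W", "198.51.100.0/24")]
    # 203.0.113.0/24 is withdrawn cleanly by every peer.
    + [(300 + i, p, "W", "203.0.113.0/24") for i, p in enumerate(PEERS)]
)

def find_zombies(updates, end_time, quorum=0.75, grace=5400):
    """Return {prefix: [peers still announcing it]} for suspected zombies.

    quorum: assumed fraction of peers that must have withdrawn the prefix
            before the withdrawal is attributed to the origin AS.
    grace:  assumed seconds to wait after the last withdrawal, so that
            ordinary convergence delay is not reported as a zombie.
    """
    last = defaultdict(dict)  # prefix -> peer -> (kind, timestamp)
    for ts, peer, kind, prefix in sorted(updates):
        last[prefix][peer] = (kind, ts)  # keep only the latest state per peer

    zombies = {}
    for prefix, peers in last.items():
        withdrawn_at = [ts for kind, ts in peers.values() if kind == "W"]
        if len(withdrawn_at) / len(peers) < quorum:
            continue  # too few withdrawals: likely local, not origin-wide
        stuck = sorted(p for p, (kind, _) in peers.items() if kind == "A")
        if stuck and end_time - max(withdrawn_at) >= grace:
            zombies[prefix] = stuck
    return zombies

if __name__ == "__main__":
    print(find_zombies(UPDATES, end_time=7200))
```

Only the prefix that most peers withdrew while one peer kept it is flagged; the single-peer withdrawal and the clean withdrawal are not.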
Hunting BGP zombies in the wild