
Design And Implementation Of Inter-domain Routing Security Monitoring System

Posted on: 2015-02-04
Degree: Master
Type: Thesis
Country: China
Candidate: Q L Jing
Full Text: PDF
GTID: 2268330428480289
Subject: Computer application technology

Abstract/Summary:
The Internet consists of many autonomous systems that exchange routing information via BGP to achieve network reachability. However, BGP's design did not comprehensively consider routing security, and as a result many routing anomalies and attacks have occurred, such as prefix hijacking. A network monitoring system for the inter-domain routing system is therefore necessary, but no existing design satisfies the critical requirements of a truly effective system: being easily and incrementally deployable, and detecting a variety of anomalies or attacks. It is therefore necessary to design and implement an inter-domain routing security monitoring system. The system can detect routing attacks and abnormal events through association analysis. It helps people grasp the network security situation, control and protect against routing attacks and abnormal events, ensure the stable operation of important business, and improve the security level of the routing system.

In this thesis, we design and implement a BGP routing monitoring system based on actual needs. Specifically, the main contributions of the thesis are as follows:

(1) Design and implement a detection subsystem for inter-domain routing abnormal events

The main function of this subsystem is to detect abnormal events, such as an abnormal increase of autonomous systems, network storms, and so on. The subsystem is composed of a routing information receiving layer and an analysis layer. It confirms the occurrence of various types of abnormal events by analyzing the inter-domain routing information of the network. In detecting inter-domain routing anomaly events, the most important factor is how to analyze BGP Update packets: by analyzing the content of an Update packet, the subsystem can determine whether network anomalies, such as network oscillation, are present. Finally, the test results show that the subsystem can detect network anomalies in a timely manner.

(2) Design and implement a detection subsystem for inter-domain routing attack events

The main function of this subsystem is to detect attack events. In this thesis, we mainly focus on detecting prefix hijacking. The subsystem is composed of a routing information receiving layer and an analysis layer. The information receiving layer receives BGP Update packets in the monitored network and passes the information to the analysis layer. The analysis layer detects suspicious attack events in the network by analyzing the routing information. Attack detection proceeds in two steps: first, BGP Update packets are analyzed; second, with the help of network data layer information, the occurrence of inter-domain routing attack incidents is confirmed by correlation analysis of the control layer and data layer information. The experimental results show that the subsystem can detect prefix hijacking almost accurately.
Keywords/Search Tags: BGP Protocol, Routing Monitoring, Abnormity detecting, Attack detecting