Bigfoot: A geo-based visualization methodology for detecting BGP threats

Abstract

Studies of inter-domain routing in the Internet have highlighted the complex and dynamic nature of connectivity changes that take place daily on a global scale. The ability to assess and identify normal, malicious, irregular and unexpected behaviors in routing update streams is important in daily network and security operations. In this paper we describe Bigfoot, a Border Gateway Protocol (BGP) update visualization system that has been designed to highlight and assess a wide variety of behaviors in update streams. At the core of Bigfoot is the notion of visualizing the announcements of network prefixes via IP geolocation. We investigate different representations of polygons for network footprints and show how straightforward application of IP geolocation can lead to representations that are difficult to interpret. Bigfoot includes techniques to filter, organize, analyze and visualize BGP updates that enable characteristics and behaviors of interest to be identified effectively. To demonstrate Bigfoot's capabilities, we consider 1.79B BGP updates collected over a period of one year and identify 139 candidate events in this data. We investigate a subset of these events in detail, along with ground truth from existing literature to show how network footprint visualizations can be used in operational deployments.