A Comparative Analysis of BGP Anomaly Detection and Robustness Algorithms

K. Sriram, O. Borchert, Okhee Kim, P. Gleichmann, D. Montgomery
Published in: 2009 Cybersecurity Applications & Technology Conference for Homeland Security
Publication date: 2009-03-03
DOI: 10.1109/CATCH.2009.20 (https://doi.org/10.1109/CATCH.2009.20)
Citations: 23

Abstract

We present an evaluation methodology for comparison of existing and proposed new algorithms for Border Gateway Protocol (BGP) anomaly detection and robustness. A variety of algorithms and alert tools have been proposed and/or prototyped recently. They differ in the anomaly situations which they attempt to alert or mitigate, and also in the type(s) of data they use. Some are based on registry data from Regional Internet Registries (RIRs) and Internet Routing Registries (IRRs) - an example is the Nemecis tool. Others such as the Prefix Hijack Alert System (PHAS) and the Pretty Good BGP (PGBGP) are driven by BGP trace data. The trace data is obtained from Reseaux Internet Protocol Europeens - Routing Information Service (RIPE-RIS), Routeviews, or a BGP speaker where the algorithm operates. We propose a new algorithm that combines the use of both registry and trace data, and also makes some key improvements over existing algorithms. We have built an evaluation platform called TERRAIN (Testing and Evaluation of Routing Robustness in Assurable Inter-domain Networking) on which these algorithms can be tested and empirically compared based on real and/or synthetic anomalies in BGP messages. We will present a variety of results providing interesting insights into the comparative utility and performance of the various BGP robustness algorithms.