Published on March 20th, 2017 | 392 views
BGP Hijack Detection: TaBi
Developed since 2011 for the needs of the French Internet Resilience Observatory, TaBi is a framework that ease the detection of BGP IP prefixes conflicts, and their classification into BGP hijacking events. The term prefix hijacking refers to an event when an AS, called an hijacking AS, advertises illegitimately a prefix equal or more specific to a prefix delegated to another AS, called the hijacked AS.
Usually, TaBi processes BGP messages that are archived in MRT files. Then, in order to use it, you will then need to install a MRT parser. Its favorite companion is MaBo, but it is also compatible with CAIDA’s bgpreader. Internally, TaBi translates BGP messages into its own representation. Therefore, its is possible to implement new inputs depending on your needs.
If you use a Debian-like system you can install these dependencies using:
apt-get install python-dev python-pip python-virtualenv
Then install TaBi in a virtual environment:
virtualenv ve_tabi source ve_tabi/bin/activate pip install py-radix python-dateutil python setup.py install
Removing TaBi and its dependencies is therefore as simple as removing the cloned repository.
Historically TaBi was designed to process MRT dump files from the collectors of the RIPE RIS.
Grabbing MRT dumps
You will then need to retrieve some MRT dumps. Copying and pasting the following commands in a terminal will grab a full BGP view and some updates.
wget -c http://data.ris.ripe.net/rrc01/2016.01/bview.20160101.0000.gz wget -c http://data.ris.ripe.net/rrc01/2016.01/updates.20160101.0000.gz
tabi – the command line tool
Given the name of the BGP collector, an output directory and MRT dumps using the RIS naming convention,
tabi will follow the evolution of routes seen in MRT dumps (or provided with the
--asesoption), and detect BGP IP prefixes conflicts.
Several options can be used to control tabi behavior:
$ tabi --help Usage: tabi [options] collector_id output_directory filenames* Options: -h, --help show this help message and exit -f, --file files content comes from mabo -p PIPE, --pipe=PIPE Read the MRT filenames used as input from this pipe -d, --disable disable checks of the filenames RIS format -j JOBS, --jobs=JOBS Number of jobs that will process the files -a ASES, --ases=ASES File containing the ASes to monitor -s, --stats Enable code profiling -m OUTPUT_MODE, --mode=OUTPUT_MODE Select the output mode: legacy, combined or live -v, --verbose Turn on verbose output -l, --log Messages are written to a log file.
Among this options, two are very interesting:
-jthat forks several
tabiprocesses to process the MRT dumps faster
-athat can be used to limit the output to a limited list of ASes
Note that the legacy output mode will likely consume all file descriptors as it creates two files per processed AS (i.e. around 100k opened files). The default is the combined output mode.
Here is an example call to tabi:
tabi -j 8 rrc01 results/ bview.20160101.0000.gz updates.20160101.0000.gz
After around 5 minutes of processing, you will find the following files in
all.defaults.json.gzthat contains all default routes seen by TaBi
all.routes.json.gzthat contains all routes monitored
all.hijacks.json.gzthat contains all BGP prefix conflicts