CN101471824B - System and method for monitoring abnormity of BGP network - Google Patents

Publication number: CN101471824B
Authority: CN (China)
Prior art keywords: bgp network, border gateway, gateway protocol, message, prefix
Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN2007103085571A
Other languages: Chinese (zh)
Other versions: CN101471824A (en)
Inventors: 马强, 梁伟, 毕经平
Current Assignee: Institute of Computing Technology of CAS (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Institute of Computing Technology of CAS
Application filed by Institute of Computing Technology of CAS
Priority to CN2007103085571A
Publication of CN101471824A
Application granted
Publication of CN101471824B
Abstract

The invention relates to computer network technology and discloses a system and a method for monitoring anomalies of a Border Gateway Protocol (BGP) network. The method comprises the following steps: collecting BGP update messages in the BGP network; constructing a character string v for each collected BGP update message and adding the strings v to a string set V; searching for the substring v[sub] with the highest frequency of occurrence, which is taken as the position where the BGP network anomaly occurs; and inferring the cause of the anomaly from the content of the substring v[sub] and a routing behavior analysis method. The invention monitors BGP network anomalies and analyzes their causes more effectively, with markedly improved accuracy and simplicity.

Description

System and method for monitoring anomalies of a BGP network
Technical field
The present invention relates to computer network technology, and in particular to a system and method for monitoring anomalies of a Border Gateway Protocol (BGP) network.
Background art
In the Internet architecture, a router is a network device that connects multiple networks or network segments. It "translates" the data messages passed between different networks or segments so that each side can "read" the other's data, and in this way a larger network is formed. The many routers are divided into autonomous systems (AS); each autonomous system is a group of routers and networks under the control of one administrative organization. An Interior Gateway Protocol (IGP) runs inside an autonomous system, and an Exterior Gateway Protocol (EGP) runs between autonomous systems. At present the Border Gateway Protocol (BGP) is the de facto standard protocol for routing between autonomous systems, so how well BGP itself runs affects the operation and service quality of the whole Internet. Because BGP is a policy-based path-vector protocol, its configuration depends heavily on human decisions and is error-prone. Such errors affect the stability of inter-AS routing and, in turn, the stability and service quality of the whole network. Finding the position and the inducing factor of a BGP network anomaly quickly and effectively is therefore an important safeguard for network stability and service performance.
Existing methods for monitoring BGP network anomalies fall into four main categories:
1) Anja Feldmann et al., "Locating Internet Routing Instabilities", ACM SIGCOMM '04, proposed the three-dimensional <Time, View, Prefix> analysis method for locating BGP network anomalies. The paper analyzes the position where a BGP network anomaly occurs along three dimensions: time, monitoring point and prefix. Similar papers include:
Caesar, M., Subramanian, L., and Katz, R. H., "Towards Localizing Root Causes of BGP Dynamics", Tech. Rep. CSD-03-1292, UC Berkeley, November 2003;
Jian Wu, Z. Morley Mao, Jennifer Rexford, Jia Wang, "Finding a Needle in a Haystack: Pinpointing Significant BGP Routing Changes in an IP Network", NSDI '05.
2) Research on BGP anomaly localization based on statistics and on input
Ke Zhang et al., "On Detection of Anomalous Routing Dynamics in BGP", NETWORKING 2004, proposed a statistics-based anomaly detection method and an input-based anomaly localization method. The paper takes the arrival frequency of BGP Update packets and the content of the Update packets as input and roughly analyzes the position and category of BGP network anomalies.
3) Research on BGP anomaly localization based on pattern recognition
Di-Fa Chang et al., "The Temporal and Topological Characteristics of BGP Path Changes", ICNP '03, proposed a BGP anomaly monitoring algorithm based on pattern recognition: messages are quantized, hierarchical clustering groups the messages into events, and the events are then analyzed.
4) Research on BGP anomaly localization based on machine learning
Jian Zhang et al., "Learning-Based Anomaly Detection in BGP Updates", 2005 ACM SIGCOMM Workshop on Mining Network Data, proposed a BGP anomaly detection method based on machine learning. A similar paper is Murat Can Ganiz, Sudhan Kanitkar et al., "Detection of Interdomain Routing Anomalies Based on Higher-Order Path Analysis".
These methods generally suffer from low computational efficiency. More importantly, they only give the position where a BGP network anomaly occurs and do not effectively infer the factor that induced it.
Summary of the invention
The object of the invention is to provide a system and method for monitoring anomalies of a BGP network, so as to solve the problems of existing BGP anomaly monitoring methods: low operating efficiency and the inability to give the inducing factor of an anomaly effectively.
To achieve this object, the invention provides a system for monitoring anomalies of a BGP network, comprising a collection module and an analysis module.
The collection module establishes BGP adjacency (neighbor) relationships with specific BGP nodes in the BGP network, so that through those specific BGP nodes the collection module is connected to all BGP nodes in the BGP network, and it receives BGP update messages from those specific BGP nodes.
The analysis module analyzes the BGP update messages received by the collection module when those messages satisfy a certain condition, in order to determine the position where an anomaly occurs in the BGP network and the cause of the anomaly.
Preferably, in the system, the BGP update messages received by the collection module satisfy the condition when the number of BGP update messages received in some time period is greater than or equal to a preset maximum, and the number received in a later time period is less than or equal to a preset minimum.
Preferably, in the system:
The collection module comprises a connection module and a BGP update message collection module.
The connection module connects to the specific BGP nodes in the BGP network, so that through those specific BGP nodes the collection module is connected to all BGP nodes in the BGP network.
The BGP update message collection module receives BGP update messages from the specific BGP nodes.
Preferably, in the system:
The analysis module comprises a string module and a string analysis module.
When the BGP update messages received by the collection module satisfy the condition, the string module chooses from them the BGP update messages that need to be analyzed, constructs a character string from each such message, and selects from those strings, by a predefined rule, the substring that meets the criteria.
The string analysis module analyzes the substring selected by the string module according to preset rules, in order to determine the position where an anomaly occurs in the BGP network and the cause of the anomaly.
Preferably, in the system, selecting the substring that meets the criteria by a predefined rule means selecting, from the strings, the substring with the highest frequency of occurrence that matches one of the following formats:
<IP of the BGP neighbor>;
<last BGP node in the AS Path attribute information, prefix information>;
<a_i in the AS Path attribute information, a_j in the AS Path attribute information>;
<last BGP node in the AS Path attribute information>;
<nexthop, first BGP node in the AS Path attribute information>.
Preferably, in the system:
When the selected substring has the format <IP of the BGP neighbor>, the position and cause of the BGP network anomaly are a failure of that BGP neighbor, or a failure of the link the collector uses to collect BGP update messages from that BGP neighbor.
When the selected substring has the format <a_i in the AS Path attribute information, a_j in the AS Path attribute information>, the position and cause of the BGP network anomaly are a fault of the link, or of the validity of the protocol association, between BGP node a_i and BGP node a_j.
When the selected substring has the format <last BGP node in the AS Path attribute information>, the position and cause of the BGP network anomaly are a prefix hijack or a path black hole at that last BGP node.
When the selected substring has the format <nexthop, first BGP node in the AS Path attribute information>, the position and cause of the BGP network anomaly are a Multi-Exit Discriminator (MED) oscillation or Interior Gateway Protocol traffic engineering inside that first BGP node.
Preferably, in the system, the string analysis module also analyzes the substring selected by the string module, according to preset rules, in combination with the numbers of explicit announcements, explicit withdrawals and implicit withdrawals received by the BGP update message collection module, in order to determine the position where an anomaly occurs in the BGP network and the cause of the anomaly.
Preferably, in the system:
When the selected substring has the format <last BGP node in the AS Path attribute information, prefix information>, and the number of explicit announcement events in the BGP network is far greater than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the position and cause of the BGP network anomaly are the announcement of a prefix inside that last BGP node, or the repair of a link or node inside that last BGP node.
When the selected substring has the format <last BGP node in the AS Path attribute information, prefix information>, and the number of explicit announcement events in the BGP network is approximately equal to the sum of the numbers of explicit withdrawal and implicit withdrawal events, the position and cause of the BGP network anomaly are an oscillation or fluctuation of the prefix in that last BGP node.
When the selected substring has the format <last BGP node in the AS Path attribute information, prefix information>, and the number of explicit announcement events in the BGP network is far smaller than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the position and cause of the BGP network anomaly are the deletion of a prefix in that last BGP node, or the repair of an internal link or node in that last BGP node.
Preferably, in the system, "far greater than" means that the number of explicit announcement events in the BGP network is greater than or equal to 10 times the sum of the numbers of explicit withdrawal and implicit withdrawal events.
Preferably, in the system, "approximately equal to" means that the difference between the number of explicit announcement events and the sum of the numbers of explicit withdrawal and implicit withdrawal events is less than or equal to at least one of: 5% of the number of explicit announcement events, or 5% of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
Preferably, in the system, "far smaller than" means that the number of explicit announcement events in the BGP network is less than or equal to 1/10 of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
To achieve this object, the invention also discloses a method for monitoring anomalies of a BGP network, comprising the following steps:
Step 10: a collector establishes BGP adjacency relationships with specific BGP nodes in the BGP network, so that through those specific BGP nodes the collector is connected to all BGP nodes in the BGP network. Go to step 20.
Step 20: the collector collects all BGP update messages received from the specific BGP nodes and, according to a predefined arrival-frequency characteristic of the messages, gathers the messages that match that characteristic as the set of messages to be analyzed. Go to step 30.
Step 30: the BGP update messages in the set to be analyzed are analyzed. Together with the BGP update messages the collector received before the start time of the analysis, the BGP update messages needed to determine the position and cause of the BGP network anomaly are retrieved, and a character string is constructed from each retrieved message. Go to step 40.
Step 40: among the substrings of the strings constructed in step 30 that match the predefined formats, search for the substring with the highest frequency of occurrence. Go to step 50.
Step 50: analyze the most frequent substring found in step 40 to determine the position where the BGP network anomaly occurs and its cause.
Preferably, in the method, step 20 comprises the following steps:
Step 21: the collector collects all BGP update messages received from the specific BGP nodes and counts the update messages received in each time period. If the number of update messages received in some time period is greater than or equal to a predefined maximum, the start time of that time period is taken as the start time of the analysis, and all BGP update messages received from that start time on are collected. Go to step 22.
Step 22: the collector continues to count the update messages received in each time period. If the number of update messages received in some time period is less than or equal to a predefined minimum, the end time of that time period is taken as the end time of the analysis, and all BGP update messages received between the start time and the end time of the analysis form the set of messages to be analyzed.
Preferably, in the method, step 30 comprises the following steps:
Step 31: when a BGP update message sent by a BGP network node adjacent to the collector announces one or more prefixes, go to step 32; when a BGP update message sent by a BGP network node adjacent to the collector is a withdrawal message for one or more prefixes, go to step 33.
Step 32: when a BGP update message sent by a BGP network node adjacent to the collector announces one or more prefixes, generate from that message the string <IP address of the BGP network node, IP address of nexthop, AS Path attribute information, reached prefix>. At the same time, for each prefix announced in that message, retrieve the historical update message with the same prefix sent by the same BGP network node, and generate from that historical update message the string <IP of the BGP network node, IP address of nexthop, AS Path attribute information, reached prefix>. The operation ends.
Step 33: when a BGP update message sent by a BGP network node adjacent to the collector is a withdrawal message for one or more prefixes, then for each prefix in that message retrieve the historical announcement message for the same prefix sent by that BGP network node, and generate from that historical announcement message the string <IP address of the BGP network node, IP address of nexthop, AS Path attribute information, reached prefix>.
Preferably, in the method, the predefined substring formats in step 40 are the following:
<IP of the BGP neighbor>;
<last BGP node in the AS Path attribute information, prefix information>;
<a_i in the AS Path attribute information, a_j in the AS Path attribute information>;
<last BGP node in the AS Path attribute information>;
<nexthop, first BGP node in the AS Path attribute information>.
Preferably, in the method, in step 50:
When the selected substring has the format <IP of the BGP neighbor>, the position and cause of the BGP network anomaly are a failure of that BGP neighbor, or a failure of the link the collector uses to collect BGP update messages from that BGP neighbor.
When the selected substring has the format <a_i in the AS Path attribute information, a_j in the AS Path attribute information>, the position and cause of the BGP network anomaly are a fault of the link, or of the validity of the protocol association, between BGP node a_i and BGP node a_j.
When the selected substring has the format <last BGP node in the AS Path attribute information>, the position and cause of the BGP network anomaly are a prefix hijack or a path black hole at that last BGP node.
When the selected substring has the format <nexthop, first BGP node in the AS Path attribute information>, the position and cause of the BGP network anomaly are a Multi-Exit Discriminator (MED) oscillation or Interior Gateway Protocol traffic engineering inside that first BGP node.
Preferably, in the method, determining the position and cause of the BGP network anomaly in step 50 also includes a step of judging them in combination with the numbers of explicit announcement, explicit withdrawal and implicit withdrawal events that have occurred in the BGP network, as counted by the collector since it established adjacency with the specific BGP nodes.
Preferably, in the method, in step 50:
When the selected substring has the format <last BGP node in the AS Path attribute information, prefix information>, and the number of explicit announcement events in the BGP network is far greater than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the position and cause of the BGP network anomaly are the announcement of a prefix inside that last BGP node, or the repair of a link or node inside that last BGP node.
When the selected substring has the format <last BGP node in the AS Path attribute information, prefix information>, and the number of explicit announcement events in the BGP network is approximately equal to the sum of the numbers of explicit withdrawal and implicit withdrawal events, the position and cause of the BGP network anomaly are an oscillation or fluctuation of the prefix in that last BGP node.
When the selected substring has the format <last BGP node in the AS Path attribute information, prefix information>, and the number of explicit announcement events in the BGP network is far smaller than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the position and cause of the BGP network anomaly are the deletion of a prefix in that last BGP node, or the repair of an internal link or node in that last BGP node.
Preferably, in the method, "far greater than" means that the number of explicit announcement events in the BGP network is greater than or equal to 10 times the sum of the numbers of explicit withdrawal and implicit withdrawal events.
Preferably, in the method, "approximately equal to" means that the difference between the number of explicit announcement events and the sum of the numbers of explicit withdrawal and implicit withdrawal events is less than or equal to at least one of: 5% of the number of explicit announcement events, or 5% of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
Preferably, in the method, "far smaller than" means that the number of explicit announcement events in the BGP network is less than or equal to 1/10 of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
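The following Python sketch is an added example, not code from the patent. It works through steps 40 and 50 on constructed strings v, using the five substring formats and the 10x, 5% and 1/10 thresholds stated above. The tuple encoding, the restriction of <a_i, a_j> to adjacent AS Path entries and the tie-break between equally frequent substrings are assumptions.

```python
from collections import Counter

# Constructed sample strings v = (neighbor_ip, nexthop, as_path, prefix).
# Addresses are documentation ranges, AS numbers are private-use values.
SAMPLE_V = [
    ("192.0.2.1", "192.0.2.1", (64501, 64510, 64520), "198.51.100.0/24"),
    ("192.0.2.2", "192.0.2.2", (64502, 64511, 64520), "198.51.100.0/24"),
    ("192.0.2.3", "192.0.2.3", (64503, 64512, 64520), "198.51.100.0/24"),
    ("192.0.2.1", "192.0.2.1", (64501, 64510, 64530), "203.0.113.0/24"),
]

# Causes the page assigns to the four formats that need no event counts.
CAUSES = {
    "neighbor": "BGP neighbor failure, or failure of the collector's link to it",
    "as_link": "link or protocol-association fault between a_i and a_j",
    "origin": "prefix hijack or path black hole at the last node",
    "nexthop_first": "MED oscillation or IGP traffic engineering in the first node",
}
ANNOUNCED = "prefix announced, or link/node repaired, inside the last node"
OSCILLATING = "prefix oscillation or fluctuation in the last node"
DELETED = "prefix deleted in the last node, or internal link/node repair"
UNDETERMINED = "no rule on the page matches these counts"


def candidates(v):
    """Return the set of substrings of v that match the five formats."""
    neighbor_ip, nexthop, as_path, prefix = v
    subs = {("neighbor", neighbor_ip)}
    if as_path:
        subs.add(("origin_prefix", as_path[-1], prefix))
        subs.add(("origin", as_path[-1]))
        subs.add(("nexthop_first", nexthop, as_path[0]))
        # Assumption: <a_i, a_j> means two adjacent, distinct AS Path
        # entries, i.e. one inter-AS link (prepending is skipped).
        subs.update(("as_link", a, b)
                    for a, b in zip(as_path, as_path[1:]) if a != b)
    return subs


def most_frequent_substring(strings):
    """Step 40: count each candidate once per string, return (best, count).

    Assumption: on equal counts the substring with more fields wins,
    because it pins the event down more precisely; repr() only makes the
    remaining ties deterministic.
    """
    counts = Counter()
    for v in strings:
        counts.update(candidates(v))
    if not counts:
        return None, 0
    best = max(counts, key=lambda s: (counts[s], len(s), repr(s)))
    return best, counts[best]


def infer_cause(substring, announcements=0, withdrawals=0):
    """Step 50: map the winning substring to the cause given on the page.

    `withdrawals` is the sum of explicit and implicit withdrawal events.
    """
    kind = substring[0]
    if kind != "origin_prefix":
        return CAUSES[kind]
    a, w = announcements, withdrawals
    if a == 0 and w == 0:
        return UNDETERMINED
    if a >= 10 * w:                      # "far greater than"
        return ANNOUNCED
    if 10 * a <= w:                      # "far smaller than"
        return DELETED
    diff = abs(a - w)
    if diff <= 0.05 * a or diff <= 0.05 * w:   # "approximately equal"
        return OSCILLATING
    return UNDETERMINED


if __name__ == "__main__":
    best, n = most_frequent_substring(SAMPLE_V)
    print(best, n, "->", infer_cause(best, announcements=50, withdrawals=51))
```

Counts that fall between the three ratio bands are reported as undetermined here, since the page gives no rule for them.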
The beneficial effects of the invention are as follows: the system and method for monitoring anomalies of a BGP network are highly practical and can more effectively infer the position and the inducing factor of an anomaly in a BGP network. They thereby solve the problems of the traditional BGP anomaly monitoring methods, which run inefficiently and do not give the inducing factor of an event, and they offer high algorithmic efficiency and high analysis accuracy.
Description of drawings
Fig. 1 is a flow chart of the method for monitoring anomalies of a BGP network according to the invention;
Fig. 2 is a flow chart of how, in step S600, the most frequent substring is analyzed in combination with the numbers of explicit announcement, explicit withdrawal and implicit withdrawal events;
Fig. 3 is a block diagram of the system for monitoring anomalies of a BGP network according to the invention.
Embodiments
To make the object, technical solution and advantages of the invention clearer, the system and method for monitoring anomalies of a BGP network are described in further detail below with reference to the drawings and embodiments. The specific embodiments described here only illustrate the invention and do not limit it.
Refer to Fig. 1, the flow chart of the method for monitoring anomalies of a BGP network according to the invention. The method comprises the following steps:
Step S100: a collector emulating a router establishes BGP adjacency relationships with specific BGP nodes (autonomous systems) in the BGP network, so that through those specific BGP nodes the collector is connected to all BGP nodes in the BGP network. That is, the union of the BGP nodes that the specific BGP nodes can reach in the BGP network is the set of all BGP nodes in the BGP network.
Step S200: once adjacency with the specific BGP nodes has been established, the collector collects all BGP update (BGP Update) messages it receives and, from that moment on, counts the number n of update messages received in each time period Vt. If the number n of update messages received in some time period Vt is greater than or equal to a predefined maximum Nmax, the start time Tstart of that time period Vt is taken as the start time of the analysis, and all update messages received from Tstart on are collected for analysis. The values of Vt and Nmax can be set according to practical needs. In this embodiment Vt is set to 30 seconds and Nmax to 10. Suppose 15 update messages in total are received in the 30 seconds of some time period, so that n is 15. Because n is greater than the configured Nmax, the analysis routine is started: the start time of this time period is taken as the start time of the analysis, and the 15 messages received in this time period are added to the message set U, which holds the update messages to be analyzed. At the same time the flag Status_Start in the collector, which indicates whether an analysis is in progress, is set to true to show that the collector has entered the analysis state. The flag Status_Start is created when the collector establishes adjacency with the specific BGP nodes, and its initial value is false.
Step S300: the collector adds to the message set U the update messages received in the next time period Vt', the period that follows the time period Vt of step S200 in which the number n of received update messages reached Nmax, and checks whether the number n' of update messages received in Vt' is less than or equal to a predefined minimum Nmin. If n' is less than or equal to Nmin, the end time Tend of Vt' is taken as the end time of the analysis, and the analysis routine uses the message set U of all update messages received in the interval (Tstart, Tend) as the data set for anomaly analysis. If n' is greater than Nmin, the update messages received in the following time period are also added to the message set U, and the collector again decides whether the end time of that period is to be the end time of the analysis. In this embodiment, at the start of Vt' and of every time period the system first checks whether the flag Status_Start is true; if it is, all update messages received in that time period are added directly to the message set U. In step S300 the flag Status_Start has already been set to true in step S200, so the system adds all update messages received in Vt' directly to the message set U and then, when Vt' ends, decides whether the end time of Vt' is the end time of the analysis. In this embodiment Nmin is set to 5. If 2 update messages are received in Vt', n' is less than or equal to Nmin, and the end time Tend of Vt' is taken as the end time of the analysis. Because 15 update messages were received in the time period Vt of step S200 and 2 update messages were received in the time period Vt' of this step, the message set U holds 17 update messages in total, and these 17 update messages are the object of the analysis. Once the analysis end time Tend has been determined, the flag Status_Start in the collector is set to false, so that from the next time period on the search for the next analysis start time Tstart continues.
Step S400: each Border Gateway Protocol update message packet_current in the message set U is analyzed.
If a BGP update message b in the message set U, sent by a BGP network node (BGP neighbor) a that has a neighbor relationship with the collector, announces one or more prefixes (the prefix information announced in b records the network prefixes that BGP neighbor a can reach), then for each prefix prefix_i in update message b the system retrieves the historical update message packet_history that was sent by the same BGP neighbor a and carries the same prefix prefix_i (a historical update message is a BGP update message received before the analysis start time Tstart). From the retrieved packet_history it generates the string v_history: <IP address of the BGP neighbor, IP address of the nexthop, AS Path attribute a_1, a_2, ..., a_n, reached prefix prefix_i>. At the same time, it generates from update message b the string v_current: <IP address of the BGP neighbor, IP address of the nexthop, AS Path attribute a_1, a_2, ..., a_n, reached prefix prefix_i>. The generated strings v_history and v_current are then added to the string set V.
For example, in a specific embodiment of the invention, suppose a BGP update message c is read from the message set U. Message c was sent by the BGP node with IP address 192.168.30.1 and announces the prefix 192.169.30.0/24 (where /24 is the length of the prefix mask); the IP address of its next hop (nexthop) is 192.168.30.17, and the AS Path in the update message is 5, 4, 2. From this information the system constructs the corresponding string v_current: <192.168.30.1, 192.168.30.17, 5, 4, 2, 192.169.30.0>. The system then retrieves the historical update message that was also sent by the BGP node with IP address 192.168.30.1 and announces the prefix 192.169.30.0/24. The retrieval result is: IP address of the BGP neighbor: 192.168.30.1; announced prefix: 192.169.30.0/24; IP address of the nexthop: 192.168.30.51; AS Path: 6, 4, 2. From this information the system constructs the string v_history: <192.168.30.1, 192.168.30.51, 6, 4, 2, 192.169.30.0>. Finally, the system adds the constructed strings v_current and v_history to the string set V.
If a BGP update message e in the message set U, sent by a BGP network node (BGP neighbor) d that has a neighbor relationship with the collector, is a withdrawal of one or more prefixes, then for each prefix prefix_j in update message e the system retrieves the historical announcement message packet_announce' for the same prefix prefix_j sent by that same BGP neighbor. From the retrieved packet_announce' it generates the string v_withdraw: <IP address of the BGP neighbor, IP address of the nexthop, AS Path attribute a_1, a_2, ..., a_n, reached prefix prefix_j>. The generated string v_withdraw is then added to the string set V.
For example, in a specific embodiment of the invention, suppose a BGP update message f is read from the message set U. Message f was sent by the BGP node with IP address 192.168.40.1 and withdraws the prefix 192.169.70.0/24. The system retrieves the historical announcement message packet_announce' for the prefix 192.169.70.0/24 that was also sent by the BGP node with IP address 192.168.40.1. The retrieval result is: IP address of the BGP neighbor: 192.168.40.1; announced prefix: 192.169.70.0/24; IP address of the nexthop: 192.168.40.51; AS Path: 12, 4. From this information the system constructs the string v_withdraw: <192.168.40.1, 192.168.40.51, 12, 4, 192.169.70.0>. The system then adds the constructed string v_withdraw to the string set V.
Step S500: the substring Vsub with the highest frequency of occurrence is searched for in the string set V. In a specific embodiment of the invention, the substring Vsub takes one of the following forms:
1) <the IP address of a BGP network node (BGP neighbor) that has a neighbor relationship with the collector>;
2) <the last autonomous system a_n of the AS Path attribute, the prefix information prefix>;
3) <a_i in the AS Path attribute, a_j in the AS Path attribute>;
4) <the last autonomous system a_n in the AS Path attribute>;
5) <nexthop, the first autonomous system a_1 in the AS Path attribute>.
Accordingly, the string set V is searched for substrings of these 5 forms, and among the results the substring Vsub with the highest frequency of occurrence is identified; Vsub is then analyzed in the subsequent step.
Step S600: the most frequent substring Vsub found in step S500 is analyzed, together with the numbers of explicit announcement, explicit withdrawal and implicit withdrawal events occurring in the BGP network, as counted by the collector from the specific BGP nodes with which it has established adjacency, in order to determine where the anomaly in the BGP network occurs and why. Explicit announcements, explicit withdrawals and implicit withdrawals are all BGP update messages: an explicit announcement announces a route, an explicit withdrawal explicitly withdraws a route, and an implicit withdrawal indirectly withdraws an earlier route b by announcing a route a with a "better" path that replaces it. In a specific embodiment of the invention, a lookup table of features and BGP network anomalies is derived in advance by routing behavior analysis. In this table, a "feature" is the form of the substring Vsub, or the form of Vsub combined with the numbers of explicit announcements, explicit withdrawals and implicit withdrawals; a "BGP network anomaly" is the location where the anomaly occurs and the cause of the anomaly; and features and BGP network anomalies correspond one to one. Please refer to Fig. 2, which is the flowchart of step S600, in which the most frequent substring Vsub is analyzed together with the numbers of explicit announcement, explicit withdrawal and implicit withdrawal events, and which shows the correspondence between features and BGP network anomalies. The lookup table of features and BGP network anomalies contains the following correspondences:
1) When the substring Vsub has the form of the IP address of a BGP network node (BGP neighbor) that has a neighbor relationship with the collector, the location and cause of the BGP network anomaly are that this BGP neighbor has failed, or that the link the collector uses to collect BGP update messages from this BGP neighbor has failed. For example, when Vsub is 192.168.30.1, the location and cause of the anomaly are that the BGP neighbor with IP address 192.168.30.1 has failed, or that the link used to establish the neighbor relationship between the collector and the autonomous system with IP address 192.168.30.1 has failed.
2) When the substring Vsub has the form <a_i in the AS Path attribute, a_j in the AS Path attribute>, the location and cause of the BGP network anomaly are an availability fault of the link or protocol association between autonomous system a_i and autonomous system a_j, such as the link or protocol association being established, disconnected or restarted. For example, when Vsub is <3, 6>, the location and cause of the anomaly are that the link between autonomous system 3 and autonomous system 6 has failed or been repaired, or that the neighbor relationship between autonomous system 3 and autonomous system 6 has been established or disconnected.
3) When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute>, the location and cause of the BGP network anomaly are that a prefix hijack (that is, an attacker maliciously announcing a network that does not exist in the network) or a path black hole has occurred in autonomous system a_n. For example, when Vsub is <6> and autonomous system 6 is the last autonomous system in the AS Path attribute, the location and cause of the anomaly are that a prefix hijack or a path black hole has occurred in autonomous system 6.
4) When the substring Vsub has the form <nexthop, the first autonomous system a_1 in the AS Path attribute>, the location and cause of the BGP network anomaly are Multi-Exit Discriminator (MED) oscillation inside autonomous system a_1 (MED oscillation is a route flapping event caused by oscillating MED values) or traffic engineering of the Interior Gateway Protocol (IGP) (traffic engineering, TE, maps service traffic onto the actual physical path). For example, when Vsub is <192.168.30.1, 4> and autonomous system 4 is the first autonomous system in the AS Path attribute, the location and cause of the anomaly are that MED oscillation or IGP traffic engineering has occurred inside autonomous system 4.
5) When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute, the prefix information prefix>, and the number of explicit announcement events occurring in the BGP network is far greater than the sum of the explicit withdrawal and implicit withdrawal events, the location and cause of the BGP network anomaly are that the prefix prefix has been announced inside autonomous system a_n, or that a link or node inside autonomous system a_n has been repaired. In a specific embodiment of the invention, the number of explicit announcement events is considered far greater than the sum of the explicit and implicit withdrawal events when it is greater than or equal to 10 times that sum. For example, when Vsub is <3, 192.168.30.0>, autonomous system 3 is the last autonomous system in the AS Path attribute, the number of explicit announcements in the BGP network is 21 and the sum of explicit and implicit withdrawals is 2, the location and cause of the anomaly are that a new prefix 192.168.30.0 has been announced in autonomous system 3, or that the link inside autonomous system 3 that reaches prefix 192.168.30.0 has failed or been repaired.
6) When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute, the prefix information prefix>, and the number of explicit announcement events occurring in the BGP network is approximately equal to the sum of the explicit withdrawal and implicit withdrawal events, the location and cause of the BGP network anomaly are that the prefix is oscillating or flapping in autonomous system a_n (that is, the prefix is being announced and withdrawn continuously). In a specific embodiment of the invention, the two numbers are considered approximately equal when the difference between the number of explicit announcement events and the sum of the explicit and implicit withdrawal events is less than or equal to at least one of the following: 5% of the number of explicit announcement events, or 5% of the sum of the explicit and implicit withdrawal events. For example, when Vsub is <6, 192.168.30.0>, autonomous system 6 is the last autonomous system in the AS Path attribute, the number of explicit announcements in the BGP network is 21 and the sum of explicit and implicit withdrawals is 20, the location and cause of the anomaly are that the prefix 192.168.30.0 is oscillating or flapping in autonomous system 6.
7) When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute, the prefix information prefix>, and the number of explicit announcement events occurring in the BGP network is far smaller than the sum of the explicit withdrawal and implicit withdrawal events, the location and cause of the BGP network anomaly are that the prefix has been deleted in autonomous system a_n, or that a link or node inside autonomous system a_n has been repaired. In a specific embodiment of the invention, the number of explicit announcement events is considered far smaller than the sum of the explicit and implicit withdrawal events when it is less than or equal to 1/10 of that sum. For example, when Vsub is <6, 192.168.30.0>, autonomous system 6 is the last autonomous system in the AS Path attribute, the number of explicit announcements in the BGP network is 2 and the sum of explicit and implicit withdrawals is 21, the location and cause of the anomaly are that the prefix has been withdrawn in autonomous system 6, or that a link or node repair has occurred in autonomous system 6.
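The following Python sketch is an added example, not code from the patent: it builds the strings of step S400, counts the five substring forms of step S500 and applies the lookup of step S600 with the 10x, 1/10 and 5% thresholds given above. The `Update` record, the reading of <a_i, a_j> as adjacent ASes, the tie-break toward the more specific form and keeping the mask length in the prefix (the worked examples drop it) are assumptions; the event counts are passed in rather than derived.

```python
from collections import Counter
from typing import NamedTuple, Optional

class RouteString(NamedTuple):
    """One string v: <neighbor ip, nexthop ip, a_1..a_n, prefix>."""
    neighbor: str
    nexthop: str
    as_path: tuple
    prefix: str  # assumption: mask length kept so a /16 and a /24 stay distinct

class Update(NamedTuple):
    """Hypothetical parsed BGP update, one prefix per record."""
    neighbor: str
    prefix: str
    withdrawn: bool
    nexthop: Optional[str] = None
    as_path: tuple = ()

# Most specific form first; used only to break frequency ties (assumption).
# <a_n> occurs at least as often as <a_n, prefix>, so without a tie-break
# the <a_n, prefix> form could never be selected.
FORMS = ["origin_prefix", "nexthop_first_as", "as_pair", "origin", "neighbor"]

def build_string_set(updates, history):
    """Step S400. history maps (neighbor, prefix) to the last route before Tstart."""
    V = []
    for u in updates:
        old = history.get((u.neighbor, u.prefix))
        if old is not None:
            V.append(old)  # v_history for an announcement, v_withdraw for a withdrawal
        if not u.withdrawn:
            V.append(RouteString(u.neighbor, u.nexthop, tuple(u.as_path), u.prefix))
    return V

def substrings(v):
    """Yield the five substring forms of step S500 as (form, value) pairs."""
    yield "neighbor", (v.neighbor,)
    if not v.as_path:  # empty AS path: no AS-based forms exist
        return
    yield "origin_prefix", (v.as_path[-1], v.prefix)
    yield "origin", (v.as_path[-1],)
    yield "nexthop_first_as", (v.nexthop, v.as_path[0])
    for left, right in zip(v.as_path, v.as_path[1:]):
        if left != right:  # AS-path prepending repeats an AS; that is not a link
            yield "as_pair", (left, right)  # assumption: a_i and a_j are adjacent

def most_frequent_substring(V):
    """Return (form, value, count) of the most frequent substring, or None."""
    counts = Counter()
    for v in V:
        counts.update(list(dict.fromkeys(substrings(v))))  # count once per string
    if not counts:
        return None
    (form, value), n = max(counts.items(),
                           key=lambda kv: (kv[1], -FORMS.index(kv[0][0])))
    return form, value, n

def classify(form, value, announces=0, withdrawals=0):
    """Step S600 lookup; withdrawals = explicit + implicit withdrawal events."""
    if form == "neighbor":
        return f"neighbor {value[0]} failed, or the collector's link to it failed"
    if form == "as_pair":
        return f"link or session between AS {value[0]} and AS {value[1]} changed state"
    if form == "origin":
        return f"prefix hijack or path black hole in AS {value[0]}"
    if form == "nexthop_first_as":
        return f"MED oscillation or IGP traffic engineering inside AS {value[1]}"
    asn, prefix = value
    if announces + withdrawals == 0:
        return "undetermined: no events counted"
    if announces >= 10 * withdrawals:       # "far greater": at least 10 times
        return f"AS {asn} announced {prefix}, or an internal link or node was repaired"
    if 10 * announces <= withdrawals:       # "far smaller": at most 1/10
        return f"AS {asn} deleted {prefix}, or an internal link or node was repaired"
    if 20 * abs(announces - withdrawals) <= max(announces, withdrawals):  # within 5%
        return f"{prefix} is flapping in AS {asn}"
    return "undetermined: ratio matches no table row"

# Values from the worked examples above, plus one constructed update (192.168.50.1).
SAMPLE_HISTORY = {
    ("192.168.30.1", "192.169.30.0/24"):
        RouteString("192.168.30.1", "192.168.30.51", (6, 4, 2), "192.169.30.0/24"),
    ("192.168.40.1", "192.169.70.0/24"):
        RouteString("192.168.40.1", "192.168.40.51", (12, 4), "192.169.70.0/24"),
}
SAMPLE_UPDATES = [
    Update("192.168.30.1", "192.169.30.0/24", False, "192.168.30.17", (5, 4, 2)),
    Update("192.168.40.1", "192.169.70.0/24", True),
    Update("192.168.50.1", "192.169.80.0/24", False, "192.168.50.9", (9, 4, 2, 11)),
]

if __name__ == "__main__":
    V = build_string_set(SAMPLE_UPDATES, SAMPLE_HISTORY)
    form, value, n = most_frequent_substring(V)
    print(form, value, n, "->", classify(form, value))
```

With the sample data the adjacent pair <4, 2> appears in three of the four strings and is selected; with only the two messages from the worked examples, four substrings tie at two occurrences and the tie-break picks <2, 192.169.30.0/24>.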
Please refer to Fig. 3, which is a block diagram of the anomaly monitoring system for a BGP network according to the present invention. The anomaly monitoring system 10 of the present invention comprises an acquisition module 11 and an analysis module 12.
The acquisition module 11 simulates a router. It establishes a BGP adjacency with specific BGP nodes (autonomous systems) in the BGP network, so that the acquisition module 11 is connected through these specific BGP nodes to all BGP nodes in the BGP network. The acquisition module 11 also receives Border Gateway Protocol update (BGP Update) messages from the specific BGP nodes.
The analysis module 12 analyzes the BGP update messages received by the acquisition module 11 when those messages satisfy a certain condition, in order to determine where an anomaly occurs in the BGP network and the cause of the anomaly.
The acquisition module 11 comprises a link module 111 and a BGP update message acquisition module 112. The link module 111 connects to the specific BGP nodes (autonomous systems) in the BGP network, so that the acquisition module 11 is connected through these specific BGP nodes to all BGP nodes in the BGP network. The BGP update message acquisition module 112 receives Border Gateway Protocol update (BGP Update) messages from the specific BGP nodes.
The analysis module 12 comprises a character string module 121 and a string analysis module 122. When the BGP update messages received by the acquisition module 11 satisfy a certain condition, the character string module 121 selects from them the BGP update messages that need to be analyzed, constructs a string from each of these messages, and selects from the strings, according to predefined rules, the substring that meets the criteria. The string analysis module 122 takes the substring selected by the character string module 121 and, combining it with the numbers of explicit announcement, explicit withdrawal and implicit withdrawal messages received by the BGP update message acquisition module 112, analyzes the substring according to preset rules to determine where an anomaly occurs in the BGP network and the cause of the anomaly.
In a specific embodiment of the invention, when the anomaly monitoring system 10 operates, the link module 111 first connects to the specific BGP nodes in the BGP network, and the BGP update message acquisition module 112 receives Border Gateway Protocol update (BGP Update) messages from those specific BGP nodes.
Then the character string module 121 monitors in real time the BGP update messages received by the BGP update message acquisition module 112 and checks whether the number n of BGP update messages received in each time period Vt is greater than or equal to a preset value Nmax. When n in some time period Vt is greater than or equal to Nmax, the start time Tstart of that period Vt is taken as the analysis start time, and all BGP update messages received from Tstart onward are collected. At the same time, the module checks whether the number n' of BGP update messages received in each subsequent time period Vt' is less than or equal to a preset value Nmin. When n' in some time period Vt' is less than or equal to Nmin, the end time Tend of that period Vt' is taken as the analysis end time, and all BGP update messages received in the period (Tstart, Tend) are analyzed.
When all BGP update messages received in the period (Tstart, Tend) are analyzed: if a BGP update message b among them, sent by a BGP network node (BGP neighbor) a that has a neighbor relationship with the collector, announces one or more prefixes, then for each prefix prefix_i in update message b the system retrieves the historical update message packet_history that was sent by the same BGP neighbor a and carries the same prefix prefix_i, and from the retrieved packet_history generates the string v_history: <IP address of the BGP neighbor, IP address of the nexthop, AS Path attribute a_1, a_2, ..., a_n, reached prefix prefix_i>. At the same time, it generates from update message b the string v_current: <IP address of the BGP neighbor, IP address of the nexthop, AS Path attribute a_1, a_2, ..., a_n, reached prefix prefix_i>. If a BGP update message d among them, sent by a BGP network node (BGP neighbor) c that has a neighbor relationship with the collector, is a withdrawal of one or more prefixes, then for each prefix prefix_j in update message d the system retrieves the historical announcement message packet_announce' for the same prefix prefix_j sent by the same BGP neighbor c, and from the retrieved packet_announce' generates the string v_withdraw: <IP address of the BGP neighbor, IP address of the nexthop, AS Path attribute a_1, a_2, ..., a_n, reached prefix prefix_j>.
Then the character string module 121 searches all generated strings v_history, v_current and v_withdraw for the substring Vsub with the highest frequency of occurrence, according to the predefined forms of the substring Vsub. The substring Vsub takes one of the following forms:
1) <the IP address of a BGP network node (BGP neighbor) that has a neighbor relationship with the collector>;
2) <the last autonomous system a_n of the AS Path attribute, the prefix information prefix>;
3) <a_i in the AS Path attribute, a_j in the AS Path attribute>;
4) <the last autonomous system a_n in the AS Path attribute>;
5) <nexthop, the first autonomous system a_1 in the AS Path attribute>.
Finally, the string analysis module 122 takes the substring selected by the character string module 121 and, combining it with the numbers of explicit announcement, explicit withdrawal and implicit withdrawal messages received by the BGP update message acquisition module 112, analyzes the substring according to preset rules to determine where an anomaly occurs in the BGP network and the cause of the anomaly.
When the substring Vsub has the form of the IP address of a BGP network node (BGP neighbor) that has a neighbor relationship with the collector, the location and cause of the BGP network anomaly are that this BGP neighbor has failed, or that the link the collector uses to collect BGP update messages from this BGP neighbor has failed.
When the substring Vsub has the form <a_i in the AS Path attribute, a_j in the AS Path attribute>, the location and cause of the BGP network anomaly are an availability fault of the link or protocol association between autonomous system a_i and autonomous system a_j, such as the link or protocol association being established, disconnected or restarted.
When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute>, the location and cause of the BGP network anomaly are that a prefix hijack or a path black hole has occurred in autonomous system a_n.
When the substring Vsub has the form <nexthop, the first autonomous system a_1 in the AS Path attribute>, the location and cause of the BGP network anomaly are Multi-Exit Discriminator (MED) oscillation inside autonomous system a_1 or traffic engineering of the Interior Gateway Protocol (IGP) (traffic engineering, TE, maps service traffic onto the actual physical path).
When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute, the prefix information prefix>, and the number of explicit announcement events occurring in the BGP network is far greater than the sum of the explicit withdrawal and implicit withdrawal events, the location and cause of the BGP network anomaly are that the prefix prefix has been announced inside autonomous system a_n, or that a link or node inside autonomous system a_n has been repaired.
When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute, the prefix information prefix>, and the number of explicit announcement events occurring in the BGP network is approximately equal to the sum of the explicit withdrawal and implicit withdrawal events, the location and cause of the BGP network anomaly are that the prefix is oscillating or flapping in autonomous system a_n.
When the substring Vsub has the form <the last autonomous system a_n in the AS Path attribute, the prefix information prefix>, and the number of explicit announcement events occurring in the BGP network is far smaller than the sum of the explicit withdrawal and implicit withdrawal events, the location and cause of the BGP network anomaly are that the prefix has been deleted in autonomous system a_n, or that a link or node inside autonomous system a_n has been repaired.
Of course, the present invention may also have various other embodiments. Without departing from the spirit and essence of the invention, those of ordinary skill in the art can make various corresponding changes and modifications according to the invention, but all such changes and modifications shall fall within the protection scope of the appended claims.

Claims (20)

1. An anomaly monitoring system for a BGP network, characterized in that it comprises an acquisition module and an analysis module;
The acquisition module is configured to establish a BGP adjacency with specific BGP nodes in the BGP network, so that the acquisition module is connected through the specific BGP nodes to all BGP nodes in the BGP network, and to receive BGP update messages from the specific BGP nodes;
The analysis module is configured to analyze the BGP update messages received by the acquisition module when those messages satisfy a certain condition, so as to determine where an anomaly occurs in the BGP network and the cause of the anomaly;
That the BGP update messages received by the acquisition module satisfy a certain condition means that the number of BGP update messages received by the acquisition module in some time period is greater than or equal to a preset maximum value, and the number received in some subsequent time period is less than or equal to a preset minimum value.
2. The anomaly monitoring system for a BGP network according to claim 1, characterized in that:
The acquisition module comprises a link module and a BGP update message acquisition module;
The link module is configured to connect to the specific BGP nodes in the BGP network, so that the acquisition module is connected through the specific BGP nodes to all BGP nodes in the BGP network;
The BGP update message acquisition module is configured to receive BGP update messages from the specific BGP nodes.
3. The anomaly monitoring system for a BGP network according to claim 1, characterized in that:
The analysis module comprises a character string module and a string analysis module;
The character string module is configured, when the BGP update messages received by the acquisition module satisfy a certain condition, to select from those messages the BGP update messages that need to be analyzed, to construct a string from each BGP update message that needs to be analyzed, and to select from the strings, according to predefined rules, the substring that meets the criteria;
The string analysis module is configured to analyze the substring selected by the character string module according to preset rules, so as to determine where an anomaly occurs in the BGP network and the cause of the anomaly.
4. The anomaly monitoring system for a BGP network according to claim 3, characterized in that selecting from the strings, according to predefined rules, the substring that meets the criteria means selecting from the strings the substring with the highest frequency of occurrence that has one of the following forms:
<the IP address of a BGP network node that has a neighbor relationship with the acquisition module>;
<the last autonomous system of the AS Path attribute, prefix information>;
<a_i in the AS Path attribute, a_j in the AS Path attribute>;
<the last autonomous system in the AS Path attribute>;
<nexthop, the first autonomous system in the AS Path attribute>.
5. The anomaly monitoring system for a BGP network according to claim 4, characterized in that:
When the selected substring has the format <IP of the BGP network node that is adjacent to the acquisition module>, the location and cause of the anomaly in the BGP network are that the BGP network node adjacent to the acquisition module has failed, or that the link the anomaly monitoring system uses to collect BGP update messages from that node has failed;
When the selected substring has the format <a_i in the AS Path attribute information, a_j in the AS Path attribute information>, the location and cause of the anomaly in the BGP network are a link fault or a protocol-related validity fault between autonomous system a_i and autonomous system a_j;
When the selected substring has the format <last autonomous system in the AS Path attribute information>, the location and cause of the anomaly in the BGP network are that a prefix hijack or a path black hole has occurred in that last autonomous system;
When the selected substring has the format <nexthop, first autonomous system in the AS Path attribute information>, the location and cause of the anomaly in the BGP network are Multi-Exit Discriminator (MED) oscillation or Interior Gateway Protocol traffic engineering inside that first autonomous system;
Traffic engineering here means mapping service traffic onto actual physical paths.
6. The anomaly monitoring system for a BGP network according to claim 4, characterized in that the string analysis module is also used to analyze, according to preset rules, the substrings selected by the string module in combination with the numbers of explicit announcement, explicit withdrawal and implicit withdrawal messages received by the BGP update message acquisition module, so as to determine where in the BGP network the anomaly occurs and why it occurs.
7. The anomaly monitoring system for a BGP network according to claim 6, characterized in that:
When the selected substring has the format <last autonomous system in the AS Path attribute information, prefix information>, and the number of explicit announcement events occurring in the BGP network is far greater than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the location and cause of the anomaly in the BGP network are that the last autonomous system has announced the prefix internally, or that a link or node inside the last autonomous system has been repaired;
When the selected substring has the format <last autonomous system in the AS Path attribute information, prefix information>, and the number of explicit announcement events occurring in the BGP network is approximately equal to the sum of the numbers of explicit withdrawal and implicit withdrawal events, the location and cause of the anomaly in the BGP network are that prefix oscillation or fluctuation has occurred in the last autonomous system;
When the selected substring has the format <last autonomous system in the AS Path attribute information, prefix information>, and the number of explicit announcement events occurring in the BGP network is far less than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the location and cause of the anomaly in the BGP network are that the prefix has been deleted in the last autonomous system, or that a link or node inside the last autonomous system has been repaired.
8. The anomaly monitoring system for a BGP network according to claim 7, characterized in that the number of explicit announcement events occurring in the BGP network being far greater than the sum of the numbers of explicit withdrawal and implicit withdrawal events means that the number of explicit announcement events in the BGP network is greater than or equal to 10 times the sum of the numbers of explicit withdrawal and implicit withdrawal events.
9. The anomaly monitoring system for a BGP network according to claim 7, characterized in that the number of explicit announcement events occurring in the BGP network being approximately equal to the sum of the numbers of explicit withdrawal and implicit withdrawal events means that the difference between them is less than or equal to at least one of: 5% of the number of explicit announcement events, or 5% of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
10. The anomaly monitoring system for a BGP network according to claim 7, characterized in that the number of explicit announcement events occurring in the BGP network being far less than the sum of the numbers of explicit withdrawal and implicit withdrawal events means that the number of explicit announcement events in the BGP network is less than or equal to 1/10 of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
11. An anomaly monitoring method for a BGP network, characterized in that it comprises the following steps:
Step 10: a collector establishes a BGP adjacency with a specific BGP node in the BGP network, so that the collector is connected, through that specific BGP node, to all BGP nodes in the BGP network; go to step 20;
Step 20: the collector collects all BGP update messages received from the specific BGP node and, according to a predefined frequency characteristic of BGP update message arrival, takes the BGP update messages that match this frequency characteristic as the set of BGP update messages to be analyzed; go to step 30;
Step 30: the BGP update messages in the set to be analyzed are analyzed; in combination with the BGP update messages the collector received before the analysis start time, the BGP update messages used to determine where in the BGP network the anomaly occurs and why are retrieved, and a string is constructed from each retrieved BGP update message; go to step 40;
Step 40: among the substrings of the strings constructed in step 30 that match the predefined formats, the most frequently occurring substring is searched for; go to step 50;
Step 50: the most frequently occurring substring found in step 40 is analyzed to determine where in the BGP network the anomaly occurs and why it occurs.
12. The anomaly monitoring method for a BGP network according to claim 11, characterized in that step 20 comprises the following steps:
Step 21: the collector collects all BGP update messages received from the specific BGP node and counts the BGP update messages received in each time period; if the number of BGP update messages received in a given time period is greater than or equal to a predefined maximum, the start time of that time period is taken as the analysis start time, and all BGP update messages received from that start time onward are collected; go to step 22;
Step 22: the collector continues to count the BGP update messages received in each time period; if the number of BGP update messages received in a given time period is less than or equal to a predefined minimum, the end time of that time period is taken as the analysis end time, and all BGP update messages received between the analysis start time and the analysis end time are taken as the set of messages to be analyzed.
13. The anomaly monitoring method for a BGP network according to claim 11, characterized in that step 30 comprises the following steps:
Step 31: when a BGP update message sent by a BGP network node adjacent to the collector announces one or more prefixes, go to step 32; when a BGP update message sent by a BGP network node adjacent to the collector is a withdrawal message for one or more prefixes, go to step 33;
Step 32: when a BGP update message sent by a BGP network node adjacent to the collector announces one or more prefixes, a string <IP address of the BGP network node, IP address of the nexthop, AS Path attribute information, prefix reached> is generated from that BGP update message; at the same time, for each prefix announced in that BGP update message, the historical BGP update message sent by the same BGP network node for the same prefix is retrieved, and a string <IP address of the BGP network node, IP address of the nexthop, AS Path attribute information, prefix reached> is generated from the retrieved historical BGP update message; the operation ends;
Step 33: when a BGP update message sent by a BGP network node adjacent to the collector is a withdrawal message for one or more prefixes, for each prefix in that BGP update message, the historical BGP announcement message sent by that BGP network node for the same prefix is retrieved, and a string <IP address of the BGP network node, IP address of the nexthop, AS Path attribute information, prefix reached> is generated from that historical BGP announcement message.
14. The anomaly monitoring method for a BGP network according to claim 11, characterized in that, in step 40, the predefined substring formats comprise the following:
<IP of the BGP network node that is adjacent to the collector>;
<last autonomous system in the AS Path attribute information, prefix information>;
<a_i in the AS Path attribute information, a_j in the AS Path attribute information>;
<last autonomous system in the AS Path attribute information>;
<nexthop, first autonomous system in the AS Path attribute information>.
15. The anomaly monitoring method for a BGP network according to claim 11, characterized in that, in step 50:
When the selected substring has the format <IP of the BGP network node that is adjacent to the collector>, the location and cause of the anomaly in the BGP network are that the BGP network node adjacent to the acquisition module has failed, or that the link the collector uses to collect BGP update messages from the BGP network node adjacent to the acquisition module has failed;
When the selected substring has the format <a_i in the AS Path attribute information, a_j in the AS Path attribute information>, the location and cause of the anomaly in the BGP network are a link fault or a protocol-related validity fault between autonomous system a_i and autonomous system a_j;
When the selected substring has the format <last autonomous system in the AS Path attribute information>, the location and cause of the anomaly in the BGP network are that a prefix hijack or a path black hole has occurred in that last autonomous system;
When the selected substring has the format <nexthop, first autonomous system in the AS Path attribute information>, the location and cause of the anomaly in the BGP network are Multi-Exit Discriminator (MED) oscillation or Interior Gateway Protocol traffic engineering inside that first autonomous system.
16. The anomaly monitoring method for a BGP network according to claim 14, characterized in that, in step 50, determining where in the BGP network the anomaly occurs and why further comprises a step of making that determination in combination with the numbers, counted by the collector, of explicit announcement, explicit withdrawal and implicit withdrawal events that have occurred in the BGP network since the collector established the adjacency with the specific BGP node.
17. The anomaly monitoring method for a BGP network according to claim 16, characterized in that, in step 50:
When the selected substring has the format <last autonomous system in the AS Path attribute information, prefix information>, and the number of explicit announcement events occurring in the BGP network is far greater than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the location and cause of the anomaly in the BGP network are that the last autonomous system has announced the prefix internally, or that a link or node inside the last autonomous system has been repaired;
When the selected substring has the format <last autonomous system in the AS Path attribute information, prefix information>, and the number of explicit announcement events occurring in the BGP network is approximately equal to the sum of the numbers of explicit withdrawal and implicit withdrawal events, the location and cause of the anomaly in the BGP network are that prefix oscillation or fluctuation has occurred in the last autonomous system;
When the selected substring has the format <last autonomous system in the AS Path attribute information, prefix information>, and the number of explicit announcement events occurring in the BGP network is far less than the sum of the numbers of explicit withdrawal and implicit withdrawal events, the location and cause of the anomaly in the BGP network are that the prefix has been deleted in the last autonomous system, or that a link or node inside the last autonomous system has been repaired.
18. The anomaly monitoring method for a BGP network according to claim 17, characterized in that the number of explicit announcement events occurring in the BGP network being far greater than the sum of the numbers of explicit withdrawal and implicit withdrawal events means that the number of explicit announcement events in the BGP network is greater than or equal to 10 times the sum of the numbers of explicit withdrawal and implicit withdrawal events.
19. The anomaly monitoring method for a BGP network according to claim 17, characterized in that the number of explicit announcement events occurring in the BGP network being approximately equal to the sum of the numbers of explicit withdrawal and implicit withdrawal events means that the difference between them is less than or equal to at least one of: 5% of the number of explicit announcement events, or 5% of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
20. The anomaly monitoring method for a BGP network according to claim 17, characterized in that the number of explicit announcement events occurring in the BGP network being far less than the sum of the numbers of explicit withdrawal and implicit withdrawal events means that the number of explicit announcement events in the BGP network is less than or equal to 1/10 of the sum of the numbers of explicit withdrawal and implicit withdrawal events.
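An added example, not code from the patent, that carries steps 30 to 50 of the claimed method (claims 13 to 20) through on a constructed update stream: it builds the strings, counts the five substring formats, and applies the 10x / 5% / 1/10 thresholds. Assumptions not stated in the claims: the record field names, counting each substring once per string, treating a_i and a_j as adjacent ASes on the path, counting an announcement that replaces a live route as an implicit withdrawal only, the tie-break order between formats, and the "undetermined" result for ratios the claims do not cover.

```python
from collections import Counter

# Tie-break between formats with equal counts, most specific first (assumption).
FORMAT_PRIORITY = ["origin_prefix", "nexthop_first_as", "as_link", "origin", "peer"]

def build_strings(updates):
    """Step 30: build <peer ip, nexthop, AS path, prefix> strings and count events."""
    rib, strings, counts = {}, [], Counter()
    for u in updates:
        key = (u["peer"], u["prefix"])
        old = rib.get(key)                      # last announcement from this peer
        if u["type"] == "A":
            new = (u["peer"], u["nexthop"], tuple(u["as_path"]), u["prefix"])
            strings.append(new)
            if old is None:
                counts["announce"] += 1
            else:                               # replaces a live route (assumption:
                strings.append(old)             # counted as implicit withdrawal only)
                counts["implicit_withdraw"] += 1
            rib[key] = new
        else:                                   # "W": explicit withdrawal
            counts["withdraw"] += 1
            if old is not None:
                strings.append(old)             # string comes from the history
                del rib[key]
    return strings, counts

def candidates(s):
    """Step 40: the five predefined substring formats found in one string."""
    peer, nexthop, path, prefix = s
    found = {("peer", peer), ("origin_prefix", path[-1], prefix),
             ("origin", path[-1]), ("nexthop_first_as", nexthop, path[0])}
    found.update(("as_link", a, b) for a, b in zip(path, path[1:]))  # adjacent ASes
    return found

def most_frequent_substring(strings):
    freq = Counter(c for s in strings for c in candidates(s))
    rank = lambda kv: (kv[1], -FORMAT_PRIORITY.index(kv[0][0]), kv[0][1:])
    return max(freq.items(), key=rank)

def classify(sub, counts):
    """Step 50: map the winning substring to a location and probable cause."""
    if sub[0] == "peer":
        return f"neighbour {sub[1]} or the collector's link to it has failed"
    if sub[0] == "as_link":
        return f"link or protocol fault between AS{sub[1]} and AS{sub[2]}"
    if sub[0] == "origin":
        return f"prefix hijack or path black hole in AS{sub[1]}"
    if sub[0] == "nexthop_first_as":
        return f"MED oscillation or IGP traffic engineering inside AS{sub[2]}"
    a, w = counts["announce"], counts["withdraw"] + counts["implicit_withdraw"]
    if a > 0 and a >= 10 * w:                   # "far greater than" (claim 18)
        return f"prefix announced, or link/node repaired, inside AS{sub[1]}"
    if a > 0 and (abs(a - w) <= 0.05 * a or abs(a - w) <= 0.05 * w):  # claim 19
        return f"prefix oscillation in AS{sub[1]}"
    if w > 0 and a <= w / 10:                   # "far less than" (claim 20)
        return f"prefix deleted in AS{sub[1]}, or link/node repair (claim wording)"
    return "undetermined"                       # ratios the claims do not cover

def analyse(updates):
    strings, counts = build_strings(updates)
    sub, n = most_frequent_substring(strings)
    return sub, n, classify(sub, counts)

def flap_events(peer, path, prefix, cycles):    # constructed announce/withdraw cycles
    a = {"type": "A", "peer": peer, "nexthop": peer, "prefix": prefix, "as_path": path}
    return [a, {"type": "W", "peer": peer, "prefix": prefix}] * cycles

# Constructed sample (documentation addresses, private ASNs): three peers see one
# prefix of AS64510 flap twice, plus one unrelated announce/withdraw pair.
SAMPLE_UPDATES = (flap_events("192.0.2.1", [64501, 64505, 64510], "198.51.100.0/24", 2)
                  + flap_events("192.0.2.2", [64502, 64506, 64510], "198.51.100.0/24", 2)
                  + flap_events("192.0.2.3", [64503, 64507, 64510], "198.51.100.0/24", 2)
                  + flap_events("192.0.2.1", [64501, 64511], "203.0.113.0/24", 1))

if __name__ == "__main__":
    print(analyse(SAMPLE_UPDATES))
```

On the sample, <origin AS, prefix> and <origin AS> both occur 12 times, so the outcome depends on the assumed tie-break; a deployment would have to fix that rule explicitly.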
CN2007103085571A 2007-12-29 2007-12-29 System and method for monitoring abnormity of BGP network Expired - Fee Related CN101471824B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007103085571A CN101471824B (en) 2007-12-29 2007-12-29 System and method for monitoring abnormity of BGP network

Publications (2)

Publication Number Publication Date
CN101471824A CN101471824A (en) 2009-07-01
CN101471824B CN101471824B (en) 2011-05-04

Family

ID=40828967

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007103085571A Expired - Fee Related CN101471824B (en) 2007-12-29 2007-12-29 System and method for monitoring abnormity of BGP network

Country Status (1)

Country Link
CN (1) CN101471824B (en)


Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1741481A (en) * 2005-09-22 2006-03-01 中国科学院计算技术研究所 The analytical method of interfield routing instability
CN1859239A (en) * 2006-06-07 2006-11-08 北京邮电大学 Monitoring and analytic system for route between domain of internet and its working method

Also Published As

Publication number Publication date
CN101471824A (en) 2009-07-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20110504

Termination date: 20201229