Routing Security

BGPalerter, a tool for monitoring your BGP

Internet eXchange Points play a key role in making the Internet more resilient and secure. To that end, Namex continues to develop defense mechanisms that mitigate the most common routing threats.

As you know, Namex route servers perform initial filtering on routes received from their peers (RPKI+IRRs filtering), thus guaranteeing greater reliability of announced routes (protection against hijacks, the announcement of Bogons/Martians, and default routes). Route servers take care of applying proper input filtering to all the BGP announcements.
In terms of routing security, peering at Namex route servers has the following advantages:

  • Saves time and effort for Namex members
  • Namex provides multiple RS running different software for redundancy
  • Professionally maintained and automatically updated, so smaller chance of mistakes

But what happens on bilateral sessions and private interconnections? We think that real-time monitoring could be a good way to understand what is happening. That’s where BGPalerter comes into play!

The tool

BGPalerter is a self-configuring BGP monitoring tool – developed by Massimo Candela of NTT – which analyses streams of BGP data from various sources. It is pre-configured for real-time detection of visibility loss, RPKI invalid announcements, hijacks, and more.

BGPalerter lets you monitor routing conditions in real time, such as when:

  • any of your prefixes loses visibility;
  • any of your prefixes is hijacked;
  • your AS is announcing RPKI invalid prefixes (e.g., not matching prefix length);
  • your AS is announcing prefixes not covered by ROAs;
  • ROAs covering your prefixes are no longer reachable (e.g., TA malfunction);
  • a ROA involving any of your prefixes or ASes was deleted/added/edited;
  • your AS is announcing a new prefix that was never announced before;
  • one of the AS paths used to reach your prefix matches a specific condition defined by you.

You don’t need to provide any data source or connect it to anything in your network since it autonomously connects and retrieves data from publicly available repositories.
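The two RPKI conditions in the list above (an RPKI invalid announcement versus a prefix not covered by any ROA) are the outcomes of route origin validation as defined in RFC 6811. The Python below is an added example, not BGPalerter's own code; the ROAs and announcements are constructed from documentation prefixes and AS numbers, and the split of "invalid" into a length reason and an origin reason is this example's own labelling.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # prefix the ROA covers
    max_length: int  # longest prefix length it authorises
    asn: int         # authorised origin AS

# Constructed sample data: documentation prefixes (RFC 5737, RFC 3849)
# and documentation AS numbers (RFC 5398). These are not real ROAs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
]

# Constructed announcements, as (prefix, origin AS) pairs.
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # matches the ROA exactly
    ("192.0.2.128/25", 64500),   # more specific than maxLength 24
    ("192.0.2.0/24", 64501),     # covered, but wrong origin
    ("203.0.113.0/24", 64500),   # no covering ROA
    ("2001:db8:1::/48", 64500),  # within maxLength 48
]

def validate(prefix, origin, roas):
    """Return 'valid', 'not-found', 'invalid-length' or 'invalid-origin'."""
    net = ipaddress.ip_network(prefix)
    # A ROA covers the route if the route's prefix sits inside the ROA prefix.
    covering = [
        r for r in roas
        if ipaddress.ip_network(r.prefix).version == net.version
        and net.subnet_of(ipaddress.ip_network(r.prefix))
    ]
    if not covering:
        return "not-found"        # the "not covered by ROAs" case
    if any(r.asn == origin and net.prefixlen <= r.max_length for r in covering):
        return "valid"
    # Covered, but no ROA matches both origin and length: the route is invalid.
    if any(r.asn == origin for r in covering):
        return "invalid-length"   # right origin, longer than maxLength
    return "invalid-origin"       # origin AS is not authorised for this prefix

def rpki_alerts(announcements, roas):
    """Return (prefix, origin, state) for every announcement that is not valid."""
    results = [(p, o, validate(p, o, roas)) for p, o in announcements]
    return [r for r in results if r[2] != "valid"]
```

Calling `rpki_alerts(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)` returns the three announcements that would warrant attention, each with the reason it failed.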

Namex provides its own installation of a BGPalerter instance exclusively to its members, but a standalone setup is possible for anyone who is interested in monitoring their own network prefixes. Read on to learn how to set it up.

Sample alerts

Here are some examples of alerts that a BGPalerter instance can generate and send:

Example alert: prefix withdrawal
Example alert: RPKI mismatch on newly announced prefix
Example alert: prefix hijacking

Standalone installation and setup

You can run BGPalerter as a standalone Linux service. The instructions that follow were originally written for RHEL7 systems; the same setup has been reproduced on an Ubuntu 20.04 system.

Set up the application environment

Create a user for BGPalerter:

sudo adduser bgpalerter
sudo su bgpalerter

In the home directory, download the BGPalerter Linux binary executable and run it:

cd /home/bgpalerter
wget https://github.com/nttgin/BGPalerter/releases/latest/download/bgpalerter-linux-x64
chmod +x bgpalerter-linux-x64
./bgpalerter-linux-x64

The auto-configuration will start; when it finishes, all the needed files will have been created. The application will also create logs and src subdirectories here if needed.

Here’s an example of the interactive setup. You just need to specify your Autonomous System number and answer a few questions:

Example session with a first run and configuration

Run BGPalerter as a systemd service

After the first setup and run, you can stop the application (CTRL+C) and proceed with the configuration of a systemd service file:

sudo vi /etc/systemd/system/bgpalerter.service

Contents of the file should be as follows:

[Unit]
Description=BGPalerter
After=network.target

[Service]
Type=simple
Restart=on-failure
User=bgpalerter
WorkingDirectory=/home/bgpalerter
ExecStart=/home/bgpalerter/bgpalerter-linux-x64

[Install]
WantedBy=multi-user.target

After saving the file, you need to reload the systemd daemon:

sudo systemctl daemon-reload

and then enable the service at startup and finally start it as a service:

sudo systemctl enable bgpalerter

sudo systemctl start bgpalerter

Enable automatic updates

Optionally, you can turn on automatic updates of the binary executable. Create a simple upgrade shell script as follows:

cd /home/bgpalerter

vi upgrade.sh

The file needs to be executable:

chmod +x upgrade.sh
chown bgpalerter:bgpalerter /home/bgpalerter/upgrade.sh

The contents of this file should be as follows:

#!/usr/bin/env bash

#If log file does not exist, create it
if [ ! -f /home/bgpalerter/logs/upgrade.log ]; then
  touch /home/bgpalerter/logs/upgrade.log
  chown bgpalerter:bgpalerter /home/bgpalerter/logs/upgrade.log
fi

#Log everything if executing manually
exec 1> /home/bgpalerter/logs/upgrade.log 2>&1
set -vex
PS4='+\t '

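#Work in the install directory: cron may start the script from another directory and the paths below are relative
cd /home/bgpalerter || exit 1

#Download the latest version and save it to a temp file
wget -O bgpalerter-linux-x64.tmp https://github.com/nttgin/BGPalerter/releases/latest/download/bgpalerter-linux-x64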

#Set permissions and ownership to execute the file and capture the version
chmod +x bgpalerter-linux-x64.tmp
chown -R bgpalerter:bgpalerter /home/bgpalerter/

#Set variables to compare versions
if [ -f bgpalerter-linux-x64 ]; then
  #If a file exists already
  v1=$(./bgpalerter-linux-x64 -v)
  v2=$(./bgpalerter-linux-x64.tmp -v)

else
  #If the file does not exist - For testing purposes
  v1="0"
  v2=$(./bgpalerter-linux-x64.tmp -v)
fi

#If there was no previous binary, install the downloaded one; otherwise replace it only if the versions differ
if [ "$v1" == "0" ];then
  #Rename the temp file
  mv bgpalerter-linux-x64.tmp bgpalerter-linux-x64

  #Restart the service
  systemctl restart bgpalerter

  #Pause for one second for service to fully start
  sleep 1

elif [ "$v1" != "$v2" ];then
  #Rename the old binary and append the version
  mv bgpalerter-linux-x64 "bgpalerter-linux-x64-$v1"

  #Rename the temp file
  mv bgpalerter-linux-x64.tmp bgpalerter-linux-x64

  #Restart the service
  systemctl restart bgpalerter
  
  #Pause for one second for service to fully start
  sleep 1

else
  #If the versions are the same - delete the temp file
  rm bgpalerter-linux-x64.tmp
fi

#Log service status
systemctl status bgpalerter -l

#Delete renamed binaries older than 60 days
find /home/bgpalerter -type f -name 'bgpalerter-linux-x64-*' -mtime +60 -delete

#Delete log file if larger than 5MB
find /home/bgpalerter/logs/ -type f -name "upgrade.log" -size +5M -delete

Configure a cron job to run the script, in this case weekly:

crontab -e

The contents of this file should be as follows:

0 0 * * 0 /home/bgpalerter/upgrade.sh

Configure email alerts

In the config.yml configuration file, find the following section:

#  - file: reportEmail
#    channels:
#      - hijack
#      - newprefix
#      - visibility
#      - path
#      - misconfiguration
#      - rpki
#    params:
#      showPaths: 5 # Amount of AS_PATHs to report in the alert
#      senderEmail: bgpalerter@xxxx
#      # BGPalerter uses nodemailer.
#      # The smtp section can be configured with all the parameters available at https://nodemailer.com/smtp/
#      # the following are just the most useful one
#      smtp:
#        host: localhost
#        port: 25
#        secure: false # If true the connection will use TLS when connecting to server. If false it will be still possible doing connection upgrade via STARTTLS
#        ignoreTLS: false # If true TLS will be completely disabled, including STARTTLS. Set this to true if you see certificate errors in the logs.
#        auth:
#          user: username
#          pass: password
#          type: login
#        tls:
#          rejectUnauthorized: true  # Reject unauthorized certificates
#      notifiedEmails:
#        default:
#          - admin@example.org
#        noc:
#          - joe@example.org
#          - seb@example.org

Uncomment this section to enable email alerts. Please note that the default smtp section should work for local Sendmail installations; if you need a different setup, please refer to the full BGPalerter configuration guide and the Nodemailer documentation.

In order to configure email addresses, pay attention to the following lines:

#      senderEmail: bgpalerter@xxxx

This should be set to whatever the sender email should be; a typical value may be bgpalerter@yourdomain.

#      notifiedEmails:
#        default:
#          - admin@example.org
#        noc:
#          - joe@example.org
#          - seb@example.org

Under the default section you should specify an email address for receiving general operational alerts, while under the noc section you can list the email addresses you want BGP alerts sent to (please note that this is YAML syntax, so check the spaces/indentation).

After saving the configuration, restart the service (as root):

sudo systemctl restart bgpalerter.service