Internet eXchange Points play key roles in contributing to a more resilient and secure Internet and in this sense Namex is continuing the development of all those defense mechanisms to mitigate the most common routing threats.
As you know, Namex route servers perform initial filtering on routes received from their peers (RPKI+IRRs filtering), thus guaranteeing greater reliability of announced routes (protection against hijacks, the announcement of Bogons/Martians, and default routes). Route servers take care of applying proper input filtering to all the BGP announcements. In terms of routing security, the advantages of doing peering at Namex route servers:
- Saves time and effort for Namex members
- Namex provides multiple RS running different software for redundancy
- Professionally maintained and automatically updated, so smaller chance of mistakes
But what happens on bilateral sessions and private interconnections? We think that real-time monitoring could be a good way to understand what is happening. That’s where BGPalerter comes into play!
The tool
BGPalerter is a self-configuring BGP monitoring tool – developed by Massimo Candela of NTT – which analyses streams of BGP data from various sources. It is pre-configured for real-time detection of visibility loss, RPKI invalid announcements, hijacks, and more.
BGPalerter allows you to monitor in real-time routing conditions such as:
- any of your prefixes loses visibility;
- any of your prefixes is hijacked;
- your AS is announcing RPKI invalid prefixes (e.g., not matching prefix length);
- your AS is announcing prefixes not covered by ROAs;
- ROAs covering your prefixes are no longer reachable (e.g., TA malfunction);
- a ROA involving any of your prefixes or ASes was deleted/added/edited;
- your AS is announcing a new prefix that was never announced before;
- one of the AS paths used to reach your prefix matches a specific condition defined by you.
You don’t need to provide any data source or connect it to anything in your network since it autonomously connects and retrieves data from publicly available repositories.
Namex provides its own installation of a BGPalerter instance exclusively to its members, but a standalone setup is possible for anyone who is interested in monitoring its own network prefixes. Read the following to know how to set it up.
Sample alerts
Here are a couple of examples that can be generated and sent by a BGPalerter instance:
Standalone installation and setup
You can run BGPalerter as a standalone Linux Service, the original instructions that follow are based on RHEL7 systems, the same setup has been reproduced on an Ubuntu 20.04 system.
Setup the application environment
Create a user for BGPalerter:
sudo adduser bgpalerter
sudo su bgpalerterIn the home directory, download BGPalerter Linux binary executable and execute it:
cd /home/bgpalerter
wget https://github.com/nttgin/BGPalerter/releases/latest/download/bgpalerter-linux-x64
chmod +x bgpalerter-linux-x64
./bgpalerter-linux-x64The auto-configuration will start at the end of which all the needed files will be created. The application will also create logs and src subdirectories here if needed.
Here’s an example of the interactive setup, you just need to specify your Autonomous System number and answer a few questions:
Run BGPalerter as a systemd service
After the first setup and run, you can stop the application (CTRL+C) and proceed with the configuration of a systemd service file:
sudo vi /etc/systemd/system/bgpalerter.serviceContents of the file should be as follows:
[Unit]
Description=BGPalerter
After=network.target
[Service]
Type=simple
Restart=on-failure
User=bgpalerter
WorkingDirectory=/home/bgpalerter
ExecStart=/home/bgpalerter/bgpalerter-linux-x64
[Install]
WantedBy=multi-user.targetAfter saving the file, you need to reload the systemd daemon:
sudo systemctl daemon-reloadand then enable the service at startup and finally start it as a service:
sudo systemctl enable bgpalerter
sudo systemctl start bgpalerterEnable automatic updates
Optionally, you can turn on automatic updates of the binary executable. Create a simple upgrade shell script as follows:
cd /home/bgpalerter
vi upgrade.shThe file needs to be executable:
chmod +x upgrade.sh
chown bgpalerter:bgpalerter /home/bgpalerter/upgrade.shThe contents of this file should be as follows:
#!/usr/bin/env bash
#If log file does not exist, create it
if [ ! -f /home/bgpalerter/logs/upgrade.log ]; then
touch /home/bgpalerter/logs/upgrade.log
chown bgpalerter:bgpalerter /home/bgpalerter/logs/upgrade.log
fi
#Log everything if executing manually
exec 1> /home/bgpalerter/logs/upgrade.log 2>&1
set -vex
PS4='+\t '
#Download the latest version and save it to a temp file
wget -O bgpalerter-linux-x64.tmp https://github.com/nttgin/BGPalerter/releases/latest/download/bgpalerter-linux-x64
#Set permissions and ownership to execute the file and capture the version
chmod +x bgpalerter-linux-x64.tmp
chown -R bgpalerter:bgpalerter /home/bgpalerter/
#Set variables to compare versions
if [ -f bgpalerter-linux-x64 ]; then
#If a file exists already
v1=$(./bgpalerter-linux-x64 -v)
v2=$(./bgpalerter-linux-x64.tmp -v)
else
#If the file does not exist - For testing purposes
v1=$"0"
v2=$(./bgpalerter-linux-x64.tmp -v)
fi
#If the versions are not the same
if [ "$v1" == "0" ];then
#Rename the temp file
mv bgpalerter-linux-x64.tmp bgpalerter-linux-x64
#Restart the service
systemctl restart bgpalerter
#Pause for one second for service to fully start
sleep 1
elif [ "$v1" != "$v2" ];then
#Rename the old binary and append the version
mv bgpalerter-linux-x64 "bgpalerter-linux-x64-$v1"
#Rename the temp file
mv bgpalerter-linux-x64.tmp bgpalerter-linux-x64
#Restart the service
systemctl restart bgpalerter
#Pause for one second for service to fully start
sleep 1
else
#If the versions are the same - delete the temp file
rm bgpalerter-linux-x64.tmp
fi
#Log service status
systemctl status bgpalerter -l
#Delete renamed binaries older than 60 days
find -type f -name 'bgpalerter-linux-x64-*' -mtime +60 -delete
#Delete log file if larger than 5MB
find /home/bgpalerter/logs/ -type f -name "upgrade.log" -size +5M -delete
Configure a cron job to run, in this case, weekly:
crontab -eThe contents of this file should be as follows:
0 0 * * 0 /home/bgpalerter/upgrade.shConfigure email alerts
In the config.yml configuration file, find the following section:
# - file: reportEmail
# channels:
# - hijack
# - newprefix
# - visibility
# - path
# - misconfiguration
# - rpki
# params:
# showPaths: 5 # Amount of AS_PATHs to report in the alert
# senderEmail: bgpalerter@xxxx
# # BGPalerter uses nodemailer.
# # The smtp section can be configured with all the parameters available at https://nodemailer.com/smtp/
# # the following are just the most useful one
# smtp:
# host: localhost
# port: 25
# secure: false # If true the connection will use TLS when connecting to server. If false it will be still possible doing connection upgrade via STARTTLS
# ignoreTLS: false # If true TLS will be completely disabled, including STARTTLS. Set this to true if you see certificate errors in the logs.
# auth:
# user: username
# pass: password
# type: login
# tls:
# rejectUnauthorized: true # Reject unauthorized certificates
# notifiedEmails:
# default:
# - admin@example.org
# noc:
# - joe@example.org
# - seb@example.org
Uncomment this section to enable email alerts, please note that the default smtp section should work for local Sendmail installations, if you need a different setup please refer to the full BGPalerter configuration guide and Nodemailer documentation.
In order to configure email addresses, pay attention to the following lines:
# senderEmail: bgpalerter@xxxxthis should be set to whatever the sender email should be, a typical value may be bgpalerter@yourdomain.
# notifiedEmails:
# default:
# - admin@example.org
# noc:
# - joe@example.org
# - seb@example.orgUnder the default section you should specify an email address for receiving general operational alerts, while under the noc section you can list several email address you want to send BGP alert to (please note that this is YAML syntax, check for spaces/indentation).
After saving the configuration, restart the service (as root):
sudo systemctl restart bgpalerter.service