class BGPDataConsumer(object): """docstring for BGPDataAggregator""" def __init__( self, route_collector="rrc00", rpki_validator="rpki-validator.realmv6.org:8282", ): self.rc = route_collector rpki = rpki_validator.split(":") self.mgr = RTRManager(rpki[0], rpki[1]) # self._start_rtr_manager() self.stream = BGPStream() self.rec = BGPRecord() def __del__(self): if self.mgr.is_synced(): self.mgr.stop() def _start_rtr_manager(self): self.mgr.start() while not self.mgr.is_synced(): sleep(0.2) if status.error: print("Connection error") exit()
def test(self): """ Loads a test file that includes crafted bgp updates as input and expected messages as output. """ RABBITMQ_USER = os.getenv("RABBITMQ_USER", "guest") RABBITMQ_PASS = os.getenv("RABBITMQ_PASS", "guest") RABBITMQ_HOST = os.getenv("RABBITMQ_HOST", "rabbitmq") RABBITMQ_PORT = os.getenv("RABBITMQ_PORT", 5672) RABBITMQ_URI = "amqp://{}:{}@{}:{}//".format(RABBITMQ_USER, RABBITMQ_PASS, RABBITMQ_HOST, RABBITMQ_PORT) RPKI_VALIDATOR_HOST = os.getenv("RPKI_VALIDATOR_HOST", "routinator") RPKI_VALIDATOR_PORT = os.getenv("RPKI_VALIDATOR_PORT", 3323) # check RPKI RTR manager connectivity while True: try: rtrmanager = RTRManager(RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT) rtrmanager.start() print("Connected to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT)) rtrmanager.stop() break except Exception: print("Could not connect to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT)) print("Retrying in 30 seconds...") time.sleep(30) # exchanges self.update_exchange = Exchange("bgp-update", type="direct", durable=False, delivery_mode=1) self.hijack_exchange = Exchange("hijack-update", type="direct", durable=False, delivery_mode=1) self.pg_amq_bridge = Exchange("amq.direct", type="direct", durable=True, delivery_mode=1) # queues self.update_queue = Queue( "detection-testing", exchange=self.pg_amq_bridge, routing_key="update-update", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) self.hijack_queue = Queue( "hijack-testing", exchange=self.hijack_exchange, routing_key="update", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) self.hijack_db_queue = Queue( "hijack-db-testing", exchange=self.pg_amq_bridge, routing_key="hijack-update", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) with Connection(RABBITMQ_URI) as connection: print("Waiting for pg_amq exchange..") Tester.waitExchange(self.pg_amq_bridge, connection.default_channel) print("Waiting for hijack exchange..") Tester.waitExchange(self.hijack_exchange, connection.default_channel) print("Waiting for update exchange..") Tester.waitExchange(self.update_exchange, connection.default_channel) # query database for the states of the processes db_con = self.getDbConnection() db_cur = db_con.cursor() query = "SELECT name FROM process_states WHERE running=True" running_modules = set() # wait until all 5 modules are running while len(running_modules) < 5: db_cur.execute(query) entries = db_cur.fetchall() for entry in entries: running_modules.add(entry[0]) db_con.commit() print("Running modules: {}".format(running_modules)) print("{}/5 modules are running.".format(len(running_modules))) time.sleep(1) Tester.config_request_rpc(connection) time.sleep(10) for testfile in os.listdir("testfiles/"): self.clear() self.curr_test = testfile self.messages = {} # load test with open("testfiles/{}".format(testfile), "r") as f: self.messages = json.load(f) send_len = len(self.messages) with nested( connection.Consumer( self.hijack_queue, callbacks=[self.validate_message], accept=["ujson"], ), connection.Consumer( self.update_queue, callbacks=[self.validate_message], accept=["ujson", "txtjson"], ), connection.Consumer( self.hijack_db_queue, callbacks=[self.validate_message], accept=["ujson", "txtjson"], ), ): send_cnt = 0 # send and validate all messages in the messages.json file while send_cnt < send_len: self.curr_idx = send_cnt self.send_next_message(connection) send_cnt += 1 # sleep until we receive all expected messages while self.curr_idx != send_cnt: time.sleep(0.1) try: connection.drain_events(timeout=10) except socket.timeout: # avoid infinite loop by timeout assert False, "Consumer timeout" connection.close() time.sleep(5) self.supervisor.supervisor.stopAllProcesses() self.waitProcess("listener", 0) # 0 STOPPED self.waitProcess("clock", 0) # 0 STOPPED self.waitProcess("detection", 0) # 0 STOPPED self.waitProcess("configuration", 0) # 0 STOPPED self.waitProcess("database", 0) # 0 STOPPED self.waitProcess("observer", 0) # 0 STOPPED
class Worker(ConsumerProducerMixin): """ RabbitMQ Consumer/Producer for this Service. """ def __init__(self, connection: Connection) -> NoReturn: self.connection = connection self.timestamp = -1 self.rules = None self.prefix_tree = None self.mon_num = 1 setattr(self, "publish_hijack_fun", self.publish_hijack_result_production) if TEST_ENV == "true": setattr(self, "publish_hijack_fun", self.publish_hijack_result_test) self.redis = redis.Redis(host=REDIS_HOST, port=REDIS_PORT) ping_redis(self.redis) self.rtrmanager = None if RPKI_VALIDATOR_ENABLED == "true": while True: try: self.rtrmanager = RTRManager( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT ) self.rtrmanager.start() log.info( "Connected to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT ) ) break except Exception: log.info( "Could not connect to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT ) ) log.info("Retrying RTR connection in 5 seconds...") time.sleep(5) # EXCHANGES self.update_exchange = Exchange( "bgp-update", channel=connection, type="direct", durable=False, delivery_mode=1, ) self.update_exchange.declare() self.hijack_exchange = Exchange( "hijack-update", channel=connection, type="direct", durable=False, delivery_mode=1, ) self.hijack_exchange.declare() self.hijack_hashing = Exchange( "hijack-hashing", channel=connection, type="x-consistent-hash", durable=False, delivery_mode=1, ) self.hijack_hashing.declare() self.handled_exchange = Exchange( "handled-update", channel=connection, type="direct", durable=False, delivery_mode=1, ) self.config_exchange = Exchange( "config", channel=connection, type="direct", durable=False, delivery_mode=1, ) self.pg_amq_bridge = Exchange( "amq.direct", type="direct", durable=True, delivery_mode=1 ) # QUEUES self.update_queue = Queue( "detection-update-update", exchange=self.pg_amq_bridge, routing_key="update-insert", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) self.hijack_ongoing_queue = Queue( "detection-hijack-ongoing", exchange=self.hijack_exchange, routing_key="ongoing", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) self.config_queue = Queue( "detection-config-notify-{}".format(uuid()), exchange=self.config_exchange, routing_key="notify", durable=False, auto_delete=True, max_priority=3, consumer_arguments={"x-priority": 3}, ) self.config_request_rpc() log.info("started") def get_consumers( self, Consumer: Consumer, channel: Connection ) -> List[Consumer]: return [ Consumer( queues=[self.config_queue], on_message=self.handle_config_notify, prefetch_count=1, accept=["ujson"], ), Consumer( queues=[self.update_queue], on_message=self.handle_bgp_update, prefetch_count=100, accept=["ujson", "txtjson"], ), Consumer( queues=[self.hijack_ongoing_queue], on_message=self.handle_ongoing_hijacks, prefetch_count=10, accept=["ujson"], ), ] def on_consume_ready(self, connection, channel, consumers, **kwargs): self.producer.publish( self.timestamp, exchange=self.hijack_exchange, routing_key="ongoing-request", priority=1, serializer="ujson", ) def handle_config_notify(self, message: Dict) -> NoReturn: """ Consumer for Config-Notify messages that come from the configuration service. Upon arrival this service updates its running configuration. """ message.ack() log.debug("message: {}\npayload: {}".format(message, message.payload)) raw = message.payload if raw["timestamp"] > self.timestamp: self.timestamp = raw["timestamp"] self.rules = raw.get("rules", []) self.init_detection() # Request ongoing hijacks from DB self.producer.publish( self.timestamp, exchange=self.hijack_exchange, routing_key="ongoing-request", priority=1, serializer="ujson", ) def config_request_rpc(self) -> NoReturn: """ Initial RPC of this service to request the configuration. The RPC is blocked until the configuration service replies back. """ self.correlation_id = uuid() callback_queue = Queue( uuid(), durable=False, auto_delete=True, max_priority=4, consumer_arguments={"x-priority": 4}, ) self.producer.publish( "", exchange="", routing_key="config-request-queue", reply_to=callback_queue.name, correlation_id=self.correlation_id, retry=True, declare=[ Queue( "config-request-queue", durable=False, max_priority=4, consumer_arguments={"x-priority": 4}, ), callback_queue, ], priority=4, serializer="ujson", ) with Consumer( self.connection, on_message=self.handle_config_request_reply, queues=[callback_queue], accept=["ujson"], ): while self.rules is None: self.connection.drain_events() log.debug("{}".format(self.rules)) def handle_config_request_reply(self, message: Dict): """ Callback function for the config request RPC. Updates running configuration upon receiving a new configuration. """ message.ack() log.debug("message: {}\npayload: {}".format(message, message.payload)) if self.correlation_id == message.properties["correlation_id"]: raw = message.payload if raw["timestamp"] > self.timestamp: self.timestamp = raw["timestamp"] self.rules = raw.get("rules", []) self.init_detection() def init_detection(self) -> NoReturn: """ Updates rules everytime it receives a new configuration. """ log.info("Initiating detection...") log.info("Starting building detection prefix tree...") self.prefix_tree = { "v4": pytricia.PyTricia(32), "v6": pytricia.PyTricia(128), } raw_prefix_count = 0 for rule in self.rules: try: rule_translated_origin_asn_set = set() for asn in rule["origin_asns"]: this_translated_asn_list = flatten(translate_asn_range(asn)) rule_translated_origin_asn_set.update( set(this_translated_asn_list) ) rule["origin_asns"] = list(rule_translated_origin_asn_set) rule_translated_neighbor_set = set() for asn in rule["neighbors"]: this_translated_asn_list = flatten(translate_asn_range(asn)) rule_translated_neighbor_set.update( set(this_translated_asn_list) ) rule["neighbors"] = list(rule_translated_neighbor_set) conf_obj = { "origin_asns": rule["origin_asns"], "neighbors": rule["neighbors"], "policies": set(rule["policies"]), "community_annotations": rule["community_annotations"], } for prefix in rule["prefixes"]: for translated_prefix in translate_rfc2622(prefix): ip_version = get_ip_version(translated_prefix) if self.prefix_tree[ip_version].has_key(translated_prefix): node = self.prefix_tree[ip_version][translated_prefix] else: node = { "prefix": translated_prefix, "data": {"confs": []}, } self.prefix_tree[ip_version].insert( translated_prefix, node ) node["data"]["confs"].append(conf_obj) raw_prefix_count += 1 except Exception: log.exception("Exception") log.info( "{} prefixes integrated in detection prefix tree in total".format( raw_prefix_count ) ) log.info("Finished building detection prefix tree.") log.info("Detection initiated, configured and running.") def handle_ongoing_hijacks(self, message: Dict) -> NoReturn: """ Handles ongoing hijacks from the database. """ log.debug("{} ongoing hijack events".format(len(message.payload))) message.ack() for update in message.payload: self.handle_bgp_update(update) def handle_bgp_update(self, message: Dict) -> NoReturn: """ Callback function that runs the main logic of detecting hijacks for every bgp update. """ # log.debug('{}'.format(message)) if isinstance(message, dict): monitor_event = message else: message.ack() monitor_event = message.payload monitor_event["path"] = monitor_event["as_path"] monitor_event["timestamp"] = datetime( *map(int, re.findall(r"\d+", monitor_event["timestamp"])) ).timestamp() raw = monitor_event.copy() # mark the initial redis hijack key since it may change upon # outdated checks if "hij_key" in monitor_event: monitor_event["initial_redis_hijack_key"] = redis_key( monitor_event["prefix"], monitor_event["hijack_as"], monitor_event["hij_type"], ) is_hijack = False if monitor_event["type"] == "A": monitor_event["path"] = Detection.Worker.__clean_as_path( monitor_event["path"] ) ip_version = get_ip_version(monitor_event["prefix"]) if monitor_event["prefix"] in self.prefix_tree[ip_version]: prefix_node = self.prefix_tree[ip_version][monitor_event["prefix"]] monitor_event["matched_prefix"] = prefix_node["prefix"] try: path_hijacker = -1 pol_hijacker = -1 hij_dimensions = [ "-", "-", "-", "-", ] # prefix, path, dplane, policy hij_dimension_index = 0 for func_dim in self.__hijack_dimension_checker_gen(): if hij_dimension_index == 0: # prefix dimension for func_pref in func_dim(): hij_dimensions[hij_dimension_index] = func_pref( monitor_event, prefix_node ) if hij_dimensions[hij_dimension_index] != "-": break elif hij_dimension_index == 1: # path type dimension for func_path in func_dim(len(monitor_event["path"])): ( path_hijacker, hij_dimensions[hij_dimension_index], ) = func_path(monitor_event, prefix_node) if hij_dimensions[hij_dimension_index] != "-": break elif hij_dimension_index == 2: # data plane dimension for func_dplane in func_dim(): hij_dimensions[hij_dimension_index] = func_dplane( monitor_event, prefix_node ) if hij_dimensions[hij_dimension_index] != "-": break elif hij_dimension_index == 3: # policy dimension for func_pol in func_dim(len(monitor_event["path"])): ( pol_hijacker, hij_dimensions[hij_dimension_index], ) = func_pol(monitor_event, prefix_node) if hij_dimensions[hij_dimension_index] != "-": break hij_dimension_index += 1 # check if dimension combination in hijack combinations # and commit hijack if hij_dimensions in HIJACK_DIM_COMBINATIONS: is_hijack = True # show pol hijacker only if the path hijacker is uncertain hijacker = path_hijacker if path_hijacker == -1 and pol_hijacker != -1: hijacker = pol_hijacker self.commit_hijack(monitor_event, hijacker, hij_dimensions) except Exception: log.exception("exception") outdated_hijack = None if not is_hijack and "hij_key" in monitor_event: try: # outdated hijack, benign from now on redis_hijack_key = redis_key( monitor_event["prefix"], monitor_event["hijack_as"], monitor_event["hij_type"], ) outdated_hijack = self.redis.get(redis_hijack_key) purge_redis_eph_pers_keys( self.redis, redis_hijack_key, monitor_event["hij_key"] ) # mark in DB only if it is the first time this hijack was purged (pre-existent in redis) if outdated_hijack: self.mark_outdated( monitor_event["hij_key"], redis_hijack_key ) except Exception: log.exception("exception") elif ( is_hijack and "hij_key" in monitor_event and monitor_event["initial_redis_hijack_key"] != monitor_event["final_redis_hijack_key"] ): try: outdated_hijack = self.redis.get( monitor_event["initial_redis_hijack_key"] ) # outdated hijack, but still a hijack; need key change purge_redis_eph_pers_keys( self.redis, monitor_event["initial_redis_hijack_key"], monitor_event["hij_key"], ) # mark in DB only if it is the first time this hijack was purged (pre-existsent in redis) if outdated_hijack: self.mark_outdated( monitor_event["hij_key"], monitor_event["initial_redis_hijack_key"], ) except Exception: log.exception("exception") elif not is_hijack: self.gen_implicit_withdrawal(monitor_event) self.mark_handled(raw) if outdated_hijack: try: outdated_hijack = json.loads(outdated_hijack) outdated_hijack["end_tag"] = "outdated" mail_log.info( "{}".format( json.dumps( hijack_log_field_formatter(outdated_hijack), indent=4, ) ), extra={ "community_annotation": outdated_hijack.get( "community_annotation", "NA" ) }, ) hij_log.info( "{}".format( json.dumps(hijack_log_field_formatter(outdated_hijack)) ), extra={ "community_annotation": outdated_hijack.get( "community_annotation", "NA" ) }, ) except Exception: log.exception("exception") elif monitor_event["type"] == "W": self.producer.publish( { "prefix": monitor_event["prefix"], "peer_asn": monitor_event["peer_asn"], "timestamp": monitor_event["timestamp"], "key": monitor_event["key"], }, exchange=self.update_exchange, routing_key="withdraw", priority=0, serializer="ujson", ) @staticmethod def __remove_prepending(seq: List[int]) -> Tuple[List[int], bool]: """ Static method to remove prepending ASs from AS path. """ last_add = None new_seq = [] for x in seq: if last_add != x: last_add = x new_seq.append(x) is_loopy = False if len(set(seq)) != len(new_seq): is_loopy = True # raise Exception('Routing Loop: {}'.format(seq)) return (new_seq, is_loopy) @staticmethod def __clean_loops(seq: List[int]) -> List[int]: """ Static method that remove loops from AS path. """ # use inverse direction to clean loops in the path of the traffic seq_inv = seq[::-1] new_seq_inv = [] for x in seq_inv: if x not in new_seq_inv: new_seq_inv.append(x) else: x_index = new_seq_inv.index(x) new_seq_inv = new_seq_inv[: x_index + 1] return new_seq_inv[::-1] @staticmethod def __clean_as_path(path: List[int]) -> List[int]: """ Static wrapper method for loop and prepending removal. """ (clean_as_path, is_loopy) = Detection.Worker.__remove_prepending(path) if is_loopy: clean_as_path = Detection.Worker.__clean_loops(clean_as_path) return clean_as_path def __hijack_dimension_checker_gen(self) -> Callable: """ Generator that returns hijack dimension checking functions. """ yield self.__hijack_prefix_checker_gen yield self.__hijack_path_checker_gen yield self.__hijack_dplane_checker_gen yield self.__hijack_pol_checker_gen def __hijack_prefix_checker_gen(self) -> Callable: """ Generator that returns prefix dimension detection functions. """ yield self.detect_prefix_squatting_hijack yield self.detect_prefix_subprefix_hijack def __hijack_path_checker_gen(self, path_len: int) -> Callable: """ Generator that returns path dimension detection functions. """ if path_len > 0: yield self.detect_path_type_0_hijack if path_len > 1: yield self.detect_path_type_1_hijack if path_len > 2: yield self.detect_path_type_N_hijack yield self.detect_path_type_U_hijack def __hijack_dplane_checker_gen(self) -> Callable: """ Generator that returns data plane dimension detection functions. """ yield self.detect_dplane_blackholing_hijack yield self.detect_dplane_imposture_hijack yield self.detect_dplane_mitm_hijack def __hijack_pol_checker_gen(self, path_len: int) -> Callable: """ Generator that returns policy dimension detection functions. """ if path_len > 3: yield self.detect_pol_leak_hijack yield self.detect_pol_other_hijack @exception_handler(log) def detect_prefix_squatting_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> str: """ Squatting hijack detection. """ for item in prefix_node["data"]["confs"]: # check if there are origin_asns defined (even wildcards) if item["origin_asns"]: return "-" return "Q" @exception_handler(log) def detect_prefix_subprefix_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> str: """ Subprefix or exact prefix hijack detection. """ mon_prefix = ipaddress.ip_network(monitor_event["prefix"]) if ( ipaddress.ip_network(prefix_node["prefix"]).prefixlen < mon_prefix.prefixlen ): return "S" return "E" @exception_handler(log) def detect_path_type_0_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> Tuple[int, str]: """ Origin hijack detection. """ origin_asn = monitor_event["path"][-1] for item in prefix_node["data"]["confs"]: if origin_asn in item["origin_asns"] or item["origin_asns"] == [-1]: return (-1, "-") return (origin_asn, "0") @exception_handler(log) def detect_path_type_1_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> Tuple[int, str]: """ Type-1 hijack detection. """ origin_asn = monitor_event["path"][-1] first_neighbor_asn = monitor_event["path"][-2] for item in prefix_node["data"]["confs"]: # [] or [-1] neighbors means "allow everything" if ( origin_asn in item["origin_asns"] or item["origin_asns"] == [-1] ) and ( (not item["neighbors"]) or item["neighbors"] == [-1] or first_neighbor_asn in item["neighbors"] ): return (-1, "-") return (first_neighbor_asn, "1") @exception_handler(log) def detect_path_type_N_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> Tuple[int, str]: # Placeholder for type-N detection (not supported) return (-1, "-") @exception_handler(log) def detect_path_type_U_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> Tuple[int, str]: # Placeholder for type-U detection (not supported) return (-1, "-") @exception_handler(log) def detect_dplane_blackholing_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> str: # Placeholder for blackholing detection (not supported) return "-" @exception_handler(log) def detect_dplane_imposture_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> str: # Placeholder for imposture detection (not supported) return "-" @exception_handler(log) def detect_dplane_mitm_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> str: # Placeholder for mitm detection (not supported) return "-" @exception_handler(log) def detect_pol_leak_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> Tuple[int, str]: """ Route leak hijack detection """ for item in prefix_node["data"]["confs"]: if "no-export" in item["policies"]: return (monitor_event["path"][-2], "L") return (-1, "-") @exception_handler(log) def detect_pol_other_hijack( self, monitor_event: Dict, prefix_node: Dict, *args, **kwargs ) -> Tuple[int, str]: # Placeholder for policy violation detection (not supported) return (-1, "-") def commit_hijack( self, monitor_event: Dict, hijacker: int, hij_dimensions: List[str] ) -> NoReturn: """ Commit new or update an existing hijack to the database. It uses redis server to store ongoing hijacks information to not stress the db. """ hij_type = "|".join(hij_dimensions) redis_hijack_key = redis_key(monitor_event["prefix"], hijacker, hij_type) if "hij_key" in monitor_event: monitor_event["final_redis_hijack_key"] = redis_hijack_key hijack_value = { "prefix": monitor_event["prefix"], "hijack_as": hijacker, "type": hij_type, "time_started": monitor_event["timestamp"], "time_last": monitor_event["timestamp"], "peers_seen": {monitor_event["peer_asn"]}, "monitor_keys": {monitor_event["key"]}, "configured_prefix": monitor_event["matched_prefix"], "timestamp_of_config": self.timestamp, "end_tag": None, "outdated_parent": None, "rpki_status": "NA", } if ( RPKI_VALIDATOR_ENABLED == "true" and self.rtrmanager and monitor_event["path"] ): try: asn = monitor_event["path"][-1] if "/" in monitor_event["prefix"]: network, netmask = monitor_event["prefix"].split("/") # /32 or /128 else: ip_version = get_ip_version(monitor_event["prefix"]) network = monitor_event["prefix"] netmask = 32 if ip_version == "v6": netmask = 128 redis_rpki_asn_prefix_key = "rpki_as{}_p{}".format( asn, monitor_event["prefix"] ) redis_rpki_status = self.redis.get(redis_rpki_asn_prefix_key) if not redis_rpki_status: rpki_status = get_rpki_val_result( self.rtrmanager, asn, network, int(netmask) ) else: rpki_status = redis_rpki_status.decode() hijack_value["rpki_status"] = rpki_status # the default refresh interval for the RPKI RTR manager is 3600 seconds self.redis.set(redis_rpki_asn_prefix_key, rpki_status, ex=3600) except Exception: log.exception("exception") if ( "hij_key" in monitor_event and monitor_event["initial_redis_hijack_key"] != monitor_event["final_redis_hijack_key"] ): hijack_value["outdated_parent"] = monitor_event["hij_key"] # identify the number of infected ases hijack_value["asns_inf"] = set() if hij_dimensions[1] in {"0", "1"}: hijack_value["asns_inf"] = set( monitor_event["path"][: -(int(hij_dimensions[1]) + 1)] ) elif hij_dimensions[3] == "L": hijack_value["asns_inf"] = set(monitor_event["path"][:-2]) # assume the worst-case scenario of a type-2 hijack elif len(monitor_event["path"]) > 2: hijack_value["asns_inf"] = set(monitor_event["path"][:-3]) # make the following operation atomic using blpop (blocking) # first, make sure that the semaphore is initialized if self.redis.getset("{}token_active".format(redis_hijack_key), 1) != b"1": redis_pipeline = self.redis.pipeline() redis_pipeline.lpush("{}token".format(redis_hijack_key), "token") # lock, by extracting the token (other processes that access # it at the same time will be blocked) # attention: it is important that this command is batched in the # pipeline since the db may async delete # the token redis_pipeline.blpop("{}token".format(redis_hijack_key)) redis_pipeline.execute() else: # lock, by extracting the token (other processes that access it # at the same time will be blocked) token = self.redis.blpop("{}token".format(redis_hijack_key), timeout=60) # if timeout after 60 seconds, return without hijack alert # since this means that sth has been purged in the meanwhile (e.g., due to outdated hijack # in another instance; a detector cannot be stuck for a whole minute in a single hijack BGP update) if not token: log.info( "Monitor event {} encountered redis token timeout and will be cleared as benign for hijack {}".format( str(monitor_event), redis_hijack_key ) ) return # proceed now that we have clearance redis_pipeline = self.redis.pipeline() try: result = self.redis.get(redis_hijack_key) if result: result = json.loads(result) result["time_started"] = min( result["time_started"], hijack_value["time_started"] ) result["time_last"] = max( result["time_last"], hijack_value["time_last"] ) result["peers_seen"] = set(result["peers_seen"]) result["peers_seen"].update(hijack_value["peers_seen"]) result["asns_inf"] = set(result["asns_inf"]) result["asns_inf"].update(hijack_value["asns_inf"]) # no update since db already knows! result["monitor_keys"] = hijack_value["monitor_keys"] self.comm_annotate_hijack(monitor_event, result) result["outdated_parent"] = hijack_value["outdated_parent"] result["bgpupdate_keys"] = set(result["bgpupdate_keys"]) result["bgpupdate_keys"].add(monitor_event["key"]) result["rpki_status"] = hijack_value["rpki_status"] else: hijack_value["time_detected"] = time.time() hijack_value["key"] = get_hash( [ monitor_event["prefix"], hijacker, hij_type, "{0:.6f}".format(hijack_value["time_detected"]), ] ) hijack_value["bgpupdate_keys"] = {monitor_event["key"]} redis_pipeline.sadd("persistent-keys", hijack_value["key"]) result = hijack_value self.comm_annotate_hijack(monitor_event, result) mail_log.info( "{}".format( json.dumps(hijack_log_field_formatter(result), indent=4) ), extra={ "community_annotation": result.get( "community_annotation", "NA" ) }, ) redis_pipeline.set(redis_hijack_key, json.dumps(result)) # store the origin, neighbor combination for this hijack BGP update origin = None neighbor = None if monitor_event["path"]: origin = monitor_event["path"][-1] if len(monitor_event["path"]) > 1: neighbor = monitor_event["path"][-2] redis_pipeline.sadd( "hij_orig_neighb_{}".format(redis_hijack_key), "{}_{}".format(origin, neighbor), ) # store the prefix and peer ASN for this hijack BGP update redis_pipeline.sadd( "prefix_{}_peer_{}_hijacks".format( monitor_event["prefix"], monitor_event["peer_asn"] ), redis_hijack_key, ) redis_pipeline.sadd( "hijack_{}_prefixes_peers".format(redis_hijack_key), "{}_{}".format(monitor_event["prefix"], monitor_event["peer_asn"]), ) except Exception: log.exception("exception") finally: # execute whatever has been accumulated in redis till now redis_pipeline.execute() # publish hijack self.publish_hijack_fun(result, redis_hijack_key) hij_log.info( "{}".format(json.dumps(hijack_log_field_formatter(result))), extra={ "community_annotation": result.get("community_annotation", "NA") }, ) # unlock, by pushing back the token (at most one other process # waiting will be unlocked) redis_pipeline = self.redis.pipeline() redis_pipeline.set("{}token_active".format(redis_hijack_key), 1) redis_pipeline.lpush("{}token".format(redis_hijack_key), "token") redis_pipeline.execute() def mark_handled(self, monitor_event: Dict) -> NoReturn: """ Marks a bgp update as handled on the database. """ # log.debug('{}'.format(monitor_event['key'])) self.producer.publish( monitor_event["key"], exchange=self.handled_exchange, routing_key="update", priority=1, serializer="ujson", ) def mark_outdated(self, hij_key: str, redis_hij_key: str) -> NoReturn: """ Marks a hijack as outdated on the database. """ # log.debug('{}'.format(hij_key)) msg = {"persistent_hijack_key": hij_key, "redis_hijack_key": redis_hij_key} self.producer.publish( msg, exchange=self.hijack_exchange, routing_key="outdate", priority=1, serializer="ujson", ) def publish_hijack_result_production(self, result, redis_hijack_key): self.producer.publish( result, exchange=self.hijack_hashing, routing_key=redis_hijack_key, priority=0, serializer="ujson", ) def publish_hijack_result_test(self, result, redis_hijack_key): self.producer.publish( result, exchange=self.hijack_exchange, routing_key="update", priority=0, serializer="ujson", ) self.producer.publish( result, exchange=self.hijack_hashing, routing_key=redis_hijack_key, priority=0, serializer="ujson", ) def gen_implicit_withdrawal(self, monitor_event: Dict) -> NoReturn: """ Checks if a benign BGP update should trigger an implicit withdrawal """ # log.debug('{}'.format(monitor_event['key'])) prefix = monitor_event["prefix"] peer_asn = monitor_event["peer_asn"] if self.redis.exists("prefix_{}_peer_{}_hijacks".format(prefix, peer_asn)): # generate implicit withdrawal withdraw_msg = { "service": "implicit-withdrawal", "type": "W", "prefix": prefix, "path": [], "orig_path": {"triggering_bgp_update": monitor_event}, "communities": [], "timestamp": monitor_event["timestamp"] + 1, "peer_asn": peer_asn, } key_generator(withdraw_msg) self.producer.publish( withdraw_msg, exchange=self.update_exchange, routing_key="update", serializer="ujson", ) def comm_annotate_hijack(self, monitor_event: Dict, hijack: Dict) -> NoReturn: """ Annotates a hijack based on community checks (modifies "community_annotation" field in-place) """ try: if hijack.get("community_annotation", "NA") in [None, "", "NA"]: hijack["community_annotation"] = "NA" bgp_update_communities = set() for comm_as_value in monitor_event["communities"]: community = "{}:{}".format(comm_as_value[0], comm_as_value[1]) bgp_update_communities.add(community) ip_version = get_ip_version(monitor_event["prefix"]) if monitor_event["prefix"] in self.prefix_tree[ip_version]: prefix_node = self.prefix_tree[ip_version][monitor_event["prefix"]] for item in prefix_node["data"]["confs"]: annotations = [] for annotation_element in item.get("community_annotations", []): for annotation in annotation_element: annotations.append(annotation) for annotation_element in item.get("community_annotations", []): for annotation in annotation_element: for community_rule in annotation_element[annotation]: in_communities = set(community_rule.get("in", [])) out_communities = set(community_rule.get("out", [])) if ( in_communities <= bgp_update_communities and out_communities.isdisjoint( bgp_update_communities ) ): if hijack["community_annotation"] == "NA": hijack["community_annotation"] = annotation elif annotations.index( annotation ) < annotations.index( hijack["community_annotation"] ): hijack["community_annotation"] = annotation except Exception: log.exception("exception")
def test(self): """ Loads a test file that includes crafted bgp updates as input and expected messages as output. """ RABBITMQ_USER = os.getenv("RABBITMQ_USER", "guest") RABBITMQ_PASS = os.getenv("RABBITMQ_PASS", "guest") RABBITMQ_HOST = os.getenv("RABBITMQ_HOST", "rabbitmq") RABBITMQ_PORT = os.getenv("RABBITMQ_PORT", 5672) RABBITMQ_URI = "amqp://{}:{}@{}:{}//".format( RABBITMQ_USER, RABBITMQ_PASS, RABBITMQ_HOST, RABBITMQ_PORT ) RPKI_VALIDATOR_HOST = os.getenv("RPKI_VALIDATOR_HOST", "routinator") RPKI_VALIDATOR_PORT = os.getenv("RPKI_VALIDATOR_PORT", 3323) # check RPKI RTR manager connectivity while True: try: rtrmanager = RTRManager(RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT) rtrmanager.start() print( "Connected to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT ) ) rtrmanager.stop() break except Exception: print( "Could not connect to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT ) ) print("Retrying in 30 seconds...") time.sleep(30) # exchanges self.update_exchange = Exchange( "bgp-update", type="direct", durable=False, delivery_mode=1 ) self.hijack_exchange = Exchange( "hijack-update", type="direct", durable=False, delivery_mode=1 ) self.pg_amq_bridge = Exchange( "amq.direct", type="direct", durable=True, delivery_mode=1 ) # queues self.update_queue = Queue( "detection-testing", exchange=self.pg_amq_bridge, routing_key="update-update", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) self.hijack_queue = Queue( "hijack-testing", exchange=self.hijack_exchange, routing_key="update", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) self.hijack_db_queue = Queue( "hijack-db-testing", exchange=self.pg_amq_bridge, routing_key="hijack-update", durable=False, auto_delete=True, max_priority=1, consumer_arguments={"x-priority": 1}, ) with Connection(RABBITMQ_URI) as connection: # print("Waiting for pg_amq exchange..") # Tester.waitExchange(self.pg_amq_bridge, connection.default_channel) # print("Waiting for hijack exchange..") # Tester.waitExchange(self.hijack_exchange, connection.default_channel) # print("Waiting for update exchange..") # Tester.waitExchange(self.update_exchange, connection.default_channel) # wait for dependencies data workers to start wait_data_worker_dependencies(DATA_WORKER_DEPENDENCIES) while True: try: r = requests.get( "http://{}:{}/config".format(CONFIGURATION_HOST, REST_PORT) ) result = r.json() assert len(result) > 0 break except Exception: print("exception") time.sleep(1) time.sleep(1) for testfile in os.listdir("testfiles/"): self.clear() self.curr_test = testfile self.messages = {} # load test with open("testfiles/{}".format(testfile), "r") as f: self.messages = json.load(f) send_len = len(self.messages) with nested( connection.Consumer( self.hijack_queue, callbacks=[self.validate_message], accept=["ujson"], ), connection.Consumer( self.update_queue, callbacks=[self.validate_message], accept=["ujson", "txtjson"], ), connection.Consumer( self.hijack_db_queue, callbacks=[self.validate_message], accept=["ujson", "txtjson"], ), ): send_cnt = 0 # send and validate all messages in the messages.json file while send_cnt < send_len: self.curr_idx = send_cnt self.send_next_message(connection) send_cnt += 1 # sleep until we receive all expected messages while self.curr_idx != send_cnt: time.sleep(0.1) try: connection.drain_events(timeout=10) except socket.timeout: # avoid infinite loop by timeout assert False, "Consumer timeout"
class DetectionDataWorker(ConsumerProducerMixin): """ RabbitMQ Consumer/Producer for the detection Service. """ def __init__(self, connection: Connection, shared_memory_manager_dict: Dict) -> NoReturn: self.connection = connection self.shared_memory_manager_dict = shared_memory_manager_dict self.rtrmanager = None # wait for other needed data workers to start wait_data_worker_dependencies(DATA_WORKER_DEPENDENCIES) # EXCHANGES self.update_exchange = create_exchange("bgp-update", connection, declare=True) self.hijack_exchange = create_exchange("hijack-update", connection, declare=True) self.hijack_hashing = create_exchange("hijack-hashing", connection, "x-consistent-hash", declare=True) self.handled_exchange = create_exchange("handled-update", connection, declare=True) self.hijack_notification_exchange = create_exchange( "hijack-notification", connection, declare=True) self.command_exchange = create_exchange("command", connection, declare=True) # QUEUES self.update_queue = create_queue( SERVICE_NAME, exchange=self.update_exchange, routing_key="stored-update-with-prefix-node", priority=1, ) self.hijack_ongoing_queue = create_queue( SERVICE_NAME, exchange=self.hijack_exchange, routing_key="ongoing-with-prefix-node", priority=1, ) self.stop_queue = create_queue( "{}-{}".format(SERVICE_NAME, uuid()), exchange=self.command_exchange, routing_key="stop-{}".format(SERVICE_NAME), priority=1, ) setattr(self, "publish_hijack_fun", self.publish_hijack_result_production) if TEST_ENV == "true": setattr(self, "publish_hijack_fun", self.publish_hijack_result_test) self.redis = redis.Redis(host=REDIS_HOST, port=REDIS_PORT) ping_redis(self.redis) if RPKI_VALIDATOR_ENABLED == "true": from rtrlib import RTRManager while True: try: self.rtrmanager = RTRManager(RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT) self.rtrmanager.start() log.info("Connected to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT)) break except Exception: log.info( "Could not connect to RPKI VALIDATOR '{}:{}'".format( RPKI_VALIDATOR_HOST, RPKI_VALIDATOR_PORT)) log.info("Retrying RTR connection in 30 seconds...") time.sleep(30) log.info("data worker initiated") def get_consumers(self, Consumer: Consumer, channel: Connection) -> List[Consumer]: return [ Consumer( queues=[self.update_queue], on_message=self.handle_bgp_update, prefetch_count=100, accept=["ujson"], ), Consumer( queues=[self.hijack_ongoing_queue], on_message=self.handle_ongoing_hijacks, prefetch_count=10, accept=["ujson"], ), Consumer( queues=[self.stop_queue], on_message=self.stop_consumer_loop, prefetch_count=100, accept=["ujson"], ), ] def on_consume_ready(self, connection, channel, consumers, **kwargs): self.producer.publish( "", exchange=self.hijack_exchange, routing_key="ongoing-request", priority=1, serializer="ujson", ) def handle_ongoing_hijacks(self, message: Dict) -> NoReturn: """ Handles ongoing hijacks from the database. """ log.debug("{} ongoing hijack events".format(len(message.payload))) message.ack() for update in message.payload: self.handle_bgp_update(update) def handle_bgp_update(self, message: Dict) -> NoReturn: """ Callback function that runs the main logic of detecting hijacks for every bgp update. """ if isinstance(message, dict): monitor_event = message else: message.ack() monitor_event = message.payload monitor_event["path"] = monitor_event["as_path"] monitor_event["timestamp"] = datetime( *map(int, re.findall(r"\d+", monitor_event["timestamp"]))).timestamp() raw = monitor_event.copy() # mark the initial redis hijack key since it may change upon # outdated checks if "hij_key" in monitor_event: monitor_event["initial_redis_hijack_key"] = redis_key( monitor_event["prefix"], monitor_event["hijack_as"], monitor_event["hij_type"], ) is_hijack = False if monitor_event["type"] == "A": # save the original path as-is to preserve patterns (if needed) monitor_event["orig_path"] = monitor_event["path"][::] monitor_event["path"] = clean_as_path(monitor_event["path"]) if "prefix_node" in monitor_event: prefix_node = monitor_event["prefix_node"] monitor_event["matched_prefix"] = prefix_node["prefix"] final_hij_dimensions = [ "-", "-", "-", "-", ] # prefix, path, dplane, policy for prefix_node_conf in prefix_node["data"]["confs"]: try: path_hijacker = -1 pol_hijacker = -1 hij_dimensions = [ "-", "-", "-", "-", ] # prefix, path, dplane, policy hij_dimension_index = 0 for func_dim in self.__hijack_dimension_checker_gen(): if hij_dimension_index == 0: # prefix dimension for func_pref in func_dim(): hij_dimensions[ hij_dimension_index] = func_pref( monitor_event, prefix_node, prefix_node_conf) if hij_dimensions[ hij_dimension_index] != "-": break elif hij_dimension_index == 1: # path type dimension for func_path in func_dim( len(monitor_event["path"])): ( path_hijacker, hij_dimensions[hij_dimension_index], ) = func_path(monitor_event, prefix_node, prefix_node_conf) if hij_dimensions[ hij_dimension_index] != "-": break elif hij_dimension_index == 2: # data plane dimension for func_dplane in func_dim(): hij_dimensions[ hij_dimension_index] = func_dplane( monitor_event, prefix_node, prefix_node_conf) if hij_dimensions[ hij_dimension_index] != "-": break elif hij_dimension_index == 3: # policy dimension for func_pol in func_dim( len(monitor_event["path"])): ( pol_hijacker, hij_dimensions[hij_dimension_index], ) = func_pol(monitor_event, prefix_node, prefix_node_conf) if hij_dimensions[ hij_dimension_index] != "-": break hij_dimension_index += 1 # check if dimension combination in hijack combinations for this rule, # but do not commit hijack yet (record the last possible hijack issue) if hij_dimensions in HIJACK_DIM_COMBINATIONS: final_hij_dimensions = hij_dimensions[::] is_hijack = True # show pol hijacker only if the path hijacker is uncertain hijacker = path_hijacker if path_hijacker == -1 and pol_hijacker != -1: hijacker = pol_hijacker # benign rule matching beats hijack detection else: is_hijack = False break except Exception: log.exception("exception") if is_hijack: try: hij_dimensions = final_hij_dimensions self.commit_hijack(monitor_event, hijacker, hij_dimensions) except Exception: log.exception("exception") else: if "hij_key" not in monitor_event: log.error("unconfigured BGP update received '{}'".format( monitor_event)) else: is_hijack = False outdated_hijack = None if not is_hijack and "hij_key" in monitor_event: try: # outdated hijack, benign from now on redis_hijack_key = redis_key( monitor_event["prefix"], monitor_event["hijack_as"], monitor_event["hij_type"], ) outdated_hijack = self.redis.get(redis_hijack_key) purge_redis_eph_pers_keys(self.redis, redis_hijack_key, monitor_event["hij_key"]) # mark in DB only if it is the first time this hijack was purged (pre-existent in redis) if outdated_hijack: self.mark_outdated(monitor_event["hij_key"], redis_hijack_key) except Exception: log.exception("exception") elif (is_hijack and "hij_key" in monitor_event and monitor_event["initial_redis_hijack_key"] != monitor_event["final_redis_hijack_key"]): try: outdated_hijack = self.redis.get( monitor_event["initial_redis_hijack_key"]) # outdated hijack, but still a hijack; need key change purge_redis_eph_pers_keys( self.redis, monitor_event["initial_redis_hijack_key"], monitor_event["hij_key"], ) # mark in DB only if it is the first time this hijack was purged (pre-existsent in redis) if outdated_hijack: self.mark_outdated( monitor_event["hij_key"], monitor_event["initial_redis_hijack_key"], ) except Exception: log.exception("exception") elif not is_hijack: self.gen_implicit_withdrawal(monitor_event) self.mark_handled(raw) if outdated_hijack: try: outdated_hijack = classic_json.loads( outdated_hijack.decode("utf-8")) outdated_hijack["end_tag"] = "outdated" self.producer.publish( outdated_hijack, exchange=self.hijack_notification_exchange, routing_key="mail-log", retry=False, priority=1, serializer="ujson", ) self.producer.publish( outdated_hijack, exchange=self.hijack_notification_exchange, routing_key="hij-log", retry=False, priority=1, serializer="ujson", ) except Exception: log.exception("exception") elif monitor_event["type"] == "W": self.producer.publish( { "prefix": monitor_event["prefix"], "peer_asn": monitor_event["peer_asn"], "timestamp": monitor_event["timestamp"], "key": monitor_event["key"], }, exchange=self.update_exchange, routing_key="withdraw", priority=0, serializer="ujson", ) def __hijack_dimension_checker_gen(self) -> Callable: """ Generator that returns hijack dimension checking functions. """ yield self.__hijack_prefix_checker_gen yield self.__hijack_path_checker_gen yield self.__hijack_dplane_checker_gen yield self.__hijack_pol_checker_gen def __hijack_prefix_checker_gen(self) -> Callable: """ Generator that returns prefix dimension detection functions. """ yield self.detect_prefix_squatting_hijack yield self.detect_prefix_subprefix_hijack def __hijack_path_checker_gen(self, path_len: int) -> Callable: """ Generator that returns path dimension detection functions. """ if path_len > 0: yield self.detect_path_type_0_hijack if path_len > 1: yield self.detect_path_type_1_hijack yield self.detect_path_type_P_hijack if path_len > 2: yield self.detect_path_type_N_hijack yield self.detect_path_type_U_hijack def __hijack_dplane_checker_gen(self) -> Callable: """ Generator that returns data plane dimension detection functions. """ yield self.detect_dplane_blackholing_hijack yield self.detect_dplane_imposture_hijack yield self.detect_dplane_mitm_hijack def __hijack_pol_checker_gen(self, path_len: int) -> Callable: """ Generator that returns policy dimension detection functions. """ if path_len > 3: yield self.detect_pol_leak_hijack yield self.detect_pol_other_hijack @exception_handler(log) def detect_prefix_squatting_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> str: """ Squatting hijack detection. """ # check if there are origin_asns defined (even wildcards) if prefix_node_conf["origin_asns"]: return "-" return "Q" @exception_handler(log) def detect_prefix_subprefix_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> str: """ Subprefix or exact prefix hijack detection. """ mon_prefix = ipaddress.ip_network(monitor_event["prefix"]) if ipaddress.ip_network( prefix_node["prefix"]).prefixlen < mon_prefix.prefixlen: return "S" return "E" @exception_handler(log) def detect_path_type_0_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> Tuple[int, str]: """ Origin hijack detection. """ origin_asn = monitor_event["path"][-1] if origin_asn in prefix_node_conf["origin_asns"] or prefix_node_conf[ "origin_asns"] == [-1]: return -1, "-" return origin_asn, "0" @exception_handler(log) def detect_path_type_1_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> Tuple[int, str]: """ Type-1 hijack detection. """ origin_asn = monitor_event["path"][-1] first_neighbor_asn = monitor_event["path"][-2] # [] or [-1] neighbors means "allow everything" if (origin_asn in prefix_node_conf["origin_asns"] or prefix_node_conf["origin_asns"] == [-1]) and ( (not prefix_node_conf["neighbors"]) or prefix_node_conf["neighbors"] == [-1] or first_neighbor_asn in prefix_node_conf["neighbors"]): return -1, "-" return first_neighbor_asn, "1" @exception_handler(log) def detect_path_type_P_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> Tuple[int, str]: """ Type-P hijack detection. In case there is a type-P hijack (i.e. no pattern matches an incoming BGP update), it returns a tuple with the potential hijacker AS plus the hijack type (P). The potential hijacker is the first AS that differs in the most specific (best matching) pattern, starting from the origin AS. """ if "orig_path" not in monitor_event: return -1, "-" orig_path = monitor_event["orig_path"] pattern_matched = False pattern_hijacker = -1 best_match_length = 0 if len(prefix_node_conf["prepend_seq"]) > 0: for conf_seq in prefix_node_conf["prepend_seq"]: if len(orig_path) >= len(conf_seq) + 1: # isolate the monitor event pattern that # should be matched to the configured pattern # (excluding the origin which is the very first hop # of the incoming AS-path) monitor_event_seq = orig_path[len(orig_path) - len(conf_seq) - 1:-1] if monitor_event_seq == conf_seq: # patterns match, break (no hijack of type P) pattern_matched = True break else: # calculate the actual differences in the current pattern; # this creates a list of elements with values 0 on matched # elements and !0 otherwise pattern_diffs = [ observed_as - conf_as for observed_as, conf_as in zip( monitor_event_seq, conf_seq) ] this_best_match_length = 0 # after reversing the pattern difference sequence (i.e., start with # origin), find the greatest length of consecutive 0s (i.e., non-differences/matches) for diff in pattern_diffs[::-1]: if diff == 0: # match found, continue increasing the best match length this_best_match_length += 1 else: # first difference, break here and register the length break # update the best matching length for all patterns found till now best_match_length = max(best_match_length, this_best_match_length) # no hijack (either pattern matching achieved or no configured pattern provided) if len(prefix_node_conf["prepend_seq"]) == 0 or pattern_matched: return -1, "-" # the hijacker is the first AS that breaks the most specific (best matching) pattern pattern_hijacker = orig_path[len(orig_path) - best_match_length - 2] return pattern_hijacker, "P" @exception_handler(log) def detect_path_type_N_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> Tuple[int, str]: # Placeholder for type-N detection (not supported) return -1, "-" @exception_handler(log) def detect_path_type_U_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> Tuple[int, str]: # Placeholder for type-U detection (not supported) return -1, "-" @exception_handler(log) def detect_dplane_blackholing_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> str: # Placeholder for blackholing detection (not supported) return "-" @exception_handler(log) def detect_dplane_imposture_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> str: # Placeholder for imposture detection (not supported) return "-" @exception_handler(log) def detect_dplane_mitm_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> str: # Placeholder for mitm detection (not supported) return "-" @exception_handler(log) def detect_pol_leak_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> Tuple[int, str]: """ Route leak hijack detection """ if "no-export" in prefix_node_conf["policies"]: return monitor_event["path"][-2], "L" return -1, "-" @exception_handler(log) def detect_pol_other_hijack(self, monitor_event: Dict, prefix_node: Dict, prefix_node_conf: Dict, *args, **kwargs) -> Tuple[int, str]: # Placeholder for policy violation detection (not supported) return -1, "-" def commit_hijack(self, monitor_event: Dict, hijacker: int, hij_dimensions: List[str]) -> NoReturn: """ Commit new or update an existing hijack to the database. It uses redis server to store ongoing hijacks information to not stress the db. """ hij_type = "|".join(hij_dimensions) redis_hijack_key = redis_key(monitor_event["prefix"], hijacker, hij_type) if "hij_key" in monitor_event: monitor_event["final_redis_hijack_key"] = redis_hijack_key hijack_value = { "prefix": monitor_event["prefix"], "hijack_as": hijacker, "type": hij_type, "time_started": monitor_event["timestamp"], "time_last": monitor_event["timestamp"], "peers_seen": {monitor_event["peer_asn"]}, "monitor_keys": {monitor_event["key"]}, "configured_prefix": monitor_event["matched_prefix"], "timestamp_of_config": monitor_event["prefix_node"]["timestamp"], "end_tag": None, "outdated_parent": None, "rpki_status": "NA", } if (RPKI_VALIDATOR_ENABLED == "true" and self.rtrmanager and monitor_event["path"]): try: asn = monitor_event["path"][-1] if "/" in monitor_event["prefix"]: network, netmask = monitor_event["prefix"].split("/") # /32 or /128 else: ip_version = get_ip_version(monitor_event["prefix"]) network = monitor_event["prefix"] netmask = 32 if ip_version == "v6": netmask = 128 redis_rpki_asn_prefix_key = "rpki_as{}_p{}".format( asn, monitor_event["prefix"]) redis_rpki_status = self.redis.get(redis_rpki_asn_prefix_key) if not redis_rpki_status: rpki_status = get_rpki_val_result(self.rtrmanager, asn, network, int(netmask)) else: rpki_status = redis_rpki_status.decode("utf-8") hijack_value["rpki_status"] = rpki_status # the default refresh interval for the RPKI RTR manager is 3600 seconds self.redis.set(redis_rpki_asn_prefix_key, rpki_status, ex=3600) except Exception: log.exception("exception") if ("hij_key" in monitor_event and monitor_event["initial_redis_hijack_key"] != monitor_event["final_redis_hijack_key"]): hijack_value["outdated_parent"] = monitor_event["hij_key"] # identify the number of infected ases hijack_value["asns_inf"] = set() if hij_dimensions[1] in {"0", "1"}: hijack_value["asns_inf"] = set( monitor_event["path"][:-(int(hij_dimensions[1]) + 1)]) elif hij_dimensions[3] == "L": hijack_value["asns_inf"] = set(monitor_event["path"][:-2]) # assume the worst-case scenario of a type-2 hijack elif len(monitor_event["path"]) > 2: hijack_value["asns_inf"] = set(monitor_event["path"][:-3]) # make the following operation atomic using blpop (blocking) # first, make sure that the semaphore is initialized if self.redis.getset("{}token_active".format(redis_hijack_key), 1) != b"1": redis_pipeline = self.redis.pipeline() redis_pipeline.lpush("{}token".format(redis_hijack_key), "token") # lock, by extracting the token (other processes that access # it at the same time will be blocked) # attention: it is important that this command is batched in the # pipeline since the db may async delete # the token redis_pipeline.blpop("{}token".format(redis_hijack_key)) redis_pipeline.execute() else: # lock, by extracting the token (other processes that access it # at the same time will be blocked) token = self.redis.blpop("{}token".format(redis_hijack_key), timeout=60) # if timeout after 60 seconds, return without hijack alert # since this means that sth has been purged in the meanwhile (e.g., due to outdated hijack # in another instance; a detector cannot be stuck for a whole minute in a single hijack BGP update) if not token: log.info( "Monitor event {} encountered redis token timeout and will be cleared as benign for hijack {}" .format(str(monitor_event), redis_hijack_key)) return # proceed now that we have clearance redis_pipeline = self.redis.pipeline() try: result = self.redis.get(redis_hijack_key) if result: result = classic_json.loads(result.decode("utf-8")) result["time_started"] = min(result["time_started"], hijack_value["time_started"]) result["time_last"] = max(result["time_last"], hijack_value["time_last"]) result["peers_seen"] = set(result["peers_seen"]) result["peers_seen"].update(hijack_value["peers_seen"]) result["asns_inf"] = set(result["asns_inf"]) result["asns_inf"].update(hijack_value["asns_inf"]) # no update since db already knows! result["monitor_keys"] = hijack_value["monitor_keys"] self.comm_annotate_hijack(monitor_event, result) result["outdated_parent"] = hijack_value["outdated_parent"] result["bgpupdate_keys"] = set(result["bgpupdate_keys"]) result["bgpupdate_keys"].add(monitor_event["key"]) result["rpki_status"] = hijack_value["rpki_status"] else: hijack_value["time_detected"] = time.time() hijack_value["key"] = get_hash([ monitor_event["prefix"], hijacker, hij_type, "{0:.6f}".format(hijack_value["time_detected"]), ]) hijack_value["bgpupdate_keys"] = {monitor_event["key"]} redis_pipeline.sadd("persistent-keys", hijack_value["key"]) result = hijack_value self.comm_annotate_hijack(monitor_event, result) self.producer.publish( result, exchange=self.hijack_notification_exchange, routing_key="mail-log", retry=False, priority=1, serializer="ujson", ) redis_pipeline.set(redis_hijack_key, json.dumps(result)) # store the origin, neighbor combination for this hijack BGP update origin = None neighbor = None if monitor_event["path"]: origin = monitor_event["path"][-1] if len(monitor_event["path"]) > 1: neighbor = monitor_event["path"][-2] redis_pipeline.sadd( "hij_orig_neighb_{}".format(redis_hijack_key), "{}_{}".format(origin, neighbor), ) # store the prefix and peer ASN for this hijack BGP update redis_pipeline.sadd( "prefix_{}_peer_{}_hijacks".format(monitor_event["prefix"], monitor_event["peer_asn"]), redis_hijack_key, ) redis_pipeline.sadd( "hijack_{}_prefixes_peers".format(redis_hijack_key), "{}_{}".format(monitor_event["prefix"], monitor_event["peer_asn"]), ) except Exception: log.exception("exception") finally: # execute whatever has been accumulated in redis till now redis_pipeline.execute() # publish hijack self.publish_hijack_fun(result, redis_hijack_key) self.producer.publish( result, exchange=self.hijack_notification_exchange, routing_key="hij-log", retry=False, priority=1, serializer="ujson", ) # unlock, by pushing back the token (at most one other process # waiting will be unlocked) redis_pipeline = self.redis.pipeline() redis_pipeline.set("{}token_active".format(redis_hijack_key), 1) redis_pipeline.lpush("{}token".format(redis_hijack_key), "token") redis_pipeline.execute() def mark_handled(self, monitor_event: Dict) -> NoReturn: """ Marks a bgp update as handled on the database. """ # log.debug('{}'.format(monitor_event['key'])) self.producer.publish( monitor_event["key"], exchange=self.handled_exchange, routing_key="update", priority=1, serializer="ujson", ) def mark_outdated(self, hij_key: str, redis_hij_key: str) -> NoReturn: """ Marks a hijack as outdated on the database. """ # log.debug('{}'.format(hij_key)) msg = { "persistent_hijack_key": hij_key, "redis_hijack_key": redis_hij_key } self.producer.publish( msg, exchange=self.hijack_exchange, routing_key="outdate", priority=1, serializer="ujson", ) def publish_hijack_result_production(self, result, redis_hijack_key): self.producer.publish( result, exchange=self.hijack_hashing, routing_key=redis_hijack_key, priority=0, serializer="ujson", ) def publish_hijack_result_test(self, result, redis_hijack_key): self.producer.publish( result, exchange=self.hijack_exchange, routing_key="update", priority=0, serializer="ujson", ) self.producer.publish( result, exchange=self.hijack_hashing, routing_key=redis_hijack_key, priority=0, serializer="ujson", ) def gen_implicit_withdrawal(self, monitor_event: Dict) -> NoReturn: """ Checks if a benign BGP update should trigger an implicit withdrawal """ # log.debug('{}'.format(monitor_event['key'])) prefix = monitor_event["prefix"] super_prefix = ipaddress.ip_network(prefix).supernet() peer_asn = monitor_event["peer_asn"] # if the the update's prefix matched exactly or is directly more specific than an originally hijacked prefix if self.redis.exists("prefix_{}_peer_{}_hijacks".format( prefix, peer_asn)) or self.redis.exists( "prefix_{}_peer_{}_hijacks".format(super_prefix, peer_asn)): # generate implicit withdrawal withdraw_msg = { "service": "implicit-withdrawal", "type": "W", "prefix": prefix, "path": [], "orig_path": { "triggering_bgp_update": monitor_event }, "communities": [], "timestamp": monitor_event["timestamp"] + 1, "peer_asn": peer_asn, } if not self.redis.exists("prefix_{}_peer_{}_hijacks".format( prefix, peer_asn)) and self.redis.exists( "prefix_{}_peer_{}_hijacks".format( super_prefix, peer_asn)): withdraw_msg["prefix"] = str(super_prefix) key_generator(withdraw_msg) self.producer.publish( withdraw_msg, exchange=self.update_exchange, routing_key="update", serializer="ujson", ) def comm_annotate_hijack(self, monitor_event: Dict, hijack: Dict) -> NoReturn: """ Annotates a hijack based on community checks (modifies "community_annotation" field in-place) """ try: if hijack.get("community_annotation", "NA") in [None, "", "NA"]: hijack["community_annotation"] = "NA" bgp_update_communities = set() for comm_as_value in monitor_event["communities"]: community = "{}:{}".format(comm_as_value[0], comm_as_value[1]) bgp_update_communities.add(community) if "prefix_node" in monitor_event: prefix_node = monitor_event["prefix_node"] for item in prefix_node["data"]["confs"]: annotations = [] for annotation_element in item.get("community_annotations", []): for annotation in annotation_element: annotations.append(annotation) for annotation_element in item.get("community_annotations", []): for annotation in annotation_element: for community_rule in annotation_element[ annotation]: in_communities = set( community_rule.get("in", [])) out_communities = set( community_rule.get("out", [])) if (in_communities <= bgp_update_communities and out_communities.isdisjoint( bgp_update_communities)): if hijack["community_annotation"] == "NA": hijack[ "community_annotation"] = annotation elif annotations.index( annotation) < annotations.index( hijack["community_annotation"] ): hijack[ "community_annotation"] = annotation else: log.error("unconfigured BGP update received '{}'".format( monitor_event)) except Exception: log.exception("exception") def stop_consumer_loop(self, message: Dict) -> NoReturn: """ Callback function that stop the current consumer loop """ message.ack() self.should_stop = True
class BGPTest(object): def __init__(self, route_collector="rrc00", rpki_validator="rpki-validator.realmv6.org:8282"): self.rc = route_collector rpki = rpki_validator.split(":") self.mgr = RTRManager(rpki[0], rpki[1]) # self._start_rtr_manager() self.stream = BGPStream() self.rec = BGPRecord() def _start_rtr_manager(self): self.mgr.start() while not self.mgr.is_synced(): sleep(0.2) if status.error: print("Connection error") exit() def start_stream(self, start_time=None, end_time=0, route_collector=""): """ Starts the """ if route_collector == "": route_collector = self.rc self.stream.add_filter('collector', route_collector) self.stream.add_filter('record-type', 'ribs') if (start_time is None) or not isinstance(start_time, datetime): start_time = datetime.utcnow() if isinstance(end_time, datetime): end = int(end_time.strftime("%s")) else: end = 0 start = int(datetime.utcnow().strftime("%s")) print(start) self.stream.add_interval_filter(start, 0) # print('Start stream with', start_time, end_time) self.stream.start() def get_records(self): while(self.stream.get_next_record(self.rec)): # Print the self.record information only if it is not a valid self.record if self.rec.status != "valid": pass else: elem = self.rec.get_next_elem() while(elem): # Print self.record and elem information print(self.rec.project, self.rec.collector, self.rec.type, self.rec.time, self.rec.status) print(elem.type, elem.peer_address, elem.peer_asn, elem.fields) # prefix = elem.fields["prefix"].split('/') # result = mgr.validate((int) elem.fields["as-path"].split(" ")[-1], prefix[0], prefix[1]) elem = self.rec.get_next_elem() print("done.")
from rtrlib import RTRManager, PfxvState def callback(pfx_record, data): print(pfx_record) mgr = RTRManager('rpki-validator.realmv6.org', 8282) mgr.start() result = mgr.validate(55803, '223.25.52.0', 23) mgr.for_each_ipv4_record(callback, None) mgr.stop() print('\n--', result)
class BGPLocalAggregator(object): """docstring for BGPDataAggregator""" def __init__(self, filters={'collector': ['rrc00']}, rpki_validator="rpki-validator.realmv6.org:8282", db="metasnap.db"): self.stream = BGPStream( '/Users/mx/Projects/Uni/bgp-group/bgp_dump.txt') self.filters = filters self.route_table = dict() self.i = 0 self.metadata_vp = dict() self.metadata_rc = dict() self.peers = Counter() self.prefix4 = Counter() self.prefix6 = Counter() start_timestamp = get_push_timestamp(datetime.now(timezone.utc)) # for filter_type, filter_array in filters.items(): # for filter_value in filter_array: # self.stream.add_filter(filter_type, filter_value) for collector in filters['collector']: self.route_table[collector] = defaultdict(dict) self.metadata_vp[collector] = defaultdict(list) self.metadata_rc[collector] = defaultdict(int) self.peers[collector] = defaultdict(int) self.prefix4[collector] = defaultdict(int) self.prefix6[collector] = defaultdict(int) # self.db = DBConnector(db, read_only=False) rpki = rpki_validator.split(":") self.mgr = RTRManager(rpki[0], rpki[1]) self.mgr.start() self.start_collecting(start_timestamp, start_timestamp) def __del__(self): if self.mgr.is_synced(): self.mgr.stop() def start_collecting(self, start_timestamp, end_timestamp=0): # self.stream.add_interval_filter(start_timestamp, end_timestamp) print("Start BGPStream:", start_timestamp, end_timestamp) self.stream.start() rec = self.stream.get_next_record() while (rec): if rec.status == "valid": # self.i += 1 # if self.i % 1000000 == 0: # print(self.i // 1000000, end=' ') elem = rec.get_next_elem() while (elem): origin_asn = "" if elem.type is 'R' or elem.type is 'A': origin_asn = elem.fields['as-path'].split(' ')[-1] try: origin_asn = int(origin_asn) except ValueError: elem = rec.get_next_elem() continue prefix = elem.fields['prefix'] ip, mask_len = split_prefix(prefix) # Check if v4 or v6 is_v4 = check_ipv4(ip) validated = self.mgr.validate(origin_asn, ip, mask_len) old_elem = self.route_table[rec.collector][( elem.peer_asn, elem.peer_address)].get(prefix) if elem.type is 'R' or elem.type is 'A': self.route_table[rec.collector][( elem.peer_asn, elem.peer_address)][prefix] = Route( origin_asn, rec.collector, prefix, is_v4, validated.state.value) if old_elem: if old_elem.type != validated.state.value: """Make use of the fact that: 0: valid in enum 1: unknown in enum 2: invalid in enum We designed the namedtuple the way to represent that. So valid is a pos 3 and so on. """ self.metadata_vp[rec.collector][elem.peer_asn][ 3 + old_elem.type] -= 1 self.metadata_vp[rec.collector][elem.peer_asn][ 3 + validated.state] += 1 else: if not self.metadata_vp[rec.collector].get( elem.peer_asn): """Init the metadata-entry if it not exists already""" self.metadata_vp[rec.collector][elem.peer_asn] = \ [elem.peer_asn, rec.collector, rec.time, 0, 0, 0] # Update the VantagePoint Metadate the same way like above. self.metadata_vp[rec.collector][elem.peer_asn][ 3 + validated.state.value] += 1 self.metadata_vp[rec.collector][ elem.peer_asn][2] = rec.time self.peers[rec.collector][elem.peer_asn] += 1 if is_v4: self.prefix4[rec.collector][prefix] += 1 else: self.prefix6[rec.collector][prefix] += 1 elif elem.type is 'W': if old_elem: # Reduce the number of IPv4/v6 Addresses for this prefix if is_v4: self.prefix4[rec.collector][prefix] -= 1 if self.prefix4[rec.collector][prefix] == 0: del (self.prefix4[rec.collector][prefix]) else: self.prefix6[rec.collector][prefix] -= 1 if self.prefix6[rec.collector][prefix] == 0: del (self.prefix4[rec.collector][prefix]) # Reduce number of prefixes belonging to this ASN self.peers[rec.collector][elem.peer_asn] -= 1 if self.peers[rec.collector][elem.peer_asn] == 0: del (self.prefix4[rec.collector][prefix]) # Update the metadata valid/unknown/invalid count self.metadata_vp[rec.collector][elem.peer_asn][ 3 + old_elem.type] -= 1 # Update the metadata timestamp self.metadata_vp[rec.collector][ elem.peer_asn][2] = rec.time # Remove the entry from the route_table self.route_table[rec.collector][( elem.peer_asn, elem.peer_address)].pop(prefix, None) else: ##!TODO: write log about that! pass elem = rec.get_next_elem() rec = self.stream.get_next_record()
class BGPDataAggregator(object): """docstring for BGPDataAggregator""" def __init__( self, filters={"collector": ["rrc00"]}, rpki_validator="rpki-validator.realmv6.org:8282", settings_file="../settings.json", ): self.stream = BGPStream() self.filters = filters self.route_table = dict() self.i = 0 self.metadata_vp = dict() self.metadata_rc = dict() self.peers = Counter() self.prefix4 = Counter() self.prefix6 = Counter() start_timestamp = get_push_timestamp(datetime.now(timezone.utc)) for filter_type, filter_array in filters.items(): for filter_value in filter_array: self.stream.add_filter(filter_type, filter_value) for collector in filters["collector"]: self.route_table[collector] = defaultdict(dict) self.metadata_vp[collector] = defaultdict(list) self.metadata_rc[collector] = RouteCollectorMeta(None, 0, 0, 0, 0) self.peers[collector] = defaultdict(int) self.prefix4[collector] = defaultdict(int) self.prefix6[collector] = defaultdict(int) settings = get_settings(settings_file) settings["db"]["password"] = os.environ["PGPASS"] self.db = DBConnector(settings["db"]) rpki = rpki_validator.split(":") self.mgr = RTRManager(rpki[0], rpki[1]) self.mgr.start() self.start_collecting(start_timestamp) def __del__(self): if self.mgr.is_synced(): self.mgr.stop() def push_data(self, timestamp): print("UPDATE:", timestamp) self.db.update_vp_meta(self.metadata_vp) for rc in self.metadata_rc.keys(): self.metadata_rc[rc] = RouteCollectorMeta( rc, timestamp, len(self.peers[rc].keys()), len(self.prefix4[rc]), len(self.prefix6[rc]), ) self.db.update_rc_meta(self.metadata_rc) def start_collecting(self, start_timestamp, end_timestamp=0): self.stream.add_interval_filter(start_timestamp, end_timestamp) print("Start BGPStream:", start_timestamp, end_timestamp) next_timestamp = init_next_timestamp(start_timestamp, 5) print("Next Push to DB at:", next_timestamp) self.stream.start() rec = BGPRecord() while (self.stream.get_next_record(rec)): if rec.status == "valid": if rec.time >= next_timestamp: self.push_data(next_timestamp) next_timestamp += 300 elem = rec.get_next_elem() while elem: origin_asn = "" if elem.type is "R" or elem.type is "A": origin_asn = elem.fields["as-path"].split(" ")[-1] try: origin_asn = int(origin_asn) except ValueError: elem = rec.get_next_elem() continue prefix = elem.fields["prefix"] ip, mask_len = split_prefix(prefix) # Check if v4 or v6 is_v4 = check_ipv4(ip) validated = self.mgr.validate(origin_asn, ip, mask_len) old_elem = self.route_table[rec.collector][( elem.peer_asn, elem.peer_address)].get(prefix) if elem.type is "R" or elem.type is "A": self.route_table[rec.collector][( elem.peer_asn, elem.peer_address)][prefix] = Route( origin_asn, rec.collector, prefix, is_v4, validated.state.value, ) if old_elem: if old_elem.type != validated.state.value: """Make use of the fact that: 0: valid in enum 1: unknown in enum 2: invalid in enum We designed the namedtuple the way to represent that. So valid is a pos 3 and so on. """ self.metadata_vp[rec.collector][( elem.peer_asn, elem.peer_address)][4 + old_elem.type] -= 1 self.metadata_vp[rec.collector][( elem.peer_asn, elem.peer_address )][4 + validated.state.value] += 1 else: if not self.metadata_vp[rec.collector].get( (elem.peer_asn, elem.peer_address)): """Init the metadata-entry if it not exists already""" self.metadata_vp[rec.collector][( elem.peer_asn, elem.peer_address)] = [ elem.peer_asn, elem.peer_address, rec.collector, next_timestamp, 0, 0, 0, ] # Update the VantagePoint Metadate the same way like above. self.metadata_vp[rec.collector][( elem.peer_asn, elem.peer_address)][4 + validated.state.value] += 1 self.metadata_vp[rec.collector][( elem.peer_asn, elem.peer_address)][3] = next_timestamp self.peers[rec.collector][elem.peer_asn] += 1 if is_v4: self.prefix4[rec.collector][prefix] += 1 else: self.prefix6[rec.collector][prefix] += 1 elif elem.type is "W": if old_elem: # Reduce the number of IPv4/v6 Addresses for this prefix if is_v4: self.prefix4[rec.collector][prefix] -= 1 if self.prefix4[rec.collector][prefix] == 0: del (self.prefix4[rec.collector][prefix]) else: self.prefix6[rec.collector][prefix] -= 1 if self.prefix6[rec.collector][prefix] == 0: del (self.prefix6[rec.collector][prefix]) # Reduce number of prefixes belonging to this ASN self.peers[rec.collector][elem.peer_asn] -= 1 if self.peers[rec.collector][elem.peer_asn] == 0: del (self.peers[rec.collector][elem.peer_asn]) # Update the metadata valid/unknown/invalid count self.metadata_vp[rec.collector][( elem.peer_asn, elem.peer_address)][4 + old_elem.type] -= 1 # Update the metadata timestamp self.metadata_vp[rec.collector][( elem.peer_asn, elem.peer_address)][3] = next_timestamp # Remove the entry from the route_table self.route_table[rec.collector][( elem.peer_asn, elem.peer_address)].pop(prefix, None) else: # !!TODO: write log about that! pass elem = rec.get_next_elem()
class BGPCounter(object): """docstring for BGPDataAggregator""" def __init__(self, filters={'collector': ['rrc00']}, rpki_validator="rpki-validator.realmv6.org:8282", db="metasnap.db"): self.stream = BGPStream() self.filters = filters self.route_table = dict() self.i = 0 for filter_type, filter_array in filters.items(): for filter_value in filter_array: self.stream.add_filter(filter_type, filter_value) for collector in filters['collector']: self.route_table[collector] = defaultdict(dict) # self.db = DBConnector(db, read_only=False) rpki = rpki_validator.split(":") self.mgr = RTRManager(rpki[0], rpki[1]) self.mgr.start() self.counter = Counter() start_timestamp = self.get_push_timestamp(datetime.now(timezone.utc)) # self.start_collecting(start_timestamp, int(datetime.now(timezone.utc).strftime("%s"))) self.start_collecting(start_timestamp, start_timestamp) def __del__(self): if self.mgr.is_synced(): self.mgr.stop() def get_push_timestamp(self, start_time): hours = [0, 8, 16, 24] # get closest push for i in range(0, len(hours)): if hours[i + 1] > start_time.hour: break start_time = start_time.replace(hour=hours[i], minute=0, second=0, microsecond=0) return int(start_time.timestamp()) def start_collecting(self, start_timestamp, end_timestamp=0): self.stream.add_interval_filter(start_timestamp, end_timestamp) print("Start BGPStream:", start_timestamp, end_timestamp) self.stream.start() rec = BGPRecord() act_dump = "unknown" while (self.stream.get_next_record(rec)): self.i += 1 if self.i % 10000 == 0: print(self.i) if rec.status == "valid": if (act_dump != rec.dump_position): act_dump = rec.dump_position print('Dump Position:', rec.dump_position) elem = rec.get_next_elem() while (elem): self.counter.update(elem.type) elem = rec.get_next_elem() print(self.counter)
class BGPStats(object): """docstring for bgpStats""" def __init__(self, route_collector="rrc00", rpki_validator="rpki-validator.realmv6.org:8282"): self.rc = route_collector rpki = rpki_validator.split(":") self.mgr = RTRManager(rpki[0], rpki[1]) # self._start_rtr_manager() self.stream = BGPStream() self.rec = BGPRecord() def _start_rtr_manager(self): self.mgr.start() def start_stream(self, start_time=None, end_time=0, route_collector=""): """ Starts the """ hours = [0, 8, 16, 24] if route_collector == "": route_collector = self.rc self.stream.add_filter('collector', route_collector) # self.stream.add_filter('record-type', 'ribs') if (start_time is None) or not isinstance(start_time, datetime): start_time = datetime.utcnow() if isinstance(end_time, datetime): end = int(end_time.strftime("%s")) else: end = 0 # get closest push for i in range(0, len(hours)): if hours[i + 1] > start_time.hour: break start_time = start_time.replace(hour=12, minute=0, second=0, microsecond=0) yesterday = 1527163200 start = int(start_time.strftime("%s")) self.stream.add_interval_filter(1527163200, 1527183200) print('Start stream with', start_time, end_time) self.stream.start() def get_records(self): print("get_records:") while (self.stream.get_next_record(self.rec)): # Print the self.record information only if it is not a valid self.record if self.rec.status == "valid": # print('--', self.rec.project, self.rec.collector, # self.rec.type, self.rec.time, self.rec.status, '--') elem = self.rec.get_next_elem() while (elem): if elem.type is 'R' or elem.type is 'A': asn = elem.fields['as-path'].split(' ')[-1] try: asn = int(asn) except ValueError: elem = self.rec.get_next_elem() continue asn = int(elem.fields['as-path'].split(' ')[-1]) prefix = ipaddress.ip_interface(elem.fields['prefix']) ip = prefix.ip.compressed mask_len = int(prefix.with_prefixlen.split('/')[1]) validated = self.mgr.validate(asn, ip, mask_len) if validated.is_valid: print(validated) elif elem.type is 'W': pass # print("Withdrawal:", elem.peer_address, elem.peer_asn, elem.fields) elif elem.type is 'S': print("Peerstate:", elem.peer_address, elem.peer_asn, elem.fields) else: print("Unknown:", elem.peer_address, elem.peer_asn, elem.fields) elem = self.rec.get_next_elem() # print('\n') print("done.")