New Data Source, Feedback Loop Enhance MANRS Observatory

The MANRS Observatory monitors Internet routing security by aggregating data from trusted sources into a user-friendly dashboard to help network operators improve the security of their networks. We are constantly improving the MANRS Observatory based on your feedback, and today we are proud to announce two new features that increase the quality of routing incident detection and the calculation of related MANRS readiness metrics.

The MANRS community requested public MANRS Readiness scores for implemented Actions so that everyone can see how well a network adheres to their declared commitments. The main challenge to these scores is a still-high level of false positives (when a legitimate BGP announcement is marked as a routing incident) and false negatives (when a routing incident is not detected by the Observatory).

But it’s very difficult to detect an incident without knowing the intent, exact relationships between the networks, their topology, and operational practices. Several tools allow a network to monitor whether its prefixes become subject to a routing incident, but they don’t provide all the background information required. Detecting an incident without that information is based on heuristics, historical analysis, and additional data sources such as RPKI, IRR, blacklists, and network relationship databases. Further, there is no strong business case for using such tools. Because of this, data sources with reliable data on global routing incidents are hard to find.
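To make the role of one such data source concrete, here is an added example (not code from the MANRS Observatory, BGPStream or GRIP) that applies RPKI route origin validation as defined in RFC 6811 to a few announcements. The ROAs, prefixes and AS numbers are constructed from documentation ranges, and the `triage` labels are hypothetical.

```python
import ipaddress

# Constructed ROAs: (prefix, max length, authorized origin AS).
ROAS = [
    ("192.0.2.0/24", 24, 64500),
    ("198.51.100.0/24", 24, 64501),
    ("2001:db8::/32", 48, 64500),
]

def validate_origin(prefix, origin_as, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa_prefix, max_len, roa_as in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        # A ROA covers the route if the route is equal to or inside its prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A covering ROA matches only if origin and length limit both agree.
        if roa_as == origin_as and route.prefixlen <= max_len:
            return "valid"
    return "invalid" if covered else "not-found"

# Hypothetical triage labels: what a detector can conclude from RPKI alone.
ACTIONS = {
    "valid": "ignore",
    "invalid": "candidate incident",      # may still be a stale ROA (false positive)
    "not-found": "needs other signals",   # RPKI is silent (possible false negative)
}

def triage(announcements, roas=ROAS):
    """Map each (prefix, origin AS) pair to a triage label."""
    return {a: ACTIONS[validate_origin(a[0], a[1], roas)] for a in announcements}

# Constructed announcements.
SAMPLE = [
    ("192.0.2.0/24", 64500),     # authorized origin
    ("192.0.2.0/24", 64511),     # covered, wrong origin
    ("192.0.2.0/25", 64500),     # right origin, more specific than max length
    ("2001:db8:1::/48", 64500),  # within max length of the /32 ROA
    ("203.0.113.0/24", 64502),   # no covering ROA
]

if __name__ == "__main__":
    for announcement, action in triage(SAMPLE).items():
        print(announcement, "->", action)
```

The last sample shows why RPKI alone is not enough: with no covering ROA the check says nothing about whether the origin is legitimate, so other signals have to decide.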

New Feature: GRIP Data

The MANRS Observatory uses BGPStream, based on the BGPmon tool, but we were also looking for additional data sources that, in combination, will help us achieve a higher level of confidence in the data we use for MANRS Readiness scores. This moment has come, and today we have added another source on routing mis-originations – the Global Routing Intelligence Platform (GRIP).

Developed by Alberto Dainotti and his team at CAIDA, GRIP’s goal is to identify BGP security incidents (including sophisticated prefix hijacking attacks) and misconfigurations. The system monitors the global routing system, identifies events of interest, and applies informational tags based on heuristics that leverage auxiliary databases (e.g., AS2Org, economic AS relationships, blacklists) and topological properties of each event. The system then augments our knowledge of the event with data-plane measurements (traceroutes) towards the affected network prefixes. These measurements are executed while the event is still occurring, thus providing a combination of control- and data-plane data. Leveraging the information acquired, the system attempts to perform an overall inference about the nature of each event (BGP hijacking, “fat finger” AS path prepending, etc.) and provides visualization interfaces that help analysts and operators gain further insight into the event.

Because information from the two data sources – BGPStream and GRIP – is difficult to combine, the new release of the MANRS Observatory features a toggle switch allowing users to select a data source. At the same time, in the detailed reports we present information from both sources, allowing users to compare the data and get a more informative picture of how their networks operate.

Figure 1. A toggle switch allows users to select which data source to use for routing mis-origination incidents (route hijacks).
Figure 2. A detailed report now offers a feature to validate routing incidents, indicating whether they are valid or a false positive.

New Feature: Feedback Loop

Also in today’s new release of the MANRS Observatory is the ability to validate data and provide user feedback.

For each of the routing mis-origination incidents (route hijacks) you’ll see a small icon with a comment box, opening a dialog to respond to that incident. Once feedback is provided, the icon will change.

Figure 3. A dialog for providing feedback about an incident.

Providing this feedback is very valuable and will allow us to implement controls to reduce the number of false positives. Please help us to further improve the quality of data in the Observatory.

Currently, the feature is running in ‘information gathering’ mode. We will collect your feedback and analyze it with the aim of improving data controls, but it won’t affect the scores you get based on the selected data source. More insight will allow us to sensibly combine data from multiple sources and discard mistakenly identified incidents, so the scores can be calculated with a higher degree of confidence.

If you are using this tool, please let us know what you think about these features. If you have suggestions on how to improve the tool further – please let us know, too! Drop us a note at [email protected], or post a question or suggestion on the MANRS community mailing list.

Check out the MANRS Observatory.
