# Auto-Mitigation

We include a Proof of Concept (PoC) implementation of a mitigation setup to be used with ARTEMIS.
The folder with the needed scripts and configurations is here.

We include a script that receives the information of the hijack (id + prefix) and, upon execution, advertises the two sub-prefixes (halves) of the hijacked prefix, i.e. it performs deaggregation.
## PoC Setup architecture

```
----------------          -------------              -------------
| ExaBGP Monitor |        | MONITOR AS  |            | EXTERNAL AS |
| AS65001        |  eBGP  | AS65003     |    eBGP    | AS65004     |
| exa            | ------ | r03 (goBGP) | ---------- | r04 (goBGP) |
| 1.1.1.11       |        | 1.1.1.13    |            | 1.1.1.14    |
----------------          -------------              -------------
        |            eBGP |                          | eBGP
     ARTEMIS --------------------------              |
        |                 |                          |
--------------            --------------             --------------
| ExaBGP Deagg |          | PEER AS      |           | HIJACKER AS  |
| AS65002      |  eBGP    | AS65005      |   eBGP    | AS65006      |
| exa          | -------- | r05 (goBGP)  | --------- | r06 (goBGP)  |
| 1.1.1.12     |          | 1.1.1.15     |           | 1.1.1.16     |
--------------            --------------             --------------
```
## Hijack mitigation steps

- AS65002 legitimately announces prefix 192.168.0.0/16.
- The hijacker AS (AS65006) announces prefix 192.168.0.0/16, whose legitimate origin is AS65002.
- ARTEMIS detects the hijack using its feed from AS65003, received via the ExaBGP monitor.
- ARTEMIS mitigates the hijack (triggered by the user's mitigation action) by deaggregating the hijacked prefix and announcing the new BGP updates via the PEER AS (AS65005).
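As an added example (not the project's own `poc_mitigate_deaggregate.py`), the following Python script shows the deaggregation step described above: it parses the hijack information, computes the two halves of the hijacked prefix, and formats the ExaBGP API commands that would announce them (or withdraw them, for an un-mitigate action). It assumes the hijack information arrives as a JSON object with `key` and `prefix` fields, and that the deaggregator ExaBGP container announces with next-hop 1.1.1.12 (the address from the diagram). It goes beyond the page in two ways: it also handles IPv6, and it refuses to split a prefix when the halves would be /25 (IPv4) or /49 (IPv6) or longer, since most networks filter such prefixes and the mitigation would then have no effect.

```python
"""Added example, not ARTEMIS' poc_mitigate_deaggregate.py.

Computes the deaggregated sub-prefixes for a hijacked prefix and builds the
ExaBGP API commands that would announce (or withdraw) them.
Assumptions: the hijack info is a JSON object with "key" and "prefix"
fields, and the commands are fed to ExaBGP's API on stdin.
"""
import ipaddress
import json
import sys

# Longest prefix we are willing to split. Splitting a /24 (IPv4) or /48 (IPv6)
# yields /25s or /49s, which most networks filter, so the mitigation would
# never propagate.
MAX_DEAGG_PREFIXLEN = {4: 23, 6: 47}


def deaggregate(prefix: str):
    """Return the two halves of `prefix` as strings.

    Raises ValueError if the prefix is malformed or if splitting it would
    produce sub-prefixes too long to be accepted by most networks.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    limit = MAX_DEAGG_PREFIXLEN[net.version]
    if net.prefixlen > limit:
        raise ValueError(
            f"{net} is /{net.prefixlen}; its halves would be "
            f"/{net.prefixlen + 1}, longer than the /{limit + 1} limit most "
            "networks accept")
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def exabgp_commands(subnets, next_hop: str, action: str = "announce"):
    """Build ExaBGP API text commands for the given sub-prefixes.

    `action` is "announce" (mitigate) or "withdraw" (un-mitigate).
    """
    if action not in ("announce", "withdraw"):
        raise ValueError(f"unsupported action: {action}")
    return [f"{action} route {sub} next-hop {next_hop}" for sub in subnets]


def handle_hijack(hijack_json: str, next_hop: str, action: str = "announce"):
    """Parse the hijack info and return (hijack_key, exabgp_commands)."""
    info = json.loads(hijack_json)
    subnets = deaggregate(info["prefix"])
    return info["key"], exabgp_commands(subnets, next_hop, action)


if __name__ == "__main__":
    # Constructed sample input mirroring the PoC scenario on this page.
    sample = json.dumps({"key": "example-hijack-key",
                         "prefix": "192.168.0.0/16"})
    key, cmds = handle_hijack(sample, next_hop="1.1.1.12")
    # In a real deployment these lines are written to ExaBGP's stdin.
    for cmd in cmds:
        sys.stdout.write(cmd + "\n")
```

Running the script prints the two `announce route ... next-hop 1.1.1.12` lines for 192.168.0.0/17 and 192.168.128.0/17; the same function with `action="withdraw"` produces the commands an un-mitigate action would need.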
## How to run PoC

1. In `docker-compose.yaml`, edit the volumes to point to the PoC's files:

   ```yaml
   version: '3.4'
   services:
     ...
     configuration:
       ...
       volumes:
         ...
         - ./poc_mitigate_deaggregate/configs/artemis/:/etc/artemis/
         - ./poc_mitigate_deaggregate/poc_mitigate_deaggregate.py:/root/poc_mitigate_deaggregate.py
         ...
     ...
     fileobserver:
       ...
       volumes:
         ...
         - ./poc_mitigate_deaggregate/configs/artemis/:/etc/artemis/
         ...
     mitigation:
       ...
       volumes:
         ...
         - ./poc_mitigate_deaggregate/poc_mitigate_deaggregate.py:/root/poc_mitigate_deaggregate.py
         ...
   ```

2. Run the following command and check the ARTEMIS UI:

   ```
   docker-compose -f docker-compose.yaml -f docker-compose.pocmitigatedeaggregate.yaml up -d
   ```

3. Connect to `r06` and announce the hijacked prefix:

   ```
   docker-compose -f docker-compose.yaml -f docker-compose.pocmitigatedeaggregate.yaml exec r06 sh
   gobgp global rib add 192.168.0.0/16
   ```

4. Observe the hijack in ARTEMIS and initiate the mitigation action. You can optionally invoke the `un-mitigate` action to stop the mitigation (not implemented in the PoC script).
## How to run in production (to be tested)

If you want to run this in production, you can adjust `poc_mitigate_deaggregate.py` and `docker-compose.pocmitigatedeaggregate.yaml` as needed. The following steps are required:

1. Adjust `poc_mitigate_deaggregate.py` so that it applies the mitigation you actually want.

2. In `docker-compose.yaml`, edit the volumes to point to the mitigation file:

   ```yaml
   version: '3.4'
   services:
     ...
     configuration:
       ...
       volumes:
         ...
         - ./poc_mitigate_deaggregate/poc_mitigate_deaggregate.py:/root/poc_mitigate_deaggregate.py
         ...
     ...
     mitigation:
       ...
       volumes:
         ...
         - ./poc_mitigate_deaggregate/poc_mitigate_deaggregate.py:/root/poc_mitigate_deaggregate.py
         ...
   ```

3. Edit the ExaBGP configuration files according to your router setup. Note that the `monitor` is passive (it receives updates from routers), while the `routecommander` is active (it sends updates to routers).

4. Adjust `docker-compose.pocmitigatedeaggregate.yaml` so that it maps to your setup (networking, keeping only the ExaBGP containers, etc.).

5. Start ARTEMIS with the new microservices:

   ```
   docker-compose -f docker-compose.yaml -f docker-compose.pocmitigatedeaggregate.yaml up -d
   ```

6. Edit your ARTEMIS configuration file as needed, pointing the rule's `mitigation` field at the script:

   ```yaml
   rules:
     - prefixes:
         ...
       origin_asns:
         ...
       neighbors:
         ...
       mitigation: "/root/poc_mitigate_deaggregate.py"
   ```
## Notes

Feedback is more than welcome; feel free to expand this section!