CAIR: Using Formal Languages to Study Routing, Leaking, and Interception in BGP

TL;DR

This paper introduces CAIR, a formal language-based framework for modeling and analyzing BGP routing policies, enabling real-time detection of route leaks and interception attacks with high efficiency.

Contribution

CAIR provides a novel formal language approach to represent BGP routes, allowing for incremental automata construction and effective detection of routing anomalies.

Findings

Successfully detects route leaks and interception attacks.

Efficient real-time monitoring of BGP path changes.

Analyzed seven years of public BGP data.

Abstract

The Internet routing protocol BGP expresses topological reachability and policy-based decisions simultaneously in path vectors. A complete view on the Internet backbone routing is given by the collection of all valid routes, which is infeasible to obtain due to information hiding of BGP, the lack of omnipresent collection points, and data complexity. Commonly, graph-based data models are used to represent the Internet topology from a given set of BGP routing tables but fall short of explaining policy contexts. As a consequence, routing anomalies such as route leaks and interception attacks cannot be explained with graphs. In this paper, we use formal languages to represent the global routing system in a rigorous model. Our CAIR framework translates BGP announcements into a finite route language that allows for the incremental construction of minimal route automata. CAIR preserves route diversity, is highly efficient, and well-suited to monitor BGP path changes in real-time. We formally derive implementable search patterns for route leaks and interception attacks. In contrast to the state-of-the-art, we can detect these incidents. In practical experiments, we analyze public BGP data over the last seven years.