The author selected the COVID-19 Relief Fund to receive a donation as part of the Write for DOnations program.
BGP (Border Gateway Protocol) is one of the core protocols responsible for routing packets across the internet, so when it goes wrong, significant outages can occur. For example, in 2019 a small ISP introduced a BGP misconfiguration that unfortunately propagated upstream and took large parts of Cloudflare and AWS offline for over an hour. A year earlier, a BGP hijack was used to intercept traffic destined for a well-known cryptocurrency wallet provider and steal funds from unsuspecting customers.
BGPalerter is an open-source BGP network monitoring tool that can provide real-time alerts on BGP activity, including route visibility and new route announcements, as well as potentially nefarious activity such as route hijacks or route leaks.
Note: BGPalerter automatically ingests publicly available network routing information, so it needs no privileged access to, or integration with, the network(s) that you wish to monitor. Monitoring of this kind is fully compliant with the Computer Misuse Act, Computer Fraud and Abuse Act, and other similar laws. However, it is recommended that you responsibly disclose any relevant findings to the affected network operator.
In this tutorial, you’ll install and configure BGPalerter to monitor your important networks for potentially suspicious activity.
To complete this tutorial, you will need:
An Ubuntu 18.04 server set up by following the Initial Server Setup with Ubuntu 18.04, including a sudo non-root user.
One or more networks or devices that you wish to monitor. For each device or network you'll need to identify either the individual IP address, the IP address range, or the Autonomous System (AS) number that it is part of. This is covered in Step 1.
Once you have these ready, log in to your server as your non-root user to begin.
In this step, you will identify the relevant details of the networks that you want to monitor.
BGPalerter can monitor based on individual IP addresses or network prefixes. It can also monitor entire networks based on their Autonomous System (AS) number, which is a globally unique identifier for a network owned by a particular administrative entity.
In order to find this information, you can use the IP-to-ASN WHOIS lookup service provided by threat intelligence service Team Cymru. This is a custom WHOIS server designed for looking up IP address and network routing information.
If you don't already have whois installed, you can install it using the following commands:
sudo apt update
sudo apt install whois
Once you've confirmed that whois is installed, begin by performing a lookup for the IP address of your own server, using the -h argument to specify a custom WHOIS server:
whois -h whois.cymru.com your-ip-address
This will output a result similar to the following, which shows the AS name and number that your server is a part of. This will usually be the AS of your server hosting provider, for example, DigitalOcean.
Output
AS | IP | AS Name
14061 | your-ip-address | DIGITALOCEAN-ASN, US
Next, you can perform a lookup to identify the network prefix/range that your server is a part of. You do this by adding the -p argument to your request (the quoting is required so that the flag is passed to the Cymru server rather than interpreted by your local whois client):
whois -h whois.cymru.com " -p your-ip-address"
The output will be very similar to the previous command, but will now show the IP address prefix that the IP address of your server belongs to:
Output
AS | IP | BGP Prefix | AS Name
14061 | your-ip-address | 157.230.80.0/20 | DIGITALOCEAN-ASN, US
Finally, you can look up further details of the AS that your server is a part of, including the geographic region and allocation date.
Substitute in the AS number that you identified using the previous commands. Use the -v argument to enable verbose output, which ensures that all relevant details are shown:
whois -h whois.cymru.com " -v as14061"
The output will show further information about the AS:
Output
AS | CC | Registry | Allocated | AS Name
14061 | US | arin | 2012-09-25 | DIGITALOCEAN-ASN, US
You’ve identified key details about the network(s) that you wish to monitor. Keep a note of these details somewhere, as you’ll need them later on. Next, you’ll begin the setup of BGPalerter.
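The lookups above produce exactly the three facts BGPalerter needs (host address, covering BGP prefix, origin AS). The following added example, which is not code from the original tutorial or from BGPalerter, parses the pipe-separated output of the " -p" lookup and writes it out in the prefixes.yml layout used later in this tutorial. It also performs one sanity check a practitioner wants before trusting a lookup: that the returned BGP prefix actually contains the address. SAMPLE_OUTPUT is constructed here in the page's output format using documentation address ranges; it is not a real lookup result.

```python
"""Build a BGPalerter prefixes.yml from Team Cymru IP-to-ASN lookup output.

Added example; this is not code from the original tutorial or from BGPalerter.
Feed it the text printed by `whois -h whois.cymru.com " -p ADDRESS"` (one or
many rows) and it emits entries in the layout shown in Step 3. SAMPLE_OUTPUT is
constructed here to mirror the page's output format; its addresses are
documentation ranges, not real lookups.
"""
import ipaddress

# Constructed sample in the " -p" output format shown on the page (not a real lookup).
SAMPLE_OUTPUT = """\
AS      | IP               | BGP Prefix          | AS Name
14061   | 157.230.83.7     | 157.230.80.0/20     | DIGITALOCEAN-ASN, US
14061   | 157.230.90.2     | 157.230.80.0/20     | DIGITALOCEAN-ASN, US
64496   | 2001:db8:1::10   | 2001:db8::/32       | EXAMPLE-NET, ZZ
NA      | 192.0.2.1        | NA                  | NA
"""


def parse_cymru(text):
    """Parse pipe-separated Cymru rows into dicts, skipping the header and
    rows for addresses that are not routed (Cymru prints 'NA' for those)."""
    records = []
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) < 4 or not cols[0].isdigit() or cols[2] == "NA":
            continue
        addr = ipaddress.ip_address(cols[1])
        net = ipaddress.ip_network(cols[2], strict=False)
        # Sanity check: the BGP prefix returned must actually contain the address.
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
        records.append({"asn": int(cols[0]), "ip": addr, "prefix": net, "name": cols[3]})
    return records


def host_prefix(addr):
    """Single addresses are written as /32 (IPv4) or /128 (IPv6) in prefixes.yml."""
    return f"{addr}/{addr.max_prefixlen}"


def build_prefixes_yml(records, group="default"):
    """Emit prefixes.yml text: one entry per host address, one per covering
    prefix (deduplicated), then the options.monitorASns block."""
    lines, seen, asns = [], set(), []
    for r in records:
        entries = [
            (host_prefix(r["ip"]), f"Host {r['ip']}"),
            (str(r["prefix"]), f"Prefix covering {r['ip']} ({r['name']})"),
        ]
        for key, desc in entries:
            if key in seen:
                continue
            seen.add(key)
            lines += [
                f"{key}:",
                f"  description: {desc}",
                "  asn:",
                f"    - {r['asn']}",
                "  ignoreMorespecifics: false",
                "",
            ]
        if r["asn"] not in asns:
            asns.append(r["asn"])
    lines += ["options:", "  monitorASns:"]
    for asn in asns:
        lines += [f"    '{asn}':", f"      group: {group}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_prefixes_yml(parse_cymru(SAMPLE_OUTPUT)), end="")
```

Pipe real lookup output through it with something like `whois -h whois.cymru.com " -p your-ip-address" | python3 cymru_to_prefixes.py > ~/prefixes.yml` after swapping SAMPLE_OUTPUT for sys.stdin.read(); the script name is an assumption. Review the generated descriptions before using the file, since they are only placeholders.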
In this step, you will create a new non-privileged user account for BGPalerter, as the program doesn’t need to run with sudo/root privileges.
Firstly, create a new user with a disabled password:
sudo adduser --disabled-password bgpalerter
You do not need to set up a password or SSH keys, as you’ll use this user only as a service account for running/maintaining BGPalerter.
Log in to the new user using su:
sudo su bgpalerter
You’ll now be logged in as the new user:
bgpalerter@droplet:/home/user$
Use the cd command to move to the home directory of your new user:
bgpalerter@droplet:/home/user$ cd
bgpalerter@droplet:~$
You’ve created a new non-privileged user for BGPalerter. Next, you will install and configure BGPalerter on your system.
In this step, you will install and configure BGPalerter. Make sure that you’re still logged in as your new non-privileged user.
Firstly, you need to identify the latest release of BGPalerter, in order to ensure that you download the most up-to-date version. Browse to the BGPalerter Releases page and take a copy of the download link for the most recent Linux x64 release.
You can now download a copy of BGPalerter using wget, making sure to substitute in the correct download link:
wget https://github.com/nttgin/BGPalerter/releases/download/v1.24.0/bgpalerter-linux-x64
Once the file has finished downloading, mark it as executable:
chmod +x bgpalerter-linux-x64
Next, check that BGPalerter has been downloaded and installed successfully by checking the version number:
./bgpalerter-linux-x64 --version
This will output the current version number:
Output
1.24.0
Before you can run BGPalerter properly, you'll need to define the networks that you wish to monitor within a configuration file. Create and open the prefixes.yml file in your favourite text editor, for example:
nano ~/prefixes.yml
In this config file, you’ll specify each of the individual IP addresses, IP address ranges, and AS numbers that you want to monitor.
Add the following example and adjust the configuration values as required by using the network information that you identified in Step 1:
your-ip-address/32:
  description: My Server
  asn:
    - 14061
  ignoreMorespecifics: false

157.230.80.0/20:
  description: IP range for my Server
  asn:
    - 14061
  ignoreMorespecifics: false

options:
  monitorASns:
    '14061':
      group: default
You can monitor as many IP address ranges or AS numbers as you want. To monitor individual IP addresses, represent them using /32 for IPv4 and /128 for IPv6.
The ignoreMorespecifics value controls whether BGPalerter should ignore activity for routes that are more specific (smaller) than the one you're monitoring. For example, if you're monitoring a /20 and a routing change is detected for a /24 within it, that /24 is considered more specific. In most cases you don't want to ignore these: announcing a more-specific prefix is the usual way an attacker wins the longest-prefix match and diverts traffic, so setting this to true hides exactly the sub-prefix hijacks covered later in this tutorial. If you are monitoring a large network with multiple delegated customer prefixes, however, it may help to reduce background noise.
You can now run BGPalerter for the first time in order to begin monitoring your networks:
./bgpalerter-linux-x64
If BGPalerter starts successfully, you’ll see output similar to the following. Note that it can sometimes take a few minutes for the monitoring to begin:
Output
Impossible to load config.yml. A default configuration file has been generated.
BGPalerter, version: 1.24.0 environment: production
Loaded config: /home/bgpalerter/config.yml
Monitoring 157.230.80.0/20
Monitoring your-ip-address/32
Monitoring AS 14061
BGPalerter will continue to run until you stop it using Ctrl+C.
In the next step, you will interpret some of the alerts that BGPalerter can generate.
In this step, you will review some example BGPalerter alerts. BGPalerter will output alerts to the main output feed, and also optionally to any additional reporting endpoints that can be configured within config.yml, as described in the BGPalerter documentation.
By default, BGPalerter monitors and alerts on the following:
Route hijacks: occur when an AS announces a prefix that it is not authorised to originate, causing traffic to be routed to the wrong network. This could be either a deliberate attack or an accidental configuration error.
Loss of route visibility: A route is considered visible when a majority of BGP routers on the internet are able to reliably route to it. Loss of visibility refers to your network potentially being unavailable, for example if your BGP peering has stopped working.
New sub-prefix announcements: occur when an AS begins announcing a prefix that is more specific (smaller) than what is expected. This could be indicative of an intended configuration change, an accidental misconfiguration, or in some cases an attack.
Activity within your AS: will usually refer to new route announcements. A route is considered “new” if BGPalerter doesn’t yet know about it.
Following are some example alerts, along with a short description of their meaning:
The prefix 203.0.113.0/24 is announced by AS64496 instead of AS65540
This alert shows evidence of a route hijack: AS64496 has announced 203.0.113.0/24 when that prefix is expected to be originated by AS65540. This is a strong indicator either of a misconfiguration at AS64496 that accidentally originates your prefix, or of a deliberate hijack by an attacker. In both cases, traffic for the prefix can be diverted away from your network.
The prefix 203.0.113.0/24 has been withdrawn. It is no longer visible from 6 peers
This alert shows that the 203.0.113.0/24 network is no longer visible. This could be because of an upstream routing issue, or because a router has suffered a power failure.
A new prefix 203.0.113.0/25 is announced by AS64496. It should be instead 203.0.113.0/24 announced by AS64496
This alert shows that a more-specific prefix has been announced where it is not anticipated, for example by announcing a /25 when only a /24 is expected. This is most likely a misconfiguration, however in some cases it could be evidence of a route hijack.
AS64496 is announcing 192.0.2.0/24 but this prefix is not in the configured list of announced prefixes
Finally, this alert shows that AS64496 has announced a prefix that BGPalerter does not yet know about. This could be because you are legitimately announcing a new prefix, or it could be indicative of a misconfiguration resulting in you accidentally announcing a prefix owned by someone else.
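Reading these alerts one by one is fine on a console, but once they are forwarded anywhere you want them ranked. The following added example, which is not code from BGPalerter or the original tutorial, parses the four alert message shapes quoted above (the wording is taken from the page; the regular expressions and the severity scale are this example's own choices) and adds the check the page leaves implicit for sub-prefix alerts: whether the more-specific route comes from the expected origin AS (probable configuration change) or from a different AS (the longest-prefix-match hijack pattern). SAMPLE_ALERTS is constructed here from documentation prefixes and ASNs and includes one extra foreign-origin sub-prefix alert in the same format.

```python
"""Triage BGPalerter alert lines into structured, severity-ranked events.

Added example; not code from BGPalerter or the original tutorial. The regexes
match the alert wording shown on the page; the severity scale and the
origin-AS comparison for sub-prefix alerts are this example's own choices.
SAMPLE_ALERTS is constructed from documentation prefixes and ASNs.
"""
import ipaddress
import re

PATTERNS = {
    "hijack": re.compile(
        r"The prefix (?P<prefix>\S+) is announced by AS(?P<seen>\d+) instead of AS(?P<expected>\d+)"
    ),
    "visibility": re.compile(
        r"The prefix (?P<prefix>\S+) has been withdrawn\. It is no longer visible from (?P<peers>\d+) peers"
    ),
    "subprefix": re.compile(
        r"A new prefix (?P<prefix>\S+) is announced by AS(?P<seen>\d+)\. "
        r"It should be instead (?P<parent>\S+) announced by AS(?P<expected>\d+)"
    ),
    "newprefix": re.compile(
        r"AS(?P<seen>\d+) is announcing (?P<prefix>\S+) but this prefix is not in the configured list"
    ),
}

# Ranking used by triage(); lower number means look at it first.
RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}

# Constructed alert lines: the four from the page plus a sub-prefix from a foreign AS.
SAMPLE_ALERTS = [
    "The prefix 203.0.113.0/24 is announced by AS64496 instead of AS65540",
    "The prefix 203.0.113.0/24 has been withdrawn. It is no longer visible from 6 peers",
    "A new prefix 203.0.113.0/25 is announced by AS64496. It should be instead 203.0.113.0/24 announced by AS64496",
    "AS64496 is announcing 192.0.2.0/24 but this prefix is not in the configured list of announced prefixes",
    "A new prefix 203.0.113.128/25 is announced by AS64511. It should be instead 203.0.113.0/24 announced by AS64496",
]


def classify(line):
    """Return (kind, captured fields) for a known alert shape, or (None, {})."""
    for kind, rx in PATTERNS.items():
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None, {}


def assess(line):
    """Turn one alert line into an event dict with kind, severity and reason."""
    kind, f = classify(line)
    ev = {"kind": kind or "unknown", "severity": "info", "line": line,
          "prefix": f.get("prefix"), "reason": "unrecognised alert format"}
    if kind == "hijack":
        ev.update(severity="critical",
                  reason=f"origin AS{f['seen']} differs from expected AS{f['expected']}")
    elif kind == "visibility":
        ev.update(severity="high", peers=int(f["peers"]),
                  reason=f"withdrawn; no longer seen by {f['peers']} route-collector peers")
    elif kind == "subprefix":
        child = ipaddress.ip_network(f["prefix"], strict=False)
        parent = ipaddress.ip_network(f["parent"], strict=False)
        # A more-specific from a different AS beats your own route at every router
        # that receives it (longest prefix match), so treat it as a hijack until
        # proven otherwise. The same AS announcing it is usually a config change.
        if f["seen"] != f["expected"]:
            ev.update(severity="critical",
                      reason=f"more-specific {child} originated by AS{f['seen']}, not the expected AS{f['expected']}")
        else:
            ev.update(severity="medium",
                      reason=f"more-specific {child} of {parent} from own AS{f['seen']}; confirm it is intended")
        ev["covered"] = child.version == parent.version and child.subnet_of(parent)
    elif kind == "newprefix":
        ev.update(severity="medium",
                  reason=f"AS{f['seen']} originating a prefix missing from prefixes.yml; confirm it is yours")
    return ev


def triage(lines):
    """Assess every line and return the events, most severe first (stable order within a level)."""
    return sorted((assess(l) for l in lines), key=lambda e: RANK[e["severity"]])


if __name__ == "__main__":
    for ev in triage(SAMPLE_ALERTS):
        print(f"[{ev['severity']:8}] {ev['kind']:10} {ev['reason']}")
```

The "covered" flag is worth keeping in real use: if BGPalerter ever reports a sub-prefix that is not actually inside the parent it names, something is wrong with the parser or the configuration, not with the routing table.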
In this step, you reviewed some example BGPalerter alerts. Next, you’ll configure BGPalerter to run automatically at boot.
In this final step, you’ll configure BGPalerter to run at boot.
Ensure that you're still logged in as your new non-privileged user, and then open the crontab editor:
crontab -e
Next, add the following entry to the bottom of the crontab file:
@reboot sleep 10; screen -dmS bgpalerter "./bgpalerter-linux-x64"
Every time your system boots, this will create a detached screen session called 'bgpalerter' and start BGPalerter within it. Cron runs the entry from the bgpalerter user's home directory, which is where you downloaded the binary and created prefixes.yml, and the entry assumes that screen is installed on the server.
Save and exit the crontab editor. You may now wish to reboot your system in order to make sure that BGPalerter correctly starts at boot.
You'll first need to log out of your BGPalerter user:
exit
Then proceed with a normal system reboot:
sudo reboot
Once your system has rebooted, log back in to your server and use su to access your BGPalerter user again:
sudo su bgpalerter
You can then attach to the session at any time in order to view the output from BGPalerter:
screen -r bgpalerter
Press Ctrl+A followed by D to detach from the session again without stopping BGPalerter.
In this final step, you configured BGPalerter to run at boot.
In this article you set up BGPalerter and used it to monitor networks for BGP routing changes.
If you wish to make BGPalerter more user-friendly, you can configure it to send alerts to a Slack channel via a webhook:
Configure Slack Reporting for BGPalerter
If you wish to learn more about BGP itself, but do not have access to a production BGP environment, you may enjoy using DN42 to experiment with BGP in a safe, isolated environment:
Decentralized Network 42
Translated from: https://www.digitalocean.com/community/tutorials/how-to-monitor-bgp-announcements-and-routes-using-bgpalerter-on-ubuntu-18-04