You are here: Home > Publications > RIPE Labs > Massimo Candela > Upstream Visibility: Monitor the Visibility of your Prefix

Upstream Visibility: Monitor the Visibility of your Prefix

Massimo Candela — 25 Sep 2018
Upstream Visibility is the new tool produced by the Computer Network Research Group of Roma Tre in collaboration with the RIPE NCC. It is a web application which proposes a concise way of visualising interdomain routing data of a specified prefix.
Introduction 

The Internet is constantly evolving. Outages, attacks, upgrades, censorship, and policy changes frequently modify routing everywhere in the world.

Monitoring inter-domain routing is challenging without visualisations because it requires the processing of a large volume of BGP data provided by a platforms such as the RIPE Routing Information Service (RIS). In RIS, various Autonomous Systems (ASes) are peering with a RIS Route Collector, providing an observation point on the inter-domain routing of the Internet.

These ASes are called Collector Peers (CP). The most common approach for displaying BGP data collected is to use an animated graph (e.g. BGPlay). In this type of visualisation, each node of the graph is an AS and each link is a peering session among ASes. Every time a BGP update is applied, the links in the graph change according to the new status.

Graph animations are not suitable for real-time monitoring for which it is crucial to easily spot differences with previous routing states. In addition, in some cases the overall perception of an incident can be lost due to the visual complexity.

The Computer Network research group of Roma Tre, in collaboration with the RIPE NCC, proposes a new visual interface, called Upstream Visibility, to achieve easier readability of BGP data. It is based on three views:

1) A global view, which provides a high-level overview of the visibility of an IP prefix;

2) A local view, which allows the user to check  the visibility of a prefix in a specific location of the network; and

3) A traditional BGPlay view

A prototype of the tool has been presented in May 2017 at RIPE 74. The development is now complete and the tool is integrated in RIPEstat.
 

The interface

The new Upstream Visibility tool uses stacked area charts and heat maps for a concise representation of a portion of the inter-domain routing of a specified prefix.

 

Figure 1: The global view of Upstream Visibility

This tool shows through which upstream providers the various RIS Collector Peers (CPs) are reaching the monitored prefix over time.

Figure 1 shows the DDoS attack on Dyn DNS that happened in 2016. In particular the image shows the main view, called global view, monitoring the prefix 208.76.59.0/24 (AS33517).

The upstream providers of AS33517 are represented with coloured areas. The x-axis represents the time. The y-axis shows the percentage of CPs able to reach the origin AS through a specific upstream provider. White areas on the chart represent a lack of visibility. In general, when the routing is stable, the global view is composed only by horizontal straight coloured strips.

A you can see, the visibility of the prefix changed dramatically at about 12:45, when most of the CPs started passing through AS10026 (the red area enlarges). From 12:45 to 2:40 the routing is unstable, oscillating between moments where AS4637 (green) and AS2914 (purple) appear and disappear. From 2:40 to 3:35 there are three dramatic losses of reachability followed by periods when the ASes reach AS33517 only through AS2914 (purple). The stable routing state is restored at 4:45.

In this description we refer, naively, to upstream providers meaning ASes at distance 1 from the origin AS, and we don't infer any business relation among ASes. In the interface the user can select what distance from the origin AS should be monitored.

While the global view gives a summary of the visibility status of a prefix, we provide also a local view, which allows the user to check the effects of a visibility change on specific locations of the network, where the CPs are placed.

 heatmap upstream visibility

Figure 2: The local view of Upstream Visibility

Figure 2 shows the local view of the same network event used above. The various horizontal segments represent which upstream provider was used over time, by a specific CP, to reach the origin AS. The colours used for representing the ASes are the same across the global and the local view. More information about the ASes are available when hovering over the coloured areas.

When the users interact with the global or with the local view and find an instance that is especially interesting, they can click on it and get the BGPlay representation of the routing around that time.

This new tool is available in RIPEstat in the routing tab.

We also worked to improve the readability of these kinds of diagrams. We tackled the problem of automatically generating the stacked area charts by designing and evaluating several heuristics able to run directly in the browser. More details can be found in the paper "Upstream Visibility: a Multi-View Routing Visualization", proc. 11th International Symposium on Visual Information Communication and Interaction.

Embedding and source code

Upstream Visibility is a RIPEstat widget which can be embedded in any HTML page. Simply copy and paste the "embed code" on the footer of the widget into your web page.

If you want to contribute, please help us on GitHub.

Feedback

We always want to hear what you think about the tools and services we offer.

Here is how you can get in touch:

  • If you want to leave a feedback or report a bug, please use one of the channels reported here.
  • For direct feedback: Contact the Computer Networks Research Group of Roma Tre at compunet [at] dia.uniroma3 [dot] it or Massimo Candela at mcandela [at] ripe [dot] net.

You can also leave a comment under the article here on RIPE Labs.

4 Comments

Sylvain BAYA says:
27 Sep, 2018 09:43 AM
Hi Massimo,
Congrates to your Team and thanks for sharing.

Just to look ahead, my question is this : if some Org wants to follow-up own' prefix|es (live), is it the appropriate tool to rely to ?

Look, if someone want to be lively notified when a particular prefix is hijacked or a route is leaked, how to use your tool ?

Regards,
--sb.
Massimo Candela says:
01 Oct, 2018 05:22 PM
Hi Sylvain,

The tool can be used for real-time monitoring (but it doesn't notify you automatically).
The RIPEstat version is not enabled for real-time monitoring yet. The source code on GitHub includes already such feature (polling from API or WebSocket streaming).

Tell me more about your use-case: would you use it directly from RIPEstat with real-time monitoring or you want to integrate it in a dashboard you already have and use your own data?

Thanks

Ciao,
Massimo
Sylvain BAYA says:
27 Sep, 2018 11:37 AM
...please, also look at the link [1] to the DDoS attack on Dyn DNS. It not works well here. You must change with the right [2] one :-)
__
[1]: https://labs.ripe.net/a-quick-look-at-the-attack-on-dyn
[2]: https://labs.ripe.net/[…]/a-quick-look-at-the-attack-on-dyn

Thanks&Regards,
--sb.
Massimo Candela says:
01 Oct, 2018 05:22 PM
Thanks, fixed!
Add comment

You can add a comment by filling out the form below. Comments are moderated so they won't appear immediately. If you have a RIPE NCC Access account, we would like you to log in.