nttgin / BGPalerter

BGP and RPKI monitoring tool. Pre-configured for real-time detection of visibility loss, RPKI invalid announcements, hijacks, ROA misconfiguration, and more.
BSD 3-Clause "New" or "Revised" License

Research Mode #1258

Closed giovaneh closed 7 months ago

giovaneh commented 8 months ago

Hello everybody.

I'm Giovane Heleno, founder of ISP.Tools (non-profit free online tools for ISPs). Firstly, congratulations on the fantastic project. It is a great contribution to the community.

I would like a little help; maybe I'm not seeing something. I'm doing research work, and BGPalerter will help me a lot to filter RIPE data.

I set up the environment in research mode exactly as the documentation requires. I'm using the latest version available; I cloned the repository just yesterday. It connects normally and receives the RIPE flow. (I'm using nodemon to facilitate the tests.)

[nodemon] starting `babel-node index.js`
Loaded config: /root/BGPalerter/config.yml
BGPalerter, version: 1.33.0 environment: research
Loaded config: /root/BGPalerter/config.yml
Monitoring everything

My config.yml file looks like this:

configVersion: 2
#environment: production
environment: research
maxMessagesPerSecond: 150000
multiProcess: true

connectors:
  - file: connectorRIS
    name: ris
    params:
      carefulSubscription: true
      url: ws://ris-live.ripe.net/v1/ws/
      perMessageDeflate: true
      subscription:
        moreSpecific: true
        type: UPDATE
        host: null
        socketOptions:
          includeRaw: false
monitors:
  - file: monitorHijack
    channel: hijack
    name: basic-hijack-detection
    params:
      thresholdMinPeers: 3
  - file: monitorPath
    channel: path
    name: path-matching
    params:
      thresholdMinPeers: 1
  - file: monitorNewPrefix
    channel: newprefix
    name: prefix-detection
    params:
      thresholdMinPeers: 3
  - file: monitorVisibility
    channel: visibility
    name: withdrawal-detection
    params:
      thresholdMinPeers: 40
      notificationIntervalSeconds: 3600
  - file: monitorAS
    channel: misconfiguration
    name: asn-monitor
    params:
      skipPrefixMatch: false
      thresholdMinPeers: 3
  - file: monitorRPKI
    channel: rpki
    name: rpki-monitor
    params:
      thresholdMinPeers: 3
      checkUncovered: false
      checkDisappearing: false
  - file: monitorROAS
    channel: rpki
    name: rpki-diff
    params:
      enableDiffAlerts: true
      enableExpirationAlerts: true
      enableExpirationCheckTA: true
      enableDeletedCheckTA: true
      enableAdvancedRpkiStats: false
      roaExpirationAlertHours: 2
      checkOnlyASns: true
      toleranceDeletedRoasTA:
        ripe: 20
        apnic: 20
        arin: 20
        lacnic: 20
        afrinic: 50
      toleranceExpiredRoasTA:
        ripe: 20
        apnic: 20
        arin: 20
        lacnic: 20
        afrinic: 50
  - file: monitorPathNeighbors
    channel: hijack
    name: path-neighbors
    params:
      thresholdMinPeers: 3

reports:
  - file: reportFile
    alertDataDirectory: data/
    channels:
      - hijack
      - newprefix
      - visibility
      - path
      - misconfiguration
      - rpki

notificationIntervalSeconds: 86400
alarmOnlyOnce: false

monitoredPrefixesFiles:
  - prefixes/All.yml
#  - prefixes.yml

persistStatus: true
generatePrefixListEveryDays: 0

logging:
  directory: logs
  logRotatePattern: YYYY-MM-DD
  maxRetainedFiles: 10
  maxFileSizeMB: 15
  compressOnRotation: false

rpki:
  vrpProvider: rpkiclient
  preCacheROAs: true
  refreshVrpListMinutes: 15
  markDataAsStaleAfterMinutes: 120

rest:
  host: localhost
  port: 8011

checkForUpdatesAtBoot: true
pidFile: bgpalerter.pid
fadeOffSeconds: 360
checkFadeOffGroupsSeconds: 30

But I get no alert, no log, nothing, just a "Not valid AS number" warning.

2024-02-29T13:36:01+00:00 info: ris connector connected (instance:9ed4be13-24e6-4177-a681-b78af2ae9d6f connection:487de4e3-62c5-40de-9b70-ecd9e7f46690)
2024-02-29T13:36:01+00:00 info: Subscribed to monitored resources
2024-02-29T13:40:23+00:00 error: Error during transform (ConnectorRIS): Not valid AS number
2024-02-29T13:41:47+00:00 error: Error during transform (ConnectorRIS): Not valid AS number
2024-02-29T13:42:09+00:00 error: Error during transform (ConnectorRIS): Not valid AS number
2024-02-29T13:42:23+00:00 error: Error during transform (ConnectorRIS): Not valid AS number
2024-02-29T13:42:34+00:00 error: Error during transform (ConnectorRIS): Not valid AS number
2024-02-29T13:42:49+00:00 error: Error during transform (ConnectorRIS): Not valid AS number
2024-02-29T13:43:42+00:00 error: Error during transform (ConnectorRIS): Not valid AS number
2024-02-29T13:44:09+00:00 error: Error during transform (ConnectorRIS): Not valid AS number

My prefix file is just like this:

---
0.0.0.0/0:
   description: All IPv4
   ignoreMorespecifics: false
   ignore: false

"::/0":
   description: Monitoring the entire v6 space!
   ignoreMorespecifics: false
   ignore: false

I tried to add some ASNs in the list, but without success either.

Any help would be of great value to us. Brazilian regards to everyone.

giovaneh commented 8 months ago

Oh, in case anyone asks or is curious... Yes, I will develop my own Monitor module for my needs. I just need to make sure everything is working before then.

massimocandela commented 7 months ago

Hi @giovaneh,

The error is not related to the system not working. The error says that one of the ASes you received as input from the stream is not a valid AS. It would be interesting to see why, but the functioning should not be affected.

The configuration you are operating is not effective because it enables all monitors but doesn't provide the current prefix-AS associations. This is not a problem if you are going to develop your monitor, but you have to comment out the currently available one.

However, I just realized that the example that monitors the entire address space is a really bad example of RIS abuse that we are trying to mitigate. I updated the documentation to reflect that.

I hope this helps.
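A way to catch both points raised in the reply above (entries with no prefix-AS association, and entries covering the whole address space) before starting the monitors. This is an added example, not code from BGPalerter or from the thread; `parsePrefixFile` and `lintPrefixes` are hypothetical helpers, the parser handles only the flat two-level YAML shown in this issue, and the `192.0.2.0/24` / AS64500 entry is constructed from documentation ranges.

```javascript
// Added example (not BGPalerter code): lint a prefix list of the shape shown in this issue.
// Constructed sample: the two catch-all entries from the issue plus one made-up entry.
const samplePrefixFile = `---
0.0.0.0/0:
   description: All IPv4
   ignoreMorespecifics: false
   ignore: false
"::/0":
   description: Monitoring the entire v6 space!
   ignoreMorespecifics: false
   ignore: false
192.0.2.0/24:
   description: constructed example
   asn: 64500
   ignoreMorespecifics: false
   ignore: false
`;

// Minimal parser for this flat two-level YAML subset only (hypothetical helper).
function parsePrefixFile(text) {
  const entries = {};
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trimEnd();
    const bare = line.trim();
    if (!bare || bare === "---" || bare.startsWith("#")) continue;
    if (!/^\s/.test(line) && line.endsWith(":")) {
      current = line.slice(0, -1).replace(/^"|"$/g, ""); // prefix key without quotes
      entries[current] = {};
    } else if (current) {
      const m = line.match(/^\s+(\w+):\s*(.*)$/);
      if (m) entries[current][m[1]] = m[2];
    }
  }
  return entries;
}

// Flag zero-length (whole address space) prefixes and entries with no origin AS.
function lintPrefixes(entries) {
  const findings = [];
  for (const [prefix, rule] of Object.entries(entries)) {
    if (Number(prefix.split("/")[1]) === 0) findings.push({ prefix, issue: "catch-all" });
    const asn = rule.asn || ""; // accepts a single number or a bracketed list of numbers
    if (!/^\[?\s*\d+(\s*,\s*\d+)*\s*\]?$/.test(asn)) findings.push({ prefix, issue: "missing-asn" });
  }
  return findings;
}
console.log(lintPrefixes(parsePrefixFile(samplePrefixFile)));
```

Run against the prefix file from the issue, both entries are reported twice: once as catch-all and once for the missing `asn`.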