Border Gateway Protocol (BGP) routing records from Route Views

Citation Author(s): Zhida Li (Simon Fraser University), Ana Laura Gonzalez Rios (Simon Fraser University), Ljiljana Trajkovic (Simon Fraser University)
Submitted by: Ljiljana Trajkovic
Last updated: Sun, 05/02/2021 - 23:08
DOI: 10.21227/wpph-ex74

Abstract 

Three well-known Border Gateway Protocol (BGP) anomalies, WannaCrypt, Moscow blackout, and Slammer, occurred in May 2017, May 2005, and January 2003, respectively.
The Route Views BGP update messages covering WannaCrypt, Moscow blackout, and Slammer are publicly available from the University of Oregon Route Views Project: http://www.routeviews.org/routeviews/.

- WannaCrypt (WannaCry) is a cryptoworm ransomware that works by gaining administrative privileges and employs the EternalBlue exploit and DoublePulsar backdoor in systems running Microsoft Windows 7.
- The Chagino substation of the Moscow energy ring experienced a transformer failure on May 24, 2005 at 20:57 (MSK). The event caused a complete shutdown of the substation and a blackout that affected all customers until 16:00 (MSK) on May 26, 2005. During the blackout, the Internet traffic exchange point MSK-IX was disconnected from 11:00 to 17:00 (MSK). Note that there are 205 missing data points in the Moscow blackout dataset.
- Slammer infected Microsoft SQL servers through a small piece of code that generated IP addresses at random. The number of infected machines doubled approximately every 9 seconds. Note that there are 12 missing data points in the Slammer dataset.

37 features are extracted from BGP update messages that originated from route collector route-views2. The data collected during periods of Internet anomalies include:
- eight-day period for WannaCrypt (four days of the attack as well as two days prior and two days after the attack);
- five-day period for Moscow blackout and Slammer (the day of the attack as well as two days prior and two days after the attack).

http://www.sfu.ca/~ljilja/cnl/projects/BGP_datasets/index.html

Instructions: 

Raw data from the route collector route-views2 are organized in folders labeled by the year and month of the collection date.
Complete datasets for WannaCrypt, Moscow blackout, and Slammer are available from the Route Views route collector route-views2 site:
- University of Oregon Route Views Project: http://www.routeviews.org/routeviews/
- Collectors: http://www.routeviews.org/routeviews/index.php/collectors/
- Route Views Collector Map: http://www.routeviews.org/routeviews/index.php/map/
- University of Oregon Route Views Archive Project: http://archive.routeviews.org/
- MRT format RIBs and UPDATEs (quagga bgpd, from route-views2.oregon-ix.net): http://archive.routeviews.org/bgpdata/
- Tools: http://www.routeviews.org/routeviews/index.php/tools/
The date of last modification and the size of the datasets are also included.

BGP update messages are originally collected in Multi-Threaded Routing Toolkit (MRT) format.
"Zebra-dump-parser", written in Perl, is used to convert the BGP update messages to ASCII.
The 37 BGP features were extracted using a C# tool to generate the uploaded datasets (CSV files).
Labels have been added based on the periods when the data were collected.
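The feature-extraction and labeling steps above (per-period features computed from parsed BGP update messages, then labeled by anomaly window) as an added example that is not part of the dataset or the authors' C# tool. It assumes a simplified pipe-separated ASCII layout (timestamp|type|prefix|AS path) rather than the real zebra-dump-parser output, computes only a few assumed volume features rather than the dataset's 37, and labels minutes using the Moscow blackout window stated in the abstract.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records, one BGP update per line, in an assumed
# simplified layout: timestamp|A(nnouncement) or W(ithdrawal)|prefix|AS path.
SAMPLE = """\
2005-05-24 20:55:10|A|203.0.113.0/24|6447 3356 64496
2005-05-24 20:55:40|A|198.51.100.0/24|6447 3356 64497
2005-05-24 20:58:05|W|203.0.113.0/24|
2005-05-24 20:58:20|W|198.51.100.0/24|
2005-05-24 20:58:50|A|203.0.113.0/24|6447 1299 2914 64496
2005-05-24 20:58:55|A|192.0.2.0/24|6447 1299 2914 64498
"""

# Moscow blackout window from the dataset description (MSK = UTC+3).
MSK = timezone(timedelta(hours=3))
BLACKOUT = (datetime(2005, 5, 24, 20, 57, tzinfo=MSK),
            datetime(2005, 5, 26, 16, 0, tzinfo=MSK))

def parse(text):
    """Yield (timestamp, type, prefix, AS path) tuples from the ASCII dump."""
    for line in text.splitlines():
        ts, kind, prefix, path = line.split("|")
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=MSK)
        yield when, kind, prefix, [int(asn) for asn in path.split()]

def minute_features(text, window=BLACKOUT):
    """Aggregate per-minute volume features (an assumed subset, not the
    dataset's 37) and label each minute: 1 inside the anomaly window, else 0."""
    bins = defaultdict(lambda: {"ann": 0, "wd": 0, "prefixes": set(), "plen": []})
    for when, kind, prefix, path in parse(text):
        b = bins[when.replace(second=0)]
        if kind == "A":
            b["ann"] += 1
            b["plen"].append(len(path))
        else:
            b["wd"] += 1
        b["prefixes"].add(prefix)
    rows = []
    for minute in sorted(bins):
        b = bins[minute]
        rows.append({
            "minute": minute.strftime("%Y-%m-%d %H:%M"),
            "announcements": b["ann"],
            "withdrawals": b["wd"],
            "unique_prefixes": len(b["prefixes"]),
            "avg_as_path_len": sum(b["plen"]) / len(b["plen"]) if b["plen"] else 0.0,
            "label": 1 if window[0] <= minute < window[1] else 0,
        })
    return rows
```

Each returned row is one CSV-style feature vector with its label, which is the shape a classifier trained on the published datasets would consume.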