nttgin / bgpalerter

BGP and RPKI monitoring tool. Pre-configured for real-time detection of visibility loss, RPKI invalid announcements, hijacks, ROA misconfiguration, and more.

License: BSD 3-Clause "New" or "Revised" License

Languages: JavaScript 99.77%, Shell 0.17%, Dockerfile 0.07%
Topics: bgp, internet, monitoring, network, rpki

bgpalerter's People

Contributors

arjenz, arpanet-creeper, autoalan, b4ldr, cadirol, ccaputo, dependabot-preview[bot], dependabot[bot], fadenb, falz, floatingstatic, gfdellicarri, goliathlabs, jcoeder, job, laxxie, lspgn, massimocandela, mirceaulinic, mk-nlix, momorientes, nickbouwhuis, nttgin-buildbot, packetvis, peter-potvin, sleinen, tbaschak, trickv, williamdedwards, wk

bgpalerter's Issues

The monitorASns option in prefixes.yml triggers double messages from RIPE RIS

Describe the bug
The monitorASns option in prefixes.yml triggers double messages.
The issue doesn't affect the normal monitoring but increases the number of messages that have to be parsed.

This is an issue of RIPE RIS. In the meanwhile that this is fixed on their side, we could deploy a filter in BGPalerter to drop duplicates.

Derived from: #114

Provide an example

206.189.244.0/22:
  description: LON1 909
  asn: 14061
  ignoreMorespecifics: false
  ignore: false

options:
  monitorASns:
    14061:
      group: default

These rules partially overlap when 206.189.244.0/22 is announced by its correct origin 14061.

In RIS, multiple subscriptions are served in the same channel. The overlap in the subscriptions provokes duplication of the messages in the channel (once for the first rule, once for the second, same md5 hash of the content).

Example of duplicates:

IDENTICAL: d69be6a54012637ad749f07e59957ee3 {
  type: 'announcement',
  prefix: '165.227.224.0/20',
  peer: '187.16.217.59',
  path: Path { value: [ [AS], [AS], [AS] ] },
  originAS: AS { numbers: [ 14061 ], ASset: false, _valid: true },
  nextHop: '187.16.217.59',
  aggregator: null,
  timestamp: 1579634518760,
  communities: [ [ 23106, 4009 ] ]
}
IDENTICAL: 8a810904e54455e2d06badb007c48a3d {
  type: 'announcement',
  prefix: '174.138.104.0/22',
  peer: '187.16.217.59',
  path: Path { value: [ [AS], [AS], [AS] ] },
  originAS: AS { numbers: [ 14061 ], ASset: false, _valid: true },
  nextHop: '187.16.217.59',
  aggregator: null,
  timestamp: 1579634518760,
  communities: [ [ 23106, 4009 ] ]
}
IDENTICAL: 5e8a57456fe1f5ea7215f772f6d35bc0 {
  type: 'announcement',
  prefix: '167.172.48.0/20',
  peer: '187.16.217.59',
  path: Path { value: [ [AS], [AS], [AS] ] },
  originAS: AS { numbers: [ 14061 ], ASset: false, _valid: true },
  nextHop: '187.16.217.59',
  aggregator: null,
  timestamp: 1579634518760,
  communities: [ [ 23106, 4009 ] ]
}
IDENTICAL: 255d417c4219261e0b99b69f3bbca759 {
  type: 'announcement',
  prefix: '188.166.132.0/22',
  peer: '187.16.217.59',
  path: Path { value: [ [AS], [AS], [AS] ] },
  originAS: AS { numbers: [ 14061 ], ASset: false, _valid: true },
  nextHop: '187.16.217.59',
  aggregator: null,
  timestamp: 1579634518760,
  communities: [ [ 23106, 4009 ] ]

Expected behavior
RIPE RIS should send only one message if multiple rules are satisfied, not duplicated messages, one for each rule.

I reported this to the RIPE RIS team. In the meanwhile, an expected behaviour for a patch is to hash the BGP messages and filter out duplicates.

Are you using the binary or the source code?
Not relevant

error: 1006

Hello,

I'm running BGPAlerter on two Ubuntu 18.04.3 LTS VMs and keep getting "error: 1006" after some time. Nothing in the error log.

log/notify also on restore

When logging/notifying about visibility issues it would be nice to also have logs that document when visibility got restored (visible on all peers again, or not visible below a configurable threshold) so we can see how long the visibility was affected.

2019-11-08T06:50:58.481Z [production] verbose: The prefix 109.70.100.0/24 (ipv4) has been withdrawn. It is no longer visible from 10 peers.
2019-11-08T08:50:58.649Z [production] verbose: The prefix 109.70.100.0/24 (ipv4) has been withdrawn. It is no longer visible from 10 peers.
2019-11-08T11:54:58.935Z [production] verbose: The prefix 109.70.100.0/24 (ipv4) has been withdrawn. It is no longer visible from 11 peers.

Invalid characters in prefix lead to Type Error

Invalid characters in the prefix in prefixes.yml lead to type error.

prefixes.yml:

2001:DB8:C00^::/32:
  description: bad v6 prefix
  asn: 65215
  ignoreMorespecifics: false

172.16.x.0/24:
  description: badv4 prefix
  asn: 65215
  ignoreMorespecifics: false

output:

loading config: /home/agallo/downloads/BGPalerter/config.yml
RUNNING ENVIRONMENT: production
Subscribing to: 2001:DB8:C00:^:/32
Subscribing to: 172.16.x.0/24
loading config: /home/agallo/downloads/BGPalerter/config.yml
RUNNING ENVIRONMENT: production
error: TypeError: Cannot read property 'filter' of undefined
error: TypeError: Cannot read property 'filter' of undefined

packet capture shows BGPalerter is attempting to subscribe to the prefix with the bad character:

Line-based text data (1 lines)
    {"type":"ris_subscribe","data":{"moreSpecific":true,"type":"UPDATE","host":null,"socketOptions":{"includeRaw":false},"prefix":"2001:DB8:C00:^:/32"}}

and the response does show that the bad prefix is detected:

Line-based text data (1 lines)
    {"type":"ris_error","data":{"params":{"moreSpecific":true,"type":"UPDATE","host":null,"socketOptions":{"includeRaw":false},"prefix":"2001:DB8:C00:^:/32"},"message":"Unable to parse the specified 'prefix'"}}

Maybe validate prefix and report errors when launched?

Thank you.

Feature request: Mattermost reporter

Mattermost is a popular open-source, self-hosting capable alternative to Slack. It would be highly appreciated if you could look into creating a reporter for that platform.

If you decide to implement it I would definitely be willing to test and provide feedback.

Please configure tag and branch-based Docker builds

Describe what you would like to achieve

It'd be great to have the Docker image tagged per release and branch. This way, you can pin to a specific version to avoid confusion and unexpected side effects.

Describe why the current solution (if any) is not satisfactory

Currently, everything merged into dev seems to get pushed under the latest tag: https://hub.docker.com/r/nttgin/bgpalerter/tags

Provide an example

Here's the Docker hub config I have for a project of mine, which I think would work well for BGPalerter too (with some minor changes):

[Screenshot: Docker Hub automated build configuration, 2020-01-09]

Please let me know if you have any questions!

error: Slack reporting is not enabled: no group is defined

Is this a group which must be defined in within Slack or is something missing from config.yml?

The webhook URL should work - I took it from when I was experimenting with the NLNOG/bgpalerter project. Changing the URL to something invalid gives me the same error which is why there is something missing from the default config.yml which specifies the "group".

Feature request: ignore certain hijacks

We assigned a /24 from one of our /19's to one of our customers, who is multihomed and announces that /24 from their ASN instead of ours.

At this moment, when monitoring the /19 we get hijack notifications. Would it be possible to add some list of prefixes to be ignored, preferably specific combinations of prefix + ASN, so we do get alerts for "real" hijacks, but not for this one? Of course, we could filter this in the notification handler on our side, but it would make more sense not to generate notifications for known .

Binary throws errors at run

I followed the instructions, but I have a huge stacktrace:

bgpalerter@bgpalerter:/opt/bgpalerter$ wget https://github.com/nttgin/BGPalerter/releases/download/v1.22.0/bgpalerter-linux-x64
--2019-12-04 18:42:47--  https://github.com/nttgin/BGPalerter/releases/download/v1.22.0/bgpalerter-linux-x64
Resolving github.com (github.com)... 140.82.118.3
Connecting to github.com (github.com)|140.82.118.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/197530275/35ddb180-1226-11ea-9f29-34a601409835?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191204%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191204T174247Z&X-Amz-Expires=300&X-Amz-Signature=4e24677f6e26a69999d1e59469b0cd93fde0a25774afa5bef2f7879f00445c22&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dbgpalerter-linux-x64&response-content-type=application%2Foctet-stream [following]
--2019-12-04 18:42:47--  https://github-production-release-asset-2e65be.s3.amazonaws.com/197530275/35ddb180-1226-11ea-9f29-34a601409835?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20191204%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20191204T174247Z&X-Amz-Expires=300&X-Amz-Signature=4e24677f6e26a69999d1e59469b0cd93fde0a25774afa5bef2f7879f00445c22&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dbgpalerter-linux-x64&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.94.163
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.94.163|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 66995512 (64M) [application/octet-stream]
Saving to: ‘bgpalerter-linux-x64’

bgpalerter-linux-x64              100%[============================================================>]  63.89M  14.0MB/s    in 4.9s    

2019-12-04 18:43:08 (13.0 MB/s) - ‘bgpalerter-linux-x64’ saved [66995512/66995512]

bgpalerter@bgpalerter:/opt/bgpalerter$ chmod 700 bgpalerter-linux-x64 && nohup ./bgpalerter-linux-x64
nohup: ignoring input and appending output to 'nohup.out'
bgpalerter@bgpalerter:/opt/bgpalerter$ ./bgpalerter-linux-x64
pkg/prelude/bootstrap.js:1185
      throw error;
      ^

Error: Cannot find module './monitors/MonitorAS'
1) If you want to compile the package/file into executable, please pay attention to compilation warnings and specify a literal in 'require' call. 2) If you don't want to compile the package/file into executable and want to 'require' it from filesystem (likely plugin), specify an absolute path in 'require' call using process.cwd() or process.execPath.
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:580:15)
    at Function.Module._resolveFilename (pkg/prelude/bootstrap.js:1287:46)
    at Function.Module._load (internal/modules/cjs/loader.js:506:25)
    at Module.require (internal/modules/cjs/loader.js:635:17)
    at Module.require (pkg/prelude/bootstrap.js:1166:31)
    at require (internal/modules/cjs/helpers.js:22:18)
    at /snapshot/build/src/env.js:187:14
    at Array.map (<anonymous>)
    at Object.<anonymous> (/snapshot/build/src/env.js:185:35)
    at Module._compile (pkg/prelude/bootstrap.js:1261:22)
bgpalerter@bgpalerter:/opt/bgpalerter$ 
bgpalerter@bgpalerter:/opt/bgpalerter$ ls -lh
total 64M
-rwx------ 1 bgpalerter bgpalerter  64M Nov 28 21:29 bgpalerter-linux-x64
-rw-r--r-- 1 root       root       4.8K Dec  4 18:43 config.yml
drwxr-xr-x 2 bgpalerter bgpalerter 4.0K Dec  4 18:43 logs
-rw------- 1 bgpalerter bgpalerter 1.1K Dec  4 18:43 nohup.out
-rw-r--r-- 1 root       root       1.3K Dec  4 18:43 prefixes.yml

Create config file at boot

It'd be convenient if the included prefixes.yml and config.yml files were embedded in the binary resulting from 'npm build' and written out to disk (either in the current path, or in a predetermined configuration directory for each platform) upon initial invocation of the binary if they are not present.

Originally posted by @wk in #8 (comment)

Documentation? Specifically docker

Describe what you would like to achieve

I want to run BGPalerter in Docker, but there's no information here or on hub.docker.com that would tell you how to launch it. What ports to expose? Does it require a volume? Are there environment variables to set?

Describe why the current solution (if any) is not satisfactory

There's literally no information at all.

Could we see an example docker-compose file maybe that would easily show us all required info.

Time on alert is not on 24 hour format

Describe the bug
Time on the alert is incorrect

Expected behavior
Message says:

When event started: 2020-05-02 03:08:29 UTC
Last event: 2020-05-02 03:09:24 UTC

When it should be (It says 03:08:29 when in fact its 15:08:29):

When event started: 2020-05-02 15:08:29 UTC
Last event: 2020-05-02 15:09:24 UTC

Are you using the binary or the source code?
Binary

Your information
The prefix XXXX has been withdrawn. It is no longer visible from 10 peers
DETAILS:

Monitored prefix: XXXX
Prefix Description: XXXX
Prefix origin: XXXX
Event type: withdrawal-detection
When event started: 2020-05-02 03:08:29 UTC
Last event: 2020-05-02 03:09:24 UTC
Detected by peers: 10

ReportSlack fails

When I configure ReportSlack the program fails when loading. Apologies, github code formatting is broken with what I've included so I've separated sections with "snip".

-- snip --
./bgpalerter-linux-x64
loading config: /home/user/tools/bgpalerter/config.yml
pkg/prelude/bootstrap.js:1185
throw error;
^

Error: Cannot find module './reports/ReportSlack'

  1. If you want to compile the package/file into executable, please pay attention to compilation warnings and specify a literal in 'require' call. 2) If you don't want to compile the package/file into executable and want to 'require' it from filesystem (likely plugin), specify an absolute path in 'require' call using process.cwd() or process.execPath.
    at Function.Module._resolveFilename (internal/modules/cjs/loader.js:580:15)
    at Function.Module._resolveFilename (pkg/prelude/bootstrap.js:1287:46)
    at Function.Module._load (internal/modules/cjs/loader.js:506:25)
    at Module.require (internal/modules/cjs/loader.js:635:17)
    at Module.require (pkg/prelude/bootstrap.js:1166:31)
    at require (internal/modules/cjs/helpers.js:22:18)
    at /snapshot/build/env.js:102:14
    at Array.map ()
    at Object. (/snapshot/build/env.js:100:41)
    at Module._compile (pkg/prelude/bootstrap.js:1261:22)

-- snip --

The config is as follows:

-- snip --

-- snip --

When removed it loads fine.

Running Ubuntu 18.04

Error while running

Hi,

So I've downloaded the bin and run it but I get three errors

error: hijack template cannot be loaded
error: newprefix template cannot be loaded
error: visibility template cannot be loaded

What I did:

cd /appl/bgpalerter
wget https://raw.githubusercontent.com/nttgin/BGPalerter/master/bin/bgpalerter-linux-x64
wget https://raw.githubusercontent.com/nttgin/BGPalerter/master/config.yml
wget https://raw.githubusercontent.com/nttgin/BGPalerter/master/prefixes.yml
chmod +x bgpalerter-linux-x64
nano config.yml
nano prefixes.yml
./bgpalerter-linux-x64

Outcome:

./bgpalerter-linux-x64
loading config: /appl/bgpalerter/config.yml
RUNNING ENVIRONMENT: production
Subscribing to: output removed
loading config: /appl/bgpalerter/config.yml
RUNNING ENVIRONMENT: production
error: hijack template cannot be loaded
error: newprefix template cannot be loaded
error: visibility template cannot be loaded

Did I do something wrong?

Thanks!

macOS binary, error if run without arguments

Hi,

on macOS Darwin Kernel Version 17.7.0:

./bgpalerter-macos-x64.dms 
pkg/prelude/bootstrap.js:1185
      throw error;
      ^

Error: No prefixes to monitor in prefixes.yml
    at _loop (/snapshot/build/inputs/inputYml.js:167:19)
    at new InputYml (/snapshot/build/inputs/inputYml.js:198:9)
    at Object.<anonymous> (/snapshot/build/env.js:209:13)
    at Module._compile (pkg/prelude/bootstrap.js:1261:22)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:710:10)
    at Module.load (internal/modules/cjs/loader.js:598:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:537:12)
    at Function.Module._load (internal/modules/cjs/loader.js:529:3)
    at Module.require (internal/modules/cjs/loader.js:635:17)
    at Module.require (pkg/prelude/bootstrap.js:1166:31)

A help output is expected instead:

./bgpalerter-macos-x64.dms --help
Usage: bgpalerter-macos-x64.dms <command> [options]

Commands:
  bgpalerter-macos-x64.dms           Run BGPalerter (default)          [default]
  bgpalerter-macos-x64.dms generate  Generate prefixes to monitor

Options:
  --version   Show version number                                      [boolean]
  -h, --help  Show help                                                [boolean]

Examples:
  bgpalerter-macos-x64.dms run -c           Run BGPalerter
  config.yml
  bgpalerter-macos-x64.dms generate -a      Generate prefixes for AS2914
  2914 -o prefixes.yml

Copyright (c) 2019, NTT Ltd

thank you

antonio

More-spec calculation error

Hi,

I just tested the tool by hijacking myself, it works. But it detects a more-spec that is another prefix.

2019-08-14T15:43:26.671Z [production] verbose: Possible change of configuration. A new prefix 2a00:5884::/32 is announced by AS204092. It is a more specific of 2a0e:f40::/29 (Grifon).

This prefix is correctly announced and configured:

2a00:5884::/32:
  description: Grifon
  asn: 204092
  ignoreMorespecifics: false

Plus, it’s not a more specific of 2a0e:f40::/29.

Possible memory leak when monitoring large number of prefixes

Hello,

Before anything, thanks for this project. I've been watching it for a while, and now finally deployed it... I hope I'll be able to contribute at some point; for now, at least, with some reports.

Describe the bug

Well, it is not exactly a bug (or maybe it is), but I've noticed the memory is steadily increasing. In 24 hours after deploying the app, the memory footprint grew from 150MB to over 800MB, and it looks like it's only going to be getting worse - see screenshot below:

[Screenshot: BGPalerter memory usage graph in Grafana]

The CPU usage seems pretty stable however.

I'm yet to play with Node.js, but in general a pattern like that means there's a possibility of a memory leak somewhere.

Provide an example
Provide an example in terms of prefixes and BGP messages. Possibly provide a snippet of config.yml and prefixes.yml.

Nothing really specific, pretty much all the prefixes from https://bgp.he.net/AS14061#_prefixes and https://bgp.he.net/AS14061#_prefixes6, e.g.,

"5.101.96.0/21":
  description: "Some description"
  asn: 14061
  ignoreMorespecifics: false
  ignore: false

3581 prefixes in total.

Expected behavior

Given the high number of prefixes, I'd expect to see a pretty important memory footprint, but I find an always growing figure more worrying because it's not easily predictable how much resources you're going to need on the long term.

Are you using the binary or the source code?

A custom Docker image based on nttgin/BGPalerter, so source code.

Your information
Provide your name and your AS/company (see Bert Hubert's post https://berthub.eu/articles/posts/anonymous-help/).

AS14061, DigitalOcean.

Cheers!

spoof an alert for testing?

Hello,

is there a mechanism to spoof an alert to verify the config and prefixes, and reports for logging, sending to slack, etc?

Thank you for this project it looks very interesting and useful!

Thanks,

Will

TypeError: params.p.split is not a function

I'm trying to use the new feature from #28
(version 1.21.0)

cat p.txt
1.1.1.0/24
./bgpalerter-linux-x64 generate -pf p.txt  -o prefixes.yml 
/snapshot/build/index.js:51
      prefixes = params.p.split(",");
                          ^

TypeError: params.p.split is not a function
    at Object.<anonymous> (/snapshot/build/index.js:51:27)
    at Module._compile (pkg/prelude/bootstrap.js:1261:22)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:710:10)
    at Module.load (internal/modules/cjs/loader.js:598:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:537:12)
    at Function.Module._load (internal/modules/cjs/loader.js:529:3)
    at Function.Module.runMain (pkg/prelude/bootstrap.js:1316:12)
    at startup (internal/bootstrap/node.js:320:19)
    at bootstrapNodeJSCore (internal/bootstrap/node.js:659:3)

UnhandledPromiseRejectionWarning & DeprecationWarning

Describe the bug
Got:

(node:28577) UnhandledPromiseRejectionWarning: RIPE RIS connection failed. Trying again...
(node:28577) UnhandledPromiseRejectionWarning: Unhandled promise rejection. This error originated either by throwing inside of an async function without a catch block, or by rejecting a promise which was not handled with .catch(). (rejection id: 1)
(node:28577) [DEP0018] DeprecationWarning: Unhandled promise rejections are deprecated. In the future, promise rejections that are not handled will terminate the Node.js process with a non-zero exit code.

Are you using the binary or the source code?
Source - tag v1.24.0 (3b23a90), with nodejs-12.14.0.

Your information
Chris Caputo - AS33108/SeattleIX

display some progress indicator on 'generate'

I'm running generate with a big input list (~3k prefixes)

./bgpalerter-linux-x64 generate --pf prefixes.txt -o prefixes.yml

and it apparently takes a very long time (>1h). It would be nice to have some indicator that it is doing something and did not simply die or get stuck.

Error: The file /path/to/BGPalerter/config.yml is not valid yml: unknown tag !<tag

Describe the bug
New BGPalerter installation on Ubuntu. Configuration done on first run. Ctrl-C to exit and second run of the binary. Exception on second run of the binary.

Provide an example

vagrant@srv:~/BGPalerter$ ./bgpalerter-linux-x64
Impossible to load config.yml. A default configuration file has been generated.
BGPalerter, version: 1.24.0 environment: production
Loaded config: /home/vagrant/BGPalerter/config.yml
? The file prefixes.yml cannot be loaded. Do you want to auto-configure BGPalerter? Yes
? Which Autonomous System(s) you want to monitor? (comma-separated, e.g. 2914,3333) 3333
? Are there sub-prefixes delegated to other ASes? (e.g. sub-prefixes announced by customers) No
? Do you want to be notified when your AS is announcing a new prefix? Yes
Generating monitoring rule for 193.0.22.0/23
Generating monitoring rule for 193.0.10.0/23
Generating monitoring rule for 193.0.12.0/23
Generating monitoring rule for 2001:67c:2e8::/48
Generating monitoring rule for 193.0.20.0/23
Generating monitoring rule for 193.0.18.0/23
Generating monitoring rule for 193.0.0.0/21
Generating generic monitoring rule for AS 3333
Done!
Monitoring 193.0.0.0/21
Monitoring 193.0.22.0/23
Monitoring 193.0.18.0/23
Monitoring 193.0.20.0/23
Monitoring 193.0.12.0/23
Monitoring 193.0.10.0/23
Monitoring 2001:67c:2e8::/48
Monitoring AS 3333
^C

vagrant@srv:~/BGPalerter$ ./bgpalerter-linux-x64
pkg/prelude/bootstrap.js:1248
      throw error;
      ^

Error: The file /home/vagrant/BGPalerter/config.yml is not valid yml: unknown tag !<tag
    at Object.<anonymous> (/snapshot/build/src/env.js:116:11)
    at Module._compile (pkg/prelude/bootstrap.js:1324:22)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:993:10)
    at Module.load (internal/modules/cjs/loader.js:813:32)
    at Function.Module._load (internal/modules/cjs/loader.js:725:14)
    at Module.require (internal/modules/cjs/loader.js:850:19)
    at Module.require (pkg/prelude/bootstrap.js:1229:31)
    at require (internal/modules/cjs/helpers.js:74:18)
    at Object.<anonymous> (/snapshot/build/src/consumer.js:8:35)
    at Module._compile (pkg/prelude/bootstrap.js:1324:22)

Expected behavior
bgpalerter should read config.yml and prefixes.yml and continue monitoring prefixes for our ASN. I used your ASN on the first try with the same results. For this report, I also tried 3333 with the same results.

Are you using the binary or the source code?
I'm using binary for Linux

vagrant@srv:~/BGPalerter$ wget https://github.com/nttgin/BGPalerter/releases/download/v1.24.0/bgpalerter-linux-x64

My server is on Ubuntu 19.10

Your information
Alfred
Simula

release v1.21 claims to be v1.20.2

There appears to be an issue with the version of the latest release (1.21):

wget https://github.com/nttgin/BGPalerter/releases/download/v1.21.0/bgpalerter-linux-x64
sha1sum bgpalerter-linux-x64 
b190708745a25168864c3b58f16bcc5bb46522cc  bgpalerter-linux-x64
./bgpalerter-linux-x64 
BGPalerter, version: 1.20.2 environment: production
A new version of BGPalerter is available. Current version: 1.20.2 new version: 1.21.0. Please, go to: https://github.com/nttgin/BGPalerter

Disable "new version" updates

Describe what you would like to achieve
I would like to disable the alerts for a new version being available (not just the first check at boot).

Describe why the current solution (if any) is not satisfactory
I don't want our customers to get this notification.

Provide an example
It is sent to all channels every time the monitor fires.

Hijack alerts should show the full AS-path

Hijack alerts should display complete as-path for hijacked prefixes. Paths from all peers observing the hijack should be displayed in the alert.

A knob to set a minimum threshold of peers observing the hijack would also be nice.

Feature Request - Alarm only once

Allow the user to set a configuration flag to only alert once.

Example would be when you have a more specific route without an ripe route-object.

In the current form the software alerts at a predefined interval until the issue is resolved. As far as I understand, the issue for a new more specific is resolved by adding the prefix in prefixes.yml, but this requires manual intervention. At least in my case I only need to be aware of the first time a more specific is seen in the routing table and then ignore it. I understand this might be a corner case, thus a configurable config option would be great.

Proposed changes:

  • add a configuration option to enable or disable re-alerts:

    notificationNoResend: true|false

  • based on this flag, allow re-send of alerts in monitor.js:

    _checkLastSent = (group) => {
        const lastTimeSent = this.sent[group.id];

        if (this.config.notificationNoResend) {
            return true;
        }
        // ... existing interval check on lastTimeSent follows
    };

Prefix matching bug

Describe the bug
The matching of more specific prefixes is not working correctly. Below is an example where a hijack alert is generated where BGPalerter matches a prefix 193.105.222.0/24 to a /16 (193.1.0.0/16) which it does not belong to.

Provide an example
The following is the hijack message that is logged:
"hijack
A new prefix 193.105.222.0/24 is announced by AS50762. It should be instead 193.1.0.0/16 (HEAnet) announced by AS1213"

From: prefixes.yml

193.1.0.0/16:
  description: HEAnet
  asn: 1213
  ignoreMorespecifics: false
  ignore: false

From: config.yml

options:
  monitorASns:
    1213:
      group: default

Expected behavior
There should be no match for 193.105.222.0/24 for the super net 193.1.0.0/16. There appears to be a partial string match for "193.1" but this is clearly not correct.

Are you using the binary or the source code?
Yes, the Linux binary on Ubuntu 18.04. https://github.com/nttgin/BGPalerter/releases/download/v1.23.2/bgpalerter-linux-x64
BGPalerter, version: 1.23.2 environment: production

Your information
Eoin Kenny
HEAnet
AS1213

New Prefix Alert by ASN

It would be nice to have an alert for new prefixes advertised by ASNs configured in prefixes.yml which are not part of more specifics. BGPmon has this functionality and I find it useful. There are use cases where an aggregate can not be announced and any new announced prefixes within that aggregate are not picked up by BGPalerter even though the origin ASN is announcing prefixes listed in prefixes.yml.

Feature request: ignore more specifics only when matching a specific AS-path and prefix length

We do DDoS mitigation by announcing a more specific (/24) covering the IP address under attack to a scrubbing center. Now, this triggers a 'possible change of configuration' notification, and the only way to solve that is to set 'ignoreMoreSpecifics' to 'true'. That would be unwanted though, since we would like to detect paths made up by 'BGP optimizers'.

Would it be possible to ignore a more specific only if it matches a specific prefix length and AS-path $SCRUBBING_CENTER $MY_ASN.

reportAlerta does not send any alert to ALERTA.io

My config.yml

  - file: reportAlerta
    channels:
      - hijack
      - newprefix
      - visibility
      - path
      - misconfiguration
    params:
      severity:
        hijack: critical
        newprefix: informational
        visibility: debug
        path: trace
      resource_templates:
        default: "${type}"
        hijack: "hijack::${prefix}@@${asn}"
        newprefix: "newprefix::${prefix}@@${asn}"
        visibility: "visibility::${prefix}@@${asn}"
      urls:
        default: "http://my_ip:5000/api/"

The log received this message:

2020-02-17T08:56:43+01:00 error: Error: Request failed with status code 403

I tried changing my URL to

"http://my_ip:5000/"
"http://my_ip:5000/api"

but it doesn't work.

Any idea?

withdrawal notification via email

Hello,

We set up BGPalerter Ubuntu instances (18.04). We are not getting an email alert on the withdrawal of our prefixes, but we are getting an alert from our subscription with BGPmon when it is detected by 16 peers.
We tested that email from the local Ubuntu instance is working fine.

Any help will be much appreciated.

IPv6 prefix is configured but bgpalerter complains "is not in the configured list of announced prefixes"

Describe the bug

I upgraded from 1.22.0 to 1.23.1 (binary on Debian 10), didn't change the configuration apart from the changed "processMonitors: - file: uptimeApi" part. Now BGP alerter is not recognizing the configured IPv6 prefix anymore, the IPv4 one is fine.

Both prefixes are not RPKI signed (yes I know... the IPv4 is legacy space, the IPv6 I have to ask the sponsoring LIR to activate it, will do).

Provide an example

Error message is:
"AS65000 is announcing 2001:db8:123::/48 but this prefix is not in the configured list of announced prefixes"

prefixes.yml:

'2001:db8:123::/48':
  description: No description provided
  asn:
    - 65000
  ignoreMorespecifics: false
  ignore: false
192.168.22.0/24:
  description: No description provided
  asn:
    - 65000
  ignoreMorespecifics: false
  ignore: false

options:
  monitorASns:
    6500:
      group: default

Expected behavior
Configured prefix recognized by bgpalerter

Are you using the binary or the source code?
binary

Your information
Volunteering for a non-profit-oriented small NGO AS where all are volunteers and no one gets any money.

Thank you!

Ignored prefix is alerted for in monitorAS

Describe the bug
When a prefix is configured with ignore: true and an ASN covered by monitorASns announces the prefix, a misconfiguration is emitted.

Per the documentation ignore should Exclude the current prefix from monitoring. Useful when you are monitoring a prefix and you want to exclude a particular sub-prefix, which I interpret to mean we shouldn't alert for things related to this prefix.

Currently this appears to work for prefix monitoring (monitorHijack, monitorNewPrefix, monitorPath, monitorVisibility), but not for AS monitoring.

Provide an example

config.yml

environment: production

connectors:
  - file: connectorRIS
    name: ris
    params:
      carefulSubscription: true
      url: wss://ris-live.ripe.net/v1/ws/
      subscription:
        moreSpecific: true
        type: UPDATE
        host:
        socketOptions:
          includeRaw: false

monitors:
  - file: monitorVisibility
    channel: visibility
    name: withdrawal-detection
    params:
      thresholdMinPeers: 1

  - file: monitorAS
    channel: misconfiguration
    name: asn-monitor
    params:
      thresholdMinPeers: 1

reports:
  - file: reportFile
    channels:
      - misconfiguration
      - visibility

notificationIntervalSeconds: 86400
alertOnlyOnce: true

monitoredPrefixesFiles:
  - prefixes.yml

logging:
  directory: logs
  logRotatePattern: YYYY-MM-DD 
  zippedArchive: true
  maxSize: 80m
  maxFiles: 7d

checkForUpdatesAtBoot: true

prefixes.yml

172.111.69.96/27:
    asn: [65001]
    description: example prefix
    ignore: true
    ignoreMorespecifics: true

options:
    monitorASns:
        65001: {group: default}

Expected behavior

  1. When AS65001 announces 172.111.69.96/27 no message is emitted from BGPalerter.
  2. When AS65001 withdraws 172.111.69.96/27 no message is emitted from BGPalerter.

Currently 2 is happening; however, for the AS path monitor it is being logged/notified:

$ cat reports-2019-12-15.log
[production] verbose: AS65001 is announcing 172.111.69.96/27 but this prefix is not in the configured list of announced prefixes

Are you using the binary or the source code?

Binary;

# /opt/bgpalerter/bgpalerter-linux-x64 --version
1.22.0
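The behaviour the report expects, as an added example (not BGPalerter's own code): a minimal model of the monitorAS check that stays silent for a prefix configured with ignore: true. The function names, the IPv4-only prefix matching, and the exact reading of ignore/ignoreMorespecifics are assumptions; the sample config is constructed from the prefixes.yml above.

```javascript
// Added example, not BGPalerter's own code: a minimal model of the monitorAS
// check that honours "ignore: true" as the bug report expects. Function names
// and the exact ignore/ignoreMorespecifics semantics are assumptions.

function ipv4ToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

// True when IPv4 `prefix` ("172.111.69.96/27") contains `candidate` (same or
// more specific). IPv6 is left out to keep the example short.
function covers(prefix, candidate) {
  const [pIp, pLen] = prefix.split("/");
  const [cIp, cLen] = candidate.split("/");
  if (Number(cLen) < Number(pLen)) return false;
  const mask = Number(pLen) === 0 ? 0 : (0xffffffff << (32 - Number(pLen))) >>> 0;
  return ((ipv4ToInt(pIp) & mask) >>> 0) === ((ipv4ToInt(cIp) & mask) >>> 0);
}

// prefixesConfig mirrors prefixes.yml; monitorASns mirrors options.monitorASns.
// Returns the misconfiguration message monitorAS would emit, or null if silent.
function checkAnnouncement(prefixesConfig, monitorASns, announcedPrefix, originAsn) {
  if (!(String(originAsn) in monitorASns)) return null; // origin AS not monitored
  for (const [prefix, rule] of Object.entries(prefixesConfig)) {
    const exact = prefix === announcedPrefix;
    if (!exact && !covers(prefix, announcedPrefix)) continue;
    // Assumed reading of the docs: ignore excludes the prefix itself,
    // ignoreMorespecifics excludes its more specifics; either way no message.
    if (rule.ignore || (!exact && rule.ignoreMorespecifics)) return null;
    if (rule.asn.includes(originAsn)) return null; // announcement is configured
  }
  return `AS${originAsn} is announcing ${announcedPrefix} but this prefix is not in the configured list of announced prefixes`;
}

// Constructed sample mirroring the report's prefixes.yml plus one monitored prefix.
const samplePrefixes = {
  "172.111.69.96/27": { asn: [65001], description: "example prefix", ignore: true, ignoreMorespecifics: true },
  "23.235.32.0/24": { asn: [54113], description: "configured prefix", ignore: false, ignoreMorespecifics: false },
};
const sampleMonitorASns = { "65001": { group: "default" }, "54113": { group: "default" } };

console.log(checkAnnouncement(samplePrefixes, sampleMonitorASns, "172.111.69.96/27", 65001)); // null: ignored, silent
console.log(checkAnnouncement(samplePrefixes, sampleMonitorASns, "23.235.36.0/24", 54113)); // message: unconfigured prefix
```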

Hot reloading of configuration

Describe what you would like to achieve
Currently the configuration is only read on startup; changing the monitored prefixes requires restarting the instance.

In an environment which has many prefix monitors, the configuration of which changes in a relatively dynamic manner, this requires restarting the process at a very regular (hourly/daily) interval.

Describe why the current solution (if any) is not satisfactory

  1. During the process restart any RIS messages are lost, potentially causing missed messages
  2. alertOnlyOnce only applies during the single run, causing messages to re-trigger at the restart interval
  3. notificationIntervalSeconds only applies during the single run, causing messages to re-trigger at the smaller of notificationIntervalSeconds and the restart interval

Provide an example
Start the instance with a prefixes.yml;

23.235.32.0/24:
    asn: [54113]
    description:  example prefix 1
    ignore: false
    ignoreMorespecifics: false

Once running update prefixes.yml;

23.235.32.0/24:
    asn: [54113]
    description:  example prefix 2
    ignore: false
    ignoreMorespecifics: false

23.235.36.0/24:
    asn: [54113]
    description:  example more specific prefix
    ignore: false
    ignoreMorespecifics: false

No new prefixes will be subscribed to, any withdrawals, announcements etc will not be notified.

Your information
@DamianZaremba, Fastly / Infra Bits

BGPaleter update

Hi Massimo, I'm new here in BGPalerter and the BGP world :)
I have a question regarding BGPalerter updating: how does it work? Do I have to reconfigure everything from scratch when I go ahead with the update?
Thanks in advance

Feature request: add showPaths parameter to reportSlack

Getting match notifications into a Slack channel, but there is no actionable information with the AS_PATH of a triggered match (even though I am running BGPalerter with the 'environment: development' setting, expecting more verbosity).

add support for prefix list as input to 'generate' command

Currently you can provide an ASN (-a) as input to the generate command to generate the list of prefixes to monitor.

It would be nice to support an input file (-p) containing one prefix per line that generates the prefixes.yml output file.
It must be an input file (not a parameter like -e) since the list of prefixes would be too long to be passed in on the command line.

The ASN would be determined by:

  • RPKI ROA
  • if there is no ROA use IRR
  • if there is no ROA or IRR entry: use currently announcing ASN as per RIPEstat

prefixes.yml

If prefixes.yml is read-only or created and owned by a different owner, then this error is thrown:

Error: EACCES: permission denied, open 'prefixes.yml'

This is because the file can be written back under some conditions. See https://github.com/nttgin/BGPalerter/blob/master/inputs/inputYml.js#L58

$ ls -l prefixes.yml 
-r--r--r--  1 martin  staff  289 Oct 17 02:58 prefixes.yml
$
$ ./bgpalerter-macos-x64 
pkg/prelude/bootstrap.js:1185
      throw error;
      ^

Error: EACCES: permission denied, open 'prefixes.yml'
    at Object.openSync (fs.js:438:3)
    at Object.fs.openSync (pkg/prelude/bootstrap.js:490:32)
    at Object.writeFileSync (fs.js:1189:35)
    at _loop (/snapshot/build/inputs/inputYml.js:161:26)
    at new InputYml (/snapshot/build/inputs/inputYml.js:193:9)
    at Object.<anonymous> (/snapshot/build/env.js:200:13)
    at Module._compile (pkg/prelude/bootstrap.js:1261:22)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:710:10)
    at Module.load (internal/modules/cjs/loader.js:598:32)
    at tryModuleLoad (internal/modules/cjs/loader.js:537:12)
$ 

Include RRC identifiers when detecting withdrawals

Currently a withdrawal log entry looks like this:

The prefix 2a03:e600:100::/48 (ipv6) has been withdrawn. It is no longer visible from 12 peers.

It does not include any information about where the withdrawals have been observed.

It would be useful for diagnostics to include that information.
It could look something like this:

The prefix 2a03:e600:100::/48 (ipv6) has been withdrawn. It is no longer visible from 12 peers: RRCXX (9), RRCYY (3)

Add tests covering ignored prefixes

Describe what you would like to achieve
The tests should validate that an ignored (per the config) prefix is not having messages generated about it and thus is actually being ignored, rather than alerted upon.

Related issue: #100

Describe why the current solution (if any) is not satisfactory
Currently there are a number of tests that assert expected messages are generated from the relevant monitors.

It is possible to have additional tests, not existing in the expectedData, which are never 'seen' by the current test logic.

Provide an example
On current master (pre #100), add an example update for an ignored prefix to the misconfiguration data in connectorTest.js;

{
    data: {
        announcements: [{
            prefixes: ["2a0e:240::/32"],
            next_hop: "124.0.0.3"
        }],
        peer: "124.0.0.4",
        path: [1, 2, 3, 4321, 5060, 3333]
    },
    type: "ris_message"
},
{
    data: {
        announcements: [{
            prefixes: ["2a0e:240::/32"],
            next_hop: "124.0.0.5"
        }],
        peer: "124.0.0.6",
        path: [1, 2, 3, 4321, 5060, 3333]
    },
    type: "ris_message"
}

The test receives 2 messages (1 incorrect);

{
  id: '2914',
  origin: 'asn-monitor',
  earliest: 1576436988706,
  latest: 1576436988707,
  affected: 2914,
  message: 'AS2914 is announcing 2.2.2.3/22 but this prefix is not in the configured list of announced prefixes',
  data: [
    {
      extra: {},
      matchedRule: [Object],
      matchedMessage: [Object],
      timestamp: 1576436988706
    },
    {
      extra: {},
      matchedRule: [Object],
      matchedMessage: [Object],
      timestamp: 1576436988707
    },
    {
      extra: {},
      matchedRule: [Object],
      matchedMessage: [Object],
      timestamp: 1576436988707
    }
  ]
}
{
  id: '3333',
  origin: 'asn-monitor',
  earliest: 1576436988707,
  latest: 1576436988708,
  affected: 3333,
  message: 'AS3333 is announcing 2a0e:240::/32 but this prefix is not in the configured list of announced prefixes',
  data: [
    {
      extra: {},
      matchedRule: [Object],
      matchedMessage: [Object],
      timestamp: 1576436988707
    },
    {
      extra: {},
      matchedRule: [Object],
      matchedMessage: [Object],
      timestamp: 1576436988708
    }
  ]
}

And asserts 1 message;

  Alerting
    ✓ asn monitoring reporting (1013ms)

The second (incorrect) message should either be asserted to not exist (explicit ignore check), or the number of messages should match the length of the expected data (implicit, no additional messages check).
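Both checks the issue proposes, as an added example that is not part of BGPalerter's test suite: an implicit check that the received messages match the expected data exactly (no extra messages), and an explicit check that nothing was alerted about an ignored prefix. The message shape follows the output quoted above; function names are assumptions and the sample messages are constructed.

```javascript
// Added example, not BGPalerter's own test code. It compares what a monitor
// produced with the expected test data and flags any extra message, so an
// alert about an ignored prefix fails the test instead of slipping by unseen.

function messageKey(m) {
  return `${m.origin}|${m.affected}|${m.message}`;
}

// expected and received: arrays of {origin, affected, message}.
// Returns {missing, unexpected, ok}; ok is true only when both lists are empty,
// which is the implicit "number of messages matches expected data" check.
function compareAlerts(expected, received) {
  const want = new Map(expected.map((e) => [messageKey(e), e]));
  const got = new Map(received.map((r) => [messageKey(r), r]));
  const missing = [...want.keys()].filter((k) => !got.has(k));
  const unexpected = [...got.keys()].filter((k) => !want.has(k));
  return { missing, unexpected, ok: missing.length === 0 && unexpected.length === 0 };
}

// Explicit ignore check: returns every received message that mentions a prefix
// configured with ignore: true. An empty result is the expected outcome.
function alertsOnIgnoredPrefixes(received, ignoredPrefixes) {
  return received.filter((r) => ignoredPrefixes.some((p) => r.message.includes(p)));
}

// Constructed sample mirroring the two messages quoted in the issue: the first
// is expected, the second is the alert about the ignored prefix 2a0e:240::/32.
const sampleReceived = [
  { origin: "asn-monitor", affected: 2914, message: "AS2914 is announcing 2.2.2.3/22 but this prefix is not in the configured list of announced prefixes" },
  { origin: "asn-monitor", affected: 3333, message: "AS3333 is announcing 2a0e:240::/32 but this prefix is not in the configured list of announced prefixes" },
];
const sampleExpected = [sampleReceived[0]];

console.log(compareAlerts(sampleExpected, sampleReceived)); // ok: false, one unexpected message
console.log(alertsOnIgnoredPrefixes(sampleReceived, ["2a0e:240::/32"]).length); // 1
```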

Error: self signed certificate

Does that mean that RIS Live is running on a self-signed cert some of the time?

2019-11-07T23:17:58.698Z [production] error: Error: self signed certificate
2019-11-07T23:31:59.306Z [production] error: Error: self signed certificate
2019-11-08T01:31:58.532Z [production] error: Error: self signed certificate
2019-11-08T03:43:58.291Z [production] error: Error: self signed certificate
2019-11-08T04:51:01.278Z [production] error: Error: self signed certificate
2019-11-08T05:44:00.500Z [production] error: Error: self signed certificate
2019-11-08T06:51:00.387Z [production] error: Error: self signed certificate
2019-11-08T08:06:00.649Z [production] error: Error: self signed certificate
2019-11-08T08:50:59.587Z [production] error: Error: self signed certificate
2019-11-08T10:05:59.818Z [production] error: Error: self signed certificate
2019-11-08T11:54:59.981Z [production] error: Error: self signed certificate
2019-11-08T12:06:00.437Z [production] error: Error: self signed certificate
2019-11-08T14:05:59.570Z [production] error: Error: self signed certificate
2019-11-08T16:06:01.805Z [production] error: Error: self signed certificate
