
Filter excessively prepended BGP paths

By Ivan Pepelnjak

Short description

BGP AS-path prepending is commonly used to influence BGP path selection in
upstream autonomous systems, forcing the upstream networks to use one of the
advertised paths as a primary path and another one as a backup path based on the
AS path length.

Excessive AS-path prepending (more than five or six copies of the same AS in the
AS-path) very rarely solves the path selection issues, pollutes the BGP routing
tables and adversely impacts routers throughout the Internet. As an ISP cannot rely
on its customers' ability to advertise acceptable BGP prefixes, AS-path access lists
should be used to filter inbound BGP updates and drop excessively prepended
prefixes.

Solution

Use the following statement in an AS-path access list to block all AS-paths where
the same AS number appears more than five times consecutively (change the
number of _\1_ expressions to tailor the filter to your needs).

ip as-path access-list 100 deny _([0-9]+)_\1_\1_\1_\1_

Short explanation

The \1 Cisco IOS regular expression pattern allows you to match a previously
matched string. This pattern can be used to match prepended AS-paths.

Contents

1 Detailed description

2 Test bed

3 Test results

4 Initial configurations

5 Final router configuration

Detailed description
The following features of Cisco IOS regular expressions were used in this solution:

The [0-9] pattern matches any digit.

The [0-9]+ pattern matches a sequence of digits.

The _[0-9]+_ pattern matches a complete number (the _ characters match separators,
including beginning or end of string).

The _([0-9]+)_ pattern matches a complete number and saves it for further reference.

The \1 pattern matches a previously saved match.

The regular expression _([0-9]+)_\1_\1_\1_\1_ therefore matches any AS path where a single AS
number appears five or more times in a sequence.
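As an added example (not part of the original article), the following Python script emulates show ip bgp regexp on the test-bed AS paths: it builds the pattern just described for any number of repeats, applies the deny/permit access-list logic, and reports the longest run of an identical ASN so a threshold can be chosen before it is committed to a filter-list. Assumptions: the IOS _ delimiter is expanded to start/end of string, space, comma, braces and parentheses, and the last sample path is constructed.

```python
import re

# Assumed expansion of the IOS "_" delimiter for Python's re: start/end of
# string, space, comma, braces or parentheses (the separators Cisco documents).
_DELIM = r"(?:^|[ ,{}()]|$)"

def ios_prepend_regex(repeats: int) -> str:
    r"""IOS regex for one ASN appearing `repeats` or more times in a row:
    repeats=5 gives the article's _([0-9]+)_\1_\1_\1_\1_; change `repeats`
    instead of hand-editing the number of _\1 terms."""
    if repeats < 2:
        raise ValueError("repeats must be >= 2")
    return "_([0-9]+)" + r"_\1" * (repeats - 1) + "_"

def as_path_matches(as_path: str, ios_pattern: str) -> bool:
    """Emulate `show ip bgp regexp <ios_pattern>` on one AS_PATH string."""
    return re.search(ios_pattern.replace("_", _DELIM), as_path) is not None

def longest_prepend_run(as_path: str) -> int:
    """Longest run of an identical ASN in the path (1 means no prepending)."""
    longest, run, prev = 0, 0, None
    for asn in as_path.split():
        run = run + 1 if asn == prev else 1
        prev, longest = asn, max(longest, run)
    return longest

# Constructed sample: the six AS paths of the test bed above plus one path
# with a single 5-digit ASN, which the delimiters keep from matching.
SAMPLE_PATHS = [
    "65000 1 2 3 4",
    "65000 1 2 2 3 4",
    "65000 1 2 3 3 3 4",
    "65000 1 2 3 4 4 4 4",
    "65000 1 2 2 2 2 2 3 4",
    "65000 1 1 1 1 1 1 2 3 4",
    "65000 11111 2 3 4",
]

def filter_list_decisions(paths, repeats=5):
    """Apply the two-line access-list (deny the prepend pattern, permit .*)
    and return {as_path: "deny" | "permit"}."""
    deny = ios_prepend_regex(repeats)
    return {p: "deny" if as_path_matches(p, deny) else "permit" for p in paths}

if __name__ == "__main__":
    for path, verdict in filter_list_decisions(SAMPLE_PATHS).items():
        print(f"{verdict:6} run={longest_prepend_run(path)}  {path}")
```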

Test bed
A simple test network was set up using a single Cisco IOS router (10.17.0.1) and a Linux host
(10.17.0.2) running Quagga BGP daemon (see the Initial configurations section for details). The
Quagga BGP daemon advertised numerous BGP routes with various lengths of prepended AS
paths to the Cisco IOS router (note that prepending happens at various points in the AS path, not
just at the beginning of it).
Rtr#show ip bgp | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.2.1.0/24      10.17.0.2                0             0 65000 1 2 3 4 i
*> 10.2.2.0/24      10.17.0.2                0             0 65000 1 2 2 3 4 i
*> 10.2.3.0/24      10.17.0.2                0             0 65000 1 2 3 3 3 4 i
*> 10.2.4.0/24      10.17.0.2                0             0 65000 1 2 3 4 4 4 4 i
*> 10.2.5.0/24      10.17.0.2                0             0 65000 1 2 2 2 2 2 3 4 i
*> 10.2.6.0/24      10.17.0.2                0             0 65000 1 1 1 1 1 1 2 3 4 i

Test results
You can use the show ip bgp regexp command to test a regular expression on the actual data
stored in the BGP table. When used on the test router, the regular expression matched all IP
prefixes where a single AS number was prepended four or more times, verifying the correctness
of the regular expression.
The show ip bgp quote-regexp command was used to combine the regexp match with additional
show filters.
R2#show ip bgp quote-regexp "_([0-9]+)_\1_\1_\1_\1_" | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.2.5.0/24      10.17.0.2                0             0 65000 1 2 2 2 2 2 3 4 i
*> 10.2.6.0/24      10.17.0.2                0             0 65000 1 1 1 1 1 1 2 3 4 i

The following changes were made to the router configuration to filter excessively prepended
BGP prefixes:

router bgp 65100
 neighbor 10.17.0.2 filter-list 100 in
!
ip as-path access-list 100 deny _([0-9]+)_\1_\1_\1_\1_
ip as-path access-list 100 permit .*

After a soft reset of the BGP session, the printout of the resulting BGP table verified that the
router has filtered all inbound BGP updates with excessively prepended AS paths.
Final BGP table on the router
R2#show ip bgp | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*> 10.2.1.0/24      10.17.0.2                0             0 65000 1 2 3 4 i
*> 10.2.2.0/24      10.17.0.2                0             0 65000 1 2 2 3 4 i
*> 10.2.3.0/24      10.17.0.2                0             0 65000 1 2 3 3 3 4 i
*> 10.2.4.0/24      10.17.0.2                0             0 65000 1 2 3 4 4 4 4 i

Initial configurations
Router configuration
hostname Rtr
!
ip cef
!
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
!
interface FastEthernet0/0
 ip address 10.17.0.1 255.255.255.0
!
router bgp 65100
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.17.0.2 remote-as 65000
 no auto-summary
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
!
ntp logging
end

BGP daemon configuration

hostname BGP_prepend
!
router bgp 65000
 bgp router-id 10.17.0.2
 network 10.2.1.0/24 route-map P1
 network 10.2.2.0/24 route-map P2
 network 10.2.3.0/24 route-map P3
 network 10.2.4.0/24 route-map P4
 network 10.2.5.0/24 route-map P5
 network 10.2.6.0/24 route-map P6
 neighbor 10.17.0.1 remote-as 65100
!
route-map P1 permit 10
 set as-path prepend 1 2 3 4
!
route-map P2 permit 10
 set as-path prepend 1 2 2 3 4
!
route-map P3 permit 10
 set as-path prepend 1 2 3 3 3 4
!
route-map P4 permit 10
 set as-path prepend 1 2 3 4 4 4 4
!
route-map P5 permit 10
 set as-path prepend 1 2 2 2 2 2 3 4
!
route-map P6 permit 10
 set as-path prepend 1 1 1 1 1 1 2 3 4
!
line vty
 no login

Final router configuration


hostname R2
!
ip cef
!
interface Loopback0
 ip address 10.0.1.2 255.255.255.255
!
interface FastEthernet0/1
 ip address 10.17.0.1 255.255.255.0
 speed auto
 duplex auto
!
router bgp 65100
 no synchronization
 bgp log-neighbor-changes
 neighbor 10.17.0.2 remote-as 65000
 neighbor 10.17.0.2 filter-list 100 in
 no auto-summary
!
ip classless
!
ip as-path access-list 100 deny _([0-9]+)_\1_\1_\1_\1_
ip as-path access-list 100 permit .*
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
 transport preferred none
 stopbits 1
!
ntp logging

http://wiki.nil.com/Filter_excessively_prepended_BGP_paths
Matching on ^ASPath_ASPath$ Prepending information.
Posted on 22/10/2008 by vcappuccio

Suppose you want to find all routes that have the same AS number in a row 8 or more times.
Is this possible using regexp? Yes you can :) using this regular expression:

^([0-9]+)(_\1)*$

With a regular expression we can match the prepending performed in a neighboring or
originating AS.
R1(config-router)#do show ip bgp reg ^([0-9]+)(_\1)*$
BGP table version is 3, local router ID is 172.22.81.1
Status codes: s suppressed, d damped, h history, * valid, > best, i internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 2.2.2.0/24       172.22.142.2             0             0 2 2 2 2 2 2 2 2 2 ?

AS prepending means for me, in simple terms, a multiplication of the directly connected AS number.


R6(config)#do show ip bgp | b Net
   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       172.22.83.1                            0 4321 4321 4321 ?
*> 3.3.3.3/32       172.22.83.1              0             0 4321 400 400 400 400 400 ?
*> 33.33.0.0/16     172.22.83.1                            0 4321 100 100 100 100 100 ?

R6(config)#do show ip bgp regex ^([0-9]+)(_\1)*$| b Net
BGP table version is 87, local router ID is 172.217.43.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.1.1.1/32       172.22.83.1                            0 4321 4321 4321 ?

In the expression

^([0-9]+)(_\1)*$

the first parenthesis matches any AS number and stores the value of the matched AS number;
that value is then called by the second part of the regular expression, where the variable \1
holds the stored result, repeated zero or more times, and the $ matches the end of the string.

If you are looking for more information, here is a nice article written by Brian McGahan about
Understanding BGP Regular Expressions:

http://anetworkerblog.com/2008/10/22/as-path-prepend/

Filtering BGP routes with regular expressions

Hi everybody!
What regular expression should be used to display only BGP routes on which as path prepending
was done, say, more than 20 times (by the same AS)?
The question was born after reading the article: http://www.renesys.com/blog/2009/02/longer-isnot-better.shtml.
The task is to find whether there are such suspicious internet routes, on which some ISP executed
as-path prepending procedure unusually many times.

I thought that _([0-9]+)(_\1){20,} would work (repeat delimiter and backreference 20 or more
times), but public route server @ Optus, Australia, said otherwise:

*********************************************************************************

route-views.optus.net.au>sh ip bgp reg _([0-9]+)(_\1){3,}

route-views.optus.net.au>

*********************************************************************************

- actually, nothing. That is, even at least triple prepending is not discovered, although the standard expression
_([0-9]+)(_\1)+ works fine:

*********************************************************************************
route-views.optus.net.au>sh ip bgp reg _([0-9]+)(_\1)+
BGP table version is 150012938, local router ID is 203.202.125.6
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, m multipath, b backup-path, x best-external
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 1.0.4.0/22       202.160.242.71                         0 7473 6453 7545 7545 7545 56203 i
                    203.13.132.49           20             0 7474 7545 7545 7545 7545 7545 56203 i
                    203.13.132.47           10             0 7474 7545 7545 7545 7545 7545 56203 i
                    202.139.124.175                        0 7474 7545 7545 7545 7545 7545 56203 i
                    202.139.124.145         10             0 7474 7545 7545 7545 7545 7545 56203 i
                    202.139.124.130         20             0 7474 7545 7545 7545 7545 7545 56203 i
                    202.139.124.159                        0 7474 7545 7545 7545 7545 7545 56203 i
                    203.13.132.51                          0 7474 7545 7545 7545 7545 7545 56203 i
                    202.139.124.177                        0 7474 7545 7545 7545 7545 7545 56203 i
                    192.65.89.98            20             0 7474 7545 7545 7545 7545 7545 56203 i
                    192.65.89.161                          0 7474 7545 7545 7545 7545 7545 56203 i
*************************************************************************************

Help, please!

Best regards, Eugene Smirnov. CCSI #32361


Correct Answer by Hans on Mar 1, 2013 7:00 AM

Hi Eugene,

I was sure that I had tested that regex before posting it, so I had to go back and look. When I use
the regex (_[0-9]+)\1\1\1\1, this will display routes with an AS-PATH that have AT LEAST 5
ASNs in a row; it will also show 6, 7, 8, 9..... The regex that you have listed above,
_([0-9]+)\1\1\1\1, does not repeat the delimiter match, _. So, what your regex is actually matching is
AS paths that include ASNs with 5 digits. Try again and put the underscore inside the
parenthesis.

http://www.ciscopress.com/articles/article.asp?p=169556
http://networklessons.com/bgp/bgp-regular-expressions-examples/
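As an added example (not from either participant in this thread or from the blog post above), the script below puts the patterns discussed on this page side by side on Python's re: the blog's ^([0-9]+)(_\1)*$, the thread's _([0-9]+)(_\1)+, the undelimited _([0-9]+)\1\1\1\1, Hans's (_[0-9]+)\1\1\1\1 and the article's _([0-9]+)_\1_\1_\1_\1_. It also probes two edge cases, a run that starts at the very beginning of the path and a lone 5-digit ASN. Assumptions: the expansion of the IOS _ delimiter and the sample paths are constructed, and IOS regular expressions have no {n,m} interval multiplier, which is why the {3,} form returns nothing; since Python's engine is not the IOS one, confirm any difference on the router with show ip bgp regexp.

```python
import re

# Assumed expansion of the IOS "_" delimiter for Python's re: start/end of
# string, space, comma, braces or parentheses.
_DELIM = r"(?:^|[ ,{}()]|$)"

def ios_search(ios_pattern: str, as_path: str) -> bool:
    """True if the IOS-style AS-path regex matches this AS_PATH string."""
    return re.search(ios_pattern.replace("_", _DELIM), as_path) is not None

# The patterns quoted in the blog post and the forum thread above.
PATTERNS = {
    "whole_path_one_asn": r"^([0-9]+)(_\1)*$",    # blog: path is one ASN repeated
    "any_repeat":         r"_([0-9]+)(_\1)+",     # forum: the form that worked
    "no_delimiter":       r"_([0-9]+)\1\1\1\1",   # forum: no "_" between the \1s
    "delim_in_group":     r"(_[0-9]+)\1\1\1\1",   # Hans: "_" inside the group
    "article_filter":     r"_([0-9]+)_\1_\1_\1_\1_",
}

# Constructed sample paths: the route-views and R6 paths quoted above plus
# two edge cases, a 5-run that starts the path and a lone 5-digit ASN.
PATHS = [
    "7473 6453 7545 7545 7545 56203",
    "7474 7545 7545 7545 7545 7545 56203",
    "4321 4321 4321",
    "4321 400 400 400 400 400",
    "7545 7545 7545 7545 7545 56203",  # run at position 0: no leading "_" char
    "4321 11111 200",                   # no prepending at all
]

def match_table(patterns=PATTERNS, paths=PATHS):
    r"""Return {pattern_name: [True/False per path]} for side-by-side review.
    With Python's re, "no_delimiter" hits "11111" because \1 repeats a one-digit
    capture inside a single ASN, and "delim_in_group" misses the run at
    position 0 because the captured text there has no leading space to repeat."""
    return {name: [ios_search(p, path) for path in paths]
            for name, p in patterns.items()}

if __name__ == "__main__":
    for name, hits in match_table().items():
        print(f"{name:20}", " ".join("X" if h else "." for h in hits))
```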
