introduced TA healh check

2024-05-19 06:50:08 +00:00 · 2021-05-23 15:48:57 +02:00
parent f63398cb54
commit 6fd2b8318f
4 changed files with 98 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -9,7 +9,8 @@ Self-configuring BGP monitoring tool, which allows you to monitor in **real-time
 * your AS is announcing RPKI invalid prefixes (e.g., not matching prefix length);
 * your AS is announcing prefixes not covered by ROAs;
 * any of your ROAs is expiring;
-* ROAs covering your prefixes are no longer reachable (e.g., TA malfunction);
+* ROAs covering your prefixes are no longer reachable;
+* RPKI Trust Anchors malfunctions;
 * a ROA involving any of your prefixes or ASes was deleted/added/edited;
 * your AS is announcing a new prefix that was never announced before;
 * an unexpected upstream (left-side) AS appears in an AS path;
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -331,7 +331,8 @@ Parameters for this monitor module:

 #### monitorROAS

-This monitor will periodically check and report diffs in ROAs repos involving any of your ASes or prefixes.
+This monitor will periodically check the ROAs involving any of your ASes or prefixes.
+In particular, it will report about: ROAs involving your resources being edited, added or removed; expiring ROAs; TA malfunctions.
 You need to configure your RPKI data source as described [here](rpki.md).
 Note, while BGPalerter will perform the check near real time, many RIRs have delayed ROAs publication times.

@@ -358,8 +359,12 @@ Note, while BGPalerter will perform the check near real time, many RIRs have del

 **Important 2:** prefix matching rules have always priorities on `monitorASns` rules. If an alert matches both a prefix rule and an AS rule, it will be sent only to the prefix rule, except if the `checkOnlyAsns` params is set to true (see parameters below). In the example above, a ROA change impacting `1.2.3.4/24` is only sent to the user group `noc1` and not to `noc2`; whatever other ROA change impacting a prefix not in the list (no prefix matching rule) will be sent to `noc2` instead.

+**Important 3:** alerts about the generic health status of TAs are generated according to the provided VRP file. This types of alerts are not necessarily related to the monitored resources and they are send to the `default` user group.
+
 Example of alerts:
 > ROAs change detected: removed <1.2.3.4/24, 1234, 25, apnic>; added <5.5.3.4/24, 1234, 25, apnic>
+> 
+> Possible TA malfunction: 24% of the ROAs disappeared from APNIC

 **This monitor also alerts about ROAs expiration.**

@@ -375,6 +380,9 @@ The field `expire` must be the closest expiration time of all of the above.

 Example of alerts:
 > The following ROAs will expire in less than 2 hours: <1.2.3.4/24, 1234, 25, apnic>; <5.5.3.4/24, 1234, 25, apnic>
+> 
+> Possible TA malfunction: 24% of the ROAs are expiring in APNIC
+

 Parameters for this monitor module:

@@ -382,10 +390,12 @@ Parameters for this monitor module:
 |---|---|
 |enableDiffAlerts| Enables alerts showing edits impacting ROAs for the monitored resources. Default true|
 |enableExpirationAlerts| Enables alerts about expiring ROAs. Default true.|
+|enableExpirationCheckTA| Enables alerts about TA malfunctions detected when too many ROAs expire in the same TA. Default true.|
+|enableDeletedCheckTA| Enables alerts about TA malfunctions detected when too many ROAs are deleted in the same TA. Default true.|
 |roaExpirationAlertHours| If a ROA is expiring in less than this amount of hours, an alert will be triggered. The default is 2 hours. I strongly suggest to keep this value, ROAs are almost expiring every day, read above what this expiration time means. |
 |checkOnlyAsns| If set to true (default false), ROAs diff alerts will be generated based only on the ASns contained in the `monitorASns` of `prefixes.yml`. This means that no ROA diffs will be matched against prefix matching rules (see example above). |
-
-
+|toleranceExpiredRoasTA|The percentage of expiring ROAs in a single TA tolerated before triggering a TA malfunction alert. Default 20.|
+|toleranceDeletedRoasTA|The percentage of deleted ROAs in a single TA tolerated before triggering a TA malfunction alert. Default 20.|

 #### monitorPathNeighbors

--- a/src/config/config.js
+++ b/src/config/config.js
@@ -80,8 +80,12 @@ export default class Config {
                    params: {
                        enableDiffAlerts: true,
                        enableExpirationAlerts: true,
+                        enableExpirationCheckTA: true,
+                        enableDeletedCheckTA: true,
                        roaExpirationAlertHours: 2,
-                        checkOnlyAsns: false
+                        checkOnlyAsns: false,
+                        toleranceDeletedRoasTA: 20,
+                        toleranceExpiredRoasTA: 20,
                    }
                },
                {
--- a/src/monitors/monitorROAS.js
+++ b/src/monitors/monitorROAS.js
@@ -11,10 +11,20 @@ export default class MonitorROAS extends Monitor {

        this.logger = env.logger;
        this.rpki = env.rpki;
-        this.roaExpirationAlertHours = params.roaExpirationAlertHours || 2;
-        this.checkOnlyAsns = params.checkOnlyAsns || false;
+
+        // Enabled checks
        this.enableDiffAlerts = params.enableDiffAlerts != null ? params.enableDiffAlerts : true;
        this.enableExpirationAlerts = params.enableExpirationAlerts != null ? params.enableExpirationAlerts : true;
+        this.enableExpirationCheckTA = params.enableExpirationCheckTA != null ? params.enableExpirationCheckTA : true;
+        this.enableDeletedCheckTA = params.enableDeletedCheckTA != null ? params.enableDeletedCheckTA : true;
+
+        // Default parameters
+        this.roaExpirationAlertHours = params.roaExpirationAlertHours || 2;
+        this.checkOnlyAsns = params.checkOnlyAsns || false;
+        this.toleranceExpiredRoasTA = params.toleranceExpiredRoasTA || 20;
+        this.toleranceDeletedRoasTA = params.toleranceDeletedRoasTA || 20;
+        this.timesExpirationTAs = {};
+        this.timesDeletedTAs = {};

        if (this.enableDiffAlerts) {
            setInterval(this._diffVrps, 20000);
@@ -24,11 +34,72 @@ export default class MonitorROAS extends Monitor {
        }
    };

+    _calculateSizes = (vrps) => {
+        const times = {};
+
+        for (let vrp of vrps) {
+            times[vrp.ta] = times[vrp.ta] || 0;
+            times[vrp.ta]++
+        }
+
+        return times;
+    };
+
+    _checkDeletedRoasTAs = (vrps) => {
+        const sizes =  this._calculateSizes(vrps);
+
+        for (let ta in sizes) {
+            if (this.timesDeletedTAs[ta]) {
+                const min = Math.min(this.timesDeletedTAs[ta], sizes[ta]);
+                const max = Math.min(this.timesDeletedTAs[ta], sizes[ta]);
+                const diff = max - min;
+                const percentage = 100 / max * diff;
+
+                if (percentage > this.toleranceDeletedRoasTA) {
+                    const message = `Possible TA malfunction: ${percentage.toFixed(2)}% of the ROAs disappeared from ${ta}`;
+
+                    this.publishAlert(`disappeared-${ta}`, // The hash will prevent alert duplications in case multiple ASes/prefixes are involved
+                        ta,
+                        { group: "default" },
+                        message,
+                        {});
+                }
+            }
+        }
+        this.timesDeletedTAs = sizes;
+    };
+
+    _checkExpirationTAs = (vrps) => {
+        const sizes =  this._calculateSizes(vrps);
+
+        for (let ta in sizes) {
+            if (this.timesExpirationTAs[ta]) {
+                const min = Math.min(this.timesExpirationTAs[ta], sizes[ta]);
+                const max = Math.min(this.timesExpirationTAs[ta], sizes[ta]);
+                const diff = max - min;
+                const percentage = 100 / max * diff;
+
+                if (percentage > this.toleranceExpiredRoasTA) {
+                    const message = `Possible TA malfunction: ${percentage.toFixed(2)}% of the ROAs are expiring in ${ta}`;
+
+                    this.publishAlert(`expiring-${ta}`, // The hash will prevent alert duplications in case multiple ASes/prefixes are involved
+                        ta,
+                        { group: "default" },
+                        message,
+                        {});
+                }
+            }
+        }
+        this.timesExpirationTAs = sizes;
+    };
+
    _verifyExpiration = () => {
        const vrps = this.rpki.getVrps()
            .filter(i => !!i.expires && (i.expires - moment.utc().unix()  < this.roaExpirationAlertHours * 3600));

-        // We can check here if too many vrps are expiring, maybe TA malfunction
+        if (this.enableExpirationCheckTA) {
+            this._checkExpirationTAs(vrps); // Check for TA malfunctions
+        }

        const prefixesIn = this.monitored.prefixes.map(i => i.prefix);
        const asnsIn = this.monitored.asns.map(i => i.asn.getValue());
@@ -100,6 +171,10 @@ export default class MonitorROAS extends Monitor {
    _diffVrps = () => {
        const newVrps = this.rpki.getVrps(); // Get all the vrps as retrieved from the rpki validator

+        if (this.enableDeletedCheckTA) {
+            this._checkDeletedRoasTAs(newVrps); // Check for TA malfunctions for too many deleted roas
+        }
+
        if (this._oldVrps) { // No diff if there were no vrps before
            const prefixesIn = this.monitored.prefixes.map(i => i.prefix);
            const asns = this.monitored.asns.map(i => i.asn.getValue());