{ "annotations": { "list": [ { "builtIn": 1, "datasource": { "type": "datasource", "uid": "grafana" }, "enable": true, "hide": true, "iconColor": "rgba(0, 211, 255, 1)", "name": "Annotations & Alerts", "type": "dashboard" } ] }, "description": "AS path length distribution and analysis. Teaches how BGP AS paths reflect internet topology and how to detect anomalies like route leaks or AS path prepending.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 1, "id": null, "links": [ { "asDropdown": true, "icon": "external link", "includeVars": true, "keepTime": true, "tags": [ "obmp-nav" ], "title": "OBMP Dashboards", "type": "dashboards" } ], "panels": [ { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "description": "Learn: Internet routes typically have 2-5 hops. A /32 or /24 appearing with only 1-hop AS path from an unexpected ASN is a classic hijack indicator. Routes with 10+ hops may indicate prepending.", "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "fillOpacity": 80, "gradientMode": "none", "lineWidth": 0 }, "unit": "short" } }, "gridPos": { "h": 10, "w": 12, "x": 0, "y": 0 }, "id": 1, "options": { "barRadius": 0, "barWidth": 0.7, "groupWidth": 0.7, "legend": { "calcs": [], "displayMode": "list", "placement": "bottom" }, "orientation": "auto", "tooltip": { "mode": "single" }, "xTickLabelRotation": 0, "xTickLabelSpacing": 200 }, "targets": [ { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "format": "table", "rawSql": "SELECT\n ba.as_path_count AS \"AS Path Length (hops)\",\n COUNT(*) AS \"Prefix Count\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false\n AND r.isipv4 = true\n AND ba.as_path_count > 0\nGROUP BY ba.as_path_count\nORDER BY ba.as_path_count", "refId": "A" } ], "title": "AS Path Length Distribution (Active IPv4 Routes)", "type": "barchart" }, { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "description": "Learn: Average AS path length on the internet is ~4-5 hops. Your lab has shorter paths since ExaBGP is a single eBGP hop away.", "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "yellow", "value": 5 }, { "color": "red", "value": 8 } ] }, "unit": "short", "decimals": 1 } }, "gridPos": { "h": 5, "w": 6, "x": 12, "y": 0 }, "id": 2, "options": { "colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "text": {} }, "targets": [ { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "format": "time_series", "rawSql": "SELECT NOW() AS time,\n ROUND(AVG(ba.as_path_count)::numeric, 1) AS \"Avg AS Path Length\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false AND r.isipv4 = true AND ba.as_path_count > 0", "refId": "A" } ], "title": "Average AS Path Length", "type": "stat" }, { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "description": "Learn: Routes with only 1-hop AS path are directly connected or possibly hijacked. In your lab, ExaBGP injects routes starting with AS 65100.", "fieldConfig": { "defaults": { "color": { "mode": "thresholds" }, "thresholds": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "yellow", "value": 5 }, { "color": "red", "value": 20 } ] }, "unit": "short" } }, "gridPos": { "h": 5, "w": 6, "x": 18, "y": 0 }, "id": 3, "options": { "colorMode": "value", "graphMode": "none", "justifyMode": "auto", "orientation": "auto", "reduceOptions": { "calcs": [ "lastNotNull" ], "fields": "", "values": false }, "text": {} }, "targets": [ { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "format": "time_series", "rawSql": "SELECT NOW() AS time,\n COUNT(*) AS \"Direct (1-hop) Routes\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false AND r.isipv4 = true AND ba.as_path_count = 1", "refId": "A" } ], "title": "1-Hop Routes (Direct/Possible Hijack)", "type": "stat" }, { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "description": "Learn: The longest paths reveal the most AS-level hops in your network. AS path prepending intentionally lengthens paths to make a route less preferred.", "fieldConfig": { "defaults": { "custom": { "align": "auto", "displayMode": "auto" } }, "overrides": [ { "matcher": { "id": "byName", "options": "AS Path Length" }, "properties": [ { "id": "custom.displayMode", "value": "color-background" }, { "id": "thresholds", "value": { "mode": "absolute", "steps": [ { "color": "green", "value": null }, { "color": "yellow", "value": 5 }, { "color": "red", "value": 10 } ] } } ] }, { "matcher": { "id": "byName", "options": "AS Path" }, "properties": [ { "id": "custom.width", "value": 400 } ] } ] }, "gridPos": { "h": 10, "w": 24, "x": 0, "y": 10 }, "id": 4, "options": { "footer": { "fields": "", "reducer": [ "sum" ], "show": false }, "showHeader": true, "sortBy": [ { "desc": true, "displayName": "AS Path Length" } ] }, "targets": [ { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "format": "table", "rawSql": "SELECT\n r.prefix AS \"Prefix\",\n ba.as_path_count AS \"AS Path Length\",\n ba.as_path::text AS \"AS Path\",\n ba.origin_as AS \"Origin AS\",\n ba.next_hop AS \"Next Hop\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false AND r.isipv4 = true\nORDER BY ba.as_path_count DESC\nLIMIT 30", "refId": "A" } ], "title": "Longest AS Paths (Top 30)", "type": "table" }, { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "description": "Learn: Origin AS is the rightmost ASN in the AS path \u2014 the network that first originated the prefix. Most internet prefixes are originated by their owning organization.", "fieldConfig": { "defaults": { "custom": { "align": "auto", "displayMode": "auto" } }, "overrides": [ { "matcher": { "id": "byName", "options": "Route Count" }, "properties": [ { "id": "custom.displayMode", "value": "lcd-gauge" }, { "id": "custom.width", "value": 200 } ] } ] }, "gridPos": { "h": 12, "w": 12, "x": 0, "y": 20 }, "id": 5, "options": { "footer": { "fields": "", "reducer": [ "sum" ], "show": false }, "showHeader": true, "sortBy": [ { "desc": true, "displayName": "Route Count" } ] }, "targets": [ { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "format": "table", "rawSql": "SELECT\n ba.origin_as AS \"Origin AS\",\n COALESCE(ia.as_name, 'Unknown') AS \"AS Name\",\n COUNT(*) AS \"Route Count\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nLEFT JOIN info_asn ia ON ia.asn = ba.origin_as\nWHERE r.iswithdrawn = false AND r.isipv4 = true\nGROUP BY ba.origin_as, ia.as_name\nORDER BY COUNT(*) DESC\nLIMIT 20", "refId": "A" } ], "title": "Top Origin ASNs by Route Count", "type": "table" }, { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "description": "Learn: A transit AS (appearing frequently in AS paths but not as origin) is a carrier. The most frequent transit ASNs in your lab correspond to simulated Tier-1 carriers (174=Cogent, 3356=Lumen, 1299=Telia, etc.)", "fieldConfig": { "defaults": { "color": { "mode": "palette-classic" }, "custom": { "fillOpacity": 80, "lineWidth": 0 }, "unit": "short" } }, "gridPos": { "h": 12, "w": 12, "x": 12, "y": 20 }, "id": 6, "options": { "barRadius": 0, "barWidth": 0.7, "groupWidth": 0.7, "legend": { "calcs": [], "displayMode": "list", "placement": "bottom" }, "orientation": "horizontal", "tooltip": { "mode": "single" }, "xTickLabelRotation": 0, "xTickLabelSpacing": 200 }, "targets": [ { "datasource": { "type": "postgres", "uid": "obmp_postgres" }, "format": "table", "rawSql": "SELECT\n asn_val AS \"Transit ASN\",\n COUNT(*) AS \"Appearances in AS Paths\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nCROSS JOIN LATERAL unnest(ba.as_path) AS asn_val\nWHERE r.iswithdrawn = false AND asn_val != ba.origin_as\nGROUP BY asn_val\nORDER BY COUNT(*) DESC\nLIMIT 15", "refId": "A" } ], "title": "Most Common Transit ASNs", "type": "barchart" } ], "schemaVersion": 36, "style": "dark", "tags": [ "obmp", "bgp", "as-path", "topology", "obmp-nav" ], "time": { "from": "now-1h", "to": "now" }, "timepicker": {}, "timezone": "browser", "title": "AS Path Analysis", "uid": "obmp-learn-03", "version": 1 }