{ "annotations": {"list": [{"builtIn": 1,"datasource": {"type": "datasource","uid": "grafana"},"enable": true,"hide": true,"iconColor": "rgba(0, 211, 255, 1)","name": "Annotations & Alerts","type": "dashboard"}]}, "description": "AS path length distribution and analysis. Teaches how BGP AS paths reflect internet topology and how to detect anomalies like route leaks or AS path prepending.", "editable": true, "fiscalYearStartMonth": 0, "graphTooltip": 1, "id": null, "links": [], "panels": [ { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "description": "Learn: Internet routes typically have 2-5 hops. A /32 or /24 appearing with only 1-hop AS path from an unexpected ASN is a classic hijack indicator. Routes with 10+ hops may indicate prepending.", "fieldConfig": { "defaults": { "color": {"mode": "palette-classic"}, "custom": {"fillOpacity": 80,"gradientMode": "none","lineWidth": 0}, "unit": "short" } }, "gridPos": {"h": 10,"w": 12,"x": 0,"y": 0}, "id": 1, "options": {"barRadius": 0,"barWidth": 0.7,"groupWidth": 0.7,"legend": {"calcs": [],"displayMode": "list","placement": "bottom"},"orientation": "auto","tooltip": {"mode": "single"},"xTickLabelRotation": 0,"xTickLabelSpacing": 200}, "targets": [ { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "format": "table", "rawSql": "SELECT\n ba.as_path_count AS \"AS Path Length (hops)\",\n COUNT(*) AS \"Prefix Count\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false\n AND r.isipv4 = true\n AND ba.as_path_count > 0\nGROUP BY ba.as_path_count\nORDER BY ba.as_path_count", "refId": "A" } ], "title": "AS Path Length Distribution (Active IPv4 Routes)", "type": "barchart" }, { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "description": "Learn: Average AS path length on the internet is ~4-5 hops. Your lab has shorter paths since ExaBGP is a single eBGP hop away.", "fieldConfig": { "defaults": { "color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute","steps": [{"color": "green","value": null},{"color": "yellow","value": 5},{"color": "red","value": 8}]}, "unit": "short", "decimals": 1 } }, "gridPos": {"h": 5,"w": 6,"x": 12,"y": 0}, "id": 2, "options": {"colorMode": "value","graphMode": "none","justifyMode": "auto","orientation": "auto","reduceOptions": {"calcs": ["lastNotNull"],"fields": "","values": false},"text": {}}, "targets": [ { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "format": "time_series", "rawSql": "SELECT NOW() AS time,\n ROUND(AVG(ba.as_path_count)::numeric, 1) AS \"Avg AS Path Length\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false AND r.isipv4 = true AND ba.as_path_count > 0", "refId": "A" } ], "title": "Average AS Path Length", "type": "stat" }, { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "description": "Learn: Routes with only 1-hop AS path are directly connected or possibly hijacked. In your lab, ExaBGP injects routes starting with AS 65100.", "fieldConfig": { "defaults": { "color": {"mode": "thresholds"}, "thresholds": {"mode": "absolute","steps": [{"color": "green","value": null},{"color": "yellow","value": 5},{"color": "red","value": 20}]}, "unit": "short" } }, "gridPos": {"h": 5,"w": 6,"x": 18,"y": 0}, "id": 3, "options": {"colorMode": "value","graphMode": "none","justifyMode": "auto","orientation": "auto","reduceOptions": {"calcs": ["lastNotNull"],"fields": "","values": false},"text": {}}, "targets": [ { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "format": "time_series", "rawSql": "SELECT NOW() AS time,\n COUNT(*) AS \"Direct (1-hop) Routes\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false AND r.isipv4 = true AND ba.as_path_count = 1", "refId": "A" } ], "title": "1-Hop Routes (Direct/Possible Hijack)", "type": "stat" }, { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "description": "Learn: The longest paths reveal the most AS-level hops in your network. AS path prepending intentionally lengthens paths to make a route less preferred.", "fieldConfig": { "defaults": {"custom": {"align": "auto","displayMode": "auto"}}, "overrides": [ {"matcher": {"id": "byName","options": "AS Path Length"},"properties": [{"id": "custom.displayMode","value": "color-background"},{"id": "thresholds","value": {"mode": "absolute","steps": [{"color": "green","value": null},{"color": "yellow","value": 5},{"color": "red","value": 10}]}}]}, {"matcher": {"id": "byName","options": "AS Path"},"properties": [{"id": "custom.width","value": 400}]} ] }, "gridPos": {"h": 10,"w": 24,"x": 0,"y": 10}, "id": 4, "options": {"footer": {"fields": "","reducer": ["sum"],"show": false},"showHeader": true,"sortBy": [{"desc": true,"displayName": "AS Path Length"}]}, "targets": [ { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "format": "table", "rawSql": "SELECT\n r.prefix AS \"Prefix\",\n ba.as_path_count AS \"AS Path Length\",\n ba.as_path::text AS \"AS Path\",\n ba.origin_as AS \"Origin AS\",\n ba.next_hop AS \"Next Hop\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nWHERE r.iswithdrawn = false AND r.isipv4 = true\nORDER BY ba.as_path_count DESC\nLIMIT 30", "refId": "A" } ], "title": "Longest AS Paths (Top 30)", "type": "table" }, { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "description": "Learn: Origin AS is the rightmost ASN in the AS path — the network that first originated the prefix. Most internet prefixes are originated by their owning organization.", "fieldConfig": { "defaults": {"custom": {"align": "auto","displayMode": "auto"}}, "overrides": [ {"matcher": {"id": "byName","options": "Route Count"},"properties": [{"id": "custom.displayMode","value": "lcd-gauge"},{"id": "custom.width","value": 200}]} ] }, "gridPos": {"h": 12,"w": 12,"x": 0,"y": 20}, "id": 5, "options": {"footer": {"fields": "","reducer": ["sum"],"show": false},"showHeader": true,"sortBy": [{"desc": true,"displayName": "Route Count"}]}, "targets": [ { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "format": "table", "rawSql": "SELECT\n ba.origin_as AS \"Origin AS\",\n COALESCE(ia.as_name, 'Unknown') AS \"AS Name\",\n COUNT(*) AS \"Route Count\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nLEFT JOIN info_asn ia ON ia.asn = ba.origin_as\nWHERE r.iswithdrawn = false AND r.isipv4 = true\nGROUP BY ba.origin_as, ia.as_name\nORDER BY COUNT(*) DESC\nLIMIT 20", "refId": "A" } ], "title": "Top Origin ASNs by Route Count", "type": "table" }, { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "description": "Learn: A transit AS (appearing frequently in AS paths but not as origin) is a carrier. The most frequent transit ASNs in your lab correspond to simulated Tier-1 carriers (174=Cogent, 3356=Lumen, 1299=Telia, etc.)", "fieldConfig": { "defaults": {"color": {"mode": "palette-classic"},"custom": {"fillOpacity": 80,"lineWidth": 0},"unit": "short"} }, "gridPos": {"h": 12,"w": 12,"x": 12,"y": 20}, "id": 6, "options": {"barRadius": 0,"barWidth": 0.7,"groupWidth": 0.7,"legend": {"calcs": [],"displayMode": "list","placement": "bottom"},"orientation": "horizontal","tooltip": {"mode": "single"},"xTickLabelRotation": 0,"xTickLabelSpacing": 200}, "targets": [ { "datasource": {"type": "postgres","uid": "obmp_postgres"}, "format": "table", "rawSql": "SELECT\n asn_val AS \"Transit ASN\",\n COUNT(*) AS \"Appearances in AS Paths\"\nFROM ip_rib r\nJOIN base_attrs ba ON ba.hash_id = r.base_attr_hash_id\nCROSS JOIN LATERAL unnest(ba.as_path) AS asn_val\nWHERE r.iswithdrawn = false AND asn_val != ba.origin_as\nGROUP BY asn_val\nORDER BY COUNT(*) DESC\nLIMIT 15", "refId": "A" } ], "title": "Most Common Transit ASNs", "type": "barchart" } ], "schemaVersion": 36, "style": "dark", "tags": ["obmp","learning","bgp","as-path","topology"], "time": {"from": "now-1h","to": "now"}, "timepicker": {}, "timezone": "browser", "title": "AS Path Analysis", "uid": "obmp-learn-03", "version": 1 }