
Frequently asked questions

  1. What is Cyclops?
  2. Why the name "Cyclops"?
  3. How do I enter my network information in Cyclops?
  4. What are Cyclops' data sources?
  5. What types of alerts can Cyclops send me about my network?
  6. How fast can Cyclops react and alert me of anomalous events?
  7. What about ipv6?
  8. What about 4-byte ASNs?
  9. What are link weights and how are they computed?
  10. How do I change my email address and other personal information?
  11. How does Cyclops determine the geographical location where prefixes are being originated?
  12. In what units are the lifetimes?
  13. Can I remove my Cyclops account?
  14. What do alert activity and status mean?
  15. What is the Cyclops newsletter?
  16. What do I do when I start receiving false alerts?

  1. What is Cyclops?
    Cyclops is a system that provides ISPs a view of how their connectivity is perceived from hundreds of vantage points across the network, enabling a comparison between their observed connectivity and their intended connectivity. Anomalies detected by Cyclops include prefix hijacks, unexpected peerings/depeerings, sudden routing shifts, bogon prefixes, bogus ASNs and route leakages among others. Registered users can configure what type of alerts they would like to receive.
     
  2. Why the name "Cyclops"?
    The name comes from the fact that the system focuses on one network at a time (the Cyclops eye), providing a radial view of its connectivity as a Cyclops would see it.
     
  3. How do I enter my network information in Cyclops?
    There are three different sets of parameters Cyclops needs to know about your network:
    • Your prefixes: the list of prefixes your network originates, which ASN originates each prefix, and which next-hop ASNs are used by each prefix; Cyclops can also detect the set of prefixes announced by your network from BGP announcements.
    • Your ASNs: the list of ASNs in your network; if you're a small net you probably only have 1 ASN
    • Your neighbors: the list of neighbors of each ASN; Cyclops can detect the set of neighbors of each ASN from BGP announcements
  4. What are Cyclops' data sources?
    Cyclops uses BGP data from RouteViews, RIPE-RIS, Abilene, Packet Clearing House and University of Colorado Bgpmon. If you want to send us a BGP feed, please contact cyclops at 6watch dot net.
     
  5. What types of alerts can Cyclops send me about my network?
    Cyclops can alert you when any of the following events happen:
  • New prefix: a new prefix starts being announced by one of your ASNs (and is not in your prefix set)
  • New neighbor: a new neighbor appears in some AS path (and is not in your neighbor list)
  • Transit: one of your ASNs is in the middle of an AS path doing transit for other networks; stub ASes should activate this alert
  • Origin change: one of your prefixes starts being announced by an AS not in the allowed AS list; this can happen in prefix hijack scenarios
  • Next-hop change: one of your prefixes starts being announced to a next-hop ASN that is not in the allowed list
  • More specific: a more specific prefix is being announced for one of your prefixes, and this prefix is not in your list; this can happen in prefix hijack scenarios
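
The alert rules listed above can be written as checks on a single BGP announcement. The following Python code is an added example, not Cyclops' own code; the configuration values (documentation prefixes, reserved ASNs), the `classify` function, and the choice to skip the next-hop check when the origin is already wrong are assumptions of the example.

```python
import ipaddress

# Constructed configuration: documentation prefixes, reserved ASNs (IPv4 only).
MY_ASNS = {64500}
NEIGHBORS = {64500: {64510, 64511}}
# prefix -> (allowed origin ASNs, allowed next-hop ASNs)
PREFIXES = {
    ipaddress.ip_network("198.51.100.0/24"): ({64500}, {64510, 64511}),
    ipaddress.ip_network("203.0.113.0/24"): ({64500}, {64510}),
}

def classify(prefix, as_path):
    """Return sorted alert names; as_path runs from monitor peer to origin AS."""
    net = ipaddress.ip_network(prefix)
    # Collapse AS-path prepending so adjacency checks see each hop once.
    path = [a for i, a in enumerate(as_path) if i == 0 or a != as_path[i - 1]]
    origin = path[-1]
    next_hop = path[-2] if len(path) > 1 else None
    alerts = set()
    if net in PREFIXES:
        origins, next_hops = PREFIXES[net]
        if origin not in origins:
            alerts.add("origin change")
        elif next_hop is not None and next_hop not in next_hops:
            alerts.add("next-hop change")
    else:
        if origin in MY_ASNS:
            alerts.add("new prefix")
        if any(net.subnet_of(p) for p in PREFIXES):
            alerts.add("more specific")
    for i, asn in enumerate(path):
        if asn not in MY_ASNS:
            continue
        if 0 < i < len(path) - 1:
            alerts.add("transit")  # our AS sits between two other networks
        adjacent = path[max(i - 1, 0):i] + path[i + 1:i + 2]
        if any(n not in NEIGHBORS[asn] and n not in MY_ASNS for n in adjacent):
            alerts.add("new neighbor")
    return sorted(alerts)

if __name__ == "__main__":
    # Constructed sample announcements: (prefix, AS path).
    for prefix, path in [("198.51.100.0/24", [64496, 64499]),
                         ("198.51.100.128/25", [64496, 64499]),
                         ("192.0.2.0/24", [64496, 64500, 64512])]:
        print(prefix, path, classify(prefix, path))
```
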
  6. How fast can Cyclops react and alert me of anomalous events?
    Cyclops can react in as little as a few seconds when the event is detected in BGPmon real-time feeds. For other feeds, it typically takes anywhere between 5 and 15 minutes. The data available from the left menu (connectivity, prefixes, anomalies) is typically refreshed every 1 to 2 hours.
 
  7. What about ipv6?
    Cyclops processes only IPv4 data; the complementary Cyclops6 (http://cyclops.6watch.net) focuses on IPv6 data processing.
 
  8. What about 4-byte ASNs?
    Cyclops currently supports 4-byte ASNs. They are shown in ASDOT notation in BGP messages and in ASPLAIN in queries and tables.
 
  9. What are link weights and how are they computed?
    The link weights in connectivity mode are computed from full routing tables from RouteViews and RIPE-RIS. The numbers shown in the "Weight" columns are the number of routes averaged over 126 monitors and smoothed with a temporal average (0.8 * past_value + 0.2 * current_value). For link A-B Cyclops shows the number of routes that reach B from A (from), as well as the number of routes that reach A from B (to). The former value indicates how the Cyclops eye is reaching the rest of the Internet, while the latter indicates how the rest of the Internet is reaching the Cyclops eye.
 
  10. How can I change my email address and other personal information?
    Just go to My account.
 
  11. How does Cyclops determine the geographical location where prefixes are originated?
    Cyclops uses data from Maxmind's GeoLite City. The accuracy is over 99.5% at the country level and 79% at the city level for the US.
 
  12. In what units are the lifetimes?
    The lifetimes are usually measured in number of days.
 
  13. Can I remove my Cyclops account?
    Yes, just go to My account.
 
  14. What do alert activity and status mean?
    The alert activity indicates whether the offending attribute (e.g. a prefix) has been observed in BGP updates in the last 8h ("On" state). If the attribute disappears from feeds for more than 8h, the alert is automatically cleared to the "Off" state. The alert status is a state controlled by the user. By default all alerts are created in the "open" state, but the user may want to "close" them later for housekeeping purposes. The activity and status are independent properties of the alerts.
 
  15. What is the Cyclops newsletter?
    The Cyclops newsletter is a bi-monthly digest of the top routing anomalies detected by Cyclops. You can subscribe to the newsletter here, bottom right corner.
 
  16. What do I do when I start receiving false alerts?
    Cyclops can adapt its filters to your feedback. If you think you're receiving false alerts, you can do two things. You can click on the email alert link that says "Mark as false alert". After you do this, Cyclops will automatically update its filters so that you won't receive an alert with the same root cause in the future. Alternatively, you can go to My Alerts and flag each false alert by selecting it and clicking on the link "Mark as false alert". The alert will be removed and the filters updated.

 

(c) 2007-2013, Internet Research Lab, CS Department, UCLA
Please send questions/bugs/suggestions to cyclops at 6watch dot net