RE: Qwest outage In NY

["Patrick McEvilly" <pmcevilly () harvard edu>]

Let me clarify, our directly connected Qwest router was not under DOS attack
so BGP stayed up and we had a full routing table.  The router that got hosed
was 3 router hops into their backbone and it was definitely hosed good.  :-)



-----Original Message-----
From: owner-nanog () merit edu [mailto:owner-nanog () merit edu]On Behalf Of
Richard A Steenbergen
Sent: Wednesday, May 08, 2002 1:21 PM
To: Patrick McEvilly
Cc: nanog () merit edu
Subject: Re: Qwest outage In NY



On Wed, May 08, 2002 at 12:32:00PM -0400, Patrick McEvilly wrote:
> Qwest has confirmed a DOS attach against two of their Juniper routers in
> the NY POP.  I believe they had a UDP attack last week also (maybe on
> Saturday). This time the DOS was a TCP attack on the 100Mb management
> interface on the Juniper, leaving the box unable to pass packets, hence
> BGP stays up and a full routing table but you cannot get anywhere.

Ok I'll bite... What crackpipe are you smoking from?

If the link from the RE to the PFE (the fxp1) became saturated, or enough
packets hit the RE to blow away the processor, BGP (and the CLI, and
everything else) would certainly fall over.

Much like with any other router using distributed forwarding, if the
management processor dies, the traffic will continue to forward until the
routing protocols timed out and the rest of the network stopped sending it
traffic. The attack would then stop hitting the box in question, it would
come back up, and the cycle would repeat. This assumes that there are
actual routing protocols, in the case where it's statically routed the
box just stays down. :)

But Juniper is more resilient to this form of attack than most, and you
have the ability to filter packets going to the RE on any IP rev.

--
Richard A Steenbergen <ras () e-gerbil net>       http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177  (67 29 D7 BC E8 18 3E DA  B2 46 B3 D8 14 36 FE B6)