nanog mailing list archives

Re: anyone else seeing very long AS paths?

From: Mike Lewinski <mike () rockynet com>
Date: Tue, 17 Feb 2009 12:02:50 -0700

German Martinez wrote:

Workaround: Configure the bgp maxas limit command in such
as way that the maximum length of the AS path is a value below 255. When the
router receives an update with an excessive AS path value, the prefix is
rejected and recorded the event in the log.

This workaround has been suggested previously by Hank.

Anyone knows about any possible CPU impacts in case that you implementbgp maxas?

bgp max-as will NOT protect you from this exploit (but if you are notvulnerable it should prevent you from propogating it).

As far as I can tell the ONLY defense for a vulnerable IOS is to not runBGP. Dropping every received route with a filter on 0/0 does notmitigate the attack - as soon as that bogus as-path is received the BGPsession resets, even if the route is never actually installed (and asfar as I can tell the only real effect of the "bgp maxas-limit 75" is tocause all paths with more than 75 ASN to not be installed in the routingtable).

Current thread:

Re: anyone else seeing very long AS paths?, (continued)
- - - Re: anyone else seeing very long AS paths? Paul Ferguson (Feb 16)
    - RE: anyone else seeing very long AS paths? Jason Kalai Arasu (Feb 16)
    - Re: anyone else seeing very long AS paths? Jens Ott - PlusServer AG (Feb 17)
    - RE: anyone else seeing very long AS paths? Hank Nussbacher (Feb 16)
    - Re: anyone else seeing very long AS paths? Florian Weimer (Feb 17)
    - Re: anyone else seeing very long AS paths? Jared Mauch (Feb 17)
    - Re: anyone else seeing very long AS paths? Etaoin Shrdlu (Feb 17)
    - Re: anyone else seeing very long AS paths? Adrian Chadd (Feb 17)
    - Re: anyone else seeing very long AS paths? Michael Ulitskiy (Feb 17)
    - Re: anyone else seeing very long AS paths? German Martinez (Feb 17)
    - Re: anyone else seeing very long AS paths? Mike Lewinski (Feb 17)
    - Re: anyone else seeing very long AS paths? German Martinez (Feb 17)
    - Re: anyone else seeing very long AS paths? Jack Bates (Feb 17)
    - Re: anyone else seeing very long AS paths? Leland E. Vandervort (Feb 17)
    - RE: anyone else seeing very long AS paths? Ivan Pepelnjak (Feb 17)
    - Re: anyone else seeing very long AS paths? Jack Bates (Feb 17)
    - Re: anyone else seeing very long AS paths? Mike Lewinski (Feb 17)
    - RE: anyone else seeing very long AS paths? Ivan Pepelnjak (Feb 17)
    - Re: anyone else seeing very long AS paths? Rodney Dunn (Feb 17)
    - Re: anyone else seeing very long AS paths? German Martinez (Feb 17)
    - Re: anyone else seeing very long AS paths? Rodney Dunn (Feb 17)

(Thread continues...)