Slashdot Mirror

← Back to Stories (view on slashdot.org)

One Broken Router Takes Out Half the Internet?

Posted by kdawson on from the brain-gone-punky dept.

Silent Stephus writes "I work for a smallish hosting provider, and this morning we experienced a networking event with one of our upstreams. What is interesting about this, is it's being caused by a mis-configured router in Europe — and it appears to be affecting a significant portion of the transit providers across the Internet. In other words, a single mis-configured router is apparently able to cause a DOS for a huge chunk of the Net. And people don't believe me when I tell them all this new-fangled technology is held together by duct-tape and baling wire!"

8 of 412 comments (clear)

  1. Half the internet? Are you serious? by Anonymous Coward · · Score: 5, Informative

    A router takes out 'half the internet' and I learn this from Slashdot?

    Seriously, what is/was the impact? I work for a large e-commerce provider and haven't seen a thing that would indicate a problem today.

  2. BGP by winkydink · · Score: 5, Informative

    The internet's dirty little secret. It's amazing it works at all.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  3. AS 47868 by Anonymous Coward · · Score: 5, Informative

    There is a post in nanog and on isc.sans.org.

    AS 47868 causing AS paths to become too long...

    http://www.merit.edu/mail.archives/nanog/msg15472.html

  4. Ditto the A.C. by khasim · · Score: 5, Informative

    It must have been the "half the Internet" that I don't use. Which would be an interesting half because many of the sites I visit regularly are based in Europe.

    From the thread, it looks like AS 47868 was the route being lost.

    http://en.wikipedia.org/wiki/Autonomous_System_Number

  5. Outage Cause: Old software by Anonymous Coward · · Score: 5, Informative

    The AS 47868 decided that they wanted to prepend their ASN about 75 or so times to their BGP announcements. When this got re-populated throughout the rest of the world, a bug in older versions of Cisco IOS still in use on many ISP/NSP networks does not like paths this long. As soon as they saw the prefix with that long of a path, the software terminated the BGP session, resulting in the doorway being closed between the two networks -- So on and so forth throughout the rest of the web.

  6. Ye olde versions of IOS by DeadBeef · · Score: 5, Informative

    This only broke BGP implementations that are getting pretty long in the tooth now, on a moderately recent version of IOS all we saw is:

    Feb 17 05:25:03.731 nzdt: %BGP-6-ASPATH: Long AS path 10026 3356 29113 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 received from xxx.xxx.xxx.xxx: More than configured MAXAS-LIMIT

    It was definitely an insane path, our routers were configured to drop anything with an AS path longer than 75, old versions of IOS would often just drop the BGP session ( or even crash with some _really_ old versions ).

    I'm sure there will be some red faced network engineers updating IOS or even doing forklift upgrades of old boxes at their edges in the near future.

    --
    I am a lawyer and this constitutes legal advice and I shall indemnify you against any losses arising from taking it.
  7. Only some old versions of IOS broke by lotaris · · Score: 5, Informative

    This only took down people running fairly old versions of IOS that didn't patch a known bug.

    Did not affect non-cisco.
    Did not affect modern versions of IOS
    Did not affect old versions of IOS that set the knob to limit the max as-path.

  8. Re:Intelligence Op by hardwarefreak · · Score: 5, Informative

    They need to replace it with a network that is designed to survive a nuclear attack. Oh wait, hang on....

    Wish I had mod points today. Parent should already be SCORE:5 Funny. Apparently not enough Slashdotters know the history/evolution of the net.

    If you're referring to the myth that the Internet was "designed to withstand nuclear attack", perhaps Slashdotters know more than you think.

    The Internet was designed to allow distributed control, and to withstand telephone company malice and incompetence. This was a much more useful goal than withstanding nuclear attack.

    One of the early arguments made by DARPA folks to politicians, in order to secure continued federal funding for packet switched network development, was the ability of the network to route around failed or destroyed nodes. They made this argument in the context of the cold war, of nuclear war.

    It reality, as you state, this argument had little practical impact on the technical development or evolution of the the network. However, it most certainly did have an impact on the commitment of federal/military funding. This is the origin of the "surviving nuclear attack" lore of the development of DARPANET. It's not a myth. It's real.

    Take Obama's current stimulus package as a parallel example. It's not going to solve the recession, but it's being sold as such. And the congress bought into it. Just as this stimulus bill isn't what it's being sold as, most likely DARPANET wouldn't have really given us what it was sold as at one point. Nonetheless, it was sold as such, thus creating the lore that you call myth.