Slashdot Mirror


How a Router's Missed Range Check Nearly Crashed the Internet

Barlaam writes "A bug by router vendor A (omitting a range check from a critical field in the configuration interface) tickled a bug from router vendor B (dropping BGP sessions when processing some ASPATH attributes with length very close to 256), causing a ripple effect that caused widespread global routing instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose ASN, modulo 256, was greater than 250. At that point, the Internet was one typo away from disaster. Other router vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is — this is just the latest example." Vendor A, in this case, is a Latvian router vendor called MikroTik.

16 of 196 comments

  1. Same story, different spin??? by Anonymous Coward · Score: 4, Informative

    Is this related to the story posted that stated:

    "One Broken Router Takes Out Half the Internet?"

    http://tech.slashdot.org/article.pl?sid=09/02/16/2233207

    It just amazes me how differently presented this story is compared with the previous.

    In fairness, there is much more information about this 'outage' now.

    This news is alarming. Thanks for not making it alarmist this time.

    1. Re:Same story, different spin??? by Anonymous Coward · Score: 1, Informative

      Wait, Slashdot has ad revenue? They have ads here?

      I'm a subscriber, so I didn't know.

      I have AdBlock Plus, so I didn't know.

  2. Vendor B by CSFFlame · Score: 5, Informative

    Vendor B is Cisco btw. Dunno why they were being vague.

    1. Re:Vendor B by afidel · Score: 5, Informative

      The Cisco bug had been fixed for about forever, so anyone running an affected version probably had a million other known bugs as well; just most didn't bring their primary function to a screeching halt. Some of the time admins choose to run with the devil they know rather than finding all the new bugs waiting in new code; this time it bit a bunch of them hard and hence bit their customers. They will now upgrade to newer software or implement a workaround for this bug; if they upgrade, their customers will probably have some additional downtime while the new bugs are found and worked around. Unfortunately this is how IT works: it's a complex web of systems built, programmed, and administered by fallible humans.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.

    2. Re:Vendor B by Anonymous Coward · Score: 1, Informative

      Vendor B is Cisco btw.

      Dunno why they were being vague.

      The Cisco thing is actually quite old. During the event a new bug in OpenBSD was discovered:
      http://secunia.com/advisories/33975/

  3. Re:Gee, known Cisco bug causes problems by Anonymous Coward · Score: 1, Informative

    If you have no clue what offensive fortunes are, try 'fortune -o'.

    Please, please, please request a potentially offensive fortune if and only if you believe, deep down in your heart, that you are willing to be offended...

    If you don't have fortune installed then you are clearly on the wrong website ;)

    Hey, I've got it installed! "fortune -o" says: No fortunes found.

    (Sorry, I'm new.)

  4. Re:Gee, known Cisco bug causes problems by DerekLyons · Score: 4, Informative

    The summary used Company A and Company B, the editor's comment tagged the Latvian vendor.

  5. Re:Gee, known Cisco bug causes problems by seifried · Score: 4, Informative

    Speaking of RTFA'ing you should maybe take your own advice:

    As it turns out, the reason for all those routing resets and general instability was due to a previously unknown Cisco bug involving AS paths close to 255 in length. If you try to prepend to a long path that you receive and by doing so, create a path longer than 255, you are toast. So the maps we gave in our last blog were more of an indication of Cisco market share (at least among prependers), rather than the propensity of outdated routers. Kudos to Ivan for figuring this out.

  6. Re:Gee, known Cisco bug causes problems by Kaboom13 · Score: 5, Informative

    You have to have a support agreement with Cisco to get the latest IOS. They won't even give you the last version once your support contract has run out. Also, older routers do not always have upgrades available for various reasons: either they do not have enough space, or there are hardware limitations, or Cisco End-of-Lifed it and hasn't bothered.

    There's also the "if it isn't broke don't fix it" mentality in the networking world. A new version may fix some bugs but it might add some bugs as well. An upgrade, even if minor, generally means a lot of work testing and reconfiguring before you roll it out. Network engineers are expensive and that time isn't free. Sometimes the devil you know is better than the devil you don't.

    In an ideal world it wouldn't be an issue, but when it comes to networking it's NEVER an ideal world. There's always too much to do and never enough budget/manpower to do it. Every network admin probably has 10 things on his mental wishlist right now, upgrades he would like to make, redundant hardware he would like to purchase, failover contingencies he needs to test, etc. Upgrading IOS on an old router in a rack somewhere (and hoping it doesn't blow up in your face) can be pretty far down the list.

  7. Cisco to Blame, not Mikrotik by DeadboltX · Score: 5, Informative

    The critical bug is with the Cisco routers; a Mikrotik router merely nearly triggered the bug.
    It would be possible to trigger this bug with any routing software that does not do range checking on the number of times the ASN is prepended.

    The summary is spreading FUD by making Mikrotik, the only named vendor in the summary, look like the vendor at fault.
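An added example (not code from the story, MikroTik or Cisco) of the two halves of the failure described above: a prepend field that accepts whatever the operator types without a range check, beside the checked version, and an AS_PATH encoder that shows why 255 is the boundary, since RFC 4271 gives each AS_SEQUENCE segment a one-octet length. The one-byte-field model of vendor A's bug, the ASN 65532 (65532 mod 256 = 252), the neighbor ASN 64500 and the prepend limit of 10 are assumptions.

```python
# Added example, not code from the story or any router vendor. Models the
# missing range check on a prepend field beside a checked version, and
# encodes AS_PATH as RFC 4271 AS_SEQUENCE segments (one-octet length).
import struct

AS_SEQUENCE = 2
MAX_SEGMENT_LEN = 255   # segment length field is a single octet
MAX_PREPEND = 10        # assumed operator policy limit (constructed value)

def truncated_prepend_count(value):
    """Assumed model of vendor A's bug: a one-byte prepend field with no
    range check silently keeps only value mod 256."""
    return value & 0xFF

def checked_prepend_count(value):
    """Hardened version: refuse out-of-range counts instead of wrapping."""
    if not 0 <= value <= MAX_PREPEND:
        raise ValueError(f"prepend count {value} outside 0..{MAX_PREPEND}")
    return value

def prepend(as_path, asn, count):
    """Prepend asn `count` times to an AS_PATH given as a list of ASNs."""
    return [asn] * count + list(as_path)

def encode_as_path(as_path):
    """Encode 2-byte ASNs as AS_SEQUENCE segments, splitting every 255."""
    out = b""
    for i in range(0, len(as_path), MAX_SEGMENT_LEN):
        chunk = as_path[i:i + MAX_SEGMENT_LEN]
        out += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        out += struct.pack(f"!{len(chunk)}H", *chunk)
    return out

def segment_lengths(encoded):
    """Receiver's view: the per-segment ASN counts in an encoded AS_PATH."""
    lens, pos = [], 0
    while pos < len(encoded):
        _seg_type, seg_len = struct.unpack_from("!BB", encoded, pos)
        lens.append(seg_len)
        pos += 2 + 2 * seg_len
    return lens

def scenario(asn, neighbor_prepends):
    """Operator types the ASN itself into the unchecked prepend field; a
    downstream AS (constructed ASN 64500) then prepends a few more.
    Returns the segment lengths the next receiver sees."""
    path = prepend([asn], asn, truncated_prepend_count(asn))
    path = prepend(path, 64500, neighbor_prepends)
    return segment_lengths(encode_as_path(path))
```

With the checked field, `checked_prepend_count(65532)` raises before any path is built; with the truncated one, three downstream prepends push a 253-hop path to 256 and force a second segment.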

    1. Re:Cisco to Blame, not Mikrotik by Crackez · Score: 2, Informative

      On the other hand, MikroTik devices do suck.

      Ever had the pleasure of dealing with one of these pieces of garbage?

      Not that Cisco doesn't have problems (FWIW, I admin a fair sized Cisco network), but MikroTik routers give me a feeling in my gut that it's just about to break, any minute now... I could build a better router out of a PC and some NICs (and have - love OpenBSD)...

      Disclaimer: my experience with MikroTik is from dealing with a particular Indian contracting firm that uses them, and they also happen to have incompetent admins (willing to give me admin on their boxes to fix their problems - told 'em to deal with their own gear)... Maybe that's a commonality between MikroTik users?

  8. Re:didn't kdawson post this last week by ion.simon.c · Score: 4, Informative

    You should check out alterslash.org. It's an excellent way to sort through the shitty /. comments and get to some decent threads.

  9. GPL violators by Anonymous Coward · Score: 5, Informative

    Mikrotik are known GPL violators, who use a modified Linux (they re-branded that as "RouterOS") and a terribly bad implementation of the BGP protocol.

    In one custom community network, where MikroTik has been deployed internally, that stolen Linux is being hacked to use Quagga instead of MikroTik's BGP.

    In short: that "RouterOS" has been highly unsuitable for the Internet. I can't believe somebody was stupid enough to trust it.

    1. Re:GPL violators by transporter_ii · Score: 3, Informative

      I used Mikrotik for quite some time and I'm not sure they are "known GPL violators." I guess it sounds good to kdawson them and all, but they offer the changes made to GPLed software:

      To get a CD with the corresponding source code for the GPL-covered programs in this distribution, wire transfer $45 to MikroTikls SIA, Pernavas 46, Riga, LV-1009, Latvia. Please contact MikroTikls SIA for our current account information and wire transfer instructions. Offer valid until 2010. This CD will only include the source code of the following programs according to the license requirements. This CD will not include MikroTikls proprietary SOFTWARE.

      In reading through their posts on their forums, they claim that there aren't many changes to GPL software, and that they aren't required to release proprietary software code (true). And it seems they do make some attempt to release the code to what little GPL they do change (see above).

      Personally, I think Mikrotik is awesome. But to me, they are a little bit in a TiVo-type of area here.

      Why on earth they didn't just use FreeBSD instead of Linux, I will never understand. Then they could have done whatever they wanted with FreeBSD and not been made to look bad over it.

      transporter_ii

      --
      Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality

  10. Re:Gee, known Cisco bug causes problems by SanityInAnarchy · Score: 2, Informative

    Or, they move it to a separate package. For example, on Ubuntu, this is fortunes-off.

    No need to make it more complicated than it is.

    --
    Don't thank God, thank a doctor!

  11. Re:It's only a matter of time before... by Wakko+Warner · Score: 2, Informative

    That happened to my account once when I bitched about an editor too, almost ten years ago now. (Within a week of pretty simple, thought-free karma-whoring comments, I was back posting at +2.)

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"