Slashdot Mirror


How a Router's Missed Range Check Nearly Crashed the Internet

Barlaam writes "A bug by router vendor A (omitting a range check from a critical field in the configuration interface) tickled a bug from router vendor B (dropping BGP sessions when processing some ASPATH attributes with length very close to 256), causing a ripple effect that caused widespread global routing instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose ASN, modulo 256, was greater than 250. At that point, the Internet was one typo away from disaster. Other router vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is — this is just the latest example." Vendor A, in this case, is a Latvian router vendor called MikroTik.

22 of 196 comments

  1. Gee, known Cisco bug causes problems by seifried · · Score: 2, Insightful

    If people had upgraded their routers this wouldn't have happened. Newsflash: software has bugs. Not upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

    1. Re:Gee, known Cisco bug causes problems by vux984 · · Score: 2, Insightful

      Newsflash: software has bugs. Not upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

      Newsflash: software has bugs. Upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

      See? The statement is true either way... update or don't update. It doesn't matter. One way you'll get bitten by dormant bugs in the old version, the other way will bite you with bugs introduced in the upgrade.

      The only question that remains is which will bite you in the ass first and more often. From long experience most people agree... if it isn't broken, don't fix it.

    2. Re:Gee, known Cisco bug causes problems by ThePromenader · · Score: 2, Insightful

      Did you RTFA? The problem was due to a router misconfiguration - a human error - and a worldwide ISP tendency of not reading/filtering garbage from what they pass along. Not bugs, not upgrades.

      --
      No, no sig. Really.
      ThePromenader
    3. Re:Gee, known Cisco bug causes problems by fuzzyfuzzyfungus · · Score: 2, Insightful

      Possibly because Cisco has trained attack lawyers and a history of rocky relationships with people who say unkind things about their firmware?

    4. Re:Gee, known Cisco bug causes problems by ThePromenader · · Score: 4, Insightful

      The Cisco 'bug' is an oversight - with its own configuration system (where the actual AS path is written out, not an algorithm treating the same set earlier in a variable), there can be no problem. Cisco does not take into account possible errors (garbage) created by the configuration of other-type routers, thus the problem. True, this also reveals a laziness on the behalf of network engineers who assume that all routers use the dominant Cisco-ish configuration language - not. So what is needed is a means of filtering errored garbage from all platforms and sources, and this job would be most efficient were it undertaken by ISPs.

      --
      No, no sig. Really.
      ThePromenader
    5. Re:Gee, known Cisco bug causes problems by SanityInAnarchy · · Score: 2, Insightful

      if it isn't broken, don't fix it.

      That also implies, if it is broken, fix it.

      From long experience, we all get bitten sooner or later. I would say we most often remember the upgrades as being more hazardous, because we blame ourselves for those -- should've known better than to use that new, untrusted code. At least with inaction (not patching), it's negligence, rather than active incompetence -- harder to blame yourself, or for others to blame you.

      But this should not be about escaping blame, it should be about minimizing risk.

      --
      Don't thank God, thank a doctor!
    6. Re:Gee, known Cisco bug causes problems by Tony+Hoyle · · Score: 4, Insightful

      It wasn't 'previously unknown'; it was fixed over 3 years ago.

      A router that hasn't been updated in 3 years has problems - including a couple of security holes that have been discovered in the interim.

    7. Re:Gee, known Cisco bug causes problems by Bert64 · · Score: 4, Insightful

      Trouble is, you can't just go and download Cisco updates... Even if you own their hardware, they make it difficult to download anything... You need a support contract and valid account to download most stuff, and their website is absolutely horrendous to navigate.
      It's pretty stupid, just about every other vendor makes the updates freely downloadable.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    8. Re:Gee, known Cisco bug causes problems by Bert64 · · Score: 2, Insightful

      Which is a lot more hassle than the update mechanisms offered by pretty much every other vendor.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    9. Re:Gee, known Cisco bug causes problems by ScrewMaster · · Score: 2, Insightful

      Cisco is where they are because they monetize everything.

      And where they are is with a customer base that is reluctant to fix security holes...

      No kidding. Even the great Beast of Redmond has not, so far as I'm aware, tried to profit from WindowsUpdate. Of course, if they did, nobody would ever use it.

      --
      The higher the technology, the sharper that two-edged sword.
  2. Re:Vendor B by mysidia · · Score: 5, Insightful

    It seems like we live in a world now where media go ridiculously out of their way to soften the blow and protect the parties who screwed up and shipped software that had mistakes in it, by playing PR on their behalf and hiding their name.

    They had a bug; they deserve to be called on that fact, authors should be honest and direct, and always mention them by name. ESPECIALLY in this case, so people who bought their product KNOW they need to update, even if they didn't notice the fact that they were impacted by the bug (not everyone impacted necessarily knows what caused their problems, a lot of people may still be wide open to the bug but not know about it).

    Seriously, if you develop an implementation of an exterior routing protocol that untrusted devices participate in BY DESIGN...

    How do you justify NOT taking basic steps to validate what happens in your implementation if another party decides to play dirty, and hit you with a ridiculously long or corrupt entry in a field (like AS path) ?

    How does your QA team miss the potential consequences of how such a case can impact your re-advertisements of that long path? And miss testing that the result you send is still valid, or that you at least block it properly.

    It doesn't mean they're totally inept, I'm sure their QA team does a lot of good work. But something fundamental seems to be missing, if these sorts of elementary bugs slip through the cracks.

    It may be hard on them PR wise, but the public deserves to know the facts, without the names being changed to protect the guilty.
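The validation mysidia is asking for, written out as an added example for this thread (not code from either vendor or from any commenter): a strict AS_PATH parser that checks every length octet against the bytes actually present, the range check on a configured prepend count that the summary says vendor A's configuration interface omitted, prepending that opens a new segment rather than letting the one-octet length field wrap past 255, and an ingress check that drops over-long paths instead of re-advertising them. It assumes the classic 2-byte AS encoding, uses AS numbers from the documentation range, and the limits MAX_PREPEND and MAX_AS_LIMIT are assumed policy knobs, not values from any product.

```python
"""Defensive handling of the BGP AS_PATH attribute (RFC 4271 wire format).

Added example, not code from any router vendor. Assumes 2-byte AS numbers
(4-byte ASes per RFC 6793 would widen the unpack format); sample ASNs are
constructed from the documentation range 64496-64511.
"""
import struct

AS_SET = 1
AS_SEQUENCE = 2
MAX_SEGMENT_ASES = 255   # the per-segment length field is a single octet
MAX_PREPEND = 64         # assumed sane upper bound on a configured prepend count
MAX_AS_LIMIT = 75        # assumed ingress limit on total path length


def parse_as_path(data):
    """Decode AS_PATH bytes into [(segment_type, [asn, ...]), ...].

    Every length octet is checked against the bytes actually present, so a
    corrupt attribute raises ValueError instead of being re-advertised.
    """
    segments = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated segment header")
        seg_type, count = data[pos], data[pos + 1]
        pos += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        if count == 0:
            raise ValueError("zero-length segment")
        need = 2 * count
        if len(data) - pos < need:
            raise ValueError("segment length exceeds attribute length")
        asns = list(struct.unpack("!%dH" % count, data[pos:pos + need]))
        pos += need
        segments.append((seg_type, asns))
    return segments


def encode_as_path(segments):
    """Inverse of parse_as_path; refuses segments the one-octet length cannot describe."""
    out = bytearray()
    for seg_type, asns in segments:
        if not 1 <= len(asns) <= MAX_SEGMENT_ASES:
            raise ValueError("segment of %d ASes cannot be encoded" % len(asns))
        out += bytes([seg_type, len(asns)])
        out += struct.pack("!%dH" % len(asns), *asns)
    return bytes(out)


def path_length(segments):
    """Path length as used for route selection: each AS in an AS_SEQUENCE
    counts one, a whole AS_SET counts one (RFC 4271 section 9.1.2.2)."""
    return sum(len(asns) if t == AS_SEQUENCE else 1 for t, asns in segments)


def prepend_count_is_valid(times, max_prepend=MAX_PREPEND):
    """The range check on the configured prepend count that was missing."""
    return 1 <= times <= max_prepend


def prepend(segments, asn, times, max_prepend=MAX_PREPEND):
    """Prepend `asn` `times` times, opening a new AS_SEQUENCE whenever the
    leading segment would exceed 255 entries, so the length octet never wraps."""
    if not prepend_count_is_valid(times, max_prepend):
        raise ValueError("prepend count %d outside 1..%d" % (times, max_prepend))
    new = list(segments)
    remaining = times
    if new and new[0][0] == AS_SEQUENCE:
        take = max(0, min(MAX_SEGMENT_ASES - len(new[0][1]), remaining))
        new[0] = (AS_SEQUENCE, [asn] * take + new[0][1])
        remaining -= take
    while remaining > 0:
        take = min(MAX_SEGMENT_ASES, remaining)
        new.insert(0, (AS_SEQUENCE, [asn] * take))
        remaining -= take
    return new


def accept_path(data, max_as_limit=MAX_AS_LIMIT):
    """Ingress policy: parse strictly and drop over-long paths at the border
    instead of forwarding them to every neighbour."""
    try:
        segments = parse_as_path(data)
    except ValueError:
        return False
    return path_length(segments) <= max_as_limit


if __name__ == "__main__":
    # Constructed sample: a two-hop sequence followed by an aggregated set.
    sample = encode_as_path([(AS_SEQUENCE, [64496, 64497]), (AS_SET, [64498, 64499])])
    print(parse_as_path(sample), path_length(parse_as_path(sample)))
    # Length octet claims 5 ASes but only one is present: must be refused.
    print("corrupt attribute accepted:", accept_path(b"\x02\x05\xfb\xf0"))
```

The two checks are deliberately at different places: the prepend range check protects the operator from a typo on their own box, while the strict parser and the path-length limit protect against whatever a neighbour sends, since on an exterior protocol the other side cannot be assumed to have done either.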

  3. didn't kdawson post this last week by gad_zuki! · · Score: 5, Insightful

    except in the kdawson style it was a single link to a message board posting about a router "taking out half the internet." Dupe? Correction? I don't care as long as kdawson is kept away from the site for a while.

    1. Re:didn't kdawson post this last week by Bryan+Ischo · · Score: 5, Insightful

      That explains a lot.

      I complained to CmdrTaco a year ago or so about kdawson's terrible editing and article judgement. The site would be SOOO much better without him. But CmdrTaco stood up for him, arguing that he does "a pretty good job".

      I lost a lot of faith in Slashdot that day. I only continue to read out of habit. But I skip more articles now and I get a chuckle when I see lame stories posted by lame editors with sub-100 comments. I only wish that *no one* would read and comment on the lame stories (I should be taking my own advice here!) so that maybe the Slashdot editor cabal would get the hint.

    2. Re:didn't kdawson post this last week by Bryan+Ischo · · Score: 2, Insightful

      As you speculated, it's a "not wanting to miss out on the news" thing. I filtered kdawson for about a day but got paranoid that I was missing some interesting stories.

      kdawson is a terrible editor, and makes poor choices about which articles to post to Slashdot, but of course he sometimes posts good stories too. The problem is that the signal to noise ratio is so low with him. It's irritating to have to scan through so many crappy summaries just to find the few good ones. But I don't want to miss out on the few good ones, so I don't filter him.

      If kdawson were gone, then presumably someone with better judgement would take his place, and they'd still post the good stories that he would have posted, but wouldn't post nearly as many of the bad ones. That's what I want to happen, it's why I wrote to CmdrTaco, it's the point I tried to make with him, and it's what I was utterly unable to convince him of. So kdawson and his 8-crappy-stories-to-every-1-good-story-that-you-don't-want-to-miss contributions to Slashdot are unfortunately here to stay.

      The only editor I ever filtered was JonKatz. He never posted a single good story, so I knew I wasn't missing anything when I filtered him out.

  4. Re:Same story, different spin??? by Anthony_Cargile · · Score: 5, Insightful

    It just amazes me how differently presented this story is compared with the previous.

    Previous story: kdawson. Current story: Timothy. Do you need any more explanation than that?

  5. Re:Vendor B by Shakrai · · Score: 4, Insightful

    It seems like we live in a world now where media go ridiculously out of their way to soften the blow and protect the parties who screwed up and shipped software that had mistakes in it, by playing PR on their behalf and hiding their name.

    Well that may be the case but in this case the criticism doesn't really seem deserved. For better or worse /. generally posts exactly what was written by the person who submitted the article. Blame that person for trying to "soften" the blow.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  6. Sigh... maybe next time... by Anonymous Coward · · Score: 1, Insightful

    ... the crash will take out the entire interwebs for a full week. Wouldn't it be amazing if mankind as a whole had to "survive" an entire week without the face-to-face interaction killer that is the internet? I suppose that what's even more pathetic is that we depend on it so much now; countries would go into widespread panic if internet was lost for a single week. Isn't it sad how people seem to think that something that didn't even exist 30 years ago is now considered a bare necessity? Oh, the priorities of man.

  7. Should have updated IOS in 2003 when fixed. by Anonymous Coward · · Score: 5, Insightful

    Maybe if they updated their IOS back in 2003 when Cisco came out with the fix they wouldn't have these problems. You wouldn't give an XP user a pass on not updating for 6 years and having a problem, don't give these upstreams any.

    -zifr

  8. Re:Vendor B by eudaemon · · Score: 3, Insightful

    Just another reason for Cisco to opensource IOS and sell their hardware and service, instead. IOS has been famously pirated along with its hardware by Chinese knock-offs for years now. Might as well finish the transition. Then again I'd like to see Mac OSX opensourced, too, so it may be something in the water. :-)

  9. Re:Vendor B by Anonymous Coward · · Score: 4, Insightful

    Actually, no. The problem is that you need to pay big bucks to have access to IOS updates, and too many people just buy the router, whatever IOS comes with it, and NEVER want to hear from Cisco's overpriced services ever again.

    Really, critical internet infrastructure needs to be *easy* (as in low cost and not many technical pitfalls) to keep up-to-date, and we need to start doing Very Bad Things to those that don't implement BCP-38 (you're a danger to all your customers and downstream if you don't), egress filtering (good neighborhood requirements), automated up-to-date bogon filtering (or you will cause troubles for everyone that gets a new block of IP space freshly handed to an RIR), and strict BGP filtering...

    Cisco's IOS update policies REALLY have a part of the blame on this.

  10. Re:Reminds me of a story by Bert64 · · Score: 2, Insightful

    Make your backup device be different to the main one... If you use 2 different vendors the chances of a bug affecting both are significantly reduced. It also means that the devices have to actually use standard interoperable protocols to handle the failover.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  11. Re:Vendor B by anon+mouse-cow-aard · · Score: 2, Insightful

    Then again I'd like to see Mac OSX opensourced, too,

    umm... http://www.opensource.apple.com/darwinsource/