Slashdot Mirror

← Back to Stories (view on slashdot.org)

Duke Research Experiment Disrupts Internet Traffic

Posted by timothy on from the oopsie-daisy dept.

alphadogg writes with this excerpt from Network World about an experiment gone wrong which affected a big chunk of internet traffic yesterday morning: "It was kicked off when RIPE NCC (Reseaux IP Europeens Network Coordination Centre) and Duke ran an experiment that involved the Border Gateway Protocol (BGP) — used by routers to know where to send their traffic on the Internet. RIPE started announcing BGP routes that were configured a little differently from normal because they used an experimental data format. RIPE's data was soon passed from router to router on the Internet, and within minutes it became clear that this was causing problems. ... [f]or a brief period Friday morning, about 1 percent of all the Internet's traffic was affected by the snafu, as routers could not properly process the BGP routes they were being sent."

3 of 80 comments (clear)

  1. Re:Hmm... by phyrexianshaw.ca · · Score: 4, Informative

    Fake it? Not in the last five years!
    unless you know of some BGP peers that refuse the standard peering protocol, 1) they are required to only listen to routes from known surrounding peers, 2) will not be listening to what's being advertised by your router unless you have instructed them ahead of time what AS you manage and what prefixes you will be advertising to them.

    if for some strange reason, you manage to be adjacent to a backbone CORE router, and wanted to spend a few years moving traffic from core's to edges of the internet, you could start injecting routes for a short span of time after having been trusted and your metric's lowered, (at some point BGP will fail to converge and your advertisements will begin being ignored by the AS)

    for research purposes here in Canada, we have access to a major core router, and are able to inject routes to get traffic routed through a particular peer for a few minutes at a time. wirecapping the lines at that router, we can then monitor for organisational security compliance for penetration testing. (you'd be surprised how often usernames and passwords get sent in clear text, or how often people THINK intra building traffic is being encrypted via a VPN only to find out it's badly midconfigured.)

    I too am far from all knowing on the ins and outs of global BGP, but every peering agreement I've read (from about twelve countries and almost a hundred cities) have always been the same. "you are required to listen to ASxxxxx for advertisments for this super block, you are required to listen to these private peers with multi-homing agreements, you are required to advertise with the AS number assigned to you only, you are required to advertise only the prefixes you privately manage, and to contact and update the peers directly adjacent to you if assigned a new superblock. etc"

  2. It was a Cisco bug in a specific model of router by rwyoder · · Score: 5, Informative

    http://www.cisco.com/en/US/products/products_security_advisory09186a0080b4411f.shtml

  3. Re:Hmm... by phyrexianshaw.ca · · Score: 4, Informative

    What "big boys" are you talking about?

    for every major carrier that I've worked with, filtering isn't optional, it's mandatory.

    at the tier one level, Qwest, AT&T, Sprint and L3 all dampen their allowable routes to what they know the immediate peers will advertise. at tier two, there will be many smaller ISP's who will haply pass routes to whomever wants to advertise them, but is not going to be listening to BGP messages on customer facing ports. (unless that customer has already made an agreement with that peer to make an AS entry on both sides)