North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Level3 routing issues?
- From: Jack Bates
- Date: Tue Jan 28 09:39:12 2003
> So far it's been visible as an apparently accidental byproduct of an
> with other goals. Are you willing to bet your bifocals that the same
> mechanism can't be weaponized and used against the routing infrastructure
> directly in the future?
Yet the question becomes the reasoning behind it. How much is a direct
result of the worm and how much is a result of actions based on the NE's?
The other question is BGP deployment within smaller networks. I've seen a
lot of different BGP configs handed down from reputable NEs to smaller
businesses and ISPs. Unfortunately, the configs are usually comparable to
what you'd use in a network that has peers beneath it versus what a network
that only has two uplinks requires (ie, AS filtering not really required).
It is quite common that /24 networks listed on connected interfaces not be
null routed which has it's good points and bad. When you lose the interface,
the traffic will stop at the local ISP's BGP routers if using ARIN assigned
addresses or it will stop at the upstream provider's routers due to
aggregates if using their IPs. In general, unless cost is an issue, it's
usually good to let the packet come all the way to your network. It makes
external troubleshooting easier and keeps BGP stable so long as the peering
connection isn't lost. Of course, people need to learn to use metrics when
doing null routes. Some people forget they exist. :)
BGP update storms are enough to drop some peering sessions due to
underpowered routers. Some large providers reject updates if the network
goes critical in order to keep traffic manageable while the problem is
determined and rectified. So while I do agree that the worms themselves hold
some sway over the BGP activity, the same lack of preparation that allowed
the worm to run so rampant can also be seen in the networks themselves.
I personally have dealt with enough DOS/DDOS attacks that I have a emergency
plan in place which allows as much control over the network from remote
without depending on the network itself. I have an understanding of how my
network is effected by different loads and which direction cascade failures
will go. Luckily, I have a relatively small network, yet such an
understanding and research should exist for any network regardless of size.
The records of both worms should be indications of the weak points in