BGP injecting long ASN path

Answered Question
Feb 16th, 2009
User Badges:
  • Blue, 1500 points or more

Has anyone experienced this? I saw ASN 39625 and 47868.



royalblues Tue, 02/17/2009 - 00:42
User Badges:
  • Green, 3000 points or more

Could you please be more specific?



Narayan

Danilo Dy Tue, 02/17/2009 - 00:48
User Badges:
  • Blue, 1500 points or more

Like this. What could be the possible reason?


Date Time: %BGP-6-ASPATH: Long AS path wwww xxxx yyyy zzzz 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625...


Date Time: %BGP-6-ASPATH: Long AS path wwww xxxx yyyy zzzz 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868...


Date Time: %BGP-6-BIGCHUNK: Big chunk pool request (524) for aspath. Replenishing with malloc


Danilo Dy Tue, 02/17/2009 - 01:03
User Badges:
  • Blue, 1500 points or more

Hi Maria,


Thank you for your reply.


I'll definitely follow your recommendation. Currently analyzing what is the best maximum :)


I currently deny the entry of those two ASNs.


Thanks,

Dandy

marikakis Tue, 02/17/2009 - 01:06
User Badges:
  • Gold, 750 points or more

Nice thought. I was considering the worst case of many routes being polluted.

royalblues Tue, 02/17/2009 - 01:21
User Badges:
  • Green, 3000 points or more

Certainly seems to be a problem... I don't think anyone would add an AS-path prepend so many times.


Narayan

Danilo Dy Tue, 02/17/2009 - 01:26
User Badges:
  • Blue, 1500 points or more

Hi Narayan,


I heard that some routers crash, but I don't experience this and have no first-hand information about it.


I just notice that when this is happening, the internet is very slow, to the extent that some websites are inaccessible.


Regards,

Dandy

Danilo Dy Tue, 02/17/2009 - 01:51
User Badges:
  • Blue, 1500 points or more

I wonder if this is:

- something to do with 4-byte asn

- new bugs/security exploit

- someone invented a machine able to prepend 250+ times :)

marikakis Tue, 02/17/2009 - 01:50
User Badges:
  • Gold, 750 points or more

Any side-effects with such a practice are to be expected. It is effectively an attack (whether minor or severe) on the internet.


Those 2 ASs seem valid in RIPE NCC database. Are you seeing any other logs or issues?


You may want to read this article about practical BGP security:

http://www.networkworld.com/community/node/37729

"Preventing long AS paths from causing problems for our routers. Use this command to restrict the maximum length of the AS paths received.


bgp maxas-limit 50"


You may also like to read this discussion:

http://www.gossamer-threads.com/lists/nanog/users/109412

It is more free-style than the way we are used to expressing ourselves in here, but still fun :-)

Danilo Dy Tue, 02/17/2009 - 01:54
User Badges:
  • Blue, 1500 points or more

Hi Maria,


Thanks again for the links :)


From what I understand there is a default maxas-limit of 75 starting from IOS version 12.2


Thanks,

Dandy

marikakis Tue, 02/17/2009 - 02:31
User Badges:
  • Gold, 750 points or more

The link posted by Narayan from NSP was referring to this ongoing issue. People there also refer to the relevant NANOG discussion:

http://www.gossamer-threads.com/lists/nanog/users/112553

The older link I posted previously has more information about the reasoning behind such acts. Some guy there suggested preferring routes with extreme prepends by setting local preference to 1000 :-)))


p.s. It seems this has alerted many NOCs and cisco as well. Device reaction depends on the device and code. Some people try to keep the world adrenaline levels high.

greg.loria Tue, 02/17/2009 - 20:55
User Badges:

Is it also advisable to upgrade the IOS to a certain version to protect the network from this event?

marikakis Wed, 02/18/2009 - 02:13
User Badges:
  • Gold, 750 points or more

Please try to reply at the end of the thread. People normally expect new posts to appear at the bottom. If your post appears somewhere in the middle, they might fail to see it or have a hard time to understand the sequence of the posts overall.

Mohamed Sobair Tue, 02/17/2009 - 02:31
User Badges:
  • Gold, 750 points or more


Hello Maria,


Your description seems to be very useful..


From my point of view, it's a sign of an AS being a transit.


Applying the appropriate filtering in place, besides limiting the AS path length, should be sufficient.



HTH

Mohamed

marikakis Tue, 02/17/2009 - 02:56
User Badges:
  • Gold, 750 points or more

The most common reasoning behind this is to prepend enough times so that nobody prefers it, until your primary path fails. It is an extreme way of controlling the incoming traffic to the AS (no inbound traffic at all), which is the hardest thing to control on the internet with conflicting interests between parties. But here is the thing: if internet goes down, you won't be receiving traffic on your primary path either ;-)

marikakis Tue, 02/17/2009 - 03:03
User Badges:
  • Gold, 750 points or more

Mohamed, I do not agree that this is a sign of an AS being a transit. For this to happen, the AS should attract traffic by advertising blocks that have not been assigned to it. This is more severely controlled (or I hope so). There were not many blocks advertised in this case, as far as I understand up to now.

Mohamed Sobair Tue, 02/17/2009 - 03:15
User Badges:
  • Gold, 750 points or more


Maria,


Prepending the AS path will certainly cause this.. But don't you agree that if the AS is being a transit AS, it will cause similar behaviour?


HTH

Mohamed

marikakis Tue, 02/17/2009 - 03:22
User Badges:
  • Gold, 750 points or more

Being unintentionally transit is not good either. Causes blackholing of traffic and hopefully brings down the AS that attracted the traffic fast enough to alert its own administrators to fix their configuration ;-) In this case, they had to be alerted by others.

marikakis Wed, 02/18/2009 - 02:37
User Badges:
  • Gold, 750 points or more

It seems that we have yet another good article by Ivan Pepelnjak about this issue:

http://blog.ioshints.info/2009/02/protect-your-network-with-bgp-maxas.html


Greg, I would not be in a hurry to upgrade IOS, because it seems there are unresolved issues associated with this problem even in later versions. Those are reported here:

http://www.gossamer-threads.com/lists/cisco/nsp/103840#103840

http://wiki.nil.com/Limit_the_maximum_BGP_AS-path_length


As a first step, I would say that your version should be recent enough for you to be able to set the bgp maxas-limit. Note that it might be a hidden command in some older IOS (neighbor maxas-limit).


I suppose cisco might soon provide an answer for this and ISPs will try to enforce some sanity checks for their clients. This prepend might have been extreme, but the entire responsibility for the end result does not belong to a single person I believe.

Correct Answer
Giuseppe Larosa Wed, 02/18/2009 - 03:26
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member

Hello Maria,

just a little note:

there is a process level command


router bgp xxx

bgp maxas-limit ?

<1-2000> Number of ASes in the AS-PATH attribute


this is from a GSR with prp and 12.0.32SY6


this makes the application of the command easier.


I'm suggesting my customer to implement it with value 75 as reported in the forums you have linked


to see the effects of this issue see


Just as a follow-up -- and in case anyone hasn't read these yet:


http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml

http://asert.arbornetworks.com/2009/02/ahh-the-ease-of-introducing-global-routing-instability/


this command should become part of BGP best practice even if it doesn't resolve any case as explained by Ivan Pepelnjak



Hope to help

Giuseppe
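The log excerpt Dandy posted earlier and the bgp maxas-limit discussion above both come down to one question: how long are the AS paths actually arriving, and which of them would a given limit discard? The script below is an added example, not code from this thread or from Cisco; it parses %BGP-6-ASPATH "Long AS path" syslog lines, reports path length and the number of trailing prepends per origin AS, and evaluates candidate maxas-limit values against what was seen. The log lines are constructed for the example, modelled on the messages quoted in the thread; the four leading ASNs 64496-64499 are RFC 5398 documentation ASNs standing in for the "wwww xxxx yyyy zzzz" placeholders. The drop rule (discard when the path holds more ASNs than the limit) is this example's reading of the command, not a quotation of Cisco documentation.

```python
"""Parse Cisco %BGP-6-ASPATH "Long AS path" syslog lines and evaluate a
candidate `bgp maxas-limit` value against them.

Added example, not from the original thread. Sample log lines are constructed;
the drop rule below (length > limit) is an assumption about the command.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Path may be cut short by the logger with "...", as in the thread's excerpt.
ASPATH_RE = re.compile(
    r"%BGP-6-ASPATH: Long AS path (?P<path>[0-9 ]+?)(?P<trunc>\.\.\.)?\s*$"
)


@dataclass(frozen=True)
class LongPath:
    path: tuple        # AS numbers in the order logged (origin AS last)
    truncated: bool    # message ended with "...", so the real path may be longer

    @property
    def length(self):
        return len(self.path)

    @property
    def origin_as(self):
        return self.path[-1]

    @property
    def origin_prepends(self):
        # consecutive copies of the origin ASN at the tail of the path
        n = 0
        for asn in reversed(self.path):
            if asn != self.origin_as:
                break
            n += 1
        return n


def parse_long_paths(log_text):
    """Return a LongPath for every %BGP-6-ASPATH line; other messages are skipped."""
    found = []
    for line in log_text.splitlines():
        m = ASPATH_RE.search(line)
        if not m:
            continue  # e.g. %BGP-6-BIGCHUNK carries no AS path
        asns = tuple(int(tok) for tok in m.group("path").split())
        found.append(LongPath(asns, m.group("trunc") is not None))
    return found


def would_be_dropped(length, maxas_limit):
    # Assumed semantics: an update is discarded when its AS path has MORE
    # ASNs than the configured limit; a path of exactly the limit is kept.
    return length > maxas_limit


def evaluate_limit(paths, maxas_limit):
    """How many of the observed long paths a given maxas-limit would discard."""
    dropped = sum(1 for p in paths if would_be_dropped(p.length, maxas_limit))
    return {"limit": maxas_limit, "dropped": dropped, "kept": len(paths) - dropped}


def noisiest_origins(paths):
    """Count long-path reports per origin AS (who is sending the extreme prepends)."""
    return Counter(p.origin_as for p in paths)


def build_sample_log():
    """Constructed syslog text, modelled on the thread's excerpt (not real data)."""
    def line(ts, origin, repeats, truncated=False):
        asns = ["64496", "64497", "64498", "64499"] + [str(origin)] * repeats
        tail = "..." if truncated else ""
        return f"{ts}: %BGP-6-ASPATH: Long AS path {' '.join(asns)}{tail}"

    return "\n".join([
        line("Feb 17 00:40:01.001", 39625, 80),
        line("Feb 17 00:40:02.002", 47868, 60, truncated=True),
        "Feb 17 00:40:02.500: %BGP-6-BIGCHUNK: Big chunk pool request (524) "
        "for aspath. Replenishing with malloc",
        line("Feb 17 00:41:10.010", 39625, 120),
    ])


if __name__ == "__main__":
    paths = parse_long_paths(build_sample_log())
    for p in paths:
        note = " (message truncated, real path may be longer)" if p.truncated else ""
        print(f"origin AS{p.origin_as}: {p.length} ASNs, {p.origin_prepends} prepends{note}")
    for limit in (50, 75):
        print(evaluate_limit(paths, limit))
    print("reports per origin AS:", noisiest_origins(paths).most_common())
```

Run it against a real syslog export in place of build_sample_log() and the two numbers to read are the longest path that is still a legitimate route and the count of reports per origin AS; the first bounds how low a maxas-limit value can safely go (the thread mentions 50 and 75), the second shows whether the noise comes from one origin or many. A truncated message is flagged rather than trusted, because its length is a lower bound, not the real path length.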


marikakis Wed, 02/18/2009 - 04:25
User Badges:
  • Gold, 750 points or more

Giuseppe,


Yes, I suggested the process level command too in my first post, and I agree that it makes life easier in many cases. A more granular approach per neighbor would be targeted towards environments with very specific needs. The per-neighbor command I referred to in my previous post has to do with the potential of a hidden command in older IOS versions, in case anyone needs to explore the possibility of applying a temporary workaround without changing IOS. This per-neighbor hidden command is mentioned in ISP Essentials, which has been published for some years now and I don't know if a process level hidden command is also available in those versions.


The best practices are known to ISP communities for years, but it seems that a push is always needed for actual measures to be taken.


Kind Regards,

Maria

marikakis Wed, 02/18/2009 - 05:35
User Badges:
  • Gold, 750 points or more

Giuseppe,


I just read the first thread you posted. OK, the first reaction of most people would be to blame the originating AS or people who do not maintain their router's software and suggest that some people get a BGP licence (like we get a driver's licence). They could also blame cisco and the IETF. I would expect in any of the threads I read up to now to see a little bit more sense of responsibility from SPs in general. If SPs had done the right thing (and they knew what is reasonable and what is not), it would be impossible for such routes to propagate no matter how reckless a single AS is. I think the suggestion of everyone becoming a BGP expert is unreasonable. After all, a common saying in SP related material is the following: "do not expect that everyone will play by your rules". As long as this attitude of not accepting responsibility goes on, we will keep seeing such things happening. If people that know the best practice do not enforce it, how can they possibly ask for others to know what they know? If "knowing" does not mean "doing", it is useless anyway.


Kind Regards,

Maria


p.s. And just in case some SPs did not know, it seems there will be many candidates for the suggested BGP licence. Still, the messages in the forums suggest the ISP engineers see the warnings on their consoles and even get bored of exploring who sends insane updates at any given time.
