BGP injecting long ASN path

Danilo Dy
VIP Alumni

Has anyone experienced this? I saw ASN 39625 and 47868.

Accepted Solutions

Hello Maria,

just a little note:

there is a process level command

router bgp xxx

bgp maxas-limit ?

<1-2000> Number of ASes in the AS-PATH attribute

this is from a GSR with prp and 12.0.32SY6

this makes the application of the command easier.

I'm suggesting that my customer implement it with value 75, as reported in the forums you have linked

to see the effects of this issue see

Just as a follow-up -- and in case anyone hasn't read these yet:

http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml

http://asert.arbornetworks.com/2009/02/ahh-the-ease-of-introducing-global-routing-instability/

this command should become part of BGP best practice even if it doesn't resolve any case as explained by Ivan Pepelnjak

Hope to help

Giuseppe


royalblues
Level 10

Could you please be more specific?

Narayan

Like this. What could be the possible reason?

Date Time: %BGP-6-ASPATH: Long AS path wwww xxxx yyyy zzzz 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625...

Date Time: %BGP-6-ASPATH: Long AS path wwww xxxx yyyy zzzz 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868...

Date Time: %BGP-6-BIGCHUNK: Big chunk pool request (524) for aspath. Replenishing with malloc

This doesn't look good whether it is intentional (attack) or unintentional (misconfiguration). You may need to use the bgp maxas-limit command to keep your router stable, until we can have the time to explore this further:

http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp1.html#wp1013932
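
An added example, not part of any post in this thread and not Cisco code: a small Python triage of the `%BGP-6-ASPATH` messages quoted above against a `bgp maxas-limit` value. The sample lines are constructed, ASNs 64496-64499 are documentation placeholders for the masked hops, and the 10-repeat prepend threshold is an assumption.

```python
import re
from itertools import groupby

ASPATH_RE = re.compile(r"%BGP-6-ASPATH: Long AS path (?P<path>.+)$")

def parse_long_aspath(line):
    """Return (hops, truncated) for a %BGP-6-ASPATH line, None for any other message."""
    m = ASPATH_RE.search(line.strip())
    if not m:
        return None
    path = m.group("path")
    truncated = path.endswith("...")   # the logged path was cut short
    return path.rstrip(". ").split(), truncated

def longest_prepend(hops):
    """Return (asn, count) for the longest back-to-back repetition of one ASN."""
    runs = [(asn, len(list(grp))) for asn, grp in groupby(hops)]
    return max(runs, key=lambda r: r[1], default=(None, 0))

def assess(line, maxas_limit=75, prepend_alert=10):
    """Classify one log line. Assumes the limit counts ASNs in the path, as the
    CLI help quoted in the thread puts it; prepend_alert is an arbitrary threshold."""
    parsed = parse_long_aspath(line)
    if parsed is None:
        return None
    hops, truncated = parsed
    asn, run = longest_prepend(hops)
    if len(hops) > maxas_limit:
        verdict = "over-limit"
    elif truncated:
        verdict = "unknown"            # logged length is only a lower bound
    else:
        verdict = "within-limit"
    return {"min_length": len(hops), "truncated": truncated, "prepender": asn,
            "run": run, "excessive_prepend": run >= prepend_alert, "limit": verdict}

# Constructed sample lines modelled on the messages in this thread; 64496-64499 are
# documentation ASNs standing in for the masked hops (wwww xxxx yyyy zzzz).
PREFIX = "Date Time: %BGP-6-ASPATH: Long AS path "
SAMPLE = [
    PREFIX + "64496 64497 64498 64499 " + " ".join(["39625"] * 28) + "...",
    PREFIX + "64496 " + " ".join(["47868"] * 79),
    "Date Time: %BGP-6-BIGCHUNK: Big chunk pool request (524) for aspath. Replenishing with malloc",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(assess(entry))
```

A truncated log entry only gives a lower bound on the path length, so the "unknown" verdict means the route has to be checked in the BGP table itself before concluding it is under the limit.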

Hi Maria,

Thank you for your reply.

I'll definitely follow your recommendation. Currently analyzing what is the best maximum :)

I currently deny the entry of those two ASNs.

Thanks,

Dandy

Nice thought. I was considering the worst case of many routes being polluted.

Certainly seems to be a problem... I don't think anyone would add an AS-Path prepend so many times

Narayan

Hi Narayan,

I heard that some routers crash, but I haven't experienced this and have no first-hand information about it.

I just noticed that when this is happening, the internet is very slow, to the extent that some websites are inaccessible.

Regards,

Dandy

More people seem to be having the same problem

http://www.gossamer-threads.com/lists/cisco/nsp/103838

Narayan

I wonder if this is:

- something to do with 4-byte asn

- new bugs/security exploit

- someone invented a machine able to prepend 250+ times :)

Any side-effects with such practice are to be expected. It is effectively an attack (whether minor or severe) on the internet.

Those 2 ASs seem valid in RIPE NCC database. Are you seeing any other logs or issues?

You may want to read this article about practical BGP security:

http://www.networkworld.com/community/node/37729

"Preventing long AS paths from causing problems for our routers. Use this command to restrict the maximum length of the AS paths received.

bgp maxas-limit 50"

You may also like to read this discussion:

http://www.gossamer-threads.com/lists/nanog/users/109412

It is more free-style than the way we are used to expressing ourselves in here, but still fun :-)

Hi Maria,

Thanks again for the links :)

From what I understand there is a default maxas-limit of 75 starting from IOS version 12.2

Thanks,

Dandy

The link posted by Narayan from NSP was referring to this ongoing issue. People there also refer to the relevant NANOG discussion:

http://www.gossamer-threads.com/lists/nanog/users/112553

The older link I posted previously has more information about the reasoning behind such acts. Some guy there suggested preferring routes with extreme prepends by setting local preference to 1000 :-)))

p.s. It seems this has alerted many NOCs and Cisco as well. Device reaction depends on the device and code. Some people try to keep the world adrenaline levels high.

Is it also advisable to upgrade the IOS to a certain version to protect the network from this event?

Please try to reply at the end of the thread. People normally expect new posts to appear at the bottom. If your post appears somewhere in the middle, they might fail to see it or have a hard time understanding the sequence of the posts overall.
