02-16-2009 11:33 PM - edited 03-04-2019 03:35 AM
Has anyone experienced this? I saw ASN 39625 and 47868
02-18-2009 03:26 AM
Hello Maria,
just a little note:
there is a process level command
router bgp xxx
bgp maxas-limit ?
<1-2000> Number of ASes in the AS-PATH attribute
this is from a GSR with prp and 12.0.32SY6
this makes the application of the command easier.
I'm suggesting my customer to implement it with value 75 as reported in the forums you have linked
to see the effects of this issue see
Just as a follow-up -- and in case anyone hasn't read these yet:
http://www.renesys.com/blog/2009/02/the-flap-heard-around-the-worl.shtml
http://asert.arbornetworks.com/2009/02/ahh-the-ease-of-introducing-global-routing-instability/
this command should become part of BGP best practice even if it doesn't resolve any case as explained by Ivan Pepelnjak
Hope to help
Giuseppe
02-17-2009 12:42 AM
Could you please be more specific ?
Narayan
02-17-2009 12:48 AM
Like this. What could be the possible reason?
Date Time: %BGP-6-ASPATH: Long AS path wwww xxxx yyyy zzzz 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625 39625
39625 39625 39625 39625...
Date Time: %BGP-6-ASPATH: Long AS path wwww xxxx yyyy zzzz 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868...
Date Time: %BGP-6-BIGCHUNK: Big chunk pool request (524) for aspath. Replenishing with malloc
02-17-2009 12:59 AM
This doesn't look good whether it is intentional (attack) or unintentional (misconfiguration). You may need to use the bgp maxas-limit command to keep your router stable, until we can have the time to explore this further:
http://www.cisco.com/en/US/docs/ios/iproute/command/reference/irp_bgp1.html#wp1013932
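An added example, not part of the original thread and not Cisco code: a small triage script for `%BGP-6-ASPATH` messages of the kind quoted in this thread, reporting which ASN is prepending, how long the run is, and whether the path would be over a chosen limit. The function names, the timestamps, the leading ASNs 64496-64498 and the run lengths are constructed for illustration; the limit is modelled as a plain count of ASNs in the path, with 75 taken from the value discussed in the thread.

```python
import re
from itertools import groupby

# Message prefix as it appears in the logs quoted in this thread.
ASPATH_MSG = re.compile(
    r"%BGP-6-ASPATH: Long AS path (?P<path>[\d\s]+?)(?P<cut>\.\.\.)?\s*$")

def parse_long_aspath(line):
    """Return (asns, truncated) for a %BGP-6-ASPATH line, None for other messages."""
    m = ASPATH_MSG.search(line)
    if not m:
        return None
    return [int(a) for a in m.group("path").split()], m.group("cut") is not None

def longest_prepend(asns):
    """Return (asn, run_length) for the longest run of one repeated ASN."""
    runs = [(asn, len(list(group))) for asn, group in groupby(asns)]
    return max(runs, key=lambda r: r[1]) if runs else (None, 0)

def exceeds_maxas(asns, limit=75):
    """Assumed model of the limit: count every ASN in the path, prepends included."""
    return len(asns) > limit

def triage(lines, limit=75):
    """Summarise each long-path message; other log messages are skipped."""
    report = []
    for line in lines:
        parsed = parse_long_aspath(line)
        if parsed is None:
            continue
        asns, truncated = parsed
        asn, run = longest_prepend(asns)
        report.append({
            "prepender": asn,
            "run": run,
            "seen": len(asns),          # a lower bound when truncated is True
            "truncated": truncated,     # message ended in "..."
            "over_limit": exceeds_maxas(asns, limit),
        })
    return report

# Constructed sample input (timestamps, leading ASNs and run lengths are made up).
SAMPLE = [
    "Feb 16 17:00:01: %BGP-6-ASPATH: Long AS path 64496 64497 64498 "
    + " ".join(["47868"] * 80),
    "Feb 16 17:00:02: %BGP-6-ASPATH: Long AS path 64496 64497 "
    + " ".join(["39625"] * 28) + "...",
    "Feb 16 17:00:03: %BGP-6-BIGCHUNK: Big chunk pool request (524) for aspath. "
    "Replenishing with malloc",
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A message that ends in `...` only shows part of the path, so `over_limit` for such a line can be a false negative and the full path should be checked on the router.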
02-17-2009 01:03 AM
Hi Maria,
Thank you for your reply.
I'll definitely follow your recommendation. Currently analyzing what is the best maximum :)
I currently deny the entry of those two ASNs.
Thanks,
Dandy
02-17-2009 01:06 AM
Nice thought. I was considering the worst case of many routes being polluted.
02-17-2009 01:21 AM
Certainly seems to be a problem... I don't think anyone would add an AS-Path prepend so many times
Narayan
02-17-2009 01:26 AM
Hi Narayan,
I heard that some router crashes, but I don't experience this and no first hand information about this.
I just notice that when this is happening, the internet is very slow to some extent that some websites are inaccessible.
Regards,
Dandy
02-17-2009 01:45 AM
More people seem to be having the same problem
http://www.gossamer-threads.com/lists/cisco/nsp/103838
Narayan
02-17-2009 01:51 AM
I wonder if this is;
- something to do with 4-byte asn
- new bugs/security exploit
- someone invented a machine able to prepend 250+ times :)
02-17-2009 01:50 AM
Any side-effects with such practice are to be expected. It is effectively an attack (whether minor or severe) to the internet.
Those 2 ASs seem valid in RIPE NCC database. Are you seeing any other logs or issues?
You may want to read this article about practical BGP security:
http://www.networkworld.com/community/node/37729
"Preventing long AS paths from causing problems for our routers. Use this command to restrict the maximum length of the AS paths received.
bgp maxas-limit 50"
You may also like to read this discussion:
http://www.gossamer-threads.com/lists/nanog/users/109412
It is more free-style than we are used to express ourselves in here, but still fun :-)
02-17-2009 01:54 AM
Hi Maria,
Thanks again for the links :)
From what I understand there is a default maxas-limit of 75 starting from IOS version 12.2
Thanks,
Dandy
02-17-2009 02:31 AM
The link posted by Narayan from NSP was referring to this ongoing issue. People there also refer to the relevant NANOG discussion:
http://www.gossamer-threads.com/lists/nanog/users/112553
The older link I posted previously has more information about the reasoning behind such acts. Some guy there suggested preferring routes with extreme prepends by setting local preference to 1000 :-)))
p.s. It seems this has alerted many NOCs and cisco as well. Device reaction depends on the device and code. Some people try to keep the world adrenaline levels high.
02-17-2009 08:55 PM
Is it also advisable to upgrade the IOS to a certain version to protect the network from this event?
02-18-2009 02:13 AM
Please try to reply at the end of the thread. People normally expect new posts to appear at the bottom. If your post appears somewhere in the middle, they might fail to see it or have a hard time to understand the sequence of the posts overall.