[c-nsp] Research experiment disrupts Internet, for some

Pete Lumbis alumbis at gmail.com
Mon Aug 30 18:11:26 EDT 2010


I believe this issue only affects IOS-XR platforms as they corrupt this
/valid/ update going outbound. When the peer receives the corrupted update
from the IOS-XR box it resets the BGP peering relationship.

As far as publicizing, I don't think Cisco has ever told the public how
to exploit flaws that lead to DoS attacks. In the networking community at
large I think there might have been a bit of fear about having someone else
advertise this update before fixes could be rolled out. Given the nature of
BGP it could lead to some serious damage on the internet as a whole if it
continued to be injected, particularly if it was originated from multiple
points.

-Pete

On Mon, Aug 30, 2010 at 5:04 PM, Keegan Holley <keegan.holley at sungard.com> wrote:

> Is anyone else curious as to what fields/attributes they were using?  Also,
> what other vendors are or aren't affected.  I think the response to this
> event has been remarkably limited given the possibility for its use as an
> attack.  If this were Windows or Linux there would have been full disclosure
> with example exploit code by now.  Everyone seems to be content just
> upgrading their quarter million dollar routers and hoping for the best.
>
> 2010/8/30 Antonio Soares <amsoares at netcabo.pt>
>
> > Now that I have more information I can tell you that you are 100% correct.
> > So let's upgrade the IOS-XR devices first then those running IOS. I'm
> > curious to see if the IOS issue is a known or new bug.
> >
> >
> > Regards,
> >
> > Antonio Soares, CCIE #18473 (R&S/SP)
> > amsoares at netcabo.pt
> >
> >
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net
> > [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Lukasz Bromirski
> > Sent: Monday, 30 August 2010 00:18
> > To: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Research experiment disrupts Internet, for some
> >
> > On 2010-08-29 19:59, Jared Mauch wrote:
> >
> > > IOS-XR had a bug processing valid bgp updates.  This has happened
> > > in the past as well with 4-byte ASNs and other things over the
> > > years.
> >
> > [...]
> >
> > > If the software is old, they likely saw a bug.  If you don't
> > > maintain your BGP speaking devices software revisions, you will
> > > likely see problems.
> >
> > What's most probable IMHO is that the GSR dropped the session to
> > BGP-speaker which was indeed IOS-XR box, then dCEF ran out of
> > memory on the LCs (for example because of memory fragmentation or
> > some bug indeed) and the issue happened.
> >
> > This is of course based on incomplete data - if there was any
> > session directly established to IOS-XR box for starters.
> >
> > --
> > "Everything will be okay in the end.  |                 Łukasz Bromirski
> >  If it's not okay, it's not the end." |      http://lukasz.bromirski.net
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/