[nsp-sec] Why do a route hijack for 1 second?

Danny McPherson danny at tcb.net
Wed Jul 22 04:31:31 EDT 2009


On Jul 20, 2009, at 11:09 AM, Hank Nussbacher wrote:

> On Mon, 20 Jul 2009, Chris Morrow wrote:
>
>> Is it possible (given the possible cron hypothesis) that this is a
>> short-term leak of some internal route (to a
>> proxy/filter-device/better path) that's leaking during nightly
>> route-filter updates?
>>
>> (so something not necessarily malicious)
>>
>> -Chris
>
> If so, why only that specific /24?   Sorry, but I see malice here  
> not mistake.

We had just this problem when I was at Q quite a while back.
Any ACL was being updated (wiped and replaced) and it would
occur sporadically while the 60 second periodic BGP redistribution
timer was running.  The routes would leak, and then be withdrawn
in the next cycle - not one second, slightly more, but rippling
MRAI values could trigger behavior such as this as well.

Of course, Occam's razor usually triumphs,

-danny
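
Added example, not part of the original thread or any poster's code: one way to test the cron/timer hypothesis discussed above against a BGP update feed is to extract short-lived announcements per (prefix, origin) and check whether they recur at the same time of day. The record format, the 90-second lifetime threshold, the 120-second slack and the sample data are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data): (UTC time, A=announce / W=withdraw, prefix, origin AS).
# Prefixes and AS numbers come from the documentation ranges.
SAMPLE_UPDATES = [
    ("2009-07-17 02:00:03", "A", "192.0.2.0/24", 64500),
    ("2009-07-17 02:00:04", "W", "192.0.2.0/24", 64500),
    ("2009-07-18 02:00:02", "A", "192.0.2.0/24", 64500),
    ("2009-07-18 02:00:04", "W", "192.0.2.0/24", 64500),
    ("2009-07-19 02:00:05", "A", "192.0.2.0/24", 64500),
    ("2009-07-19 02:00:06", "W", "192.0.2.0/24", 64500),
    ("2009-07-19 09:14:00", "A", "198.51.100.0/24", 64501),
    ("2009-07-19 17:40:00", "W", "198.51.100.0/24", 64501),
    ("2009-07-20 13:37:10", "A", "203.0.113.0/24", 64502),
    ("2009-07-20 13:37:11", "W", "203.0.113.0/24", 64502),
]

def short_lived(updates, max_lifetime=90):
    """Map (prefix, origin) -> [(announce_time, lifetime_s)] for routes withdrawn
    within max_lifetime seconds (assumed threshold: one 60 s cycle plus slack)."""
    open_at, hits = {}, defaultdict(list)
    for ts, kind, prefix, origin in sorted(updates):
        key = (prefix, origin)
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if kind == "A":
            open_at.setdefault(key, t)  # keep the first announce of an episode
        elif key in open_at:
            start = open_at.pop(key)
            life = (t - start).total_seconds()
            if life <= max_lifetime:
                hits[key].append((start, life))
    return dict(hits)

def recurs_daily(events, slack=120, min_days=3):
    """True if the events span >= min_days dates at the same time of day (+/- slack s).
    Windows that straddle midnight are not handled here."""
    if len({t.date() for t, _ in events}) < min_days:
        return False
    secs = [t.hour * 3600 + t.minute * 60 + t.second for t, _ in events]
    return max(secs) - min(secs) <= slack

def classify(updates):
    """Label each short-lived (prefix, origin) as 'periodic' or 'one-off'."""
    return {k: "periodic" if recurs_daily(v) else "one-off"
            for k, v in short_lived(updates).items()}

if __name__ == "__main__":
    for key, label in classify(SAMPLE_UPDATES).items():
        print(key, label)
```

A "periodic" label is consistent with a scheduled filter update racing a redistribution timer; it is a lead for the originating network to check, not a verdict on intent.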




