[111942] in North American Network Operators' Group
Re: anyone else seeing very long AS paths?
daemon@ATHENA.MIT.EDU (Mike Lewinski)
Tue Feb 17 14:02:54 2009
Date: Tue, 17 Feb 2009 12:02:50 -0700
From: Mike Lewinski <mike@rockynet.com>
To: nanog@nanog.org
In-Reply-To: <20090217185434.GA9548@ajax.opentransit.net>
Errors-To: nanog-bounces@nanog.org
German Martinez wrote:
> Workaround: Configure the bgp maxas limit command in such
> a way that the maximum length of the AS path is a value below 255. When the
> router receives an update with an excessive AS path value, the prefix is
> rejected and the event is recorded in the log.
>
> This workaround has been suggested previously by Hank.
>
> Does anyone know about any possible CPU impacts in case you implement
> bgp maxas?
bgp max-as will NOT protect you from this exploit (but if you are not
vulnerable it should prevent you from propagating it).
As far as I can tell the ONLY defense for a vulnerable IOS is to not run
BGP. Dropping every received route with a filter on 0/0 does not
mitigate the attack - as soon as that bogus as-path is received the BGP
session resets, even if the route is never actually installed (and as
far as I can tell the only real effect of the "bgp maxas-limit 75" is to
cause all paths with more than 75 ASNs to not be installed in the routing
table).
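An added illustration (not part of the thread, nor Cisco's code) of the point under discussion: a maxas-limit style check is applied to the AS_PATH after the UPDATE has already been parsed, so it decides only whether a prefix is installed. The parser below follows the RFC 4271 AS_PATH encoding, where each segment's length field is one octet (at most 255 ASNs per segment) but segments can be chained, so a total path well over 255 ASNs is still well-formed; the hop-counting rule (every ASN in every segment counted once) is an assumption, and the sample paths are constructed.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment types (RFC 4271)

def build_as_path(segments, asn_size=2):
    """Encode (seg_type, [asns]) tuples as an AS_PATH attribute value (test input)."""
    fmt = ">H" if asn_size == 2 else ">I"
    out = bytearray()
    for seg_type, asns in segments:
        if len(asns) > 255:  # the segment length field is a single octet
            raise ValueError("too many ASNs for one segment; chain segments instead")
        out += bytes([seg_type, len(asns)])
        for asn in asns:
            out += struct.pack(fmt, asn)
    return bytes(out)

def parse_as_path(attr, asn_size=2):
    """Decode an AS_PATH attribute value into (seg_type, [asns]) tuples."""
    fmt = ">H" if asn_size == 2 else ">I"
    segs, i = [], 0
    while i < len(attr):
        if i + 2 > len(attr):
            raise ValueError("truncated segment header")
        seg_type, count = attr[i], attr[i + 1]
        i += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        end = i + count * asn_size
        if end > len(attr):
            raise ValueError("truncated segment body")
        asns = [struct.unpack(fmt, attr[j:j + asn_size])[0]
                for j in range(i, end, asn_size)]
        segs.append((seg_type, asns))
        i = end
    return segs

def as_path_hops(segs):
    """Total ASN count across all segments (assumed counting rule)."""
    return sum(len(asns) for _, asns in segs)

def accept_update(attr, maxas_limit=75, asn_size=2):
    """Return (accepted, hop_count): the prefix is dropped above maxas_limit."""
    hops = as_path_hops(parse_as_path(attr, asn_size))
    return hops <= maxas_limit, hops

if __name__ == "__main__":
    short = build_as_path([(AS_SEQUENCE, [65001, 65002, 65003])])
    # Two chained AS_SEQUENCE segments of 200 and 100 ASNs: 300 hops, more than 255.
    long_path = build_as_path([(AS_SEQUENCE, [65000 + n for n in range(200)]),
                               (AS_SEQUENCE, [64512 + n for n in range(100)])])
    print(accept_update(short), accept_update(long_path))  # (True, 3) (False, 300)
```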