North American Network Operators Group


Re: Level3 routing issues?

  • From: cowie
  • Date: Tue Jan 28 10:39:27 2003

> > So far it's been visible as an apparently accidental byproduct of an attack
> > with other goals.  Are you willing to bet your bifocals that the same
> > mechanism can't be weaponized and used against the routing infrastructure
> > directly in the future?
> >
> 
> Yet the question becomes the reasoning behind it. How much is a direct
> result of the worm and how much is a result of actions based on the NE's?

Good question. Null routing of traffic destined to a network with a BGP
interface on it will cause the session to drop. That is a BGP effect due
to engineers' actions, indirectly triggered by the worm.  

On the other hand, we also know (from private communications and from
other mailing lists.. ahem) that high rate and high src/dst diversity
of scans causes some network devices to fail (devices that cache flows, or
devices that suffer from cpu overload under such conditions). 

Some BGP-speaking routers (not all, by any means, but some subpopulation)
found themselves pegged at 100% CPU on Saturday.  Just one example: 

   http://noc.ilan.net.il/stats/ILAN-CPU/new-gp-cpu.html

Whether you believe "anthropogenic" explanations for the instability 
depends on how fast you believe NEs can look, think, and type, compared
to the speed with which the BGP announcement and withdrawal rates are 
observed to take off.  For my part, I'd bet that the long slow exponential 
decay (with superimposed spiky noise) is people at work.  But the initial 
blast is not.    

----------
James Cowie
Renesys Corporation
http://gradus.renesys.com
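
An added example, not part of the original post: a pre-change check for the effect described above, where a null route that covers a BGP peering address drops the session. The route table, peer names, addresses (documentation ranges) and the `null0` label are constructed assumptions, and ties between an existing route and a null route of equal length are treated as the null route winning, which is the conservative reading.

```python
import ipaddress

NULL = "null0"  # assumed label for a discard next hop

# Constructed sample data using documentation address ranges.
ROUTES = [
    ("192.0.2.0/30", "connected"),        # point-to-point link to peer-a
    ("198.51.100.0/24", "via 192.0.2.2"),
    ("203.0.113.0/24", "via 192.0.2.2"),
]
PEERS = {
    "peer-a": "192.0.2.2",
    "peer-b": "198.51.100.9",
    "peer-c": "203.0.113.1",
}


def lookup(table, addr):
    """Longest-prefix match; returns (network, next_hop) or None."""
    ip = ipaddress.ip_address(addr)
    matches = []
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            matches.append((net, next_hop))
    if not matches:
        return None
    # Longest prefix wins; on equal length assume the null route wins.
    return max(matches, key=lambda m: (m[0].prefixlen, m[1] == NULL))


def sessions_dropped_by(table, peers, null_prefixes):
    """Names of peers whose address would resolve to the discard route
    once the proposed null routes are installed."""
    candidate = list(table) + [(p, NULL) for p in null_prefixes]
    dropped = []
    for name, addr in sorted(peers.items()):
        hit = lookup(candidate, addr)
        if hit is not None and hit[1] == NULL:
            dropped.append(name)
    return dropped


if __name__ == "__main__":
    for proposal in (["198.51.100.0/25"], ["192.0.2.0/24"]):
        print(proposal, "->", sessions_dropped_by(ROUTES, PEERS, proposal))
```
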