anyone else seeing very long AS paths?

Mike Lewinski mike at rockynet.com
Tue Feb 17 13:02:50 CST 2009


German Martinez wrote:

> Workaround: Configure the bgp maxas limit command in such
> as way that the maximum length of the AS path is a value below 255. When the
> router receives an update with an excessive AS path value, the prefix is
> rejected and recorded the event in the log.
> 
> This workaround has been suggested previously by Hank.
> 
> Anyone knows about any possible CPU impacts in case that you implement 
> bgp maxas?

bgp max-as will NOT protect you from this exploit (but if you are not 
vulnerable it should prevent you from propogating it).

As far as I can tell the ONLY defense for a vulnerable IOS is to not run 
BGP. Dropping every received route with a filter on 0/0 does not 
mitigate the attack - as soon as that bogus as-path is received the BGP 
session resets, even if the route is never actually installed (and as 
far as I can tell the only real effect of the "bgp maxas-limit 75" is to 
cause all paths with more than 75 ASN to not be installed in the routing 
table).





More information about the NANOG mailing list