anyone else seeing very long AS paths?

German Martinez gmartine at ajax.opentransit.net
Tue Feb 17 13:20:59 CST 2009


On Tue Feb 17, 2009, Mike Lewinski wrote:

> bgp max-as will NOT protect you from this exploit (but if you are not 
> vulnerable it should prevent you from propogating it).

Are you trying to say that the receiving bgp speaker will drop the session
no matter what but it won't forward the update?

Here is what I have found on Cisco's website

bgp maxas-limit

To configure Border Gateway Protocol (BGP) to discard routes that have a
number of as-path segments that exceed the specified value,
use the bgp maxas-limit command in router configuration
mode. To return the router to default operation, use the no form of 
this command. 

Usage Guidelines

The bgp maxas-limit command is used to limit the number of as-path segments
that are permitted in inbound routes. If a route is received with an as-path
segment that exceeds the configured limit, the BGP routing process will
discard the route. 

I heard about people running this command that were not impacted 

>
> As far as I can tell the ONLY defense for a vulnerable IOS is to not run 
> BGP. Dropping every received route with a filter on 0/0 does not mitigate 
> the attack - as soon as that bogus as-path is received the BGP session 
> resets, even if the route is never actually installed (and as far as I can 
> tell the only real effect of the "bgp maxas-limit 75" is to cause all paths 
> with more than 75 ASN to not be installed in the routing table).
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20090217/1fbf60af/attachment.bin>


More information about the NANOG mailing list