Well, a long as-path of 100 is certain to be invalid (the result of a misconfig if not a direct probe for a vulnerability). Would it be good to recommend that ISPs filter at some as-path size, as it's easy and does not consume router resources? What would be a good as-path size to filter on, just to be certain no valid route is filtered (just in case, allow possible growth of as-path up to 2x what it is now)?

On Mon, 31 Jan 2005, Blaine Christian wrote:

> Specifically, they have the ability to tickle a legacy cisco bug with AS
> path length. This bug was supposedly mitigated in code and I believe my
> previous company is still filtering AS path length (UUNET) of 100 or
> greater.
>
> A valid AS-Path of greater than 100 has not yet been found (which was why
> the filters were in place).
>
> On 1/31/05 8:53 AM, "Jared Mauch" <[EMAIL PROTECTED]> wrote:
>
> > On Mon, Jan 31, 2005 at 07:19:14AM +0200, Hank Nussbacher wrote:
> >>
> >> At 10:23 PM 30-01-05 -0500, Jon Lewis wrote:
> >>
> >>> Someone at fido.net having some bgp config issues?
> >>
> >> Looks like someone probing for a buffer overflow on a world-wide basis.
> >>
> >> -Hank
> >>
> >>
> >>> Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282 8282
> >>> received from ...
> >
> > Router(config-router)#bgp maxas-limit ?
> >   <1-2000>  Number of ASes in the AS-PATH attribute
> >
> > Router(config-router)#bgp maxas-limit 50
> >
> > Easy to fix/reject.
> >
> > - jared
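
An added example, not part of the thread: a small Python check that parses the `%BGP-6-ASPATH: Long AS path` syslog message quoted above and reports path length and prepending against a candidate limit. The function name, the default limit of 50 (taken from the `bgp maxas-limit 50` line in the thread), and the sample line with its 192.0.2.1 neighbor are assumptions constructed for illustration.

```python
import re
from itertools import groupby

# Matches the IOS syslog message format quoted in the thread.
LONG_PATH = re.compile(
    r"%BGP-6-ASPATH: Long AS path (?P<path>[\d ]+?)\s+received from"
)

# Constructed sample: three transit ASes followed by 60 copies of one AS.
SAMPLE = (
    "Jan 30 18:34:51 EST: %BGP-6-ASPATH: Long AS path 6461 3356 6770 "
    + "8282 " * 60
    + "received from 192.0.2.1"
)


def summarize_as_path(log_line, max_len=50):
    """Summarize a 'Long AS path' log line; return None if it does not match."""
    # Collapse whitespace so a message wrapped by a terminal or mail client
    # is parsed as a single line.
    m = LONG_PATH.search(" ".join(log_line.split()))
    if not m:
        return None
    path = [int(asn) for asn in m.group("path").split()]
    # Consecutive repeats of one AS are prepends; group them into runs.
    runs = [(asn, len(list(group))) for asn, group in groupby(path)]
    prepended_asn, longest_run = max(runs, key=lambda r: r[1])
    return {
        "length": len(path),          # what a path-length filter counts
        "distinct_hops": len(runs),   # path length with prepends collapsed
        "origin": path[-1],
        "most_prepended": prepended_asn,
        "longest_run": longest_run,
        # Assumption: a route is rejected when its AS count exceeds the limit.
        "exceeds_limit": len(path) > max_len,
    }


if __name__ == "__main__":
    print(summarize_as_path(SAMPLE))
```

Comparing `length` with `distinct_hops` separates a path that is long because of prepending from one that is long because of real topology, which is the distinction that matters when picking a filter threshold.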
