Re: Great outage of 1997 - Does anyone recall?
On Sun, 22 Feb 2009, Danny McPherson wrote:

> On Feb 22, 2009, at 10:10 PM, Christopher Morrow wrote:
>
>> On Mon, Feb 23, 2009 at 12:06 AM, Paul Wall pauldotw...@gmail.com wrote:
>>
>>> On Sun, Feb 22, 2009 at 2:57 AM, Gadi Evron g...@linuxbox.org wrote:
>>>
>>>> What was that story with an African routes some years back, any memories anyone? I am looking for a reference.
>>>
>>> 146.20.0.0/16?
>>
>> that's erie forge/steal... I think maybe Gadi's referring to the 41/8 used by an Italian DSL provider for their internal network?? (not announced outside their ASN I don't think)
>
> Or the AFOL-KE thing with Above last March:
>
> http://asert.arbornetworks.com/2008/03/africa-online-kenya-latest-internet-routing-insecurity-casuality/

Thanks for all the references!

> -danny
Re: Great outage of 1997 - Does anyone recall?
On Sun, Feb 22, 2009 at 2:57 AM, Gadi Evron g...@linuxbox.org wrote:

> What was that story with an African routes some years back, any memories anyone? I am looking for a reference.

146.20.0.0/16?

Paul
Re: Great outage of 1997 - Does anyone recall?
On Mon, Feb 23, 2009 at 12:06 AM, Paul Wall pauldotw...@gmail.com wrote:

> On Sun, Feb 22, 2009 at 2:57 AM, Gadi Evron g...@linuxbox.org wrote:
>
>> What was that story with an African routes some years back, any memories anyone? I am looking for a reference.
>
> 146.20.0.0/16?

that's erie forge/steal... I think maybe Gadi's referring to the 41/8 used by an Italian DSL provider for their internal network?? (not announced outside their ASN I don't think)

-Chris
Re: Great outage of 1997 - Does anyone recall?
On Feb 22, 2009, at 10:10 PM, Christopher Morrow wrote:

> On Mon, Feb 23, 2009 at 12:06 AM, Paul Wall pauldotw...@gmail.com wrote:
>
>> On Sun, Feb 22, 2009 at 2:57 AM, Gadi Evron g...@linuxbox.org wrote:
>>
>>> What was that story with an African routes some years back, any memories anyone? I am looking for a reference.
>>
>> 146.20.0.0/16?
>
> that's erie forge/steal... I think maybe Gadi's referring to the 41/8 used by an Italian DSL provider for their internal network?? (not announced outside their ASN I don't think)

Or the AFOL-KE thing with Above last March:

http://asert.arbornetworks.com/2008/03/africa-online-kenya-latest-internet-routing-insecurity-casuality/

-danny
Great outage of 1997 - Does anyone recall?
I recall a marvelous eighteen hour long global internet outage which I believe occurred in 1997, but this was before I'd ever touched BGP.

Does anyone have the full story on this? I'm writing an article on the recent troubles with Supro and my silly editor wants fact checking and all sorts of stuff like that ...

--
mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com
IM: nealrauhauser
Re: Great outage of 1997 - Does anyone recall?
On Feb 22, 2009, at 2:28 PM, neal rauhauser wrote:

> Does anyone have the full story on this?

http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile

Some things are just too precious to entrust to computers.

-- Seth Hanford
Re: Great outage of 1997 - Does anyone recall?
On Feb 22, 2009, at 1:39 AM, Roland Dobbins wrote:

> On Feb 22, 2009, at 2:28 PM, neal rauhauser wrote:
>
>> Does anyone have the full story on this?
>
> http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html

Avi happened to be next to me when I read the first post in this thread - and re-read it out loud. I didn't even get to the end of the first sentence before he laughed and said 7007. (Avi & Vinny owned that together back then.)

Operational content: Who still has 7007 filtered?

--
TTFN,
patrick
Re: Great outage of 1997 - Does anyone recall?
>> Does anyone have the full story on this?
>
> http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html

bottom line:

  o do not redistribute bgp into igp
  o do not redistribute dynamic igp into bgp
  o filter your peers and customers

randy
Re: Great outage of 1997 - Does anyone recall?
On Feb 21, 2009, at 10:28 PM, neal rauhauser wrote:

> Does anyone have the full story on this?

See: http://www.flix.net/

-Richard
Re: Great outage of 1997 - Does anyone recall?
On Feb 22, 2009, at 1:47 AM, Randy Bush wrote:

>>> Does anyone have the full story on this?
>>
>> http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html
>
> bottom line:
>
>   o do not redistribute bgp into igp
>   o do not redistribute dynamic igp into bgp
>   o filter your peers and customers

And don't put all your most important infrastructure stuff (e.g. name server, mail server, shell host, etc.) in the first /24 of your / shorter allocation.

The biggest problem with 7007 was not that it announced a bunch of prefixes. It is that 7007 announced _classful_ prefix (it had been filtered through RIP, remember?) with AS_PATH of ^7007$. This means if you had a 194.1.0.0/16, you saw 194.1.0.0/24 from 7007, which is more specific. Why this is bad is left as an exercise to the reader.

And, of course, the problem persisted after the router in question was actually unplugged - not powered up or attached to any fibers/cables.

Thank you Sprint for running beta code. :)

--
TTFN,
patrick
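
Added example, not part of the original thread: a small Python model of the 194.1.0.0/16 versus 194.1.0.0/24 case described in the message above, showing how longest-prefix match sends the first /24 toward the more-specific route, and how a per-origin inbound filter of the kind "filter your peers and customers" calls for keeps that route out of the table. AS64500, the `ALLOWED` table, the 192.0.2.0/24 entry and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed updates: (prefix, AS_PATH). AS64500 is a documentation ASN
# standing in for the real holder of the /16; it is not from the thread.
HOLDER = ("194.1.0.0/16", [64500])
LEAK = ("194.1.0.0/24", [7007])      # classful more-specific, AS_PATH ^7007$

# Hypothetical filter data: what each origin AS may announce, and the
# longest prefix length accepted inside that block.
ALLOWED = {
    64500: [("194.1.0.0/16", 16)],
    7007: [("192.0.2.0/24", 24)],    # constructed stand-in for 7007's own space
}

def accept(prefix, as_path):
    """Inbound filter: origin must be registered for a covering block and
    the announcement must not be more specific than allowed."""
    net = ipaddress.ip_network(prefix)
    for block, max_len in ALLOWED.get(as_path[-1], []):
        if net.subnet_of(ipaddress.ip_network(block)) and net.prefixlen <= max_len:
            return True
    return False

def build_rib(updates, filtered):
    """Install every update, or only those passing the filter."""
    return [u for u in updates if not filtered or accept(*u)]

def best_route(rib, dst):
    """Longest-prefix match: the most specific covering route wins,
    whoever originated it."""
    addr = ipaddress.ip_address(dst)
    covering = [(ipaddress.ip_network(p), path) for p, path in rib
                if addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, path = max(covering, key=lambda r: r[0].prefixlen)
    return str(net), path

if __name__ == "__main__":
    for filtered in (False, True):
        rib = build_rib([HOLDER, LEAK], filtered)
        for dst in ("194.1.0.53", "194.1.7.9"):   # first /24 vs. rest of the /16
            print(f"filtered={filtered} {dst} -> {best_route(rib, dst)}")
```

Only addresses inside the first /24 follow the leaked route in the unfiltered table, which is why that block is a poor place for name servers and mail hosts.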
Re: Great outage of 1997 - Does anyone recall?
Well, I hope I'm not butchering the story up too badly - got an 800 word piece going up Monday on The Cutting Edge News and I'm doing something more lengthy and bloggy tonight for DailyKos, whilst hanging around abusing one of our spare 7507s with various new IOS versions.

On Sun, Feb 22, 2009 at 12:55 AM, Patrick W. Gilmore patr...@ianai.net wrote:

> On Feb 22, 2009, at 1:47 AM, Randy Bush wrote:
>
>>>> Does anyone have the full story on this?
>>>
>>> http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html
>>
>> bottom line:
>>
>>   o do not redistribute bgp into igp
>>   o do not redistribute dynamic igp into bgp
>>   o filter your peers and customers
>
> And don't put all your most important infrastructure stuff (e.g. name server, mail server, shell host, etc.) in the first /24 of your /shorter allocation.
>
> The biggest problem with 7007 was not that it announced a bunch of prefixes. It is that 7007 announced _classful_ prefix (it had been filtered through RIP, remember?) with AS_PATH of ^7007$. This means if you had a 194.1.0.0/16, you saw 194.1.0.0/24 from 7007, which is more specific. Why this is bad is left as an exercise to the reader.
>
> And, of course, the problem persisted after the router in question was actually unplugged - not powered up or attached to any fibers/cables.
>
> Thank you Sprint for running beta code. :)
>
> --
> TTFN,
> patrick

--
mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com
IM: nealrauhauser
Re: Great outage of 1997 - Does anyone recall?
Back on list

I doubt you will get skewered, I promise to read it

Sent via BlackBerry from T-Mobile

-Original Message-
From: neal rauhauser nrauhau...@gmail.com
Date: Sun, 22 Feb 2009 01:24:08
To: chaim.rie...@gmail.com
Subject: Re: Great outage of 1997 - Does anyone recall?

Oh, you guys will skewer me for it :-) Shall I post the text here so it gets vetted first?

On Sun, Feb 22, 2009 at 1:21 AM, chaim.rie...@gmail.com wrote:

> Do post a link when it's up.
>
> Sent via BlackBerry from T-Mobile
>
> -Original Message-
> From: neal rauhauser nrauhau...@gmail.com
> Date: Sun, 22 Feb 2009 01:11:16
> To: Patrick W. Gilmore patr...@ianai.net
> Cc: NANOG list nanog@nanog.org
> Subject: Re: Great outage of 1997 - Does anyone recall?
>
> Well, I hope I'm not butchering the story up too badly - got an 800 word piece going up Monday on The Cutting Edge News and I'm doing something more lengthy and bloggy tonight for DailyKos, whilst hanging around abusing one of our spare 7507s with various new IOS versions.
>
> On Sun, Feb 22, 2009 at 12:55 AM, Patrick W. Gilmore patr...@ianai.net wrote:
>
>> On Feb 22, 2009, at 1:47 AM, Randy Bush wrote:
>>
>>>>> Does anyone have the full story on this?
>>>>
>>>> http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html
>>>
>>> bottom line:
>>>
>>>   o do not redistribute bgp into igp
>>>   o do not redistribute dynamic igp into bgp
>>>   o filter your peers and customers
>>
>> And don't put all your most important infrastructure stuff (e.g. name server, mail server, shell host, etc.) in the first /24 of your /shorter allocation.
>>
>> The biggest problem with 7007 was not that it announced a bunch of prefixes. It is that 7007 announced _classful_ prefix (it had been filtered through RIP, remember?) with AS_PATH of ^7007$. This means if you had a 194.1.0.0/16, you saw 194.1.0.0/24 from 7007, which is more specific. Why this is bad is left as an exercise to the reader.
>>
>> And, of course, the problem persisted after the router in question was actually unplugged - not powered up or attached to any fibers/cables.
>>
>> Thank you Sprint for running beta code. :)
>>
>> --
>> TTFN,
>> patrick
>
> --
> mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com
> IM: nealrauhauser

--
mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com
IM: nealrauhauser
Re: Great outage of 1997 - Does anyone recall?
On Feb 22, 2009, at 3:11 PM, neal rauhauser wrote:

> Well, I hope I'm not butchering the story up too badly

This has been written up several times before - in addition to the links in Richard's post, take a look at the following, including the links at the bottom of the page:

http://lists.ucc.gu.uwa.edu.au/pipermail/lore/2006-August/40.html

Here's a thorough writeup on the Supro incident:

http://asert.arbornetworks.com/2009/02/ahh-the-ease-of-introducing-global-routing-instability/

For examples of specific applications of *deliberate* (as opposed to accidental, like AS7007) route hijacking, see the following:

https://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-pilosov-kapela.pdf
http://www.renesys.com/blog/2009/02/stealing-the-internet-back-1.shtml
http://www.renesys.com/tech/presentations/pdf/blackhat-09.pdf

and then for extra credit, think about this:

http://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf
https://media.blackhat.com/bh-dc-09/video/Marlinspike/blackhat-dc-09-marlinspike-slide.mov

and this:

http://www.unixwiz.net/techtips/iguide-kaminsky-dns-vuln.html

---
Roland Dobbins rdobb...@cisco.com // +852.9133.2844 mobile

Some things are just too precious to entrust to computers.

-- Seth Hanford
Re: Great outage of 1997 - Does anyone recall?
OK, here is the expanded, bloggy one. Some time Monday the more professionally written entry on The Cutting Edge News will be out and I'll share that one, too.

http://www.dailykos.com/story/2009/2/22/23440/2313/339/700368

On Sun, Feb 22, 2009 at 1:26 AM, Chaim Rieger chaim.rie...@gmail.com wrote:

> Back on list
>
> I doubt you will get skewered, I promise to read it
>
> Sent via BlackBerry from T-Mobile
>
> --
> *From*: neal rauhauser
> *Date*: Sun, 22 Feb 2009 01:24:08 -0600
> *To*: chaim.rie...@gmail.com
> *Subject*: Re: Great outage of 1997 - Does anyone recall?
>
> Oh, you guys will skewer me for it :-) Shall I post the text here so it gets vetted first?
>
> On Sun, Feb 22, 2009 at 1:21 AM, chaim.rie...@gmail.com wrote:
>
>> Do post a link when it's up.
>>
>> Sent via BlackBerry from T-Mobile
>>
>> -Original Message-
>> From: neal rauhauser nrauhau...@gmail.com
>> Date: Sun, 22 Feb 2009 01:11:16
>> To: Patrick W. Gilmore patr...@ianai.net
>> Cc: NANOG list nanog@nanog.org
>> Subject: Re: Great outage of 1997 - Does anyone recall?
>>
>> Well, I hope I'm not butchering the story up too badly - got an 800 word piece going up Monday on The Cutting Edge News and I'm doing something more lengthy and bloggy tonight for DailyKos, whilst hanging around abusing one of our spare 7507s with various new IOS versions.
>>
>> On Sun, Feb 22, 2009 at 12:55 AM, Patrick W. Gilmore patr...@ianai.net wrote:
>>
>>> On Feb 22, 2009, at 1:47 AM, Randy Bush wrote:
>>>
>>>>>> Does anyone have the full story on this?
>>>>>
>>>>> http://www.merit.edu/mail.archives/nanog/1997-04/msg00444.html
>>>>
>>>> bottom line:
>>>>
>>>>   o do not redistribute bgp into igp
>>>>   o do not redistribute dynamic igp into bgp
>>>>   o filter your peers and customers
>>>
>>> And don't put all your most important infrastructure stuff (e.g. name server, mail server, shell host, etc.) in the first /24 of your /shorter allocation.
>>>
>>> The biggest problem with 7007 was not that it announced a bunch of prefixes. It is that 7007 announced _classful_ prefix (it had been filtered through RIP, remember?) with AS_PATH of ^7007$. This means if you had a 194.1.0.0/16, you saw 194.1.0.0/24 from 7007, which is more specific. Why this is bad is left as an exercise to the reader.
>>>
>>> And, of course, the problem persisted after the router in question was actually unplugged - not powered up or attached to any fibers/cables.
>>>
>>> Thank you Sprint for running beta code. :)
>>>
>>> --
>>> TTFN,
>>> patrick
>>
>> --
>> mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com
>> IM: nealrauhauser
>
> --
> mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com
> IM: nealrauhauser

--
mailto:n...@layer3arts.com // GoogleTalk: nrauhau...@gmail.com
IM: nealrauhauser