Grave flaws in BGP Error handling (blog.benjojo.co.uk)
from stsp to cloudsec on 29 Aug 2023 12:31
https://azorius.net/g/cloudsec/p/3YZps47p638yl8385b-Grave-flaws-in-BGP-Error-handling

On 2 June 2023, a small Brazilian network (re)announced one of their internet routes with a small bit of information called an attribute that was corrupted. The information on this route was for a feature that had not finished standardisation, but was set up in such a way that if an intermediate router did not understand it, then the intermediate router would pass it on unchanged.

As many routers did not understand this attribute, this was no problem for them. They just took the information and propagated it along. However it turned out that Juniper routers running even slightly modern software did understand this attribute, and since the attribute was corrupted the software in its default configuration would respond by raising an error that would shut down the whole BGP session. Since a BGP session is often a critical part of being “connected” to the wider internet, this resulted in the small Brazilian network disrupting other networks’ ability to communicate with the rest of the internet, despite being 1000’s of miles away.

#bgp #cloudsec #security

threaded - newest

stsp on 29 Aug 2023 12:33 collapse

I enjoyed the section about vendor responses. Unbelievable that companies running critical infrastructure for the public behave like this.

Apparently #OpenBSD were the only responsive vendor to issue a patch quickly.