Grave flaws in BGP Error handling (blog.benjojo.co.uk)
from stsp@azorius.net to cloudsec@azorius.net on 29 Aug 2023 14:31
https://azorius.net/g/cloudsec/p/3YZps47p638yl8385b-Grave-flaws-in-BGP-Error-handling

On 2 June 2023, a small Brazilian network (re)announced one of their internet routes with a small bit of information called an attribute that was corrupted. The information on this route was for a feature that had not finished standardisation, but was set up in such a way that if an intermediate router did not understand it, then the intermediate router would pass it on unchanged.

As many routers did not understand this attribute, this was no problem for them. They just took the information and propagated it along. However, it turned out that Juniper routers running even slightly modern software did understand this attribute, and since the attribute was corrupted the software in its default configuration would respond by raising an error that would shut down the whole BGP session. Since a BGP session is often a critical part of being “connected” to the wider internet, this resulted in the small Brazilian network disrupting other networks’ ability to communicate with the rest of the internet, despite being 1000s of miles away.

#bgp #cloudsec #security
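
An added example (not from the blog post or from any vendor's code) of the behaviour the excerpt describes: a speaker that does not implement an optional transitive attribute forwards it untouched, while one that implements it and finds it malformed either resets the session or, with RFC 7606 handling, treats the route as withdrawn. The type code 200, the 4-byte validity rule and the function names are assumptions made up for the illustration; RFC 7606 is named here, not in the excerpt.

```python
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LEN = 0x80, 0x40, 0x20, 0x10
DEMO_TYPE = 200  # constructed type code, not the attribute from the incident

def parse_attr(buf):
    """Split one path attribute into (flags, type_code, value)."""
    flags, type_code = buf[0], buf[1]
    if flags & EXT_LEN:                       # two-byte length field
        length = int.from_bytes(buf[2:4], "big")
        value = buf[4:4 + length]
    else:                                     # one-byte length field
        length = buf[2]
        value = buf[3:3 + length]
    if len(value) != length:
        raise ValueError("attribute truncated")
    return flags, type_code, value

def handle(buf, validators, treat_as_withdraw):
    """Return (action, bytes to propagate or None) for one received attribute."""
    flags, type_code, value = parse_attr(buf)
    check = validators.get(type_code)         # None: this speaker does not implement it
    if check is None:
        if flags & OPTIONAL and flags & TRANSITIVE:
            # Not understood: pass on with the Partial bit set, value untouched.
            return "forward", bytes([flags | PARTIAL]) + buf[1:]
        if flags & OPTIONAL:
            return "ignore", None             # optional non-transitive: dropped quietly
        return "session-reset", None          # RFC 4271: unrecognised well-known attribute
    if check(value):
        return "accept", buf
    # Understood but malformed: this is where the two behaviours diverge.
    return ("treat-as-withdraw" if treat_as_withdraw else "session-reset"), None

# Constructed sample: optional transitive attribute, type 200, 2-byte value.
CORRUPT = bytes([OPTIONAL | TRANSITIVE, DEMO_TYPE, 2, 0x00, 0x00])
IMPLEMENTS = {DEMO_TYPE: lambda v: len(v) == 4}   # hypothetical validity rule

def demo():
    return {
        "transit router, attribute unknown": handle(CORRUPT, {}, False)[0],
        "implements it, legacy handling": handle(CORRUPT, IMPLEMENTS, False)[0],
        "implements it, RFC 7606": handle(CORRUPT, IMPLEMENTS, True)[0],
    }

if __name__ == "__main__":
    for router, action in demo().items():
        print(f"{router}: {action}")
```

The first case is why the corrupted attribute could travel across networks that never looked inside it; the second is the session teardown the excerpt describes.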


stsp@azorius.net on 29 Aug 2023 14:33

I enjoyed the section about vendor responses. Unbelievable that companies running critical infrastructure for the public behave like this.

Apparently #OpenBSD were the only responsive vendor to issue a patch quickly.