nanog mailing list archives

Bogus route announcements
From: Michael Dillon <michael () memra com>
Date: Fri, 31 Jan 1997 19:20:51 -0800 (PST)


This seems more appropriate here than on NAIPR. I took the liberty of
removing the discussion that led up to it and leaving only Karl's words.
This seems to tie in to the layer 2 filtering discussion here.

---------- Forwarded message ----------
Date: Fri, 31 Jan 1997 20:09:59 +73800 (CST)
From: Karl Denninger <karl () Mcs Net>
To: Michael Dillon <michael () MEMRA COM>
Cc: naipr () lists internic net
Subject: Re: Implied warranty of routability?  Was: Re:  US CODE: Title 15, ...

[some discussion of bogus TLD's and bogus routes deleted]

Balderdash.

Just the other day 0.0.0.0/0 (yes, DEFAULT) was being propagated by a LARGE
NUMBER of national providers -- from a rogue (and unintentional) announcement
that came out of a particular firm in Virginia.

This went on for well over SIX HOURS before it was stopped.  It was transiting
a large number of NATIONAL network providers' core hardware, and disrupting
connectivity to a fair number of people, some of whom were completely
clueless as to the cause.  We found it because we run defaultless and ANY
instance of default appearing in announcements or anywhere on our core 
is an instant five-alarm fire.

When we finally called the guilty party (after informing peers and upstream
links hours before with no effect), they had not heard ANYTHING about it as 
of yet, and the announcement was ALREADY a few hours old in our tables at 
that point.

Filtered out quickly my tailfeathers.  

99% of the companies out there don't filter ANYTHING at that kind of level.
Try to maintain the filters on CISCO hardware to actually verify and prevent 
any rogue announcements -- good luck.  You just can't do an EFFECTIVE job
of this; the coordination you NEED to do so is completely non-existent
between firms to make it possible, especially in the "swamp".

Now you can get routes from only a route server, yes, and that does help.
Quite a bit.  But basically all providers of any significance have exchange 
point(s) where the RADB isn't used.

If the address isn't something that someone else is using, and is of
sufficient prefix size (in 206 and above) I bet it wouldn't be noticed for
months -- if ever -- until someone tried to get a so-called "official"
allocation of the same number and said "what the hell??" when they found it
already in the tables.

I bet I could announce a random "reserved" prefix and nobody would catch 
it for at least 30 days -- during which time it would work perfectly, and
globally.

Yes, doing that kind of thing would be highly antisocial. But don't think
for an instant that anyone actually watches constructively for this kind of
chicanery on the net.  That would be a false assumption, as I think the
little episode of the other day proves rather conclusively.

--
-- 
Karl Denninger (karl () MCS Net)| MCSNet - The Finest Internet Connectivity
http://www.mcs.net/~karl     | T1's from $600 monthly to FULL DS-3 Service
                             | 99 Analog numbers, 77 ISDN, Web servers $75/mo
Voice: [+1 312 803-MCS1 x219]| Email to "info () mcs net" WWW: http://www.mcs.net/
Fax:   [+1 312 248-9865]     | 2 FULL DS-3 Internet links; 400Mbps B/W Internal
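
Added example, not part of the original thread or either poster's code: a small audit in the spirit of the "running defaultless" check described in the forwarded message, which flags a default route or special-purpose address space in a list of received announcements. The sample announcements, peer names and verdict labels are constructed for illustration, and the block list is a subset of well-known special-purpose IPv4 ranges.

```python
import ipaddress

# Subset of well-known special-purpose IPv4 blocks (private, loopback,
# link-local, shared, documentation, benchmarking, multicast, reserved).
SPECIAL_PURPOSE = [ipaddress.IPv4Network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
    "224.0.0.0/4", "240.0.0.0/4",
)]
DEFAULT = ipaddress.IPv4Network("0.0.0.0/0")

# Constructed sample of (prefix, peer) pairs, as if taken from a table dump.
SAMPLE = [
    ("0.0.0.0/0", "peer-A"),      # default route leaking in from a peer
    ("206.10.0.0/16", "peer-A"),  # ordinary unicast prefix
    ("10.20.0.0/16", "peer-B"),   # inside private space
    ("8.0.0.0/6", "peer-B"),      # aggregate that swallows 10.0.0.0/8
    ("206.10.1.1/16", "peer-C"),  # host bits set: not a valid prefix
]

def classify(prefix):
    """Return 'default', 'reserved', 'covers-reserved', 'invalid' or 'ok'."""
    try:
        net = ipaddress.IPv4Network(prefix)  # strict parsing rejects host bits
    except ValueError:
        return "invalid"
    if net == DEFAULT:
        return "default"
    for block in SPECIAL_PURPOSE:
        if net.subnet_of(block):
            return "reserved"         # announcement lies inside a special block
        if block.subnet_of(net):
            return "covers-reserved"  # less-specific that includes such a block
    return "ok"

def audit(announcements):
    """Return (prefix, peer, verdict) for every announcement that is not 'ok'."""
    findings = []
    for prefix, peer in announcements:
        verdict = classify(prefix)
        if verdict != "ok":
            findings.append((prefix, peer, verdict))
    return findings

if __name__ == "__main__":
    for prefix, peer, verdict in audit(SAMPLE):
        print(f"ALERT {verdict:16} {prefix:18} from {peer}")
```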
