AS 47868 Goes Wild with AS-Prepending

Early this week a small Czech ISP, SuproNet (AS 47868), started announcing its prefix via a backup transit provider with an extraordinarily large number of AS (autonomous system) prepends, 252 to be exact.

Aside from sounding alarms all over the world with routers logging errors related to maximum AS-path limits, it also ended up triggering a previously unknown bug, crashing routers running a certain firmware from a certain vendor *hint hint*.

So how did this happen? One usually doesn’t go prepending an AS number 252 times.

In IOS configuration, a 4-time AS-path prepend would be configured as such.

     neighbor xx.xx.xx.xx route-map longerisbetter out
     route-map longerisbetter permit 10
       set as-path prepend 47868 47868 47868 47868

So then, a manual 252-time AS-path prepend with the above config would involve a grotesquely long command like this.

       set as-path prepend 47868 47868 47868 47868 47868 47868 47868 47868 47868
       47868 47868 47868 47868 47868 47868 47868 47868 47868.................

Assuming that AS 47868 is run by a group of rational individuals, it doesn’t make sense to configure a 252-time AS-path prepend in such a manner (assuming that they use IOS routers in the first place, which isn’t the case as we’ll see below).

Remember, this is a world where other router vendors, both big and small, exist. In this case, AS 47868 was using a router from MikroTik, which has a radically different way of configuring AS-path prepends.

On a MikroTik router, AS-path prepending is configured with the command

     bgp-prepend

This takes an integer value between 1 and 16 (i.e. how many times the AS-path should be prepended). Unfortunately, a missing input limit check likely resulted in the router accepting the following command, which the router operator might have mistaken to mean a single prepend for AS 47868.

     bgp-prepend 47868

Assuming an 8-bit integer is reserved for storing the input value for the bgp-prepend command, the value 47868 might have been stored as 252 (think 47868 mod 256). Does the number 252 sound familiar then?

Yes! It’s precisely the number of AS-path prepends on the prefix originated by AS 47868!
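The truncation hypothesis above, as an added example that is not code from the original post or from the router vendor: a C model in which the argument is narrowed to 8 bits without a range check, next to a version that enforces the 1 to 16 range before narrowing. The function names and the 8-bit storage are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define PREPEND_MIN 1UL
#define PREPEND_MAX 16UL

/* Hypothetical "before": the parsed value is narrowed to 8 bits, no range check. */
static uint8_t parse_prepend_unchecked(const char *arg)
{
    unsigned long v = strtoul(arg, NULL, 10);
    return (uint8_t)v;                  /* keeps only v mod 256 */
}

/* Hypothetical "after": validate the full-width value, then narrow.
 * Returns 0 and stores the count on success, -1 if the input is rejected. */
static int parse_prepend_checked(const char *arg, uint8_t *count)
{
    char *end;
    unsigned long v;

    if (arg[0] < '0' || arg[0] > '9')   /* reject empty input, signs, whitespace */
        return -1;
    errno = 0;
    v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0')    /* overflow or trailing junk */
        return -1;
    if (v < PREPEND_MIN || v > PREPEND_MAX) /* the missing limit check */
        return -1;
    *count = (uint8_t)v;
    return 0;
}

int main(void)
{
    /* Constructed sample arguments to the bgp-prepend command. */
    const char *inputs[] = { "4", "16", "17", "47868", "4x" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint8_t n = 0;
        int rc = parse_prepend_checked(inputs[i], &n);
        printf("bgp-prepend %-6s unchecked=%3u checked=%s\n", inputs[i],
               (unsigned)parse_prepend_unchecked(inputs[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```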

But case closed? Not quite. This incident opens a can of worms, which includes questions such as: why did routers from a particular vendor crash upon receiving an extraordinarily long AS-path, what constitutes an operationally reasonable number of AS-path prepends, and what sort of precautions (think maximum AS-path limits) can be applied to prevent future incidents of a similar nature?

Once again, there are few definite answers to these questions. But for now, the Internet moves on.

This post was inspired by this – http://www.renesys.com/blog/2009/02/longer-is-not-better.shtml

This entry was posted on Sunday, February 22nd, 2009 at 11:26 pm and is filed under technology.