
Rabid Wombat writes:
I have been noticing a problem contacting sites all over Northern and Central Europe.
Sprint's network was somewhat overloaded due to the bogus routes redirecting traffic onto their network. I doubt the problem spread as far as Europe, at least on a widespread basis. We have about 200 sites worldwide, only a few actually connected to Sprint. We only saw intermittent failures reaching some sites for about an hour.
Hmm. I saw problems Friday and Saturday. Saturday I was checking URLs in a book on hacking and security that I'm editing, and a number of ordinarily reachable sites were down. Traceroutes to them showed weird routing problems, mostly routing 'loops'.
I wonder how long it'll be possible for unauthenticated/unapproved people to mess around with routers.
Sprint probably should have been filtering routes / AS_PATH (insert debate here) from its downstreams. This is a management challenge, but Bad Things(tm) can happen if you don't.
can't bring down the whole net, they'll just pass a law requiring that anyone who wants the 'enable' password to a Cisco have first passed a government-approved "Internet Administrators Class" and gotten a license.
Why are you picking on Cisco? The equipment in question was a pair of Bay Networks BLN routers. The jury is still out as to whether this was a Bay bug or a config screw-up.
I'm not picking on Cisco, you missed my point. In all other 'infrastructures' (i.e. phone company, roads) only officially-sanctioned people are allowed access to work on things. With the phone company, it's phone company employees & contractors, with the roads it's government employees and contractors. When private extensions are added, they're restricted and compartmentalized so that they can't affect the entire infrastructure... a private corporate phone switch's misprogramming doesn't bring down Pac Bell.

OTOH, with the internet, this is not true. IP routing is complex enough that a router configuration error (or perhaps a series of them, maybe Sprint was accepting BGP sessions from someone they shouldn't have) _can_ damage major parts of the net.

Engineers' first thought (like most people on this list) when faced with a situation like this is to design more fail-safes into the system to prevent a clueless admin or a router with a software error from causing so much damage. But politicians, when faced with the same situation, their first reaction is "We gotta have a Law". My prediction is that if things like this keep happening, the Internet will be declared a "defense interest computer system" or something similar, and only "approved personnel" will be allowed to mess with net-connected routers.

Hence mentioning the 'enable' (root) password on Ciscos- I figured more people here are familiar with them since they're the most popular router and the OS's look and feel hasn't changed substantially for the last 5 years or so.

--
Eric Murray ericm@lne.com Privacy through technology!
Network security and encryption consulting. PGP keyid:E03F65E5