Slashdot: News for Nerds

How a Router's Missed Range Check Nearly Crashed the Internet

timothy posted more than 5 years ago | from the pssst-don't-pass-it-on dept.

Networking 196

Barlaam writes "A bug by router vendor A (omitting a range check from a critical field in the configuration interface) tickled a bug from router vendor B (dropping BGP sessions when processing some ASPATH attributes with length very close to 256), causing a ripple effect that caused widespread global routing instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose ASN, modulo 256, was greater than 250. At that point, the Internet was one typo away from disaster. Other router vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is — this is just the latest example." Vendor A, in this case, is a Latvian router vendor called MikroTik.

196 comments

Same story, different spin??? (4, Informative)

Anonymous Coward | more than 5 years ago | (#26946791)

Is this related to the story posted that stated:

"One Broken Router Takes Out Half the Internet?"

http://tech.slashdot.org/article.pl?sid=09/02/16/2233207 [slashdot.org]

It just amazes me how differently presented this story is compared with the previous.

In fairness, there is much more information about this 'outage' now.

This news is alarming. Thanks for not making it alarmist this time.

Re:Same story, different spin??? (5, Insightful)

Anthony_Cargile (1336739) | more than 5 years ago | (#26946897)

It just amazes me how differently presented this story is compared with the previous.

Previous story: kdawson. Current story: Timothy. Do you need any more explanation than that?

Re:Same story, different spin??? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26946959)

parent here...

No shit Sherlock.

I didn't think the post required an obvious explanation.

Re:Same story, different spin??? (0, Funny)

Anonymous Coward | more than 5 years ago | (#26947033)

parent here...

No, I'm the parent!

Re:Same story, different spin??? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26947123)

No, I am!

Re:Same story, different spin??? (1, Funny)

Anonymous Coward | more than 5 years ago | (#26947185)

No, I'm Spartac--wait, what?

Re:Same story, different spin??? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26947331)

Nevermind, Spartacus was a fag. I'm a nigger.

A nigger is a feral humanoid beast with superhuman strength.

Nerds: your lady isn't interested in what you have to say. She dosen't give a flying fuck about your SATA RAID and your asserts and your virtual machines. Her plan is to have a nigger baby and hope that you are stupid enough to raise it.

When she wants to be knocked up, she wants to know that her niglets will receive the preferable genes which will enable them to hunt lions and outrun cheetahs. Huge penises are evolutionary adaptions and every woman wants one to spew its pecker snot inside her. She wants a purebred nigger buck bred from the slave days to sire virile offspring and produce NBA and NFL players.

Nerds: your only hope is to knock up a nigger sow and promise it children which will have a chance in life and not look like goddamn apes or chimpanzees.

Re:Same story, different spin??? (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26947989)

Your only chance is if the Grand Dragon shoots one out of his ass. Assuming of course you ever get you dick out of there.

Re:Same story, different spin??? (1)

ion.simon.c (1183967) | more than 5 years ago | (#26947143)

Mmm. We should get rid of kdawson. (Of course, /.'s board of corporate overlord directors probably likes all the ad revenue that he brings in. :/ )

Re:Same story, different spin??? (3, Funny)

Jamie's Nightmare (1410247) | more than 5 years ago | (#26947325)

No, it's best to keep him here where he can do less damage. We wouldn't want him to fill an editorial position at Fox News.

Re:Same story, different spin??? (1)

commodore64_love (1445365) | more than 5 years ago | (#26947915)

Or pro-government-leaning CNN/MSNBC.

Re:Same story, different spin??? (1)

PopeRatzo (965947) | more than 5 years ago | (#26948023)

commodore64_love(1445365),

let me be the first to welcome you to Slashdot.

Re:Same story, different spin??? (0)

PopeRatzo (965947) | more than 5 years ago | (#26948003)

Wait, Slashdot has ad revenue? They have ads here?

I'm a subscriber, so I didn't know.

It's only a matter of time before... (3, Interesting)

Anonymous Coward | more than 5 years ago | (#26947443)

...A Slashdot "Editor" notices these posts and mods them into oblivion.

But is that better or worse than having them modded down by sycophantic Slashdot readers?

My Slashdot login - a four-digit userid - is worthless now.

It's been stuck on Karma:-1, Terrible for a couple of years.

What did I do to deserve that terrible fate?

My sin was to post a message critical of dear Michael Sims and his editing methods and practices here on Slashdot.

Re:It's only a matter of time before... (0, Troll)

PopeRatzo (965947) | more than 5 years ago | (#26948035)

A Slashdot "Editor" notices these posts and mods them into oblivion.

It's not "oblivion" if we all view the comments at -1.

I find that it's quite easy to scroll past all the useless "frist" and "n-word" posts, and I wouldn't want to miss an insightful comment that was modded down just because he called some stupid cunt a stupid cunt.f

Please note, I use the word "cunt" not as any sort of gender specification, but rather as in "That stupid cunt voted Republican".

Did a... (-1)

Anonymous Coward | more than 5 years ago | (#26946795)

...fourth grader have to unplug it and plug it back in to get it working again?

Vendor B (5, Informative)

CSFFlame (761318) | more than 5 years ago | (#26946799)

Vendor B is Cisco btw. Dunno why they were being vague.

Re:Vendor B (5, Insightful)

mysidia (191772) | more than 5 years ago | (#26946841)

It seems like we live in a world now where media go ridiculously out of their way to soften the blow and protect the parties who screwed up and shipped software that had mistakes in it, by playing PR on their behalf and hiding their name.

They had a bug; they deserve to be called on that fact, authors should be honest and direct, and always mention them by name. ESPECIALLY in this case, so people who bought their product KNOWM they need to update, even if they didn't notice the fact that they were impacted by the bug (not everyone impacted necessarily knows what caused their problems, a lot of people may still be wide open to the bug but not know about it).

Seriously, if you develop an implementation of an exterior routing protocol that untrusted devices participate in BY DESIGN...

How do you justify NOT taking basic steps to validate what happens in your implementation if another party decides to play dirty, and hit you with a ridiculously long or corrupt entry in a field (like AS path) ?

How does your QA team miss the potential consequences of how such a case can impact your re-advertisements of that long path? And miss testing that the result you send is still valid, or that you at least block it properly.

It doesn't mean they're totally inept, I'm sure their QA team does a lot of good work. But something fundamental seems to be missing, if these sort of elementary bugs slip through the cracks.

It may be hard on them PR wise, but the public deserves to know the facts, without the names being changed to protect the guilty.

Re:Vendor B (4, Insightful)

Shakrai (717556) | more than 5 years ago | (#26946917)

It seems like we live in a world now where media go ridiculously out of their way to soften the blow and protect the parties who screwed up and shipped software that had mistakes in it, by playing PR on their behalf and hiding their name.

Well that may be the case but in this case the criticism doesn't really seem deserved. For better or worse /. generally posts exactly what was written by the person who submitted the article. Blame that person for trying to "soften" the blow.

Re:Vendor B (2, Interesting)

troll8901 (1397145) | more than 5 years ago | (#26947041)

They had a bug; they deserve to be called on that fact, authors should be honest and direct, and always mention them by name.

The writer is probably trying to facilitate discussions, instead of playing the blame game.

Names trigger emotions in us (right brain). Identifiers trigger logic in us (left brain).

The writer is probably relying on us to suggest how to get top-level ISPs to implement filtering. It's a human and business issue ... not a technical issue.

Re:Vendor B (5, Informative)

afidel (530433) | more than 5 years ago | (#26947099)

The Cisco bug had been fixed for about forever so anyone running an affected version probably had a million other known bugs as well, just most didn't bring their primary function to a screeching halt. Some of the time admins choose to run with the devil they know rather than finding all the new bugs waiting in new code, this time it bit a bunch of them hard and hence bit their customers. They will now upgrade to newer software or implement a workaround for this bug, if they upgrade their customers will probably have some additional downtime while the new bugs are found and worked around. Unfortunately this is how IT works, it's a complex web of systems built, programmed, and administered by fallible humans.

Re:Vendor B (1, Interesting)

Anonymous Coward | more than 5 years ago | (#26947297)

With Cisco you can choose between:

- Known, often workaroundable Bugs in older Versions

or

- new unknown fancy Bugs w/o workarounds that can hit you like a truck in the groin every minute now.

As long as the first choice does not include Show-Stopper bugs like the BGP one, there is usually no reason to use the latest IOS image.
Actually, the stability of your network is often a good reason /not/ to use the latest, shinyest version with lots of new features and even more new bugs.

Consider that.

Re:Vendor B (3, Insightful)

eudaemon (320983) | more than 5 years ago | (#26947995)

Just another reason for Cisco to opensource IOS and sell their hardware and service, instead.
IOS has been famously pirated along with its hardware by Chinese knock-offs for years now.
Might as well finish the transition. Then again I'd like to see Mac OSX opensourced, too,
so it may be something in the water. :-)

Re:Vendor B (4, Insightful)

Anonymous Coward | more than 5 years ago | (#26948033)

Actually, no. The problem is that you need to pay big bucks to have access to IOS updates, and too many people just buy the router, whatever IOS comes with it, and NEVER want to hear from Cisco's overpriced services ever again.

Really, critical internet infrastructure needs to be *easy* (as in low cost and not many technical pitfalls) to keep up-to-date, and we need to start doing Very Bad Things to those that don't implement BCP-38 (you're a danger to all your customers and downstream if you don't), egress filtering (good neighborhood requirements), automated up-to-date bogon filtering (or you will cause troubles for everyone that gets a new block of IP space freshly handed to a RIR), and strict BGP filtering...

Cisco's IOS update policies REALLY have a part of the blame on this.

Re:Vendor B (1, Funny)

Anonymous Coward | more than 5 years ago | (#26947417)

so people who bought their product KNOWM

WTF does that mean?

Re:Vendor B (5, Funny)

Shag (3737) | more than 5 years ago | (#26947433)

so people who bought their product KNOWM

WTF does that mean?

It means some people don't know how to spell GNOME.

Re:Vendor B (4, Funny)

Anonymous Coward | more than 5 years ago | (#26947573)

False. It's really the codename for the top-secret new GNOME/KDE hybrid. If anyone asks you didn't hear it from me.

Re:Vendor B (1)

bram (490) | more than 5 years ago | (#26947813)

lol :) Thanks I needed that.

Re:Vendor B (4, Interesting)

thsths (31372) | more than 5 years ago | (#26947171)

Should be obvious, hm? Because Vendor B is the one really to blame: as far as I can see, one router from Vendor A misbehaved, but thousands or more from Vendor B. Unfortunately, Vendor B is also the one with deep pockets for legal action, so you cannot possibly put the blame on them. Oops, hope I do not get sued.

Re:Vendor B (1, Informative)

Anonymous Coward | more than 5 years ago | (#26947305)

Vendor B is Cisco btw.

Dunno why they were being vague.

The Cisco thing is actually quite old. During the event a new bug in OpenBSD was discovered:
http://secunia.com/advisories/33975/

No more routers...think of the children (5, Funny)

Mrs. Grundy (680212) | more than 5 years ago | (#26946803)

I'm sure nobody here would argue with me if I suggested that the internet would be a much safer place without routers.

Re:No more routers...think of the children (0)

Anonymous Coward | more than 5 years ago | (#26946831)

The RIAA and MPAA would agree with you I think.

Legislation to point Cameras at all routers! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26947167)

And that way we will know who the real terrorists have become. Administrators, especially French ones, can never be trusted. I think Barack Husseim Ossama of Kenya will prove to be the greatest President of the United States by pointing cameras away from the streets and more on the people that cause 100% of all the problems in Americuz.

Re:No more routers...think of the children (1)

mysidia (191772) | more than 5 years ago | (#26946861)

It also wouldn't work.

Just b/c someone was asleep at the switch and let a bug slip into routers, doesn't mean the internet is better with just switches.

A world-wide Ethernet network with no routing (the only real alternative based on the technology we know) just isn't very scalable. Plus Ethernet doesn't handle loops very well...

Re:No more routers...think of the children (1, Funny)

Anonymous Coward | more than 5 years ago | (#26946893)

Whoosh!

Re:No more routers...think of the children (4, Funny)

ion.simon.c (1183967) | more than 5 years ago | (#26947127)

Just b/c someone was asleep at the switch and let a bug slip into routers, doesn't mean the internet is better with just switches.

Duh. PP's not talking about switches. He's talking about *hubs*.

Re:No more routers...think of the children (2, Interesting)

Mad Merlin (837387) | more than 5 years ago | (#26947469)

He said safer, not better.

Re:No more routers...think of the children (2, Funny)

macraig (621737) | more than 5 years ago | (#26946929)

What's this about a world with no reuters?

Re:No more routers...think of the children (3, Funny)

macraig (621737) | more than 5 years ago | (#26946935)

Think of the starving journalists!

Re:No more routers...think of the children (2, Funny)

Ihmhi (1206036) | more than 5 years ago | (#26947065)

Well of course, power tools are dangerous [youtube.com] .

Re:No more routers...think of the children (1)

dangitman (862676) | more than 5 years ago | (#26947161)

I'm sure nobody here would argue with me if I suggested that the internet would be a much safer place without routers.

I suggest a system based on gaffer tape and chicken wire.

Re:No more routers...think of the children (0)

Anonymous Coward | more than 5 years ago | (#26947351)

Then there shall be no Internet without routers:-)

Re:No more routers...think of the children (0)

Arancaytar (966377) | more than 5 years ago | (#26947445)

Exactly. As much as 100% of all illegal content, like child pornography or (even worse!) pirated music is transferred over the internet by routers. Get rid of them, and you nip all that crime in the bud!

Re:No more routers...think of the children (1)

Jah-Wren Ryel (80510) | more than 5 years ago | (#26947535)

I'm sure nobody here would argue with me if I suggested that the internet would be a much safer place without routers.

Either that, or they could stop sending packets down the ASSPATH, that's just a recipe for disaster right there.

Gee, known Cisco bug causes problems (2, Insightful)

seifried (12921) | more than 5 years ago | (#26946807)

If people had upgraded their routers this wouldn't have happened. Newsflash: software has bugs. Not upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

Re:Gee, known Cisco bug causes problems (2, Insightful)

vux984 (928602) | more than 5 years ago | (#26946837)

Newsflash: software has bugs. Not upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

Newsflash: software has bugs. Upgrading your software will bite you in the ass eventually, especially if this software runs critical systems like your routers.

See? The statement is true either way... update or don't update. It doesn't matter. One way you'll get bitten by dormant bugs in the old version, the other way will bite you with bugs introduced in the upgrade.

The only question that remains is which will bite you in the ass first and more often. From long experience most people agree... if it isn't broken, don't fix it.

Re:Gee, known Cisco bug causes problems (5, Funny)

Shakrai (717556) | more than 5 years ago | (#26946853)

From long experience most people agree... if it isn't broken, don't fix it.

Reminds me of an old "offensive" fortune quote: Working computer hardware is a lot like an erect penis. It stays up as long as you don't fuck with it.

If you have no clue what offensive fortunes are try 'fortune -o'. They are great when you are stoned, drunk or just bored at work. If you don't have fortune installed then you are clearly on the wrong website ;)

Re:Gee, known Cisco bug causes problems (1, Informative)

Anonymous Coward | more than 5 years ago | (#26946925)

If you have no clue what offensive fortunes are try 'fortune -o'.

(in bold) Please, please, please request a potentially offensive fortune if and only if you believe, deep down in your heart, that you are willing to be offended...

If you don't have fortune installed then you are clearly on the wrong website ;)

Hey, I've got it installed! "fortune -o" says: No fortunes found.

(Sorry, I'm new.)

Re:Gee, known Cisco bug causes problems (1)

FireFury03 (653718) | more than 5 years ago | (#26947333)

Hey, I've got it installed! "fortune -o" says: No fortunes found.

(Sorry, I'm new.)

Most distros seem to remove offensive mode for fear of offending people. :-/
You'll need to grab the source package and rebuild it yourself with offensive mode enabled.

Re:Gee, known Cisco bug causes problems (0)

Anonymous Coward | more than 5 years ago | (#26947473)

Understood, thanks!

(Same AC here)

Re:Gee, known Cisco bug causes problems (2, Informative)

SanityInAnarchy (655584) | more than 5 years ago | (#26947505)

Or, they move it to a separate package. For example, on Ubuntu, this is fortunes-off.

No need to make it more complicated than it is.

Re:Gee, known Cisco bug causes problems (0)

Anonymous Coward | more than 5 years ago | (#26947721)

wva@yup:~$ sudo apt-get install fortunes-off
[sudo] password for wva:
Reading package lists... Done
[...]
Setting up fortunes-off (1:1.99.1-3.1ubuntu2) ...

wva@yup:~$ fortune -o
The King plugged the Queen's ass with mustard
To make her fuck hot, but got flustered,
        And cried, "Oh, my dear,
        I am coming, I fear,
But the mustard will make you come `plus tard'."
wva@yup:~$

I never knew about offensive cookies... You guys made my day!

Re:Gee, known Cisco bug causes problems (1)

funkatron (912521) | more than 5 years ago | (#26947815)

Not working here (unless dawkins means something else in American).

fortune -o

"In childhood our credulity serves us well. It helps us to pack, with extraordinary rapidity, our skulls full of the wisdom of our parents and our ancestors. But if we don't grow out of it in the fullness of time, our ... nature makes us a sitting target for astrologers, mediums, gurus, evangelists, and quacks. We need to replace the automatic credulity of childhood with the constructive skepticism of adult science."

[Richard Dawkins]

Re:Gee, known Cisco bug causes problems (2, Insightful)

SanityInAnarchy (655584) | more than 5 years ago | (#26947471)

if it isn't broken, don't fix it.

That also implies, if it is broken, fix it.

From long experience, we all get bitten sooner or later. I would say we most often remember the upgrades as being more hazardous, because we blame ourselves for those -- should've known better than to use that new, untrusted code. At least with inaction (not patching), it's negligence, rather than active incompetence -- harder to blame yourself, or for others to blame you.

But this should not be about escaping blame, it should be about minimizing risk.

Re:Gee, known Cisco bug causes problems (1)

Skinkie (815924) | more than 5 years ago | (#26946839)

If this kind of software was 'free' because you bought an appliance that actually should work instead of upgraded to a different set of bugs, then you might have a point... I honestly think the firmwares that are deployed lack a critical view of some outsiders, but then again I was raised with the open source spirit, Cisco bought itself into it.

Re:Gee, known Cisco bug causes problems (2, Insightful)

ThePromenader (878501) | more than 5 years ago | (#26946847)

Did you RTFA? The problem was due to a router misconfiguration - a human error - and a worldwide ISP tendency of not reading/filtering garbage from what they pass along. Not bugs, not upgrades.

Re:Gee, known Cisco bug causes problems (4, Informative)

seifried (12921) | more than 5 years ago | (#26947029)

Speaking of RTFA'ing you should maybe take your own advice:

As it turns out, the reason for all those routing resets and general instability was due to a previously unknown Cisco bug involving AS paths close to 255 in length. If you try to prepend to a long path that you receive and by doing so, create a path longer than 255, you are toast. So the maps we gave in our last blog were more of an indication of Cisco market share (at least among prependers), rather than the propensity of outdated routers. Kudos to Ivan for figuring this out.

Re:Gee, known Cisco bug causes problems (4, Insightful)

ThePromenader (878501) | more than 5 years ago | (#26947101)

The Cisco 'bug' is an oversight - with its own configuration system (where the actual AS path is written out, not an algorithm treating the same set earlier in a variable), there can be no problem. Cisco does not take into account possible errors (garbage) created by the configuration of other-type routers, thus the problem. True, this also reveals a laziness on the behalf of network engineers who assume that all routers use the dominant Cisco-ish configuration language - not. So what is needed is a means of filtering errored garbage from all platforms and sources, and this job would be most efficient were it undertaken by ISP's.

Re:Gee, known Cisco bug causes problems (4, Interesting)

davester666 (731373) | more than 5 years ago | (#26946877)

I wonder why the summary went out of its way to use company A & B, then tagged a small Latvian vendor for their range-check bug, but didn't name the much larger vendor that also has a range-check bug, namely Cisco...

Re:Gee, known Cisco bug causes problems (2, Insightful)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26946907)

Possibly because Cisco has trained attack lawyers and a history of rocky relationships with people who say unkind things about their firmware?

Re:Gee, known Cisco bug causes problems (4, Informative)

DerekLyons (302214) | more than 5 years ago | (#26946989)

The summary used Company A and Company B, the editor's comment tagged the Latvian vendor.

Re:Gee, known Cisco bug causes problems (0)

Anonymous Coward | more than 5 years ago | (#26947077)

Exactly. Very bad reporting standards. Typical of /. really, makes me sick.

Re:Gee, known Cisco bug causes problems (0)

Anonymous Coward | more than 5 years ago | (#26947207)

Probably because he's that same troll who writes the blog that bashes on the Cisco test cloning products and threatens candidates with the Cisco Lifetime Shitlist.

Re:Gee, known Cisco bug causes problems (5, Informative)

Kaboom13 (235759) | more than 5 years ago | (#26947071)

You have to have a support agreement with Cisco to get the latest IOS. They won't even give you the last version when your support contract ran out. Also, older routers do not always have upgrades available for various reasons, either they do not have enough space or hardware limitations or Cisco End-of-Lifed it and hasn't bothered.

There's also the "if it isn't broke don't fix it" mentality in the networking world. A new version may fix some bugs but it might add some bugs as well. An upgrade, even if minor, generally means a lot of work testing and reconfiguring before you roll it out. Network engineers are expensive and that time isn't free. Sometimes the devil you know is better than the devil you don't.

In an ideal world it wouldn't be an issue, but when it comes to networking it's NEVER an ideal world. There's always too much to do and never enough budget/manpower to do it. Every network admin probably has 10 things on his mental wishlist right now, upgrades he would like to make, redundant hardware he would like to purchase, failover contingencies he needs to test, etc. Upgrading IOS on an old router in a rack somewhere (and hoping it doesn't blow up in your face) can be pretty far down the list.

Re:Gee, known Cisco bug causes problems (5, Interesting)

geirnord (150896) | more than 5 years ago | (#26947399)

Untrue. Cisco TAC will give you the latest firmware for free, provided you tell them you need it due to security flaws discovered in your current version. You may need to point to their bulletin about the bug, but that should be trivial (http://www.cisco.com/en/US/products/products_security_advisories_listing.html)

Since Cisco almost exclusively patches current versions due to security bugs, all their IOS are belong to us for free.

Conclusion... (1)

ThePromenader (878501) | more than 5 years ago | (#26946811)

...so ISP's should filter AS paths!

Re:Conclusion... (1)

Shakrai (717556) | more than 5 years ago | (#26946869)

...so ISP's should filter AS paths!

I always thought they did. Back in my ISP days we had multihomed connections and all three of our uplink providers filtered what we sent to them. It just seems like common sense. What's the reason for not doing it? Laziness?

Re:Conclusion... (2, Interesting)

tomstorey (1444585) | more than 5 years ago | (#26947049)

I always thought they did.

Most already do. The problem was not the ASPATH itself, it was the length of it. The routers affected did not handle updates for a prefix which required more than one AS_SEQUENCE segment in order to obtain the full AS path. The existence of the additional AS_SEQUENCE segment is what triggered the bug, causing the receiving router to treat the update as invalid, and the BGP session is dropped.

Re:Conclusion... (1)

tomstorey (1444585) | more than 5 years ago | (#26947081)

...so ISP's should filter AS paths!

Filtering the path would not have prevented this from happening. However, filtering paths whose length was unrealistically long would have done a world of good.
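Added example (not part of the comments above and not any vendor's code): a Python model of the two checks this thread discusses, treating the unchecked prepend-count field as a modulo-256 wrap as the summary describes, then showing the AS_PATH spill into a second AS_SEQUENCE segment once transit ASes prepend past 255. The ASNs, the 16-prepend limit and the 50-hop filter threshold are constructed or assumed values; the wire format is the 2-octet-ASN encoding from RFC 4271.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2      # AS_PATH segment types (RFC 4271, section 4.3)
MAX_SEGMENT_ASNS = 255          # a segment's ASN count is a single octet

def encode_as_path(segments):
    """Encode [(seg_type, [asn, ...]), ...] with 2-octet ASNs into AS_PATH bytes."""
    out = bytearray()
    for seg_type, asns in segments:
        if not 1 <= len(asns) <= MAX_SEGMENT_ASNS:
            raise ValueError("a segment carries 1..255 ASNs")
        out += struct.pack("!BB", seg_type, len(asns))
        out += struct.pack("!%dH" % len(asns), *asns)
    return bytes(out)

def parse_as_path(data):
    """Strict receiver-side parse: any number of segments, every length checked."""
    segments, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated segment header")
        seg_type, count = data[off], data[off + 1]
        off += 2
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError("unknown segment type %d" % seg_type)
        end = off + 2 * count
        if count == 0 or end > len(data):
            raise ValueError("bad segment length")
        asns = struct.unpack("!%dH" % count, data[off:end])
        segments.append((seg_type, list(asns)))
        off = end
    return segments

def prepend(segments, local_as, times=1):
    """Prepend local_as; open a new AS_SEQUENCE when the leading one is full
    (the behaviour RFC 4271 section 5.1.2 recommends on segment overflow)."""
    segs = [(t, list(a)) for t, a in segments]
    for _ in range(times):
        head_has_room = (segs and segs[0][0] == AS_SEQUENCE
                         and len(segs[0][1]) < MAX_SEGMENT_ASNS)
        if head_has_room:
            segs[0][1].insert(0, local_as)
        else:
            segs.insert(0, (AS_SEQUENCE, [local_as]))
    return segs

def path_length(segments):
    """AS path length for policy purposes: an AS_SET counts as one hop."""
    return sum(len(a) if t == AS_SEQUENCE else 1 for t, a in segments)

def accept_path(segments, max_len=50):
    """Inbound filter on unrealistically long paths. max_len=50 is an assumed
    policy threshold, not a value taken from the thread."""
    return path_length(segments) <= max_len

def wrapped_prepend_count(raw):
    """The missing range check, modelled as the summary describes: modulo 256."""
    return raw % 256

def checked_prepend_count(raw, limit=16):
    """Config-side fix: refuse out-of-range input. limit=16 is an assumed value."""
    if not 0 <= raw <= limit:
        raise ValueError("prepend count %d outside 0..%d" % (raw, limit))
    return raw

def demo():
    origin = 64764                          # constructed private-use ASN; 64764 % 256 == 252
    count = wrapped_prepend_count(origin)   # the ASN typed into the count field
    path = prepend([], origin, count)       # simplified: origin appears `count` times
    hops = []
    for transit in (64601, 64602, 64603, 64604):    # constructed transit ASNs
        path = prepend(path, transit)
        wire = encode_as_path(path)
        if parse_as_path(wire) != path:     # a correct receiver round-trips both shapes
            raise RuntimeError("round-trip mismatch")
        hops.append((path_length(path), len(path), accept_path(path)))
    return count, hops

if __name__ == "__main__":
    count, hops = demo()
    print("effective prepend count:", count)
    for length, nsegs, ok in hops:
        print("path length %d, segments %d, passes filter: %s" % (length, nsegs, ok))
```

The fourth transit hop is the one that produces a two-segment path, and the length filter would have dropped the announcement at the first hop, before any router had to build or parse that second segment.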

Bug???? (0)

Anonymous Coward | more than 5 years ago | (#26947719)

It's not a bug...it's a feature

tubes (0)

hydromike2 (1457879) | more than 5 years ago | (#26946855)

it may be safer without routers but it'd be awful scary and potentially dangerous to be making your way through one of those tubes when they all come crashing down

didnt kdawson post this last week (5, Insightful)

gad_zuki! (70830) | more than 5 years ago | (#26946887)

except in the kdawson style it was a single link to a message board posting about a router "taking out half the internet." Dupe? Correction? I don't care as long as kdawson is kept away from the site for a while.

Re:didnt kdawson post this last week (2, Interesting)

timmarhy (659436) | more than 5 years ago | (#26946915)

"timothy" is actually kdawson's alter ego from which he posts the same crap

Re:didnt kdawson post this last week (5, Insightful)

Bryan Ischo (893) | more than 5 years ago | (#26946993)

That explains a lot.

I complained to CmdrTaco a year ago or so about kdawson's terrible editing and article judgement. The site would be SOOO much better without him. But CmdrTaco stood up for him, arguing that he does "a pretty good job".

I lost a lot of faith in Slashdot that day. I only continue to read out of habit. But I skip more articles now and I get a chuckle when I see lame stories posted by lame editors with sub-100 comments. I only wish that *no one* would read and comment on the lame stories (I should be taking my own advice here!) so that maybe the Slashdot editor cabal would get the hint.

Re:didnt kdawson post this last week (4, Informative)

ion.simon.c (1183967) | more than 5 years ago | (#26947135)

You should check out alterslash.org. It's an excellent way to sort through the shitty /. comments and get to some decent threads.

Re:didnt kdawson post this last week (2, Interesting)

troll8901 (1397145) | more than 5 years ago | (#26947545)

But CmdrTaco stood up for him, arguing that he does "a pretty good job".

I see the old "should a boss side with his subordinates or customers" argument.

I only wish that *no one* would read and comment on the lame stories (I should be taking my own advice here!) so that maybe the Slashdot editor cabal would get the hint.

What's the reason for not filtering out kdawson and timothy in Preferences > Index > Authors? (I'm not saying you're a complainer, I'm just wondering if "not wanting to miss out on the news" is the reason.)

Of course, I agree that it's important to present a better Slashdot with higher quality news to the casual visitor.

Re:didnt kdawson post this last week (1)

troll8901 (1397145) | more than 5 years ago | (#26947011)

But, kdawson is the only one who's willing to work on a Saturday!

(It's Saturday today, right?)

Sigh... maybe next time... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26946937)

... the crash will take out the entire interwebs for a full week. Wouldn't it be amazing if mankind as a whole had to "survive" an entire week without the face-to-face interaction killer that is the internet? I suppose that what's even more pathetic is that we depend on it so much now; countries would go into widespread panic if internet was lost for a single week. Isn't it sad how people seem to think that something that didn't even exist 30 years ago is now considered a bare necessity? Oh, the priorities of man.

Re:Sigh... maybe next time... (0)

Anonymous Coward | more than 5 years ago | (#26946979)

You mean something like this? [wikipedia.org]

Those South Park guys are prophets, I tell you.

Nearly crashed the Internet? (3, Interesting)

twistah (194990) | more than 5 years ago | (#26946975)

I don't know about it nearly crashing the Internet. How many people actually noticed a difference that day, for that matter?

A lot of admins, especially after the alert went out over the NANOG list, set their routers to reject long ASPATHs (or I assume, from what I saw on those lists, I am not a BGP admin myself.) Many routers simply rejected these ASPATHs as well; correct me if I'm wrong, but weren't old versions of IOS the only ones affected? It was a serious issue, but I'm not sure if it came anywhere near a disaster scenario.

Re:Nearly crashed the Internet? (0, Offtopic)

interkin3tic (1469267) | more than 5 years ago | (#26947367)

A lot of admins, especially after the alert went out over the NANOG list

This is very off topic... but that's the first time I ever heard of "North American Network Operators Group." It's strange that, apparently by coincidence, the acronym is the same as the name of one of the four transcription factors that causes de-differentiation in IPS cells. The wiki page says the transcription factor gets its name from some Scottish legend.

http://en.wikipedia.org/wiki/Nanog [wikipedia.org]

Like I said, off topic but I thought it was interesting...

Re:Nearly crashed the Internet? (4, Funny)

Paaskonijn (1220996) | more than 5 years ago | (#26947829)

I don't know about it nearly crashing the Internet. How many people actually noticed a difference that day, for that matter?

Well, sure, nobody noticed... But they all nearly noticed!

FTA (3, Funny)

drDugan (219551) | more than 5 years ago | (#26946999)

"The Internet was back to normal in short order."

Well, not completely normal [slashdot.org], not yet.

I heard it was a little more devastating (0, Offtopic)

mysidia (191772) | more than 5 years ago | (#26947003)

Reportedly all data was lost [youtube.com]. And it was more than just the routers -- someone was clogging the tubes by running too many apps on their desktop.

We should be very thankful that the partial backup was found with some info from the Google Tube, however.

Fragile Internet (5, Funny)

tick-tock-atona (1145909) | more than 5 years ago | (#26947069)

Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is - this is just the latest example.

Yeah. Like how everyone is trusted not to google "google".

Re:Fragile Internet (1)

mail2345 (1201389) | more than 5 years ago | (#26947175)

Err...
Yeah...
I'm sorry about that whole mess.

laf (4, Interesting)

maitai (46370) | more than 5 years ago | (#26947079)

When I worked for *unnamed nw regional backbone here* we had peering agreements with everyone except uunet that we connected to, and it was pretty known that if we spat out a bad BGP route we could bring down the whole net by hitting enter ('cept uunet, although I'm pretty sure uunet woulda went down from everyone else routing around them to us)

How is this new? That was the 90's. and when we spent 100k+ on a Cisco 7513 with 64megs of ram so it could hold the BGP tables...

We even wrote our own manual ('cause none existed) on how to deal with BGP tables so junior admins working for us wouldn't fuq it up. (and on top of that, we wouldn't let them touch the routers either)

-meetme room in the westin in Seattle-

Cisco to Blame, not Mikrotik (5, Informative)

DeadboltX (751907) | more than 5 years ago | (#26947109)

The critical bug is with the Cisco routers; a Mikrotik router merely nearly triggered the bug.
It would be possible to trigger this bug with any routing software that does not do range checking on the number of times the ASN is prepended.

The summary is spreading FUD by making Mikrotik, the only named vendor in the summary, look like the vendor at fault.
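As an added illustration (not part of the comment above and not any vendor's code), the sketch below shows how a prepend-count field without a range check can turn a mistyped ASN into "ASN modulo 256" prepends, next to a checked parser and the kind of inbound AS-path length filter admins are described as applying. The 8-bit storage of the count, the limits `MAX_PREPEND` and `MAX_ASPATH_LEN`, all function names, and the sample ASN 65532 are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define MAX_PREPEND    16  /* assumed operator limit on prepends */
#define MAX_ASPATH_LEN 64  /* assumed inbound filter threshold */

/* No range check: the parsed number is narrowed to 8 bits (assumption),
 * so an ASN typed into the count field becomes ASN % 256 prepends. */
uint8_t prepend_count_unchecked(const char *field)
{
    return (uint8_t)strtoul(field, NULL, 10);
}

/* Range-checked: digits only, value in 1..MAX_PREPEND.
 * Returns 0 and stores the count on success, -1 on rejection. */
int prepend_count_checked(const char *field, uint8_t *out)
{
    char *end;
    unsigned long v;

    if (!isdigit((unsigned char)field[0]))
        return -1;                      /* empty, signed or non-numeric */
    errno = 0;
    v = strtoul(field, &end, 10);
    if (*end != '\0' || errno == ERANGE || v < 1 || v > MAX_PREPEND)
        return -1;                      /* trailing junk or out of range */
    *out = (uint8_t)v;
    return 0;
}

/* Sender side: the origin entry plus `count` prepended copies of the
 * local ASN. Returns the number of ASNs written, or 0 if it does not fit. */
size_t build_as_path(uint32_t local_asn, uint8_t count,
                     uint32_t *path, size_t cap)
{
    size_t n = (size_t)count + 1;

    if (n > cap)
        return 0;
    for (size_t i = 0; i < n; i++)
        path[i] = local_asn;
    return n;
}

/* Receiver side: policy filter that refuses over-long AS paths. */
int as_path_acceptable(size_t n_asns)
{
    return n_asns >= 1 && n_asns <= MAX_ASPATH_LEN;
}
```

With the constructed input "65532", the unchecked parser yields 252 prepends and a 253-entry path that the receiving filter refuses, while the checked parser rejects the field before anything is announced.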

I love this article's summary. (5, Funny)

Korey Kaczor (1345661) | more than 5 years ago | (#26947115)

The next time someone needs you to fix a computer problem and asks what went wrong, simply give them this article's summary as the reason why, replacing "router" and "Internet" with the defective part in question. You're also guaranteed to look a bit sharper, too.

"A bug by power supply vendor A (omitting a range check from a critical field in the configuration interface) tickled a bug from power supply vendor B (dropping BGP sessions when processing some ASPATH attributes with length very close to 256), causing a ripple effect that caused widespread global routing instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose ASN, modulo 256, was greater than 250. At that point, the power supply was one typo away from disaster. Other power supply vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the power supply's trust-based critical infrastructure really is -- this is just the latest example."

Re:I love this article's summary. (0)

Anonymous Coward | more than 5 years ago | (#26947323)

Beautiful.

GPL violators (5, Informative)

Anonymous Coward | more than 5 years ago | (#26947139)

Mikrotik are known GPL violators, that use a modified Linux (they re-branded that as "RouterOS") and a terribly bad implementation of the BGP protocol.

In some custom community network, where MikroTik has been deployed internally, that stolen-Linux is being hacked to use the Quagga instead of MikroTik's BGP.

In short: that "RouterOS" has been highly unsuitable for the Internet. I can't believe somebody was so stupid to trust it.

Reminds me of a story (5, Interesting)

ShakaUVM (157947) | more than 5 years ago | (#26947199)

Reminds me of a story that Keith Marzullo told our class in a graduate level reliability class. This was back in the days of using UUCP to send email, and the vendor that he worked for had just released a "failsafe" product they were very proud of -- essentially, it was a mail router that could detect if a path went down, and would try an alternate router instead. The company touted it as a bulletproof solution.

So they go to a conference, and set up some routers, unplug some of them, etc., and everything is going fine until they ask an audience member for his UUCP address. UUCP addresses are in the form of host1!host2!host3!username, with the routing for the username explicitly specified... the addresses could thus get quite long. In this case, the guy's email address was over the buffer limit the company's routers used.

Guess what happened?

The mail server tried sending an email to the next router in the chain. The router buffer overflowed and crashed. The reliable server then tried another router... and crashed it. It then went through the entire network, and crashed every single one of the nodes, turning a bug that would have been a single point of failure into a total network collapse.

=)

Yeah, one of my favorite stories from UCSD.

Re:Reminds me of a story (1)

DarkOx (621550) | more than 5 years ago | (#26947951)

I have seen bugs in spanning-tree do similar things on my network. This seems to be a recurring problem with "HA systems". Lots of stories like this out there. It's a hard problem to solve though.

Should have updated IOS in 2003 when fixed. (5, Insightful)

Anonymous Coward | more than 5 years ago | (#26947265)

Maybe if they updated their IOS back in 2003 when Cisco came out with the fix they wouldn't have these problems. You wouldn't give an XP user a pass on not updating for 6 years and having a problem, don't give these upstreams any.

-zifr

Movie script? (2, Funny)

Mathness (145187) | more than 5 years ago | (#26947313)

Summary reads like the script for a bad disaster movie.

FirsT (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26947391)

aas until I hit my user. 'Now that list of other Recent article put transfer, Netscape

Debug (1)

szundi (946357) | more than 5 years ago | (#26947401)

I see the poor programmers thousands of miles away from their routers jammed with idiot traffic configs trying to fix a bug knowing the WORLD is waiting for their patch... would be bad.

Latvia? (0)

Anonymous Coward | more than 5 years ago | (#26947651)

I forget - are they nasty Russian stooges or decent US stooges these days?

Just one tyop (2, Funny)

yotto (590067) | more than 5 years ago | (#26947755)

At that point, the Internet was one typo away from disaster.

I wonder how long that took?

Hmm... (2, Interesting)

OneSmartFellow (716217) | more than 5 years ago | (#26947839)

A bug by device vendor A (twiddling a framis panel instead of sparting the glinbo interface) patted a bug from device vendor B (elevating ALP packets when deferring some GALAS modifiers with size beneath 176), yielding a domino effect that caused widespread universal switching instability last week. The flaw lay dormant until one of vendor A's systems was deployed in an autonomous system whose LKM, divisor 965, was less than 1250. At that point, the Internet was one typo away from disaster. Other router vendors, who were not affected by the bug, happily propagated the trigger message to every vulnerable system on the planet in about 30 seconds. Few people appreciate how fragile and unsecured the Internet's trust-based critical infrastructure really is -- this is just the latest example.

Reads just about the same to me. I can't make any sense of either description of the bug