
Re: Staale & Elm



Rabid Wombat writes:
> 
> > > I have been noticing a problem contacting sites all over Northern and Central
> > > Europe.
> > > 
> 
> Sprint's network was somewhat overloaded due to the bogus routes
> redirecting traffic onto their network. I doubt the problem spread as far
> as Europe, at least on a widespread basis. We have about 200 sites
> worldwide, only a few actually connected to Sprint. We only saw
> intermittent failures reaching some sites for about an hour. 

Hmm.  I saw problems Friday and Saturday.  Saturday I was checking URLs in
a book on hacking and security that I'm editing, and a number of
ordinarily reachable sites were down.  Traceroutes to them showed
weird routing problems, mostly routing 'loops'.


> > I wonder how long it'll be possible for unauthenticated/unapproved people to
> > mess around with routers.
> 
> Sprint probably should have been filtering routes / AS_PATH (insert debate
> here) from its downstreams. This is a management challenge, but Bad
> Things(tm) can happen if you don't. 
> 
> > can't bring down the whole net, they'll just pass a law requiring
> > that anyone who wants the 'enable' password to a cisco have first
> > passed a government-approved "Internet Administrators Class" and
> > gotten a license.
> 
> Why are you picking on Cisco? The equipment in question was a pair of Bay
> Networks BLN routers. The jury is still out as to whether this was a Bay
> bug or a config screw-up. 

I'm not picking on Cisco, you missed my point.


In all other 'infrastructures' (i.e. phone company, roads)
only officially-sanctioned people are allowed access to work on things.
With the phone company, it's phone company employees & contractors, with
the roads it's government employees and contractors.  When private
extensions are added, they're restricted and compartmentalized so
that they can't affect the entire infrastructure... a private
corporate phone switch's misprogramming doesn't bring down Pac Bell.

OTOH, with the internet, this is not true.  IP routing is complex enough
that a router configuration error (or perhaps a series of them, maybe
Sprint was accepting BGP sessions from someone they shouldn't have)
_can_ damage major parts of the net.

The first thought of engineers (like most people on this list), when faced
with a situation like this, is to design more fail-safes into the system to
prevent a clueless admin or a router with a software error from
causing so much damage.  But politicians, when faced with the same
situation, their first reaction is "We gotta have a Law".

My prediction is that if things like this keep happening, the Internet will
be declared a "defense interest computer system" or something similar, and
only "approved personnel" will be allowed to mess with net-connected routers.
Hence mentioning the 'enable' (root) password on Ciscos - I figured
more people here are familiar with them since they're the most popular
router and the OS's look and feel hasn't changed substantially for
the last 5 years or so.



-- 
   Eric Murray  [email protected]         Privacy through technology!
  Network security and encryption consulting.    PGP keyid:E03F65E5