Kevin Beaumont

BGP is the yellow pages that hangs the internet together with string.

Pretty incredible blog about BGP here from @benjojo https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling

Talk to go with the blog: https://www.youtube.com/watch?v=6wMXEiFiueM&cbrd=1

Tl;dr - if you fuzz BGP attributes, you can very easily find ones which propagate to every router and crash routers. About half of vendors have easily reproducible issues. None of the vendors have bug bounty programmes. Or in other words, you can own the internet in your underpants.

Grave flaws in BGP Error handling

Oct 2, 2023 at 2:00pmWeb
Show threadDavid AndersenOct 2, 2023

@GossiTheDog @benjojo I'm reminded of the 1997 deaggregation crash, when AS7007 started advertising itself as the owner of every /24 on the Internet; the huge table size caused a lot of Cisco routers to crash, and then they'd re-flood the huge BGP table as they flapped. I don't recall if anyone figured out what % of the Internet it took out (it took us out), but it was quite bad for a few hours.

https://lists.ucc.gu.uwa.edu.au/pipermail/lore/2006-August/000040.html

[lore] Murphy's Law Strikes Again: AS7007

Show threadJorge Caballero, MDOct 2, 2023
@GossiTheDog @benjojo Remarkable reminder that much of the internet operates on "just trust me, bro" vibes
Show threadStéphane BortzmeyerOct 2, 2023
@GossiTheDog @benjojo I thought that the DNS were the yellow pages :-)
Show threadFritz AdalisOct 2, 2023
@GossiTheDog @benjojo
TIL I have an internet in my underpants, and I don't even own it.
Show threadRubyOct 2, 2023
@GossiTheDog @benjojo one of Canada's 3 main telecoms made this mistake a year ago, leading to nation wide outages.
Show threadCJOct 2, 2023
@GossiTheDog It seems like the Internet at large is lucky every day there isn’t a BGP issue either by accident or malicious intent.
Show threadJames CapeNov 13, 2023
@GossiTheDog @benjojo I'm kind of impressed that anyone still has these issues, the huge Colt outage (actually wider than them) they mentioned was over a decade ago now...
Show threadbenjojoNov 13, 2023
@jcape I guess lightning strikes twice, since that same outage happened on June 2nd 2023, do you have a cite for the previous one?
James Cape (@[email protected])

274 Posts, 161 Following, 49 Followers ·

Hachyderm.io
Show threadJames CapeNov 15, 2023

@benjojo

2001 IOS bug: https://www.kb.cert.org/vuls/id/106392
2010 Juniper (probably the incident I remembered): https://supportportal.juniper.net/s/article/BGP-Malformed-AS-4-Byte-Transitive-Attributes-Drop-BGP-Sessions?language=en_US

CERT/CC Vulnerability Note VU#472136

Information Leak and DoS Vulnerabilities in Redmi Buds 3 Pro through 6 Pro

Show threadJake Hildreth (acorn) Nov 13, 2023
@GossiTheDog Correction. You don't need to wear pants of any sort to own the internet.
Show threadSheogorathNov 13, 2023
@GossiTheDog @benjojo thankfully we are all nice people who like each other in BGP world :)