> So far it's been visible as an apparently accidental byproduct of an attack with other goals. Are you willing to bet your bifocals that the same mechanism can't be weaponized and used against the routing infrastructure directly in the future?
Yet the question becomes the reasoning behind it. How much is a direct result of the worm and how much is a result of actions based on the NEs?

The other question is BGP deployment within smaller networks. I've seen a lot of different BGP configs handed down from reputable NEs to smaller businesses and ISPs. Unfortunately, the configs are usually comparable to what you'd use in a network that has peers beneath it versus what a network that only has two uplinks requires (i.e., AS filtering not really required). It is quite common that /24 networks listed on connected interfaces not be null routed, which has its good points and bad. When you lose the interface, the traffic will stop at the local ISP's BGP routers if using ARIN-assigned addresses, or it will stop at the upstream provider's routers due to aggregates if using their IPs. In general, unless cost is an issue, it's usually good to let the packet come all the way to your network. It makes external troubleshooting easier and keeps BGP stable so long as the peering connection isn't lost. Of course, people need to learn to use metrics when doing null routes. Some people forget they exist. :)

BGP update storms are enough to drop some peering sessions due to underpowered routers. Some large providers reject updates if the network goes critical in order to keep traffic manageable while the problem is determined and rectified.

So while I do agree that the worms themselves hold some sway over the BGP activity, the same lack of preparation that allowed the worm to run so rampant can also be seen in the networks themselves. I personally have dealt with enough DoS/DDoS attacks that I have an emergency plan in place which allows as much control over the network from remote without depending on the network itself. I have an understanding of how my network is affected by different loads and which direction cascade failures will go. Luckily, I have a relatively small network, yet such an understanding and research should exist for any network regardless of size. The records of both worms should be indications of the weak points in people's networks.

Jack Bates
BrightNet Oklahoma
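As an added illustration of the null-route-with-metric point above (example configuration written for this page, not from Jack Bates's post or any real network), here is a Cisco IOS-style fragment for a two-uplink site; the prefix 192.0.2.0/24, the neighbour addresses and the AS numbers are assumed documentation values.

```cisco
! Added example, not from the original post. Addresses are RFC 5737
! documentation prefixes; AS numbers are documentation ASNs.
!
! Goal: keep the /24 advertised in BGP even when the LAN interface is down,
! so traffic reaches this router (and dies here) instead of being swallowed
! by an upstream aggregate, while never black-holing the prefix while it is
! reachable.
!
! The null route carries an administrative distance of 250. A plain
! "ip route ... Null0" would have distance 1, which beats any copy of the
! same prefix learned via OSPF (110) or EIGRP (90); if the /24 sat behind an
! internal router rather than on a connected interface, that would
! black-hole live traffic. With 250 the null route is only used as a last
! resort, after the connected (0) or IGP-learned route disappears.
ip route 192.0.2.0 255.255.255.0 Null0 250
!
interface GigabitEthernet0/1
 description customer LAN (connected /24)
 ip address 192.0.2.1 255.255.255.0
!
router bgp 64496
 ! "network" needs a matching route in the RIB; the null route guarantees
 ! one exists whether or not Gi0/1 is up, so the advertisement stays stable.
 network 192.0.2.0 mask 255.255.255.0
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description uplink A
 neighbor 203.0.113.1 remote-as 64498
 neighbor 203.0.113.1 description uplink B
!
```

Checking with `show ip route 192.0.2.0` before and after shutting the interface shows the connected route giving way to the static Null0 entry, while `show ip bgp 192.0.2.0/24` keeps the prefix present in both cases.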