On Apr 8, 2010, at 11:45 AM, Martin A. Brown wrote:
Just a note of confirmation that 23724 originated as many as 31847 prefixes during an 18 minute window starting around 15:54 UTC. They were prepending their own AS, and this is several orders of magnitude more prefixes than they normally originate.
Interestingly, they re-originated these prefixes - as opposed to simply leaking them, which means origin AS-based filters (e.g., as provided by the current RPKI and SIDR work) would have prevented this (however, origin AS-based filters would NOT have prevented the i-root incident a couple weeks back). Most of the incidents we see of this sort with a large number of prefixes are traditional leaks with path preservation - so that does make one raise an eyebrow.

Of course, even gross "max prefix" policies would have also helped here to some extent, to at least limit the scope of this incident to a much smaller number of prefixes.

One might well observe that RFC 1998-esque policies that employ LOCAL_PREF to prefer prefixes from customers over like prefixes from peers means that ALL ISPs that employ such policies in that transit service hierarchy will first ignore the AS path length when making BGP best path decisions (i.e., if a leaking Chinese provider were a transit customer of a large U.S. provider and were given BGP preference as a result, then all of that U.S. ISP's customers will end up using the Chinese path as opposed to a path learned locally in the U.S. from a peer). Perhaps it's time to rethink application of such policies ubiquitously across peers and customers, or to at least be more selective in such policy application.

Just one more incident to illustrate how fragile the routing system is, and how broken the current "routing by rumor" model continues to be.

-danny
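The following is an added example, not part of the original message: a small Python model of the three controls discussed above, showing that an origin AS-based filter rejects a re-originated prefix but passes a path-preserving leak, that customer-over-peer LOCAL_PREF lets a longer path win, and that a max-prefix limit caps the scope. The ASNs, prefixes, authorized-origin table, and function names are all constructed for illustration.

```python
# Added illustration; ASNs (documentation range) and prefixes are constructed.
from dataclasses import dataclass

# Constructed table of authorized origins, in the spirit of RPKI ROAs.
AUTHORIZED_ORIGIN = {"192.0.2.0/24": 64500, "198.51.100.0/24": 64501}
LOCAL_PREF = {"customer": 200, "peer": 100}  # RFC 1998-style: customer beats peer

@dataclass
class Route:
    prefix: str
    as_path: tuple      # leftmost = neighbor, rightmost = origin
    learned_from: str   # "customer" or "peer"

    @property
    def origin(self):
        return self.as_path[-1]

def origin_valid(route):
    """Origin AS-based filter: the rightmost AS must be the authorized origin."""
    return AUTHORIZED_ORIGIN.get(route.prefix) == route.origin

def best_path(routes):
    """Highest LOCAL_PREF first; AS path length is only the tie-breaker."""
    return max(routes, key=lambda r: (LOCAL_PREF[r.learned_from], -len(r.as_path)))

def accept_session(routes, max_prefix):
    """Gross max-prefix policy: acceptable only while the prefix count is within the limit."""
    return len({r.prefix for r in routes}) <= max_prefix

LEAKER = 64496  # constructed customer AS
# Re-origination: the customer announces the prefix as its own, prepending its own AS.
reoriginated = Route("192.0.2.0/24", (LEAKER, LEAKER, LEAKER), "customer")
# Path-preserving leak: the true origin is still the rightmost AS in the path.
leaked = Route("192.0.2.0/24", (LEAKER, 64510, 64511, 64500), "customer")
# Legitimate short path learned from a peer.
via_peer = Route("192.0.2.0/24", (64500,), "peer")

if __name__ == "__main__":
    for name, r in [("re-originated", reoriginated), ("leaked", leaked), ("via peer", via_peer)]:
        print(f"{name:14} origin AS{r.origin} origin_valid={origin_valid(r)}")
    print("best, no filter:     ", best_path([reoriginated, via_peer]).as_path)
    kept = [r for r in (reoriginated, via_peer) if origin_valid(r)]
    print("best, origin filter: ", best_path(kept).as_path)
    print("leak vs peer:        ", best_path([leaked, via_peer]).as_path)
    print("2 prefixes, limit 1: ", accept_session([reoriginated, Route("198.51.100.0/24", (LEAKER,), "customer")], 1))
```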