anyone else seeing very long AS paths?
German Martinez wrote:
> Workaround: Configure the bgp maxas limit command in such
> a way that the maximum length of the AS path is a value below 255. When the
> router receives an update with an excessive AS path value, the prefix is
> rejected and the event is recorded in the log.
>
> This workaround has been suggested previously by Hank.
>
> Does anyone know about any possible CPU impacts in case you implement
> bgp maxas?
bgp max-as will NOT protect you from this exploit (but if you are not
vulnerable it should prevent you from propagating it).
As far as I can tell the ONLY defense for a vulnerable IOS is to not run
BGP. Dropping every received route with a filter on 0/0 does not
mitigate the attack - as soon as that bogus as-path is received the BGP
session resets, even if the route is never actually installed (and as
far as I can tell the only real effect of the "bgp maxas-limit 75" is to
cause all paths with more than 75 ASN to not be installed in the routing
table).
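
Added example, not part of the original message: a monitoring-side check for the long paths discussed in this thread. In the AS_PATH wire format (RFC 4271) each segment carries a one-byte AS count, so a path of more than 255 ASNs spans several segments; the sketch parses the raw attribute and compares its length with a limit. Assumptions: the function names are hypothetical, the sample bytes are constructed, ASNs are 2-byte unless `asn_size=4` is passed, and the length is counted with the RFC 4271 rule (an AS_SET counts as one), which is not necessarily how a given router counts for its own limit.

```python
import struct

AS_SET, AS_SEQUENCE = 1, 2  # AS_PATH segment types (RFC 4271)
_FMT = {2: "H", 4: "I"}     # 2-byte or 4-byte AS numbers

def parse_as_path(value, asn_size=2):
    """Split a raw AS_PATH attribute value into (segment_type, [asns]) tuples."""
    segments, offset = [], 0
    while offset < len(value):
        if len(value) - offset < 2:
            raise ValueError("truncated segment header")
        seg_type, count = value[offset], value[offset + 1]
        if seg_type not in (AS_SET, AS_SEQUENCE):
            raise ValueError(f"unknown segment type {seg_type}")
        offset += 2
        end = offset + count * asn_size
        if end > len(value):
            raise ValueError("segment runs past end of attribute")
        asns = struct.unpack(f"!{count}{_FMT[asn_size]}", value[offset:end])
        segments.append((seg_type, list(asns)))
        offset = end
    return segments

def path_length(segments):
    """Count every AS in an AS_SEQUENCE; a whole AS_SET counts as one."""
    return sum(len(asns) if t == AS_SEQUENCE else 1 for t, asns in segments)

def exceeds_limit(value, limit=75, asn_size=2):
    """True if the path is longer than `limit` (75 is the value quoted above)."""
    return path_length(parse_as_path(value, asn_size)) > limit

def encode_sequence(asns, asn_size=2):
    """Build constructed test input: AS_SEQUENCE segments of at most 255 ASNs."""
    out = b""
    for i in range(0, len(asns), 255):
        chunk = asns[i:i + 255]
        out += struct.pack(f"!BB{len(chunk)}{_FMT[asn_size]}",
                           AS_SEQUENCE, len(chunk), *chunk)
    return out

# Constructed samples using documentation ASNs (64496-64511).
NORMAL = encode_sequence([64496, 64497, 64498])
PREPENDED = encode_sequence([64500] * 300)

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("prepended", PREPENDED)):
        segs = parse_as_path(raw)
        print(name, "segments:", [len(a) for _, a in segs],
              "length:", path_length(segs), "over limit:", exceeds_limit(raw))
```

A check like this only reports what a collector or log feed has already received; as the message above states, filtering does not protect a vulnerable router.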