Comment by Fiveplus
4 days ago
I'm half sleepy but I liked the post. The analysis regarding path prepending really drives the accident theory home. If a state actor were trying to intercept traffic (MITM), the last thing they would do is pad the AS path multiple times because that tells the global routing table, "Don't come this way, I am the long scenic route" lol
This could be a classic fat finger config error, most likely a route map intended to manipulate traffic engineering for their own upstream links that inadvertently leaked widely because of a missing deny-all clause. Neverthless, a good reminder that BGP is still fundamentally a trust based system where a single typo in a config file can cascade globally. Never attribute to malice that which is adequately explained by a missing export filter.
> If a state actor were trying to intercept traffic (MITM), the last thing they would do is pad the AS path
That's presumptuous: A state actor would (and could trivially) pad the wrong directions to flow traffic down to pops that are not making new announcements (and thus not-implicated by cloudflare and other "journalistic" efforts).
There's also a lot between fat-fingers and deep-state: I know of some non-state actors who do this sort of thing just to fuck with ad impressions. I also doubt much usable intelligence can be gained from mere route-manipulation thing, but I do know that if it is a fat-finger, every techdude in the area was busy at that time trying to figure it out, and wasn't doing their best work twelve hours later...
> most likely a route map intended to manipulate traffic engineering for their own upstream links
...that being said, this does seem plausible: Most smaller multihomed sites I've seen (and a few big ones!) have some kind of adhoc health monitoring/rebalance function that snmp or something and does autoexpect/curl or something-else to the router to run some (probably broken) script, because even if your uplinks are symmetrical, the rest of the Internet isn't, so route-stuffing remains the best way to manipulate ingress traffic.
> Never attribute to malice that which is adequately explained by a missing export filter.
As soon as I peer with two big sites that don't peer directly with each-other, they both gotta let me forward announcements unfiltered across them. Once I have a third, I have a legitimate need to manipulate my own ingress.
The problems with the BGP are legion, and not just one thing that prevents BGP and security from sharing time in a sentence.
> A state actor would (and could trivially) pad the wrong directions
This isn't how BGP works. An AS-PATH isn't the path the traffic will follow; it's the path that this overall announcement has allegedly tranversed and is (one of many attributes) used to judge the quality of route. The next hop tells our peer where they should send the data if they like this route.
Putting more things in the AS path makes the route less attractive. Leaking a new route isn't going to magically make some other route become more preferred.
You're spot on regarding the mechanics. It's important to reinforce that in BGP, AS-PATH length is a cost metric and not a steering wheel.
Actually many networks will prefer routing over a cheap AS path no matter how long it is.
3 replies →
[dead]
> This isn't how BGP works
This is exactly how BGP works.
https://bgplabs.net/policy/7-prepend/
> Leaking a new route isn't going to magically make some other route become more preferred.
Not magic, but technology can look like magic when you don't understand it.
7 replies →