Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Something is amiss with the Interwebs! BGP is a flapping.

[Update] See for a good summary of what happened.


Tuesday Morning, various networks experienced outages from 4-6am EDT (8-10am UTC) [1]. I appears the outage was the result of a somewhat anticipated problem with older routers and their inability to deal with the ever increasing size of the Internet's routing table.

These BGP routers need to store a map of the internet defining which IP address range belongs to which network. Due to the increasing scarcity of IPv4 space, registrars and ISPs assign smaller and smaller netblocks to customers, leading to a more and more fragmented topology. Many older routers are limited to store 512k entries, and the Internet's routing table has become large enough to reach this limit. Tuesday morning, it appears to have exceeded this limit for a short time [2][3].

The large number of route announcements, and immediate removals shown in [2] could indicate a malicious intend behind this events (or a simple configuration error), but either way likely point to one entity "pushing" the size of the routing table beyond the 512k limit briefly. At around this time, one larger ISP (Windstream, AS7029) recovered from an unrelated outage and routing changes due to the recovery are one suspect that may have triggered the event.

Vendors published guidance for users of older routers how to avoid this issue [5]. This guidance has been available for a while. Please contact your vendor if you are affected. You may also want to consider upgrading your router. The routing table is likely going to get larger over the next few years until networks rely less on IPv4 and take advantage of IPv6.


[2] (see the spike in deltas around that time)
[3]  (note how close it is to 512k and rising)

Adrien de Beaupré Inc.
My SANS Teaching Schedule

I will be teaching next: Enterprise and Cloud | Threat and Vulnerability Assessment - SANS Secure Japan 2022

Adrien de Beaupre

353 Posts
ISC Handler
Aug 12th 2014
Apparently some routers have a hardware BGP FIB cap of 512K.
Tinfoil hat time...

57 Posts

Sign Up for Free or Log In to start participating in the conversation!