Monday, December 27, 2004

BGP: Control route flaps using damping

Again, another BGP hint...

As a result of link failures and restorations, router reloads, and other events, repeated route withdrawals and re-announcements may occur. This instability, often referred to as flapping, imposes a processing burden on BGP routers, as they must process the flaps by repeatedly updating the route table and propagating the changes to their peers.

RFC 2439 describes a solution, called route flap damping, or sometimes also called dampening. The algorithm described in this RFC is based on assigning a penalty to each route flap. When the penalty exceeds a configured limit, the prefix will be suppressed. Further withdrawals and re-announcements of the prefix will not be accepted, nor propagated to peers. The penalty value will decay over time, so that eventually the prefix will be accepted again.
As a result, a few flaps in a short time, or multiple flaps over a longer period, will not cause a prefix to be suppressed, but multiple flaps in a short time will cause a prefix to be temporarily suppressed. The more unstable a prefix is, the longer it will be suppressed.
The RIPE Routing working group has published recommendations for setting appropriate configuration parameters for route flap damping. The document recommends starting to damp a prefix after 4 consecutive flaps in a row.
The proposed decay values are dependent on prefix length. For short prefixes (/21 and shorter), the maximum time a prefix is suppressed is 30 minutes, for /22 and /23, it is 45 minutes, whereas /24 and longer prefixes can be suppressed for 60 minutes. In addition, several prefixes, such as the DNS root servers, should never be suppressed. These are called golden networks in the document.
The golden networks web page also shows example configuration fragments for Cisco and Juniper routers based on the parameters recommended by the RIPE routing work group. The open source Zebra routing suite cannot be configured to do prefix length based damping. If you use Zebra, you can only configure a single damping policy.
However, not everyone is convinced that route flap damping is actually beneficial to global BGP stability. In a presentation given at the October 2002 NANOG meeting, Randy Bush, Tim Griffin and Zhuoqing Morley Mao show that even a single withdrawal/re-announcement can be observed as multiple flaps across the internet.
As a result, even minor instabilities may lead to prefixes being suppressed. Since it is hard to see whether your prefix is being suppressed by another party, these situations may be hard to debug.
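To make the penalty/decay mechanism concrete, here is an added simulation of RFC 2439 style damping (written for this post, not taken from the RFC, RIPE or any router vendor). Only the 30/45/60 minute maximum suppress times per prefix length come from the text; the per-flap penalty, half-life and suppress/reuse thresholds are assumed illustrative values in Cisco-style units, chosen so that four flaps in quick succession trigger suppression while the same four flaps spread over hours do not.

```python
"""Route flap damping (RFC 2439 style): a penalty per flap, exponential decay,
suppress/reuse thresholds and a prefix-length-dependent maximum suppress time.
Thresholds, half-life and per-flap penalty are ASSUMED illustrative values;
only the 30/45/60 minute ceilings come from the RIPE recommendation above."""
from dataclasses import dataclass

FLAP_PENALTY = 1000      # assumed: penalty added on each withdrawal
HALF_LIFE_MIN = 10.0     # assumed: minutes for the penalty to halve
SUPPRESS_LIMIT = 3000    # assumed: penalty above which the prefix is suppressed
REUSE_LIMIT = 750        # assumed: penalty below which it is re-advertised


def max_suppress_minutes(prefix_len: int) -> int:
    """RIPE recommendation quoted above: longer prefixes may be held longer."""
    if prefix_len <= 21:
        return 30
    if prefix_len <= 23:
        return 45
    return 60


@dataclass
class DampedPrefix:
    prefix_len: int
    penalty: float = 0.0
    last_update: float = 0.0   # time of the last flap, in minutes
    suppressed: bool = False

    def decayed_penalty(self, now: float) -> float:
        """Exponential decay: the penalty halves every HALF_LIFE_MIN minutes."""
        return self.penalty * 2 ** (-(now - self.last_update) / HALF_LIFE_MIN)

    def flap(self, now: float) -> None:
        """Record a withdrawal/re-announcement at time `now` (minutes)."""
        penalty = self.decayed_penalty(now) + FLAP_PENALTY
        # The ceiling bounds the suppression time: a penalty of
        # reuse * 2^(max / half_life) decays to reuse in exactly max minutes.
        max_minutes = max_suppress_minutes(self.prefix_len)
        ceiling = REUSE_LIMIT * 2 ** (max_minutes / HALF_LIFE_MIN)
        self.penalty = min(penalty, ceiling)
        self.last_update = now
        if self.penalty > SUPPRESS_LIMIT:
            self.suppressed = True

    def is_suppressed(self, now: float) -> bool:
        """True while the route is withheld from the table and from peers."""
        if self.suppressed and self.decayed_penalty(now) < REUSE_LIMIT:
            self.suppressed = False   # decayed below reuse: accept it again
        return self.suppressed
```

Note that with a 30 minute ceiling and a 10 minute half-life the penalty can never exceed 8 times the reuse limit, so a short prefix is released within 30 minutes of its last flap no matter how often it flapped.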


Server Load Average Explained

A useful indicator of how 'busy' or 'loaded' your Web server is, the server load average is used to help server administrators monitor server performance and take corrective action to reduce the load. How are the average server load numbers interpreted? How do you monitor server load over time using scripts and/or software? What are the possible causes of high server load? All is revealed, along with useful resources to further your understanding of server load average.

Recently, I read the article about web server load from HostProno and found it useful to post here, but because it isn't one of my own projects, I link to the original.

Exploit code release may mean an unhappy Windows Christmas

Exploit code has been released for two flaws in Windows at a time of year when many IT departments may be too short-staffed to cope

A Chinese security group has released sample code to exploit two new unpatched flaws in Microsoft Windows.

The advisory comes in the week before Christmas, a time when many companies and home users are least prepared to deal with the problems. Security firm Symantec warned its clients of the vulnerabilities on Thursday, after the Chinese company that found the flaws published them to the Internet.

One vulnerability, in the operating system's LoadImage function, could enable an attacker to compromise a victim's PC when the computer displays a specially crafted image placed on a Web site or in an email. The other vulnerability, in the Windows Help program, likewise could affect any program that opens a Help file.
Because the flaws are in a library used by Windows programs, almost all browsers and email clients are likely affected by the flaws, said Alfred Huger, senior director of engineering at Symantec.
"They are rather serious," Huger said. "Both can be exploited by anything that processes images or reads help files."
Because the flaws were accompanied by exploit code that shows how to take advantage of the security holes, Huger expected the exploits to be quickly incorporated into the tools of malicious Internet users.
"The fact that there is an exploit out there is very concerning," he said. "I think you will see it in phishing scams and spyware in very short order."
A mass-mailing computer virus could also quickly begin using the vulnerabilities to spread.
Microsoft could not immediately be reached for comment on the issues.

Tuesday, December 21, 2004

NASA hacker jailed for six months

A US man has been jailed for six months for a 2001 attack on the web systems of space agency NASA which cost $200,000 to fix.

Gregory Aaron Herns, 21, from Portland, Oregon, hacked into the network at NASA's Goddard Space Flight Center to store movies he had downloaded. The intrusion caused systems to crash and took technicians hours to fix, according to reports. In court last Friday, Herns admitted his guilt and apologised for the inconvenience he caused.

Cisco to buy Protego Networks for about $65 million in cash

SAN JOSE, Calif. (Dow Jones/AP) -- Cisco Systems Inc. said it will buy privately held Protego Networks Inc. for about $65 million in cash.

Protego, based in Sunnyvale, Calif., provides security monitoring and threat management products.
Computer networking giant Cisco on Monday said the ability of Protego's products to detect, correlate and mitigate threats extends Cisco's Self-Defending Network initiative.
The Self-Defending Network initiative attempts to build security capabilities directly into a computer network.
The acquisition, which is subject to various standard closing conditions, is expected to close in the quarter ending Jan. 29.
Protego and Cisco have worked together to sell security products.
Protego, which has 38 employees, will be integrated into Cisco's Security Technology Group.
Shares of San Jose-based Cisco closed Monday at $19.05, up 6 cents, on the Nasdaq Stock Market.

Google: We've fixed desktop search tool flaw

The vulnerability in Google's desktop search application could have compromised users' security.

Google has fixed a flaw that allowed hackers to search the contents of a PC running its desktop search tool.
According to a statement from the Web search company on Monday, it has rolled out a fix for the vulnerability that a US computer scientist and two of his students found in the tool in late November. "We were made aware of this vulnerability with the Google Desktop Search software and have since fixed the problem so that all current and future users are secure," said a Google spokeswoman.

Dan Wallach, an assistant professor of computer science at Rice University, discovered the vulnerability while working with graduate students Seth Fogarty and Seth Nielson. Wallach describes it as a composition flaw -- where a security weakness is caused by the interaction of several separate components.
According to The New York Times, which first reported the discovery of the vulnerability, Wallach, Fogarty and Nielson found that the Google desktop tool looks for traffic that appears to be going to Google.com and then inserts results from a user's hard disk for a particular search.

They managed to trick the Google desktop search program into inserting those results into other Web pages where an attacker could read them. This would only work after a user had visited an attacker's Web site, upon which a Java program (as created by the Rice group) would be able to fool the Google desktop software into providing the user's search information. The program was able to do anything with the results, including transmitting them back to the attacking site.

Hotmail moves to Trend Micro for antivirus

The email service, with 187 million users worldwide, is to move away from McAfee to Trend Micro for its antivirus scanning and protection...

MSN's Hotmail service, which has almost 200 million users worldwide, has dumped McAfee as its antivirus partner in favour of rival Trend Micro.

According to Microsoft, emails and attachments sent or received by any of Hotmail's 187 million Web mail customers will from Monday be scanned and cleaned in real time by Trend Micro's antivirus software. Hotmail's antivirus service was previously provided by McAfee and the reason for the change is unclear. However, Martin Hoffman, chief executive of ninemsn, which operates Hotmail in Australia and is half owned by Microsoft, said in a statement that Hotmail will be able to provide a "safer online experience" using Trend Micro's products because they provide "deeper antivirus protection".