Obsolete BGP Attributes in the LACNIC Region

This flaw was classified as a vulnerability, and the need to maintain consistency in BGP implementations considering the state of obsolete attributes was highlighted to avoid similar disruptions in the future.

List of devices vulnerable to attacks with malformed BGP attributes:

• CVE-2023-4481 (Juniper)
• CVE-2023-38802 (FRR)
• CVE-2023-38283 (OpenBGPd)
• CVE-2023-40457 (EXOS)

Analysis of Obsolete Attributes in the LACNIC Region

LACNIC conducted a study on the presence of obsolete attributes in BGP announcements observed by the LACNIC collector (RRC24) between October 2022 and October 2024. BVIEWS and UPDATES files were analyzed separately.

BVIEWS Analysis

Results revealed the presence of three obsolete attributes:

• No. 20: Connector Attribute
• No. 21: AS_PATHLIMIT
• No. 243: Deprecated [RFC8093]

Sixteen different ASNs were identified as origins of the announcements containing these obsolete attributes. The graph shows an increase in the number of announcements with attribute 21 towards the end of the period.

When analyzing the number of announcements for each ASN individually, it was observed that three ASNs began announcing with attribute 21 starting on 21 August 2024. Additionally, a fourth ASN showed a significant increase in announcements around the same dates, contributing to the overall increase.

Announcements with attribute No. 28 (Entropy Label) were not found in the data obtained from the BVIEWS, which is mentioned in the articles that originated this analysis. Therefore, we decided to analyze the UPDATES messages for the same period.

UPDATES Analysis

Results revealed the presence of three obsolete attributes:

• No. 20: Connector Attribute
• No. 21: AS_PATHLIMIT
• No. 28: Entropy Label
• No. 243: Unidentified

The number of updates with each of the obsolete attributes mentioned above observed during the period that was considered is shown below.

For attribute No. 20, a high variability in the number of updates was observed, with peaks ranging from 200 to 750 per day. On 11 June 2023, there was a peak of more than 26,000 updates.

In the case of attribute No. 21, an increase in the number of update messages can be noticed since the start of October 2022. The peak of 1,170 updates occurred on 1^st February 2024.

As for attribute No. 243, its presence was observed for approximately one year within the period considered from 8 December 2022 to 13 November 2023, as illustrated in the image below:

Finally, attribute No. 28, which, as mentioned earlier, was classified as a vulnerability by CMU. In the case of the LACNIC RRC24 collector, this attribute was rare, as shown in the following image:

In the case of UPDATE messages, 23 ASNs were identified as the origin of announcements with obsolete attributes from 11 different countries, including Argentina and Brazil in the LACNIC region.

The table below shows the number of UPDATE messages with obsolete attributes by country of the originating ASN:

Mitigation

To mitigate the risks associated with UPDATE messages containing obsolete attributes, BGP implementations must support RFC 7606. This recommendation provides guidelines on how to handle errors in UPDATE messages without restarting the entire BGP session, ensuring greater stability when dealing with unknown or unimplemented attributes.

Some vendors enable this error handling by default, while others require it to be manually enabled.

Configuration Examples:

Juniper
set protocols bgp bgp-error-tolerance

Nokia
[router bgp group]
error-handling update-fault-tolerance

Details for other vendors can be found in the references listed below.

Implementing these mitigation strategies helps strengthen the resilience and security of BGP routing, minimizing the risk of disruptions and improving long-term connectivity stability.

References

https://www.kb.cert.org/vuls/id/347067

https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling