Hello, welcome to the Monday, August 31st, 2020 edition of the Sands Internet Storm Center's

Stormcast. My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Sunday morning, we had a large outage at Sand TrayLink that caused many large sites across the internet

to no longer be reachable.

A fact that were sides, for example, behind Cloudflare, behind Imperva, also Open DNS.

We heard some users where they had problems reaching their service.

A lot of it did not necessarily depend on these services themselves, but also how different

customers reached these services and if Central Link was involved in that connection. In particular,

connections between the US and Europe appear to be quite heavily affected by this outage.

Of course, it's a little bit too early to expect a full post-mortem from CentralLink about this outage, but there are a number of

things that CenturyLink and others announced to put together some of the pieces as to what

happened. Cloudflare probably at this point has the best summary of these events.

It all started around 10 a.m. UTC on Sunday. That's about 6 a.m. Eastern Daylight Savings

time. And according to Cloudflare, they essentially first noticed that Cloudflare wasn't able to reach

some of its customers for which they are proxying connections.

So the result was that Cloudflare responded with 522 errors and that then sort of started

Cloudflare to investigate things further. The core of the problem was

AS 3356. Now if you look this up in some who is data, you may get level three back, but level

three was purchased by CenturyLink, so this is now a CenturyLink network.

According to CenturyLink, the root cause was a bad FlowSpec rule.

Now, FlowSpec is an extension to BGP, the Border Gateway Protocol, that regulates routing

across the internet.

...