  • PolarEdge refers to a covert cyber espionage infrastructure attributed to China-linked advanced persistent threat (APT) actors. It is a large-scale, stealthy network of compromised internet-connected devices—primarily routers and IoT devices—used to facilitate cyber operations globally.
    Key Features of PolarEdge
    • Operational Relay Box (ORB) Network: PolarEdge is an ORB network, meaning it uses compromised devices as relay points to route malicious traffic, hide the origin of cyber operations, and maintain persistence without disrupting the normal function of the infected devices.
    • Scale and Activity: As of 2025, PolarEdge reportedly consists of over 2,000 infected routers and IoT devices, and has been active since at least 2023.
    • Stealth and Flexibility: Unlike traditional botnets, ORB networks like PolarEdge are designed for long-term, stealthy operations. The infected devices continue to operate normally, making detection and attribution difficult.
    • Purpose: The infrastructure is used to provide operational cover for malicious activity, including espionage campaigns, rather than for launching disruptive cyberattacks.
    • Targeting: The campaign has focused on specific countries and geographies, including the United States and parts of Asia, and has targeted sectors such as real estate, IT, networking, and media.
    • Attribution: Security researchers have linked PolarEdge to Chinese APT groups, including those associated with Volt Typhoon, Flax Typhoon, Earth Estries, and Dalbit.
    How PolarEdge Operates
    • Compromise: Threat actors exploit known vulnerabilities in routers and IoT devices to gain initial access.
    • Persistence: They deploy backdoors and open-source tools to maintain long-term access and control.
    • Espionage: The infrastructure is used to relay traffic, harvest credentials, and support other post-compromise operations, all while remaining largely undetected.
  • POP3 (Post Office Protocol version 3) is an application-layer Internet standard protocol used by email clients to retrieve email messages from a remote mail server over a TCP/IP connection. It is the third and most widely adopted version of the Post Office Protocol, defined in RFC 1939. The email client (such as Microsoft Outlook, Mozilla Thunderbird, or Apple Mail) connects to the mail server using POP3, typically over TCP port 110 for unencrypted connections or port 995 for SSL/TLS encrypted connections. The client authenticates with a username and password. The session ends when the client disconnects, and any messages marked for deletion are removed from the server.
  • A port scan is a series of messages sent by someone attempting to break into a computer in order to learn which network services, each associated with a "well-known" port number, the computer provides. Port scanning, a favorite approach of computer crackers, gives the assailant an idea of where to probe for weaknesses. Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is in use and can therefore be probed for weaknesses.
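    The defender's side of the entry above is spotting that "one message per port" pattern in connection logs. The following is an added example, not part of the original glossary: it runs a simple sliding-window rule over a constructed log sample (documentation-range addresses, invented timestamps) and flags any source that touches more than a threshold of distinct ports on one host within the window. Field layout, window and threshold are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed connection-log sample (invented; addresses are from documentation ranges).
# Columns: timestamp  source-IP  destination-IP  destination-port  flags
SAMPLE_LOG = """\
2024-05-01T10:00:00 198.51.100.7 203.0.113.10 22 SYN
2024-05-01T10:00:00 198.51.100.7 203.0.113.10 23 SYN
2024-05-01T10:00:01 198.51.100.7 203.0.113.10 25 SYN
2024-05-01T10:00:01 198.51.100.7 203.0.113.10 80 SYN
2024-05-01T10:00:02 198.51.100.7 203.0.113.10 110 SYN
2024-05-01T10:00:02 198.51.100.7 203.0.113.10 143 SYN
2024-05-01T10:00:03 198.51.100.7 203.0.113.10 443 SYN
2024-05-01T10:00:03 198.51.100.7 203.0.113.10 3389 SYN
2024-05-01T10:00:10 192.0.2.44 203.0.113.10 443 SYN
2024-05-01T10:00:11 192.0.2.44 203.0.113.10 443 SYN
2024-05-01T10:05:00 192.0.2.44 203.0.113.10 80 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, flags)."""
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def detect_port_scans(log_text, window_seconds=60, threshold=5):
    """Flag (source, destination) pairs where a single source probed more than
    `threshold` distinct destination ports on one host within `window_seconds`.
    Returns {(src, dst): sorted list of every port that source touched on dst}."""
    window = timedelta(seconds=window_seconds)
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())

    by_pair = defaultdict(list)            # (src, dst) -> [(ts, port), ...] in time order
    for ts, src, dst, port, _flags in events:
        by_pair[(src, dst)].append((ts, port))

    alerts = {}
    for pair, hits in by_pair.items():
        start = 0
        for end in range(len(hits)):       # slide a time window over this pair's events
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {port for _, port in hits[start:end + 1]}
            if len(distinct) > threshold:
                alerts[pair] = sorted({port for _, port in hits})
                break                      # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan: {src} -> {dst} probed ports {ports}")
```

    The second source in the sample only revisits 443 and later touches 80 five minutes apart, so it stays below the threshold within a 60-second window; widening the window is what would surface a slow scan, at the cost of more false positives from normal multi-service clients.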
  • The Point-to-Point Protocol (PPP) is a data link layer (Layer 2) communication protocol designed to establish a direct connection between two network nodes, such as routers or computers, over a serial or point-to-point link. PPP is widely recognized for its role in enabling dial-up internet access and continues to be used in various network types, including DSL and VPN connections. PPP can encapsulate and transport multiple network layer protocols, such as IP, IPX, and AppleTalk, making it highly versatile for different network environments. It includes mechanisms for error detection and correction to ensure reliable data transmission. PPP supports several authentication methods, including Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), and Extensible Authentication Protocol (EAP), offering varying levels of security for verifying the identity of connected devices. PPP uses the Link Control Protocol (LCP) to establish, configure, test, and manage the data link connection. Network Control Protocols (NCPs) are used to negotiate and configure the network layer protocols that will be carried over the PPP link, such as IPCP for IP traffic. PPP can compress data for faster transmission and combine multiple physical links into a single logical link to increase bandwidth.
  • PPTP (Point-to-Point Tunneling Protocol) is a network protocol designed to implement virtual private networks (VPNs) by creating a secure tunnel for data transmission between a remote client and a server over the internet. Developed in the 1990s by a consortium led by Microsoft, PPTP was one of the earliest protocols used for VPNs and played a significant role in enabling private, remote access to networks. PPTP establishes a tunnel between a VPN client and a VPN server by encapsulating data packets within a Point-to-Point Protocol (PPP) frame, which is then further wrapped in a Generic Routing Encapsulation (GRE) header. It uses TCP port 1723 to set up a control channel for managing VPN sessions, while the actual data transmission occurs over the GRE tunnel. Authentication is typically handled by protocols like MS-CHAPv2, and data encryption is provided by Microsoft Point-to-Point Encryption (MPPE), which uses the RC4 stream cipher. PPTP supports both voluntary (client-initiated) and compulsory (server-initiated) tunneling modes.
  • Predatory Sparrow (Farsi: Gonjeshke Darande) is a highly sophisticated hacking group known for executing politically motivated cyberattacks against Iranian targets. The group is widely reported to have links to Israel, though the Israeli government has never officially acknowledged any connection.
    Notable Operations
    Nobitex Crypto Exchange Hack (June 2025)
    • Predatory Sparrow claimed responsibility for hacking Nobitex, Iran’s largest cryptocurrency exchange, siphoning and destroying nearly $90 million in various cryptocurrencies. The funds were sent to blockchain wallets with anti-government slogans and then irreversibly burned, signaling a political rather than financial motive.
    • The group accused Nobitex of helping the Iranian government evade sanctions and fund militant groups.
    • Following the hack, Predatory Sparrow also released the exchange’s source code, exposing further vulnerabilities.
    Bank Sepah Attack (June 2025)
    • Just before the Nobitex breach, the group claimed to have destroyed data at Iran’s state-owned Bank Sepah, targeting the institution for allegedly financing Iranian military operations.
    Past Attacks
    • 2021: Linked to a cyberattack that paralyzed gas stations across Iran.
    • 2022: Claimed responsibility for an attack on an Iranian steel mill that caused a significant fire and physical damage, an incident rare for its real-world impact.
    Tactics and Motivations
    • Political Messaging: Predatory Sparrow’s operations are characterized by their overt political messaging, often targeting institutions linked to the Iranian regime or its military apparatus. Their attacks are designed to disrupt, embarrass, and weaken the Iranian state, especially in the context of ongoing conflict and sanctions.
    • Destructive Techniques: The group has a track record of not just stealing data or funds but also destroying them—either by wiping data or burning cryptocurrency assets—making recovery impossible and maximizing disruption.
    • Public Disclosure: They often publicize their exploits on social media, sometimes leaking stolen data or source code to further damage their targets and expose vulnerabilities.
  • Process injection is a sophisticated and widely used technique in cybersecurity where an attacker injects and executes malicious code within the address space of a legitimate, running process. By leveraging the trusted context of these legitimate processes, adversaries can evade detection, escalate privileges, and maintain persistence on a compromised system.
    How Process Injection Works
    • Target Selection: The attacker identifies a running process, often one with elevated privileges or one that is allow-listed by security tools (e.g., svchost.exe, rundll32.exe).
    • Memory Manipulation: The attacker allocates memory in the target process and writes their malicious code into this space using system APIs (e.g., OpenProcess(), VirtualAllocEx(), WriteProcessMemory()).
    • Execution Trigger: The attacker initiates execution of the injected code, often by creating a new thread in the target process (CreateRemoteThread()) or hijacking an existing thread.
    • Stealth and Evasion: The malicious code runs under the privileges and identity of the legitimate process, making it difficult for security tools to detect the intrusion since the process itself appears normal.
    Why Attackers Use Process Injection
    • Defense Evasion: Since the code runs inside a trusted process, it avoids detection by antivirus and endpoint security solutions that typically monitor new or untrusted processes.
    • Privilege Escalation: If the targeted process has higher privileges, the injected code inherits these, allowing attackers to perform actions that would otherwise be restricted.
    • Persistence: Attackers can maintain long-term access by hiding their code within processes that are always running or are critical to the operating system.
    • Lateral Movement: Process injection can facilitate movement across a network by leveraging the access rights of the compromised process.
    Detection and Prevention
    • Behavioral Monitoring: Watch for unusual memory allocations, thread creations, and process manipulations.
    • Memory Protection: Use security solutions that monitor in-memory activity, not just files on disk.
    • Access Controls: Restrict permissions to prevent unauthorized process manipulation.
    • Endpoint Detection and Response (EDR): Advanced tools can detect suspicious process injection patterns and respond in real time.
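    The "behavioral monitoring" item above comes down to scoring cross-process thread creations. The following is an added example, not code from the original glossary: it applies a small scoring rule to constructed records shaped like Sysmon Event ID 8 (CreateRemoteThread) with its real field names SourceImage, TargetImage, StartModule and StartFunction. The sample paths, the allow-list of known legitimate injectors and the alert threshold are all assumptions; a real deployment would derive them from its own baseline.

```python
# Constructed thread-creation records using the field names Sysmon emits for
# Event ID 8 (CreateRemoteThread). Paths and values are invented samples.
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\App\app.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrInitializeThunk"},
    {"SourceImage": r"C:\Users\bob\Downloads\invoice.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": "", "StartFunction": ""},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "TargetImage": r"C:\Windows\System32\rundll32.exe",
     "StartModule": r"C:\Windows\System32\kernel32.dll", "StartFunction": "LoadLibraryA"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
]

# Assumed allow-list: Windows components that routinely create threads in other
# processes (tune from your own environment's baseline).
KNOWN_INJECTORS = {"csrss.exe", "werfault.exe", "wmiprvse.exe"}
# Host processes the entry above names as common injection targets.
SENSITIVE_TARGETS = {"svchost.exe", "rundll32.exe", "explorer.exe", "lsass.exe"}
# Path fragments that indicate a user-writable location (assumed list).
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\")
ALERT_THRESHOLD = 3


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons) for one CreateRemoteThread record."""
    reasons = []
    src, tgt = basename(ev["SourceImage"]), basename(ev["TargetImage"])
    if src not in KNOWN_INJECTORS:
        reasons.append((1, "source is not a known legitimate thread injector"))
    if any(frag in ev["SourceImage"].lower() for frag in USER_WRITABLE):
        reasons.append((2, "source binary runs from a user-writable path"))
    if tgt in SENSITIVE_TARGETS:
        reasons.append((1, f"target {tgt} is a commonly abused host process"))
    if not ev["StartModule"]:
        reasons.append((3, "thread start address is not backed by any loaded module"))
    if ev["StartFunction"] in ("LoadLibraryA", "LoadLibraryW"):
        reasons.append((2, "thread starts at LoadLibrary (DLL-injection pattern)"))
    return sum(w for w, _ in reasons), [text for _, text in reasons]


def analyze(events, threshold=ALERT_THRESHOLD):
    """Return [(index, score, reasons)] for every event at or above the threshold."""
    alerts = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append((i, score, reasons))
    return alerts


if __name__ == "__main__":
    for i, score, reasons in analyze(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"[{score}] {ev['SourceImage']} -> {ev['TargetImage']}: {'; '.join(reasons)}")
```

    The fourth record (svchost.exe creating a thread in another svchost.exe) scores below the threshold on purpose: it is unusual enough to note but not, by itself, enough to page someone. Weighting and thresholds are where the real tuning work lives.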
  • Prometei is a sophisticated, modular malware family that operates as a botnet, primarily targeting both Windows and Linux systems for illicit cryptocurrency mining (focusing on Monero), credential theft, and other malicious activities. First identified in 2020, with evidence of earlier variants dating back to 2016, Prometei has evolved significantly, with its latest versions demonstrating advanced persistence, lateral movement, and evasion capabilities.
    Modular Architecture
    • Prometei is built from multiple independent modules, each responsible for specific tasks such as brute-forcing credentials, exploiting vulnerabilities, mining cryptocurrency, stealing data, and maintaining command-and-control (C2) communications.
    • This design allows the botnet to adapt quickly: individual modules can be updated or replaced without disrupting the overall operation.
    Cross-Platform Targeting
    • Early versions focused on Windows, but since late 2020, Linux variants have become prominent, especially in recent campaigns.
    • The malware is distributed as 64-bit ELF binaries for Linux and PE files for Windows, often packed with tools like UPX to evade detection.
    Propagation and Infection Methods
    • Prometei spreads by exploiting well-known vulnerabilities, including:
      • EternalBlue (SMB protocol exploit)
      • BlueKeep (RDP vulnerability)
      • Microsoft Exchange vulnerabilities (e.g., ProxyLogon, ProxyNotShell)
    • It also uses brute-force attacks against RDP, SMB, and SSH services to gain initial access.
    Command-and-Control (C2) Infrastructure
    • Relies on a Domain Generation Algorithm (DGA) to dynamically generate domains for C2 communication, making it resilient against domain takedowns.
    • Maintains persistence via scheduled tasks, services, and web shells (e.g., Apache with a PHP web shell).
    Self-Updating and Evasion
    • Prometei can self-update its modules, allowing it to adapt to new security measures and evade detection.
    • Uses obfuscation techniques, such as compressing payloads and encoding commands in Base64.
    Symptoms of Infection
    • Noticeable system slowdowns and overheating
    • Unexpectedly high electricity bills (due to mining)
    • Unrecognized processes or services running
    • Persistent high network activity
    • Rapid battery drain on laptops
  • Proof of Concept (POC) is an early-stage experiment or demonstration designed to verify that a program, product, system, or idea is feasible and can work effectively in real-world conditions before full-scale development or deployment begins. It aims to prove that the concept is viable technically and practically, reducing the risks associated with investing time, money, and resources into a project that might fail.
    Key Aspects of a POC
    • Purpose: To validate that an idea or solution can be built and will work as intended in practice, addressing real problems or needs.
    • Scope: Typically small-scale and focused on critical aspects of the concept rather than producing a finished product.
    • Outcome: Provides evidence of feasibility, helps identify potential challenges, and informs decision-making on whether to proceed with full development.
    • Difference from Demos and Prototypes: Unlike demos that showcase features or prototypes that simulate functionality, a POC focuses specifically on proving the concept’s viability and feasibility.
    Why POCs are Important
    • Risk Reduction: Avoids costly failures by testing assumptions early.
    • Resource Efficiency: Ensures that time and money are invested only in viable projects.
    • Stakeholder Confidence: Builds trust among investors, clients, and teams by demonstrating potential success.
    • Better Planning: Reveals technical or market challenges early, allowing course corrections before full-scale development.
    Typical Use Cases
    • Testing new technologies or innovative ideas.
    • Validating solutions to specific technical problems.
    • Assessing market demand or return on investment potential.
    • Informing project scope, requirements, and resource allocation.
    Example in Software Development: Before building a complete software product, a POC might involve creating a minimal implementation or prototype to verify that the software can solve the identified problem, work with existing systems, or meet performance criteria. Feedback from this stage guides further development and investment decisions.
  • A proxy, in computer networking, is an intermediary server or application that sits between a client (such as your computer or web browser) and the server providing a resource (such as a website or file). When you use a proxy, your requests for resources are sent to the proxy server first, which then forwards those requests to the destination server. The proxy receives the response and relays it back to you, effectively acting as a go-between for network traffic. Proxies can mask your IP address, making it harder for destination servers to identify your device or location. By filtering traffic and hiding internal network details, proxies can help protect against cyberattacks and unauthorized access. Proxies can distribute network requests to balance the load across multiple servers, improving performance and reliability. Organizations often use proxies to enforce internet usage policies, block access to certain websites, or monitor traffic. Proxies can store copies of frequently accessed resources, speeding up access and reducing bandwidth usage.
  • QakBot (also known as Qbot or Pinkslipbot) is a sophisticated malware that originated in 2008 as a banking trojan but evolved into a multi-purpose cybercriminal tool.
    Core Capabilities
    • Financial data theft: Steals banking credentials, credit card details, and personal data through browser cache scanning and keylogging.
    • Network propagation: Spreads laterally via network shares, PowerShell scripts, and the Mimikatz exploit kit to compromise entire networks.
    • Modular payload delivery: Acts as a gateway for ransomware (Conti, Black Basta, REvil) and tools like Cobalt Strike or Brute Ratel.
    • Email hijacking: Harvests email credentials to create convincing phishing threads for further attacks.
  • Qilin is a Russian-speaking cybercrime organization and ransomware-as-a-service (RaaS) group that first emerged in July/August 2022, initially operating under the name “Agenda” before rebranding as Qilin. The group is known for its sophisticated and aggressive tactics, targeting organizations across multiple sectors—especially healthcare, manufacturing, education, and critical infrastructure—in countries including the UK, US, Canada, France, Japan, Brazil, and others. Key Features and Tactics: Qilin provides affiliates with customizable ransomware tools and infrastructure, taking a 15–20% cut of ransom payments. The group exfiltrates sensitive data before encrypting systems, then threatens to release the stolen data unless a ransom is paid—sometimes publishing data even if the ransom is paid. Qilin uses kernel-level exploits, process injection, and Bring-Your-Own-Vulnerable-Driver (BYOVD) methods to bypass and disable security controls. Initial access is typically gained through compromised VPNs, phishing emails, or exploiting vulnerabilities in exposed services (e.g., Fortinet devices). Persistence is achieved via scheduled tasks, group policy manipulation, and registry run key modifications. Notably, Qilin affiliates can tailor ransomware payloads for specific targets, adjust ransom amounts, and control deployment timing.
  • RansomHub is a ransomware-as-a-service (RaaS) platform that first appeared in February 2024. It quickly became one of the most prolific ransomware groups, filling the void left by LockBit’s law enforcement setbacks and BlackCat/ALPHV’s dissolution. RansomHub attracted experienced affiliates—many formerly with LockBit and BlackCat—by offering a more affiliate-friendly payment model, where affiliates control ransom payments and remit only a 10% commission to the core group, reducing the risk of “exit scams” that plagued previous syndicates.
  • A ransomware attack is a type of cyberattack in which malicious software (malware) is used to block access to a victim’s files, systems, or entire networks by encrypting data or locking devices. The attacker then demands a ransom payment—usually in cryptocurrency—to provide a decryption key or restore access. Ransomware attacks typically follow these stages: (1) Infection: The malware gains entry to a computer or network, often through phishing emails, malicious attachments, compromised websites, or exploiting vulnerabilities in remote access services like Remote Desktop Protocol (RDP). (2) Establishing Foothold: Attackers may install additional malware or create backdoors to maintain access and evade detection. (3) Encryption or Lockdown: Once inside, the ransomware encrypts files or locks the system, making data inaccessible to the victim. (4) Ransom Demand: The victim receives a ransom note with instructions on how to pay—commonly in Bitcoin or other cryptocurrencies—to regain access. Some modern ransomware also threatens to leak stolen data if the ransom is not paid (double extortion).
  • RARP (Reverse Address Resolution Protocol) is a protocol by which a physical machine in a local area network can request to learn its IP address from a gateway server's Address Resolution Protocol table or cache. A network administrator creates a table in the local area network's gateway router that maps physical machine (Media Access Control, MAC) addresses to the corresponding Internet Protocol addresses. When a new machine is set up, its RARP client program requests from the RARP server on the router to be sent its IP address. Assuming that an entry has been set up in the router table, the RARP server will return the IP address to the machine, which can store it for future use.
  • Role-Based Access Control (RBAC) is a widely used security model for managing user access to systems, applications, and data based on the roles assigned to users within an organization. Instead of granting permissions to each user individually, RBAC groups users into roles according to their job responsibilities and assigns permissions to those roles. Users inherit the permissions of their assigned roles, streamlining access management and reducing the risk of errors.
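    The entry above describes the role-to-permission indirection in prose; the following is an added example, not part of the original glossary, that implements it as a small deny-by-default RBAC class with role inheritance (so an "admin" role can build on an "editor" role rather than re-listing its permissions). The role names, permission strings and users in the demo are invented.

```python
class RBAC:
    """Minimal role-based access control: users -> roles -> permissions.
    Deny by default: a permission is granted only if one of the user's roles
    (or a role it inherits from) carries it."""

    def __init__(self):
        self._role_perms = {}     # role -> set of permission strings
        self._role_parents = {}   # role -> set of roles it inherits from
        self._user_roles = {}     # user -> set of roles

    def define_role(self, role, permissions=(), inherits=()):
        for parent in inherits:
            if parent not in self._role_perms:
                raise KeyError(f"unknown parent role: {parent}")
        self._role_perms[role] = set(permissions)
        self._role_parents[role] = set(inherits)

    def assign(self, user, role):
        if role not in self._role_perms:
            raise KeyError(f"unknown role: {role}")   # no silent grants of undefined roles
        self._user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self._user_roles.get(user, set()).discard(role)

    def role_permissions(self, role):
        """Transitive closure of a role's permissions over its inheritance chain."""
        perms, seen, stack = set(), set(), [role]
        while stack:
            r = stack.pop()
            if r in seen:
                continue
            seen.add(r)
            perms |= self._role_perms[r]
            stack.extend(self._role_parents[r])
        return perms

    def permissions(self, user):
        perms = set()
        for r in self._user_roles.get(user, ()):
            perms |= self.role_permissions(r)
        return perms

    def allowed(self, user, permission):
        return permission in self.permissions(user)


def demo():
    """Constructed sample policy: viewer < editor < admin."""
    rbac = RBAC()
    rbac.define_role("viewer", {"doc:read"})
    rbac.define_role("editor", {"doc:write"}, inherits={"viewer"})
    rbac.define_role("admin", {"doc:delete", "user:manage"}, inherits={"editor"})
    rbac.assign("alice", "admin")
    rbac.assign("bob", "viewer")
    return rbac


if __name__ == "__main__":
    r = demo()
    for user in ("alice", "bob", "mallory"):
        print(user, sorted(r.permissions(user)))
```

    Revoking a role removes every permission that came with it in one step, which is the "reduced risk of errors" the entry refers to: access changes track job changes rather than being hunted down permission by permission.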
  • RedLine is a highly popular information-stealing malware (infostealer) that first emerged in early 2020 and quickly became one of the most widely used tools for cybercriminals worldwide. It is distributed under a malware-as-a-service (MaaS) model, allowing even less technically skilled attackers to rent and deploy it for their own malicious purposes. Maxim Alexandrovich Rudometov is identified by US and international law enforcement as the primary creator and operator of the RedLine malware. Rudometov was born in Ukraine in 1999 but is believed to have fled to Krasnodar, Russia, after the Russian invasion of Ukraine in February 2022. He is currently wanted by US authorities, who are offering a reward of up to $10 million for information leading to his identification or location.
  • Remote Code Execution (RCE) is a critical security vulnerability that allows an attacker to remotely execute arbitrary code—commands or programs of their choosing—on a target system, typically over a network or the internet, without needing physical access to the device. This means an attacker can control the victim’s computer or server from anywhere in the world.
    How RCE Works: RCE attacks exploit vulnerabilities in software, such as web applications, operating systems, or network services. Common sources of RCE vulnerabilities include improper input validation, injection flaws (like SQL injection), deserialization bugs, and memory corruption issues. Attackers typically scan for systems with known vulnerabilities, then deliver a specially crafted payload designed to exploit the flaw and execute their code on the target system.
    Potential Impact
    • Full system compromise: Attackers can gain administrator-level access, allowing them to control the system entirely.
    • Data breaches: Sensitive information can be stolen or exposed.
    • Malware deployment: Attackers can install ransomware, spyware, or other malicious software.
    • Service disruption: Systems can be disabled or used in denial-of-service (DoS) attacks.
    • Network propagation: RCE can serve as a gateway to move laterally and compromise additional systems within a network.
    Real-World Examples
    • The WannaCry ransomware outbreak exploited an RCE vulnerability in the Windows SMB protocol to rapidly spread across networks worldwide.
    • The Log4J vulnerability allowed attackers to inject and execute code via log messages, impacting millions of systems globally.
    Prevention
    • Regularly patch and update software to fix known vulnerabilities.
    • Validate and sanitize all user inputs to prevent injection attacks.
    • Use security tools like Web Application Firewalls (WAFs) and Intrusion Detection Systems (IDS).
    • Restrict application permissions and enforce the principle of least privilege.
  • Remote Desktop Protocol (RDP) is a proprietary network communication protocol developed by Microsoft that enables users to remotely access and control another computer over a network connection, typically the Internet or a local area network. RDP is widely used for remote administration, technical support, and enabling employees to access work computers from different locations.
    Key features and functions
    • Graphical User Interface (GUI) Transmission: RDP transmits the desktop display from the remote (server) computer to the local (client) computer, while mouse movements and keyboard inputs from the client are sent to the server. This allows the user to interact with the remote system as if they were physically present.
    • Secure Communication: RDP establishes an encrypted communication channel, enhancing security for data transmitted between client and server.
    • Multi-Platform Support: While RDP is built into most Windows operating systems (especially professional and server editions), clients are available for macOS, Linux, iOS, Android, and other platforms.
    • Port Usage: By default, RDP uses TCP port 3389 for communication.
    • Virtual Channels: RDP supports multiple virtual channels for different types of data, such as presentation data, device communication, licensing, and highly encrypted input events. It can support up to 64,000 channels for data transmission, though typical usage involves fewer.
    • Remote Management: IT administrators use RDP to remotely diagnose and resolve issues, install software, perform updates, and manage servers or workstations.
    • Resource Redirection: RDP allows redirection of resources such as printers, audio, and drives, so users can access local devices from the remote session.
    How it works: The user runs an RDP client application to connect to a remote computer running RDP server software. The client’s inputs (keyboard, mouse) are securely transmitted to the server. The server processes these inputs, updates the display, and sends the graphical output back to the client. This exchange enables real-time remote interaction with the server’s desktop and applications.
    Common uses
    • Remote work: Accessing office computers from home or while traveling.
    • Technical support: IT professionals troubleshooting or maintaining computers without being physically present.
    • Server(...)
  • A “repo” (short for repository) in computer and software development terminology is a centralized digital storage space where developers keep, manage, and track changes to their project’s files and source code.
    Key Features and Functions of a Repo
    • Centralized storage for all project files, including code, documentation, tests, and scripts.
    • Tracks the entire history of changes made to files, allowing users to view, revert, or compare previous versions.
    • Supports collaboration by enabling multiple people to work on the same project simultaneously, often through features like branching and merging.
    • Facilitates version control, ensuring that changes can be reviewed, tested, and integrated without disrupting the main codebase.
    • Can be hosted locally on a developer’s computer or remotely on platforms like GitHub, GitLab, or Bitbucket.
  • Retrieval-Augmented Generation (RAG) is an AI framework that enhances the performance of large language models (LLMs) by integrating them with external information retrieval systems. This approach allows LLMs to generate more accurate, up-to-date, and contextually relevant responses by referencing authoritative data sources beyond their original training data. RAG operates through a multi-step process: (1) Indexing: External data—such as documents, databases, or web pages—is converted into embeddings (numerical vector representations) and stored in a vector database for efficient retrieval. (2) Retrieval: When a user submits a query, a retrieval mechanism searches the indexed data to find the most relevant documents or information snippets. (3) Augmentation: The retrieved information is combined (augmented) with the user’s query and provided as additional context to the LLM. (4) Generation: The LLM uses both its internal knowledge and the newly retrieved data to generate a response that is more accurate and grounded in up-to-date or domain-specific information.
  • Reverse lookup in networking refers to the process of determining the domain name associated with a given IP address by querying the Domain Name System (DNS). This is the opposite of a forward DNS lookup, which starts with a domain name and returns its corresponding IP address. The process uses special DNS records called Pointer (PTR) records. For IPv4 addresses, the IP address is reversed and appended to the .in-addr.arpa domain. For example, the IP address 192.0.2.1 would be queried as 1.2.0.192.in-addr.arpa. For IPv6 addresses, the process is similar but uses the .ip6.arpa domain. The DNS server is queried for a PTR record at this reversed address. If a PTR record exists, the server returns the associated domain name.
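    The name construction the entry describes (octets reversed under .in-addr.arpa, nibbles reversed under .ip6.arpa) is mechanical enough to write down exactly. The following is an added example, not code from the original glossary: it builds the PTR query name for IPv4 and IPv6, cross-checks it against the standard library's own `reverse_pointer`, and then resolves against a constructed in-memory PTR zone and forward zone so it runs offline. The forward-confirmed check at the end (does the name the PTR returns resolve back to the same address?) is the usual defensive use of reverse lookup; the zone contents are invented.

```python
import ipaddress


def reverse_pointer_name(address):
    """Build the DNS name under which the PTR record for `address` lives."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        octets = str(ip).split(".")                      # 192.0.2.1 -> ['192','0','2','1']
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")               # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"     # one label per nibble, reversed


def matches_stdlib(address):
    """Sanity check: agree with ipaddress's built-in reverse_pointer property."""
    return reverse_pointer_name(address) == ipaddress.ip_address(address).reverse_pointer


# Constructed stand-ins for DNS data (invented; documentation-range addresses).
PTR_ZONE = {
    "1.2.0.192.in-addr.arpa": "mail.example.com",
    "2.2.0.192.in-addr.arpa": "www.example.net",    # PTR points at a name that does not point back
}
FORWARD_ZONE = {
    "mail.example.com": {"192.0.2.1"},
    "www.example.net": {"203.0.113.9"},
}


def reverse_lookup(address, ptr_zone=PTR_ZONE):
    """Return the PTR target for `address`, or None when no PTR record exists."""
    return ptr_zone.get(reverse_pointer_name(address))


def forward_confirmed(address, ptr_zone=PTR_ZONE, forward_zone=FORWARD_ZONE):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to `address`.
    Anyone controlling a reverse zone can publish any PTR text, so a PTR alone
    proves nothing about who owns the name."""
    name = reverse_lookup(address, ptr_zone)
    if name is None:
        return False
    return address in forward_zone.get(name, set())


if __name__ == "__main__":
    for addr in ("192.0.2.1", "192.0.2.2", "192.0.2.3", "2001:db8::1"):
        print(addr, "->", reverse_pointer_name(addr), "->", reverse_lookup(addr),
              "| forward-confirmed:", forward_confirmed(addr))
```

    Against live DNS the two dictionaries would be replaced by real PTR and A/AAAA queries; the name-building and confirmation logic stays the same.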
  • A reverse proxy is a server that sits in front of one or more web servers and acts as an intermediary for client requests. When a client (such as a web browser) sends a request to a website, the reverse proxy intercepts this request and forwards it to the appropriate backend web server. The backend server processes the request and sends the response back to the reverse proxy, which then returns it to the client as if the proxy itself had handled the request. The client is unaware of the actual backend server handling its request, interacting only with the reverse proxy.
  • REvil, also known as Sodinokibi or Sodin, was one of the most prolific and notorious ransomware-as-a-service (RaaS) operations, active from April 2019 until its official dismantling in January 2022. The group was primarily Russian-speaking and believed to be based in Russia, with its name inspired by the “Resident Evil” franchise.
    REvil Structure and Modus Operandi: REvil operated as a business, developing ransomware and leasing it to affiliates who carried out attacks. The core group maintained the code, managed payment and leak sites, and took a percentage (20–30%) of the ransom proceeds, while affiliates executed the breaches and infections. The group exploited zero-day vulnerabilities, breached Remote Desktop Protocol (RDP) servers, and used phishing emails to infiltrate organizations. Once inside, they encrypted files and exfiltrated sensitive data, threatening to leak or auction it unless a ransom was paid—a tactic known as double extortion. They typically targeted high-profile organizations globally, including JBS (the world’s largest meat processor), Kaseya (IT management software provider), Colonial Pipeline, and the law firm Grubman Shire Meiselas & Sacks. REvil is widely believed to be the successor to the GandCrab ransomware group, which shut down in mid-2019. Much of REvil’s code and tactics trace back to GandCrab, and several operators reportedly transitioned directly from GandCrab to REvil.
    Law Enforcement Actions and Downfall of REvil: The July 2021 Kaseya attack, which affected over 1,500 businesses, prompted U.S. President Biden to pressure Russian President Putin to act against Russian-based cybercriminals. This led to a coordinated international law enforcement response. In January 2022, Russia’s FSB raided 25 locations, arresting 14 individuals linked to REvil and seizing over $5.6 million in cash and cryptocurrency, as well as luxury vehicles. The U.S. and other countries also arrested and prosecuted affiliates, including Ukrainian national Yaroslav Vasinskyi, who was sentenced to 13 years in prison for his role in the Kaseya attack. Despite the arrests, some REvil infrastructure briefly resurfaced, leading to speculation about whether original members or copycats were behind renewed activity. However, the group’s core operations and reputation were irreparably damaged by law enforcement actions.
  • Routing Information Protocol (RIP) is one of the oldest and simplest distance-vector routing protocols used in computer networks to help routers determine the best path for forwarding data packets within a local or small-scale network. RIP uses the distance-vector algorithm (specifically, the Bellman-Ford algorithm) to calculate the best route to each destination. The primary metric it uses is hop count, where each router a packet passes through counts as one hop. RIP supports a maximum of 15 hops. Any destination more than 15 hops away is considered unreachable, making RIP unsuitable for large or complex networks. Each RIP-enabled router maintains a routing table listing all known destinations and the number of hops to reach them. Routers broadcast their entire routing table to directly connected neighbors every 30 seconds. These neighbors, in turn, update their own tables and propagate the information further, a process known as convergence. When a router receives an update, it adds one to the hop count and updates its table if the new route is shorter. If the new route is longer, it waits to see if the change persists before updating, to avoid instability. If a router does not receive updates from a neighbor for 180 seconds, it marks routes through that neighbor as unreachable (hop count 16), and after 240 seconds, removes those routes from its table.
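    The hop-count arithmetic above (neighbor's metric plus one, 16 meaning unreachable) can be run end to end on a small topology. The following is an added example, not code from the original glossary: a synchronous distance-vector simulation in which every router hands its full table to each neighbor per round, as RIP does every 30 seconds, and adopts a route when it is shorter (or when the route it already uses via that neighbor changes). The sample topology is a constructed chain of 18 routers, long enough that the far end sits beyond the 15-hop limit. Timers, split horizon and link failures are left out, so the count-to-infinity behavior the entry alludes to is not modeled here.

```python
INFINITY = 16   # RIP's "unreachable" metric: 15 hops is the maximum usable distance


def line_topology(n):
    """Constructed chain R0 - R1 - ... - R(n-1); returns {router: [neighbors]}."""
    return {i: [j for j in (i - 1, i + 1) if 0 <= j < n] for i in range(n)}


def build_initial_tables(links):
    """Each router starts knowing itself (0 hops) and its direct neighbors (1 hop).
    Table entries are dest -> (hop_count, next_hop)."""
    tables = {}
    for r, neighbors in links.items():
        tables[r] = {r: (0, None)}
        for n in neighbors:
            tables[r][n] = (1, n)
    return tables


def apply_update(table, neighbor, advert):
    """Bellman-Ford step: merge one neighbor's advertised table into ours.
    Adopt a route if it is shorter, or if it is the route we already use via
    that neighbor and its metric changed. Returns True if anything changed."""
    changed = False
    for dest, (metric, _next_hop) in advert.items():
        new_metric = min(metric + 1, INFINITY)          # one more hop, capped at 16
        current = table.get(dest)
        if (current is None
                or new_metric < current[0]
                or (current[1] == neighbor and new_metric != current[0])):
            table[dest] = (new_metric, neighbor)
            changed = True
    return changed


def converge(links, max_rounds=100):
    """Run broadcast rounds until no table changes. Returns (tables, rounds)."""
    tables = build_initial_tables(links)
    for round_no in range(1, max_rounds + 1):
        adverts = {r: dict(t) for r, t in tables.items()}   # snapshot: all advertise together
        changed = False
        for r, neighbors in links.items():
            for n in neighbors:
                changed |= apply_update(tables[r], n, adverts[n])
        if not changed:
            return tables, round_no
    return tables, max_rounds


def hop_count(tables, src, dst):
    """Usable hop count from src to dst, or None when unreachable (metric 16 or unknown)."""
    entry = tables[src].get(dst)
    if entry is None or entry[0] >= INFINITY:
        return None
    return entry[0]


if __name__ == "__main__":
    tables, rounds = converge(line_topology(18))
    print(f"converged after {rounds} rounds")
    for dst in (1, 15, 16, 17):
        print(f"R0 -> R{dst}: {hop_count(tables, 0, dst)}")
```

    R15 is reachable from R0 at exactly 15 hops while R16 and R17 collapse to metric 16 and are reported as unreachable, which is the concrete meaning of "unsuitable for large or complex networks" in the entry.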