On 13-03-24 2:08 PM, Payam Tarverdyan Chychi wrote:
Hey,
I'm not sure what the actual exact request from the user was since i
don't really participate much in the AMS-IX anymore ...
maybe the attack was destined towards their actual nei ip on the
exchange (initially i assumed /22 was their network, sounds like maybe
they meant the /22 that is shared for connectivity by the exchange
members) and they wanted to drop traffic destined to them? You have to
remember that traffic routed via a router is not the same as traffic
destined for a router and if I recall the email paste by Tobias, it
sounded like the use on AMS-IX was getting attacked on their bgp ip
and asked everyone to either stop carrying traffic from their networks
to the x.x.x.x/22 or setup a filtering so only BGP protocol is allowed
and everything else is dropped (someone correct me here if im wrong)
--> Sorry, this below was in response to your previous statement of
being multi-homed (if you null route on not directly connected
routers). The directly connected router will not drop the bgp sesions
as its 'directly connected'
Yes, If you nullroute /22 that belongs to the peering session you are
going to kill your nei adj with the exchange.
Since only valid traffic is identified to be BGP, i would simply setup
an ACL and discard anything being sent to the x.x.x.x/22 exchange
subnet except BGP packets, applied on the "output" (which carry the
routing table/updates...) and perhaps add your own network mgmt
interface ips for ICMP ping to help for troubleshooting down the line.
On a side note ...the X0Changes really need to some up with process
and procedures to help people deal with issues like this, leaving it
open in this day and age is ... (stupid?) Not all network admins are
the same nor share the same knowledge and leaving it up to the network
admins to figure things out sometimes just means bad news for everyone.
Simple link to look at for constructing an ACL on a Juniper (im sure
google has more!) heh
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685
cheers,
-Payam
On 13-03-24 1:24 PM, Zehef Poto wrote:
Thank you Payam. I think I got what you mean.
In this particular case however, the X/22 route is not a customer or
anything. It is the IXP's peering LAN !
So... It means that the person requested all the IXP's members to
null-route the whole peering LAN ? How can you possibly ask for this ?
I peer with several members within this LAN. If I null-route the X/22
LAN, we agree that my peering sessions will go down, right ?
Thanks again,
2013/3/24 Payam Chychi <pchy...@gmail.com <mailto:pchy...@gmail.com>>
Carry a route is the same as accepting a route and having it
become active, allowing traffic to traverse your network to the
destination. In this case the user is asking you to drop the
route (attack traffic) at your edge if possible and not to carry
it through your network and deliver it to the end destination(his
network) because its probably saturating or causing him
performance issues.
Normally networks well have a global community string that they
can tag a route with and it will send it to null0, dropping that
traffic at the edge v.s the user withdrawing its -/24 route from
the advertise table. You can also go on the peering router and
set the next hop route for the attacked destination ip to null0
(discard) and only traffic traversing that one router well drop
the traffic (global community well handle this if you have a
multi homed network)
Local nullroute example:
"Set routing-options static route x.x.x.x/32 discard" ...
Something like this
All your doing is dropping traffic for x.x.x.x/x at your edge,
most cases its a /32 nullroute.
Google is your friend :)
Cheers,
--
Payam Chychi
Network Engineer / Security Specialist
On Sunday, 24 March, 2013 at 6:47 AM, Zehef Poto wrote:
Hey guys,
Thank you all for the very valuable input. Actually yes, Tobias
is right,
I'm having this question because of the (quoted by Tobias)
e-mail we got
yesterday across several IXPs.
I just don't understand what is to "carry a route in my
backbone". Am I not
supposed to know all of (or most of) the Internet routes, since
I work with
tier-1 upstream providers ? As a consequence, it means I'm
carrying all
these routes right ?
A "show route X/22" tells that it was advertised by an eBGP peer
on one of
my edge routers, and the three other ones learnt this same route
via OSPF.
This is where I'm completely confused. What am I supposed to do
to "carry"
a route or not ?
Thanks again,
2013/3/24 Tobias Heister <li...@tobias-heister.de
<mailto:li...@tobias-heister.de>>
Hi All,
Am 24.03.2013 00 <tel:24.03.2013%2000>:26, schrieb Jeff Wheeler:
Whoever that person is that said something about "use
next-hop-self"
in this context, either you misunderstood them, or you shouldn't
listen to them anymore. That has nothing to do with looking to
see if
your router knows about a route.
This sounds like the OP wants to help the cloudfare guys who
send the
following mail to DECIX/AMSIX (and probably other IX) yesterday.
We're currently seeing a very large attack directed to our IP
on AMS-IX
(X).
We request that all peers:
1) Don't carry this route (X/22) in your backbone. (you can set
next-hop-self, etc). It'll save other security concerns and
possible free
transit you're giving away to others.
2) Filter any traffic within to the AMS-IX exchange fabric (again,
X/22), except for your point to [multi]point BGP communications.
--
Kind Regards
Tobias Heister
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
<mailto:juniper-nsp@puck.nether.net>
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp