If the sources are from many different IPs, it could be a DDoS attack that you simply didn’t notice before. You can black-hole individual IPs using a /32 null0 route. That will at least stop your border router from trying to ARP the destination, reducing broadcast traffic on the subnet. In fact, it’s a good idea to configure /32 null0 routes for IPs you don’t use. Those IPs can’t then be scanned.
-mel

> On Jun 25, 2019, at 3:50 PM, Scott <sc...@viviotech.net> wrote:
>
> No nothing like that. I'm just removing the .0/30 and 4/30 subnets and
> adding .0/29.
>
> To your previous question, yes .0 and .3 are unused. Once I change the
> subnet .3 becomes a usable IP and it's getting hammered with traffic,
> causing packet loss.
>
> On 6/25/19 3:30 PM, Mel Beckman wrote:
>> Also, what do you mean by “join to /30 public subnets to a /29”? You can’t
>> overlap subnets, if that’s what you’re thinking.
>>
>> -mel
>>
>>> On Jun 25, 2019, at 3:27 PM, Mel Beckman <m...@beckman.org> wrote:
>>>
>>> You’re using just the two middle IPs in the four that make up the /30 set,
>>> right? IOW, the subnet x.x.x.0/30 should have .0 and .3 unused (they’re
>>> broadcast), and you use .1 and .2.
>>>
>>> -mel
>>>
>>>> On Jun 25, 2019, at 9:41 AM, Scott <sc...@viviotech.net> wrote:
>>>>
>>>> First, sorry if this is a bit of a noob question.
>>>>
>>>> I'm trying to find a way of preventing a slew of traffic to an IP, or
>>>> IP's, when I join two /30 public subnets to a /29. It appears that while
>>>> the ranges are /30 someone is trying to brute-force the network and/or
>>>> broadcast addresses for the ranges. When I change them to be a /29, now
>>>> the router sees the traffic and starts dropping packets. Are there any
>>>> suggestions for mitigating this behavior or is it just the nature of the
>>>> beast?
>>>>
>>>> --
>>>> 101010
>
> --
> 101010
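
The subnet change and the /32 null0 suggestion discussed in this thread, worked through as an added example that is not part of the original messages: it finds which addresses stop being network/broadcast addresses when two /30s become a /29, and renders /32 Null0 static routes for the unused hosts. The 192.0.2.0/29 documentation prefix, the in-use address set and the Cisco IOS-style route syntax are assumptions.

```python
import ipaddress

def edge_addresses(net):
    """Network and broadcast address of a subnet (never assigned to hosts)."""
    return {net.network_address, net.broadcast_address}

def merges_cleanly(old_subnets, merged):
    """True if the old subnets aggregate to exactly the merged prefix."""
    return list(ipaddress.collapse_addresses(old_subnets)) == [merged]

def newly_usable(old_subnets, merged):
    """Addresses that were network/broadcast in the old subnets but become
    ordinary host addresses (ARP targets) inside the merged subnet."""
    old_edges = set().union(*(edge_addresses(n) for n in old_subnets))
    return sorted(old_edges - edge_addresses(merged))

def null_routes(merged, in_use):
    """One /32 Null0 static route per host address that no device uses.
    The /32 is more specific than the connected /29, so the router drops
    the packet instead of ARPing for the destination."""
    unused = [h for h in merged.hosts() if h not in in_use]
    return [f"ip route {h} 255.255.255.255 Null0" for h in unused]

# Constructed sample values (documentation prefix, assumed host assignments;
# include the router's own interface address in IN_USE).
OLD = [ipaddress.ip_network("192.0.2.0/30"),
       ipaddress.ip_network("192.0.2.4/30")]
MERGED = ipaddress.ip_network("192.0.2.0/29")
IN_USE = {ipaddress.ip_address(a)
          for a in ("192.0.2.1", "192.0.2.2", "192.0.2.5", "192.0.2.6")}

if __name__ == "__main__":
    if not merges_cleanly(OLD, MERGED):
        raise SystemExit("old subnets do not aggregate to the merged prefix")
    print("become host addresses:",
          ", ".join(str(a) for a in newly_usable(OLD, MERGED)))
    for line in null_routes(MERGED, IN_USE):
        print(line)
```

Remove a null route before assigning its address to a device, since the /32 keeps taking precedence over the connected subnet.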