[j-nsp] Am I carrying this route or not ?
Payam Tarverdyan Chychi
pchychi at gmail.com
Sun Mar 24 17:11:41 EDT 2013
On 13-03-24 2:08 PM, Payam Tarverdyan Chychi wrote:
> Hey,
>
> I'm not sure what the actual exact request from the user was since I
> don't really participate much in the AMS-IX anymore ...
>
> maybe the attack was destined towards their actual nei ip on the
> exchange (initially I assumed /22 was their network, sounds like maybe
> they meant the /22 that is shared for connectivity by the exchange
> members) and they wanted to drop traffic destined to them? You have to
> remember that traffic routed via a router is not the same as traffic
> destined for a router and if I recall the email paste by Tobias, it
> sounded like the user on AMS-IX was getting attacked on their bgp ip
> and asked everyone to either stop carrying traffic from their networks
> to the x.x.x.x/22 or set up filtering so only BGP protocol is allowed
> and everything else is dropped (someone correct me here if I'm wrong)
>
> --> Sorry, this below was in response to your previous statement of
> being multi-homed (if you null route on not directly connected
> routers). The directly connected router will not drop the bgp sessions
> as it's 'directly connected'
> Yes, if you nullroute the /22 that belongs to the peering session you are
> going to kill your nei adj with the exchange.
> Since the only valid traffic is identified to be BGP, I would simply set up
> an ACL and discard anything being sent to the x.x.x.x/22 exchange
> subnet except BGP packets, applied on the "output" (which carry the
> routing table/updates...) and perhaps add your own network mgmt
> interface ips for ICMP ping to help for troubleshooting down the line.
>
> On a side note ...the X0Changes really need to come up with process
> and procedures to help people deal with issues like this, leaving it
> open in this day and age is ... (stupid?) Not all network admins are
> the same nor share the same knowledge and leaving it up to the network
> admins to figure things out sometimes just means bad news for everyone.
>
> Simple link to look at for constructing an ACL on a Juniper (I'm sure
> google has more!) heh
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685
>
> cheers,
> -Payam
>
> On 13-03-24 1:24 PM, Zehef Poto wrote:
>> Thank you Payam. I think I got what you mean.
>>
>> In this particular case however, the X/22 route is not a customer or
>> anything. It is the IXP's peering LAN !
>>
>> So... It means that the person requested all the IXP's members to
>> null-route the whole peering LAN ? How can you possibly ask for this ?
>>
>> I peer with several members within this LAN. If I null-route the X/22
>> LAN, we agree that my peering sessions will go down, right ?
>>
>> Thanks again,
>>
>> 2013/3/24 Payam Chychi <pchychi at gmail.com>
>>
>> Carrying a route is the same as accepting a route and having it
>> become active, allowing traffic to traverse your network to the
>> destination. In this case the user is asking you to drop the
>> route (attack traffic) at your edge if possible and not to carry
>> it through your network and deliver it to the end destination (his
>> network) because it's probably saturating or causing him
>> performance issues.
>>
>> Normally networks will have a global community string that they
>> can tag a route with and it will send it to null0, dropping that
>> traffic at the edge vs. the user withdrawing its /24 route from
>> the advertise table. You can also go on the peering router and
>> set the next hop route for the attacked destination ip to null0
>> (discard) and only traffic traversing that one router will drop
>> the traffic (global community will handle this if you have a
>> multi homed network)
>>
>> Local nullroute example:
>> "set routing-options static route x.x.x.x/32 discard" ...
>> Something like this
>>
>> All you're doing is dropping traffic for x.x.x.x/x at your edge,
>> in most cases it's a /32 nullroute.
>>
>> Google is your friend :)
>> Cheers,
>> --
>> Payam Chychi
>> Network Engineer / Security Specialist
>>
>> On Sunday, 24 March, 2013 at 6:47 AM, Zehef Poto wrote:
>>
>>> Hey guys,
>>>
>>> Thank you all for the very valuable input. Actually yes, Tobias
>>> is right, I'm having this question because of the (quoted by Tobias)
>>> e-mail we got yesterday across several IXPs.
>>>
>>> I just don't understand what is to "carry a route in my
>>> backbone". Am I not supposed to know all of (or most of) the
>>> Internet routes, since I work with tier-1 upstream providers ? As a
>>> consequence, it means I'm carrying all these routes right ?
>>>
>>> A "show route X/22" tells that it was advertised by an eBGP peer
>>> on one of my edge routers, and the three other ones learnt this same
>>> route via OSPF.
>>>
>>> This is where I'm completely confused. What am I supposed to do
>>> to "carry" a route or not ?
>>>
>>> Thanks again,
>>>
>>> 2013/3/24 Tobias Heister <lists at tobias-heister.de>
>>>
>>>> Hi All,
>>>>
>>>> On 24.03.2013 00:26, Jeff Wheeler wrote:
>>>>> Whoever that person is that said something about "use
>>>>> next-hop-self" in this context, either you misunderstood them, or
>>>>> you shouldn't listen to them anymore. That has nothing to do with
>>>>> looking to see if your router knows about a route.
>>>>
>>>> This sounds like the OP wants to help the Cloudflare guys who
>>>> sent the following mail to DECIX/AMSIX (and probably other IX)
>>>> yesterday.
>>>>
>>>>> We're currently seeing a very large attack directed to our IP
>>>>> on AMS-IX (X).
>>>>>
>>>>> We request that all peers:
>>>>>
>>>>> 1) Don't carry this route (X/22) in your backbone. (you can set
>>>>> next-hop-self, etc). It'll save other security concerns and
>>>>> possible free transit you're giving away to others.
>>>>> 2) Filter any traffic within to the AMS-IX exchange fabric (again,
>>>>> X/22), except for your point to [multi]point BGP communications.
>>>>
>>>> --
>>>> Kind Regards
>>>> Tobias Heister
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>
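Added example (not from anyone in the thread): a Junos set-style configuration showing the three mitigations Payam describes, the local /32 discard route, a community-triggered blackhole import policy, and an output filter that lets only BGP (plus ICMP from a management host) reach the IX peering LAN. All addresses, the interface name, the community value and the filter/policy names are constructed placeholders.

```junos
# Constructed placeholder values used throughout:
#   192.0.2.0/22    the IX peering LAN (the thread's x.x.x.x/22)
#   198.51.100.5    our management host, allowed to ping the IX LAN
#   203.0.113.9/32  an attacked host address, used for the local null route
#   65000:666       assumed blackhole community; use your own/your upstream's
#   xe-0/0/0        assumed IX-facing interface

# 1) Local null route for one attacked address (the /32 discard from the thread).
#    Only traffic that transits this router is dropped.
set routing-options static route 203.0.113.9/32 discard

# 2) Community-triggered blackhole: routes tagged with the community get a
#    discard next hop on every router that imports them (covers multi-homing).
#    Restricting it to /32s keeps a stray tag from blackholing a whole prefix.
set policy-options community BLACKHOLE members 65000:666
set policy-options policy-statement RTBH-IMPORT term blackhole from community BLACKHOLE
set policy-options policy-statement RTBH-IMPORT term blackhole from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement RTBH-IMPORT term blackhole then next-hop discard
set policy-options policy-statement RTBH-IMPORT term blackhole then accept
set protocols bgp group IBGP import RTBH-IMPORT

# 3) Output filter towards the IX LAN: accept BGP (TCP/179, either direction
#    of the session) and ICMP from the management host, count and discard
#    everything else destined to the /22, and leave all other traffic alone.
set firewall family inet filter PROTECT-IX-LAN term allow-bgp from destination-address 192.0.2.0/22
set firewall family inet filter PROTECT-IX-LAN term allow-bgp from protocol tcp
set firewall family inet filter PROTECT-IX-LAN term allow-bgp from port 179
set firewall family inet filter PROTECT-IX-LAN term allow-bgp then accept
set firewall family inet filter PROTECT-IX-LAN term allow-mgmt-icmp from source-address 198.51.100.5/32
set firewall family inet filter PROTECT-IX-LAN term allow-mgmt-icmp from destination-address 192.0.2.0/22
set firewall family inet filter PROTECT-IX-LAN term allow-mgmt-icmp from protocol icmp
set firewall family inet filter PROTECT-IX-LAN term allow-mgmt-icmp then accept
set firewall family inet filter PROTECT-IX-LAN term drop-to-ix-lan from destination-address 192.0.2.0/22
set firewall family inet filter PROTECT-IX-LAN term drop-to-ix-lan then count ix-lan-discards
set firewall family inet filter PROTECT-IX-LAN term drop-to-ix-lan then discard
set firewall family inet filter PROTECT-IX-LAN term pass-rest then accept

# Apply in the output direction on the IX-facing interface, as suggested above.
set interfaces xe-0/0/0 unit 0 family inet filter output PROTECT-IX-LAN
```

The `count` action lets you watch `show firewall filter PROTECT-IX-LAN` to confirm the filter is hitting attack traffic without taking the peering sessions down, which a null route of the whole /22 would.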