[j-nsp] Am I carrying this route or not ?
Payam Tarverdyan Chychi
pchychi at gmail.com
Sun Mar 24 17:08:49 EDT 2013
Hey,
I'm not sure what the actual exact request from the user was since i
don't really participate much in the AMS-IX anymore ...
maybe the attack was destined towards their actual nei ip on the
exchange (initially i assumed /22 was their network, sounds like maybe
they meant the /22 that is shared for connectivity by the exchange
members) and they wanted to drop traffic destined to them? You have to
remember that traffic routed via a router is not the same as traffic
destined for a router and if I recall the email paste by Tobias, it
sounded like the use on AMS-IX was getting attacked on their bgp ip and
asked everyone to either stop carrying traffic from their networks to
the x.x.x.x/22 or setup a filtering so only BGP protocol is allowed and
everything else is dropped (someone correct me here if im wrong)
Yes, If you nullroute /22 that belongs to the peering session you are
going to kill your nei adj with the exchange.
Since only valid traffic is identified to be BGP, i would simply setup
an ACL and discard anything being sent to the x.x.x.x/22 exchange subnet
except BGP packets, applied on the "output" (which carry the routing
table/updates...) and perhaps add your own network mgmt interface ips
for ICMP ping to help for troubleshooting down the line.
On a side note ...the X0Changes really need to some up with process and
procedures to help people deal with issues like this, leaving it open in
this day and age is ... (stupid?) Not all network admins are the same
nor share the same knowledge and leaving it up to the network admins to
figure things out sometimes just means bad news for everyone.
Simple link to look at for constructing an ACL on a Juniper (im sure
google has more!) heh
http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685
cheers,
-Payam
On 13-03-24 1:24 PM, Zehef Poto wrote:
> Thank you Payam. I think I got what you mean.
>
> In this particular case however, the X/22 route is not a customer or
> anything. It is the IXP's peering LAN !
>
> So... It means that the person requested all the IXP's members to
> null-route the whole peering LAN ? How can you possibly ask for this ?
>
> I peer with several members within this LAN. If I null-route the X/22
> LAN, we agree that my peering sessions will go down, right ?
>
> Thanks again,
>
> 2013/3/24 Payam Chychi <pchychi at gmail.com <mailto:pchychi at gmail.com>>
>
> Carry a route is the same as accepting a route and having it
> become active, allowing traffic to traverse your network to the
> destination. In this case the user is asking you to drop the route
> (attack traffic) at your edge if possible and not to carry it
> through your network and deliver it to the end destination(his
> network) because its probably saturating or causing him
> performance issues.
>
> Normally networks well have a global community string that they
> can tag a route with and it will send it to null0, dropping that
> traffic at the edge v.s the user withdrawing its -/24 route from
> the advertise table. You can also go on the peering router and set
> the next hop route for the attacked destination ip to null0
> (discard) and only traffic traversing that one router well drop
> the traffic (global community well handle this if you have a
> multi homed network)
>
> Local nullroute example:
> "Set routing-options static route x.x.x.x/32 discard" ...
> Something like this
>
> All your doing is dropping traffic for x.x.x.x/x at your edge,
> most cases its a /32 nullroute.
>
> Google is your friend :)
> Cheers,
> --
> Payam Chychi
> Network Engineer / Security Specialist
>
> On Sunday, 24 March, 2013 at 6:47 AM, Zehef Poto wrote:
>
>> Hey guys,
>>
>> Thank you all for the very valuable input. Actually yes, Tobias
>> is right,
>> I'm having this question because of the (quoted by Tobias) e-mail
>> we got
>> yesterday across several IXPs.
>>
>> I just don't understand what is to "carry a route in my
>> backbone". Am I not
>> supposed to know all of (or most of) the Internet routes, since I
>> work with
>> tier-1 upstream providers ? As a consequence, it means I'm
>> carrying all
>> these routes right ?
>>
>> A "show route X/22" tells that it was advertised by an eBGP peer
>> on one of
>> my edge routers, and the three other ones learnt this same route
>> via OSPF.
>>
>> This is where I'm completely confused. What am I supposed to do
>> to "carry"
>> a route or not ?
>>
>> Thanks again,
>>
>> 2013/3/24 Tobias Heister <lists at tobias-heister.de
>> <mailto:lists at tobias-heister.de>>
>>
>>> Hi All,
>>>
>>> Am 24.03.2013 00 <tel:24.03.2013%2000>:26, schrieb Jeff Wheeler:
>>>> Whoever that person is that said something about "use
>>>> next-hop-self"
>>>> in this context, either you misunderstood them, or you shouldn't
>>>> listen to them anymore. That has nothing to do with looking to
>>>> see if
>>>> your router knows about a route.
>>>
>>> This sounds like the OP wants to help the cloudfare guys who
>>> send the
>>> following mail to DECIX/AMSIX (and probably other IX) yesterday.
>>>
>>>> We're currently seeing a very large attack directed to our IP
>>>> on AMS-IX
>>> (X).
>>>>
>>>> We request that all peers:
>>>>
>>>> 1) Don't carry this route (X/22) in your backbone. (you can set
>>> next-hop-self, etc). It'll save other security concerns and
>>> possible free
>>> transit you're giving away to others.
>>>> 2) Filter any traffic within to the AMS-IX exchange fabric (again,
>>> X/22), except for your point to [multi]point BGP communications.
>>>
>>> --
>>> Kind Regards
>>> Tobias Heister
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> <mailto:juniper-nsp at puck.nether.net>
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
More information about the juniper-nsp
mailing list