[j-nsp] Am I carrying this route or not ?
Zehef Poto
mpdechets at gmail.com
Mon Mar 25 07:35:43 EDT 2013
This is exactly the clarification I was looking for. Now I think I completely
get it.
Thanks a lot guys.
Cheers,
2013/3/24 Payam Tarverdyan Chychi <pchychi at gmail.com>
> On 13-03-24 2:08 PM, Payam Tarverdyan Chychi wrote:
>
> Hey,
>
> I'm not sure what the actual exact request from the user was since I don't
> really participate much in the AMS-IX anymore ...
>
> Maybe the attack was destined towards their actual neighbor IP on the exchange
> (initially I assumed /22 was their network, sounds like maybe they meant
> the /22 that is shared for connectivity by the exchange members) and they
> wanted to drop traffic destined to them? You have to remember that traffic
> routed via a router is not the same as traffic destined for a router and if
> I recall the email paste by Tobias, it sounded like the user on AMS-IX was
> getting attacked on their BGP IP and asked everyone to either stop carrying
> traffic from their networks to the x.x.x.x/22 or set up filtering so only
> BGP protocol is allowed and everything else is dropped (someone correct me
> here if I'm wrong)
>
>
> --> Sorry, this below was in response to your previous statement of
> being multi-homed (if you null route on not directly connected routers).
> The directly connected router will not drop the BGP sessions as it's
> 'directly connected'.
>
> Yes, if you nullroute the /22 that belongs to the peering session you are
> going to kill your neighbor adjacency with the exchange.
> Since the only valid traffic is identified to be BGP, I would simply set up an
> ACL and discard anything being sent to the x.x.x.x/22 exchange subnet
> except BGP packets, applied on the "output" (which carries the routing
> table/updates...) and perhaps add your own network mgmt interface IPs for
> ICMP ping to help with troubleshooting down the line.
>
> On a side note ... the X0Changes really need to come up with processes and
> procedures to help people deal with issues like this; leaving it open in
> this day and age is ... (stupid?) Not all network admins are the same nor
> share the same knowledge, and leaving it up to the network admins to figure
> things out sometimes just means bad news for everyone.
>
> Simple link to look at for constructing an ACL on a Juniper (I'm sure
> Google has more!) heh
> http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685
>
> cheers,
> -Payam
>
> On 13-03-24 1:24 PM, Zehef Poto wrote:
>
> Thank you Payam. I think I got what you mean.
>
> In this particular case however, the X/22 route is not a customer or
> anything. It is the IXP's peering LAN !
>
> So... It means that the person requested all the IXP's members to
> null-route the whole peering LAN ? How can you possibly ask for this ?
>
> I peer with several members within this LAN. If I null-route the X/22
> LAN, we agree that my peering sessions will go down, right ?
>
> Thanks again,
>
> 2013/3/24 Payam Chychi <pchychi at gmail.com>
>
>> Carrying a route is the same as accepting a route and having it become
>> active, allowing traffic to traverse your network to the destination. In
>> this case the user is asking you to drop the route (attack traffic) at your
>> edge if possible and not to carry it through your network and deliver it to
>> the end destination (his network) because it's probably saturating or causing
>> him performance issues.
>>
>> Normally networks will have a global community string that they can tag
>> a route with and it will send it to null0, dropping that traffic at the
>> edge vs. the user withdrawing its /24 route from the advertised table. You
>> can also go on the peering router and set the next-hop route for the
>> attacked destination IP to null0 (discard) and only traffic traversing that
>> one router will drop the traffic (a global community will handle this if you
>> have a multi-homed network).
>>
>> Local nullroute example:
>> "set routing-options static route x.x.x.x/32 discard" ... Something like
>> this
>>
>> All you're doing is dropping traffic for x.x.x.x/x at your edge; in most
>> cases it's a /32 nullroute.
>>
>> Google is your friend :)
>> Cheers,
>> --
>> Payam Chychi
>> Network Engineer / Security Specialist
>>
>> On Sunday, 24 March, 2013 at 6:47 AM, Zehef Poto wrote:
>>
>> Hey guys,
>>
>> Thank you all for the very valuable input. Actually yes, Tobias is right,
>> I'm having this question because of the (quoted by Tobias) e-mail we got
>> yesterday across several IXPs.
>>
>> I just don't understand what it is to "carry a route in my backbone". Am I
>> not supposed to know all of (or most of) the Internet routes, since I work
>> with tier-1 upstream providers? As a consequence, it means I'm carrying all
>> these routes, right?
>>
>> A "show route X/22" tells that it was advertised by an eBGP peer on one of
>> my edge routers, and the three other ones learnt this same route via OSPF.
>>
>> This is where I'm completely confused. What am I supposed to do to "carry"
>> a route or not?
>>
>> Thanks again,
>>
>> 2013/3/24 Tobias Heister <lists at tobias-heister.de>
>>
>> Hi All,
>>
>> On 24.03.2013 00:26, Jeff Wheeler wrote:
>>
>> Whoever that person is that said something about "use next-hop-self"
>> in this context, either you misunderstood them, or you shouldn't
>> listen to them anymore. That has nothing to do with looking to see if
>> your router knows about a route.
>>
>>
>> This sounds like the OP wants to help the Cloudflare guys who sent the
>> following mail to DECIX/AMSIX (and probably other IXs) yesterday.
>>
>> We're currently seeing a very large attack directed to our IP on AMS-IX
>> (X).
>>
>> We request that all peers:
>>
>> 1) Don't carry this route (X/22) in your backbone. (you can set
>> next-hop-self, etc). It'll save other security concerns and possible free
>> transit you're giving away to others.
>>
>> 2) Filter any traffic within to the AMS-IX exchange fabric (again,
>> X/22), except for your point to [multi]point BGP communications.
>>
>> --
>> Kind Regards
>> Tobias Heister
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
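A worked version of the two things Payam describes in the thread (the local /32 discard route, and an output filter that lets only BGP and management ICMP reach the exchange LAN), as an added example that is not from the thread or the Juniper KB article; the addresses, interface name, filter name and term names are placeholders I chose:

```junos
# Added example, not from the thread. Placeholder addresses (all assumed):
#   198.18.0.0/22    - stands in for the IXP peering LAN (the "X/22")
#   198.18.0.10/32   - this router's own address on the peering LAN
#   203.0.113.5/32   - this router's management/loopback address
#   203.0.113.200/32 - an attacked host in your own (or a customer's) network
#   xe-0/0/0.0       - the interface facing the exchange fabric

# 1) Local nullroute for an attacked destination, as Payam describes:
#    packets to the /32 are dropped silently on this router only.
#    Do not do this for the whole IXP /22 on routers that are not directly
#    connected to it: the discard route would then win and you would lose
#    the path to every peer on that LAN.
set routing-options static route 203.0.113.200/32 discard

# 2) Filter toward the exchange fabric: only BGP (TCP/179, either direction)
#    may be sent to the /22, plus ICMP sourced from our own addresses so that
#    ping/traceroute still work for troubleshooting.
set firewall family inet filter PROTECT-IXP-LAN term allow-bgp from destination-address 198.18.0.0/22
set firewall family inet filter PROTECT-IXP-LAN term allow-bgp from protocol tcp
set firewall family inet filter PROTECT-IXP-LAN term allow-bgp from port bgp
set firewall family inet filter PROTECT-IXP-LAN term allow-bgp then accept

set firewall family inet filter PROTECT-IXP-LAN term allow-own-icmp from source-address 203.0.113.5/32
set firewall family inet filter PROTECT-IXP-LAN term allow-own-icmp from source-address 198.18.0.10/32
set firewall family inet filter PROTECT-IXP-LAN term allow-own-icmp from destination-address 198.18.0.0/22
set firewall family inet filter PROTECT-IXP-LAN term allow-own-icmp from protocol icmp
set firewall family inet filter PROTECT-IXP-LAN term allow-own-icmp then accept

# Anything else addressed to the peering LAN itself is counted and dropped.
# Transit traffic to the peers' real prefixes has a different destination
# address, so it falls through to the final term and is unaffected.
set firewall family inet filter PROTECT-IXP-LAN term drop-to-ixp-lan from destination-address 198.18.0.0/22
set firewall family inet filter PROTECT-IXP-LAN term drop-to-ixp-lan then count dropped-to-ixp-lan
set firewall family inet filter PROTECT-IXP-LAN term drop-to-ixp-lan then discard

set firewall family inet filter PROTECT-IXP-LAN term allow-transit then accept

# Apply outbound on the IXP-facing interface ("output", as Payam suggests).
# An output filter on Junos also sees the router's own packets, which is why
# the BGP and ICMP terms above must come before the drop term.
set interfaces xe-0/0/0 unit 0 family inet filter output PROTECT-IXP-LAN
```

After committing, `show firewall filter PROTECT-IXP-LAN` shows the dropped-to-ixp-lan counter, which tells you whether attack traffic toward the fabric was actually transiting this router.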