[prev in list] [next in list] [prev in thread] [next in thread] 

List:       nanog
Subject:    Re: Public Subnet re-assignments
From:       Mel Beckman <mel () beckman ! org>
Date:       2019-06-26 0:22:08
Message-ID: 01F09F5D-B787-4CB9-AA23-1D652B7D9304 () beckman ! org
[Download RAW message or body]

[Attachment #2 (text/plain)]

Michel is right. This is a common configuration error: failing to have the mask agree \
on all interfaces. This is indeed what you would see.

 -mel

On Jun 25, 2019, at 4:07 PM, Michel Py \
<michel.py@tsisemi.com<mailto:michel.py@tsisemi.com>> wrote:

> Scott wrote :
> No nothing like that. I'm just removing the .0/30 and 4/30 subnets and adding \
> .0/29. To  your previous question, yes .0 and .3 are unused. Once I change the \
> subnet .3 becomes a usable IP and it's getting hammered with traffic, causing \
> packet loss.

You change the subnet mask on both sides, right ?

Looks to me like expected behavior. On the sending router, with a /30 mask the .3 \
address is not usable, so the sending router does not send traffic. When you change \
to the /29 mask, .3 becomes usable, the sending router ARPs it, and starts sending \
traffic.

In a way, that is possibly good news, as it allows you do find out that you may have \
a DOS or a DDOS attack going on your .3 address.

Michel.



On 6/25/19 3:30 PM, Mel Beckman wrote:
> Also, what do you mean by "join to /30 public subnets to a /29"? You can't overlap \
> subnets, if that's what you're thinking. 
> -mel
> 
> > On Jun 25, 2019, at 3:27 PM, Mel Beckman \
> > <mel@beckman.org<mailto:mel@beckman.org>> wrote: 
> > You're using just the two middle IPs in the four that make up the /30 set, right? \
> > IOW, the subnet x.x.x.0/30 should have .0 and .3 unused (they're broadcast), and \
> > you use .1 and .2. 
> > -mel
> > 
> > > On Jun 25, 2019, at 9:41 AM, Scott \
> > > <scott@viviotech.net<mailto:scott@viviotech.net>> wrote: 
> > > First, sorry if this is a bit of a noob question.
> > > 
> > > I'm trying to find a way of preventing a slew of traffic to an IP, or
> > > IP's, when I join two /30 public subnets to a /29. It appears that while
> > > the ranges are /30 someone is trying to brute-force the network and/or
> > > broadcast addresses for the ranges. When I change them to be a /29, now
> > > the router sees the traffic and starts dropping packets. Are there any
> > > suggestions for mitigating this behavior or is it just the nature of the
> > > beast?
> > > 
> > > --
> > > 101010
> > > 
> > > 
--
101010

TSI Disclaimer:  This message and any files or text attached to it are intended only \
for the recipients named above and contain information that may be confidential or \
privileged. If you are not the intended recipient, you must not forward, copy, use or \
otherwise disclose this communication or the information contained herein. In the \
event you have received this message in error, please notify the sender immediately \
by replying to this message, and then delete all copies of it from your system. Thank \
you!...


[Attachment #3 (text/html)]

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body dir="auto">
Michel is right. This is a common configuration error: failing to have the mask agree \
on all interfaces. This is indeed what you would see.<br> <br>
<div dir="ltr">&nbsp;-mel</div>
<div dir="ltr"><br>
On Jun 25, 2019, at 4:07 PM, Michel Py &lt;<a \
href="mailto:michel.py@tsisemi.com">michel.py@tsisemi.com</a>&gt; wrote:<br> <br>
</div>
<blockquote type="cite">
<div dir="ltr">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf --><style><!-- .EmailQuote { margin-left: 1pt; padding-left: \
4pt; border-left: #800000 2px solid; } --></style><font face="Calibri" size="2"><span \
style="font-size:11pt;"> <div>&gt;&nbsp; Scott wrote :<br>
&gt; No nothing like that. I'm just removing the .0/30 and 4/30 subnets and adding \
.0/29.</div> <div>&gt; To&nbsp; your previous question, yes .0 and .3 are unused. \
Once I change the subnet .3</div> <div>&gt; becomes a usable IP and it's getting \
hammered with traffic, causing packet loss.</div> <div>&nbsp;</div>
<div>You change the subnet mask on both sides, right ?</div>
<div>&nbsp;</div>
<div>Looks to me like expected behavior. On the sending router, with a /30 mask the \
.3 address is not usable, so the sending router does not send traffic.</div> \
<div>When you change to the /29 mask, .3 becomes usable, the sending router ARPs it, \
and starts sending traffic.</div> <div>&nbsp;</div>
<div>In a way, that is possibly good news, as it allows you do find out that you may \
have a DOS or a DDOS attack going on your .3 address.</div> <div>&nbsp;</div>
<div>Michel.</div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>&nbsp;</div>
<div>On 6/25/19 3:30 PM, Mel Beckman wrote:</div>
<div>&gt; Also, what do you mean by "join to /30 public subnets to a /29"? You can't \
overlap subnets, if that's what you're thinking.</div> <div>&gt;</div>
<div>&gt;&nbsp; -mel</div>
<div>&gt;</div>
<div>&gt;&gt; On Jun 25, 2019, at 3:27 PM, Mel Beckman &lt;<a \
href="mailto:mel@beckman.org">mel@beckman.org</a>&gt; wrote:</div> \
<div>&gt;&gt;</div> <div>&gt;&gt; You're using just the two middle IPs in the four \
that make up the /30 set, right? IOW, the subnet x.x.x.0/30 should have .0 and .3 \
unused (they're broadcast), and you use .1 and .2.</div> <div>&gt;&gt;</div>
<div>&gt;&gt; -mel</div>
<div>&gt;&gt;</div>
<div>&gt;&gt;&gt; On Jun 25, 2019, at 9:41 AM, Scott &lt;<a \
href="mailto:scott@viviotech.net">scott@viviotech.net</a>&gt; wrote:</div> \
<div>&gt;&gt;&gt;</div> <div>&gt;&gt;&gt; First, sorry if this is a bit of a noob \
question.</div> <div>&gt;&gt;&gt;</div>
<div>&gt;&gt;&gt; I'm trying to find a way of preventing a slew of traffic to an IP, \
or</div> <div>&gt;&gt;&gt; IP's, when I join two /30 public subnets to a /29. It \
appears that while</div> <div>&gt;&gt;&gt; the ranges are /30 someone is trying to \
brute-force the network and/or</div> <div>&gt;&gt;&gt; broadcast addresses for the \
ranges. When I change them to be a /29, now</div> <div>&gt;&gt;&gt; the router sees \
the traffic and starts dropping packets. Are there any</div> <div>&gt;&gt;&gt; \
suggestions for mitigating this behavior or is it just the nature of the</div> \
<div>&gt;&gt;&gt; beast?</div> <div>&gt;&gt;&gt;</div>
<div>&gt;&gt;&gt; --</div>
<div>&gt;&gt;&gt; 101010</div>
<div>&gt;&gt;&gt;</div>
<div>&gt;&gt;&gt;</div>
<div>--</div>
<div>101010</div>
<div>&nbsp;</div>
<div>TSI Disclaimer:&nbsp; This message and any files or text attached to it are \
intended only for the recipients named above and contain information that may be \
confidential or privileged. If you are not the intended recipient, you must not \
forward, copy, use or  otherwise disclose this communication or the information \
contained herein. In the event you have received this message in error, please notify \
the sender immediately by replying to this message, and then delete all copies of it \
from your system. Thank you!...</div> <div>&nbsp;</div>
</span></font></div>
</blockquote>
</body>
</html>



[prev in list] [next in list] [prev in thread] [next in thread]