List: nanog
Subject: Re: Public Subnet re-assignments
From: Mel Beckman <mel () beckman ! org>
Date: 2019-06-26 0:22:08
Message-ID: 01F09F5D-B787-4CB9-AA23-1D652B7D9304 () beckman ! org
Michel is right. This is a common configuration error: failing to have the mask agree
on all interfaces. This is indeed what you would see.
-mel
On Jun 25, 2019, at 4:07 PM, Michel Py <michel.py@tsisemi.com> wrote:
> Scott wrote :
> No nothing like that. I'm just removing the .0/30 and 4/30 subnets and adding
> .0/29. To your previous question, yes .0 and .3 are unused. Once I change the
> subnet .3 becomes a usable IP and it's getting hammered with traffic, causing
> packet loss.
You change the subnet mask on both sides, right ?
Looks to me like expected behavior. On the sending router, with a /30 mask the .3
address is not usable, so the sending router does not send traffic. When you change
to the /29 mask, .3 becomes usable, the sending router ARPs it, and starts sending
traffic.
In a way, that is possibly good news, as it allows you to find out that you may have
a DOS or a DDOS attack going on your .3 address.
Michel.
On 6/25/19 3:30 PM, Mel Beckman wrote:
> Also, what do you mean by "join to /30 public subnets to a /29"? You can't overlap
> subnets, if that's what you're thinking.
> -mel
>
> > On Jun 25, 2019, at 3:27 PM, Mel Beckman <mel@beckman.org> wrote:
> > You're using just the two middle IPs in the four that make up the /30 set, right?
> > IOW, the subnet x.x.x.0/30 should have .0 and .3 unused (they're broadcast), and
> > you use .1 and .2.
> > -mel
> >
> > > On Jun 25, 2019, at 9:41 AM, Scott <scott@viviotech.net> wrote:
> > > First, sorry if this is a bit of a noob question.
> > >
> > > I'm trying to find a way of preventing a slew of traffic to an IP, or
> > > IP's, when I join two /30 public subnets to a /29. It appears that while
> > > the ranges are /30 someone is trying to brute-force the network and/or
> > > broadcast addresses for the ranges. When I change them to be a /29, now
> > > the router sees the traffic and starts dropping packets. Are there any
> > > suggestions for mitigating this behavior or is it just the nature of the
> > > beast?
> > >
> > > --
> > > 101010
> > >
> > >
--
101010
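
Added example, not part of the original thread: a short Python check of the two points made above, namely which addresses stop being network/broadcast when two /30s are replaced by one /29, and whether every interface on a link agrees on the mask. The 203.0.113.0 and 198.51.100.0 prefixes, the link names and the interface list are constructed for illustration.

```python
import ipaddress

def role(addr, net):
    """Classify addr within net: 'network', 'broadcast', 'host' or 'outside'."""
    addr = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(net)
    if addr not in net:
        return "outside"
    if net.prefixlen < 31:  # /31 and /32 have no network/broadcast address
        if addr == net.network_address:
            return "network"
        if addr == net.broadcast_address:
            return "broadcast"
    return "host"

def newly_usable(old_nets, new_net):
    """Addresses that were network/broadcast in the old subnets but are hosts in new_net."""
    changed = []
    for old in old_nets:
        old = ipaddress.ip_network(old)
        for a in (old.network_address, old.broadcast_address):
            if role(a, new_net) == "host":
                changed.append(str(a))
    return changed

def mask_mismatches(interfaces):
    """Report links whose interfaces do not all compute the same network."""
    by_link = {}
    for link, cidr in interfaces:
        by_link.setdefault(link, set()).add(ipaddress.ip_interface(cidr).network)
    return {link: sorted(str(n) for n in nets)
            for link, nets in by_link.items() if len(nets) > 1}

# Constructed sample data (documentation prefixes, hypothetical link names)
OLD = ["203.0.113.0/30", "203.0.113.4/30"]
NEW = "203.0.113.0/29"
INTERFACES = [
    ("link-a", "203.0.113.1/29"),   # one side already re-masked
    ("link-a", "203.0.113.2/30"),   # other side still on the old /30
    ("link-b", "198.51.100.1/30"),
    ("link-b", "198.51.100.2/30"),
]

if __name__ == "__main__":
    print("now host addresses:", newly_usable(OLD, NEW))
    print("mask disagreement:", mask_mismatches(INTERFACES))
```
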