This is exactly the clarification I was looking for. Now I completely got it I think.
Thanks a lot guys. Cheers, 2013/3/24 Payam Tarverdyan Chychi <[email protected]> > On 13-03-24 2:08 PM, Payam Tarverdyan Chychi wrote: > > Hey, > > I'm not sure what the actual exact request from the user was since i don't > really participate much in the AMS-IX anymore ... > > maybe the attack was destined towards their actual nei ip on the exchange > (initially i assumed /22 was their network, sounds like maybe they meant > the /22 that is shared for connectivity by the exchange members) and they > wanted to drop traffic destined to them? You have to remember that traffic > routed via a router is not the same as traffic destined for a router and if > I recall the email paste by Tobias, it sounded like the use on AMS-IX was > getting attacked on their bgp ip and asked everyone to either stop carrying > traffic from their networks to the x.x.x.x/22 or setup a filtering so only > BGP protocol is allowed and everything else is dropped (someone correct me > here if im wrong) > > > --> Sorry, this below was in response to your previous statement of > being multi-homed (if you null route on not directly connected routers). > The directly connected router will not drop the bgp sesions as its > 'directly connected' > > Yes, If you nullroute /22 that belongs to the peering session you are > going to kill your nei adj with the exchange. > Since only valid traffic is identified to be BGP, i would simply setup an > ACL and discard anything being sent to the x.x.x.x/22 exchange subnet > except BGP packets, applied on the "output" (which carry the routing > table/updates...) and perhaps add your own network mgmt interface ips for > ICMP ping to help for troubleshooting down the line. > > On a side note ...the X0Changes really need to some up with process and > procedures to help people deal with issues like this, leaving it open in > this day and age is ... (stupid?) Not all network admins are the same nor > share the same knowledge and leaving it up to the network admins to figure > things out sometimes just means bad news for everyone. > > Simple link to look at for constructing an ACL on a Juniper (im sure > google has more!) heh > http://kb.juniper.net/InfoCenter/index?page=content&id=KB16685 > > cheers, > -Payam > > On 13-03-24 1:24 PM, Zehef Poto wrote: > > Thank you Payam. I think I got what you mean. > > In this particular case however, the X/22 route is not a customer or > anything. It is the IXP's peering LAN ! > > So... It means that the person requested all the IXP's members to > null-route the whole peering LAN ? How can you possibly ask for this ? > > I peer with several members within this LAN. If I null-route the X/22 > LAN, we agree that my peering sessions will go down, right ? > > Thanks again, > > 2013/3/24 Payam Chychi <[email protected]> > >> Carry a route is the same as accepting a route and having it become >> active, allowing traffic to traverse your network to the destination. In >> this case the user is asking you to drop the route (attack traffic) at your >> edge if possible and not to carry it through your network and deliver it to >> the end destination(his network) because its probably saturating or causing >> him performance issues. >> >> Normally networks well have a global community string that they can tag >> a route with and it will send it to null0, dropping that traffic at the >> edge v.s the user withdrawing its -/24 route from the advertise table. You >> can also go on the peering router and set the next hop route for the >> attacked destination ip to null0 (discard) and only traffic traversing that >> one router well drop the traffic (global community well handle this if you >> have a multi homed network) >> >> Local nullroute example: >> "Set routing-options static route x.x.x.x/32 discard" ... Something like >> this >> >> All your doing is dropping traffic for x.x.x.x/x at your edge, most >> cases its a /32 nullroute. >> >> Google is your friend :) >> Cheers, >> -- >> Payam Chychi >> Network Engineer / Security Specialist >> >> On Sunday, 24 March, 2013 at 6:47 AM, Zehef Poto wrote: >> >> Hey guys, >> >> Thank you all for the very valuable input. Actually yes, Tobias is >> right, >> I'm having this question because of the (quoted by Tobias) e-mail we got >> yesterday across several IXPs. >> >> I just don't understand what is to "carry a route in my backbone". Am I >> not >> supposed to know all of (or most of) the Internet routes, since I work >> with >> tier-1 upstream providers ? As a consequence, it means I'm carrying all >> these routes right ? >> >> A "show route X/22" tells that it was advertised by an eBGP peer on one >> of >> my edge routers, and the three other ones learnt this same route via OSPF. >> >> This is where I'm completely confused. What am I supposed to do to >> "carry" >> a route or not ? >> >> Thanks again, >> >> 2013/3/24 Tobias Heister <[email protected]> >> >> Hi All, >> >> Am 24.03.2013 00 <24.03.2013%2000>:26, schrieb Jeff Wheeler: >> >> Whoever that person is that said something about "use next-hop-self" >> in this context, either you misunderstood them, or you shouldn't >> listen to them anymore. That has nothing to do with looking to see if >> your router knows about a route. >> >> >> This sounds like the OP wants to help the cloudfare guys who send the >> following mail to DECIX/AMSIX (and probably other IX) yesterday. >> >> We're currently seeing a very large attack directed to our IP on AMS-IX >> >> (X). >> >> >> We request that all peers: >> >> 1) Don't carry this route (X/22) in your backbone. (you can set >> >> next-hop-self, etc). It'll save other security concerns and possible free >> transit you're giving away to others. >> >> 2) Filter any traffic within to the AMS-IX exchange fabric (again, >> >> X/22), except for your point to [multi]point BGP communications. >> >> -- >> Kind Regards >> Tobias Heister >> >> _______________________________________________ >> juniper-nsp mailing list [email protected] >> https://puck.nether.net/mailman/listinfo/juniper-nsp >> >> >> > > > _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
