If the sources are from many different IPs, it could be a DDoS attack that you 
simply didn’t notice before. You can black-hole individual IPs using a /32 
null0 route. That will at least stop your border router from trying to ARP the 
destination, reducing broadcast traffic on the subnet. In fact, it’s a good 
idea to configure /32 null0 routes for IPs you don’t use. Those IPs can’t then 
be scanned. 

 -mel

> On Jun 25, 2019, at 3:50 PM, Scott <sc...@viviotech.net> wrote:
> 
> No, nothing like that. I'm just removing the .0/30 and 4/30 subnets and
> adding .0/29.
> 
> To your previous question, yes .0 and .3 are unused. Once I change the
> subnet .3 becomes a usable IP and it's getting hammered with traffic,
> causing packet loss.
> 
> On 6/25/19 3:30 PM, Mel Beckman wrote:
>> Also, what do you mean by “join to /30 public subnets to a /29”? You can’t 
>> overlap subnets, if that’s what you’re thinking.
>> 
>> -mel
>> 
>>> On Jun 25, 2019, at 3:27 PM, Mel Beckman <m...@beckman.org> wrote:
>>> 
>>> You’re using just the two middle IPs in the four that make up the /30 set, 
>>> right? IOW, the subnet x.x.x.0/30 should have .0 and .3 unused (they’re 
>>> broadcast), and you use .1 and .2.
>>> 
>>> -mel
>>> 
>>>> On Jun 25, 2019, at 9:41 AM, Scott <sc...@viviotech.net> wrote:
>>>> 
>>>> First, sorry if this is a bit of a noob question.
>>>> 
>>>> I'm trying to find a way of preventing a slew of traffic to an IP, or
>>>> IPs, when I join two /30 public subnets to a /29. It appears that while
>>>> the ranges are /30 someone is trying to brute-force the network and/or
>>>> broadcast addresses for the ranges. When I change them to be a /29, now
>>>> the router sees the traffic and starts dropping packets. Are there any
>>>> suggestions for mitigating this behavior or is it just the nature of the
>>>> beast?
>>>> 
>>>> -- 
>>>> 101010
>>>> 
>>>> 
> -- 
> 101010
> 
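
The subnet change discussed in this thread, worked through as an added example that is not part of the original messages: it shows which former network/broadcast addresses become usable hosts when two /30s are merged into a /29, and which unused hosts are candidates for /32 null routes. The 192.0.2.0/24 documentation addresses and the in-use list are constructed, and the Cisco IOS-style route line is an assumption about the router platform.

```python
import ipaddress


def merge_report(old_subnets, merged, in_use):
    """Compare the old subnets with the merged one and find null-route candidates."""
    merged_net = ipaddress.ip_network(merged)
    olds = [ipaddress.ip_network(s) for s in old_subnets]
    for old in olds:
        if not old.subnet_of(merged_net):
            raise ValueError(f"{old} is not inside {merged_net}")
    used = {ipaddress.ip_address(a) for a in in_use}
    hosts = set(merged_net.hosts())  # excludes the merged network/broadcast
    # Network and broadcast addresses of the old subnets: no host could use them.
    old_reserved = {a for o in olds
                    for a in (o.network_address, o.broadcast_address)}
    return {
        # Old network/broadcast addresses that are ordinary hosts after the merge.
        "newly_usable": sorted(old_reserved & hosts),
        # Valid hosts with nothing assigned: candidates for a /32 null route.
        "unused_hosts": sorted(hosts - used),
        # Assigned addresses that are not valid hosts in the merged subnet.
        "invalid_in_use": sorted(used - hosts),
    }


def null_routes(report):
    """Render one /32 discard route per unused host (Cisco IOS-style, assumed)."""
    return [f"ip route {addr} 255.255.255.255 Null0"
            for addr in report["unused_hosts"]]


# Constructed sample: two /30s merged into a /29, hosts keep their addresses.
SAMPLE = merge_report(
    ["192.0.2.0/30", "192.0.2.4/30"],
    "192.0.2.0/29",
    ["192.0.2.1", "192.0.2.2", "192.0.2.5", "192.0.2.6"],
)

if __name__ == "__main__":
    print("newly usable:", [str(a) for a in SAMPLE["newly_usable"]])
    for line in null_routes(SAMPLE):
        print(line)
```

Any address that is later assigned to a host has to be taken out of the null-route list first, since the /32 static route is more specific than the connected /29.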
