[lacnog] RFC1918 traffic observed from IX.BR Peering VLAN
Rubens Kuhl
rubensk en gmail.com
Mar Mar 5 13:37:53 -03 2019
On Tue, Mar 5, 2019 at 12:13 PM Siyuan Miao <siyuan en misaka.io> wrote:
> Hi,
>
> We enabled two NTP servers earlier today in our Brazil site and observed
> some traffic from 172.16/12 towards our NTP servers.
>
> 08:11:20.824080 d8:18:d3:14:07:f1 > a4:5d:36:11:b8:7d, ethertype IPv4
> (0x0800), length 90: 172.25.15.102.56369 > 185.184.223.223.123: NTPv3,
> Client, length 48
> 08:11:21.585601 40:55:39:64:4a:41 > a4:5d:36:11:b8:7d, ethertype IPv4
> (0x0800), length 90: 172.26.0.10.51779 > 185.184.223.223.123: NTPv3,
> Client, length 48
> 08:11:21.640335 9c:7d:a3:ee:bf:a0 > a4:5d:36:11:b8:7d, ethertype IPv4
> (0x0800), length 90: 172.20.1.142.56857 > 185.184.223.223.123: NTPv3,
> Client, length 48
> 08:11:21.933465 5c:5e:ab:db:6f:60 > a4:5d:36:11:b8:7d, ethertype IPv4
> (0x0800), length 90: 172.19.10.88.43774 > 185.184.223.224.123: NTPv3,
> Client, length 48
>
>
Step 1: see your ARP table to identify MAC to IP address relation. You
might want to do a broadcast ping to gather some.
Step 2: Use meu.ix.br list of participant contacts to warn them they are
announcing the IX network into their interior routing, so they should
either not do it or filter traffic.
Step 3: For unresponsive networks, add communities to prevent propagation
of your announcement to them.
Rubens
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20190305/1bb6b478/attachment.html>
Más información sobre la lista de distribución LACNOG