[lacnog] RFC1918 traffic observed from IX.BR Peering VLAN

Siyuan Miao siyuan en misaka.io
Mar Mar 5 13:48:56 -03 2019


I've already got a list using tcpdump -e. The list is about ~50 ASNs.

Will write a script later to contact them later today.

:-)

On Wed, Mar 6, 2019 at 12:38 AM Rubens Kuhl <rubensk en gmail.com> wrote:

>
>
> On Tue, Mar 5, 2019 at 12:13 PM Siyuan Miao <siyuan en misaka.io> wrote:
>
>> Hi,
>>
>> We enabled two NTP servers earlier today in our Brazil site and observed
>> some traffic from 172.16/12 towards our NTP servers.
>>
>> 08:11:20.824080 d8:18:d3:14:07:f1 > a4:5d:36:11:b8:7d, ethertype IPv4
>> (0x0800), length 90: 172.25.15.102.56369 > 185.184.223.223.123: NTPv3,
>> Client, length 48
>> 08:11:21.585601 40:55:39:64:4a:41 > a4:5d:36:11:b8:7d, ethertype IPv4
>> (0x0800), length 90: 172.26.0.10.51779 > 185.184.223.223.123: NTPv3,
>> Client, length 48
>> 08:11:21.640335 9c:7d:a3:ee:bf:a0 > a4:5d:36:11:b8:7d, ethertype IPv4
>> (0x0800), length 90: 172.20.1.142.56857 > 185.184.223.223.123: NTPv3,
>> Client, length 48
>> 08:11:21.933465 5c:5e:ab:db:6f:60 > a4:5d:36:11:b8:7d, ethertype IPv4
>> (0x0800), length 90: 172.19.10.88.43774 > 185.184.223.224.123: NTPv3,
>> Client, length 48
>>
>>
> Step 1: see your ARP table to identify MAC to IP address relation. You
> might want to do a broadcast ping to gather some.
> Step 2: Use meu.ix.br list of participant contacts to warn them they are
> announcing the IX network into their interior routing, so they should
> either not do it or filter traffic.
> Step 3: For unresponsive networks, add communities to prevent propagation
> of your announcement to them.
>
>
> Rubens
>
> _______________________________________________
> LACNOG mailing list
> LACNOG en lacnic.net
> https://mail.lacnic.net/mailman/listinfo/lacnog
> Cancelar suscripcion: https://mail.lacnic.net/mailman/options/lacnog
>
------------ próxima parte ------------
Se ha borrado un adjunto en formato HTML...
URL: <https://mail.lacnic.net/pipermail/lacnog/attachments/20190306/87c19f44/attachment.html>


Más información sobre la lista de distribución LACNOG