Bad traffic is coming into my IX Peering interface.
How do I find out where that bad traffic is coming from?
How do I get it to stop?
Customers of Internet Exchanges get a good deal on peering. Life is easy.
Until something goes wrong.
DDoS traffic starts coming into the IX interface..
I work for Arbor Networks and I have seen such questions many times.
cFlow, Netflow, IPFIX can show that there is anomalous traffic arriving, but
not where it is coming from (last hop).
I have a suggestion and I would like to know if it is already in use, or
considered of any use..
The answers are in Layer-2, of course. The MAC addresses identify which of
the routers of my Peers actually transmitted a packet to my router.
Problems:
1/ I could try to tap off the interface and get a packet trace,
but I have to capture and identify a sample of the offending traffic,
2/ My peering router generates Netflow/IPFIX, but only populates Layer-3
data. Even if it did populate field 56 - Src MAC..
3/ In either case I need to get into the ARP cache to figure out which IP
address the MAC address belongs to..
Suggestion:
Ask all IX customers to Embed the ASN into a Locally Administered MAC
address on each peering interface.
First byte for Local flag, second byte for interface number, others for
four-byte ASN
02:00:00:00:01:00 for ASN 256
02:00:00:00:04:F9 for ASN 1273 (first interface)
02:01:00:00:04:F9 for ASN 1273 (second interface)
Now, if all peers have their router interfaces configured with these Local
MAC Addresses, then a customer can capture the traffic and very quickly
extract the identity of each Peer that is sending packets.
And peers can change their router hardware and still transmit from the same
MAC address.
Also, if I can get a peering Router to populate the Src MAC field of IPFIX
and Netflow then I can start monitoring it all with flow reporting tools.
Such MAC level encoding of ASN could be part of the peering agreement
between organisations, or part of the requirement to connect to an IX
RouteReflector.
Even as a voluntary recommendation it could cut down the workload of
identifying where traffic is coming from.
I would appreciate your comments.
I know that I am coming from the monitoring angle and have had few dealing
with the business of an IX, so you may have tried and rejected such things.
I'll be in Dublin too, if a discussion is worthwhile.
Regards
Steve Nash
