Public Subnet re-assignments

First, sorry if this is a bit of a noob question.

I'm trying to find a way of preventing a slew of traffic to an IP, or
IPs, when I join two /30 public subnets to a /29. It appears that while
the ranges are /30 someone is trying to brute-force the network and/or
broadcast addresses for the ranges. When I change them to be a /29, now
the router sees the traffic and starts dropping packets. Are there any
suggestions for mitigating this behavior or is it just the nature of the
beast?

You’re using just the two middle IPs in the four that make up the /30 set, right? IOW, the subnet x.x.x.0/30 should have .0 and .3 unused (they’re broadcast), and you use .1 and .2.

-mel

Also, what do you mean by “join two /30 public subnets to a /29”? You can’t overlap subnets, if that’s what you’re thinking.

-mel

No, nothing like that. I'm just removing the .0/30 and .4/30 subnets and
adding .0/29.

To your previous question, yes, .0 and .3 are unused. Once I change the
subnet, .3 becomes a usable IP and it's getting hammered with traffic,
causing packet loss.

If the sources are from many different IPs, it could be a DDoS attack that you simply didn’t notice before. You can black-hole individual IPs using a /32 null0 route. That will at least stop your border router from trying to ARP the destination, reducing broadcast traffic on the subnet. In fact, it’s a good idea to configure /32 null0 routes for IPs you don’t use. Those IPs can’t then be scanned.

-mel

Scott wrote:
No, nothing like that. I’m just removing the .0/30 and .4/30 subnets and adding .0/29.
To your previous question, yes, .0 and .3 are unused. Once I change the subnet, .3
becomes a usable IP and it’s getting hammered with traffic, causing packet loss.

You change the subnet mask on both sides, right?

Looks to me like expected behavior. On the sending router, with a /30 mask the .3 address is not usable, so the sending router does not send traffic.
When you change to the /29 mask, .3 becomes usable, the sending router ARPs it, and starts sending traffic.

In a way, that is possibly good news, as it allows you to find out that you may have a DoS or a DDoS attack going on your .3 address.

Michel.
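The two points made above, that renumbering two /30s into a /29 turns former network/broadcast addresses into host addresses the router will ARP for and forward to, and that unused addresses can be covered with /32 null0 routes, can be checked mechanically. The script below is an added example written for this thread, not code from any of the posters. It uses the documentation range 192.0.2.0/29 as a constructed stand-in for the x.x.x.0/29 in the thread, assumes the only addresses in use are the two middle addresses of each old /30, and emits the discard routes in Cisco IOS syntax (`ip route A.B.C.D 255.255.255.255 Null0`), which is an assumption since the thread never names the platform.

```python
import ipaddress


def host_addresses(cidr):
    """Host addresses inside `cidr` that a router will ARP for and forward to.

    For prefixes shorter than /31 the network and broadcast addresses are
    excluded, which is exactly why .3 is silent under a /30 mask and live
    under a /29 mask.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return set(net.hosts())


def newly_exposed(old_cidrs, new_cidr):
    """Host addresses that become reachable after replacing `old_cidrs`
    (e.g. two /30s) with the single `new_cidr` (e.g. one /29)."""
    before = set()
    for cidr in old_cidrs:
        before |= host_addresses(cidr)
    after = host_addresses(new_cidr)
    return sorted(after - before)


def unused_addresses(cidr, in_use):
    """Host addresses in `cidr` not assigned to any device."""
    used = {ipaddress.ip_address(a) for a in in_use}
    return sorted(host_addresses(cidr) - used)


def null0_routes(addresses):
    """One /32 discard route per address.

    Assumed Cisco IOS syntax; the thread does not say which platform is used.
    A /32 is more specific than the connected /29, so longest-prefix match
    sends traffic for these addresses to Null0 instead of triggering ARP.
    """
    return [f"ip route {addr} 255.255.255.255 Null0" for addr in addresses]


# Constructed sample mirroring the thread: .0/30 and .4/30 merged into .0/29,
# with only the two middle addresses of each old /30 assigned to hosts.
OLD_SUBNETS = ["192.0.2.0/30", "192.0.2.4/30"]
NEW_SUBNET = "192.0.2.0/29"
IN_USE = ["192.0.2.1", "192.0.2.2", "192.0.2.5", "192.0.2.6"]


def main():
    exposed = newly_exposed(OLD_SUBNETS, NEW_SUBNET)
    print("addresses that become routable after the /29 change:")
    for addr in exposed:
        print(f"  {addr}")
    unused = unused_addresses(NEW_SUBNET, IN_USE)
    print("discard routes for addresses nobody uses:")
    for line in null0_routes(unused):
        print(f"  {line}")


if __name__ == "__main__":
    main()
```

Running it lists 192.0.2.3 and 192.0.2.4 as the addresses that go from silent to routable, and prints a Null0 route for each; on the real network the list of addresses in use has to be maintained by hand, and a host later assigned one of those addresses needs its discard route removed first.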

Michel is right. This is a common configuration error: failing to have the mask agree on all interfaces. This is indeed what you would see.

-mel