Traffic destined for 100.114.128.0/24

Drew_Weaver · April 8, 2020, 6:42pm

Hello,

I’ve noticed over the past couple of weeks that some hosts on a network I manage appear to be trying to reach hosts in this network 100.114.128.0/24

It’s an IANA reserved block but I’m really not sure what it’s used for. I just notice it keeps coming up but it doesn’t have a route.

Has anyone else been seeing this?

Thanks,

-Drew

Brandon_Martin · April 8, 2020, 6:54pm

This is part of the RFC6598 space for carrier-NAT deployments. If you're seeing traffic inbound to your network to those addresses, someone's presumably got a default toward you and a hole in their internal routing table. If you're seeing traffic outbound toward those addresses, some of your customers have somehow picked up a configuration expecting some sort of service there.

Inbound traffic toward your network from or to those addresses is effectively a bogon. Outbound traffic from/to those addresses means you have a misconfiguration somewhere (presumably unintentional and perhaps some poorly behaved automatic config on a CPE).

Tom_Hill · April 9, 2020, 1:24pm

Short answer: filter 100.64.0.0/10 from your upstreams, as you would
192.168.0.0/16 or 10.0.0.0/8.

Longer answers will no doubt be available.

Mark_Tinka1 · April 9, 2020, 1:34pm

Short answer: filter 100.64.0.0/10 from your upstreams, as you would
192.168.0.0/16 or 10.0.0.0/8.

I was trying to remind myself what we did back in the day. Looks like
that's been in on our end for yonks:

tinka@all.boxes-re0# show firewall family inet filter filter-incoming
term 10 {
from {
source-address {
10.0.0.0/8;
100.64.0.0/10;
127.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.2.0/24;
192.42.172.0/24;
192.168.0.0/16;
198.18.0.0/15;
198.51.100.0/24;
203.0.113.0/24;
41.87.96.0/19;
41.206.96.0/19;
41.217.212.0/22;
105.16.0.0/12;
}
destination-address {
0.0.0.0/0;
}
}
then {
count filter-incoming-anti-spoofing-counter;
syslog;
discard;
}
}
term 65535 {
then {
policy-map UPSTREAM-TRAFFIC-INBOUND;
forwarding-class best-effort;
accept;
}
}

{master}[edit]
tinka@all.boxes-re0#

Longer answers will no doubt be available.

As the Afrikaaners say, "Finish & Klaar" :-).

Mark.

Bandy_Rush1 · April 9, 2020, 5:27pm

from \{
    source\-address \{
        10\.0\.0\.0/8;
        100\.64\.0\.0/10;
        127\.0\.0\.0/8;
        169\.254\.0\.0/16;
        172\.16\.0\.0/12;
        192\.0\.2\.0/24;
        192\.42\.172\.0/24;
        192\.168\.0\.0/16;
        198\.18\.0\.0/15;
        198\.51\.100\.0/24;
        203\.0\.113\.0/24;
        41\.87\.96\.0/19;
        41\.206\.96\.0/19;
        41\.217\.212\.0/22;
        105\.16\.0\.0/12;
    \}
    destination\-address \{
        0\.0\.0\.0/0;
    \}
\}
then \{
    count filter\-incoming\-anti\-spoofing\-counter;
    syslog;
    discard;
\}

}

i think i will add those last prefixes to my filters. will shut some of
the mailing list noise down.

randy

Mark_Tinka1 · April 9, 2020, 7:04pm

:-).

Mark.