If the sources are from many different IPs, it could be a DDoS attack that you simply didn’t notice before. You can black-hole individual IPs using a /32 null0 route. That will at least stop your border router from trying to ARP the destination, reducing broadcast traffic on the subnet. In fact, it’s a good idea to configure /32 null0 routes for IPs you don’t use. Those IPs can’t then be scanned.
-mel
On Jun 25, 2019, at 3:50 PM, Scott <scott@viviotech.net> wrote:
No, nothing like that. I'm just removing the .0/30 and .4/30 subnets and adding .0/29.
To your previous question, yes .0 and .3 are unused. Once I change the subnet .3 becomes a usable IP and it's getting hammered with traffic, causing packet loss.
On 6/25/19 3:30 PM, Mel Beckman wrote:
Also, what do you mean by “join two /30 public subnets to a /29”? You can’t overlap subnets, if that’s what you’re thinking.
-mel
On Jun 25, 2019, at 3:27 PM, Mel Beckman <mel@beckman.org> wrote:
You’re using just the two middle IPs in the four that make up the /30 set, right? IOW, the subnet x.x.x.0/30 should have .0 and .3 unused (they’re broadcast), and you use .1 and .2.
-mel
On Jun 25, 2019, at 9:41 AM, Scott <scott@viviotech.net> wrote:
First, sorry if this is a bit of a noob question.
I'm trying to find a way of preventing a slew of traffic to an IP, or IPs, when I join two /30 public subnets to a /29. It appears that while the ranges are /30 someone is trying to brute-force the network and/or broadcast addresses for the ranges. When I change them to be a /29, now the router sees the traffic and starts dropping packets. Are there any suggestions for mitigating this behavior or is it just the nature of the beast?
-- 101010
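
The renumbering discussed in this thread, as an added example that is not part of any poster's message: it works out which addresses stop being network/broadcast addresses when two /30s are merged into a /29, and emits a /32 null0 route for every host address that is not assigned. The prefix 192.0.2.0/29 is a constructed documentation range, the function name `merge_report` is hypothetical, and the route lines assume a router that accepts IOS-style `ip route ... Null0` syntax.

```python
import ipaddress


def merge_report(subnets, in_use):
    """Collapse adjacent subnets into one prefix and plan null routes.

    Returns (merged_prefix, newly_usable, null_routes):
      newly_usable - addresses that were network/broadcast in the old
                     subnets but are ordinary host addresses afterwards
      null_routes  - one /32 Null0 route per host address not in in_use
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    collapsed = list(ipaddress.collapse_addresses(nets))
    if len(collapsed) != 1:
        # e.g. .4/30 + .8/30 are neighbours but not aligned to a /29
        raise ValueError("subnets do not collapse into a single prefix")
    merged = collapsed[0]

    # Addresses the old layout reserved (first and last of each subnet).
    old_reserved = {a for n in nets
                    for a in (n.network_address, n.broadcast_address)}
    new_hosts = set(merged.hosts())
    newly_usable = sorted(old_reserved & new_hosts)

    used = {ipaddress.ip_address(a) for a in in_use}
    stray = used - new_hosts
    if stray:
        raise ValueError(f"in-use addresses outside host range: {sorted(stray)}")

    # Assumed IOS-style syntax; adapt to the router actually in use.
    null_routes = [f"ip route {a} 255.255.255.255 Null0"
                   for a in sorted(new_hosts - used)]
    return merged, newly_usable, null_routes


if __name__ == "__main__":
    # Constructed sample: two /30s whose middle addresses are assigned.
    merged, newly_usable, routes = merge_report(
        ["192.0.2.0/30", "192.0.2.4/30"],
        ["192.0.2.1", "192.0.2.2", "192.0.2.5", "192.0.2.6"],
    )
    print("merged prefix:", merged)
    print("newly usable :", ", ".join(str(a) for a in newly_usable))
    print("\n".join(routes))
```

An address that is later put into service needs its null route removed first, since the /32 is more specific than the connected /29.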