Traffic destined for 100.114.128.0/24
Hello,

I've noticed over the past couple of weeks that some hosts on a network I manage appear to be trying to reach hosts in this network 100.114.128.0/24.

It's an IANA reserved block but I'm really not sure what it's used for. I just notice it keeps coming up but it doesn't have a route.

Has anyone else been seeing this?

Thanks,
-Drew
On 4/8/20 2:42 PM, Drew Weaver wrote:
Hello,
I’ve noticed over the past couple of weeks that some hosts on a network I manage appear to be trying to reach hosts in this network 100.114.128.0/24
It’s an IANA reserved block but I’m really not sure what it’s used for. I just notice it keeps coming up but it doesn’t have a route.
Has anyone else been seeing this?
This is part of the RFC6598 space for carrier-NAT deployments. If you're seeing traffic inbound to your network to those addresses, someone's presumably got a default toward you and a hole in their internal routing table. If you're seeing traffic outbound toward those addresses, some of your customers have somehow picked up a configuration expecting some sort of service there.

Inbound traffic toward your network from or to those addresses is effectively a bogon. Outbound traffic from/to those addresses means you have a misconfiguration somewhere (presumably unintentional and perhaps some poorly behaved automatic config on a CPE).

--
Brandon Martin
On 08/04/2020 19:42, Drew Weaver wrote:
I’ve noticed over the past couple of weeks that some hosts on a network I manage appear to be trying to reach hosts in this network 100.114.128.0/24
Short answer: filter 100.64.0.0/10 from your upstreams, as you would 192.168.0.0/16 or 10.0.0.0/8.

Longer answers will no doubt be available. :)

--
Tom
On 9/Apr/20 15:24, Tom Hill wrote:
Short answer: filter 100.64.0.0/10 from your upstreams, as you would 192.168.0.0/16 or 10.0.0.0/8.
I was trying to remind myself what we did back in the day. Looks like that's been in on our end for yonks:

tinka@all.boxes-re0# show firewall family inet filter filter-incoming
term 10 {
    from {
        source-address {
            10.0.0.0/8;
            100.64.0.0/10;
            127.0.0.0/8;
            169.254.0.0/16;
            172.16.0.0/12;
            192.0.2.0/24;
            192.42.172.0/24;
            192.168.0.0/16;
            198.18.0.0/15;
            198.51.100.0/24;
            203.0.113.0/24;
            41.87.96.0/19;
            41.206.96.0/19;
            41.217.212.0/22;
            105.16.0.0/12;
        }
        destination-address {
            0.0.0.0/0;
        }
    }
    then {
        count filter-incoming-anti-spoofing-counter;
        syslog;
        discard;
    }
}
term 65535 {
    then {
        policy-map UPSTREAM-TRAFFIC-INBOUND;
        forwarding-class best-effort;
        accept;
    }
}

{master}[edit]
tinka@all.boxes-re0#
Longer answers will no doubt be available. :)
As the Afrikaners say, "Finish & Klaar" :-).

Mark.
    from {
        source-address {
            10.0.0.0/8;
            100.64.0.0/10;
            127.0.0.0/8;
            169.254.0.0/16;
            172.16.0.0/12;
            192.0.2.0/24;
            192.42.172.0/24;
            192.168.0.0/16;
            198.18.0.0/15;
            198.51.100.0/24;
            203.0.113.0/24;
            41.87.96.0/19;
            41.206.96.0/19;
            41.217.212.0/22;
            105.16.0.0/12;
        }
        destination-address {
            0.0.0.0/0;
        }
    }
    then {
        count filter-incoming-anti-spoofing-counter;
        syslog;
        discard;
    }
}
i think i will add those last prefixes to my filters. will shut some of the mailing list noise down. :) randy
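
The triage described in the replies above (special-purpose sources arriving from an upstream versus local hosts sending toward such space), as an added Python example that is not part of the thread. The flow-record tuple format and the sample addresses are constructed, and only a subset of the quoted filter's prefixes is used.

```python
import ipaddress
from collections import Counter

# Subset of the source-address list in the filter quoted above. The
# documentation prefixes (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are
# omitted because the constructed sample uses them as stand-in public addresses.
SPECIAL = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15")]

def special_prefix(addr):
    """Return the matching special-purpose prefix as a string, or None."""
    ip = ipaddress.ip_address(addr)
    return next((str(n) for n in SPECIAL if ip in n), None)

def triage(flows):
    """Split flow records into inbound bogons and outbound offenders.

    Each flow is (direction, src, dst): "in" for packets received from an
    upstream, "out" for packets local hosts send toward one (assumed format).
    """
    inbound = Counter()  # special-purpose source prefix -> flows to drop at the edge
    outbound = {}        # local host -> Counter of special-purpose destination prefixes
    for direction, src, dst in flows:
        if direction == "in":
            hit = special_prefix(src)  # same match as the filter's source-address
            if hit:
                inbound[hit] += 1
        elif direction == "out":
            hit = special_prefix(dst)  # a local host expecting a service there
            if hit:
                outbound.setdefault(src, Counter())[hit] += 1
    return inbound, outbound

# Constructed sample records, not taken from the thread.
SAMPLE = [
    ("out", "192.0.2.10", "100.114.128.5"),
    ("out", "192.0.2.10", "100.114.128.9"),
    ("out", "192.0.2.11", "198.51.100.80"),
    ("out", "192.0.2.12", "100.114.128.5"),
    ("in", "100.64.3.1", "192.0.2.10"),
    ("in", "203.0.113.7", "192.0.2.11"),
    ("in", "10.1.2.3", "192.0.2.12"),
]

if __name__ == "__main__":
    inbound, outbound = triage(SAMPLE)
    for host, hits in sorted(outbound.items()):
        print(f"{host} -> {dict(hits)}  (check this host or its CPE config)")
    for prefix, n in sorted(inbound.items()):
        print(f"inbound from {prefix}: {n} flow(s)  (filter at the edge)")
```

The per-host output for the "out" direction is the list of machines to inspect for the misconfiguration; the "in" counts correspond to what the edge filter would discard.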