Кривой трафик на аплинке

shicoy

Posted October 22, 2009 (edited) · Report post

Нормально ли видеть такое на Аплинке к одному из магистральных провайдеров?

brd:# tcpdump -ni eth0 src net 10.0.0.0/8

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode

listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

22:05:23.588071 IP 10.200.19.11 > *.*.*.209: ICMP host 93.185.177.5 unreachable, length 36

22:05:24.360336 IP 10.199.6.213 > *.*.*.251: ICMP time exceeded in-transit, length 36

22:05:24.503373 IP 10.199.4.209 > *.*.*.216: ICMP time exceeded in-transit, length 36

22:05:24.649096 IP 10.199.14.102 > *.*.*.216: ICMP host 77.241.41.17 unreachable, length 36

22:05:25.063479 IP 10.199.6.213 > *.*.*.235: ICMP time exceeded in-transit, length 36

22:05:26.399406 IP 10.199.6.213 > *.*.*.227: ICMP time exceeded in-transit, length 36

22:05:26.577644 IP 10.200.19.11 > *.*.*.209: ICMP host 93.185.177.5 unreachable, length 36

22:05:26.649610 IP 10.199.2.102 > *.*.*.216: ICMP host 77.241.47.152 unreachable, length 36

22:05:27.157487 IP 10.200.6.13 > *.*.*.221: ICMP time exceeded in-transit, length 36

22:05:27.660703 IP 10.200.13.11 > *.*.*.204: ICMP host 77.241.40.11 unreachable, length 36

22:05:28.022500 IP 10.199.25.102 > 91.197.174.68: ICMP host 93.185.180.2 unreachable, length 36

22:05:29.054043 IP 10.199.3.102 > *.*.*.218: ICMP host 87.237.114.27 unreachable, length 36

22:05:29.205728 IP 10.2.53.31.54157 > 91.197.172.41.80: S 3592338405:3592338405(0) win 512

22:05:29.327660 IP 10.199.6.213 > *.*.*.227: ICMP time exceeded in-transit, length 36

22:05:30.280677 IP 10.199.6.213 > *.*.*.251: ICMP time exceeded in-transit, length 36

22:05:30.426084 IP 10.240.91.53 > *.*.*.242: ICMP host 91.76.181.0 unreachable - admin prohibited filter, length 60

22:05:30.606743 IP 10.200.13.11 > *.*.*.204: ICMP host 77.241.40.11 unreachable, length 36

22:05:31.065744 IP 10.199.3.102 > *.*.*.218: ICMP host 77.241.39.27 unreachable, length 36

22:05:32.510547 IP 10.200.19.11 > *.*.*.209: ICMP host 93.185.177.5 unreachable, length 36

22:05:32.590437 IP 10.199.6.213 > *.*.*.204: ICMP time exceeded in-transit, length 36

22:05:32.671571 IP 10.199.12.209 > *.*.*.222: ICMP time exceeded in-transit, length 36

22:05:33.761276 IP 10.240.94.74 > *.*.*.247: ICMP host 85.140.116.93 unreachable - admin prohibited filter, length 56

22:05:35.364066 IP 10.199.6.213 > *.*.*.227: ICMP time exceeded in-transit, length 36

22:05:35.591017 IP 10.199.6.213 > *.*.*.204: ICMP time exceeded in-transit, length 36

22:05:36.521351 IP 10.200.13.11 > *.*.*.204: ICMP host 77.241.40.11 unreachable, length 36

22:05:36.691197 IP 10.199.14.102 > *.*.*.222: ICMP host 93.185.176.154 unreachable, length 36

22:05:38.660683 IP 10.1.24.24.21555 > *.*.*.237.1853: R 0:0(0) ack 2947345316 win 0

22:05:39.443362 IP 10.134.248.1 > *.*.*.239: ICMP time exceeded in-transit, length 36

22:05:39.581109 IP 10.199.6.213 > *.*.*.209: ICMP time exceeded in-transit, length 36

22:05:39.910177 IP 10.1.1.1 > *.*.*.208: ICMP time exceeded in-transit, length 36

22:05:41.600412 IP 10.199.6.213 > *.*.*.204: ICMP time exceeded in-transit, length 36

22:05:41.700600 IP 10.1.24.24.21555 > *.*.*.237.1853: R 0:0(0) ack 1 win 0

22:05:42.612262 IP 10.199.4.209 > *.*.*.247: ICMP time exceeded in-transit, length 36

22:05:43.254469 IP 10.10.254.3 > *.*.*.237: ICMP time exceeded in-transit, length 36

22:05:43.963216 IP 10.96.8.142.1988 > *.*.*.240.179: FP 3591935666:3591935734(68) ack 2598577176 win 65535: BGP, length: 68

22:05:44.160071 IP 10.199.15.105 > *.*.*.216: ICMP host 93.185.188.15 unreachable, length 36

22:05:44.727590 IP 10.199.6.102 > *.*.*.248: ICMP host 77.241.41.142 unreachable, length 36

22:05:45.601628 IP 10.199.4.209 > *.*.*.247: ICMP time exceeded in-transit, length 36

22:05:46.124145 IP 10.10.254.3 > *.*.*.237: ICMP time exceeded in-transit, length 36

22:05:46.747502 IP 10.199.4.209 > *.*.*.247: ICMP time exceeded in-transit, length 36

22:05:47.713258 IP 10.1.24.24.21555 > *.*.*.237.1853: R 0:0(0) ack 1 win 0

22:05:48.448681 IP 10.134.248.1 > *.*.*.239: ICMP time exceeded in-transit, length 36

22:05:49.192211 IP 10.199.30.101 > *.*.*.234: ICMP host 77.241.42.134 unreachable, length 36

22:05:49.757639 IP 10.199.4.209 > *.*.*.247: ICMP time exceeded in-transit, length 36

22:05:50.650489 IP 10.200.19.11 > *.*.*.243: ICMP host 93.185.177.7 unreachable, length 36

22:05:51.601207 IP 10.199.4.209 > *.*.*.247: ICMP time exceeded in-transit, length 36

22:05:51.872145 IP 10.199.3.102 > *.*.*.248: ICMP host 87.237.117.28 unreachable, length 36

22:05:51.892530 IP 10.199.6.213 > *.*.*.248: ICMP time exceeded in-transit, length 36

22:05:52.141303 IP 10.10.254.3 > *.*.*.237: ICMP time exceeded in-transit, length 36

Откуда вообще береться 10.0.0.0/8 на аплинке да еще и в таком кол-ве....

Edited October 22, 2009 by shicoy

Share this post

Link to post

Share on other sites

martini

Posted October 22, 2009 · Report post

забыли внутренние сетки подропать фаером на выходе. Может экономат ресурсы роутеров ?? )))

Share this post

Link to post

Share on other sites

UglyAdmin

Posted October 23, 2009 · Report post

Заведите себе за правило дропать на входе всё, кроме того что должно быть.

На любом входе, от юзера до аплинка.

Кривые руки вполне могут встретиться у кого угодно, даже и у тирвана.

Можете дропать и на выходе, по счётчикам на ACL увидите свои кривые руки.

Share this post

Link to post

Share on other sites

shicoy

Posted October 23, 2009 · Report post

Дропать то дропаем, просто интересно откуда такое чудо....

Share this post

Link to post

Share on other sites

Ilya Nikitin

Posted October 23, 2009 (edited) · Report post

забыли внутренние сетки подропать фаером на выходе. Может экономат ресурсы роутеров ?? )))

Адреса 10/8 скорее всего спуфеные, и не факт что источник находится в сети аплинка.

Что-то мне подсказывает, что не будет магистрал вешать ACL на клиентов, незачем... Ведь чем больше трафика он Вам вольет, тем больше денег получит :)

Edited October 23, 2009 by Ilya Nikitin

Share this post

Link to post

Share on other sites

st_re

Posted October 23, 2009 · Report post

А, если сделать трейс на, к примеру, 77.241.40.11, там эти 10.199 и 10.200 не вылезут ? (дроп, естественно учесть надо, или снять, или tcpdump посмотреть)

Share this post

Link to post

Share on other sites

Дегтярев Илья

Posted October 23, 2009 · Report post

Постоянно вижу 10 адреса в трейсах. Даже у крупняка. Например

1 n2-core.mipt.ru (193.125.143.132) 0.293 ms 0.361 ms 0.437 ms

2 Gw1-c7609-tenGb1.mipt.ru (193.125.142.177) 2.664 ms 2.754 ms 2.958 ms

3 comcor-gw.mipt.ru (212.45.31.33) 1.745 ms 1.753 ms 1.855 ms

4 62.117.100.145 (62.117.100.145) 3.544 ms 3.551 ms 3.554 ms

5 212.45.12.218 (212.45.12.218) 23.441 ms 23.543 ms 23.630 ms

6 mpts-a197-53.msk.stream-internet.net (212.188.1.114) 3.832 ms 3.859 ms 3.913 ms

7 10.240.90.75 (10.240.90.75) 4.137 ms 4.302 ms 4.402 ms

Share this post

Link to post

Share on other sites

1GE

Posted October 24, 2009 · Report post

6 mpts-a197-53.msk.stream-internet.net (212.188.1.114) 3.832 ms 3.859 ms 3.913 ms
7 10.240.90.75 (10.240.90.75) 4.137 ms 4.302 ms 4.402 ms

Извините, а МПТС - это кто ?

Sign In

shicoy

Share this post

Link to post

Share on other sites

martini

Share this post

Link to post

Share on other sites

UglyAdmin

Share this post

Link to post

Share on other sites

shicoy

Share this post

Link to post

Share on other sites

Ilya Nikitin

Share this post

Link to post

Share on other sites

st_re

Share this post

Link to post

Share on other sites

Дегтярев Илья

Share this post

Link to post

Share on other sites

1GE

Share this post

Link to post

Share on other sites

Create an account or sign in to comment

Create an account

Sign in