Hmmmm. "cool" feature of some IXs combined with some IX participants.

First, find an IX address that is not in use. Then hard set its neighbour MAC address to something that is not on the IXP. Then set a destination route to go via the MAC address that does not exist, and then ping it. Cool right??

What is happening here is nuts on many different levels. To start, the non-existent MAC address forces this IX (LINX) to treat any packets sent to it as "BUM" traffic; LINX could have prevented this by using static MACs like quite a lot of the other big ones do.

That however does not explain why we got ping responses... It turns out some routers on the peering LAN don't check if the destination MAC address for a packet is their own before forwarding the traffic! In this case 3 different LINX member routers saw my unknown unicast packet and were like "sure, why not, I'll route that!", and the packet routed all the way through to 9.9.9.9, and a response came back to me. Mental!
root@linx-ns:~# ping 195.66.231.230
PING 195.66.231.230 (195.66.231.230) 56(84) bytes of data.
^C
--- 195.66.231.230 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
root@linx-ns:~# ip neigh replace 195.66.231.230 lladdr de:ad:ad:dd:dd:dd dev enp129s0f0.700
root@linx-ns:~# ip route add 9.9.9.9/32 via 195.66.231.230
root@linx-ns:~# ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
From 195.66.226.119: icmp_seq=1 Redirect Host(New nexthop: 195.66.225.238)
64 bytes from 9.9.9.9: icmp_seq=1 ttl=63 time=0.720 ms
64 bytes from 9.9.9.9: icmp_seq=1 ttl=63 time=0.756 ms (DUP!)
64 bytes from 9.9.9.9: icmp_seq=1 ttl=63 time=1.47 ms (DUP!)
^C
--- 9.9.9.9 ping statistics ---
1 packets transmitted, 1 received, +2 duplicates, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.720/0.981/1.468/0.344 ms
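The check the post says some member routers skip is a layer-2 one: before a frame that arrived on the peering port is handed to the IP forwarding path, its destination MAC should be the router's own. The following is an added example, not code from the post or from any vendor; it parses raw Ethernet II frames and applies that check, so the frame with the bogus neighbour MAC from the post (de:ad:ad:dd:dd:dd) is classified as unknown unicast and dropped rather than routed to 9.9.9.9. The interface MAC, sender MAC, source addresses and sample frames are constructed for the demonstration.

```python
import ipaddress
import struct

BROADCAST = bytes.fromhex("ffffffffffff")

# Constructed for the demonstration: a locally administered MAC for "our"
# peering interface, one for the sending host, and the bogus neighbour MAC
# that the post hard-set with `ip neigh replace`.
MY_MAC = bytes.fromhex("020000000001")
SENDER_MAC = bytes.fromhex("020000000002")
BOGUS_MAC = bytes.fromhex("deadaddddddd")


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ethernet(frame: bytes):
    """Split a raw Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, ethertype, frame[14:]


def ipv4_dst(payload: bytes):
    """Destination address from an IPv4 header, or None if it is not IPv4."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        return None
    return str(ipaddress.IPv4Address(payload[16:20]))


def l2_disposition(frame: bytes, my_mac: bytes) -> str:
    """The gate a peering-LAN router should apply before IP forwarding.

    'forward'              destination MAC is ours: may enter the routing path
    'local-broadcast'      broadcast (ARP etc.): handle locally, never route
    'drop-multicast'       group address we are not a router for
    'drop-unknown-unicast' someone else's (or nobody's) MAC: the case in the post
    """
    dst = parse_ethernet(frame)[0]
    if dst == my_mac:
        return "forward"
    if dst == BROADCAST:
        return "local-broadcast"
    if dst[0] & 0x01:          # I/G bit set: group (multicast) address
        return "drop-multicast"
    return "drop-unknown-unicast"


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Constructed Ethernet II frame carrying a minimal IPv4 header (no checksum, no data)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 1, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    return struct.pack("!6s6sH", dst_mac, src_mac, 0x0800) + ip_hdr


def audit(frames, my_mac: bytes):
    """Return [(disposition, dst_mac, dst_ip)] for each inbound frame."""
    out = []
    for frame in frames:
        dst, _src, etype, payload = parse_ethernet(frame)
        dst_ip = ipv4_dst(payload) if etype == 0x0800 else None
        out.append((l2_disposition(frame, my_mac), mac_str(dst), dst_ip))
    return out


# Constructed inbound frames: one genuinely for us, the post's bogus-MAC
# packet towards 9.9.9.9, a broadcast, and an all-hosts multicast.
SAMPLE_FRAMES = [
    build_frame(MY_MAC, SENDER_MAC, "203.0.113.7", "192.0.2.10"),
    build_frame(BOGUS_MAC, SENDER_MAC, "203.0.113.7", "9.9.9.9"),
    build_frame(BROADCAST, SENDER_MAC, "203.0.113.7", "255.255.255.255"),
    build_frame(bytes.fromhex("01005e000001"), SENDER_MAC, "203.0.113.7", "224.0.0.1"),
]

if __name__ == "__main__":
    for disp, dmac, dip in audit(SAMPLE_FRAMES, MY_MAC):
        print(f"{dmac} -> {dip}: {disp}")
```

A router that implements this gate still receives the flooded frame (the IX switch floods unknown unicast to every member port unless static MACs or storm control stop it), but it never forwards it; the three duplicate replies in the post come from routers that skipped the gate and routed on the IP header alone.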
domi@donotsta.re
replied 12 Nov 2024 11:34 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/FH22193y4vxJY58fC2
benjojo
replied 12 Nov 2024 11:35 +0000
in reply to: https://donotsta.re/objects/2420ad24-4081-4b4e-8865-51c48745e172
vidister@chaos.socia..
replied 12 Nov 2024 11:41 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/FH22193y4vxJY58fC2
@benjojo and if they don't have storm control enabled for unknown unicast it's a decent amplification method for spoofed traffic..
benjojo
replied 12 Nov 2024 11:43 +0000
in reply to: https://chaos.social/users/vidister/statuses/113469796989333482
@vidister to their credit they do seem to have a limit of about 10 megabits for bum traffic, well, most of the time. Sometimes they do forget to have this limit on and I have had my one gig port completely slammed with bum traffic
wolf480pl@mstdn.io
replied 12 Nov 2024 11:55 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/FH22193y4vxJY58fC2
@benjojo would this also work if you explicitly specified a broadcast MAC? Also, did these peers forward it because 9.9.9.9 was their customer, or did they forward it through their peers or even upstreams? If you were to send all DNS queries like that, would they send you a bill at the end of the month?
benjojo
replied 12 Nov 2024 12:08 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/113469850790002043
> would this also work if you explicitly specified a broadcast MAC?

Probably not, I don't really want to test that

> Also, did these peers forward it because 9.9.9.9 was their customer, or did they forward it through their peers or even upstreams?

no they just forwarded it because the ASIC/Software/Whatever treats any unicast packet coming into their port as for them

> If you were to send all DNS queries like that, would they send you a bill at the end of the month?

That would require the router/vendor/operator to have tooling in existence or enabled for such things
wolf480pl@mstdn.io
replied 12 Nov 2024 12:09 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/n741314wG7J55yx4jL
@benjojo ok, so they don't meter the traffic coming from the IX, and they just assume the only traffic they get from the IX is for the routes they announce? Wow, that's a lot of trust...
benjojo
replied 12 Nov 2024 12:14 +0000
in reply to: https://mstdn.io/users/wolf480pl/statuses/113469906936043544
@wolf480pl It's a well known cheeky-shit thing to do on IXs to "static route" a peer to get free traffic transit. This is very obviously against the rules of the IX and you can write ACLs to stop this from happening at all, but the vast majority of IX members don't
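The ACL the reply mentions is a destination-prefix filter on the IX-facing port: a member only legitimately receives traffic over the exchange for prefixes it (or its customers) announce there, so anything else arriving on the peering VLAN is someone using it as unpaid transit and can be dropped. The following is an added example, not code from the thread or any IX or vendor; it models that policy as a small Python class and renders the same rules as an nftables ruleset for a Linux router. The announced prefixes and sample packets are constructed (documentation ranges); the interface name is the one used in the post's commands. Locally destined traffic such as the BGP session never passes the forward hook, so it is unaffected.

```python
import ipaddress
from typing import Iterable, List, Tuple

PEERING_IFACE = "enp129s0f0.700"   # interface name taken from the post's commands


class IxIngressFilter:
    """Destination-prefix ingress policy for forwarded traffic from an IXP port."""

    def __init__(self, announced: Iterable[str]):
        # Prefixes this member announces to the IX (constructed sample values
        # are passed in below); only traffic for these may be forwarded.
        self.nets = [ipaddress.ip_network(p, strict=False) for p in announced]

    def permits(self, dst_ip: str) -> bool:
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in n for n in self.nets if n.version == addr.version)

    def classify(self, packets: Iterable[Tuple[str, str]]):
        """packets: (src, dst) pairs seen on the peering port and headed for
        the forwarding path; returns (accepted, dropped) lists."""
        accepted: List[Tuple[str, str]] = []
        dropped: List[Tuple[str, str]] = []
        for src, dst in packets:
            (accepted if self.permits(dst) else dropped).append((src, dst))
        return accepted, dropped

    def to_nftables(self) -> str:
        """Render the policy as an nftables ruleset (IPv4 half; v6 would use
        `ip6 daddr` in the same shape). Text only: nothing here applies it."""
        v4 = ", ".join(str(n) for n in self.nets if n.version == 4)
        return "\n".join([
            "table inet ixp_ingress {",
            "  chain forward {",
            "    type filter hook forward priority 0; policy accept;",
            f'    iifname "{PEERING_IFACE}" ip daddr {{ {v4} }} accept',
            f'    iifname "{PEERING_IFACE}" counter drop',
            "  }",
            "}",
        ])


# Constructed: two prefixes "we" announce at the IX, and a mix of packets
# seen on the peering port, including one aimed at 9.9.9.9 as in the post.
ANNOUNCED = ["192.0.2.0/24", "198.51.100.0/22"]
SAMPLE_PACKETS = [
    ("203.0.113.5", "192.0.2.10"),     # for a prefix we announce: forward
    ("203.0.113.5", "198.51.103.1"),   # inside the /22: forward
    ("203.0.113.5", "9.9.9.9"),        # not ours: free transit attempt, drop
    ("203.0.113.5", "198.51.104.1"),   # just outside the /22: drop
]


def run_sample():
    f = IxIngressFilter(ANNOUNCED)
    return f.classify(SAMPLE_PACKETS)


if __name__ == "__main__":
    accepted, dropped = run_sample()
    print("accepted:", accepted)
    print("dropped: ", dropped)
    print(IxIngressFilter(ANNOUNCED).to_nftables())
```

The counter on the final drop rule is the cheap detection half of this: a rising count on a peering port is exactly the "someone static-routed me" signal the reply describes, visible before it shows up on a transit bill.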
mirabilos@toot.mirbs..
replied 12 Nov 2024 16:01 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/FH22193y4vxJY58fC2
benjojo
replied 12 Nov 2024 16:17 +0000
in reply to: https://toot.mirbsd.org/users/mirabilos/statuses/01JCGHQZ2QTVS8ZNH0TWGD161R
nicoduck@chaos.socia..
replied 12 Nov 2024 11:44 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/FH22193y4vxJY58fC2
DanDankleton@fosstod..
replied 12 Nov 2024 11:58 +0000
in reply to: https://benjojo.co.uk/u/benjojo/h/FH22193y4vxJY58fC2