[eix-wg] RIPE EIX-WG: Attributing inbound traffic
Martin Pels martin.pels at ams-ix.net
Mon Feb 25 19:12:37 CET 2013
Hi Steve,

On Mon, 25 Feb 2013 15:36:40 -0000
"Steve Nash" <steve.nash at theiet.org> wrote:

> Suggestion:
>
> Ask all IX customers to Embed the ASN into a Locally Administered MAC
> address on each peering interface.
>
> First byte for Local flag, second byte for interface number, others for
> four-byte ASN
>
> 02:00:00:00:01:00 for ASN 256
>
> 02:00:00:00:04:F9 for ASN 1273 (first interface)
>
> 02:01:00:00:04:F9 for ASN 1273 (second interface)
>
> Now, if all peers have their router interfaces configured with these Local
> MAC Addresses, then a customer can capture the traffic and very quickly
> extract the identity of each Peer that is sending packets.
>
> And peers can change their router hardware and still transmit from the same
> MAC address.

On our exchange we regularly encounter issues where several customer
routers misbehave in the same way. It is not uncommon that these issues
are caused by a software bug on routers of a particular brand and model.
Using locally administered MAC addresses means we lose the ability to
narrow down problems to a particular vendor.

In addition, not all routers have the configuration option to modify the
MAC address on a single interface. For these routers it would not be
possible to implement the scheme you propose.

To focus on your problem: Several exchanges collect sFlow samples of
traffic that is transmitted between customers. Of these samples the L2
header information is stored, and out of this MAC2MAC graphs can be
generated. This allows the customer to see how much traffic they are
receiving from each of their individual peers. In case of a DDoS it is
usually very easy to determine the source peer(s) without doing any
traffic capturing, simply by looking at sudden increases in traffic on
these graphs.

Kind regards,
Martin
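
An added example, not part of the original message or of any exchange's tooling: it encodes and decodes the MAC layout from the quoted proposal and totals sampled L2 headers per source, the data behind a MAC2MAC graph. The function names, the (src, dst, length) sample format, the length-times-sampling-rate estimate, the documentation ASN 64500 and the sample values are all assumptions constructed for illustration.

```python
from collections import Counter

LOCAL_PREFIX = 0x02  # first byte in the proposal: locally administered, unicast

def asn_to_mac(asn: int, interface: int = 0) -> str:
    """Encode per the proposal: 02 | interface byte | four-byte ASN."""
    if not (0 <= asn <= 0xFFFFFFFF and 0 <= interface <= 0xFF):
        raise ValueError("ASN must fit in 4 bytes, interface in 1 byte")
    raw = bytes([LOCAL_PREFIX, interface]) + asn.to_bytes(4, "big")
    return ":".join(f"{b:02X}" for b in raw)

def mac_to_asn(mac: str):
    """Return (asn, interface), or None if the MAC does not follow the scheme."""
    try:
        raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    except ValueError:
        return None
    if len(raw) != 6 or raw[0] != LOCAL_PREFIX:
        return None  # e.g. a burned-in address on a router that cannot change it
    return int.from_bytes(raw[2:], "big"), raw[1]

def bytes_per_peer(samples, my_mac: str, sampling_rate: int) -> Counter:
    """Estimate inbound bytes per source from sampled (src, dst, length) headers."""
    totals = Counter()
    for src, dst, length in samples:
        if dst.upper() != my_mac.upper():
            continue  # sample is traffic between two other members
        decoded = mac_to_asn(src)
        # Sources outside the scheme stay visible under their raw MAC.
        key = f"AS{decoded[0]}" if decoded else src.upper()
        totals[key] += length * sampling_rate  # assumed 1-in-N packet sampling
    return totals

# Constructed sample data; 64500 is a documentation ASN used as "our" router.
MY_MAC = asn_to_mac(64500)
SAMPLES = [
    ("02:00:00:00:04:F9", MY_MAC, 1500),               # ASN 1273, first interface
    ("02:01:00:00:04:F9", MY_MAC, 1500),               # ASN 1273, second interface
    ("02:00:00:00:01:00", MY_MAC, 64),                 # ASN 256
    ("00:00:5E:00:53:01", MY_MAC, 900),                # documentation-range MAC, not in scheme
    ("02:00:00:00:04:F9", "02:00:00:00:01:00", 1500),  # not addressed to us
]

if __name__ == "__main__":
    for peer, est in bytes_per_peer(SAMPLES, MY_MAC, 1000).most_common():
        print(f"{peer:20s} ~{est} bytes")
```
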