[eix-wg] RIPE EIX-WG: Attributing inbound traffic

Hi Steve,

On Mon, 25 Feb 2013 15:36:40 -0000
"Steve Nash" <steve.nash at theiet.org> wrote:

> Suggestion:
> 
> Ask all IX customers to Embed the ASN into a Locally Administered MAC
> address on each peering interface.
> 
> First byte for Local flag, second byte for interface number, others for
> four-byte ASN
> 
> 02:00:00:00:01:00 for ASN 256
> 
> 02:00:00:00:04:F9 for ASN 1273 (first interface)
> 
> 02:01:00:00:04:F9 for ASN 1273 (second interface)
> 
>  
> 
> Now, if all peers have their router interfaces configured with these Local
> MAC Addresses, then a customer can capture the traffic and very quickly
> extract the identity of each Peer that is sending packets.
> 
> And peers can change their router hardware and still transmit from the same
> MAC address.

On our exchange we regularly encounter issues where several customer routers
misbehave in the same way. It is not uncommon that these issues are caused by a
software bug on routers of a particular brand and model. Using locally
administered MAC addresses means we loose the ability to narrow down problems
to a particular vendor.

In addition, not all routers have the configuration option to modify the MAC
address on a single interface. For these routers it would not be possible to
implement the scheme you propose.


To focus on your problem: Several exchanges collect sFlow samples of traffic
that is transmitted between customers. Of these samples the L2 header
information is stored, and out of this MAC2MAC graphs can be generated. This
allows the customer to see how much traffic they are receiving from each of
their individual peers. In case of a DDoS it is usually very easy to determine
the source peer(s) without doing any traffic capturing, simply by looking at
sudden increases in traffic on these graphs.

Kind regards,
Martin