
Re: Some OT questions from a mild noob about an IP network



ghe2001 wrote: 
> Buster, Cisco IOS router, T1 connection. But it probably doesn't matter.

(an actual T1? really? Not even a PRI? Yes, this is irrelevant
to your question)

> I have a /31 transit net (n.n.n.40 to 43) to my ISP. I had everything to/from that net allowed, but I was getting strange hits to odd ports. So, in the border ACL, I allowed 41 and 42, then blocked the entire net to see what was going on. Now I see no traffic on 41 or 42, but lots of activity on 40 and 43 (the edges, that my understanding says aren't used for anything on the transit net).


Better show us the actual ACL you put in. 

What you describe is a /30, not a /31. 

I don't know why you think that the ISP won't send you traffic
for the 40 and 43 addresses. While it's technically the case
that the first address in a block is "for the router" and the
last is "for broadcast", people upstream don't know that and
are just spraying traffic at you, which your router is noting.

> Homework: I asked my ISP (last week and no reply yet). I've looked at the web and at my books on IP networking. I couldn't find an answer.
> 
> Question 0: Why are IPs 41 and 42 not showing any activity? My current guess is that traffic on those IPs hits the Internet interface and is sucked up before the packets get to the ACL.

I don't quite know what you mean. Are you routing them somewhere
in particular?

> Question 1: Have I done something untoward and the ISP is trying to do something with the edges (their alive probes use ICMP to an IP on my T1 net), or are the edges being hit by script kiddies? Or something else that I don't understand at all?

Random traffic is random traffic. The IPv4 space is only 4 billion
addresses, and people scan the whole thing every day.

-dsr-

> Question 2: Since I see nothing happening on the important IPs, can I just not say anything one way or the other about the transit net and let those packets hit the end of the ACL and be denied?


You are always free to drop packets, especially if you don't
want them.

-dsr-
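The point dsr makes about the /30 (first address is the network, last is broadcast, only the two in the middle are hosts) versus an RFC 3021 /31 (both addresses are hosts, no broadcast) can be checked with the Python standard library. The script below is an added example and is not part of the mailing-list thread; 192.0.2.40 is a constructed stand-in for the n.n.n.40 in the question (TEST-NET-1 from RFC 5737), and the per-address hit counts are constructed to mirror the pattern described (hits on .40 and .43, none on .41 and .42), not real router output.

```python
"""Added example (not from the thread): which addresses of a /30 transit
net are hosts, and what role the addresses the ACL is counting play."""
import ipaddress

# Constructed stand-in for the thread's n.n.n.40 (RFC 5737 TEST-NET-1).
TRANSIT_PREFIX = "192.0.2.40"


def describe_block(prefix: str, length: int) -> dict:
    """Return the network, broadcast and host addresses of prefix/length.

    For anything shorter than /31 the first address is the network
    address and the last is the broadcast address, so a /30 has two
    usable hosts.  For a /31 (RFC 3021 point-to-point) there is no
    broadcast address and both addresses are hosts.  strict=True makes
    ip_network() reject a prefix whose host bits are not all zero
    (e.g. 192.0.2.41/30), which is a common misconfiguration.
    """
    net = ipaddress.ip_network(f"{prefix}/{length}", strict=True)
    if length >= 31:
        # Computed explicitly rather than via net.hosts() so the /31
        # rule is visible and independent of the Python version.
        hosts = [str(a) for a in net]
        broadcast = None
    else:
        hosts = [str(a) for a in net.hosts()]
        broadcast = str(net.broadcast_address)
    return {
        "network": str(net.network_address),
        "broadcast": broadcast,
        "hosts": hosts,
    }


# Constructed sample of deny-counter hits per destination address,
# shaped like the pattern in the question; not actual ACL output.
SAMPLE_HITS = [
    ("192.0.2.40", 25),
    ("192.0.2.41", 0),
    ("192.0.2.42", 0),
    ("192.0.2.43", 37),
]


def classify_hits(prefix: str, length: int, hits) -> dict:
    """Label each destination in `hits` by its role within the block.

    Traffic aimed at the network or broadcast address of a point-to-point
    transit net has no legitimate host behind it, so it is background
    noise the border ACL can safely keep dropping.
    """
    info = describe_block(prefix, length)
    result = {}
    for dst, count in hits:
        if dst == info["network"]:
            role = "network address"
        elif dst == info["broadcast"]:
            role = "broadcast address"
        elif dst in info["hosts"]:
            role = "host"
        else:
            role = "outside block"
        result[dst] = (role, count)
    return result


if __name__ == "__main__":
    for length in (30, 31):
        print(f"/{length}:", describe_block(TRANSIT_PREFIX, length))
    for dst, (role, count) in classify_hits(TRANSIT_PREFIX, 30, SAMPLE_HITS).items():
        print(f"{dst:<12} {role:<18} hits={count}")
```

Running it shows the /30 reading of the block (network .40, hosts .41 and .42, broadcast .43) beside the /31 reading (hosts .40 and .41, no broadcast), and tags the constructed hit counts on .40 and .43 as network and broadcast addresses rather than hosts.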

