[195971] in North American Network Operators' Group
Re: Settle Free Peering - Default Route Abuse Monitoring
daemon@ATHENA.MIT.EDU (Job Snijders)
Sun Sep 24 16:05:37 2017
X-Original-To: nanog@nanog.org
In-Reply-To: <CAAP2CnNK-XXa9cJeBxoRj2BHybnN8ihnuK=r8WqV6gVjZhXhgQ@mail.gmail.com>
From: Job Snijders <job@ntt.net>
Date: Sun, 24 Sep 2017 20:05:18 +0000
To: "North American Network Operators' Group" <nanog@nanog.org>,
Raymond Beaudoin <raymond.beaudoin@icarustech.com>
Errors-To: nanog-bounces@nanog.org
Dear Raymond,
On Sun, 24 Sep 2017 at 21:33, Raymond Beaudoin <
raymond.beaudoin@icarustech.com> wrote:
> How is this monitored and tracked? Are ACLs applied to help enforce this
> (seems to be limited at scale)? Flow export and alarming? Analytics and
> anomalous behavior detection? Common professional courtesy?
This RFC https://tools.ietf.org/html/rfc7789 covers the topic of
“unexpected traffic flows”, which is essentially the same as having default
being pointed at you without your permission. May be worth reading!
A most scalable option is to use a flow collection / monitoring program
like pmacct (http://pmacct.net/) to inspect flows and flag the ones that
shouldn’t exist according to your policy. Paolo Lucente has done excellent
work to make this problem space manageable:
http://wiki.pmacct.net/DetectingRoutingViolations
Also, if you are at an internet exchange, make sure to enable MAC
accounting (if available) on the IX facing interface, so you can easily
monitor for traffic coming from MAC addresses with which you don’t have a
BGP session.
Kind regards,
Job
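The flow-versus-policy check Job describes, as an added example that is not code from the message, from pmacct or from its author: constructed flow records (peer ASN, source, destination, bytes) are compared against the prefixes you announce to each peer, and any flow from a peer towards a destination you never announced to it is reported per peer. All ASNs, prefixes and flow records below are made-up sample data.

```python
import ipaddress
from collections import defaultdict

# Constructed policy: the prefixes we announce to each peer ASN (sample data, not real).
ANNOUNCED = {
    64500: ["192.0.2.0/24", "198.51.100.0/24"],
    64501: ["192.0.2.0/24"],
}

# Constructed flow records as (peer_asn, src_ip, dst_ip, bytes), e.g. exported from
# a collector. The last two are traffic that should not exist under the policy above.
FLOWS = [
    (64500, "203.0.113.10", "192.0.2.5", 1500),
    (64500, "203.0.113.11", "198.51.100.7", 800),
    (64501, "203.0.113.20", "198.51.100.9", 4000),  # prefix not announced to 64501
    (64501, "203.0.113.21", "198.18.0.1", 6000),    # not our prefix at all: default pointed at us
]


def build_policy(announced):
    """Parse the per-peer prefix lists once so lookups are cheap."""
    return {asn: [ipaddress.ip_network(p) for p in prefixes]
            for asn, prefixes in announced.items()}


def is_expected(policy, peer_asn, dst_ip):
    """True if dst_ip falls inside a prefix we announce to this peer.

    A peer with no entry in the policy gets an empty list, so every flow from
    it is treated as unexpected rather than silently accepted.
    """
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in policy.get(peer_asn, []))


def find_violations(flows, announced):
    """Aggregate unexpected flows per peer: flow count, byte volume, distinct destinations."""
    policy = build_policy(announced)
    per_peer = defaultdict(lambda: {"flows": 0, "bytes": 0, "dsts": set()})
    for peer_asn, _src, dst, nbytes in flows:
        if not is_expected(policy, peer_asn, dst):
            rec = per_peer[peer_asn]
            rec["flows"] += 1
            rec["bytes"] += nbytes
            rec["dsts"].add(dst)
    return dict(per_peer)


if __name__ == "__main__":
    for asn, rec in find_violations(FLOWS, ANNOUNCED).items():
        print(f"AS{asn}: {rec['flows']} unexpected flows, {rec['bytes']} bytes, "
              f"destinations {sorted(rec['dsts'])}")
```

In practice the policy side comes from your own BGP export filters and the flow side from a collector such as pmacct; the byte volume per peer is what makes a persistent default route stand out from an occasional misrouted packet.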