• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

IP Spoofing and .cn DNS lookups

D

drebo

Diamond Member
We host two public DNS servers.

Lately, we've had some minor stability problems on them that we've never had before. Namely, pings (as monitored by Whatsup Gold) will fail sometimes, and DNS lookups can also fail.

I looked at the router port (Cisco 7206 Ethernet port) that connects to the switch that the DNS servers are plugged in to, and there are lots of collisions and dropped packets. I probably shouldn't be seeing these, at least not as many as I am.

Working back up the line, I installed wireshark on one of the DNS servers. Immediately, I saw a LOT of DNS requests for .cn domains originating from IP addresses on my public subnet that are not in use. I see the ARP requests from the DNS server, which of course go unanswered. Also, all of these packets have ridiculously low TTLs, like 2 and 3.

It's a weird problem that I'm not sure where to look.

Anyone have any ideas where to go next in potentially filtering out these spoofed IPs?
 
So, if I'm understanding this properly, if I enable unicast RPF in strict mode, my router will drop packets that enter the uplink interface that have a source IP address within my own routed network?

That should clean up quite a bit of the traffic I'm seeing. I imagine that disabling proxy arp would probably help with a few things as well.

I just wish I wasn't seeing so many dropped packets and collisions on the interface. I need to upgrade it to a fast ethernet interface. Heck, I need a new router up there...the 7206 isn't really handling everything I need, and being limited to 3 fast ethernet ports is a pretty big limitation. It's not really fast enough at this point either.
 
Get a new NPE? Collisions are normal on half-duplex but I can't think of an NPE that wasn't at least 100 Base-T.

And always turn off proxy-arp.
 
Yeah, I'm looking at getting a new NPE. The router's running a 12.0 firmware, too...ick. Enabling the RPF checks has helped a lot. Not getting dropped packets, and collisions are much less frequent now.

I'm getting collisions on one of my FA ports, too, which appears to be running at half duplex despite the fact that it shouldn't be. I suspect cabling issues may be at play here, too.

I have 3 FA ports on the thing already, I just haven't moved all of the servers to it. I didn't set this thing up. Unfortunately, I can't suffer any downtime with it to fix all the problems we've been having. I'm thinking about scheduling a maintenance window on Labor Day for it and redoing all of our colo cabinents with new switches and everything.

sh ip traffic doesn't show any proxy arp replies, so I'm not too worried about that. The way this network is set up is just freaking stupid. I should have fixed it years ago. Unfortunately, downtime is even less possible now that we have hosted PBXes running on our network.

Oh well. Dug my own hole here by putting it off.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top