Finding asymmetric path

Brielle Bruns bruns at 2mbit.com
Sat Nov 28 17:14:27 UTC 2009


On 11/27/09 8:43 PM, ML wrote:
> I'm reasonable certain a customer of ours who is using one of our
> netblocks is using a different reverse path to reach us. How might I
> figure out who is allowing them to source traffic from IPs that belong
> to us?
>
>
>

I've had two customers pull this stunt in the past with me - one, a 
spammer, tried to do this with an ADSL modem from me, the other (a 
non-spammer with a clueless 'consultant') had a T1 from me and a T1 from 
UUNet.

It started with the T1 customer.  I believe they had a smaller block of 
IPs (less then /24, more like a /25 or /26), and their 'computer 
consultant' with his infinite wisdom decided to send all outbound 
traffic through the UUNet T1 rather then source routing which we highly 
recommended to them.  Of course, we had ingress filters in place to 
block IP ranges we have from coming into us from the WAN links, so when 
they tried to contact servers on the other half of the netblock on our 
end, the connections mysteriously failed.  After lying up and down that 
it was our fault, that their computer 'consultant' was regarded as best 
in the country, blah blah blah, we flipped on logging on the ingress 
filters out of sheer curiosity and discovered exactly what was going on.

The ADSL customer was a bit more tricky - we were getting spam reports 
about his single IP address sending spam, but we had his outbound port 
25 blocked.  Ended up sniffing the port off the router he sat off of, 
and discovering that it was all one sided, wasn't even tickling the 
ingress filters.

Hey, at least your customer didn't convince AT&T to allow them to 
announce out one of your /24s when all they had was a /29.

Your in a tricky bind, I'd approach them under the guise of ingress 
filtering issues.

-- 
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org    /     http://www.ahbl.org




More information about the NANOG mailing list