# Some Interesting Stuff Found on Internet Exchange (IX) LANs

## Background

- The Internet is largely built on point-to-point Ethernet circuits. Internet Exchanges (IXs) still exist, but their relevance is diminishing as content networks consolidate.
- An IX fabric behaves like one large Ethernet switch: it forwards on Layer 2 MAC addresses and does no Layer 3 IP processing.
- Home and SMB routers ship with defaults that are convenient on a small network but problematic, or outright exploitable, on an IX LAN shared with many untrusted participants.

## BGP.tools "Naughty Packets" Feature

- The author runs a company with ports on many IXs and collects the broadcast, unknown-unicast and multicast (BUM) traffic arriving on those ports.
- Traffic is captured with tcpdump, parsed, and reported on the bgp.tools website.
- Alerts warn IX participants about misconfigurations on their own routers.

## Types of Packets and Misconfigurations Found

### Router/Switch Identification Protocols

- LLDP (Link Layer Discovery Protocol): low commonness, low operational danger, information-disclosure risk. Cross-vendor device identification protocol.
- CDP (Cisco Discovery Protocol): high commonness, no operational danger, information-disclosure risk. Cisco's proprietary equivalent of LLDP.
- MNDP (MikroTik Neighbor Discovery Protocol): high commonness, no operational danger, information-disclosure risk. Enabled by default on MikroTik devices.

### Automatic Addressing Protocols

- DHCP/DHCPv6: medium commonness, high operational danger: unauthorised IP allocation and traffic redirection. Meant for automatic address assignment on a trusted LAN; risky on an IX.
- IPv6 Router Advertisement (RA): high commonness; operational danger is unintended free Internet transit, since an RA offers a default route to any neighbour that accepts it. Sent by default on Cisco and Arista devices.

### Non-BGP Routing Protocols (Not Allowed on IXs)

- OSPF and IS-IS/ES-IS: low commonness; operational and security risks: importation of private internal routes and potential route injection.
- RIP/RIPv2: rare; similar risks to the above.
- MPLS LDP (Label Distribution Protocol): rare; risks include manipulation of MPLS labels.

### Vendor Loop Testing Protocols

- Low commonness, no significant risk.
### Spanning Tree Protocol (STP)

- Medium commonness; can cause local disruption when BPDUs are exchanged between networks.

### Issues with SONiC (Open Source NOS)

- Produces unnecessary broad ping sweeps on IX LANs because of a workaround script (arpupdate). This wastes resources and is a poor design for an IX environment.

### Miscellaneous Unexpected Packets on IX LANs

- Broadcast NTP: low commonness; the broadcast time is often inaccurate.
- MikroTik Winbox / MAC-Telnet: medium commonness; exposes remote configuration interfaces, with potential for operational abuse on an IX.
- DEC-MOP (DECnet): medium commonness; legacy protocol enabled by default on Cisco.
- SSDP (UPnP): rare; consumer home protocol, indicates severe misconfiguration.
- LLMNR / mDNS: rare; desktop name-resolution protocols, usually indicating residential hardware accidentally connected to the IX.
- NetBIOS: rare; Windows file/printer sharing, showing that some desktops or laptops are mistakenly connected.
- VRRP/HSRP: low commonness; first-hop redundancy protocols whose failover could be misused on an IX.

### DNS-Broadcast Behaviour on Cisco Devices

- Cisco devices broadcast DNS queries when no configured resolver works, leaking internal search domains to every participant on the LAN.
- Common mistyped commands cause broadcast DNS queries with strange domain names, because IOS treats an unrecognised word at the exec prompt as a hostname to connect to and tries to resolve it.
- Minor risk of being tricked into executing unwanted commands.

## Recommendations for IX Operators

- IX rules already forbid most of these packets (for example, the AMS-IX allowed-traffic list).
- Enforcement is poor or non-existent at many IXs.
- Simple MAC and Layer 3 ACLs on the IX-facing ports could filter out the problematic traffic (for example LLDP, CDP, DHCP, IPv6 RA).
- Open-source monitoring tools such as IXP-Watch and bgp.tools can assist with detection.
- Increased enforcement and automatic filtering could vastly improve
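The detection side of the above, as an added example that is not bgp.tools' or IXP-Watch's code: a minimal dissector that names the protocol carried by one raw Ethernet frame taken from a BUM capture, and rates it with the operational-danger labels used in the list above. It covers the identification, addressing, routing, STP, MOP, Cisco DNS-broadcast and SONiC ping-sweep cases in one place. The sample frames, MAC addresses, the `corp-int.example` search domain and the `shwo` mistyped command are constructed for the example, not captured data; only the header fields needed to name a protocol are parsed and no checksums are verified.

```python
"""Classify BUM frames seen on an IX port into the 'naughty packet' categories.

Added example, not bgp.tools' code. Sample frames below are hand-built.
"""
import struct

STP_MAC = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
CDP_MAC = bytes.fromhex("01000ccccccc")   # Cisco CDP/VTP multicast
UDP_PORTS = {  # well-known UDP ports of the protocols discussed above
    67: "DHCP", 68: "DHCP", 546: "DHCPv6", 547: "DHCPv6", 520: "RIP", 646: "LDP",
    1985: "HSRP", 123: "NTP", 1900: "SSDP", 5355: "LLMNR", 5353: "MDNS",
    137: "NETBIOS", 138: "NETBIOS", 5678: "MNDP", 20561: "MAC-TELNET",
}
DANGER = {  # operational-danger labels as given in the list above
    "DHCP": "high", "DHCPv6": "high", "IPv6-RA": "transit leak",
    "OSPF": "route injection", "IS-IS": "route injection", "RIP": "route injection",
    "LDP": "label manipulation", "STP": "local disruption",
    "MAC-TELNET": "config exposure", "VRRP": "failover misuse", "HSRP": "failover misuse",
    "LLDP": "info disclosure", "CDP": "info disclosure", "MNDP": "info disclosure",
    "DNS": "search-domain leak", "ICMP-ECHO": "resource waste",
}


def dns_qname(dns: bytes) -> str:
    """First question name of a DNS message (a query's first QNAME is never compressed)."""
    pos, labels = 12, []
    while dns[pos]:
        n = dns[pos]
        labels.append(dns[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def classify_udp(sport: int, dport: int, payload: bytes) -> str:
    if dport == 53:  # Cisco DNS broadcast: the QNAME carries the leaked search domain
        return "DNS:" + dns_qname(payload)
    return UDP_PORTS.get(dport) or UDP_PORTS.get(sport) or f"UDP/{dport}"


def classify_ipv4(pkt: bytes) -> str:
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    body = pkt[ihl:]
    if proto == 89:
        return "OSPF"
    if proto == 112:
        return "VRRP"
    if proto == 1 and body[0] == 8:
        return "ICMP-ECHO"  # SONiC's arpupdate sweep shows up as a burst of these
    if proto == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        return classify_udp(sport, dport, body[8:])
    return f"IP-PROTO/{proto}"


def classify_ipv6(pkt: bytes) -> str:
    nh, body = pkt[6], pkt[40:]  # assumes no extension headers
    if nh == 58:
        return {133: "IPv6-RS", 134: "IPv6-RA", 128: "ICMPv6-ECHO"}.get(body[0], "ICMPv6")
    if nh == 89:
        return "OSPFv3"
    if nh == 17:
        sport, dport = struct.unpack("!HH", body[:4])
        return classify_udp(sport, dport, body[8:])
    return f"IPv6-NH/{nh}"


def classify(frame: bytes) -> str:
    """Name the protocol carried by one Ethernet frame."""
    dst, etype, payload = frame[:6], struct.unpack("!H", frame[12:14])[0], frame[14:]
    if etype == 0x8100:  # strip one 802.1Q tag
        etype, payload = struct.unpack("!H", frame[16:18])[0], frame[18:]
    if etype <= 1500:  # 802.3 length field, so an LLC header follows
        if dst == STP_MAC and payload[0] == 0x42:
            return "STP"
        if payload[0] == 0xFE:
            return "IS-IS"  # IS-IS/ES-IS ride directly on LLC DSAP 0xFE
        if dst == CDP_MAC and payload[:8] == bytes.fromhex("aaaa03" "00000c" "2000"):
            return "CDP"  # SNAP header, Cisco OUI, PID 0x2000
        return "LLC"
    if etype == 0x88CC:
        return "LLDP"
    if etype in (0x6001, 0x6002):
        return "DEC-MOP"  # MOP dump/load and MOP remote console
    if etype == 0x0800:
        return classify_ipv4(payload)
    if etype == 0x86DD:
        return classify_ipv6(payload)
    return f"ETHERTYPE/0x{etype:04x}"


def report(frames: dict) -> dict:
    """Map each frame name to (protocol, operational danger)."""
    out = {}
    for name, frame in frames.items():
        proto = classify(frame)
        out[name] = (proto, DANGER.get(proto.split(":")[0], "unknown"))
    return out


# --- constructed sample frames (not real captures) ---------------------------
def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload

def ip4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\xff\xff\xff\xff"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def ip6(nh, payload, src=bytes.fromhex("fe80" + "00" * 13 + "01"), dst=bytes.fromhex("ff02" + "00" * 13 + "01")):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), nh, 255, src, dst) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

SRC, BCAST = bytes.fromhex("001122334455"), b"\xff" * 6
# constructed: a Cisco box that resolved the mistyped command "shwo" via broadcast DNS
DNS_QUERY = bytes.fromhex("123401000001000000000000") + b"\x04shwo\x08corp-int\x07example\x00\x00\x01\x00\x01"
SAMPLES = {
    "lldp": eth(bytes.fromhex("0180c200000e"), SRC, 0x88CC, b"\x02\x07\x04" + SRC),
    "cdp": eth(CDP_MAC, SRC, 22, bytes.fromhex("aaaa0300000c2000") + b"\x02\xb4"),
    "stp": eth(STP_MAC, SRC, 38, b"\x42\x42\x03" + bytes(35)),
    "dhcp": eth(BCAST, SRC, 0x0800, ip4(17, udp(68, 67, b"\x01\x01\x06\x00"), src=bytes(4))),
    "ra": eth(bytes.fromhex("333300000001"), SRC, 0x86DD, ip6(58, bytes.fromhex("8600000040000708") + bytes(8))),
    "ospf": eth(bytes.fromhex("01005e000005"), SRC, 0x0800, ip4(89, b"\x02\x01" + bytes(14), dst=b"\xe0\x00\x00\x05")),
    "dns": eth(BCAST, SRC, 0x0800, ip4(17, udp(49152, 53, DNS_QUERY))),
    "mndp": eth(BCAST, SRC, 0x0800, ip4(17, udp(5678, 5678, bytes(4)))),
}

if __name__ == "__main__":
    for name, (proto, danger) in report(SAMPLES).items():
        print(f"{name:5s} -> {proto:28s} danger={danger}")
```

Feeding it real traffic is a matter of replacing `SAMPLES` with frames read from a pcap written by `tcpdump -i <ix-port> 'broadcast or multicast'`; the `DNS:` result is the one worth alerting on verbatim, since the query name itself is what leaks a participant's internal search domain.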