'Re: Implementing RTBH filtering / BGP tagging'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bird-users
Subject:    Re: Implementing RTBH filtering / BGP tagging
From:       Gregg Berkholtz <gregg () tocici ! com>
Date:       2012-03-28 19:04:57
Message-ID: 16779C3B-40BB-41F9-A6F4-11125C27E646 () tocici ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thanks for the help and suggestions, we have a working configuration that now imports \
and uniquely tags/announces blackhole specific kernel route entries.

For the archives, here's a basic working "example" config. I opted to get away from \
statically configuring blackhole routes within BIRD itself, as existing tooling \
adds/removes kernel route table entries on the linux-based router, and keeping this \
within kernel routing tables is a simpler approach for us.

If using a Linux 2.6 kernel based router, and when tracking blacklisted IPs via a 2nd \
route table:

To blacklist 192.0.2.44/32, run:
~$ sudo ip route add blackhole 192.0.2.44/32 table 10

Using the below configuration, within 10 seconds BIRD will detect a new addition to \
kernel routing table 10, and:  1) Auto-add a corresponding blackhole entry to your \
kernel's master routing table...truly blacklisting the IP on your router.

 2) Announce 192.0.2.44/32 with a BGP tag of 64665:666 to your upstream provider, \
enabling you to leverage a customer blackhole community config (e.g. RTBH portion of \
RFC3882).

Relevant portions of bird.conf:
"...
# Scans and learns of blackhole routes from table 10, every 10 seconds
table blackholes;
protocol kernel blackhole {
  table blackholes;
  kernel table 10;
  scan time 10;
  learn;
  import all;
  export all;
}

# Merges kernel route table 10 into the kernel's active/master routing table
protocol pipe {
  table master;
  peer table blackholes;
  mode transparent;
  import filter {
    print "Importing blackhole list.";
    accept;
  };
}

filter bgp_out_upstream {
  # Limit to blackholed routes
  if (proto = "blackhole" ) then
  {
    # Limit to /32 netmask
    if net.len = 32 then {
      bgp_community.add((64665,666)); # Replace 64665 with your upstream's ASN
      printn "Nulling ";
      print net;
      accept;
    }
  }
  if net ~ [192.0.2.0/24] then accept; # Replace 192.0.2.0/24 with your local \
netblock(s)  reject;
}

protocol bgp upstream {
...
  export filter bgp_out_upstream;
...
}
..."

Hope this helps others,
Gregg Berkholtz
Datacenter consulting, hosting & support since 1995
  www.tocici.com  |  503-488-5461 x17  |  AS14613

On Mar 20, 2012, at 3:25 PM, Ondrej Zajicek wrote:

> On Tue, Mar 20, 2012 at 11:42:05AM -0700, Kelly Cochran wrote:
> > > Or much simpler solution - remove secondary tables, add blackhole routes
> > > to bird config as static routes (in static protocol) and have everything
> > > in the master table.
> > 
> 
> > Which is exactly what I wound up doing when testing this sort of thing
> > internally.  Soft config reloads won't bounce the session when you
> > change items in the static protocol.  Good use for an include, generate
> 
> BTW, even 'hard' reconfiguration will not restart the session if there is
> no change in the BGP session protocol (and its filters). The difference
> between soft/hard reconfiguration in BIRD is just whether filter changes
> are considered.
> 
> > > BTW, in the filter bgp_out_he(), i guess you want accept all routes with
> > > proto = "blackhole", otherwise only your routes would be exported (and i
> > > suppose blackholed IPs are foreign).
> > 
> 
> > Blackholed IPs would actually have to be local.  This mechanism is
> > common for dropping a DDoS at your upstream's borders, and not just your
> > own border, as it's presumably not something you can effectively
> > mitigate internally.  Remote IPs would be S/RTBH, and that's not usually
> > seen in transit networks due to the nature of what that would require to
> > affect only the requestor of the blackhole, and not the network as a
> > whole.  (VRFs for everyone!  Wait... that requires how much RAM? 
> > Nevermind...)
> 
> Yes, i thought more about S/RTBH. 
> 
> BTW, to implement other side of RTBH we would probably need to support
> explicit change of received BGP route destination to
> unreachable/blackhole/prohibit type. This currently could by done by
> some tricks, so explicit filter operator for that would be useful, i
> suppose.
> 
> -- 
> Elen sila lumenn' omentielvo
> 
> Ondrej 'SanTiago' Zajicek (email: santiago@crfreenet.org)
> OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
> "To err is human -- to blame it on a computer is even more so."

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org

iEYEARECAAYFAk9zYNkACgkQw+5R43T/iWXgUgCfcH5j2/vF2i40C4RHf5o5gKIV
5C0AoJlSRUJmzzVlAyitQTSWR8NrYmaj
=bn0k
-----END PGP SIGNATURE-----


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic