
Blackholing and blackhole routing relay setup leveraging BGP communities

Here is a simple yet powerful means for an ISP to blackhole an internal or customer IP address that is the victim of a DDoS, with the goal of minimizing the impact on other customers and services. The first Cisco IOS config snippet goes on a router acting only as a route server. Its first BGP peer shows the Cogent blackhole route server setup from some years back.

Router acting only as a route server

router bgp 65333
 bgp router-id 10.11.12.252
 neighbor 130.117.20.1 remote-as 174
 neighbor 130.117.20.1 description Cogent BlackHole RS
 neighbor 130.117.20.1 ebgp-multihop 63
 neighbor 130.117.20.1 update-source Loopback0
 neighbor 130.117.20.1 send-community
 neighbor 130.117.20.1 version 4
 neighbor 130.117.20.1 route-map BLACKHOLE out
 neighbor 130.117.20.1 filter-list 6 in
 ! Border A
 neighbor 10.0.0.3 remote-as 65333
 neighbor 10.0.0.3 send-community
 neighbor 10.0.0.3 route-map BLACKHOLE out
 neighbor 10.0.0.3 filter-list 6 in
 ! Border B
 neighbor 10.0.0.5 remote-as 65333
 neighbor 10.0.0.5 send-community
 neighbor 10.0.0.5 route-map BLACKHOLE out
 neighbor 10.0.0.5 filter-list 6 in
 ! customer or internal address to blackhole on the borders
 network 10.6.6.6 mask 255.255.255.255
!
! added: the network statement only originates the /32 if an exact match is present in the RIB
ip route 10.6.6.6 255.255.255.255 Null0
!
ip as-path access-list 6 deny .*
!
route-map BLACKHOLE permit 100
 description DoS Mitigation
 set community 65333:666
!

The sole "network" statement in the BGP router config indicates the single IP address to blackhole. This way, using BGP communities, a single point in your network is configured to blackhole an IP address across your whole ISP. On one border router, we also want to tell our upstream or peer to blackhole this same address inside its own network. The "set community" statement in the AS3303_OUT route map does just that.

Border router A

router bgp 65333
 bgp router-id 10.0.0.3
 neighbor 10.11.12.252 remote-as 65333
 neighbor 10.11.12.252 description BlackHole RS
 neighbor 10.11.12.252 send-community
 neighbor 10.11.12.252 route-map CUSTOMERS_IN in
 !
 neighbor 164.128.20.41 remote-as 3303
 neighbor 164.128.20.41 description Swisscom IP-PLUS peering
 neighbor 164.128.20.41 send-community
 neighbor 164.128.20.41 route-map AS3303_OUT out
!
ip route 172.16.0.0 255.240.0.0 Null0
!
ip as-path access-list 13 permit ^$
ip as-path access-list 13 permit ^(65333_)+$
ip as-path access-list 13 permit ^(CUSTOMERASN_)+$
...
ip as-path access-list 13 deny .*
!
ip community-list 6 permit 65333:666
!
ip prefix-list BLACKHOLE seq 5 permit 0.0.0.0/0 ge 32
ip prefix-list BLACKHOLE seq 10 deny 0.0.0.0/0 le 31
!
route-map CUSTOMERS_IN permit 100
 description DoS Mitigation
 match ip address prefix-list BLACKHOLE
 match as-path 13
 match community 6
 set ip next-hop 172.16.6.6
!
route-map AS3303_OUT permit 100
 description DoS Mitigation
 match community 6
 set community 3303:888
!
route-map AS3303_OUT permit 110
!

Community 888 in AS3303 is designed to blackhole a customer or peer route.
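As an added example (not part of the original post), the following Python model of the Border router A policy shows why the three match clauses of CUSTOMERS_IN are ANDed: a /24, a route with a foreign AS in its path, or a route without the 65333:666 tag is dropped by the implicit deny rather than blackholed. The route dictionaries and the AS3303_OUT community rewrite are constructed from the config above; the CUSTOMERASN_ placeholders are not modelled.

```python
import ipaddress
from typing import List, Optional

# Constructed model of the Border router A policy shown on this page.
LOCAL_AS = 65333
BLACKHOLE_COMMUNITY = "65333:666"          # ip community-list 6
UPSTREAM_BLACKHOLE_COMMUNITY = "3303:888"  # set by AS3303_OUT permit 100
NULL_NEXT_HOP = "172.16.6.6"               # set by CUSTOMERS_IN permit 100
NULL_ROUTES = [ipaddress.ip_network("172.16.0.0/12")]  # ip route ... Null0


def prefix_list_blackhole(prefix: str) -> bool:
    """ip prefix-list BLACKHOLE: permit 0.0.0.0/0 ge 32, deny 0.0.0.0/0 le 31."""
    return ipaddress.ip_network(prefix, strict=False).prefixlen == 32


def as_path_13(as_path: List[int]) -> bool:
    """ip as-path access-list 13: empty path (^$) or only our own AS (^(65333_)+$)."""
    return all(asn == LOCAL_AS for asn in as_path)


def customers_in(route: dict) -> Optional[dict]:
    """route-map CUSTOMERS_IN permit 100: every match clause must hold; a route that
    fails any of them hits the implicit deny and never enters the BGP table."""
    if not (prefix_list_blackhole(route["prefix"])
            and as_path_13(route["as_path"])
            and BLACKHOLE_COMMUNITY in route["communities"]):
        return None
    accepted = dict(route)
    accepted["next_hop"] = NULL_NEXT_HOP  # resolves to Null0 through the static route
    return accepted


def as3303_out(route: dict) -> dict:
    """route-map AS3303_OUT: permit 100 rewrites the community on tagged routes
    ('set community' without 'additive' replaces the list); permit 110 passes the rest."""
    out = dict(route)
    if BLACKHOLE_COMMUNITY in route["communities"]:
        out["communities"] = [UPSTREAM_BLACKHOLE_COMMUNITY]
    return out


def next_hop_is_discarded(next_hop: str) -> bool:
    """True when the next hop lies inside a range the border routes to Null0."""
    return any(ipaddress.ip_address(next_hop) in net for net in NULL_ROUTES)


if __name__ == "__main__":
    # Constructed sample: the /32 originated by the route server, received over iBGP.
    victim = {"prefix": "10.6.6.6/32", "as_path": [], "communities": ["65333:666"]}
    print(customers_in(victim))
    print(as3303_out(victim)["communities"])
```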

Border router B, on the other hand, has no connection to an upstream that implements blackholing we could relay to as above, so we send the traffic to the Null0 interface on this router itself, keeping the attack's impact on the internal network to a minimum.

Border router B

router bgp 65333
 bgp router-id 10.0.0.5
 neighbor 10.11.12.252 remote-as 65333
 neighbor 10.11.12.252 description BlackHole RS
 neighbor 10.11.12.252 send-community
 neighbor 10.11.12.252 prefix-list BLACKHOLE in
 neighbor 10.11.12.252 route-map CUSTOMERS_IN in
!
ip route 172.16.0.0 255.240.0.0 Null0
!
ip as-path access-list 13 permit ^$
ip as-path access-list 13 permit ^(65333_)+$
ip as-path access-list 13 permit ^(CUSTOMERASN_)+$
...
ip as-path access-list 13 deny .*
!
ip community-list 6 permit 65333:666
!
ip prefix-list BLACKHOLE seq 5 permit 0.0.0.0/0 ge 32
ip prefix-list BLACKHOLE seq 10 deny 0.0.0.0/0 le 31
!
route-map CUSTOMERS_IN permit 100
 description DoS Mitigation
 match as-path 13
 match community 6
 set ip next-hop 172.16.6.6

Straightforward, simple, effective.
