[c-nsp] BGP blackholing with communities
Oliver Boehmer (oboehmer)
oboehmer at cisco.com
Mon Mar 21 04:18:01 EST 2005
Rob Polland <> wrote on Monday, March 21, 2005 9:57 AM:
> I have a customer that wants to implement triggered blackholing using
> communities (if the customer faces an attack, they just send our AS the
> route with a community and we set the route to null zero). Can
> anybody tell me how we can do it, or does anybody have any document
> concerning this issue?
ip cef
!
! enable the following Null0 route on all your BGP speakers, don't
! redistribute it into your IGP
!
int null0
 no ip unreachables
!
ip route 192.168.255.255 255.255.255.255 null0
!
! community the customer tags the prefix with (xxx = your ASN, yyy = your chosen value)
ip community-list 50 permit xxx:yyy
!
route-map PEER-INBOUND permit 10
 match community 50
 set ip next-hop 192.168.255.255
 ! optional: keep the blackholed path from being re-advertised to eBGP peers
 set community no-export
route-map PEER-INBOUND permit 20
 ....
so you set the next-hop of paths matching the community xxx:yyy to a
bogus IP address which recurses to Null0. If you create the static
Null0 route on all your BGP speakers, the traffic will be black-holed as
soon as it enters your network.
see
ftp://ftp-eng.cisco.com/cons/isp/security/Remote-Triggered-Black-Hole-Filtering-02.pdf
and http://www.nanog.org/mtg-0110/greene.html for more
information and additional techniques.
oli
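As an added illustration (not from the post), a small Python model of what the route-map above and the recursive lookup to Null0 do to a received path, so the mechanism can be checked offline. The community 65000:666 and the prefixes are constructed stand-ins for the xxx:yyy placeholders, and the check that the customer may only blackhole its own address space is an addition the post's config does not include.

```python
import ipaddress

# Constructed stand-ins for the placeholders in the post's config.
BLACKHOLE_COMMUNITY = "65000:666"       # what "ip community-list 50 permit xxx:yyy" matches
BLACKHOLE_NEXT_HOP = "192.168.255.255"  # bogus next-hop from "set ip next-hop"
# "ip route 192.168.255.255 255.255.255.255 null0" on every BGP speaker
STATIC_ROUTES = {ipaddress.ip_network("192.168.255.255/32"): "Null0"}
# Constructed IGP route covering the customer's normal next-hop 198.51.100.1
IGP_ROUTES = {ipaddress.ip_network("198.51.100.0/24"): "GigabitEthernet0/1"}
# Addition not in the post: the customer may only blackhole its own prefixes
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]


def peer_inbound(update):
    """Model of route-map PEER-INBOUND on one received path.
    Returns the (possibly modified) path, or None if the path is refused."""
    path = dict(update)
    prefix = ipaddress.ip_network(path["prefix"])
    if BLACKHOLE_COMMUNITY in path["communities"]:          # sequence 10: match community 50
        if not any(prefix.subnet_of(p) for p in CUSTOMER_PREFIXES):
            return None                                     # refuse to blackhole foreign space
        path["next_hop"] = BLACKHOLE_NEXT_HOP               # set ip next-hop 192.168.255.255
        path["communities"] = ["no-export"]                 # set community no-export (replaces)
    return path                                             # sequence 20: everything else as-is


def resolve(next_hop):
    """Recursive next-hop resolution as CEF does it: longest match over static + IGP."""
    nh = ipaddress.ip_address(next_hop)
    table = {**IGP_ROUTES, **STATIC_ROUTES}
    matches = [net for net in table if nh in net]
    return table[max(matches, key=lambda n: n.prefixlen)] if matches else None


def forwarding_outcome(update):
    """Where traffic to this prefix ends up after the route-map and FIB lookup."""
    path = peer_inbound(update)
    return "rejected" if path is None else resolve(path["next_hop"])


def exported_to_ebgp(update):
    """Whether the path would leave the AS (no-export keeps the blackhole internal)."""
    path = peer_inbound(update)
    return path is not None and "no-export" not in path["communities"]
```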