[c-nsp] BGP blackholing with communities
David Freedman
david.freedman at uk.clara.net
Mon Mar 21 04:58:10 EST 2005
Don't forget to also "set origin igp" in the route-map.
Dave.
Oliver Boehmer (oboehmer) wrote:
> Rob Polland <> wrote on Monday, March 21, 2005 9:57 AM:
>
>> I have a customer that wants to implement triggered blackholing using
>> communities (if the customer faces an attack, they just send our AS the
>> route with a community and we set the route to Null0). Can anybody
>> tell me how we can do it, or does anybody have any document
>> concerning this issue?
>
> ip cef
> !
> ! enable the following Null0 route on all your BGP speakers, don't redistribute
> ! into your IGP
> !
> int null0
> no ip unreachables
> !
> ip route 192.168.255.255 255.255.255.255 null0
> !
> ip community-list 50 permit xxx:yyy
> !
> route-map PEER-INBOUND permit 10
> match community 50
> set ip next-hop 192.168.255.255
> set community no-export ! optional
> route-map PEER-INBOUND permit 20
> ....
>
>
> so you set the next-hop of paths matching the community xxx:yyy to a
> bogus IP address which recurses to Null0. If you create the static
> Null0 route on all your BGP speakers, the traffic will be black-holed as
> soon as it enters your network.
>
> see ftp://ftp-eng.cisco.com/cons/isp/security/Remote-Triggered-Black-Hole-Filtering-02.pdf
> and http://www.nanog.org/mtg-0110/greene.html for more information and
> addtl. techniques.
>
> oli
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
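Added example, not part of the thread: a small Python model of what the PEER-INBOUND route-map and the static Null0 route quoted above do to a customer's BGP update, with David's "set origin igp" applied in sequence 10. It also adds one check the post does not spell out but that a provider would want: a blackhole is only honoured for a host route inside the customer's own allocation, so a customer cannot blackhole an address that is not theirs. The community 65000:666 (standing in for xxx:yyy), the allocation 10.1.0.0/16, the customer link 203.0.113.0/30 and the interface name are constructed placeholders.

```python
"""Simulation of community-triggered blackholing (RTBH) on a BGP speaker.

Added example; not the configuration or code of any poster in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Bogus next-hop from the post; every BGP speaker has a /32 static to Null0 for it.
BLACKHOLE_NEXT_HOP = "192.168.255.255"
# Placeholder for the xxx:yyy community in the post (constructed).
BLACKHOLE_COMMUNITY = "65000:666"

# Static/connected FIB of one router: prefix -> outgoing interface (constructed).
STATIC_FIB = {
    ip_network("192.168.255.255/32"): "Null0",              # ip route ... null0
    ip_network("203.0.113.0/30"): "GigabitEthernet0/1",     # link towards the customer
}


@dataclass
class Route:
    prefix: str
    next_hop: str
    communities: frozenset = frozenset()
    origin: str = "incomplete"


def resolve_next_hop(next_hop: str) -> Optional[str]:
    """Longest-match lookup of a BGP next-hop in the FIB: the recursion that
    turns the bogus next-hop into a Null0 adjacency."""
    addr = ip_address(next_hop)
    matches = [(net, ifc) for net, ifc in STATIC_FIB.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def peer_inbound(route: Route, customer_allocation: str) -> Optional[Route]:
    """Apply route-map PEER-INBOUND to one received path.

    Sequence 10: paths carrying the blackhole community get the bogus
    next-hop, origin igp and no-export. Defender's check (assumption, not in
    the post): only a /32 inside the customer's allocation may be blackholed.
    Sequence 20: everything else is accepted unchanged.
    """
    net = ip_network(route.prefix)
    if BLACKHOLE_COMMUNITY in route.communities:
        if net.prefixlen != 32 or not net.subnet_of(ip_network(customer_allocation)):
            return None  # dropped: not a host route, or not the customer's space
        return Route(
            prefix=route.prefix,
            next_hop=BLACKHOLE_NEXT_HOP,
            communities=frozenset({"no-export"}),
            origin="igp",
        )
    return route


def outgoing_interface(route: Route, customer_allocation: str) -> Optional[str]:
    """Where traffic for route.prefix ends up after the route-map and FIB recursion."""
    accepted = peer_inbound(route, customer_allocation)
    if accepted is None:
        return None
    return resolve_next_hop(accepted.next_hop)


if __name__ == "__main__":
    peer = "203.0.113.2"
    attacked = Route("10.1.2.3/32", peer, frozenset({BLACKHOLE_COMMUNITY}))
    normal = Route("10.1.0.0/16", peer)
    foreign = Route("10.9.9.9/32", peer, frozenset({BLACKHOLE_COMMUNITY}))
    for r in (attacked, normal, foreign):
        print(r.prefix, "->", outgoing_interface(r, "10.1.0.0/16"))
```

Traffic for the tagged /32 resolves to Null0 on this router; the untagged /16 keeps its real next-hop and is forwarded towards the customer; a tagged /32 outside the customer's allocation is dropped by the route-map rather than blackholed.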