[nsp-sec] [OT] Providers with RTBH capability?
Steve Colam
sjc at eng.gxn.net
Wed Apr 10 06:08:32 EDT 2013
On Tue, 9 Apr 2013, John Kristoff wrote:
> I don't know if I should be honored or afraid for you. You're brave to
> use my Perl code from that period.
We made most of the changes back in 2008 and it's run fine since then
so it must be ok :)
> Do you think there would be any interest in an option to enable traffic
> to be sinkholed by setting a next hop to a tunnel or something? If it
> is the type of traffic that can be sinked, we could then feed that directly
> back to source networks through a reporting process.
Well we do actually do that already on a case by case basis but not via
this script... I'd hate for one of our NOC folks to get all crazy and
redirect everything to a snoop port :) That said the /etc/group check
could be used to enable this on a group basis.
>> We have an external script to do snmp pull/push; I've not included
>> that. John's original has code to do this in it...
>> mkdir /tftpboot/bhrs; chgrp <www> /tftpboot/bhrs
>
> I'd probably have it interact more directly with a local Quagga/BIRD
> router than doing snmp or tftp or even just run Net::BGP directly. Any
> interest in a version like that? I really feel like I need to redeem
> myself here. Please. :-)
I think a slightly different approach if a re-write is being considered.
It needs to be modular, a tool to manage the db, a tool to build config
from the db (maybe to bgp/push/etc), and a web frontend.
So for instance using the existing tool to auto-blackhole netflow/syslog
detected badness (e.g. port scanner) for a short period doesn't work with this
script.
Happy to work on this if you like... Any other suggestions from anyone?
S.
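
The modular split suggested in this message (a tool that manages the database, including short-lived automatic entries, and a separate tool that builds config from it), shown as an added example that is not code from this thread or from the original script. The table layout, function names, the /24 floor and the Quagga-style `ip route ... null0` output are assumptions, and it handles IPv4 only.

```python
import ipaddress
import sqlite3

MIN_PREFIX_LEN = 24  # assumed guard: never blackhole anything broader than a /24

def open_db(path=":memory:"):
    """Create the (hypothetical) blackhole table; expires NULL = until removed."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS blackhole (prefix TEXT PRIMARY KEY, "
               "source TEXT NOT NULL, reason TEXT NOT NULL, expires INTEGER)")
    return db

def add_entry(db, prefix, source, reason, now, ttl=None):
    """Record a prefix; ttl (seconds) gives the short-lived automatic case."""
    net = ipaddress.IPv4Network(prefix, strict=True)  # rejects stray host bits
    if net.prefixlen < MIN_PREFIX_LEN:
        raise ValueError(f"{net} is broader than /{MIN_PREFIX_LEN}; refusing")
    expires = None if ttl is None else now + ttl
    db.execute("INSERT OR REPLACE INTO blackhole VALUES (?, ?, ?, ?)",
               (str(net), source, reason, expires))
    db.commit()
    return str(net)

def expire(db, now):
    """Delete timed entries whose lifetime has passed; returns how many."""
    cur = db.execute("DELETE FROM blackhole WHERE expires IS NOT NULL "
                     "AND expires <= ?", (now,))
    db.commit()
    return cur.rowcount

def build_config(db, now):
    """Render live entries as static discard routes (assumed output format)."""
    rows = db.execute("SELECT prefix, source, reason FROM blackhole "
                      "WHERE expires IS NULL OR expires > ? ORDER BY prefix", (now,))
    lines = []
    for prefix, source, reason in rows:
        lines.append(f"! {source}: {reason}")
        lines.append(f"ip route {prefix} null0")
    return "\n".join(lines)

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges, fixed clock).
    db = open_db()
    add_entry(db, "198.51.100.7", "netflow", "port scanner", now=1000, ttl=600)
    add_entry(db, "203.0.113.0/24", "noc", "manual", now=1000)
    print(build_config(db, now=1100))
    print("expired:", expire(db, now=1600))
    print(build_config(db, now=1600))
```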