I was thinking OpenBGPD, but admittedly, I haven't used either yet.
Of course controls would be in place to not blackhole myself.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
----- Original Message -----
From: "Christopher Morrow" <[email protected]>
To: "Gavin Henry" <[email protected]>
Cc: "fail2ban list" <[email protected]>,
[email protected]
Sent: Sunday, November 30, 2014 7:26:09 PM
Subject: Re: [Fail2ban-users] Syslog -> BGP Blackhole
Jumping in near/at the end of this conversation...
On Sun, Nov 30, 2014 at 2:23 PM, Gavin Henry <[email protected]> wrote:
>
> On 30 Nov 2014 19:09, "Mike Hammett" <[email protected]> wrote:
>>
>> You can still withdraw the route advertisement.
>>
>> If you're attempting to gain access to my systems, you don't belong on my
>> network. No one other than my management should ever attempt to gain access
>> to my systems. The vast majority of the time it'll be script kiddies or
>> malware.
There are a myriad of reasons NOT to do this, but since you seem like
you've thought through a few, I think you want to do something like:
0) setup quagga on your machine that does the logging, have it ibgp
peer with your network gear (quagga - http://www.nongnu.org/quagga/)
1) setup an 'action script' to simply add the offending ip
address(range/etc) and a timestamp for the event to a simple text
file.
(http://www.fail2ban.org/wiki/index.php/MANUAL_0_8#Actions)
2) have a cronjob cycle through the list, adding/removing offending
ips to a list of static routes in quagga, you can do this with expect
or you could simply update the on-disk configuration file for quagga
and hup the daemon (which I think won't bounce the bgp sessions.. but
you'd be best testing)
3) redistribute the static routes into BGP with some community the
ibgp speakers can match and reset next-hop with.
I suggest the expect method so your config starts clean at each
reboot, I think you'll also want to quality control some of the inputs
to quagga's list, you might not want to blackhole yourself or other
interesting things around the network.
-chris
_______________________________________________
Fail2ban-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fail2ban-users
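The cron side of the procedure Chris sketches above (steps 1 to 3, plus the input quality control he mentions), as an added example that is not part of this thread and is not fail2ban's or Quagga's own code. It assumes a hypothetical ban file path, a 24-hour expiry, and a hypothetical protected prefix list, and it pushes the delta into zebra through vtysh rather than the expect session Chris suggests. Because it rebuilds the wanted set from the ban file and compares it against zebra's running config on every run, expired bans are withdrawn and nothing needs to be written to the on-disk config, so the routing table still starts clean after a reboot.

```python
#!/usr/bin/env python3
"""Cron-side half of a syslog/fail2ban -> Quagga blackhole pipeline.

The fail2ban action only appends "<ip> <unix-time>" lines to BAN_FILE.
Run from cron, this script works out which /32 null routes zebra should
hold right now, refuses anything that would blackhole our own network,
and pushes only the difference into zebra through vtysh.  bgpd then
redistributes the statics into iBGP (route-map not shown here).
"""
import ipaddress
import re
import subprocess
import time

BAN_FILE = "/var/lib/fail2ban/bgp-blackhole.txt"  # assumed: appended to by the fail2ban action
TTL = 24 * 3600                                     # assumed: seconds a blackhole stays installed

# Input quality control.  NEVER_BLACKHOLE is the obvious bogon/RFC1918 set,
# listed explicitly rather than via ipaddress.is_private because that flag
# also covers the RFC 5737 documentation ranges used as sample input below.
NEVER_BLACKHOLE = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]
# Hypothetical: our own management LAN and the prefix the BGP speakers and
# blackhole next-hop live in.  Replace with your real prefixes.
PROTECTED = [ipaddress.ip_network("203.0.113.0/24")]

_NULL_ROUTE = re.compile(r"^\s*ip route (\d+\.\d+\.\d+\.\d+)/32 null0\b", re.IGNORECASE)


def parse_ban_file(text):
    """Return {ip: newest_timestamp}; lines that are not '<ip> <int>' are skipped."""
    bans = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ip = str(ipaddress.ip_address(parts[0]))
            ts = int(parts[1])
        except ValueError:
            continue
        bans[ip] = max(ts, bans.get(ip, 0))
    return bans


def is_safe_to_blackhole(ip_str):
    """True only for an IPv4 address outside NEVER_BLACKHOLE and PROTECTED."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        return False
    return not any(ip in net for net in NEVER_BLACKHOLE + PROTECTED)


def parse_installed(running_config):
    """Set of /32s already blackholed, parsed from zebra's 'show running-config'."""
    installed = set()
    for line in running_config.splitlines():
        m = _NULL_ROUTE.match(line)
        if m:
            installed.add(m.group(1))
    return installed


def reconcile(bans, installed, now):
    """Return (to_add, to_remove) so zebra ends up holding exactly the live, safe bans."""
    wanted = {ip for ip, ts in bans.items()
              if now - ts < TTL and is_safe_to_blackhole(ip)}
    return sorted(wanted - installed), sorted(installed - wanted)


def vtysh_commands(to_add, to_remove):
    """Zebra config lines for the delta (expired bans are withdrawn, not left to rot)."""
    cmds = [f"ip route {ip}/32 null0" for ip in to_add]
    cmds += [f"no ip route {ip}/32 null0" for ip in to_remove]
    return cmds


def push(cmds):
    """Apply the commands to the running zebra in one vtysh session, in order."""
    if not cmds:
        return
    args = ["vtysh", "-d", "zebra", "-c", "configure terminal"]
    for c in cmds:
        args += ["-c", c]
    subprocess.run(args, check=True)


if __name__ == "__main__":
    with open(BAN_FILE) as f:
        bans = parse_ban_file(f.read())
    running = subprocess.run(["vtysh", "-d", "zebra", "-c", "show running-config"],
                             capture_output=True, text=True, check=True).stdout
    to_add, to_remove = reconcile(bans, parse_installed(running), int(time.time()))
    push(vtysh_commands(to_add, to_remove))
```

The producing side is the fail2ban action from Chris's step 1: an action whose actionban is just `echo "<ip> <time>" >> /var/lib/fail2ban/bgp-blackhole.txt` (path assumed, matching BAN_FILE above), with actionunban left empty so expiry is handled by TTL here rather than by fail2ban. On the bgpd side, step 3 is `redistribute static route-map BLACKHOLE` with a route-map that matches the /32s and sets a community of your choosing; the iBGP neighbours match that community and set the next-hop to an address they route to Null0. Those router-side lines are not shown because the community and next-hop values are site-specific.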