Hey Daniel,

Apologies for not answering your question, but generally this is not a problem, because:

a) have an edge ACL which polices ICMP and UDP high ports to your links and drops the rest
b) don't advertise your links in IGP or iBGP

On 8 March 2018 at 22:17, Dan Římal <d...@danrimal.net> wrote:
> Hi all,
>
> I would like to discuss how you handle a DDoS attack pointed at the IP address
> of a router core interface, if your UPLINK/ISP supports RTBH and you would
> like to drop the traffic at the ISP level because of congested links.
>
> I have tried to implement "classic" BGP-signalled RTBH, by changing the
> next-hop to a discard route. It works well for customer IPs, but applied to a
> core-interface IP address it drops the routing protocols running on these
> interfaces between routers (because the /32 discard route is more specific than,
> at least, the /31 p2p). I tried to implement an export filter between RIB and FIB
> (routing-options forwarding-table export) so as not to install these routes in the
> FIB. It looks better, it doesn't drop BGP/BFD/... anymore, but it only half
> works. Let me try to explain:
>
> I have two routers, both have a transit operator (UPLINK-A, UPLINK-B) and they
> are connected to each other. The router interconnect is, let's say,
> 192.168.72.248/31 (.248 router-A, .249 router-B). I start to propagate via
> iBGP the discard route 192.168.72.248/32 from the DDoS detection appliance to both
> routers. Router-B gets the RTBH route as the best, skips installing it into the FIB
> because of the export filter between RIB and FIB, and starts to propagate the
> appropriate route with the blackhole community to UPLINK-B. UPLINK-B drops the dst
> at their edge. Good.
>
> But router A gets the same blackhole route, but not as the best, because it
> has the same route (/32) as a local route with lower route preference:
>
> 192.168.72.248/32  *[Local/0] 34w1d 07:59:10
>                       Local via ae2.3900
>                     [BGP/170] 07:43:20, localpref 2000
>                       AS path: I, validation-state: unverified
>                     > to 10.110.0.12 via ae1.405
>
> So, router-A doesn't start propagating the blackhole route to UPLINK-A (because it
> is not the best, I guess) and the DDoS still comes in from UPLINK-A.
>
> How can I handle this situation? Maybe set a lower route preference from the
> detection appliance than the default 170? But "Directly connected network" has
> preference 0 and I cannot go lower, and cannot get more specific than the local
> /32. Or maybe use bgp advertise-inactive toward my UPLINKs? Will this help?
>
> Thanks!
>
> Daniel
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
++ytti
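For readers who want to see what the two points in the reply above look like on a Junos box, here is an added illustration in Junos configuration syntax. It is not from the thread or from either poster: the interface, prefix-list, policer and policy names, the 203.0.113.0/24 uplink addressing, the policer rate, and the choice of 33434-33534 as the "UDP high ports" (the traceroute range) are all assumptions; only 192.168.72.248/31 comes from Daniel's mail.

```junos
/* Added example, not from the original thread. Names, addresses,
   policer values and the traceroute port range are assumptions. */

policy-options {
    prefix-list INFRA-LINKS {
        /* every p2p link and loopback that must never become a DDoS sink */
        192.168.72.248/31;
    }
    prefix-list UPLINK-PEERS {
        /* eBGP neighbour addresses on UPLINK-A / UPLINK-B (assumed) */
        203.0.113.1/32;
    }
    policy-statement IBGP-EXPORT {
        /* (b): keep infrastructure link prefixes out of iBGP.
           Deliberately no trailing "then accept": that would also leak
           direct/IGP routes into BGP. Routes not rejected here fall
           through to the default BGP export policy (active BGP routes). */
        term drop-infra-links {
            from {
                prefix-list-filter INFRA-LINKS orlonger;
            }
            then reject;
        }
    }
}

firewall {
    policer INFRA-ICMP-UDP {
        /* enough for ping/traceroute, not for a flood (rate assumed) */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter EDGE-INFRA-PROTECT {
            /* (a): applied "input" on every external-facing interface.
               Order matters: protocol traffic from the peer is accepted
               before the catch-all discard for link addresses. */
            term ebgp-bfd-from-peer {
                from {
                    source-prefix-list {
                        UPLINK-PEERS;
                    }
                    destination-prefix-list {
                        INFRA-LINKS;
                    }
                    protocol [ tcp udp ];
                    port [ bgp 3784 ];
                }
                then accept;
            }
            term police-icmp-to-links {
                from {
                    destination-prefix-list {
                        INFRA-LINKS;
                    }
                    protocol icmp;
                }
                then {
                    policer INFRA-ICMP-UDP;
                    accept;
                }
            }
            term police-traceroute-to-links {
                from {
                    destination-prefix-list {
                        INFRA-LINKS;
                    }
                    protocol udp;
                    /* "UDP high ports": traceroute's range (assumed) */
                    destination-port 33434-33534;
                }
                then {
                    policer INFRA-ICMP-UDP;
                    accept;
                }
            }
            term drop-rest-to-links {
                /* anything else aimed at a link address is dropped here,
                   so a flood never reaches the core /31 */
                from {
                    destination-prefix-list {
                        INFRA-LINKS;
                    }
                }
                then {
                    count infra-drops;
                    discard;
                }
            }
            term transit {
                then accept;
            }
        }
    }
}

interfaces {
    xe-0/0/0 {
        description "UPLINK-A (assumed interface)";
        unit 0 {
            family inet {
                filter {
                    input EDGE-INFRA-PROTECT;
                }
                address 203.0.113.2/31;
            }
        }
    }
}

protocols {
    bgp {
        group IBGP {
            export IBGP-EXPORT;
        }
    }
}
```

Two practical notes. The filter belongs on every interface facing the outside (uplinks, peers, customers), not just the one shown, and because the catch-all term discards everything else sent to a link address, management access has to go to loopbacks. The IGP half of point (b) is not shown: how you keep link prefixes out of IS-IS or OSPF depends on the IGP and on whether the links are numbered at all, so check your platform's documentation rather than assuming an export policy does it.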