> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Claudio Jeker
> Sent: Wednesday, May 04, 2005 4:18 PM
> To: [email protected]
> Subject: Re: openbgpd nexthop blackhole
>
> On Wed, May 04, 2005 at 02:55:56PM -0400, Will H. Backman wrote:
> > Anyone have an example bgpd.conf that uses the nexthop blackhole option
> > for null routing ddos attacks?
> >
> > Looking for an openbsd version of:
> > http://www.secsup.org/Tracking/
> >
>
> Depends on what you like to achieve but a basic starting point is:
>
> match from any community 65001:666 set nexthop blackhole
>
> This will blackhole all prefixes with the community tag set to 65001:666.
> Normally 65001 is your AS and it may be good to limit the match to a group
> of neighbors (only customers should send you blackhole requests).
> Last but not least a peer remote-as == source-as check would be good.
>
> match from $customer source-as $customer_as community $myas:666 \
> set nexthop blackhole
>
> --
> :wq Claudio
And this would be combined with the -label option in the route command to get the 666?
Taking their example:

"Now, Black Hole Route the victim IP address:
ip route victimip 255.255.255.255 Null0 tag 666"

In OpenBSD:

route add victimip/32 -blackhole -label 666
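To make the group and source-as checks Claudio describes concrete, here is an added bgpd.conf fragment (constructed for this thread, not taken from either poster or from the OpenBGPD project). The AS numbers, addresses, macro names and group name are assumed, and the rest of the filter policy is omitted.

```conf
# Constructed example, not a real deployment.
# Assumed: our AS is 65001, one customer peer 192.0.2.10 in AS 65002.

AS 65001
router-id 192.0.2.1

myas="65001"
customer_as="65002"

group "customers" {
    remote-as $customer_as
    neighbor 192.0.2.10 {
        descr "customer-A"
    }
}

# Weak form from the thread: any peer that can attach the community
# 65001:666 gets a prefix blackholed, customer or not.
# match from any community $myas:666 set nexthop blackhole

# Hardened form: only peers in the customer group, only prefixes that
# group actually originates (source-as must equal its remote-as), and
# only host routes, so a customer cannot blackhole address space it
# does not own and cannot take out a whole block with one announcement.
match from group "customers" source-as $customer_as community $myas:666 \
    prefixlen 32 set nexthop blackhole
```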

