On Thu, May 05, 2005 at 09:43:13AM -0400, Will H. Backman wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> > Claudio Jeker
> > Sent: Wednesday, May 04, 2005 4:18 PM
> > To: [email protected]
> > Subject: Re: openbgpd nexthop blackhole
> >
> > On Wed, May 04, 2005 at 02:55:56PM -0400, Will H. Backman wrote:
> > > Anyone have an example bgpd.conf that uses the nexthop blackhole option
> > > for null routing ddos attacks?
> > >
> > > Looking for an openbsd version of:
> > > http://www.secsup.org/Tracking/
> > >
> >
> > Depends on what you like to achieve but a basic starting point is:
> >
> > match from any community 65001:666 set nexthop blackhole
> >
> > This will blackhole all prefixes with the community tag set to 65001:666.
> > Normally 65001 is your AS and it may be good to limit the match to a group
> > of neighbors (only customers should send you blackhole requests).
> > Last but not least a peer remote-as == source-as check would be good.
> >
> > match from $customer source-as $customer_as community $myas:666 \
> > set nexthop blackhole
> >
> > --
> > :wq Claudio
>
> And this would be combined with the -label option in the route command
> to get the 666?
The client sets the bgp community to that value to tell your router to
blackhole his traffic. If only a small part of his IP block is under a DDoS
attack the customer can blackhole this traffic before it hits his possibly
small uplink. That's the idea behind blackhole in bgp.
To tell your uplink to blackhole a network something like

network 10.2.4.5/32 set community 65001:666

should be enough.

> Taking their example:
> " Now, Black Hole Route the victim IP address:
> ip route victimip 255.255.255.255 Null0 tag 666"
>
> In openbsd:
> route add victimip/32 -blackhole -label 666
>

If you just want to blackhole traffic locally you can do it like this.
Currently route labels are mostly unused but hopefully this will change soon.

--
:wq Claudio
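The filtering policy Claudio describes above (accept a 65001:666 blackhole request only from a customer, and only when the originating source-as equals that peer's remote-as) modelled as a small decision function, so the effect of each check can be exercised on constructed updates. This is an added example, not code from the thread or from OpenBGPD; the Peer/Update classes and the additional "prefix must lie inside the customer's own allocation" check are assumptions of this example, not something the thread states.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import List, Set, Tuple

MY_AS = 65001
BLACKHOLE_COMMUNITY = (MY_AS, 666)  # the "65001:666" tag from the thread


@dataclass
class Peer:
    """A BGP neighbour as seen by the upstream router (hypothetical model)."""
    name: str
    remote_as: int
    is_customer: bool
    allocations: List[str] = field(default_factory=list)  # prefixes the customer may originate


@dataclass
class Update:
    """One received route (hypothetical model). as_path[-1] is the origin, i.e. bgpd's source-as."""
    peer: Peer
    prefix: str
    as_path: List[int]
    communities: Set[Tuple[int, int]]


def blackhole_decision(upd: Update) -> Tuple[bool, str]:
    """Mirror 'match from $customer source-as $customer_as community $myas:666
    set nexthop blackhole' and return (blackhole?, reason)."""
    if BLACKHOLE_COMMUNITY not in upd.communities:
        return False, "no blackhole community; handled as a normal route"
    # Only customers may ask us to drop traffic (the 'from $customer' part).
    if not upd.peer.is_customer:
        return False, "blackhole community from a non-customer peer is ignored"
    # source-as == peer remote-as: the customer must be the originator, not a transit hop.
    if not upd.as_path or upd.as_path[-1] != upd.peer.remote_as:
        return False, "source-as does not match the peer's remote-as"
    # Added safeguard (assumption): the victim prefix must be inside the customer's own space.
    net = ip_network(upd.prefix)
    if not any(net.subnet_of(ip_network(a)) for a in upd.peer.allocations):
        return False, "prefix lies outside the customer's allocation"
    return True, "set nexthop blackhole"
```

Construct a customer peer with allocation 10.2.0.0/16 and feed it the thread's 10.2.4.5/32 announcement with and without the community, plus a non-customer peer and a transit path, to see which requests are honoured.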

