On 2017 Jan 05 (Thu) at 18:15:00 +0100 (+0100), Ondrej Zajicek wrote:
:On Thu, Jan 05, 2017 at 05:53:40PM +0100, Ondrej Zajicek wrote:
:> On Thu, Jan 05, 2017 at 04:11:25PM +0000, Roger Whittaker wrote:
:> > I'm trying to use bird to help prevent spam as described here:
:> >
:> > https://debian-administration.org/article/715/Preventing_SPAM_connections_with_bird
:> >
:> > I understand very little about BGP, so I'm really using that article
:> > as a "recipe", and have used the config file there more or less as is,
:> > except for changing the router id setting and enabling logging (and
:> > I've increased scan time to 600).
:>
:> The reason for 'Hold timer expired' is funny. The IP address of eu.bgp-spamd.net
:> is also on the blacklist:
:>
:> bird> show route 217.31.80.170/32
:> 217.31.80.170/32 blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
:>
:> Not sure if that is intentional or not.
:
:OK, seems like the route server is sending not just black list entries,
:but also other entries (white list?) mixed in, marked by BGP communities.
:
:So the original article is horribly mistaken.
:
:Blacklisted routes are only ones with (65066, 666) BGP community. So the
:import filter should look more like:
:
:filter route_import {
:	if !( (65066, 666) ~ bgp_community ) then reject;
:
:	dest = RTD_BLACKHOLE;
:	accept;
:}
:
Hi, I'm the author of bgp-spamd.

Yes, only the routes marked with *:666 communities are blacklist entries.
I also include whitelist entries for servers I semi-trust, and those are
marked with *:42 communities. The service itself uses 65066 as the AS
number, and the upstream servers use their own ASNs.

As a side note, nullrouting hosts that are blacklisted is strongly
discouraged. As noticed, this prevents all communication with the IPs,
including sending "451 you are a spammer" responses in the SMTP
transaction.

I've sent a note to the author of that page, and I added notes about
these two issues to the website, http://bgp-spamd.net/client/index.html

-- 
A formal parsing algorithm should not always be used.
                -- D. Gries
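
An added example, not part of the thread and not bgp-spamd or BIRD code: a small Python model of the import decision discussed above, showing how accepting every route as a blackhole cuts off the feed server itself while a community-aware split does not. The sample feed is constructed, the community attached to 217.31.80.170 is an assumption, and all function names are hypothetical.

```python
import ipaddress

BLACKLIST, WHITELIST = 666, 42   # community values named in the thread
FEED_PEER = "217.31.80.170"      # route server address shown in the thread

# Constructed sample feed: (prefix, communities). Only 217.31.80.170 appears
# in the thread; its 65066:42 tag and all other rows are assumptions.
SAMPLE_FEED = [
    ("217.31.80.170/32", [(65066, 42)]),
    ("192.0.2.10/32", [(65066, 666)]),
    ("198.51.100.7/32", [(65055, 666)]),
    ("203.0.113.25/32", [(65055, 42)]),
    ("203.0.113.99/32", []),
]

def classify(communities):
    """Label a route by the second half of its communities (*:666, *:42)."""
    values = {value for _asn, value in communities}
    black, white = BLACKLIST in values, WHITELIST in values
    if black and white:
        return "ambiguous"   # assumption: never act on contradictory tags
    if black:
        return "blacklist"
    if white:
        return "whitelist"
    return "unmarked"

def split_feed(feed):
    """Group prefixes by label so each list can feed a separate consumer."""
    lists = {"blacklist": [], "whitelist": [], "unmarked": [], "ambiguous": []}
    for prefix, communities in feed:
        lists[classify(communities)].append(ipaddress.ip_network(prefix))
    return lists

def recipe_import(feed):
    """Behaviour of the original recipe: every received route is dropped."""
    return [ipaddress.ip_network(prefix) for prefix, _ in feed]

def peer_cut_off(dropped, peer=FEED_PEER):
    """True if a dropped prefix covers the BGP peer (hold timer will expire)."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in dropped)

if __name__ == "__main__":
    print("recipe cuts off peer:", peer_cut_off(recipe_import(SAMPLE_FEED)))
    lists = split_feed(SAMPLE_FEED)
    print("community-aware cuts off peer:", peer_cut_off(lists["blacklist"]))
    for label, nets in lists.items():
        print(label, [str(n) for n in nets])
```

Running `peer_cut_off` against whatever list is about to be enforced is a cheap pre-flight check before reloading a filter.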