2014-04-17 13:20 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:

> 2014-04-17 12:25 GMT+02:00 Gregory Edigarov <ediga...@qarea.com>:
>
>> On 04/17/2014 12:24 PM, Tristan PILAT wrote:
>>
>> 2014-04-15 18:42 GMT+02:00 Laurent Caron (Mobile) <
>>> lca...@unix-scripts.info>
>>> :
>>>
>>> On 14 avril 2014 17:57:53 CEST, Tristan PILAT <tristan.pi...@gmail.com>
>>>> wrote:
>>>>
>>>>> match from any community 64514:888 set nexthop blackhole
>>>>>
>>>>> Hi,
>>>>
>>>> Make sure you don't accept from any but eg from group customers, make
>>>> sure
>>>> the address *does* belong to your customers space (to avoid a customer
>>>> installing a blackhole route on a route you advertise).
>>>> Make sure you do strip 64514:888 from other peers.
>>>> ...
>>>>
>>>> And what about the client side ? Which command should he enter if he
>>>>> wishes
>>>>> to blackhole ip 1.2.3.4 eg
>>>>>
>>>>> Is it something like that ? bgpctl network add 1.2.3.4/32 community
>>>>> 64514:888
>>>>>
>>>> Exactly.
>>>>
>>>> Hi,
>>>>
>>> Thanks for your reply ! I just tested this in my lab and it's working
>>> like
>>> a charm but only if I set "allow from any inet prefixlen 8 - 32" and this
>>> is annoying.
>>>
>>> Is there a way to make this work with "allow from any inet prefixlen 8 -
>>> 24" to accept /32 only for the blackhole ?
>>>
>>> --
>>> Tristan
>>>
>> like this:
>>
>>
>> allow from any inet prefixlen 8 - 24
>> allow from any inet prefixlen 32 community 64514:888
>>
>>
> That goes without saying after all :-) Thanks !
>
> --
> Tristan
>
Another question... Does anyone know if there is a way to do Source-Based Remotely-Triggered Black Hole with OpenBGPd? E.g. if I am attacked by a single IP and I want to blackhole it.
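
The acceptance rules quoted in this thread (blackhole requests from customers only, a /32 that lies inside that customer's own space, 64514:888 stripped from other peers, ordinary routes limited to prefixlen 8 - 24), modelled in Python. This is an added example, not part of the original messages and not OpenBGPD code; the peer names, group names and address ranges are constructed.

```python
import ipaddress

BLACKHOLE = (64514, 888)  # community used in the thread

# Constructed sample data: peer name -> (group, address space assigned to it)
PEERS = {
    "cust-a": ("customers", [ipaddress.ip_network("198.51.100.0/24")]),
    "cust-b": ("customers", [ipaddress.ip_network("203.0.113.0/24")]),
    "transit": ("peers", []),
}


def evaluate(peer, prefix, communities):
    """Return (action, communities) for one received IPv4 announcement.

    action is 'blackhole', 'accept' or 'reject'.
    """
    group, space = PEERS[peer]
    net = ipaddress.ip_network(prefix)
    comms = set(communities)

    # Strip the blackhole community from every peer that is not a customer,
    # so a third party can never trigger the blackhole rule below.
    if group != "customers":
        comms.discard(BLACKHOLE)

    # Blackhole rule: exactly /32, tagged, and inside the sender's own space.
    # A tagged /32 outside that space is refused outright, which stops one
    # customer from blackholing an address that belongs to someone else.
    if net.prefixlen == 32 and BLACKHOLE in comms:
        if any(net.subnet_of(s) for s in space):
            return "blackhole", comms
        return "reject", comms

    # Ordinary rule from the thread: prefixlen 8 - 24, anything else dropped.
    if 8 <= net.prefixlen <= 24:
        return "accept", comms
    return "reject", comms


if __name__ == "__main__":
    for case in [("cust-a", "198.51.100.7/32", [BLACKHOLE]),
                 ("cust-a", "203.0.113.9/32", [BLACKHOLE]),
                 ("transit", "198.51.100.7/32", [BLACKHOLE])]:
        print(case[0], case[1], "->", evaluate(*case)[0])
```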