2014-04-17 15:23 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
> 2014-04-17 13:20 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
>
> > 2014-04-17 12:25 GMT+02:00 Gregory Edigarov <ediga...@qarea.com>:
>>
>>> On 04/17/2014 12:24 PM, Tristan PILAT wrote:
>>>
>>> 2014-04-15 18:42 GMT+02:00 Laurent Caron (Mobile) <lca...@unix-scripts.info>:
>>>>
>>>> On 14 April 2014 17:57:53 CEST, Tristan PILAT <tristan.pi...@gmail.com> wrote:
>>>>>
>>>>>> match from any community 64514:888 set nexthop blackhole
>>>>>>
>>>>>> Hi,
>>>>>
>>>>> Make sure you don't accept from any but eg from group customers, make sure
>>>>> the address *does* belong to your customers space (to avoid a customer
>>>>> installing a blackhole route on a route you advertise).
>>>>> Make sure you do strip 64514:888 from other peers.
>>>>> ...
>>>>>
>>>>>> And what about the client side? Which command should he enter if he wishes
>>>>>> to blackhole ip 1.2.3.4 eg
>>>>>>
>>>>>> Is it something like that? bgpctl network add 1.2.3.4/32 community 64514:888
>>>>>>
>>>>> Exactly.
>>>>>
>>>>> Hi,
>>>>>
>>>> Thanks for your reply! I just tested this in my lab and it's working like
>>>> a charm but only if I set "allow from any inet prefixlen 8 - 32" and this
>>>> is annoying.
>>>>
>>>> Is there a way to make this work with "allow from any inet prefixlen 8 - 24"
>>>> to accept /32 only for the blackhole?
>>>>
>>>> --
>>>> Tristan
>>>>
>>> like this:
>>>
>>> allow from any inet prefixlen 8 - 24
>>> allow from any inet prefixlen 32 community 64514:888
>>>
>> That goes without saying after all :-) Thanks!
>>
>> --
>> Tristan
>>
> Another question... Does anyone know if there is a way to do Source Based
> Remotely-Triggered Black Hole with OpenBGPd? eg If I am attacked by a
> single IP and I want to blackhole it.
I found something to do Source Based Remotely-Triggered Black Hole.

On the provider side, I can set labels like that:

In bgpd.conf -->
match from any community 64514:999 set rtlabel dos

In pf.conf -->
block drop from route dos

On the client side, if we want to blackhole the 4.3.2.1/32 source ip:
bgpctl network add 4.3.2.1/32 community 64514:999

Unfortunately this is not working, I certainly missed something! Please give me hints :-)
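An added example, not from this thread or from OpenBGPD itself, that puts the advice above into one provider-side configuration: Gregory's /32 exception for the blackhole community, Laurent's restriction to a customer group and its own address space with the community stripped towards other peers, and the source-based rtlabel/pf variant next to the destination-based one. AS 64514, the neighbor addresses, the group names and the customer prefix 203.0.113.0/24 are assumptions.

```conf
# bgpd.conf: added example, not from this thread. ASNs, addresses and
# group names are assumptions; 203.0.113.0/24 is the assumed customer space.
AS 64514
router-id 192.0.2.1

group "customers" {
    neighbor 192.0.2.2 {
        remote-as 64515
    }
}
group "upstreams" {
    neighbor 198.51.100.1 {
        remote-as 64516
    }
}

deny from any
deny to any

# Inbound: normal customer routes are 8 to 24 bits long; an upstream's
# routes are accepted too, but only customers can tag anything below.
allow from group customers inet prefixlen 8 - 24
allow from group upstreams inet prefixlen 8 - 24
# A /32 is accepted only with a trigger community. Destination-based: it
# must sit inside the customer's own space, so it cannot blackhole a route
# you advertise for someone else.
allow from group customers prefix 203.0.113.0/24 prefixlen 32 community 64514:888
# Source-based: the /32 is the attacker's address, so it cannot be tied to
# customer space; trust in this community is limited to the customer group.
allow from group customers inet prefixlen 32 community 64514:999

# Act only on a tagged /32: a tagged /24 is neither blackholed nor labelled.
match from group customers inet prefixlen 32 community 64514:888 set nexthop blackhole
match from group customers inet prefixlen 32 community 64514:999 set rtlabel dos

# Outbound: nothing longer than /24 leaves, and the trigger communities are
# stripped so they cannot fire a blackhole at the next AS.
allow to group upstreams inet prefixlen 8 - 24
match to group upstreams community 64514:888 set community delete 64514:888
match to group upstreams community 64514:999 set community delete 64514:999

# pf.conf on the same host: drop packets whose source address is reached via
# a route carrying the label set above.
#   block drop in quick from route dos

# Customer side, one command per case (constructed addresses):
#   bgpctl network add 203.0.113.9/32 community 64514:888
#   bgpctl network add 4.3.2.1/32 community 64514:999
```

After a trigger, `bgpctl show rib community 64514:999` and `route -n show -label dos` (or the equivalent on your release) let you confirm that the /32 was accepted and that the kernel route actually carries the label before looking at pf.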