On Thu, Apr 17, 2014 at 05:17:15PM +0200, Tristan PILAT wrote:
> 2014-04-17 15:23 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
>
> > 2014-04-17 13:20 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
> >
> > > 2014-04-17 12:25 GMT+02:00 Gregory Edigarov <ediga...@qarea.com>:
> >>
> >>> On 04/17/2014 12:24 PM, Tristan PILAT wrote:
> >>>
> >>> 2014-04-15 18:42 GMT+02:00 Laurent Caron (Mobile) <lca...@unix-scripts.info>:
> >>>>
> >>>> On 14 avril 2014 17:57:53 CEST, Tristan PILAT <tristan.pi...@gmail.com> wrote:
> >>>>>
> >>>>>> match from any community 64514:888 set nexthop blackhole
> >>>>>>
> >>>>>> Hi,
> >>>>>
> >>>>> Make sure you don't accept from any but e.g. from group customers, make sure
> >>>>> the address *does* belong to your customers' space (to avoid a customer
> >>>>> installing a blackhole route on a route you advertise).
> >>>>> Make sure you do strip 64514:888 from other peers.
> >>>>> ...
> >>>>>
> >>>>>> And what about the client side? Which command should he enter if he wishes
> >>>>>> to blackhole IP 1.2.3.4, e.g.
> >>>>>>
> >>>>>> Is it something like that? bgpctl network add 1.2.3.4/32 community 64514:888
> >>>>>>
> >>>>> Exactly.
> >>>>>
> >>>> Hi,
> >>>>
> >>>> Thanks for your reply! I just tested this in my lab and it's working like
> >>>> a charm, but only if I set "allow from any inet prefixlen 8 - 32" and this
> >>>> is annoying.
> >>>>
> >>>> Is there a way to make this work with "allow from any inet prefixlen 8 - 24"
> >>>> to accept /32 only for the blackhole?
> >>>>
> >>>> --
> >>>> Tristan
> >>>>
> >>> like this:
> >>>
> >>> allow from any inet prefixlen 8 - 24
> >>> allow from any inet prefixlen 32 community 64514:888
> >>>
> >> That goes without saying after all :-) Thanks!
> >>
> >> --
> >> Tristan
> >>
> > Another question... Anyone knows if there is a way to do Source
> > Based Remotely-Triggered Black Hole with OpenBGPd?
> > e.g. If I am attacked by a single IP and I want to blackhole it.
> >
> I found something to do Source Based Remotely-Triggered Black Hole.
> On the provider side, I can set labels like that:
> In bgpd.conf --> match from any community 64514:999 set rtlabel dos
> In pf.conf --> block drop from route dos
>
> On the client side, if we want to blackhole the 4.3.2.1/32 source IP:
> bgpctl network add 4.3.2.1/32 community 64514:999
>
> Unfortunately this is not working, I certainly missed something! Please give
> me hints :-)

You can't use rtlabels for matching the source, at least I think it does not work.
I would try to use the "set pftable dos" in bgpd and "block quick drop from <dos>" in pf.

--
:wq Claudio
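A provider-side configuration that puts the whole thread together (customer-only group, prefix bound on the destination blackhole, /32 accepted only with the community, trigger communities stripped from and not exported to upstreams, and a pf table instead of an rtlabel for the source-based case), as an added example that is not from any participant in the thread. The ASNs, neighbor addresses, the customer prefix 203.0.113.0/24 and the table name are assumed placeholders.

```conf
# --- /etc/bgpd.conf on the provider router (fragment; values are placeholders) ---
AS 64500

# Customers and upstreams in separate groups, so the trigger
# communities can be honoured from customers only.
group "customers" {
        remote-as 64514
        neighbor 192.0.2.2 { descr "cust-a" }
}
group "transit" {
        remote-as 64496
        neighbor 198.51.100.1 { descr "upstream" }
}

# Filter rules: last matching rule wins.
deny from any                                  # inbound default
allow from group "transit"                     # full table from the upstream
allow from group "customers" inet prefixlen 8 - 24   # customer aggregates only

# Destination-based RTBH: a /32 is accepted only if it carries 64514:888
# AND lies inside the customer's own block, so a customer cannot
# blackhole an address it does not own.
allow from group "customers" prefix 203.0.113.0/24 prefixlen = 32 community 64514:888 set nexthop blackhole

# Source-based RTBH: a /32 tagged 64514:999 is fed into the pf table <dos>
# (rtlabels cannot be matched on the source). The nexthop is blackholed as
# well so the /32 does not pull traffic for that address towards the customer.
allow from group "customers" inet prefixlen = 32 community 64514:999 set { pftable "dos" nexthop blackhole }

# The trigger communities only mean something inside this AS: strip them
# from anything learned upstream and never export the tagged /32s.
match from group "transit" community 64514:888 set community delete 64514:888
match from group "transit" community 64514:999 set community delete 64514:999
deny to group "transit" community 64514:888
deny to group "transit" community 64514:999

# --- /etc/pf.conf on the same router (fragment) ---
# The table has to exist (persist) before bgpd starts, otherwise "set pftable"
# has nothing to add entries to.
table <dos> persist
block drop in quick from <dos>
```

With this in place the customer-side trigger stays as discussed in the thread (bgpctl network add 4.3.2.1/32 community 64514:999), and "pfctl -t dos -T show" on the provider lists the address while the announcement is present.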