On 17 April 2014 19:02:14 CEST, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
>On Thu, Apr 17, 2014 at 05:17:15PM +0200, Tristan PILAT wrote:
>> 2014-04-17 15:23 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
>> 
>> > 2014-04-17 13:20 GMT+02:00 Tristan PILAT <tristan.pi...@gmail.com>:
>> >
>> > 2014-04-17 12:25 GMT+02:00 Gregory Edigarov <ediga...@qarea.com>:
>> >>
>> >>> On 04/17/2014 12:24 PM, Tristan PILAT wrote:
>> >>>
>> >>>  2014-04-15 18:42 GMT+02:00 Laurent Caron (Mobile) <
>> >>>> lca...@unix-scripts.info>
>> >>>> :
>> >>>>
>> >>>>>  On 14 April 2014 17:57:53 CEST, Tristan PILAT <tristan.pi...@gmail.com> wrote:
>> >>>>>
>> >>>>>> match from any community 64514:888 set nexthop blackhole
>> >>>>>>
>> >>>>> Hi,
>> >>>>>
>> >>>>> Make sure you don't accept from any but eg from group customers, make
>> >>>>> sure the address *does* belong to your customers space (to avoid a
>> >>>>> customer installing a blackhole route on a route you advertise).
>> >>>>> Make sure you do strip 64514:888 from other peers.
>> >>>>> ...
>> >>>>>
>> >>>>>> And what about the client side? Which command should he enter if he
>> >>>>>> wishes to blackhole ip 1.2.3.4 eg
>> >>>>>>
>> >>>>>> Is it something like that? bgpctl network add 1.2.3.4/32 community
>> >>>>>> 64514:888
>> >>>>> Exactly.
>> >>>>>
>> >>>> Hi,
>> >>>>
>> >>>> Thanks for your reply! I just tested this in my lab and it's working
>> >>>> like a charm but only if I set "allow from any inet prefixlen 8 - 32"
>> >>>> and this is annoying.
>> >>>>
>> >>>> Is there a way to make this work with "allow from any inet prefixlen 8 -
>> >>>> 24" to accept /32 only for the blackhole?
>> >>>>
>> >>>> --
>> >>>> Tristan
>> >>>>
>> >>> like this:
>> >>>
>> >>>
>> >>> allow from any inet prefixlen 8 - 24
>> >>> allow from any inet prefixlen 32 community 64514:888
>> >>>
>> >>>
>> >> That goes without saying after all :-) Thanks !
>> >>
>> >> --
>> >> Tristan
>> >>
>> >
>> > Another question... Anyone knows if there is a way to do Source
>> > Based Remotely-Triggered Black Hole with OpenBGPd? eg if I am
>> > attacked by a single IP and I want to blackhole it.
>> >
>> 
>> I found something to do Source Based Remotely-Triggered Black Hole.
>> 
>> On the provider side, I can set labels like that:
>> In bgpd.conf --> match from any community 64514:999 set rtlabel dos
>> In pf.conf --> block drop from route dos
>> 
>> On the client side, if we want to blackhole the 4.3.2.1/32 source ip:
>> bgpctl network add 4.3.2.1/32 community 64514:999
>> 
>> Unfortunately this is not working, I certainly missed something! Please give
>> me hints :-)
>
>You can't use rtlabels for matching the source, at least I think it does
>not work.  I would try to use the "set pftable dos" in bgpd and
>"block quick drop from <dos>" in pf.

Ok, I will try this tomorrow, thanks. But if it does not work, how can I set up
a blackhole based on source address as described in RFC 5635 with OpenBSD?
-- 
Tristan
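The pieces discussed across this thread (customer-only acceptance bounded to the customer's own space, the /32 exception for the trigger community, `set nexthop blackhole` for destination-based RTBH, `set pftable` plus a pf rule for the source-based variant instead of rtlabel, and stripping the trigger communities from non-customer peers) pulled together into one provider-side configuration. This is an added, constructed example, not from any poster or from the OpenBGPD project; the AS numbers, neighbor addresses, customer prefix and group names are assumptions, while the communities 64514:888 / 64514:999 and the table name dos are the thread's.

```conf
# --- bgpd.conf (provider side) ---
# Constructed example: ASNs/addresses are placeholders; communities and the "dos" table name are the thread's.
AS 64514
router-id 192.0.2.1
group "customers" {
    neighbor 192.0.2.10 {
        remote-as 64515
        descr "customer-A"
    }
}
group "upstream" {
    neighbor 198.51.100.1 {
        remote-as 64516
        descr "transit"
    }
}
# Filters: the last matching allow/deny wins, so deny everything first.
deny from any
deny to any
# Customers may announce only their own space ...
allow from group "customers" prefix 203.0.113.0/24
# ... plus /32s *inside* that space tagged for destination-based RTBH,
# so a customer cannot blackhole a prefix it does not own
allow from group "customers" prefix 203.0.113.0/24 prefixlen 32 community 64514:888
# ... and /32s tagged for source-based RTBH; attacker addresses are by
# definition outside customer space, so this one cannot be bounded by prefix
allow from group "customers" inet prefixlen 32 community 64514:999

# Upstream routes: accept, but strip the trigger communities so that a
# non-customer peer can never pull either lever.
allow from group "upstream"
match from group "upstream" set community delete 64514:888
match from group "upstream" set community delete 64514:999

# Destination-based RTBH (RFC 5635): traffic *to* the /32 is discarded
match from group "customers" community 64514:888 set nexthop blackhole
# Source-based RTBH: the /32 is pushed into a pf table (pf drops traffic *from* it)
# and is blackholed as well, so it is never installed as a real route via the customer
match from group "customers" community 64514:999 set { nexthop blackhole pftable "dos" }

# Export: customer space goes upstream, the trigger /32s stay local
allow to group "upstream" prefix 203.0.113.0/24
allow to group "customers"
deny to any community 64514:888
deny to any community 64514:999

# --- pf.conf (same box) ---
table <dos> persist
block drop in quick on egress from <dos>
```

After `bgpctl reload` and `pfctl -f /etc/pf.conf`, a customer triggers either behaviour with the `bgpctl network add ... community` commands quoted earlier in the thread, and `pfctl -t dos -T show` lists the sources currently being dropped.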
