North American Network Operators Group


Re: Blackhole Routes

  • From: Bill Stewart
  • Date: Fri Oct 01 03:25:15 2004

On Thu, 30 Sep 2004 10:35:36 -0400, Eric Germann <[email protected]> wrote:
> What I would like to see (and have never researched in depth) is a way to apply
> the blackhole routes on a community to port basis (i.e. we set up a specific
> BGP community to filter mail, and that community goes to a route map that
> kills only port 25, another community applies to a map that kills port 80,

A not particularly scalable method of doing that, which should be OK for small
data flows, is to set up routers port25killer.example.net, port80killer.example.net,
etc., with ACLs that block those ports regardless of address, use BGP or OSPF to
advertise whichever IP address spaces should be routed there, and set up those
machines in whatever sort of firewalling location makes sense.  It's more of an
enterprise solution than an ISP solution, but if you're a small ISP or dealing with
a relatively specific set of problem sites you could probably do it.  You may need
to burn some CPE on GRE tunnels, depending on your topology, but if you're trying to
solve a limited problem like letting your users access Korean web sites while
blocking Korean email, it may work.
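As an added sketch of the arrangement Bill describes, not configuration from the original post or from any list member, here is a Cisco IOS style fragment for one edge router and one "port25killer" box.  Everything concrete in it is assumed for illustration: AS 64496, the communities 64496:25 and 64496:80 as the per-port tags, 192.0.2.25 and 192.0.2.80 as the filter boxes, 192.0.2.1 as an internal route injector, 203.0.113.0/24 as the prefix being protected, and 198.51.100.1 as the customer CPE at the far end of the GRE tunnel.

```cisco
! ===== Edge router, assumed AS 64496 =====
! Routes tagged with a per-port community (assumed values 64496:25 and
! 64496:80) are not discarded; their next hop is rewritten to the box
! that filters that port.  Untagged routes pass through unchanged.
ip bgp-community new-format
ip community-list standard SINK-SMTP permit 64496:25
ip community-list standard SINK-HTTP permit 64496:80
!
route-map PER-PORT-SINK permit 10
 match community SINK-SMTP
 set ip next-hop 192.0.2.25
route-map PER-PORT-SINK permit 20
 match community SINK-HTTP
 set ip next-hop 192.0.2.80
route-map PER-PORT-SINK permit 30
!
router bgp 64496
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description internal route injector (assumed)
 neighbor 192.0.2.1 send-community
 neighbor 192.0.2.1 route-map PER-PORT-SINK in
!
! ===== port25killer.example.net, assumed address 192.0.2.25 =====
! Drop TCP/25 toward anything, let the rest through, and hand the clean
! traffic to the customer over GRE so it does not return to the edge
! router and get steered here a second time.
ip access-list extended KILL-SMTP
 deny   tcp any any eq 25
 permit ip any any
!
interface GigabitEthernet0/0
 description link from edge router (assumed)
 ip address 192.0.2.25 255.255.255.0
 ip access-group KILL-SMTP in
!
interface Tunnel0
 description GRE to customer CPE, 198.51.100.1 assumed
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.25
 tunnel destination 198.51.100.1
!
! The protected prefix (assumed) is reachable from this box only via the tunnel.
ip route 203.0.113.0 255.255.255.0 Tunnel0
```

Two things to check before relying on this: the rewritten next hops (192.0.2.25, 192.0.2.80) must be reachable through the IGP from every router that applies the route-map, and the tunnel destination on the filter box must be an address outside the protected prefix, otherwise the static route over Tunnel0 recurses through itself and the tunnel never comes up.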