North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Blackholing traffic by ASN

  • From: Deepak Jain
  • Date: Wed Jan 30 18:57:44 2008



This is prior art. (Assuming your hardware has a hardware blackhole (or you have a little router sitting on the end of a circuit)) you adjust your route-map that would deny the entry to set a community or next-hop pointing to your blackhole location.

Nowadays, most equipment can blackhole internally (to null0 say) at full speed, so it isn't an issue. Just set your next hop to a good null0 style location on route import and you are done for traffic destined to those locations.

For inbound traffic from those locations you would need to do policy routing (because you are looking up on source). If you are trying to block SPAM or anything TCP related, you only need to block 1 direction to end the conversation.

Sounds harsh, but hey, its your network.

Deepak Jain
AiNET

Justin Shore wrote:

I'm sure all of us have parts of the Internet that we block for one reason or another. I have existing methods for null routing traffic from annoying hosts and subnets on our border routers today (I'm still working on a network blackhole). However I've never tackled the problem by targeting a bad guy's ASN. What's the best option for null routing traffic by ASN? I could always add another deny statement in my inbound eBGP route-maps to match a new as-path ACL for _BAD-ASN_ to keep from accepting their routes to begin with. Are there any other good tricks that I can employ?


I have another question along those same lines. Once I do have my blackhole up and running I can easily funnel hosts or subnets into the blackhole. What about funneling all routes to a particular ASN into the blackhole? Are there any useful tricks here?

The ASN I'm referring to is that of the Russian Business Network. A Google search should turn up plenty of info for those that haven't heard of them.

Thanks
 Justin