North American Network Operators Group


Re: Blackholing traffic by ASN

  • From: Christopher Morrow
  • Date: Thu Jan 31 00:24:04 2008

On Jan 30, 2008 3:54 PM, Deepak Jain <[email protected]> wrote:
>
>
> This is prior art. (Assuming your hardware has a hardware blackhole (or
> you have a little router sitting on the end of a circuit)) you adjust
> your route-map that would deny the entry to set a community or next-hop
> pointing to your blackhole location.
>
> Nowadays, most equipment can blackhole internally (to null0 say) at full
> speed, so it isn't an issue. Just set your next hop to a good null0
> style location on route import and you are done for traffic destined to
> those locations.
>

...do uRPF-loose-mode and you kill FROM these locations as well...

> For inbound traffic from those locations you would need to do policy
> routing (because you are looking up on source). If you are trying to

(uRPF loose-mode)

> block SPAM or anything TCP related, you only need to block 1 direction
> to end the conversation.
>

be cautious of 'synflooding' your internal hosts with this though...
Null0 doesn't generate unreachables at packet-rate, but at a lower
(1:1000 I believe on Cisco by default) rate.

> Sounds harsh, but hey, it's your network.
>

wee! and for some extra fun, just append the bad-guy's ASN to your
route announcements, force bgp loop-detection to kill the traffic on
their end (presuming they don't default-route as well)
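The three mechanisms discussed in this thread (a route-map on import that sends anything carrying the unwanted ASN to a Null0-style next-hop, uRPF loose mode reusing that same FIB entry to drop traffic sourced from those prefixes, and an outbound announcement carrying the remote ASN so that BGP loop detection makes the other side drop it), modelled as an added, self-contained Python example. This is not code from the thread or from any vendor; the ASNs (64512 as "us", 64666 as the bad guy), the documentation-range prefixes, the Adj-RIB-In contents and the simplified AS_PATH construction are all constructed assumptions. The Null0 ICMP-unreachable rate limit Morrow mentions is not modelled.

```python
import ipaddress
from dataclasses import dataclass

NULL0 = "Null0"   # stand-in for the discard interface (Cisco name; assumption)
MY_ASN = 64512    # constructed: our ASN (private range)
BAD_ASN = 64666   # constructed: the ASN we want to blackhole (private range)


@dataclass
class BgpRoute:
    prefix: ipaddress.IPv4Network
    as_path: list      # ints, leftmost = nearest AS
    next_hop: str


# Constructed Adj-RIB-In: two of the three prefixes were learned via the bad ASN.
SAMPLE_UPDATES = [
    BgpRoute(ipaddress.ip_network("198.51.100.0/24"), [64496, BAD_ASN], "192.0.2.1"),
    BgpRoute(ipaddress.ip_network("203.0.113.0/24"), [64496, 64497], "192.0.2.1"),
    BgpRoute(ipaddress.ip_network("192.0.2.128/25"), [BAD_ASN], "192.0.2.9"),
]


def import_policy(route, bad_asn=BAD_ASN):
    """Route-map on import: instead of denying the prefix, keep it but rewrite
    the next-hop to the discard interface (the 'set next hop to a null0 style
    location on route import' idea). The AS_PATH is kept for visibility."""
    if bad_asn in route.as_path:
        return BgpRoute(route.prefix, route.as_path, NULL0)
    return route


def build_fib(updates):
    return [import_policy(r) for r in updates]


def lookup(fib, addr):
    """Longest-prefix match. Returns None when nothing covers the address:
    this FIB deliberately has no default route."""
    addr = ipaddress.ip_address(addr)
    covering = [r for r in fib if addr in r.prefix]
    return max(covering, key=lambda r: r.prefix.prefixlen, default=None)


def forward(fib, src, dst, urpf_loose=False):
    """Forwarding decision for one packet: 'forward' or a drop reason.
    Destination lookup drops traffic TO the blackholed prefixes; uRPF loose
    mode checks only that the SOURCE has some route and that it is not
    via Null0, which drops traffic FROM those same prefixes."""
    if urpf_loose:
        s = lookup(fib, src)
        if s is None or s.next_hop == NULL0:
            return "drop:urpf-loose"
    d = lookup(fib, dst)
    if d is None:
        return "drop:no-route"
    if d.next_hop == NULL0:
        return "drop:null0"
    return "forward"


def poisoned_announcement(prefix, my_asn=MY_ASN, bad_asn=BAD_ASN):
    """Outbound announcement of our own prefix with the bad guy's ASN added
    to AS_PATH (the 'append the bad-guy's ASN' trick). Simplified model:
    our ASN first, then the poisoned ASN; exact placement of a prepend
    differs between implementations (assumption)."""
    return BgpRoute(prefix, [my_asn, bad_asn], "self")


def receiver_accepts(route, receiver_asn):
    """BGP loop detection: an AS rejects any UPDATE whose AS_PATH already
    contains its own ASN (RFC 4271, section 9.1.2)."""
    return receiver_asn not in route.as_path


def bad_as_can_reach(route, receiver_asn, has_default_route):
    """Morrow's caveat: loop detection only helps if the remote AS has no
    default route to fall back on after dropping our announcement."""
    return receiver_accepts(route, receiver_asn) or has_default_route


if __name__ == "__main__":
    fib = build_fib(SAMPLE_UPDATES)
    print(forward(fib, "203.0.113.5", "198.51.100.10"))                  # drop:null0
    print(forward(fib, "198.51.100.10", "203.0.113.5"))                  # forward (no uRPF)
    print(forward(fib, "198.51.100.10", "203.0.113.5", urpf_loose=True)) # drop:urpf-loose
    p = poisoned_announcement(ipaddress.ip_network("192.0.2.0/24"))
    print(p.as_path, receiver_accepts(p, BAD_ASN), bad_as_can_reach(p, BAD_ASN, True))
```

Run as-is to see the three outcomes in order: destination-based blackholing alone stops packets going to the bad ASN's prefixes but lets return traffic in, enabling uRPF loose mode closes that direction too using the same Null0 entries, and the poisoned announcement is rejected by AS 64666 but still accepted by an uninvolved AS, which is what makes the trick work only when the far end has no default.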