It is a technique used to drop bad packets before they get into the network: used for DDOS attack mitigation.
interface Null0no ip unreachables
!When packet is dropped, an Internet Control Message Protocol (ICMP) unreachable message is !sent back to the source. So it is recommended that ICMP unreachable message is disabled.
!
router bgp 65535
neighbor IBGP peer-group
neighbor IBGP remote-as 701
neighbor IBGP send-community
neighbor IBGP update-source Loopback0
neighbor 1.1.1.1 peer-group IBGP
neighbor 2.2.2.2 peer-group IBGP
!
redistribute static route-map STATIC_TO_BGP
!
! A /32 route used as next-hop to “drop” the packets configured on all routers.
!
ip route 192.0.2.1 255.255.255.255 null0
!
! Route-map to signal RTHB information.
!
route-map STATIC_TO_BGP permit 10
match tag 100
set local-preference 200
set origin igp
set community no-export
set ip next-hop 192.0.2.1
!
route-map STATIC_TO_BGP deny 20
When we know that some server, for example 10.10.10.10, under attack, we would put in the blackhole route on the trigger router and propagate to all edge routers which would drop packets at the edge of the network.
!
ip route 10.10.10.10 255.255.255.255 null0 tag 100
Back scatter analysis could be use to trace back the source of the DDOS attack.
Remove the no ip unreachable from the null0 interface on all the edge routers.
Then from the "sinkhole" router:
Add new route-map entry, to propagate self-originated "interesting" routes.
!
route-map STATIC_TO_BGP permit 15
match tag 200
set local-preference 200
set origin igp
set community no-export
!
ip route 20.0.0.0 255.0.0.0 Null0 tag 200
!Network 20.0.0.0/8 is suspected to be the source of the attack. All ICMP unreachable !messages from the edge routers will be diverted to the sinkhole router for analysis.
!
ip access-list extended UNREACHABLES
permit icmp any any unreachable log
permit ip any any
!
interface WAN
ip access-group UNREACHABLES in
If the rate is big, you might not be able to see all logging line. To tune the ACL too log every hit:
ip access-list log-update threshold 1
No comments:
Post a Comment