Errors like "bgp1: Error: Hold timer expired"

Peter Hessler phessler at theapt.org
Thu Jan 5 20:37:10 CET 2017


On 2017 Jan 05 (Thu) at 18:15:00 +0100 (+0100), Ondrej Zajicek wrote:
:On Thu, Jan 05, 2017 at 05:53:40PM +0100, Ondrej Zajicek wrote:
:> On Thu, Jan 05, 2017 at 04:11:25PM +0000, Roger Whittaker wrote:
:> > I'm trying to use bird to help prevent spam as described here:
:> > 
:> > https://debian-administration.org/article/715/Preventing_SPAM_connections_with_bird
:> > 
:> > I understand very little about BGP, so I'm really using that article
:> > as a "recipe", and have used the config file there more or less as is,
:> > except for changing the router id setting and enabling logging (and
:> > I've increased scan time to 600).
:> 
:> The reason for 'Hold timer expired' is funny. The IP address of eu.bgp-spamd.net
:> is also on the blacklist:
:> 
:>   bird> show route 217.31.80.170/32
:>   217.31.80.170/32   blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
:> 
:> Not sure if that is intentional or not.
:
:OK, seems like the route server is sending not just black list entries,
:but also other entries (white list?) mixed in, marked by BGP communities.
:
:So the original article is horribly mistaken.
:
:Blacklisted routes are only ones with (65066, 666) BGP community. So the
:import filter should look more like:
:
:filter route_import {
:    if !( (65066, 666) ~ bgp_community ) then reject;
:
:    dest = RTD_BLACKHOLE;
:    accept;
:}
:

Hi, I'm the author of bgp-spamd.

Yes, only the routes marked with *:666 communities are blacklist entries.
I also include whitelist entries for servers I semi-trust, and those are
marked with *:42 communities.  The service itself uses 65066 as the AS
number, and the upstream servers use their own ASNs.

As a side note, it's strongly discouraged to nullroute hosts that
are blacklisted.  As noticed, this prevents all communication with the
IPs, including sending "451 you are a spammer" responses in the SMTP
transaction.

I've sent a note to the author of that page, and I added notes about
these two issues to the website, http://bgp-spamd.net/client/index.html


-- 
A formal parsing algorithm should not always be used.
		-- D. Gries
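
The community scheme described in this message (*:666 for blacklist entries, *:42 for whitelist entries, any ASN) can be checked outside the router before anything acts on the feed. The following is an added example, not code from the post or from bgp-spamd. It sorts routes by community and sets aside any blacklist entry that covers the BGP peer itself. The function names, the whitelist-wins rule and the sample routes are assumptions made for illustration.

```python
import ipaddress

# Community values taken from the post: *:666 = blacklist, *:42 = whitelist.
BLACKLIST_VALUE = 666
WHITELIST_VALUE = 42

def classify(communities):
    """Classify one route by its (asn, value) BGP communities, any ASN."""
    values = {value for _asn, value in communities}
    if WHITELIST_VALUE in values:
        return "whitelist"   # assumption: whitelist wins if both tags appear
    if BLACKLIST_VALUE in values:
        return "blacklist"
    return "ignore"          # untagged routes are not list entries at all

def build_lists(routes, peer_addr):
    """Split routes into lists; never blacklist a prefix covering the BGP peer."""
    peer = ipaddress.ip_address(peer_addr)
    out = {"blacklist": [], "whitelist": [], "peer_conflict": []}
    for prefix, communities in routes:
        net = ipaddress.ip_network(prefix)
        kind = classify(communities)
        if kind == "ignore":
            continue
        if kind == "blacklist" and peer in net:
            # Acting on this entry would cut the session that delivers the
            # feed, the "Hold timer expired" failure discussed in the thread.
            kind = "peer_conflict"
        out[kind].append(str(net))
    return out

# Constructed sample data (documentation address ranges, not real feed entries).
SAMPLE_PEER = "203.0.113.10"
SAMPLE_ROUTES = [
    ("192.0.2.15/32", [(65066, 666)]),
    ("198.51.100.7/32", [(65055, 42)]),
    ("203.0.113.10/32", [(65066, 666)]),
    ("192.0.2.99/32", []),
    ("198.51.100.8/32", [(65055, 666), (65066, 42)]),
]

if __name__ == "__main__":
    for name, nets in build_lists(SAMPLE_ROUTES, SAMPLE_PEER).items():
        print(name, nets)
```

The resulting lists are meant for the mail server to act on during the SMTP transaction, not for null routes, in line with the advice above.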


More information about the Bird-users mailing list