Bird blackhole, example config

Tim Weippert weiti at weiti.org
Mon May 1 17:17:35 CEST 2017


Hi,

On Mon, May 01, 2017 at 11:01:07AM +0200, Krzysztof Puchała wrote:
> >> On Apr 30, 2017, at 8:47 AM, Krzysztof Puchała TriplmeMedia <kpuchala at triplemedia.org> wrote:
[ ... ] 
> 
> Thank you for your answer, almost everything is working.
> 
> I have another question, my ddos attack detection system has a BGP
> session with BIRD and if it detects an attack it sends an IP address as
> prefix /32.
> How can I make such a prefix automatically be added to the blackhole?

Maybe the easiest approach is to let your ddos detection system add a
community flag to the announcement and then trigger the "blackhole"
according to the presence of the community on this prefix.

you can check a community (extended community in the example) with
something like:

# match routes tagged with the extended community RT 65000:12345
if ( bgp_ext_community ~ [ (rt, 65000, 12345) ] ) then {
 # do something with the prefix
}

or community settings (non extended):

# match routes tagged with the standard community 65000:123
if ( bgp_community ~ [ (65000, 123) ] ) then {
 # do something with the prefix
}

Additionally you can do something with the prefixes learned in the import
filter on the peering with the ddos system. If this system only announces
prefixes which should be blackholed, you can do this only in the bgp
import filter.

HTH, 
tim

-- 
Tim Weippert
http://weiti.org - weiti at weiti.org
GPG Fingerprint - E704 7303 6FF0 8393 ADB1  398E 67F2 94AE 5995 7DD8
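The following is an added example that is not part of Tim's reply or of the BIRD project: a BIRD 1.6-style configuration that puts both ideas from the mail together, an import filter on the session with the detection system that accepts only /32 host routes carrying an agreed community and installs them as blackhole routes, plus a kernel protocol that exports only those blackholes. The router id, peer address, ASNs, the community value 65000:666 and the OWN_SPACE prefix set are constructed placeholders (documentation prefixes and private ASNs), not values from the thread; the well-known BLACKHOLE community 65535:666 from RFC 7999 could be used in place of the private one where peers support it.

```bird
# Added example (not from the original thread or the BIRD project):
# blackhole /32 routes learned from a DDoS detection peer when they
# carry an agreed community. All addresses, ASNs and community values
# below are constructed placeholders.

router id 203.0.113.1;                       # constructed

protocol device { }

define MY_AS = 65000;                        # constructed
define DETECTOR_AS = 65010;                  # constructed
define BLACKHOLE_COMMUNITY = (65000, 666);   # agreed with the detection system

# Only hosts inside address space you actually own may be blackholed
# (constructed documentation prefixes here); anything else is rejected,
# so a misbehaving detector cannot drop traffic for foreign networks.
define OWN_SPACE = [ 198.51.100.0/24+, 203.0.113.0/24+ ];

filter blackhole_from_detector
{
    # Host routes only: never let the detector blackhole a whole subnet.
    if net.len != 32 then {
        print "rejecting ", net, ": not a /32";
        reject;
    }
    if ! (net ~ OWN_SPACE) then {
        print "rejecting ", net, ": outside own address space";
        reject;
    }
    # Require the agreed community, then turn the route into a blackhole.
    if (BLACKHOLE_COMMUNITY ~ bgp_community) then {
        dest = RTD_BLACKHOLE;
        accept;
    }
    print "rejecting ", net, ": blackhole community missing";
    reject;
}

protocol bgp ddos_detector {
    local as MY_AS;
    neighbor 192.0.2.10 as DETECTOR_AS;      # constructed peer address
    import filter blackhole_from_detector;
    export none;                             # never feed our table back to the detector
}

# Install the resulting blackhole routes in the kernel so traffic to the
# attacked host is dropped locally; nothing else from BIRD is exported here.
protocol kernel {
    scan time 10;
    export where dest = RTD_BLACKHOLE;
}
```

With this in place, a /32 from the detector without the community, or one outside OWN_SPACE, is logged and dropped at import time, so it never reaches the routing table; `birdc show route filter blackhole_from_detector` or `birdc show route where dest = RTD_BLACKHOLE` can be used to check what was actually installed.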


More information about the Bird-users mailing list