<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /></head><body style='font-size: 10pt; font-family: Verdana,Geneva,sans-serif'>
<div class="pre" style="margin: 0; padding: 0; font-family: monospace">
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">
<blockquote type="cite" style="padding: 0 0.4em; border-left: #1010ff 2px solid; margin: 0">On Apr 30, 2017, at 8:47 AM, Krzysztof PuchaĆa TriplmeMedia <kpuchala at triplemedia.org> wrote:<br /> <br /> Hi, You once added an example of a blackhole configuration in the birde on the mailing list:<br /> <span style="white-space: nowrap;"><a href="http://bird.network.cz/pipermail/bird-users/2012-March/007671.html">http://bird.network.cz/pipermail/bird-users/2012-March/007671.html</a></span><br /> I'm trying to implement this in my setup and when I'm overloading the configuration I have an error<br /> <span style="white-space: nowrap;">bird> configure check</span><br /> <span style="white-space: nowrap;">Reading configuration from /etc/bird/bird.conf</span><br /> <span style="white-space: nowrap;">/etc/bird/bird.conf, line 49: syntax error</span><br /> <br /> <span style="white-space: nowrap;">49 lines of code:</span><br /> <span style="white-space: nowrap;">protocol kernel blackhole {</span><br /> <br /> <span style="white-space: nowrap;">Maybe you have an idea why it does not work?</span><br /> <span style="white-space: nowrap;">thanks in advance for your answer.</span><br /> </blockquote>
<span style="white-space: nowrap;">Hi, I'm replying to list for relevant benefit/discussion.</span><br /> <br /> Wow, my example config is over 5 years old now...something probably changed in syntax requirements over the years, as this is what >we currently have in place (note that a pipe isn't used, as we now leverage "ip rule" to separately include the blacklist table):<br /> <br /> <span style="white-space: nowrap;">table blackholes;</span><br /> <span style="white-space: nowrap;">...</span><br /> <span style="white-space: nowrap;">protocol kernel kblackholes {</span><br /> <span style="white-space: nowrap;"> table blackholes;</span><br /> <span style="white-space: nowrap;"> kernel table 10;</span><br /> <span style="white-space: nowrap;"> scan time 10;</span><br /> <span style="white-space: nowrap;"> learn;</span><br /> <span style="white-space: nowrap;"> import all;</span><br /> <span style="white-space: nowrap;"> export all;</span><br /> <span style="white-space: nowrap;">}</span><br /> <span style="white-space: nowrap;">...</span><br /> <span style="white-space: nowrap;">filter bgp_out_upstream {</span><br /> <span style="white-space: nowrap;"> if (proto = "kblackholes" ) then</span><br /> <span style="white-space: nowrap;"> {</span><br /> <span style="white-space: nowrap;"> if net.len = 32 then {</span><br /> bgp_community.add((64665,666)); # Replace 64665,666 with your upstream's community designation...if needed, otherwise >delete this line<br /> <span style="white-space: nowrap;"> printn "Blackhole nulling ";</span><br /> <span style="white-space: nowrap;"> print net;</span><br /> <span style="white-space: nowrap;"> accept;</span><br /> <span style="white-space: nowrap;"> }</span><br /> <span style="white-space: nowrap;"> }</span><br /> if net ~ [192.168.0.0/16] then accept; ...replace this with your own netblocks, one netblock per entry<br /> <span style="white-space: nowrap;"> reject;</span><br /> <span style="white-space: nowrap;">}</span><br /> <span style="white-space: nowrap;">...</span><br /> <span style="white-space: nowrap;">protocol bgp upstream {</span><br /> <span style="white-space: nowrap;">...</span><br /> <span style="white-space: nowrap;"> export filter bgp_out_upstream;</span><br /> <span style="white-space: nowrap;">...</span><br /> <span style="white-space: nowrap;">}</span><br /> <br /> <span style="white-space: nowrap;">HTH,</span><br /> <span style="white-space: nowrap;">Gregg Berkholtz</span><br /> <span style="white-space: nowrap;">Datacenter consulting, hosting & support since 1995</span><br /> <span style="white-space: nowrap;"> <a href="http://www.tocici.com">www.tocici.com</a> | 503-488-5461 | AS14613</span></blockquote>
<br /> <span style="white-space: nowrap;">Thank you for your answer, almost everything is working.</span><br /> <br /> I have another question, my ddos attack detection system has a BGP session with BIRD and if it detects an attack it sends an IP address as prefix / 32.<br /> <span style="white-space: nowrap;">How can I make such a prefix automatically add to the blackhole?</span></div>
</body></html>