Hi,

On Mon, May 01, 2017 at 11:01:07AM +0200, Krzysztof Puchała wrote:
On Apr 30, 2017, at 8:47 AM, Krzysztof Puchała TriplmeMedia <kpuchala at triplemedia.org> wrote: [ ... ]
Thank you for your answer, almost everything is working.
I have another question, my ddos attack detection system has a BGP session with BIRD and if it detects an attack it sends an IP address as prefix /32. How can I make such a prefix automatically add to the blackhole?
Maybe the easiest approach is to let your ddos detection system add a community flag to the announcement and then trigger the "blackhole" according to the precedence of the community setting on this prefix.

You can check a community (extended community in the example) with something like:

    if ( bgp_ext_community ~ [ (rt, 65000, 12345) ] ) then {
        # do something with the prefix
    }

or community settings (non extended):

    if ( bgp_community ~ [ (65000, 123) ] ) then {
        # do something with the prefix
    }

Additionally you can do something with the prefixes learned in the import filter on the peering with the ddos system. If this system only announces prefixes which should be blackholed, you can do this only in the bgp import filter.

HTH,
tim

--
Tim Weippert
http://weiti.org - weiti@weiti.org
GPG Fingerprint - E704 7303 6FF0 8393 ADB1 398E 67F2 94AE 5995 7DD8
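The import-filter approach Tim describes, written out as a complete BIRD 1.6-style configuration fragment. This is an added example, not code from the thread or from the BIRD project; the protocol name "ddos_detector", the neighbour address 192.0.2.10, the AS number 65000, the community (65000, 123) and the OWN_PREFIXES set are assumed values chosen for illustration. It goes a step beyond the thread by only accepting host routes that fall inside the operator's own address space, so a misbehaving detector cannot blackhole arbitrary destinations.

```bird
# Added example (not from the original thread). Assumed names and values:
# protocol "ddos_detector", peer 192.0.2.10, AS 65000, community (65000, 123),
# and OWN_PREFIXES as the address space this router is allowed to blackhole.

define OWN_PREFIXES = [ 203.0.113.0/24+ ];   # "+" = this prefix and all more-specifics

filter ddos_import
{
    # Accept only /32 host routes that carry the agreed blackhole community
    # and that lie inside our own address space; reject everything else the
    # detector might announce, so it can never inject a normal route.
    if net.len = 32 && net ~ OWN_PREFIXES && bgp_community ~ [ (65000, 123) ] then {
        dest = RTD_BLACKHOLE;     # turn the route into a blackhole (drop) route
        bgp_local_pref = 1000;    # prefer it over any normal path to that host
        accept;
    }
    reject;
}

# iBGP session with the detection system; nothing is exported back to it.
protocol bgp ddos_detector {
    local as 65000;
    neighbor 192.0.2.10 as 65000;
    import filter ddos_import;
    export none;
}

# Install only the blackhole routes into the kernel routing table, so the
# host under attack is dropped locally by the forwarding plane.
protocol kernel {
    import none;
    export where dest = RTD_BLACKHOLE;
}
```

After loading the configuration, `birdc show route where dest = RTD_BLACKHOLE` lists the hosts currently being dropped, and `birdc show route protocol ddos_detector` shows what the detector announced, including routes the filter rejected if `show route filtered` is enabled. If the blackhole should also be propagated to upstream peers, the same community match can be reused in their export filters, or the well-known BLACKHOLE community (65535, 666) from RFC 7999 can be attached there; keep the `net ~ OWN_PREFIXES` check in place so the upstream announcement is limited to prefixes you actually originate.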