Hello, We have been experiencing heavy DDoS attacks, and one of the mitigation techniques we've used is to peer with Team Cyrmu's UTRS bgp server[0] in order to announce /32s to null route. We also connect with one of our tranist provider's null route services, and our internet exchange's null route service to push these out when they happen. We were contacted by the UTRS folks because it seems like we are sending 'withdrawl' messages for networks that we do not control that are larger than /32, and EOR announcements. For example, from their logs: 2020-10-20T00:19:21+00:00 xp07-as19 UTRS[6681]: receive-routes: update: withdrawal|16652|198.252.153.1|88.16.0.0/16 Our ASN is 16652, and that 198.252.153 address is ours, but that /16 is not ours. I suspect we might be sending withdrawls for every route in our table. It also appears we are sending "eor" advertisements: 2020-10-21T01:01:29+00:00 xp07-as19 UTRS[6681]: receive-routes: update: announcement|16652|198.252.153.1|eor It seems that neither of these are desired by them, and I'm at a loss as to what I can do to make them stop. My bird configuration looks like this, I would greatly appreciate any help in improving this, we cannot afford to lose our UTRS peer, and I'd like to keep us from polluting our friendly neighborhood logs! define LOOPBACKADDR = 198.252.153.1; protocol kernel { learn; # Learn all alien routes from the kernel preference 10000; scan time 15; # Scan kernel routing table every 20 seconds import all; # Default is import all export where ! our_network(); # set preferred source address of routes, # otherwise connections initiated by router might have the transfernet as source address. export filter { krt_prefsrc = LOOPBACKADDR; accept; }; } protocol device { scan time 15; # Scan interfaces every 10 seconds } protocol static static_bgp { import all; preference 10000; include "static_bgp.conf"; } protocol static static_nullroute { import filter static_nullroutes; include "static_nullroutes.conf"; # example: route xxx.xxx.xxx.xxx/32 blackhole; } define OURNETS = [ xxx+ ]; define PEER1 = [ xxx ]; define PEER_ASNS = [ xxx]; function martians() { return net ~ [ 169.254.0.0/16+, 192.168.0.0/16+, 10.0.0.0/8+, 172.16.0.0/12+, 172.24.0.0/13+, 172.25.0.0/16+, 172.26.0.0/16+, 172.27.0.0/16+, 172.28.0.0/16+, 172.29.0.0/16+, 172.30.0.0/16+, 172.31.0.0/16+, 224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 127.0.0.0/8+ ]; filter static_nullroutes { if proto = "static_nullroute" then { bgp_community = -empty-; bgp_community.add((ASN,666)); accept; } } function our_network() { return net ~ OURNETS; } function rt_export() { if proto = "static_bgp" then return true; if proto = "static_nullroute" then return true; if source != RTS_BGP then return false; if martians() then return false; if bgp_path.len > 64 then return false; return bgp_path.first ~ PEER_ASNS; } function rt_export_all() { if proto = "static_links" then return false; if proto = "static_bgp" then return true; if proto = "static_nullroute" then return true; if source != RTS_BGP then return false; if martians() then return false; if bgp_path.len > 64 then return false; return true; } # for outgoing BGP we do not want to announce anything but our own nets filter bgp_out { # SIX nullrouting: https://www.seattleix.net/blackholing if (ASN,666) ~ bgp_community && net.len = 32 && our_network() then { bgp_community = -empty-; bgp_community.add((65535,666)); } # only allow our networks that are statically configured to be announced if ! rt_export() then { reject; } accept; } filter sink { reject; } # anything that is announced via the UTRS peer that has the community 64496:0 set # and is a /32 is null-routed filter bgp_in_utrs_bl { if (64496,0) ~ bgp_community && net.len = 32 then { dest = RTD_BLACKHOLE; accept; } else reject; } filter bgp_out_utrs_bl { if (ASN,666) ~ bgp_community && net.len = 32 && our_network() then { bgp_community = -empty-; bgp_community.add((ASN,0)); accept; } else reject; } filter bgp_nullroute { if (ASN,666) ~ bgp_community && net.len = 32 && our_network() then { accept; } else reject; } -- micah 0. https://team-cymru.com/community-services/utrs/getting-started/