I'm trying to use bird to help prevent spam as described here:

https://debian-administration.org/article/715/Preventing_SPAM_connections_wi...

I understand very little about BGP, so I'm really using that article as a "recipe", and have used the config file there more or less as is, except for changing the router id setting and enabling logging (and I've increased scan time to 600).

First question: is trying to use bird in this way in any case a sensible thing to do?

If so: second question - I'm seeing the following behaviour:

2017-01-05 15:24:21 <INFO> Started
2017-01-05 15:24:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2
2017-01-05 15:27:59 <RMT> bgp1: Error: Hold timer expired
2017-01-05 15:34:01 <RMT> bgp1: Error: Hold timer expired
2017-01-05 15:34:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2
2017-01-05 15:40:11 <RMT> bgp1: Error: Hold timer expired
2017-01-05 15:44:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2
2017-01-05 15:46:16 <RMT> bgp1: Error: Hold timer expired
2017-01-05 15:52:20 <RMT> bgp1: Error: Hold timer expired
2017-01-05 15:54:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2
2017-01-05 15:58:35 <RMT> bgp1: Error: Hold timer expired

I can't find much reference to these errors in the mailing list archives. But it seems that when the "Hold timer expired" errors happen, the blackhole entries in the routing table disappear for a while.

It would be great if someone could comment on this.

Roger

--
========================
Roger Whittaker
roger@disruptive.org.uk
========================
On Thu, Jan 05, 2017 at 04:11:25PM +0000, Roger Whittaker wrote:
> I'm trying to use bird to help prevent spam as described here:
>
> https://debian-administration.org/article/715/Preventing_SPAM_connections_wi...
>
> I understand very little about BGP, so I'm really using that article as a "recipe", and have used the config file there more or less as is, except for changing the router id setting and enabling logging (and I've increased scan time to 600).

First, the config from the recipe is missing an important part, the device protocol section:

protocol device { }

That is responsible for these messages:

2017-01-05 15:24:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2

> First question: is trying to use bird in this way in any case a sensible thing to do?

Well, BIRD is a good tool for this task. The real question is whether using a public blacklist for hard SMTP blocking is a reasonable approach to fight spam. At least, it would be a good idea to add some filters, e.g. to ensure that all prefix lengths are /32 and that IP ranges are not part of your infrastructure. Also, I would suggest using a separate routing table for that and then ensuring by netfilter and ip rules that it is applied just to SMTP traffic.

> If so: second question - I'm seeing the following behaviour:
>
> 2017-01-05 15:24:21 <INFO> Started
> 2017-01-05 15:24:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2
> 2017-01-05 15:27:59 <RMT> bgp1: Error: Hold timer expired

The reason for 'Hold timer expired' is funny. The IP address of eu.bgp-spamd.net is also on the blacklist:

bird> show route 217.31.80.170/32
217.31.80.170/32 blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]

Not sure if that is intentional or not.

By exporting that route to the kernel, you cut yourself off from the BGP neighbor and the session fails. After that, blackhole routes are removed and the session may be reestablished.

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On Thu, Jan 05, 2017 at 05:53:40PM +0100, Ondrej Zajicek wrote:
> On Thu, Jan 05, 2017 at 04:11:25PM +0000, Roger Whittaker wrote:
> > I'm trying to use bird to help prevent spam as described here:
> >
> > https://debian-administration.org/article/715/Preventing_SPAM_connections_wi...
> >
> > I understand very little about BGP, so I'm really using that article as a "recipe", and have used the config file there more or less as is, except for changing the router id setting and enabling logging (and I've increased scan time to 600).
>
> The reason for 'Hold timer expired' is funny. The IP address of eu.bgp-spamd.net is also on the blacklist:
>
> bird> show route 217.31.80.170/32
> 217.31.80.170/32 blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
>
> Not sure if that is intentional or not.

OK, seems like the route server is sending not just black list entries, but also other entries (white list?) mixed in, marked by BGP communities.

So the original article is horribly mistaken.

Blacklisted routes are only ones with (65066, 666) BGP community. So the import filter should look more like:

filter route_import {
  if !( (65066, 666) ~ bgp_community ) then reject;

  dest = RTD_BLACKHOLE;
  accept;
}

--
Elen sila lumenn' omentielvo
Ondrej 'Santiago' Zajicek (email: santiago@crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
On Thu, Jan 05, 2017 at 06:15:00PM +0100, Ondrej Zajicek wrote:
> On Thu, Jan 05, 2017 at 05:53:40PM +0100, Ondrej Zajicek wrote:
> > On Thu, Jan 05, 2017 at 04:11:25PM +0000, Roger Whittaker wrote:
> > > I'm trying to use bird to help prevent spam as described here:
> > >
> > > https://debian-administration.org/article/715/Preventing_SPAM_connections_wi...
> > >
> > > I understand very little about BGP, so I'm really using that article as a "recipe", and have used the config file there more or less as is, except for changing the router id setting and enabling logging (and I've increased scan time to 600).
> >
> > The reason for 'Hold timer expired' is funny. The IP address of eu.bgp-spamd.net is also on the blacklist:
> >
> > bird> show route 217.31.80.170/32
> > 217.31.80.170/32 blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
> >
> > Not sure if that is intentional or not.
>
> OK, seems like the route server is sending not just black list entries, but also other entries (white list?) mixed in, marked by BGP communities.
>
> So the original article is horribly mistaken.
>
> Blacklisted routes are only ones with (65066, 666) BGP community. So the import filter should look more like:
>
> filter route_import {
>   if !( (65066, 666) ~ bgp_community ) then reject;
>
>   dest = RTD_BLACKHOLE;
>   accept;
> }

Thanks very much for this - I can now at least get started with this idea and see how it goes.

--
========================
Roger Whittaker
roger@disruptive.org.uk
========================
On 2017 Jan 05 (Thu) at 18:15:00 +0100 (+0100), Ondrej Zajicek wrote:
:On Thu, Jan 05, 2017 at 05:53:40PM +0100, Ondrej Zajicek wrote:
:> On Thu, Jan 05, 2017 at 04:11:25PM +0000, Roger Whittaker wrote:
:> > I'm trying to use bird to help prevent spam as described here:
:> >
:> > https://debian-administration.org/article/715/Preventing_SPAM_connections_wi...
:> >
:> > I understand very little about BGP, so I'm really using that article
:> > as a "recipe", and have used the config file there more or less as is,
:> > except for changing the router id setting and enabling logging (and
:> > I've increased scan time to 600).
:>
:> The reason for 'Hold timer expired' is funny. The IP address of eu.bgp-spamd.net
:> is also on the blacklist:
:>
:> bird> show route 217.31.80.170/32
:> 217.31.80.170/32 blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
:>
:> Not sure if that is intentional or not.
:
:OK, seems like the route server is sending not just black list entries,
:but also other entries (white list?) mixed in, marked by BGP communities.
:
:So the original article is horribly mistaken.
:
:Blacklisted routes are only ones with (65066, 666) BGP community. So the
:import filter should look more like:
:
:filter route_import {
:  if !( (65066, 666) ~ bgp_community ) then reject;
:
:  dest = RTD_BLACKHOLE;
:  accept;
:}
:

Hi, I'm the author of bgp-spamd.

Yes, only the routes marked with *:666 communities are blacklist entries. I also include whitelist entries for servers I semi-trust, and those are marked with *:42 communities. The service itself uses 65066 as the AS number, and the upstream servers use their own ASNs.

As a side note, it's strongly discouraged from nullrouting hosts that are blacklisted. As noticed, this prevents all communication with the IPs, including sending "451 you are a spammer" responses in the SMTP transaction.

I've sent a note to the author of that page, and I added notes about these two issues to the website, http://bgp-spamd.net/client/index.html

--
A formal parsing algorithm should not always be used.
		-- D. Gries
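Pulling the thread's corrections together, the following is an added example BIRD 1.x configuration; it is not from the thread, the debian-administration article or the bgp-spamd project. It adds the missing device protocol (the cause of the "unknown ifindex" messages), imports only routes carrying the 65066:666 blacklist community so the whitelist (*:42) entries and the route server's own address are never blackholed, applies the /32 and own-infrastructure checks Ondrej suggested, and keeps the blackholes in a separate table so they can be applied to SMTP traffic only. The peer address 217.31.80.170 and peer AS 65066 are taken from the messages above; the local AS 65001, router id 192.0.2.1, kernel table number 100 and the infrastructure ranges 192.0.2.0/24 and 198.51.100.0/24 are placeholders to replace with your own values.

```bird
# Added example configuration (not the thread's or the bgp-spamd project's).
# Placeholders: local AS 65001, router id 192.0.2.1, kernel table 100,
# own ranges 192.0.2.0/24 and 198.51.100.0/24.

log syslog all;
router id 192.0.2.1;

# Blackhole routes live in their own table, never in the main table, so
# only traffic that an ip rule steers into kernel table 100 is affected.
table spamd;

# Without the device protocol BIRD never learns interface indexes, which
# is what produces "KRT: Received route 0.0.0.0/0 with unknown ifindex".
protocol device {
  scan time 10;
}

filter route_import {
  # Only routes tagged 65066:666 are blacklist entries; the whitelist
  # (*:42) entries and anything else mixed into the feed are rejected.
  if !( (65066, 666) ~ bgp_community ) then reject;

  # Blackhole single hosts only; a shorter prefix would take out a whole network.
  if net.len != 32 then reject;

  # Never blackhole our own address space (placeholder ranges; the trailing
  # '+' matches the prefix and every more specific prefix inside it).
  if net ~ [ 192.0.2.0/24+, 198.51.100.0/24+ ] then reject;

  # Never blackhole the route server itself: exporting that route to the
  # kernel is what tore the session down ("Hold timer expired").
  if net ~ [ 217.31.80.170/32 ] then reject;

  dest = RTD_BLACKHOLE;
  accept;
}

protocol bgp bgp1 {
  table spamd;
  local as 65001;                     # placeholder
  neighbor 217.31.80.170 as 65066;    # eu.bgp-spamd.net; AS as stated by its author
  multihop;                           # the peer is not on a directly attached link
  import filter route_import;
  export none;                        # we announce nothing to the route server
}

# Push the spamd table into kernel table 100 only; the main kernel table
# and the default route stay untouched.
protocol kernel {
  table spamd;
  kernel table 100;
  scan time 600;
  import none;
  export all;
}
```

The netfilter and ip rule part lives outside BIRD: a mangle rule that marks the MTA's own replies, for example `iptables -t mangle -A OUTPUT -p tcp --sport 25 -j MARK --set-mark 25`, together with `ip rule add fwmark 25 lookup 100`, makes only port-25 traffic consult the blackhole table, so SSH, DNS and the BGP session itself keep using the main table. Note that this narrows the blast radius but does not address Peter's objection: a blackholed peer still gets no TCP handshake and therefore no "451" response, so if that matters the list is better consumed by the MTA than by the kernel.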
participants (3)
- Ondrej Zajicek
- Peter Hessler
- Roger Whittaker