RE: Bird blackhole, example config
On Apr 30, 2017, at 8:47 AM, Krzysztof Puchała TriplmeMedia <kpuchala at triplemedia.org> wrote:
Hi,

You once added an example of a blackhole configuration in BIRD on the mailing list:
http://bird.network.cz/pipermail/bird-users/2012-March/007671.html

I'm trying to implement this in my setup and when I'm overloading the configuration I have an error:

bird> configure check
Reading configuration from /etc/bird/bird.conf
/etc/bird/bird.conf, line 49: syntax error

line 49: protocol kernel blackhole {

Maybe you have an idea why it does not work? Thanks in advance for your answer.

Hi, I'm replying to the list for relevant benefit/discussion.
Wow, my example config is over 5 years old now... something probably changed in syntax requirements over the years, as this is what we currently have in place (note that a pipe isn't used, as we now leverage "ip rule" to separately include the blacklist table):
table blackholes;
...
protocol kernel kblackholes {
    table blackholes;
    kernel table 10;
    scan time 10;
    learn;
    import all;
    export all;
}
...
filter bgp_out_upstream {
    if (proto = "kblackholes") then {
        if net.len = 32 then {
            # Replace 64665,666 with your upstream's community designation
            # if needed, otherwise delete this line
            bgp_community.add((64665,666));
            printn "Blackhole nulling ";
            print net;
            accept;
        }
    }
    # Replace this with your own netblocks, one netblock per entry
    if net ~ [192.168.0.0/16] then accept;
    reject;
}
...
protocol bgp upstream {
    ...
    export filter bgp_out_upstream;
    ...
}
HTH,
Gregg Berkholtz
Datacenter consulting, hosting & support since 1995
www.tocici.com [1] | 503-488-5461 | AS14613

Links:
------
[1] http://www.tocici.com

Thank you for your answer, almost everything is working.

I have another question: my DDoS attack detection system has a BGP session with BIRD and if it detects an attack it sends an IP address as a /32 prefix. How can I make such a prefix automatically add to the blackhole?
Hi,

On Mon, May 01, 2017 at 11:01:07AM +0200, Krzysztof Puchała wrote:
On Apr 30, 2017, at 8:47 AM, Krzysztof Puchała TriplmeMedia <kpuchala at triplemedia.org> wrote: [ ... ]
Thank you for your answer, almost everything is working.
I have another question: my DDoS attack detection system has a BGP session with BIRD and if it detects an attack it sends an IP address as a /32 prefix. How can I make such a prefix automatically add to the blackhole?
Maybe the easiest approach is to let your DDoS detection system add a community flag to the announcement and then trigger the "blackhole" according to the presence of the community setting on this prefix.

You can check a community (extended community in the example) with something like:

if ( bgp_ext_community ~ [ (rt, 65000, 12345) ] ) then {
    # do something with the prefix
}

or community settings (non extended):

if ( bgp_community ~ [ (65000, 123) ] ) then {
    # do something with the prefix
}

Additionally, you can do something with the prefixes learned in the import filter on the peering with the DDoS system. If this system only announces prefixes which should be blackholed, you can do this only in the BGP import filter.

HTH,
tim

--
Tim Weippert
http://weiti.org - weiti@weiti.org
GPG Fingerprint - E704 7303 6FF0 8393 ADB1 398E 67F2 94AE 5995 7DD8
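Putting Gregg's kernel-table layout together with Tim's community check, here is an added BIRD 1.x example (not config from either poster) in which only tagged /32s from the detection peer are accepted, installed locally as blackhole routes, and re-exported to the upstream with its blackhole community. Assumed values: local AS 64512, detector at 192.0.2.10 (iBGP), upstream 203.0.113.1 in AS 64513, internal tag (65000,666), upstream community (64665,666) as in Gregg's config.

```bird
# Added example, not config from the thread. Assumed: local AS 64512, detector
# 192.0.2.10 (iBGP), upstream 203.0.113.1 AS 64513, internal tag (65000,666),
# upstream blackhole community (64665,666); router id/device omitted.
table blackholes;

# Accepted host routes land in kernel table 10 as blackhole routes
# (consult it with "ip rule ... lookup 10", as Gregg's setup does).
protocol kernel kblackholes {
    table blackholes;
    kernel table 10;
    import none;
    export all;
}

filter ddos_in {   # only /32s carrying the agreed community get in
    if net.len != 32 then reject;
    if ! (bgp_community ~ [(65000,666)]) then reject;
    dest = RTD_BLACKHOLE;   # install as a blackhole, not a next-hop route
    accept;
}

protocol bgp ddos_detector {
    table blackholes;
    local as 64512;
    neighbor 192.0.2.10 as 64512;
    import filter ddos_in;
}

protocol pipe pblackholes {   # make blackholes visible to the upstream session
    table master;
    peer table blackholes;
    import all;
}

filter bgp_out_upstream {
    if (net.len = 32 && bgp_community ~ [(65000,666)]) then {
        bgp_community.delete((65000,666));   # keep the internal tag private
        bgp_community.add((64665,666));      # upstream's blackhole community
        accept;
    }
    if net ~ [192.168.0.0/16] then accept;   # your own netblocks go here
    reject;
}

protocol bgp upstream {
    local as 64512;
    neighbor 203.0.113.1 as 64513;
    import none;
    export filter bgp_out_upstream;
}
```

Anything the detector announces without the tag, or with a prefix longer or shorter than /32, is rejected in ddos_in and never reaches the kernel table or the upstream.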