Remote Trigger Black Hole Filtering

Cisco has a real good document on this:

It is a technique used to drop bad packets before they get into the network: used for DDOS attack mitigation.
interface Null0
no ip unreachables
!When packet is dropped, an Internet Control Message Protocol (ICMP) unreachable message is !sent back to the source. So it is recommended that ICMP unreachable message is disabled.
router bgp 65535
neighbor IBGP peer-group
neighbor IBGP remote-as 701
neighbor IBGP send-community
neighbor IBGP update-source Loopback0
neighbor peer-group IBGP
neighbor peer-group IBGP
redistribute static route-map STATIC_TO_BGP
! A /32 route used as next-hop to “drop” the packets configured on all routers.
ip route null0
! Route-map to signal RTHB information.
route-map STATIC_TO_BGP permit 10
match tag 100
set local-preference 200
set origin igp
set community no-export
set ip next-hop
route-map STATIC_TO_BGP deny 20

When we know that some server, for example, under attack, we would put in the blackhole route on the trigger router and propagate to all edge routers which would drop packets at the edge of the network.
ip route null0 tag 100

Back scatter analysis could be use to trace back the source of the DDOS attack.
Remove the no ip unreachable from the null0 interface on all the edge routers.
Then from the "sinkhole" router:
Add new route-map entry, to propagate self-originated "interesting" routes.
route-map STATIC_TO_BGP permit 15
match tag 200
set local-preference 200
set origin igp
set community no-export
ip route Null0 tag 200
!Network is suspected to be the source of the attack. All ICMP unreachable !messages from the edge routers will be diverted to the sinkhole router for analysis.
ip access-list extended UNREACHABLES
permit icmp any any unreachable log
permit ip any any
interface WAN
ip access-group UNREACHABLES in

If the rate is big, you might not be able to see all logging line. To tune the ACL too log every hit:
ip access-list log-update threshold 1


Post a Comment