I am trying to send an ip to blackhole using bgp.
My isp only gives me the community ports but nothing more.
I searched and found out how it’s done for Cisco/Zebra/Quagga.
My Isp said:
Blackhole community is: 9000:666 (9000 is my ISP's AS number, 666 is the blackhole community)
And to do it for Cisco/Zebra/Quagga:
conf t
!
! Prefix list create. send 192.168.1.11 IP to NULL below
ip prefix-list ISPBLACKHOLE-ACL seq 5 permit 192.168.1.11/32
ip prefix-list ISPBLACKHOLE-ACL seq 10 deny any
!
! Create Route-map.
route-map ISP-OUT permit 5
match ip address prefix-list ISPBLACKHOLE-ACL
set community 9000:666
exit
! Permit all remaining prefixes unchanged (same route-map, next sequence).
route-map ISP-OUT permit 20
exit
!
router bgp 1967
neighbor 10.0.0.1 remote-as 9000
neighbor 10.0.0.1 description FIBREETHERNET
address-family ipv4
neighbor 10.0.0.1 activate
neighbor 10.0.0.1 send-community
neighbor 10.0.0.1 route-map ISP-OUT out
end
Can someone please translate this for me into MikroTik RouterOS language?
I found another, more detailed example done the Cisco way.
Can someone please translate these?
attacked ip: 10.0.0.99 /32
first create a static route:
ip route 10.0.0.99 255.255.255.255 10.0.0.2
under bgp entered as /32 and bgp soft clear command run
router bgp 12345
network 10.0.0.99 mask 255.255.255.255 route-map ispipblocks
clear ip bgp 99.99.99.99 soft out
write prefix list then set community in isp-out route map
ip prefix-list attackkedcustomer seq 5 permit 10.0.0.99/32
set community
route-map isp-out permit 15
match ip address prefix-list attackkedcustomer
set community 9000:666
I am still trying to do this using mikrotik.
I can’t do it 
Please, someone help.
I own my /21 ip block and AS# from RIPE
I setup my BGP using http://wiki.mikrotik.com/wiki/BGP_Case_Studies_1 link:
my current setup is: (Ips and AS changed for security reasons)
[admin@Mikrotik] > /routing bgp instance print
Flags: X - disabled
0 name="default" as=66855 router-id=0.0.0.0 redistribute-connected=no redistribute-static=yes
redistribute-rip=no redistribute-ospf=no redistribute-other-bgp=no out-filter=""
client-to-client-reflection=yes ignore-as-path-len=no
Peers:
[admin@Mikrotik] > /routing bgp peer print
Flags: X - disabled
0 name="MYISP" instance=default remote-address=212.111.222.129 remote-as=9829 tcp-md5-key=""
nexthop-choice=default multihop=no route-reflect=no hold-time=3m ttl=255 in-filter=""
out-filter=to_MYISP address-families=ip
Status:
[admin@Mikrotik] > /routing bgp peer print status
Flags: X - disabled
0 name="MYISP" instance=default remote-address=212.111.222.129 remote-as=9829 tcp-md5-key=""
nexthop-choice=default multihop=no route-reflect=no hold-time=3m ttl=255 in-filter=""
out-filter=to_MYISP address-families=ip remote-id=212.176.154.65 local-address=212.111.222.130
uptime=21m1s prefix-count=257333 updates-sent=1 updates-received=258801 withdrawn-sent=4
withdrawn-received=186 remote-hold-time=1m30s used-hold-time=1m30s used-keepalive-time=30s
refresh-capability=yes state=established
Routing Filter:
[admin@Mikrotik] > routing filter print
Flags: X - disabled
0 chain=to_MYISP prefix=91.99.16.0/21 invert-match=yes action=discard
I want to announce 91.99.16.5/32 Ip to blackhole community
blackhole community is: 9829:666
I tried to add 91.99.16.5/32 to the to_MYISP routing filter, but whatever I did I couldn’t do it.
Can someone please point me in the right direction?
Hi
At last, without anyone helping, I tried to do this by myself.
But I don’t know if I’m doing it right or wrong.
Here is what I did:
1- Add 91.99.16.0/21 and 91.99.16.5/32 into Bgp Networks
[admin@Mikrotik] > /routing bgp network print
Flags: X - disabled, A - active
# NETWORK SYNCHRONIZE
0 A 91.99.16.0/21 no
1 A 91.99.16.5/32 no
2- Create a routing filter like this:
[admin@Mikrotik] > /routing filter print
Flags: X - disabled
0 chain=to_MYISP prefix=91.99.16.5 invert-match=no action=passthrough set-bgp-communities=9829:666
And the status:
[admin@Mikrotik] > /routing bgp advertisements print
PREFIX NEXTHOP PEER AS-PATH ORIGIN LOCAL-PREF
0.0.0.0/0 212.111.222.130 MYISP incomplete
91.99.16.0/21 212.111.222.130 MYISP igp
91.99.16.5/32 212.111.222.130 MYISP igp
And now, when I test this from outside:
91.99.16.0/21 IPs work, respond to ping, and traceroute works.
For the 91.99.16.5 IP I get TTL expired in transit, and traceroute gets stuck in a loop at my ISP's router in front of my network, not reaching me.
The only thing I am still not sure about is
0.0.0.0/0 212.111.222.130 MYISP incomplete
Line above
Do you think I did everything right or Not?
That looks mostly right. You need to filter out your default route; you shouldn't be advertising that to your upstream.
I did that at first.
Add my ip block to route filters:
[admin@Mikrotik] > /routing filter print
Flags: X - disabled
0 chain=to_MYISP prefix=91.99.16.5 invert-match=no action=passthrough set-bgp-communities=9829:666
1 chain=to_MYISP prefix=91.99.16.0/21 invert-match=yes action=discard
But if I enable my configuration like that, my blackhole community rules are not working.
If I switch places of chains 1 and 0
again blackhole community filter is not working.
I can’t figure out how to create a routing filter which discards my ip blocks but only sends 1 of them to blackhole community.
Can you please tell me how to do that?
remove that last rule and just enter a new blank rule with action=discard. Change the first rule to be action=accept.
Sam
Hi Sam Here’s the final result.
I checked this with my ISP and everything is working like a charm.
Thank you very much.
In this scenario the 91.99.16.5 and 91.99.16.33 IPs are under attack and need to be sent to the ISP blackhole community - 9888:666
1- Add 91.99.16.0/21, 91.99.16.5/32 and 91.99.16.33 into Bgp Networks
[admin@Mikrotik] > /routing bgp network print
Flags: X - disabled, A - active
# NETWORK SYNCHRONIZE
0 A 91.99.16.0/21 no
1 A 91.99.16.5/32 no
2 A 91.99.16.33/32 no
2- After creating routing filters:
[admin@Mikrotik] > /routing filter print
Flags: X - disabled
0 chain=to_MYISP prefix=91.99.16.5 invert-match=no action=accept set-bgp-communities=9888:666
1 chain=to_MYISP prefix=91.99.16.33 invert-match=no action=accept set-bgp-communities=9888:666
2 chain=to_MYISP prefix=91.99.16.0/21 invert-match=yes action=discard
3- final status of advertisements:
[admin@Mikrotik] > /routing bgp advertisements print
PREFIX NEXTHOP PEER AS-PATH ORIGIN LOCAL-PREF
91.99.16.0/21 212.111.222.130 MYISP igp
91.99.16.5/32 212.111.222.130 MYISP igp
91.99.16.33/32 212.111.222.130 MYISP igp
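
Added example, not part of the original thread or MikroTik's own code: a small Python model of how the to_MYISP chain is walked, showing why the passthrough rule followed by the inverted discard dropped the /32 while the accept version announces it with the community. It assumes RouterOS v6 semantics (top-down evaluation, prefix without prefix-length matching exactly, implicit accept at the end of a chain); all function and variable names are hypothetical.

```python
import ipaddress

BLACKHOLE = "9829:666"  # blackhole community quoted earlier in the thread

# Simplified model of a RouterOS v6 routing-filter chain. Assumptions: rules run
# top-down; "prefix" with no "prefix-length" is an exact match; accept/discard
# stop evaluation; passthrough applies its "set" and continues; a route that
# reaches the end of the chain is accepted.
def evaluate(chain, route):
    route = ipaddress.ip_network(route)
    communities = []
    for rule in chain:
        hit = route == ipaddress.ip_network(rule["prefix"])
        if rule.get("invert"):
            hit = not hit
        if not hit:
            continue
        communities += rule.get("set_communities", [])
        if rule["action"] == "accept":
            return "advertised", communities
        if rule["action"] == "discard":
            return "discarded", []
    return "advertised", communities

# Attempt 1: a single passthrough rule, nothing is ever discarded.
FIRST_TRY = [
    {"prefix": "91.99.16.5/32", "action": "passthrough", "set_communities": [BLACKHOLE]},
]
# Attempt 2: the /32 is tagged, keeps going, and hits the inverted discard.
SECOND_TRY = FIRST_TRY + [
    {"prefix": "91.99.16.0/21", "invert": True, "action": "discard"},
]
# Working form: accept ends evaluation before the inverted discard is reached.
WORKING = [
    {"prefix": "91.99.16.5/32", "action": "accept", "set_communities": [BLACKHOLE]},
    {"prefix": "91.99.16.0/21", "invert": True, "action": "discard"},
]
ROUTES = ["0.0.0.0/0", "91.99.16.0/21", "91.99.16.5/32"]  # candidates from the thread

def advertisements(chain):
    return {r: evaluate(chain, r) for r in ROUTES}

if __name__ == "__main__":
    for name, chain in [("first", FIRST_TRY), ("second", SECOND_TRY), ("working", WORKING)]:
        for route, (verdict, comms) in advertisements(chain).items():
            print(f"{name:8} {route:16} {verdict:10} {','.join(comms)}")
```

The first chain leaks the default route upstream, the second silently drops the blackhole /32, and only the third produces the advertisement table shown in the final post.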
Hi static-x
are you located in Italy?
Our provider (FW) accepts only /24 as the minimum BGP announcement.
Is it the same in your case?
This was a very old topic.
I am not in Italy but in Turkey, using the Superonline ISP.
But this still works as written above.
Thanks.
I have tried, but it seems it does not work for me.
The /32, even when passed, is not accepted.
It needs to work with the ISP.
Did you find any way with FW for /32 BGP blackholing?