Simulating blackhole in lab environment

Hi,

I’ve built a lab setup with four routers, each of them running the latest ROS release (6.41.3).

This is the scenario:

          R2
        /    \
C1 -- R1       R4 -- C2
        \    /
          R3

I’ve configured BGP so that R1 and R4 are my endpoint routers (i.e. R1 is the default gateway for C1 and R4 is the default gateway for C2), and R2+R3 are two different “ISPs”.

Everything is working smoothly, I can detach any cable and routes reconfigure themselves in a jiffy. I’m also playing with filters in order to give “preference” to a route over another for a given destination, and so on.

Now I would like to ‘blackhole’ a destination. I read that real providers provide you with a blackhole BGP community and if you add that community to an announcement they mitigate or discard all the incoming traffic for that IP.

I know how to set a community using filters on R1 or R4, but how can I blackhole the traffic on the transit routers R2 and R3?

Thank you!

Let’s say the providers R2 and R3 have AS numbers 65002 and 65003, respectively.

If R2 provides a Blackhole community, usually 65002:666, the peer with R1 has an IN-FILTER like this:

[admin@MikroTik] > routing filter print 
Flags: X - disabled 
 0   chain=bgp-in bgp-communities=65002:666 invert-match=no action=accept 
     set-type=blackhole set-bgp-prepend-path=""

So if R1 detects a DoS attack to an internal IP, let’s say 192.168.1.254, and wants to tell R2 to not send packets to 192.168.1.254, R1 publishes 192.168.1.254 in BGP networks and the peer in R1 with R2 has an OUT-FILTER like this:

[admin@MikroTik] > routing filter print   
Flags: X - disabled 
 0   chain=bgp-out prefix=192.168.1.254 prefix-length=32 invert-match=no 
     action=passthrough set-bgp-prepend-path="" append-bgp-communities=65002:666 
[admin@MikroTik] > routing bgp network print 
Flags: X - disabled 
 #   NETWORK              SYNCHRONIZE
 0   192.168.1.0/24       no         
 1   192.168.1.254/32     no

So in R2 the routing table will be like:

[admin@MikroTik] > ip route print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
...
 2 ADb  192.168.1.0/24                     10.0.0.1                 20
 3 ADbB 192.168.1.254/32                                            20
 ...

Some providers offer a peer on which any network you announce will be blackholed. You can read about how providers do this in this guide from Cogent, as an example: http://www.cogentco.com/files/docs/customer_service/guide/global_cogent_customer_user_guide.pdf
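
As an added example (not from this thread or from MikroTik), here are the equivalent `add` commands for both sides, with R2's in-filter tightened so the blackhole community is honoured only for /32s inside the customer's own block and refused on anything else. Peer names `r1`/`r2` and the 192.168.1.0/24 allocation are assumptions.

```routeros
# Added example (not from the thread): R2 (AS 65002) side of the blackhole
# community, restricted to host routes inside the customer's own block.
# Assumes: customer R1 is peer "r1", its allocation is 192.168.1.0/24,
# and the blackhole community is 65002:666 as in the answer above.

# --- R2 ---
# 1) Host routes tagged with the blackhole community become blackhole routes,
#    but only for /32s inside the block the customer is allowed to announce.
/routing filter add chain=bgp-in prefix=192.168.1.0/24 prefix-length=32 \
    bgp-communities=65002:666 action=accept set-type=blackhole \
    comment="blackhole: customer /32s only"
# 2) Anything else carrying the blackhole community is refused, so a customer
#    cannot blackhole its whole /24 or a prefix it does not own.
/routing filter add chain=bgp-in bgp-communities=65002:666 action=discard \
    comment="refuse blackhole on non-customer or non-/32 prefixes"
# 3) Normal announcements from the customer block; everything else is dropped.
/routing filter add chain=bgp-in prefix=192.168.1.0/24 prefix-length=24-32 \
    action=accept
/routing filter add chain=bgp-in action=discard
/routing bgp peer set [find name=r1] in-filter=bgp-in

# --- R1 ---
# Tag only the attacked host route on the way out to R2; the /24 is unchanged.
/routing filter add chain=bgp-out prefix=192.168.1.254 prefix-length=32 \
    action=passthrough append-bgp-communities=65002:666
/routing bgp peer set [find name=r2] out-filter=bgp-out
/routing bgp network add network=192.168.1.254/32 synchronize=no
# Withdraw the /32 again once the attack stops:
# /routing bgp network remove [find network=192.168.1.254/32]
```

After the /32 is withdrawn on R1, the `ADbB` entry disappears from R2's `ip route print` and traffic to 192.168.1.254 follows the /24 again.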

Thank you very much! I’ll give it a try as soon as I can