 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Bgp blocklist to prevent dos on 1 ip?

Thu Jun 30, 2016 3:11 am

Is it possible with BGP to not advertise a single IP address in a /24 when my peer will not accept less than a /24? We had a UDP flood attack on a single customer and lost the network. My router successfully started blocking the packets, but it did us no good, as our entire 1 gig fiber had maxed out and it killed everybody. I had to take that particular /24 out until the attack stopped to keep most of the network online.

Is there another way to handle these?
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Thu Jun 30, 2016 12:36 pm

Read other postings on the forum.
You can send a single IP to your upstream provider with an agreed community value and they will null-route the IP.
You need to discuss this with your upstream provider and implement a script shown elsewhere.
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Thu Jun 30, 2016 5:34 pm

Ok thank you.  I'll work with my upstream provider on this.  I wanted to know first if it was possible so thank you again!
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Thu Jun 30, 2016 10:46 pm

The common terminology for this is "blackhole community".
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 01, 2016 4:21 pm

But I think you should search for and find the attacked IP manually...
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Wed Jul 06, 2016 6:07 pm

OK, my provider set me up so I can send communities along with a /32 IP address in order to black hole a single IP.  I've been reading the wiki for the last couple of days and I'm missing something, as I cannot get this to work.  If I edit my BGP peer and add an out-filter that I called BGP-Out, I stop advertising all of my subnets, even if I do not have any route filters set up yet.  I'm not sure why this is.  Do these not work similarly to firewall filters?  I then tried creating route filters that accept the subnets that I wanted to send, but I still do not advertise anything at all if that out-filter is present.

Can someone point me to a basic example?  The wiki hurts my brain.  :)
 
mrz
MikroTik Support
Posts: 7053
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: Bgp blocklist to prevent dos on 1 ip?

Wed Jul 06, 2016 6:11 pm

If it is an empty routing filter chain then none of the prefixes will be blocked. By default it's an open chain, just like the firewall.
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Wed Jul 06, 2016 7:27 pm

Ok, I got past that first hurdle.  I found that when I added the BGP-Out filter to the Peer the routes would stop advertising until I disabled the peer and re-enabled it, then it worked fine.

I then added a single filter with a single IP address and I am showing that I am advertising it with the new community, but I can still ping that address from outside of my network.  Did I miss something or did my provider miss something?

/routing filter add chain=BGP-Out prefix=1.1.1.1 action=accept set-bgp-communities=209:0
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Wed Jul 06, 2016 7:38 pm

One more question, prior to this working my provider had to set us up as a multihop on their end.  Do I need to do the same on my end?  
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Wed Jul 06, 2016 8:06 pm

Multihop being set right/wrong will cause eBGP neighbors to form adjacencies / fail to form adjacencies.
If the session goes up then you're set properly in that regard.

Realize that the filter only allows something to be advertised, but it has nothing to do with what goes into your BGP table.
You need to put the blackholed address into your BGP - the easiest way is to define it as a /32 network in the BGP configuration, and for this particular task (black hole routing), you can just un-check the "synchronize" checkbox so that the network is always inserted into BGP regardless of whether that exact prefix appears in the IP routing table.

Check what advertisements you're sending to the peer by looking in the Advertisements tab and make sure that you're sending the /32 blackhole prefix to the provider.
This tab only shows what is actually sent to a peer so if your /32 is not shown, then your router didn't send the prefix to the peer.
The nexthop field is pretty irrelevant for a blackhole route because the provider is going to see the blackhole community and modify the nexthop on their end to be a black hole destination.
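The three points above (an out-filter that only tags what should be tagged, a /32 network injected with synchronize=no, and the check in the advertisements list) as one complete RouterOS v6 configuration. This is an added example, not configuration from the thread or from any of its posters. Everything in it is a placeholder: the peer name "upstream", the chain name "BGP-Out", the customer range 203.0.113.0/24 (documentation space) and the victim 203.0.113.45. 65535:666 is the BLACKHOLE community defined in RFC 7999; most upstreams want their own agreed value instead (the thread shows 209:0, 12741:60000 and 50607:666), so substitute whatever the provider gave you.

```routeros
# Added example, not from the thread. Placeholders: peer "upstream", chain "BGP-Out",
# customer range 203.0.113.0/24, victim 203.0.113.45, community 65535:666 (RFC 7999
# BLACKHOLE; replace with the value your upstream agreed on).

/routing filter
# Tag only /32s that fall inside our own customer range. A bare prefix-length=32 rule
# would also tag a loopback or anycast /32 originated for other reasons.
add chain=BGP-Out prefix=203.0.113.0/24 prefix-length=32 action=accept set-bgp-communities=65535:666 comment="rtbh /32s"
# The normal aggregate, untagged.
add chain=BGP-Out prefix=203.0.113.0/24 action=accept comment="customer aggregate"
# Explicit catch-all. An empty chain is open (as mrz notes); with this rule the chain
# is closed, so no other more-specific can leak to the upstream by accident.
add chain=BGP-Out action=discard comment="deny everything else"

/routing bgp network
add network=203.0.113.0/24 comment="aggregate"
# synchronize=no: the /32 is put into BGP even though no exact /32 exists in /ip route.
add network=203.0.113.45/32 synchronize=no comment="rtbh"

/routing bgp peer
set [find name="upstream"] out-filter=BGP-Out

# Verify what was actually sent. If 203.0.113.45/32 with communities=65535:666 is not
# listed here, the provider never received it and the problem is on this side.
/routing bgp advertisements print peer=upstream
```

If the advertisements list does not change after editing the filter, re-send the table with /routing bgp peer resend-all (mentioned later in the thread) rather than bouncing the session. Remove the /32 network (or let a script do it, as the later posts show) once the attack is over; the aggregate stays up throughout.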
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Wed Jul 06, 2016 10:23 pm

I failed to mention it, but yes I also have that IP advertised in my BGP session as a /32.  In my advertisements list it shows up and has the community value in it.  So it should be working right?  But I can still ping it from outside of my network.  I've emailed my provider to check their config, but in the meantime does it sound like I've done it properly?
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Wed Jul 06, 2016 10:51 pm

Thank you for everyone's help!  My provider had something wrong on their end, now it works great!  
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Thu Jul 07, 2016 12:10 am

I've been reading through the forums and various options to automate this and see mentions of scripts, but cannot find the script.  I already have firewall rules in place that will detect and stop the attack, but how can I write a script that will take that address list and add it to the BGP route filter and advertise list?
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 8:15 am

jmay wrote: (the question from the post above)

Hi,

What do you use to detect and stop the attack?

Thanks,
 
Nissarin
just joined
Posts: 19
Joined: Fri Feb 20, 2015 4:01 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 2:57 pm

{
    # Desired state: every single-IP entry in address list "bgp-blackhole", keyed as "a.b.c.d/32".
    :local addrlist [:toarray ""]
    :foreach i in=[/ip firewall address-list find where list=bgp-blackhole] do={
        :local addr [/ip firewall address-list get $i address]
        # Only plain IPs are blackholed; ranges or prefixes in the list are ignored.
        :if ([:typeof $addr] = "ip") do={
            :local addrstr "$addr/32"
            :set ($addrlist->$addrstr) $i
        }
    }

    # Current state: the /32 networks this script added earlier (marked by comment "rtbh").
    :local netlist [:toarray ""]
    :foreach i in=[/routing bgp network find where comment="rtbh"] do={
        :local network [/routing bgp network get $i network]
        :set ($netlist->$network) $i
    }

    # Add a network for every list entry that has none yet.
    # synchronize=no injects the /32 into BGP even when no matching route exists in /ip route.
    :foreach k,v in=$addrlist do={
        :if ([:typeof ($netlist->$k)] = "nothing") do={
            :log warning "Anti-DDoS: prefix $k added to RTBH list"
            /routing bgp network add comment=rtbh network=$k synchronize=no
        }
    }

    # Withdraw networks whose address-list entry is gone (for example, its timeout expired).
    :foreach k,v in=$netlist do={
        :if ([:typeof ($addrlist->$k)] = "nothing") do={
            :log warning "Anti-DDoS: prefix $k removed from RTBH list"
            /routing bgp network remove $v
        }
    }
}
This is something I'm using at the moment (scheduled to run every minute). The firewall "reports" addresses to block by putting them in the address list bgp-blackhole.

EDIT:
Route filtering - blackhole targets are usually single IPs (x.x.x.x/32), hence simple matching using just the prefix length.
/routing filter
...
add action=accept chain=netia-out prefix-length=32 set-bgp-communities=12741:60000
...
add action=accept chain=epix-op-out prefix-length=32 set-bgp-communities=50607:666
...
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 4:23 pm

Nissarin wrote: (the script and route filter from the post above)
What do you use to find attacked IPs? And do you need to use /routing bgp peer resend-all?
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 5:23 pm

I use this for detecting attacks and dropping them. I found this on this forum somewhere a long time ago.  Someone else deserves the credit I just don't recall where I found it.  It works really well, during an attack it does start dropping the packets and expires after 10 minutes if the attack is over.  As long as you have the bandwidth to survive it that is.




/ip firewall filter
add chain=forward connection-state=new action=jump jump-target="Forward Syn Protect" comment="Jump New Syn Connections to Forward Syn Protect Chain"
add chain="Forward Syn Protect" connection-state=new dst-limit=50,50,src-and-dst-addresses/10s action=return comment="Limit New Forward Connections to 50/sec Per Destination IP"
add chain="Forward Syn Protect" connection-state=new action=add-dst-to-address-list address-list="Syn Flood Victims" address-list-timeout=10m comment="Add SYN Flood Victims to Address List for 10 Mins"
add chain="Forward Syn Protect" action=add-src-to-address-list address-list="Syn Flood Attackers" address-list-timeout=10m comment="Add SYN Flood Attackers to Address List for 10 Mins"
add chain=forward connection-state=new protocol=tcp src-address-list="Syn Flood Attackers" dst-address-list="Syn Flood Victims" action=tarpit comment="Tarpit TCP Syn Flood Attacks"
add chain=forward connection-state=new src-address-list="Syn Flood Attackers" dst-address-list="Syn Flood Victims" action=drop comment="Drop Syn Flood Attacks"
Last edited by jmay on Fri Jul 08, 2016 5:28 pm, edited 2 times in total.
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 5:26 pm

Nissarin wrote: (the script and route filter from the post above)
Thank you for this!  I'll give this a shot!
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 6:40 pm

Be very very very careful if you're going to have an automated black hole function.
The automated black hole itself could be used as a DDoS vector without the need for any botnet -

The firewall rules you posted don't require any amount of bandwidth consumption to be considered an attack - just number of connections/sec.
(and they also include UDP, even though the rules are labeled as SYN rules in their comments)

So I could just port scan a host over and over, and if it gets thrown into a black hole because I port scanned it..... well, I hope the problem is obvious.

If they decided to do this to your DNS server, for instance, then you'd be having a very bad day indeed.
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 7:23 pm

Hi Zerobyte,

What's your suggestion for DoS and DDoS attacks?
 
amt
Long time Member
Posts: 529
Joined: Fri Jan 16, 2015 2:05 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Fri Jul 08, 2016 7:36 pm

@jmay also check this; Deantwo wrote it for me in the forum. Maybe this also helps you. It sends the DDoSed IP to a blackhole route...

Try this:
{
    # Forward direction: every entry in address list "ddosed" gets a /32 blackhole route
    # carrying the blackhole community (1111:333 is the value from the original post;
    # use the one your upstream agreed on). The route only reaches the peer if the BGP
    # instance redistributes static routes (redistribute-static=yes) and the out-filter
    # lets /32s through.
    :local ddosedList [/ip firewall address-list find list=ddosed]
    :foreach ddosedEntry in=$ddosedList do={
        :local ddosedIp [/ip firewall address-list get $ddosedEntry address]
        :if ([:len [/ip route find comment=ddosed dst-address="$ddosedIp/32"]] = 0) do={
            /ip route add bgp-communities=1111:333 comment=ddosed distance=1 dst-address="$ddosedIp/32" type=blackhole
        }
    }
}
{
    # Reverse direction: remove blackhole routes whose address-list entry has expired.
    :local blackholeList [/ip route find comment=ddosed]
    :foreach blackholeEntry in=$blackholeList do={
        :local blackholeIp [/ip route get $blackholeEntry dst-address]
        # Strip the "/32" so the value compares against the bare address in the list.
        :set blackholeIp [:pick $blackholeIp 0 [:find $blackholeIp "/" -1]]
        :if ([:len [/ip firewall address-list find list=ddosed address=$blackholeIp]] = 0) do={
            /ip route remove $blackholeEntry
        }
    }
}
 
jmay
Member
Topic Author
Posts: 336
Joined: Tue Jun 23, 2009 8:26 pm

Re: Bgp blocklist to prevent dos on 1 ip?

Sat Jul 09, 2016 1:48 am

ZeroByte wrote: (the warning from the post above)
Good point.  I have many other rules prior to that one to get rid of port scanners and anyone trying to telnet into servers, etc.  My servers are on another chain and go through a different set of rules.  I wonder if it would be better to do it based on bandwidth?  Since we are a WISP there are limits to how much we offer, so I could, for example, create a list of anyone having more than X amount of bandwidth flooding them and then black hole them?  When an attack is larger than our 1 gig fiber it wouldn't matter if I black holed the entire network, since nobody can get online at the time anyway.
The problem with manual is I am the only IT person at this company.  If I'm out trying to enjoy my life it's a real inconvenience for me when the system needs my attention.  But then again, it's not like these happen every day I guess.
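ZeroByte's objection is that the rules above promote a host to the blackhole on connection rate alone, so a port scan of a few hundred connections per second can take a customer offline with no bandwidth spent. The script below is one way to act on jmay's follow-up idea: it treats the "Syn Flood Victims" list only as a list of suspects, measures the actual bit rate toward each suspect with a passthrough mangle rule used as a byte counter, and moves an address into "bgp-blackhole" (for Nissarin's sync script to advertise) only when the measured rate is above a threshold and the address is not on a protected list. This is an added example and not code from the thread or from any poster. Assumptions, all placeholders: the list names "Syn Flood Victims", "rtbh-protected" and "bgp-blackhole", a 10-second schedule, a 400 Mbit/s threshold (chosen for a 1 Gbit link) and a 30-minute hold time.

```routeros
# Added example, not from the thread. Bandwidth-gated promotion of suspects into the
# bgp-blackhole list. Schedule this every 10 seconds (the $interval below must match).
# Assumed (placeholder) names: address lists "Syn Flood Victims" (suspects, filled by the
# detection rules), "rtbh-protected" (never blackhole: DNS, name servers, infrastructure)
# and "bgp-blackhole" (consumed by a Nissarin-style sync script).
{
    :local interval 10
    :local thresholdBps 400000000
    :local holdTime 30m

    # 1. Give every suspect a passthrough mangle rule; its byte counter is the meter.
    #    Mangle forward runs before filter forward, so the counter sees traffic even
    #    when the filter rules later tarpit or drop it.
    :foreach i in=[/ip firewall address-list find where list="Syn Flood Victims"] do={
        :local ip [/ip firewall address-list get $i address]
        :if ([:typeof $ip] = "ip") do={
            :if ([:len [/ip firewall mangle find where comment=("rtbh-meter " . $ip)]] = 0) do={
                /ip firewall mangle add chain=forward dst-address=$ip action=passthrough comment=("rtbh-meter " . $ip)
            }
        }
    }

    # 2. Read and reset every meter, then decide per suspect.
    :foreach m in=[/ip firewall mangle find where comment~"^rtbh-meter "] do={
        :local c [/ip firewall mangle get $m comment]
        :local ip [:toip [:pick $c 11 [:len $c]]]
        :local bytes [/ip firewall mangle get $m bytes]
        /ip firewall mangle reset-counters numbers=$m
        :local bps (($bytes * 8) / $interval)

        :if ([:len [/ip firewall address-list find where list="Syn Flood Victims" address=$ip]] = 0) do={
            # Suspect entry expired (10 min timeout in the detection rules): remove the meter.
            /ip firewall mangle remove $m
        } else={
            :if ($bps > $thresholdBps) do={
                :if ([:len [/ip firewall address-list find where list="rtbh-protected" address=$ip]] > 0) do={
                    :log error "RTBH: $ip is above threshold ($bps bps) but protected, not blackholing"
                } else={
                    :if ([:len [/ip firewall address-list find where list="bgp-blackhole" address=$ip]] = 0) do={
                        :log warning "RTBH: blackholing $ip, measured $bps bps"
                        /ip firewall address-list add list="bgp-blackhole" address=$ip timeout=$holdTime comment="auto"
                    }
                }
            }
        }
    }
}
```

Once the upstream drops the traffic the meter falls to zero, the suspect entry ages out and the meter rule is removed; the bgp-blackhole entry expires on its own after the hold time, at which point the sync script withdraws the /32. If the flood is still running it is re-detected and blackholed again, so the worst case is one hold period of exposure per cycle. Set the threshold from your own link size; the point is that a scan or a low-volume probe can never cross it.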
