Hi

We advertise a /22 to our bgp upstream. however if a person tries to access any unused /32 IP on our network it causes a network loop between our edge and our upstream router until the TTL is reached.

Is there a way I can blackhole any unused IP's? Can it be dynamic - as all unused IP's are not contiguous.

Add /22 blackhole route in your routing table.

Add /22 blackhole route in your routing table.

ok, so just
/ip route add dst-address=x.x.x.x/22 type=blackhole
This will not block legitimate routes as there will be more specific routes in the routing table anyway correct?

Yes, more specific routes will route the traffic to needed destination.

i have advertise to upstream

11.12.13.0/22
11.12.13.0/24
11.12.14.0/24
11.12.15.0/24
11.12.16.0/24

So i need to add null route for all subnet?

/ip route add dst-address=11.12.13.0/22 type=blackhole
/ip route add dst-address=11.12.13.0/24 type=blackhole
/ip route add dst-address=11.12.14.0/24 type=blackhole
/ip route add dst-address=11.12.15.0/24 type=blackhole
/ip route add dst-address=11.12.16.0/24 type=blackhole

Pls advise with thanks.

Just the /22 should be adequate, if you are using routing bgp network option instead of redistributing active routes. (I personally prefer to not use the network tab in bgp, and have blackhole route with distance 250 to supply an active route to redistribute).