Destination based Remote Blackhole Filtering.
Step 1. – Configure the Static Route to Null0 on ALL the router.
This is a prefix that will never be used in the network, it can be a RFC1918 prefix, the favorite for ISPs is TEST-NET 192.0.2.0/24, Test-Net was a IANA allocation made for people t o do documentation.
Step 2.- The Trigger Router.
it does not have to be a big router, on this router the iBGP just configured to redistribute static routes, So The “trigger” router used to add and remove static routes, with the help of a route-map that is used to match the static tag and set the metrics for the iBGP adversitment.
Step 3.- The Activation.
Say the Network 184.108.40.206/32 is currently under attack,
so we add this static route ip route 220.127.116.11/32 with the TAG of 666, pointing to NullO on the trigger router,
and the trigger router, will just send a advertisement to all the iBGP speaking router in the network
when this advertisement is received, Routers glues this BGP Advertisement with the Next Hop that is routed to NullO – triggering black hole routing.
Mitigating the Attack for 18.104.22.168/32 on our network!
Source based Remote Triggered BlackHole Filtering.
Please observe that with the previous configuration of Destination based blackhole filter, we certainly mitigate the attack, but now we have a issue, internal router would not have reachability to the routes that is Black Holed.
Source-based black holes provide the ability to drop traffic at the network edge based on a specific source address or range of source addresses. With destination-based black holing, all traffic to a specific destination is dropped once the black hole has been activated, regardless of where it is coming from.
If the source address (or range of addresses) of the attack can be identified (spoofed or not), it would be better to drop all traffic at the edge based on the source address, regardless of the destination address.
This would permit legitimate traffic from other sources to reach the target. Implementation of source-based black hole filtering depends on Unicast Reverse Path Forwarding (URPF), most often loose mode URPF.
Loose URPF checks the packet and forwards it if there is a route entry for the source IP of the incoming packet in the router FIB. If the router does not have an FIB entry for the source IP address, or if the entry points to Null0, the Reverse Path Forwarding (RPF) check fails, and the packet is dropped
On the Trigger router
Now on the Edge Router:
Forwarding ASICs are designed to work with routes to Null0 – dropping the packet with minimal to no performance impact.