(Destination or Source) Based Remote Triggered Black Hole Filtering.


Destination-based Remote Triggered Black Hole Filtering.


Step 1. Configure the static route to Null0 on ALL the routers.

This is a prefix that will never be used in the network; it can be an RFC 1918 prefix, but the favourite for ISPs is TEST-NET, 192.0.2.0/24. TEST-NET is an IANA allocation made for people to use in documentation.

Step 2. The trigger router.

It does not have to be a big router. On this router iBGP is configured to redistribute static routes, so the "trigger" router is used to add and remove static routes, with the help of a route-map that matches the tag on the static route and sets the metrics for the iBGP advertisement.

Step 3. The activation.

Say the network 44.4.4.4/32 is currently under attack.

We add the static route for 44.4.4.4/32 with the tag 666, pointing to Null0, on the trigger router.

The trigger router then sends an advertisement to every iBGP-speaking router in the network.

When this advertisement is received, each router glues the BGP advertisement to the next hop that is routed to Null0, triggering black hole routing.

This mitigates the attack on 44.4.4.4/32 in our network!

Source-based Remote Triggered Black Hole Filtering.

Please observe that with the previous configuration of destination-based black hole filtering we certainly mitigate the attack, but now we have an issue: internal routers no longer have reachability to the routes that are black holed.

Source-based black holes provide the ability to drop traffic at the network edge based on a specific source address or range of source addresses. With destination-based black holing, all traffic to a specific destination is dropped once the black hole has been activated, regardless of where it is coming from.

If the source address (or range of addresses) of the attack can be identified (spoofed or not), it would be better to drop all traffic at the edge based on the source address, regardless of the destination address.

This would permit legitimate traffic from other sources to reach the target. Implementation of source-based black hole filtering depends on Unicast Reverse Path Forwarding (uRPF), most often in loose mode.

[Figure: loose uRPF check]

Loose uRPF checks the packet and forwards it if there is a route entry for the source IP of the incoming packet in the router's FIB. If the router does not have a FIB entry for the source IP address, or if the entry points to Null0, the Reverse Path Forwarding (RPF) check fails and the packet is dropped.

On the trigger router:

Now on the edge router:

Forwarding ASICs are designed to work with routes to Null0, dropping the packet with minimal to no performance impact.
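To make the two behaviours concrete, here is an added Python model of an edge router's FIB (not code from the original post or from Cisco): longest-prefix match, recursive next-hop resolution, and the loose uRPF check, run through both the destination-based and the source-based scenario. The black hole next-hop 192.0.2.1, the interface names, and the attacker and legitimate source addresses are constructed assumptions.

```python
import ipaddress

NULL0 = "Null0"
BLACKHOLE_NH = "192.0.2.1"  # assumed next-hop that every router statically routes to Null0 (step 1)

class Fib:
    """Tiny FIB: longest-prefix match plus recursive next-hop resolution."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def add(self, prefix, next_hop):
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, addr):
        ip = ipaddress.ip_address(addr)
        hits = [r for r in self.routes if ip in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen) if hits else None

    def resolve(self, addr, depth=8):
        """Follow next-hops until an interface name is reached; None means no route."""
        entry = self.lookup(addr)
        if entry is None or depth == 0:
            return None
        nh = entry[1]
        return nh if not nh[0].isdigit() else self.resolve(nh, depth - 1)

def forward(fib, src, dst, urpf_loose=False):
    # Loose uRPF: drop if the source has no FIB entry or its entry resolves to Null0
    if urpf_loose and fib.resolve(src) in (None, NULL0):
        return "drop: uRPF loose"
    out = fib.resolve(dst)
    if out is None:
        return "drop: no route"
    return "drop: blackhole" if out == NULL0 else "forward via " + out

def run():
    attacker, victim, legit = "203.0.113.7", "44.4.4.4", "198.51.100.9"  # constructed
    fib = Fib([("192.0.2.1/32", NULL0),    # step 1: present on ALL routers
               ("44.4.4.0/24", "Gi0/1"),   # customer link holding the victim (constructed)
               ("0.0.0.0/0", "Gi0/0")])    # upstream default (constructed)
    results = {"before": forward(fib, attacker, victim)}
    # Destination-based: trigger injects 44.4.4.4/32 (tag 666) via iBGP, next-hop 192.0.2.1
    fib.add("44.4.4.4/32", BLACKHOLE_NH)
    results["dst_attack"] = forward(fib, attacker, victim)
    results["dst_legit"] = forward(fib, legit, victim)  # collateral: legit source dropped too
    # Source-based: withdraw the victim /32, inject the attacker /32 instead, run loose uRPF
    fib.routes.pop()
    fib.add("203.0.113.7/32", BLACKHOLE_NH)
    results["src_attack"] = forward(fib, attacker, victim, urpf_loose=True)
    results["src_legit"] = forward(fib, legit, victim, urpf_loose=True)
    return results
```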


Thanks to
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf


A Networker Blog
