Blackhole Routes

Deepak Jain deepak at ai.net
Thu Sep 30 16:38:03 UTC 2004



It sounds like you are confusing ideas here...

If BGP is making a forwarding table entry, that's it. Ports are not 
really considered in forwarding decisions -- or if they are, the box is 
usually called a Firewall, not a router.

It would be pretty trivial to take the information you are generating 
and dump it into an IPFW or similar table and filter it that way. It 
would not be as effective, but you could watch your netflow data and 
selectively add holes or filters based on abuse of certain IP:port 
combinations. However, if you can destroy end-to-end connectivity and 
your customers are happy, I wouldn't change a thing. It's much simpler to 
debug a blackhole than it is a more selective filter.

Deepak Jain
AiNET

Eric Germann wrote:

> We use a variation of this for several things.  At the risk of getting into
> political policy discussions ...
> 
> We have a PERL script which looks for the wildcard .com record.  If it finds
> it (the old Verisign SiteFinder), it injects a blackhole route to kill it.
> Also, we periodically pull in (every 4 hours), allocations from various
> registries like ARIN, APNIC, LACNIC, etc. and filter by country.  It isn't
> elegant, but it does give us the ability to deny traffic to areas our
> policies dictate.  Pretty effective for getting rid of spam and the offshore
> phishing sites.  If you want to argue the political or policy side of doing
> this, I really don't have time, but our clients have been happy with it for
> two plus years.
> 
> What I would like to see (and have never researched in depth) is a way to apply
> the blackhole routes on a community to port basis (i.e. we set up a specific
> BGP community to filter mail, and that community goes to a route map that
> kills only port 25, another community applies to a map that kills port 80,
> etc).  When I have spare time, I may see if there is any way to do that.  Of
> course by then, IPv6 will be obsolete, so .....
> 
> Eric
> 
> 
> -----Original Message-----
> From: owner-nanog at merit.edu [mailto:owner-nanog at merit.edu] On Behalf Of
> Abhishek Verma
> Sent: Thursday, September 30, 2004 2:52 AM
> To: nanog at merit.edu
> Subject: Blackhole Routes
> 
> 
> Hi,
> 
> There are ways to add static routes that can be blackholed. I can understand
> the utility of such routes if those are installed in my forwarding table.
> What bewilders me is why would anyone want to advertise "blackhole" routes
> using say, BGP?
> 
> Is it only to prevent some sort of DoS attacks or are there other uses also
> of advertising black hole routes?
> 
> Thanks,
> Abhishek
> 
> --
> Class of 2004
> Institute of Technology, BHU
> Varanasi, India
> 
> 
> 
> 
> 
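Deepak's suggestion above (watch flow data and either add a plain blackhole or a more selective IP:port filter) and Eric's idea of one community per dropped port, worked through as an added Python example that is not part of the original thread. The flow records are constructed, and the thresholds, the community values, and the ipfw / IOS-style rule syntax are assumptions of this example, not anything the posters described.

```python
"""Turn flow records into either a blackhole route (all ports) or a
selective ip:port filter. Added example; flow data below is constructed."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed flow records: (src_ip, dst_port, packets). Not real traffic.
SAMPLE_FLOWS = [
    ("203.0.113.7", 25, 9000),    # one host hammering port 25 only
    ("203.0.113.7", 80, 40),
    ("198.51.100.9", 25, 3000),   # host flooding many ports at once
    ("198.51.100.9", 80, 3000),
    ("198.51.100.9", 443, 3000),
    ("198.51.100.9", 22, 3000),
    ("192.0.2.44", 80, 120),      # ordinary client, below every threshold
]

# Hypothetical community scheme in the spirit of Eric's proposal:
# one community for a full blackhole, one per port to be dropped.
BLACKHOLE_COMMUNITY = "65000:666"
PORT_COMMUNITY = {25: "65000:25", 80: "65000:80"}


def aggregate(flows):
    """Sum packets per (src, dport) and per src; reject malformed addresses."""
    per_port = defaultdict(int)
    per_host = defaultdict(int)
    for src, dport, pkts in flows:
        ip_address(src)  # raises ValueError on garbage instead of emitting a rule for it
        per_port[(src, dport)] += pkts
        per_host[src] += pkts
    return per_port, per_host


def decide(flows, port_threshold=1000, host_threshold=10000, min_ports=3):
    """Return a list of decisions, sorted by source address.

    ('blackhole', src, None)  host exceeds host_threshold across >= min_ports
                              abusive ports: no port-level filter would help
    ('filter', src, dport)    a single src:port exceeds port_threshold
    """
    per_port, per_host = aggregate(flows)
    ports_hit = defaultdict(set)
    for (src, dport), pkts in per_port.items():
        if pkts > port_threshold:
            ports_hit[src].add(dport)
    decisions = []
    for src in sorted(per_host, key=ip_address):
        if per_host[src] > host_threshold and len(ports_hit[src]) >= min_ports:
            decisions.append(("blackhole", src, None))
        else:
            for dport in sorted(ports_hit[src]):
                decisions.append(("filter", src, dport))
    return decisions


def render(decisions):
    """Render decisions as an IOS-style null route or an ipfw deny rule,
    each tagged with the (assumed) community a route map would key on."""
    lines = []
    for kind, src, dport in decisions:
        if kind == "blackhole":
            lines.append(
                f"ip route {src} 255.255.255.255 Null0  ! community {BLACKHOLE_COMMUNITY}")
        else:
            comm = PORT_COMMUNITY.get(dport, "none")
            lines.append(
                f"ipfw add deny tcp from {src} to any dst-port {dport}  # community {comm}")
    return lines


if __name__ == "__main__":
    for line in render(decide(SAMPLE_FLOWS)):
        print(line)
```

Running it on the constructed records yields one null route (the host abusing four ports) and one port-25 filter (the host abusing only port 25), which is exactly the trade-off Deepak describes: the blackhole is one line and trivially verifiable with a traceroute, while the selective rule needs the per-port counters to explain itself.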