Blackholing traffic by ASN

Deepak Jain deepak at ai.net
Wed Jan 30 23:54:57 UTC 2008



This is prior art. (Assuming your hardware has a hardware blackhole (or 
you have a little router sitting on the end of a circuit)) you adjust 
your route-map that would deny the entry to set a community or next-hop 
pointing to your blackhole location.

Nowadays, most equipment can blackhole internally (to null0 say) at full 
speed, so it isn't an issue. Just set your next hop to a good null0 
style location on route import and you are done for traffic destined to 
those locations.

For inbound traffic from those locations you would need to do policy 
routing (because you are looking up on source). If you are trying to 
block SPAM or anything TCP-related, you only need to block one direction 
to end the conversation.

Sounds harsh, but hey, it's your network.

Deepak Jain
AiNET

Justin Shore wrote:
> 
> I'm sure all of us have parts of the Internet that we block for one 
> reason or another.  I have existing methods for null routing traffic 
> from annoying hosts and subnets on our border routers today (I'm still 
> working on a network blackhole).  However I've never tackled the problem 
> by targeting a bad guy's ASN.  What's the best option for null routing 
> traffic by ASN?  I could always add another deny statement in my inbound 
> eBGP route-maps to match a new as-path ACL for _BAD-ASN_ to keep from 
> accepting their routes to begin with.  Are there any other good tricks 
> that I can employ?
> 
> I have another question along those same lines.  Once I do have my 
> blackhole up and running I can easily funnel hosts or subnets into the 
> blackhole.  What about funneling all routes to a particular ASN into the 
> blackhole?  Are there any useful tricks here?
> 
> The ASN I'm referring to is that of the Russian Business Network.  A 
> Google search should turn up plenty of info for those that haven't heard 
> of them.
> 
> Thanks
>  Justin
> 
> 



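The two mechanisms discussed in this thread (an as-path ACL applied in an inbound eBGP route-map, either denying the routes outright or rewriting their next hop to an address that is statically routed to Null0, plus a source-based check that would have to be done with policy routing) can be modelled in a few lines. The block below is an added example, not code from either poster; the ASNs (64496 as the "bad" ASN, 64500 as the upstream, 64510 and 164496 as bystanders), the 10.0.0.0/8 prefixes, the peer address 10.255.0.1 and the blackhole next hop 192.0.2.1 are all constructed. The only IOS-specific detail it reproduces is the as-path regex rule that `_` matches the start or end of the path or a space between ASNs, which is why `_64496_` does not match AS 164496 while a naive substring check would.

```python
"""Model of inbound as-path filtering and next-hop blackholing.

Constructed example. Equivalent IOS configuration this models:

    ip as-path access-list 10 permit _64496_
    route-map EBGP-IN deny 10
     match as-path 10
    !  or, instead of the deny: set ip next-hop 192.0.2.1
    ip route 192.0.2.1 255.255.255.255 Null0
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: 192.0.2.1/32 is statically routed to Null0 on this router.
BLACKHOLE_NEXT_HOP = "192.0.2.1"


@dataclass
class Route:
    prefix: str          # e.g. "10.1.0.0/16"
    as_path: tuple       # leftmost entry is the neighbour, rightmost the origin
    next_hop: str


def cisco_aspath_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IOS as-path ACL regex into a Python regex.

    IOS treats '_' as matching the beginning of the path, the end of the
    path, or the whitespace between ASNs. Everything else ('^', '$', '.',
    '*') has its usual meaning, so only '_' needs translating.
    """
    return re.compile(pattern.replace("_", r"(?:^|$|\s)"))


def as_path_str(path: tuple) -> str:
    """Render the AS path the way IOS shows it: space-separated ASNs."""
    return " ".join(str(asn) for asn in path)


def apply_inbound_policy(routes: List[Route], acl_pattern: str, action: str) -> List[Route]:
    """Apply the inbound route-map.

    action == "deny":      routes matching the as-path ACL never enter the table.
    action == "blackhole": they are accepted but their next hop is rewritten
                           to BLACKHOLE_NEXT_HOP (i.e. 'set ip next-hop').
    """
    acl = cisco_aspath_regex(acl_pattern)
    accepted = []
    for route in routes:
        if acl.search(as_path_str(route.as_path)):
            if action == "deny":
                continue
            accepted.append(Route(route.prefix, route.as_path, BLACKHOLE_NEXT_HOP))
        else:
            accepted.append(route)
    return accepted


def forward(rib: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix lookup on the destination, as the forwarding plane does.

    Returns the next hop, or "Null0" when the chosen route's next hop is the
    blackhole address (its recursive lookup ends in the Null0 static).
    """
    dst_ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for route in rib:
        net = ipaddress.ip_network(route.prefix)
        if dst_ip in net and (
            best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen
        ):
            best = route
    if best is None:
        return None
    return "Null0" if best.next_hop == BLACKHOLE_NEXT_HOP else best.next_hop


def source_is_blackholed(rib: List[Route], src: str) -> bool:
    """The policy-routing half: a destination-based blackhole never consults
    the source address, so dropping packets *from* the bad prefixes needs a
    separate lookup keyed on the source. This is that lookup."""
    src_ip = ipaddress.ip_address(src)
    return any(
        route.next_hop == BLACKHOLE_NEXT_HOP and src_ip in ipaddress.ip_network(route.prefix)
        for route in rib
    )


# Constructed eBGP UPDATEs received from the upstream peer 10.255.0.1.
SAMPLE_ROUTES = [
    Route("10.1.0.0/16", (64500, 64496), "10.255.0.1"),          # originated by bad ASN
    Route("10.2.0.0/16", (64500, 64496, 64510), "10.255.0.1"),   # transits bad ASN
    Route("10.3.0.0/16", (64500, 64510), "10.255.0.1"),          # clean
    Route("10.4.0.0/16", (64500, 164496, 64510), "10.255.0.1"),  # clean; substring trap
]

if __name__ == "__main__":
    rib = apply_inbound_policy(SAMPLE_ROUTES, "_64496_", "blackhole")
    for route in rib:
        print(route.prefix, as_path_str(route.as_path), "->", route.next_hop)
    print("10.1.2.3 forwards to", forward(rib, "10.1.2.3"))
    print("source 10.2.9.9 blackholed:", source_is_blackholed(rib, "10.2.9.9"))
```

Two things worth noticing when running it: `_64496_` catches both the route originated by the bad ASN and the one that merely transits it, whereas `_64496$` would only catch the origin case; and the deny form leaves the router with no route at all for those prefixes (traffic to them follows the default, if any), while the next-hop rewrite keeps the prefix in the table and sends the traffic to Null0 at forwarding speed.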
More information about the NANOG mailing list