Blackholing traffic by ASN

Justin M. Streiner streiner at cluebyfour.org
Wed Jan 30 23:57:50 UTC 2008


On Wed, 30 Jan 2008, Justin Shore wrote:

> I'm sure all of us have parts of the Internet that we block for one reason or 
> another.  I have existing methods for null routing traffic from annoying 
> hosts and subnets on our border routers today (I'm still working on a network 
> blackhole).  However I've never tackled the problem by targeting a bad guy's 
> ASN.  What's the best option for null routing traffic by ASN?  I could always 
> add another deny statement in my inbound eBGP route-maps to match a new 
> as-path ACL for _BAD-ASN_ to keep from accepting their routes to begin with. 
> Are there any other good tricks that I can employ?

You could do it with an as-path access-list.

Example:

router bgp 65500
 no auto-summary
 no synchronization
 bgp log-neighbor-changes
 neighbor 1.2.3.4 remote-as 65400
 neighbor 1.2.3.4 description UPSTREAM1
 neighbor 1.2.3.4 filter-list 10 in
 neighbor 1.2.3.4 soft-reconfiguration inbound

ip as-path access-list 10 deny (_65300)+$
ip as-path access-list 10 permit .*

This example should drop any prefixes you receive from your upstream
that include 65300 as the origin AS in the AS path, but permit anything 
else.  If you're concerned about prefixes that could have 65300 anywhere 
in the path, take the $ off of the regex.

You could also probably write a route-map to redirect traffic from your 
network to prefixes from that AS to null0, or to a traffic analysis box.

jms

> I have another question along those same lines.  Once I do have my blackhole 
> up and running I can easily funnel hosts or subnets into the blackhole.  What 
> about funneling all routes to a particular ASN into the blackhole?  Are there 
> any useful tricks here?
>
> The ASN I'm referring to is that of the Russian Business Network.  A Google 
> search should turn up plenty of info for those that haven't heard of them.
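
An added example, not part of the original thread: a small Python harness for checking an as-path access-list against sample AS paths before applying it to a live session. It emulates the IOS "_" delimiter and first-match evaluation for the filter in the reply, with and without the trailing $. The AS paths, the 4-byte ASN 653001 and the "_65300_" variant are constructed for illustration.

```python
import re

# IOS treats "_" in an AS-path regex as a delimiter: start of string, end of
# string, space, comma, brace or parenthesis.
UNDERSCORE = r"(?:^|$|[ ,{}()])"


def ios_to_python(pattern):
    """Translate an IOS AS-path regex into a compiled Python regex."""
    return re.compile(pattern.replace("_", UNDERSCORE))


def evaluate(acl, as_path):
    """First matching entry wins; an as-path access-list ends in an implicit deny."""
    for action, pattern in acl:
        if ios_to_python(pattern).search(as_path):
            return action
    return "deny"


# The filter from the reply, the same filter with the $ removed, and a
# variant delimited on both sides (the last one is this example's assumption).
ACL_ORIGIN = [("deny", "(_65300)+$"), ("permit", ".*")]
ACL_NO_ANCHOR = [("deny", "(_65300)+"), ("permit", ".*")]
ACL_DELIMITED = [("deny", "_65300_"), ("permit", ".*")]

# Constructed AS paths as received from the upstream (leftmost = neighbor AS).
SAMPLE_PATHS = [
    "65400 65300",              # 65300 is the origin
    "65400 65300 65300 65300",  # origin with AS-path prepending
    "65400 65300 65200",        # 65300 is a transit AS, not the origin
    "65400 653001",             # unrelated ASN that starts with the same digits
    "65400 65200",              # unrelated path
]

if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        results = [evaluate(acl, path)
                   for acl in (ACL_ORIGIN, ACL_NO_ANCHOR, ACL_DELIMITED)]
        print(f"{path:26} origin={results[0]:6} "
              f"no-anchor={results[1]:6} delimited={results[2]}")
```

With the $ removed, the pattern has no trailing delimiter, so the constructed path "65400 653001" is also denied; the delimited variant matches 65300 anywhere in the path without that side effect.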


