automatic rtbh trigger using flow data

Joe Maimon jmaimon at jmaimon.com
Thu Aug 30 23:30:18 UTC 2018



Michel Py wrote:
>> Aaron Gould wrote :
>> Hi, does anyone know how to use flow data to trigger an RTBH (remotely triggered blackhole) route using BGP? ...I'm thinking we could use
>> quagga or a script of some sort to interact with a router to advertise to BGP the /32 host route of the victim under attack.
> Look at Exabgp : https://github.com/Exa-Networks/exabgp
> That's what I use in here : https://arneill-py.sacramento.ca.us/cbbc/ to inject the prefixes in BGP.
> I block the attacker's addresses, not the victim but if you are willing to write your own scripts it does the job.
>
> Michel.
>

I use a bunch of scripts plus a supervisory sqlite3 database process, all 
injecting into quagga.

Also aimed at attacker sources. I feed it with honeypots and live 
servers, hooked into fail2ban and using independent host scripts.

Not very sophisticated; the remotes use ssh-executed commands to 
add/delete. I also set up a promiscuous eBGP RR so I can extend my 
umbrella to CPE with diverse connectivity.

Using flow data sounds like an interesting direction to take this 
in, so thank you!

Joe
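As an added illustration of what the thread is circling around (flow data driving a /32 blackhole injected through ExaBGP's process API), here is a small controller written for this reply; it is not code from Aaron, Michel or Joe, nor from the ExaBGP or quagga projects. It reads a constructed, simplified CSV flow export (not real NetFlow/IPFIX), aggregates bytes per destination per 60-second window, and emits ExaBGP text-API `announce route ... community [65535:666]` lines when a protected /32 exceeds a bit-rate threshold, withdrawing the route after a few quiet windows. The blackhole next-hop, the protected prefix list, the threshold, the window size and the sample addresses are all assumptions; only the ExaBGP command syntax and the RFC 7999 BLACKHOLE community are real.

```python
"""Flow-triggered RTBH via ExaBGP's process API (added example, not from the thread)."""
import csv
import io
import ipaddress
import sys
from collections import defaultdict

# Assumptions (not from the thread): a discard-routed next-hop on the edge routers,
# the RFC 7999 BLACKHOLE well-known community, a 1 Gbit/s per-/32 trigger,
# 60 s flow windows and three quiet windows before the route is withdrawn.
BLACKHOLE_NEXTHOP = "192.0.2.1"
BLACKHOLE_COMMUNITY = "65535:666"
BPS_THRESHOLD = 1_000_000_000
WINDOW_SECONDS = 60
CLEAR_WINDOWS = 3
# Only our own address space may ever be blackholed; anything else is ignored,
# so a bad flow record cannot make the script null-route a third party.
PROTECTED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample export (simplified CSV): a UDP flood at 203.0.113.10 that
# lasts one window, plus background traffic to 203.0.113.44.
SAMPLE_FLOWS = """\
ts,src,dst,proto,bytes,pkts
1535671800,198.51.100.7,203.0.113.10,17,5000000000,4000000
1535671800,198.51.100.9,203.0.113.10,17,4500000000,3600000
1535671800,198.51.100.20,203.0.113.44,6,120000,900
1535671860,198.51.100.7,203.0.113.10,17,2000000,1500
1535671920,198.51.100.20,203.0.113.44,6,130000,950
1535671980,198.51.100.20,203.0.113.10,6,90000,700
1535672040,198.51.100.20,203.0.113.10,6,90000,700
"""


def parse_flows(text):
    """Parse the simplified CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": int(row["ts"]),
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "proto": int(row["proto"]),
            "bytes": int(row["bytes"]),
        })
    return rows


def bps_per_dst(flows):
    """Sum bytes per (window index, destination) and convert to bit/s."""
    byte_totals = defaultdict(int)
    for f in flows:
        byte_totals[(f["ts"] // WINDOW_SECONDS, f["dst"])] += f["bytes"]
    return {k: v * 8 / WINDOW_SECONDS for k, v in byte_totals.items()}


def is_protected(addr):
    return any(addr in net for net in PROTECTED_PREFIXES)


def announce_cmd(addr):
    """ExaBGP text-API line injecting a /32 host route tagged BLACKHOLE."""
    return (f"announce route {addr}/32 next-hop {BLACKHOLE_NEXTHOP} "
            f"community [{BLACKHOLE_COMMUNITY}]")


def withdraw_cmd(addr):
    return f"withdraw route {addr}/32 next-hop {BLACKHOLE_NEXTHOP}"


class RtbhController:
    """Tracks which /32s are blackholed and how many consecutive quiet windows each has seen."""

    def __init__(self):
        self.active = {}  # addr -> consecutive quiet windows

    def step(self, window_bps):
        """Evaluate one window ({dst: bit/s}); return the ExaBGP commands to emit."""
        cmds = []
        for dst, bps in window_bps.items():
            if bps >= BPS_THRESHOLD and is_protected(dst):
                if dst not in self.active:
                    cmds.append(announce_cmd(dst))
                self.active[dst] = 0  # (re)start the quiet counter
        for dst in list(self.active):
            if window_bps.get(dst, 0) >= BPS_THRESHOLD:
                continue
            self.active[dst] += 1
            if self.active[dst] >= CLEAR_WINDOWS:
                cmds.append(withdraw_cmd(dst))
                del self.active[dst]
        return cmds


def run(flow_text):
    """Replay the export window by window (empty windows count as quiet); return all commands."""
    stats = bps_per_dst(parse_flows(flow_text))
    if not stats:
        return []
    indices = [w for w, _ in stats]
    ctl = RtbhController()
    out = []
    for w in range(min(indices), max(indices) + 1):
        window = {dst: bps for (wi, dst), bps in stats.items() if wi == w}
        out.extend(ctl.step(window))
    return out


if __name__ == "__main__":
    # Run under an ExaBGP "process" stanza with the text encoder: each line written
    # to stdout becomes a BGP update on the configured neighbors.
    for line in run(SAMPLE_FLOWS):
        sys.stdout.write(line + "\n")
        sys.stdout.flush()
```

On the sample data this announces 203.0.113.10/32 in the first window and withdraws it three quiet windows later; a flood aimed at an address outside PROTECTED_PREFIXES produces no command at all, which is the check worth keeping when the trigger is fully automatic.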



More information about the NANOG mailing list