I was wondering if anyone has a howto floating around on the
step by step setup of having an internal bgp peer for sending
quick updates to border routers to null route sources of
undesirable traffic? I've seen it discussed on nanog from
time to time, typically suggesting using Zebra, but could
not search up a link on a step by step.
Thanks,
David
Take a look here for starters:
http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
Searching through NANOG archives will return a couple of sessions
that went through the other vendor configs for such functionality.
Maybe I read your question wrong, but null-routing things at your border is
often not very useful if the traffic is flooding your transit links. Most
transits publish their community lists - you just need to tag the prefix you
want to blackhole with the right community.
See example from HE: http://www.he.net/adm/blackhole.html
<http://www.he.net/adm/blackhole.html>-Jack Carrozzo
Also:
http://docs.as701.net/tmp/CustomerBlackhole.txt
Remember to set eBGP multihop on sessions for the next-hop rewrite capability 
- Jared
Also:
http://docs.as701.net/tmp/CustomerBlackhole.txt
Remember to set eBGP multihop on sessions for the next-hop rewrite capability
oh hey, I was looking for that! 
(I'll try to re-setup the
www.secsup.org links tonight) ... this is a 'how to setup so a
customer can blackhole', which you should be able to easily hack to
'make my quagga server a customer, make him be able to blackhole all
of 0/0 by /32s'
keep in mind also that somethings do not react well to k's of /32's ...
I can't give you a step-by-step with configuration examples off the top
of my head, but, hopefully this helps:
1. Create a static anchor route to a magic "next-hop" value
such as 192.168.99.99 or whatever you choose.
2. Configure all your routers to route 192.168.99.99 to null.
3. Advertise that into your iBGP mesh from the blackhole anchor
router.
Owen
I actually did a blog entry just a couple weeks ago about this with relatively step by step [cisco] instructions.
http://jonsblog.lewis.org/2011/02/05#blackhole
I'm curious what others think of the setup.
This is certainly true. Although most "big transit networks" offer
this feature today, there are some important differences in what some
of them will and won't accept. Some will only learn /32s, some say
they'll accept /30-/32 but nothing shorter, some will honor anything
you send them. This may be undocumented.
Some networks seem to have forgotten about this feature when
implementing IPv6, even though it is offered for IPv4.
I don't see any value in not accepting a RTBH /24 but accepting a /30.
I also don't know of any platform issues which would make deploying
RTBH for IPv6 BGP customers any more difficult than doing so for IPv4.
Ultimately it depends on the transit provider.
For example, some have you set up a separate BGP session with a black hole
router. Any prefix sent will be blackholed network wide.
Some, such as the case of Level3, they are looking for specific community tags
on your primary BGP session.
So in a nutshell...lets blackhole a host:
ip route x.x.x.x 255.255.255.255 null0 tag 255
Then set up a static-to-bgp with route-map to add community strings (for
example 3356:9999 for level3) to your routes with tag 255.
route-map STATIC-TO-BGP permit 10
match tag 255
set community 3356:9999
set origin igp
And in your BGP config:
redistribute static route-map STATIC-TO-BGP
Now, for the case of level3, you're already set (just be sure to apply
send-community on the neighbor).
Now for a provider having a unique blackhole BGP session, you want a special
route-map to filter prefixes going out that session:
ip community-list BLACKHOLE seq 10 permit 3356:9999
route-map BLACKHOLE permit 10
match community BLACKHOLE
Now for the blackhole session:
neighbor <blackhole_peer> route-map out BLACKHOLE
It can get more complicated than this (for example, you've got more than one
EBGP router) but this is just a simple case.
I hope it helps...
~Randy
Team Cymru has some really good examples on how to configure something
similar (utilizing their BOGON feed).
http://www.team-cymru.org/Services/Bogons/bgp.html
Scroll down to "AUTOMATICALLY FILTERING BOGONS" for IOS, JUNOS, etc examples
I was wondering if anyone has a howto floating around on the
step by step setup of having an internal bgp peer for sending
quick updates to border routers to null route sources of
undesirable traffic? I've seen it discussed on nanog from
time to time, typically suggesting using Zebra, but could
not search up a link on a step by step.Thanks,
I'd include:
in your list of reading materials.