[137912] in North American Network Operators' Group


Re: Howto for BGP black holing/null routing

daemon@ATHENA.MIT.EDU (Christopher Morrow)
Tue Feb 22 17:06:06 2011

In-Reply-To: <A17CCA08-E5BB-4E4E-AE62-CBA9EEA65BD2@puck.nether.net>
Date: Tue, 22 Feb 2011 17:06:00 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Jared Mauch <jared@puck.nether.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

2011/2/22 Jared Mauch <jared@puck.nether.net>:
> Also:
>
> http://docs.as701.net/tmp/CustomerBlackhole.txt
>
> Remember to set eBGP multihop on sessions for the next-hop rewrite capability :)


oh hey, I was looking for that! :) (I'll try to re-setup the
www.secsup.org links tonight) ... this is a 'how to setup so a
customer can blackhole', which you should be able to easily hack to
'make my quagga server a customer, make him be able to blackhole all
of 0/0 by /32s'

keep in mind also that some things do not react well to k's of /32's ...

> - Jared
>
> On Feb 22, 2011, at 4:54 PM, Łukasz Bromirski wrote:
>
>> On 2011-02-22 22:42, David Hubbard wrote:
>>> I was wondering if anyone has a howto floating around on the
>>> step by step setup of having an internal bgp peer for sending
>>> quick updates to border routers to null route sources of
>>> undesirable traffic? I've seen it discussed on nanog from
>>> time to time, typically suggesting using Zebra, but could
>>> not search up a link on a step by step.
>>
>> Take a look here for starters:
>> http://www.cisco.com/web/about/security/intelligence/blackhole.pdf
>>
>> Searching through NANOG archives will return a couple of sessions
>> that went through the other vendor configs for such functionality.
>>
>> --
>> "There's no sense in being precise when |               Łukasz Bromirski
>> you don't know what you're talking     |      jid:lbromirski@jabber.org
>> about."               John von Neumann |    http://lukasz.bromirski.net
>
>
>

