Remote Trigger Black Hole Filtering

Remotely Triggered Blackhole Filtering

  • We will use BGP to trigger a network wide response to an attack 
  • A simple static route and BGP will enable a network-wide destination address blackhole as fast as iBGP can update the network 
  • This provides a tool that can be used to respond to security related events and forms a foundation for other remote triggered uses 
  • Often referred to as RTBH


Step 1: Prepare All the Routers with Trigger

  • Select a small block that will not be used for anything other than blackhole filtering; TEST-NET (192.0.2.0/24) is a good choice since it should not be in use on the network
  • Put a static route for a /32 from TEST-NET (192.0.2.0/24) to Null0 on every edge router in the network

ip route 192.0.2.1 255.255.255.255 Null0 


Step 2: Prepare the Trigger Router

  • The trigger router is the device that injects the iBGP announcement into the ISP's network
  • Should be part of the iBGP mesh, but does not have to accept routes
  • Can be a separate router (recommended)
  • Can be a production router
  • Can be a workstation running Zebra/Quagga (driven by Perl scripts and other tools)

Step 3: Activate the Blackhole

  • Add a static route to the destination to be blackholed; the static is added with "tag 66" to keep it separate from the other statics on the router

ip route 172.19.61.1 255.255.255.255 Null0 tag 66

  • The BGP advertisement goes out to all BGP-speaking routers
  • Routers receive the BGP update and "glue" it to the existing static route; through recursive next-hop resolution, the next hop becomes Null0

Figure: Customer is DoSed (after): packet drops are pushed to the edge
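The "glue" step above, as an added illustration that is not part of the original post: a small Python model of one edge router's routing table shows the trigger router announcing only tag-66 statics with the next hop rewritten to 192.0.2.1, and the edge router resolving that next hop recursively to Null0. It also shows the failure mode on a router where Step 1 was skipped. The interface names, the default route and the unrelated static are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

BLACKHOLE_NH = "192.0.2.1"   # the TEST-NET /32 every edge router points at Null0 (Step 1)

def trigger_announce(statics):
    """Trigger router: only statics carrying tag 66 are redistributed into iBGP,
    with the next hop rewritten to the blackhole address. statics: prefix -> (next_hop, tag)."""
    return {p: BLACKHOLE_NH for p, (_nh, tag) in statics.items() if tag == 66}

def edge_rib(has_trigger_static):
    """Constructed RIB for one edge router: prefix -> next hop (interface name, 'Null0', or IP)."""
    rib = {ip_network("10.0.0.0/30"): "GigabitEthernet0/0",   # assumed link to upstream
           ip_network("0.0.0.0/0"): "10.0.0.1"}               # assumed default via upstream
    if has_trigger_static:
        rib[ip_network("192.0.2.1/32")] = "Null0"             # the Step 1 static
    return rib

def longest_match(rib, dst):
    addr = ip_address(dst)
    hits = [p for p in rib if addr in p]
    return max(hits, key=lambda p: p.prefixlen) if hits else None

def resolve(rib, dst, depth=0):
    """Recursive lookup, as a router does when it glues a BGP route to its next hop.
    Returns the final outgoing interface name or 'Null0' (drop)."""
    if depth > 8:
        return None                      # guard against a resolution loop
    p = longest_match(rib, dst)
    if p is None:
        return None
    nh = rib[p]
    if not nh[0].isdigit():              # an interface or Null0: resolution is finished
        return nh
    return resolve(rib, nh, depth + 1)   # an IP next hop: look it up again

def apply_update(rib, announced):
    """Install the iBGP-learned /32s; the RIB stores the BGP next hop, not an interface."""
    for p, nh in announced.items():
        rib[ip_network(p)] = nh
    return rib

def egress_for(rib, dst):
    return resolve(rib, dst)

if __name__ == "__main__":
    statics = {"172.19.61.1/32": ("Null0", 66),      # the Step 3 trigger static
               "198.51.100.0/24": ("10.9.9.9", 0)}   # constructed unrelated static, no tag
    ann = trigger_announce(statics)
    print(egress_for(apply_update(edge_rib(True), ann), "172.19.61.1"))   # Null0: dropped at the edge
    print(egress_for(apply_update(edge_rib(False), ann), "172.19.61.1"))  # GigabitEthernet0/0: forwarded
```

The second lookup is why Step 1 insists on every edge router: without the local 192.0.2.1/32 to Null0, the next hop resolves through the default route and the attack traffic is forwarded instead of dropped.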

