Intrusion Prevention

Blackhole routes via BGP peer feed

04-23-2018 11:44 PM

Hello.

I'm having problems implementing blackhole routes on the MX platform for bad networks that we get as a feed from an EBGP peer. All traffic with a destination of a prefix that is in the BGP feed should be next-hopped to the discard interface dsc.0.

I have been looking around for different implementations, and with filter logs on dsc.0 I get zero hits. The BGP feed provider has given me a Cisco template of the setup and I think this is the correct configuration for JUNOS, but something is not working.

BGP routes from the peer end up in the routing table with state "hidden":

show route hidden extensive

x.x.x.x/21 (1 entry, 0 announced)
BGP Preference: 170/-101
Next hop type: Unusable, Next hop index: 0
Address: 0x3750298
Next-hop reference count: 1464
State: <Hidden Ext>
Local AS:  Peer AS: xxxx
Age: 3d 21:18:03 Metric: 0
Validation State: unverified
Task: BGP_
AS path:  I
Communities:  no-export
Accepted
Localpref: 100
Router ID: xx.xx.xx.xx
Indirect next hops: 1
Protocol next hop: 192.0.2.1
Indirect next hop: 0x0 - INH Session ID: 0x0

The network is not using the dsc.0 interface for the next-hop:

show route x.x.x.x/21

x.x.x.x/21 *[BGP/170] 1d 05:35:07, localpref 100
AS path: xx I, validation-state: unverified
>  via ge-1/1/0.0
[BGP/170] 1d 05:35:17, localpref 100, from 10.40.0.1
AS path: xx I, validation-state: unverified
> to  via ae0.0

Configuration:

BGP group

type external;
import dsc-feed;
export deny-all;
peer-as xxxx;
neighbor x.x.x.x {
    multihop {
        ttl 255;
    }
    local-address xx.xx.xx.xx;
    family inet {
        unicast;
    }
}

Policy-statement

policy-statement dsc-feed {
    from {
        family inet;
        community blackhole-routes;
    }
    then {
        community set blackhole-routes;
        next-hop 192.0.2.2;
        accept;
    }
}

community blackhole-routes members [ xxxx:1000 xxxx:2000 xxxx:3000 ];

dsc interface

dsc {
    unit 0 {
        family inet {
            filter {
                input log-discard;
                output log-discard;
            }
            address 192.0.2.102/32 {
                destination 192.0.2.2;
            }
        }
    }
}

Re: Blackhole routes via BGP peer feed

04-24-2018 01:28 AM

Hello,

You don't need 192.0.2.1 nexthop, change Your policy to point to "discard":

policy-statement blah {
    from {
        family inet;
        community blackhole-routes;
    }
    then {
        community set blackhole-routes;
        next-hop discard;
        accept;
    }
}

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !

Re: Blackhole routes via BGP peer feed

04-24-2018 06:37 AM

You're trying to count the packets that get discarded? Then you do need the dsc interface configuration, but you also need a static discard route for the dsc.0 destination IP, otherwise you get the 'Unusable next hop' that you see. You should see a route in the table to the dsc.0 destination, with the discard next-hop. Depending on your config, you may also need to allow the two addresses associated with dsc.0 in the system bogon filter - 'set routing-options martians {IP address} exact allow'.

Discard interface example is at https://www.juniper.net/documentation/en_US/junos/topics/example/policy-discard-interface.html. The Juniper example for Team Cymru's bogon feed mentions the martians - https://www.team-cymru.com/bgp-examples.html#juniper-trad.

Hope this helps.

Re: Blackhole routes via BGP peer feed

04-24-2018 07:35 AM

Hello.

Thanks for your input. Yes, logging of the packets is a must in my case, to see how many packets are dropped.

The current static route for the dsc network is configured according to this article:

https://www.juniper.net/documentation/en_US/junos/topics/example/policy-discard-interface.html

set routing-options static route 192.0.2.102/32 next-hop 192.0.2.101

In my situation I use

set routing-options static route 192.0.2.102/32 next-hop 192.0.2.2

Show route output:

show route 192.0.2.102

192.0.2.102/32 *[Local/0] 1d 01:58:21
Local via dsc.0
[Static/5] 00:18:18
> to 192.0.2.2 via dsc.0

show route 192.0.2.2

192.0.2.2/32 *[Direct/0] 1d 01:58:57
> via dsc.0

The prefix still shows up as hidden in the routing table:

xx.xx.xx.xx/18 (1 entry, 0 announced)
BGP Preference: 170/-101
Next hop type: Unusable, Next hop index: 0
Address: 0x3750298
Next-hop reference count: 1462
State: <Hidden Ext>
Local AS: xxxx Peer AS: xxxx
Age: 4d 5:24:46 Metric: 0
Validation State: unverified
Task: BGP_xxxx.xx.xx.xx.xx
AS path: xxxx I
Communities: xxxx:1000 no-export
Accepted
Localpref: 100
Router ID: xx.xx.xx.xx
Indirect next hops: 1
Protocol next hop: 192.0.2.1
Indirect next hop: 0x0 - INH Session ID: 0x0

Solution
Accepted by topic author sesa
04-24-2018 11:36 PM

Re: Blackhole routes via BGP peer feed

04-24-2018 09:29 AM

The hidden routes have a protocol next-hop of 192.0.2.1.  Are you receiving the routes from the blackhole service with that next-hop set?  It almost seems like your input filter for the blackhole routes isn't changing the next-hop properly, although I don't see anything misconfigured in what you have provided.

You could quickly test by just doing a static discard route for 192.0.2.1 - 'set routing-options static route 192.0.2.1/32 discard'.  If the routes go active at that point, that implies a problem with the input filter.

Re: Blackhole routes via BGP peer feed

04-24-2018 11:16 AM

Hello,

If Your eBGP peer has already manipulated NH of the prefixes in question to be 192.0.2.1 BEFORE sending the prefixes to You, then You need this knob under eBGP group/peer:

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/accept-re...

But better tell Your eBGP peer admin to stop doing this since You are also overwriting this NH - second time.

HTH

Thx
Alex

Re: Blackhole routes via BGP peer feed

04-24-2018 11:38 PM

Correct, that was the problem.

I added a static route for 192.0.2.1/32 next-hop 192.0.2.2 (destination discard interface).

Packets are coming in and they are getting logged.

Thanks a lot for your help!
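The working design pieced together across the replies (the discard interface, the static routes that make the feed's protocol next-hop 192.0.2.1 resolve over dsc.0, the optional martian exceptions and the import policy), assembled here as one set-style Junos configuration. This is an added example, not the poster's configuration or Juniper's documentation; the group name blackhole-feed, the body of the log-discard filter and the counter name blackholed are assumptions.

```junos
## Added example (not the poster's configuration): the complete blackhole design
## from this thread. Group name, filter body and counter name are assumptions.

## Discard interface: its destination address is the next-hop the import policy sets.
set interfaces dsc unit 0 family inet filter input log-discard
set interfaces dsc unit 0 family inet filter output log-discard
set interfaces dsc unit 0 family inet address 192.0.2.102/32 destination 192.0.2.2

## Static routes over dsc.0. The second one is the fix from the thread: the feed
## sets protocol next-hop 192.0.2.1, which must resolve or the routes stay hidden.
set routing-options static route 192.0.2.102/32 next-hop 192.0.2.2
set routing-options static route 192.0.2.1/32 next-hop 192.0.2.2

## Only needed when these addresses fall under a configured martian (see replies).
set routing-options martians 192.0.2.1/32 exact allow
set routing-options martians 192.0.2.2/32 exact allow

## Feed communities from the original post.
set policy-options community blackhole-routes members [ xxxx:1000 xxxx:2000 xxxx:3000 ]

## Import policy: accept only tagged prefixes, rewrite next-hop, drop everything else.
set policy-options policy-statement dsc-feed term feed from family inet
set policy-options policy-statement dsc-feed term feed from community blackhole-routes
set policy-options policy-statement dsc-feed term feed then community set blackhole-routes
set policy-options policy-statement dsc-feed term feed then next-hop 192.0.2.2
set policy-options policy-statement dsc-feed term feed then accept
set policy-options policy-statement dsc-feed then reject

## Never export anything to the feed peer.
set policy-options policy-statement deny-all then reject

## eBGP multihop session to the feed provider (placeholders as in the thread).
set protocols bgp group blackhole-feed type external
set protocols bgp group blackhole-feed import dsc-feed
set protocols bgp group blackhole-feed export deny-all
set protocols bgp group blackhole-feed peer-as xxxx
set protocols bgp group blackhole-feed neighbor x.x.x.x multihop ttl 255
set protocols bgp group blackhole-feed neighbor x.x.x.x local-address xx.xx.xx.xx
set protocols bgp group blackhole-feed neighbor x.x.x.x family inet unicast

## Assumed body of the log-discard filter: count and log what reaches dsc.0.
set firewall family inet filter log-discard term all then count blackholed
set firewall family inet filter log-discard term all then log
set firewall family inet filter log-discard term all then discard
```

After commit, 'show route hidden' should no longer list the feed prefixes, and 'show firewall filter log-discard' shows the assumed blackholed counter climbing as traffic to them is dropped.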