Routing

hy guys, we have been experienced some attacks comming from the outside network to some of my customers.

Instead of directly blocking those ips, I  would like to advertise my peer for him to block, this way there would not be bandwith waste nor the attack neither.

I have been reading about rtbh but steel can not find good examples or documents for my mx960.

Currently we only have one active bgp peer.

The config is pretty straight-forward:

leandro@edge> show configuration protocols bgp                                    
traceoptions {
    file bgplog size 10m files 10 world-readable;
    flag state detail;
}
mtu-discovery;
log-updown;
damping;
group eBGP_PEER {
    type external;
    local-address XX.XX.XX.110;
    import RCV_FROM_PEER;
    family inet {
        unicast {
            prefix-limit {
                maximum 500000;
            }
        }
    }
    export ADV_TO_PEER;
    peer-as 3549;
    neighbor XX.XX.XX.109 {
        description Section_eBGP_with_PEER;
        multihop;
        local-as 11111 loops 2;
    }
}

leandro@edge> show configuration policy-options policy-statement ADV_TO_PEER   
term static {
    from {
        route-filter 22.22.22.0/21 exact;
        route-filter 33.33.33.0/21 exact;
    }
    then accept;
}
term rest {
    then reject;
}

Some comment / ideas / usefull links would be wellcome,

Regards,

Leandro.

You would need to make sure that your upstream supports RTBH, otherwise, it doesn't do any good. They should provide you with a community to use for this, where you would advertise specific prefixes (usually a /32 host route) to them, with this community attached to it, and their routers set the next-hop to something like 'discard' or 'null0'.

For instance, if your provider gives you community string 111:2222 for RTBH routes, you would simply make a policy like this:

policy-statement RTBH-OUT {
	term rtbh {
		from {
			route-filter 22.22.24.15/32 exact;
			route-filter 33.33.36.54/32 exact;
                        }
		}
		then {
                   community add RTBH-comm;
                   accept;
                }
	}
}
community RTBH-comm members 111:2222;

Apply this policy as the first 'export' policy on your upstream neighbor. Of course, you need to make sure that BGP has the /32 prefix in its routing table, so one way to do that would be to add a static route in your edge router for that IP:

set routing-options static route 22.22.24.15/32 next-hop discard
set routing-options static route 33.33.36.54/32 next-hop discard

 Again, this all depends on whether your upstream provider even supports RTBH. 

EDIT: Sorry, my logic was backwards - fixed above.

Hi.

Alternatively you can use the BGP flow specification.
In the next link you can find information about that.

https://www.juniper.net/documentation/en_US/junos12.1/topics/example/routing-bgp-flow-specification-routes.html

leostero,

The first response had the logic a bit mixed up. I've edited the post to note it as such and fixed it. Sorry, doing too many things at once.

Thanks !! can you post the complete config ?

Using your config above, here's the full example:

routing-options {
    static {
        route 22.22.24.15/32 next-hop discard;
        route 33.33.36.54/32 next-hop discard;
    }
    autonomous-system 11111;
}
protocols {
    bgp {
        traceoptions {
            file bgplog size 10m files 10 world-readable;
            flag state detail;
        }
        mtu-discovery;
        log-updown;
        damping;
        group eBGP_PEER {
            type external;
            local-address 1.2.3.110;
            import RCV_FROM_PEER; 
            family inet {
                unicast {
                    prefix-limit {
                        maximum 500000;
                    }
                }
            }
            export [ RTBH-OUT ADV_TO_PEER ];
            peer-as 3549;
            neighbor 1.2.3.109 {
                description Section_eBGP_with_PEER;
                multihop;
                local-as 11111 loops 2;
            }
        }
    }
}
policy-options {
    policy-statement ADV_TO_PEER {
        term static {
            from {
                route-filter 22.22.22.0/21 exact;
                route-filter 33.33.33.0/21 exact;
            }
            then accept;
        }
        term rest {
            then reject;
        }
    }
    policy-statement RTBH-OUT {
        term rtbh {
            from {
                route-filter 22.22.24.15/32 exact;
                route-filter 33.33.36.54/32 exact;
            }
        }
        then {
            community add RTBH-comm;
            accept;
        }
    }
    policy-statement static-to-ospf {
        term 1 {
            from protocol static;
            then accept;
        }
    }
    community RTBH-comm members 111:2222;
}

thanks a lot !!!

One more question about rtbh.

On this setting its me or my bgp peer who will discard the packets comming from 22.22.24.15 and 33.33.36.54 ?

This does not discard traffic coming *from* those IPs - it only discards traffic going *to* those IPs. Source-based RTBH is significantly more complicated to manage.

EDIT: But to answer your question, both you and your ISP would drop traffic to those addresses, depending on whether you propagate the RTBH throughout your own network.