Routing

RTBH on mx960.

12-28-2015 07:56 AM

Hi guys, we have been experiencing some attacks coming from the outside network to some of my customers.

Instead of directly blocking those IPs, I would like to advertise them to my peer for him to block; this way there would be no bandwidth waste and no attack either.

I have been reading about RTBH but still can not find good examples or documents for my mx960.

Currently we only have one active bgp peer.

The config is pretty straight-forward:


leandro@edge> show configuration protocols bgp
traceoptions {
    file bgplog size 10m files 10 world-readable;
    flag state detail;
}
mtu-discovery;
log-updown;
damping;
group eBGP_PEER {
    type external;
    local-address XX.XX.XX.110;
    import RCV_FROM_PEER;
    family inet {
        unicast {
            prefix-limit {
                maximum 500000;
            }
        }
    }
    export ADV_TO_PEER;
    peer-as 3549;
    neighbor XX.XX.XX.109 {
        description Section_eBGP_with_PEER;
        multihop;
        local-as 11111 loops 2;
    }
}

leandro@edge> show configuration policy-options policy-statement ADV_TO_PEER
term static {
    from {
        route-filter 22.22.22.0/21 exact;
        route-filter 33.33.33.0/21 exact;
    }
    then accept;
}
term rest {
    then reject;
}

Some comments / ideas / useful links would be welcome,

Regards,

Leandro.


Re: RTBH on mx960.

[ Edited ]
12-28-2015 09:28 AM

You would need to make sure that your upstream supports RTBH, otherwise, it doesn't do any good. They should provide you with a community to use for this, where you would advertise specific prefixes (usually a /32 host route) to them, with this community attached to it, and their routers set the next-hop to something like 'discard' or 'null0'.


For instance, if your provider gives you community string 111:2222 for RTBH routes, you would simply make a policy like this:


policy-statement RTBH-OUT {
    term rtbh {
        from {
            route-filter 22.22.24.15/32 exact;
            route-filter 33.33.36.54/32 exact;
        }
        then {
            community add RTBH-comm;
            accept;
        }
    }
}
community RTBH-comm members 111:2222;

Apply this policy as the first 'export' policy on your upstream neighbor. Of course, you need to make sure that BGP has the /32 prefix in its routing table, so one way to do that would be to add a static route in your edge router for that IP:

set routing-options static route 22.22.24.15/32 next-hop discard
set routing-options static route 33.33.36.54/32 next-hop discard

Again, this all depends on whether your upstream provider even supports RTBH.


EDIT: Sorry, my logic was backwards - fixed above.


Re: RTBH on mx960.

12-28-2015 09:50 AM

Hi.

Alternatively you can use the BGP flow specification.
In the next link you can find information about that.


https://www.juniper.net/documentation/en_US/junos12.1/topics/example/routing-bgp-flow-specification-...

Mario Perez
JNCIE-SP, JNCIP-ENT, JNCIP-SEC
Sales Advisor.
Technical Master.
Champions Ingenius.
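As an added example of the flow-specification alternative mentioned in this reply (it is not taken from the reply or from the linked Juniper document), the configuration below installs a BGP flow-spec route on the edge router that discards traffic destined to one of the attacked hosts from the original post and enables the flow address family towards the existing upstream group. It assumes the upstream peer negotiates `family inet flow`; the route name `drop-to-22-22-24-15` is an arbitrary placeholder.

```junos
routing-options {
    flow {
        /* placeholder name; any flow-spec route name works */
        route drop-to-22-22-24-15 {
            match {
                /* match on destination only: drops everything sent to the attacked host */
                destination 22.22.24.15/32;
            }
            then discard;
        }
    }
}
protocols {
    bgp {
        group eBGP_PEER {
            family inet {
                unicast;
                /* flow-spec NLRI must be negotiated with the peer, or the rule stays local */
                flow;
            }
        }
    }
}
```

Unlike the RTBH /32 in the other replies, the flow-spec route lives in the `inetflow.0` table rather than `inet.0`, so `show route table inetflow.0` is where to confirm it is installed and advertised. The same match block can be narrowed to a protocol or port so that only the attack traffic is dropped while other traffic to the customer still flows.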
Solution accepted by topic author leostereo, 12-29-2015 04:47 AM

Re: RTBH on mx960.

12-28-2015 11:39 AM

leostereo,

The first response had the logic a bit mixed up. I've edited the post to note it as such and fixed it. Sorry, doing too many things at once.


Re: RTBH on mx960.

12-29-2015 04:56 AM

Thanks !! can you post the complete config ?


Re: RTBH on mx960.

12-29-2015 05:18 AM

Using your config above, here's the full example:

routing-options {
    static {
        route 22.22.24.15/32 next-hop discard;
        route 33.33.36.54/32 next-hop discard;
    }
    autonomous-system 11111;
}
protocols {
    bgp {
        traceoptions {
            file bgplog size 10m files 10 world-readable;
            flag state detail;
        }
        mtu-discovery;
        log-updown;
        damping;
        group eBGP_PEER {
            type external;
            local-address 1.2.3.110;
            import RCV_FROM_PEER;
            family inet {
                unicast {
                    prefix-limit {
                        maximum 500000;
                    }
                }
            }
            export [ RTBH-OUT ADV_TO_PEER ];
            peer-as 3549;
            neighbor 1.2.3.109 {
                description Section_eBGP_with_PEER;
                multihop;
                local-as 11111 loops 2;
            }
        }
    }
}
policy-options {
    policy-statement ADV_TO_PEER {
        term static {
            from {
                route-filter 22.22.22.0/21 exact;
                route-filter 33.33.33.0/21 exact;
            }
            then accept;
        }
        term rest {
            then reject;
        }
    }
    policy-statement RTBH-OUT {
        term rtbh {
            from {
                route-filter 22.22.24.15/32 exact;
                route-filter 33.33.36.54/32 exact;
            }
            then {
                community add RTBH-comm;
                accept;
            }
        }
    }
    policy-statement static-to-ospf {
        term 1 {
            from protocol static;
            then accept;
        }
    }
    community RTBH-comm members 111:2222;
}
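Added here as a verification example, not part of the reply above: after committing that configuration, these operational commands confirm that the /32 exists as a discard route, that it passes `RTBH-OUT` on the box, and that it is actually being sent to the upstream with the `111:2222` community attached. The export chain order matters, because `ADV_TO_PEER` ends with a term that rejects everything that is not one of the two /21s, so a /32 would never reach the peer if `RTBH-OUT` were listed second; the last command shows the order that is in effect. The neighbour address 1.2.3.109 is the one used in the full example; no output is shown because it depends on the live session.

```junos
/* the /32 must be in inet.0 with a discard next hop before BGP can export it */
leandro@edge> show route 22.22.24.15/32

/* dry-run the export policy against the prefix without touching the peer */
leandro@edge> test policy RTBH-OUT 22.22.24.15/32

/* what the upstream actually receives; the Communities line should list 111:2222 */
leandro@edge> show route advertising-protocol bgp 1.2.3.109 22.22.24.15/32 detail

/* RTBH-OUT must come before ADV_TO_PEER in the export chain */
leandro@edge> show configuration protocols bgp group eBGP_PEER export
```

If the second command passes but the third shows nothing, check the export order first; if the prefix shows up without the community, the peer will treat it as an ordinary /32 announcement rather than a blackhole request.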

 


Re: RTBH on mx960.

01-04-2016 05:58 AM

thanks a lot !!!

One more question about rtbh.

With this setting, is it me or my BGP peer who will discard the packets coming from 22.22.24.15 and 33.33.36.54?


Re: RTBH on mx960.

[ Edited ]
01-04-2016 06:03 AM

This does not discard traffic coming *from* those IPs - it only discards traffic going *to* those IPs. Source-based RTBH is significantly more complicated to manage.


EDIT: But to answer your question, both you and your ISP would drop traffic to those addresses, depending on whether you propagate the RTBH throughout your own network.