If an IP in our network is under attack and we cannot block the source (for example, a DDoS attack), we can reroute the traffic at our ISPs using a BGP blackhole, so the attack traffic is rerouted before it reaches our routers.
1- BGP blackhole configuration on Router0 (Cogent)
We first create a BGP session with IP 66.x.x.x.
We apply the route-map BlackHole-Export to make sure that only the prefix we want is advertised to the BGP blackhole peer.
The following configuration assumes that we want to blackhole 208.x.x.x/32. To blackhole other IPs, the commands that include 208.x.x.x/32 must be added or changed accordingly. All other commands are already in place.
# set policy prefix-list BlackHole-Export rule 10 action 'permit'
# set policy prefix-list BlackHole-Export rule 10 prefix 208.x.x.x/32
# set policy route-map BlackHole-Export rule 10 action 'permit'
# set policy route-map BlackHole-Export rule 10 match ip address prefix-list 'BlackHole-Export'
# set protocols bgp 3xxxx neighbor 66.x.x.x remote-as '1xx'
# set protocols bgp 3xxxx neighbor 66.x.x.x password xxxxxx
# set protocols bgp 3xxxx neighbor 66.x.x.x route-map export 'BlackHole-Export'
# set protocols bgp 3xxxx neighbor 66.x.x.x update-source 199.103.59.1
# set protocols bgp 3xxxx neighbor 66.x.x.x ebgp-multihop '255'
# set protocols bgp 3xxxx neighbor 66.x.x.x description BGP_Blackhole_Peer_Cogent
# set protocols bgp 3xxxx network '208.x.x.x/32'
# set protocols static route 208.x.x.x/32 'blackhole'
For the change to take effect we need to reset the BGP session with the blackhole peer, and then check which routes are advertised to it:
# reset ip bgp 66.x.x.x
# show ip bgp neighbors 66.x.x.x advertised-routes
BGP table version is 0, local router ID is 199.x.x.x
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
   Network          Next Hop            Metric LocPrf Weight Path
*> 208.x.x.x/32     199.x.x.x                0         32768 i
Total number of prefixes 1
To remove the blackhole, it is enough to remove the blackhole static route:
# delete protocols static route 208.x.x.x/32
Also, we should not receive any routes from this peer, which is the desired behaviour:
# show ip bgp neighbors 66.x.x.x received-routes
% Inbound soft reconfiguration not enabled
2- BGP blackhole configuration on Router1 (HE)
For HE it is simpler and is done by adding the community string “6xxx:6xx” to the route that we want to blackhole.
Assuming we want to blackhole 208.x.x.x/32
The following commands are needed:
# set policy route-map BlackHole rule 10 action 'permit'
# set policy route-map BlackHole rule 10 set community '6xxx:6xx'
# set protocols bgp 3xxxx network 208.x.x.x/32 route-map 'BlackHole'
# set protocols static route 208.x.x.x/32 'blackhole'
To remove it, it is enough to remove the static route:
# delete protocols static route 208.x.x.x/32
This command shows all the commands related to the blackhole configuration:
# show configuration commands | grep -i blackhole
The only commands that need to be added or changed are those containing 208.x.x.x/32.
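
Because only the commands containing the target prefix change between incidents, they can be generated rather than typed by hand under pressure. The following is an added example, not part of the original configuration: it emits the per-prefix commands for both routers and refuses anything that is not a single /32 inside our own address space. The names OUR_PREFIXES, LOCAL_AS, validate_target, blackhole_commands and remove_commands are hypothetical, the 203.0.113.0/24 range is a constructed sample, and the rule parameter assumes each additional prefix gets its own prefix-list rule number.

```python
import ipaddress

# Constructed sample values: replace with your own address space and AS number.
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
LOCAL_AS = "<LOCAL_AS>"  # placeholder; the page redacts the real value


def validate_target(target):
    """Return the target as a /32 network, or raise ValueError.

    Guards against announcing anything wider than one host, or an address
    that is not ours, to the blackhole peer.
    """
    net = ipaddress.ip_network(target, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError(f"{target}: only IPv4 /32 host routes may be blackholed")
    if not any(net.subnet_of(p) for p in OUR_PREFIXES):
        raise ValueError(f"{target}: not inside our announced address space")
    return net


def blackhole_commands(target, method, rule=10):
    """Per-prefix commands from the page: 'peer' (Router0) or 'community' (Router1)."""
    net = validate_target(target)
    static = f"set protocols static route {net} 'blackhole'"
    if method == "peer":
        return [
            f"set policy prefix-list BlackHole-Export rule {rule} prefix {net}",
            f"set protocols bgp {LOCAL_AS} network '{net}'",
            static,
        ]
    if method == "community":
        return [
            f"set protocols bgp {LOCAL_AS} network {net} route-map 'BlackHole'",
            static,
        ]
    raise ValueError(f"unknown method {method!r}")


def remove_commands(target):
    """Removal as described on the page: delete only the static route."""
    return [f"delete protocols static route {validate_target(target)}"]


if __name__ == "__main__":
    for cmd in blackhole_commands("203.0.113.7/32", "peer"):
        print(cmd)
```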