BGP Black Hole Theory
Black hole mean, what goes into the black hole never come back and just throws away the traffic to an unknown destination.so no one wants their traffic go there either.
BGP Network blackhole is typically referring a routing machcanalicm used to filter and drop unwanted suspicious IP traffic over the ISP WAN. Generally Routing Black holes is created by service provider in their network in order to prevent suspicious traffic that coming from different source IP’s.
The question is, if your network is targeted under a DDoS attack than what is your strategy ??
BGP Black hole is a technique that can isolate and contain the attacks. Black hole is a way to re-direct unwanted internet traffic away from the target and unwanted internet traffic is marked and blocked so it never reaches to intended destination.
DDoS attacker always aiming a certain IP address may cause congestion of links used to connect to adjacent networks. In order to limit the impact of such a scenario on legitimate traffic, networks can adopted a mechanism called “BGP blackholing“.
For example, a customer can ask a provider to install black hole on its provider router to prevent unwanted traffic before it entering a customer’s network or before that.
BGP Blackholing theory is typically used to fight against enormous DDoS attacks which congest the physical connection between services provide and a customer router.
Nowadays, Network infrastructures have been significantly targeting and hampered by DDoS attacks all around the world every day. In order to void the effects of these DDoS attacks, IP networks have offered blackholing with BGP using various mechanisms.
Routing Black hole, as known as Null-route is used to mitigate DDoS attacks which trigger to exhaust victim’s internet Pipe capacity. When black hole is enabled, all traffic to victim IP-address is discarded by uplink service Providers.
BGP Blackholing Requirement-
The main role of ISP that enable blackhole service for their customer as per customer requirement and purpose. The service provider ensure the countermeasure to mitigate a DDoS attack in which network traffic is routed into a blackhole before it reaches to a customer network.
- Customer must be running BGP.
- BGP peering is must with Service Provider.
- Service provide involvement is must for blackhole traffic engineering.
- Customer mush have blackholing enabled on Router.
- Customer identifies IP or IP range under attack.
- Customer create a static routes to Null0 and announcement of the matching prefix with a route map set community.
- Customer-triggered blackholing with a BGP community.
Null interface is a virtual interface that could configure in cisco router that use for creating a black hole in the network. If a null route configured in cisco router it mean that network route that goes nowhere. And eventually matching packets will be dropped. Null interface routing stand as a black hole on the routers because it sends unwanted IP packets from a certain network to black hole before reaching them to the receiver.
R1(config)# ip route X.X.X.X 255.255.255.255 Null0
A Cisco IOS router also has an interface called null0. When traffic goes to that interface, the router just discards it. Thus, the null interface on the Cisco router is the Black hole.
A Sample Configuration for Blackhole Route at Customer.
ip route X.X.X.X 255.255.255.255 Null0
router bgp AS
network X.X.X.X mask 255.255.255.255 route-map Testblackhole
route-map Testblackhole permit 10
set community ProviderAS:666
Below network scenario that we use for testing of blackhole with ISP. In our scenario, an attacker spinning a DDoS attack targeting the customer server – 192.168.0.2/32. Below configuration will help to prevent the DDoS attack and unwanted traffic should be discarded on a router ISP. When the DDoS attack is ended, the static route 192.168.0.2/32 is removed from the customer router and withdrawn via BGP session from the ISP routers.
GNS3 Lab – BGP Black Hole
interface FastEthernet0/0 ip address 172.16.1.2 255.255.255.252 duplex auto speed auto ! interface FastEthernet0/1 ip address 192.168.0.1 255.255.255.0 duplex auto speed auto ! router bgp 200 no synchronization bgp log-neighbor-changes network 188.8.131.52 mask 255.255.255.255 network 192.168.0.0 network 192.168.0.2 mask 255.255.255.255 route-map blackhole neighbor 172.16.1.1 remote-as 100 neighbor 172.16.1.1 send-community no auto-summary ! ip forward-protocol nd ip route 192.168.0.2 255.255.255.255 Null0 ! ! no ip http server no ip http secure-server ! no cdp log mismatch duplex ! ! ! route-map blackhole permit 10 set community 100:666 !
interface FastEthernet0/0 ip address 172.16.1.1 255.255.255.252 duplex auto speed auto ! interface FastEthernet0/1 ip address 10.1.1.1 255.255.255.0 duplex auto speed auto ! router bgp 100 no synchronization bgp log-neighbor-changes network 10.1.1.0 mask 255.255.255.0 neighbor 172.16.1.2 remote-as 200 neighbor 172.16.1.2 ebgp-multihop 255 neighbor 172.16.1.2 prefix-list AS200-in in neighbor 172.16.1.2 route-map customer-R1 in no auto-summary ! ip forward-protocol nd ip route 192.0.2.1 255.255.255.255 Null0 ! ip bgp-community new-format ip community-list 10 permit 100:666 ! no ip http server no ip http secure-server ! ! ip prefix-list AS200-in seq 10 permit 192.168.0.2/32 no cdp log mismatch duplex ! ! ! route-map customer-R1 permit 10 match community 10 set community no-export set ip next-hop 192.0.2.1 !
Black Hole Validation
ISP#sh ip route Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2 E1 - OSPF external type 1, E2 - OSPF external type 2 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2 ia - IS-IS inter area, * - candidate default, U - per-user static route o - ODR, P - periodic downloaded static route Gateway of last resort is not set 172.16.0.0/30 is subnetted, 1 subnets C 172.16.1.0 is directly connected, FastEthernet0/0 10.0.0.0/24 is subnetted, 1 subnets C 10.1.1.0 is directly connected, FastEthernet0/1 192.168.0.0/32 is subnetted, 1 subnets B 192.168.0.2 [20/0] via 192.0.2.1, 00:01:38 192.0.2.0/32 is subnetted, 1 subnets S 192.0.2.1 is directly connected, Null0 ISP#
ISP#sh ip bgp BGP table version is 3, local router ID is 172.16.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, r RIB-failure, S Stale Origin codes: i - IGP, e - EGP, ? - incomplete Network Next Hop Metric LocPrf Weight Path *> 10.1.1.0/24 0.0.0.0 0 32768 i *> 192.168.0.2/32 192.0.2.1 0 0 200 i ISP#