BGP Black Hole Theory | BGP Black Hole Lab || Router Configuration

BGP Black Hole Theory

BGP Black Hole Theory

Black hole mean, what goes into the black hole never come back and just throws away the traffic to an unknown destination.so no one wants their traffic go there either.

BGP Network blackhole is typically referring a routing machcanalicm used to filter and drop unwanted suspicious   IP traffic over the ISP WAN. Generally Routing Black holes is created by service provider in their network in order to prevent suspicious traffic that coming from different source IP’s.

The question is, if your network is targeted under a DDoS attack than what is your strategy ??

BGP Black hole is a technique that can isolate and contain the attacks. Black hole is a way to re-direct unwanted internet traffic away from the target and unwanted internet traffic is marked and blocked so it never reaches to intended destination.



DDoS attacker always aiming a certain IP address may cause congestion of links used to connect to adjacent networks.  In order to limit the impact of such a scenario on legitimate traffic, networks can adopted a mechanism called “BGP blackholing“.

For example, a customer can ask a provider to install black hole on its provider router to prevent unwanted traffic before it entering a customer’s network or before that.

BGP Blackholing theory is typically used to fight against enormous DDoS attacks which congest the physical connection between services provide and a customer router.

Nowadays, Network infrastructures have been significantly targeting and hampered by DDoS attacks all around the world every day. In order to void the effects of these DDoS attacks, IP networks have offered blackholing with BGP using various mechanisms.

     💡

Routing Black hole, as known as Null-route is used to mitigate DDoS attacks which trigger to exhaust victim’s internet Pipe capacity. When black hole is enabled, all traffic to victim IP-address is discarded by uplink service Providers.


BGP Blackholing Requirement-

The main role of ISP that enable blackhole service for their customer as per customer requirement and purpose. The service provider ensure the countermeasure to mitigate a DDoS attack in which network traffic is routed into a blackhole before it reaches to a customer network.

Prerequisites

  • Customer must be running BGP.
  • BGP peering is must with Service Provider.
  • Service provide involvement is must for blackhole traffic engineering.
  • Customer mush have blackholing enabled on Router.
  • Customer identifies IP or IP range under attack.
  • Customer create a static routes to Null0 and announcement of the matching prefix with a route map set community.
  • Customer-triggered blackholing with a BGP community.

Null Interface-

Null interface is a virtual interface that could configure in cisco router that use for creating a black hole in the network. If a null route configured in cisco router it mean that network route that goes nowhere. And eventually matching packets will be dropped. Null interface routing stand as a black hole on the routers because it sends unwanted IP packets from a certain network to black hole before reaching them to the receiver.

R1(config)# ip route X.X.X.X 255.255.255.255 Null0

A Cisco IOS router also has an interface called null0. When traffic goes to that interface, the router just discards it. Thus, the null interface on the Cisco router is the Black hole.


A Sample Configuration for Blackhole Route at Customer.

conf t
ip route X.X.X.X 255.255.255.255 Null0
router bgp AS
network X.X.X.X mask 255.255.255.255 route-map Testblackhole
route-map Testblackhole permit 10
set community ProviderAS:666

Below network scenario that we use for testing of blackhole with ISP. In our scenario, an attacker spinning a DDoS attack targeting the customer server – 192.168.0.2/32. Below configuration will help to prevent the DDoS attack and unwanted traffic should be discarded on a router ISP. When the DDoS attack is ended, the static route 192.168.0.2/32 is removed from the customer router and withdrawn via BGP session from the ISP routers.

                                                                                   GNS3 Lab – BGP Black Hole 


Customer-R1

interface FastEthernet0/0
 ip address 172.16.1.2 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
!
router bgp 200
 no synchronization
 bgp log-neighbor-changes
 network 1.1.1.1 mask 255.255.255.255
 network 192.168.0.0
 network 192.168.0.2 mask 255.255.255.255 route-map blackhole
 neighbor 172.16.1.1 remote-as 100
 neighbor 172.16.1.1 send-community
 no auto-summary
!
ip forward-protocol nd
ip route 192.168.0.2 255.255.255.255 Null0
!
!
no ip http server
no ip http secure-server
!
no cdp log mismatch duplex
!
!
!
route-map blackhole permit 10
 set community 100:666
!

ISP Router

interface FastEthernet0/0
 ip address 172.16.1.1 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
router bgp 100
 no synchronization
 bgp log-neighbor-changes
 network 10.1.1.0 mask 255.255.255.0
 neighbor 172.16.1.2 remote-as 200
 neighbor 172.16.1.2 ebgp-multihop 255
 neighbor 172.16.1.2 prefix-list AS200-in in
 neighbor 172.16.1.2 route-map customer-R1 in
 no auto-summary
!
ip forward-protocol nd
ip route 192.0.2.1 255.255.255.255 Null0
!
ip bgp-community new-format
ip community-list 10 permit 100:666
!
no ip http server
no ip http secure-server
!
!
ip prefix-list AS200-in seq 10 permit 192.168.0.2/32
no cdp log mismatch duplex
!
!
!
route-map customer-R1 permit 10
 match community 10
 set community no-export
 set ip next-hop 192.0.2.1
!

Black Hole Validation

ISP#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
 D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
 N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
 E1 - OSPF external type 1, E2 - OSPF external type 2
 i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
 ia - IS-IS inter area, * - candidate default, U - per-user static route
 o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

172.16.0.0/30 is subnetted, 1 subnets
C 172.16.1.0 is directly connected, FastEthernet0/0
 10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, FastEthernet0/1
 192.168.0.0/32 is subnetted, 1 subnets
B 192.168.0.2 [20/0] via 192.0.2.1, 00:01:38
 192.0.2.0/32 is subnetted, 1 subnets
S 192.0.2.1 is directly connected, Null0
ISP#
ISP#sh ip bgp
BGP table version is 3, local router ID is 172.16.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
 r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

Network Next Hop Metric LocPrf Weight Path
*> 10.1.1.0/24 0.0.0.0 0 32768 i
*> 192.168.0.2/32 192.0.2.1 0 0 200 i
ISP#

Author: Ronnie Singh

Leave a Reply