North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: Blackholing traffic by ASN
- From: Deepak Jain
- Date: Wed Jan 30 18:57:44 2008
This is prior art. (Assuming your hardware has a hardware blackhole (or
you have a little router sitting on the end of a circuit)) you adjust
your route-map that would deny the entry to set a community or next-hop
pointing to your blackhole location.
Nowadays, most equipment can blackhole internally (to null0 say) at full
speed, so it isn't an issue. Just set your next hop to a good null0
style location on route import and you are done for traffic destined to
For inbound traffic from those locations you would need to do policy
routing (because you are looking up on source). If you are trying to
block SPAM or anything TCP related, you only need to block 1 direction
to end the conversation.
Sounds harsh, but hey, its your network.
Justin Shore wrote:
I'm sure all of us have parts of the Internet that we block for one
reason or another. I have existing methods for null routing traffic
from annoying hosts and subnets on our border routers today (I'm still
working on a network blackhole). However I've never tackled the problem
by targeting a bad guy's ASN. What's the best option for null routing
traffic by ASN? I could always add another deny statement in my inbound
eBGP route-maps to match a new as-path ACL for _BAD-ASN_ to keep from
accepting their routes to begin with. Are there any other good tricks
that I can employ?
I have another question along those same lines. Once I do have my
blackhole up and running I can easily funnel hosts or subnets into the
blackhole. What about funneling all routes to a particular ASN into the
blackhole? Are there any useful tricks here?
The ASN I'm referring to is that of the Russian Business Network. A
Google search should turn up plenty of info for those that haven't heard