Errors like "bgp1: Error: Hold timer expired"

Ondrej Zajicek santiago at crfreenet.org
Thu Jan 5 17:53:40 CET 2017


On Thu, Jan 05, 2017 at 04:11:25PM +0000, Roger Whittaker wrote:
> I'm trying to use bird to help prevent spam as described here:
> 
> https://debian-administration.org/article/715/Preventing_SPAM_connections_with_bird
> 
> I understand very little about BGP, so I'm really using that article
> as a "recipe", and have used the config file there more or less as is,
> except for changing the router id setting and enabling logging (and
> I've increased scan time to 600).

First, the config from the recipe is missing an important part, the
device protocol section:

  protocol device { }

That is responsible for these messages:

  2017-01-05 15:24:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2


> First question: is trying to use bird in this way in any case a
> sensible thing to do?

Well, BIRD is a good tool for this task. The real question is whether
using a public blacklist for hard SMTP blocking is a reasonable approach
to fight spam.


At least, it would be a good idea to add some filters, e.g. to ensure
that all prefix lengths are /32 and that IP ranges are not part of your
infrastructure. Also, I would suggest using a separate routing table for
that and then ensuring by netfilter and ip rules that it is applied just to
SMTP traffic.


> If so: second question - I'm seeing the following behaviour:
> 
> 2017-01-05 15:24:21 <INFO> Started
> 2017-01-05 15:24:21 <ERR> KRT: Received route 0.0.0.0/0 with unknown ifindex 2
> 2017-01-05 15:27:59 <RMT> bgp1: Error: Hold timer expired

The reason for 'Hold timer expired' is funny. The IP address of eu.bgp-spamd.net
is also on the blacklist:

  bird> show route 217.31.80.170/32
  217.31.80.170/32   blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]

Not sure if that is intentional or not.

By exporting that route to the kernel, you cut yourself off from the BGP neighbor and the session
fails. After that, blackhole routes are removed and the session may be reestablished.


-- 
Elen sila lumenn' omentielvo

Ondrej 'Santiago' Zajicek (email: santiago at crfreenet.org)
OpenPGP encrypted e-mails preferred (KeyID 0x11DEADC3, wwwkeys.pgp.net)
"To err is human -- to blame it on a computer is even more so."
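
Added example, not part of the original message or of BIRD: a Python audit of `show route` output that flags the cases discussed above (a blackhole route covering the BGP neighbor it was learned from, a prefix that is not /32, and a prefix inside your own ranges). The protected range 192.0.2.0/24 and all sample lines except the first are constructed assumptions.

```python
import ipaddress
import re

# Line layout follows the `show route` output quoted in the message.
ROUTE_RE = re.compile(
    r"^\s*(?P<prefix>\S+/\d+)\s+\S+\s+\[\S+\s+\S+\s+from\s+(?P<peer>[\d.]+)\]"
)

# First line is the route quoted in the message; the others are constructed.
SAMPLE = """\
217.31.80.170/32   blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
198.51.100.7/32    blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
203.0.113.0/24     blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
192.0.2.25/32      blackhole [bgp1 17:36:37 from 217.31.80.170] * (100) [AS65055i]
"""


def audit_routes(show_route_text, protected_nets):
    """Return (prefix, reason) pairs for routes that should not reach the kernel.

    protected_nets: networks belonging to your own infrastructure
    (hypothetical values in this example).
    """
    protected = [ipaddress.ip_network(n) for n in protected_nets]
    findings = []
    for line in show_route_text.splitlines():
        m = ROUTE_RE.match(line)
        if m is None:
            continue  # not a BGP-learned route line in the expected layout
        net = ipaddress.ip_network(m.group("prefix"), strict=False)
        peer = ipaddress.ip_address(m.group("peer"))
        # Blackholing the neighbor's own address kills the session (hold timer expiry).
        if peer in net:
            findings.append((str(net), "covers-bgp-neighbor"))
        # The feed is expected to carry single hosts only.
        if net.prefixlen != 32:
            findings.append((str(net), "not-host-route"))
        # Never blackhole addresses inside your own infrastructure.
        if any(net.overlaps(p) for p in protected):
            findings.append((str(net), "protected-range"))
    return findings


if __name__ == "__main__":
    for prefix, reason in audit_routes(SAMPLE, ["192.0.2.0/24"]):
        print(prefix, reason)
```

Each flagged prefix corresponds to a condition that an import filter on the BGP protocol would reject before the route is exported to the kernel.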