Bird blackhole, example config

Krzysztof Puchała kpuchala at triplemedia.org
Mon May 1 11:01:07 CEST 2017


>> On Apr 30, 2017, at 8:47 AM, Krzysztof Puchała TriplmeMedia <kpuchala at triplemedia.org> wrote:
>> 
>> Hi, you once posted an example of a blackhole configuration for BIRD on the mailing list:
>> http://bird.network.cz/pipermail/bird-users/2012-March/007671.html
>> I'm trying to implement this in my setup, and when I reload the configuration I get an error:
>> bird> configure check
>> Reading configuration from /etc/bird/bird.conf
>> /etc/bird/bird.conf, line 49: syntax error
>> 
>> Line 49 is:
>> protocol kernel blackhole {
>> 
>> Maybe you have an idea why it does not work?
>> Thanks in advance for your answer.
> Hi, I'm replying to the list for the benefit of the discussion.
> 
> Wow, my example config is over 5 years old now...something probably changed in syntax requirements over the years, as this is what we currently have in place (note that a pipe isn't used, as we now leverage "ip rule" to separately include the blacklist table):
> 
> table blackholes;
> ...
> protocol kernel kblackholes {
> table blackholes;
> kernel table 10;
> scan time 10;
> learn;
> import all;
> export all;
> }
> ...
> filter bgp_out_upstream {
> if (proto = "kblackholes" ) then
> {
> if net.len = 32 then {
> bgp_community.add((64665,666)); # Replace 64665,666 with your upstream's community designation...if needed, otherwise delete this line
> printn "Blackhole nulling ";
> print net;
> accept;
> }
> }
> if net ~ [192.168.0.0/16] then accept;  # ...replace this with your own netblocks, one netblock per entry
> reject;
> }
> ...
> protocol bgp upstream {
> ...
> export filter bgp_out_upstream;
> ...
> }
> 
> HTH,
> Gregg Berkholtz
> Datacenter consulting, hosting & support since 1995
> www.tocici.com [1]  |  503-488-5461  |  AS14613

Thank you for your answer, almost everything is working.

I have another question: my DDoS attack detection system has a BGP
session with BIRD, and when it detects an attack it sends the victim's IP
address as a /32 prefix.
How can I have such a prefix added to the blackhole automatically?

Links:
------
[1] http://www.tocici.com
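As an added example (not code from Gregg's message, from the question's author, or from the BIRD project), here is a BIRD 1.x configuration, in the same syntax as the quoted config, that covers the flow asked about above: /32 announcements arriving from a detection system over BGP are kept in a dedicated blackholes table, installed into kernel table 10 as blackhole routes, and re-exported to the upstream tagged with the blackhole community. The router ID, the ASNs (64512 for ourselves, 64665 for the upstream), the addresses 192.0.2.10 and 203.0.113.1, the protocol names detector, kblackholes and blackholes_to_master, and the 192.168.0.0/16 netblock are all assumed placeholders; community (64665,666) and kernel table 10 are taken from the quoted config.

```bird
# Added example, not from the thread. BIRD 1.x syntax.
# All ASNs, addresses and protocol names below are assumed placeholders.

router id 192.0.2.1;        # assumption: this router's ID

table blackholes;           # victim host routes to be nulled live here

# Session to the detection system. Only host routes (/32) are accepted, so a
# bug in, or compromise of, the detector cannot blackhole a whole netblock.
protocol bgp detector {
    local as 64512;                  # assumption: our ASN
    neighbor 192.0.2.10 as 64512;    # assumption: detector's address (iBGP)
    table blackholes;
    import filter {
        if net.len = 32 then accept;
        reject;
    };
    export none;
}

# Install the victims into kernel table 10 as blackhole routes, so that an
# "ip rule" outside BIRD (as in the quoted reply) can discard local traffic
# to them as well, instead of forwarding it toward the detector's next hop.
protocol kernel kblackholes {
    table blackholes;
    kernel table 10;
    scan time 10;
    import none;
    export filter {
        dest = RTD_BLACKHOLE;
        accept;
    };
}

# Copy the blackholes table into master, where the upstream session lives.
protocol pipe blackholes_to_master {
    table blackholes;
    peer table master;
    import none;
    export all;
}

filter bgp_out_upstream {
    # Host routes that originated from the detector get the upstream's
    # blackhole community (64665,666 as in the quoted config; substitute
    # the value your upstream actually documents).
    if proto = "detector" && net.len = 32 then {
        bgp_community.add((64665,666));
        accept;
    }
    if net ~ [192.168.0.0/16] then accept;   # your own netblocks, one per entry
    reject;
}

protocol bgp upstream {
    local as 64512;
    neighbor 203.0.113.1 as 64665;   # assumption: upstream's address and ASN
    import none;
    export filter bgp_out_upstream;
}
```

The length check in the detector's import filter is the control that matters: whatever the detection system announces, only a single host address can ever be nulled by it. After loading this with `configure check` as in the original question, `show route table blackholes` in birdc lists what the detector has currently asked to blackhole, and the matching `ip rule` that points traffic at kernel table 10 still has to be created outside BIRD, as the quoted reply notes.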