Erroneous withdrawals and EOR announcements

micah anderson micah at riseup.net
Thu Oct 22 17:53:31 CEST 2020


Hello,

We have been experiencing heavy DDoS attacks, and one of the mitigation
techniques we've used is to peer with Team Cymru's UTRS BGP server[0] in
order to announce /32s to null route. We also connect to one of our
transit provider's null route services, and our internet exchange's null
route service, to push these out when they happen.

We were contacted by the UTRS folks because it seems like we are sending
'withdrawal' messages for networks that we do not control that are larger
than /32, and EOR announcements.

For example, from their logs:

2020-10-20T00:19:21+00:00 xp07-as19 UTRS[6681]: receive-routes: update:
withdrawal|16652|198.252.153.1|88.16.0.0/16

Our ASN is 16652, and that 198.252.153 address is ours, but that /16 is
not ours. I suspect we might be sending withdrawals for every route in
our table.

It also appears we are sending "eor" advertisements:

2020-10-21T01:01:29+00:00 xp07-as19 UTRS[6681]: receive-routes: update:
announcement|16652|198.252.153.1|eor

It seems that neither of these is wanted by them, and I'm at a loss as
to what I can do to make them stop.

My bird configuration looks like this. I would greatly appreciate any
help in improving it; we cannot afford to lose our UTRS peer, and I'd
like to keep us from polluting our friendly neighborhood logs!

# Router's own address. The kernel protocol's export filter sets it as the
# preferred source address (krt_prefsrc) of the routes it installs.
define LOOPBACKADDR = 198.252.153.1;

# Synchronises BIRD's table with the kernel routing table in both directions.
# With `learn` and `import all`, routes found in the kernel table that BIRD did
# not install are imported with preference 10000, the same value static_bgp uses.
# NOTE(review): anything able to add kernel routes on this host can therefore
# place high-preference routes into BIRD's table; confirm this is intended.
protocol kernel {
        learn;			# Learn all alien routes from the kernel
        preference 10000;
        scan time 15;		# Scan kernel routing table every 15 seconds
	import all;		# Default is import all
	# NOTE(review): this block has two `export` statements. Presumably the later
	# one replaces this one, in which case `! our_network()` is never applied.
	# Check the effective filter with `show protocols all`.
	export where ! our_network();
        # set preferred source address of routes,
        # otherwise connections initiated by router might have the transfernet as source address.
        export filter {  krt_prefsrc = LOOPBACKADDR;     accept;   };
}

# Interface scanner; the other protocols learn interface state from it.
protocol device {
	scan time 15;		# Scan interfaces every 15 seconds
}

# Static routes read from static_bgp.conf. rt_export() and rt_export_all()
# return true for every route that comes from this protocol, so the contents of
# that file are what the BGP export filters built on them will announce.
protocol static static_bgp {
        import all;
        preference 10000;          # same value as the kernel protocol
        include "static_bgp.conf"; # route definitions live in this file (not shown)
}

# Blackhole routes used for DDoS mitigation, read from static_nullroutes.conf.
# The import filter tags each route with community (ASN,666).
# NOTE(review): nothing at import time checks prefix length or OURNETS. Those
# checks are made at export by bgp_out_utrs_bl and bgp_nullroute; rt_export(),
# which bgp_out relies on, passes every route from this protocol as-is.
protocol static static_nullroute {
         import filter static_nullroutes;
         include "static_nullroutes.conf"; # example: route xxx.xxx.xxx.xxx/32 blackhole;
}

# Values are redacted in this post.
# OURNETS: prefix set tested by our_network(); the trailing `+` also matches more-specific prefixes.
define OURNETS = [ xxx+ ];
# PEER1: not referenced by any filter shown here.
define PEER1 = [ xxx ];
# PEER_ASNS: rt_export() passes BGP routes whose first path AS is in this set.
define PEER_ASNS = [ xxx];


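# Returns true when the current route's prefix must never be exported:
# link-local, RFC 1918 private space, multicast, 240.0.0.0/4, loopback, or any
# 0.0.0.0/n prefix (`0.0.0.0/32-` matches 0.0.0.0/0 through 0.0.0.0/32, so the
# default route is included).
# 172.16.0.0/12+ already matches every more-specific 172.24-172.31 entry that
# was listed separately, so those entries are dropped without changing the result.
# The closing brace of the function was missing in the posted configuration.
# NOTE(review): other special-purpose ranges (100.64.0.0/10, 192.0.2.0/24,
# 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24) are not rejected here;
# consider whether the export policy should cover them as well.
function martians()
{
  return net ~ [ 169.254.0.0/16+, 192.168.0.0/16+, 10.0.0.0/8+, 172.16.0.0/12+,
               224.0.0.0/4+, 240.0.0.0/4+, 0.0.0.0/32-, 127.0.0.0/8+ ];
}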

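# Import filter of protocol static_nullroute. Routes from that protocol get
# their community list replaced by the single tag (ASN,666), which the export
# filters match on. Every other route is rejected explicitly, so the filter
# never ends without a verdict.
# ASN is not defined in the configuration shown; presumably it is set elsewhere.
filter static_nullroutes
{
  if proto = "static_nullroute" then {
    bgp_community = -empty-;       # start from an empty community list
    bgp_community.add((ASN,666));  # local blackhole marker
    accept;
  }
  # The original fell off the end of the filter here without accept or reject.
  reject;
}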

# Returns true when the current route's prefix matches the OURNETS prefix set.
# The export filters use it so that only our own address space is announced as
# a blackhole.
function our_network()
{
 return net ~ OURNETS;
}

# Export decision used by filter bgp_out.
# Returns true for every route from the static_bgp and static_nullroute
# protocols, and for BGP-learned routes that are not martians, have an AS path
# of at most 64 entries and whose first path AS is in PEER_ASNS. Everything
# else returns false.
function rt_export()
{
  # Locally configured statics always pass, whatever their prefix.
  if proto = "static_bgp" || proto = "static_nullroute" then return true;

  # From here on only BGP-learned routes are considered.
  if source != RTS_BGP then return false;

  # Sanity checks on the learned route.
  if bgp_path.len > 64 then return false;
  if martians() then return false;

  return bgp_path.first ~ PEER_ASNS;
}

# Wider export decision: like rt_export(), but any BGP-learned route that
# passes the sanity checks is returned as true, whatever its first AS, and
# routes from a protocol named "static_links" are refused first.
# No protocol named static_links appears in the configuration shown.
function rt_export_all()
{
  if proto = "static_links" then return false;

  # Locally configured statics always pass, whatever their prefix.
  if proto = "static_bgp" || proto = "static_nullroute" then return true;

  # From here on only BGP-learned routes are considered.
  if source != RTS_BGP then return false;
  if bgp_path.len > 64 then return false;

  return ! martians();
}

# Export filter for ordinary BGP sessions. rt_export() makes the decision: it
# passes the static_bgp and static_nullroute routes plus BGP-learned routes
# whose first AS is in PEER_ASNS, so more than our own nets can leave here.
# NOTE(review): static_nullroute routes pass rt_export() without the /32 and
# OURNETS checks that bgp_out_utrs_bl and bgp_nullroute apply, so a wrong entry
# in static_nullroutes.conf would be announced through this filter; confirm
# whether the same guard is wanted here.
filter bgp_out
{
   # SIX nullrouting: https://www.seattleix.net/blackholing
   # A tagged /32 of ours has its local marker swapped for (65535,666).
   if net.len = 32 && our_network() && (ASN,666) ~ bgp_community then {
      bgp_community = -empty-;
      bgp_community.add((65535,666));
   }

   if rt_export() then accept;
   reject;
}

# Rejects every route. Use it as the import or export filter of a session that
# must not learn or announce anything.
filter sink
{
        reject;
}

# Import filter for the UTRS session: a /32 carrying community (64496,0) is
# installed as a blackhole route; every other announcement is rejected.
# NOTE(review): there is no check that the /32 lies outside OURNETS, so a UTRS
# announcement for one of our own addresses would be accepted as a blackhole
# here; confirm that is intended.
filter bgp_in_utrs_bl {
    if net.len = 32 then {
        if (64496,0) ~ bgp_community then {
            dest = RTD_BLACKHOLE;
            accept;
        }
    }
    reject;
}

# Export filter towards UTRS: only a /32 inside OURNETS that carries the local
# marker (ASN,666) is announced, with its communities replaced by (ASN,0).
# Every other route is rejected, so by this filter alone a prefix such as the
# /16 in the quoted UTRS log is never announced.
filter bgp_out_utrs_bl {
    if net.len = 32 && our_network() then {
        if (ASN,666) ~ bgp_community then {
            bgp_community = -empty-;
            bgp_community.add((ASN,0));
            accept;
        }
    }
    reject;
}

# Passes only a /32 inside OURNETS that carries the local marker (ASN,666).
# The communities are left unchanged; every other route is rejected.
filter bgp_nullroute {
   if net.len != 32 then reject;
   if ! our_network() then reject;
   if (ASN,666) ~ bgp_community then accept;
   reject;
}

-- 
        micah

0. https://team-cymru.com/community-services/utrs/getting-started/

