Dec 25 2008
Source Based RTBH
Consider the topology below.
PC1 sends a SYN flood using source IP 192.168.1.1 to PC2 at destination address 172.16.1.1.
The network engineer at ZeeNet spots the attack and quickly logs onto the trigger router. He adds a static route to the trigger router which states that the next hop for 192.168.1.1/32 is Null0. This static route is then redistributed into BGP and advertised over iBGP to R1. When the static route is redistributed into iBGP, the route-map attached to the redistribute static command changes the next hop to 192.0.2.1.
R1 has a static route for 192.0.2.1 which points to the Null0 interface.
R1 has Unicast Reverse Path Forwarding (uRPF) configured on fa1/1. uRPF is a cool technology. When a packet enters fa1/1, uRPF checks the source address of the packet to see whether it has an entry in the local routing table. If there is no entry in the local routing table, or the entry points to a different interface, or the entry points to Null0, then the packet is dropped.
In our case, there is an entry in the local routing table for 192.168.1.1/32 whose next hop 192.0.2.1 resolves to Null0. Therefore uRPF will drop the packet.
Once again, you have to understand the implications of using this approach: if, for example, an attacker is sending a SYN flood to PC2 while spoofing the address 10.10.10.1, and you black hole 10.10.10.1/32 using source based RTBH, then the legitimate user at 10.10.10.1 will be black holed as well.
Now let's look at how to configure source based RTBH below, or alternatively download the video and watch it on your iPod.
The commands used to configure Source based RTBH are as follows.
R1
! Configure strict uRPF on the interface facing the attacker.
interface FastEthernet1/1
ip verify unicast reverse-path
! Black hole static route.
ip route 192.0.2.1 255.255.255.255 Null0
Trigger router
! Route-map which matches tagged static routes, sets the IP next hop and adds the no-export community.
route-map BLACK-HOLE permit 10
match tag 100
set ip next-hop 192.0.2.1
set community no-export
! Attach the route-map to the redistribute static command under BGP.
router bgp 1
redistribute static route-map BLACK-HOLE
! Add the static route for the source address you would like to black hole (tagged so the route-map matches it).
ip route 192.168.1.1 255.255.255.255 Null0 tag 100
! Black hole static route.
ip route 192.0.2.1 255.255.255.255 Null0
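To make the forwarding decision concrete, here is an added simulation (example code, not from the original post) of R1's strict uRPF check against a constructed FIB: the trigger router's tagged /32 arrives via iBGP with next hop 192.0.2.1, that next hop recursively resolves to Null0, and uRPF drops the source. The addressing beyond the post's own prefixes (the 10.0.0.0/30 upstream link, interface names Fa0/0 and Fa1/0) is assumed, and the 10.10.10.1 case shows the collateral damage described above.

```python
import ipaddress

# Constructed FIB for R1 (assumed addressing, not from the post):
# (prefix, next_hop or None, outgoing interface or None). A BGP route carries
# a next hop and no interface; a static/connected route names the interface.
R1_FIB = [
    ("0.0.0.0/0", "10.0.0.2", None),          # default via a hypothetical upstream
    ("10.0.0.0/30", None, "Fa0/0"),           # upstream link (assumed)
    ("172.16.1.0/24", None, "Fa1/0"),         # PC2's segment
    ("192.168.1.0/24", None, "Fa1/1"),        # PC1's segment, uRPF enabled here
    ("10.10.10.0/24", None, "Fa1/1"),         # legitimate users behind fa1/1
    ("192.0.2.1/32", None, "Null0"),          # ip route 192.0.2.1 255.255.255.255 Null0
]

def lookup(fib, addr):
    """Longest-prefix match for addr; returns the FIB tuple or None."""
    ip = ipaddress.ip_address(addr)
    matches = [e for e in fib if ip in ipaddress.ip_network(e[0])]
    return max(matches, key=lambda e: ipaddress.ip_network(e[0]).prefixlen, default=None)

def resolve_interface(fib, addr, depth=0):
    """Recursive lookup: follow BGP next hops until an interface is found."""
    entry = lookup(fib, addr)
    if entry is None or depth > 8:
        return None
    _, next_hop, iface = entry
    return iface if iface is not None else resolve_interface(fib, next_hop, depth + 1)

def urpf_strict(fib, src, ingress_iface):
    """Strict uRPF as the post describes it: the source must have a route, that
    route must not point at Null0, and it must lead back out the ingress interface."""
    iface = resolve_interface(fib, src)
    if iface is None:
        return "drop: no route to source"
    if iface == "Null0":
        return "drop: source routed to Null0"
    if iface != ingress_iface:
        return f"drop: source reachable via {iface}, not {ingress_iface}"
    return "permit"

def trigger_blackhole(fib, src):
    """What R1 sees after the trigger router redistributes 'ip route <src> /32 Null0 tag 100':
    an iBGP /32 whose next hop the route-map rewrote to 192.0.2.1 (which R1 routes to Null0)."""
    return fib + [(f"{src}/32", "192.0.2.1", None)]

if __name__ == "__main__":
    fib = trigger_blackhole(R1_FIB, "192.168.1.1")
    for src in ("192.168.1.1", "192.168.1.2", "10.10.10.1"):
        print(src, "->", urpf_strict(fib, src, "Fa1/1"))
```

Before the trigger, 10.10.10.1 is permitted; black-holing it drops the spoofed flood and the real host alike, which is the trade-off the post warns about.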
