RTBH stands for Remote Triggering Black Hole, which means, the ability to route traffic to black hole from remote. In the real world the intention is to allow customers to instruct their ISP to route traffic to black hole without any intervention from the ISP side.
So why do we want to route traffic to black hole? in case of DoS/DDoS we would like to stop the attack ASAP and the best way to accomplish that is by routing traffic designate to victim into black hole and to prevent from the excess traffic (or pps) to reach or go through our links and devices.
looking on the network diagram we can see that the attacker will conduct his DoS attack through the ISP toward the customer server.
The customer can stop the attack by advertising the victim IP (destination) to the ISP with special community where as the ISP in return will re-route the traffic to this IP toward black hole (null 0 or discard).
Currently we are working with Level3 and Tinet which support RTBH communities 3356:9999 and 3257:2666 respectively.
So if the victim IP was 200.10.0.1 the configuration for Level3 will be:
ip prefix-list PL_RTBH_LEVEL3 permit 200.10.0.1/32
!
route-map RM_BGP_LEVEL3_OUTBOUND permit 10
match ip address prefix-list PL_RTBH_LEVEL3
set community 3356:9999
take note that although ISP's doesn't s support BGP advertisements less the prefix /24 when it comes to RTBH you can advertise any prefix length includes /32.
No comments:
Post a Comment