How to make Blackhole Community Null0 into Vyos?

CristianD · November 26, 2020, 10:40am

Hello,

I founded 1 or 2 topics regarding my topic but there is no answear at all or any infos on documentation

Ower ISP provider give us a community “number” for blackholing and /24 or /32 in case it gets some flood/ddos to route map the ip from the BGP.

"Customer static routes the ip or ip range to Null0 and adds an announcement of the corresponding prefix with a route map that tags it with

Occasionally customers need to drop traffic before it reaches their network.

ISP transit customers with customer blackholing enabled may tag prefixes they announce to ISP with the community 6830:666 to cause traffic destined for those prefixes to be blackholed on all ISP core routers"

Can anyone give me a hand ? Or example regarding this, i founded example on Cisco from the ISP but not for Vyos, and i keep searching and didnt founded nothink.

Thank you

Viacheslav · November 26, 2020, 3:19pm

@CristianD Try it

vyos@r5:~$ show conf com | match "bgp|policy"
set policy community-list blackhole rule 10 action 'permit'
set policy community-list blackhole rule 10 regex '6830:666'
set policy prefix-list OUT rule 10 action 'permit'
set policy prefix-list OUT rule 10 prefix '203.0.113.0/24'
set policy route-map EXPORT rule 10 action 'permit'
set policy route-map EXPORT rule 10 match community community-list 'blackhole'
set policy route-map EXPORT rule 20 action 'permit'
set policy route-map EXPORT rule 20 match ip address prefix-list 'OUT'
set policy route-map blackhole rule 10 action 'permit'
set policy route-map blackhole rule 10 set community '6830:666'
set protocols bgp 65001 address-family ipv4-unicast network 203.0.113.6/32 route-map 'blackhole'
set protocols bgp 65001 address-family ipv4-unicast redistribute connected
set protocols bgp 65001 address-family ipv4-unicast redistribute static
set protocols bgp 65001 neighbor 100.64.0.2 address-family ipv4-unicast route-map export 'EXPORT'
set protocols bgp 65001 neighbor 100.64.0.2 remote-as '65002'
set protocols bgp 65001 neighbor 100.64.0.2 timers holdtime '30'
set protocols bgp 65001 neighbor 100.64.0.2 timers keepalive '10'

Show local bgp

vyos@r5:~$ show ip bgp 203.0.113.6
BGP routing table entry for 203.0.113.6/32
Paths: (1 available, best #1, table default)
  Advertised to non peer-group peers:
  100.64.0.2
  Local
    0.0.0.0 from 0.0.0.0 (203.0.113.1)
      Origin IGP, metric 0, weight 32768, valid, sourced, local, best (First path received)
      Community: 6830:666
      Last update: Thu Nov 26 17:05:06 2020

What we send:

vyos@r5:~$ show ip bgp neighbors 100.64.0.2 advertised-routes 
BGP table version is 6, local router ID is 203.0.113.1, vrf id 0
Default local pref 100, local AS 65001

   Network          Next Hop            Metric LocPrf Weight Path
*> 203.0.113.0/24   0.0.0.0                  0         32768 ?
*> 203.0.113.6/32   0.0.0.0                  0         32768 i

Show bgp on neighbor:

vyos@r4-roll:~$ show ip bgp 203.0.113.6/32
BGP routing table entry for 203.0.113.6/32
Paths: (1 available, best #1, table default)
  Advertised to non peer-group peers:
  100.64.0.1
  65001
    100.64.0.1 from 100.64.0.1 (203.0.113.1)
      Origin IGP, metric 0, valid, external, best (First path received)
      Community: 6830:666
      Last update: Thu Nov 26 17:14:34 2020

Viacheslav · November 28, 2020, 5:17pm

@CristianD As another option, you can use “tags” for blackhole routes. And use “match tag” for route-map.

set protocols static route 203.0.113.6/32 blackhole tag 666

https://phabricator.vyos.net/T3091

CristianD · November 28, 2020, 9:49pm

Thank you tomorow i make an VM and config it

This is owsem

CristianD · January 13, 2021, 5:16pm

Hello, for me is not working, i think is sompting i dont do it right on the first option.

s@vyos:~ show ip bgp 89.34xxxx BGP routing table entry for 89.34.xxxx/32 Paths: (1 available, best #1, table default) Not advertised to any peer Local 0.0.0.0 from 0.0.0.0 (192.168.100.100) Origin IGP, metric 0, weight 32768, valid, sourced, local, best (First path received) Community: 6830:666 Last update: Wed Jan 13 14:59:29 2021 vyos@vyos:~

I dont know why it shows “192.168.100.100” is added on eth0 we use for local access on the vyos

eth1 & 2 is for ISP

Can someone available to help, im available to pay

Viacheslav · January 13, 2021, 10:42pm

@CristianD Do you use tags?
Can you share your configuration example?
You can hide/replace private formation.

CristianD · January 14, 2021, 8:09am

`vyos@vyos:~$ show configuration commands

set firewall all-ping ‘enable’
set firewall broadcast-ping ‘disable’
set firewall config-trap ‘disable’
set firewall group address-group ag-Blacklist
set firewall group address-group geoblock
set firewall group network-group ng-Blacklist
set firewall ipv6-receive-redirects ‘disable’
set firewall ipv6-src-route ‘disable’
set firewall ip-src-route ‘disable’
set firewall log-martians ‘enable’
set firewall name FIREWALL-LOCAL default-action ‘accept’
set firewall name FIREWALL-LOCAL rule 10 action ‘drop’
set firewall name FIREWALL-LOCAL rule 10 source group address-group ‘geoblock’
set firewall name FIREWALL-LOCAL rule 11 action ‘drop’
set firewall name FIREWALL-LOCAL rule 11 source group address-group ‘ag-Blacklist’
set firewall name FIREWALL-LOCAL rule 12 action ‘drop’
set firewall name FIREWALL-LOCAL rule 12 source group network-group ‘ng-Blacklist’
set firewall receive-redirects ‘disable’
set firewall send-redirects ‘enable’
set firewall source-validation ‘disable’
set firewall syn-cookies ‘enable’
set firewall twa-hazaISP1-protection ‘disable’

set interfaces ethernet eth0 address ‘192.168.100.100/24’
set interfaces ethernet eth0 description ‘Local Connect’
set interfaces ethernet eth0 hw-id ‘b8:ac:6f:14:c2:16’
set interfaces ethernet eth1 address ‘10.192.56.X/29’
set interfaces ethernet eth1 description ‘ISP1’
set interfaces ethernet eth1 firewall in name ‘FIREWALL-LOCAL’
set interfaces ethernet eth1 hw-id ‘b8:ac:6f:14:c2:18’
set interfaces ethernet eth2 firewall in name ‘FIREWALL-LOCAL’
set interfaces ethernet eth2 hw-id ‘b8:ac:6f:14:c2:1a’
set interfaces ethernet eth2 vif 2288 address ‘89.136.224.X/30’
set interfaces ethernet eth2 vif 2288 description ‘ISP2 National’
set interfaces ethernet eth2 vif 2288 firewall in name ‘FIREWALL-LOCAL’
set interfaces ethernet eth3 firewall in name ‘FIREWALL-LOCAL’
set interfaces ethernet eth3 hw-id ‘b8:ac:6f:14:c2:1c’
set interfaces ethernet eth3 vif 2291 address ‘89.136.224.X/30’
set interfaces ethernet eth3 vif 2291 description ‘ISP2 International’
set interfaces ethernet eth3 vif 2291 firewall in name ‘FIREWALL-LOCAL’
set interfaces ethernet eth4 firewall in name ‘FIREWALL-LOCAL’
set interfaces ethernet eth4 hw-id ‘28:92:4a:af:31:b0’
set interfaces ethernet eth5 address ‘89.X.X.1/24’
set interfaces ethernet eth5 address ‘89.X.X.1/24’
set interfaces ethernet eth5 address ‘188.X.X.1/24’
set interfaces ethernet eth5 address ‘77.X.X.1/24’
set interfaces ethernet eth5 address ‘89.X.X.1/24’
set interfaces ethernet eth5 address ‘89.X.X.1/24’
set interfaces ethernet eth5 description ‘10GB Port > Switch’
set interfaces ethernet eth5 firewall in name ‘FIREWALL-LOCAL’
set interfaces ethernet eth5 hw-id ‘28:92:4a:af:31:b4’

set interfaces loopback lo

set policy community-list blackhole rule 10 action ‘permit’
set policy community-list blackhole rule 10 regex ‘6830:666’

set policy prefix-list IPv4-BGP-OUT rule 100 action ‘permit’
set policy prefix-list IPv4-BGP-OUT rule 100 description ‘AS339XX BGP US’
set policy prefix-list IPv4-BGP-OUT rule 100 prefix ‘77.X.X.0/24’
set policy prefix-list IPv4-BGP-OUT rule 105 action ‘permit’
set policy prefix-list IPv4-BGP-OUT rule 105 description ‘AS339XX BGP US’
set policy prefix-list IPv4-BGP-OUT rule 105 prefix ‘89.X.X.0/23’
set policy prefix-list IPv4-BGP-OUT rule 106 action ‘permit’
set policy prefix-list IPv4-BGP-OUT rule 106 description ‘AS339XX BGP US’
set policy prefix-list IPv4-BGP-OUT rule 106 prefix ‘188.X.X.0/24’
set policy prefix-list IPv4-BGP-OUT rule 140 action ‘permit’
set policy prefix-list IPv4-BGP-OUT rule 140 description ‘AS339XX BGP US’
set policy prefix-list IPv4-BGP-OUT rule 140 prefix ‘89.X.X.0/23’

set policy route-map IPv4-NET rule 100 action ‘permit’
set policy route-map IPv4-NET rule 100 match community community-list ‘blackhole’
set policy route-map IPv4-NET rule 100 match ip address prefix-list ‘IPv4-BGP-OUT’
set policy route-map IPv4-NET rule 105 action ‘permit’
set policy route-map IPv4-NET rule 105 match community community-list ‘blackhole’
set policy route-map IPv4-NET rule 105 match ip address prefix-list ‘IPv4-BGP-OUT’
set policy route-map IPv4-NET rule 106 action ‘permit’
set policy route-map IPv4-NET rule 106 match community community-list ‘blackhole’
set policy route-map IPv4-NET rule 106 match ip address prefix-list ‘IPv4-BGP-OUT’
set policy route-map IPv4-NET rule 120 action ‘permit’
set policy route-map IPv4-NET rule 120 match ip address prefix-list ‘IPv4-BGP-OUT’
set policy route-map IPv4-NET rule 130 action ‘permit’
set policy route-map IPv4-NET rule 130 match ip address prefix-list ‘IPv4-BGP-OUT’
set policy route-map IPv4-NET rule 140 action ‘permit’
set policy route-map IPv4-NET rule 140 match community community-list ‘blackhole’
set policy route-map IPv4-NET rule 140 match ip address prefix-list ‘IPv4-BGP-OUT’
set policy route-map blackhole rule 10 action ‘permit’
set policy route-map blackhole rule 10 set community ‘6830:666’

set protocols bgp 339XX address-family ipv4-unicast network 77.X.X.0/24
set protocols bgp 339XX address-family ipv4-unicast network 89.X.X.0/23
set protocols bgp 339XX address-family ipv4-unicast network 89.X.X.250/32 route-map ‘blackhole’
set protocols bgp 339XX address-family ipv4-unicast network 89.X.X.0/23
set protocols bgp 339XX address-family ipv4-unicast network 188.X.X.0/24

set protocols bgp 339XX neighbor 10.192.56.X address-family ipv4-unicast route-map export ‘IPv4-NET’
set protocols bgp 339XX neighbor 10.192.56.X address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 339XX neighbor 10.192.56.X description ‘ISP1 National AS Neighbor’
set protocols bgp 339XX neighbor 10.192.56.X remote-as ‘8708’
set protocols bgp 339XX neighbor 10.192.56.X update-source ‘10.192.56.X’
set protocols bgp 339XX neighbor 10.192.56.XX address-family ipv4-unicast route-map export ‘IPv4-NET’
set protocols bgp 339XX neighbor 10.192.56.XX address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 339XX neighbor 10.192.56.XX description ‘ISP1 National AS Neighbor - Back-UP’
set protocols bgp 339XX neighbor 10.192.56.XX remote-as ‘8708’
set protocols bgp 339XX neighbor 10.192.56.XX update-source ‘10.192.56.X’
set protocols bgp 339XX neighbor 89.136.224.XX address-family ipv4-unicast route-map export ‘IPv4-NET’
set protocols bgp 339XX neighbor 89.136.224.XX address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 339XX neighbor 89.136.224.XX description ‘ISP2 International AS Neighbor’
set protocols bgp 339XX neighbor 89.136.224.XX remote-as ‘6830’
set protocols bgp 339XX neighbor 89.136.224.XX update-source ‘89.136.224.X’
set protocols bgp 339XX neighbor 89.136.224.X address-family ipv4-unicast route-map export ‘IPv4-NET’
set protocols bgp 339XX neighbor 89.136.224.X address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 339XX neighbor 89.136.224.X description ‘ISP2 National AS Neighbor’
set protocols bgp 339XX neighbor 89.136.224.X remote-as ‘6830’
set protocols bgp 339XX neighbor 89.136.224.X update-source ‘89.136.224.X’
set protocols bgp 339XX neighbor 193.231.184.X address-family ipv4-unicast route-map export ‘IPv4-NET’
set protocols bgp 339XX neighbor 193.231.184.X address-family ipv4-unicast soft-reconfiguration inbound
set protocols bgp 339XX neighbor 193.231.184.X description ‘ISP1 International AS Neighbor’
set protocols bgp 339XX neighbor 193.231.184.X ebgp-multihop ‘255’
set protocols bgp 339XX neighbor 193.231.184.X remote-as ‘8708’
set protocols bgp 339XX neighbor 193.231.184.X update-source ‘10.192.56.X’

set protocols bgp 339XX parameters log-neighbor-changes

set protocols ospf area 0 network ‘89.X.X.0/23’
set protocols ospf area 0 network ‘77.X.X.0/24’
set protocols ospf area 0 network ‘188.X.X.0/24’
set protocols ospf area 0 network ‘89.X.X.0/24’
set protocols ospf area 0 network ‘89.X.X.0/24’

set protocols ospf area 0.0.0.0 area-type normal
set protocols ospf default-information originate always
set protocols ospf default-information originate metric ‘10’
set protocols ospf default-information originate metric-type ‘2’
set protocols ospf parameters abr-type ‘cisco’

set protocols static route 77.X.X.0/24 blackhole distance ‘254’
set protocols static route 89.X.X.0/23 blackhole distance ‘254’
set protocols static route 89.X.X.0/23 blackhole distance ‘254’
set protocols static route 188.X.X.0/24 blackhole distance ‘254’

set service ids ddos-protection direction ‘in’
set service ids ddos-protection listen-interface ‘eth0’
set service ids ddos-protection listen-interface ‘eth1’
set service ids ddos-protection listen-interface ‘eth2’
set service ids ddos-protection listen-interface ‘eth3’
set service ids ddos-protection listen-interface ‘eth4’
set service ids ddos-protection listen-interface ‘eth5’
set service ids ddos-protection mode mirror
set service ids ddos-protection network ‘89.X.X.1/32’
set service ids ddos-protection network ‘89.X.X.1/32’
set service ids ddos-protection network ‘77.X.X.1/32’
set service ids ddos-protection network ‘188.X.X.1/32’
set service ids ddos-protection network ‘89.X.X.1/32’
set service ids ddos-protection network ‘89.X.X.1/32’
set service ids ddos-protection threshold fps ‘1000’
set service ids ddos-protection threshold mbps ‘50’
set service ids ddos-protection threshold pps ‘10000’

set system config-management commit-revisions ‘100’
set system console device ttyS0 speed ‘115200’

set system flow-accounting interface ‘eth0’
set system flow-accounting interface ‘eth2’
set system flow-accounting interface ‘eth3’
set system flow-accounting interface ‘eth1’
set system flow-accounting netflow sampling-rate ‘1’
set system flow-accounting netflow server 89.X.X.2 port ‘2055’
set system flow-accounting netflow timeout expiry-interval ‘30’
set system flow-accounting netflow timeout flow-generic ‘30’
set system flow-accounting netflow timeout icmp ‘30’
set system flow-accounting netflow timeout max-active-life ‘30’
set system flow-accounting netflow timeout tcp-fin ‘30’
set system flow-accounting netflow timeout tcp-generic ‘30’
set system flow-accounting netflow timeout tcp-rst ‘30’
set system flow-accounting netflow timeout udp ‘30’
set system flow-accounting netflow version ‘9’
set system flow-accounting syslog-facility ‘daemon’

set system ntp server 0.pool.ntp.org
set system ntp server 1.pool.ntp.org
set system ntp server 2.pool.ntp.org

set system syslog global facility all level ‘info’
set system syslog global facility protocols level ‘debug’
vyos@vyos:~$
`

Viacheslav · January 14, 2021, 11:18am

192.168.100.100 it’s your router-id.

In that case, is used logical AND. It’s the wrong logic.
So prefix match AND community AND PREFIX /24

Try to change your route-map

set policy route-map IPv4-NET rule 100 action 'permit'
set policy route-map IPv4-NET rule 100 match ip address prefix-list 'IPv4-BGP-OUT'
set policy route-map IPv4-NET rule 101 action 'permit'
set policy route-map IPv4-NET rule 101 match community community-list 'blackhole'

So the full test config

set policy community-list blackhole rule 10 action 'permit'
set policy community-list blackhole rule 10 regex '6830:666'
set policy prefix-list IPv4-BGP-OUT rule 100 action 'permit'
set policy prefix-list IPv4-BGP-OUT rule 100 description 'AS339XX BGP US'
set policy prefix-list IPv4-BGP-OUT rule 100 prefix '203.0.113.0/24'
set policy route-map IPv4-NET rule 100 action 'permit'
set policy route-map IPv4-NET rule 100 match ip address prefix-list 'IPv4-BGP-OUT'
set policy route-map IPv4-NET rule 101 action 'permit'
set policy route-map IPv4-NET rule 101 match community community-list 'blackhole'
set policy route-map blackhole rule 10 action 'permit'
set policy route-map blackhole rule 10 set community '6830:666'
set protocols bgp 65001 address-family ipv4-unicast network 203.0.113.0/24
set protocols bgp 65001 address-family ipv4-unicast network 203.0.113.6/32 route-map 'blackhole'
set protocols bgp 65001 neighbor 100.64.0.2 address-family ipv4-unicast route-map export 'IPv4-NET'
set protocols bgp 65001 neighbor 100.64.0.2 remote-as '65002'

Check bgp table:

vyos@r5-roll:~$ show ip bgp 203.0.113.6
BGP routing table entry for 203.0.113.6/32
Paths: (1 available, best #1, table default)
  Advertised to non peer-group peers:
  100.64.0.2
  Local
    0.0.0.0 from 0.0.0.0 (192.168.122.15)
      Origin IGP, metric 0, weight 32768, valid, sourced, local, best (First path received)
      Community: 6830:666
      Last update: Thu Jan 14 12:45:24 2021

Check routes and table bgp on the uplink side

   Network          Next Hop            Metric LocPrf Weight Path
*> 203.0.113.0/24   100.64.0.1               0             0 65001 i
*> 203.0.113.6/32   100.64.0.1               0             0 65001 i

vyos@r2-roll:~$ show ip bgp 203.0.113.6 
BGP routing table entry for 203.0.113.6/32
Paths: (1 available, best #1, table default)
  Advertised to non peer-group peers:
  100.64.0.1
  65001
    100.64.0.1 from 100.64.0.1 (192.168.122.15)
      Origin IGP, metric 0, valid, external, best (First path received)
      Community: 6830:666
      Last update: Thu Jan 14 13:12:36 2021

Why you don’t use tags? It is easier. But its your choice.

CristianD · January 14, 2021, 1:00pm

Cuz it kills the entire connection on it on both ISP providers, we whant to kill only on 1 cuz the other ISP it auto makes blackhole on it.

If we make blackhole on international ISP the connection on ower Country (Metro) still works, and it kills the connection only outside ower country, cuz all the ddos and bad staff comes from outside.

If someone makes DDOS from ower country to ower country (RO) in 5 minutes he dosent have any more internet the providers kills hes internet and contract, so, nobody whants this, and if is big problem we can report it to authoritys.

CristianD · January 18, 2021, 7:36am

Hello,

It sems to be a problem on ower ISP , the one we whant to make the blackhole, the enginers they dont know how to make blackhole not even them to theyr network manualy right from theyr network :)) jesus, so now i whant after them to fix theyr issue so i can test.

I will update this as soon as they fix it

Thank you.

CristianD · January 21, 2021, 7:46am

OKa so my provider told us just now after 1 year, if we whant to make blackhole/null-route to an ip we have to email them and them to make it is not working to make it from my router.

So i used this instead to complet kill it

set protocols static route xxxxxx/32 blackhole
set protocols static route xxxxxx/32 blackhole tag 666

But on the interfaces router i still can see incoming traffic , is this the way it is or is sompting i do wrong ?

Dmitry · January 21, 2021, 10:24am

Hello @CristianD, technically you will see incoming packets because it still received by NIC. Packets will be dropped on the kernel layer.

CristianD · January 21, 2021, 11:05am

Thank you.

Now i have to find a good solution for ddos protection, some hardware i think will be better.

CristianD · February 23, 2021, 7:42am

I asked to my other provider for blackhole and they ask me to use 8708:9999 and test to see if it works, they ar not 100% sure is fully function.

At this moment we change ower secand provider the one mentioned to make manualy blackhole 6830:666 with another provider witch 100% blackhole works 6663:10000 or 6663:0 , till now no chance to work and i dont understand why.

I will contact some other hosters who use the same provider but with another router not vyos to confirm if for them is working or not.

Thank you

tjh · February 24, 2021, 2:40am

I don’t fully understand what you said I’m sorry, but if you’re advertising that community to them and are worried it’s not working, can’t you just ask them to verify what they’re learning on their side of the eBGP connection?

They should be able to tell you pretty quickly if they’re getting your routes with the correct community or not.

CristianD · March 1, 2021, 9:35am

I configured again and asked my provider to check for me.

I reinstalled the router with v 1.14 and dont get it if there was some changes made cuz

vyos@router.100:~$ show ip bgp 188.21xxxxxxxx

Invalid command: show ip bgp [188.21xxx]

CristianD · March 1, 2021, 12:06pm

Now is working, my provider has to optimize some staff on theyr side.

My last question is, show can i add multiple comunitys ?

Just like

set policy community-list blackhole rule 11 regex '6830:667'
set policy community-list blackhole rule 11 regex '6830:668'
set policy route-map blackhole rule 10 set community '6830:667'
set policy route-map blackhole rule 10 set community '6830:668'

Or

set policy community-list blackhole rule 11 regex '6830:667 6830:668'
set policy route-map blackhole rule 10 set community '6830:667 6830:668'

Thank you

Viacheslav · March 1, 2021, 10:03pm

The second option should work fine.
Because the second string of the same rule overwrites it.