Remote Triggered Black Hole Filtering (RTBH)

RTBH is a technique for mitigating DDoS attacks in provider networks; it is described in RFC 5635.

How RTBH works in a few words:

  • configure a discard route on all your routers for the black-hole next-hop (usually an address from the 192.0.2.0/24 range)
    routing-options {
        static {
            route 192.0.2.1/32 discard;
        }
    }
  • apply a BGP export policy to all your routers that sets the next-hop of the given prefix to the address covered by your discard route
    policy-options {
        policy-statement black-hole-filter {
            from {
                route-filter <DDOS-Destination>/<Length> exact;
            }
            then {
                next-hop 192.0.2.1;
            }
        }
    }
  • in case of a DDoS attack, add only the destination prefix of the attack to this policy
  • you get additional protection by adding a uRPF check (loose mode): packets whose source address resolves to the discard route are then dropped as well
    interfaces {
        xe-1/2/3 {
            unit 123 {
                family inet {
                    rpf-check {
                        mode loose;
                    }
                }
            }
        }
    }
    routing-options {
        forwarding-table {
            unicast-reverse-path feasible-paths;
        }
    }
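To see the four steps above interact, here is a small simulation of a router's forwarding behaviour under RTBH. It is an added example, not code from the original post or from Junos: it models longest-prefix match, recursive next-hop resolution (a prefix pointing at 192.0.2.1 inherits the static discard route from step 1), a loose-mode uRPF check on the source address (step 4), and a trigger function that refuses to install a black-hole route outside a constructed operator address space or shorter than a host route. All prefixes, next-hops and the uRPF-discard behaviour are assumptions of the model; on real platforms whether a discard route fails loose uRPF depends on configuration.

```python
"""Simulation of remote-triggered black hole (RTBH) forwarding.
Added example, not from the original post or Junos; all addresses are constructed.
"""
import ipaddress
from typing import Dict, Optional, Union

IPv4Net = ipaddress.IPv4Network
NextHop = Union[ipaddress.IPv4Address, str]

DISCARD = "discard"
# Black-hole next-hop taken from 192.0.2.0/24, as in the config above.
BLACKHOLE_NEXT_HOP = ipaddress.ip_address("192.0.2.1")

# Constructed operator address space: black-hole routes are only accepted inside
# it, so a typo cannot black-hole a prefix that is not ours.
OPERATOR_SPACE = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
MIN_BLACKHOLE_LEN = 32  # host routes only; a /24 would take down a whole customer


class Router:
    def __init__(self) -> None:
        self.routes: Dict[IPv4Net, NextHop] = {}
        # Step 1: static discard route for the black-hole next-hop.
        self.add_route("192.0.2.1/32", DISCARD)

    def add_route(self, prefix: str, next_hop: NextHop) -> None:
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, addr: str) -> Optional[IPv4Net]:
        """Longest-prefix match; None when no route covers addr."""
        ip = ipaddress.ip_address(addr)
        matches = [p for p in self.routes if ip in p]
        return max(matches, key=lambda p: p.prefixlen) if matches else None

    def resolve(self, addr: str) -> Optional[NextHop]:
        """Resolve addr to DISCARD, a usable next-hop, or None (no route)."""
        prefix = self.lookup(addr)
        if prefix is None:
            return None
        nh = self.routes[prefix]
        if nh == DISCARD:
            return DISCARD
        # Recursive resolution: a prefix pointing at 192.0.2.1 inherits the discard.
        nested = self.lookup(str(nh))
        if nested is not None and self.routes[nested] == DISCARD:
            return DISCARD
        return nh

    def trigger_blackhole(self, victim: str) -> None:
        """Step 3: inject the attacked destination with next-hop 192.0.2.1,
        after sanity checks that it is our own space and a single host."""
        net = ipaddress.ip_network(victim)
        if not any(net.subnet_of(space) for space in OPERATOR_SPACE):
            raise ValueError(f"{net} is outside the operator address space")
        if net.prefixlen < MIN_BLACKHOLE_LEN:
            raise ValueError(f"{net} is shorter than /{MIN_BLACKHOLE_LEN}")
        self.add_route(str(net), BLACKHOLE_NEXT_HOP)

    def urpf_loose_ok(self, src: str) -> bool:
        """Loose-mode uRPF (assumed behaviour): any route to the source passes,
        except one that resolves to discard."""
        return self.resolve(src) not in (None, DISCARD)

    def forward(self, src: str, dst: str) -> str:
        """Decision for one packet: 'forward', 'drop-urpf' or 'drop-dst'."""
        if not self.urpf_loose_ok(src):
            return "drop-urpf"
        if self.resolve(dst) in (None, DISCARD):
            return "drop-dst"
        return "forward"


def blackhole_rejected(router: Router, victim: str) -> bool:
    """True when the safety checks refuse to install a black-hole route."""
    try:
        router.trigger_blackhole(victim)
    except ValueError:
        return True
    return False


def demo() -> Dict[str, str]:
    r = Router()
    r.add_route("203.0.113.0/24", ipaddress.ip_address("10.0.0.2"))  # customer A
    r.add_route("198.51.100.0/24", ipaddress.ip_address("10.0.0.3"))  # customer B
    r.add_route("8.8.8.0/24", ipaddress.ip_address("10.0.0.1"))      # via upstream
    before = r.forward("8.8.8.8", "203.0.113.10")
    r.trigger_blackhole("203.0.113.10/32")  # customer A host under attack
    return {
        "victim_before": before,                                       # forward
        "victim_after": r.forward("8.8.8.8", "203.0.113.10"),          # drop-dst
        "neighbour_unaffected": r.forward("8.8.8.8", "203.0.113.11"),  # forward
        "victim_as_source": r.forward("203.0.113.10", "198.51.100.5"), # drop-urpf
        "unrouted_source": r.forward("240.0.0.1", "198.51.100.5"),     # drop-urpf
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:22} {decision}")
```

Running it shows the two properties the post relies on: only the attacked host route is dropped while its /24 neighbour keeps forwarding, and with loose uRPF the same discard route also stops packets that claim the black-holed address as their source. The checks in trigger_blackhole mirror the operational safeguard of accepting only host routes from your own space on the trigger path.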

I found a very good two-part blog post from Gonzalo Gómez Herrero (the author of Network Mergers and Migrations: Junos Design and Implementation, Wiley Series on Communications Networking & Distributed Systems) about the usage and pitfalls of RTBH in 6PE and inter-AS scenarios.

Links to Gonzalo's posts:

Part 1 about RTBH with 6PE – http://forums.juniper.net/t5/TheRoutingChurn/IPv6-destination-remote-triggered-blackholing-with-the-6PE-model/ba-p/186951

Part 2 about RTBH with 6PE – http://forums.juniper.net/t5/TheRoutingChurn/IPv6-destination-remote-triggered-blackholing-with-the-6PE-model/ba-p/187561
