Blackhole routing with BGP communities

Scenario

When under attack, if the ingress cannot absorb the huge volume of traffic, the usual approach is to move the service to a new IP and blackhole the old one.
When peering with an ISP, every ISP has its own BGP configuration conventions. The customer can use the community attribute to control many aspects of its own routes, including MED, local preference, AS-path prepending and selective announcement; another common use is blackholing a specific route.

Lab topology

https://blog.gnuers.org/?attachment_id=1393
The test environment has four routers:
– R1: the enterprise router
– R2: the ISP router
– R3: another ISP's router
– R4: a customer of the other ISP

Test plan

First bring up BGP across R1 to R4, then perform the following steps:

  1. On R1, add a prefix-list that advertises the specific route 5.5.5.6/32 directly to R2 and sets the community attribute 4134:666 (China Telecom's blackhole community) on it.
  2. On R2, add a match on community 4134:666:
ip community-list  standard  cm-blackhole permit 4134:666  
route-map out-filter permit 20  
match community cm-blackhole  
set local-preference 10  
set ip next-hop 172.20.20.1  
set community additive no-export  
route-map out-filter permit 30  
set local-preference 30  
set metric 30

The routing state on R1 through R4 can then be observed:

R1 routes

094846cab3a9# show ip bgp  
BGP table version is 0, local router ID is 10.10.0.22  
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,  
i internal, r RIB-failure, S Stale, R Removed  
Origin codes: i - IGP, e - EGP, ? - incomplete  
  
Network          Next Hop            Metric LocPrf Weight Path  
*> 4.4.4.0/24       0.0.0.0                121          32768 ?  
*> 5.5.5.0/24       0.0.0.0                121          32768 ?  
*> 5.5.5.6/32       0.0.0.0                121          32768 ?  
*> 6.6.6.0/24       0.0.0.0                121          32768 ?  
*> 8.8.8.0/24       0.0.0.0                121          32768 ?  
*  10.10.0.0/16     10.10.0.23             121              0 65010 ?  
*>                  0.0.0.0                121          32768 ?  
*> 100.100.100.1/32 0.0.0.0                121          32768 ?  
*> 100.100.100.2/32 10.10.0.23             121              0 65010 ?  
*> 100.100.100.3/32 10.10.0.23                             0 65010 65002 ?  
*> 100.100.100.4/32 10.10.0.23                             0 65010 65002 65003 ?  
*  172.18.0.0       10.10.0.23             121              0 65010 ?  
*>                  0.0.0.0                121          32768 ?  
  
Displayed  11 out of 13 total prefixes  
094846cab3a9# show ip bgp neighbors 10.10.0.23 advertised-routes  
BGP table version is 0, local router ID is 10.10.0.22  
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,  
i internal, r RIB-failure, S Stale, R Removed  
Origin codes: i - IGP, e - EGP, ? - incomplete  
  
Network          Next Hop            Metric LocPrf Weight Path  
*> 4.4.4.0/24       10.10.0.22             121          32768 ?  
*> 5.5.5.0/24       10.10.0.22             121          32768 ?  
*> 5.5.5.6/32       10.10.0.22             121          32768 ?  
*> 8.8.8.0/24       10.10.0.22             121          32768 ?  
*> 100.100.100.1/32 10.10.0.22             121          32768 ?

R2 routes

05fe39a5b056# show ip bgp neighbors 10.10.0.22 routes  
BGP table version is 0, local router ID is 10.10.0.23  
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,  
i internal, r RIB-failure, S Stale, R Removed  
Origin codes: i - IGP, e - EGP, ? - incomplete  
  
Network          Next Hop            Metric LocPrf Weight Path  
*> 4.4.4.0/24       10.10.0.22             110              0 65001 65001 ?  
*> 5.5.5.0/24       10.10.0.22             110              0 65001 65001 ?  
*> 5.5.5.6/32       10.10.0.22             110              0 65001 65001 ?  
*> 8.8.8.0/24       10.10.0.22             100     250       0 65010 65001 ?  
*> 100.100.100.1/32 10.10.0.22             100     250       0 65010 65001 ?  
  
Displayed  5 out of 12 total prefixes  
05fe39a5b056# show ip bgp 5.5.5.6/32  
BGP routing table entry for 5.5.5.6/32  
Paths: (1 available, best #1, table Default-IP-Routing-Table)  
Advertised to non peer-group peers:  
10.10.0.24  
65001 65001  
10.10.0.22 from 10.10.0.22 (10.10.0.22)  
Origin incomplete, metric 110, localpref 100, valid, external, best  
Community: 4134:666  
Last update: Tue Mar 14 07:17:16 2017

We can see that the 5.5.5.6/32 route received by R2 carries the community 4134:666.
Now look at R3.

R3 routes

cc6a781cbc3a# show ip bgp neighbors  10.10.0.23 routes  
BGP table version is 0, local router ID is 10.10.0.24  
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,  
i internal, r RIB-failure, S Stale, R Removed  
Origin codes: i - IGP, e - EGP, ? - incomplete  
  
Network          Next Hop            Metric LocPrf Weight Path  
*> 4.4.4.0/24       10.10.0.23              30             0 65010 65001 65001 ?  
*> 5.5.5.0/24       10.10.0.23              30             0 65010 65001 65001 ?  
*> 5.5.5.6/32       172.20.20.1                            0 65010 65001 65001 ?  
*> 8.8.8.0/24       10.10.0.23              30             0 65010 65010 65001 ?  
*  10.10.0.0/16     10.10.0.23              30             0 65010 ?  
*> 100.100.100.1/32 10.10.0.23              30             0 65010 65010 65001 ?  
*> 100.100.100.2/32 10.10.0.23              30             0 65010 ?  
*  172.18.0.0       10.10.0.23              30             0 65010 ?  
  
Displayed  8 out of 14 total prefixes  
cc6a781cbc3a# show ip bgp 5.5.5.6/32  
BGP routing table entry for 5.5.5.6/32  
Paths: (1 available, best #1, table Default-IP-Routing-Table, not advertised to EBGP peer)  
Not advertised to any peer  
65010 65001 65001  
172.20.20.1 from 10.10.0.23 (10.10.0.23)  
Origin incomplete, localpref 100, valid, external, best  
Community: 4134:666 no-export  
Last update: Tue Mar 14 07:17:44 2017

We can see that when R2 forwards the route we want to blackhole, 5.5.5.6/32, to R3, it tags it with no-export as required and rewrites the next hop to a nonexistent IP, 172.20.20.1 (on Quagga you cannot set 127.0.0.1 directly, as that prevents the neighbor session from establishing).

R4 routes

db71d04826e4# show ip bgp neighbors 10.10.0.24 routes  
BGP table version is 0, local router ID is 10.10.0.25  
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,  
i internal, r RIB-failure, S Stale, R Removed  
Origin codes: i - IGP, e - EGP, ? - incomplete  
  
Network          Next Hop            Metric LocPrf Weight Path  
*> 4.4.4.0/24       10.10.0.24                             0 65002 65010 65001 65001 ?  
*> 5.5.5.0/24       10.10.0.24                             0 65002 65010 65001 65001 ?  
*> 8.8.8.0/24       10.10.0.24                             0 65002 65010 65010 65001 ?  
*  10.10.0.0/16     10.10.0.24             121              0 65002 ?  
*> 100.100.100.1/32 10.10.0.24                             0 65002 65010 65010 65001 ?  
*> 100.100.100.2/32 10.10.0.24                             0 65002 65010 ?  
*> 100.100.100.3/32 10.10.0.24             121              0 65002 ?  
*  172.18.0.0       10.10.0.24             121              0 65002 ?

As shown above, R4 has no 5.5.5.6/32 route at all. Although its /24 route points to R3, R3's local 5.5.5.6/32 route points to an invalid IP, so traffic from R4 toward the blackholed IP 5.5.5.6/32 stops at R3. In a real carrier network, 172.20.20.1 would normally be routed to Null0 on the router so that all traffic to it is discarded.
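The propagation walked through above can be checked without a lab. The following is an added example, not code from the original post: it re-implements the relevant prefix-list, community-list and route-map logic of the R1 and R2 configurations in plain Python and pushes R1's routes through R2 and R3 to R4. The prefixes, ASNs, the 4134:666 community and the 172.20.20.1 next hop are the lab's own values; the simplified BGP behaviour (next-hop-self, AS prepend, no-export handling, no inbound policy on R2) is this model's assumption, so AS paths and metrics are not expected to match the router output exactly.

```python
"""Model of the community-based blackhole propagation in the four-router Quagga lab.

Added example, not part of the original post. It reproduces R1's tagging
route-map and R2's blackhole route-map in Python so the expected result
(R3 holds 5.5.5.6/32 with the discard next hop, R4 never learns the /32)
can be asserted. BGP itself is reduced to next-hop-self, AS prepending and
the well-known no-export rule; that simplification is an assumption here.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_network

BLACKHOLE_COMMUNITY = "4134:666"  # community matched by R2's cm-blackhole list
NO_EXPORT = "no-export"           # well-known community: do not pass to eBGP peers
DISCARD_NEXT_HOP = "172.20.20.1"  # unreachable next hop set by R2 (Null0 route in production)


@dataclass(frozen=True)
class Route:
    prefix: str
    next_hop: str
    as_path: tuple = ()
    communities: frozenset = frozenset()


def prefix_list_match(entries, prefix):
    """Evaluate a Quagga-style prefix-list given as (action, network, ge, le) tuples.

    A prefix matches an entry when it lies inside the entry's network and its
    length is within [ge, le]: with neither keyword the length must be exact,
    'ge' alone extends the range up to /32. The first matching entry decides;
    no match is the implicit deny.
    """
    net = ip_network(prefix)
    for action, network, ge, le in entries:
        if network == "any":
            return action == "permit"
        entry = ip_network(network)
        lo = ge if ge is not None else entry.prefixlen
        if le is not None:
            hi = le
        elif ge is not None:
            hi = entry.max_prefixlen
        else:
            hi = entry.prefixlen
        if net.subnet_of(entry) and lo <= net.prefixlen <= hi:
            return action == "permit"
    return False


# R1 prefix-lists, transcribed from the configuration in the post
R1_BLACKHOLE = [("permit", "5.5.5.6/32", None, None)]
R1_OUT = [
    ("permit", "4.4.4.0/24", None, None),
    ("permit", "5.5.5.0/24", None, None),
    ("permit", "8.8.8.0/24", None, None),
    ("permit", "100.100.100.0/23", 24, None),
    ("permit", "10.0.0.0/8", None, None),
    ("deny", "any", None, None),
]


def r1_out_filter(route):
    """R1 'route-map out-filter' toward R2: seq 5 tags the blackhole /32, seq 10 permits r1-out."""
    if prefix_list_match(R1_BLACKHOLE, route.prefix):
        return replace(route, communities=route.communities | {BLACKHOLE_COMMUNITY})
    if prefix_list_match(R1_OUT, route.prefix):
        return route
    return None  # no sequence matched: the route-map's implicit deny


def r2_out_filter(route):
    """R2 'route-map out-filter' toward R3: seq 20 blackholes tagged routes, seq 30 passes the rest."""
    if BLACKHOLE_COMMUNITY in route.communities:  # match community cm-blackhole
        return replace(route, next_hop=DISCARD_NEXT_HOP,
                       communities=route.communities | {NO_EXPORT})
    return route  # seq 30 only touches local-pref and metric, which do not matter here


def ebgp_advertise(routes, local_as, local_address, route_map=None):
    """Send a table to an eBGP peer: drop no-export routes, apply the export policy,
    prepend the local AS, and use next-hop-self unless the policy rewrote the next hop."""
    advertised = []
    for route in routes:
        if NO_EXPORT in route.communities:
            continue  # well-known community: the route never leaves this AS
        out = route_map(route) if route_map else route
        if out is None:
            continue
        next_hop = out.next_hop if out.next_hop != route.next_hop else local_address
        advertised.append(replace(out, next_hop=next_hop, as_path=(local_as,) + out.as_path))
    return advertised


def simulate():
    """Return the BGP tables of R2, R3 and R4 after R1 originates its connected routes."""
    r1_table = [Route(p, "0.0.0.0") for p in ("4.4.4.0/24", "5.5.5.0/24", "5.5.5.6/32",
                                              "6.6.6.0/24", "8.8.8.0/24", "100.100.100.1/32")]
    r2_table = ebgp_advertise(r1_table, 65001, "10.10.0.22", r1_out_filter)  # R1 -> R2
    r3_table = ebgp_advertise(r2_table, 65010, "10.10.0.23", r2_out_filter)  # R2 -> R3
    r4_table = ebgp_advertise(r3_table, 65002, "10.10.0.24")                 # R3 -> R4
    return {"R2": r2_table, "R3": r3_table, "R4": r4_table}


def lookup(table, prefix):
    """Return the route for an exact prefix, or None when the router has not learned it."""
    return next((r for r in table if r.prefix == prefix), None)


if __name__ == "__main__":
    tables = simulate()
    for name, table in tables.items():
        print(f"{name}: {sorted(r.prefix for r in table)}")
    r3_route = lookup(tables["R3"], "5.5.5.6/32")
    print("R3 next hop for 5.5.5.6/32:", r3_route.next_hop, sorted(r3_route.communities))
    print("R4 has 5.5.5.6/32:", lookup(tables["R4"], "5.5.5.6/32") is not None)
```

The two checks that matter are the ones the router output above confirms: on R3 the /32 carries both 4134:666 and no-export and points at 172.20.20.1, and on R4 the /32 is absent while the covering 5.5.5.0/24 is still present, so R4 forwards toward R3 and the traffic dies there.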

Full configuration

The full configuration follows:

R1  
----  
log file /var/log/quagga/bgpd.log  
password bgp  
router bgp 65001  
bgp router-id 10.10.0.22  
redistribute connected metric 121  
neighbor 10.10.0.23 remote-as 65010  
neighbor 10.10.0.23 password DOCKER  
neighbor 10.10.0.23 ebgp-multihop 255  
neighbor 10.10.0.23 next-hop-self  
neighbor 10.10.0.23 route-map out-filter  out  
distance bgp 250 200 150  
!  
!  
ip prefix-list blackhole seq 5 permit 5.5.5.6/32  
!ip prefix-list blackhole seq 10 permit 5.5.5.0/24  
ip prefix-list r1-out seq 5 permit 4.4.4.0/24  
ip prefix-list r1-out seq 6 permit 5.5.5.0/24  
ip prefix-list r1-out seq 11 permit 8.8.8.0/24  
ip prefix-list r1-out seq 15 permit 100.100.100.0/23 ge 24  
ip prefix-list r1-out seq 25 permit 10.0.0.0/8  
ip prefix-list r1-out seq 50 deny any  
!  
route-map out-filter permit 5  
match ip address prefix-list  blackhole  
set community 4134:666  
  
route-map out-filter permit 10  
match ip address prefix-list  r1-out  
  
!  
  
R2  
---  
  
log file /var/log/quagga/bgpd.log  
password bgp  
router bgp 65010  
distance bgp 250  200 150  
bgp router-id 10.10.0.23  
neighbor 10.10.0.22 remote-as  65001  
neighbor 10.10.0.24 remote-as  65002  
neighbor 10.10.0.22 password DOCKER  
neighbor 10.10.0.24 password DOCKER  
neighbor 10.10.0.22 route-map in-filter in  
neighbor 10.10.0.24 route-map out-filter out  
neighbor 10.10.0.22 ebgp-multihop  
neighbor 10.10.0.24 ebgp-multihop  
neighbor 10.10.0.22 next-hop-self  
neighbor 10.10.0.24 next-hop-self  
redistribute connected  metric 121  
access-list all permit any  
ip prefix-list from-r1-in seq 5 permit 4.4.4.0/24  
ip prefix-list from-r1-in seq 6 permit 5.5.5.0/24 le 32  
!ip prefix-list from-r1-in seq 7 permit 8.8.8.0/24  
!ip prefix-list from-r1-in seq 15 permit 100.100.100.0/24 le 32  
ip prefix-list from-r1-in seq 20 permit 10.0.0.0/8  
ip prefix-list from-r1-in seq 50 deny any  
  
ip prefix-list from-r1-in-t1 seq 7 permit 8.8.8.0/24 le 32  
ip prefix-list from-r1-in-t1 seq 15 permit 100.100.100.0/24 le 32  
  
ip prefix-list to-r3 seq 5 permit any  
  
  
ip community-list  standard  cm-blackhole permit 4134:666  
!ip community-list  standard  cm-blackhole permit  
  
route-map out-filter permit 20  
match community cm-blackhole  
set local-preference 10  
set ip next-hop 172.20.20.1  
set community additive no-export  
route-map out-filter permit 30  
set local-preference 30  
set metric 30  
  
route-map in-filter permit 5  
match ip address prefix-list from-r1-in-t1  
set as-path prepend 65010  
set metric 100  
set local-preference 250  
set community 65002:4134  
  
route-map in-filter permit 10  
match ip address prefix-list from-r1-in  
set as-path prepend 65001  
set metric 110  
  
R3  
---  
log file /var/log/quagga/bgpd.log  
password bgp  
router bgp 65002  
distance bgp 250  200 150  
bgp router-id 10.10.0.24  
neighbor 10.10.0.23 remote-as  65010  
neighbor 10.10.0.23 password DOCKER  
neighbor 10.10.0.23 ebgp-multihop  
neighbor 10.10.0.23 next-hop-self  
neighbor 10.10.0.25 remote-as  65003  
neighbor 10.10.0.25 password DOCKER  
neighbor 10.10.0.25 ebgp-multihop  
neighbor 10.10.0.25 next-hop-self  
redistribute connected  metric 121  
access-list all permit any  
  
  
  
R4  
---  
log file /var/log/quagga/bgpd.log  
password bgp  
router bgp 65003  
distance bgp 250  200 150  
bgp router-id  10.10.0.25  
neighbor  10.10.0.24 remote-as  65002  
neighbor  10.10.0.24 password DOCKER  
redistribute connected  metric 121  
access-list all permit any