Blackholing Routes

Problem

You don't want to route any traffic to particular networks.

Solution

Define static routes to these networks that discard the traffic:

	[edit routing-options]
	aviva@router1# set static route 1.0.0.0/8 discard
	aviva@router1# set static route 2.0.0.0/8 discard

 

Discussion

There are some network addresses to which the router should never send traffic, and you never want routes to these networks to be installed in the routing table by one or all routing protocols. A good practice for dealing with these routes is to blackhole them. You do this by defining static routes to them with a next hop of discard. Packets being sent to these networks are then dropped. Also, the router does not send an ICMP (or ICMPv6) unreachable message in response to traffic sent to these networks, and the traffic to these networks is dropped silently. (When there is a reason to have the router send ICMP unreachable messages, use a next hop of reject instead.) Routes with a discard next hop are placed in the forwarding table with a next-hop type of dscd (discard).

Verify that the routes are in the routing table:

	aviva@router1> show route
	inet.0: 23 destinations, 23 routes (22 active, 0 holddown, 1 hidden)
	+ = Active Route, - = Last Active, * = Both
	1.0.0.0/8 *[Static/5] 00:03:41
	 Discard
	2.0.0.0/8 *[Static/5] 00:00:02
	 Discard

They are installed in the forwarding table as discard routes:

	aviva@router1> show route forwarding-table
	Routing table: inet
	Internet:
	Destination Type RtRef Next hop Type Index NhRef Netif
	1.0.0.0/8 user 0 dscd 12 3
	2.0.0.0/8 user 0 dscd 12 3

A good security practice is to blackhole addresses that have not yet been allocated by one of the domain registries, such as ARIN or RIPE (see http://www.iana.org/assignments/ipv4-address-space). This recipe shows two of those addresses. For a complete list, see http://www.cymru.com/gillsr/documents/junos-discard-routes.txt. Because these addresses are not allocated and no traffic should be destined for them anyway, you might wonder why you should bother blackholing traffic to them. One reason is to limit a malicious hacker's ability to attack your router with a DoS attack from external spoofed sources. It also reduces the potential for outbound spoofing from your network. Certain spammers may also use unallocated space to send spam, first by announcing a prefix from unallocated space and sending their spam, then quickly withdrawing the route. Another reason to blackhole unallocated addresses is to reduce the possibility of prefix hijacking. For example, an AS might announce a /16, and the spammer can announce some unused (or even used) space within the /16.

As a note of caution, unallocated-addresses space changes from time to time as new allocations are made. You need to pay close attention to the changes and change your filters accordingly so as not to block legitimate traffic.

See Also

Internet Assigned Numbers Authority (IANA) (http://www.iana.org/assignments/ipv4-address-space) and Team Cymru (http://www.cymru.com/gillsr/documents/junos-discard-routes.txt)


Router Configuration and File Management

Basic Router Security and Access Control

IPSec

SNMP

Logging

NTP

Router Interfaces

IP Routing

Routing Policy and Firewall Filters

RIP

IS-IS

OSPF

BGP

MPLS

VPNs

IP Multicast



JUNOS Cookbook
Junos Cookbook (Cookbooks (OReilly))
ISBN: 0596100140
EAN: 2147483647
Year: 2007
Pages: 290
Authors: Aviva Garrett

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net