What is Black Hole Routing?
DDoS blackhole routing (also called blackhole filtering or blackholing) is a countermeasure against a DDoS attack in which traffic for the targeted address is routed into a “black hole”, a null route, and discarded. When blackhole filtering is implemented without more specific restriction criteria, both legitimate and malicious traffic to that destination is dropped from the network. The drop is silent: with a connectionless protocol such as UDP the sender gets no indication that its packets were discarded, and with a connection-oriented protocol such as TCP the sender only learns of it indirectly, because the handshake with the target never completes and the connection attempt times out.
For organizations that have no other means of blocking an attack, blackholing is a widely available option, but it can have serious side effects that make it an undesirable way to mitigate a DDoS attack. Much as antibiotics kill both good and bad bacteria, a blackhole implemented without care will indiscriminately disrupt all sources of traffic to the affected address or service. Sophisticated attacks also rotate source IP addresses and attack vectors, which limits the effectiveness of blackholing as the sole means of disrupting an attack.
A key consequence of blackhole routing when good traffic is also affected is that the attacker has essentially accomplished their goal: traffic to the targeted address or service is disrupted. Even so, blackhole routing is useful when the target is a single host or small site that is part of a larger network. Blackholing only the traffic destined for the targeted address sacrifices that address but protects the rest of the network, its links and its other services, from the effects of the attack.
Getting started with VyOS
First, install VyOS. The ISO image can be downloaded directly from the community servers, or you can download the VMware OVA image if you are going to run it on a virtual machine host. Once you have the image, install the software on a physical server or a virtual machine.
The configuration examples below contain placeholders, written as {{variable}}, that you must replace with your own values.
Initial Configuration
#####
# Setup base system configurations
#####
set system host-name '{{hostname}}'
set system domain-name '{{domain-name}}'
set system time-zone '{{local-time-zone}}'

## Setup configuration management history
set system config-management commit-revisions '20'

## Setup SYSLOG services
set system syslog global facility all level 'notice'
set system syslog global facility protocols level 'debug'

## Setup DNS resolvers
set system name-server '{{dns-server-1}}'
set system name-server '{{dns-server-2}}'

## Setup NTP source servers
set system ntp server '0.pool.ntp.org'
set system ntp server '1.pool.ntp.org'
set system ntp server '2.pool.ntp.org'

## Enable remote SSH access to the server
set service ssh port '22'

## Setup system package repository
set system package auto-sync '1'
set system package repository community components 'main'
set system package repository community distribution 'helium'
set system package repository community password ''
set system package repository community url 'http://packages.vyos.net/vyos'
set system package repository community username ''
Next, we need to set up the eBGP policies and route-maps. Below is an example configuration.
## Black Hole Routing Communities
set policy community-list 100 description 'Black Hole Routing Communities'
set policy community-list 100 rule 10 action 'permit'
set policy community-list 100 rule 10 regex '65535:666'
set policy community-list 100 rule 20 action 'permit'
set policy community-list 100 rule 20 regex '65535:9999'

## IPv4 Prefix Lists
set policy prefix-list DEFAULT-ROUTE-v4 rule 10 action 'permit'
set policy prefix-list DEFAULT-ROUTE-v4 rule 10 prefix '0.0.0.0/0'
set policy prefix-list BHR-ROUTES-v4 rule 10 action 'permit'
set policy prefix-list BHR-ROUTES-v4 rule 10 ge '32'
set policy prefix-list BHR-ROUTES-v4 rule 10 le '32'
set policy prefix-list BHR-ROUTES-v4 rule 10 prefix '0.0.0.0/0'

## Route Maps
### BHR-ROUTERS-IN
set policy route-map BHR-ROUTERS-IN description 'Black Hole Routers - Import Policy'
set policy route-map BHR-ROUTERS-IN rule 10 action 'deny'
set policy route-map BHR-ROUTERS-IN rule 10 description 'Block all received route prefixes'

### BHR-ROUTERS-OUT
set policy route-map BHR-ROUTERS-OUT description 'Black Hole Routers - Export Policy'
set policy route-map BHR-ROUTERS-OUT rule 10 action 'deny'
set policy route-map BHR-ROUTERS-OUT rule 10 description 'Block announcements of default route'
set policy route-map BHR-ROUTERS-OUT rule 10 match ip address prefix-list 'DEFAULT-ROUTE-v4'
set policy route-map BHR-ROUTERS-OUT rule 20 action 'permit'
set policy route-map BHR-ROUTERS-OUT rule 20 description 'Announce static routes matching /32 prefix length'
set policy route-map BHR-ROUTERS-OUT rule 20 match ip address prefix-list 'BHR-ROUTES-v4'
set policy route-map BHR-ROUTERS-OUT rule 20 set community '65535:666'
set policy route-map BHR-ROUTERS-OUT rule 20 set ip-next-hop '192.0.2.1'
set policy route-map BHR-ROUTERS-OUT rule 30 action 'permit'
set policy route-map BHR-ROUTERS-OUT rule 30 description 'Reannounce received black hole route communities'
set policy route-map BHR-ROUTERS-OUT rule 30 match ip address prefix-list 'BHR-ROUTES-v4'
set policy route-map BHR-ROUTERS-OUT rule 30 match community community-list '100'
set policy route-map BHR-ROUTERS-OUT rule 30 set ip-next-hop '192.0.2.1'
set policy route-map BHR-ROUTERS-OUT rule 9999 action 'deny'
set policy route-map BHR-ROUTERS-OUT rule 9999 description 'Deny all other announcements'

A few points about this policy. BHR-ROUTES-v4 is written as '0.0.0.0/0 ge 32 le 32' so that it matches only /32 host routes, as the description of rule 20 says; with only le '32' it would match every prefix, and a mistyped static route could blackhole an entire block. Rule 30 is effectively unreachable: any prefix it could match is already permitted by rule 20, and BHR-ROUTERS-IN rejects every received route, so this router only ever announces its own static /32s. The community 65535:666 is the well-known BLACKHOLE community (RFC 7999); 65535:9999 is a locally chosen value that the receiving routers must be configured to recognise. The next-hop 192.0.2.1 is deliberately an address nobody uses; the receiving routers must have a discard route for it so that traffic to the announced /32s is dropped.
We are now ready to set up the eBGP protocol service and some eBGP peering neighbors. You will also need to configure a matching peering session on each receiving router, and a static discard route on those routers for the 192.0.2.1 next-hop (to Null0 or its equivalent); how that is done depends on the platform and is outside the scope of this document. Protect the sessions with a TCP MD5 password (VyOS: set protocols bgp 65535 neighbor {{peer}} password '{{secret}}'), and have the receiving routers accept from this peer only /32 prefixes inside your own address space that carry the blackhole community: a compromised or misconfigured trigger router could otherwise blackhole anything you announce.
## eBGP Peering Sessions
set protocols bgp 65535 parameters router-id '{{vyos-ip-address}}'
set protocols bgp 65535 redistribute 'static'
set protocols bgp 65535 peer-group BHR_ROUTERS ebgp-multihop '255'
set protocols bgp 65535 peer-group BHR_ROUTERS route-map export 'BHR-ROUTERS-OUT'
set protocols bgp 65535 peer-group BHR_ROUTERS route-map import 'BHR-ROUTERS-IN'
set protocols bgp 65535 peer-group BHR_ROUTERS soft-reconfiguration 'inbound'
set protocols bgp 65535 neighbor {{peer-01}} description "eBGP Neighbor #1"
set protocols bgp 65535 neighbor {{peer-01}} peer-group 'BHR_ROUTERS'
set protocols bgp 65535 neighbor {{peer-01}} remote-as '65500'
set protocols bgp 65535 neighbor {{peer-02}} description "eBGP Neighbor #2"
set protocols bgp 65535 neighbor {{peer-02}} peer-group 'BHR_ROUTERS'
set protocols bgp 65535 neighbor {{peer-02}} remote-as '65500'
Once a peering session is established, you trigger a blackhole by adding a static route for the attacked host marked “blackhole”. After commit it is redistributed into BGP, tagged with 65535:666, given the 192.0.2.1 next-hop and announced to your core or edge routers, which then drop traffic for that address. Delete the route (and commit) to withdraw the blackhole once the attack subsides.
## Static Route Entries
set protocols static route {{ip-address}}/32 blackhole
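To show how the trigger step behaves in practice, here is an added Python example; it is not part of VyOS or of the configuration above. It wraps the static-route step in the checks a practitioner wants before blackholing anything (only a single IPv4 /32, only inside the prefixes you announce, never one of your own infrastructure addresses), emits the VyOS commands to add or withdraw the route, and models what the BHR-ROUTERS-OUT export policy announces for a given prefix, assuming BHR-ROUTES-v4 is restricted to /32 host routes as the description of rule 20 states. The prefixes and host addresses are constructed sample data from the documentation ranges; OUR_PREFIXES, PROTECTED_HOSTS and the function names are the example's own.

```python
"""Guarded RTBH trigger helper (added example, not VyOS code or the page's configuration).

Generates the VyOS commands that add or withdraw a blackhole static route, but only
after checking that the target is a single IPv4 host inside our own address space and
not one of our infrastructure addresses. It also models what route-map
BHR-ROUTERS-OUT announces for a prefix. All addresses below are constructed sample data.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample data: the address space this network announces and may blackhole.
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]
# Constructed sample data: addresses that must never be blackholed (router, BGP peer, resolver).
PROTECTED_HOSTS = {ipaddress.ip_address(a) for a in ("203.0.113.1", "203.0.113.2", "198.51.100.53")}

BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE, as set by route-map rule 20
DISCARD_NEXT_HOP = "192.0.2.1"     # next-hop the receiving routers must route to null


class RtbhError(ValueError):
    """Raised when a requested blackhole would be unsafe or malformed."""


def validate_target(target: str) -> ipaddress.IPv4Address:
    """Return the host address if `target` is a safe RTBH candidate, else raise RtbhError."""
    try:
        # strict=True rejects inputs such as 203.0.113.5/24 that have host bits set
        net = ipaddress.ip_network(target, strict=True)
    except ValueError as exc:
        raise RtbhError(f"not a valid address or prefix: {target!r}") from exc
    if net.version != 4 or net.prefixlen != 32:
        raise RtbhError(f"only IPv4 /32 host routes may be blackholed: {target!r}")
    addr = net.network_address
    if not any(addr in prefix for prefix in OUR_PREFIXES):
        raise RtbhError(f"{addr} is outside our announced address space")
    if addr in PROTECTED_HOSTS:
        raise RtbhError(f"{addr} is an infrastructure address and must not be blackholed")
    return addr


def is_safe_target(target: str) -> bool:
    """Boolean form of validate_target, for callers that only need a yes/no answer."""
    try:
        validate_target(target)
        return True
    except RtbhError:
        return False


def blackhole_commands(target: str, withdraw: bool = False) -> List[str]:
    """VyOS commands to install (or, with withdraw=True, remove) the blackhole for one host."""
    addr = validate_target(target)
    verb = "delete" if withdraw else "set"
    return [
        "configure",
        f"{verb} protocols static route {addr}/32 blackhole",
        "commit",
        "save",
        "exit",
    ]


def export_policy(prefix: str) -> Optional[Dict[str, object]]:
    """Model of route-map BHR-ROUTERS-OUT with BHR-ROUTES-v4 limited to /32 (ge 32 le 32).

    Returns the attributes the eBGP peer would receive, or None when the route-map denies
    the prefix. Rules are evaluated in order and the first match wins, as in the router.
    Rule 30 is not modelled: every prefix it could match is already taken by rule 20.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen == 0:                          # rule 10: deny the default route
        return None
    if net.version == 4 and net.prefixlen == 32:    # rule 20: tag and redirect host routes
        return {
            "prefix": str(net),
            # 'set community' without 'additive' replaces any existing communities
            "communities": (BLACKHOLE_COMMUNITY,),
            "next_hop": DISCARD_NEXT_HOP,
        }
    return None                                     # rule 9999: deny everything else


if __name__ == "__main__":
    for cmd in blackhole_commands("203.0.113.45"):
        print(cmd)
    print(export_policy("203.0.113.45/32"))
    print(export_policy("203.0.113.0/24"))
```

The emitted commands are meant to be pasted into the VyOS shell (or fed to it by your automation); the value of the helper is the refusal path, which keeps an operator under pressure from blackholing a whole /24, a peer's address or the router itself.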