what it’s all about?

on the internet, not all IPv4 and IPv6 prefixes are sources or destinations of traffic you’d like to have anything in common with. some of them are used or controlled by bad actors who may try to compromise your network (you have most likely been selected at random, do not flatter yourself) or pursue other evil goals. why would you want to receive that traffic, or send traffic towards them?

so how about creating a dynamic register of such bad prefixes and advertising it over BGP, which has very flexible routing policy tools? we would have a distribution system similar to ACLs, but much faster than any human could edit or automate.

BGP Blackholing PL is essentially a modern incarnation of an idea that I initially started 17 years ago. in today’s landscape, we are continuously confronted with new waves of malicious actors and compromised sites. so why wait for your sophisticated Next-Generation Firewall (NGFW) or Unified Threat Management (UTM) device to handle the filtering when we can perform the filtering at the routing layer, without burdening the more advanced devices? of course, this is feasible if your router supports BGP functionality.

the project consists of a set of route servers that advertise specific prefixes over BGP. these prefixes are sourced from trusted information channels that have been validated to contain legitimate, verified bad sources and/or destinations. these include prefixes from which no traffic should be originating (as they haven’t been allocated by IANA yet or are reserved).

the sources of information include:

  • bogons - prefixes for address space not yet allocated by IANA (or reserved)
  • prefixes (up to host routes - /32 and /128) identified as clearly hostile/malicious by organizations like Cisco Talos or Spamhaus (C&C botnet nodes, malware, spam sources)
  • other sources, also malicious or openly hostile (for example, spam scanners observed by BSDly)

how does it work then?

you can find numerous sources of information about BGP blackholing, so I don’t want to repeat everything that has already been told and demonstrated. take a look at:

in short, the logic behind the blackholing works like this:

  • somebody (me in this case) sets up and maintains BGP route servers that advertise those prefixes to anyone willing to set up a BGP session
  • each prefix is marked with a special community that signals the context of the advertisement (spam, malware, bogon, etc.)
  • your router receives the prefix and applies a policy, either based on the community or one that fits your purpose

…and that’s it. because the prefixes selected by threat intelligence organizations change pretty often (at least once a day), this scales and works better than trying to update your ACLs.

how can I get a BGP blackholing feed?

just connect from your BGP-running router to one or both of the route servers:

for IPv4

configure the following settings on your router:

  • Your ASN - 65055
  • our ASN - 65055
  • eBGP multihop session (TTL of 255 will work fine)
  • no password
  • version 4
  • our IPs - 77.79.194.196 and/or 195.136.71.54 (you can use both for redundancy)
  • your IP - your public IPv4
  • timers - 3600 for hello and 7200 for hold time (yes, I know, quite conservative)

if you can’t use ASN 65055, take a look below for ways to overcome that - it’s just an additional command in the config

for IPv6

configure the following settings on your router:

  • Your ASN - 65055
  • our ASN - 65055
  • eBGP multihop session (TTL of 255 will work fine)
  • no password
  • version 4
  • our IPs - 2001:1A68:0:1E::196 and/or 2a00:4120:8000:a::54 (you can use both for redundancy)
  • your IP - your public IPv6
  • timers - 3600 for hello and 7200 for hold time (yes, I know, quite conservative)

what kind of community will I receive?

  • Spamhaus “DROP” - Don’t Route Or Process - spam sources with community 65055:25 (at end of February 2022 - 945 prefixes)

  • Spamhaus “eDROP” - Extended Don’t Route Or Process (some additional sources of spam) - with community 65055:26 (at end of February 2022 - 59 prefixes)

  • BSDly spam trap - with community 65055:27 (at end of February 2022 - 1483 prefixes)

  • unassigned IPv4 and IPv6 prefixes - thanks to Team Cymru - with community 65055:666 (at end of February 2022 - 1470 IPv4 prefixes and 130050 prefixes for IPv6 - yes, that’s a pretty big list!)

  • host routes (IPv4 /32) from GreyNoise of hosts attacking Ukrainian networks (in the middle of March 2022 - around 250 prefixes) - with community 65055:667

  • host routes (IPv4 /32) from Abuse.ch - top aggressive/scanning ones - also with community 65055:667

  • “demo” list thanks to Cisco Talos (host /32 IPv4s) - with community 65055:999 (at end of February 2022 - 1100 prefixes)

so you’ll get around 5000 prefixes for IPv4 and about 130000 prefixes for IPv6. please check beforehand whether your platform can handle that!

I have the feed - now what?

make sure you’re dropping traffic from/to those prefixes. this is done by applying a policy to the defined BGP neighbors.

some example configurations for your routers:
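Since the configuration links did not survive on this page, here is a complete peering-plus-policy configuration as an added example in FRR (vtysh) syntax; it is not the project’s own configuration. It uses the route-server addresses, ASN, timers and communities listed above, and assumes a router that can run ASN 65055 itself, the documentation addresses 198.51.100.1 and 2001:db8::1 as its own session endpoints, the documentation-range address 192.0.2.1 and the RFC 6666 discard address 100::1 as blackhole next hops, and prefix limits picked with some headroom over the counts given above.

```text
! Added example (FRR / vtysh), not the project's own configuration.
! Assumed: this router is ASN 65055, sessions are sourced from
! 198.51.100.1 (IPv4) and 2001:db8::1 (IPv6), both documentation addresses.
!
! Discard next hops: any BGP route resolved through them is dropped in the FIB.
ip route 192.0.2.1/32 blackhole
ipv6 route 100::1/128 blackhole
!
! One community-list with an entry per feed. A standard list matches if
! ANY entry matches, so remove a line here to stop acting on that feed.
bgp community-list standard BH-FEEDS permit 65055:25
bgp community-list standard BH-FEEDS permit 65055:26
bgp community-list standard BH-FEEDS permit 65055:27
bgp community-list standard BH-FEEDS permit 65055:666
bgp community-list standard BH-FEEDS permit 65055:667
bgp community-list standard BH-FEEDS permit 65055:999
!
! Inbound policy: only routes carrying a known community are accepted, and
! their next hop is rewritten to the discard address. Anything else from the
! route servers is rejected by the implicit deny at the end of the route-map.
route-map BLACKHOLE-IN-V4 permit 10
 match community BH-FEEDS
 set ip next-hop 192.0.2.1
!
route-map BLACKHOLE-IN-V6 permit 10
 match community BH-FEEDS
 set ipv6 next-hop global 100::1
!
! Never announce anything back to the route servers.
route-map DENY-ALL deny 10
!
router bgp 65055
 bgp router-id 198.51.100.1
 no bgp ebgp-requires-policy
 !
 ! Same ASN on both ends, so FRR treats the session as iBGP (multihop is
 ! implicit there); the ebgp-multihop line is accepted and becomes relevant
 ! only if you present a different ASN with local-as, see the comment below.
 neighbor RS-V4 peer-group
 neighbor RS-V4 remote-as 65055
 neighbor RS-V4 ebgp-multihop 255
 neighbor RS-V4 timers 3600 7200
 neighbor RS-V4 update-source 198.51.100.1
 neighbor 77.79.194.196 peer-group RS-V4
 neighbor 195.136.71.54 peer-group RS-V4
 !
 neighbor RS-V6 peer-group
 neighbor RS-V6 remote-as 65055
 neighbor RS-V6 ebgp-multihop 255
 neighbor RS-V6 timers 3600 7200
 neighbor RS-V6 update-source 2001:db8::1
 neighbor 2001:1A68:0:1E::196 peer-group RS-V6
 neighbor 2a00:4120:8000:a::54 peer-group RS-V6
 !
 ! If 65055 cannot be your router's own ASN: keep your real ASN on the
 ! "router bgp" line and present 65055 to the route servers instead
 ! (assumption: this is the "additional command" the page refers to):
 !   neighbor RS-V4 local-as 65055 no-prepend replace-as
 !   neighbor RS-V6 local-as 65055 no-prepend replace-as
 !
 address-family ipv4 unicast
  neighbor RS-V4 route-map BLACKHOLE-IN-V4 in
  neighbor RS-V4 route-map DENY-ALL out
  ! the page quotes ~5000 IPv4 prefixes; tear the session down well above that
  neighbor RS-V4 maximum-prefix 10000
  no neighbor RS-V6 activate
 exit-address-family
 !
 address-family ipv6 unicast
  neighbor RS-V6 activate
  neighbor RS-V6 route-map BLACKHOLE-IN-V6 in
  neighbor RS-V6 route-map DENY-ALL out
  ! the page quotes ~130000 IPv6 prefixes; check your FIB can hold this first
  neighbor RS-V6 maximum-prefix 200000
 exit-address-family
```

After the sessions come up (`show ip bgp summary` / `show bgp ipv6 unicast summary` should list both route servers as Established with the expected prefix counts), the rewritten next hop drops traffic *towards* the advertised prefixes. Dropping traffic *from* them is a separate step: it needs loose-mode uRPF on your ingress interfaces, which FRR itself does not provide (on Cisco IOS that is `ip verify unicast source reachable-via any`), so that packets whose source route resolves to the discard next hop are dropped as well. The `maximum-prefix` limits are the safety valve for the platform-capacity warning above: if a feed grows past them the session is torn down instead of overflowing your FIB.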

FAQ

when will you run/advertise/use BGP FlowSpec?

I did some experiments with FlowSpec in the past, back when one vendor had serious problems with the implementation. I may return to that, given that over the last decade the solutions have got a bit better.

where to find other configuration examples?

it’s a very popular technique, so you should be able to find it using your favourite search engine. take a look here. if you can’t find anything, reach out to me directly; maybe I’ll be able to help.

why don’t you have a feed from X?

I’ll happily look at any feed X with a good reputation; however, I’m driving this myself and don’t have the money, time or power to do threat analytics of prefixes the way big CERTs and SOCs do. so I’m basing the served feeds on the sources I trust myself.

obviously, that doesn’t mean I won’t enable other sources with time - if you have something, let me take a look at it.

why don’t your feeds contain ad sources?

because you can block them in a much more efficient and quicker way using DNS, with either great free (Pi-hole) or commercial solutions.

what’s next?

have a good blackholing!