what’s it all about?

on the internet, not all IPv4 and IPv6 prefixes are sources or destinations you’d want to have anything in common with. some of them are used or controlled by bad actors who will try to compromise your network (you have most likely been selected at random, do not flatter yourself) or use it for other evil ends. why would you want to receive traffic from them? or send traffic towards them?

so how about building a dynamic register of such bad prefixes and advertising it over BGP, which comes with very flexible routing policy tools? we would get a distribution system similar to ACLs, but much faster than any human could edit or automate them.

BGP Blackholing PL is essentially a modern incarnation of an idea I started 17 years ago. in today’s landscape we are continuously confronted with new waves of malicious actors and compromised sites. so why wait for your sophisticated Next-Generation Firewall (NGFW) or Unified Threat Management (UTM) device to handle the filtering, when we can do it at the routing layer without burdening the more advanced devices? of course, this is feasible only if your router supports BGP.

note that this specific instance of the BGP Blackholing project is called ‘with FlowSpec’ for a reason - it’s an early experiment in serving bogons via FlowSpec. scale is limited to allow for testing. if you’re looking for the plain bogon feed, please go back to the main project page.

it’s experimental, don’t blame me for anything (yet)

this is a very experimental hack that I built on top of already existing infrastructure. so for now it’s just one route server (I may add more, if you find the project useful), and it serves just a handful of routes for IPv4 and for IPv6. it’s there to test your side, as I know that gear and software from different vendors still has a lot of problems with processing FlowSpec routes properly. so please don’t run it on a production system unless you really know what you are doing. also, configure safeguards (like a prefix limit, in whatever form your platform offers it) so that a broken or oversized feed cannot cause unexpected career-changing events.

how can I get a BGP with FlowSpec blackholing feed?

just connect from your BGP-speaking router to my route server (currently there is only one):

for IPv4 FS

configure the following settings on your router:

  • your ASN - 65055
  • our ASN - 65055
  • eBGP multihop session (TTL of 255 will work fine)
  • no password
  • version 4
  • our IP - 85.232.240.180
  • timers - 3600 for keepalive and 10800 for hold time (yes, I know, quite conservative)

for IPv6 FS

configure the following settings on your router:

  • your ASN - 65055
  • our ASN - 65055
  • eBGP multihop session (TTL of 255 will work fine)
  • no password
  • version 4
  • our IP - 2001:1a68:2c:2::180
  • timers - 3600 for keepalive and 10800 for hold time (yes, I know, quite conservative)

if you can’t use ASN 65055, take a look below for a way around that - it’s just one additional command in the config (local-as)

what kind of feed will I receive?

you’ll get a full feed of 1345 IPv4 and 45 IPv6 prefixes as of today (August 2023). they are split between a basic FlowSpec traffic-drop specification for spam sources (25/tcp) and mail brute-forcers (via the BSDly tarpitting list).
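to see what a rule of that shape looks like on the wire, and to have something to sanity-check a feed against before letting it install filters, here is an added example (written for this page, not the project’s code) that encodes and decodes RFC 8955/8956 FlowSpec NLRI and the traffic-rate extended community. the prefixes are constructed from documentation ranges, the /16 floor in check_rule is an assumed local policy, and the exact rule shape (destination prefix, protocol 6, destination port 25, rate 0 = discard) is my reading of the description above, not a guarantee of what the route server sends.

```python
"""Encode and decode BGP FlowSpec NLRI of the shape described above: drop TCP/25 towards a prefix.
Wire format per RFC 8955 (IPv4) and RFC 8956 (IPv6, adds a prefix-offset byte). Example code for this page."""
import ipaddress
import struct

DST_PREFIX, SRC_PREFIX = 1, 2                        # RFC 8955 section 4.2 component types
NUMERIC_NAMES = {3: "proto", 4: "port", 5: "dport", 6: "sport", 7: "icmp-type",
                 8: "icmp-code", 10: "pkt-len", 11: "dscp"}   # components carrying {op,value}+ lists
END, AND = 0x80, 0x40                                # numeric operator flag bits (e, a)
OPS = {0: "false", 1: "==", 2: ">", 3: ">=", 4: "<", 5: "<=", 6: "!=", 7: "true"}
TRAFFIC_RATE = b"\x80\x06"                           # traffic-rate extended community type/subtype

def encode_drop_tcp_port(prefix: str, port: int) -> bytes:
    """NLRI for: dst in <prefix> && ip-proto == 6 && dst-port == <port>."""
    net = ipaddress.ip_network(prefix)
    body = bytes([DST_PREFIX, net.prefixlen])
    if net.version == 6:
        body += b"\x00"                              # RFC 8956 prefix offset 0: a plain prefix
    body += net.network_address.packed[:(net.prefixlen + 7) // 8]
    body += bytes([3, END | 0x01, 6])                # proto: one 1-byte value, eq, end-of-list
    body += bytes([5, END | 0x10 | 0x01]) + struct.pack("!H", port)   # dport: 0x10 = 2-byte value
    if len(body) >= 240:
        raise ValueError("rule too long for the 1-byte NLRI length form")
    return bytes([len(body)]) + body

def traffic_rate_community(rate_bytes_per_sec: float, asn: int = 0) -> bytes:
    """RFC 8955 traffic-rate extended community; a rate of 0 means discard."""
    return TRAFFIC_RATE + struct.pack("!Hf", asn, rate_bytes_per_sec)

def _numeric_list(buf: bytes, pos: int):
    """Parse an {operator, value}+ list; returns (readable expression, new position)."""
    text = ""
    while True:
        op = buf[pos]
        length = 1 << ((op >> 4) & 0x03)             # value is 1, 2, 4 or 8 bytes
        value = int.from_bytes(buf[pos + 1:pos + 1 + length], "big")
        pos += 1 + length
        joiner = "" if not text else (" && " if op & AND else " || ")
        text += f"{joiner}{OPS[op & 0x07]} {value}"
        if op & END:
            return text, pos

def decode_nlri(nlri: bytes, afi: int = 4) -> dict:
    """Decode one FlowSpec NLRI (afi 4 or 6) into {component: expression}."""
    length, pos = nlri[0], 1
    if length >= 0xF0:                               # long form: 12-bit length over two bytes
        length, pos = ((length & 0x0F) << 8) | nlri[1], 2
    buf = nlri[pos:pos + length]
    if len(buf) != length:
        raise ValueError("NLRI shorter than its length field")
    rule, pos = {}, 0
    while pos < len(buf):
        ctype, pos = buf[pos], pos + 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen, pos = buf[pos], pos + 1
            if afi == 6:
                offset, pos = buf[pos], pos + 1
                if offset:
                    raise ValueError("non-zero IPv6 prefix offset not handled here")
            nbytes = (plen + 7) // 8
            raw = buf[pos:pos + nbytes].ljust(4 if afi == 4 else 16, b"\x00")
            pos += nbytes
            rule["dst" if ctype == DST_PREFIX else "src"] = str(ipaddress.ip_network((raw, plen)))
        elif ctype in NUMERIC_NAMES:
            rule[NUMERIC_NAMES[ctype]], pos = _numeric_list(buf, pos)
        else:                                        # 9 (tcp-flags) and 12 (fragment) use bitmask operators
            raise ValueError(f"component type {ctype} not handled")
    return rule

def decode_actions(ext_communities: bytes) -> list:
    """Interpret the traffic-filtering extended communities (8 bytes each)."""
    actions = []
    for i in range(0, len(ext_communities), 8):
        ec = ext_communities[i:i + 8]
        if ec[:2] == TRAFFIC_RATE:
            _asn, rate = struct.unpack("!Hf", ec[2:])
            actions.append("discard" if rate == 0 else f"rate-limit {rate:g} bytes/s")
        else:                                        # 0x8007 action, 0x8008 redirect, 0x8009 marking
            actions.append(f"unhandled extended community 0x{ec.hex()}")
    return actions

def check_rule(rule: dict, actions: list, min_prefixlen: int = 16) -> list:
    """Local sanity checks before a feed rule is installed; returns reasons to reject it.
    The /16 floor is an assumed local policy, not something the feed promises."""
    reasons = []
    if "dst" not in rule:
        reasons.append("no destination prefix: would match all traffic of that protocol/port")
    elif ipaddress.ip_network(rule["dst"]).prefixlen < min_prefixlen:
        reasons.append(f"destination prefix shorter than /{min_prefixlen}")
    if actions != ["discard"]:
        reasons.append("action is not a plain discard")
    return reasons

if __name__ == "__main__":
    for prefix, afi in (("192.0.2.0/24", 4), ("2001:db8::/32", 6)):   # constructed sample prefixes
        nlri = encode_drop_tcp_port(prefix, 25)
        rule, actions = decode_nlri(nlri, afi), decode_actions(traffic_rate_community(0))
        print(nlri.hex(), rule, actions, check_rule(rule, actions) or "ok")
```

run it with python3 and it prints the encoded NLRI bytes, the decoded match (the same thing your router will show as something like dst 192.0.2.0/24, proto == 6, dport == 25) and the action. the operator byte is where implementations most often disagree: the top bit ends the list, the next one ANDs with the previous term, two bits give the value length, and the low three bits are lt/gt/eq, so a decoder that gets this right on a hand-built range rule is a cheap way to check what your platform should be doing with the feed.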

I have the feed - now what?

BGP FlowSpec configuration is a bit more involved than basic Blackholing or Sinkholing, and includes some platform-specific parts you need to check against your vendor’s documentation.

a short example config for an IOS-XE router (comments are on their own lines, as IOS only treats ! as a comment at the start of a line):

!
! install the FlowSpec rules learnt over BGP as filters on every interface
flowspec  
 address-family ipv4
  local-install interface-all
 address-family ipv6
  local-install interface-all
!
router bgp X
 bgp log-neighbor-changes
 !
 ! remote ASN is 65055; whatever your own ASN (X) is, present 65055 with local-as
 neighbor 85.232.240.180 remote-as 65055
 neighbor 85.232.240.180 local-as 65055
 neighbor 85.232.240.180 ebgp-multihop 255
 !
 neighbor 2001:1A68:2C:2::180 remote-as 65055
 neighbor 2001:1A68:2C:2::180 local-as 65055
 neighbor 2001:1A68:2C:2::180 ebgp-multihop 255
 !
 ! safeguard: the session is torn down if the feed ever grows past the limit
 address-family ipv4 flowspec
  neighbor 85.232.240.180 activate
  neighbor 85.232.240.180 maximum-prefix 2500
 exit-address-family
 !
 address-family ipv6 flowspec
  neighbor 2001:1A68:2C:2::180 activate
  neighbor 2001:1A68:2C:2::180 maximum-prefix 500
 exit-address-family
!

FAQ

when will you add additional route servers?

when I find a moment to deploy additional XRv9000 routers. give me a couple of days. or weeks. or months ;) you can speed that up by dropping me an email saying how much you like the project and how much you’d like it to grow.

how about configuration for device X?

I’ll add some other configurations here soon. also, take a look at the answer above.

what’s next?

have a good flowspec-blackholing!