what’s it all about?

on the internet, not all IPv4 and IPv6 prefixes are sources or destinations of traffic you’d like to have anything in common with. some of them are used or controlled by bad actors who may try to compromise your network (you have most likely been selected at random, don’t flatter yourself) or pursue other evil goals. why would you want to receive that traffic? or send traffic towards them?

and how about creating a dynamic register of such bad prefixes and advertising it over BGP, which has very flexible routing policy tools? we would have a distribution system similar to ACLs, but much faster than any human could edit or automate.

BGP Blackholing PL is essentially a modern incarnation of an idea I started 17 years ago. in today’s landscape we are continuously confronted with new waves of malicious actors and compromised sites. so why wait for your sophisticated Next-Generation Firewall (NGFW) or Unified Threat Management (UTM) device to handle the filtering when we can do it at the routing layer, without burdening the more advanced devices? of course, this is feasible only if your router supports BGP.

note, this specific instance of the BGP Blackholing project is called ‘GEO-Blackholing’ for a reason - it’s actually not bogons we’re serving from the route servers, but ALL prefixes currently mapped to particular countries. while I have advocated against using such filtering, as in most cases it really gives you only a false sense of security, there may be valid use cases (for example compliance). if you’re looking for bogons, please go back to the main project page.

it’s experimental, don’t blame me for anything (yet)

this is a very experimental hack that I built on top of already existing infrastructure. so for now it’s just one route server (I may add more if you find the project useful), serving just a handful of country prefixes - the countries that source the most malware according to a bunch of threat intelligence feeds. to map such an abstract concept as a country to a prefix, I’m using the United Nations Statistics Division (M49) format, which gives us a nice 3-digit code for each country around the world. so in this case I’m serving the following country prefixes with matching BGP communities:

  • Belarus - UNSD 112, BGP community 65055:112, 110 IPv4 & 48 IPv6 prefixes
  • Brazil - UNSD 76, BGP community 65055:76, 4462 IPv4 & 8736 IPv6 prefixes
  • China - UNSD 156, BGP community 65055:156, 5491 IPv4 & 1988 IPv6 prefixes
  • Germany - UNSD 276, BGP community 65055:276, 8159 IPv4 & 2921 IPv6 prefixes
  • India - UNSD 356, BGP community 65055:356, 6405 IPv4 & 2198 IPv6 prefixes
  • North Korea - UNSD 408, BGP community 65055:408, 1 IPv4 prefix
  • Russian Federation - UNSD 653, BGP community 65055:643, 8789 IPv4 & 2616 IPv6 prefixes
  • Turkey - UNSD 792, BGP community 65055:792, 110 IPv4 & 48 IPv6 prefixes
  • United Arab Emirates - UNSD 784, BGP community 65055:784, 696 IPv4 & 443 IPv6 prefixes
  • Vietnam - UNSD 704, BGP community 65055:704, 937 IPv4 & 529 IPv6 prefixes

how can I get a BGP blackholing feed?

just connect from your BGP-running router to (currently only) one of my route servers:

for IPv4

configure the following settings on your router:

  • Your ASN - 65055
  • our ASN - 65055
  • eBGP multihop session (TTL of 255 will work fine)
  • no password
  • version 4
  • our IPs - 213.189.47.206
  • timers - 3600 for hello and 10800 for hold time (yes, I know, quite conservative)

for IPv6

configure the following settings on your router:

  • Your ASN - 65055
  • our ASN - 65055
  • eBGP multihop session (TTL of 255 will work fine)
  • no password
  • version 4
  • our IPs - 2001:1a68:0:1f::206
  • timers - 3600 for hello and 10800 for hold time (yes, I know, quite conservative)

if you can’t use ASN 65055, take a look below for a way to overcome that - it’s just one additional command (local-as) in the config

what kind of community will I receive?

you’ll get a full feed of 36320 IPv4 and 19926 IPv6 prefixes (56246 in aggregate) as of today (August 2023). country prefixes change rarely, but of course this will grow with time (and I may include additional countries in the future). you need to select which prefixes you want to accept, and then drop traffic to them (using unicast Reverse Path Filtering/Forwarding) and from them (normal routing will do).

I have the feed - now what?

make sure you’re dropping traffic from/to those prefixes. this is done by applying a policy to the defined BGP neighbors. you can do that easily on your routers, or for example on firewalls that are able to run BGP and apply policies to it.

a short example config for your IOS-XE router:

!
ip bgp-community new-format
!
! all possible community values - you may decide to define only those
! you'll be using
!
ip community-list standard bgp-geo-by permit 65055:112
ip community-list standard bgp-geo-br permit 65055:76
ip community-list standard bgp-geo-cn permit 65055:156
ip community-list standard bgp-geo-de permit 65055:276
ip community-list standard bgp-geo-in permit 65055:356
ip community-list standard bgp-geo-nk permit 65055:408
ip community-list standard bgp-geo-ru permit 65055:643
ip community-list standard bgp-geo-uae permit 65055:784
ip community-list standard bgp-geo-vn permit 65055:704
!
! IANA TEST-NET-1 we'll use to blackhole traffic
!
ip route 192.0.2.0 255.255.255.0 Null0 250 name IANA-TEST-NET-1
ip route 192.0.2.1 255.255.255.255 Null0 name BGP-GEO-BLACKHOLING
!
ipv6 unicast-routing
ipv6 route 100::1/128 Null0 name BGP-BLACKHOLING
ipv6 route 100::/64 Null0 name BGP-BLACKHOLING-RFC6666
!
ip prefix-list DENY-ANY seq 5 deny 0.0.0.0/0 le 32
ipv6 prefix-list DENY-ANY-V6 seq 5 deny ::/0 le 128
!
! routing policy for prefixes matching a given community
! note you can match multiple communities in one entry,
! but the example below keeps one community per entry for clarity
!
route-map BGP-GEO-BH-FEED-IN permit 10 
 match community bgp-geo-by
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 20 
 match community bgp-geo-br
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 30 
 match community bgp-geo-cn
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 40
 match community bgp-geo-de
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 50 
 match community bgp-geo-in
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 60
 match community bgp-geo-nk
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 70
 match community bgp-geo-ru
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 80
 match community bgp-geo-uae
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
route-map BGP-GEO-BH-FEED-IN permit 90
 match community bgp-geo-vn
 set local-preference 666
 set origin igp
 set ip next-hop 192.0.2.1
 set ipv6 next-hop 100::1
!
! just for sake of security (for you)
!
route-map BGP-GEO-BH-FEED-IN deny 9999 
!
router bgp X
 !
 ! on IOS-XE 17.x this makes eBGP sessions not come up before
 ! inbound & outbound policy is applied, in line with RFC 8212
 !
 bgp safe-ebgp-policy
 !
 bgp log-neighbor-changes
 !
 ! remote ASN is 65055; whatever your own ASN is, use 65055 as local-as
 ! (IOS does not accept trailing "!" comments on a command line, so they go here)
 neighbor 213.189.47.206 remote-as 65055
 neighbor 213.189.47.206 local-as 65055
 neighbor 213.189.47.206 ebgp-multihop 255
 !
 neighbor 2001:1A68:0:1F::206 remote-as 65055
 neighbor 2001:1A68:0:1F::206 local-as 65055
 neighbor 2001:1A68:0:1F::206 ebgp-multihop 255
 !
 address-family ipv4
  neighbor 213.189.47.206 activate
  ! please don't send any prefixes my way
  neighbor 213.189.47.206 prefix-list DENY-ANY out
  neighbor 213.189.47.206 route-map BGP-GEO-BH-FEED-IN in
 exit-address-family
 !
 address-family ipv6
  neighbor 2001:1A68:0:1F::206 activate
  neighbor 2001:1A68:0:1F::206 prefix-list DENY-ANY-V6 out
  neighbor 2001:1A68:0:1F::206 route-map BGP-GEO-BH-FEED-IN in
 exit-address-family
!
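to see what the route-map above actually does to a packet, here is an added example (my own illustration, not part of the project or its route-server code) that emulates the policy in Python: it accepts only feed entries whose community matches the UNSD codes you selected, points them at the discard next-hops from the IOS-XE config, and then classifies sample packets the way the router would (normal forwarding for the destination direction, unicast RPF for the source direction). the feed entries and addresses are constructed documentation ranges, not real country allocations.

```python
import ipaddress

# Discard next-hops from the IOS-XE example above (static routes to Null0).
DISCARD_V4 = ipaddress.ip_address("192.0.2.1")
DISCARD_V6 = ipaddress.ip_address("100::1")
FEED_ASN = 65055
DISCARD_NEXT_HOPS = {DISCARD_V4, DISCARD_V6}

# Constructed sample of what the route server announces: (prefix, community).
# Communities are 65055:<UNSD M49 code>; the prefixes are documentation ranges
# picked for this example, not real country allocations.
SAMPLE_FEED = [
    ("198.51.100.0/24", "65055:112"),   # tagged Belarus
    ("203.0.113.0/25", "65055:643"),    # tagged Russian Federation
    ("203.0.113.128/25", "65055:792"),  # tagged Turkey
    ("2001:db8:1::/48", "65055:112"),   # tagged Belarus (IPv6)
    ("2001:db8:2::/48", "65055:156"),   # tagged China (IPv6)
]

def apply_policy(feed, unsd_codes):
    """Emulate route-map BGP-GEO-BH-FEED-IN: keep only prefixes whose community
    matches one of the selected UNSD codes, set local-pref 666 and the discard
    next-hop for the address family; anything else hits the final deny entry."""
    accepted = {f"{FEED_ASN}:{code}" for code in unsd_codes}
    rib = []
    for prefix, community in feed:
        if community not in accepted:
            continue
        net = ipaddress.ip_network(prefix)
        next_hop = DISCARD_V4 if net.version == 4 else DISCARD_V6
        rib.append((net, next_hop, 666))
    return rib

def lookup(rib, addr):
    """Longest-prefix match; returns the next-hop, or None when no route exists."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, next_hop, _ in rib:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best[1] if best else None

def classify(rib, src, dst):
    """What the router does with a packet: a destination routed to the discard
    next-hop is dropped by normal forwarding; a source routed to the discard
    next-hop is dropped by unicast RPF (loose-mode semantics)."""
    if lookup(rib, dst) in DISCARD_NEXT_HOPS:
        return "drop-to-blackholed-prefix"
    if lookup(rib, src) in DISCARD_NEXT_HOPS:
        return "drop-from-blackholed-prefix (uRPF)"
    return "forward"
```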

FAQ

when will you add additional route servers?

when I find a moment to deploy additional XRv9000 routers. give me a couple of days. or weeks. or months ;) you can speed that up by dropping me an email saying how much you like the project and how much you’d like it to grow.

how about a configuration for device X?

I’ll add some other configurations here soon. also, take a look at the answer above.

what’s next?

have a good geo-blackholing!