MIKROTIK ROUTER OS: DDOS: Send an attacked IP to the TTNET BGP Blackhole Community…

First of all, let me mention that a lot has changed in my work life since my last post.

The most important of these changes is that my company is now a RIPE member. So I now have my own IP blocks and an AS number 🙂

The reason for all of this is to be able to use the BGP Blackhole Community service that Turk Telekom offers when my network is under attack.

To use this service I make my own BGP announcements. By sending the IP addresses in my network that are hit by a DDoS attack to the TTNET BGP Blackhole Community, I let the rest of the network keep running in peace.

As the router for the BGP announcements I used Mikrotik RouterOS.

The steps taken to get the system working are as follows (I am changing the IP blocks and AS numbers for security reasons):

1- I set up my BGP configuration following the article on how to configure BGP on Mikrotik at http://wiki.mikrotik.com/wiki/BGP_Case_Studies_1

Enabling BGP

To enable BGP assuming only one BGP process will be present in the system, it is enough to do the following:

* modify configuration of the default BGP instance. In particular, change instance AS number to the desired ASN:

[admin@rb11] > /routing bgp instance set default as=100 redistribute-static=no
[admin@rb11] > /routing bgp instance print
Flags: X - disabled
0 as=100 router-id=0.0.0.0 redistribute-static=no redistribute-connected=no
redistribute-rip=no redistribute-ospf=no redistribute-other-bgp=no
name="default" out-filter=""
[admin@rb11]>

Note that, unless explicitly specified, the BGP router ID is set to the highest IP address on the interface.

* add at least one BGP peer. Refer to the next section for more information on how to configure BGP peers.

BGP Peers

Two BGP routers have to establish a TCP connection with each other to be considered BGP peers. Since BGP requires a reliable transport for routing information, a TCP connection is essential for it to operate properly.

Once the TCP connection is up, the routers exchange some initial information such as the BGP router ID, the BGP version, the AS number and the Hold Time interval value in the OPEN message. After these values are communicated and agreed upon, the BGP session is established and the routers are ready to exchange routing information via BGP UPDATE messages.

To establish a TCP connection to another BGP router, issue the following command:

[eugene@SM_BGP] > /routing bgp peer add remote-address=10.20.1.210 remote-as=65534
[eugene@SM_BGP] > /routing bgp peer print
Flags: X - disabled
0 instance=default remote-address=10.20.1.210 remote-as=65534 tcp-md5-key=""
multihop=no route-reflect=no hold-time=3m ttl=3 in-filter=""
out-filter=""

[eugene@SM_BGP]>

Issue the following command to verify the connection is established:

[eugene@SM_BGP] > /routing bgp peer print status
Flags: X - disabled
0 instance=default remote-address=10.20.1.210 remote-as=65534 tcp-md5-key=""
multihop=no route-reflect=no hold-time=3m ttl=3 in-filter=""
out-filter="" remote-id=10.20.1.210 uptime=1d1h43m16s
prefix-count=180000 remote-hold-time=3m used-hold-time=3m
used-keepalive-time=1m refresh-capability=yes state=established
[eugene@SM_BGP] >

2- Once BGP was up and running, I did the following.

In this scenario the IPs 91.99.16.5 and 91.99.16.33 are under attack and need to be sent to the ISP blackhole community 9888:666.

1- Add 91.99.16.0/21, 91.99.16.5/32 and 91.99.16.33/32 to the BGP networks:

[admin@Mikrotik] > /routing bgp network print
Flags: X - disabled, A - active
# NETWORK SYNCHRONIZE
0 A 91.99.16.0/21 no
1 A 91.99.16.5/32 no
2 A 91.99.16.33/32 no

2- After creating the routing filters:

[admin@Mikrotik] > /routing filter print
Flags: X - disabled
0 chain=to_MYISP prefix=91.99.16.5 invert-match=no action=accept set-bgp-communities=9888:666

1 chain=to_MYISP prefix=91.99.16.33 invert-match=no action=accept set-bgp-communities=9888:666

2 chain=to_MYISP prefix=91.99.16.0/21 invert-match=yes action=discard

3- The final status of the advertisements:

[admin@Mikrotik] > /routing bgp advertisements print
PREFIX NEXTHOP PEER AS-PATH ORIGIN LOCAL-PREF
91.99.16.0/21 212.111.222.130 MYISP igp
91.99.16.5/32 212.111.222.130 MYISP igp
91.99.16.33/32 212.111.222.130 MYISP igp
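The three steps above (add the /32 to the BGP networks, add an accept rule tagged with the blackhole community ahead of the final discard rule, then check the advertisements) are easy to get wrong by hand during an attack. The helper below is an added example, not code from the post: it generates the RouterOS commands for one attacked address, refuses any address outside the announced /21 so a typo can never announce space the network does not own, produces the matching withdrawal commands, and parses the "/routing bgp advertisements print" output to report which attacked /32s are not yet advertised. The block, community and chain name are the post's values; the RouterOS "place-before" and "[find ...]" syntax is standard RouterOS, not something shown on the page.

```python
import ipaddress

# Values from the post (the author already replaced real blocks and AS numbers).
OWNED_BLOCK = ipaddress.ip_network("91.99.16.0/21")
BLACKHOLE_COMMUNITY = "9888:666"   # TTNET blackhole community used in the post
FILTER_CHAIN = "to_MYISP"

def blackhole_commands(attacked_ip):
    """RouterOS commands announcing one /32 tagged with the blackhole community.
    Refuses addresses outside OWNED_BLOCK so a typo can never announce
    (or blackhole) address space the network does not own."""
    host = ipaddress.ip_address(attacked_ip)
    if host not in OWNED_BLOCK:
        raise ValueError(f"{host} is outside {OWNED_BLOCK}, refusing to announce it")
    prefix = f"{host}/32"
    return [
        f"/routing bgp network add network={prefix} synchronize=no",
        # place-before=0 keeps the accept rule ahead of the final discard rule
        # that drops everything not inside the owned block.
        f"/routing filter add chain={FILTER_CHAIN} prefix={prefix} action=accept "
        f"set-bgp-communities={BLACKHOLE_COMMUNITY} place-before=0",
    ]

def withdraw_commands(attacked_ip):
    """Commands that remove the /32 again once the attack is over."""
    prefix = f"{ipaddress.ip_address(attacked_ip)}/32"
    return [
        f"/routing filter remove [find chain={FILTER_CHAIN} prefix={prefix}]",
        f"/routing bgp network remove [find network={prefix}]",
    ]

def missing_advertisements(attacked_ips, advertisements_output):
    """Parse '/routing bgp advertisements print' output and return the /32s of
    attacked IPs that are NOT yet advertised to the peer."""
    advertised = set()
    for line in advertisements_output.splitlines():
        fields = line.split()
        if fields and fields[0] != "PREFIX":   # skip the header row
            advertised.add(fields[0])
    return sorted(f"{ip}/32" for ip in attacked_ips if f"{ip}/32" not in advertised)

# Constructed sample: the advertisement table from the post before 91.99.16.33 was added.
SAMPLE_ADVERTISEMENTS = """\
PREFIX NEXTHOP PEER AS-PATH ORIGIN LOCAL-PREF
91.99.16.0/21 212.111.222.130 MYISP igp
91.99.16.5/32 212.111.222.130 MYISP igp
"""
```

Running blackhole_commands("91.99.16.33") prints the two commands to paste into the router, and missing_advertisements(["91.99.16.5", "91.99.16.33"], SAMPLE_ADVERTISEMENTS) returns ["91.99.16.33/32"] until the new /32 shows up in the advertisements.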