Intrusion Prevention




  • 1.  Blackhole routes via BGP peer feed

    Posted 04-23-2018 23:44

    Hello.

    I'm having problems implementing blackhole routes on the MX platform for bad networks that we get as a feed from an EBGP peer. All traffic with a destination prefix that is in the BGP feed should be sent to the next-hop discard interface dsc.0.

    I have been looking around for different implementations, and with filter logs on dsc.0 I get zero hits. The BGP feed provider has given me a Cisco template of the setup and I think this is the correct configuration for JUNOS, but something is not working.

    BGP routes from the peer end up in the routing table with state "hidden":

    show route hidden extensive

    x.x.x.x/21 (1 entry, 0 announced)
    BGP Preference: 170/-101
    Next hop type: Unusable, Next hop index: 0
    Address: 0x3750298
    Next-hop reference count: 1464
    State: <Hidden Ext>
    Local AS:  Peer AS: xxxx
    Age: 3d 21:18:03 Metric: 0
    Validation State: unverified
    Task: BGP_
    AS path:  I
    Communities:  no-export
    Accepted
    Localpref: 100
    Router ID: xx.xx.xx.xx
    Indirect next hops: 1
    Protocol next hop: 192.0.2.1
    Indirect next hop: 0x0 - INH Session ID: 0x0

     

    The network is not using the dsc.0 interface for the next-hop:

    show route x.x.x.x/21

    x.x.x.x/21 *[BGP/170] 1d 05:35:07, localpref 100
    AS path: xx I, validation-state: unverified
    >  via ge-1/1/0.0
    [BGP/170] 1d 05:35:17, localpref 100, from 10.40.0.1
    AS path: xx I, validation-state: unverified
    > to  via ae0.0


    Configuration:

    BGP group

        type external;
        import dsc-feed;
        export deny-all;
        peer-as xxxx;
        neighbor x.x.x.x {
            multihop {
                ttl 255;
            }
            local-address xx.xx.xx.xx;
            family inet {
                unicast;
            }
        }

    Policy-statement

        from {
            family inet;
            community blackhole-routes;
        }
        then {
            community set blackhole-routes;
            next-hop 192.0.2.2;
            accept;
        }

    community blackhole-routes members [ xxxx:1000 xxxx:2000 xxxx:3000 ];

    dsc interface

        unit 0 {
            family inet {
                filter {
                    input log-discard;
                    output log-discard;
                }
                address 192.0.2.102/32 {
                    destination 192.0.2.2;
                }
            }
        }




  • 2.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 01:28

    Hello,

    You don't need the 192.0.2.1 nexthop, change Your policy to point to "discard":

    policy-statement blah {
        from {
            family inet;
            community blackhole-routes;
        }
        then {
            community set blackhole-routes;
            next-hop discard;
            accept;
        }
    }

    HTH

    Thx

    Alex



  • 3.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 06:37

    You're trying to count the packets that get discarded?  Then you do need the dsc interface configuration, but you also need a static discard route for the dsc.0 destination IP, otherwise you get the 'Unusable next hop' that you see.  You should see a route in the table to the dsc.0 destination, with the discard next-hop.  Depending on your config, you may also need to allow the two addresses associated with dsc.0 in the system bogon filter - 'set routing-options martians {IP address} exact allow'.

    A discard interface example is at https://www.juniper.net/documentation/en_US/junos/topics/example/policy-discard-interface.html.  The Juniper example for Team Cymru's bogon feed mentions the martians - https://www.team-cymru.com/bgp-examples.html#juniper-trad.

    Hope this helps.



  • 4.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 07:36

    Hello.

    Thanks for your input. Yes, logging of the packets is a must in my case, to see how many packets are dropped.

    The current static routes for the dsc network are configured according to this article:

    https://www.juniper.net/documentation/en_US/junos/topics/example/policy-discard-interface.html

    set routing-options static route 192.0.2.102/32 next-hop 192.0.2.101

    In my situation I use

    set routing-options static route 192.0.2.102/32 next-hop 192.0.2.2

    show route output:

    show route 192.0.2.102

    192.0.2.102/32 *[Local/0] 1d 01:58:21
    Local via dsc.0
    [Static/5] 00:18:18
    > to 192.0.2.2 via dsc.0

    show route 192.0.2.2

    192.0.2.2/32 *[Direct/0] 1d 01:58:57
    > via dsc.0

    The prefix still shows up as hidden in the routing table:

    xx.xx.xx.xx/18 (1 entry, 0 announced)
    BGP Preference: 170/-101
    Next hop type: Unusable, Next hop index: 0
    Address: 0x3750298
    Next-hop reference count: 1462
    State: <Hidden Ext>
    Local AS: xxxx Peer AS: xxxx
    Age: 4d 5:24:46 Metric: 0 
    Validation State: unverified 
    Task: BGP_xxxx.xx.xx.xx.xx
    AS path: xxxx I
    Communities: xxxx:1000 no-export
    Accepted
    Localpref: 100
    Router ID: xx.xx.xx.xx
    Indirect next hops: 1
    Protocol next hop: 192.0.2.1
    Indirect next hop: 0x0 - INH Session ID: 0x0



  • 5.  RE: Blackhole routes via BGP peer feed
    Best Answer

    Posted 04-24-2018 09:29

    The hidden routes have a protocol next-hop of 192.0.2.1.  Are you receiving the routes from the blackhole service with that next-hop set?  It almost seems like your input filter for the blackhole routes isn't changing the next-hop properly, although I don't see anything misconfigured in what you have provided.

    You could quickly test by just doing a static discard route for 192.0.2.1 - 'set routing-options static route 192.0.2.1/32 discard'.  If the routes go active at that point, that implies a problem with the input filter.



  • 6.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 11:16

    Hello,

    If Your eBGP peer has already manipulated NH of the prefixes in question to be 192.0.2.1 BEFORE sending the prefixes to You, then You need this knob under eBGP group/peer:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/accept-remote-nexthop-edit-protocols-bgp.html

    But better tell Your eBGP peer admin to stop doing this since You are also overwriting this NH - second time.

    HTH

    Thx
    Alex



  • 7.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 23:39

    Correct, that was the problem.

    I added a static route for 192.0.2.1/32 with next-hop 192.0.2.2 (the destination address of the discard interface).

    Packets are coming in and they are getting logged.

    Thanks a lot for your help!
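The consolidated configuration that the thread converges on, as an added example (it is not code from any of the posts or from Juniper's documentation). It pulls together post 3's point (the dsc.0 destination address needs a static route so BGP next hops resolve onto it, and the dsc.0 addresses may need a martians exception) and post 7's fix (the feed already carries protocol next hop 192.0.2.1, so a static route for 192.0.2.1/32 pointing at the dsc.0 destination makes the hidden routes usable). The contents of the log-discard filter and of the deny-all policy are assumptions, since the thread only names them; the group name blackhole-feed and the counter name blackholed-packets are also invented, and the xxxx / x.x.x.x placeholders are the thread's own redactions and must be replaced with the real peer AS and addresses.

```junos
routing-options {
    static {
        /* The feed sets protocol next hop 192.0.2.1; without this route it is unusable and the prefixes stay hidden */
        route 192.0.2.1/32 next-hop 192.0.2.2;
        /* The dsc.0 address itself, as in the Juniper discard-interface example */
        route 192.0.2.102/32 next-hop 192.0.2.2;
    }
    /* Only required if the local martian list would otherwise reject the dsc.0 addresses (post 3) */
    martians {
        192.0.2.2/32 exact allow;
        192.0.2.102/32 exact allow;
    }
}
interfaces {
    dsc {
        unit 0 {
            family inet {
                filter {
                    input log-discard;
                    output log-discard;
                }
                address 192.0.2.102/32 {
                    destination 192.0.2.2;
                }
            }
        }
    }
}
firewall {
    family inet {
        /* Assumed body of the filter the thread references by name: count, log and drop everything reaching dsc.0 */
        filter log-discard {
            term all {
                then {
                    count blackholed-packets;
                    log;
                    discard;
                }
            }
        }
    }
}
policy-options {
    community blackhole-routes members [ xxxx:1000 xxxx:2000 xxxx:3000 ];
    policy-statement dsc-feed {
        term blackhole {
            from {
                family inet;
                community blackhole-routes;
            }
            then {
                community set blackhole-routes;
                next-hop 192.0.2.2;
                accept;
            }
        }
        /* Anything from the feed without a blackhole community is not installed */
        then reject;
    }
    /* Assumed: never advertise anything back to the feed provider */
    policy-statement deny-all {
        then reject;
    }
}
protocols {
    bgp {
        group blackhole-feed {
            type external;
            import dsc-feed;
            export deny-all;
            peer-as xxxx;
            neighbor x.x.x.x {
                multihop {
                    ttl 255;
                }
                local-address xx.xx.xx.xx;
                family inet {
                    unicast;
                }
            }
        }
    }
}
```

After commit, `show route 192.0.2.1` should show the static route via dsc.0, `show route hidden` should no longer list the feed prefixes, and `show firewall filter log-discard` and `show firewall log` show the counter and the logged packets. If the provider rewrites the next hop and you would rather keep the original next hop than add a static route for it, the accept-remote-nexthop knob linked in post 6 is the alternative, but as post 6 notes, rewriting the next hop on both ends is the underlying problem to fix.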