Intrusion Prevention

  • 1.  Blackhole routes via BGP peer feed

    Posted 04-23-2018 23:44

Hello.

I'm having problems implementing blackhole routes on the MX platform for bad networks that we get in a feed from an eBGP peer. All traffic whose destination is a prefix in the BGP feed should have as next hop the discard interface dsc.0.

I have been looking around at different implementations, and with filter logs on dsc.0 I get zero hits. The BGP feed provider has given me a Cisco template of the setup and I think this is the correct configuration for JUNOS, but something is not working.

BGP routes from the peer end up in the routing table with state "hidden":

show route hidden extensive

    x.x.x.x/21 (1 entry, 0 announced)
             BGP Preference: 170/-101
             Next hop type: Unusable, Next hop index: 0
             Address: 0x3750298
             Next-hop reference count: 1464
             State: <Hidden Ext>
             Local AS:  Peer AS: xxxx
             Age: 3d 21:18:03 Metric: 0
             Validation State: unverified
             Task: BGP_
             AS path:  I
             Communities:  no-export
             Accepted
             Localpref: 100
             Router ID: xx.xx.xx.xx
             Indirect next hops: 1
                     Protocol next hop: 192.0.2.1
                     Indirect next hop: 0x0 - INH Session ID: 0x0

The network is not using the dsc.0 interface for the next hop:

show route x.x.x.x/21

    x.x.x.x/21         *[BGP/170] 1d 05:35:07, localpref 100
                          AS path: xx I, validation-state: unverified
                        >  via ge-1/1/0.0
                        [BGP/170] 1d 05:35:17, localpref 100, from 10.40.0.1
                          AS path: xx I, validation-state: unverified
                        > to  via ae0.0

Configuration:

BGP group:

    type external;
    import dsc-feed;
    export deny-all;
    peer-as xxxx;
    neighbor x.x.x.x {
        multihop {
            ttl 255;
        }
        local-address xx.xx.xx.xx;
        family inet {
            unicast;
        }
    }

Policy-statement:

    from {
        family inet;
        community blackhole-routes;
    }
    then {
        community set blackhole-routes;
        next-hop 192.0.2.2;
        accept;
    }

    community blackhole-routes members [ xxxx:1000 xxxx:2000 xxxx:3000 ];

dsc interface:

    unit 0 {
        family inet {
            filter {
                input log-discard;
                output log-discard;
            }
            address 192.0.2.102/32 {
                destination 192.0.2.2;
            }
        }
    }



  • 2.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 01:28

    Hello,

You don't need the 192.0.2.1 nexthop; change Your policy to point to "discard":

    policy-statement blah {
        from {
            family inet;
            community blackhole-routes;
        }
        then {
            community set blackhole-routes;
            next-hop discard;
            accept;
        }
    }

    HTH

    Thx

    Alex



  • 3.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 06:37

You're trying to count the packets that get discarded? Then you do need the dsc interface configuration, but you also need a static discard route for the dsc.0 destination IP; otherwise you get the 'Unusable next hop' that you see. You should see a route in the table to the dsc.0 destination, with the discard next-hop. Depending on your config, you may also need to allow the two addresses associated with dsc.0 in the system bogon filter: 'set routing-options martians {IP address} exact allow'.

A discard interface example is at https://www.juniper.net/documentation/en_US/junos/topics/example/policy-discard-interface.html. The Juniper example for Team Cymru's bogon feed mentions the martians: https://www.team-cymru.com/bgp-examples.html#juniper-trad.

    Hope this helps.



  • 4.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 07:36

Hello.

Thanks for your input. Yes, logging of the packets is a must in my case, to see how many packets are dropped.

Current static routes for the dsc network are configured according to this article:

https://www.juniper.net/documentation/en_US/junos/topics/example/policy-discard-interface.html

    set routing-options static route 192.0.2.102/32 next-hop 192.0.2.101

In my situation I use

    set routing-options static route 192.0.2.102/32 next-hop 192.0.2.2

Show route output:

show route 192.0.2.102

    192.0.2.102/32     *[Local/0] 1d 01:58:21
                          Local via dsc.0
                        [Static/5] 00:18:18
                        > to 192.0.2.2 via dsc.0

show route 192.0.2.2

    192.0.2.2/32       *[Direct/0] 1d 01:58:57
                        > via dsc.0

The prefix still shows up as hidden in the routing table:

    xx.xx.xx.xx/18 (1 entry, 0 announced)
             BGP Preference: 170/-101
             Next hop type: Unusable, Next hop index: 0
             Address: 0x3750298
             Next-hop reference count: 1462
             State: <Hidden Ext>
             Local AS: xxxx Peer AS: xxxx
             Age: 4d 5:24:46 Metric: 0
             Validation State: unverified
             Task: BGP_xxxx.xx.xx.xx.xx
             AS path: xxxx I
             Communities: xxxx:1000 no-export
             Accepted
             Localpref: 100
             Router ID: xx.xx.xx.xx
             Indirect next hops: 1
                     Protocol next hop: 192.0.2.1
                     Indirect next hop: 0x0 - INH Session ID: 0x0



  • 5.  RE: Blackhole routes via BGP peer feed
    Best Answer

    Posted 04-24-2018 09:29

    The hidden routes have a protocol next-hop of 192.0.2.1.  Are you receiving the routes from the blackhole service with that next-hop set?  It almost seems like your input filter for the blackhole routes isn't changing the next-hop properly, although I don't see anything misconfigured in what you have provided.

    You could quickly test by just doing a static discard route for 192.0.2.1 - 'set routing-options static route 192.0.2.1/32 discard'.  If the routes go active at that point, that implies a problem with the input filter.



  • 6.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 11:16

    Hello,

    If Your eBGP peer has already manipulated NH of the prefixes in question to be 192.0.2.1 BEFORE sending the prefixes to You, then You need this knob under eBGP group/peer:

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/accept-remote-nexthop-edit-protocols-bgp.html

    But better tell Your eBGP peer admin to stop doing this since You are also overwriting this NH - second time.

    HTH

    Thx
    Alex



  • 7.  RE: Blackhole routes via BGP peer feed

    Posted 04-24-2018 23:39

Correct, that was the problem.

I added a static route for 192.0.2.1/32 next-hop 192.0.2.2 (destination discard interface).

Packets are coming in and they are getting logged.

Thanks a lot for your help!
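For reference, here is the whole working setup that the thread arrives at, gathered into one place in Junos set syntax. This is an added example, not the original poster's configuration and not Juniper's documentation example. The 192.0.2.x addresses, the policy name dsc-feed, the community name blackhole-routes and the filter name log-discard are taken from the thread; the peer address 203.0.113.1, local address 203.0.113.2, peer AS 65000, community value 65000:1000, counter name and the body of the log-discard filter are assumed placeholders.

```junos
# Added example (not configuration from the thread or from Juniper): complete
# discard-interface blackhole setup assembled from the pieces discussed above.
# 192.0.2.x addresses and the names dsc-feed / blackhole-routes / log-discard come
# from the thread; every other value is an assumed placeholder.

# 1. Discard interface. Anything forwarded to 192.0.2.2 lands on dsc.0 and is
#    dropped there. The filters on the unit count and log what is dropped, which is
#    the reason for using dsc.0 rather than a bare "next-hop discard" in the policy.
set interfaces dsc unit 0 family inet filter input log-discard
set interfaces dsc unit 0 family inet filter output log-discard
set interfaces dsc unit 0 family inet address 192.0.2.102/32 destination 192.0.2.2

# 2. Filter body (assumed): a single term that counts and logs every packet that
#    reaches dsc.0. "accept" only hands the packet to the interface, which drops it.
set firewall family inet filter log-discard term all then count blackhole-discards
set firewall family inet filter log-discard term all then log
set firewall family inet filter log-discard term all then accept

# 3. Static route. The feed peer sends its prefixes with protocol next hop 192.0.2.1,
#    so that address must itself resolve in inet.0; until it does, every feed prefix
#    stays <Hidden> with "Next hop type: Unusable". Pointing 192.0.2.1/32 at 192.0.2.2
#    (the dsc.0 destination) resolves it onto the discard interface. This is the route
#    added in the final reply that made the prefixes go active.
set routing-options static route 192.0.2.1/32 next-hop 192.0.2.2

# 4. 192.0.2.0/24 is in the Junos default martian list. If the static route or the
#    feed next hop is rejected as a martian, allow exactly the two addresses needed.
set routing-options martians 192.0.2.1/32 exact allow
set routing-options martians 192.0.2.2/32 exact allow

# 5. Import policy: accept only prefixes carrying the blackhole community and rewrite
#    their next hop onto the discard address; reject anything else the feed sends.
set policy-options community blackhole-routes members 65000:1000
set policy-options policy-statement dsc-feed term blackhole from family inet
set policy-options policy-statement dsc-feed term blackhole from community blackhole-routes
set policy-options policy-statement dsc-feed term blackhole then next-hop 192.0.2.2
set policy-options policy-statement dsc-feed term blackhole then accept
set policy-options policy-statement dsc-feed then reject
set policy-options policy-statement deny-all then reject

# 6. eBGP multihop session to the feed provider (placeholder addresses and AS).
#    Nothing is exported back to the feed.
set protocols bgp group blackhole-feed type external
set protocols bgp group blackhole-feed multihop ttl 255
set protocols bgp group blackhole-feed local-address 203.0.113.2
set protocols bgp group blackhole-feed import dsc-feed
set protocols bgp group blackhole-feed export deny-all
set protocols bgp group blackhole-feed peer-as 65000
set protocols bgp group blackhole-feed neighbor 203.0.113.1 family inet unicast
```

After committing, "show route 192.0.2.1" should show the Static/5 route with "> to 192.0.2.2 via dsc.0", "show route hidden" should no longer list the feed prefixes, and "show firewall filter log-discard" reads the counter and confirms that dropped traffic is being accounted for. If the prefixes stay hidden even with the static route in place, the protocol next hop in "show route hidden extensive" tells you which address still fails to resolve.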