Thursday, December 31, 2020

Using yabgp for Blackhole injection

In this post I will demo a simple remotely triggered blackhole (RTBH) injection, where a yabgp process advertises a /32 host route tagged with a blackhole community and a Junos SRX discards all traffic to that host.


The Junos device is configured to accept only /32 routes that carry the BGP community 2:666 from the yabgp peer. The import policy pins local-preference to 999 so the blackhole wins over any other path, rewrites the next hop to discard, and rejects everything else in term 999; the DENY export policy makes sure nothing is advertised back to yabgp.


set protocols bgp group yabgp import IMPORT_RTBH

set protocols bgp group yabgp export DENY

set protocols bgp group yabgp peer-as 65101

set protocols bgp group yabgp neighbor 192.168.1.108


set policy-options policy-statement IMPORT_RTBH term 1 from community BLACKHOLE

set policy-options policy-statement IMPORT_RTBH term 1 from route-filter 0.0.0.0/0 prefix-length-range /32-/32

set policy-options policy-statement IMPORT_RTBH term 1 then local-preference 999

set policy-options policy-statement IMPORT_RTBH term 1 then next-hop discard

set policy-options policy-statement IMPORT_RTBH term 1 then accept

set policy-options policy-statement IMPORT_RTBH term 999 then reject


set policy-options community BLACKHOLE members 2:666


First, start yabgpd so it brings up the BGP session to our Junos SRX (local AS 65101, remote AS 2 at 192.168.1.99, with the REST API listening on port 8888):

yabgpd --bgp-remote_as 2 --bgp-local_as 65101 --bgp-remote_addr 192.168.1.99 --rest-bind_port 8888 --verbose


Now, with a simple JSON body, we can push route advertisements, withdraws and route refreshes to the peer via the REST API. The API uses HTTP basic auth and ships with the default credentials admin/admin; set --rest-username and --rest-password and bind the API to a loopback or management address with --rest-bind_host, because anyone who can reach this API can blackhole any /32 behind the SRX.


e.g. API entry /v1/peer/x.x.x.x/send/update





sock:~ kfelix$ curl -X POST -d @advertise.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/update

{"status":true}



You can also withdraw routes, using the same endpoint with a withdraw body:


e.g. API entry /v1/peer/x.x.x.x/send/update



sock:~ kfelix$ curl -X POST -d @withdraw.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/update

{"status":true}


For a route refresh (asking the peer to resend its routes for a given AFI/SAFI) you have the following endpoint:


e.g. API entry /v1/peer/x.x.x.x/send/route-refresh






sock:~ kfelix$ curl -X POST -d @rrr.json_file  -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/192.168.1.99/send/route-refresh

{"status":true}
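The three JSON files the curl commands post (advertise.json_file, withdraw.json_file, rrr.json_file) are not shown above. The following is an added example, not code from the original post or from the yabgp project, of a small Python client that builds the three bodies in yabgp's documented update format (path attributes keyed by BGP type code) and posts them with the same basic auth as the curl commands. It also refuses anything that is not an IPv4 /32 before sending, mirroring the SRX import policy. The addresses, ASNs and community are the lab values from the post; the victim address 203.0.113.7 is constructed for the demo.

```python
"""Minimal yabgp REST client for RTBH injection (added example, not from the post)."""
import base64
import ipaddress
import json
import urllib.request

# Lab values from the post: yabgp (AS 65101, 192.168.1.108) peers with a
# Junos SRX (AS 2, 192.168.1.99) whose import policy only accepts /32 routes
# tagged with community 2:666.
API_BASE = "http://127.0.0.1:8888"
PEER = "192.168.1.99"
LOCAL_AS = 65101
NEXT_HOP = "192.168.1.108"        # yabgp host; the SRX policy rewrites it to discard
BLACKHOLE_COMMUNITY = "2:666"
REST_USER, REST_PASS = "admin", "admin"   # yabgp defaults, change them in production


def validate_blackhole_prefix(prefix):
    """Reject what the SRX import policy would reject: only IPv4 host routes (/32) pass.

    strict=True also refuses host bits set under a shorter mask (e.g. 10.0.0.7/24),
    so a typo cannot turn into a subnet-wide blackhole.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen != 32:
        raise ValueError("RTBH policy only accepts IPv4 /32 routes, got %s" % prefix)
    return str(net)


def build_advertise(prefixes):
    """Body for /v1/peer/<peer>/send/update (advertise.json_file in the post).

    yabgp keys path attributes by BGP type code:
      1 = ORIGIN (0 = IGP), 2 = AS_PATH ([[2, [asn, ...]]] is an AS_SEQUENCE),
      3 = NEXT_HOP, 8 = COMMUNITY. LOCAL_PREF is left out on this eBGP session;
      the SRX import policy sets it to 999 itself.
    """
    nlri = [validate_blackhole_prefix(p) for p in prefixes]
    return {
        "attr": {
            "1": 0,
            "2": [[2, [LOCAL_AS]]],
            "3": NEXT_HOP,
            "8": [BLACKHOLE_COMMUNITY],
        },
        "nlri": nlri,
    }


def build_withdraw(prefixes):
    """Body for the same endpoint (withdraw.json_file): a 'withdraw' key instead of attr/nlri."""
    return {"withdraw": [validate_blackhole_prefix(p) for p in prefixes]}


def build_route_refresh():
    """Body for /v1/peer/<peer>/send/route-refresh (rrr.json_file): afi 1 / safi 1 = IPv4 unicast."""
    return {"afi": 1, "safi": 1}


def post(path, body):
    """POST a JSON body to the yabgp REST API with HTTP basic auth; return the parsed reply."""
    token = base64.b64encode(("%s:%s" % (REST_USER, REST_PASS)).encode()).decode()
    req = urllib.request.Request(
        API_BASE + "/v1/peer/%s/%s" % (PEER, path),
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed victim address for the demo; replace with the host under attack.
    victim = "203.0.113.7/32"
    print(post("send/update", build_advertise([victim])))        # post shows {"status": true}
    print(post("send/update", build_withdraw([victim])))
    print(post("send/route-refresh", build_route_refresh()))
```

Save each body with json.dumps to a file and the three curl commands above work unchanged; the script simply removes the manual file step and adds the /32 guard in front of it.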



So with an open source BGP daemon you can easily build a route injector for RTBH and drop traffic deemed malicious. The Junos import policy is the safety net: it only installs discard routes for /32 prefixes that carry the agreed community, so a mistyped or over-broad prefix from the injector is rejected rather than blackholing a whole subnet.







Ken Felix 

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \

