In this post I will demo a simple blackhole injection where a yabgp process sends a /32 for blackholing.
The Junos device is configured to accept only /32 routes, and only when they carry the BGP community 2:666:
set protocols bgp group yabgp import IMPORT_RTBH
set protocols bgp group yabgp export DENY
set protocols bgp group yabgp peer-as 65101
set protocols bgp group yabgp neighbor 192.168.1.108
set policy-options policy-statement IMPORT_RTBH term 1 from community BLACKHOLE
set policy-options policy-statement IMPORT_RTBH term 1 from route-filter 0.0.0.0/0 prefix-length-range /32-/32
set policy-options policy-statement IMPORT_RTBH term 1 then local-preference 999
set policy-options policy-statement IMPORT_RTBH term 1 then next-hop discard
set policy-options policy-statement IMPORT_RTBH term 1 then accept
set policy-options policy-statement IMPORT_RTBH term 999 then reject
set policy-options community BLACKHOLE members 2:666
First, let's start a BGP session to our Junos SRX:
yabgpd --bgp-remote_as 2 --bgp-local_as 65101 --bgp-remote_addr 192.168.1.99 --rest-bind_port 8888 --verbose
Now, with simple JSON bodies, we can push route advertisements, withdraws and route-refresh requests through the REST API.
e.g. API entry /v1/peer/x.x.x.x/send/update
sock:~ kfelix$ curl -X POST -d @advertise.json_file -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/
{"status":true}
You can also withdraw routes:
e.g. API entry /v1/peer/x.x.x.x/send/update
sock:~ kfelix$ curl -X POST -d @withdraw.json_file -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/
{"status":true}
For route refresh you have the following:
e.g. API entry /v1/peer/x.x.x.x/send/route-refresh
sock:~ kfelix$ curl -X POST -d @rrr.json_file -u admin:admin -H "Content-Type: application/json" http://127.0.0.1:8888/v1/peer/
{"status":true}
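The three curl calls above post JSON files whose contents are not shown. The following is an added example, not code from the original post or from the yabgp project, that builds the advertise, withdraw and route-refresh bodies in Python, mirrors the IMPORT_RTBH policy from the SRX config locally (only a /32 carrying 2:666 is accepted, everything else is rejected) so a bad payload is caught before it is sent, and posts to the same REST endpoints with the admin:admin basic-auth credentials used above. Assumptions: the JSON layout (numeric path-attribute keys under "attr", plus "nlri"/"withdraw" lists, and {"afi","safi"} for route refresh) follows yabgp's REST documentation as I recall it; the blackholed prefix 203.0.113.66/32 and the next hop 192.168.1.108 are constructed sample values.

```python
import base64
import ipaddress
import json
import urllib.request

BLACKHOLE_COMMUNITY = "2:666"   # the BLACKHOLE community from the Junos config
LOCAL_AS = 65101                # --bgp-local_as from the yabgpd command line
PEER = "192.168.1.99"           # the SRX, --bgp-remote_addr on the yabgpd command line
API_BASE = "http://127.0.0.1:8888"


def build_advertise(prefix, next_hop, communities=(BLACKHOLE_COMMUNITY,)):
    """Body for POST /v1/peer/<peer>/send/update (assumed yabgp layout).

    Path-attribute codes are the RFC 4271 / RFC 1997 numbers:
    1 ORIGIN (0 = IGP), 2 AS_PATH (one AS_SEQUENCE segment, type 2),
    3 NEXT_HOP, 8 COMMUNITY.
    """
    return {
        "attr": {
            "1": 0,
            "2": [[2, [LOCAL_AS]]],
            "3": next_hop,
            "8": list(communities),
        },
        "nlri": [prefix],
    }


def build_withdraw(prefixes):
    """Body for a withdraw through the same /send/update endpoint."""
    return {"withdraw": list(prefixes)}


def build_route_refresh(afi=1, safi=1):
    """Body for POST /v1/peer/<peer>/send/route-refresh (IPv4 unicast by default)."""
    return {"afi": afi, "safi": safi}


def junos_import_would_accept(prefix, communities):
    """Mirror IMPORT_RTBH: term 1 needs community BLACKHOLE and a
    prefix-length-range /32-/32; term 999 rejects everything else."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.version == 4 and net.prefixlen == 32 and BLACKHOLE_COMMUNITY in communities


def post(path, payload, user="admin", password="admin"):
    """POST a JSON body to the yabgp REST API with HTTP basic auth."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        API_BASE + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.loads(resp.read())


def advertise_blackhole(prefix, next_hop, send=post):
    """Refuse locally anything the SRX import policy would reject anyway,
    then send the update. `send` is injectable so the logic can be tested offline."""
    payload = build_advertise(prefix, next_hop)
    if not junos_import_would_accept(prefix, payload["attr"]["8"]):
        raise ValueError(f"{prefix} would be rejected by IMPORT_RTBH (needs /32 + {BLACKHOLE_COMMUNITY})")
    return send(f"/v1/peer/{PEER}/send/update", payload)


def withdraw_blackhole(prefixes, send=post):
    return send(f"/v1/peer/{PEER}/send/update", build_withdraw(prefixes))


def route_refresh(send=post):
    return send(f"/v1/peer/{PEER}/send/route-refresh", build_route_refresh())


if __name__ == "__main__":
    # Print the bodies instead of sending, so this runs without a live yabgpd.
    show = lambda path, body: print(path, json.dumps(body))
    advertise_blackhole("203.0.113.66/32", "192.168.1.108", send=show)   # constructed sample
    withdraw_blackhole(["203.0.113.66/32"], send=show)
    route_refresh(send=show)
```

The local policy check is deliberately the same shape as the Junos import terms: a /24 or a route without 2:666 never leaves the injector, which keeps the SRX's own filter as a second line of defence rather than the only one.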
So with an open source BGP daemon you can easily build a route injector for RTBH and drop traffic deemed malicious.
Ken Felix