Re: SMURF amplifier block list

[Hank Nussbacher <hank () ibm net il>]

At 09:33 PM 4/13/98 -0700, Vadim Antonov wrote:
> You're right, silly me.
>
> --vadim
>
>
> Forrest W. Christian <forrestc () iMach com> wrote:
>
> On Mon, 13 Apr 1998, Vadim Antonov wrote:
>
> >  Uh.  Just modify BGP routes from that feed to have a next hop pointing
> >  to a black hole.  route-maps are sometimes useful.
>
> Could someone PLEASE explain to me how this is accomplished?
>
> Let's assume that you do use a route-map to set next hop to a null
> interface or a black hole or something for a prefix.  AND set local pref
> appropriately so that route gets preferred.
>
> You now have a routing entry which essentially says:
>
>  "forward packets DESTINED FOR the evil network to the black hole".
>
> What you really want is a routing entry which says:
>
>  "forward packets FROM the evil network to the black hole".
>
> Now, if someone could enlighten me to a way which you can get BGP to make
> a routing/filter entry to do this second one, I'd be most grateful.

Why wouldn't this work (on IOS 11.3 at least):

a) pick an unused interface (shutdown):

inter s0/2
 ip address 192.168.1.5 255.255.255.252
 shutdown
ip route 192.168.1.0 255.255.255.0 Null0 254

b) Say the spammer is 220.88.182.128/27:

access-list 20 permit 220.88.182.128 0.0.0.31
route-map spam-filter permit 10
 match ip address 20
 set ip default next-hop 192.168.1.6

c) On your Fast Ethernet - or whatever interface you use to feed pkts to
your outgoing lines:

int fa1/0
 ip policy route-map spam-filter

All outgoing pkts to 220.88.192.128/27 now should go to Null0.  I am sure
one can improve on the logic even more.

-Hank