Filtering With Holes Either Way./.
Sinkhole routing
Sinkhole routing. While this may sound a lot
like some Star Trek episode, its important for us to understand what each is,
and more so how to implement them. Sinkholes are designed to attract traffic
and keep it (for analysis or whatever reason). Blockhouse, on the other hand,
are designed to attract traffic and never let it be seen again.
In larger networks (and
what we simulate in our CCIE labs) both of these techniques are typically done
via BGP. So lets start with the sinkhole idea. To create a sinkhole, we want
to attract traffic. The first question we need to ask is Why?
Whenever you advertise a
network out, you inadvertently attract traffic to that IPs. That traffic may
be good, or it may be bad. From a security perspective, Im sure everyone has
heard the term Honeypot used before. There is a specific purpose to attract
traffic.
So lets say that you have
a /24 network advertising to the Internet through various connections. Traffic
can come in and wend its way through your network to the destination network
segment. You notice a Dos attack, or some huge amount of traffic towards one of
your web servers. Where do you secure against this? How do you secure against
it? Are you still moving traffic all the way through your network to one final
router before the segment? Are you tying up all your links bandwidth while
doing this?
Sinkholes spread
throughout your network are a way to break apart and analyze the traffic,
perhaps cleaning it and moving the good stuff on through. But multiple routers
would need a focal point, or different way to route that traffic. You may
simply change the destination for a single IP out of that /24. Most-specific
routing always wins, so thats an easy way. Maybe you have multiple analysis
points in your network to segment the traffic and reduce load and bottlenecks in
your topology.
Either way, follow the lab
instructions and you are creating a sinkhole. You may even be advertising extra
networks just to attract traffic for analysis (like a Honeypot idea). Just
watch whats being asked, but thats the concept of a sinkhole.
Blackhole routing on the
other hand wants to kill traffic. Simply enough, we could go to all of our
routers and install some Null0 routes. In real life, this is not a scalable
approach. Hence the term remotely-triggered blackhole routing, and well use
BGP. Killing a route via a routing protocol is not a simple concept. No matter
how hard we try when advertising a route, Null0 is not a valid next-hop to pass
along to someone else!
So every router needs to
have a seed route to Null0. Pick something that isnt used.
Ip route 1.1.1.1
255.255.255.255 null0
That goes on every single
router now. Of course, we would also have BGP setup between all of our internal
routers. Perhaps not really moving any real routing information, just used to
kill things. Now we need the trigger. On a central router (wherever an admin
is anyway) well do our maintenance for what routes we want to kill.
Ip route 192.0.0.0
255.0.0.0 null0 tag 86
ip route 100.100.100.0 255.255.255.0 null0 tag 86
ip route 200.200.200.0 255.255.255.0 null0 tag 86
Notice the tag on those
static routes. This will be used for redistribution to help only get the bad
routes from a router that may actually have many other static routes. Ok, not
in the real lab, but were pretending that the skills we learn on our way to
CCIE have some real-life intrinsic value, right?
So once we have decided on
our central router what routes we want to kill everywhere, then we pass them out
through BGP.
Route-map KillRoutes
permit 10
Match tag 86
Router bgp 65000
Redistribute static route-map KillRoutes
That all seems very
simple, right? Well, yes it does, but it wont help us. At this point, all of
our iBGP routers would see the central router as the next hop for each of the
routes. Ok, yes, that creates a blackhole. Because it pulls all of the packets
into the middle of our network and then kills them locally with a Null0
next-hop. But we are wasting LOTS of bandwidth in doing this. Always filter as
close to the source as possible. Good design rules!
In order to do this, we
need to change the next hop of the route from our central routers IP address to
that of the distributed Null0 route (1.1.1.1 in my example).
Route-map NH-Change permit
10
Match tag 86
Set ip next-hop 1.1.1.1
Route-map NH-Change permit 20
Router bgp 65000
Neighbor x.x.x.x route-map NH-Change out
(repeat for each of your neighbors unless youre using peer groups!)
The last permit statement
of the route-map was to pass-through any other routes that you may want to run
in BGP unchanged. Only make the next-hop change for those routes that are
evil. You could also set this next-hop within the original redistribute
route-map. I just split it out for pointing out the differences.
At this point, all of your
other routers have learned some routes via iBGP, with a next-hop of 1.1.1.1 and
since they have a local static route to Null0 for that next hop, all routes
learned this way will be killed.
We have now used blackhole
routing in a remotely-triggered manner. Kinda cool, huh? Not difficult either,
just a matter of thinking about what we are trying to accomplish.
As noted, these techniques
have been listed more explicitly on both the Security (2.0) and Service Provider
CCIE tracks. I dont see any reason why they cant be used in Routing &
Switching as well, so it never hurts to think these things through!
For some extra
information, check out:
scenario carefully. Makes notes and diagrams as necessary, but think like the
router does. Think things through one step at a time and all of these
complicated things suddenly become much easier.
Cheers,
Scott
Scott Morris is
IPexpert's Vice President of Curriculum and Senior Technical Instructor.
With over 20 years of technical training and consulting experience and
a wealth of technical certifications, Scott Morris has proven to be among the
elite in the technical training industry. Scott is one of the few people in the
world who currently hold four separate CCIE certifications, but is one-of-a-kind
by having added Juniper Network's expert level certification. He is also
actively preparing for the CCIE Voice. Scott has years of experience both
writing and teaching CCIE lab preparation materials with an outstanding track
record of success.
Over the past seven years, Scott has also been involved in many aspects of
training directly for Cisco's internal staff on a variety of advanced technical
topics. His knowledge and real-world experiences have been sought after for many
projects.
Scott has also participated in editing, writing and reviewing training books for
Cisco Press, Wylie, Sybil, Que. Publishing and McGraw-Hill. His contributing
author work includes Cisco Press' Managing Cisco Network Security book ( ISBN:
1578701031) - Chapters on the PIX Firewall; and Cisco Press' CCIE Practical
Studies, Vol. 2 (ISBN: 1587050722) - Chapter on Multicast. Scott can be reached
by: asbservices4
Your Legitimate Online Business will Succeed if You Set Your Goals Correctly Sales Marketing How To Save Money On The Adwords Network Five Proven Ways To Safely Make Positive Life Changes Supporting Your Business During A Recession Financing A Small Business Does Not Have To Be Complicated ....... The Most Possible Taking Online Survey Fitness Business Coach: Why Should You Hire One? Traffic Is The Key To Your Accomplishment Comparing Business Credit Cards Reasons To Donate Autos In New Jersey How You Making Customer Satisfaction Surveys On Line Marketing Opportunity Save Your Precious Money
Filtering With Holes Either Way./. Campo Grande