Re: BGP - IP Blackhole

From: Marios Makassikis (mmakassikisgmail.com)
Date: Fri Apr 18 2014 - 09:34:17 CDT


On 18 April 2014 16:29, Tristan PILAT <tristan.pilatgmail.com> wrote:

> 2014-04-18 10:23 GMT+02:00 Tristan PILAT <tristan.pilatgmail.com>:
>
> > 2014-04-17 19:27 GMT+02:00 Tristan Pilat <tristan.pilatgmail.com>:
> >
> >>
> >>
> >> On 17 April 2014 19:02:14 CEST, Claudio Jeker <cjekerdiehard.n-r-g.com> wrote:
> >> >You can't use rtlabels for matching the source, at least I think it
> >> >does not work. I would try to use the "set pftable dos" in bgpd and
> >> >"block quick drop from <dos>" in pf.
> >>
> >> OK, I will try this tomorrow, thanks. But if it does not work, how can I
> >> set up a blackhole based on source address as described in RFC 5635 with
> >> OpenBSD?
> >> --
> >> Tristan
> >>
> >
> > Me again.
> >
> > This slide from a presentation by Henning Brauer is very interesting...
> > http://quigon.bsws.de/papers/2014/asiabsdcon/mgp00031.html
> >
> > I'm still digging :-)
> > --
> > Tristan
> >
>
> Thanks Claudio, I just tested it and it works with "set pftable dos" in
> bgpd.conf and "block drop quick from <dos>" in pf.conf, but there is still a
> small thing. In my lab I tried this, sending ICMP, and it works only if I
> stop the ping command and relaunch it. I mean, if I'm pinging an IP
> address and run "bgpctl network add ...", it doesn't stop the ping.
>
> How can I stop the flow immediately with PF?
>
>
Sounds like your traffic is matching an existing state, which is why it's
still passing.
Look at the pfctl manpage, and more specifically the -k switch.

Marios

> --
> Tristan
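As an added example (not part of the original thread, and not Tristan's or Claudio's configuration), here is how the pieces discussed above fit together: a bgpd.conf filter rule that writes prefixes into a pf table, the pf.conf rule that drops traffic from that table, and the pfctl commands to confirm the table contents and to kill the state that keeps an already-running ping passing. The AS numbers, addresses, neighbor, community value and the "dos" table name are assumptions chosen for the illustration; the thread itself triggers the table entry with "bgpctl network add" rather than with a received community.

```conf
# --- /etc/bgpd.conf (fragment, assumed values) ---
AS 65001
router-id 192.0.2.2
blackhole="65000:666"            # assumed trigger community for source-based RTBH

neighbor 192.0.2.1 {
        remote-as 65000
        descr "trigger-router"
}

# Every prefix received with the blackhole community is written into the
# pf table "dos"; bgpd keeps the table in sync as routes are added and withdrawn.
match from any community $blackhole set { pftable "dos" }

# --- /etc/pf.conf (fragment) ---
table <dos> persist
block drop in quick from <dos>   # "quick": no later pass rule can override it
pass                             # remainder of the ruleset

# --- Verification (run as root on the OpenBSD box; assumed attacker net 198.51.100.0/24) ---
# bgpctl show rib community 65000:666  # prefixes carrying the blackhole community
# pfctl -t dos -T show                 # prefixes bgpd pushed into the pf table
# pfctl -s states | grep 198.51.100.10 # an existing state lets the running ping through
# pfctl -k 198.51.100.0/24             # kill states originating from that network
```

The block rule only applies to packets that have to be evaluated by the ruleset; packets that match an existing state entry are passed on the state lookup alone, which is why a ping started before the table entry appeared keeps working. A single "-k host|network" kills the state entries that originate from that host or network; to also kill states in which the address is the destination, pfctl accepts a second "-k" argument naming the other end of the state.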