Filtering With Holes Either Way.

By

rupender

Posted Date: Tuesday, October 27, 2009 | Viewed: 91
Posted In Category: Computers and Internet » Networking Articles

Sinkhole routing.
While this may sound a lot like some Star Trek episode, it’s important for us to understand what each is, and more so how to implement them. Sinkholes are designed to attract traffic and keep it (for analysis or whatever reason). Black holes, on the other hand, are designed to attract traffic and never let it be seen again. In larger networks (and what we simulate in our CCIE labs) both of these techniques are typically done via BGP. So let’s start with the sinkhole idea. To create a sinkhole, we want to attract traffic. The first question we need to ask is “Why?”

Whenever you advertise a network out, you inadvertently attract traffic to those IPs. That traffic may be good, or it may be bad. From a security perspective, I’m sure everyone has heard the term honeypot used before. There is a specific purpose: to attract traffic. So let’s say that you have a /24 network advertised to the Internet through various connections. Traffic can come in and wend its way through your network to the destination network segment. You notice a DoS attack or some huge amount of traffic towards one of your web servers. Where do you secure against this? How do you secure against it?

Are you still moving traffic all the way through your network to one final router before the segment? Are you tying up your entire link’s bandwidth while doing this? Sinkholes spread throughout your network are a way to break apart and analyze the traffic, perhaps cleaning it and moving the good stuff on through. But multiple routers would need a focal point, or a different way to route that traffic. You may simply change the destination for a single IP out of that /24. Most-specific routing always wins, so that’s an easy way. Maybe you have multiple analysis points in your network to segment the traffic and reduce load and bottlenecks in your topology. Either way, follow the lab instructions and you are creating a sinkhole. You may even be advertising extra networks just to attract traffic for analysis (like the honeypot idea). Just watch what’s being asked, but that’s the concept of a sinkhole.
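Here is what the “more-specific route” sinkhole described above looks like in IOS. This is an added example, not configuration from the article. It assumes a dedicated sinkhole router in the article’s AS 65000, an analysis segment on 10.99.99.0/24 with the sniffer or scrubbing box at 10.99.99.2, a victim web server at 100.100.100.10 inside the article’s sample 100.100.100.0/24, and an iBGP peer (an edge router) at 10.0.0.1. All of those addresses are constructed; the hostname SINK is hypothetical.

```cisco
! Sinkhole router (hypothetical hostname SINK), AS 65000 as in the article.
! The /24 containing the victim is still advertised normally by the edge routers;
! the sinkhole pulls only the single attacked host /32 toward the analysis segment.
!
interface GigabitEthernet0/1
 description Analysis segment; sniffer / scrubbing device at 10.99.99.2 (constructed)
 ip address 10.99.99.1 255.255.255.0
!
! Most-specific route wins: this /32 beats the /24 on every router that learns it.
ip route 100.100.100.10 255.255.255.255 10.99.99.2
!
! Keep the diversion inside the AS: the /32 must never leak to upstream peers,
! so tag it no-export before it leaves this router.
ip prefix-list SINK-HOSTS seq 5 permit 100.100.100.10/32
!
route-map SINK-OUT permit 10
 match ip address prefix-list SINK-HOSTS
 set community no-export
route-map SINK-OUT permit 20
!
router bgp 65000
 ! The static route above puts the /32 in the RIB, so this network statement
 ! originates it into iBGP.
 network 100.100.100.10 mask 255.255.255.255
 neighbor 10.0.0.1 remote-as 65000
 neighbor 10.0.0.1 next-hop-self
 neighbor 10.0.0.1 send-community
 neighbor 10.0.0.1 route-map SINK-OUT out
!
! To stop diverting, remove the static route: the /32 leaves the RIB, the network
! statement no longer originates it, and the /24 takes over again.
```

On the edge router, `show ip bgp 100.100.100.10` should show the /32 learned from the sinkhole with the no-export community; once the static route is withdrawn on SINK the entry disappears and traffic for that host follows the /24 again.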

Black hole routing, on the other hand, wants to kill traffic. Simply enough, we could go to all of our routers and install some Null0 routes. In real life, this is not a scalable approach. Hence the term remotely-triggered black hole routing, and we’ll use BGP. Killing a route via a routing protocol is not a simple concept. No matter how hard we try when advertising a route, Null0 is not a valid next-hop to pass along to someone else! So every router needs to have a seed route to Null0. Pick something that isn’t used:

    ip route 1.1.1.1 255.255.255.255 null0

That goes on every single router now. Of course, we would also have BGP set up between all of our internal routers, perhaps not really moving any “real” routing information, just used to kill things. Now we need the trigger. On a central router (wherever an admin is anyway) we’ll do our maintenance for what routes we want to kill:

    ip route 192.0.0.0 255.0.0.0 null0 tag 86
    ip route 100.100.100.0 255.255.255.0 null0 tag 86
    ip route 200.200.200.0 255.255.255.0 null0 tag 86

Notice the tag on those static routes. This will be used during redistribution so that only the “bad” routes are picked up from a router that may actually have many other static routes. OK, not in the real lab, but we’re pretending that the skills we learn on our way to CCIE have some real-life intrinsic value, right?


So once we have decided on our central router what routes we want to kill everywhere, we pass them out through BGP:

    route-map Kill-Routes permit 10
     match tag 86
    !
    router bgp 65000
     redistribute static route-map Kill-Routes

That all seems very simple, right? Well, yes it does, but it won’t help us. At this point, all of our iBGP routers would see the central router as the next hop for each of the routes. OK, yes, that creates a black hole, because it pulls all of the packets into the middle of our network and then kills them locally with a Null0 next-hop. But we are wasting LOTS of bandwidth in doing this. Always filter as close to the source as possible. Good design rules! In order to do this, we need to change the next hop of the route from our central router’s IP address to that of the distributed Null0 route (1.1.1.1 in my example):

    route-map NH-Change permit 10
     match tag 86
     set ip next-hop 1.1.1.1
    route-map NH-Change permit 20
    !
    router bgp 65000
     neighbor <peer-address> route-map NH-Change out

Repeat the neighbor line for each of your neighbors unless you’re using peer groups! The last permit statement of the route-map is there to pass through unchanged any other routes that you may want to run in BGP. Only make the next-hop change for those routes that are evil. You could also set this next-hop within the original redistribute route-map; I just split it out to point out the differences.

At this point, all of your other routers have learned some routes via iBGP, with a next-hop of 1.1.1.1 and since they have a local static route to Null0 for that next hop, all routes learned this way will be killed. We have now used black hole routing in a remotely-triggered manner. Kind of cool, huh? Not difficult either, just a matter of thinking about what we are trying to accomplish.
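A complete, cleaned-up version of the remotely-triggered black hole setup walked through above, as an added example rather than the article’s own configuration. It keeps everything the article specifies (the 1.1.1.1 seed route to Null0 on every router, tag 86, the three prefixes, AS 65000) and folds the next-hop rewrite into the redistribute route-map, which the text mentions as an option. The trigger router and the edge routers peering with it at 10.0.0.1, 10.0.0.2 and 10.0.0.3 are constructed addresses, and the no-export community is an addition that keeps the kill routes from leaking to eBGP peers.

```cisco
! --- Every router in AS 65000, trigger and edges alike ---
! Seed route: the black-hole next hop 1.1.1.1 resolves to Null0 locally on each
! router, so traffic is dropped wherever it enters rather than hauled to the trigger.
ip route 1.1.1.1 255.255.255.255 null0
!
! --- Trigger router only (hypothetical hostname TRIGGER, address 10.0.0.1) ---
! Routes to kill. Tag 86 marks them so only these are redistributed, even if this
! router carries many other static routes.
ip route 192.0.0.0 255.0.0.0 null0 tag 86
ip route 100.100.100.0 255.255.255.0 null0 tag 86
ip route 200.200.200.0 255.255.255.0 null0 tag 86
!
! Redistribute only the tag-86 statics, rewrite the next hop to the distributed
! Null0 route, and mark them no-export so they stay inside the AS.
route-map Kill-Routes permit 10
 match tag 86
 set ip next-hop 1.1.1.1
 set community no-export
!
router bgp 65000
 redistribute static route-map Kill-Routes
 neighbor 10.0.0.2 remote-as 65000
 neighbor 10.0.0.2 send-community
 neighbor 10.0.0.3 remote-as 65000
 neighbor 10.0.0.3 send-community
!
! --- Edge routers (10.0.0.2, 10.0.0.3): nothing beyond the seed route above and
! --- the iBGP session back to the trigger.
router bgp 65000
 neighbor 10.0.0.1 remote-as 65000
!
! Verification on an edge router: the kill prefixes arrive via iBGP with next hop
! 1.1.1.1, which recurses to the local Null0 static, so CEF drops them on the spot.
!   show ip bgp 100.100.100.0
!   show ip route 1.1.1.1
!   show ip cef 100.100.100.1
!
! To un-blackhole a prefix, remove its tagged static on TRIGGER; BGP withdraws it
! from every edge router automatically.
```

Because the next hop is rewritten at redistribution time there is no need for a separate outbound route-map per neighbor, and adding or removing a black-holed prefix is a single static-route change on the trigger router.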
As noted, these techniques have been listed more explicitly on both the Security (2.0) and Service Provider CCIE tracks. I don’t see any reason why they can’t be used in Routing & Switching as well, so it never hurts to think these things through! For some extra information, check out:

Scenario carefully. Make notes and diagrams as necessary, but think like the router does. Think things through one step at a time and all of these complicated things suddenly become much easier. Cheers,

Scott Morris is IPexpert’s Vice President of Curriculum and Senior Technical Instructor. With over 20 years of technical training and consulting experience and a wealth of technical certifications, Scott Morris has proven to be among the elite in the technical training industry. Scott is one of the few people in the world who currently hold four separate CCIE certifications, but is one-of-a-kind by having added Juniper Networks’ expert-level certification. He is also actively preparing for the CCIE Voice. Scott has years of experience both writing and teaching CCIE lab preparation materials with an outstanding track record of success.

Over the past seven years, Scott has also been involved in many aspects of training directly for Cisco's internal staff on a variety of advanced technical topics. His knowledge and real-world experiences have been sought after for many projects.
