Remote Triggered Black Hole

Remote Triggered Black Hole

基本原理

首先说明一下 RTBH (Remote Triggered Black Hole 远程触发黑洞路由) 是一个相对古早的技术,其主要目的是集中的控制某一个地址或地址段的路由,多用于在公网上缓解DoS攻击。

虽说 RTBH 也经历了一些发展(rfc3882、rfc5635、rfc7999)但仍然是一种基于三层IP地址的控制技术,在控制能力和灵活性上能力一般,由于主要是基于 BGP next-hop 属性做控制,所以操作上相对繁琐控制颗粒度也较粗;

RTBH 的技术原理其实很简单,使用 BGP 协议在 AS 内发布目标地址或地址段的 next-hop ,使其指向预先定义的黑洞路由;也可以使用路由策略针对不同的路由器设置不同的 next-hop,从而实现 “Romote Trigger”。

一般来讲,路由器的转发能力要大于其过滤能力,况且 acl/QoS、PBR 等要想是实现自动远程配置几乎只能使用专门开发的系统或设备(通过BGP传递Qos其实有相关的公有技术--“QPPB”,不过用的不多),所以 RTBH 对比其他技术还是有一些价值的。

如果希望有更好的通用控制能力 Flowspec 是一个更好的选择,但这是一个相对较新的技术,低端和老旧设备不一定支持,现阶段部署 RTBH 还有一定的价值;Flowspec 可以看作是使用 MP-BGP 传递的 acl/pbr/QoS,后面单独成文

下面使用模拟器演示传统 RTBH ,拓扑和各 IP 地址如图所示,图中模拟了公网环境 AS65500 和三个 AS 互联;

  • AS 之间使用 EBGP;AS6500 内使用 IS-IS 作为 IGP ;
  • R1 R2 R3 作为边界路由器各连接一个 ISP/AS;
  • 服务器地址是 192.168.0.1/24 模拟DoS中的受害者;
  • R10 生成 RTBH 目标网段;
  • R9 作为分发者将策略下发至各执行路由器;
  • R4 作为集中处置路由器,可以执行黑洞或者将流量通过隧道传送给分析器;
  • R5 R6 是正常转发路由不执行特殊路由策略;
  • 拓扑中除 Server 为 linux 外其余设备均为 H3C-vSR1000 Version 7.1.064, Release 1362P12;环境为网络演示,分析器 Analyse 仅终结了隧道并未做后续处理;
  • 演示传统 RTBH,不作为最佳实践;

img

策略方式:
R10-Trigger 基于静态路由tag分类不同引入 BGP 后携带不同的 Community 发给R9;
R9 基于不同类型的 community 通过 route-policy 设置不同种类的 RTBH ;

为减少篇幅,通用配置见最后的完整配置章节。

我在查文档的时候,RTBH 基本都是基于 cisco 或者juniper 设备的配置,其中路由的生成和策略的分发是在同一台设备上完成的,即 R9 和 R10 的功能在同一台设备上实现,本例中没有这么做是因为华为H3C的设备明确指出 BGP 路由的“原始产生位置”不支持使用 route-policy 手动更改 “next-hop” ;即:在 BGP 视图下使用 “network” 和 “import” 命令的时候使用 route-policy 修改 “next-hop” 不生效,所以才有这种“路由产生”和“策略分发”分离的方式。

目的黑洞

Anti DoS 场景,目的黑洞就是把受害者的地址加到黑洞路由;但这样的话目的地址就彻底失联了,反而算是主动 DoS 了,失去了防护意义,这种情况就需要选择性的使部分路由器产生黑洞路由;

边界黑洞

AS 边界路由器是执行目的黑洞的良好位置,对于公网设备来说,更早的处理攻击流量可以有效的降低 AS 内部的网络压力;大流量DoS攻击,不仅会对目的服务器会产生重大打击,对网络基础设施也会有明显影响。

配置示例:

####R10####
#基于 tag 分类,此处将 tag 17777 的静态路由标记 community 1:7777 传递给 R9
route-policy classer permit node 10
 if-match tag 17777
 apply community 1:7777
#
#本配置中 tag 17777 代表目的黑洞
 ip route-static 192.168.0.7 32 NULL0 tag 17777
#
####R9####
bgp 65500
  #~常规配置略,详见“完整配置”章节~
 address-family ipv4 unicast
  #~常规配置略,详见“完整配置”章节~
  peer Border route-policy Border_Policy export
  peer Border advertise-community
  peer Inner route-policy Inner_Policy export
  
  #入向分类,基于 R10 传递的 Community 分类
  peer Trigger route-policy classifier import
#
#出向策略,发送给边界路由器时候的路由策略
#第一条为常规 BGP 路由,不是 RTBH 路由
route-policy Border_Policy permit node 1
 if-match tag 0
# RTBH 路由 , 7.7.7.7 为预先定义的黑洞
route-policy Border_Policy permit node 10
 if-match tag 17777
 apply community no-export
 apply ip-address next-hop 7.7.7.7
#
#内网常规路由器 BGP 路由
route-policy Inner_Policy permit node 10
 if-match tag 0
 
#入向策略,Trigger路由分类
route-policy classifier permit node 10
 if-match community name com17777
 apply tag 17777
route-policy classifier deny node 80
#
#community-list 用于匹配 community
 ip community-list basic com17777 permit 1:7777
####R1/R2/R3####
bgp 部分略
ip route-static 7.7.7.7 32 NULL0

基于位置黑洞

只在某一个边界路由器上设置黑洞可以减少 RTBH 对正常流量的影响;
为每个边界路由器设置单独的 route-policy ,除了有点麻烦没什么问题;
不过对于此种需求一般建议使用 BLACKHOLE Community 方式从边界路由器再进行一次过滤,减少了集中配置的策略数量。详见下面的 BGP BLACKHOLE community 章节。

集中黑洞/隧道分析

边界路由器是执行黑洞路由的优选位置,但有时候需要对异常流程进行集中处理(比如分析等), R4 作为集中处置路由器,可以执行黑洞或者将流量通过隧道传送给分析器。

将目标地址在边界的下一跳指向 R4 ,R4的的下一跳指向隧道发送给分析器:

#
bgp 65500
  #~常规配置略,详见“完整配置”章节~
 #
 address-family ipv4 unicast
  #~常规配置略,详见“完整配置”章节~
  peer Border route-policy Border_Policy export
  peer Border advertise-community
  peer Centralization route-policy Centralization_Policy export
  peer Trigger route-policy classifier import
#
#边界出向常规 BGP 路由
route-policy Border_Policy permit node 1
 if-match tag 0
#边界出向集中处置路由
route-policy Border_Policy permit node 20
 if-match tag 18888
 apply community no-export
 apply ip-address next-hop 8.8.8.8
#

#基础处置路由,出向策略
#R4 常规路由
route-policy Centralization_Policy permit node 1
 if-match tag 0
#集中处置路由
route-policy Centralization_Policy permit node 20
 if-match tag 18888
 apply ip-address next-hop 172.16.1.2
#入向分类
route-policy classifier permit node 20
 if-match community name com18888
 apply tag 18888
#
route-policy classifier deny node 80
#
ip community-list basic com18888 permit 1:8888

源黑洞

BGP 是一个路由信息传递协议,而路由的传递基于目的地址,目前还没有哪种路由协议会涉及源地址;

但考虑一下,DoS/DDoS 攻击过程中封禁源地址比目的地址更有意义;封禁目的地址,会导致受害者彻底失联,即使只在特定 AS 入口封禁也会有大量的合法访问被波及而无法访问服务;

网路通信是双向的,源地址在回包时候就是目的地址,所以简单的把 DoS 攻击源地址加入黑洞也是有一定意义的,但对于大部分的泛洪攻击流量就没什么效果,这类攻击基本都是源地址发起大量流量,对受害服务器的回包不关心;

路由黑洞只对目的生效,但结合uRPF技术可以很好解决源黑洞问题;简单来讲,开启uRPF后,源、目任一方不在路由表中就拒绝转发;这样对攻击源设置为黑洞就变相实现源黑洞效果;urpf 配置也方式十分简单:

#R1/R2/R3边界路由器
ip urpf loose

R9 设置和目的黑洞一样无差别:

bgp 65500
  #~常规配置略,详见“完整配置”章节~
 #
 address-family ipv4 unicast
  #~常规配置略,详见“完整配置”章节~
  peer Border route-policy Border_Policy export
  peer Border advertise-community
  peer Inner route-policy Inner_Policy export
  #设置入向分类
  peer Trigger route-policy classifier import
#
route-policy Border_Policy permit node 1
 if-match tag 0
#
route-policy Border_Policy permit node 30
 if-match tag 19999
 apply community no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy Centralization_Policy permit node 1
 if-match tag 0
#
route-policy Centralization_Policy permit node 30
 if-match tag 19999
 apply ip-address next-hop 7.7.7.7
#
route-policy classifier permit node 30
 if-match community name com19999
 apply tag 19999
#
route-policy classifier deny node 80
#
ip community-list basic com19999 permit 1:9999

uRPF 功能有不同模式(strict/loose),各有适用场景,详细一点的解释可以看这里

BGP BLACKHOLE community

上述的黑洞方式在跨 AS 的情况下会变得没这么有效,由于不同 AS 通常不是由同一批管理人员控制,next-hop 方式黑洞方式需要预先定义个静态黑洞路由,一个 AS 的路由器解释为黑洞的地址在另一个 AS 内可能正常转发(虽说公网上通常将 rfc1918等定义的定制指向黑洞,但这也只是对对方合理的假设并不是一定要执行的);其实还有一个问题就是 AS 边界路由器出于网络设备压力考虑,通常会拒绝过于明细的 BGP 路由(比如前缀大于 /24 的 IPv4 和大于 /48 的IPv6路由,rfc7454),但 RTBH 最常用设置的就是32位(IPv4,v6为128为)地址,很少会封禁一整个网段;

这时要么在 BGP 中再定义一个新的行为来执行黑洞操作,要么定义一个公认的黑洞地址;目前这两种方案均有 RFC ,rfc7999 定义了黑洞 Community(0xFFFF029A) ,rfc6666 定义了黑洞地址;不过 rfc6666 仅定义了公认 IPv6 黑洞地址(0100::/64),IPv4没有。

rfc7999 的意义其实不在于定义了一个新的 BGP 行为,而是定义了一个公认的行为,毕竟只要与另外一个 AS 约定好,任意私有 Community 均可充当 BLACKHOLE;现在的路由器默认不执行 BLACKHOLE 行为,甚至都不能识别 BLACKHOLE 为一个well-known community,下面以手动 route-policy 的方式实现:

#
bgp 65500
  #~常规配置略,详见“完整配置”章节~
 #
 address-family ipv4 unicast
  peer Border route-policy Border_Policy export
  peer Inner route-policy Inner_Policy export
  peer Trigger route-policy classifier import
#
route-policy Border_Policy permit node 1
 if-match tag 0
#
# BLACKHOLE Community 0xFFFF029A 十进制为 4294902426
route-policy Border_Policy permit node 40
 if-match tag 10000
 apply community 1:0 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 50
 if-match tag 10001
 apply community 1:1 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 60
 if-match tag 10002
 apply community 1:2 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 70
 if-match tag 10003
 apply community 1:3 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Inner_Policy permit node 10
 if-match tag 0
#
route-policy classifier permit node 40
 if-match community name com10000
 apply tag 10000
#
route-policy classifier permit node 50
 if-match community name com10001
 apply tag 10001
#
route-policy classifier permit node 60
 if-match community name com10002
 apply tag 10002
#
route-policy classifier permit node 70
 if-match community name com10003
 apply tag 10003
#
route-policy classifier deny node 80
#
 ip community-list basic com10000 permit 1:0
 ip community-list basic com10001 permit 1:1
 ip community-list basic com10002 permit 1:2
 ip community-list basic com10003 permit 1:3
#边界路由以R1为例

bgp 65500
 router-id 1.1.1.1
 group RR internal
 peer RR connect-interface LoopBack0
 peer 10.0.69.9 group RR
 peer 11.0.0.2 as-number 65501
 peer 11.0.0.2 connect-interface GigabitEthernet8/0
 #
 address-family ipv4 unicast
  peer RR enable
  peer RR route-policy BLACKHOLE_COMMUNITY import
  peer RR next-hop-local
  peer 11.0.0.2 enable
  peer 11.0.0.2 advertise-community
  peer 11.0.0.2 next-hop-local
#
#未设置no-export,表明此路由需要传递给ebgp对等体,请对端协助处置目的黑洞
route-policy BLACKHOLE_COMMUNITY permit node 10
 if-match community name blackhole_r1
 apply community 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY permit node 20
 if-match community name blackhole_all
 apply community 4294902426 no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY deny node 30
 if-match community name blackhole_comm
#
route-policy BLACKHOLE_COMMUNITY permit node 40
#
 ip community-list basic blackhole_all permit 1:0 4294902426
 ip community-list basic blackhole_comm permit 4294902426
 ip community-list basic blackhole_r1 permit 1:1 4294902426

假设攻击源位于 AS65504,AS65500 向 AS65001发送BLACKHOLE community,请 AS65501 协助封禁经过 AS65501 发往 AS65500 的某一地址的流量。

##ISP1
bgp 65501
 router-id 192.168.1.0
 peer 11.0.0.1 as-number 65500
 peer 11.0.0.1 connect-interface GigabitEthernet1/0
 peer 14.0.0.2 as-number 65504
 peer 14.0.0.2 connect-interface GigabitEthernet2/0
 #
 address-family ipv4 unicast
  network 192.168.1.0 255.255.255.0
  peer 11.0.0.1 enable
  peer 11.0.0.1 route-policy blackhole_comm import
  peer 11.0.0.1 next-hop-local
  peer 14.0.0.2 enable
  peer 14.0.0.2 next-hop-local
#
#接受目的黑洞BLACKHOLE,设置 no-export 不再跨 AS 传播
route-policy blackhole_comm permit node 10
 if-match community name blackhole
 apply community no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy blackhole_comm permit node 100
#
 ip community-list basic blackhole permit 4294902426
#

RFC6666

这个 RFC 废除了一个 IPv6 地址段的前缀,专门用于 IPv6 的黑洞路由,本 RFC 篇幅不长可以直接读一下,之前这个文章也简单描述了一下此 RFC 的目的。

前面已经说过 BGP 协议无法把 next-hop = NULL0 这种形式的路由传递出去,RTBH 需要预先定义一个指向NULL的黑洞路由(比如前面例子中的7.7.7.7),再使用 BGP 传递 next-hop = 7.7.7.7 从而将目标路由间接指向 NULL。

上面拓扑示例中为了方便,使用了容易记忆的 7.7.7.7 作为黑洞,在实际使用的过程中一般使用网络中不会出现的地址,如在公网中使用 RFC1918 地址作为黑洞,或者使用 RFC5737 中定义的 TEST-NET 地址,192.0.2.0/24、198.51.100.0/24 等。

此 RFC 废除的地址段被专门用于黑洞路由,现在路由器还没默认执行该 RFC,需要手动添加路由表,如果打算实现 IPv6 的 RTBH 非常建议直接使用这个段;

如果路由器执行该 RFC,这个前缀应该会被默认添加进路由表,地位类似下面展示的其他指向NULL的特殊用途路由或指向的自身的本地路由:
img
img
img

效果

####R10-Trigger####
#边界目的黑洞
 ip route-static 192.168.0.7 32 NULL0 tag 17777
#集中处置
 ip route-static 192.168.0.8 32 NULL0 tag 18888
#全体边界 BLACKHOLE
 ip route-static 192.168.0.100 32 NULL0 tag 10000
#R1 BLACKHOLE
 ip route-static 192.168.0.101 32 NULL0 tag 10001
#R2 BLACKHOLE
 ip route-static 192.168.0.102 32 NULL0 tag 10002
#R3 BLACKHOLE
 ip route-static 192.168.0.103 32 NULL0 tag 10003
#边界源黑洞
 ip route-static 192.168.1.1 32 NULL0 tag 19999

边界黑洞和集中处置路由
img

R1 BLACKHOLE传递给ISP1的黑洞路由
img

Flowspec

前面说到了传统的 RTBH 是一种粒度很粗的控制方式,而且完全依赖 route-policy 设置 next-hop 实现;可以说灵活度和控制能力都比较有限,好在并没有引入新的协议和特性,完全沿袭之前的技术,使用合理的组合实现 RTBH,几乎无需对设备进行升级,对设备性能也没有很高的需求。

但是随着网络技术的发展对 RTBH 技术有了新的要求,Flowspec 作为一种专门处理网络中非法异常流量的控制协议,作为 MP-BGP 一个新的地址族被加入 ,其角色和架构和上述的 RTBH 差不多,主要是标准协议化了,有更好的控制颗粒度和更灵活的控制方式。这里限于篇幅此部分内容单独成文,具体见这里

完整配置

策略写的有点乱,一般情况下不会同时部署所有类型的 RTBH;简单测试功能正常,没详细测试不知道有没有逻辑bug,抛砖引玉;

###R9
interface LoopBack0
 ip address 9.9.9.9 255.255.255.255
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.0.69.9 255.255.255.0
#
interface GigabitEthernet2/0
 port link-mode route
 ip address 10.0.109.9 255.255.255.0
#
bgp 65500
 router-id 9.9.9.9
 group Border internal
 peer Border connect-interface GigabitEthernet1/0
 group Centralization internal
 peer Centralization connect-interface GigabitEthernet1/0
 group Inner internal
 peer Inner connect-interface GigabitEthernet1/0
 group Trigger internal
 peer Trigger connect-interface GigabitEthernet2/0
 peer 1.1.1.1 group Border
 peer 2.2.2.2 group Border
 peer 3.3.3.3 group Border
 peer 4.4.4.4 group Centralization
 peer 5.5.5.5 group Inner
 peer 6.6.6.6 group Inner
 peer 10.0.109.10 group Trigger
 #
 address-family ipv4 unicast
  #出向可以被route-policy修改
  reflect change-path-attribute

  #BGP路由不加入本地路由表,减轻R9作为控制器的压力
  routing-table bgp-rib-only

  peer Border enable
  peer Border route-policy Border_Policy export
  peer Border advertise-community
  peer Border reflect-client
  peer Centralization enable
  peer Centralization route-policy Centralization_Policy export
  peer Centralization reflect-client
  peer Inner enable
  peer Inner route-policy Inner_Policy export
  peer Inner reflect-client
  peer Trigger enable
  peer Trigger route-policy classifier import
#
route-policy Border_Policy permit node 1
 if-match tag 0
#
route-policy Border_Policy permit node 10
 if-match tag 17777
 apply community no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 20
 if-match tag 18888
 apply community no-export
 apply ip-address next-hop 8.8.8.8
#
route-policy Border_Policy permit node 30
 if-match tag 19999
 apply community no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 40
 if-match tag 10000
 apply community 1:0 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 50
 if-match tag 10001
 apply community 1:1 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 60
 if-match tag 10002
 apply community 1:2 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Border_Policy permit node 70
 if-match tag 10003
 apply community 1:3 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy Centralization_Policy permit node 1
 if-match tag 0
#
route-policy Centralization_Policy permit node 10
 if-match tag 17777
 apply ip-address next-hop 7.7.7.7
#
route-policy Centralization_Policy permit node 20
 if-match tag 18888
 apply ip-address next-hop 172.16.1.2
#
route-policy Centralization_Policy permit node 30
 if-match tag 19999
 apply ip-address next-hop 7.7.7.7
#
route-policy Inner_Policy permit node 10
 if-match tag 0
#
route-policy classifier permit node 10
 if-match community name com17777
 apply tag 17777
#
route-policy classifier permit node 20
 if-match community name com18888
 apply tag 18888
#
route-policy classifier permit node 30
 if-match community name com19999
 apply tag 19999
#
route-policy classifier permit node 40
 if-match community name com10000
 apply tag 10000
#
route-policy classifier permit node 50
 if-match community name com10001
 apply tag 10001
#
route-policy classifier permit node 60
 if-match community name com10002
 apply tag 10002
#
route-policy classifier permit node 70
 if-match community name com10003
 apply tag 10003
#
route-policy classifier deny node 80
#
 ip community-list basic com10000 permit 1:0
 ip community-list basic com10001 permit 1:1
 ip community-list basic com10002 permit 1:2
 ip community-list basic com10003 permit 1:3
 ip community-list basic com17777 permit 1:7777
 ip community-list basic com18888 permit 1:8888
 ip community-list basic com19999 permit 1:9999
#
#此处静态的作用:
#BGP作为一个路由协议在传递路由之前会与当前路由表比对
#只有本地有效的路由条目才会被传递出去
#R9作为控制器其实无需获取过多路由条目,仅需要和BGP对等体通信即可
#但路由在本地无效不会传递,所以添加如下路由
#下面路由也可以使用一条指向10.0.69.6默认路由替代
#此处不想R9与无关地址通信,所以做了如下路由条目
 ip route-static 0.0.0.0 0 NULL0
 ip route-static 1.1.1.1 32 10.0.69.6
 ip route-static 2.2.2.2 32 10.0.69.6
 ip route-static 3.3.3.3 32 10.0.69.6
 ip route-static 4.4.4.4 32 10.0.69.6
 ip route-static 5.5.5.5 32 10.0.69.6
 ip route-static 6.6.6.6 32 10.0.69.6
###R10
interface LoopBack0
 ip address 10.10.10.10 255.255.255.255
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.0.109.10 255.255.255.0
#
bgp 65500
 router-id 10.10.10.10
 group RR internal
 peer RR connect-interface GigabitEthernet1/0
 peer 9.9.9.9 as-number 65500
 peer 9.9.9.9 connect-interface GigabitEthernet1/0
 peer 10.0.109.9 group RR
 #
 address-family ipv4 unicast
  import-route static route-policy classer
  peer RR enable
  peer RR advertise-community
#
route-policy classer permit node 10
 if-match tag 17777
 apply community 1:7777
#
route-policy classer permit node 20
 if-match tag 18888
 apply community 1:8888
#
route-policy classer permit node 30
 if-match tag 19999
 apply community 1:9999
#
route-policy classer permit node 40
 if-match tag 10000
 apply community 1:0
#
route-policy classer permit node 50
 if-match tag 10001
 apply community 1:1
#
route-policy classer permit node 60
 if-match tag 10002
 apply community 1:2
#
route-policy classer permit node 70
 if-match tag 10003
 apply community 1:3
#
 ip route-static 192.168.0.7 32 NULL0 tag 17777
 ip route-static 192.168.0.8 32 NULL0 tag 18888
 ip route-static 192.168.0.100 32 NULL0 tag 10000
 ip route-static 192.168.0.101 32 NULL0 tag 10001
 ip route-static 192.168.0.102 32 NULL0 tag 10002
 ip route-static 192.168.0.103 32 NULL0 tag 10003
 ip route-static 192.168.1.1 32 NULL0 tag 19999
###R1
isis 1
 is-level level-1
 cost-style wide
 network-entity 65.0000.0010.0100.1001.00
#
 ip urpf loose
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.0.14.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0
 port link-mode route
 ip address 10.0.15.1 255.255.255.0
 isis enable 1
#
interface GigabitEthernet8/0
 port link-mode route
 ip address 11.0.0.1 255.255.255.252
#
bgp 65500
 router-id 1.1.1.1
 group RR internal
 peer RR connect-interface LoopBack0
 peer 10.0.69.9 group RR
 peer 11.0.0.2 as-number 65501
 peer 11.0.0.2 connect-interface GigabitEthernet8/0
 #
 address-family ipv4 unicast
  peer RR enable
  peer RR route-policy BLACKHOLE_COMMUNITY import
  peer RR next-hop-local
  peer 11.0.0.2 enable
  peer 11.0.0.2 advertise-community
  peer 11.0.0.2 next-hop-local
#
route-policy BLACKHOLE_COMMUNITY permit node 10
 if-match community name blackhole_r1
 apply community 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY permit node 20
 if-match community name blackhole_all
 apply community 4294902426 no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY deny node 30
 if-match community name blackhole_comm
#
route-policy BLACKHOLE_COMMUNITY permit node 40
#
 ip community-list basic blackhole_all permit 1:0 4294902426
 ip community-list basic blackhole_comm permit 4294902426
 ip community-list basic blackhole_r1 permit 1:1 4294902426
#
 ip route-static 7.7.7.7 32 NULL0

###R2
isis 1
 is-level level-1
 cost-style wide
 network-entity 65.0000.0020.0200.2002.00
#
 ip urpf loose
#
interface LoopBack0
 ip address 2.2.2.2 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.0.24.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0
 port link-mode route
 ip address 10.0.25.2 255.255.255.0
 isis enable 1
#
interface GigabitEthernet8/0
 port link-mode route
 ip address 12.0.0.1 255.255.255.252
#
bgp 65500
 router-id 2.2.2.2
 group RR internal
 peer RR connect-interface LoopBack0
 peer 10.0.69.9 group RR
 peer 12.0.0.2 as-number 65502
 peer 12.0.0.2 connect-interface GigabitEthernet8/0
 #
 address-family ipv4 unicast
  peer RR enable
  peer RR route-policy BLACKHOLE_COMMUNITY import
  peer RR next-hop-local
  peer 12.0.0.2 enable
  peer 12.0.0.2 next-hop-local
#
route-policy BLACKHOLE_COMMUNITY permit node 10
 if-match community name blackhole_r2
 apply community 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY permit node 20
 if-match community name blackhole_all
 apply community 4294902426 no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY deny node 30
 if-match community name blackhole_comm
#
route-policy BLACKHOLE_COMMUNITY permit node 40
#
 ip community-list basic blackhole_all permit 1:0 4294902426
 ip community-list basic blackhole_comm permit 4294902426
 ip community-list basic blackhole_r2 permit 1:2 4294902426
#
 ip route-static 7.7.7.7 32 NULL0

###R3
isis 1
 is-level level-1
 cost-style wide
 network-entity 65.0000.0030.0300.3003.00
#
 ip urpf loose
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.0.34.3 255.255.255.0
 isis enable 1
#
interface GigabitEthernet8/0
 port link-mode route
 ip address 13.0.0.1 255.255.255.252
#
bgp 65500
 router-id 3.3.3.3
 group RR internal
 peer RR connect-interface LoopBack0
 peer 10.0.69.9 group RR
 peer 13.0.0.2 as-number 65503
 peer 13.0.0.2 connect-interface GigabitEthernet8/0
 #
 address-family ipv4 unicast
  peer RR enable
  peer RR route-policy BLACKHOLE_COMMUNITY import
  peer RR next-hop-local
  peer 13.0.0.2 enable
  peer 13.0.0.2 next-hop-local
 #
#
route-policy BLACKHOLE_COMMUNITY permit node 10
 if-match community name blackhole_r3
 apply community 4294902426
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY permit node 20
 if-match community name blackhole_all
 apply community 4294902426 no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy BLACKHOLE_COMMUNITY deny node 30
 if-match community name blackhole_comm
#
route-policy BLACKHOLE_COMMUNITY permit node 40
#
 ip community-list basic blackhole_all permit 1:0 4294902426
 ip community-list basic blackhole_comm permit 4294902426
 ip community-list basic blackhole_r3 permit 1:3 4294902426
#
 ip route-static 7.7.7.7 32 NULL0

###R4
isis 1
 is-level level-1
 cost-style wide
 network-entity 65.0000.0040.0400.4004.00
 #
 address-family ipv4 unicast
  #将集中处置路由 8.8.8.8 引入 IGP,主要用于边界路由器转发集中处置的下一跳;
  #如果不引入此路由,在边界上设置指向8.8.8.8的静态也可以
  import-route static level-1 route-policy blackhole
#
interface LoopBack0
 ip address 4.4.4.4 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.0.14.4 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0
 port link-mode route
 ip address 10.0.24.4 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0
 port link-mode route
 ip address 10.0.34.4 255.255.255.0
 isis enable 1
#
interface Tunnel0 mode gre
 ip address 172.16.1.1 255.255.255.252
 source LoopBack0
 destination 192.168.10.1
#
bgp 65500
 router-id 4.4.4.4
 group RR internal
 peer RR connect-interface LoopBack0
 peer 9.9.9.9 as-number 65500
 peer 9.9.9.9 connect-interface LoopBack0
 peer 10.0.69.9 group RR
 #
 address-family ipv4 unicast
  peer RR enable
 #
#
 ip route-static 7.7.7.7 32 NULL0 tag 7777
 ip route-static 8.8.8.8 32 NULL0 tag 8888
###R5
isis 1
 is-level level-1
 cost-style wide
 network-entity 65.0000.0050.0500.5005.00
#
interface LoopBack0
 ip address 5.5.5.5 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 10.0.15.5 255.255.255.0
 isis enable 1
#
interface GigabitEthernet2/0
 port link-mode route
 ip address 10.0.25.5 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0
 port link-mode route
 ip address 10.0.35.5 255.255.255.0
 isis enable 1
#
interface GigabitEthernet4/0
 port link-mode route
 ip address 10.0.56.5 255.255.255.0
 isis enable 1
#
bgp 65500
 router-id 5.5.5.5
 group RR internal
 peer RR connect-interface LoopBack0
 peer 10.0.69.9 group RR
 #
 address-family ipv4 unicast
  peer RR enable
#
###R6
isis 1
 is-level level-1
 cost-style wide
 network-entity 65.0000.0060.0600.6006.00
#
interface LoopBack0
 ip address 6.6.6.6 255.255.255.255
 isis enable 1
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 192.168.10.254 255.255.255.0
 isis enable 1
 isis silent
#
interface GigabitEthernet2/0
 port link-mode route
 ip address 10.0.56.6 255.255.255.0
 isis enable 1
#
interface GigabitEthernet3/0
 port link-mode route
 ip address 192.168.0.254 255.255.255.0
 isis enable 1
 isis silent
#
interface GigabitEthernet4/0
 port link-mode route
 ip address 10.0.69.6 255.255.255.0
 isis enable 1
 isis silent
#
bgp 65500
 router-id 6.6.6.6
 group RR internal
 peer RR connect-interface LoopBack0
 peer 10.0.69.9 group RR
 #
 address-family ipv4 unicast
  network 192.168.0.0 255.255.255.0
  peer RR enable
#
###ISP1
interface LoopBack0
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 11.0.0.2 255.255.255.252
#
interface GigabitEthernet2/0
 port link-mode route
 ip address 14.0.0.1 255.255.255.252
#
bgp 65501
 router-id 192.168.1.0
 peer 11.0.0.1 as-number 65500
 peer 11.0.0.1 connect-interface GigabitEthernet1/0
 peer 14.0.0.2 as-number 65504
 peer 14.0.0.2 connect-interface GigabitEthernet2/0
 #
 address-family ipv4 unicast
  network 192.168.1.0 255.255.255.0
  peer 11.0.0.1 enable
  peer 11.0.0.1 route-policy blackhole_comm import
  peer 11.0.0.1 next-hop-local
  peer 14.0.0.2 enable
  peer 14.0.0.2 next-hop-local
#
route-policy blackhole_comm permit node 10
 if-match community name blackhole
 apply community no-export
 apply ip-address next-hop 7.7.7.7
#
route-policy blackhole_comm permit node 100
#
 ip community-list basic blackhole permit 4294902426
#
 ip route-static 7.7.7.7 32 NULL0
###ISP4
interface LoopBack0
 ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 14.0.0.2 255.255.255.252
#
bgp 65504
 router-id 192.168.4.0
 peer 14.0.0.1 as-number 65501
 peer 14.0.0.1 connect-interface GigabitEthernet1/0
 #
 address-family ipv4 unicast
  network 192.168.4.0 255.255.255.0
  peer 14.0.0.1 enable
  peer 14.0.0.1 next-hop-local
#
###ISP2
#
interface LoopBack0
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 12.0.0.2 255.255.255.252
#
bgp 65502
 router-id 192.168.2.0
 peer 12.0.0.1 as-number 65500
 peer 12.0.0.1 connect-interface GigabitEthernet1/0
 #
 address-family ipv4 unicast
  network 192.168.2.0 255.255.255.0
  peer 12.0.0.1 enable
  peer 12.0.0.1 route-policy le24 import
  peer 12.0.0.1 next-hop-local
#
route-policy le24 permit node 10
 if-match ip address prefix-list le24
#
 ip prefix-list le24 index 10 permit 0.0.0.0 0 less-equal 24
#
###ISP3
interface LoopBack0
 ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 13.0.0.2 255.255.255.252
#
bgp 65503
 router-id 192.168.3.0
 peer 13.0.0.1 as-number 65500
 peer 13.0.0.1 connect-interface GigabitEthernet1/0
 #
 address-family ipv4 unicast
  network 192.168.3.0 255.255.255.0
  peer 13.0.0.1 enable
  peer 13.0.0.1 route-policy le24 import
  peer 13.0.0.1 next-hop-local
#
route-policy le24 permit node 10
 if-match ip address prefix-list le24
#
 ip prefix-list le24 index 10 permit 0.0.0.0 0 less-equal 24
#
###Analyse
##仅用于演示网络部署,丢弃全部流量
#
interface GigabitEthernet1/0
 port link-mode route
 ip address 192.168.10.1 255.255.255.0

interface Tunnel0 mode gre
 ip address 172.16.1.2 255.255.255.252
 source GigabitEthernet1/0
 destination 4.4.4.4
#
 ip route-static 0.0.0.0 0 NULL0
 ip route-static 4.4.4.4 32 192.168.10.254
#

参考

https://www.rfc-editor.org/rfc/rfc3882
https://www.rfc-editor.org/rfc/rfc5635
https://www.rfc-editor.org/rfc/rfc7999.html
https://www.cisco.com/c/dam/en_us/about/security/intelligence/blackhole.pdf

posted @ 2024-04-17 22:50  bfhyqy  阅读(166)  评论(0编辑  收藏  举报