Using BGP as-path ACLs to drop traffic from malicious ASs

Oct 25th, 2007

A particular AS out there, the one for the Russian Business Network, AS40989, is a source of most of the worms, trojans, bots, etc. that have plagued all of us over the years.

Recently, they've launched a 0-day exploit of PDF files.

I've been asked to configure a way to get rid of all traffic to and from any networks in this AS. Here's my take on the inbound stuff (below). How do I make sure we're not sending anything out to networks in this AS?

Thanks!

-----------------------------

router bgp 65123
 neighbor 8.1.1.1 route-map Hacker-Defense

route-map Hacker-Defense permit 10
 match as-path 10
 set interface Null0

route-map Hacker-Defense permit 20
 match as-path 20

ip as-path access-list 10 permit _40989_
ip as-path access-list 10 permit ^40989 .*
ip as-path access-list 20 permit .*

Richard Burts Thu, 10/25/2007 - 12:22

Gil

There are some issues with the configuration that you have posted. Here are my thoughts and suggestions:

- neighbor 8.1.1.1 route-map Hacker-Defense

the route map must be assigned as in or out. You want to assign it in.

- ip as-path access-list 10 permit _40989_

This line will permit any prefix that originates in 40989 or that passes through 40989. It seems to me that you only want to match if it originates in 40989. I would suggest that you use this instead

ip as-path access-list 10 permit _40989$

and it will match only prefixes that originate in 40989.

- you do not want to set interface null0. That concept works if you are doing route maps for Policy Based Routing. But this route map is not doing packet forwarding but is accepting or denying routing updates. What you want to do is to either have the route map statement or the as-path access-list deny the update. I would suggest that you use

route-map Hacker-Defense deny 10
 match as-path 10

along with the modification that I suggested in the as-path access-list. And the route map statement 10 will then not need any set statement.

- ip as-path access-list 10 permit ^40989 .*

The ^40989 would match anything for which 40989 is your immediate neighbor. I doubt that you receive any prefix directly from them. Therefore you do not need this line at all. And the .* is not the correct way to allow any other prefixes (which is what I think you were attempting to do).

- route-map Hacker-Defense permit 20

You certainly do need this line to allow other updates. You actually do not need a match statement under it. So you do not really need

ip as-path access-list 20 permit .*

HTH

Rick
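As an added example (not from the thread or from Cisco), the following Python models how IOS evaluates the three as-path patterns discussed in the reply above, and the corrected deny/permit route-map. In IOS as-path regular expressions `_` matches a space, a comma, a brace, or the beginning or end of the AS_PATH string, and the match is otherwise unanchored; the script translates that into a Python regex and runs the patterns over the two AS paths quoted from route-views later in the thread plus three constructed paths. The route-map model assumes Gil's choice of `_40989_` in as-path list 10 and can also be run with the origin-only `_40989$` variant.

```python
import re

# In IOS as-path regular expressions "_" stands for a space, comma, brace, or
# the beginning or end of the AS_PATH string.  Everything else is ordinary
# regex syntax, and like "show ip bgp regexp" the match is unanchored unless
# the pattern itself uses ^ or $.
_UNDERSCORE = r"(?:^|$|[ ,{}])"


def ios_to_python(pattern: str) -> str:
    """Translate an IOS as-path regex into an equivalent Python regex."""
    return pattern.replace("_", _UNDERSCORE)


def aspath_matches(pattern: str, as_path: str) -> bool:
    """True if the IOS pattern matches the AS_PATH (ASNs separated by spaces)."""
    return re.search(ios_to_python(pattern), as_path) is not None


# The three patterns discussed in the thread.
PATTERNS = {
    "_40989_": "AS40989 appears anywhere (origin or transit)",
    "_40989$": "AS40989 is the origin",
    "^40989 .*": "AS40989 is the direct neighbour",
}

# AS_PATH strings to test against.  The first two are copied from the
# route-views output quoted in the thread; the rest are constructed here
# to exercise the edge cases.
SAMPLE_PATHS = [
    "6461 3356 25577 41173 40989",   # origin is 40989 (from the thread)
    "5459 25577 41173 40989",        # origin is 40989 (from the thread)
    "3356 40989 41173",              # constructed: 40989 transits, 41173 originates
    "40989 41173",                   # constructed: 40989 is the direct neighbour
    "3356 140989",                   # constructed: AS140989 must not match
]


def evaluate(patterns=PATTERNS, paths=SAMPLE_PATHS):
    """Map each pattern to the list of sample paths it matches."""
    return {p: [ap for ap in paths if aspath_matches(p, ap)] for p in patterns}


def hacker_defense(as_path: str, as_path_acl_10=("_40989_",)) -> str:
    """Model the corrected route-map from the reply above:

        route-map Hacker-Defense deny 10
         match as-path 10
        route-map Hacker-Defense permit 20

    An as-path access-list is evaluated top down with an implicit deny at the
    end; every line in list 10 is a "permit", so if any of them matches, the
    route-map "deny 10" clause fires and the update is dropped.  Pass
    as_path_acl_10=("_40989$",) to model the origin-only variant instead.
    """
    if any(aspath_matches(p, as_path) for p in as_path_acl_10):
        return "deny"
    return "permit"        # sequence 20 has no match clause: everything else


if __name__ == "__main__":
    for pattern, matched in evaluate().items():
        print(f"{pattern:<12} {PATTERNS[pattern]}")
        for ap in matched:
            print(f"    {ap}")
    print()
    for ap in SAMPLE_PATHS:
        print(f"{hacker_defense(ap):<7} {ap}")
```

Running it shows `^40989 .*` matching only the direct-neighbour path, which `_40989_` already catches, so the second line of as-path list 10 is redundant as Rick says; it also shows `_40989$` letting the transit path `3356 40989 41173` through, which is the difference that matters if, as Gil wants, affiliates behind AS40989 are to be caught as well. Note that a path containing AS140989 matches neither pattern, because `_` insists on a boundary on both sides of the number.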

glshillcutt Thu, 10/25/2007 - 12:32

Rick,

It does help. Forgot the "in" -- stupid net admin trick.

In this case, I do want to include any AS paths that transit 40989, as they operate as an ISP, and their affiliates with different ASNs may also source traffic.

I caught the ^40989 .* bit, but this is confirmation of what I saw.

I'm guessing that I may have to drop packets in my outbound ACL to their particular networks to make sure that we don't have any unintended traffic heading their way -- OR, does anyone have an idea of a better way to do this?

Thanks!

-- Gil

Richard Burts Thu, 10/25/2007 - 12:56

Gil

If you want to catch anything that transits their AS as well as anything originating there, use _40989_ instead of _40989$.

Restricting outbound traffic is a tougher nut to deal with. On the one hand you will not have any of their routes in your routing table because you will drop the advertisement on the way in. But your default route will forward it. I cannot think of any better alternative than to filter their traffic outbound. But how will you identify the networks (prefixes) so that you can put them into an access list on your outbound interface?

HTH

Rick

glshillcutt Thu, 10/25/2007 - 13:20

Rick,

I probably won't be able to get the info directly unless I go out to one of the route reflectors. See below for sample output.

This link, however, can be quite instructive for finding out how an organization has their network structured:

http://www.robtex.com/bgp/as40989.html

Thanks for your help!

-- Gil

--------------------------------------------

route-views.oregon-ix.net>sho ip bgp regexp _40989_
BGP table version is 133168596, local router ID is 198.32.162.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  81.95.144.0/22   64.125.0.137           124             0 6461 3356 25577 41173 40989 i
*                   195.66.232.239                         0 5459 25577 41173 40989 i
*                   207.172.6.20             0             0 6079 3257 25577 41173 40989 i
*                   207.172.6.162            6             0 6079 3257 25577 41173 40989 i
*                   217.75.96.60             0             0 16150 8468 25577 41173 40989 i
etc.
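Rick's question was how to turn this into something an outbound access list can use. As an added example (not from the thread or from Cisco), the Python below parses a `show ip bgp regexp _40989_` dump in the fixed-column layout IOS prints, separates prefixes originated by AS40989 from prefixes that merely transit it, merges exactly adjacent prefixes, and emits an IOS extended access list for the upstream interface. The embedded sample is constructed from the rows quoted above, with two made-up extra prefixes (81.95.148.0/22 and 192.0.2.0/24) so the aggregation and the transit case have something to show; ACL number 150 is an assumption.

```python
import ipaddress
import re

# Constructed sample: the rows quoted above from route-views, laid out in the
# fixed-column format IOS prints, plus two made-up prefixes (81.95.148.0/22
# and 192.0.2.0/24).  Continuation rows for the same network leave the
# Network column blank, exactly as IOS does.
SHOW_IP_BGP = """\
BGP table version is 133168596, local router ID is 198.32.162.100
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*  81.95.144.0/22   64.125.0.137           124             0 6461 3356 25577 41173 40989 i
*                   195.66.232.239                         0 5459 25577 41173 40989 i
*                   207.172.6.20             0             0 6079 3257 25577 41173 40989 i
*> 81.95.148.0/22   207.172.6.162            6             0 6079 3257 25577 41173 40989 i
*> 192.0.2.0/24     217.75.96.60             0             0 16150 8468 25577 40989 41173 i
"""

PREFIX_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}")
TARGET_AS = "40989"


def parse_show_ip_bgp(text):
    """Return [(prefix, [asn, ...]), ...] for every path in a 'show ip bgp' dump.

    The AS_PATH is cut from the Path column, whose offset comes from the
    header line: metric, local-pref and weight are all plain numbers, so
    splitting a row on whitespace cannot tell them apart from ASNs.
    """
    entries, path_col, current = [], None, None
    for line in text.splitlines():
        if "Network" in line and "Path" in line:
            path_col = line.index("Path")
            continue
        if path_col is None or not line or line[0] not in "*sdhr":
            continue                      # banner, blank or unrelated line
        m = PREFIX_RE.search(line[:path_col])
        if m:
            current = m.group(0)          # new network; else a continuation row
        tokens = line[path_col:].split()
        if current is None or not tokens or tokens[-1] not in ("i", "e", "?"):
            continue
        entries.append((current, tokens[:-1]))   # drop the origin code
    return entries


def split_by_origin(entries, target_as=TARGET_AS):
    """Prefixes originated by target_as versus those merely carried through it."""
    originated, transited = set(), set()
    for prefix, as_path in entries:
        if as_path and as_path[-1] == target_as:
            originated.add(prefix)
        else:
            transited.add(prefix)
    return originated, transited


def aggregate_prefixes(entries):
    """Unique prefixes, merged into a supernet only where they are exactly adjacent."""
    nets = {ipaddress.ip_network(prefix, strict=False) for prefix, _ in entries}
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_outbound_acl(entries, acl_number=150, target_as=TARGET_AS):
    """IOS extended ACL (number assumed) that drops traffic to every prefix seen."""
    lines = [f"access-list {acl_number} remark generated: prefixes seen via AS{target_as}"]
    for net in map(ipaddress.ip_network, aggregate_prefixes(entries)):
        lines.append(f"access-list {acl_number} deny ip any "
                     f"{net.network_address} {net.hostmask}")
    lines.append(f"access-list {acl_number} permit ip any any")
    return lines


if __name__ == "__main__":
    parsed = parse_show_ip_bgp(SHOW_IP_BGP)
    originated, transited = split_by_origin(parsed)
    print(f"originated by AS{TARGET_AS}: {sorted(originated)}")
    print(f"transited via AS{TARGET_AS}:  {sorted(transited)}")
    print("\n".join(build_outbound_acl(parsed)))
```

The generated list is applied with `ip access-group 150 out` on the interface facing the upstream (interface name not given here). Because the dump was taken with `_40989_`, transit prefixes such as the constructed 192.0.2.0/24 are included, matching Gil's intent; use `split_by_origin` to drop them if only AS40989's own address space should be blocked. The list reflects what was announced when the route server was queried, so it needs regenerating on a schedule, and as Rick notes, it is the enforcement point: the inbound as-path filter removes the routes but a default route still forwards the packets.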

saimbt Wed, 11/14/2007 - 23:52

Will these AS filters work if you are learning ONLY default routes from the ISP?

-Sai.

Richard Burts Thu, 11/15/2007 - 04:28

Sai

Probably the best answer is that no, these AS filters do not work if you are learning only a default route from the ISP. Technically yes, the filters work, but there would be no routes that they would deny and they would serve little purpose. The filters are useful only when some of the AS numbers are in advertisements that you will receive.

HTH

Rick

saimbt Thu, 11/15/2007 - 22:52

That's correct. If learning ONLY default routes, the good solution is not to stop it through the AS number but through the destination IP addresses.
