{"id":10084,"date":"2022-05-09T15:36:00","date_gmt":"2022-05-09T18:36:00","guid":{"rendered":"http:\/\/made4it.com.br\/how-to-configure-blackhole-in-cisco-ios-xe\/"},"modified":"2023-02-13T11:39:42","modified_gmt":"2023-02-13T14:39:42","slug":"how-to-configure-blackhole-in-cisco-ios-xe","status":"publish","type":"post","link":"https:\/\/made4it.com.br\/en\/how-to-configure-blackhole-in-cisco-ios-xe\/","title":{"rendered":"How to Configure Blackhole on Cisco IOS-XE"},"content":{"rendered":"\n

Now that you know what a BGP<\/strong> Blackhole<\/strong> is (if you still don’t know, check out our article on RTBH \u2013 Blackhole).<\/a> Now it’s time to configure it and be able to protect yourself from DDoS attacks.<\/p>\n\n

To summarize the Blackhole, it is a technique of sending a route to the \u201cblack hole\u201d or simply making the router discard packets directed to that IP.<\/strong> With Blackhole you can also announce these attacked IPs to your suppliers\/upstreams and thus stop the attacks.<\/p>\n\n

Now that I know what it is, now comes the question, how to blackhole my router? In today’s article we will show you how to configure Blackhole on Cisco routers<\/strong><\/p>\n\n

\n To do the Blackhole manually we have some steps that are:<\/strong>\n <\/p>\n\n

  1. Identify the attacked IP;<\/li>
  2. Create the route to blackhole;<\/li>
  3. Advertise this blackhole route via BGP to your carriers\/upstreams.<\/li><\/ol>\n\n

    You can automate all of this with Made4Flow<\/a>, already closing a direct session and not having to do manual work.<\/p>\n\n

    Let’s go to the settings then<\/p>\n\n

    \n 1 \u2013 Identify the attacked IP<\/strong>\n <\/p>\n\n

    You can do this through Netflow analysis, as in Made4Flow, through the graphs and identify through the Raw Data Report, which IP has the most traffic and possibly being the victim of the attack.<\/p>\n\n

    Within Made4Flow, access, for example, the Interface Graph by Application, then, by clicking on the most used port, you can identify which IP is being attacked, or through Made4Flow, simply by accessing the Anti-DDoS module -> Active Anomalies.<\/p>\n\n

    \"\"<\/a><\/figure>\n\n

    The attacked IP was: 200.189.56.55 (Example)<\/p>\n\n

    2) Create a route to Blackhole or Null0<\/strong><\/strong><\/p>\n\n

    After identifying the attacked IP via Made4Flow, now it’s time to create the route on your Cisco Router to effectively throw the IP to Blackhole or Null0.<\/p>\n\n

    Let’s assume that the attacked IP is 200.200.200.1, let’s create the route as follows<\/p>\n\n

    Commands applied:<\/p>\n\n

    enableconfigure terminalip route 200.200.200.1 255.255.255.255 Null0<\/pre>\n\n
    After applying the route pointing to Null0 this IP will STOP WORKING!<\/strong><\/p>\n\n
    You can check the route using the show command:<\/p>\n\n
    \"\"<\/a><\/figure>\n\n
    If the route is showing as Null0 then you are already sending it to Blackhole.<\/p>\n\n
    \n          3 \u2013 Advertise the IP in blackhole via BGP to your operators\/upstreams<\/strong>\n        <\/p>\n\n
    After identifying and blackhole the route, you need to advertise via BGP to your carriers\/upstreams.<\/p>\n\n
    Note: Before setting up, it is always recommended to talk to your Operator\/Upstream to find out which Blackhole BGP community is.<\/p>\n\n
    The BGP session with your carrier needs to be established.<\/p>\n\n
    For this we have a few steps:<\/p>\n\n
    \n          Configure your Carrier\/Upstream Blackhole Community<\/strong>\n        <\/p>\n\n
    To configure the blackhole community to be used later, we need to run the following command:<\/p>\n\n
    \"\"<\/a><\/figure>\n\n
    Commands:<\/p>\n\n
    ip prefix-list BLACKHOLE permit 200.200.200.1\/32route-map BLACKHOLE permitmatch ip address prefix-list BLACKHOLEset community 666:666<\/pre>\n\n
     set community 666:666<\/p>\n\n
    In case it is necessary to add more communities, apply the same command changing the community name and number.<\/p>\n\n
    \n          Tip: Talk to your operator to find out which BGP blackhole community they use.<\/strong>\n        <\/p>\n\n
    Announce the attacked IP with the BlackHole community for Upstream<\/p>\n\n
    To carry out the advertisement of the attacked IP with the blackhole community, it is necessary to carry out the following steps;<\/p>\n\n
    Enter the Cisco router’s BGP configuration<\/p>\n\n
    \"\"<\/a><\/figure>\n\n
    After that, we announce the attacked IP to our Upstream, using the command below;<\/p>\n\n
    \"\"<\/a><\/figure>\n\n
    Commands:<\/p>\n\n
    router bgp 65000neighbor 192.168.100.1 as 64700neighbor 192.168.100.1 route-map BLACKHOLE out<\/pre>\n\n
    \n          Automating with Made4Flow<\/strong>\n        <\/p>\n\n
    With Made4Flow, it is possible to automate the blackhole announcement process of attacked IPs.<\/p>\n\n
    For that we need:<\/p>\n\n
    1. Configure the BGP session between the Edge Router and Made4Flow;<\/li><\/ol>\n\n
      To configure the BGP session between the Router and Made4Flow, you need to create a route-map and then the BGP session.<\/p>\n\n
      To configure the route-map:<\/p>\n\n
      \"\"<\/a><\/figure>\n\n
      Comando: route-map MADE4FLOW-IN permit 1000<\/p>\n\n
      \n                       <\/strong>\n          set ip nex-hop 192.168.66.66<\/strong>\n        <\/p>\n\n
      In this case it is necessary to add Next-hop manually on the router.<\/p>\n\n
      Within Made4Flow, you can already advertise with the BGP community and the correct Next-hop if you prefer.<\/p>\n\n
      \n          Configure Made4Flow to send via Actions<\/strong>\n        <\/p>\n\n
      Within the Anti-DDoS Module, you can access the menu: Actions and Responses and configure the response to send the Blackhole with the correct BGP community:<\/p>\n\n
      \"\"<\/a><\/figure>\n\n
      \n          Configure the Router to Send to Carriers<\/strong>\n        <\/p>\n\n
      To configure to send to operators\/upstreams you need to configure so that the BGP community is identified in the outbound Route-map match.<\/p>\n\n
      For this we need to configure an ip community-filter<\/p>\n\n
      \"\"<\/a><\/figure>\n\n
      The next step is to configure the Route-map of your operator\/upstream, as in sending the blackhole, but now matching the community in the match, as in our configuration:<\/p>\n\n
      \"\"<\/a><\/figure>\n\n
      Check if you receive from Made4Flow<\/p>\n\n
      \"\"<\/a><\/figure>\n\n
      Command: <\/p>\n\n
      show bgp ipv4 unicast neighbors 192.168.120.2 routes<\/pre>\n\n
      And if you are sending to the operator:<\/p>\n\n
      \"\"<\/a><\/figure>\n\n
      Command:<\/p>\n\n
      show bgp ipv4 unicast neighbors 192.168.1.1 advertised-routes<\/p>\n\n
      Having made these settings, the automation of Made4Flow is ready. Upon receiving an attack, Made4Flow can now send this route to Blackhole.<\/p>\n\n
      We have other content on how to configure Blackhole<\/a> that you can find on our blog and any questions you still have, please contact our team of experts Leonardo Nascimento | Made4it consultant<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"
      Now that you know what a BGP Blackhole is (if you still don’t know, check out our article on RTBH \u2013 Blackhole). Now it’s time to configure it and be able to protect yourself from DDoS attacks. To summarize the Blackhole, it is a technique of sending a route to the \u201cblack hole\u201d or simply […]<\/p>\n","protected":false},"author":13,"featured_media":9032,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"postBodyCss":"","postBodyMargin":[],"postBodyPadding":[],"postBodyBackground":{"backgroundType":"classic","gradient":""},"footnotes":""},"categories":[352],"tags":[],"class_list":["post-10084","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized-en"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/posts\/10084","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/users\/13"}],"replies":[{"embeddable":true,"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/comments?post=10084"}],"version-history":[{"count":0,"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/posts\/10084\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/media\/9032"}],"wp:attachment":[{"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/media?parent=10084"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/categories?post=10084"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/made4it.com.br\/en\/wp-json\/wp\/v2\/tags?post=10084"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}