{"id":11684,"date":"2021-08-12T12:00:00","date_gmt":"2021-08-12T15:00:00","guid":{"rendered":"https:\/\/made4it.com.br\/blackhole-bgp-mikrotik\/"},"modified":"2023-03-08T11:49:04","modified_gmt":"2023-03-08T14:49:04","slug":"blackhole-bgp-mikrotik","status":"publish","type":"post","link":"https:\/\/made4it.com.br\/en\/blackhole-bgp-mikrotik\/","title":{"rendered":"Blackhole BGP \u2013 Mikrotik"},"content":{"rendered":"\n

Now that you know what a BGP blackhole<\/strong> is (if you still know, check out our article on RTBH – Blackhole)<\/a>. Now it’s time to configure it in Mikrotike<\/strong> to be able to protect yourself from DDoS attacks.<\/p>\n\n

To summarize the Blackhole, it is a technique of sending a route to the \u201cblack hole\u201d<\/strong> or simply making the router discard packets directed to that IP.<\/p>\n\n

Now that I know what, now comes the question how to blackhole my router? In today’s article we will show how to configure Blackhole in Mikrotik Routers running RouterOS.To do the Blackhole manually we have some steps that are:<\/p>\n\n

  1. Identify the attacked IP<\/li>
  2. Create route to blackhole<\/li>
  3. Advertise this blackhole route via BGP to your carriers\/upstreams<\/li><\/ol>\n\n

    You can automate all of this with Made4Flow<\/a><\/strong>, already closing a direct session and not having to do manual work.<\/p>\n\n

    If you want to know how to automate everything with Made4Flow, check out our next article.<\/p>\n\n

    So let’s go to the settings:<\/p>\n\n

    \n 1 \u2013 Identify the attacked IP<\/strong>\n <\/p>\n\n

    You can use some of Mikrotik’s own tools like Torch or use a Netflow Software that has a DDoS attack sensor like Made4Flow<\/p>\n\n

    Via Torch, go to Tools -> Torch and choose the interface where you are being attacked<\/p>\n\n

    \"\"<\/a><\/figure>\n\n

    Or in Made4Flow in a simple way by accessing Anti-DDoS -> Active Anomalies<\/p>\n\n

    \"\"<\/a><\/figure>\n\n

    The attacked IP was: 200.189.56.55 (Example)<\/p>\n\n

    \n 2) Create a route to blackhole<\/strong>\n <\/p>\n\n

    After identifying the IP attacked via Torch or via Made4Flow, now it’s time to create the route on your Router<\/p>\n\n

    For that go to IP -> Routes and add a new Route<\/p>\n\n

    Let’s assume that the attacked IP is 200.200.200.1, let’s create the route as follows<\/p>\n\n

    \"\"<\/a><\/figure>\n\n

    Add the Dst-address as 200.200.200.1\/32, to identify that it is only the specific IP and the Blackhole type<\/p>\n\n

    Or via terminal with the following command:<\/p>\n\n

    \/ip routeadd distance=1 dst-address=200.200.200.1\/32 type=blackhole<\/p>\n\n

    After applying the route in blackhole this IP will STOP WORKING!<\/strong><\/p>\n\n

    \n 3 – Advertise this blackhole route via BGP to your carriers\/upstreams<\/strong>\n <\/p>\n\n

    After identifying and blackhole the route you need to advertise via BGP to your operators\/upstreams.<\/p>\n\n

    For this we have a few steps:<\/p>\n\n

    1. Create the Route for BGP<\/li><\/ol>\n\n

      To do this go to Routing -> BGP -> Networks and add the route that is in blackhole<\/p>\n\n

      \"\"<\/a><\/figure>\n\n

      In our example the attacked IP was: 200.200.200.1\/32<\/p>\n\n

      Or via command:<\/p>\n\n

      \/routing bgp networkadd network=200.200.200.1\/32 synchronize=no<\/p>\n\n

      1. Configure your Route-Map or Filters to send the advertisement<\/li><\/ol>\n\n

        Enter Routing -> Filters and add the new Filter. In our example, the Filter of our operator XPTO has the name TRANSITO-XPTO-OUT and we are going to add it to send our blackhole route:<\/p>\n\n

        \"\"<\/a><\/figure>\n\n

        Add the IP attacked with the mask \/32 in Prefix<\/p>\n\n

        \"\"<\/a><\/figure>\n\n

        In Actions we will mark it as Accept to accept sending this route<\/p>\n\n

        And finally in BGP Actions and add our operator’s community:Our XPTO carrier uses community BGP 666:666 to send traffic to Blackhole<\/p>\n\n

        \"\"<\/a><\/figure>\n\n

        Via cli it looks like this:<\/p>\n\n

        \/routing filteradd action=accept chain=TRANSITO-XPTO-OUT prefix=200.200.200.1 set-bgp-communities=666:666<\/p>\n\n

        Tip 1<\/strong>: Don’t forget to change the order (Number) of the rule so that it is before the total discard\/reject filter. RouterOS reads Filters rules in numeric sequence, from rule 0 onwards.<\/p>\n\n

        Tip 2<\/strong>: Talk to your operator to find out which BGP blackhole community they use<\/p>\n\n

        Once this is done, the IP will remain in blackhole and announced to your operator, the attack will cease if it goes to this single IP.<\/p>\n\n

        To make life easier, we have the video below, showing in practice how to configure the Mikrotik with Blackhole<\/p>\n\n \n\n

        \n
        \n