{"id":11688,"date":"2021-08-04T18:00:00","date_gmt":"2021-08-04T21:00:00","guid":{"rendered":"https:\/\/made4it.com.br\/blackhole-bgp-huawei\/"},"modified":"2023-03-08T12:07:20","modified_gmt":"2023-03-08T15:07:20","slug":"blackhole-bgp-huawei","status":"publish","type":"post","link":"https:\/\/made4it.com.br\/en\/blackhole-bgp-huawei\/","title":{"rendered":"Blackhole BGP \u2013 Huawei (Huawei NE20, Huawei NE40, Huawei NE8000\/NE8k)"},"content":{"rendered":"\n

Now that you know what a BGP<\/strong> blackhole<\/strong> is (if you don’t already know, check out our article on RTBH – Blackhole)<\/a>. Now it’s time to configure it and be able to protect yourself from DDoS attacks.<\/p>\n\n

To summarize the Blackhole, it is a technique of sending a route to the \u201cblack hole\u201d or simply making the router discard packets directed to that IP.<\/strong> With the blackhole you can also announce these attacked IPs to your suppliers\/upstreams and thus stop the attacks.<\/p>\n\n

Now that I know what it is, now comes the question how to blackhole my router? In today’s article we are going to show you how to configure Blackhole on Huawei Routers.<\/strong><\/p>\n\n

\n \n To do the Blackhole manually we have some steps that are:<\/strong>\n <\/p>\n\n

  1. Identify the attacked IP<\/li>
  2. Create route to blackhole<\/li>
  3. Advertise this blackhole route via BGP to your carriers\/upstreams<\/li><\/ol>\n\n

    You can automate all of this with Made4Flow<\/a>, already closing a direct session and not having to do manual work.<\/p>\n\n

    If you want to know how to automate everything with Made4Flow, check out our next article.<\/p>\n\n

    Let’s go to the settings then<\/p>\n\n

    \n 1 \u2013 Identify the attacked IP<\/strong>\n <\/p>\n\n

    You can do this through Netflow analysis, with Made4Flow, through the graphics and identify through the Raw Data Report, which IP has the most traffic and possibly being the victim of the attack.Within Made4Flow, access, for example, the Interface Graphic by Application and then, clicking on the most used port, you can identify which IP is being attacked.<\/p>\n\n

    Or through Made4Flow, simply by accessing the Anti-DDoS module -> Active Anomalies<\/p>\n\n

    \"\"<\/a><\/figure>\n\n

    The attacked IP was: 200.189.56.55 (Example)<\/p>\n\n

    \n 2) Create a route to blackhole or Null0<\/strong>\n <\/p>\n\n

    After identifying the attacked IP via Made4Flow it is now time to create the route on your Huawei Router to effectively play the IP to Blackhole.<\/p>\n\n

    Let’s assume that the attacked IP is 200.200.200.1, let’s create the route as follows<\/p>\n\n

    \"\"<\/a><\/figure>\n\n

    Applied commands:<\/p>\n\n

    system-viewip route-static 200.200.200.1 32 null 0<\/p>\n\n

    After applying the route pointing to Null0 this IP will STOP WORKING!<\/strong><\/p>\n\n

    You can check the route using the display command:If the route has interface Null0, you are already sending it to Blackhole.<\/p>\n\n

    \"\"<\/a><\/figure>\n\n

    \n 3 – Announce the IP in blackhole via BGP to your operators\/upstreams<\/strong>\n <\/p>\n\n

    After identifying and blackhole the route you need to advertise via BGP to your operators\/upstreams.<\/p>\n\n

    Before configuration, it is always recommended to talk to your Operator\/Upstream to find out which Blackhole BGP community is.The BGP session with your operator needs to be established!<\/p>\n\n

    For this, we have a few steps:<\/p>\n\n

    1. Create the Network within BGP<\/li><\/ol>\n\n

      To create you must access BGP and create with the network command<\/p>\n\n

      \"\"<\/a><\/figure>\n\n

      Commands:<\/p>\n\n

      System-viewbgp 65000network 200.200.200.1 32<\/p>\n\n

      1. Configure a prefix-list \/ ip-prefix with the attacked IP<\/li><\/ol>\n\n

        To configure a route-policy in a simple way to send an IP, you must create an ip-prefix to use within the Route-policy<\/p>\n\n

        In our example, where the IP 200.200.200.1\/32 is attacked, we will use the following command:<\/p>\n\n

        \"\"<\/a><\/figure>\n\n

        Command: ip ip-prefix ATTACKED-ID permit 200.200.200.1 32<\/p>\n\n

        1. Configure your Route-Policy to send the attacked IP advertisement<\/li><\/ol>\n\n

          Before configuring the route-policy, you identify which node (sequence) it will be on. You must put it in a position that does not have a deny before it, as a suggestion I recommend putting it first in the route-policy.<\/p>\n\n

          To identify the correct name, look at your route-policy and evaluate the number, using the command:<\/p>\n\n

          \"\"<\/a><\/figure>\n\n

          Command: display current-configuration configuration route-policy OPERATORA-XPTO-OUT<\/p>\n\n

          \"\"<\/a><\/figure>\n\n

          In our case it will be the node with a number less than 1000 to be placed before other configurations. The following configuration was made:Commands:<\/p>\n\n

          route-policy OPERATOR-XPTO-OUT permit node 100if-match ip-prefix IP-ATTACKEDapply community 666:666<\/p>\n\n

          The if-match commands make the Huawei router check the ip-prefix thus saying that only the IPs within the prefix list will be advertised via BGP. In the apply community command it says to apply the BGP community to the IPs that matched the ip-prefix.<\/p>\n\n

          Our XPTO carrier uses community BGP 666:666 to send traffic to Blackhole<\/p>\n\n

          Tip<\/strong>: Talk to your operator to find out which BGP blackhole community they use!<\/p>\n\n

          Once this is done, the IP will remain in blackhole and announced to your operator, the attack will cease if it goes to this single IP.The complete configuration looked like this:<\/p>\n\n

          bgp 65000#ipv4-family unicastundo synchronizationnetwork 200.200.200.0 255.255.252.0network 200.200.200.1 255.255.255.255#route-policy OPERATOR-XPTO-OUT permit node 100if-match ip-prefix IP-ATTACKEDapply community 666:666#route-policy OPERATOR-XPTO-OUT permit node 1000 if-match ip-prefix MY-BLOCK#route-policy OPERATOR-XPTO-OUT deny node 50000#ip ip-prefix MY-BLOCK index 10 permit 200.200.200.0 22ip ip-prefix ATTACKED-IP index 10 permit 200.200.200.1 32#ip route-static 200.200.200.0 255.255.252.0 NULL0ip route-static 200.200.200.1 255.255.255.255 NULL0<\/p>\n\n

          \n Automating with Made4Flow<\/strong>\n <\/p>\n\n

          With Made4Flow it is possible to automate the blackhole announcement process of attacked IPs.For that we need:<\/p>\n\n