Example: IPv6 Blackhole Route (Blackhole Route of the Upstream Router)

Networking Requirements

The detecting device detects that an oversized volume of traffic destined to 1::1:1:1/128 is consuming the inbound bandwidth of the cleaning device. To prevent this attack from affecting other Zones, all traffic destined to 1::1:1:1/128 is to be discarded. Figure 1 shows the networking.

Figure 1 Configuring blackhole traffic diversion

Implementation Mechanism

The traffic diversion router diverts traffic to the cleaning device for cleaning, and the blackhole router discards all traffic destined to a given IP address. The blackhole router and the traffic diversion router are two different routers. In this example the blackhole route is installed on the upstream blackhole router, so the attack traffic is dropped before it reaches the cleaning device.

  1. On the ATIC management center, set the IP address for blackhole traffic diversion to 1::1:1:1/128 and enable blackhole traffic diversion. The cleaning device then generates a static route to 1::1:1:1/128 with NULL0 as the outbound interface.
  2. Configure a routing policy on the cleaning device that imports the static routes whose outbound interface is NULL0 into BGP, and advertise the route to the blackhole router.

  3. On the blackhole router, configure an import routing policy that sets the next hop of the route received from the cleaning device (destination 1::1:1:1/128, outbound interface NULL0 on the cleaning device) to 1::1:1:2.
  4. On the blackhole router, configure the blackhole route ipv6 route-static 1::1:1:2 128 NULL0. The BGP route to 1::1:1:1/128 received with next hop 1::1:1:2 recurses to this static route, so the blackhole router ends up with an active route to 1::1:1:1/128 whose outbound interface is NULL0, and all traffic to that address is discarded on the blackhole router before it reaches the cleaning device.

    1::1:1:2 is the destination address of the configured blackhole route; blackhole traffic diversion works because the route advertised by the cleaning device recurses to this static route on the blackhole router. You can choose this address as required, but use one that is not used for any other purpose on the network: every route whose next hop resolves to it is discarded.

Configurations at the Management Center

Configure static blackhole traffic diversion.

  1. Choose Defense > Policy Settings > Blackhole.
  2. On the Blackhole page, click the create icon to add a blackhole traffic diversion task.

  3. Select a blackhole mode. The options are Routing blackhole, Service provider, and LPU blackhole.
  4. Choose Clean Device or Service provider, and set the IP address and prefix length (subnet mask) for blackhole traffic diversion; in this example, 1::1:1:1/128.

    After you configure blackhole traffic diversion, all traffic destined to the specified IP address is discarded.

  5. Optional: Select Automatically enable so that the blackhole traffic diversion task takes effect immediately after it is created.

    If you do not select Automatically enable, the created blackhole traffic diversion task does nothing until you enable it manually.

  6. Click OK.

    After you enable blackhole traffic diversion, a static route with the destination address being 1::1:1:1 and the outbound interface being NULL0 is generated on the cleaning device.

Configure dynamic blackhole traffic diversion.

  1. Choose Defense > Policy Settings > Zone.
  2. In the Operation column of the Zone list, click the icon for the Zone to be configured.
  3. Customize an alarm policy for the Zone. Set the Action of the Critical alarm severity to Enable blackhole. Table 1 lists related parameters.

    Table 1 Parameters of user-defined alarm severity rules

    Parameter                    Description
    Incoming Traffic (Mbps)      Incoming traffic bandwidth per second, calculated per IP address
    Incoming Traffic (pps)       Incoming packets per second
    TCP Concurrent Connections   Number of concurrent TCP connections
    TCP New Connections          Number of new TCP connections per second
    Duration                     Attack or anomaly duration (how long the anomaly must persist for the rule to match)
    Action                       Alarm action, which varies with the alarm severity. For dynamic blackhole traffic diversion, set the Action of the Critical alarm severity to Enable blackhole.

  4. Configure the network segments for dynamic blackhole traffic diversion. Stop the ATIC service, go to the ATIC installation path, and open datetable.properties in com.huawei.atic.cbb.policy-0.0.1-SNAPSHOT.jar. Modify BlackHoleIPMask and BlackHoleIPV6Mask as required.

    In the Windows operating system, the file path is software-installation-path\Runtime\Tomcat6\Lego-UI-Plat\WEB-INF\lib\com.huawei.atic.cbb.policy-0.0.1-SNAPSHOT.jar.

    In the Linux operating system, the file path is software-installation-path/components/atic/Tomcat6/Lego-UI-Plat/WEB-INF/lib/com.huawei.atic.cbb.policy-0.0.1-SNAPSHOT.jar.

    • Perform this step only when dynamic blackhole traffic diversion is to be performed by network segment. Back up the original JAR file before editing it.
    • After you modify the network segments for dynamic blackhole traffic diversion, you must restart the ATIC service for the change to take effect.
    • The network segment configuration for dynamic blackhole traffic diversion takes effect globally. A shorter mask blackholes the whole segment that contains the attacked address, not only the attacked host, so choose it with that collateral damage in mind.
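The alarm policy and the network segment setting above together decide when the Enable blackhole action fires and how wide the resulting blackhole is. The following Python model is an added example, not ATIC code: it evaluates constructed per-IP traffic samples against the Critical thresholds of Table 1, applies the Duration parameter, and computes the prefix that the action would blackhole for a given BlackHoleIPV6Mask. The threshold values, the samples, the "any one threshold" rule, the reset-on-dip reading of Duration, and the reading of the mask as the covering prefix of the attacked address are assumptions of the example.

```python
"""Dynamic blackhole decision model for the Zone alarm policy above.

Added example, not ATIC code. Thresholds, samples, the any-threshold rule,
the reset-on-dip duration rule and the reading of BlackHoleIPV6Mask /
BlackHoleIPMask as "covering prefix of the attacked address" are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CriticalThresholds:
    mbps: float            # Incoming Traffic (Mbps), per IP address
    pps: float             # Incoming Traffic (pps)
    tcp_concurrent: int    # TCP Concurrent Connections
    tcp_new_per_s: int     # TCP New Connections (per second)
    duration_s: int        # Duration: seconds the anomaly must persist


@dataclass(frozen=True)
class Sample:
    t: int                 # timestamp, whole seconds
    mbps: float
    pps: float
    tcp_concurrent: int
    tcp_new_per_s: int


def exceeds(s: Sample, th: CriticalThresholds) -> bool:
    """Any one threshold being exceeded counts as an anomaly in that second (assumption)."""
    return (s.mbps > th.mbps or s.pps > th.pps
            or s.tcp_concurrent > th.tcp_concurrent
            or s.tcp_new_per_s > th.tcp_new_per_s)


def critical_trigger_time(samples, th: CriticalThresholds) -> Optional[int]:
    """Second at which the Critical action (Enable blackhole) fires, or None.
    The anomaly must hold for duration_s consecutive seconds; one quiet second
    resets the run, so a short burst does not blackhole the target (assumption)."""
    run_start = None
    for s in sorted(samples, key=lambda s: s.t):
        if not exceeds(s, th):
            run_start = None
            continue
        if run_start is None:
            run_start = s.t
        if s.t - run_start + 1 >= th.duration_s:
            return s.t
    return None


def blackhole_prefix(attacked_ip: str, ipv6_mask: int = 128, ipv4_mask: int = 32) -> str:
    """Prefix the Enable blackhole action installs with outbound interface NULL0.
    128/32 discards only the attacked host; a shorter mask discards the whole
    covering segment, i.e. every neighbour of the victim as well."""
    ip = ipaddress.ip_address(attacked_ip)
    plen = ipv6_mask if ip.version == 6 else ipv4_mask
    return str(ipaddress.ip_network((str(ip), plen), strict=False))


def collateral_addresses(prefix: str) -> int:
    """Addresses other than the victim that a segment blackhole also drops."""
    return ipaddress.ip_network(prefix).num_addresses - 1


def decide(samples, th, attacked_ip, ipv6_mask=128, ipv4_mask=32):
    """Combine both steps: when (if at all) the action fires and what it blackholes."""
    t = critical_trigger_time(samples, th)
    if t is None:
        return {"fires_at": None, "prefix": None}
    prefix = blackhole_prefix(attacked_ip, ipv6_mask, ipv4_mask)
    return {"fires_at": t, "prefix": prefix, "collateral": collateral_addresses(prefix)}


# Constructed input: Critical thresholds and six one-second samples for 1::1:1:1.
# Seconds 1-2 exceed the Mbps threshold, second 3 dips below (run resets),
# seconds 4-6 exceed it again, so with Duration 3 the action fires at second 6.
THRESHOLDS = CriticalThresholds(mbps=1000, pps=500_000, tcp_concurrent=100_000,
                                tcp_new_per_s=10_000, duration_s=3)
SAMPLES = [
    Sample(1, 1500, 100_000, 5_000, 800),
    Sample(2, 1600, 100_000, 5_000, 800),
    Sample(3, 900, 100_000, 5_000, 800),
    Sample(4, 2000, 400_000, 5_000, 800),
    Sample(5, 2100, 400_000, 5_000, 800),
    Sample(6, 2200, 400_000, 5_000, 800),
]
```

Running decide(SAMPLES, THRESHOLDS, "1::1:1:1") blackholes only 1::1:1:1/128 at second 6; passing ipv6_mask=64 instead blackholes 1::/64, which is the whole segment the victim sits in. The collateral count is what a shorter BlackHoleIPV6Mask costs you.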

Configurations on the Blackhole Router

This section uses the Huawei NE80E as an example to describe the router-side configuration. Router configurations vary with the router version; the following configurations are for reference only.

  1. Run the system-view command to access the system view.
  2. Configure the BGP peer relationship with the cleaning device. ebgp-max-hop 255 allows the EBGP session to span multiple hops.

    [sysname] bgp 100
    [sysname-bgp] peer 10::1:5:1 as-number 200
    [sysname-bgp] peer 10::1:5:1 ebgp-max-hop 255
    [sysname-bgp] quit

  3. On the blackhole router, configure routing policy 1, which rewrites the next hop of the blackhole route received from the cleaning device.

    [sysname] ip community-filter 1 permit 500:5000
    [sysname] route-policy 1 permit node 1
    # Routes received from the cleaning device that carry community 500:5000 (the blackhole route to 1::1:1:1/128, whose outbound interface on the cleaning device is NULL0) get their next hop set to 1::1:1:2. Routes that match no node are rejected by the implicit deny at the end of the route-policy.
    [sysname-route-policy] if-match community-filter 1
    [sysname-route-policy] apply ipv6 next-hop 1::1:1:2
    [sysname-route-policy] quit

  4. On the blackhole router, enable the IPv6 peer and apply routing policy 1 to the routes imported from the cleaning device.

    [sysname] bgp 100
    [sysname-bgp] undo synchronization
    [sysname-bgp] ipv6-family unicast
    [sysname-bgp-af-ipv6] peer 10::1:5:1 enable
    [sysname-bgp-af-ipv6] peer 10::1:5:1 route-policy 1 import
    [sysname-bgp-af-ipv6] quit
    [sysname-bgp] quit

  5. Configure the blackhole route to which the rewritten next hop recurses.

    [sysname] ipv6 route-static 1::1:1:2 128 NULL 0

    1::1:1:2 is the destination address of the configured blackhole route; blackhole traffic diversion works because the route advertised by the cleaning device recurses to this static route on the blackhole router. You can choose this address as required, but use one that is not used for any other purpose on the network: every route whose next hop resolves to it is discarded.

    To verify, once the cleaning device has advertised the route, run display ipv6 routing-table 1::1:1:1 128 verbose on the blackhole router and confirm that the BGP route to 1::1:1:1/128 is active and that its next hop 1::1:1:2 resolves to the static route whose outbound interface is NULL0. If the static route is missing, the next hop of the BGP route cannot be resolved, the route stays inactive, and the traffic is not discarded.

Configurations on the Cleaning Device

  1. In the user view, run the system-view command to access the system view.
  2. Configure the BGP peer relationships: an EBGP peer to the blackhole router (AS 100) and an IBGP peer to the traffic diversion router (AS 200).

    [sysname] bgp 200
    [sysname-bgp] peer 10::1:3:1 as-number 100
    [sysname-bgp] peer 10::1:3:1 ebgp-max-hop 255
    [sysname-bgp] peer 10::1:2:1 as-number 200
    [sysname-bgp] quit

  3. On the cleaning device, configure the routing policies.

    [sysname] route-policy 1 permit node 1   # Export policy toward the blackhole router: tag the blackhole routes (outbound interface NULL0) with community 500:5000, so that the blackhole router recognizes them, and no-advertise, so that it does not propagate them further.
    [sysname-route-policy] if-match interface NULL0
    [sysname-route-policy] apply community 500:5000 no-advertise
    [sysname-route-policy] quit
    [sysname] route-policy 2 permit node 1   # Import policy: bring the static routes whose outbound interface is NULL0 (the blackhole routes generated by the management center) into BGP.
    [sysname-route-policy] if-match interface NULL0
    [sysname-route-policy] quit
    [sysname] route-policy 3 deny node 1   # Export policy toward the traffic diversion router: blackhole routes (outbound interface NULL0) match this node and are dropped, so only traffic diversion routes reach the traffic diversion router.
    [sysname-route-policy] if-match interface NULL0
    [sysname-route-policy] quit
    [sysname] route-policy 3 permit node 5   # Tag the remaining routes (the traffic diversion routes) with no-advertise so that the traffic diversion router does not propagate them to any other peer.
    [sysname-route-policy] apply community no-advertise
    [sysname-route-policy] quit

    After you enable blackhole traffic diversion at the management center, a static route with the destination address 1::1:1:1 and the outbound interface NULL0 is generated on the cleaning device.

    In route-policy 3, the deny node for the blackhole routes (node 1) must have a smaller node index than the permit node (node 5). Nodes are evaluated in ascending order and the first matching node decides; if the permit node came first, the blackhole routes would also be advertised to the traffic diversion router.

  4. On the cleaning device, in the IPv6 address family, import the blackhole routes (static routes filtered by routing policy 2) and the traffic diversion routes (UNR routes generated by the cleaning device) into BGP, and apply the export policy and community advertisement to each peer.

    [sysname] bgp 200
    [sysname-bgp] undo synchronization
    [sysname-bgp] ipv6-family unicast
    [sysname-bgp-af-ipv6] import-route static route-policy 2
    [sysname-bgp-af-ipv6] import-route unr
    [sysname-bgp-af-ipv6] peer 10::1:3:1 enable
    [sysname-bgp-af-ipv6] peer 10::1:3:1 route-policy 1 export
    [sysname-bgp-af-ipv6] peer 10::1:3:1 advertise-community
    [sysname-bgp-af-ipv6] peer 10::1:2:1 enable
    [sysname-bgp-af-ipv6] peer 10::1:2:1 route-policy 3 export
    [sysname-bgp-af-ipv6] peer 10::1:2:1 advertise-community
    [sysname-bgp-af-ipv6] quit
    [sysname-bgp] quit
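The implementation mechanism section and the routing policies above describe one pipeline: a NULL0 static route on the cleaning device, per-peer export policies, a next-hop rewrite on import at the blackhole router, and recursion of that next hop to the blackhole router's own NULL0 static route. The following Python model is an added example, not Huawei ATIC or VRP code; it replays that pipeline so the effect of each policy, the node ordering in route-policy 3, and the dependency on the static route 1::1:1:2/128 can be checked. The route representation, the implicit-deny semantics applied to routes matching no node, the constructed UNR diversion route 2::/64 and its interface name are assumptions; the addresses, communities and policy nodes come from the page.

```python
"""End-to-end model of the IPv6 blackhole diversion path on this page.

Added example, not Huawei ATIC or VRP code. Route/peer/policy handling is a
simplification assumed by this example; addresses, communities and policy
nodes are taken from the page.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

BLACKHOLE_PEER = "10::1:3:1"     # blackhole router, AS 100
DIVERSION_PEER = "10::1:2:1"     # traffic diversion router, AS 200
BLACKHOLE_NEXTHOP = "1::1:1:2"   # next hop applied by the blackhole router
COMMUNITY_BLACKHOLE = "500:5000"
NO_ADVERTISE = "no-advertise"


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                  # "static", "unr" (diversion route) or "bgp"
    out_iface: str               # "NULL0" marks a blackhole route
    next_hop: Optional[str] = None
    communities: frozenset = frozenset()


def cleaning_device_bgp_locals(rib):
    """import-route static route-policy 2 plus import-route unr: only NULL0
    static routes and the UNR (traffic diversion) routes enter BGP."""
    return [r for r in rib
            if (r.source == "static" and r.out_iface == "NULL0") or r.source == "unr"]


def cleaning_device_export(route, peer):
    """Per-peer export policy. Returns the advertised route, or None when the
    route matches a deny node or no node at all (implicit deny)."""
    if peer == BLACKHOLE_PEER:
        # route-policy 1 permit node 1: if-match interface NULL0,
        # apply community 500:5000 no-advertise
        if route.out_iface == "NULL0":
            return replace(route, communities=route.communities | {COMMUNITY_BLACKHOLE, NO_ADVERTISE})
        return None
    if peer == DIVERSION_PEER:
        # route-policy 3 deny node 1 is evaluated first (smaller node index),
        # so blackhole routes never reach the traffic diversion router ...
        if route.out_iface == "NULL0":
            return None
        # ... and permit node 5 tags everything else (diversion routes) no-advertise
        return replace(route, communities=route.communities | {NO_ADVERTISE})
    raise ValueError(f"unknown peer {peer}")


def blackhole_router_import(adv):
    """peer ... route-policy 1 import on the blackhole router: routes carrying
    community 500:5000 get next hop 1::1:1:2; all others hit the implicit deny."""
    if COMMUNITY_BLACKHOLE in adv.communities:
        return replace(adv, source="bgp", out_iface="", next_hop=BLACKHOLE_NEXTHOP)
    return None


def longest_match(rib, address):
    addr = ipaddress.ip_address(address)
    matches = [r for r in rib if addr in ipaddress.ip_network(r.prefix)]
    return max(matches, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)


def forwarding_decision(rib, dst):
    """Look up dst and recurse through next hops until a route with an outbound
    interface is reached. NULL0 at the end of the chain means discard."""
    route = longest_match(rib, dst)
    for _ in range(8):                                   # bounded recursion depth
        if route is None or route.next_hop is None:
            break
        route = longest_match([r for r in rib if r.next_hop is None], route.next_hop)
    if route is None:
        return "unresolved"                              # next hop not in the RIB: route inactive
    return "discard" if route.out_iface == "NULL0" else f"forward via {route.out_iface}"


def simulate(blackhole_static_present=True):
    # Constructed RIB of the cleaning device: the NULL0 route that the management
    # center generates for 1::1:1:1/128 plus one diversion route (interface name assumed).
    cleaning_rib = [
        Route("1::1:1:1/128", "static", "NULL0"),
        Route("2::/64", "unr", "GigabitEthernet0/0/1"),
    ]
    to_blackhole, to_diversion = [], []
    for r in cleaning_device_bgp_locals(cleaning_rib):
        for peer, out in ((BLACKHOLE_PEER, to_blackhole), (DIVERSION_PEER, to_diversion)):
            adv = cleaning_device_export(r, peer)
            if adv is not None:
                out.append(adv)
    # Blackhole router RIB: its own static blackhole route plus the accepted BGP routes.
    router_rib = [Route("1::1:1:2/128", "static", "NULL0")] if blackhole_static_present else []
    router_rib += [b for b in map(blackhole_router_import, to_blackhole) if b is not None]
    return {
        "to_blackhole": sorted(r.prefix for r in to_blackhole),
        "blackhole_communities": sorted(set().union(*(r.communities for r in to_blackhole))),
        "to_diversion": sorted(r.prefix for r in to_diversion),
        "decision": forwarding_decision(router_rib, "1::1:1:1"),
    }
```

simulate() shows the blackhole route reaching only the blackhole router, tagged 500:5000 and no-advertise, the diversion route reaching only the traffic diversion router, and traffic to 1::1:1:1 being discarded. simulate(blackhole_static_present=False) shows what happens if step 5 on the blackhole router is skipped: the BGP route's next hop cannot be resolved and nothing is dropped, which is the failure mode the verification step in that section is meant to catch.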

Configurations on the Traffic Diversion Router

  1. Establish the BGP peer relationship with the cleaning device for traffic diversion.

    [router2] bgp 200
    [router2-bgp] peer 10::1:2:2 as-number 200

    For the traffic diversion router, only the BGP peer configuration is shown here; as on the cleaning device, the peer must also be enabled in the ipv6-family unicast view for IPv6 routes to be exchanged. For the routing policy configuration, see the other traffic diversion configuration examples.


Copyright © Huawei Technologies Co., Ltd.