Blackholing a Customer Edge

glitchlist | Uncategorized

Protecting the internal network, or the public network segments, is the Network Engineer's mission. Usually we have firewalls for perimeter security, but what do we do if we want to protect public transit IPs?

Some public IP addresses configured on Customer Edge routers only carry traffic routing from the client side to the ISP, so there is no reason for them to be reachable from the public internet.

Since these routers could suffer a DDoS attack, it is good to make them disappear from the internet 🙂
On the border BGP routers, where we announce our ASN to the Internet Exchanges, add the following command:

# Cisco
ip route [public.ip] 255.255.255.255 Null0

# Huawei
ip route-static [public.ip] 255.255.255.255 NULL0

Don't forget to redistribute these static routes into iBGP. Now you are invisible!
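Here is a fuller Cisco IOS version of the same procedure, added as an example and not taken from the original post: the null route is tagged, and only tagged statics are redistributed into BGP, marked no-export so the /32 stays inside our AS and never reaches the IX or transit peers. Every value is a placeholder: 192.0.2.1 stands for the CE's public WAN address, AS 64496 for our ASN, 10.255.0.2 for an iBGP peer, and tag 666 for the blackhole marker.

```cisco
! Added example (not the original post's config). Placeholders: 192.0.2.1 = CE
! public IP, 64496 = our ASN, 10.255.0.2 = iBGP peer, tag 666 = blackhole tag.
!
! 1. Null-route the CE address and tag it so it can be matched later.
ip route 192.0.2.1 255.255.255.255 Null0 tag 666
!
! 2. Do not answer dropped packets with ICMP unreachables; under a flood the
!    replies themselves would load the router CPU.
interface Null0
 no ip unreachables
!
! 3. Match only the blackhole tag and keep the /32 inside the AS (no-export),
!    with a high local preference so every router prefers the null route.
route-map BLACKHOLE-TO-IBGP permit 10
 match tag 666
 set community no-export
 set local-preference 500
!
! 4. Redistribute only the tagged statics; send communities to iBGP peers so
!    no-export is honoured when they talk to their own eBGP neighbors.
router bgp 64496
 bgp log-neighbor-changes
 redistribute static route-map BLACKHOLE-TO-IBGP
 neighbor 10.255.0.2 remote-as 64496
 neighbor 10.255.0.2 update-source Loopback0
 neighbor 10.255.0.2 send-community
!
! 5. Verification from exec mode:
!    show ip route 192.0.2.1      -> static route via Null0, tag 666
!    show ip bgp 192.0.2.1/32     -> community no-export, local-pref 500
```

Without the route-map, `redistribute static` would also push any other static routes on the border router into BGP, and without no-export the /32 could leak to the IX peers that accept it; the tag and the community are what keep the blackhole local.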

.glitchlist crew
