Friday, January 1, 2010

CCIE-LAB-RTBH

I - DESTINATION BASED

ATTACKER:
 
R1:
router rip
 version 2
 no auto-summary
 network 136.1.0.0
 network 150.1.0.0

TRIGGER:
 
R2:
router rip
 version 2
 no auto-summary
 network 136.1.0.0
 network 150.1.0.0
!
router bgp 23
 neighbor 136.1.23.3 remote-as 23
 neighbor 136.1.23.3 send-community
 redistribute static route-map STATIC_TO_BGP
!
route-map STATIC_TO_BGP permit 10
 match tag 23
 set local-preference 200
 set origin igp
 set community no-export
 set ip next-hop 192.0.2.1
!
ip route 192.0.2.1 255.255.255.255 Null0

When the attack starts, add the static route below on the trigger router (the IP is the destination under attack, here the local server):

ip route 10.1.0.100 255.255.255.255 Null0 tag 23

EDGE:
 
R3:
router rip
 version 2
 no auto-summary
 network 136.1.0.0
 network 150.1.0.0
 network 10.0.0.0
!
router bgp 23
 neighbor 136.1.23.2 remote-as 23
!
ip route 192.0.2.1 255.255.255.255 Null0
!
interface Null0
 no ip unreachables

II - SOURCE BASED

TRIGGER:

When the attack starts, add the static route below on the trigger router (the IP is the source address of the attacker):

ip route 170.170.170.170 255.255.255.255 Null0 tag 23

EDGE:
 
interface FastEthernet0/0.13
 ip verify unicast source reachable-via any

With loose-mode uRPF, packets whose source address has no route in the routing table, or whose route points to Null0, are silently dropped.
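A small Python model of both mechanisms from this lab, added here as an illustration and not part of the original post: R2's STATIC_TO_BGP route-map turns a tag-23 static into a no-export update with next-hop 192.0.2.1, and R3 resolves that next hop to Null0 (destination-based) or fails the loose uRPF source check (source-based). R3's table contents, including a default route towards R2, are assumed.

```python
import ipaddress

BLACKHOLE_NH = "192.0.2.1"   # discard next hop used in the lab
TRIGGER_TAG = 23

def trigger_to_bgp(static_routes):
    """Model of R2's STATIC_TO_BGP route-map: only statics tagged 23 are
    redistributed, rewritten to next-hop 192.0.2.1, local-pref 200 and
    community no-export. Input: list of (prefix, tag-or-None)."""
    return [{"prefix": ipaddress.ip_network(p), "next_hop": BLACKHOLE_NH,
             "local_pref": 200, "community": "no-export"}
            for p, tag in static_routes if tag == TRIGGER_TAG]

class EdgeRouter:
    """Minimal R3: prefix -> next hop ('connected', 'Null0' or an IP).
    The table contents are constructed for this example."""
    def __init__(self):
        self.rib = {ipaddress.ip_network(p): nh for p, nh in [
            ("10.0.0.0/8", "connected"),      # local server network
            ("136.1.0.0/16", "connected"),    # link to R2
            ("0.0.0.0/0", "136.1.23.2"),      # assumed default route
            ("192.0.2.1/32", "Null0"),        # static discard route
        ]}

    def install_bgp(self, updates):
        for u in updates:
            self.rib[u["prefix"]] = u["next_hop"]

    def lookup(self, addr):
        """Longest-prefix match, recursively resolving an IP next hop."""
        addr = ipaddress.ip_address(addr)
        best = max((n for n in self.rib if addr in n),
                   key=lambda n: n.prefixlen, default=None)
        if best is None:
            return None
        nh = self.rib[best]
        return nh if nh in ("connected", "Null0") else self.lookup(nh)

    def forward(self, src, dst, urpf_loose=False):
        """Return 'forward' or 'drop'. urpf_loose models
        'ip verify unicast source reachable-via any': the source must
        resolve to something other than Null0, which is what makes
        source-based RTBH drop traffic."""
        if urpf_loose and self.lookup(src) in (None, "Null0"):
            return "drop"
        return "drop" if self.lookup(dst) in (None, "Null0") else "forward"
```

Without the uRPF check on the edge, a source-based trigger changes nothing, since forwarding only looks at the destination.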
