Prior to the attack, configure inbound route-maps on all
edge BGP
speakers (R2 through R4 in Black Hole Routing
Using BGP).
These inbound policies modify the next-hop of
specifically marked BGP network layer reach-ability information (NLRIs) to point to the
chosen black hole next-hop. We use BGP community or extended-community attributes to
identify NLRIs that need to be black holed (ones whose next-hops have to be modified). The
community values that are chosen should be reserved for this purpose within the provider
network.
In the following example, a community of
666:0 is chosen for identifying blackhole routes. The next-hop of BGP NLRIs with that
community attribute is modified to use the blackhole
next-hop.
R3.1 # edit policy BH_policy_NH
entry bh-nhset {
if match any {
community 666:0;
nlri any/32 ;
} then {
next-hop 192.168.2.66 ;
permit ;
}
}
entry bh-default {
if match any {
} then {
permit ;
}
}
