Date: Tue, 28 Feb 2012 12:45:17 +0400
From: Eygene Ryabinkin <rea@freebsd.org>
To: Bob Bishop <rb@gid.co.uk>
Cc: hackers@freebsd.org
Subject: Re: Blackhole routes vs firewall drop rules
Message-ID: <XGLGghffwZpMNdqW%2BpyCelp3ssE@Y368QdixR6jasnEYsVVjrkTA7mk>
In-Reply-To: <BC3D956B-FD78-4C1B-A4AA-8C33651237B2@gid.co.uk>
References: <BC3D956B-FD78-4C1B-A4AA-8C33651237B2@gid.co.uk>
Sun, Feb 26, 2012 at 01:34:23PM +0000, Bob Bishop wrote:
> I'd like to hear from somebody who understands this stuff on the
> relative merits of blackhole routes vs firewall drop rules for
> dealing with packets from unwanted sources. I'm particularly
> interested in efficiency and scalability. Thanks

Are you trying to null-route (seems like it's what you call blackhole routes) or firewall on the same machine that is the destination of the packets, on the same machine that is an intermediate router, or are you evaluating null-routing on the intermediate machine vs a firewall on the target machine?

By the way, with null-routing you'll only be able to blackhole the packets that are going _to_ some particular IP address or netblock. Routing is almost entirely about the destination IPs (though in some cases you can differentiate on the incoming interface or you can use URPF, if it is supported by your device, but that's not routing in the strict sense; nevertheless, many routing devices have something that looks like URPF). For FreeBSD the closest analog of URPF is ipfw's verrevpath and pf's urpf-failed.

You can do source-based null-routing by injecting a null route to the unwanted source, so the packet will be dropped. The neat thing here is that you can use some routing protocol to distribute your blackhole routes to multiple FreeBSD servers and ipfw/pf will do the rest. But if you can sync the blackholing firewall tables (both ipfw and pf support tables that can be updated independently of the firewall rules) across multiple hosts (if you're going to do distributed blackholing) without handing this work to the routing protocols, this might be faster -- you'll save the routing table lookup (though the firewall should inspect the source address, that should be slightly quicker than doing a routing table lookup).
At large scale, null routing nowadays is mostly used for tearing down distributed DDoS. You probably want to read this thread on the NANOG list, http://www.gossamer-threads.com/lists/nanog/users/138153

The typical usage is that some IP or netblock that is under attack is null-routed on the provider's edges (if the provider hosts this IP/netblock) and internal leafs to tear down the packets before they can flood the infrastructure. If multiple providers (better if they contain the sources of the attack) can do that, the attacking traffic won't even exit their networks, and that's a good thing when you're fighting DDoS.

But, in general, it will be much better to know your situation to answer such a question in a more appropriate manner.

-- 
Eygene Ryabinkin                        ,,,^..^,,,
[ Life's unfair - but root password helps!     | codelabs.ru ]
[ 82FE 06BC D497 C0DE 49EC 4FF0 16AF 9EAE 8152 ECFB | freebsd.org ]
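The three placements contrasted in the reply (a destination-only null route, a null route to the source combined with ipfw's verrevpath or pf's urpf-failed, and a firewall table that needs no routing lookup), as an added example that is not part of the original message: it prints the FreeBSD route(8)/ipfw(8)/pfctl(8) commands for each approach and runs them instead when APPLY=1. The prefixes, rule numbers and the pf table name are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits (or, with APPLY=1, runs)
# the FreeBSD commands for each approach. Prefixes are documentation ranges
# chosen for this example; rule numbers and the table name are arbitrary.

run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# 1. Destination-based null route: all that a plain blackhole route can do.
#    Drops every packet addressed *to* the prefix, whoever sent it.
blackhole_dst() {
    run route add -net "$1" 127.0.0.1 -blackhole
}

# 2. Source-based via a null route plus a reverse-path check. The route to the
#    unwanted source can be injected on every host by a routing protocol; a
#    static verrevpath (ipfw) or urpf-failed (pf) rule then drops inbound
#    packets whose source address routes to the blackhole.
blackhole_src() {
    run route add -net "$1" 127.0.0.1 -blackhole
}
urpf_rule_ipfw() {
    run ipfw add 100 deny ip from any to any not verrevpath in
}
urpf_rule_pf() {
    printf 'block in quick from urpf-failed\n'     # pf.conf line
}

# 3. Source-based via a firewall table: no routing lookup, and the table is
#    updated without reloading the ruleset.
table_rule_ipfw() {
    run ipfw add 200 deny ip from 'table(1)' to any in
}
table_add_ipfw() {
    run ipfw table 1 add "$1"
}
table_rule_pf() {
    printf 'table <blackhole> persist\nblock in quick from <blackhole>\n'
}
table_add_pf() {
    run pfctl -t blackhole -T add "$1"
}

# Dry run prints the commands; APPLY=1 executes them instead.
blackhole_dst 192.0.2.0/24      # victim prefix: every source dropped
blackhole_src 198.51.100.0/24   # unwanted source, enforced by uRPF below
urpf_rule_ipfw
table_rule_ipfw
table_add_ipfw 203.0.113.7
```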