Certificate Star Note
Filtering With holes either way
sinkhole routing. While this may sound a lot like some Star Trek episode, it’s important for us to understand what each is, and more so how to implement them. Sinkholes are designed to attract traffic and keep it (for analysis or whatever reason). Blockhouse, on the other hand, are designed to attract traffic and never let it be seen again. In larger networks (and what we simulate in our CCIE labs) both of these techniques are typically done via BGP. So let’s start with the sinkhole idea. To create a sinkhole, we want to attract traffic. The first question we need to ask is Why? Whenever you advertise a network out, you inadvertently attract traffic to that IPs. That traffic may be good, or it may be bad. From a security perspective, I’m sure everyone has heard the term Honeypot used before. There is a specific purpose to attract traffic. So let’s say that you have a /24 network advertising to the Internet through various connections. Traffic can come in and wend its way through your network to the destination network segment. You notice a Dos attack, or some huge amount of traffic towards one of your web servers. Where do you secure against this? How do you secure against it? Are you still moving traffic all the way through your network to one final router before the segment? Are you tying up all your link’s bandwidth while doing this? Sinkholes spread throughout your network are a way to break apart and analyze the traffic, perhaps cleaning it and moving the good stuff on through. But multiple routers would need a focal point, or different way to route that traffic. You may simply change the destination for a single IP out of that /24. Most-specific routing always wins, so that’s an easy way. Maybe you have multiple analysis points in your network to segment the traffic and reduce load and bottlenecks in your topology. Either way, follow the lab instructions and you are creating a sinkhole. You may even be advertising extra networks just to attract traffic for analysis (like a Honeypot idea). Just watch what’s being asked, but that’s the concept of a sinkhole. Blackhole routing on the other hand wants to kill traffic. Simply enough, we could go to all of our routers and install some Null0 routes. In real life, this is not a scalable approach. Hence the term remotely-triggered blackhole routing, and we’ll use BGP. Killing a route via a routing protocol is not a simple concept. No matter how hard we try when advertising a route, Null0 is not a valid next-hop to pass along to someone else! So every router needs to have a seed route to Null0. Pick something that isn’t used. Ip route 1.1.1.1 255.255.255.255 null0 That goes on every single router now. Of course, we would also have BGP setup between all of our internal routers. Perhaps not really moving any “real” routing information, just used to kill things. Now we need the trigger. On a central router (wherever an admin is anyway) we’ll do our maintenance for what routes we want to kill. Ip route 192.0.0.0 255.0.0.0 null0 tag 86 ip route 100.100.100.0 255.255.255.0 null0 tag 86 ip route 200.200.200.0 255.255.255.0 null0 tag 86 Notice the tag on those static routes. This will be used for redistribution to help only get the “bad” routes from a router that may actually have many other static routes. Ok, not in the real lab, but we’re pretending that the skills we learn on our way to CCIE have some real-life intrinsic value, right? So once we have decided on our central router what routes we want to kill everywhere, then we pass them out through BGP. Route-map KillRoutes permit 10 Match tag 86 Router bgp 65000 Redistribute static route-map KillRoutes That all seems very simple, right? Well, yes it does, but it won’t help us. At this point, all of our iBGP routers would see the central router as the next hop for each of the routes. Ok, yes, that creates a blackhole. Because it pulls all of the packets into the middle of our network and then kills them locally with a Null0 next-hop. But we are wasting LOTS of bandwidth in doing this. Always filter as close to the source as possible. Good design rules! In order to do this, we need to change the next hop of the route from our central router’s IP address to that of the distributed Null0 route (1.1.1.1 in my example). Route-map NH-Change permit 10 Match tag 86 Set ip next-hop 1.1.1.1 Route-map NH-Change permit 20 Router bgp 65000 Neighbor x.x.x.x route-map NH-Change out (repeat for each of your neighbors unless you’re using peer groups!) The last permit statement of the route-map was to pass-through any other routes that you may want to run in BGP unchanged. Only make the next-hop change for those routes that are evil. You could also set this next-hop within the original redistribute route-map. I just split it out for pointing out the differences. At this point, all of your other routers have learned some routes via iBGP, with a next-hop of 1.1.1.1 and since they have a local static route to Null0 for that next hop, all routes learned this way will be killed. We have now used blackhole routing in a remotely-triggered manner. Kinda cool, huh? Not difficult either, just a matter of thinking about what we are trying to accomplish. As noted, these techniques have been listed more explicitly on both the Security (2.0) and Service Provider CCIE tracks. I don’t see any reason why they can’t be used in Routing & Switching as well, so it never hurts to think these things through! For some extra information, check out: scenario carefully. Makes notes and diagrams as necessary, but think like the router does. Think things through one step at a time and all of these complicated things suddenly become much easier. Cheers, Scott Scott Morris is IPexpert's Vice President of Curriculum and Senior Technical Instructor. With over 20 years of technical training and consulting experience and a wealth of technical certifications, Scott Morris has proven to be among the elite in the technical training industry. Scott is one of the few people in the world who currently hold four separate CCIE certifications, but is one-of-a-kind by having added Juniper Network's expert level certification. He is also actively preparing for the CCIE Voice. Scott has years of experience both writing and teaching CCIE lab preparation materials with an outstanding track record of success. Over the past seven years, Scott has also been involved in many aspects of training directly for Cisco's internal staff on a variety of advanced technical topics. His knowledge and real-world experiences have been sought after for many projects. Scott has also participated in editing, writing and reviewing training books for Cisco Press, Wylie, Sybil, Que. Publishing and McGraw-Hill. His contributing author work includes Cisco Press' Managing Cisco Network Security book ( ISBN: 1578701031) - Chapters on the PIX Firewall; and Cisco Press' CCIE Practical Studies, Vol. 2 (ISBN: 1587050722) - Chapter on Multicast. Scott can be reached sinkhole routing. While this may sound a lot like some Star Trek episode, it’s important for us to understand what each is, and more so how to implement them. Sinkholes are designed to attract traffic and keep it (for analysis or whatever reason). Blockhouse, on the other hand, are designed to attract traffic and never let it be seen again. In larger networks (and what we simulate in our CCIE labs) both of these techniques are typically done via BGP. So let’s start with the sinkhole idea. To create a sinkhole, we want to attract traffic. The first question we need to ask is Why? Whenever you advertise a network out, you inadvertently attract traffic to that IPs. That traffic may be good, or it may be bad. From a security perspective, I’m sure everyone has heard the term Honeypot used before. There is a specific purpose to attract traffic. So let’s say that you have a /24 network advertising to the Internet through various connections. Traffic can come in and wend its way through your network to the destination network segment. You notice a Dos attack, or some huge amount of traffic towards one of your web servers. Where do you secure against this? How do you secure against it? Are you still moving traffic all the way through your network to one final router before the segment? Are you tying up all your link’s bandwidth while doing this? Sinkholes spread throughout your network are a way to break apart and analyze the traffic, perhaps cleaning it and moving the good stuff on through. But multiple routers would need a focal point, or different way to route that traffic. You may simply change the destination for a single IP out of that /24. Most-specific routing always wins, so that’s an easy way. Maybe you have multiple analysis points in your network to segment the traffic and reduce load and bottlenecks in your topology. Either way, follow the lab instructions and you are creating a sinkhole. You may even be advertising extra networks just to attract traffic for analysis (like a Honeypot idea). Just watch what’s being asked, but that’s the concept of a sinkhole. Blackhole routing on the other hand wants to kill traffic. Simply enough, we could go to all of our routers and install some Null0 routes. In real life, this is not a scalable approach. Hence the term remotely-triggered blackhole routing, and we’ll use BGP. Killing a route via a routing protocol is not a simple concept. No matter how hard we try when advertising a route, Null0 is not a valid next-hop to pass along to someone else! So every router needs to have a seed route to Null0. Pick something that isn’t used. Ip route 1.1.1.1 255.255.255.255 null0 That goes on every single router now. Of course, we would also have BGP setup between all of our internal routers. Perhaps not really moving any “real” routing information, just used to kill things. Now we need the trigger. On a central router (wherever an admin is anyway) we’ll do our maintenance for what routes we want to kill. Ip route 192.0.0.0 255.0.0.0 null0 tag 86 ip route 100.100.100.0 255.255.255.0 null0 tag 86 ip route 200.200.200.0 255.255.255.0 null0 tag 86 Notice the tag on those static routes. This will be used for redistribution to help only get the “bad” routes from a router that may actually have many other static routes. Ok, not in the real lab, but we’re pretending that the skills we learn on our way to CCIE have some real-life intrinsic value, right? So once we have decided on our central router what routes we want to kill everywhere, then we pass them out through BGP. Route-map KillRoutes permit 10 Match tag 86 Router bgp 65000 Redistribute static route-map KillRoutes That all seems very simple, right? Well, yes it does, but it won’t help us. At this point, all of our iBGP routers would see the central router as the next hop for each of the routes. Ok, yes, that creates a blackhole. Because it pulls all of the packets into the middle of our network and then kills them locally with a Null0 next-hop. But we are wasting LOTS of bandwidth in doing this. Always filter as close to the source as possible. Good design rules! In order to do this, we need to change the next hop of the route from our central router’s IP address to that of the distributed Null0 route (1.1.1.1 in my example). Route-map NH-Change permit 10 Match tag 86 Set ip next-hop 1.1.1.1 Route-map NH-Change permit 20 Router bgp 65000 Neighbor x.x.x.x route-map NH-Change out (repeat for each of your neighbors unless you’re using peer groups!) The last permit statement of the route-map was to pass-through any other routes that you may want to run in BGP unchanged. Only make the next-hop change for those routes that are evil. You could also set this next-hop within the original redistribute route-map. I just split it out for pointing out the differences. At this point, all of your other routers have learned some routes via iBGP, with a next-hop of 1.1.1.1 and since they have a local static route to Null0 for that next hop, all routes learned this way will be killed. We have now used blackhole routing in a remotely-triggered manner. Kinda cool, huh? Not difficult either, just a matter of thinking about what we are trying to accomplish. As noted, these techniques have been listed more explicitly on both the Security (2.0) and Service Provider CCIE tracks. I don’t see any reason why they can’t be used in Routing & Switching as well, so it never hurts to think these things through! For some extra information, check out: scenario carefully. Makes notes and diagrams as necessary, but think like the router does. Think things through one step at a time and all of these complicated things suddenly become much easier. Cheers, Scott Scott Morris is IPexpert's Vice President of Curriculum and Senior Technical Instructor. With over 20 years of technical training and consulting experience and a wealth of technical certifications, Scott Morris has proven to be among the elite in the technical training industry. Scott is one of the few people in the world who currently hold four separate CCIE certifications, but is one-of-a-kind by having added Juniper Network's expert level certification. He is also actively preparing for the CCIE Voice. Scott has years of experience both writing and teaching CCIE lab preparation materials with an outstanding track record of success. Over the past seven years, Scott has also been involved in many aspects of training directly for Cisco's internal staff on a variety of advanced technical topics. His knowledge and real-world experiences have been sought after for many projects. Scott has also participated in editing, writing and reviewing training books for Cisco Press, Wylie, Sybil, Que. Publishing and McGraw-Hill. His contributing author work includes Cisco Press' Managing Cisco Network Security book ( ISBN: 1578701031) - Chapters on the PIX Firewall; and Cisco Press' CCIE Practical Studies, Vol. 2 (ISBN: 1587050722) - Chapter on Multicast. Scott can be reached
sinkhole routing.
While this may sound a lot
like some Star Trek episode, it’s important for us to understand what each is,
and more so how to implement them. Sinkholes are designed to attract traffic
and keep it (for analysis or whatever reason). Blockhouse, on the other hand,
are designed to attract traffic and never let it be seen again.
In larger networks (and
what we simulate in our CCIE labs) both of these techniques are typically done
via BGP. So let’s start with the sinkhole idea. To create a sinkhole, we want
to attract traffic. The first question we need to ask is Why?
Whenever you advertise a
network out, you inadvertently attract traffic to that IPs. That traffic may
be good, or it may be bad. From a security perspective, I’m sure everyone has
heard the term Honeypot used before. There is a specific purpose to attract
traffic.
So let’s say that you have
a /24 network advertising to the Internet through various connections. Traffic
can come in and wend its way through your network to the destination network
segment. You notice a Dos attack, or some huge amount of traffic towards one of
your web servers. Where do you secure against this? How do you secure against
it? Are you still moving traffic all the way through your network to one final
router before the segment? Are you tying up all your link’s bandwidth while
doing this?
Sinkholes spread
throughout your network are a way to break apart and analyze the traffic,
perhaps cleaning it and moving the good stuff on through. But multiple routers
would need a focal point, or different way to route that traffic. You may
simply change the destination for a single IP out of that /24. Most-specific
routing always wins, so that’s an easy way. Maybe you have multiple analysis
points in your network to segment the traffic and reduce load and bottlenecks in
your topology.
Either way, follow the lab
instructions and you are creating a sinkhole. You may even be advertising extra
networks just to attract traffic for analysis (like a Honeypot idea). Just
watch what’s being asked, but that’s the concept of a sinkhole.
Blackhole routing on the
other hand wants to kill traffic. Simply enough, we could go to all of our
routers and install some Null0 routes. In real life, this is not a scalable
approach. Hence the term remotely-triggered blackhole routing, and we’ll use
BGP. Killing a route via a routing protocol is not a simple concept. No matter
how hard we try when advertising a route, Null0 is not a valid next-hop to pass
along to someone else!
So every router needs to
have a seed route to Null0. Pick something that isn’t used.
Ip route 1.1.1.1
255.255.255.255 null0
That goes on every single
router now. Of course, we would also have BGP setup between all of our internal
routers. Perhaps not really moving any “real” routing information, just used to
kill things. Now we need the trigger. On a central router (wherever an admin
is anyway) we’ll do our maintenance for what routes we want to kill.
Ip route 192.0.0.0
255.0.0.0 null0 tag 86
ip route 100.100.100.0 255.255.255.0 null0 tag 86
ip route 200.200.200.0 255.255.255.0 null0 tag 86
Notice the tag on those
static routes. This will be used for redistribution to help only get the “bad”
routes from a router that may actually have many other static routes. Ok, not
in the real lab, but we’re pretending that the skills we learn on our way to
CCIE have some real-life intrinsic value, right?
So once we have decided on
our central router what routes we want to kill everywhere, then we pass them out
through BGP.
Route-map KillRoutes
permit 10
Match tag 86
Router bgp 65000
Redistribute static route-map KillRoutes
That all seems very
simple, right? Well, yes it does, but it won’t help us. At this point, all of
our iBGP routers would see the central router as the next hop for each of the
routes. Ok, yes, that creates a blackhole. Because it pulls all of the packets
into the middle of our network and then kills them locally with a Null0
next-hop. But we are wasting LOTS of bandwidth in doing this. Always filter as
close to the source as possible. Good design rules!
In order to do this, we
need to change the next hop of the route from our central router’s IP address to
that of the distributed Null0 route (1.1.1.1 in my example).
Route-map NH-Change permit
10
Match tag 86
Set ip next-hop 1.1.1.1
Route-map NH-Change permit 20
Router bgp 65000
Neighbor x.x.x.x route-map NH-Change out
(repeat for each of your neighbors unless you’re using peer groups!)
The last permit statement
of the route-map was to pass-through any other routes that you may want to run
in BGP unchanged. Only make the next-hop change for those routes that are
evil. You could also set this next-hop within the original redistribute
route-map. I just split it out for pointing out the differences.
At this point, all of your
other routers have learned some routes via iBGP, with a next-hop of 1.1.1.1 and
since they have a local static route to Null0 for that next hop, all routes
learned this way will be killed.
We have now used blackhole
routing in a remotely-triggered manner. Kinda cool, huh? Not difficult either,
just a matter of thinking about what we are trying to accomplish.
As noted, these techniques
have been listed more explicitly on both the Security (2.0) and Service Provider
CCIE tracks. I don’t see any reason why they can’t be used in Routing &
Switching as well, so it never hurts to think these things through!
For some extra
information, check out:
scenario carefully. Makes notes and diagrams as necessary, but think like the
router does. Think things through one step at a time and all of these
complicated things suddenly become much easier.
Cheers,
Scott
Scott Morris is
IPexpert's Vice President of Curriculum and Senior Technical Instructor.
With over 20 years of technical training and consulting experience and
a wealth of technical certifications, Scott Morris has proven to be among the
elite in the technical training industry. Scott is one of the few people in the
world who currently hold four separate CCIE certifications, but is one-of-a-kind
by having added Juniper Network's expert level certification. He is also
actively preparing for the CCIE Voice. Scott has years of experience both
writing and teaching CCIE lab preparation materials with an outstanding track
record of success.
Over the past seven years, Scott has also been involved in many aspects of
training directly for Cisco's internal staff on a variety of advanced technical
topics. His knowledge and real-world experiences have been sought after for many
projects.
Scott has also participated in editing, writing and reviewing training books for
Cisco Press, Wylie, Sybil, Que. Publishing and McGraw-Hill. His contributing
author work includes Cisco Press' Managing Cisco Network Security book ( ISBN:
1578701031) - Chapters on the PIX Firewall; and Cisco Press' CCIE Practical
Studies, Vol. 2 (ISBN: 1587050722) - Chapter on Multicast. Scott can be reached
Did you find this article useful? For more useful tips and hints, points to ponder and keep in mind, techniques, and insights pertaining to Internet Business, do please browse for more information at our websites. <a href="http://www.adsence-dollar-factory.com">http://www.adsence-dollar-factory.com</a> <a href="http://www.100earningtips.com">http://www.100earningtips.com</a>
About the Author
Reenactment #5: Star Trek: First Contact
 |
 ★ COLORIZED $2 DOLLAR BILL ★ WITH PRESENTATION CASE COA ★ NOTE ★ CURRENCY ★  US $24.95
|
 1921 D Morgan Silver DOLLAR Coin $1 Beautiful piece 1921 d US $26.01
|
 ONE 1 GRAM 999 PURE FINE SOLID SILVER BULLION BUFFALO BAR No Reserve coin US $5.99
|
 CONGO DR 1000 Francs 1964 P 8 AU punch stars lot 5 pcs US $11.76
|
 ONE SILVER DOLLAR HORSE BLANKET1923 1957 $1 STAR NOTE AUCTION 99 NR US $23.00
|
 $2 Dollar RED Seal US Note Old US Coin SUPER Lot V Nickle BU Coins US $10.51
|
 Lot Of 7 Silver Certificates STAR NOTES US $30.00
|
 Lot Of 10 Silver Certificates STAR NOTES TOO US $20.00
|
 Large Cent 1839 CORONET Cent KM 45 CORONET HAIR with 13 STARS US $48.88
|
 SUPER COLLECTION OF US CURRENCY 95 PIECES COINS NOTES STAMPS SILVER WOW US $59.99
|
 1997 China 5 Yuan 1 oz PIEDFORT Child Carp Silver Coin with COA US $100.00
|
 2001 Europa Monnaie de Paris FRANCE Proof Finish SILVER COIN US $49.99
|
 1953 A $5 SILVER CERTIFICATE STAR NOTE SUPERB CHOICE CU SCARCE BEAUTY PMG 64 US $99.99
|
 ELVIS PRESLEY 2 COINS JFK GOLD Collection King of Rock Roll Pop Music America US $16.60
|
 2010 AMERICA THE BEAUTIFUL QUARTERS THREE COIN SET HOT SPRINGS US $7.95
|
 Lot of 4STAR Notes 2 $1 Silver Certificates 2 $1 Federal Reserve Notes US $9.75
|
 2010 AMERICA THE BEAUTIFUL QUARTERS THREE COIN SET MOUNT HOOD US $7.95
|
 2010 AMERICA THE BEAUTIFUL QUARTERS THREE COIN SET GRAND CANYON US $7.95
|
 2010 AMERICA THE BEAUTIFUL QUARTERS THREE COIN SET YELLOWSTONE US $7.95
|
 1957STAR NOTE$1 Silver CertificateBLUE SEAL55 YRS OLD US $3.77
|
 1957BSTAR NOTE$1 Silver CertificateBLUE SEAL55 YRS OLD US $2.53
|
 2010 AMERICA THE BEAUTIFUL QUARTERS THREE COIN SET YOSEMITE US $7.95
|
 NEW IRAQI DINAR 1 X 25000 Crisp Uncirculated Iraq Dinars IQD NID NR US $26.00
|
 NEW IRAQI DINARS 10 X 25000 Crisp Uncirculated Iraq Dinar note IQD NID 250000 US $299.99
|
 NEW IRAQI DINARS 20 X 25000 Crisp Uncirculated Iraq Dinar note IQD NID 500000 US $599.99
|
 NEW IRAQI DINARS 4 X 25000 Crisp Uncirculated Iraq Dinar note IQD NID 100000 US $133.99
|
 1934A $1000 Silver Certificate North Africa STAR NOTE Scarce VERY FINE US $225.00
|
 NICE CURRENCY LOT $1 $5 SILVER CERTIFICATE STAR NOTE FUNNY NUMBER 8 TOTAL NOTES US $26.00
|
 1957 B $1 SILVER CERTIFICATE STAR NOTE GEMCU PMG 67EPQ RARE AWESOME BEAUTY US $54.99
|
 Brand New 999 PURE FINE Solid SILVER 5 GRAM BULLION BAR AMERICAN EAGLE Ingot US $21.94
|
 1957 ONE DOLLAR SILVER CERTIFICATE $1 STAR NOTE US $50.00
|
 2005 Marine Corps 230th Anniversary Uncirculated Silver Dollar 5C1 US $119.99
|
 2 $100 SILVER CERTIFICATES STAR NOTES US $20.00
|
 2011 American Silver Eagle 25th Anniversary ONE SEALED UNOPENED SET First Strike US $725.00
|
 1964 CANADA Twenty Five Cent Silver PL 66 Certified Slabbed US $49.12
|
 1963 CANADA Fifty Cent 50 SILVER MS 65 Certified Slabbed US $73.68
|
 Silver Certificate Dollar Bills 1957 Series US $24.99
|
 1962 CANADA Fifty Cent 50 Silver MS 65 Certified Slabbed US $73.68
|
 1954 CANADA Ten Cent SILVER MS 65 Certified Slabbed US $87.43
|
 1962 CANADA Twenty Five Cent Silver PL 66 Certified Slabbed US $93.33
|
 1835 CLASSIC HEAD HALF CENT LOOKS TO BE A FINE TO VERY FINE COIN US $59.00
|
 1963 CANADA Twenty Five Cent Silver MS 66 Certified Slabbed US $97.26
|
 1962 CANADA Fifty Cent 50 Silver MS 66 Certified Slabbed US $88.42
|
 1958 CANADA Twenty Five Cent Silver MS 66 Certified Slabbed US $97.26
|
 1918 CANADA 50 Fifty Cent SILVER EF 45 Certified Slabbed US $122.80
|
 1954 CANADA Twenty Five Cent SILVER MS 65 Certified Slabbed US $132.63
|
 Junk Drawer Lot Silver Dime Old Coins Sterling Estate Jewelry 1957 $1 Star Note US $7.50
|
 LOT of 3 $5Silver Certificates1 $20 and 20 $2Reserve Notes US $159.95
|
 ★11944 S standing liberty half dollar★large pics in disc★US bullion coin★H10 US $14.00
|
 1871 G 1 4 GOLD PIONEER DOLLAR COIN CALIFORNIA YOU GRADE 3 DAY SALE NR US $103.50
|
| Powered by phpBay Pro |
