Filter out routes by type of blackhole in FRRouting
Basically, there are two purposes of using blackhole routes:
- To prevent from DDoS attacks
- To inject fake routes into the routing table with longer network mask (e.g.: for BGP advertisements)
The former can also be implemented using well-known
iptables. But it always depends on what is better
iproute2 using blackhole,
XDP or finally
XDP offload on the hardware when talking about good enough.
If you have thousands of rules in
iptables then the kernel has a lot of work to do by touching every rule in the list. In other words, when you modify a single rule,
iptables has to fetch the whole basket of rules from the kernel (of course using locking because it’s a linked-list and synchronization between CPUs), do the change and put all rules back. So, avoid having a plethora of rules under
iptables - otherwise it will take half a minute to reload.
I’m pretty sure that 99% of servers (if not using the route on the host) has a routing table only with a default route, which means that dropping packets to specific destinations is much cheaper than using
ip route add blackhole 192.168.0.1/32 ip -6 route add blackhole 2a02:4780:dead::beef/128
iptables -A INPUT -d 192.168.0.1/32 -j DROP ip6tables -A INPUT -d 2a02:4780:dead::beef/128 -j DROP
The difference in processing the packets is that
blackhole doesn’t send any packets back to the source while
netfilter generates ICMP responses.
Let’s say you want to filter out blackhole routes from being advertised to BGP neighbors, what you can do? If it’s
/128 then it can be filtered using
prefix-list, otherwise can’t.
route-map bh deny 10 match ip next-hop type blackhole route-map bh deny 20 match ipv6 next-hop type blackhole