amuck-landowner

Automatic nullroute on Juniper gear?

dcdan

New Member
Verified Provider
It seems that the obvious way of automatically adding nullroutes on, say, a Juniper EX3200 would be logging in via ssh (with python/phpseclib/etc...) and adding them straight into the configuration and committing. Just wanted to check with the community if this is the only way to go or there are alternative/better ways to deal with this. I do not feel like storing ssh root passwords or private keys to our gear in plain text is a great idea to be honest.

Also, you're using sflow to detect what to nullroute, riiight?

Wintereise

New Member
>> Just wanted to check with the community if this is the only way to go or there are alternative/better ways to deal with this

BGP, granted that on EX requires an AFL to be fully legal. But for most firmware revisions ('JunOS,' even up to 12.3R3.4), invoking BGP only creates a nag message at commit time.

You want to set up a peer that announces prefixes to be nullrouted (preferably with a community, i.e. 64000:666), and then act on that filter to set the nexthop to lo. Note that this will not prevent your pipe from being flooded (unless your nullroutes propagate upstream, see below.)

If you have upstreams connected via BGP as well, you could announce it out again with THEIR blackhole maps if you so desired.

IGP distribution may also work, but aside from OSPF -- that also requires an AFL. Communication is also usually through multicast solutions.

Also, you're using sflow to detect what to nullroute, riiight?

We use a mixture of sflow/IPFIX depending on the edge device.

dcdan

New Member
Verified Provider
@Wintereise:

To clarify, we do run BGP. The issue is that we are currently adding/removing nullroutes manually. The goal is to automate DoS detection and adding nullroutes.

So you are feeding sflow into a dedicated machine that runs custom-coded scripts which detect floods, correct? What exactly happens when it detects a flood, would the monitoring system log into the switch via SSH and add a nullroute via standard cli means?

Wintereise

New Member
>> What exactly happens when it detects a flood, would the monitoring system log into the switch via SSH and add a nullroute via standard cli means?

No, it would announce the prefix via BGP to the edge routers -- which would in turn set the nexthop to lo0/null0 (depending on platform), and propagate it upstream after tagging it with RTBH communities.

Exabgp / openbgpd can be used to do this (PF_KEY required for the latter, so BSD only. MD5 auth is recommended for rtbh route servers.)

For exabgp, you want to set up a parsed route backend that runs infinitely and tells it what to announce and what to withdraw.

Pseudocode might be something like,

```php
// run forever: every 50 seconds, print the pending announce/withdraw
// lines to stdout, which is where exabgp reads them from its process
while (true) {
    sleep(50);
    echo Response::bgp($this->getPendingOperations());
    flush();
}
```


Of course, this all involves some sort of coding.
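An added example of such a backend, not code from the thread: an exabgp process script in Python (exabgp's own language) that turns queued announce/withdraw requests into text-API lines on stdout. The discard next-hop, the queue-file path and the line format of the queue are assumptions; 64000:666 is the example community from the post, and prefixes wider than /24 are refused so a bad line from the detector cannot blackhole a large block.

```python
import ipaddress
import sys
import time

# Assumed values, not from the thread: the discard next-hop and the queue file
# are placeholders; 64000:666 is the example community the post mentions.
BLACKHOLE_NEXT_HOP = "192.0.2.1"
RTBH_COMMUNITY = "64000:666"
MIN_PREFIX_LEN = 24  # never blackhole anything wider than a /24


def bgp_lines(pending, next_hop=BLACKHOLE_NEXT_HOP, community=RTBH_COMMUNITY):
    """Turn (op, prefix) pairs into exabgp text-API lines; unknown ops, bad
    prefixes and prefixes wider than MIN_PREFIX_LEN are dropped."""
    lines = []
    for op, prefix in pending:
        if op not in ("announce", "withdraw"):
            continue
        try:
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError:
            continue
        if net.version != 4 or net.prefixlen < MIN_PREFIX_LEN:
            continue
        line = f"{op} route {net} next-hop {next_hop}"
        if op == "announce":
            line += f" community [{community}]"
        lines.append(line)
    return lines


def read_pending(path):
    """Read 'announce 203.0.113.7/32' style lines queued by the flow detector."""
    with open(path) as fh:
        return [tuple(p) for p in (raw.split() for raw in fh) if len(p) == 2]


if __name__ == "__main__":
    # exabgp starts this script and reads the announce/withdraw lines on stdout
    queue = sys.argv[1] if len(sys.argv) > 1 else "/var/run/rtbh-pending.txt"
    while True:
        try:
            for line in bgp_lines(read_pending(queue)):
                sys.stdout.write(line + "\n")
            sys.stdout.flush()
            open(queue, "w").close()  # queue consumed; truncate it
        except FileNotFoundError:
            pass
        time.sleep(50)
```

Point exabgp at it with a `process` block (`encoder text;`) attached to the neighbor facing your edge routers, and have the detector append lines to the queue file instead of logging into the switch.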