ebarkie/blackhole-threats

Blackhole threats (with GoBGP)

Stand-alone BGP route server, based on GoBGP, that periodically downloads IPv4/IPv6 threat feeds, summarizes the prefixes they contain and maintains them as routes. Routers can then peer with it over iBGP and blackhole those routes.
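The download-summarize-advertise loop is where a feed can hurt you: an entry that covers your own address space, a default route, or a very short prefix becomes a blackhole for everything behind it the moment it is advertised, and a download that fails to parse can silently empty the route set. The Go program below is an added illustration of that feed handling; it is not the project's code and does not talk to the GoBGP API. It parses a constructed sample feed, refuses entries that are shorter than a minimum length or overlap a protected list (both the limits and the list are assumptions chosen for the example), and collapses the rest into the minimal prefix set a route server would hand to GoBGP.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// feed is a constructed sample (not a real feed) in the one-entry-per-line format many blocklists use; '#' and ';' start comments.
const feed = `203.0.113.8/31
203.0.113.10/31     ; sibling of the /31 above
198.51.100.0/24
198.51.100.0/25     # covered by the /24
2001:db8:bad::/48
0.0.0.0/0           # poisoned entry: would blackhole everything
10.20.30.40         # private space this network uses internally
evil.example        # hostnames are not accepted
`
// protected prefixes never become blackhole routes, whatever a feed says
// (example list; a real deployment adds its own infrastructure here).
var protected = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("fc00::/7"),
}

// ParseFeed turns feed text into masked prefixes (bare addresses become /32 or /128).
// Malformed lines are reported, not skipped: a corrupted download must not silently shrink the blackhole set.
func ParseFeed(text string) (out []netip.Prefix, errs []error) {
	for n, line := range strings.Split(text, "\n") {
		if i := strings.IndexAny(line, "#;"); i >= 0 {
			line = line[:i]
		}
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		if p, err := netip.ParsePrefix(line); err == nil {
			out = append(out, p.Masked())
		} else if a, err := netip.ParseAddr(line); err == nil {
			out = append(out, netip.PrefixFrom(a, a.BitLen()))
		} else {
			errs = append(errs, fmt.Errorf("line %d: %q is not an address or CIDR", n+1, line))
		}
	}
	return out, errs
}

// Safe rejects prefixes shorter than minV4/minV6 bits (so one feed line cannot take out a large block) and any overlapping a protected prefix.
func Safe(p netip.Prefix, minV4, minV6 int) bool {
	if (p.Addr().Is4() && p.Bits() < minV4) || (p.Addr().Is6() && p.Bits() < minV6) {
		return false
	}
	for _, q := range protected {
		if q.Overlaps(p) {
			return false
		}
	}
	return true
}

// Summarize drops prefixes covered by a shorter one and merges sibling pairs (the two halves of one parent) into that parent, cascading upward.
func Summarize(in []netip.Prefix) []netip.Prefix {
	ps := append([]netip.Prefix(nil), in...)
	sort.Slice(ps, func(i, j int) bool { // by address, covering (shorter) prefix first
		return ps[i].Addr().Less(ps[j].Addr()) || ps[i].Addr() == ps[j].Addr() && ps[i].Bits() < ps[j].Bits()
	})
	var out []netip.Prefix
	for _, p := range ps {
		if n := len(out); n > 0 && out[n-1].Overlaps(p) {
			continue // duplicate, or already covered by the prefix just kept
		}
		out = append(out, p)
		for n := len(out); n > 1 && out[n-2].Bits() == out[n-1].Bits() && out[n-1].Bits() > 0; n = len(out) {
			parent := netip.PrefixFrom(out[n-2].Addr(), out[n-2].Bits()-1).Masked()
			if !parent.Contains(out[n-1].Addr()) {
				break // same length but not siblings
			}
			out = append(out[:n-2], parent)
		}
	}
	return out
}

// BlackholeSet is what a route server would hand to GoBGP, plus what it should log.
func BlackholeSet(text string, minV4, minV6 int) (kept, refused []netip.Prefix, errs []error) {
	parsed, errs := ParseFeed(text)
	for _, p := range parsed {
		if Safe(p, minV4, minV6) {
			kept = append(kept, p)
		} else {
			refused = append(refused, p)
		}
	}
	return Summarize(kept), refused, errs
}

func main() {
	fmt.Println(BlackholeSet(feed, 24, 48))
}
```

Run with `go run`: the two /31s come back as one /30, the /25 disappears under its /24, the default route and the private address land in the refused list, and the hostname line produces a parse error. The refused list and the errors are the things a deployment should log and alert on, because a feed that suddenly lists your own prefixes, or stops parsing at all, is the main operational risk of an automatic blackhole.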

Usage

Usage of ./blackhole-threats:
  -debug
    	Enable debug logging
  -conf string
    	GoBGP configuration file (default "gobgpd.conf")
  -feed value
    	Threat intelligence feed (use multiple times)
  -refresh-rate duration
    	Refresh timer (default 2h0m0s)

Feeds

Some threat intelligence feeds:

Configuration

GoBGP

[global.config]
  as = 64512
  router-id = "192.168.1.2"

[[neighbors]]
  [neighbors.config]
    neighbor-address = "192.168.1.1"
    peer-as = 64512
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "ipv4-unicast"
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "ipv6-unicast"
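The sample configuration above runs the iBGP session without authentication, so any host that can reach the router from the route server's address could inject routes carrying the 64512:666 community and blackhole whatever it likes. The following variant is an added hardening example, not part of the project's sample configuration: the same neighbor with TCP MD5 authentication (RFC 2385) enabled through GoBGP's `auth-password` neighbor option. The password is a placeholder; it must match `tcp-md5-key=` on the RouterOS peer (v6) or connection (v7).

```toml
[global.config]
  as = 64512
  router-id = "192.168.1.2"

[[neighbors]]
  [neighbors.config]
    neighbor-address = "192.168.1.1"
    peer-as = 64512
    # TCP MD5 on the session; placeholder value, same key as
    # tcp-md5-key= on the RouterOS side.
    auth-password = "change-me"
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "ipv4-unicast"
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "ipv6-unicast"
```

Authentication protects the transport, not the content: the router-side filter that accepts only routes tagged 64512:666 is still what limits the blast radius, so keep it even once the session is authenticated.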

Mikrotik RouterOS

v6

/routing bgp instance
set default as=64512
/routing bgp peer
add address-families=ip,ipv6 allow-as-in=2 in-filter=threats-in name=threats remote-address=\
    192.168.1.2 ttl=default
/routing filter
add action=accept address-family=ip bgp-communities=64512:666 chain=threats-in comment=\
    "Blackhole IPv4 C&C and don't route or peer addresses" protocol=bgp set-type=blackhole
add address-family=ipv6 bgp-communities=64512:666 chain=threats-in comment=\
    "Unreachable IPv6 C&C and don't route or peer addresses" protocol=bgp set-type=unreachable

v7

/routing bgp template
set default as=64512 disabled=no routing-table=main
/routing bgp connection
add address-families=ip,ipv6 as=64512 disabled=no input.allow-as=2 .filter=threats-in local.role=ibgp \
    name=threats remote.address=192.168.1.2 routing-table=main templates=default
/routing filter rule
add chain=threats-in comment="Blackhole C&C and don't route or peer addresses" disabled=no rule=\
    "if (bgp-communities equal 64512:666) {set blackhole yes; accept}"

License

Copyright (c) 2021 Eric Barkie. All rights reserved.
Use of this source code is governed by the MIT license that can be found in the LICENSE file.