Follow

How To: Check for route leaks on a prefix when routed through Silverline using routeviews

 

Description

  • A route leak is propagation of routing announcement(s) beyond their intended scope
  • When routing prefixes over to Silverline for routed DDoS protection, it might be necessary to ensure that the prefix is being routed via the Silverline network and that there are no route leaks for that specific prefix that would potentially bypass Silverline protection.
  • This article explains how to check for route leaks on a prefix when routed through Silverline by using the public route server called "Route Views".

 

Environment

  • Silverline DDoS
  • Routed

 

Procedure

1. Telnet or SSH to the Route Views route server at route-views.routeviews.org

Username: rviews

No password is required.

You should now see a router CLI prompt similar to the one below:

route-views>

2. In order to search for a specific prefix over the internet BGP routing table and routed over Silverline's ASN 55002, use the below example command:

route-views> show ip bgp 107.162.200.0/24 longer-prefixes | include 55002

This will show you prefixes equal to or longer than a /24 prefix length for the specified prefix (in this example, 107.162.200.0). In other words, prefixes with a length from /24 to a /32 for which ASN 55002 is included on their BGP AS-PATH.

Example:

route-views>show ip bgp 107.162.200.0/24 longer-prefixes | inc 55002
N* 107.162.200.0/24 162.251.163.2 0 53767 3257 1299 55002 i
N* 208.51.134.254 0 0 3549 3356 6453 55002 i
N* 198.58.198.255 0 1403 6453 55002 i
N* 212.66.96.126 0 20912 3257 1299 55002 i
N* 144.228.241.130 80 0 1239 1299 55002 i
N* 137.39.3.55 0 701 2914 55002 i
N* 203.181.248.168 0 7660 2516 6453 55002 i
N* 4.68.4.46 0 0 3356 6453 55002 i
N* 12.0.1.63 0 7018 6453 55002 i
N* 140.192.8.16 0 54728 20130 23352 2914 55002 i
N* 198.58.198.254 0 1403 6453 55002 i
N* 64.71.137.241 0 6939 1299 55002 i
N* 206.24.210.80 0 3561 209 3356 1299 55002 i
N* 89.149.178.10 10 0 3257 1299 55002 i
N* 193.0.0.56 0 3333 1257 2914 55002 i
N* 194.85.40.15 0 0 3267 1299 55002 i
N* 94.142.247.3 0 0 8283 6453 55002 i
N* 37.139.139.17 0 0 57866 1299 55002 i
N* 217.192.89.50 0 3303 2914 55002 i
N* 209.124.176.223 0 101 101 2914 55002 i
N* 134.222.87.1 1000 0 286 3257 6453 55002 i
N* 202.93.8.242 0 24441 3491 3491 1299 55002 i
N* 91.218.184.60 0 49788 1299 55002 i
N* 203.62.252.83 0 1221 4637 6453 55002 i
N* 132.198.255.253 0 1351 6939 1299 55002 i
N*> 202.232.0.2 0 2497 2914 55002 i
N* 195.208.112.161 0 3277 3267 1299 55002 i
N* 162.250.137.254 0 4901 6079 1299 55002 i
N* 154.11.12.212 0 0 852 2914 55002 i

The above output shows the prefix being learned by multiple BGP neighbors, all of which show Silverline's ASN 55002 as the originator of this prefix (notice the ASN 55002 at the right-most of each line).

Note: For prefixes where Silverline is not the originator, the ASN 55002 must still be included in the AS-PATH.

3. When a prefix is routed over to Silverline, with the below command we can check for prefixes which do not contain Silverline's ASN 55002 within their AS-PATH, thus indicating a route leak:

route-views>show ip bgp 107.162.200.0/24 longer-prefixes | exclude 55002
BGP table version is 68059466, local router ID is 128.223.51.103
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path
route-views>

In the above example, there were no results shown when excluding ASN 55002 , therefore, in this case there are no route-leaks for this specific prefix, as expected.

 

Note: If you notice route leaking for one of your prefixes, please refer to section "Setting BGP Route Preferences" of KB article: BGP Configuration for DDoS Protection Setup.

 

Related Content

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request