This document is a tutorial intended to help in the configuration of a Cisco router to receive a BGP feed from the MAPS RBL. The MAPS RBL (Mail Abuse Prevention System Realtime Blackhole List) is a list of IP addresses and subnets which are known to be the origination point of "spam" email transmission. The result of configuring your routers to discard packets destined TO these addresses is that you will discard any replies to packets that are sent to you from those addresses. This is efficacious since although you'll still receive the very small TCP SYN packets which the spam-sending mailserver uses to try to initiate an SMTP/TCP session, you'll discard the replying TCP SYN-ACK packets which allow the spam-sending mailserver requires before it can proceed with the transaction and actually send you the (much larger) email itself. Unlike methods of spam-blocking which are implemented on the receiving mailserver, this method elimitates IP transit transmission costs on your side, and avoids all but the minimum of reception costs.An ancillary feature of this method is that the spam-sending mailserver has a limited number of TCP transmission buffers, some of which are reserved for each new attempted TCP transmission... many mailserver-based spam-blocking methods reject TCP connections immediately, which allows the spam-sending host to immediately proceed to the next target. This router-based method instead forces the spam-sending server to continue to hold one of its limited number of TCP transmission buffers in reserve for the entire timeout period of the TCP SYN, thus substantially limiting the number of recipients it can target in any period of time.
A BGP router belonging to the MAPS RBL project will establish an external BGP multi-hop peering session with one or more of your routers. It will feed you a set of routes which describe prefixes from which spam is originating. You use a route-map to modify the next-hop of each of those routes, such that packets to destinations within those subnets are routed to Null0, your router's way of discarding a packet. As spammers come and go, their prefixes will be announced and withdrawn across the RBL's peering session with you, which will dynamically update the routing table in your router.
This example contains both text which must be typed into your router verbatim, and variable text which is dependent upon your specific network's configuration. Text which must be replaced with your specific information I've denoted through the use of a dollar-sign and capital letters, thus: $VARIABLE, and I'll explain what the variable denotes in the body of this document. Any text which you'll need to type is denoted by bold monospaced type, while that which the router displays on its console is shown in plain monospaced type.First, contact the MAPS RBL staff and arrange for a BGP feed. They'll need your Autonomous System Number (ASN), and an IP address for your end of the connection. The ASN is the same number that you use for any other BGP peering that you may already have configured. The IP address should be a single, globally-routable IP address with its own /32 (255.255.255.255) subnet mask. That is, it needs to be a subnet of its own, not an address that's included in a larger subnet that you're already using somewhere else in your network. The address needs to by statically allocated, and it needs to be reachable from the Internet.
In your router, begin by creating a loopback interface with the IP address that you've chosen for your end of the peering session:
Router> enNote that you should not use a preexisting loopback address or interface, even one that you've created specifically for the termination of other BGP peering sessions, because if you're using it for anything else, it won't be portable between routers when you need to reconfigure your network.
Router# configure terminal
Router(config)# interface loopback 7777
Router(config-if)# description MAPS RBL BGP Peering Address
Router(config-if)# ip address $LOOPBACKIPADDRESS 255.255.255.255
Router(config-if)# exit
Router(config)# end
Router#Next, use ping or traceroute to verify that the MAPS RBL router can be reached using the IP address you've chosen:
Router# pingNext, create the BGP route-filter which will keep you from advertising your own routes to the MAPS RBL route-server:
Protocol [ip]:
Target IP address: 204.152.184.35
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: yes
Source address or interface: loopback 7777
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to 204.152.184.35, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 76/105/136 ms
Router#Router# trace
Protocol [ip]:
Target IP address: 204.152.184.35
Source address: $LOOPBACKIPADDRESS
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to dante.mail-abuse.org (204.152.184.35)1 zocalo-gw.pla.mibh.net (128.177.252.2) [AS 3557] 4 msec 4 msec 4 msec
2 ifw2-core.pa.vix.com (204.152.184.5) [AS 3557] 4 msec 4 msec 4 msec
3 dante.mail-abuse.org (204.152.184.35) [AS 3557] 4 msec 4 msec 4 msec
Router#Router(config)# ip access-list extended MAPS-RBLThis filter is absolutely necessary, as the current implementation of the MAPS RBL route-server will not maintain a BGP peering session with any peer which attempts to send it routes. If your outbound filter fails to prevent your router from sending routes to the MAPS RBL route-server, your session will fail each time it's set up, with the error "Write queue size of n exceeded limit of 300 messages."
Router(config-ext-nacl)# deny ip any anyNext, create the route-map and the Null0 "blackhole" route into which you'll direct spam replies:
Router(config)# route-map MAPS-RBL permit 10Last, configure and examine your BGP peering session:
Router(config-route-ma)# set ip next-hop 127.0.77.77
Router(config-route-ma)# set local-preference 7777
Router(config-route-ma)# set community no-export
Router(config-route-ma)# exit
Router(config)# ip route 127.0.77.77 255.255.255.255 Null0Router(config)# router bgp $ASN
Router(config-router)# neighbor 204.152.184.35 remote-as 7777
Router(config-router)# neighbor 204.152.184.35 description MAPS RBL BGP peer
Router(config-router)# neighbor 204.152.184.35 ebgp-multihop
Router(config-router)# neighbor 204.152.184.35 update-source loopback 7777
Router(config-router)# neighbor 204.152.184.35 distribute-list MAPS-RBL out
Router(config-router)# neighbor 204.152.184.35 route-map MAPS-RBL in
Router(config-router)# exit
Router(config)# end
Router#Router# show ip bgp summary
BGP router identifier $LOOPBACKIPADDRESS, local AS number $ASN
BGP table version is 1, main routing table version 1Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
204.152.184.35 4 7777 428 429 1 0 0 00:02:14 4291
Router#
You may wish to add some additional features to the minimal functional example described above. For example, you may wish to discard any announcements of your own prefixes which you hear from the MAPS RBL, so that you don't loose internal connectivity in the event that one of your own customers makes it onto the list. You may wish to create a descriptive DNS PTR record for the IP address associated with your Null0 route, so that folks doing traceroutes to blackholed destinations can discover the reason for their lack of connectivity.
If your router has an IOS image prior to about 12.0, it may not recognize named access lists, in which case you'll see the following error:Router(config)# ip access-list extended MAPS-RBLIf your router gives you such an error, you should use numbered access-lists instead:
^
% Invalid input detected at '^' marker.Router(config)# access-list 77 deny anyThis pair of access lists is redundant, in that the first access-list blocks the exporting of any routes which contain any prefix, and the second one blocks the exporting of routes with any AS-path. This is belt-and-suspenders approach, and generally considered good practice, since it allows you to perform maintenance work on either access-list without affecting the state of the peering session.
Router(config)# ip as-path access-list 77 deny anyIf you use numbered access-lists, your BGP peering session will need to be configured with them by number as well:
Router(config)# router bgp $ASN
Router(config-router)# neighbor 204.152.184.35 remote-as 7777
Router(config-router)# neighbor 204.152.184.35 description MAPS RBL BGP peer
Router(config-router)# neighbor 204.152.184.35 ebgp-multihop
Router(config-router)# neighbor 204.152.184.35 update-source loopback 7777
Router(config-router)# neighbor 204.152.184.35 distribute-list 77 out
Router(config-router)# neighbor 204.152.184.35 filter-list 77 out
Router(config-router)# neighbor 204.152.184.35 route-map MAPS-RBL in
Router(config-router)# exit
Router(config)# end
Router#
Bill Woodcock
Packet Clearing House
404 Balboa
San Francisco, California
94118-3938 USA
woody@pch.net
+1 415 BGP PEER
+1 866 BGP PEER (toll-free in the United States)
http://www.pch.net/documents/tutorials/maps-rbl-bgp-cisco-config-faq.html
http://mail-abuse.org/rbl/maps-rbl-bgp-cisco-config-faq.html
Rev 0.1, August 10, 2000: by Bill Woodcock, based upon Zocalo's January 1997 configuration, so some things may be a little out-of-date. Specifically, is route-mapping next-hop to an address which is statically routed to null0 still the most CPU-efficient way of dropping a packet? Noah, do you want to spin a Juniper version of this document?
Rev 0.2, november 27, 2000: by Bill Woodcock, with addition of warning about failing to filter announcements toward the route-server, per J.D. Falk.