Consolidated Blackhole BGP Communities

The ASN blocking page

The best way to block entire ASNs is not a BGP feed; it is part of a route-map applied to a full BGP feed. Given the lack of
interest in it, I am not going to include the mechanism in the CBBC feed; this page explains how to do it on your own router.

I use two sources to decide which ASNs I completely block. The first is Spamhaus' newest ASN DROP:
https://www.spamhaus.org/resource-hub/dnsbl/the-return-of-the-asn-drop/
The actual list: https://www.spamhaus.org/drop/asndrop.json
The Python code to automate its deployment: http://arneill-py.sacramento.ca.us/cbbc/asnblock.py.txt

The second source is a personal list I make by looking at:

The Top 100 of the most offending ASNs (table)
The offending ASN ranking is computed once a day from the CBBC internal feed (if the script runs; check the date).
In terms of numbers, the bad players do not change. The ratio is a good indicator of how good or bad an ASN actually is: a large number of entries is OK for a large ASN, but not for a small one. Some very large ASNs are very clean, with a contamination rate of less than 1 in 1 million. ASNs with ratios below 10 are considered very clean; ASNs with ratios above 1000 are considered very dirty.

Disclaimer

I am fully aware of some serious algorithmic shortcomings, especially in the computation of the number of advertised IPs (the ASN size). When an ASN does not summarize, its size appears bigger than it really is, as it announces the same space multiple times. The current code does not understand the lack of summarization (it just sums up what's in the routing table), which also makes routing-table polluters appear to have a smaller ratio :-(

If you decide to block entire ASNs (I do), which ones you block are your choice. For the internal blackhole feed, I block a total of 34 hand-picked ASNs, a combination of the high-prefix and the high-ratio ones, plus the 200+ usually listed by Spamhaus. Some ASNs are listed just because they are big, some because they are scammer-friendly, some because of a little of both. Everyone will come up with a list that works for their network; let's just say that ASNs that are both high-count and high-ratio generally end up being blocked. Unlike the Spamhaus list, this one is based purely on statistics from the CBBC feed.

How does it work?

You need a BGP full feed. There is one here: https://lukasz.bromirski.net/post/bgp-w-labie-3/ Thanks, Lukasz.

A route to null0, similar to the CBBC:
Somewhere near the top of the route-map for this peer:
And finally, an ip as-path access-list:

The ip as-path access-list is what the Python code at http://arneill-py.sacramento.ca.us/cbbc/asnblock.py.txt generates.
It is not an example of how to write Python, but it works. It needs a privilege-15 user, as it changes the router's configuration.
The code is adaptive: it reads the current ip as-path access-list, deletes what is no longer in the list, and adds new entries.
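As an added illustration (not the asnblock.py script linked above), the adaptive step in Python: parse the ASN list, read what is already in the as-path access-list, and emit only the IOS commands that change it. The list number 99, the two sample inputs and the asndrop.json layout are assumptions made for this example.

```python
import json
import re

# Constructed sample in the JSON Lines layout of asndrop.json (assumed: one
# record per ASN with an "asn" key, plus a trailing metadata record).
ASNDROP_SAMPLE = """\
{"asn":64496,"rir":"arin","domain":"example.net","cc":"US","asname":"EXAMPLE-1"}
{"asn":64497,"rir":"ripencc","domain":"example.org","cc":"NL","asname":"EXAMPLE-2"}
{"type":"metadata","timestamp":1700000000,"size":2}
"""

# Constructed excerpt of the router's running-config for as-path list 99.
RUNNING_CONFIG_SAMPLE = """\
ip as-path access-list 99 permit _64496_
ip as-path access-list 99 permit _64512_
"""

# IOS as-path regex _N_ matches any AS path that contains AS N.
AS_PATH_RE = re.compile(r"^ip as-path access-list (\d+) permit _(\d+)_\s*$")


def load_asndrop(text):
    """Return the set of ASNs listed in an asndrop.json-style document."""
    asns = set()
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            if "asn" in rec:  # the metadata record has no "asn" key
                asns.add(int(rec["asn"]))
    return asns


def current_entries(running_config, acl):
    """Return the ASNs already present in ip as-path access-list <acl>."""
    found = set()
    for line in running_config.splitlines():
        m = AS_PATH_RE.match(line)
        if m and int(m.group(1)) == acl:
            found.add(int(m.group(2)))
    return found


def as_path_acl_diff(running_config, wanted, acl=99, personal=frozenset()):
    """Build the IOS commands that make list <acl> match exactly the ASNs in
    wanted | personal. Returns [] when nothing changes, so the caller can
    leave the router alone and avoid triggering a full BGP table recompute."""
    target = set(wanted) | set(personal)
    have = current_entries(running_config, acl)
    cmds = [f"no ip as-path access-list {acl} permit _{a}_" for a in sorted(have - target)]
    cmds += [f"ip as-path access-list {acl} permit _{a}_" for a in sorted(target - have)]
    return cmds
```

An empty result means the access-list is already current, so nothing is pushed to the router and no BGP table recompute is triggered.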

Warning!

CPU usage can be quite high, especially the first time it runs. 100% CPU for several minutes is to be expected.
Any change in the as-path access-list triggers a recompute of the entire BGP table: one million entries times the number of full feeds.
I run the Spamhaus script once a day, in the middle of the night.

CPU utilization for five seconds: 100%/1%; one minute: 99%; five minutes: 85%
PID Runtime(ms) Invoked uSecs 5Sec 1Min 5Min TTY Process
780 567549287 123908850 4580 94.68% 90.04% 75.57% 0 BGP Router
That's on a Cisco 4321; cheesy processor. Better hardware suffers less.

c4321-michel#guestshell
[guestshell@guestshell ~]$ lscpu
Architecture:          x86_64
Thread(s) per core:    1
Core(s) per socket:    4
Vendor ID:             GenuineIntel
CPU family:            6
Model name:            Intel(R) Atom(TM) CPU C2558 @ 2.40GHz
CPU MHz:               2400.059
L1d cache:             24K
L1i cache:             32K
L2 cache:              1024K