Blackholing Routes
Problem
You don't want to route any traffic to particular networks.
Solution
Define static routes to these networks that discard the traffic:
[edit routing-options]
aviva@router1# set static route 1.0.0.0/8 discard
aviva@router1# set static route 2.0.0.0/8 discard
Discussion
There are some network addresses to which the router should never send traffic, and you never want routes to these networks to be installed in the routing table by any routing protocol. A good practice for dealing with these addresses is to blackhole them. You do this by defining static routes to them with a next hop of discard. Packets sent to these networks are then dropped silently: the router does not send an ICMP (or ICMPv6) unreachable message in response to the traffic. (When there is a reason to have the router send ICMP unreachable messages, use a next hop of reject instead.) Routes with a discard next hop are placed in the forwarding table with a next-hop type of dscd (discard).
Verify that the routes are in the routing table:
aviva@router1> show route

inet.0: 23 destinations, 23 routes (22 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

1.0.0.0/8          *[Static/5] 00:03:41
                      Discard
2.0.0.0/8          *[Static/5] 00:00:02
                      Discard
They are installed in the forwarding table as discard routes:
aviva@router1> show route forwarding-table
Routing table: inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
1.0.0.0/8          user     0                    dscd    12     3
2.0.0.0/8          user     0                    dscd    12     3
A good security practice is to blackhole addresses that have not yet been allocated by IANA to one of the regional Internet registries, such as ARIN or RIPE (see http://www.iana.org/assignments/ipv4-address-space). This recipe shows two of those addresses. For a complete list, see http://www.cymru.com/gillsr/documents/junos-discard-routes.txt. Because these addresses are not allocated and no traffic should be destined for them anyway, you might wonder why you should bother blackholing traffic to them. One reason is to limit a malicious hacker's ability to mount a DoS attack on your router from external spoofed sources. It also reduces the potential for outbound spoofing from your network. Certain spammers may also use unallocated space to send spam, first announcing a prefix from unallocated space, sending their spam, then quickly withdrawing the route. Another reason to blackhole unallocated addresses is to reduce the possibility of prefix hijacking. For example, an AS might announce a /16, and a spammer can announce some unused (or even used) space within that /16.
As a note of caution, unallocated address space changes from time to time as new allocations are made. You need to pay close attention to the changes and update your discard routes and filters accordingly so as not to block legitimate traffic.
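The two maintenance chores this discussion leaves to the reader are keeping the discard list in step with the IANA registry and confirming that every route actually landed with a Discard next hop. The following script is an added example, not part of the Junos Cookbook or of Junos itself: it reads rows in the column layout of IANA's ipv4-address-space.csv (the header shown is assumed; check it against the file you download), emits the corresponding "set" statements, skips any block you route legitimately (an RFC 1918 block used internally, for instance), and parses "show route" output to report blackholes that are missing or installed with the wrong next hop. The registry rows and the "show route" text embedded below are constructed for the example; 1/8 and 2/8 are shown as unallocated, as they were when the recipe was written, although both have since been allocated, which is exactly the drift the caution above describes.

```python
"""Build Junos discard routes from an IANA-style registry file and verify them.

Added example, not cookbook or Junos code. Assumes the IANA CSV header
'Prefix,Designation,Date,Whois,RDAP,Status [1],Note'; adjust if yours differs.
"""
import csv
import io
import ipaddress
import re

# Constructed sample rows in the IANA column layout. Statuses reflect the
# era of the recipe (1/8 and 2/8 unallocated), not today's registry; always
# run against a freshly downloaded file.
IANA_SAMPLE_CSV = """\
Prefix,Designation,Date,Whois,RDAP,Status [1],Note
001/8,IANA - Reserved,,,,UNALLOCATED,
002/8,IANA - Reserved,,,,UNALLOCATED,
003/8,General Electric Company,,whois.arin.net,,LEGACY,
010/8,IANA - Private Use,1995-06,,,RESERVED,
127/8,IANA - Loopback,1981-09,,,RESERVED,
240/8,Future use,1981-09,,,RESERVED,
"""

# Constructed 'show route' output: 127/8 was entered as reject by mistake
# and 240/8 was never configured.
SHOW_ROUTE_SAMPLE = """\
inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.0.0.0/8          *[Static/5] 00:03:41
                      Discard
2.0.0.0/8          *[Static/5] 00:00:02
                      Discard
127.0.0.0/8        *[Static/5] 00:00:02
                      Reject
"""

# Registry statuses whose blocks should never receive traffic.
BLACKHOLE_STATUSES = frozenset({"UNALLOCATED", "RESERVED"})

# Matches the first line of a route entry, e.g. "1.0.0.0/8  *[Static/5] 00:03:41".
ROUTE_RE = re.compile(r"^(\d+(?:\.\d+){3}/\d+)\s+\*?\[(\w+)/\d+\]")


def iana_prefixes(csv_text, statuses=BLACKHOLE_STATUSES):
    """Return the networks whose registry status is in `statuses`."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Status [1]"].strip().upper() not in statuses:
            continue
        # The registry writes the first octet zero-padded, e.g. "010/8".
        octet, length = row["Prefix"].split("/")
        nets.append(ipaddress.ip_network(f"{int(octet)}.0.0.0/{length}"))
    return nets


def blackhole_targets(nets, keep=()):
    """Drop any registry block that overlaps a prefix you legitimately route."""
    keep_nets = [ipaddress.ip_network(p) for p in keep]
    return [n for n in sorted(nets) if not any(n.overlaps(k) for k in keep_nets)]


def discard_config(nets, keep=()):
    """Render one Junos 'set' statement per blackholed block."""
    return [f"set routing-options static route {n} discard"
            for n in blackhole_targets(nets, keep)]


def parse_show_route(output):
    """Map each destination in 'show route' output to its protocol and next hop."""
    routes, current = {}, None
    for line in output.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            current = m.group(1)
            routes[current] = {"protocol": m.group(2), "next_hop": ""}
        elif current and line.startswith(" "):
            # Indented continuation line carries the next hop ("Discard", "Reject", ...).
            routes[current]["next_hop"] = line.strip()
    return routes


def missing_blackholes(expected_nets, show_route_output):
    """Return prefixes that are absent or not installed with a Discard next hop."""
    routes = parse_show_route(show_route_output)
    return [str(n) for n in expected_nets
            if routes.get(str(n), {}).get("next_hop") != "Discard"]


if __name__ == "__main__":
    targets = blackhole_targets(iana_prefixes(IANA_SAMPLE_CSV), keep=("10.0.0.0/8",))
    print("\n".join(discard_config(iana_prefixes(IANA_SAMPLE_CSV), keep=("10.0.0.0/8",))))
    print("needs attention:", missing_blackholes(targets, SHOW_ROUTE_SAMPLE))
```

Run against the samples it prints four "set" lines (10/8 is excluded by the keep list) and flags 127.0.0.0/8 and 240.0.0.0/8 for attention. In practice you would feed it the downloaded registry and the text of "show route" from the router, and diff the generated statements against the committed configuration before each change.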
See Also
Internet Assigned Numbers Authority (IANA) (http://www.iana.org/assignments/ipv4-address-space) and Team Cymru (http://www.cymru.com/gillsr/documents/junos-discard-routes.txt)