Step 3
Once the target network has been identified during a DDoS attack, apply an outbound
policy or export policy to one router (in our example, R1) within the provider network so that
the route to the target network is advertised to the other edge routers within the community
666:0.
The following example creates a static route on R1 to the target
network 203.0.113.1/32 with a static export policy that applies to the community. When the
attack targets change, you only need to create or delete static routes to the target networks.
The policy exports them to the edge BGP speakers with the selected community attribute values
attached.
R1.1 # edit policy BH_COMM_APPLY
entry bh-comm-apply {
if match any {
nlri 203.0.113.0/24;
nlri any/32;
} then {
community set “666:0”;
}
}
R1.2 # configure iproute add 203.0.113.1/32 10.0.0.6
R1.3 # enable bgp export static export-policy BH_COMM_APPLY
Alternatively, you can apply the policy as an outbound policy as
below:
R1.10 # configure bgp neighbor 10.0.0.2 route-policy out BH_COMM_APPLYR1.11
# configure bgp neighbor 10.0.0.3 route-policy out BH_COMM_APPLYR1.12
# configure bgp neighbor 10.0.0.4 route-policy out BH_COMM_APPLY