Step 3

Once the target network has been identified during a DDoS attack, apply an outbound policy or export policy to one router (in our example, R1) within the provider network so that the route to the target network is advertised to the other edge routers within the community 666:0.

The following example creates a static route on R1 to the target network 203.0.113.1/32 with a static export policy that applies to the community. When the attack targets change, you only need to create or delete static routes to the target networks. The policy exports them to the edge BGP (Border Gateway Protocol) speakers with the selected community attribute values attached.

R1.1 # edit policy BH_COMM_APPLY
entry bh-comm-apply {
		if match any  {
			nlri 203.0.113.0/24;
			nlri any/32;
		} then {
			community set “666:0”;
		}
}
R1.2 # configure iproute add 203.0.113.1/32 10.0.0.6
R1.3 # enable bgp export static export-policy BH_COMM_APPLY

Alternatively, you can apply the policy as an outbound policy as below:

R1.10 # configure bgp neighbor 10.0.0.2 route-policy out BH_COMM_APPLYR1.11 
# configure bgp neighbor 10.0.0.3 route-policy out BH_COMM_APPLYR1.12 
# configure bgp neighbor 10.0.0.4 route-policy out BH_COMM_APPLY

Published March 2020prev | next

Email this topic

Print this page Print this page

Leave feedback Feedback