Step 3

Once the target network has been identified during a DDoS attack, apply an outbound policy or export policy to one router (in our example, R1) within the provider network so that the route to the target network is advertised to the other edge routers within the community 666:0.

The following example creates a static route on R1 to the target network 203.0.113.1/32 with a static export policy that applies to the community. When the attack targets change, you only need to create or delete static routes to the target networks. The policy exports them to the edge BGP speakers with the selected community attribute values attached.

R1.1 # edit policy BH_COMM_APPLY
entry bh-comm-apply {
		if match any  {
			nlri 203.0.113.0/24;
			nlri any/32;
		} then {
			community set “666:0”;
		}
}
R1.2 # configure iproute add 203.0.113.1/32 10.0.0.6
R1.3 # enable bgp export static export-policy BH_COMM_APPLY

Alternatively, you can apply the policy as an outbound policy as below:

R1.10 # configure bgp neighbor 10.0.0.2 route-policy out BH_COMM_APPLYR1.11 
# configure bgp neighbor 10.0.0.3 route-policy out BH_COMM_APPLYR1.12 
# configure bgp neighbor 10.0.0.4 route-policy out BH_COMM_APPLY

Switching

Routing

Wireless

Management & Automation

Analytics & Visibility

Security & Access Control

Remote

Cloud

Security

Machine Learning

Campus Fabric

Data Center Fabric

Internet of Things

Wi-Fi 6

Primary & Secondary Education (K-12)

Retail

Service Providers

Federal Government

Manufacturing

Higher Education

Healthcare

Hospitality

State & Local Government

Sports & Public Venues

Support Portal

Knowledge Base

Documentation

End of Sale

Policies & Warranties

Training & Courses

Maintenance Services

Premier Services

Professional Services

Managed Services

Step 3