Once the target network has been identified
during a DDoS attack, apply an outbound policy or export policy to one router (in our example,
R1) within the provider network so that the route to the target network is advertised to the
other edge routers within the community 666:0.The following example
creates a static route on R1 to the target network 203.0.113.1/32 with a static export
policy that applies to the community. When the attack targets change, you only need to
create or delete static routes to the target networks. The policy exports them to the edge
BGP speakers with the selected community attribute values
attached.
R1.1 # edit policy BH_COMM_APPLY
entry bh-comm-apply {
if match any {
nlri 203.0.113.0/24;
nlri any/32;
} then {
community set “666:0”;
}
}
R1.2 # configure iproute add 203.0.113.1/32 10.0.0.6
R1.3 # enable bgp export static export-policy BH_COMM_APPLY
Alternatively, you can apply the policy as an outbound policy as
below:
R1.10 # configure bgp neighbor 10.0.0.2 route-policy out BH_COMM_APPLYR1.11
# configure bgp neighbor 10.0.0.3 route-policy out BH_COMM_APPLYR1.12
# configure bgp neighbor 10.0.0.4 route-policy out BH_COMM_APPLY
