As an addition to capability to inject IP feeds to BGP routing table and block them this way we provide capability to block certain countries from reaching service.
Please note that this approach can be used only for compliance reasons in regulated industries where you’re certain that you cannot have legitimate users in blocked countries.
Please do not use this approach for DDoS mitigation reasons as DDoS traffic is very often spoofed and country which is source of attack may not have anything in common with country where malicious actors are located.
To use this capability you will need to request plugin which implements capability from our support team. Please note that this capability may not be included in your current license and may be subject of additional charges.
To use this logic you will need to have FastNetMon Advanced installed with active license for it. Also you will need to setup BGP peering session with your routers. Then you need to create configuration file /etc/country_lockdown.json:
{
"geoip_path": "/usr/share/GeoIP/GeoIP2-Country.mmdb",
"gobgp_api_host": "127.0.0.1:50051",
"bgp_ipv4_next_hop": "10.0.0.1",
"bgp_ipv4_communities": [ "900:123", "1783:9000" ],
"country_block_list": [ "TV" ],
"ip_allow_list": [ "202.2.96.2" ]
}
Please note that you need to obtain MaxMind directly from them as it’s not included in our product. Alternatively, you can use data supplied by ipinfo.io.
You will need to adjust the path to GeoIP2-Country.mmdb if it differs, please check that you have logic to automatically update this file.
You can find all country codes used by MaxMind on this page: https://www.geonames.org/countries/
ip_allow_list list can include IP addresses from blocked countries and it will explicitly split prefixes which include them into multiple prefixes to explicitly avoid blocking them. Please note that it may significantly increase number of prefixes if you add many IPs to this list.
After finishing configuration please use the file in attachment and upload it to the server. Then you need to set executable bit for it:
chmod +x country_lockdown
After that you can run it and it will announce all prefixes to block using our BGP daemon:
./country_lockdown
Example output will be following:
./country_lockdown
2023/06/30 18:13:44 Loaded GeoIP file: {BinaryFormatMajorVersion:2 BinaryFormatMinorVersion:0 BuildEpoch:1687446147 DatabaseType:GeoIP2-Country Description:map[en:GeoIP2 Country database] IPVersion:6 Languages:[de en es fr ja pt-BR ru zh-CN] NodeCount:977873 RecordSize:24}
2023/06/30 18:13:44 GeoIP database has correct format
2023/06/30 18:13:44 Will use next hop: 10.0.0.1
2023/06/30 18:13:44 We have 1 countries in country block list
2023/06/30 18:13:44 Loading prefixes for country code: TV
2023/06/30 18:13:47 Successfully loaded 41 prefixes which belong to this country
2023/06/30 18:13:47 Country prefixes: [5.62.56.241/32 5.62.56.242/31 5.62.58.221/32 5.62.58.222/31 14.137.42.0/24 31.42.183.228/32 45.11.240.128/26 45.42.220.0/24 45.138.10.36/30 57.70.170.0/23 57.71.64.0/20 104.28.13.128/31 104.28.13.130/32 104.28.29.83/32 104.28.29.84/32 104.28.35.98/31 104.28.72.30/31 104.28.90.84/31 104.28.125.92/31 104.28.220.236/30 104.28.220.240/31 104.28.252.236/30 104.28.252.240/31 104.167.192.0/24 136.23.10.195/32 136.23.21.19/32 140.248.20.22/31 146.75.136.22/31 146.75.160.154/31 146.75.190.28/31 172.225.62.192/27 172.225.231.96/28 172.225.245.32/28 194.50.99.228/32 194.50.111.228/32 196.48.196.0/24 196.56.196.0/24 196.197.196.0/24 196.198.196.0/24 196.199.196.0/24 202.2.96.0/19]
2023/06/30 18:13:47 We have 1 entries in allow list
2023/06/30 18:13:47 Allow list: [202.2.96.2]
2023/06/30 18:13:47 We have 2 communities in configuration
2023/06/30 18:13:47 53 prefixes to block
2023/06/30 18:13:47 Prefixes to block [5.62.56.241/32 5.62.56.242/31 5.62.58.221/32 5.62.58.222/31 14.137.42.0/24 31.42.183.228/32 45.11.240.128/26 45.42.220.0/24 45.138.10.36/30 57.70.170.0/23 57.71.64.0/20 104.28.13.128/31 104.28.13.130/32 104.28.29.83/32 104.28.29.84/32 104.28.35.98/31 104.28.72.30/31 104.28.90.84/31 104.28.125.92/31 104.28.220.236/30 104.28.220.240/31 104.28.252.236/30 104.28.252.240/31 104.167.192.0/24 136.23.10.195/32 136.23.21.19/32 140.248.20.22/31 146.75.136.22/31 146.75.160.154/31 146.75.190.28/31 172.225.62.192/27 172.225.231.96/28 172.225.245.32/28 194.50.99.228/32 194.50.111.228/32 196.48.196.0/24 196.56.196.0/24 196.197.196.0/24 196.198.196.0/24 196.199.196.0/24 202.2.96.0/31 202.2.96.3/32 202.2.96.4/30 202.2.96.8/29 202.2.96.16/28 202.2.96.32/27 202.2.96.64/26 202.2.96.128/25 202.2.97.0/24 202.2.98.0/23 202.2.100.0/22 202.2.104.0/21 202.2.112.0/20]
2023/06/30 18:13:47 Successfully connected to GoBGP
2023/06/30 18:13:47 Load all active announces
2023/06/30 18:13:47 Active announces: []
2023/06/30 18:13:47 Finished withdrawal process
2023/06/30 18:13:47 Skipped following prefixes as already active []
2023/06/30 18:13:47 Prepare to announce prefixes [5.62.56.241/32 5.62.56.242/31 5.62.58.221/32 5.62.58.222/31 14.137.42.0/24 31.42.183.228/32 45.11.240.128/26 45.42.220.0/24 45.138.10.36/30 57.70.170.0/23 57.71.64.0/20 104.28.13.128/31 104.28.13.130/32 104.28.29.83/32 104.28.29.84/32 104.28.35.98/31 104.28.72.30/31 104.28.90.84/31 104.28.125.92/31 104.28.220.236/30 104.28.220.240/31 104.28.252.236/30 104.28.252.240/31 104.167.192.0/24 136.23.10.195/32 136.23.21.19/32 140.248.20.22/31 146.75.136.22/31 146.75.160.154/31 146.75.190.28/31 172.225.62.192/27 172.225.231.96/28 172.225.245.32/28 194.50.99.228/32 194.50.111.228/32 196.48.196.0/24 196.56.196.0/24 196.197.196.0/24 196.198.196.0/24 196.199.196.0/24 202.2.96.0/31 202.2.96.3/32 202.2.96.4/30 202.2.96.8/29 202.2.96.16/28 202.2.96.32/27 202.2.96.64/26 202.2.96.128/25 202.2.97.0/24 202.2.98.0/23 202.2.100.0/22 202.2.104.0/21 202.2.112.0/20]
2023/06/30 18:13:47 Announce 5.62.56.241/32
2023/06/30 18:13:47 Announce 5.62.56.242/31
2023/06/30 18:13:47 Announce 5.62.58.221/32
2023/06/30 18:13:47 Announce 5.62.58.222/31
2023/06/30 18:13:47 Announce 14.137.42.0/24
2023/06/30 18:13:47 Announce 31.42.183.228/32
2023/06/30 18:13:47 Announce 45.11.240.128/26
2023/06/30 18:13:47 Announce 45.42.220.0/24
2023/06/30 18:13:47 Announce 45.138.10.36/30
2023/06/30 18:13:47 Announce 57.70.170.0/23
2023/06/30 18:13:47 Announce 57.71.64.0/20
2023/06/30 18:13:47 Announce 104.28.13.128/31
2023/06/30 18:13:47 Announce 104.28.13.130/32
2023/06/30 18:13:47 Announce 104.28.29.83/32
2023/06/30 18:13:47 Announce 104.28.29.84/32
2023/06/30 18:13:47 Announce 104.28.35.98/31
2023/06/30 18:13:47 Announce 104.28.72.30/31
2023/06/30 18:13:47 Announce 104.28.90.84/31
2023/06/30 18:13:47 Announce 104.28.125.92/31
2023/06/30 18:13:47 Announce 104.28.220.236/30
2023/06/30 18:13:47 Announce 104.28.220.240/31
2023/06/30 18:13:47 Announce 104.28.252.236/30
2023/06/30 18:13:47 Announce 104.28.252.240/31
2023/06/30 18:13:47 Announce 104.167.192.0/24
2023/06/30 18:13:47 Announce 136.23.10.195/32
2023/06/30 18:13:47 Announce 136.23.21.19/32
2023/06/30 18:13:47 Announce 140.248.20.22/31
2023/06/30 18:13:47 Announce 146.75.136.22/31
2023/06/30 18:13:47 Announce 146.75.160.154/31
2023/06/30 18:13:47 Announce 146.75.190.28/31
2023/06/30 18:13:47 Announce 172.225.62.192/27
2023/06/30 18:13:47 Announce 172.225.231.96/28
2023/06/30 18:13:47 Announce 172.225.245.32/28
2023/06/30 18:13:47 Announce 194.50.99.228/32
2023/06/30 18:13:47 Announce 194.50.111.228/32
2023/06/30 18:13:47 Announce 196.48.196.0/24
2023/06/30 18:13:47 Announce 196.56.196.0/24
2023/06/30 18:13:47 Announce 196.197.196.0/24
2023/06/30 18:13:47 Announce 196.198.196.0/24
2023/06/30 18:13:47 Announce 196.199.196.0/24
2023/06/30 18:13:47 Announce 202.2.96.0/31
2023/06/30 18:13:47 Announce 202.2.96.3/32
2023/06/30 18:13:47 Announce 202.2.96.4/30
2023/06/30 18:13:47 Announce 202.2.96.8/29
2023/06/30 18:13:47 Announce 202.2.96.16/28
2023/06/30 18:13:47 Announce 202.2.96.32/27
2023/06/30 18:13:47 Announce 202.2.96.64/26
2023/06/30 18:13:47 Announce 202.2.96.128/25
2023/06/30 18:13:47 Announce 202.2.97.0/24
2023/06/30 18:13:47 Announce 202.2.98.0/23
2023/06/30 18:13:47 Announce 202.2.100.0/22
2023/06/30 18:13:47 Announce 202.2.104.0/21
2023/06/30 18:13:47 Announce 202.2.112.0/20
2023/06/30 18:13:47 Success
After testing that it works as expected you can add this tool to cron to run it every day or you can run it manually.
On each run it will add new announcements and withdraw irrelevant / stale prefixes.
You can check list of outgoing BGP announces from our BGP daemon that way:
gobgp global rib
You can add example prefixes that way:
gobgp global rib add 8.88.88.8/24
You can delete example prefixes that way:
gobgp global del 8.88.88.8/24