In addition to the option to announce /32 or /128 hosts which are under attack, FastNetMon can announce whole networks where the attacked host is located. It may be useful for DDoS scrubbing centre diversion or internal network policy changes (i.e. to move the prefix under attack to in-house scrubbing or move it to another ISP).
We made multiple changes to the BGP announces logic in subnet mode. Please ensure that you run at least 2.0.363 before starting with this guide.
To start with, you need to have a BGP session up and running as documented here.
To enable prefix announces, use the following option for IPv4:
sudo fcli set main gobgp_announce_whole_subnet true
And the following for IPv6:
sudo fcli set main gobgp_announce_whole_subnet_ipv6 true
Then you need to set a list of one or more communities for each case. For IPv4:
sudo fcli set main gobgp_communities_subnet_ipv4 65004:445
sudo fcli set main gobgp_communities_subnet_ipv4 65004:447
For IPv6:
sudo fcli set main gobgp_communities_subnet_ipv6 65004:445
sudo fcli set main gobgp_communities_subnet_ipv6 65004:447
By default, FastNetMon announces the prefix with exactly the same prefix length as the matching entry in networks_list. I.e. if you have specified a /21 prefix there and a host from this network comes under attack, the whole /21 will be announced.
There is an option to control the scope of such announces, so you can set it to the boundary you need, such as /24 (the external DDoS scrubbing case):
sudo fcli set main gobgp_announce_whole_subnet_force_custom_prefix_length true
sudo fcli set main gobgp_announce_whole_subnet_custom_prefix_length 24
For IPv6, it will look like the following:
sudo fcli set main gobgp_announce_whole_subnet_force_custom_ipv6_prefix_length true
sudo fcli set main gobgp_announce_whole_subnet_custom_ipv6_prefix_length 48
After this, specify the next hop used only for subnet announces and commit the configuration:
sudo fcli set main gobgp_next_hop_subnet_ipv4 1.2.3.4
sudo fcli set main gobgp_next_hop_subnet_ipv6 dead::beef
sudo fcli commit
As an alternative option, FastNetMon has the capability to announce a list of networks when their total traffic exceeds a defined threshold value using BGP alerts for total hostgroups.
Starting from 2.0.363, you can assign custom BGP Communities for each hostgroup this way:
sudo fcli set hostgroup aaa bgp_communities_subnet_ipv4 65001:772
sudo fcli commit
Starting from 2.0.364, you can specify a custom next hop for announces for each hostgroup:
sudo fcli set hostgroup aaa bgp_next_hops_subnet_ipv4 1.2.3.4
sudo fcli commit
Starting from 2.0.367, you can specify a custom AS_PATH in the following way:
sudo fcli set main gobgp_as_path_subnet_ipv4 12345
sudo fcli set main gobgp_as_path_subnet_ipv4 56789
sudo fcli commit
Alternatively, you can provide a custom AS_PATH for each hostgroup:
sudo fcli set hostgroup global bgp_as_path_subnet_ipv4 12345
sudo fcli set hostgroup global bgp_as_path_subnet_ipv4 56789
sudo fcli commit
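To see what these options do before pointing them at a live BGP session, the following added Python model (not FastNetMon code) works out which prefix, communities and next hop a subnet announce would carry for an attacked host, covering the networks_list/custom prefix length rule above and the per-hostgroup community and next-hop overrides. It assumes the longest matching networks_list entry wins and that an empty hostgroup override falls back to the main setting; all addresses, hostgroups and option values are constructed samples.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Hostgroup:
    name: str
    networks: list                                   # this hostgroup's networks_list entries
    bgp_communities_subnet_ipv4: list = field(default_factory=list)  # override, [] = use main
    bgp_next_hops_subnet_ipv4: str = ""              # override, "" = use main


@dataclass
class Main:
    gobgp_communities_subnet_ipv4: list
    gobgp_communities_subnet_ipv6: list
    gobgp_next_hop_subnet_ipv4: str
    gobgp_next_hop_subnet_ipv6: str
    gobgp_announce_whole_subnet_force_custom_prefix_length: bool = False
    gobgp_announce_whole_subnet_custom_prefix_length: int = 24
    gobgp_announce_whole_subnet_force_custom_ipv6_prefix_length: bool = False
    gobgp_announce_whole_subnet_custom_ipv6_prefix_length: int = 48


def plan_announce(host, main, hostgroups):
    """Return (prefix, communities, next_hop) for an attacked host, or None when no
    hostgroup network contains it. Assumption: the longest matching network wins."""
    ip = ipaddress.ip_address(host)
    best = None
    for hg in hostgroups:
        for net in hg.networks:
            n = ipaddress.ip_network(net)
            if ip in n and (best is None or n.prefixlen > best[1].prefixlen):
                best = (hg, n)
    if best is None:
        return None
    hg, net = best
    if ip.version == 4:
        force = main.gobgp_announce_whole_subnet_force_custom_prefix_length
        plen = main.gobgp_announce_whole_subnet_custom_prefix_length if force else net.prefixlen
        communities = hg.bgp_communities_subnet_ipv4 or main.gobgp_communities_subnet_ipv4
        next_hop = hg.bgp_next_hops_subnet_ipv4 or main.gobgp_next_hop_subnet_ipv4
    else:
        force = main.gobgp_announce_whole_subnet_force_custom_ipv6_prefix_length
        plen = main.gobgp_announce_whole_subnet_custom_ipv6_prefix_length if force else net.prefixlen
        communities = main.gobgp_communities_subnet_ipv6
        next_hop = main.gobgp_next_hop_subnet_ipv6
    # Mask the host down to the chosen length: the route covers the host's whole block.
    prefix = ipaddress.ip_network(f"{ip}/{plen}", strict=False)
    return str(prefix), list(communities), next_hop


# Constructed sample configuration mirroring the fcli commands on this page.
MAIN = Main(["65004:445", "65004:447"], ["65004:445", "65004:447"], "1.2.3.4", "dead::beef")
HOSTGROUPS = [
    Hostgroup("global", ["10.10.0.0/21", "2001:db8:abc0::/44"]),
    Hostgroup("aaa", ["10.20.30.0/24"], ["65001:772"], "5.6.7.8"),
]

if __name__ == "__main__":
    print(plan_announce("10.10.5.7", MAIN, HOSTGROUPS))
```

Run it with the force_custom_prefix_length flags toggled to confirm that a /21 networks_list entry really is announced as a /21 by default and as a /24 only once the custom length is forced.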