In addition to the option to announce /32 or /128 hosts which are under attack, FastNetMon can announce the whole network in which the attacked host is located. This may be useful for DDoS scrubbing centre diversion or for internal network policy changes (for example, to move the prefix under attack to in-house scrubbing or to another ISP).

First of all, you need to have a BGP session up and running as documented here.

To enable prefix announcements, use the following option for IPv4:

sudo fcli set main gobgp_announce_whole_subnet true

And the following for IPv6:

sudo fcli set main gobgp_announce_whole_subnet_ipv6 true

Then you need to set a list of one or more communities for each case. For IPv4:

sudo fcli set main gobgp_communities_subnet_ipv4 65004:445
sudo fcli set main gobgp_communities_subnet_ipv4 65004:447

For IPv6:

sudo fcli set main gobgp_communities_subnet_ipv6 65004:445
sudo fcli set main gobgp_communities_subnet_ipv6 65004:447

By default, FastNetMon will use exactly the same prefix length as specified in networks_list. For example, if you've specified a prefix as /21 and a host from this network is attacked, the network will be announced as /21.

An option controls the scope of such announcements, so you can set it to the required boundary, such as /24 (the external DDoS scrubbing case):

sudo fcli set main gobgp_announce_whole_subnet_force_custom_prefix_length true 
sudo fcli set main gobgp_announce_whole_subnet_custom_prefix_length 24

For IPv6 it looks like this:

sudo fcli set main gobgp_announce_whole_subnet_force_custom_ipv6_prefix_length true
sudo fcli set main gobgp_announce_whole_subnet_custom_ipv6_prefix_length 48

The next hop setup is shared with standard blackhole announcements and can be set this way:

sudo fcli set main gobgp_next_hop 1.2.3.4
sudo fcli set main gobgp_next_hop_ipv6 100::1
sudo fcli commit
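
The prefix length rules described above can be previewed offline before they are committed. The following is an added example, not FastNetMon code: it computes which prefix would be announced for an attacked host with the default behaviour and with a forced custom length. The function name, the sample networks_list and the warning for a forced length that is wider than the configured network are assumptions; this page does not say how FastNetMon handles that case.

```python
import ipaddress

# Constructed sample networks_list, not taken from a real deployment.
NETWORKS_LIST = ["198.51.100.0/25", "203.0.113.0/24", "10.16.0.0/21", "2001:db8::/32"]


def announced_prefix(host, networks_list, custom_len_v4=None, custom_len_v6=None):
    """Return (prefix, warning) for an attacked host (hypothetical helper).

    custom_len_* = None models the default: reuse the networks_list prefix length.
    An integer models the forced custom prefix length for that address family.
    """
    ip = ipaddress.ip_address(host)
    # Most specific configured network of the same family that contains the host.
    matches = [n for n in map(ipaddress.ip_network, networks_list)
               if n.version == ip.version and ip in n]
    if not matches:
        return None, "host is not covered by networks_list"
    parent = max(matches, key=lambda n: n.prefixlen)

    custom = custom_len_v4 if ip.version == 4 else custom_len_v6
    if custom is None:
        return parent, None

    # Mask the host address down to the forced length.
    forced = ipaddress.ip_network(f"{ip}/{custom}", strict=False)
    if forced.prefixlen < parent.prefixlen:
        # The forced prefix is wider than the configured network, so an
        # announcement would cover addresses outside networks_list.
        return forced, f"{forced} is wider than configured {parent}"
    return forced, None


if __name__ == "__main__":
    for host in ("10.16.5.9", "198.51.100.10", "2001:db8:1:2::5"):
        default, _ = announced_prefix(host, NETWORKS_LIST)
        forced, warning = announced_prefix(host, NETWORKS_LIST, 24, 48)
        print(f"{host}: default {default}, forced {forced}, warning: {warning}")
```
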

As an alternative, FastNetMon can announce a list of networks when their total traffic exceeds a defined threshold, using BGP alerts for total hostgroups.
