BGP FLOW SPEC | FastNetMon Official site

All this docs about ExaBGP 4.0 (Git master branch)

Clone code:

cd /usr/src/
git clone https://github.com/Exa-Networks/exabgp.git

1 2	cd /usr/src/ git clone https://github.com/Exa-Networks/exabgp.git

They are not compatible with ExaBGP 3.0

Create file /root/announcer.py with your favorite editor:

#!/usr/bin/python

fl=open("/var/run/exabgp.cmd", "w")

fl.write("announce flow route source 4.0.0.0/24 destination 127.0.0.0/24 protocol [ udp ] source-port [ =53 ] destination-port [ =80 ] packet-length [ =777 =1122 ] fragment [ is-fragment dont-fragment ] rate-limit 1024" + '\n')
fl.flush()

fl.close

#!/usr/bin/python

fl=open("/var/run/exabgp.cmd", "w")

fl.write("announce flow route source 4.0.0.0/24 destination 127.0.0.0/24 protocol [ udp ] source-port [ =53 ] destination-port [ =80 ] packet-length [ =777 =1122 ] fragment [ is-fragment dont-fragment ] rate-limit 1024" + '\n')

fl.flush()

fl.close

Please be careful about flush and trailing ‘\n’!!!

Then edit file /etc/exabgp_flowspec.conf:

process announce-routes {
    run /usr/bin/socat stdout pipe:/var/run/exabgp.cmd;
    encoder json;
}

neighbor 127.0.0.1 {
    router-id 1.2.3.4;
    local-address 127.0.0.1;
    local-as 1;
    peer-as 1;
    group-updates false;

  family {
        ipv4 flow;
    }
    api {
        processes [ anounce-routes ];
    }
}

process announce-routes {

run /usr/bin/socat stdout pipe:/var/run/exabgp.cmd;

encoder json;

}

neighbor 127.0.0.1 {

router-id 1.2.3.4;

local-address 127.0.0.1;

local-as 1;

peer-as 1;

group-updates false;

family {

ipv4 flow;

}

api {

processes [ anounce-routes ];

}

Run ExaBGP:

cd /usr/src/exabgp
env  exabgp.api.file=/tmp/exabgp.cmd exabgp.daemon.user=root exabgp.daemon.daemonize=false exabgp.daemon.pid=/var/run/exabgp.pid exabgp.log.destination=/var/log/exabgp.log sbin/exabgp --debug /etc/exabgp_flowspec.conf

1 2	cd /usr/src/exabgp env exabgp.api.file=/tmp/exabgp.cmd exabgp.daemon.user=root exabgp.daemon.daemonize=false exabgp.daemon.pid=/var/run/exabgp.pid exabgp.log.destination=/var/log/exabgp.log sbin/exabgp --debug /etc/exabgp_flowspec.conf

Then, you could run FastNetMon (since 1.1.3) with following options:

# This options are mandatory for Flow Spec attack detector
collect_attack_pcap_dumps = on
process_pcap_attack_dumps_with_dpi = on

exabgp = on
exabgp_command_pipe = /var/run/exabgp.cmd
exabgp_community = 65001:666
exabgp_next_hop = 10.0.3.114

exabgp_flow_spec_announces = on

# Please switch off unicast BGP announces with ExaBGP because they are not compatible with Flow Spec
exabgp_announce_whole_subnet = no
exabgp_announce_host = no

# This options are mandatory for Flow Spec attack detector

collect_attack_pcap_dumps = on

process_pcap_attack_dumps_with_dpi = on

exabgp = on

exabgp_command_pipe = /var/run/exabgp.cmd

exabgp_community = 65001:666

exabgp_next_hop = 10.0.3.114

exabgp_flow_spec_announces = on

# Please switch off unicast BGP announces with ExaBGP because they are not compatible with Flow Spec

exabgp_announce_whole_subnet = no

exabgp_announce_host = no

Be aware! We will announce rules with discard option!

Currently we support only most popular amplification attack types:

DNS amplification (we drop all udp traffic originating from 53 port
NTP amplification (we drop all udp traffic originating from 123 port)
SSDP amplification (we drop all udp traffic originating from 1900 port)
SNMP amplification (we drop all udp traffic originating from 161 port)