All this docs about ExaBGP 4.0 (Git master branch)
Clone code:
cd /usr/src/ git clone https://github.com/Exa-Networks/exabgp.git
They are not compatible with ExaBGP 3.0
Create file /root/announcer.py with your favorite editor:
#!/usr/bin/python fl=open("/var/run/exabgp.cmd", "w") fl.write("announce flow route source 4.0.0.0/24 destination 127.0.0.0/24 protocol [ udp ] source-port [ =53 ] destination-port [ =80 ] packet-length [ =777 =1122 ] fragment [ is-fragment dont-fragment ] rate-limit 1024" + '\n') fl.flush() fl.close
Please be careful about flush and trailing ‘\n’!!!
Then edit file /etc/exabgp_flowspec.conf:
process announce-routes { run /usr/bin/socat stdout pipe:/var/run/exabgp.cmd; encoder json; } neighbor 127.0.0.1 { router-id 1.2.3.4; local-address 127.0.0.1; local-as 1; peer-as 1; group-updates false; family { ipv4 flow; } api { processes [ anounce-routes ]; } }
Run ExaBGP:
cd /usr/src/exabgp env exabgp.api.file=/tmp/exabgp.cmd exabgp.daemon.user=root exabgp.daemon.daemonize=false exabgp.daemon.pid=/var/run/exabgp.pid exabgp.log.destination=/var/log/exabgp.log sbin/exabgp --debug /etc/exabgp_flowspec.conf
Then, you could run FastNetMon (since 1.1.3) with following options:
# This options are mandatory for Flow Spec attack detector collect_attack_pcap_dumps = on process_pcap_attack_dumps_with_dpi = on exabgp = on exabgp_command_pipe = /var/run/exabgp.cmd exabgp_community = 65001:666 exabgp_next_hop = 10.0.3.114 exabgp_flow_spec_announces = on # Please switch off unicast BGP announces with ExaBGP because they are not compatible with Flow Spec exabgp_announce_whole_subnet = no exabgp_announce_host = no
Be aware! We will announce rules with discard option!
Currently we support only most popular amplification attack types:
- DNS amplification (we drop all udp traffic originating from 53 port
- NTP amplification (we drop all udp traffic originating from 123 port)
- SSDP amplification (we drop all udp traffic originating from 1900 port)
- SNMP amplification (we drop all udp traffic originating from 161 port)