FastNetMon BGP Flow Spec RFC 5575 JSON representation

FastNetMon's JSON representation format

Example encoded JSON:

{
  "source_prefix": "4.0.0.0/24",
  "destination_prefix": "127.0.0.0/24",
  "destination_ports": [ 80 ],
  "source_ports": [ 53, 5353 ],
  "packet_lengths": [ 777, 1122 ],
  "protocols": [ "tcp" ],
  "fragmentation_flags": [ "is-fragment", "dont-fragment" ],
  "tcp_flags": [ "syn" ],
  "action_type": "rate-limit",
  "action": { "rate": 1024 }
}

Field explanation:

  • source_prefix - IPv4 network in CIDR format, optional field.
  • destination_prefix - IPv4 network in CIDR format, optional field.
  • destination_ports - list of destination ports (from 0 to 65535), optional field.
  • source_ports - list of source ports (from 0 to 65535), optional field.
  • packet_lengths - list of packet sizes (from 0 to 1500), optional field.
  • protocols - list of protocols (allowed options: udp, tcp, icmp, gre; you can find the full list of supported protocols here), optional field.
  • fragmentation_flags - list of fragmentation flags (allowed values: dont-fragment, is-fragment, first-fragment, last-fragment, not-a-fragment), optional field.
  • tcp_flags - list of TCP flags, allowed only when TCP is used in the protocols list. Allowed values: syn, ack, fin, urgent, push, rst. Flags can also be combined with the "|" sign (tcp|push). Optional field.
  • ttls - list of TTLs for traffic matching, non-RFC-compliant addition
  • vlans - list of VLANs for traffic matching, non-RFC-compliant addition
  • action_type - action type, allowed values: accept, discard, rate-limit, redirect, mark.
  • ipv4_nexthops - list of IPs to which traffic can be forwarded when the action is set to "accept"
  • source_asns - list of source ASNs, non-RFC-compliant addition
  • destination_asns - list of destination ASNs, non-RFC-compliant addition
  • input_interfaces - list of input interfaces, non-RFC-compliant addition, added in 2.0.372
  • output_interfaces - list of output interfaces, non-RFC-compliant addition, added in 2.0.372
  • agent_addresses - list of IPv4 addresses of the agent, non-RFC-compliant addition, added in 2.0.372

If you are using rate-limit, you should also specify the field "rate" in the section "action". Allowed values for it are from 1 to 100000. Optional field.

If you use action_type "redirect", you should provide fields "redirect_target_as" (16 bit) and "redirect_target_value" (32 bit) in the section "action".

Example redirect action:

sudo fcli set flowspec '{ "source_prefix": "4.0.0.0/24", "destination_prefix": "127.0.0.0/24", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "redirect", "action": { "redirect_target_as": 65000, "redirect_target_value": 666 } }'

Example of announcing a redirect to an IPv4 next hop:

sudo fcli set flowspec '{ "source_prefix": "4.0.0.0/32", "destination_prefix": "127.0.0.0/32", "destination_ports": [ 80 ], "source_ports": [ 53, 5353 ], "packet_lengths": [ 777, 1122 ], "protocols": [ "tcp" ], "fragmentation_flags": [ "is-fragment", "dont-fragment" ], "tcp_flags": [ "syn" ], "action_type": "accept", "ipv4_nexthops": ["11.22.33.44"] }'
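A pre-flight check for the field constraints listed above, useful before a rule is handed to fcli and announced to routers. This is an added example, not FastNetMon code: the names validate_flowspec and SAMPLE are hypothetical, and it assumes that prefixes must have zero host bits, that "rate" is range-checked only when present, and that both redirect fields are required unsigned integers.

```python
import ipaddress
import json

ACTION_TYPES = {"accept", "discard", "rate-limit", "redirect", "mark"}
FRAG_FLAGS = {"dont-fragment", "is-fragment", "first-fragment",
              "last-fragment", "not-a-fragment"}
INT_LISTS = {"destination_ports": (0, 65535), "source_ports": (0, 65535),
             "packet_lengths": (0, 1500)}  # ranges from the field list


def _in_range(value, low, high):
    return type(value) is int and low <= value <= high  # excludes bool and str


def validate_flowspec(rule_json):
    """Return a list of problems found in a rule; an empty list means none."""
    rule, errors = json.loads(rule_json), []
    for field in ("source_prefix", "destination_prefix"):
        if field in rule:
            try:
                ipaddress.IPv4Network(rule[field])  # assumption: strict CIDR
            except ValueError as exc:
                errors.append(f"{field}: {exc}")
    for field, (low, high) in INT_LISTS.items():
        for value in rule.get(field, []):
            if not _in_range(value, low, high):
                errors.append(f"{field}: {value!r} outside {low}-{high}")
    for flag in rule.get("fragmentation_flags", []):
        if flag not in FRAG_FLAGS:
            errors.append(f"fragmentation_flags: unknown flag {flag!r}")
    if rule.get("tcp_flags") and "tcp" not in rule.get("protocols", []):
        errors.append("tcp_flags: only allowed when protocols contains tcp")
    action_type, action = rule.get("action_type"), rule.get("action", {})
    if action_type not in ACTION_TYPES:
        errors.append(f"action_type: {action_type!r} is not an allowed value")
    if action_type == "rate-limit" and "rate" in action and not _in_range(action["rate"], 1, 100000):
        errors.append("action.rate: must be from 1 to 100000")
    if action_type == "redirect":  # assumption: both fields required, unsigned
        for key, bits in (("redirect_target_as", 16), ("redirect_target_value", 32)):
            if not _in_range(action.get(key), 0, 2**bits - 1):
                errors.append(f"action.{key}: must be a {bits}-bit unsigned integer")
    return errors


# Constructed sample: source port above 65535 and tcp_flags without tcp.
SAMPLE = '{"source_ports": [70000], "protocols": ["udp"], "tcp_flags": ["syn"], "action_type": "discard"}'
if __name__ == "__main__":
    print(validate_flowspec(SAMPLE))
```

Protocol names and individual TCP flag values are not checked, because the page names only part of the supported protocol list.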