22.03.2018

Selective BGP blackhole or traffic diversion in FastNetMon Advanced

This guide describes the steps required to announce hosts from a first host group as /32 prefixes with a specific community (blackhole, for example) and hosts from a second host group as /24 prefixes with a different community (to redirect traffic to a scrubbing centre, for example). A host group is a group of multiple networks in CIDR format.
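The selection rule described above, as an added Python example; it is not FastNetMon's notify script or code from this guide. The group names are the ones used in the test steps of this guide, while the networks, the community values and the most-specific-match rule for overlapping groups are assumptions made for the example.

```python
import ipaddress

# Constructed sample policy. Group names match the guide; the networks
# (documentation ranges) and community values are placeholders.
HOST_GROUPS = {
    "host_to_blackhole": {
        "networks": ["192.0.2.0/24", "198.51.100.10/32"],
        "prefix_len": 32,
        "community": "65001:666",
    },
    "host_to_scrubbing": {
        "networks": ["198.51.100.0/24"],
        "prefix_len": 24,
        "community": "65001:777",
    },
}


def find_group(ip):
    """Return the group whose most specific network contains ip, or None."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on malformed input
    best_name, best_len = None, -1
    for name, group in HOST_GROUPS.items():
        for cidr in group["networks"]:
            net = ipaddress.ip_network(cidr)
            if addr in net and net.prefixlen > best_len:
                best_name, best_len = name, net.prefixlen
    return best_name


def plan_announcement(ip):
    """Return (prefix, community) for an attacked host, or None if ungrouped."""
    name = find_group(ip)
    if name is None:
        return None  # host is in neither group: announce nothing
    group = HOST_GROUPS[name]
    # strict=False masks host bits: 198.51.100.77/24 -> 198.51.100.0/24
    prefix = ipaddress.ip_network(f"{ip}/{group['prefix_len']}", strict=False)
    return str(prefix), group["community"]


if __name__ == "__main__":
    for host in ("192.0.2.15", "198.51.100.77", "198.51.100.10", "203.0.113.5"):
        print(host, "->", plan_announcement(host))
```

Returning None for a host outside both groups keeps the script from announcing a prefix that has no policy attached to it.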

Please upgrade FastNetMon to version 2.0.78, the minimum version required for this guide.

This guide assumes that you have already configured a BGP connection. If you have not, please follow the quick start guide for it.

After configuring BGP, please disable any standard actions for BGP. We will use a notify script instead because we need custom logic:

First of all, convert (split or aggregate) all your networks in networks_list (sudo fcli show main networks_list) to /24 CIDR networks only.

You can remove existing networks from this list this way:

And add new ones this way:

Then, you need to create two host groups.

The first one is for hosts that need the blackhole action:

The second one is for hosts that need the traffic diversion action:

Please install the JSON processing library for Perl:

Finally, put this script into the file /usr/local/bin/notify_json.pl:

Set the executable bit for it:

And configure your FastNetMon instance to call it when FastNetMon detects an attack.

After the initial setup, we suggest manually checking a host from each group and testing FastNetMon’s behaviour in each case.

To test a host from the group host_to_blackhole:

To test a host from the group host_to_scrubbing:

You can debug actions from our script using this command: