
BGP Configuration for DDoS Protection Setup

Description

  • Guidelines for customer router configurations to manipulate the advertisement of BGP routes to F5 Silverline scrubbing centers.
  • Note: at all times the customer retains full control of their routing configuration, and this document serves only as a guide. There are many alternative ways to achieve the same results as detailed here. IP addresses are subject to change. Please contact the SOC if in any doubt.

 

Environment

  • Silverline DDoS
    • Routed 
  • BGP

 

Procedure

Setting BGP Route Preferences

It's very important that the BGP advertisements are set up so that in the event of an attack, the route to the F5 Silverline scrubbing centers is preferred. You could accomplish this by stopping advertisements to your ISP(s), but this is generally undesirable as it can cause a route to be removed from Internet routing tables.  What's preferable is that under normal operations the route goes through your ISP(s), but during an attack the preference is to the F5 Silverline scrubbing center.

This is done with route maps (in Cisco parlance) combined with a method of influencing inbound routing decisions, such as AS-path prepending or BGP communities. There are many such methods (see here), and you should discuss with the F5 Silverline SOC team on your Technical Onboarding Call which will work best for your setup and needs.

Before your Technical Onboarding Call with the F5 Silverline SOC:

  • Set your carrier advertisements' local preference to less than 100.
  • Confirm if your upstream carrier can honor AS-PATH prepends.

Note: The routed solution typically results in asymmetric routing. Inbound traffic to your prefixes is routed through F5 by virtue of the preferred route advertisements we send upstream. We do not advertise any Internet routes to customers, and your ISP(s) remain the default route for outbound traffic, so there is no need to apply any route-maps inbound on the F5 links.

 

Example: Cisco AS Path Prepending

As noted, there are many ways to do this (and on platforms other than Cisco), but the concepts are the same. Here is an example of how you would set up AS path prepending on Cisco IOS so that the route via the F5 Silverline scrubbing center is preferred.

ip prefix-list customer-public-routes permit CUSTOMER_PREFIX_1
ip prefix-list customer-public-routes permit CUSTOMER_PREFIX_2
!
route-map map-route-to-f5 permit 10
 match ip address prefix-list customer-public-routes
 set as-path prepend 65001 65001 65001 65001
! 65001 is your own ASN; prepend only your own ASN
! a route-map ends with an implicit deny, so a second clause with no match
! condition is needed to keep advertising any other prefixes unchanged
route-map map-route-to-f5 permit 20

 

Then, to route traffic over to F5, apply the route-map outbound on the BGP session you have with your ISP.

To Activate

### apply activation configuration ###
router bgp 65001
! 65001 is your ASN; xxx.xxx.xxx.xxx is the IP of your ISP BGP peer
 neighbor xxx.xxx.xxx.xxx route-map map-route-to-f5 out
! pl-route-to-f5 is defined in the sample BGP configuration further down
 neighbor f5-dca prefix-list pl-route-to-f5 out
 neighbor f5-sjc prefix-list pl-route-to-f5 out

### clear bgp neighbors ###
! F5 sessions first, so the prefix is already reachable via F5 before the
! carrier advertisement becomes less preferred
clear ip bgp peer-group f5-dca soft out
clear ip bgp peer-group f5-sjc soft out
clear ip bgp xxx.xxx.xxx.xxx soft out

 

Repeat this for every upstream peer you have. Your prefixes are then advertised to each carrier with the AS path prepended, while the advertisement to F5 is not, so the F5 route is preferred.

 

To Deactivate:

### apply deactivation configuration ###
router bgp 65001
! 65001 is your ASN; xxx.xxx.xxx.xxx is the IP of your ISP BGP peer
 no neighbor xxx.xxx.xxx.xxx route-map map-route-to-f5 out
! deny-all is defined in the sample BGP configuration further down
 neighbor f5-dca prefix-list deny-all out
 neighbor f5-sjc prefix-list deny-all out

### clear bgp neighbors ###
! carrier first, so the unprepended carrier advertisement is in place
! before the prefix is withdrawn from F5
clear ip bgp xxx.xxx.xxx.xxx soft out
clear ip bgp peer-group f5-dca soft out
clear ip bgp peer-group f5-sjc soft out

 

 

Note that prepending on the advertisement you send through F5 does not steer traffic back off F5. The two carriers with which F5 directly peers (Telia and Tata) will continue to prefer the F5 route even when it carries the prepended AS path, because they automatically prefer a 'customer' route (F5) over a 'peer' route (received from other carriers) by local preference, which BGP compares before AS-path length. Withdrawing the prefixes from the F5 sessions, as the deactivation configuration above does with the deny-all prefix-list, is what moves the traffic.
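As an added worked example (not code from F5 or Cisco, and not part of the original article), the following Python model of BGP best-path selection plays through the three states discussed above: normal operation, the activation configuration with the ISP advertisement prepended, and an attempted deactivation that prepends toward F5 instead of withdrawing. The ASNs 65001 and 55002 are from this page; the ISP ASN 64512, the carrier ASN 1299, the local-preference values and the prefix 192.0.2.0/24 are assumptions.

```python
"""Simplified BGP best-path selection, showing (1) why prepending your own
ASN toward the ISP makes the F5 Silverline path the preferred one for the
rest of the Internet, and (2) why prepending toward F5 does not move
traffic back off F5 at a carrier that peers directly with F5, because such
a carrier prefers a 'customer' route over a 'peer' route (LOCAL_PREF)
before it ever compares AS-path length.

Added example, not code from F5 or Cisco. ASNs 65001 (customer) and 55002
(F5 Silverline) are from the page; the ISP ASN 64512, the F5-peering
carrier ASN 1299, the LOCAL_PREF values 200 (customer) / 100 (peer) and
the prefix 192.0.2.0/24 are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CUSTOMER_AS = 65001      # page: "assume 65001 is your AS"
F5_AS = 55002            # page: remote-as of the F5 Silverline peer-groups
ISP_AS = 64512           # assumed: the customer's upstream carrier
CARRIER_AS = 1299        # assumed: a carrier peering directly with F5
PREFIX = "192.0.2.0/24"  # assumed: RFC 5737 documentation prefix


@dataclass
class Route:
    prefix: str
    as_path: List[int]   # leftmost = nearest AS, rightmost = origin AS
    local_pref: int
    via: str             # which neighbour of the evaluating AS sent it


def best_path(candidates: List[Route]) -> Optional[Route]:
    """The two BGP decision steps that matter here, in order: highest
    LOCAL_PREF wins, then shortest AS_PATH. A tie keeps the earlier
    candidate (stand-in for the 'oldest route' tie-breaker)."""
    if not candidates:
        return None
    return sorted(candidates, key=lambda r: (-r.local_pref, len(r.as_path)))[0]


def customer_announcements(state: str, prepends: int = 4) -> Dict[str, List[int]]:
    """AS_PATH the customer router sends to each neighbour in a given state.
    'normal':     prefix to the ISP only (F5 sessions carry prefix-list deny-all).
    'activated':  prefix to the ISP with 'set as-path prepend 65001 x4',
                  and unprepended to F5 (the page's activation config).
    'prepend_f5': a tempting but ineffective way to deactivate: keep the
                  prefix on the F5 sessions and prepend toward F5 instead
                  of withdrawing it."""
    plain = [CUSTOMER_AS]
    prepended = [CUSTOMER_AS] * prepends + plain
    states = {
        "normal": {"isp": plain},
        "activated": {"isp": prepended, "f5": plain},
        "prepend_f5": {"isp": plain, "f5": prepended},
    }
    return states[state]


def remote_as_view(announced: Dict[str, List[int]]) -> Optional[str]:
    """Best path at some AS elsewhere on the Internet that reaches the
    customer either via the ISP or via CARRIER -> F5, with both learned as
    ordinary transit routes (equal LOCAL_PREF), so AS-path length decides."""
    candidates = []
    if "isp" in announced:
        candidates.append(Route(PREFIX, [ISP_AS] + announced["isp"], 100, "isp"))
    if "f5" in announced:
        candidates.append(Route(PREFIX, [CARRIER_AS, F5_AS] + announced["f5"], 100, "f5"))
    best = best_path(candidates)
    return best.via if best else None


def direct_carrier_view(announced: Dict[str, List[int]]) -> Optional[str]:
    """Best path at a carrier that peers directly with F5 (the page names
    Telia and Tata). F5 is its customer, so that route gets the higher
    LOCAL_PREF; the route arriving from the customer's ISP is a peer route.
    Because LOCAL_PREF is compared first, prepends on the F5 route are moot."""
    candidates = []
    if "isp" in announced:
        candidates.append(Route(PREFIX, [ISP_AS] + announced["isp"], 100, "isp"))
    if "f5" in announced:
        candidates.append(Route(PREFIX, [F5_AS] + announced["f5"], 200, "f5"))
    best = best_path(candidates)
    return best.via if best else None


if __name__ == "__main__":
    for state in ("normal", "activated", "prepend_f5"):
        ann = customer_announcements(state)
        print(f"{state:10s}  remote AS -> {remote_as_view(ann)}   "
              f"direct F5 carrier -> {direct_carrier_view(ann)}")
```

Running it prints isp/isp for normal, f5/f5 for activated, and isp/f5 for prepend_f5: the rest of the Internet follows the shorter path, but a carrier that has F5 as a customer sticks with F5 regardless of prepends, so only withdrawing the prefix from the F5 sessions (prefix-list deny-all out) takes it off the scrubbing path.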

Alternatives to AS Prepends:

  • Use a BGP community on the announcements to one ISP that asks that ISP to selectively prepend towards some of its customers or peers, or in some regions. The large carriers typically publish such communities.
  • Another option is to set the well-known 'no-export' community (set community no-export in the route-map) on announcements you do not want the receiving ISP to propagate further into the Internet.

 

 

BGP Configuration Steps


Step One: Complete GRE Configuration

We assume that GRE has been correctly configured as detailed on the GRE Tunnel Set-up page. IP/ICMP connectivity should exist between the /30 red-side tunnel interfaces (107.162.x.x).

 

Step Two: BGP Peering

Once IP connectivity is established, it is time to establish the BGP neighbor relationship.

This requires your BGP peer secret, located on the Silverline Portal: Q&A: Where can I find my BGP peer secret?

 

Sample Cisco BGP Configuration 

There are many ways to configure the BGP peering relationship.

Here is a sample Cisco BGP configuration.

ip prefix-list pl-route-to-f5 permit CUSTOMER_PREFIX
ip prefix-list deny-all deny 0.0.0.0/0 le 32
!
router bgp xxx
! xxx is your ASN
 no synchronization
 bgp log-neighbor-changes
 no auto-summary
 network CUSTOMER_PREFIX mask 255.255.255.0
! the mask above assumes a /24; the prefix must also exist in your routing table
 neighbor f5-dca peer-group
 neighbor f5-dca remote-as 55002
 neighbor f5-dca description F5-Auburn-55002
 neighbor f5-dca password BGP_PEER_SECRET
! BGP_PEER_SECRET is the peer secret from the Silverline Portal (see above)
 neighbor f5-dca version 4
 neighbor f5-dca send-community
 neighbor f5-dca soft-reconfiguration inbound
 neighbor f5-dca prefix-list deny-all in
! F5 advertises no routes to you, so accept none
 neighbor f5-dca prefix-list pl-route-to-f5 out
 neighbor f5-sjc peer-group
 neighbor f5-sjc remote-as 55002
 neighbor f5-sjc description F5-SanJose-55002
 neighbor f5-sjc password BGP_PEER_SECRET
 neighbor f5-sjc version 4
 neighbor f5-sjc send-community
 neighbor f5-sjc soft-reconfiguration inbound
 neighbor f5-sjc prefix-list deny-all in
 neighbor f5-sjc prefix-list pl-route-to-f5 out
! F5_DCA_SITEA_RED / F5_SJC_SITEA_RED are the F5 red-side tunnel addresses
 neighbor F5_DCA_SITEA_RED peer-group f5-dca
 neighbor F5_DCA_SITEA_RED description tunnel-to-f5-dca
 neighbor F5_SJC_SITEA_RED peer-group f5-sjc
 neighbor F5_SJC_SITEA_RED description tunnel-to-f5-sjc
! add the neighbor statements for your sessions with your ISP(s) here
! until you have agreed with the SOC how your prefixes are managed (step 4
! under Enable BGP Sessions), use "prefix-list deny-all out" on both F5
! peer-groups instead of pl-route-to-f5 so nothing is advertised to Silverline yet

 

Update ACLs

Customers should work with their carrier(s) to implement ACLs that block traffic not sourced from Silverline. This protects against attacks in which the attacker targets the original IP address directly and thus still reaches the customer's data center infrastructure, bypassing the scrubbing centers.

 


## Lax option
! xxx must be an extended ACL number (100-199 or 2000-2699) because the
! entries match on protocol; use the same number on every line
access-list xxx permit gre 107.162.0.0 0.0.255.255 any
access-list xxx permit icmp 107.162.0.0 0.0.255.255 any

## Tight option
! 107.162.8.x / 107.162.9.x are your assigned F5 tunnel endpoints;
! the destination host is your own tunnel source (black-side) address
access-list xxx permit gre host 107.162.8.x host xxx
access-list xxx permit gre host 107.162.9.x host xxx
access-list xxx permit icmp host 107.162.8.x host xxx
access-list xxx permit icmp host 107.162.9.x host xxx

The above ACLs should be applied inbound on the tunnel source interface ("black side"). Remember that a Cisco ACL ends with an implicit deny: if that interface also faces your carrier, add entries for anything else that must still reach it, such as the TCP port 179 session from your carrier's BGP peer, or that session will be dropped. The customer may also wish to apply the same ACL they apply on their Internet-facing interfaces to the tunnel interface itself ("red side"), and should ensure that BGP is permitted from the designated F5 neighbor addresses.
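As an added example (not code from F5 or Cisco, and not part of the original article), the following Python ACL evaluator runs the lax and tight options above against sample packets, including the implicit deny. The source range 107.162.0.0/16 and the 107.162.8.x / 107.162.9.x hosts are from the page; the last octets (.21), the customer tunnel endpoint 203.0.113.10, the carrier BGP peer 198.51.100.1, the attacker address 198.51.100.77 and the ACL numbers are assumptions.

```python
"""Evaluate the page's 'lax' and 'tight' black-side ACL options against
sample packets, including the implicit deny that ends every Cisco ACL.

Added example, not F5 or Cisco code. The F5 source range 107.162.0.0/16
and the 107.162.8.x / 107.162.9.x hosts are from the page; the last
octets (.21), the customer tunnel endpoint 203.0.113.10, the carrier BGP
peer 198.51.100.1, the attacker 198.51.100.77 and the ACL numbers are
assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass
class Ace:
    action: str                   # 'permit' or 'deny'
    proto: str                    # 'gre', 'icmp', 'tcp', 'ip', ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def cisco_net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Convert Cisco 'address wildcard' notation to a network. The wildcard
    is an inverted mask: 0.0.255.255 -> /16, 0.0.0.0 (or 'host') -> /32."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    return ipaddress.IPv4Network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} PROTO SRC DST [...]' where SRC/DST
    are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'. Port qualifiers after
    the destination (e.g. 'eq bgp') are accepted but not matched on."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line}")
    action, proto, rest, nets = t[2], t[3], t[4:], []
    while rest and len(nets) < 2:
        if rest[0] == "any":
            nets.append(ANY)
            rest = rest[1:]
        elif len(rest) >= 2 and rest[0] == "host":
            nets.append(cisco_net(rest[1]))
            rest = rest[2:]
        elif len(rest) >= 2:
            nets.append(cisco_net(rest[0], rest[1]))
            rest = rest[2:]
        else:
            raise ValueError(f"truncated address in ACE: {line}")
    if len(nets) != 2:
        raise ValueError(f"missing source/destination: {line}")
    return Ace(action, proto, nets[0], nets[1])


def evaluate(acl: List[Ace], proto: str, src: str, dst: str) -> str:
    """First matching entry wins; with no match, the implicit deny applies."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if ace.proto in (proto, "ip") and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


# Constructed from the page's two options, with assumed concrete values.
LAX = [parse_ace(l) for l in (
    "access-list 110 permit gre 107.162.0.0 0.0.255.255 any",
    "access-list 110 permit icmp 107.162.0.0 0.0.255.255 any",
)]
TIGHT = [parse_ace(l) for l in (
    "access-list 111 permit gre host 107.162.8.21 host 203.0.113.10",
    "access-list 111 permit gre host 107.162.9.21 host 203.0.113.10",
    "access-list 111 permit icmp host 107.162.8.21 host 203.0.113.10",
    "access-list 111 permit icmp host 107.162.9.21 host 203.0.113.10",
)]
# The tight option plus the carrier eBGP session that the implicit deny
# would otherwise drop if this ACL sits on the Internet-facing interface.
TIGHT_PLUS_BGP = TIGHT + [parse_ace(
    "access-list 111 permit tcp host 198.51.100.1 host 203.0.113.10 eq bgp")]

if __name__ == "__main__":
    packets = [("gre", "107.162.8.21", "203.0.113.10"),    # tunnel from F5 DCA
               ("gre", "107.162.200.5", "203.0.113.10"),   # other host in F5's /16
               ("gre", "198.51.100.77", "203.0.113.10"),   # attacker spoofing GRE
               ("tcp", "198.51.100.1", "203.0.113.10")]    # carrier BGP peer
    for name, acl in (("lax", LAX), ("tight", TIGHT), ("tight+bgp", TIGHT_PLUS_BGP)):
        for p in packets:
            print(f"{name:9s} {p[0]:4s} {p[1]:>14s} -> {evaluate(acl, *p)}")
```

The lax option admits GRE from anywhere in F5's /16, the tight option only from your two assigned endpoints, and both drop GRE from an attacker's address; the last packet shows why the carrier's BGP session needs its own permit entry when the ACL lands on the Internet-facing interface.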

 

Enable BGP Sessions

Important

Do not advertise prefixes to Silverline during initial BGP Peering. First, you must confirm with the SOC how you want to manage your prefix announcements (Step 4 below).

 

1. You can enable BGP sessions directly from the Portal by navigating to Config > Routed Configuration > Routing Management 


2. In the BGP Peer Status table, enable each BGP neighbor IP address by clicking Activate next to it.


 

3. Once this is done, the BGP peer relationships should be established. The sample below is Junos 'show bgp neighbor' output; on Cisco IOS, use 'show ip bgp neighbors <address>' and look for "BGP state = Established".

RouterA> show bgp neighbor 107.162.18.xxx 
Peer: 107.162.18.xxx+26405 AS 55002 Local: 107.162.18.xxx+179 AS 60529
Type: External State: Established Flags: <Sync RSync>
Last State: EstabSync Last Event: RecvKeepAlive
Last Error: None

 

4. Inform the SOC how you'd like to manage your prefix announcements, either:

  • (a) make use of the Route Origination feature,
  • or (b) have Silverline announce prefixes to our carriers once they are advertised to Silverline.

 

5. Once confirmed with the SOC, you can now advertise your prefixes to Silverline.

 

Step Three: Verifying Route Propagation

The following two lines in the sample Cisco config above, together with the network statement for CUSTOMER_PREFIX, tell the router to advertise CUSTOMER_PREFIX to F5 (the f5-dca peer-group has the equivalent outbound line):

ip prefix-list pl-route-to-f5 permit CUSTOMER_PREFIX
 neighbor f5-sjc prefix-list pl-route-to-f5 out

Additional prefixes can of course be added to the prefix-list, e.g. if you have several discontiguous /24s.

 

The best ways to check if BGP has propagated routes are to:

(a) ask the F5 SOC if we are receiving your routes, and

(b) check a Looking Glass server -- see Q&A: What is Looking Glass? for Route Server links

Example

Let’s use http://lg.telia.net/ as an example. Run a BGP query and you should see an output like:

169.254.100.0/24   *[BGP/170] 02:46:17, MED 0, localpref 200, from X.X.X.X
                      AS path: 55002 <Customer ASN #> I, validation-state: unverified
                    > to X.X.X.X via xe-3/1/0.0
                      to X.X.X.X via xe-7/0/1.0
                      to X.X.X.X via xe-7/1/0.0

How to read the above output:

  • The presence of 55002 in the AS path shows that traffic for 169.254.100.0/24 is being routed through AS 55002, which is F5 Silverline. When you route away from F5 Silverline, 55002 will no longer appear in the AS path.
  • 169.254.0.0/16 is link-local address space (RFC 3927) that is not publicly routable; it is used here only for the purposes of this example.
  • 'X.X.X.X' are addresses masked in this example: the looking-glass router's BGP peer that the route was learned from ("from") and its own next hops ("to ... via"). They are internal to the looking-glass operator, not your GRE tunnel addresses.
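As an added example (not code from F5 or Telia, and not part of the original article), the following Python script parses Junos-style looking-glass output of the kind shown above and answers the two questions that matter during verification: is the active route for the prefix going through AS 55002, and how many prepends are visible on the alternate path. The sample outputs are constructed from the page's example; the customer ASN 65001 (in place of the page's <Customer ASN #> placeholder), the ISP ASN 64512, the second route entry and its localpref are assumptions.

```python
"""Parse Junos-style looking-glass output (as returned by lg.telia.net) to
check whether a prefix is currently reached via F5 Silverline (AS 55002)
and whether your own AS-path prepends are visible on the alternate path.

Added example, not F5's or Telia's code. The sample outputs are constructed
from the page's example: prefix 169.254.100.0/24 and AS 55002 are from the
page; the customer ASN 65001, the ISP ASN 64512, the second route entry and
its localpref value are assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

F5_AS = 55002

# A route entry starts with an optional prefix (present only on the first
# entry for that prefix), an optional '*' for the active route, then
# '[BGP/<preference>]' followed by age, MED, localpref and the peer.
HEADER_RE = re.compile(
    r"^(?P<prefix>\d+\.\d+\.\d+\.\d+/\d+)?\s*(?P<active>\*?)\[BGP/\d+\](?P<rest>.*)$")
LOCALPREF_RE = re.compile(r"localpref (\d+)")
# 'AS path: 55002 65001 I, validation-state: ...' -> ASNs then origin code
ASPATH_RE = re.compile(r"AS path:\s*(?P<path>[\d\s{}]*?)\s*(?P<origin>[IE?])(?:,|$)")


@dataclass
class LgRoute:
    prefix: str
    active: bool                        # '*' in the output
    localpref: Optional[int]
    as_path: List[int] = field(default_factory=list)  # left = nearest AS
    origin: str = "?"


def parse_lg(output: str) -> List[LgRoute]:
    """Turn looking-glass route text into LgRoute objects. Next-hop lines
    ('> to X via Y') carry nothing we need and are skipped."""
    routes: List[LgRoute] = []
    prefix: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            prefix = m.group("prefix") or prefix
            if prefix is None:
                raise ValueError(f"route entry before any prefix: {line}")
            lp = LOCALPREF_RE.search(m.group("rest"))
            routes.append(LgRoute(prefix, m.group("active") == "*",
                                  int(lp.group(1)) if lp else None))
            continue
        m = ASPATH_RE.search(line)
        if m and routes:
            asns = m.group("path").replace("{", " ").replace("}", " ").split()
            routes[-1].as_path = [int(a) for a in asns]
            routes[-1].origin = m.group("origin")
    return routes


def via_f5(routes: List[LgRoute], prefix: str) -> Optional[bool]:
    """True if the active route for prefix passes through AS 55002, False if
    it does not, None if the output shows no active route for that prefix."""
    for r in routes:
        if r.prefix == prefix and r.active:
            return F5_AS in r.as_path
    return None


def prepend_count(route: LgRoute, asn: int) -> int:
    """Consecutive occurrences of asn at the origin end of the AS path
    (1 = announced without prepends, 0 = asn is not the origin)."""
    n = 0
    for a in reversed(route.as_path):
        if a != asn:
            break
        n += 1
    return n


# Constructed sample: activated state. The F5 path is active; the ISP path,
# carrying four prepends of the customer ASN, is the inactive alternate.
SAMPLE_ACTIVATED = """\
169.254.100.0/24   *[BGP/170] 02:46:17, MED 0, localpref 200, from X.X.X.X
                      AS path: 55002 65001 I, validation-state: unverified
                    > to X.X.X.X via xe-3/1/0.0
                      to X.X.X.X via xe-7/0/1.0
                    [BGP/170] 00:12:05, MED 0, localpref 100, from X.X.X.X
                      AS path: 64512 65001 65001 65001 65001 65001 I, validation-state: unverified
                    > to X.X.X.X via xe-7/1/0.0
"""
# Constructed sample: deactivated state, reached through the ISP only.
SAMPLE_NORMAL = """\
169.254.100.0/24   *[BGP/170] 01:03:44, MED 0, localpref 100, from X.X.X.X
                      AS path: 64512 65001 I, validation-state: unverified
                    > to X.X.X.X via xe-7/1/0.0
"""

if __name__ == "__main__":
    for name, text in (("activated", SAMPLE_ACTIVATED), ("normal", SAMPLE_NORMAL)):
        routes = parse_lg(text)
        print(name, "via F5:", via_f5(routes, "169.254.100.0/24"))
        for r in routes:
            print("   ", "*" if r.active else " ", r.as_path,
                  "occurrences of 65001 at origin:", prepend_count(r, 65001))
```

Paste the looking-glass output for your prefix in place of the constructed samples; a prepend count of 1 on the F5 path and 5 on the ISP path is what the four-prepend route-map from the activation section should produce.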

 
