Scenario #1
Member typically announces varous prefix lengths, from a /16 to a /23 to the Indiana GigaPOP. In the scenario with a DDoS detection against a specific host, the /16 would remain announced to the Indiana GigaPOP Commodity Transit and Peer providers with a more specific /24 announced through Internet2/Radware for DDoS Mitigation (Scrubbing). More specific prefixes will force traffic to the specific host within the prefix through the DDoS Mitigation (Scrubbing) Service.
A possible BGP policy configuration for a member's peer defintion to the Indiana Gigapop.
Cisco
!
ip prefix-list MEMBER seq 5 permit 192.168.0.0/16
!
route-map OUT permit 10
match ip address prefix-list MEMBER
!
route-map OUT deny 100
!
Juniper
policy-options {
prefix-list MEMBER {
192.168.0.0/16;
}
policy-statement OUT {
term ANNOUNCE {
from {
prefix-list MEMBER;
}
then accept;
}
term REJECT {
then reject;
}
}
}
Assuming a DDoS attack is occurring against 192.168.73.33. The member would announce 192.168.73.0/24 with the added DDOS BGP community.
Cisco
!
ip prefix-list MEMBER seq 5 permit 192.168.0.0/16
ip prefix-list MEMBER-DDOS seq 5 permit 192.168.73.0/24
!
route-map OUT permit 5
match ip address prefix-list MEMBER-DDOS
set community 19782:666 additive
!
route-map OUT permit 10
match ip address prefix-list MEMBER
!
route-map OUT deny 100
!
Juniper
policy-options {
community DDOS {
members 19782:666;
}
prefix-list MEMBER-DDOS {
192.168.73.0/24;
}
policy-statement OUT {
term ANNOUNCE-DDOS {
from {
prefix-list MEMBER-DDOS;
}
then {
community add DDOS;
accept;
}
}
term ANNOUNCE {
from {
prefix-list MEMBER;
}
then accept;
}
term REJECT {
then reject;
}
}
}