
DDoS POC Auto-Rerouting Inquiry

3 weeks ago

Hi,

We're doing a POC with a partner wherein we are testing an auto-rerouting for a DDoS attack.

Attached is the diagram (POC Diagram.jpg).
Test IP: x.x.88.0/24
Corp Network ASN: 123456
Scrubbing Center ASN: 134190
DDoS Trigger Server (or INI): 45352
Community tag for auto-rerouting is: 123456:911

Target end-state:
1. Once a DDoS attack going to x.x.88.x has entered the Corporate network, the INI will advertise the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of Core Router (x.x.x.246) to BorderRouter1.
2. Once BorderRouter1 receives the prefix from the INI, it should not export it to its other iBGP neighbors (CoreRouter(s)).
3. It should prefer the route from the INI but should not prefer the INI as the next-hop for x.x.88.0/24; instead it will rely on the next-hop set by the INI on the test prefix, which is Core Router (x.x.x.246).
4. Once BorderRouter1 receives the prefix from the INI with the community tag, it will automatically advertise the prefix to the Scrubbing Center.
5. Then BorderRouter1 will deny the x.x.88.0/24 prefix advertisement with the community tag to its other ISPs (other peerings).

Current state (manually triggering the INI, prior to live attack):
1. Once the INI advertises the x.x.88.0/24 prefix with a community tag of 123456:911 and a next-hop IP of the loopback of Core Router (x.x.x.246) to BorderRouter1, BorderRouter1's preferred next-hop to the x.x.88.0/24 prefix is the p2p peering with the INI instead of Core Router.
2. Because of this, points 2-5 of the target end-state are not accomplished.

***Even though the INI advertises the x.x.88.0/24 prefix, it should not be the path going to x.x.88.0/24.

During the manual triggering of the INI, the attached image (BorderRouter1 Output during manual triggering.jpg) shows the results we got on BorderRouter1.

We're receiving x.x.88.0/24 from the INI with the community tag and next-hop IP x.x.x.246, but the preferred next-hop interface is gr-4/0/0, which is the tunnel interface facing the INI. I'm also seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.

Thus, points 2-5 of the target end-state are not accomplished.

Hoping somebody can help.

If you have questions, feel free to ask.

Thanks in advance.
Solution
Accepted by topic author Saul17

Re: DDoS POC Auto-Rerouting Inquiry

3 weeks ago

Hello,

@Saul17 wrote:

I'm also seeing 'hidden reason: protocol next hop is not on the interface' in the outputs.

Please add the following knob to your INI peer group:

set protocols bgp group INI-BLAH neighbor X.Y.X.Y accept-remote-nexthop

HTH

Thx

Alex
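A worked Junos configuration for the end-state the original post describes, combining the accepted fix (accept-remote-nexthop on the INI session) with the import and export policies that points 2-5 call for. This is an added example, not configuration from the thread, from the poster or from Juniper. The group names (INI, IBGP-CORE, SCRUB, TRANSIT), the policy and community names, and the INI neighbor address 192.0.2.1 are assumptions; x.x.88.0/24 and x.x.x.246 are the masked values from the post and would be the real prefix and Core Router loopback in practice.

```junos
# Added example, not from the thread. Assumed names: groups INI, IBGP-CORE,
# SCRUB, TRANSIT; policies FROM-INI, TO-IBGP, TO-SCRUB, TO-TRANSIT; the INI
# neighbor 192.0.2.1 is a placeholder. x.x.88.0/24 and x.x.x.246 are the
# post's masked prefix and Core Router loopback.

# The community the INI attaches to a prefix it wants rerouted, and the only
# prefix the INI is allowed to reroute.
set policy-options community REROUTE-911 members 123456:911
set policy-options prefix-list REROUTABLE x.x.88.0/24

# INI (AS 45352) session over the GRE tunnel. accept-remote-nexthop lets Junos
# keep a BGP next hop that is not on the shared subnet with the peer (here the
# Core Router loopback) instead of hiding the route with "protocol next hop is
# not on the interface" and falling back to the tunnel interface gr-4/0/0.
set protocols bgp group INI type external
set protocols bgp group INI peer-as 45352
set protocols bgp group INI neighbor 192.0.2.1 accept-remote-nexthop
set protocols bgp group INI import FROM-INI

# Import: accept only the expected prefix, only with the trigger community, and
# only with the Core Router loopback as next hop. This bounds what a
# misconfigured or compromised trigger host can inject. local-preference 500
# (assumed to be above anything else in this network) makes the INI route the
# active path to the /24 (point 3); the next hop x.x.x.246 then resolves via
# the IGP toward the Core Router, not via the INI tunnel.
set policy-options policy-statement FROM-INI term rtbh from protocol bgp
set policy-options policy-statement FROM-INI term rtbh from community REROUTE-911
set policy-options policy-statement FROM-INI term rtbh from prefix-list REROUTABLE
set policy-options policy-statement FROM-INI term rtbh from next-hop x.x.x.246
set policy-options policy-statement FROM-INI term rtbh then local-preference 500
set policy-options policy-statement FROM-INI term rtbh then accept
set policy-options policy-statement FROM-INI term everything-else then reject

# Point 2: never re-export the tagged route to the iBGP core neighbors. Place
# this policy first in the group's export chain so existing terms still apply.
set policy-options policy-statement TO-IBGP term no-911 from community REROUTE-911
set policy-options policy-statement TO-IBGP term no-911 then reject
set protocols bgp group IBGP-CORE export TO-IBGP

# Point 4: announce the tagged prefix to the scrubbing center (AS 134190) and
# nothing else. Junos sets the next hop to its own interface address when
# exporting to a directly connected eBGP peer, so the scrubbing center's return
# path terminates on BorderRouter1.
set policy-options policy-statement TO-SCRUB term 911 from community REROUTE-911
set policy-options policy-statement TO-SCRUB term 911 from prefix-list REROUTABLE
set policy-options policy-statement TO-SCRUB term 911 then accept
set policy-options policy-statement TO-SCRUB term everything-else then reject
set protocols bgp group SCRUB type external
set protocols bgp group SCRUB peer-as 134190
set protocols bgp group SCRUB export TO-SCRUB

# Point 5: drop the tagged prefix before it reaches other ISPs and peerings.
# Again, chain this ahead of the existing transit export policy.
set policy-options policy-statement TO-TRANSIT term no-911 from community REROUTE-911
set policy-options policy-statement TO-TRANSIT term no-911 then reject
set protocols bgp group TRANSIT export TO-TRANSIT
```

To check the result after committing, `show route x.x.88.0/24 extensive` should show the INI route active with protocol next hop x.x.x.246 resolving toward the Core Router, and `show route hidden` should no longer list it; `show route advertising-protocol bgp <neighbor>` against the scrubbing-center and transit neighbors confirms points 4 and 5. Two caveats worth settling with the partner before a live test: the route BorderRouter1 re-advertises to the scrubbing center carries AS path 123456 45352, so any origin-AS filtering on their side must allow that; and a prefix-limit on the INI session (`family inet unicast prefix-limit maximum <n>`) is a cheap backstop in case the trigger server ever advertises more than the one expected prefix.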

Re: DDoS POC Auto-Rerouting Inquiry

3 weeks ago

Hi


Thank you for the input. I'll try it out tomorrow.


Re: DDoS POC Auto-Rerouting Inquiry

3 weeks ago

Hi


Feedback