3. BGP sessions
a) Configure Quagga1 and Quagga2
Install Quagga and start the bgpd and zebra daemons.
bash-4.2# systemctl start bgpd
bash-4.2# systemctl start zebra
Connect to the configuration console using vtysh.
If all sessions are valid, you'll see something similar in the ExaBGP logs:
14:05:40 | 464 | reactor | loaded new configuration successfully
14:11:21 | 464 | reactor | connected to peer-1 with outgoing-35 10.10.12.3-10.10.12.1
14:17:43 | 464 | reactor | connected to peer-2 with outgoing-42 10.10.12.3-10.10.12.2
On Quagga1 run
Quagga1# show ip bgp summary
BGP router identifier 10.10.12.1, local AS number 100
RIB entries 7, using 784 bytes of memory
Peers 4, using 18 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.12.3 4 100 4 13 0 0 0 00:03:36 0 -----> BGP session is established, but no prefix has been received yet
On Quagga2 run
Quagga2# show ip bgp summary
BGP router identifier 10.10.12.2, local AS number 100
RIB entries 7, using 784 bytes of memory
Peers 4, using 18 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.12.3 4 100 17 19 0 0 0 00:16:41 0 -----> BGP session is established, but no prefix has been received yet
Generate flood traffic – ICMP
Now generate flood traffic. FastNetMon will react and add the destination IP to the ban list (banned by packets per second).
From Quagga4, which has an interface in the 172.20.17.0/24 network, you can ICMP-flood the test server at 10.100.100.100.
# ping -S 172.20.17.100 -f 10.100.100.100
FastNetMon 1.1.3 master git-38bf681f18f80259337bbb060f7040103416ba8c Pavel Odintsov: fastnetmon.com
IPs ordered by: packets
Incoming traffic 8056 pps 7 mbps 0 flows
10.100.100.100 8056 pps 7 mbps 0 flows *banned*
Outgoing traffic 7772 pps 6 mbps 0 flows
10.100.100.100 7772 pps 6 mbps 0 flows *banned*
Internal traffic 0 pps 0 mbps
Other traffic 0 pps 0 mbps
Screen updated in: 0 sec 281 microseconds
Traffic calculated in: 0 sec 173 microseconds
Total amount of IPv6 packets related to our own network: 0
Not processed packets: 0 pps
Ban list:
10.100.100.100/8056 pps incoming at 26_11_19_14:57:59
You should see something similar in tail -f /var/log/fastnetmon.log:
2019-12-03 09:56:13,979 [INFO] We run execute_ip_ban code with following params in_pps: 2346 out_pps: 2165 in_bps: 272248 out_bps: 251221 and we decide it’s incoming attack
2019-12-03 09:56:13,979 [INFO] Attack with direction: incoming IP: 10.100.100.100 Power: 2346
2019-12-03 09:56:13,980 [INFO] Call script for ban client: 10.100.100.100
2019-12-03 09:56:13,980 [INFO] Script for ban client is finished: 10.100.100.100
2019-12-03 09:56:13,980 [INFO] Call ExaBGP for ban client started: 10.100.100.100
2019-12-03 09:56:13,980 [INFO] Call to ExaBGP for ban client is finished: 10.100.100.100
2019-12-03 09:56:13,980 [INFO] ExaBGP announce message: announce route 10.100.100.100/32 next-hop 192.0.2.6 community 100:666 -----> this injects the new route into both Quagga1 and Quagga2.
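The log lines above are what a monitoring job would watch for. The following Python script is an added example (not part of the original page or of FastNetMon/ExaBGP): it parses constructed fastnetmon.log lines modelled on the excerpt, extracts the attack events and the ExaBGP announce, and checks the announce against the lab's policy before it is trusted, namely that the prefix is a /32 host route inside the protected network, the next hop is the blackhole address 192.0.2.6 and the community is 100:666. The protected network 10.100.100.0/24 is an assumption for this lab; the withdraw syntax is assumed to follow ExaBGP's "withdraw route ... next-hop ..." API form.

```python
import ipaddress
import re

# Constructed sample lines modelled on the fastnetmon.log excerpt above (not real log data).
SAMPLE_LOG = """\
2019-12-03 09:56:13,979 [INFO] We run execute_ip_ban code with following params in_pps: 2346 out_pps: 2165 in_bps: 272248 out_bps: 251221 and we decide it's incoming attack
2019-12-03 09:56:13,979 [INFO] Attack with direction: incoming IP: 10.100.100.100 Power: 2346
2019-12-03 09:56:13,980 [INFO] Call script for ban client: 10.100.100.100
2019-12-03 09:56:13,980 [INFO] ExaBGP announce message: announce route 10.100.100.100/32 next-hop 192.0.2.6 community 100:666
"""

ATTACK_RE = re.compile(
    r"Attack with direction: (?P<direction>\w+) IP: (?P<ip>[\d.]+) Power: (?P<power>\d+)"
)
ANNOUNCE_RE = re.compile(
    r"announce route (?P<prefix>[\d./]+) next-hop (?P<nexthop>[\d.]+) community (?P<community>\d+:\d+)"
)

# Policy values for this lab: next hop and community come from the page; the
# protected network is an assumption made for the example.
BLACKHOLE_NEXT_HOP = ipaddress.ip_address("192.0.2.6")
BLACKHOLE_COMMUNITY = "100:666"
PROTECTED_NETWORKS = [ipaddress.ip_network("10.100.100.0/24")]


def parse_attacks(log_text):
    """Return one dict per 'Attack with direction' line: direction, IP and pps."""
    events = []
    for line in log_text.splitlines():
        m = ATTACK_RE.search(line)
        if m:
            events.append({"direction": m["direction"], "ip": m["ip"], "power": int(m["power"])})
    return events


def parse_announces(log_text):
    """Return one dict per ExaBGP announce message: prefix, next hop and community."""
    announces = []
    for line in log_text.splitlines():
        m = ANNOUNCE_RE.search(line)
        if m:
            announces.append({"prefix": m["prefix"], "nexthop": m["nexthop"], "community": m["community"]})
    return announces


def check_announce(announce):
    """Return a list of policy violations for one announce; an empty list means it is acceptable."""
    problems = []
    prefix = ipaddress.ip_network(announce["prefix"], strict=False)
    if prefix.prefixlen != 32:
        problems.append(f"prefix {prefix} is not a host route (/32)")
    if not any(prefix.subnet_of(net) for net in PROTECTED_NETWORKS):
        problems.append(f"prefix {prefix} is outside the protected networks")
    if ipaddress.ip_address(announce["nexthop"]) != BLACKHOLE_NEXT_HOP:
        problems.append(f"next hop {announce['nexthop']} is not the blackhole address {BLACKHOLE_NEXT_HOP}")
    if announce["community"] != BLACKHOLE_COMMUNITY:
        problems.append(f"community {announce['community']} is not the blackhole community {BLACKHOLE_COMMUNITY}")
    return problems


def withdraw_command(announce):
    """Build the ExaBGP withdraw that lifts the ban (assumed ExaBGP API syntax)."""
    return f"withdraw route {announce['prefix']} next-hop {announce['nexthop']}"


if __name__ == "__main__":
    for event in parse_attacks(SAMPLE_LOG):
        print(f"{event['direction']} attack on {event['ip']} at {event['power']} pps")
    for ann in parse_announces(SAMPLE_LOG):
        issues = check_announce(ann)
        print(f"{ann['prefix']} -> {ann['nexthop']}: {'OK' if not issues else issues}")
        print("to lift:", withdraw_command(ann))
```

Running the check on every announce before acting on it guards against a misconfigured rule blackholing a whole subnet or pointing traffic at the wrong next hop; a violation should raise an alert rather than be forwarded to the routers.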
On ExaBGP you should see something similar:
07:17:24 | 5877 | api | route added to neighbor 10.10.12.1 local-ip 10.10.12.3 local-as 100 peer-as 100 router-id 10.10.12.3 family-allowed in-open, neighbor 10.10.12.2 local-ip 10.10.12.3 local-as 100 peer-as 100 router-id 10.10.12.3 family-allowed in-open : 10.100.100.100/32 next-hop 192.0.2.6 community 100:666 -----> this adds, for the /32 of the server under flood, a route whose next hop is the blackhole IP address.
On Quagga1
Quagga1# show ip bgp summary
BGP router identifier 10.10.12.1, local AS number 100
RIB entries 3, using 336 bytes of memory
Peers 3, using 13 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
10.10.12.3 4 100 272 271 0 0 0 03:06:32 1 -----> a new prefix has been learned
Quagga1# show ip bgp
BGP table version is 0, local router ID is 10.10.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*>i10.100.100.100/32 192.0.2.6 100 0 i -----> 192.0.2.6 is the blackhole next-hop address
You should see similar output on the Quagga2 router.
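Checking the two vtysh outputs by eye is fine in a lab, but in operation you want the verification scripted. The Python below is an added example (not from the page or from Quagga): it parses constructed "show ip bgp summary" and "show ip bgp" output modelled on the lines above, reports whether each neighbor is Established (Quagga prints a prefix count in State/PfxRcd only for established sessions) and confirms that a valid, best /32 for the attacked host points at the blackhole next hop. The regexes assume Quagga's default column layout; the blackhole address 192.0.2.6 is the page's.

```python
import re

# Constructed output modelled on the 'show ip bgp summary' shown above.
SUMMARY_OUTPUT = """\
BGP router identifier 10.10.12.1, local AS number 100
RIB entries 3, using 336 bytes of memory
Peers 3, using 13 KiB of memory

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.10.12.3      4   100     272     271        0    0    0 03:06:32        1
"""

# Constructed output modelled on the 'show ip bgp' table shown above.
TABLE_OUTPUT = """\
BGP table version is 0, local router ID is 10.10.12.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i10.100.100.100/32 192.0.2.6                    100      0 i
"""

# Neighbor line: peer, version 4, AS, five counters, Up/Down, then State/PfxRcd
# (a number when Established, otherwise a state name such as Active or Idle (Admin)).
NEIGHBOR_RE = re.compile(
    r"^(?P<peer>\d+\.\d+\.\d+\.\d+)\s+4\s+(?P<asn>\d+)\s+(?:\S+\s+){5}(?P<updown>\S+)\s+(?P<state>.+?)\s*$"
)
# Route line: three status-code characters, then prefix and next hop.
ROUTE_RE = re.compile(
    r"^(?P<flags>.{3})(?P<prefix>\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\s+(?P<nexthop>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_summary(text):
    """Map each neighbor address to its AS, session state and received-prefix count."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        state = m["state"]
        established = state.isdigit()
        peers[m["peer"]] = {
            "as": int(m["asn"]),
            "established": established,
            "state": "Established" if established else state,
            "prefixes": int(state) if established else 0,
        }
    return peers


def parse_table(text):
    """Return one dict per route line with prefix, next hop and the valid/best/internal flags."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            flags = m["flags"]
            routes.append({
                "prefix": m["prefix"],
                "nexthop": m["nexthop"],
                "valid": "*" in flags,
                "best": ">" in flags,
                "internal": "i" in flags,
            })
    return routes


def blackhole_active(table_text, ip, blackhole_nexthop="192.0.2.6"):
    """True when a valid, best /32 route for ip points at the blackhole next hop."""
    return any(
        r["prefix"] == f"{ip}/32" and r["nexthop"] == blackhole_nexthop and r["valid"] and r["best"]
        for r in parse_table(table_text)
    )


if __name__ == "__main__":
    for peer, info in parse_summary(SUMMARY_OUTPUT).items():
        print(f"{peer} AS{info['as']}: {info['state']}, {info['prefixes']} prefix(es) received")
    print("blackhole for 10.100.100.100 active:", blackhole_active(TABLE_OUTPUT, "10.100.100.100"))
```

The same two functions serve the end of the exercise: once ExaBGP withdraws the route, blackhole_active() on fresh "show ip bgp" output returns False, which is the condition to alert on if the ban has been lifted in FastNetMon but the route is still present on a router.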
When the attack is finished:
On ExaBGP
09:57:49 | 3624 | api | route removed from neighbor 10.10.12.1 local-ip 10.10.12.3 local-as 100 peer-as 100 router-id 10.10.12.3 family-allowed in-open, neighbor 10.10.12.2 local-ip 10.10.12.3 local-as 100 peer-as 100 router-id 10.10.12.3 family-allowed in-open : 10.100.100.100/32 next-hop 192.0.2.6
On Quagga1 and Quagga2 the blackhole route is removed.