Components » BGP Connector

Wanguard sends and withdraws BGP announcements (aka advertisements or routing updates) in the following cases:

► To protect the network by announcing DDoS’ed destinations to the upstream provider(s) using a special BGP community. In less than a second, the undesirable traffic is dropped before it enters the protected network because the BGP peers will no longer route the attacked addresses, making them effectively null-routed. This network protection technique is called RTBH (Remote Triggered Black Hole), blackhole routing or null-routing
► To re-route attacked destinations through servers running Wanguard Filter, which analyzes the traffic, rejects the bad packets, and re-injects the cleaned traffic back into the network. This network protection technique is called traffic scrubbing, side filtering, sinkhole routing, or clean pipe
► To leverage BGP Flowspec for mitigation and/or traffic diversion. Flowspec enables mitigation directly on the edge router and offers a much more granular mechanism for matching traffic. Some of the match fields supported by BGP Flowspec: Destination Address, Source Address, IP Protocol, Source Port, Destination Port, ICMP Code, TCP Flags
► To announce the attacking IP in BGP when S/RTBH is available
► Console users can null-route traffic manually, e.g., to block access to a specific IP address for abuses or legal requirements
► Console users can divert traffic manually, e.g., to inspect packets for troubleshooting purposes

The following backends are handling the communication with the BGP-enabled routers:

ExaBGP is a tool typically used outside the data plane to do path manipulation on a BGP network that may be composed of closed-source components. ExaBGP supports newer technologies such as BGP Flowspec
Quagga and FRR provide a mature and widely used BGP daemon that closely resembles existing closed-source platforms like Cisco IOS. This is the recommended backend if the router doesn’t support BGP Flowspec
BGP Connector is a frontend to a previously configured backend. More specifically, a BGP Connector with ExaBGP as the backend is referred to as ExaBGP Connector, while a BGP Connector with Quagga or FRR as the backend is referred to as Quagga Connector.

To add a BGP Connector, click the [+] button from the title bar of the Configuration » Components panel. To modify an existing BGP Connector, go to Configuration » Components and click its name.

ExaBGP Connector

Before you add an ExaBGP Connector, you must have a previously-configured, fully-functional exabgpd. If you do not, jump to the ExaBGP installation section. You can have a single exabgp and many ExaBGP Connectors using it, which is useful if you need to send announcements with different parameters, e.g., when using multiple communities.

EXABGP_CONFIGURATION8.01_png

ExaBGP Connector Configuration parameters:

BGP Connector Name – A short name or description for the ExaBGP Connector
Device Group – Enter a description if you wish to organize components (e.g. by location, characteristics) or to permit fine-grained access for roles
ExaBGP Server – Select a server that runs ExaBGP
Connector Role – Setting the correct role influences the Actions shown in the New Flowspec Rule window and the priority given when there are overlapping announcements by different BGP Connectors with different roles. Prevents mitigation announcements being overwritten by similar diversion announcements
Mitigation – Select if the Connector is used for null routing or traffic filtering
Diversion – Select if the Connector is used for traffic diversion
ExaBGP Pipe – Mandatory path to the pipe file used to control exabgp. The file must be writeable by the “andrisoft” system account
Health Checker – When enabled, the existence of the ExaBGP Pipe file is checked every minute. If the file doesn’t exist, a warning is written in the event log. The status of the BGP peers is checked too, and when a BGP peer is down, another warning is written in the event log. You can view the status of the BGP peers in Reports » Devices » Overview. This functionality needs a working “exabgpcli show neighbor summary” command, executed by the “andrisoft” user
BGP Flowspec – Enable if the router supports BGP Flowspec. If the router doesn’t support Flowspec, consider using a Quagga Connector instead
Flowspec Counters – Since there is no vendor-neutral standard for reporting information about the packets and bytes dropped by Flowspec rules, this functionality is limited to only two options:
Disabled – The matched counters are not visible in Wanguard
Juniper MX – Wanguard connects by SSH to a Juniper MX router using the credentials entered when clicking the options button from the right. Every few seconds, the command “show firewall filter __flowspec_default_inet__” is executed on the router. The output is parsed, and the counters are matched with the known rules
EXABGP_CONNECTOR_FLOWSPEC_8.2
Source RTBH – Enable if the BGP Connector is used for S/RTBH, which should not be confused with the much more popular Destination RTBH. Very few networks support this functionality
BGP Neighbor – Optional parameter used to distinguish between multiple BGP neighbors
Community – BGP community or list of BGP communities to be appended to each announcement. Not mandatory
Extended Community – BGP extended community or list of BGP extended communities to be appended to each announcement. Not mandatory
Redirect (IP/VRF) – Optional parameter for diversion. Can be an IP, VRF, or “self”
Route Distinguisher – An optional rd value to be passed with each announcement
Flow Direction – Switches the source IP with the destination IP in each announcement. Set to “Inverted” only when doing symmetric routing
Other Parameters – Other parameters that will be passed with each announcement, such as local-preference or as-path, in exabgp.conf’s format, separated by a semicolon
Reject External IPs – When checked, it permits only announcements for the prefixes defined in an IP Zone
Max. Flowspec Rules – The number of Flowspec rules accepted by routers is limited, so you may have to enter your router’s limit here to prevent overflowing the Flowspec table size. Limits published by vendors: Alcatel-Lucent 512, Cisco (ASR9k) 3000, Juniper 8000
Reject IPv4 under / – Restricts sending prefixes that have the IPv4 CIDR mask less than the configured value. For example, a value of 32 rejects all prefixes that are not hosts and prevents manual or automatic announcements of subnets. To disable this feature enter the value 0
Reject IPv6 under / – Restricts sending prefixes that have the IPv6 CIDR mask less than the configured value. For example, a value of 128 rejects all prefixes that are not hosts and prevents manual or automatic announcements of subnets. To disable this feature enter the value 0
Restrict IPv4 over / – Set to the maximum IPv4 CIDR mask accepted by your cloud-based DDoS mitigation providers. For example, if your BGP peers accept only /24 prefixes, and you want to announce a whole C class for a single attacked IP, set it to 24. To disable this feature enter the value 32
Restrict IPv6 over / – Set to the maximum IPv6 CIDR mask accepted by your cloud-based DDoS mitigation providers. To disable this feature enter the value 128
Withdrawals – The withdrawal of announcements can be delayed until the time interval specified in the Business Hours field has passed
Comments – Comments about the ExaBGP Connector can be saved here. These observations are not visible elsewhere

To enable the ExaBGP Connector, click the small on/off switch button displayed next to its name in the Configuration » Components panel.

After the ExaBGP Connector is enabled, it can be used by Wanguard Sensor and Wanguard Filter when a Response activates it. To mitigate attacks automatically using Flowspec, configure a Wanguard Filter, and add the “Announce a BGP routing update with Flowspec or S/RTBH” action from the “When a filtering rule is detected” panel of the Response.

Wanguard Console users can send Flowspec announcements via the ExaBGP Connector in Reports » Tools » Routing » [Add Flowspec Rule]. Console users can also use the REST API to send Flowspec announcements from any scripting language.

All BGP routing updates are logged in Reports » Tools » Routing » BGP Announcement Archive. If you encounter errors, check the BGP Connector Troubleshooting steps.

ExaBGP Installation

Wanguard connects to exabgpd using the ExaBGP Connector described in the previous section. The configuration of exabgp.conf exceeds the scope of this documentation. In the Network Integration Guideline chapter, you can find some information about various deployment scenarios and the configuration needed on the routers.

The installation process varies according to the Linux distribution and ExaBGP version.

Install and enable ExaBGP from the package repository:

[root@localhost ~]# apt install exabgp
[root@localhost ~]# systemctl enable exabgp

Create the exabgp config file in /etc/exabgp/exabgp.conf. Example:

neighbor 10.0.0.2 {
  router-id 10.0.0.1;
  local-address 10.0.0.1;
  local-as 65000;
  peer-as 65000;
}

Start and check the exabgp service:

[root@localhost ~]# systemctl start exabgp
[root@localhost ~]# systemctl status exabgp

Enter /run/exabgp/exabgp.in in the ExaBGP Pipe field from the ExaBGP Connector.

Quagga Connector

Before you add a Quagga Connector, you must have a previously-configured, fully-functional bgpd. If you do not, jump to the Quagga / FRR installation section. You can have a single bgpd and many Quagga Connectors using it, which is helpful if you need to send announcements with different parameters, e.g., when using multiple route-maps to send different communities.

QUAGGA_CONFIGURATION8.01_png

Quagga Connector Configuration parameters:

BGP Connector Name – A short name or description of the Quagga Connector
Device Group – Enter a description if you wish to organize components (e.g. by location, characteristics) or to permit fine-grained access for roles
BGPd Server – Select a server that runs Quagga bgpd or FRR bgpd
Connector Role – Setting the correct role influences the Actions shown in Reports » Tools » Routing and the priority given when there are overlapping announcements by different BGP Connectors with different roles. Prevents mitigation announcements being overwritten by similar diversion announcements
Mitigation – Select if the Connector is used for null routing or traffic filtering
Diversion – Select if the Connector is used for traffic diversion
Source RTBH – Enable if the BGP Connector is used for S/RTBH, which should not be confused with the much more popular Destination RTBH. Very few networks support this functionality
Health Checker – When enabled, the status of the BGP peers is checked every minute. When a BGP peer is down, a warning is written in the event log. You can view the status of the BGP peers in Reports » Devices » Overview
AS Number – Enter the same AS number used in the bgpd configuration
Route Map – A route-map that will be used for each announcement. This option is not mandatory but widely used to append communities to the routing update. If you need to use multiple route maps, define multiple Quagga Connectors, one for each route map
AS View – If multiple AS views are defined in the bgpd configuration, enter the AS view you want to use for this Quagga Connector. This option is not mandatory and is rarely used
Login Password – Password needed to connect to the bgpd daemon
Enable Password – Configuration mode password of the bgpd daemon
Reject External IPs – When checked, it permits only announcements for the prefixes defined in an IP Zone
Reject IPv4 under / – Restricts sending prefixes that have the IPv4 CIDR mask less than the configured value. For example, a value of 32 rejects all prefixes that are not hosts and prevents manual or automatic announcements of subnets. To disable this feature enter the value 0
Reject IPv6 under / – Restricts sending prefixes that have the IPv6 CIDR mask less than the configured value. For example, a value of 128 rejects all prefixes that are not hosts and prevents manual or automatic announcements of subnets. To disable this feature enter the value 0
Restrict IPv4 over / – Set to the maximum IPv4 CIDR mask accepted by your cloud-based DDoS mitigation providers. For example, if your BGP peers accept only /24 prefixes, and you want to announce a whole C class for a single attacked IP, set it to 24. To disable this feature enter the value 32
Restrict IPv6 over / – Set to the maximum IPv6 CIDR mask accepted by your cloud-based DDoS mitigation providers. To disable this feature enter the value 128
Quagga/FRR bgpd.conf – The content of the bgpd.conf file can be viewed and changed from the CLI or the user interface. The file’s location is determined by the Linux Distribution parameter from Configuration » Servers. If you replaced the default daemon that came with the distribution, edit the file and restart bgpd only from CLI. The bgpd.conf file uses a format very similar to the Cisco IOS configuration format. Quagga’s documentation covers the configuration options
QUAGGA_CONNECTOR_BGPD_8.2
Zebra Local Black Hole – Check if you need the local black hole feature provided by the Zebra daemon. This rarely-used feature is useful only for inline servers
Zebra Login & Enable Password – Credentials required to connect to the zebra daemon
Comments – Comments about the Quagga Connector can be saved here. These observations are not visible elsewhere

To enable the Quagga Connector, click the small on/off switch button displayed next to its name in the Configuration » Components panel.

After the Quagga Connector is enabled, it can be used by Wanguard Sensor when a Response activates it.

Wanguard Console users can send black hole or diversion announcements via the Quagga Connector in Reports » Tools » Routing » [Create Blackhole] or [Divert Traffic]. Console users can also use the REST API to send BGP announcements from any scripting language.

Quagga / FRR Installation

Wanguard sends and withdraws BGP announcements via the bgpd daemon provided by Quagga or FRR. The installation instructions are distribution-specific:

Install FRR, then edit /etc/frr/daemons. Change bgpd=no to bgpd=yes and remove the string “-A 127.0.0.1” from the bgpd_options line.

[root@localhost ~]# apt install frr
[root@localhost ~]# nano /etc/frr/daemons

To be able to start the bgpd service, create a basic configuration file. Setting a password for the bgpd daemon is usually enough to get it started. Replace “bgppass” with your own password.

[root@localhost ~]# echo 'password bgppass' > /etc/frr/bgpd.conf
[root@localhost ~]# echo 'enable password bgppass' >> /etc/frr/bgpd.conf
[root@localhost ~]# chown frr /etc/frr/bgpd.conf
[root@localhost ~]# mv /etc/frr/frr.conf /etc/frr/frr.conf_bak
[root@localhost ~]# systemctl enable frr
[root@localhost ~]# systemctl restart frr

Connect to the bgp daemon with telnet on localhost port 2605 (default bgpd port) and enter the previously-defined password (“bgppass”) when requested.

[root@localhost ~]# telnet 127.0.0.1 2605
localhost> enable
localhost# config terminal
localhost(config)#

Configure bgpd using the commands shown in the following example after adapting them to your own network. Please note that you can use the prefix-list, route-map, or distribute-list method for filtering outgoing routing information. To have a uniform approach, the following example uses route-maps. Optionally, BGP authentication can be configured to increase security and avoid any illegal BGP announcement which may lead to a security breach.

localhost(config)# router bgp <Wanguard-Filter-AS-number>
localhost(config-router)# bgp router-id <Wanguard-Filter-IP-address>
localhost(config-router)# neighbor <Router-IP-address> remote-as <Router-AS-number>
localhost(config-router)# neighbor <Router-IP-address> description <description>
localhost(config-router)# neighbor <Router-IP-address> password <BGP MD5 password>
localhost(config-router)# neighbor <Router-IP-address> route-map Wanguard-Filter-in in
localhost(config-router)# neighbor <Router-IP-address> route-map Wanguard-Filter-out out
localhost(config-router)# no bgp network import-check
localhost(config-router)# exit
localhost(config)# route-map Wanguard-Filter-in deny 10
localhost(config-route-map)# exit
localhost(config)# route-map Wanguard-Filter-out permit 10
localhost(config-route-map)# set community no-advertise <Wanguard-Filter-community>
localhost(config-route-map)# exit
localhost(config)# write
localhost(config)# exit

To display the bgpd configuration, enter the show running-config command from the “enable” command level. In the following example, the router’s AS number is 1000, and the BGPd AS number is 65000.

The following partial sample output is displayed:

localhost# show running-config
... skipped ...
router bgp 65000
bgp router-id 192.168.1.100
no bgp network import-check
neighbor 192.168.1.1 remote-as 1000
neighbor 192.168.1.1 description divert-from router
neighbor 192.168.1.1 soft-reconfiguration inbound
neighbor 192.168.1.1 route-map Wanguard-Filter-in in
neighbor 192.168.1.1 route-map Wanguard-Filter-out out
!
route-map Wanguard-Filter-in deny 10
!
route-map Wanguard-Filter-out permit 10
set community no-advertise
!
line vty
... skipped ...

IPv4 and IPv6 in Quagga / FRR

The bgpd.conf excerpt below illustrates an example of IPv4 and IPv6 RTBH (Remotely Triggered Black Hole). Two communities were used. Community 667 is for the own infrastructure to avoid on RTBH our self. It is not installed on the RIB and only sent to upstreams.

router bgp 65002
 bgp router-id 198.51.100.220
 no bgp default ipv4-unicast
 neighbor 198.51.100.77 remote-as 65000
 neighbor 198.51.100.77 description RouteReflector1
 neighbor 198.51.100.77 ebgp-multihop 10
 neighbor 198.51.100.77 activate
 neighbor 198.51.100.77 route-map RM-DENY in
 neighbor 198.51.100.77 route-map RM-IPV4-ADVERTISE-NULL out
 neighbor 198.51.100.88 remote-as 65000
 neighbor 198.51.100.88 description RouteReflector2
 neighbor 198.51.100.88 ebgp-multihop 10
 neighbor 198.51.100.88 activate
 neighbor 198.51.100.88 route-map RM-DENY in
 neighbor 198.51.100.88 route-map RM-IPV4-ADVERTISE-NULL out
 neighbor 2001:DB8::77 remote-as 65000
 neighbor 2001:DB8::77 description RouteReflector1
 neighbor 2001:DB8::77 ebgp-multihop 10
 neighbor 2001:DB8::77 override-capability
 neighbor 2001:DB8::88 remote-as 65000
 neighbor 2001:DB8::88 description RouteReflector2
 neighbor 2001:DB8::88 ebgp-multihop 10
!
 address-family ipv6
 neighbor 2001:DB8::77 activate
 neighbor 2001:DB8::77 soft-reconfiguration inbound
 neighbor 2001:DB8::77 route-map RM-DENY in
 neighbor 2001:DB8::77 route-map RM-IPV6-ADVERTISE-NULL out
 neighbor 2001:DB8::88 activate
 neighbor 2001:DB8::88 soft-reconfiguration inbound
 neighbor 2001:DB8::88 route-map RM-DENY in
 neighbor 2001:DB8::88 route-map RM-IPV6-ADVERTISE-NULL out
 exit-address-family
!
ip prefix-list PL-IPV4-ANY-AUTOMATIC-RTBH seq 5 permit 0.0.0.0/0 ge 32
ip prefix-list PL-IPV4-INFRA-AUTOMATIC-RTBH seq 5 permit 198.51.100.0/24 le 32
!
ipv6 prefix-list PL-IPV6-ANY-AUTOMATIC-RTBH seq 5 permit ::/0 ge 128
ipv6 prefix-list PL-IPV6-INFRA-AUTOMATIC-RTBH seq 5 permit 2001:DB8::/64 le 128
!
route-map RM-DENY deny 10
!
route-map RM-IPV4-ADVERTISE-NULL permit 10
 match ip address prefix-list PL-IPV4-INFRA-AUTOMATIC-RTBH
 set community 65000:667
 set ip next-hop 198.51.100.220
!
route-map RM-IPV4-ADVERTISE-NULL permit 20
 match ip address prefix-list PL-IPV4-ANY-AUTOMATIC-RTBH
 set community 65000:666
 set ip next-hop 198.51.100.220
!
route-map RM-IPV6-ADVERTISE-NULL permit 10
 match ipv6 address prefix-list PL-IPV6-INFRA-AUTOMATIC-RTBH
 set community 65000:667
 set ipv6 next-hop global 2001:DB8::220
!
route-map RM-IPV6-ADVERTISE-NULL permit 20
 match ipv6 address prefix-list PL-IPV6-ANY-AUTOMATIC-RTBH
 set community 65000:666
 set ipv6 next-hop global 2001:DB8::220
!

Debug commands (2001:DB8::666 and 198.51.100.66 are null routed):

quagga# show vers
Quagga 0.99.24.1 ().


quagga# sh ipv6 bgp summary
BGP router identifier 198.51.100.220, local AS number 65002
RIB entries 1, using 112 bytes of memory
Peers 4, using 18 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
2001:DB8::77    4 65000   18675   18683        0    0    0 01:08:19        0
2001:DB8::88    4 65000   18675   18691        0    0    0 00:23:48        0

Total number of neighbors 2

quagga# sh ipv6 bgp neighbors 2001:DB8::88 advertised-routes

   Network          Next Hop            Metric LocPrf Weight Path
*> 2001:DB8::666/128
                    2001:DB8::220
                                            0         32768 i

quagga# sh ip bgp summary
BGP router identifier 198.51.100.220, local AS number 65002
RIB entries 3, using 336 bytes of memory
Peers 4, using 18 KiB of memory

Neighbor        V         AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
198.51.100.77   4 65000   18672   18681        0    0    0 01w5d23h        0
198.51.100.88   4 65000   18671   18681        0    0    0 01w5d23h        0


quagga# sh ip bgp nei 198.51.100.88 advertised-routes

   Network          Next Hop            Metric LocPrf Weight Path
*> 198.51.100.66/32
                    198.51.100.220           0         32768 i

BGP Connector Troubleshooting

✔ Make sure that you have correctly configured the BGP Connector. Each configuration parameter is described in depth in this chapter
✔ Go to Help » Software Updates to make sure that you are running the latest version of the software
✔ Look for warnings and errors in Reports » Tools » Routing » BGP Connector Events. Some events contain additional information which is visible when clicking the [+] sign from the first column
✔ If the event log shows connection errors on port tcp/2605 then bgpd is not accessible via telnet on the IP listed in Configuration » Servers. By default, bgpd is bound to 127.0.0.1, which is why the string “-A 127.0.0.1” must be deleted from bgpd’s starting scripts
✔ If the event log shows connection errors on port tcp/2601 then Quagga Connector was configured with the Zebra Local Back Hole feature, although zebra is either not configured or not accessible from the Console server
✔ If the event log shows pattern timeout errors, then there is a mismatch between a parameter (password, AS number, route-map, AS view) defined in the Quagga Connector and the similar parameter from bgpd.conf
✔ If in Reports » Tools » Routing » Active BGP Announcements you see errors about “orphaned” announcements, check the following possible causes:
▪ If the anomaly was stopped forcefully by clicking [Batch Actions] » Expire in Reports » Tools » Anomalies
▪ If the Sensor that detected the anomaly is no longer running or if it was deleted
▪ If the WANsupervisor service was not running at the time of the withdrawal
▪ If there were connection issues between the Console server and the server running bgpd or exabgpd
▪ If bgpd or exabgpd were running, and in the case of exabgpd if the pipe file is accessible
✔ You can clear the failed announcements from Reports » Tools » Routing » Active BGP Announcements by clicking [Batch Actions] » Clear