Some recent events have helped me gain a rapid education in DDoS mitigation stuff. This basically comes down to "pick an upstream with a good NOC" and "being able to call up and request ACLs/rate limiting costs money".
Level3's "SOC" is a joke, don't give those people money for security services.
That said, RTBH is something that I should have had set up long ago, it seems. I got a basic BGP community setup for one upstream and tested it and it's awesome. Set up a null route and a network statement and traffic to the IP halts at the provider's edge. Love it.
Looking at the config though, communities are global - they apply to all peers. I need to set this up with my other upstream and I'm at a loss as to how to send one provider one community and the other provider another community.
Here's my (very basic) config that works for a single provider:
!
route-map u1-blackhole permit 10
 set community 12345:666
!
router bgp 5432
 network 1.2.3.4 mask 255.255.255.255 route-map u1-blackhole
 address-family ipv4
  neighbor a.b.c.d send-community
Could I just change this to something like this and be safe?
!
route-map u1-blackhole permit 10
 set community 12345:666
!
! add:
route-map u2-blackhole permit 10
 set community 54321:1666
!
router bgp 5432
 network 1.2.3.4 mask 255.255.255.255 route-map u1-blackhole
 ! add:
 network 1.2.3.4 mask 255.255.255.255 route-map u2-blackhole
 address-family ipv4
  neighbor a.b.c.d send-community
  ! add:
  neighbor d.c.b.a send-community
And the old CLI command I remember to show top talkers does not seem to be available on IOS-XE (03.10.02.S). I can use nfsen to grab stats and see what IP is being hit, but that takes time. Is there any way to see this directly on the router without upgrading to a new IOS?
Thanks all...
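Another way to get per-upstream tagging, added here as an illustration and not a configuration from this thread: keep a single locally tagged null route and let each neighbor's outbound route-map translate it into that provider's blackhole community. The provider communities 12345:666 and 54321:1666, AS 5432, the neighbor addresses and 1.2.3.4 are the values quoted above; tag 666, community 5432:666 and the route-map and community-list names are assumed.

```ios
! Added example, not from this thread: one locally tagged null route,
! rewritten to each upstream's blackhole community on the way out.
! Tag 666, community 5432:666 and the route-map/list names are assumed.
!
! Any /32 pointed at Null0 with tag 666 is a blackhole request.
ip route 1.2.3.4 255.255.255.255 Null0 tag 666
!
! Only tagged statics enter BGP; untagged statics are never leaked.
route-map STATIC-TO-BGP permit 10
 match tag 666
 set community 5432:666
!
ip community-list standard LOCAL-BLACKHOLE permit 5432:666
!
! Per-upstream outbound policy: replace the local marker with the
! provider's community ('set community' without 'additive' replaces).
! Sequence 20 passes everything else unchanged.
route-map TO-U1 permit 10
 match community LOCAL-BLACKHOLE
 set community 12345:666
route-map TO-U1 permit 20
!
route-map TO-U2 permit 10
 match community LOCAL-BLACKHOLE
 set community 54321:1666
route-map TO-U2 permit 20
!
router bgp 5432
 address-family ipv4
  redistribute static route-map STATIC-TO-BGP
  neighbor a.b.c.d send-community
  neighbor a.b.c.d route-map TO-U1 out
  neighbor d.c.b.a send-community
  neighbor d.c.b.a route-map TO-U2 out
!
! Check the local entry and its community before relying on it:
! show ip bgp 1.2.3.4 255.255.255.255
```

Removing the static route withdraws the /32 from both upstreams at once, so the blackhole is lifted in one step rather than per provider.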
And following up to myself, tested with both providers set up as above and it works.
Still curious about a "top talkers" or other command-line stuff to show traffic real-time without waiting for my netflow collector to catch up.
IOS has top talkers built in, but it expires with the cache.
Are you sure on XE? Some feature matrix I saw suggested I'd have to go more bleeding edge to get that. The closest I've come is some giant list of current flows:
l3-1002x# sh flow monitor ?
  broker      Show the flow monitor broker
  inbound-1   User defined
  name        Name a specific Flow Monitor
  outbound-1  User defined
  type        Type of the Flow Monitor
  |           Output modifiers
  <cr>

l3-1002x# sh flow monitor in
l3-1002x# sh flow monitor inbound-1 ?
  cache       Flow monitor cache contents
  statistics  Flow monitor statistics
  |           Output modifiers
  <cr>
The "statistics" option is just an overview of the caches and such. "cache" is a dump of the whole cache.
This is traditional IOS, but you could manually set up a top talkers section:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/12-4t/nf-12-4t-book/cfg-nflow-top-talk.html