In our previous blog post, we talked about AS (autonomous system) prepending, but sometimes a customer has restrictions that do not allow them to use AS prepending. If the customer owns a less specific prefix, for example a /23, they can advertise a more specific route (a /24) towards Imperva and continue sending the /23 route to their ISP. When we look at the routing tables of different ISPs, we will see that the protected range is routed through Imperva while the rest of the range is still reached through the customer's local ISPs.
Let's continue using the same lab. This time the customer has an aggregate route of 123.1.0.0/23 (123.1.0.0/24 and 123.1.1.0/24). They decided that they only want 123.1.0.0/24 to be protected in this case, and the rest of the traffic will continue routing through the public Internet without protection.
Let’s take a look at the ISP1 routing table.
As we see from the routing table of ISP1, even though the customer is directly connected to ISP1, because the customer is advertising 123.1.0.0/24 to Imperva, the best path for that /24 is the one learned from AS3356 (ISP2), which in turn received it from AS19551 (Imperva). Meanwhile, the aggregate route (123.1.0.0/23) is learned directly from AS1 (the customer).
We should note that more specific routing isn't part of the BGP (border gateway protocol) best path algorithm, which only compares candidate paths for the same prefix. Longest-prefix matching happens at forwarding time: a router always selects the most specific matching range in the routing table and forwards the packet along that path. As we saw in the drawing above, both 123.1.0.0/23 and 123.1.0.0/24 are stored in the routing table. When we do "show route 123.1.0.0/24" to check how ISP1 is learning that route, we can clearly see that it ignores 123.1.0.0/23, and a traceroute will go through Imperva as expected.
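As an added illustration (not Imperva's code or any tool from the post), the following Python models ISP1's routing table from the lab and shows that longest-prefix match is applied before BGP best-path selection ever compares AS paths, and what happens if the more specific route is withdrawn. The prefixes are the lab's 123.1.0.0/23 and its protected /24, the AS numbers are those named in the post, and the exact AS-path contents are assumed.

```python
from ipaddress import ip_address, ip_network

# Constructed RIB as ISP1 would see it in the lab: each prefix maps to the
# candidate BGP paths ISP1 learned for it, as (AS path, description).
# AS numbers follow the post (AS1 customer, AS3356 ISP2, AS19551 Imperva);
# the exact AS-path composition is an assumption.
RIB = {
    ip_network("123.1.0.0/23"): [((1,), "direct from customer")],
    ip_network("123.1.0.0/24"): [((3356, 19551, 1), "via ISP2 -> Imperva")],
}


def bgp_best_path(paths):
    """Simplified BGP best-path selection: among candidates for the SAME
    prefix, prefer the shortest AS path (other tie-breakers omitted)."""
    return min(paths, key=lambda p: len(p[0]))


def lookup(dst, rib=RIB):
    """Forwarding lookup: longest-prefix match first, then the BGP best path
    within the winning prefix. Because prefix length is decided before AS-path
    length is ever compared, the /23's shorter AS path cannot beat the /24."""
    addr = ip_address(dst)
    candidates = [net for net in rib if addr in net]
    if not candidates:
        return None
    best_prefix = max(candidates, key=lambda net: net.prefixlen)
    as_path, via = bgp_best_path(rib[best_prefix])
    return str(best_prefix), as_path, via


def lookup_after_withdraw(dst, prefix, rib=RIB):
    """Same lookup with one prefix withdrawn: traffic for the protected /24
    falls back to the /23 (customer direct) if the more specific route
    disappears, which is what makes advertising both at once safe."""
    remaining = {net: paths for net, paths in rib.items()
                 if net != ip_network(prefix)}
    return lookup(dst, remaining)


if __name__ == "__main__":
    for host in ("123.1.0.10", "123.1.1.10"):
        print(host, "->", lookup(host))
    print("123.1.0.10 after /24 withdrawn ->",
          lookup_after_withdraw("123.1.0.10", "123.1.0.0/24"))
```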
Sending a more specific prefix is one of the most preferred ways to route traffic through Imperva, and we always encourage customers to use this method if the option is available to them. This concept is easy to understand and also very safe, because the customer can advertise to both Imperva and their ISP at the same time. However, not all customers own a /23 or shorter prefix. In an upcoming article, we will continue to talk about other techniques that might help customers route traffic to Imperva.
The post DDoS Protection for Networks: Divert Traffic Using More Specific Routin appeared first on Blog.
*** This is a Security Bloggers Network syndicated blog from Blog authored by Wallace Lee. Read the original post at: https://www.imperva.com/blog/ddos-protection-for-networks-divert-traffic-using-more-specific-routin/