Hello, we are witnessing a Distributed DoS attack from ports 23, 2323, 17 and 53. We have two 500 bps providers and some ISP clients and when the attack occurs we saturate the providers. If we block the attacks in the router we are also saturated because the traffic is not connection oriented. I leave an image to explain it
I think the best way to mitigate this is with BGP communities, we have the blackhole bgp communities of our suppliers but we do not know how to detect the attack with the MX5. Someone could help me? I need to detect the DDoS attack and the attacked IP apply the blackhole community so that the providers discard that traffic.
The /32 or /128 prefix must be one included in the customer's existing ingress BGP filter
Which means that if Your ISP is NTT, and You are attacked with spoofed src IP 18.104.22.168. (22.214.171.124 belongs to GOOG) then You won't be able to announce e.g. 126.96.36.199/32 to NTT with blackholing community. No way. If NTT would allow You to do that, they will shoot themselves into the foot: Your 188.8.131.52/32 announcement would be most specific and all DNS traffic within NTT destined to 184.108.40.206 would go to Your MX5.
Same with Hurricane Electric ISP https://www.he.net/adm/blackhole.html - You are supposed to [a] null-route Your OWN /32 under attack and [b] announce it to HE with blackhole community 6939:666 .
I suggest You to read RFC 5635 https://tools.ietf.org/html/rfc5635 to understand how destination RTBH and source RTBH work, and then decide if You want to announce Your own /32 under attack to get it blackholed - i.e. "complete the attack on the behalf of the attacker" as described in RFC 5635 section 3.1.
how do I apply the policies automatically in the MX5?
With fastnetmon.com specifically, I believe You can use iBGP to advertise dst IP/32 being attacked from fastnetmon server to Your MX5, and then announce these IP/32 to Your ISP.
With other collectors that do not support BGP, you can use Python script with Juniper PyEz library (https://github.com/Juniper/py-junos-eznc) running on that collector server to connect to Your MX5 via SSH & configure the required IP/32 in Your MX5 as static/BGP static routes
Yes, that's right. From FastNetMon's side we offer complete support for BGP unicast (for blackhole announces) and BGP Flow Spec (RFC 5575) to filter out only malicious traffic. using your router. More details you could find here: https://fastnetmon.com/advanced-quick-start/