BGP Automation
BGP Automation for flowAnalyzer
aurologic flowAnalyzer uses BGP both to receive the routes under observation and to adjust their configuration without any interaction with our API. Newly announced and withdrawn routes are automatically reflected on the flowAnalyzer infrastructure. This means that a prefix announced as a downstream or from AS30823 is automatically tagged with 30823:30823 (customer BGP community). Routes with that tag are forwarded from our core routers to the BGP daemon running on the flowAnalyzer infrastructure. New announcements are added every three seconds, and a withdrawn announcement automatically causes more specific announcements (e.g. RTBH / flowShield / flowProxy) to be withdrawn as well.
Routes announced by flowAnalyzer are always announced with BGP add-path. The path identifier then falls within one of the following ranges:
- 1000-1999 -> RTBH route; with only one dummy next-hop present, the path identifier is always 1000
- 2000-2999 -> flowShield route; multiple different flowShield nodes cause flowAnalyzer to announce multiple routes (e.g. 2 routes for 2 nodes)
- 3000-3999 -> flowProxy route; multiple different flowProxy nodes cause flowAnalyzer to announce multiple routes (e.g. 2 routes for 2 nodes)
BGP communities such as 30823:30820 (RTBH), 30823:30828 (flowShield) and 30823:30829 (flowProxy) are automatically set on the respective routes so that the different types can be distinguished upon route import (e.g. to match within a policy and apply a different local-preference). Note that in regular setups the RTBH route must have the highest local-preference, flowShield a lower one than the RTBH route, and flowProxy the lowest. This ensures efficient attack handling.
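The import logic described above, modelled as an added example (not aurologic's own code or configuration): it classifies add-path routes by path identifier and community, rejects routes where the two disagree, and picks the preferred type per prefix. The local-preference values 300/200/100, the consistency check and the sample routes are assumptions; only the ranges, communities and preference order come from this page.

```python
from dataclasses import dataclass

# Ranges and communities are from the page; local-preference values are assumed (only their order is documented).
ROUTE_TYPES = {
    "RTBH":       (range(1000, 2000), "30823:30820"),
    "flowShield": (range(2000, 3000), "30823:30828"),
    "flowProxy":  (range(3000, 4000), "30823:30829"),
}
LOCAL_PREF = {"RTBH": 300, "flowShield": 200, "flowProxy": 100}

@dataclass(frozen=True)
class Route:
    prefix: str
    path_id: int
    next_hop: str
    communities: frozenset

def classify(route):
    """Return the route type, or raise ValueError if path identifier and community disagree."""
    by_id = [t for t, (ids, _) in ROUTE_TYPES.items() if route.path_id in ids]
    by_comm = [t for t, (_, c) in ROUTE_TYPES.items() if c in route.communities]
    if len(by_id) != 1 or by_comm != by_id:
        raise ValueError(f"{route.prefix} path-id {route.path_id}: id={by_id} communities={by_comm}")
    return by_id[0]

def import_policy(routes):
    """Return ({prefix: (type, local_pref, next_hops)} for the preferred type, list of rejected routes)."""
    accepted, rejected = {}, []
    for r in routes:
        try:
            kind = classify(r)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        accepted.setdefault(r.prefix, {}).setdefault(kind, []).append(r.next_hop)
    best = {}
    for prefix, kinds in accepted.items():
        kind = max(kinds, key=LOCAL_PREF.get)  # highest local-preference wins
        best[prefix] = (kind, LOCAL_PREF[kind], sorted(kinds[kind]))
    return best, rejected

# Constructed sample routes using documentation address space, not real data.
SAMPLE = [
    Route("192.0.2.10/32", 2000, "198.51.100.1", frozenset({"30823:30828"})),
    Route("192.0.2.10/32", 2001, "198.51.100.2", frozenset({"30823:30828"})),
    Route("192.0.2.10/32", 1000, "198.51.100.254", frozenset({"30823:30820"})),
    Route("192.0.2.20/32", 3000, "198.51.100.3", frozenset({"30823:30829"})),
    Route("192.0.2.30/32", 2000, "198.51.100.1", frozenset({"30823:30820"})),  # mismatch
]
```

Calling `import_policy(SAMPLE)` shows the RTBH route overriding the two flowShield paths for the same prefix, and the mismatched route being rejected rather than imported with the wrong preference.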