DDoS Protection for Networks: Divert Traffic Using More Specific Routing | Imperva


In our previous blog post, we talked about AS (autonomous system) prepending, but sometimes a customer has restrictions that do not allow them to use AS prepending. If the customer owns a less specific prefix, for example a /23, they can advertise a more specific route (a /24) towards Imperva and continue sending the /23 route to their ISP. When we look at the routing tables of different ISPs, we see that the protected range is routed through Imperva while the rest of the range comes from the local ISPs.

[Diagram: Divert Traffic Using More Specific Routing]

Let’s continue using the same lab. This time the customer has an aggregated route of 123.1.0.0/23 (123.1.0.0/24 and 123.1.1.0/24). They decided that they only want 123.1.1.0/24 to be protected in this case, and the rest of the traffic will continue routing through the public Internet without protection.

Let’s take a look at the ISP1 routing table.

[Figure: Infra DDoS specific route]

As we see from the routing table of ISP1, even though the customer is directly connected to ISP1, the most preferred route for 123.1.1.0/24 is the one learned from AS3356 (ISP2), which in turn received it from AS19551 (Imperva), because the customer is advertising 123.1.1.0/24 to Imperva. Meanwhile, the aggregate route (123.1.0.0/23) is still learned directly from AS1 (the customer).

We should note that more specific routing isn’t part of the BGP (border gateway protocol) best path algorithm. It is simply longest prefix match: a router will always look at the most specific range in the routing table that covers the destination and forward the packet using that path. As we saw in the drawing above, both 123.1.0.0/23 and 123.1.1.0/24 are stored in the routing table. When we run “show route 123.1.1.0/24” to check how ISP1 is learning that route, we can clearly see that it ignores 123.1.0.0/23, and a traceroute goes through Imperva as expected.

[Figure: Infra DDoS specific route 2]
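To make the longest-prefix-match behaviour above concrete, here is an added example (not code from the Imperva post or its lab) that models ISP1's routing table with the two routes from this scenario and shows which route wins for addresses in each half of the /23. The routing-table entries, next hops and AS paths are constructed to mirror the lab; the `check_protected_prefix` helper is an assumed pre-flight check, not an Imperva procedure.

```python
from ipaddress import ip_address, ip_network

# Constructed routing table for ISP1, mirroring the lab: the customer (AS1)
# sends the /23 aggregate directly, while the protected /24 is learned via
# ISP2 (AS3356), which received it from Imperva (AS19551). AS paths are assumed.
ISP1_RIB = {
    ip_network("123.1.0.0/23"): {"next_hop": "AS1 (customer)", "as_path": [1]},
    ip_network("123.1.1.0/24"): {"next_hop": "AS3356 (ISP2)", "as_path": [3356, 19551, 1]},
}


def check_protected_prefix(aggregate: str, protected: str):
    """Assumed pre-flight check before advertising to the scrubbing provider:
    the protected range must be a strictly more specific prefix inside the
    aggregate the customer keeps advertising to its ISP."""
    agg, prot = ip_network(aggregate), ip_network(protected)
    if prot.prefixlen <= agg.prefixlen or not prot.subnet_of(agg):
        raise ValueError(f"{protected} is not a more specific route inside {aggregate}")
    return str(prot)


def lookup(rib: dict, dst: str):
    """Longest-prefix match: among all routes covering dst, pick the one with
    the longest mask. This is a RIB/FIB forwarding decision and does not
    involve BGP best-path attributes such as AS path length."""
    addr = ip_address(dst)
    candidates = [net for net in rib if addr in net]
    if not candidates:
        return None
    best = max(candidates, key=lambda net: net.prefixlen)
    return str(best), rib[best]


if __name__ == "__main__":
    check_protected_prefix("123.1.0.0/23", "123.1.1.0/24")
    for dst in ("123.1.1.10", "123.1.0.10"):
        net, route = lookup(ISP1_RIB, dst)
        print(f"{dst} -> {net} via {route['next_hop']} as_path={route['as_path']}")
```

Traffic to 123.1.1.10 matches the /24 and is forwarded towards ISP2 and Imperva, while 123.1.0.10 only matches the /23 and goes straight to the customer, exactly as the lab's routing table shows.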

Sending a more specific path is one of the most preferred ways to route traffic through Imperva, and we always encourage customers to use this method if the option is available to them. This concept is easy to understand and also very safe due to the ability to advertise to both Imperva and their ISP at the same time. However, not all customers have the ability to own a /23 or shorter. In an upcoming article, we will continue to talk about other techniques that might be able to help customers route traffic to Imperva.