May 31, 2024

Simplifying Cloud Diversion Route Policies for Better Efficiency and Risk Management with Nexusguard On-Net

Organizations entrusted with the ownership or management of an Autonomous System (AS) can harness Nexusguard Cloud Diversion to unlock unparalleled advantages. This robust solution provides an all-encompassing shield for your entire IP subnet, delivering comprehensive and resilient protection against a wide range of threats.

Crafting an Effective Route Policy Strategy

When faced with the daunting task of mitigating volumetric DDoS attacks, it can prove advantageous to approach the issue with a fresh perspective. These attacks pose a threat to network availability by overwhelming the available bandwidth. However, the true advantage awaits those who successfully address three fundamental questions:

1. Should the under attack network be announced automatically or manually?

When it comes to the two approaches, manual and automatic, for dealing with DDoS attacks, there are advantages and disadvantages to consider:

(a) Manual Approach

Pros: One of the benefits of the manual approach is the ability to conduct verification before implementing diversion. This ensures a safer decision-making process, as potential issues can be thoroughly assessed beforehand.

Cons: However, the manual approach may introduce delays during the verification process. Additionally, during non-working hours, there may be a lack of experienced engineer support, which could impact the effectiveness of the response. Human error in configuring the route policy is also a potential drawback to be mindful of.

(b) Automatic Approach

Pros: The automatic approach offers a faster response time, thanks to its automated nature. It is pre-configured, which helps avoid the possibility of human error during implementation.

Cons: On the downside, the automatic approach lacks the verification step, which means there is no opportunity to confirm the appropriateness of the diversion. Adjusting the route policy in case of changing circumstances becomes challenging, and non-aggregated /24 networks may require manual route changes for optimal performance.

In considering these factors, it's important to weigh the trade-offs between the two approaches and choose the one that aligns best with the specific requirements and constraints of the situation at hand.

2. Should all networks be announced or only the under attack network?

When deciding which networks should be announced during a DDoS attack, there are considerations to be made. One approach is to announce only the under attack network, effectively separating the traffic related to the attack from the rest. By doing so, the risk is diverted away from the unaffected networks, reducing collateral damage.

However, there is a scenario to address when dealing with a /24 network where route aggregation is not possible. In such cases, the recommended practice is to divert traffic on a per-/24 IP prefix basis, because a /24 is the smallest IP block that is generally routable on the Internet. To keep attack traffic from entering the network through its normal paths, the affected /24 must also be withdrawn from the regular (peacetime) Internet uplinks while the attack is in progress.

These measures aim to isolate and protect the under attack network while minimizing the impact on other networks and mitigating the risk associated with the DDoS attack.

3. How should the under attack network be announced?

To effectively announce the under attack network, there are several steps that can be taken. First, the network should be announced to Nexusguard (ASN45474) using the external Border Gateway Protocol (eBGP) for proper routing. This ensures that the network traffic is directed to the appropriate destination.

When announcing the under attack network, it is recommended to announce it as a /24 network, indicating the specific IP prefix range associated with the network. This level of granularity allows for more precise routing and control over the traffic flow.

To establish the return path for the traffic, a GRE (Generic Routing Encapsulation) or smart tunnel can be built. These mechanisms provide a secure and efficient way for the under attack network's traffic to be routed back to its intended destination.

While the attack is in progress, it is crucial to withdraw the announcement of the under attack network from the peacetime Internet uplinks (the uplinks it uses during non-attack periods). This way attack traffic cannot reach the network through those paths, and the traffic of the other, unaffected networks on those uplinks is not degraded by the ongoing attack.

Following these steps, the under attack network can be effectively announced and managed, ensuring that the traffic is appropriately directed and the network remains operational and secure during DDoS attacks.

Enhanced Security Made Easy through Nexusguard On-Net Cloud Diversion Route Policy

Figure 1 - Nexusguard On-Net Cloud Diversion Policy 

During normal operations, an Origin Protection (OP) client with the IP network address announces its network to upstream providers using its own ASN 123. However, when this network comes under a DDoS attack, a Cloud Diversion agent comes into play, announcing the network to Nexusguard Cloud, which redirects a portion of the attack traffic to the scrubbing centers for mitigation. Unfortunately, some attack traffic may still flow through the original peacetime Internet uplinks, causing degradation and impacting network quality.

To address this issue effectively, the On-Net mode of the Cloud Diversion App is introduced. The Cloud Diversion agent establishes an iBGP peer with the OP client router. When the diversion policy is triggered, the network announcement is sent to the OP client router. At this point, the network engineer can implement a policy using BGP community tags. This policy ensures that the under attack network is announced exclusively to Nexusguard Cloud, while simultaneously being withdrawn from the usual peacetime Internet uplinks.

As a result of this approach, the under attack network and the rest of the networks flow through separate Internet uplinks, ultimately reaching the same destination. This segregation helps maintain the integrity of the under attack network and prevents the impact on other networks caused by attack traffic.
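The three announcement steps above (announce the /24 to Nexusguard AS45474 over eBGP, keep a GRE return path, withdraw the /24 from the peacetime uplinks) and the On-Net community-tag policy can be expressed as a single export policy on the OP client router. The following FRR bgpd configuration is an added example, not Nexusguard's own configuration or anything taken from the Cloud Diversion App. It keeps the article's client ASN 123 and Nexusguard's AS45474; the prefix 203.0.113.0/24, the agent address 10.10.0.2, the neighbor addresses, the upstream ASN 64500 and the community value 123:911 are all placeholders chosen for illustration, and the name of the community the agent actually sets must come from your Nexusguard onboarding.

```frr
! Added example (not Nexusguard's configuration): FRR bgpd policy for an
! OP client router in AS 123. Addresses, the uplink ASN 64500 and the
! community 123:911 are placeholders.
!
! Safety check: the agent may only inject /24s that lie inside our own space.
ip prefix-list OWN-SPACE seq 10 permit 203.0.113.0/24 le 24
!
! Routes carrying this community are "under attack" (placeholder value).
bgp community-list standard UNDER-ATTACK permit 123:911
!
! Inbound from the Cloud Diversion agent (iBGP). Besides filtering, raise
! local-preference so the tagged route beats the locally originated
! peacetime route (default local-pref 100) in BGP best-path selection;
! only the best path is subject to the export policies below. The agent's
! route does not displace the connected/IGP route in the FIB, because
! iBGP (distance 200) loses to them there.
route-map FROM-AGENT permit 10
 match ip address prefix-list OWN-SPACE
 match community UNDER-ATTACK
 set local-preference 200
!
! Outbound to Nexusguard (eBGP): only the tagged under-attack /24.
route-map TO-NEXUSGUARD permit 10
 match community UNDER-ATTACK
!
! Outbound to the peacetime uplink: drop (i.e. withdraw) anything tagged,
! keep announcing everything else.
route-map TO-UPLINK deny 10
 match community UNDER-ATTACK
route-map TO-UPLINK permit 20
!
router bgp 123
 bgp router-id 203.0.113.1
 neighbor 10.10.0.2 remote-as 123
 neighbor 10.10.0.2 description Cloud-Diversion-agent-iBGP
 neighbor 192.0.2.1 remote-as 45474
 neighbor 192.0.2.1 description Nexusguard-eBGP
 neighbor 198.51.100.1 remote-as 64500
 neighbor 198.51.100.1 description peacetime-uplink-eBGP
 address-family ipv4 unicast
  network 203.0.113.0/24
  neighbor 10.10.0.2 route-map FROM-AGENT in
  neighbor 192.0.2.1 route-map TO-NEXUSGUARD out
  neighbor 198.51.100.1 route-map TO-UPLINK out
 exit-address-family
!
```

In peacetime the `network` statement originates 203.0.113.0/24 to the uplink and `TO-NEXUSGUARD` announces nothing. When the agent announces the same /24 with the community over iBGP, that path becomes best, `TO-UPLINK` withdraws it from the uplink and `TO-NEXUSGUARD` announces it to AS45474; when the agent withdraws, the locally originated route becomes best again and the uplink announcement returns automatically. The GRE return path is configured outside BGP (for example with `ip tunnel add ... mode gre` on Linux, using endpoints supplied by Nexusguard) and is not shown. Note that platforms which give locally originated routes a high weight (Cisco IOS assigns 32768) would need an inbound `set weight` on the agent session instead of local-preference, since weight is compared first. Verify the behaviour before relying on it with `show bgp ipv4 unicast neighbors 198.51.100.1 advertised-routes` during a test diversion.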

Benefits of Nexusguard On-Net

Nexusguard’s On-Net solution offers several benefits that enhance network operations during both peacetime and DDoS attack situations. One significant advantage is the separation of peacetime and under attack network flows through different Internet uplinks. Routing these flows separately minimizes collateral damage, ensuring that the performance and quality of the peacetime networks are maintained. This helps to mitigate issues such as network latency and packet loss, providing a seamless experience for regular network users.

Another notable benefit of Nexusguard On-Net is the ability to fully automate route announcements. This minimizes the need for manual intervention by the network team, reducing the chances of human error during route changes. With automated route announcements, the process becomes more efficient and reliable, allowing for smoother network management and response to potential threats.

Furthermore, Nexusguard On-Net enables almost immediate traffic diversion, with the exception of the time required for BGP convergence. This swift diversion helps to mitigate DDoS attacks at an early stage, minimizing the potential damage they can cause. By promptly diverting the attack traffic away from the targeted network, the impact on network performance and availability can be significantly reduced.

Enhance the resilience and reliability of your network against volumetric DDoS attacks with Nexusguard On-Net, a comprehensive solution that employs a multifaceted approach, leveraging segregated Internet uplinks, automated route announcements, and rapid traffic diversion to safeguard your critical infrastructure.
