pavel-odintsov / fastnetmon

FastNetMon - very fast DDoS sensor with sFlow/Netflow/IPFIX/SPAN support
https://fastnetmon.com
GNU General Public License v2.0

gobgp_next_hop_ipv6 set to :: creates no routes during IPv6 ban #1009

Closed Nuyek closed 1 month ago

Nuyek commented 1 month ago

When setting gobgp_next_hop_ipv6 = :: no route automatically gets created in gobgp on IPv6 address ban.

2024-07-10 17:18:42,856 [INFO] IPv6 address xxxx:xxxx:xxxx:xxxx::000a/128 was banned
2024-07-10 17:18:42,856 [ERROR] Can't print attack details to file/var/log/fastnetmon_attacks/xxxx:xxxx:xxxx:xxxx::000a_10_07_24_17:18:41.txt
2024-07-10 17:18:42,856 [INFO] Call GoBGP for ban client started: xxxx:xxxx:xxxx:xxxx::000a
2024-07-10 17:18:42,856 [INFO] Call to GoBGP for ban client is finished: xxxx:xxxx:xxxx:xxxx::000a
2024-07-10 17:18:42,857 [INFO] announce xxxx:xxxx:xxxx:xxxx::000a/128 to GoBGP
2024-07-10 17:18:42,887 [ERROR] AddPath request to BGP daemon failed with code: 2 message invalid nexthop address: :0000

OS: Debian 12
Fastnetmon version: 1.2.7

Steps to Reproduce

  1. Set gobgp_next_hop_ipv6 = :: in /etc/fastnetmon.conf
  2. Have an IPv6 address automatically banned

I noticed that if I add a route manually with gobgp global rib add -a ipv6, it works correctly and the nexthop address is shown as :: under gobgp global rib -a ipv6.

pavel-odintsov commented 1 month ago

Hello!

Thank you very much for the report.

That's quite a curious error. I'll try to replicate it in the lab.

pavel-odintsov commented 1 month ago

We've reworked IPv6 announce logic completely: https://github.com/pavel-odintsov/fastnetmon/commit/5ed76a49ad81b760cf1a594c92db69c230bc775b and switched it to our own BGP crafting logic: https://github.com/pavel-odintsov/fastnetmon/commit/af49358307aba2e07b97d1205083ecda20b0d62c

pavel-odintsov commented 1 month ago

As a nice addition, we added separate fields for next hop IPv6 configuration: [image]

pavel-odintsov commented 1 month ago

I can confirm that the following configuration works just fine:

# GoBGP integration
gobgp = on

# Configuration for IPv4 announces
gobgp_next_hop = 0.0.0.0
gobgp_announce_host = on
gobgp_announce_whole_subnet = off

gobgp_community_host = 65001:666
gobgp_community_subnet = 65001:777

# Configuration for IPv6 announces
gobgp_next_hop_ipv6 = ::
gobgp_next_hop_host_ipv6 = ::
gobgp_next_hop_subnet_ipv6 = ::

gobgp_announce_host_ipv6 = on
gobgp_announce_whole_subnet_ipv6 = on

gobgp_community_host_ipv6 = 65001:666
gobgp_community_subnet_ipv6 = 65001:777

Output:

/opt/fastnetmon-community/libraries/gobgp_3_12_0/gobgp global rib -a ipv6
   Network              Next Hop             AS_PATH              Age        Attrs
*> fb::2/128            ::                                        00:00:05   [{Origin: ?} {Communities: 65001:666}]
*> fb::3/128            ::                                        00:00:03   [{Origin: ?} {Communities: 65001:666}]
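
The log in the original report shows a ban being recorded while the GoBGP announce is rejected, so no blackhole route exists even though the host appears banned. The following Python check is an added example, not part of the thread or of FastNetMon's code: it scans a log in that format and lists bans whose announce failed. The sample log is constructed (documentation prefix 2001:db8::/32), and it assumes the error line refers to the most recent announce line before it, because the error itself carries no prefix.

```python
import re

# Constructed sample in the format of the log lines quoted in the report.
SAMPLE_LOG = """\
2024-07-10 17:18:42,856 [INFO] IPv6 address 2001:db8::a/128 was banned
2024-07-10 17:18:42,856 [INFO] Call GoBGP for ban client started: 2001:db8::a
2024-07-10 17:18:42,856 [INFO] Call to GoBGP for ban client is finished: 2001:db8::a
2024-07-10 17:18:42,857 [INFO] announce 2001:db8::a/128 to GoBGP
2024-07-10 17:18:42,887 [ERROR] AddPath request to BGP daemon failed with code: 2 message invalid nexthop address: :0000
2024-07-10 17:20:01,100 [INFO] IPv6 address 2001:db8::b/128 was banned
2024-07-10 17:20:01,101 [INFO] announce 2001:db8::b/128 to GoBGP
"""

LINE = re.compile(r"^(\S+ \S+) \[(\w+)\] (.*)$")
ANNOUNCE = re.compile(r"^announce (\S+) to GoBGP$")
FAILED = re.compile(
    r"^AddPath request to BGP daemon failed with code: (\d+) message (.*)$")


def failed_announces(log_text):
    """Return one record per ban whose GoBGP announce was rejected.

    Assumption: the failure line names no prefix, so it is attributed to
    the most recent 'announce ... to GoBGP' line seen before it.
    """
    failures = []
    pending = None  # prefix from the last announce not yet tied to an error
    for raw in log_text.splitlines():
        parsed = LINE.match(raw)
        if not parsed:
            continue  # skip lines that are not in the expected format
        timestamp, level, message = parsed.groups()
        announce = ANNOUNCE.match(message)
        if announce:
            pending = announce.group(1)
            continue
        failure = FAILED.match(message)
        if level == "ERROR" and failure:
            failures.append({
                "time": timestamp,
                "prefix": pending or "unknown",  # error without an announce
                "code": int(failure.group(1)),
                "reason": failure.group(2),
            })
            pending = None
    return failures


if __name__ == "__main__":
    for f in failed_announces(SAMPLE_LOG):
        print(f"{f['time']} {f['prefix']} not announced: code {f['code']}, {f['reason']}")
```

Run against the real log, any returned record is a host that is marked as banned but has no corresponding route in `gobgp global rib -a ipv6`.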