Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

pmacct and BGP communities (RTBH example)

Written by Arnaud no comments

I will show you an example to see traffic for routes that have some given BGP communities (for example blackholed traffic for RTBH), please read my previous blog post if you need to understand how to use pmacct/sfacct with influxDB and grafana.

We need to setup the BGP collector to get all BGP attributes (and filter them if needed), here is the sfacctd.conf :

debug: false
daemonize: true
pidfile: /var/run/
logfile : /var/log/sfacct.log

! automatically renormalizes byte/packet counters value basing on information acquired
! and take count of the sampling_rate in the (s)Flow sample
sfacctd_renormalize: true

! we need all of this to get BGP attributes (the as_map/as_type is used to map the peer_src_as, it's optional)
bgp_daemon: true
bgp_daemon_as: 65535
bgp_daemon_max_peers: 15
bgp_peer_src_as_map: /etc/pmacct/
bgp_peer_src_as_type: map

! Filters BGP standard communities : 12345:64 will match ranges 64-64, 640-649, 6400-6499 and 64000-64999
! 12345:64... will match community values in the range 64000-64999 only
! Multiple patterns can be supplied comma-separated (LOGICAL OR)

! Having all the BGP communities is not that much bigger
!bgp_stdcomm_pattern: 44530:0, 65535:666

! sfacctd populate 'src_as', 'dst_as', 'peer_src_as' and 'peer_dst_as' primitives from information in bgp
! 'longest' behaves : networks_file < sFlow/NetFlow < <= BGP
sfacctd_as: longest
sfacctd_net: longest

plugins: print[print-rtbh]
! src_as is guessed for the source IP, remember it can be forged
aggregate[print-rtbh]: src_as, dst_as, peer_src_as, peer_dst_as, std_comm, dst_net, dst_mask

! by default file is overwritten
print_output_file[print-rtbh]: /tmp/5m_avg-rtbh.json
print_output[print-rtbh]: json
print_history[print-rtbh]: 5m
print_history_roundoff[print-rtbh]: m
print_refresh_time[print-rtbh]: 300

As you can see I am only using the 'std_comm' primitive to see communities attached to the dst_net/dst_mask but it is also possible to see ext_comm (extended communities) and lrg_comm (larges communities).

You can also see src_std_comm, src_ext_comm, src_lrg_comm for source IP (based on reverse BGP lookups), remember to configure the bgp_src_std_comm_type/bgp_src_ext_comm_type/bgp_src_lrg_comm_type
see pmacct/CONFIG-KEYS. An interesting example for larges communitites is this github issue.

# grep 44530:0 /tmp/5m_avg-rtbh.json
{"event_type": "purge", "as_src": 65000, "as_dst": 65123, "comms": "44530:0_44530:99_44530:1250", "peer_as_src": 64999, "peer_as_dst": 64998, "net_dst": "", "mask_dst": 32, "stamp_inserted": "2020-09-25 10:45:00", "stamp_updated": "2020-09-25 10:50:01", "packets": 1294336, "bytes": 82837504}

That's all folks! 

Classified in : Uncategorized Tags : none

Comments are closed.

Rss feed of the article's comments