Operating

BGP Setup

CoreDetection includes a built-in BGP speaker (GoBGP) that announces blackhole and mitigation routes to your edge routers when attacks are confirmed. Configure peers in [bgp_settings] using neighbor_N_* keys — one numbered set per router.

BGP sessions use TCP port 179. Allow bidirectional connectivity between the appliance and each neighbor IP. For eBGP multihop peers, set neighbor_N_multihop to the TTL the path to that peer requires (default 255).

Enable the BGP speaker

[bgp_settings]
enabled = true
local_asn = 65001
router_id = 10.10.10.1
default_mitigation_nexthop = 10.10.20.1

announce_critical_attacks = true
announce_high_attacks = true
announce_medium_attacks = false
announce_low_attacks = false

blackhole_community = 65001:666
mitigation_community = 65001:100
no_export_community = 65535:65281

Enable live via PUT /bgp/config or portal Settings → BGP. Policy keys (communities, announce gates) apply immediately; adding or removing neighbor blocks requires a service restart.

neighbor_N_* sections

Neighbors are flat keys inside [bgp_settings], not separate INI sections. Replace N with 1, 2, … for each peer:

Key                    Description
neighbor_N_name        Friendly label (e.g. Core-Router-1)
neighbor_N_ip          Neighbor IP address
neighbor_N_asn         Neighbor autonomous system number
neighbor_N_type        ebgp or ibgp
neighbor_N_enabled     Enable this session (true / false)
neighbor_N_nexthop     Per-neighbor next-hop override (optional)
neighbor_N_multihop    eBGP multihop TTL (default 255)
neighbor_N_password    Optional MD5/TCP session password

eBGP example

Typical edge deployment: CoreDetection in a dedicated mitigation ASN peers with your border router.

[bgp_settings]
enabled = true
local_asn = 65001
router_id = 10.10.10.1
default_mitigation_nexthop = 10.10.20.1

neighbor_1_name = Core-Router-1
neighbor_1_ip = 156.229.62.252
neighbor_1_asn = 213642
neighbor_1_type = ebgp
neighbor_1_enabled = true
neighbor_1_nexthop = 10.10.20.1
neighbor_1_multihop = 255

default_holdtime = 180
default_keepalive = 60
default_connect_retry = 120

On the router, accept routes from the appliance ASN and honor the blackhole community (65001:666 by default) to null-route attacked destinations.

Router-side BGP configuration

Configure each edge router to peer with the CoreDetection appliance. Replace placeholders:

  • APPLIANCE_IP — CoreDetection BGP speaker address (the peer you configure on the edge router)
  • APPLIANCE_ASN — CoreDetection local_asn (default 65001)
  • LOCAL_ASN — your edge router ASN
  • BH_NEXTHOP — mitigation next-hop from CoreDetection (matches default_mitigation_nexthop, e.g. 10.10.20.1)

Point BH_NEXTHOP to a discard/null interface so /32 RTBH routes take effect. Only accept prefixes from the appliance — never re-export. For FlowSpec instead of blackholes, see BGP FlowSpec and enable the FlowSpec address family below.

Cisco IOS-XR

router bgp LOCAL_ASN
 bgp router-id ROUTER_ID
 neighbor APPLIANCE_IP
  remote-as APPLIANCE_ASN
  ebgp-multihop 255
  address-family ipv4 unicast
   route-policy CD-BGP-IN in
   route-policy CD-BGP-OUT out
  !
  address-family ipv4 flowspec
   route-policy CD-BGP-IN in
  !
 !
!
route-policy CD-BGP-IN
 if community matches-eq (65001:666) then
  set local-preference 200
  pass
 elseif community matches-eq (65001:100) then
  pass
 else
  drop
 endif
end-policy
!
route-policy CD-BGP-OUT
 drop
end-policy
!
router static
 address-family ipv4 unicast
  BH_NEXTHOP/32 Null0
 !

CoreDetection announces /32 host routes with community 65001:666 and next-hop BH_NEXTHOP. The static Null0 route makes those destinations unreachable locally. Remove the ipv4 flowspec block if you use RTBH-only mode.

Nokia SR OS

configure router "Base" bgp
    group "COREDETECTION"
        peer-as APPLIANCE_ASN
        type external
        multihop 255
        import "CD-BGP-IN"
        export "CD-BGP-OUT"
    exit
    neighbor "APPLIANCE_IP"
        group "COREDETECTION"
        description "CoreDetection appliance"
    exit
exit

configure policy-options
    community "BLACKHOLE" members "65001:666"
    community "MITIGATION" members "65001:100"
    policy-statement "CD-BGP-IN"
        entry 10
            from community "BLACKHOLE"
            action accept
        exit
        entry 20
            from community "MITIGATION"
            action accept
        exit
        default-action drop
    exit
    policy-statement "CD-BGP-OUT"
        default-action drop
    exit
exit

configure router "Base" static-route-entry BH_NEXTHOP/32
    black-hole
exit

For FlowSpec, import FlowSpec NLRI from the same neighbor group (SR OS 7750/7250 with FlowSpec license). Attack rules arrive when FlowSpec is enabled on the appliance — see FlowSpec → Router requirements.

Huawei VRP / NetEngine

bgp LOCAL_ASN
 router-id ROUTER_ID
 peer APPLIANCE_IP as-number APPLIANCE_ASN
 peer APPLIANCE_IP ebgp-max-hop 255
 peer APPLIANCE_IP route-policy CD-BGP-IN import
 peer APPLIANCE_IP route-policy CD-BGP-OUT export
 #
 ipv4-family unicast
  peer APPLIANCE_IP enable
 #
 ipv4-flow unicast
  peer APPLIANCE_IP enable
#
route-policy CD-BGP-IN permit node 10
 if-match community-filter cfBLACKHOLE
#
route-policy CD-BGP-IN permit node 20
 if-match community-filter cfMITIGATION
#
route-policy CD-BGP-IN deny node 99
#
route-policy CD-BGP-OUT deny node 10
#
ip community-filter cfBLACKHOLE index 10 permit 65001:666
ip community-filter cfMITIGATION index 10 permit 65001:100
#
ip route-static BH_NEXTHOP 255.255.255.255 NULL0

On older VRP releases without ipv4-flow, omit that stanza and use RTBH only. Community filter syntax may differ slightly by version — adjust to match your release docs.

Arista EOS

router bgp LOCAL_ASN
   router-id ROUTER_ID
   neighbor CD peer group
   neighbor CD remote-as APPLIANCE_ASN
   neighbor CD ebgp-multihop 255
   neighbor APPLIANCE_IP peer group CD
   !
   address-family ipv4
      neighbor CD route-map CD-BGP-IN in
      neighbor CD route-map CD-BGP-OUT out
   !
   address-family ipv4 flowspec
      neighbor CD activate
!
route-map CD-BGP-IN permit 10
   match community BLACKHOLE
   set local-preference 200
!
route-map CD-BGP-IN permit 20
   match community MITIGATION
!
route-map CD-BGP-IN deny 99
!
route-map CD-BGP-OUT deny 10
!
ip community-list standard BLACKHOLE permit 65001:666
ip community-list standard MITIGATION permit 65001:100
!
ip route BH_NEXTHOP/32 Null0

FlowSpec requires the FlowSpec feature license on EOS. Disable the address-family ipv4 flowspec block for RTBH-only deployments.
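The four vendor snippets above implement the same policy: accept a route from the appliance only if it carries the blackhole or mitigation community, prefer blackhole routes, resolve BH_NEXTHOP to a discard interface, and export nothing back. The following Python model of that policy is an added example, not any vendor's code or CoreDetection's; the route objects, the static-route table and the local-preference default of 100 are constructed assumptions, useful for checking the decision table before committing a policy to a real device.

```python
"""Added example, not any router vendor's code: a vendor-neutral model of the
CD-BGP-IN / CD-BGP-OUT policy shown above. Route dicts and the static-route
table are constructed for the example."""

BLACKHOLE = "65001:666"    # blackhole_community from [bgp_settings]
MITIGATION = "65001:100"   # mitigation_community from [bgp_settings]
BH_NEXTHOP = "10.10.20.1"  # default_mitigation_nexthop from the eBGP example


def import_policy(route):
    """Model CD-BGP-IN: blackhole routes are accepted with local-preference 200,
    mitigation routes with the router default (assumed 100), anything else dropped.
    Entry order matters: a route carrying both communities matches the blackhole entry."""
    communities = set(route.get("communities", []))
    if BLACKHOLE in communities:
        return ("accept", 200)
    if MITIGATION in communities:
        return ("accept", 100)
    return ("drop", None)


def export_policy(route):
    """Model CD-BGP-OUT: nothing is ever re-exported towards the appliance."""
    return "drop"


def forwarding_action(route, static_routes):
    """Combine the import decision with the static table: an accepted route whose
    next-hop is covered by a Null0 static is discarded, i.e. the prefix is null-routed."""
    decision, _local_pref = import_policy(route)
    if decision != "accept":
        return "rejected"
    if static_routes.get(route["next_hop"] + "/32") == "Null0":
        return "discard"
    return "forward"


# Constructed static-route table: the "BH_NEXTHOP/32 Null0" line from the snippets above.
STATIC_ROUTES = {BH_NEXTHOP + "/32": "Null0"}

# Constructed routes as the router would see them arrive from the appliance session.
SAMPLE_ROUTES = {
    "attack": {"prefix": "203.0.113.7/32", "next_hop": BH_NEXTHOP,
               "communities": [BLACKHOLE, "65535:65281"]},
    "mitigation": {"prefix": "203.0.113.0/24", "next_hop": "10.10.20.2",
                   "communities": [MITIGATION]},
    "foreign": {"prefix": "198.51.100.0/24", "next_hop": BH_NEXTHOP,
                "communities": ["64512:666"]},
}


def classify_all(routes=SAMPLE_ROUTES):
    """Decision table for every sample route."""
    return {name: forwarding_action(r, STATIC_ROUTES) for name, r in routes.items()}


if __name__ == "__main__":
    for name, action in classify_all().items():
        print(f"{name:12s} -> {action}")
```

Running the model shows the attack /32 being discarded, the mitigation route forwarded with default preference, and a route tagged with a community from another ASN rejected. Note that the policy trusts the community alone: a prefix-length guard on the router is a reasonable extra check if you want to be certain that only host routes can ever be null-routed.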

Flow export from the same router must use a matching EXPORTER_NAME — see Router Flow Export and map it in Exporter map below.

Exporter map (selective mitigation)

In multi-router deployments, you may want mitigation announced to only the edge router that exported the attack traffic, not every BGP peer. The exporter map links NetFlow exporter identity to a BGP neighbor display name.

exporter_map_enabled = true
exporter_map_fallback = none

exporter_map_1_exporter = CORETECH-SOF-RO-01
exporter_map_1_neighbor = Core-Router-1

Key                          Description
exporter_map_enabled         Enable selective peer targeting
exporter_map_fallback        none = skip unmapped exporters; all = all enabled peers; default = first enabled peer
exporter_map_N_exporter      NetFlow exporter name or IP (case-insensitive for names)
exporter_map_N_neighbor      Must match a neighbor_M_name value exactly

Configure in the portal under BGP & Mitigation → Exporter map, or via PUT /bgp/config with exporter_map_enabled, exporter_map_fallback, and exporter_maps array. When FlowSpec is enabled, attack FlowSpec rules follow the same map; manual/blocklist rules still export to all peers.

Set a recognizable exporter name on your routers — the engine reads it from flow records and includes it in attack webhooks as primary_exporter.
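The neighbor_N_* keys and the exporter map are both flat numbered keys inside [bgp_settings], and the map only works when each exporter_map_N_neighbor value matches a neighbor_M_name exactly. The script below is an added example, not CoreDetection's own code: it parses both key families from a constructed INI fragment (documentation IP ranges and private ASNs), validates the cross-references, and resolves which enabled peers an attack seen by a given exporter would be announced to under each exporter_map_fallback value. How a mapped but disabled peer is treated is an assumption of the example.

```python
"""Added example, not CoreDetection's own code: parse neighbor_N_* and
exporter_map_N_* keys and resolve announcement targets per exporter.
The INI text below is constructed for the example."""
import configparser
import re
from dataclasses import dataclass, field

NEIGHBOR_KEY = re.compile(r"^neighbor_(\d+)_(\w+)$")
EXPORTER_KEY = re.compile(r"^exporter_map_(\d+)_(exporter|neighbor)$")
VALID_FALLBACKS = {"none", "all", "default"}

SAMPLE_CONFIG = """
[bgp_settings]
enabled = true
local_asn = 65001
neighbor_1_name = Core-Router-1
neighbor_1_ip = 192.0.2.1
neighbor_1_asn = 64496
neighbor_1_type = ebgp
neighbor_1_enabled = true
neighbor_2_name = Core-Router-2
neighbor_2_ip = 192.0.2.2
neighbor_2_asn = 64497
neighbor_2_type = ebgp
neighbor_2_enabled = false
exporter_map_enabled = true
exporter_map_fallback = none
exporter_map_1_exporter = EDGE-01
exporter_map_1_neighbor = Core-Router-1
"""


@dataclass
class Neighbor:
    name: str
    ip: str
    asn: int
    type: str = "ebgp"
    enabled: bool = True
    multihop: int = 255


@dataclass
class BgpConfig:
    neighbors: list = field(default_factory=list)
    map_enabled: bool = False
    fallback: str = "none"
    exporter_map: dict = field(default_factory=dict)  # lower-cased exporter -> neighbor name


def _truthy(value):
    return str(value).strip().lower() in {"1", "true", "yes", "on"}


def load(text):
    """Group the numbered keys by index (configparser lower-cases keys, keeps values)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    section = parser["bgp_settings"]
    raw_neighbors, raw_maps = {}, {}
    for key, value in section.items():
        if m := NEIGHBOR_KEY.match(key):
            raw_neighbors.setdefault(int(m.group(1)), {})[m.group(2)] = value
        elif m := EXPORTER_KEY.match(key):
            raw_maps.setdefault(int(m.group(1)), {})[m.group(2)] = value
    cfg = BgpConfig(map_enabled=_truthy(section.get("exporter_map_enabled", "false")),
                    fallback=section.get("exporter_map_fallback", "none").strip().lower())
    for idx in sorted(raw_neighbors):
        n = raw_neighbors[idx]
        cfg.neighbors.append(Neighbor(name=n.get("name", f"neighbor-{idx}"), ip=n["ip"],
                                      asn=int(n["asn"]), type=n.get("type", "ebgp").lower(),
                                      enabled=_truthy(n.get("enabled", "true")),
                                      multihop=int(n.get("multihop", 255))))
    for entry in raw_maps.values():
        if "exporter" in entry and "neighbor" in entry:
            cfg.exporter_map[entry["exporter"].strip().lower()] = entry["neighbor"].strip()
    return cfg


def validate(cfg):
    """Return a list of problems; empty when the config is internally consistent."""
    problems = []
    names = {n.name for n in cfg.neighbors}
    if cfg.fallback not in VALID_FALLBACKS:
        problems.append(f"exporter_map_fallback must be one of {sorted(VALID_FALLBACKS)}")
    for n in cfg.neighbors:
        if n.type not in {"ebgp", "ibgp"}:
            problems.append(f"{n.name}: type must be ebgp or ibgp")
    for exporter, neighbor in cfg.exporter_map.items():
        if neighbor not in names:  # exact, case-sensitive match required
            problems.append(f"exporter {exporter!r}: no neighbor named {neighbor!r}")
    return problems


def resolve_targets(cfg, exporter):
    """Peers that receive the announcement for an attack reported by `exporter`."""
    enabled = [n.name for n in cfg.neighbors if n.enabled]
    if not cfg.map_enabled:
        return enabled
    mapped = cfg.exporter_map.get(exporter.strip().lower())  # names are case-insensitive
    if mapped is not None:
        return [mapped] if mapped in enabled else []  # assumption: disabled peer -> nothing
    if cfg.fallback == "all":
        return enabled
    if cfg.fallback == "default":
        return enabled[:1]
    return []  # fallback = none: unmapped exporters are skipped
```

With the sample config, an attack seen by EDGE-01 goes only to Core-Router-1; an unmapped exporter gets nothing under fallback = none, and the first enabled peer under fallback = default. Running validate() before a PUT /bgp/config catches the common mistake of a neighbor name that differs only in case.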

Route reconciliation

After crashes or restarts, routers may retain stale blackhole routes that the engine no longer tracks. Route reconciliation periodically compares announced routes against engine state and withdraws phantoms.

enable_route_reconciliation = true
reconciliation_interval = 30

Key                           Default   Description
enable_route_reconciliation   true      Enable periodic verification
reconciliation_interval       30        Interval in seconds (minimum 10)

Toggle live via PUT /bgp/config — no restart required. See Configuration → BGP Mitigation for all keys.
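A reconciliation cycle is a set comparison: every route the speaker still announces with one of the engine's communities, but whose prefix no longer belongs to an active attack, is a phantom and gets withdrawn. The following model is an added example, not CoreDetection's own code; the announced-route list and active-attack table are constructed, and leaving routes with other communities untouched is an assumption of the example.

```python
"""Added example, not CoreDetection's own code: a model of one route
reconciliation cycle. Announced routes and engine state are constructed."""

OWNED_COMMUNITIES = {"65001:666", "65001:100"}  # blackhole / mitigation communities
MIN_INTERVAL = 10       # documented minimum for reconciliation_interval
DEFAULT_INTERVAL = 30   # documented default


def effective_interval(configured):
    """Clamp a configured reconciliation_interval to the documented minimum;
    fall back to the default when the value is not a number."""
    try:
        value = int(configured)
    except (TypeError, ValueError):
        return DEFAULT_INTERVAL
    return max(value, MIN_INTERVAL)


def find_phantoms(announced, active_attacks):
    """Announced routes tagged with an engine community whose prefix is not
    covered by any active attack. Routes with other communities are ignored
    (assumption of the example)."""
    tracked = {a["prefix"] for a in active_attacks.values()}
    return [r for r in announced
            if r["community"] in OWNED_COMMUNITIES and r["prefix"] not in tracked]


def reconcile(announced, active_attacks):
    """One cycle: return (withdrawn, remaining) without mutating the inputs."""
    withdrawn = find_phantoms(announced, active_attacks)
    remaining = [r for r in announced if r not in withdrawn]
    return withdrawn, remaining


# Constructed state after a restart: two /32s were announced before the crash,
# but only one of them is still an active attack in engine memory. The third
# route carries a community the engine does not own and must be left alone.
ANNOUNCED = [
    {"prefix": "203.0.113.7/32", "community": "65001:666", "neighbor": "Core-Router-1"},
    {"prefix": "203.0.113.9/32", "community": "65001:666", "neighbor": "Core-Router-1"},
    {"prefix": "198.51.100.5/32", "community": "64512:999", "neighbor": "Core-Router-1"},
]
ACTIVE_ATTACKS = {
    "att-42": {"prefix": "203.0.113.7/32", "severity": "critical"},
}


def demo():
    """Prefixes withdrawn and kept for the constructed state."""
    withdrawn, remaining = reconcile(ANNOUNCED, ACTIVE_ATTACKS)
    return [r["prefix"] for r in withdrawn], [r["prefix"] for r in remaining]


if __name__ == "__main__":
    print("interval:", effective_interval(5), "s")
    print("withdraw:", demo()[0])
    print("keep:    ", demo()[1])
```

For the constructed state the cycle withdraws 203.0.113.9/32 only; the still-active /32 and the foreign-community route stay. Setting reconciliation_interval below 10 is clamped to the minimum rather than rejected in this model.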

Verify sessions

# BGP speaker status
curl -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/bgp/status

# Neighbor session state
curl -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/bgp/neighbors

# Bounce a stuck session
curl -X POST -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/bgp/neighbors/reset/static-1

The portal BGP & Mitigation panel (/bgp) shows the same data and lets you reset sessions, manage the exporter map, and view routes from the UI.

Portal & API management

Task                      Engine API                       Portal
Policy & reconciliation   PUT /bgp/config                  BGP & Mitigation → Policy
Exporter map              PUT /bgp/config                  BGP & Mitigation → Exporter map
View routes               GET /bgp/routes                  BGP & Mitigation → routes tabs
Manual blackhole          POST /bgp/routes/manual          BGP & Mitigation → Manual
Edit neighbor             PUT /bgp/neighbors/{id}          BGP & Mitigation → Neighbors
Reset session             POST /bgp/neighbors/reset/{id}   BGP & Mitigation → Neighbors

For targeted filtering instead of full blackholes, enable BGP FlowSpec — when FlowSpec is on, attack mitigation announces FlowSpec rules instead of blackhole routes.

Next steps