BGP Setup
CoreDetection includes a built-in BGP speaker (GoBGP) that announces blackhole and mitigation routes to your edge routers when attacks are confirmed. Configure peers in [bgp_settings] using neighbor_N_* keys — one numbered set per router.
neighbor_N_multihop appropriately.
Enable the BGP speaker
[bgp_settings]
enabled = true
local_asn = 65001
router_id = 10.10.10.1
default_mitigation_nexthop = 10.10.20.1
announce_critical_attacks = true
announce_high_attacks = true
announce_medium_attacks = false
announce_low_attacks = false
blackhole_community = 65001:666
mitigation_community = 65001:100
no_export_community = 65535:65281
Enable live via PUT /bgp/config or portal Settings → BGP. Policy keys (communities, announce gates) apply immediately; adding or removing neighbor blocks requires a service restart.
neighbor_N_* sections
Neighbors are flat keys inside [bgp_settings], not separate INI sections. Replace N with 1, 2, … for each peer:
| Key | Description |
|---|---|
| neighbor_N_name | Friendly label (e.g. Core-Router-1) |
| neighbor_N_ip | Neighbor IP address |
| neighbor_N_asn | Neighbor autonomous system number |
| neighbor_N_type | ebgp or ibgp |
| neighbor_N_enabled | Enable this session (true / false) |
| neighbor_N_nexthop | Per-neighbor next-hop override (optional) |
| neighbor_N_multihop | eBGP multihop TTL (default 255) |
| neighbor_N_password | Optional MD5/TCP session password |
eBGP example
Typical edge deployment: CoreDetection in a dedicated mitigation ASN peers with your border router.
[bgp_settings]
enabled = true
local_asn = 65001
router_id = 10.10.10.1
default_mitigation_nexthop = 10.10.20.1
neighbor_1_name = Core-Router-1
neighbor_1_ip = 156.229.62.252
neighbor_1_asn = 213642
neighbor_1_type = ebgp
neighbor_1_enabled = true
neighbor_1_nexthop = 10.10.20.1
neighbor_1_multihop = 255
default_holdtime = 180
default_keepalive = 60
default_connect_retry = 120
On the router, accept routes from the appliance ASN and honor the blackhole community (65001:666 by default) to null-route attacked destinations.
Router-side BGP configuration
Configure each edge router to peer with the CoreDetection appliance. Replace placeholders:
- APPLIANCE_IP — CoreDetection BGP speaker address (the peer you configure on the edge router)
- APPLIANCE_ASN — CoreDetection local_asn (default 65001)
- LOCAL_ASN — your edge router ASN
- BH_NEXTHOP — mitigation next-hop from CoreDetection (matches default_mitigation_nexthop, e.g. 10.10.20.1)
Point BH_NEXTHOP to a discard/null interface so /32 RTBH routes take effect. Only accept prefixes from the appliance — never re-export. For FlowSpec instead of blackholes, see BGP FlowSpec and enable the FlowSpec address family below.
Cisco IOS-XR
router bgp LOCAL_ASN
 bgp router-id ROUTER_ID
 neighbor APPLIANCE_IP
  remote-as APPLIANCE_ASN
  ebgp-multihop 255
  address-family ipv4 unicast
   route-policy CD-BGP-IN in
   route-policy CD-BGP-OUT out
  !
  address-family ipv4 flowspec
   route-policy CD-BGP-IN in
  !
 !
!
route-policy CD-BGP-IN
  if community matches-eq (65001:666) then
    set local-preference 200
    pass
  elseif community matches-eq (65001:100) then
    pass
  else
    drop
  endif
end-policy
!
route-policy CD-BGP-OUT
  drop
end-policy
!
router static
 address-family ipv4 unicast
  BH_NEXTHOP/32 Null0
 !
CoreDetection announces /32 host routes with community 65001:666 and next-hop BH_NEXTHOP. The static Null0 route makes those destinations unreachable locally. Remove the ipv4 flowspec block if you use RTBH-only mode.
Nokia SR OS
configure router "Base" bgp
    group "COREDETECTION"
        peer-as APPLIANCE_ASN
        type external
        multihop 255
        import "CD-BGP-IN"
        export "CD-BGP-OUT"
    exit
    neighbor "APPLIANCE_IP"
        group "COREDETECTION"
        description "CoreDetection appliance"
    exit
exit
configure policy-options
    community "BLACKHOLE" members "65001:666"
    community "MITIGATION" members "65001:100"
    policy-statement "CD-BGP-IN"
        entry 10
            from community "BLACKHOLE"
            action accept
        exit
        entry 20
            from community "MITIGATION"
            action accept
        exit
        default-action drop
    exit
    policy-statement "CD-BGP-OUT"
        default-action drop
    exit
exit
configure router "Base" static-route-entry BH_NEXTHOP/32
    black-hole
exit
For FlowSpec, import FlowSpec NLRI from the same neighbor group (SR OS 7750/7250 with FlowSpec license). Attack rules arrive when FlowSpec is enabled on the appliance — see FlowSpec → Router requirements.
Huawei VRP / NetEngine
bgp LOCAL_ASN
 router-id ROUTER_ID
 peer APPLIANCE_IP as-number APPLIANCE_ASN
 peer APPLIANCE_IP ebgp-max-hop 255
 peer APPLIANCE_IP route-policy CD-BGP-IN import
 peer APPLIANCE_IP route-policy CD-BGP-OUT export
 #
 ipv4-family unicast
  peer APPLIANCE_IP enable
 #
 ipv4-flow unicast
  peer APPLIANCE_IP enable
#
route-policy CD-BGP-IN permit node 10
 if-match community-filter cfBLACKHOLE
#
route-policy CD-BGP-IN permit node 20
 if-match community-filter cfMITIGATION
#
route-policy CD-BGP-IN deny node 99
#
route-policy CD-BGP-OUT deny node 10
#
ip community-filter cfBLACKHOLE index 10 permit 65001:666
ip community-filter cfMITIGATION index 10 permit 65001:100
#
ip route-static BH_NEXTHOP 255.255.255.255 NULL0
On older VRP releases without ipv4-flow, omit that stanza and use RTBH only. Community filter syntax may differ slightly by version — adjust to match your release docs.
Arista EOS
router bgp LOCAL_ASN
   router-id ROUTER_ID
   neighbor CD peer group
   neighbor CD remote-as APPLIANCE_ASN
   neighbor CD ebgp-multihop 255
   neighbor APPLIANCE_IP peer group CD
   !
   address-family ipv4
      neighbor CD route-map CD-BGP-IN in
      neighbor CD route-map CD-BGP-OUT out
   !
   address-family ipv4 flowspec
      neighbor CD activate
!
route-map CD-BGP-IN permit 10
   match community BLACKHOLE
   set local-preference 200
!
route-map CD-BGP-IN permit 20
   match community MITIGATION
!
route-map CD-BGP-IN deny 99
!
route-map CD-BGP-OUT deny 10
!
ip community-list standard BLACKHOLE permit 65001:666
ip community-list standard MITIGATION permit 65001:100
!
ip route BH_NEXTHOP/32 Null0
FlowSpec requires the FlowSpec feature license on EOS. Disable the address-family ipv4 flowspec block for RTBH-only deployments.
EXPORTER_NAME — see Router Flow Export and map it in Exporter map below.
Exporter map (selective mitigation)
In multi-router deployments, you may want mitigation announced to only the edge router that exported the attack traffic, not every BGP peer. The exporter map links NetFlow exporter identity to a BGP neighbor display name.
exporter_map_enabled = true
exporter_map_fallback = none
exporter_map_1_exporter = CORETECH-SOF-RO-01
exporter_map_1_neighbor = Core-Router-1
| Key | Description |
|---|---|
| exporter_map_enabled | Enable selective peer targeting |
| exporter_map_fallback | none = skip unmapped exporters; all = all enabled peers; default = first enabled peer |
| exporter_map_N_exporter | NetFlow exporter name or IP (case-insensitive for names) |
| exporter_map_N_neighbor | Must match a neighbor_M_name value exactly |
Configure in the portal under BGP & Mitigation → Exporter map, or via PUT /bgp/config with exporter_map_enabled, exporter_map_fallback, and exporter_maps array. When FlowSpec is enabled, attack FlowSpec rules follow the same map; manual/blocklist rules still export to all peers.
primary_exporter.
Route reconciliation
After crashes or restarts, routers may retain stale blackhole routes that the engine no longer tracks. Route reconciliation periodically compares announced routes against engine state and withdraws phantoms.
enable_route_reconciliation = true
reconciliation_interval = 30
| Key | Default | Description |
|---|---|---|
| enable_route_reconciliation | true | Enable periodic verification |
| reconciliation_interval | 30 | Interval in seconds (minimum 10) |
Toggle live via PUT /bgp/config — no restart required. See Configuration → BGP Mitigation for all keys.
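An added example, not part of CoreDetection: a small Python linter that checks a [bgp_settings] block against the rules stated on this page (ebgp/ibgp neighbor types, exporter_map_N_neighbor matching a neighbor_M_name exactly, the three exporter_map_fallback values, the 10-second reconciliation minimum). The sample config, its names, and the advisory for eBGP neighbors without neighbor_N_password are assumptions of this example.

```python
import configparser
import re

# Constructed sample with deliberate mistakes (all names are made up).
SAMPLE = """\
[bgp_settings]
neighbor_1_name = Core-Router-1
neighbor_1_type = ebgp
neighbor_1_password = example-secret
neighbor_2_name = Core-Router-2
neighbor_2_type = ebgp
exporter_map_fallback = first
exporter_map_1_exporter = EDGE-A
exporter_map_1_neighbor = Core-Router-1
exporter_map_2_exporter = EDGE-B
exporter_map_2_neighbor = core-router-2
reconciliation_interval = 5
"""

def numbered(cfg, prefix):
    """Group flat <prefix>_N_<field> keys into {N: {field: value}}."""
    groups = {}
    for key, value in cfg.items():
        m = re.fullmatch(rf"{prefix}_(\d+)_(\w+)", key)
        if m:
            groups.setdefault(int(m.group(1)), {})[m.group(2)] = value
    return groups

def lint(text):
    parser = configparser.ConfigParser(interpolation=None)  # passwords may contain %
    parser.read_string(text)
    cfg = parser["bgp_settings"]
    issues = []
    neighbors = numbered(cfg, "neighbor")
    names = {n.get("name") for n in neighbors.values()}
    for i, n in sorted(neighbors.items()):
        kind = n.get("type")
        if kind is not None and kind not in ("ebgp", "ibgp"):
            issues.append(f"neighbor_{i}_type must be ebgp or ibgp")
        if kind == "ebgp" and not n.get("password"):  # advisory, not a page rule
            issues.append(f"neighbor_{i}: eBGP session has no password")
    for i, m in sorted(numbered(cfg, "exporter_map").items()):
        if m.get("neighbor") not in names:  # exact, case-sensitive comparison
            issues.append(f"exporter_map_{i}_neighbor matches no neighbor_M_name")
    fallback = cfg.get("exporter_map_fallback")
    if fallback is not None and fallback not in ("none", "all", "default"):
        issues.append("exporter_map_fallback must be none, all or default")
    if cfg.getint("reconciliation_interval", fallback=30) < 10:
        issues.append("reconciliation_interval is below the minimum of 10")
    return issues
```

Running lint(SAMPLE) reports the case mismatch in exporter_map_2_neighbor, which matters because a map entry that resolves to no peer combined with fallback none means no router receives the mitigation.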
Verify sessions
# BGP speaker status
curl -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/bgp/status
# Neighbor session state
curl -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/bgp/neighbors
# Bounce a stuck session
curl -X POST -H "X-API-Key: YOUR_KEY" \
  http://localhost:9009/CoreDetection/api/v0/bgp/neighbors/reset/static-1
The portal BGP & Mitigation panel (/bgp) shows the same data and lets you reset sessions, manage the exporter map, and view routes from the UI.
Portal & API management
| Task | Engine API | Portal |
|---|---|---|
| Policy & reconciliation | PUT /bgp/config | BGP & Mitigation → Policy |
| Exporter map | PUT /bgp/config | BGP & Mitigation → Exporter map |
| View routes | GET /bgp/routes | BGP & Mitigation → routes tabs |
| Manual blackhole | POST /bgp/routes/manual | BGP & Mitigation → Manual |
| Edit neighbor | PUT /bgp/neighbors/{id} | BGP & Mitigation → Neighbors |
| Reset session | POST /bgp/neighbors/reset/{id} | BGP & Mitigation → Neighbors |
For targeted filtering instead of full blackholes, enable BGP FlowSpec — when FlowSpec is on, attack mitigation announces FlowSpec rules instead of blackhole routes.
Next steps
- Full key reference — Configuration → BGP Mitigation
- API endpoints — REST API Reference
- FlowSpec alternative — FlowSpec guide