BGP Community Support Option

Incapsula supports the use of BGP communities, which enable enhanced flexibility with BGP announcements between an edge router and the Incapsula network. Configuring BGP communities is done during the onboarding process.

The common use case of BGP communities is the Prepend community. Prepend enables on-demand customers to minimize exposure time when onboarding Incapsula during a DDoS attack. This is done by maintaining a low priority second route via Incapsula at all times. The Incapsula route to your network is stored in each edge router in the world, just as all other routes to your network are stored. Once an attack starts and routes via your ISP are no longer active, traffic will be routed through Incapsula.

Example

The following is an example of the above use case. The BGP Prepend community is used to add the same ASN number multiple times.

If your ASN is 1, then your ISP will likely advertise the following prefix:

1.2.3.0/24 ASN:1

In order to be considered a secondary route, Incapsula will advertise the same address with multiple repetitions. For example, Incapsula might advertise the following to the world using the Prepend option (two ASN hop repetitions are shown):

1.2.3.0/24 ASN:1 ASN:1

This route (advertised by Incapsula) appears to have multiple hops between two Autonomous Systems (even though both of them have the same ASN). This will trigger edge routers to prefer the route announced by your ISP.

When an attack commences, your ISP will stop announcing a route to your network and traffic is then immediately routed through the Incapsula network.