Back to Blog

What Is Path.net?

Path.net is a BGP-based DDoS scrubbing provider that operates a global anycast network purpose-built for absorbing and filtering volumetric attacks. Unlike proxy-based mitigation services that require DNS changes, Path.net works at the network layer. You peer with their routers via BGP, and when an attack is detected, traffic is rerouted through their scrubbing centers via GRE tunnels. Clean traffic is then delivered back to your origin infrastructure.

Path.net's approach has several advantages for network operators. Because it operates at BGP level, it can absorb attacks that exceed your transit capacity before they ever reach your edge. Their anycast network distributes scrubbing across multiple PoPs, and GRE tunnel delivery means clean traffic arrives at your origin with minimal added latency. They support both always-on and on-demand scrubbing models.

Why Use Path.net with Flowtriq?

Flowtriq detects DDoS attacks in real time, typically within 1-2 seconds, and classifies them by protocol, vector, and severity. Path.net scrubs the attack traffic. The combination is powerful: Flowtriq acts as the detection and decision layer, while Path.net provides the mitigation capacity.

Without automation, the workflow looks like this: Flowtriq detects an attack, sends an alert, an engineer logs in, evaluates the situation, and manually triggers a BGP announcement to reroute traffic through Path.net. This process takes minutes at best. With a custom BGP adapter, Flowtriq can trigger the BGP announcement automatically when configurable thresholds are exceeded, reducing response time to seconds.

The BGP adapter approach means Flowtriq does not need API access to Path.net. Instead, it instructs a local BGP speaker (ExaBGP or GoBGP) to announce or withdraw routes with Path.net's community strings. This is the same mechanism used for RTBH, but instead of blackholing traffic, you are redirecting it to scrubbing.

Prerequisites

  • Path.net account with an active scrubbing plan and at least one assigned scrubbing profile.
  • IP prefix that you own or have LOA for, registered with Path.net for scrubbing coverage.
  • BGP session details from Path.net: their peering IP, ASN, community strings for scrubbing activation, and GRE tunnel endpoints.
  • Flowtriq workspace with at least one node actively monitoring traffic to the protected prefix.
  • Edge router or server capable of running ExaBGP or GoBGP with connectivity to Path.net's peering endpoint.
  • Admin or owner role in your Flowtriq workspace to configure mitigation settings.

Step 1: Get Your Path.net BGP Details

Log in to the Path.net portal and navigate to your scrubbing profile. You need the following details:

  • Path.net peering IP: The IP address of Path.net's BGP router you will peer with (e.g., 192.0.2.50).
  • Path.net ASN: Their autonomous system number for the BGP session (e.g., 396998).
  • Scrubbing community string: The BGP community that tells Path.net to activate scrubbing for the announced prefix (e.g., 396998:100).
  • GRE tunnel endpoint: The IP you will use for the GRE tunnel to receive clean traffic back.
  • Your ASN: Your own autonomous system number for the peering session.

Community strings vary by plan. Path.net may provide different communities for different scrubbing tiers (e.g., standard vs. advanced filtering). Confirm with their support team which community activates the scrubbing profile you want. Some setups also use an extended community or large community format.

Step 2: Set Up ExaBGP or GoBGP

You need a BGP speaker on your edge router or a dedicated server that can establish a session with Path.net and accept commands from Flowtriq. ExaBGP and GoBGP are the two most common choices.

Option A: ExaBGP Configuration

ExaBGP is a lightweight BGP speaker written in Python. It excels at programmatic route announcements because it accepts commands via stdin or a named pipe, making it ideal for automated triggers.

Install ExaBGP:

pip install exabgp

# Create the configuration directory
mkdir -p /etc/exabgp

Create the ExaBGP configuration file at /etc/exabgp/exabgp.conf:

process announce-routes {
    run /usr/bin/socat stdout pipe:/run/exabgp.cmd;
    encoder json;
}

neighbor 192.0.2.50 {
    router-id 198.51.100.1;
    local-address 198.51.100.1;
    local-as 65001;
    peer-as 396998;
    hold-time 90;

    family {
        ipv4 unicast;
    }

    api {
        processes [ announce-routes ];
    }
}

Create a systemd service for ExaBGP:

# /etc/systemd/system/exabgp.service
[Unit]
Description=ExaBGP BGP Speaker
After=network.target

[Service]
Type=simple
ExecStartPre=/usr/bin/mkfifo /run/exabgp.cmd
ExecStart=/usr/local/bin/exabgp /etc/exabgp/exabgp.conf
ExecStopPost=/bin/rm -f /run/exabgp.cmd
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

Start and enable the service:

systemctl daemon-reload
systemctl enable --now exabgp

To announce a route for scrubbing, write to the named pipe:

# Announce prefix to Path.net with scrubbing community
echo "announce route 198.51.100.0/24 next-hop self community 396998:100" \
  > /run/exabgp.cmd

# Withdraw the route (stop scrubbing)
echo "withdraw route 198.51.100.0/24 next-hop self community 396998:100" \
  > /run/exabgp.cmd

Option B: GoBGP Configuration

GoBGP is a high-performance BGP implementation written in Go. It exposes a gRPC API and a CLI tool (gobgp), making it well-suited for programmatic control from scripts or Flowtriq's webhook handler.

Install GoBGP:

# Download the latest release
wget https://github.com/osrg/gobgp/releases/latest/download/gobgp_linux_amd64.tar.gz
tar xzf gobgp_linux_amd64.tar.gz
mv gobgpd gobgp /usr/local/bin/

Create the GoBGP configuration file at /etc/gobgp/gobgpd.conf:

[global.config]
  as = 65001
  router-id = "198.51.100.1"
  port = 179

[[neighbors]]
  [neighbors.config]
    neighbor-address = "192.0.2.50"
    peer-as = 396998
  [neighbors.timers.config]
    hold-time = 90
    keepalive-interval = 30
  [[neighbors.afi-safis]]
    [neighbors.afi-safis.config]
      afi-safi-name = "ipv4-unicast"

Start GoBGP and announce routes via CLI:

# Start the daemon
gobgpd -f /etc/gobgp/gobgpd.conf &

# Announce prefix with scrubbing community
gobgp global rib add 198.51.100.0/24 community 396998:100

# Verify the announcement
gobgp global rib

# Withdraw the route
gobgp global rib del 198.51.100.0/24

Step 3: Configure Flowtriq's BGP Adapter

With your BGP speaker running and peered with Path.net, the next step is to tell Flowtriq how to trigger announcements when it detects an attack.

  1. Navigate to Dashboard > Mitigation in your Flowtriq workspace.
  2. Click Add Rule and select BGP Announcement as the action type.
  3. Configure the adapter connection:
    • Method: Choose "ExaBGP (named pipe)" or "GoBGP (CLI)" depending on your setup.
    • Pipe path / CLI binary: For ExaBGP, enter /run/exabgp.cmd. For GoBGP, enter /usr/local/bin/gobgp.
    • Host: If the BGP speaker runs on a different server, enter the SSH host. If local, leave as localhost.
  4. Set the protected prefix (e.g., 198.51.100.0/24) that should be announced to Path.net when an attack is detected.
  5. Enter the BGP community string: 396998:100 (your Path.net scrubbing community).
  6. Set the auto-withdraw delay: how long Flowtriq waits after attack traffic subsides before withdrawing the route (recommended: 30 minutes).
  7. Click Save Rule.

Webhook alternative: If your BGP speaker is not on the same server as Flowtriq's node agent, you can use Flowtriq's webhook integration instead. Configure a webhook channel in Dashboard > Channels that posts to a lightweight HTTP endpoint on your BGP speaker host. That endpoint receives the alert payload and executes the appropriate ExaBGP or GoBGP command.

Step 4: Set Trigger Thresholds and Escalation Tier

The BGP adapter should not fire on every minor traffic spike. Configure thresholds that reflect your actual capacity limits:

  • PPS threshold: Set this above your normal peak traffic but below your infrastructure's processing capacity. For example, if your servers handle 500K PPS normally and start degrading at 2M PPS, set the trigger at 1.5M PPS.
  • BPS threshold: Set this relative to your transit link capacity. If your uplink is 10 Gbps, a trigger at 8 Gbps gives you a buffer before saturation.
  • Duration: Require the threshold to be exceeded for a sustained period (e.g., 10 seconds) to avoid triggering on brief spikes.

For escalation, Flowtriq's mitigation rules support tiered responses. A common configuration:

Tier 1 (soft):   1.5M PPS for 10s  -> Alert only (Discord/Slack/email)
Tier 2 (medium): 3M PPS for 10s    -> Announce to Path.net (scrubbing)
Tier 3 (hard):   10M PPS for 5s    -> Announce blackhole to upstream (RTBH)

This ensures scrubbing is activated only when the attack is significant enough to warrant it, and blackholing is reserved for catastrophic volumes that exceed even Path.net's scrubbing capacity for your plan.

Step 5: Test the Integration

Before relying on this in production, verify the entire pipeline works end-to-end with a simulated threshold crossing.

Verify BGP Session

First, confirm your BGP speaker has an established session with Path.net:

# ExaBGP: check the logs
journalctl -u exabgp -f
# Look for: "peer 192.0.2.50 ... up"

# GoBGP: check neighbor status
gobgp neighbor
# State should be "established"

Manual Announcement Test

Manually trigger a route announcement and verify Path.net receives it:

# ExaBGP
echo "announce route 198.51.100.0/24 next-hop self community 396998:100" \
  > /run/exabgp.cmd

# GoBGP
gobgp global rib add 198.51.100.0/24 community 396998:100

# Verify: check Path.net's looking glass or contact support
# to confirm they see the announcement with the scrubbing community

# Then withdraw
echo "withdraw route 198.51.100.0/24 next-hop self community 396998:100" \
  > /run/exabgp.cmd
# or
gobgp global rib del 198.51.100.0/24

Flowtriq Trigger Test

Use Flowtriq's built-in test functionality to simulate a threshold crossing:

  1. Go to Dashboard > Mitigation and find your BGP announcement rule.
  2. Click the Test button on the rule. This simulates a threshold breach without actual attack traffic.
  3. Flowtriq will execute the BGP announcement command. Check that the route appears in your BGP speaker's RIB and that Path.net acknowledges it.
  4. After verification, click Stop Test to withdraw the route.

Always coordinate with Path.net support before running your first test. Let them know you will be sending test announcements so they can confirm receipt on their side and avoid any confusion with their monitoring systems.

Troubleshooting

BGP Session Not Establishing

  • Check connectivity: Ensure your router can reach Path.net's peering IP. Run ping 192.0.2.50 and traceroute 192.0.2.50 to confirm reachability.
  • Verify ASN and IP: Double-check that your local-as, peer-as, local-address, and neighbor-address match what Path.net expects. A single digit off will prevent the session from establishing.
  • Firewall rules: BGP uses TCP port 179. Ensure your firewall allows inbound and outbound TCP/179 to/from Path.net's peering IP.
  • MD5 authentication: If Path.net requires an MD5 password on the BGP session, add it to your ExaBGP or GoBGP config. ExaBGP: add md5-password "yourpassword"; inside the neighbor block. GoBGP: add auth-password = "yourpassword" under [neighbors.config].

Route Announced but Scrubbing Not Activating

  • Community string mismatch: The most common issue. Verify the exact community string with Path.net. Some providers use standard communities (e.g., 396998:100), while others use large communities (e.g., 396998:0:100).
  • Prefix not registered: Path.net will only accept announcements for prefixes you have registered with them. Ensure the prefix you are announcing is in your scrubbing profile.
  • Prefix length: Some providers only accept certain prefix lengths. If announcing a /32, try the covering /24 instead, or vice versa. Confirm with Path.net what prefix lengths they accept.

Flowtriq Not Triggering Announcements

  • Permissions: If the BGP speaker runs as a different user, ensure the Flowtriq agent has permission to write to the ExaBGP pipe or execute the GoBGP binary.
  • Pipe not found: If ExaBGP restarts, the named pipe at /run/exabgp.cmd may be recreated. Verify the pipe exists: ls -la /run/exabgp.cmd.
  • Threshold too high: Check the Flowtriq incident log to see if attacks are being detected but not reaching your trigger threshold. Lower the threshold or review your traffic baselines.
  • Rule disabled: Confirm the mitigation rule is enabled in Dashboard > Mitigation.

GRE Tunnel Not Delivering Clean Traffic

  • Tunnel interface down: Verify the GRE tunnel interface is up on your side: ip link show gre-pathnet.
  • MTU issues: GRE adds 24 bytes of overhead. Set your tunnel MTU to 1476 (or lower) to avoid fragmentation: ip link set gre-pathnet mtu 1476.
  • Routing: Ensure you have a route for Path.net's scrubbing return traffic via the GRE tunnel interface.

If issues persist, check Flowtriq's audit log at Dashboard > Audit for detailed execution logs of each mitigation trigger, and contact Path.net support with your BGP session details and announcement timestamps.

Ready to automate your DDoS mitigation pipeline? Start your free 7-day Flowtriq trial and connect your Path.net scrubbing infrastructure today.

Back to Blog

Related Articles

Mitigations

BGP blackhole routing: RTBH for DDoS mitigation

How RTBH works and when to use it as a last-resort defense against volumetric attacks.
Integrations

How to use Cloudflare with Flowtriq

Complete integration guide for combining Cloudflare's proxy with Flowtriq's detection.
Integrations

PagerDuty escalation policies for DDoS incidents

Configure multi-tier escalation so the right people are paged at the right severity level.