Today we’re going to talk a bit about BGP Flowspec and its effectiveness in mitigating DDoS attacks.
What is Flowspec?
BGP Flow Specification (Flowspec) is defined in RFC 5575(Dissemination of Flow Specification Rules), defines how Flowspec is used to distribute flow rules through the BGP protocol.
Basically, Flowspec is an extension of the BGP protocol that allows routers to apply rules such as dynamic ACLs or dynamic firewall rules to specific types of traffic. These rules can be based on a variety of criteria, including source, destination, protocol, port and so on.
Below is a table with all the possibilities for classifying Flowspec traffic:
BGP Flowspec NLRI Type | QoS Match Fields |
Type 1 | Destination IP / IPv6 address |
Type 2 | Source IP / IPv6 address |
Type 3 | IP / IPv6 Protocol |
Type 4 | Source or destination port |
Type 5 | Destination port |
Type 6 | Source port |
Type 7 | ICMP Type |
Type 8 | ICMP Code |
Type 9 | TCP flags |
Type 10 | Packet length |
Type 11 | DSCP |
Type 12 | Fragmentation bits |
These types of classification can also be combined, for example:
Flow with Source 8.8.8.8/32 source UDP port 53.
Based on the traffic classifications above (from the table or a combination thereof as in the example), we can take the following actions:
Type | Description | PBR Action |
0x8006 | traffic-rate | Drop | Police |
0x8007 | traffic-action | Terminal Action + Sampling |
0x8008 | redirect-vrf | Redirect VRF |
0x8009 | traffic-marking | Set DSCP |
0x0800 | Redirect IP NH | Redirect IPv4 or IPv6 Next-Hop |
How does Flowspec work?
For FlowSpec to work, it is necessary to close the BGP FlowSpec sessions between the BGP Router called in the Edge Topology and the Server/Router that generates the FlowSpec rules, which in our topology is Made4Flow.
In this way, FlowSpec works by sending a special BGP message to the router. This message contains a list of flow rules that the router must apply. Flow rules can be applied to all flows that pass through the router or only to specific flows, just as in a firewall rule you can choose the firewall rule you can choose which flow you want to apply an action to.
If your Operator or Transit supports FlowSpecit is important to request the sessions BGP FlowSpecso we can send the rules of FlowSpec to be applied directly to your operator’s equipment, so that malicious traffic will not reach our equipment, thus avoiding overloading your links.
How can FlowSpec help against DDoS attacks?
To use FlowSpec to mitigate DDoS attacks, you need to use an attack detection tool that generates FlowSpec rules, such as Made4Flow .
When the Netflow Network Analyzer detects a DDoS attack, it generates a special BGP message that contains the flow rules needed to mitigate the attack. This message is then sent to the router, which applies the rules and prevents malicious traffic from reaching its final destination, as shown in the example below, where we see a blocking rule for a destination IP and ICMP type 0 or 8:
Another way to use FlowSpec to mitigate DDoS attacks is to use FlowSpec to limit the rate of traffic that can be sent to a given destination. This can help prevent a DDoS attack from saturating the destination’s bandwidth, as in the example below:
As we saw in the examples above, FlowSpec sends rules to drop or rate-limit the attacked prefixes or IP(s). In this way, we ensure that the DDoS attack does not pass from our BGP/Borda router into the network. For FlowSpec to be more effective against DDoS attacks, it is important to establish a BGP FlowSpec session with their operators, thus increasing the effectiveness of the protection and the blocking can be done directly on the equipment and Routers of your operator and the attack preventing packets and traffic from reaching your equipment preventing your routers from suffering from high CPU, link overload and even loss of communication with your equipment.
Unfortunately, not all operators offer BGP FlowSpec sessions. Check with your operators and, if possible, set up BGP FlowSpec sessions so that if you experience DDoS attacks, you can reduce the impact on your network and increase your protection by creating the rules directly on your routers.
Conclusion
BGP FlowSpec is an effective tool that can be used to mitigate DDoS attacks of all sizes. Using FlowSpec, network administrators can direct DDoS traffic to a mitigation point or limit the rate of traffic that can be sent to a particular destination.
Stay tuned for the next few articles, as we’ll be talking about how to configure BGP FlowSpec sessions on different manufacturers such as Huawei, Juniper, Cisco, Nokia and various other models and brands.