This document discusses Flowspec, a mechanism for filtering traffic flows using BGP. It can be used to easily rate limit or discard traffic based on attributes like source/destination addresses and ports. The document provides sample configuration examples and notes some limitations like lack of SNMP support for counters. It also shows graphs of attacks detected and mitigated using Flowspec rules.

1. Tom Paseka,
Courtesy of Terry Rodery
Aug 2013
Flowspec @ APF

2. 2
Background
• RFC 5575 (2009)
• Piggybacks on top of existing BGP
• Supported by Juniper (and Alcatel too apparently?)
• Available in JunOS since 7.X
• ExaBGP support too.

3. 3
Operational
• Configure rules on route server (config so easy a
caveman could do it).
• Commit config.
• Rules are pushed via BGP to routers. I typically see the
rules appear on my edge routers in a matter of seconds.
• Flowspec counters are available for viewing from CLI
using “show firewall”.

4. 4
Drawbacks
• Flowspec counters ARE NOT available via SNMP!
Surely someone can fix this  You’ll need to write the
necessary poller, database, graphing, etc. to do this.
• Not able to use prefix-lists to define source/destination
addresses. Must create multiple rules for multiple
prefixes.
• Flowspec is only supported on M,MX,T-Series devices
and is not available on EX and SRX.

5. 5
Sample “rule” configs
Discards all traffic to UDP port 80.
route DISCARD-80-UDP {
match {
protocol udp;
destination-port 80;
}
then discard;
}

6. 6
Sample “rule” configs
Rate-limit TCP SYN to 5Mbps. This will be the easiest rate
limiting you’ve ever done on JunOS. No more manual
policer configuration!
route 108.162.203.11-RL {
match {
destination 108.162.203.11/32;
protocol tcp;
tcp-flags 2;
}
then rate-limit 5m;
}

7. 7
Sample “rule” configs
route 141.101.124.242-DISCARD {
match destination 141.101.124.242/32;
then discard;
}
We no longer “nullroute” using BGP triggered blackhole to
transit providers so we don’t lose visibility into the
attack.

8. 8
Time for the cool stuff! (Graphs)

9. 9
Short Lived Syn Flood

10. 10
Big attack

11. 11
Decaying long lived attack

12. 12
1Gbps attack

13. Questions?

14. Thank You

15. 15
Bad Players
range 198.32.176.0/24 - PAIX
198.32.176.0/24 141.101.86.1 100 0 13335 1299 701 i
198.32.176.0/24 141.101.90.1 100 0 13335 1299 701 i
.......snip
range 202.40.160.0/23 - HKIX
202.40.160.0/23 199.27.132.1 100 0 13335 4436 4134 4809 45474 i
202.40.160.0/23 108.162.235.1 100 0 13335 4436 4134 4809 45474 i
.......snip
range 206.223.123.0/24 - Equinix LA
206.223.123.0/24 103.22.203.1 100 0 13335 4637 6461 i
.......snip
range 218.100.59.0/24 - ACT-IX
218.100.59.0/24 108.162.247.1 100 0 13335 10026 45482 i
range 91.212.235.0/24 - Balkan IX
91.212.235.0/24 141.101.69.1 100 0 13335 12615 47872 49401 49401 i
range 198.32.177.0/24 - PAIX
198.32.177.0/24 141.101.67.1 100 0 13335 4436 2914 i
.......snip
range 206.223.123.0/24 - Equinix LA
206.223.123.0/24 103.22.203.1 100 0 13335 4637 6461 i
206.223.123.0/24 141.101.65.1 100 0 13335 4436 6461 i
.......snip
range 218.100.59.0/24 - ACT-IX
218.100.59.0/24 108.162.247.1 100 0 13335 10026 45482 i
range 91.212.235.0/24 - Balkan IX
91.212.235.0/24 141.101.69.1 100 0 13335 12615 49401 49401 49401 i
range 198.32.177.0/24 - PAIX
198.32.177.0/24 141.101.67.1 100 0 13335 4436 2914 i
198.32.177.0/24 141.101.72.1 100 0 13335 4436 2914 i
.......snip
range 198.32.132.0/24 - TELX
198.32.132.0/24 141.101.76.1 100 0 13335 4637 6461 22969 i
198.32.132.0/24 103.22.203.1 100 0 13335 4637 6461 22969 i
198.32.132.0/24 141.101.71.1 100 0 13335 1299 6461 22969 i
198.32.132.0/24 141.101.86.1 100 0 13335 1299 6461 22969 i
.......snip