Implementing
BGP Flowspec
at IP transit network
Dmitry Onuchin
root@core# show magic
class-map type traffic match-all fs_ex
match destination-address ipv4 a.b.c.d/32
match protocol udp
match destination-port 137-139 80 8080
end-class-map
policy-map type pbr fs_table_ex
class type traffic fs_ex
police rate 8000 bps
class class-default
end-policy-map
BGP Flowspec
About:
–  RFC5575
–  Announce Flow Specification via BGP
–  It can be represented as a distributed access-list on the operator's network
–  Often used to prevent some types of DDoS attacks on the fourth level of OSI (Amplification/UDP flood)
Flow Specification
Options (NLRI):
1.  Destination prefix
2.  Source prefix
3.  IP protocol
4.  Port
5.  Destination port
6.  Source port
7.  ICMP type
8.  ICMP code
9.  TCP flags
10.  Packet length
11.  DSCP
12.  Fragment

Actions (extended-community):
•  Traffic-rate
•  Traffic-action
•  Redirect
•  Traffic-marking
Typical attack scenario (before ddos)
Typical attack scenario (ddos)
Typical attack scenario (using flowspec)
Discussed implementation options
•  Enable address-family IPv4/IPv6 flowspec on PE routers and customer sessions:
–  Rules validation? (vendor-specific, more-specific, etc)
–  You can "lose" the router receiving the wrong rules
–  Need hardware support for BGP Flowspec

•  Write software (BGP FS controller):
–  The possibility of any type of validation
–  Separation of the operator's network from client BGP FS sessions
–  Ability to set rules without hardware support from the client
–  Scaling
Flowspec rule validation
•  Must have a destination prefix
•  Destination prefix must be the best route on the operator's network and received from the customer session
•  Deny port specification (dst/src) if the protocol is not tcp/udp
•  Deny tcp-flags if the protocol is not tcp
•  Deny icmp-type/code if the protocol is not icmp
•  Limitations with regard to the equipment used on the network (vendor-specific).
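The validation checks listed above, as an added example of how a BGP FS controller could apply them before a customer rule reaches the PE routers; this is illustrative code, not the Rascom controller, and the rule dictionary layout, the session names and the best-route table are constructed for the example.

```python
import ipaddress

# Constructed table: the best unicast route for each customer prefix and the
# customer BGP session it was learned from (hypothetical data).
CUSTOMER_BEST_ROUTES = {
    ipaddress.ip_network("203.0.113.0/24"): "customer-A",
    ipaddress.ip_network("198.51.100.0/24"): "customer-B",
}

PORT_KEYS = ("port", "destination-port", "source-port")


def validate_flowspec_rule(rule, session, best_routes=CUSTOMER_BEST_ROUTES):
    """Return a list of validation errors for one flowspec rule (empty = accepted).

    rule:    dict of NLRI components, e.g.
             {"destination-prefix": "203.0.113.5/32", "protocol": "udp",
              "destination-port": [137, 138, 139]}
    session: name of the customer BGP session the rule arrived on.
    """
    errors = []
    dst = rule.get("destination-prefix")
    if dst is None:
        errors.append("missing destination prefix")
    else:
        dst_net = ipaddress.ip_network(dst, strict=False)
        # Longest-match unicast route covering the destination must come from
        # the same customer session (the RFC 5575 validation procedure).
        covering = [p for p in best_routes
                    if p.version == dst_net.version and dst_net.subnet_of(p)]
        if not covering:
            errors.append(f"{dst}: no best route on the operator network")
        else:
            best = max(covering, key=lambda p: p.prefixlen)
            if best_routes[best] != session:
                errors.append(f"{dst}: best route learned from "
                              f"{best_routes[best]}, not {session}")
    proto = rule.get("protocol")
    if any(k in rule for k in PORT_KEYS) and proto not in ("tcp", "udp"):
        errors.append("port components require protocol tcp or udp")
    if "tcp-flags" in rule and proto != "tcp":
        errors.append("tcp-flags requires protocol tcp")
    if ("icmp-type" in rule or "icmp-code" in rule) and proto != "icmp":
        errors.append("icmp-type/icmp-code require protocol icmp")
    return errors
```

Vendor-specific limits (for example the packet-length and port-range forms a given platform accepts) would be added as further checks in the same function.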
Implementing BGP Flowspec (stage 1)
Implementing BGP Flowspec (stage 2: +stat/mon)
Implementing BGP Flowspec (stage 3: +web)
Statistics / Monitoring
•  Collect statistics from PE routers
•  Send metrics for analysis
•  Periodic revalidation of rules
•  Check installed rules on routers
Web customer portal
•  Statistics and control of rules
•  Check history of flowspec rules
•  Export counters (match/drop) in json
•  Possibility to send Flowspec:
–  For customers without hardware support for bgp flowspec
–  In cases where you do not have access to the router
–  Simple / fast / convenient
Installing flowspec via customer portal
Graphs example
For customers in Customer portal
Admin portal :)
Rate-limit
Cisco	ASR9K	installs	flowspec	as	policy-map	input.
DDoS detection
•  Volumetric attacks (UDP Flood/Amplification):
–  BGP Flowspec applies to almost all cases
–  Detection is relatively inexpensive (Netflow / Sflow), including on an IP transit network

•  Attacks on the network stack (Syn/Ack flood, conntrack …):
–  BGP Flowspec rarely used
–  Detection on transit is not always possible

•  Application-based attacks:
–  BGP Flowspec not applicable
–  Simple detection on transit is impossible (without DPI and analytics)
Top 10 DDoS attack vectors (AKAMAI)
BGP Flowspec applicable in more than 75% of cases
Statistics (Rascom network)
A sample of >5000 real rules
Statistics (Rascom network)
>85% of the traffic of ddos attacks detected using BGP Flowspec (client rules) comes from foreign interfaces (mostly Tier1 operators)
Recommendations
•  Hardware limitation. It is not recommended to use flowspec as a permanent access-list; always remove unused rules

•  Bad validation. Do not test the strength of the operator (vendor) validation rules, and always follow the RFC:
–  Cloudflare network core outage (match packet-length >64K)
–  During the tests, the Juniper vMX was lost several times (RPD outage) because of incorrect rules

•  Understanding. If you do not understand bgp flowspec and its applications, then do not use this service.
Development plans
•  Introduction of a second controller based on GoBGP
–  Redundancy
–  Insurance against software "bugs"

•  API
–  Setting / removing rules
–  Statistics (raw)
–  Reporting / removing rules for which there is no traffic

•  Integration with an attack detection product based on netflow / sflow
•  Improvements to the web customer portal
The end!
Questions and suggestions - email: do@rascom.ru
Dmitry Onuchin
2017

root@core# cat flood > /dev/null