BGP FlowSpec – DDoS Mitigation

BGP FlowSpec is a BGP SDN mechanism used to distribute flow-based policies to other BGP speakers. It enables the dynamic distribution of security profiles along with corrective actions using a signalling mechanism based on BGP. No other protocols (OpenFlow, NETCONF, etc.) are used to disseminate the policies. The solution is based entirely on BGP and consists of a new Border Gateway Protocol Network Layer Reachability Information (BGP NLRI, AFI=1, SAFI=133) encoding format. It thereby reuses BGP protocol algorithms and inherits all the operational experience from existing BGP designs.


BGP FlowSpec is used to protect against large-scale DDoS attacks, to redirect specific flows towards a DC, or to distribute a specific filter.


Why use BGP?

It’s simple to extend BGP by adding a new NLRI, carried in MP_REACH_NLRI / MP_UNREACH_NLRI. BGP is also a well-known protocol already used for many other technologies, including IPv6, VPNs, labels and multicast. All existing BGP high-availability and scalability features can be used with BGP FlowSpec; for example, route reflection is possible for point-to-multipoint distribution. BGP also provides inter-domain support, so you are not tied down to one AS, and your BGP FlowSpec domain can span multiple administrative domains.


BGP FlowSpec Operations

BGP FlowSpec separates the control and data plane in BGP networks and distributes traffic flow specifications. It consists of a central controller, clients and optional route-reflector design.

The central controller programs forwarding decisions and injects rules remotely into its BGP clients. Cisco, Juniper and Alcatel-Lucent support BGP FS controllers; a controller may also run on an x86 server with ExaBGP or on the Arbor PeakFlow SP Collector Platform. The client receives the rules from the controller and programs rules made up of a) traffic descriptions and b) actions to apply to that traffic. The client, which is a BGP speaker, carries out the necessary changes to TCAM. An optional route reflector component can receive rules from the controller and distribute them to its clients.

It classifies traffic with Layer 3 and Layer 4 information and offers similar granularity to ACLs, with one major added benefit: it is distributed, and flow entries are controlled by a central controller. It can match on destination IP, source IP, IP protocol, port, destination port, source port, ICMP type and code, TCP flags, packet length, DSCP and fragments. Once traffic is identified, it is matched and certain actions are applied; in some cases, multiple actions are applied. FlowSpec can remotely program QoS (policers and markers), PBR (leak traffic into a Virtual Routing and Forwarding (VRF) instance or to a new next hop), and replicate the traffic to, for example, a sniffer. All the configuration is carried out on the controller.
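To make the NLRI encoding and the match components above concrete, here is an added example (not from the original article and not any vendor's or controller's code) that builds an RFC 5575 IPv4 FlowSpec NLRI and a traffic-rate extended community in Python; the rule, the 192.0.2.0/24 prefix and the helper names are constructed for illustration.

```python
"""Added example: encode a BGP FlowSpec (RFC 5575) IPv4 NLRI plus a traffic-rate action."""
import ipaddress
import struct

# Component types (RFC 5575 section 4); only the ones used below are named
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
# Numeric operator flag bits: end-of-list, AND, less-than, greater-than, equal
END, AND, LT, GT, EQ = 0x80, 0x40, 0x04, 0x02, 0x01

def encode_prefix(comp_type: int, cidr: str) -> bytes:
    """Type 1/2 component: prefix length in bits, then the minimum number of prefix bytes."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([comp_type, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_numeric(comp_type: int, terms: list) -> bytes:
    """Numeric component: (flags, value) pairs; the value width is picked automatically
    and encoded in the operator's len bits, and the last term gets the end-of-list bit."""
    out = bytearray([comp_type])
    for i, (flags, value) in enumerate(terms):
        size = 1 if value < 0x100 else 2 if value < 0x10000 else 4
        op = flags | ({1: 0, 2: 1, 4: 2}[size] << 4)
        if i == len(terms) - 1:
            op |= END
        out.append(op)
        out += value.to_bytes(size, "big")
    return bytes(out)

def build_nlri(components: list) -> bytes:
    """Components must appear in ascending type order; one-byte length below 240,
    otherwise a two-byte length whose top nibble is 0xF."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack("!H", 0xF000 | len(body)) + body

def traffic_rate(bytes_per_second: float, asn: int = 0) -> bytes:
    """Extended community 0x8006: 2-byte AS, then the rate as an IEEE float; 0 discards."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_second)

def dns_reflection_rule() -> tuple:
    """Constructed rule: discard UDP replies from source port 53 towards 192.0.2.0/24."""
    nlri = build_nlri([
        encode_prefix(DST_PREFIX, "192.0.2.0/24"),
        encode_numeric(IP_PROTO, [(EQ, 17)]),
        encode_numeric(SRC_PORT, [(EQ, 53)]),
    ])
    return nlri, traffic_rate(0.0)  # rate 0 = drop at the edge
```

The NLRI goes into MP_REACH_NLRI with AFI=1, SAFI=133 and the extended community into the UPDATE's path attributes; a controller such as ExaBGP performs this encoding for you, but seeing the bytes explains why ranged rules consume more TCAM than single-value matches.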




However, there are scalability restrictions, as BGP FlowSpec entries share TCAM with ACL and QoS entries. When rules are complex and use multi-value ranges, they consume more TCAM than simple matching rules. Cisco provides general guidance of 3000 simple rules per line card.


DDoS Mitigation

FlowSpec was initially proposed in RFC 5575 as a DDoS mitigation tool, but its use cases are expanding to other areas such as BGP unequal-cost load balancing. It’s very difficult to balance unequally based on destination alone. With FlowSpec, it’s possible to identify groups of users based on source address and then traffic-engineer on ALL core nodes, not just at network edges.

The main type of DDoS attack FlowSpec protects against is a volumetric attack: long-lived, large flows. Volumetric attacks are best mitigated as close as possible to the Internet border. The closer to the source you drop the packet, the better. You don’t want the traffic to arrive at its destination or to have the firewall process and drop it. A TCP SYN attack could be 1000 million packets per second, and not many firewall state tables can handle that. It is much better to drop volumetric attacks at network borders, as they cannot be mitigated within the data centre; by then it’s simply too late.

FlowSpec is also good at dropping amplification attacks. These types of attacks do not need to be sent to a scrubbing system and can be handled by FlowSpec by matching the traffic pattern and filtering at the edge.







About Matt Conran
