BGP FlowSpec

 

DDoS BGP redirect

 

BGP FlowSpec

BGP DDoS

Network operators face various challenges in managing and securing their networks in today’s interconnected world. BGP FlowSpec, a powerful extension to the Border Gateway Protocol (BGP), has emerged as a valuable tool for mitigating network threats and improving traffic management. This blog post aims to provide a comprehensive overview of BGP FlowSpec, its benefits, and its role in enhancing network security and traffic management.

BGP FlowSpec, short for BGP Flow Specification, is an extension of the BGP protocol that allows network operators to define and distribute traffic filtering rules across their networks. Unlike traditional BGP routing, which focuses on forwarding packets based on destination IP addresses, BGP FlowSpec enables operators to control traffic based on various attributes, including source IP addresses, destination ports, protocols, and more.

Highlights: BGP FlowSpec

  • Dealing with DDoS Attacks

To deal with DDoS attacks, as standard IP routing is destination-based, we can use routing to route the packets toward a destination of null. If BGP is involved, we can use Remote Triggered Blackhole (RTBH) to remotely signal our upstream router to route the particular destination into a NULL route.

This is quite a simplistic way to mitigate a DDoS attack. On the other hand, BGP FlowSpec can be used as a BGP SDN DDoS solution. And can influence behavior based on a much broader set of criteria with the DDoS BGP redirect criteria?

  • FlowSpec DDoS

For example, with FlowSpec DDoS, we can match up more fields supported by BGP Flowspec (source and destination, IP protocol, source, and destination port, ICMP code, and TCP Flags) and more dynamic actions such as dropped packet test or rate limit.

 

For pre-information, you may find the following helpful post before you proceed:

  1. IPFIX Big Data
  2.  OpenFlow Protocol
  3. Data Center Site Selection
  4. DDoS Attacks
  5. OVS Bridge
  6. Segment Routing

 



BGP DDOS.

Key BGP FlowSpec Discussion Points:


  • Introduction to BGP FlowSpec and how it can be used.

  • Discussion on the BGP FlowSpec operations and how it works.

  • BGP DDoS and mitigation.

  • A final note on DDoS BGP redirect.

 

Back to basics with the BGP FlowSpec

BGP Security

BGP is one protocol that causes the Internet to work. Because of its criticality, unfortunately, BGP has been the target protocol. The main focus of any attacker is to find a vulnerability in a system, in this case, BGP, and then exploit it. RFC 4272, BGP Security Vulnerabilities Analysis, presents various weak areas in BGP that every enterprise or service provider should consider when implementing BGP.

Similar to how most protocols were designed in the past. BGP provides no confidentiality and only limited integrity and authentication services. Furthermore, BGP messages can be replayed; if a bad actor intercepts a BGP UPDATE message that adds a route, the hacker can resend that message after the route has been withdrawn and cause an inconsistent and invalid route to be present in the routing information base (RIB).

 

Enhancing Network Security:

One of the critical benefits of BGP FlowSpec is its ability to enhance network security. By leveraging FlowSpec, network operators can quickly respond to security threats and implement granular traffic filtering policies. For example, in the event of a distributed denial-of-service (DDoS) attack, operators can use BGP FlowSpec to instantly distribute traffic filters across their network, effectively mitigating the attack at its source. This real-time mitigation capability significantly reduces the impact of security incidents and improves network resilience.

Traffic Engineering and Quality of Service:

BGP FlowSpec also plays a crucial role in traffic engineering and quality of service (QoS) management. Network operators can use FlowSpec to shape and redirect traffic based on specific criteria. For instance, by employing BGP FlowSpec, operators can prioritize certain traffic types, such as video or voice traffic, over others, ensuring better QoS for critical applications. Furthermore, FlowSpec enables operators to dynamically reroute traffic in response to network congestion or link failures, optimizing network performance and user experience.

Implementing BGP FlowSpec:

Implementing BGP FlowSpec requires compatible routers and appropriate configuration. Network operators must ensure that their routers support the BGP FlowSpec extension and have the necessary software updates. Additionally, operators must carefully define traffic filtering rules using the BGP FlowSpec syntax, specifying each rule’s desired attributes and actions. It is crucial to thoroughly test and validate the FlowSpec configurations to avoid unintended consequences and ensure the desired outcomes.

Challenges and Considerations:

While BGP FlowSpec offers significant advantages, some challenges and considerations must be considered. FlowSpec configurations can be complex, requiring a deep understanding of network protocols and traffic patterns. Additionally, incorrect or overly aggressive FlowSpec rules can unintentionally disrupt legitimate traffic. Therefore, operators must balance security and network accessibility while regularly reviewing and fine-tuning their FlowSpec policies.

 

Recap on BGP FlowSpec

BGP FlowSpec is a BGP SDN mechanism that distributes flow-based policies to other BGP speakers. It enables the dynamic distribution of security profiles and corrective actions using a signaling mechanism based on BGP. No other protocols (OpenFlow, NETCONF, etc.) are used to disseminate the policies. The solution is based entirely on BGP consisting of a new Border Gateway Protocol Network Layer Reachability Information (BGP NLRI – AFI=1, SAFI=133) encoding format.

It reuses BGP protocol algorithms and inherits all the operational experience from existing BGP designs. It’s simple to extend by adding a new NLRI – MP_REACH_NLRI / MP_UNREACH_NLRI. It’s also a well-known protocol for many other technologies, including IPv6, VPN, labels, and multicast.

All existing BGP high availability and scalability features can be used with BGP FlowSpec; for example, route reflection is possible for a point to multipoint connections. In addition, BGP provides the following:

  • Inter-domain support.
  • Meaning you are not tied down to one AS.
  • You are enabling your BGP FlowSpec domain to span multiple administrative domains.

 

BGP FlowSpec Operations

BGP FlowSpec separates BGP networks’ control and data plane and distributes traffic flow specifications. Within the infrastructure, we have a Flowspec controller, the server, one or more Flowspec clients, and optionally a route-reflector that can be used for scalability. Rules that contain matching criteria and actions are created on the server and are redistributed to clients via MP-BGP. 

The central controller programs forward decisions and inject rules remotely into BGP clients. Cisco, Juniper, and Alcatel-Lucent support BGP FS controllers. It may also run on an x86 server with ExaBGP or Arbor PeakFlow SP Collector Platform.

The client receives the rules from the controller and programs rules of a) traffic descriptions and b) actions to apply to traffic. Then, the client, a BGP speaker, makes the necessary changes to TCAM. An additional optional route reflector component can receive rules from the controller and distribute them to clients.

 

Traffic classification

It classes traffic with Layer 3 and 4 information and offers similar granularity to ACLs. Still, one significant added benefit is that it is distributed, and a central controller controls flow entries. It can match on destination IP, source IP, IP protocol, port, destination port, source port, ICMP type and code, TCP flags, packet length, DCSP, and fragments. Once traffic is identified, it is matched, and specific actions are applied. In some cases, multiple actions are applied.

For example, FlowSpec can remotely program QoS – policers and markers, PBR – leak traffic to a Virtual Routing and Forwarding (VRF) or a new next hop, and replicate the traffic to, for example, a sniffer – all the configuration is carried out on the controller.

 

  • A key point: Scalability restrictions.

However, scalability restrictions exist as BGP FlowSpec entries share the TCAM with ACL and QoS. When the rules are complex using multi-value ranges, it will consume more TCAM than simple matching rules. Cisco provides general guidance of 3000 simple rules per line card.

bgp flowsepc
Diagram: BGP FlowSpec.

 

BGP DDoS and DDoS Mitigation

FlowSpec was initially proposed with RFC 5575 as a DDoS mitigation tool, but its use cases expand to other areas, such as BGP unequal cost load balancing. It’s tough to balance unequally based on your destination. With FlowSpec, it’s possible to identify groups of users based on the source address and then use FlowSpec to traffic engineer on ALL core nodes, not just at network edges.

 

DDoS mitigation operations

BGP Flowspec resembles access lists created with class maps and policy maps that provide matching criteria and traffic filtering actions. They are injected into BGP and propagated to BGP peers. As a result, there are many more criteria to use that destination IP address that can be used to mitigate the DDoS attack.

For example, with the DDoS BGP redirect, we can use criteria such as the source, destination, and L4 parameters and packet specifics such as length.

These are sent in a BGP UPDATE message to BGP border routers within FLOW_SPEC_NLRI along with the action criteria. Once received, several actions can be carried out, and these actions are carried in the extended communities’ Path attributes. So you can drop the policy or redirect to another VRF.

 

DDoS BGP redirect: The volumetric attack.

The primary type of DDoS attack FlowSpec protects against is a volumetric attack – long-lived large flows along with the DNS reflection attack. Volumetric attacks are best mitigated close as possible to the Internet border. The closer you drop the packet to the source, the better. You don’t want the traffic to arrive at its destination or to have the firewall process and drop it.

For example, a TCP SYN attack could be 1000 million packets per second; not many firewall states can address that. It is much better to drop volumetric-type attacks at network borders as they cannot be mitigated within the data center; it’s simply too late.

FlowSpec is also suitable for dropping amplification-type attacks. These attacks do not need to be sent to scrubbing systems and can be handled by FlowSpec by matching the traffic pattern and filtering at the edge.

With BGP Flowspec for DDoS BGP redirects, we have a more granular approach to mitigating DDoS attacks than old-school methods. All this is accomplished by a specific definition of flows based on Layer 3 and 4 matching criteria and actions configured on the FlowSpec server. The rules are automatically redistributed to FlowSpec clients using MP-BGP (SAFI 133), so the clients can take action defined in the rules.

Conclusion:

BGP FlowSpec has become an essential tool for network operators seeking to enhance network security and traffic management. Its ability to distribute traffic filtering rules in real time and its flexibility in defining granular policies make it a valuable asset in today’s dynamic network environments. By leveraging BGP FlowSpec, operators can effectively respond to security threats, optimize traffic engineering, and deliver better QoS. However, careful planning, implementation, and continuous monitoring are crucial to maximize the benefits of BGP FlowSpec while mitigating potential risks.

 

flowspec ddos