🗺️ BGP & Internet Routing
10 min read
BGP FlowSpec: DDoS Mitigation at the Routing Layer
Learn how BGP FlowSpec distributes traffic filtering rules across your network to mitigate DDoS attacks at line rate without dedicated scrubbing centers.
What Is BGP FlowSpec?
BGP FlowSpec (RFC 8955, which obsoleted the original RFC 5575; RFC 8956 adds IPv6) extends BGP with a new NLRI (AFI 1, SAFI 133) that carries traffic filtering rules (flow specifications) and with extended communities that carry the action to apply. Instead of configuring ACLs on each router manually, you inject a FlowSpec rule once and BGP propagates it to every router that has the flowspec address family enabled.
Traditional DDoS response:
1. Detect attack
2. SSH into 20 border routers
3. Add ACL to each one manually
4. Total time: 30+ minutes
FlowSpec DDoS response:
1. Detect attack
2. Inject one FlowSpec rule
3. BGP propagates to all routers in seconds
4. Total time: < 1 minute
FlowSpec Rule Components
A FlowSpec rule matches on Layer 3/4 header fields (RFC 8955 defines twelve component types for IPv4) and applies an action carried in a BGP extended community:
Match Fields
| Field | Description | Example |
|---|---|---|
| Destination prefix | Target IP range (required for the rule to pass validation) | 203.0.113.0/24 |
| Source prefix | Attacker IP range | 198.51.100.0/24 |
| IP protocol | TCP, UDP, ICMP | UDP (17) |
| Port | Matches either source or destination port | 53 |
| Destination port | Target service port | 53 (DNS) |
| Source port | Source port, e.g. of reflected responses | 123 (NTP) |
| ICMP type / code | ICMP message type and code | type 8 (echo request) |
| TCP flags | Bitmask over the TCP flag bits | SYN set, ACK clear |
| Packet length | Total IP packet length in bytes | >= 512 |
| DSCP | QoS marking | CS1 (8) |
| Fragment | Fragmentation bits (don't-fragment, is-fragment, first, last) | Is-fragment |
Actions
| Action | Extended community (RFC 8955) | Effect |
|---|---|---|
| Drop (discard) | traffic-rate 0 | Silently drop matching packets |
| Rate-limit | traffic-rate 12500000 | Police to 12,500,000 bytes/s (100 Mbit/s); the value is bytes per second, not bits |
| Redirect to VRF | rt-redirect (route target) | Send to a scrubbing VRF |
| Mark DSCP | traffic-marking 8 | Remark DSCP (CS1) for QoS |
| Sample / terminal | traffic-action | Mirror matching traffic, or control whether later rules are still evaluated |
| Redirect to next-hop | redirect-to-IP 10.0.0.99 | Forward to a scrubber; an IETF draft extension, supported only on some platforms |
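What a rule looks like on the wire. The following is an added example, not code from the page or from any vendor: a minimal Python encoder for the IPv4 FlowSpec NLRI of RFC 8955 (the length octet, prefix components and numeric-operator components with their e/a/len/lt/gt/eq bits). It is checked against the two worked examples in RFC 8955 section 4.3.1 and against the page's own UDP-to-port-53 rule. The action (extended community) is not encoded here.

```python
"""
Minimal encoder for BGP FlowSpec IPv4 NLRI (RFC 8955, section 4).
Added example: builds the bytes carried in MP_REACH_NLRI for AFI 1 / SAFI 133.
"""
import ipaddress
from typing import List, Tuple

# Component types (RFC 8955 section 4.2.2)
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DEST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
ICMP_TYPE, ICMP_CODE, TCP_FLAGS, PKT_LEN, DSCP, FRAGMENT = 7, 8, 9, 10, 11, 12

# Numeric operator bits (RFC 8955 section 4.2.1.1)
OP_LT, OP_GT, OP_EQ = 0x04, 0x02, 0x01
OP_AND = 0x40   # 'a' bit: AND this term with the previous one
OP_END = 0x80   # 'e' bit: last {operator, value} pair of the component


def _value_len(value: int) -> Tuple[int, int]:
    """Return (len field, byte count) using the smallest legal value size."""
    for len_field, nbytes in ((0, 1), (1, 2), (2, 4), (3, 8)):
        if value < 1 << (8 * nbytes):
            return len_field, nbytes
    raise ValueError("value does not fit in 8 bytes")


def encode_prefix(ctype: int, prefix: str) -> bytes:
    """Type 1/2 component: type, prefix length in bits, minimal prefix octets."""
    net = ipaddress.IPv4Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def encode_numeric(ctype: int, terms: List[Tuple[int, int]]) -> bytes:
    """
    Type 3..12 component. `terms` is a list of (op, value); op is an OR of
    OP_LT/OP_GT/OP_EQ, plus OP_AND when the term ANDs with the previous one.
    The e bit is set automatically on the final term.
    """
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        len_field, nbytes = _value_len(value)
        if i == len(terms) - 1:
            op |= OP_END
        out.append(op | (len_field << 4))
        out += value.to_bytes(nbytes, "big")
    return bytes(out)


def encode_nlri(components: List[bytes]) -> bytes:
    """Order components by type (each at most once) and prepend the length."""
    types = [c[0] for c in components]
    if len(types) != len(set(types)):
        raise ValueError("each component type may appear at most once")
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    # Two-octet length form (upper nibble 0xF) for long rules, RFC 8955 4.1
    return (0xF000 | len(body)).to_bytes(2, "big") + body


def rfc_example_1() -> str:
    """RFC 8955 4.3.1: packets to 10.1.1.0/24, protocol TCP, port 25."""
    return encode_nlri([
        encode_prefix(DEST_PREFIX, "10.1.1.0/24"),
        encode_numeric(IP_PROTO, [(OP_EQ, 6)]),
        encode_numeric(PORT, [(OP_EQ, 25)]),
    ]).hex()


def rfc_example_2() -> str:
    """RFC 8955 4.3.1: to 192.0.2.0/24 from 203.0.113.0/24, port 137..139 or 8080."""
    return encode_nlri([
        encode_prefix(DEST_PREFIX, "192.0.2.0/24"),
        encode_prefix(SRC_PREFIX, "203.0.113.0/24"),
        encode_numeric(PORT, [(OP_GT | OP_EQ, 137),            # >= 137
                              (OP_AND | OP_LT | OP_EQ, 139),   # and <= 139
                              (OP_EQ, 8080)]),                 # or == 8080
    ]).hex()


def dns_flood_rule() -> str:
    """The page's rule: UDP to 203.0.113.10/32 port 53 from 198.51.100.0/24."""
    return encode_nlri([
        encode_prefix(DEST_PREFIX, "203.0.113.10/32"),
        encode_prefix(SRC_PREFIX, "198.51.100.0/24"),
        encode_numeric(IP_PROTO, [(OP_EQ, 17)]),
        encode_numeric(DEST_PORT, [(OP_EQ, 53)]),
    ]).hex()


if __name__ == "__main__":
    print(rfc_example_1())   # 0b01180a0101038106048119
    print(rfc_example_2())   # 120118c000020218cb0071040389458b911f90
    print(dns_flood_rule())  # 110120cb00710a0218c63364038111058135
```

The sorting step matters: RFC 8955 requires components in ascending type order, and the same ordering (plus a comparison of the encoded values) decides which of two overlapping rules wins on the router, independent of the order in which you configured them.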
Configuration Example
# Cisco IOS-XR: Drop all UDP traffic to 203.0.113.10 port 53
# from source 198.51.100.0/24 (IOS-XR expresses a FlowSpec rule as a
# class-map plus a policy-map of type pbr, attached under "flowspec")
class-map type traffic match-all UDP-FLOOD
 match destination-address ipv4 203.0.113.10 255.255.255.255
 match source-address ipv4 198.51.100.0 255.255.255.0
 match protocol udp
 match destination-port 53
 end-class-map
!
policy-map type pbr DDOS-MITIGATION
 class type traffic UDP-FLOOD
  drop
 !
 end-policy-map
!
flowspec
 address-family ipv4
  service-policy type pbr DDOS-MITIGATION
# ExaBGP (software FlowSpec injector): an iBGP session to the router at
# 10.0.0.1; the session must negotiate the ipv4 flow family or the rule is
# never sent (10.0.0.2 and AS 65000 are placeholder values)
neighbor 10.0.0.1 {
    router-id 10.0.0.2;
    local-address 10.0.0.2;
    local-as 65000;
    peer-as 65000;
    family {
        ipv4 flow;
    }
    flow {
        route DNS-FLOOD {
            match {
                destination 203.0.113.10/32;
                source 198.51.100.0/24;
                protocol udp;
                destination-port =53;
            }
            then {
                discard;
            }
        }
    }
}
FlowSpec for DDoS Mitigation
UDP Amplification Attack
# Block DNS amplification: the victim receives large UDP responses sent
# FROM port 53 of open resolvers, so match on source-port, not destination-port
Match: protocol=UDP, destination=YOUR_IP/32, source-port=53, packet-length=512-65535
Action: drop
# Caveat: if YOUR_IP is itself a recursive resolver this also drops its
# legitimate large answers; rate-limit instead, or match is-fragment only
SYN Flood
# Rate-limit SYN packets to your web server. Match SYN set and ACK clear so
# legitimate SYN-ACKs are not policed; traffic-rate is in bytes/s, so
# 100 Mbit/s is 12,500,000
Match: protocol=TCP, destination=YOUR_IP/32, destination-port=80, tcp-flags=SYN (ACK clear)
Action: rate-limit 12500000 bytes/s (100 Mbit/s)
NTP Reflection
# Drop NTP monlist responses (468-byte IP packets from source port 123);
# keep the destination prefix, or you drop every large NTP packet you receive
Match: protocol=UDP, destination=YOUR_IP/32, source-port=123, packet-length=468-65535
Action: drop
Limitations and Risks
- Collateral damage -- Overly broad rules block legitimate traffic. Always carry a destination prefix (a /32 where possible) and match on protocol and port as well; prefer rate-limit over drop when you are unsure what else the rule catches.
- Hardware support -- FlowSpec rules are programmed into router TCAM, whose capacity is platform dependent (a few thousand rules on many platforms). Not every platform can match packet length or fragment bits in hardware, so such rules may not be installed at all. Rule precedence follows the ordering defined in RFC 8955, not the order in which you configured the rules.
- Validation -- Keep RFC 8955 validation enabled on eBGP sessions: a rule is accepted only if it carries a destination prefix and its originator also originated the best-match unicast route for that prefix, so a peer cannot inject rules for your address space. Disable validation only on the iBGP session from your own trusted controller (for example the ExaBGP injector above).
- Not a silver bullet -- FlowSpec filters at your own edge, so a volumetric attack that fills your uplinks still has to be filtered upstream: many transit providers accept FlowSpec rules or the BLACKHOLE community (RFC 7999) for remote-triggered blackholing, and otherwise you need a scrubbing service such as Cloudflare or Akamai.
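The three mitigation rules above and the collateral-damage, unit and validation points in this list come together in a small injector front-end. This is an added example, not code from the page or from the ExaBGP project: it turns detector output into ExaBGP 4 API lines of the form `announce flow route { match { ... } then { ... } }` (the grammar is assumed from ExaBGP's flow configuration syntax; verify it against the installed version), converts rates from bit/s to the bytes/s that traffic-rate carries, and refuses rules that lack a destination prefix, target address space we do not own (the owned prefix list and the /24 broadness limit are constructed local policy), or would match all traffic to the victim.

```python
"""
Guardrailed ExaBGP front-end for FlowSpec mitigations (added example).
Emits "announce flow route { ... }" API lines and rejects dangerous rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of the address space we are allowed to filter for.
OWNED_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed local policy: never accept a destination broader than a /24.
MIN_DEST_PREFIXLEN = 24


@dataclass
class FlowRule:
    name: str
    destination: Optional[str] = None        # "203.0.113.10/32"
    source: Optional[str] = None             # "198.51.100.0/24"
    protocol: Optional[str] = None           # "udp", "tcp", "icmp"
    destination_port: Optional[str] = None   # ExaBGP operator form, "=53"
    source_port: Optional[str] = None        # "=123"
    packet_length: Optional[str] = None      # ">=512" or ">=468&<=1500"
    tcp_flags: Optional[str] = None          # ExaBGP list form, "[ syn ]"
    action: str = "discard"                  # "discard" or "rate-limit"
    rate_bps: Optional[int] = None           # bit/s, used by rate-limit only


def validate(rule: FlowRule, owned=OWNED_PREFIXES) -> None:
    """Raise ValueError for rules that violate the local sanity policy."""
    if rule.destination is None:
        # RFC 8955 validation also rejects eBGP-learned rules without one.
        raise ValueError(f"{rule.name}: destination prefix is required")
    dst = ipaddress.ip_network(rule.destination)
    if dst.prefixlen < MIN_DEST_PREFIXLEN:
        raise ValueError(f"{rule.name}: destination {dst} is too broad")
    if not any(dst.subnet_of(net) for net in owned):
        raise ValueError(f"{rule.name}: {dst} is outside our address space")
    if not any([rule.source, rule.protocol, rule.destination_port,
                rule.source_port, rule.packet_length, rule.tcp_flags]):
        raise ValueError(f"{rule.name}: would match all traffic to {dst}")
    if rule.action not in ("discard", "rate-limit"):
        raise ValueError(f"{rule.name}: unsupported action {rule.action}")
    if rule.action == "rate-limit" and not rule.rate_bps:
        raise ValueError(f"{rule.name}: rate-limit needs rate_bps")


def rejected(rule: FlowRule) -> bool:
    """True when validate() refuses the rule (for dry runs and tests)."""
    try:
        validate(rule)
    except ValueError:
        return True
    return False


def bps_to_bytes_per_sec(bps: int) -> int:
    """traffic-rate carries bytes per second: 100 Mbit/s -> 12,500,000."""
    return bps // 8


def to_exabgp(rule: FlowRule, verb: str = "announce") -> str:
    """Render one API line; verb="withdraw" removes the same rule again."""
    validate(rule)
    fields = (("destination", rule.destination), ("source", rule.source),
              ("protocol", rule.protocol),
              ("destination-port", rule.destination_port),
              ("source-port", rule.source_port),
              ("packet-length", rule.packet_length),
              ("tcp-flags", rule.tcp_flags))
    match = " ".join(f"{key} {val};" for key, val in fields if val is not None)
    if rule.action == "discard":
        then = "discard;"
    else:
        then = f"rate-limit {bps_to_bytes_per_sec(rule.rate_bps)};"
    return f"{verb} flow route {{ match {{ {match} }} then {{ {then} }} }}"


def page_rules() -> List[str]:
    """The three mitigations from the page, with constructed victim addresses."""
    rules = [
        # DNS amplification: reflected answers arrive FROM port 53.
        FlowRule("dns-amp", destination="203.0.113.10/32", protocol="udp",
                 source_port="=53", packet_length=">=512"),
        # SYN flood: police SYNs to the web server at 100 Mbit/s.
        FlowRule("syn-flood", destination="203.0.113.20/32", protocol="tcp",
                 destination_port="=80", tcp_flags="[ syn ]",
                 action="rate-limit", rate_bps=100_000_000),
        # NTP monlist reflection: 468-byte-plus packets from port 123.
        FlowRule("ntp-monlist", destination="203.0.113.30/32", protocol="udp",
                 source_port="=123", packet_length=">=468"),
    ]
    return [to_exabgp(rule) for rule in rules]


if __name__ == "__main__":
    for line in page_rules():   # feed these lines to the ExaBGP API process
        print(line)
```

Feed the printed lines to ExaBGP through its API process (stdin of a `process` configured in exabgp.conf) and emit the same line with `withdraw` when the attack ends; the validation function is the place to add a rule-count budget so a runaway detector cannot exhaust router TCAM.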