
Efficient Anomaly Mitigation With BGP FlowSpec

May 3, 2018 11:53:01 AM / by Giorgos Dimopoulos




Every year there are reports of new cyber security threats that are more sophisticated and potent than ever before. The recent 1.35Tbps amplification attack against Github is a perfect example of how attackers are discovering new techniques that put existing defense mechanisms to the test and succeed in crippling even well provisioned networks.

It is therefore becoming clear that network operators need to constantly invest resources to effectively monitor and protect their infrastructure and customers. However, high-capacity detection and mitigation often translates into excessive costs, and few solutions offer protection against a wide range of threats. Moreover, they frequently come with complex interfaces that can only be operated by specialized professionals and can lead to misconfigurations. As a result, there is currently a growing demand for scalable and intuitive solutions that are capable of detecting and, most importantly, effectively mitigating different types of network anomalies.

The Case for BGP FlowSpec

More traditional DDoS mitigation techniques such as Remote Triggered Black Hole (RTBH) often fall short of blocking large-scale DDoS attacks while still allowing legitimate traffic to reach the targeted host. Meanwhile, approaches such as Access Control Lists (ACLs) can be effective countermeasures but quickly become too cumbersome to configure and maintain.

BGP FlowSpec (Flow Specification) is a standardized method (RFC 5575) that was created as a more flexible and scalable way of mitigating DDoS attacks than approaches such as RTBH and ACLs. BGP FlowSpec leverages BGP in order to rapidly deploy and propagate filtering and policing rules among a large number of BGP peer routers.

In more detail, FlowSpec offers finer granularity when defining mitigation rules, as it allows flows to be matched on 12 L3 and L4 attributes such as source/destination IP prefixes and ports, IP protocol, TCP flags, packet length and fragmentation, to name a few. The specification also defines three types of filtering actions that can be applied to the matched flows (drop, rate-limit and redirect). The combination of flow matching on multiple fields with a choice of filtering actions makes FlowSpec an extremely versatile solution that can be adapted to a wide range of scenarios and successfully mitigate complex attacks.
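To make the matching and action machinery concrete, here is an added example (not code from the original post or from Talaia) that encodes one FlowSpec rule on the wire as RFC 5575 lays it out: the NLRI carries the match components in ascending type order, and the traffic-rate extended community carries the action, with a rate of 0 meaning drop. The prefix, port, length and AS values are constructed for illustration.

```python
import struct
import ipaddress

# RFC 5575 component types (section 4); only the ones used below are named.
DEST_PREFIX, SRC_PREFIX, IP_PROTO, PORT, DST_PORT, SRC_PORT = 1, 2, 3, 4, 5, 6
PKT_LEN = 10

def encode_prefix(ctype, cidr):
    """Type 1/2: <type, prefix-length, prefix octets (only as many as needed)>."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def encode_numeric(ctype, terms):
    """Types 3-8, 10, 11: a list of (operator octet, value) pairs.
    terms: (op, value, and_with_previous) with op one of '==', '<', '>', '<=', '>='.
    Operator octet, MSB first: end-of-list | AND | len(2 bits) | 0 | lt | gt | eq."""
    out = bytearray([ctype])
    for i, (op, value, and_prev) in enumerate(terms):
        lt, gt, eq = ('<' in op), ('>' in op), ('=' in op)
        vlen = 0 if value < 0x100 else 1          # len field 00 = 1 octet, 01 = 2 octets
        end = 1 if i == len(terms) - 1 else 0
        opbyte = end << 7 | int(and_prev) << 6 | vlen << 4 | lt << 2 | gt << 1 | eq
        out.append(opbyte)
        out += struct.pack('>B', value) if vlen == 0 else struct.pack('>H', value)
    return bytes(out)

def encode_nlri(components):
    """Join components (caller keeps ascending type order) and prepend the length:
    one octet below 240, otherwise two octets with the upper nibble set to 0xF."""
    body = b''.join(components)
    if len(body) < 240:
        return bytes([len(body)]) + body
    return struct.pack('>H', 0xF000 | len(body)) + body

def traffic_rate_community(asn, rate_bytes_per_sec):
    """Extended community 0x8006: 2-octet AS followed by an IEEE float rate.
    A rate of 0.0 is the 'drop' action; a positive rate is 'rate-limit'."""
    return struct.pack('>HHf', 0x8006, asn, rate_bytes_per_sec)

def build_drop_rule():
    """Constructed rule (assumed values): drop UDP packets with source port 123
    destined to 192.0.2.1/32 that are at least 100 octets long."""
    nlri = encode_nlri([
        encode_prefix(DEST_PREFIX, '192.0.2.1/32'),
        encode_numeric(IP_PROTO, [('==', 17, False)]),
        encode_numeric(SRC_PORT, [('==', 123, False)]),
        encode_numeric(PKT_LEN, [('>=', 100, False)]),
    ])
    return nlri, traffic_rate_community(64512, 0.0)
```

Two-octet values and AND-chained ranges (for example a destination port between 1024 and 2047) go through the same `encode_numeric` path, with the len and AND bits set accordingly.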

BGP FlowSpec in Action

[Figure: BGP FlowSpec DDoS mitigation]

The example above illustrates a scenario where a DDoS attack has been launched against a target inside a service provider’s core network. Licit as well as illicit traffic can reach the target following three different paths over three different transit routers. In order to mitigate the attack, a FlowSpec router announces filtering rules to the three transit routers either via direct peering or via a Route Reflector and, as a result, all the DDoS traffic is filtered while legitimate users continue to access the targeted host without experiencing any service interruptions.

Due to its advantages over other solutions, BGP FlowSpec has gained a lot of traction among major vendors in recent years, with early adopters such as Juniper, Cisco, Alcatel and Huawei already offering BGP routers with FlowSpec support, and more vendors keep being added to the list. This indicates that BGP FlowSpec continues to gain wider acceptance and is set to eventually become the industry's go-to technology for effective anomaly mitigation. As a result, BGP FlowSpec allows network security solutions to mitigate attacks without the aid of costly specialized hardware, since it can be applied without modifying the existing infrastructure.

[Figure: BGP FlowSpec DDoS scrubbing]

Another FlowSpec use case, which can be very effective for mitigating complex application-layer DDoS attacks where separating licit from illicit traffic is not straightforward, is the redirect action. In such scenarios, both the legitimate and the anomalous traffic are redirected to a scrubbing center or to your on-premise solution, where they can be analyzed (usually by a DPI, Deep Packet Inspection, solution) in order to safely remove the attack vectors and re-route the clean traffic back to the network.

Scrubbing with BGP FlowSpec's redirect action has several benefits compared to more traditional techniques that rely on re-injection tunnels and modification of the GRT (Global Routing Table). FlowSpec instead performs the redirection by means of a VRF (Virtual Routing and Forwarding) instance, which allows a specific part of the traffic to be redirected based on prefixes, ports, protocols and so on, without making any change to the GRT. With this approach, scrubbing becomes less resource intensive, as it is performed only on a subset of the traffic; moreover, the clean traffic can simply be sent back to the GRT without the need for a dedicated re-injection tunnel. This considerably reduces the cost and resources of the scrubbing center contract or of your on-premises solution.

It therefore becomes clear that BGP FlowSpec is the key protocol for implementing simple and cost-effective network attack mitigation. It not only allows operators to easily deploy and maintain mitigation rules, but also to effectively defend their infrastructure with a variety of countermeasures.


Extending Talaia with BGP FlowSpec

Talaia, always bringing the latest advances in network management and security to its customers, has already integrated BGP FlowSpec into its monitoring and security solution. This helps transform the solution into a more intelligent platform that can not only accurately identify threats but also act by taking the necessary countermeasures to protect its customers' infrastructure. If you want to take advantage of Talaia's new threat mitigation feature, do not hesitate to try it out.






Written by Giorgos Dimopoulos

Senior Security Researcher at Talaia Networks