Introducing Kentik’s New BGP Flowspec Support
Distributed denial-of-service (DDoS) attacks have been a continuous threat since the advent of the commercial Internet. Today, they are becoming increasingly prevalent and cause major financial damage to all types of organizations. In addition to ever larger traffic volumes, attackers are also increasing their target diversity, with attack traffic simultaneously spanning data, applications, and infrastructure to increase the chances of success. With many attacks stemming from totally unpredictable events like political dissent, employee misconduct, or actions of third parties, every type of organization needs to be prepared to mitigate DDoS attacks and proactively defend their networks to ensure business continuity.
Existing methods of DDoS mitigation present a number of challenges:
A high degree of coordination is required between customers and service providers. For example, during an attack, service provider network engineers need to be skilled at finding attacks and choosing an appropriate mitigation strategy, and they need proper access to the infrastructure to apply it.
A common DDoS mitigation technique is Remotely-Triggered Black Hole (RTBH), which requires extensive pre-configuration of discard routes and/or uRPF on all edge routers. Any misconfiguration can lead to downtime or ineffective mitigation with business impact.
For destination-based RTBH, the victim’s destination IP address becomes completely unreachable. While this minimizes collateral damage to adjacent customers and infrastructure, the victim is still down. The mitigation actually “completes the attack.” The victim can update DNS to point at a different IP address in an attempt to get their application back up. However, if the attack is targeting the DNS hostname and not the IP address, the attack will just switch over to the new IP address.
Source-based RTBH only works for a small number of sources. It can’t scale to a large network perimeter or when the source of the attack is distributed across thousands of sources.
Defined in RFC 5575, BGP Flow Specification (Flowspec) is a DDoS mitigation solution that allows you to rapidly deploy and propagate filtering and policing across a large number of BGP peers.
The basic elements of Flowspec are:
A key concept from BGP is NLRI, Network Layer Reachability Information, which describes the network/prefix that the given BGP route matches. There are 12 NLRI attributes defined in BGP Flowspec. These attributes are added to the NLRI field within the BGP Update Message that’s advertised to peers and define the particular traffic that the Flowspec route will match.
As you can see, these NLRI types go beyond what’s available in a traditional BGP NLRI, which contains a destination IP / prefix match only. With Flowspec you can match attack traffic much more granularly. You can even distinguish conversations flowing between individual pairs of IPs. This finer granularity can dramatically reduce the kind of over-blocking that occurs with traditional RTBH.
Flowspec uses BGP Extended Communities to define actions that routers will take for traffic matching the NLRI attributes from above.
|traffic-rate|set to 0 to drop all traffic|
|redirect to VRF|Change Route Target (RT)|
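To make the match and action encoding concrete, the following added example (not Kentik's code and not part of the original post) builds the bytes of one Flowspec NLRI and a traffic-rate extended community as laid out in RFC 5575. The function names are hypothetical, and the addresses are constructed samples from the documentation ranges.

```python
import ipaddress
import struct

# Component type codes from RFC 5575 (a subset of the 12 defined types).
DEST_PREFIX, SRC_PREFIX, IP_PROTO, DEST_PORT, SRC_PORT = 1, 2, 3, 5, 6

def prefix_component(ctype, cidr):
    """Types 1-2: type, prefix length in bits, then only the significant bytes."""
    net = ipaddress.IPv4Network(cidr)
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, values):
    """Types 3, 5, 6: a list of (operator, value) pairs; here each is an
    equality match and the pairs are ORed together."""
    out = bytes([ctype])
    for i, value in enumerate(values):
        size = 1 if value < 256 else 2
        op = 0x01                          # eq bit
        op |= 0x10 if size == 2 else 0     # length field: value is 2 bytes
        if i == len(values) - 1:
            op |= 0x80                     # end-of-list bit on the last pair
        out += bytes([op]) + value.to_bytes(size, "big")
    return out

def flowspec_nlri(components):
    """Order components by ascending type and prepend the NLRI length."""
    body = b"".join(sorted(components, key=lambda c: c[0]))
    if len(body) < 240:
        return bytes([len(body)]) + body
    if len(body) > 0x0FFF:
        raise ValueError("Flowspec NLRI longer than 4095 bytes")
    return struct.pack("!H", 0xF000 | len(body)) + body

def traffic_rate_action(bytes_per_second, asn=0):
    """Extended community 0x8006: 2-byte AS number, then the rate as an
    IEEE float. A rate of 0 tells routers to drop all matching traffic."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_second)

def example_rule():
    """Constructed rule: drop UDP from source port 123 to 203.0.113.10/32."""
    nlri = flowspec_nlri([
        numeric_component(SRC_PORT, [123]),        # given out of order on purpose
        prefix_component(DEST_PREFIX, "203.0.113.10/32"),
        numeric_component(IP_PROTO, [17]),
    ])
    return nlri, traffic_rate_action(0.0)

if __name__ == "__main__":
    nlri, action = example_rule()
    print(nlri.hex(), action.hex())
```

Because the rule carries protocol and port components alongside the destination prefix, only the matching UDP flows are dropped and other traffic to the same address keeps flowing, unlike destination-based RTBH.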
Here are three key reasons why Flowspec is better:
Flowspec has been around for a few years, so at this point, most of the major routing stacks that support BGP also support Flowspec. This includes open source routing daemons and commercial software from various networking vendors such as Cisco, Juniper, and Nokia (formerly Alcatel-Lucent).
To strengthen Kentik’s Security and DDoS solution, we have now added Flowspec as a mitigation method. In the first phase, Kentik supports:
Stay tuned for more Flowspec functionality with additional auto-matching intelligence and automation options. For additional technical details, check out our Flowspec Mitigation topic in the Kentik Knowledge Base. Of note, Flowspec support is not turned on by default, so if you are interested in using this feature, please don’t hesitate to contact the Kentik Customer Success team at firstname.lastname@example.org.