Introducing Kentik’s New BGP Flowspec Support
Distributed denial-of-service (DDoS) attacks have been a continuous threat since the advent of the commercial Internet. Today, they are becoming increasingly prevalent and cause major financial damage to all types of organizations. In addition to ever larger traffic volumes, attackers are also increasing their target diversity, with attack traffic simultaneously spanning data, applications, and infrastructure to increase the chances of success. With many attacks stemming from totally unpredictable events like political dissent, employee misconduct, or actions of third parties, every type of organization needs to be prepared to mitigate DDoS attacks and proactively defend their networks to ensure business continuity.
Existing methods of DDoS mitigation present a number of challenges:
Defined in RFC 5575, BGP Flow Specification (Flowspec) is a DDoS mitigation solution that allows you to rapidly deploy and propagate filtering and policing across a large number of BGP peers.
The basic elements of Flowspec are:
A key concept from BGP is NLRI, Network Layer Reachability Information, which describes the network/prefix that the given BGP route matches. There are 12 NLRI attributes defined in BGP Flowspec. These attributes are added to the NLRI field within the BGP Update Message that’s advertised to peers and define the particular traffic that the Flowspec route will match.
As you can see, these NLRI types go beyond what’s available in a traditional BGP NLRI, which contains a destination IP / prefix match only. With Flowspec you can match attack traffic much more granularly. You can even distinguish conversations flowing between individual pairs of IPs. This improved granularity can dramatically improve the kind of over-blocking that occurs with traditional RTBH.
Flowspec uses BGP Extended Communities to define actions that routers will take for traffic matching the NLRI attributes from above.
|traffic-rate||set to 0 to drop all traffic|
|redirect to VRF||Change Route Target (RT)|
Here are three key reasons why Flowspec is better:
Flowspec has been around for a few years, so at this point, most of the major routing stacks that support BGP also support Flowspec. This includes open source routing daemons and commercial software from various networking vendors such as Cisco, Juniper, and Nokia (former Alcatel-Lucent).
To strengthen Kentik’s Security and DDoS solution, we have now added Flowspec as a mitigation method. In the first phase, Kentik supports:
Stay tuned for more Flowspec functionality with additional auto-matching intelligence and automation options. For additional technical details, check out our Flowspec Mitigation topic in the Kentik Knowledge Base. Of note, Flowspec support is not turned on by default, so if you are interested in using this feature, please don’t hesitate to contact the Kentik Customer Success team at firstname.lastname@example.org.