October 2, 2020
In traditional DDoS mitigation methods, such as remotely-triggered black hole (RTBH), a BGP (Border Gateway Protocol) route is injected that advertises the IP address of the server under attack, tagged with a specific community. On the border routers, this community sets the next hop to discard/null, so all traffic bound for that address is dropped before it enters the destination network. While this method prevents DDoS traffic from overwhelming the targeted network, the obvious downside is that the server becomes unreachable for legitimate traffic as well.
BGP Flow Specification (Flowspec), however, is a more granular alternative to RTBH that allows you to rapidly deploy and propagate filtering and policing across a large number of BGP peer routers to mitigate the effects of a DDoS attack on a network. By applying instructions that match a particular flow on source, destination, L4 parameters and packet data such as length, fragment and so forth, Flowspec allows dynamic installation of an action at the border routers to either:
Flowspec rules resemble access control lists (ACLs) created with class-maps and policy-maps: they provide matching criteria and traffic filtering actions, which are injected into BGP and propagated to BGP peers. To carry these rules, Flowspec adds a new NLRI (Network Layer Reachability Information) type to the BGP protocol.
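The following added example (not Nexusguard's code) shows how such a match rule is serialized into a Flowspec NLRI, following the component encoding in RFC 8955, together with the traffic-rate extended community that polices or discards the matched flow. The function names, the documentation address 192.0.2.10, AS 64500 and the rule values are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Comparison bits of the numeric operator byte (lt=0x04, gt=0x02, eq=0x01).
OPS = {"==": 0x01, ">": 0x02, ">=": 0x03, "<": 0x04, "<=": 0x05}

def prefix_component(ctype, cidr):
    """Type 1 (destination) or 2 (source): type, prefix length, prefix bytes."""
    net = ipaddress.ip_network(cidr)
    nbytes = (net.prefixlen + 7) // 8          # only the significant bytes are sent
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]

def numeric_component(ctype, terms):
    """Type 3 (protocol), 5 (dest port), 10 (packet length), ...
    terms is a list of (operator, value); terms after the first are ANDed."""
    out = bytearray([ctype])
    for i, (op, value) in enumerate(terms):
        size = 1 if value < 0x100 else 2       # value is carried in 1 or 2 bytes
        flags = OPS[op] | ((size >> 1) << 4)   # length code sits in bits 0x30
        if i > 0:
            flags |= 0x40                      # AND with the previous term
        if i == len(terms) - 1:
            flags |= 0x80                      # end-of-list marker
        out += bytes([flags]) + value.to_bytes(size, "big")
    return bytes(out)

def encode_nlri(dest, proto, dport, min_len, max_len):
    """Components must appear in increasing type order: 1, 3, 5, 10."""
    body = (prefix_component(1, dest)
            + numeric_component(3, [("==", proto)])
            + numeric_component(5, [("==", dport)])
            + numeric_component(10, [(">=", min_len), ("<=", max_len)]))
    if len(body) >= 240:
        raise ValueError("two-byte NLRI length form not handled in this example")
    return bytes([len(body)]) + body

def traffic_rate(asn, bytes_per_sec):
    """Extended community 0x8006: 2-byte AS plus IEEE float rate; 0.0 discards."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, bytes_per_sec)

# Constructed rule: UDP to 192.0.2.10, destination port 80, packets of 1000-1500 bytes.
RULE = encode_nlri("192.0.2.10/32", 17, 80, 1000, 1500)
DROP = traffic_rate(64500, 0.0)

if __name__ == "__main__":
    print(RULE.hex(), DROP.hex())
```

Unlike an RTBH route for the same /32, this rule leaves TCP traffic and small UDP packets to 192.0.2.10 untouched.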
Upon detecting malicious attempts, Nexusguard’s DDoS mitigation platform automatically generates alarms and starts detecting and analyzing threats according to a built-in filter-based security profile. With Flowspec now deployed, Nexusguard ensures that service provider networks stay healthy by mitigating large volumetric DDoS attacks more effectively, averting backbone and downstream congestion.
The deployment and propagation of mitigation filters to BGP peer routers is a fully automated process, enabling DDoS attacks to be mitigated quickly and efficiently.
Featuring an integrated dashboard and tabulated analytics, Nexusguard’s Portal allows customers to monitor and configure mitigation settings and results.
Nexusguard supports the configuration and setup of two BGP router groups:
1. Nexusguard Origin Protection (OP) client’s routers, which are customer-managed.
2. Communications Service Provider (CSP) routers, which are managed by the CSPs’ SOC.
For more information, please read about Nexusguard’s Managed DDoS Mitigation Platform.
Incorporating BGP Flowspec into Nexusguard’s DDoS Mitigation Platform now enables CSPs to efficiently and specifically select and drop malicious traffic without impacting healthy traffic streams.