on 11-01-2016 08:55 AM - last edited on 11-01-2016 04:23 PM by jason_cmgr
Two weeks ago, I mentioned how the topic of distributed denial-of-service (DDoS) issues, and the potential of BGP Flowspec (BGP-FS) as a way to mitigate them, was a very hot topic at NANOG 68 in Dallas. In general, this topic is top of mind for everyone, especially with the very recent widespread cyberattack. Let’s take a look at the continued evolution of methods to handle these attacks.
Traffic filtering policies have traditionally been very static in service provider networks. But in this age of traffic-based, and more widespread, DDoS attacks, operators need to create dynamic filters for mitigation, all of which requires new tools. BGP-FS lets you quickly mitigate the effects of a DDoS attack by using filtering and policing in protocol updates to BGP peer routers in your network and in adjacent networks.
A Phased Approach with the Brocade Flow Optimizer
Brocade Flow Optimizer not only detects volumetric DDoS attacks, but it mitigates the attack in an automated, closed-loop manner. Flow Optimizer’s detection functionality leverages sFlow and the mitigation functionality has multiple options available.
This has evolved over time:
Flow Optimizer R1.1 provided local network remediation using OpenFlow
Flow Optimizer R1.2 added inter-domain BGP Remote Triggered Black Hole (RTBH) remediation, and
Flow Optimizer R1.3 provides inter-domain BGP-FS
Remotely triggering a black hole route involves advertising a BGP /32 host prefix to adjacent routers, which then discard packets destined to that host. This alleviates the congestion impact on the upstream transit link. Flow Optimizer initiates a remote triggered black hole update, as illustrated in Figure 1.
Upon identification of a volumetric attack, Flow Optimizer informs the trigger router in the local AS to advertise a /32 black hole route with the appropriate BGP community value. The upstream router has a policy in place to match on the community value and discard the packets destined to the /32 host. This effectively stops the attack at the upstream router, which prevents the DDoS attack from congesting the transit link and entering the local network.
What is BGP-FS?
BGP-FS was first defined in RFC 5575: Dissemination of Flow Specification Rules, published in 2009. Both the value and the risks of BGP-FS are recognized and are being studied further, and the IETF community continues to actively update the capabilities of BGP-FS.
Service Providers are currently debating deployment models for BGP-FS. Some providers don’t want BGP-FS updates from external peers because they may not trust the marking; similarly, providers are often leery of allowing external customers to set BGP-FS over the Internet.
Most providers or enterprises can still mark BGP-FS within the customer domain between different autonomous systems (ASes). This way, they can isolate an AS with problematic prefixes and prevent other ASes from overwhelming the one they reside in.
How Does it Work?
With BGP-FS, when an operator identifies an attack, they initiate a BGP-FS update, which includes a mechanism to defeat the attack. This update is typically initiated from a BGP speaker in the local network, which informs BGP routers to take immediate action to block the attack.
In comparison to BGP RTBH (which black holes packets to the /32 host victim), BGP-FS can advertise granular updates to match on specific Layer 3 and Layer 4 fields. This granularity provides similar functionality to how OpenFlow mitigates attacks in Flow Optimizer R1.1.
What’s New in Flow Optimizer R1.3?
Flow Optimizer, in R1.3, has been enhanced to initiate BGP-FS by leveraging an open source distribution called ExaBGP, which—using controllers such as BSC and applications such as BFO—can initiate BGP-FS messages. Among other advantages, ExaBGP provides network operators a cost-effective DDoS protection solution.
Figure 2: BGP-FS Support in Flow Optimizer R1.3
In Figure 2, an attack enters from an upstream border router in another AS (AS# 222), and the MLXe border router is the entry point to the local AS (AS# 111).
The MLXe border router peers with the upstream router, while the BFO server (which includes ExaBGP), also exchanges eBGP updates with the upstream router.
What Has Happened Here?
This new BGP Flowspec mitigation action is supported for both custom profiles and user defined flows.
On identifying a DDoS flow based on a user-configured match, a BGP-FS route is configured on ExaBGP to be announced to its peers. On disabling (deleting) the profile, the route is withdrawn from ExaBGP and in turn from all its peers.
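As an added example (not code from the post, from Flow Optimizer or from ExaBGP), the following script renders the ExaBGP API lines that a BFO-style process would hand to ExaBGP for the two mitigations described above: the RTBH /32 announcement with a blackhole community, and the BGP-FS announce on detection and withdraw on profile disable. The victim address, next-hop and community value are assumptions chosen from documentation ranges; a real deployment uses whatever community the upstream router's discard policy matches on.

```python
"""Constructed example, not Flow Optimizer's own code: the ExaBGP API lines a
BFO-style process would emit for the RTBH and BGP-FS mitigations in the post.
Addresses, next-hop and the blackhole community are assumptions."""
import re
import ipaddress

BLACKHOLE_NEXT_HOP = "192.0.2.254"  # assumed; upstream policy discards via this hop
BLACKHOLE_COMMUNITY = "65535:666"   # RFC 7999 BLACKHOLE; must match upstream policy
# Flowspec match components, emitted in a fixed order so rules are reproducible.
FLOW_COMPONENTS = ("destination", "source", "protocol",
                   "source-port", "destination-port", "packet-length")

def rtbh_route(victim: str, withdraw: bool = False) -> str:
    """RTBH: announce (or withdraw) the victim /32 tagged with the blackhole community."""
    host = ipaddress.ip_network(victim, strict=True)
    if host.prefixlen != 32:
        raise ValueError(f"RTBH black-holes a single /32 host, got {host}")
    verb = "withdraw" if withdraw else "announce"
    return (f"{verb} route {host} next-hop {BLACKHOLE_NEXT_HOP} "
            f"community [ {BLACKHOLE_COMMUNITY} ]")

def flowspec_route(match: dict, action: str, withdraw: bool = False) -> str:
    """BGP-FS: one-line ExaBGP 'flow route' with L3/L4 match and a 'then' action."""
    unknown = set(match) - set(FLOW_COMPONENTS)
    if unknown or not match:
        raise ValueError(f"bad flowspec match components: {unknown or 'none'}")
    if action != "discard" and not re.fullmatch(r"rate-limit \d+", action):
        raise ValueError(f"unsupported flowspec action: {action!r}")
    for key in ("destination", "source"):
        if key in match:
            ipaddress.ip_network(match[key], strict=True)  # reject malformed prefixes
    parts = "".join(f"{k} {match[k]}; " for k in FLOW_COMPONENTS if k in match)
    verb = "withdraw" if withdraw else "announce"
    return f"{verb} flow route {{ match {{ {parts}}} then {{ {action}; }} }}"

def profile_commands(profile: dict) -> tuple:
    """The closed loop: announce when the profile's match fires, withdraw on disable."""
    return (flowspec_route(profile["match"], profile["action"]),
            flowspec_route(profile["match"], profile["action"], withdraw=True))

if __name__ == "__main__":
    # Constructed profile: rate-limit a UDP/53 flood toward one victim host.
    profile = {"match": {"destination": "192.0.2.10/32", "protocol": "udp",
                         "destination-port": "=53"}, "action": "rate-limit 9600"}
    for cmd in (rtbh_route("192.0.2.10/32"),) + profile_commands(profile):
        print(cmd)  # an ExaBGP 'process' feeds these lines to ExaBGP on stdout
```

The flowspec rate-limit value is in bytes per second, and the withdraw must repeat the exact match and action of the announce for ExaBGP to remove the same rule from its peers.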