BGP FlowSpec

John Kristoff jtk at cymru.com
Wed Apr 27 15:58:23 UTC 2016


On Thu, 21 Apr 2016 09:46:13 +0200
Martin Bacher <ti14m028 at technikum-wien.at> wrote:

> - Intra-AS BGP FlowSpec deployment: Who is running it? For which kind
> of attacks are you using it? Are you only dropping or rate-limiting
> certain traffic or are you also using the redirect/remark
> capabilities? What are the limitations from your perspective? Are you
> facing any operational issues? How are you injecting the FlowSpec
> routes?

Unless you received a number of private responses, perhaps the lack of
public responses is telling.

I've heard of a few networks doing this and there is some public record
of it being used, including one instance where a bad rule was behind a
serious outage:

  <https://support.cloudflare.com/hc/en-us/articles/200172446-CloudFlare-Post-Mortem-from-Outage-on-March-3-2013>

> - Inter-AS: Who is running Inter-AS FlowSpec deployments? What is
> your experience? Are there any concerns regarding Inter-AS
> deployments? Has anyone done interop tests?

You might mine public, archived BGP data and see if there are any
traffic filtering rules present (they are encoded in extended
communities, which are optional, transitive).

We once tried to coordinate an Inter-AS flow-spec project, but it
failed miserably due to lack of interest.  For posterity, here is the
project page:

  <https://www.cymru.com/jtk/misc/community-fs.html>

Literally the only people who were interested in it at the time was one
of the spec's co-authors.  :-)

Since then, we have tried a more modest approach using the well known
BGP RTBH technique:

  <https://www.cymru.com/jtk/misc/utrs.html>

This has been much more successful and since we've started we've
probably had about a dozen networks express interest in flow-spec
rules.  Verification of rules is potentially tricky, but
widespread interest still lags in my estimation.

> - How are you detecting DDoS attacks (Netflow, in-line probes, ..?)
> and which applications are you using for the analysis (Peakflow,
> Open-Source tools, ..?)

Not speaking for anyone in particular, but don't forget about user
complaints.  In some cases a network may not notice (or care) if an
attack is below a certain threshold for their network, but above a
stress point downstream.

John



More information about the NANOG mailing list