BGP FlowSpec

Martin Bacher ti14m028 at
Thu Apr 28 06:31:57 UTC 2016

> Am 27.04.2016 um 17:58 schrieb John Kristoff <jtk at>:
> On Thu, 21 Apr 2016 09:46:13 +0200
> Martin Bacher <ti14m028 at> wrote:
>> - Intra-AS BGP FlowSpec deployment: Who is running it? For which kind
>> of attacks are you using it? Are you only dropping or rate-limiting
>> certain traffic or are you also using the redirect/remark
>> capabilities? What are the limitations from your perspective? Are you
>> facing any operational issues? How are you injecting the FlowSpec
>> routes?
> Unless you received a number of private responses, perhaps the lack of
> public responses is telling.
> I've heard of a few networks doing this and there is some public record
> of it being used, including one instance where a bad rule was behind a
> serious outage:
>  <>

Thanks for that information.  I didn’t know about that outage and this is definitely something which is very important and worth mentioning in the paper. But i would rather say that this is a general risk. A fat fingers issue can always disconnect you from the internet as well as a software bug in a homogenous environment.

>> - Inter-AS: Who is running Inter-AS FlowSpec deployments? What is
>> your experience? Are there any concerns regarding Inter-AS
>> deployments? Has anyone done interop tests?
> You might mine public, archived BGP data and see if there are any
> traffic filtering rules present (they are encoded in extended
> communities, which are optional, transitive).

I don’t think that I will find anything there because it is a dedicated SAFI. Only traffic filtering actions are encoded as extended communities.
> We once tried to coordinate an Inter-AS flow-spec project, but it
> failed miserably due to lack of interest.  For posterity, here is the
> project page:
>  <>

I already came across your project but didn’t recognize that there is/was also some FlowSpec initiative.

> Literally the only people who were interested in it at the time was one
> of the spec's co-authors.  :-)
That’s how it usually starts. ;)

> Since then, we have tried a more modest approach using the well known
> BGP RTBH technique:
>  <>
> This has been much more successful and since we've started we've
> probably had about a dozen networks express interest in flow-spec
> rules.  Verification of rules is potentially tricky, but
> widespread interest still lags in my estimation.
Yes, RTBH is quite common and really helpful in the inter AS world. But eBGP FlowSpec is just offered by very few ISPs. I think that intra AS deployments are more common, but one wouldn’t be able to detect that unless somebody tells you that they are using it.

>> - How are you detecting DDoS attacks (Netflow, in-line probes, ..?)
>> and which applications are you using for the analysis (Peakflow,
>> Open-Source tools, ..?)
> Not speaking for anyone in particular, but don't forget about user
> complaints.  In some cases a network may not notice (or care) if an
> attack is below a certain threshold for their network, but above a
> stress point downstream.
That’s true. They are selling IP-Transit and more traffic means more money. Upstream providers may only care if other customers are also affected or unless you pay them for protection.

Thanks for your comments!


> John

More information about the NANOG mailing list